Crack the value of m in RSA quickly given n, e and c, given the condition that c == pow(m, e, n)

Question

I am trying to calculate the value of m in RSA. The values of n, e and c are given, and they are fairly large:

n = 0xce202f8fd1b78c23dfa53314617510cd422e3f4c5aa412400ed44abaf3d4bbdf4230c8f9f73736c32cbcbec0c7780b6b56f7d4bea1678640581cd4aaf2df9ff4175846fc44ddf94e924a188d0b0989ecc462da8c5e88c295e26beeafab201ab6ab299dc0f0106dd1a3cc21d17c757130be6f3f0b5b250932396f34ac3295d057
e = 0x684b3ab9779f91c23597668e5eb8dd73a3333f9fb7a456583204d255576bef204a1201d276a00cb88d531c3aa993e7304162bf673baebffc39210a1c3faa64712a4e12c1da67eb98817d981bc8bbe9d4cf605903fc039b507e8b77248a88c995741b152c41609d3d86518cba8d9da419dd36e8f8bc07881be87990ea26873b6b
c = 0x9cddd342018418c628f5ec22699f60397f39275013835374a3c1f4a5e568e1d0b70944641010cad4b07b94143d0ba2123ebc8cb1589ddc8818631c460a896c362da5f230ada3a48c24a22c5d86934d4b3b626a728c0de389fadae3a4b4ad8da7aa4473188fcf22e107f6e80707061f41eedc1d1112b57187afdb741d3ea2ff2a

There is a also a condition given that assert c = pow(m, e, n) (Python code).

There is a time limit of how fast I can calculate this problem, and it should take no longer than about 10 seconds on an i7 CPU. I have tried using RsaCtfTool to brute-force it (which uses the gmpy2 library), as suggested in this SO answer, but it was too slow and took over a minute, which exceeded the time limit. Is there better algorithm I can use to calculate problems such as these faster, knowing that c equals pow(m, e, n)? Thanks!

Vulnerable to [Wiener attack](https://en.wikipedia.org/wiki/Wiener%27s_attack) (for small d, here 0xCD4B2D33), see e.g. https://www.dcode.fr/rsa-cipher. But actually off topic, since not programming related. — Topaco, Jul 27 '22 at 10:28

score 1 · Accepted Answer · answered Jul 30 '22 at 03:35

As mentioned in the comment from Topaco, it is vulnerable to the Wiener attack. Here is code to do it in Python, using the owiener module:

import owiener
n = 0xce202f8fd1b78c23dfa53314617510cd422e3f4c5aa412400ed44abaf3d4bbdf4230c8f9f73736c32cbcbec0c7780b6b56f7d4bea1678640581cd4aaf2df9ff4175846fc44ddf94e924a188d0b0989ecc462da8c5e88c295e26beeafab201ab6ab299dc0f0106dd1a3cc21d17c757130be6f3f0b5b250932396f34ac3295d057
e = 0x684b3ab9779f91c23597668e5eb8dd73a3333f9fb7a456583204d255576bef204a1201d276a00cb88d531c3aa993e7304162bf673baebffc39210a1c3faa64712a4e12c1da67eb98817d981bc8bbe9d4cf605903fc039b507e8b77248a88c995741b152c41609d3d86518cba8d9da419dd36e8f8bc07881be87990ea26873b6b
c = 0x9cddd342018418c628f5ec22699f60397f39275013835374a3c1f4a5e568e1d0b70944641010cad4b07b94143d0ba2123ebc8cb1589ddc8818631c460a896c362da5f230ada3a48c24a22c5d86934d4b3b626a728c0de389fadae3a4b4ad8da7aa4473188fcf22e107f6e80707061f41eedc1d1112b57187afdb741d3ea2ff2a
d = owiener.attack(e, n)
m = pow(c, d, n)

Crack the value of m in RSA *quickly* given n, e and c, given the condition that c == pow(m, e, n)

1 Answers1

Crack the value of m in RSA quickly given n, e and c, given the condition that c == pow(m, e, n)