Trying to upsolve "notsosmart - hxp CTF 2017"
https://2017.ctf.link/internal/challenge/5c8119ca-bfed-444a-968d-1cc9bff27bfb.html
This server code was given during the CTF, letting you get multiple values of n:
#!/usr/bin/env python3
from random import randrange
from gmpy2 import *
from fast import random_prime
p, q = random_prime(), random_prime()
assert is_prime(p) and is_prime(q)
assert gcd(65537, (p - 1) * (q - 1)) == 1
n = p * q
m = open('flag.txt', 'rb').read().strip()
assert len(m) <= 100
m = int.from_bytes(m, 'big')
m |= randrange(0, n, 1 << 800)
print('n = {:#x}'.format(n))
print('c = {:#x}'.format(pow(m, 65537, n)))
But this code was only released AFTER the CTF ended:
import random
import gmpy2
random = random.SystemRandom()
m = 0xb107cff9bc81dc39662bc077f2dddc1f2345cf31e6af31a1a22b01c5c88488d3ccdc6b893c7a4b6171ad475e801db52542
o = 0x114fede0c299ca7ee8d431d71a582dd30df0dff236b96939a64037186703f424f7c5160000000000000000000000000000
g = 0x5e90d99feb75d04a3cb15a55cb9ea7dbdd03879a18b49d4108f18dc012f64b02324365accf82aad52bf0d1c117a60d5b6b
def random_prime():
while True:
p = pow(g, random.randrange(o), m)
p += random.randrange(0, 2 ** 512, m)
if gmpy2.is_prime(p):
break
return p
If I just take M and g from this secret file then I can find a good M' etc and do the normal ROCA attack and factor in a few seconds.
But how could you solve it without knowing them?
M could be bruted somewhat easily since it's a primorial
But idk how to find g or something related to g....
