Multiple Ciphertexts
Common Modulus
Theory
Common Modulus Attack is used when the same plaintext is encrypted twice with the same modulus but distinct public exponent and . In other words:
If and are coprime, then Bezout's Identity tells us that s.t.
Here and can be solved using extended Euclidean Algorithm. Once we know and , we could compute
Correctness:
Implementation
#!/usr/bin/env python3
from Crypto.Util.number import inverse, long_to_bytes, bytes_to_long
from Crypto.PublicKey import RSA
from sympy import gcdex
from sys import exit
#--------Data--------#
N = <N>
e1 = <e1>
e2 = <e2>
c1 = <c1>
c2 = <c2>
#--------Common modulus--------#
a, b, gcd = gcdex(e1, e2)
a = int(a)
b = int(b)
# Test if e1 and e2 are coprime
if gcd != 1:
print("e1 and e2 must be coprime")
exit()
m = (pow(c1, a, N) * pow(c2, b, N)) % N
flag = long_to_bytes(m)
print(flag)
Hastad Broadcast Attack
Theory
Hastad Broadcast Attack is used when the same plaintext is encrypted multiple () times with the same public exponents but distinct modulus . In other words:
Chinese Remainder Theorem tells us the solution to the following equation exists:
Denote this solution as . Chinese Remainder Theorem also provides a method for computing :
where . Note that the plaintext , hence . As a result, taking -th root of gives us the plaintext . No need to worry about modulo since is not large enough.
Implementation
#!/usr/bin/env python3
from Crypto.Util.number import inverse, long_to_bytes
from sympy import root
#--------Data--------#
e = 3
n1 = <n1>
n2 = <n2>
n3 = <n3>
c1 = <c1>
c2 = <c2>
c3 = <c3>
#--------Hastad broadcast attack--------#
N = n1 * n2 * n3
N1 = N // n1
N2 = N // n2
N3 = N // n3
u1 = inverse(N1, n1)
u2 = inverse(N2, n2)
u3 = inverse(N3, n3)
M = (c1*u1*N1 + c2*u2*N2 + c3*u3*N3) % N
m = root(M, e)
print(long_to_bytes(m).decode())
Last updated
Was this helpful?