0

I totally have no idea about this Rabin decrypt problem. source code:

https://github.com/shanzhuer/myctf/blob/main/crypto/rabin.py

Inside there were $2^{21}$ times of encryption and decryption of Rabin-cryptosystem, with 126 bytes plaintext, 1024-bit public key $N$(unknown 512-bit $p$ and $q$ when $p*q=N$)

the output log is $\dfrac{140}{2^{21}}$ decrypt failure because $2$ small root of ciphertext(less than 126 bytes) exists

and the hint is "Quadratic method to solve if p problem"

I was trying several days to find out how to use the Quadratic method to factor $N$ in this question but didn't work

Can anyone help?

kelalaka
  • 48,443
  • 11
  • 116
  • 196
shanzhuer
  • 1
  • 2
  • @kodlu https://crypto.meta.stackexchange.com/q/1106/18298 Well, you might not spoil the flag with a hash commitment as I did – kelalaka Oct 29 '22 at 14:32
  • i think there is probably some kind of relationship between ciphertext has 2 small roots and factors of N. but i tried many times and didn't work out. if the program print out the values of 2 small roots then i can calculate p from gcd(root1-root2,N). but the program only print out one of the two small roots. – shanzhuer Oct 30 '22 at 02:06
  • @shanzhuer did you read about the Quadratic Sieve as a factorization method? (https://en.wikipedia.org/wiki/Quadratic_sieve) – ddddavidee Oct 30 '22 at 11:01
  • @ddddavidee yes i did but it's very hard to find out two different x!=y when x^2=y^2 mod n in this question – shanzhuer Oct 30 '22 at 12:16
  • @shanzhuer, try to understand why the decryption failed. The Rabin cryptosystem maps 4 plaintexts into the same ciphertext. So when you decrypt and fine the 4 square roots, you need to decide which one is the correct to keep. If you have two different square roots... can you do something? – ddddavidee Oct 30 '22 at 13:41
  • @ddddavidee i already know gcd(root1-root2,N) is factor for N. but now i just have one of the two small roots. so sad – shanzhuer Oct 30 '22 at 14:34
  • Could you please link to the original CTF? – ddddavidee Oct 31 '22 at 07:42
  • @ddddavidee it's just an internal competition and only one anonymous team solves. – shanzhuer Oct 31 '22 at 09:21

0 Answers0