2

It's given 2 plaintexts $m_1$ and $m_2$, and 5 different values of $n\quad\{n_1, n_2, n_3, n_4, n_5\}$ which are generated as follows:

  • $n_1$ is a a product of two relatively small 128-bit $p$ and $q$ so its easily factorable by a simple database look-up,
  • $n_2$ is the value of $p_1*p_2*q_1*q_2$, with $p_2$ being the next prime after a 512-bit prime $p_1$, and $q_2$ being the next prime after a 512-bit prime $q_1$
  • $n_3$, $n_4$, $n_5$ each are product of two 1024-bit primes, but that shouldn't be an issue as we see later.

The encryption:

  • $m_1$ is simply encrypted using $e = 65537$ with $n_2$, three times, giving $c_1$;
  • $m_2$ is encrypted using $e=65537$ with $n_1$ and then $n_2$, generating $c_2$, which is not given;
  • However, $c_2$ is then encrypted separately using $e=3$ with $n_3$, $n_4$, and $n_5$, giving $c_3, c_4$,and $c_5$ respectively.

So all the info we have now is $n_1$, $n_2$, $n_3$, $n_4$, $n_5$, $c_1$, $c_3$, $c_4$, and $c_5$. A small public exponent attack should work for $n_3$, $n_4$, and $n_5$, and as said earlier $n_1$ is already factorable but the thing that brings trouble is $n_2$.

Fermat's factorization gives 2 non-primes close to each other which I assumed are $p_1*q_2$ and $p_2*q_1$ respectively. My reasoning was: since $p_2 = p_1 + k$ for some relatively small $k$ and $q_2 = q_1 + \ell$ for some relatively small $\ell$, cross-multiplying the two pairs must give two numbers that are near each other,

  • is my hunch correct?
  • how can I go forward from here?
  • does the suspiciously low public exponent encryption of $n_3$, $n_4$, and $n_5$ have anything to do with factoring $n_2$?
fgrieu
  • 140,762
  • 12
  • 307
  • 587
Alden Luthfi
  • 21
  • 3

1 Answers1

1

$n_1$ is a product of two relatively small 128-bit $p$ and $q$ so its easily factorable by a simple database look-up

Hint: use an approximation of the prime-counting function to comfort or challenge that reasoning.

A small public exponent attack should work for $n_3$, $n_4$, and $n_5$

Hint: $e=3$ is questionable if some conditions are met, see this. You haven't stated which of these these conditions is met.

Is my hunch (that Fermat factorization will reveal a non-trivial factorization of $n_2$) correct?

You've got a non-quantitative justification of that hunch, which correctly identifies the non-trivial factorization you can hope to get. To decide if that works, quantitatively estimate what's the expected number of steps in the Fermat method, or just try it.

How can I go forward from here?

Hints valid for RSA-related CTFs: Write relations between unknowns as formulas. Estimate the expected bit size of unknowns. Try to identify a path towards a solution, as the sequence of unknowns to compute. Try to put all stated, testable, or probable facts to good use. Basic tools include algebra, the FLT and the CRT (plus, in some advanced cases, Copersmith's theorem). Show us your progress in the question if you hope for more hints.

Does the suspiciously low public exponent encryption of $n_3$, $n_4$, and $n_5$ have anything to do with factoring $n_2$?

You don't present any argument towards this. And $e=3$ is not used in conjunction with $n_2$. On top of it, breaking poorly devised RSA encryption with whatever odd public exponent leads to factoring the modulus as a byproduct only when it's recovered a private exponent, or exploited the implementation, or the plaintext somewhat helps the factorization.

fgrieu
  • 140,762
  • 12
  • 307
  • 587