# STARTER

## Import

In [8]:
from Cryptodome.Util.number import long_to_bytes, bytes_to_long
import gmpy2 

### RSA Starter 1

In [2]:
# Modular exponentiation with the three-argument pow(): 101**17 mod 22663.
base, exponent, modulus = 101, 17, 22663
pow(base, exponent, modulus)

19906

### RSA Starter 2

In [4]:
# Textbook RSA "encryption" of the message x under the public key (N, e).
p, q = 17, 23
N = p * q      # modulus built from the two primes
e = 65537      # public exponent
x = 12         # message

pow(x, e, N)

301

### RSA Starter 3

In [5]:
# Euler's totient of N = p*q for two distinct primes: phi(N) = (p-1)(q-1).
p, q = 857504083339712752489993810777, 1029224947942998075080348647219

(p - 1) * (q - 1)


882564595536224140639625987657529300394956519977044270821168

### RSA Starter 4

In [17]:
# Private exponent: d is the inverse of e modulo phi(N).
# pow() with a negative exponent and a modulus needs Python 3.8 or newer.
e = 65537
p, q = 857504083339712752489993810777, 1029224947942998075080348647219
phi = (p - 1) * (q - 1)

pow(e, -1, phi)

121832886702415731577073962957377780195510499965398469843281

### RSA Starter 5

In [20]:
# Textbook RSA decryption: m = c^d mod N, using the private exponent d.
e = 65537
N = 882564595536224140639625987659416029426239230804614613279163
d = 121832886702415731577073962957377780195510499965398469843281
c = 77578995801157823671636298847186723593814843845525223303932

pow(c, d, N)

13371337

### RSA Starter 6

$C = M^{e_0} \bmod N_0$: encrypt the message with the recipient's public key $e_0$.

$S = H(M)^{d_1} \bmod N_1$: sign by hashing the message and "encrypting" the hash with the sender's private key $d_1$.

At the other end, the recipient decrypts the message with $m = C^{d_0} \bmod N_0$.

Then, using the sender's public key $e_1$, the recipient calculates $s = S^{e_1} \bmod N_1$, which yields $H(M)$.

The signature is valid if $H(m) = s$.

In [32]:
from Cryptodome.Hash import SHA256


def h(m):
    """Return the raw SHA-256 digest of the byte string ``m``."""
    return SHA256.new(data=m).digest()

# Challenge-supplied RSA key: modulus N, private exponent d, public exponent e.
e = 65537
N = 15216583654836731327639981224133918855895948374072384050848479908982286890731769486609085918857664046075375253168955058743185664390273058074450390236774324903305663479046566232967297765731625328029814055635316002591227570271271445226094919864475407884459980489638001092788574811554149774028950310695112688723853763743238753349782508121985338746755237819373178699343135091783992299561827389745132880022259873387524273298850340648779897909381979714026837172003953221052431217940632552930880000919436507245150726543040714721553361063311954285289857582079880295199632757829525723874753306371990452491305564061051059885803
d = 11175901210643014262548222473449533091378848269490518850474399681690547281665059317155831692300453197335735728459259392366823302405685389586883670043744683993709123180805154631088513521456979317628012721881537154107239389466063136007337120599915456659758559300673444689263854921332185562706707573660658164991098457874495054854491474065039621922972671588299315846306069845169959451250821044417886630346229021305410340100401530146135418806544340908355106582089082980533651095594192031411679866134256418292249592135441145384466261279428795408721990564658703903787956958168449841491667690491585550160457893350536334242689

M = b"crypto{Immut4ble_m3ssag1ng}"
H_M = h(M)

# Textbook signature: the bare SHA-256 digest is raised to d with no padding.
# Deployed RSA signatures encode the digest first (RSASSA-PSS or PKCS#1 v1.5);
# the unpadded form is what this exercise asks for.
digest_as_int = bytes_to_long(H_M)
pow(digest_as_int, d, N)



13480738404590090803339831649238454376183189744970683129909766078877706583282422686710545217275797376709672358894231550335007974983458408620258478729775647818876610072903021235573923300070103666940534047644900475773318682585772698155617451477448441198150710420818995347235921111812068656782998168064960965451719491072569057636701190429760047193261886092862024118487826452766513533860734724124228305158914225250488399673645732882077575252662461860972889771112594906884441454355959482925283992539925713424132009768721389828848907099772040836383856524605008942907083490383109757406940540866978237471686296661685839083475

# PRIMES PART 1

### Factoring

In [5]:
import subprocess

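def factor(N):
    """Factor ``N`` with the ``primefac`` command-line module and return its stdout.

    primefac is run with ``-v`` and ``-m=factordb``; the factordb method
    presumably looks the number up in the public FactorDB service, so the
    value of ``N`` leaves this machine (confirm against the primefac docs
    before using it on a modulus that is not already public).

    Args:
        N: the integer to factor; it is converted with ``str()`` and passed
            as a single command-line argument.

    Returns:
        The text primefac wrote to stdout. The verbose output can contain
        ANSI colour escape sequences. stderr is not captured and the exit
        status is not checked, so a failed run may return an empty string.
    """
    import sys  # local import: only needed to locate the kernel's interpreter

    # Use the interpreter that runs this kernel, so primefac is resolved from
    # the notebook's own environment rather than whichever `python` is first
    # on PATH (which may not exist or may lack the package).
    # The command is an argument list with no shell, so N is never shell-parsed.
    command = [sys.executable, '-m', 'primefac', '-v', '-m=factordb', str(N)]

    result = subprocess.run(command, stdout=subprocess.PIPE, text=True)
    return result.stdout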


In [6]:

# Look up the factorisation of the challenge modulus and show primefac's raw output.
N = 510143758735509025530880200653196460532653147
factor_report = factor(N)

print(factor_report)


510143758735509025530880200653196460532653147: [1;31mfactordb[;m 19704762736204164635843 25889363174021185185929 



### Inferius Prime 

In [11]:
# Challenge public key (n, e) and ciphertext ct. The modulus is small enough
# that its factorisation can simply be looked up.
e = 3
n = 742449129124467073921545687640895127535705902454369756401331
ct = 39207274348578481322317340648475596807303160111338236677373

factor_report = factor(n)
print(factor_report)

742449129124467073921545687640895127535705902454369756401331: [1;31mfactordb[;m 752708788837165590355094155871 986369682585281993933185289261 



In [13]:
# Rebuild the private exponent from the two factors reported in the previous
# output, then decrypt. n, e and ct come from the cell above.
p, q = 752708788837165590355094155871, 986369682585281993933185289261
phi = (p - 1) * (q - 1)
d = pow(e, -1, phi)

plaintext_int = pow(ct, d, n)
long_to_bytes(plaintext_int)


b'crypto{N33d_b1g_pR1m35}'

### Monoprime

If N is a prime number, $\phi(N) = N-1$

In [31]:
# The modulus is itself prime, so phi(n) = n - 1 and the private exponent
# follows directly from the public key.
e = 65537
n = 171731371218065444125482536302245915415603318380280392385291836472299752747934607246477508507827284075763910264995326010251268493630501989810855418416643352631102434317900028697993224868629935657273062472544675693365930943308086634291936846505861203914449338007760990051788980485462592823446469606824421932591
ct = 161367550346730604451454756189028938964941280347662098798775466019463375610700074840105776873791605070092554650190486030367121011578171525759600774739890458414593857709994072516290998135846956596662071379067305011746842247628316996977338024343628757374524136260758515864509435302781735938531030576289086798942

phi = n - 1
d = pow(e, -1, phi)

plaintext_int = pow(ct, d, n)
long_to_bytes(plaintext_int)


b'crypto{0n3_pr1m3_41n7_pr1m3_l0l}'

### Square eyes

$ \phi(nm) = \phi(n) \phi(m) \frac{d}{\phi(d)} $ where $d = gcd(n,m) $ 

if n = m 

$gcd(n,n) = n $

$ \phi(nn) = \phi(n) \phi(n) \frac{n}{\phi(n)}$ 

$ \phi(n^2) = \phi(n) n $

In [23]:
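# Challenge public key (n, e) and ciphertext ct; here n = p**2 for a prime p.
n = 535860808044009550029177135708168016201451343147313565371014459027743491739422885443084705720731409713775527993719682583669164873806842043288439828071789970694759080842162253955259590552283047728782812946845160334801782088068154453021936721710269050985805054692096738777321796153384024897615594493453068138341203673749514094546000253631902991617197847584519694152122765406982133526594928685232381934742152195861380221224370858128736975959176861651044370378539093990198336298572944512738570839396588590096813217791191895941380464803377602779240663133834952329316862399581950590588006371221334128215409197603236942597674756728212232134056562716399155080108881105952768189193728827484667349378091100068224404684701674782399200373192433062767622841264055426035349769018117299620554803902490432339600566432246795818167460916180647394169157647245603555692735630862148715428791242764799469896924753470539857080767170052783918273180304835318388177089674231640910337743789750979216202573226794240332797892868276309400253925932223895530714169648116569013581643192341931800785254715083294526325980247219218364118877864892068185905587410977152737936310734712276956663192182487672474651103240004173381041237906849437490609652395748868434296753449
e = 65537
ct = 222502885974182429500948389840563415291534726891354573907329512556439632810921927905220486727807436668035929302442754225952786602492250448020341217733646472982286222338860566076161977786095675944552232391481278782019346283900959677167026636830252067048759720251671811058647569724495547940966885025629807079171218371644528053562232396674283745310132242492367274184667845174514466834132589971388067076980563188513333661165819462428837210575342101036356974189393390097403614434491507672459254969638032776897417674577487775755539964915035731988499983726435005007850876000232292458554577437739427313453671492956668188219600633325930981748162455965093222648173134777571527681591366164711307355510889316052064146089646772869610726671696699221157985834325663661400034831442431209123478778078255846830522226390964119818784903330200488705212765569163495571851459355520398928214206285080883954881888668509262455490889283862560453598662919522224935145694435885396500780651530829377030371611921181207362217397805303962112100190783763061909945889717878397740711340114311597934724670601992737526668932871436226135393872881664511222789565256059138002651403875484920711316522536260604255269532161594824301047729082877262812899724246757871448545439896

# isqrt() floors silently, so confirm n really is a perfect square before
# relying on phi(p**2) = p*(p-1).
p = gmpy2.isqrt(n)
assert p * p == n, "n is not a perfect square; phi = p*(p-1) would be wrong"
phi = p*(p-1)

d = pow(e,-1,phi)

long_to_bytes(pow(ct,d,n))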



b'crypto{squar3_r00t_i5_f4st3r_th4n_f4ct0r1ng!}'

### Manyprime

In [1]:
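# Challenge public key (n, e) and ciphertext ct; n is a product of many small primes.
n = 580642391898843192929563856870897799650883152718761762932292482252152591279871421569162037190419036435041797739880389529593674485555792234900969402019055601781662044515999210032698275981631376651117318677368742867687180140048715627160641771118040372573575479330830092989800730105573700557717146251860588802509310534792310748898504394966263819959963273509119791037525504422606634640173277598774814099540555569257179715908642917355365791447508751401889724095964924513196281345665480688029639999472649549163147599540142367575413885729653166517595719991872223011969856259344396899748662101941230745601719730556631637
e = 65537
ct = 320721490534624434149993723527322977960556510750628354856260732098109692581338409999983376131354918370047625150454728718467998870322344980985635149656977787964380651868131740312053755501594999166365821315043312308622388016666802478485476059625888033017198083472976011719998333985531756978678758897472845358167730221506573817798467100023754709109274265835201757369829744113233607359526441007577850111228850004361838028842815813724076511058179239339760639518034583306154826603816927757236549096339501503316601078891287408682099750164720032975016814187899399273719181407940397071512493967454225665490162619270814464

# Factors pasted from SageMath's ecm.factor(n).
factors = [ 9282105380008121879,
            9303850685953812323,
            9389357739583927789,
            10336650220878499841,
            10638241655447339831,
            11282698189561966721,
            11328768673634243077,
            11403460639036243901,
            11473665579512371723,
            11492065299277279799,
            11530534813954192171,
            11665347949879312361,
            12132158321859677597,
            12834461276877415051,
            12955403765595949597,
            12973972336777979701,
            13099895578757581201,
            13572286589428162097,
            14100640260554622013,
            14178869592193599187,
            14278240802299816541,
            14523070016044624039,
            14963354250199553339,
            15364597561881860737,
            15669758663523555763,
            15824122791679574573,
            15998365463074268941,
            16656402470578844539,
            16898740504023346457,
            17138336856793050757,
            17174065872156629921,
            17281246625998849649 ]

# phi(n) is the product of (f - 1) only when the factors are distinct primes
# whose product is n, so check the pasted list before using it.
phi = 1
product = 1
for f in factors:
    phi *= (f - 1)
    product *= f

assert product == n, "pasted factors do not multiply back to n"
assert len(set(factors)) == len(factors), "repeated factor: phi formula does not apply"

d = pow(e,-1,phi)

print(long_to_bytes(pow(ct,d,n)))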



b'crypto{700_m4ny_5m4ll_f4c70r5}'


# PUBLIC EXPONENT

### Salty

If $e = 1$ then $d = 1$ as well, since $ed \equiv 1 \pmod{\phi(N)}$; the "ciphertext" is just the message itself.

In [25]:
# With e = 1 the matching private exponent is also 1, so "decryption" only
# reduces ct modulo n.
e = 1
n = 110581795715958566206600392161360212579669637391437097703685154237017351570464767725324182051199901920318211290404777259728923614917211291562555864753005179326101890427669819834642007924406862482343614488768256951616086287044725034412802176312273081322195866046098595306261781788276570920467840172004530873767
ct = 44981230718212183604274785925793145442655465025264554046028251311164494127485

d = 1

plaintext_int = pow(ct, d, n)
long_to_bytes(plaintext_int)

b'crypto{saltstack_fell_for_this!}'

### Modulus Inutilis

Without a proper padding scheme, $e = 3$ is insecure: when $m^3 < N$ the reduction modulo $N$ never takes effect, so we can compute $m = \sqrt[3]{c}$ over the integers.
 
https://crypto.stackexchange.com/questions/18301/textbook-rsa-with-exponent-e-3

In [35]:
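# Challenge public key (n, e) and ciphertext ct. ct is far shorter than n,
# which is the sign that m**3 was never reduced modulo n.
n = 17258212916191948536348548470938004244269544560039009244721959293554822498047075403658429865201816363311805874117705688359853941515579440852166618074161313773416434156467811969628473425365608002907061241714688204565170146117869742910273064909154666642642308154422770994836108669814632309362483307560217924183202838588431342622551598499747369771295105890359290073146330677383341121242366368309126850094371525078749496850520075015636716490087482193603562501577348571256210991732071282478547626856068209192987351212490642903450263288650415552403935705444809043563866466823492258216747445926536608548665086042098252335883
e = 3
ct = 243251053617903760309941844835411292373350655973075480264001352919865180151222189820473358411037759381328642957324889519192337152355302808400638052620580409813222660643570085177957

# iroot() returns (floor_root, is_exact); check the flag so a ciphertext that
# is not a perfect cube fails loudly instead of decoding to garbage.
root, is_exact = gmpy2.iroot(ct, 3)
assert is_exact, "ct is not a perfect cube; the plain cube-root shortcut does not apply"

print(long_to_bytes(root))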


b'crypto{N33d_m04R_p4dd1ng}'


### Everything is Big

Basically taking N to be very big doesn't help much if d is small 

https://en.wikipedia.org/wiki/Wiener%27s_attack

I used SageMath; the script will be included in challenges/sage.
Use continued fractions and their convergents to get $\frac{k}{d}$, as described in the Wikipedia article.

To solve polynomials, best way: https://doc.sagemath.org/html/en/constructions/polynomials.html#roots-of-polynomials

In [14]:
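def hex_to_bigint(h):
    """Convert a hexadecimal string to an integer.

    Args:
        h: hexadecimal digits, with or without a leading ``0x``. Earlier this
            helper always dropped the first two characters, so a string
            without the prefix silently lost its top byte, and an odd number
            of digits was rejected.

    Returns:
        The value of ``h`` as a Python ``int``.

    Raises:
        ValueError: if ``h`` is not valid hexadecimal.
    """
    # int(..., 16) accepts the optional "0x" prefix itself.
    return int(h, 16)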


# Challenge values given as hex strings: modulus N, public exponent e, ciphertext c.
# e is about as large as N, which is what hints at an unusually small d.
N = hex_to_bigint('0xb8af3d3afb893a602de4afe2a29d7615075d1e570f8bad8ebbe9b5b9076594cf06b6e7b30905b6420e950043380ea746f0a14dae34469aa723e946e484a58bcd92d1039105871ffd63ffe64534b7d7f8d84b4a569723f7a833e6daf5e182d658655f739a4e37bd9f4a44aff6ca0255cda5313c3048f56eed5b21dc8d88bf5a8f8379eac83d8523e484fa6ae8dbcb239e65d3777829a6903d779cd2498b255fcf275e5f49471f35992435ee7cade98c8e82a8beb5ce1749349caa16759afc4e799edb12d299374d748a9e3c82e1cc983cdf9daec0a2739dadcc0982c1e7e492139cbff18c5d44529407edfd8e75743d2f51ce2b58573fea6fbd4fe25154b9964d')
e = hex_to_bigint('0x9ab58dbc8049b574c361573955f08ea69f97ecf37400f9626d8f5ac55ca087165ce5e1f459ef6fa5f158cc8e75cb400a7473e89dd38922ead221b33bc33d6d716fb0e4e127b0fc18a197daf856a7062b49fba7a86e3a138956af04f481b7a7d481994aeebc2672e500f3f6d8c581268c2cfad4845158f79c2ef28f242f4fa8f6e573b8723a752d96169c9d885ada59cdeb6dbe932de86a019a7e8fc8aeb07748cfb272bd36d94fe83351252187c2e0bc58bb7a0a0af154b63397e6c68af4314601e29b07caed301b6831cf34caa579eb42a8c8bf69898d04b495174b5d7de0f20cf2b8fc55ed35c6ad157d3e7009f16d6b61786ee40583850e67af13e9d25be3')
c = hex_to_bigint('0x3f984ff5244f1836ed69361f29905ca1ae6b3dcf249133c398d7762f5e277919174694293989144c9d25e940d2f66058b2289c75d1b8d0729f9a7c4564404a5fd4313675f85f31b47156068878e236c5635156b0fa21e24346c2041ae42423078577a1413f41375a4d49296ab17910ae214b45155c4570f95ca874ccae9fa80433a1ab453cbb28d780c2f1f4dc7071c93aff3924d76c5b4068a0371dff82531313f281a8acadaa2bd5078d3ddcefcb981f37ff9b8b14c7d9bf1accffe7857160982a2c7d9ee01d3e82265eec9c7401ecc7f02581fd0d912684f42d1b71df87a1ca51515aab4e58fab4da96e154ea6cdfb573a71d81b2ea4a080a1066e1bc3474')

# Decimal N and e, one per line, for pasting into the Sage script.
print(N, e, sep="\n")

23314261774711635287199613322625299631998299531668574856054445891367514103118788671741746880773471358355043843424178957765687991051382738221889741391209910265414558275853987805928032540504091325882973089325788388764059748141908558032906355962434381133814683631259503022678117195972953901341152390082323332013081727028250772610795079682074032005674396787209080870144904438012362544373403906582078249640767748443695976768936365312724837274503878342188073955100351982119862045062809973110618490322000848950789796929040191128376295484446101182115221654618310291664010793027421046736723687597493681537019384653365187810893
1953022641004397081072555700343554313576353088142421024805525378914611696211921061486943298557086511875298591938368959852589157488638777791065655235299537644438146613179911511882158206850761415907949166047166049870385665710021943216941569435705102665350158762716135921691706861169946038840470499402065803511386770456486452044762813021920403611595622937837453390417729851142069123298

In [5]:
# d was recovered outside this notebook (the Sage script mentioned above);
# N and c come from the previous cell.
d = 79434351637397000170240219617391501050474168352481334243649813782018808904459

plaintext_int = pow(c, d, N)
long_to_bytes(plaintext_int)

b'crypto{s0m3th1ng5_c4n_b3_t00_b1g}'

### Crossed wires

Since $ed \equiv 1 \bmod \phi(N)$

From definition of modulus

$\phi(N)|(ed-1)$

This means that $ed-1 = k \phi(N) $ 

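We can take $k = 2$: treating $\phi(N)$ as the unknown factor $k$, rewrite $k \mid (ed-1) \Rightarrow ed \equiv 1 \bmod k$.

For this to be true we need $\gcd(k, ed) = 1$; since $ed$ is an odd number (from $\gcd(ed, \phi(N)) = 1$ with $\phi(N)$ even), we know that $\gcd(2, ed)$ will be $1$. Note that this only shows $(ed-1)/2$ is an integer, not that it equals $\phi(N)$. What the decryption below actually relies on is that the modulus used to invert the friends' exponents is a multiple of $\lambda(N)$, which $ed-1$ itself always is.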

In [22]:


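# Every key in this challenge uses the same modulus, so it is written once.
N = 21711308225346315542706844618441565741046498277716979943478360598053144971379956916575370343448988601905854572029635846626259487297950305231661109855854947494209135205589258643517961521594924368498672064293208230802441077390193682958095111922082677813175804775628884377724377647428385841831277059274172982280545237765559969228707506857561215268491024097063920337721783673060530181637161577401589126558556182546896783307370517275046522704047385786111489447064794210010802761708615907245523492585896286374996088089317826162798278528296206977900274431829829206103227171839270887476436899494428371323874689055690729986771

# My own key as (modulus, private exponent).
my = (N,
      2734411677251148030723138005716109733838866545375527602018255159319631026653190783670493107936401603981429171880504360560494771017246468702902647370954220312452541342858747590576273775107870450853533717116684326976263006435733382045807971890762018747729574021057430331778033982359184838159747331236538501849965329264774927607570410347019418407451937875684373454982306923178403161216817237890962651214718831954215200637651103907209347900857824722653217179548148145687181377220544864521808230122730967452981435355334932104265488075777638608041325256776275200067541533022527964743478554948792578057708522350812154888097)

# The friends' public keys as (modulus, public exponent).
friend = [(N, 106979),
          (N, 108533),
          (N, 69557),
          (N, 97117),
          (N, 103231)]

c = 20304610279578186738172766224224793119885071262464464448863461184092225736054747976985179673905441502689126216282897704508745403799054734121583968853999791604281615154100736259131453424385364324630229671185343778172807262640709301838274824603101692485662726226902121105591137437331463201881264245562214012160875177167442010952439360623396658974413900469093836794752270399520074596329058725874834082188697377597949405779039139194196065364426213208345461407030771089787529200057105746584493554722790592530472869581310117300343461207750821737840042745530876391793484035024644475535353227851321505537398888106855012746117

d = my[1]
e = 65537

# e*d - 1 is a multiple of lambda(N) for any valid key pair, so inverting a
# friend's exponent modulo t yields a working decryption exponent. The earlier
# version used t // 2, which is only guaranteed to work when that half is
# still a multiple of lambda(N).
t = e * d - 1

# Undo each friend's encryption layer in turn. The running value and the
# per-friend exponent get their own names, so the ciphertext c and my private
# exponent d are not overwritten.
m = c
for _, friend_e in friend:
    friend_d = pow(friend_e, -1, t)
    m = pow(m, friend_d, N)

long_to_bytes(m)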


b'crypto{3ncrypt_y0ur_s3cr3t_w1th_y0ur_fr1end5_publ1c_k3y}'

### Endless mails
The solution is in <code>sage/broadcast.sage</code>; Sage has the nice CRT support I needed.

In [25]:
# The flag itself is computed in the Sage script; it is only echoed here.
flag = 'crypto{1f_y0u_d0nt_p4d_y0u_4r3_Vuln3rabl3}'
print(flag)

crypto{1f_y0u_d0nt_p4d_y0u_4r3_Vuln3rabl3}
