# Broadcast attack

A secret message (one 128bit symmetric key) was sent to 3 recipients encrypted with RSA with each recipient’s public key, with the same padding value (padding scheme RSAES-PKCS1-V1_5).

In [1]:
from math import gcd
from operator import mul
from functools import reduce

from gmpy2 import cbrt

In [2]:
# Public keys
n1 = 87617523948177647312867775239694626750987292134627889364808905617827332876105350879470010739139344292545770540409899305653944242239880100328192428705797212072724323423041291119344048342058210621360780869091664865999689405851181985243820506729202457035583684007010204771260794056165692617016320638991306056971
e1 = 3

n2 = 157924041114647369229870617094437851802316941267184788933608836375564767772848701641688858696007853369291135059337850679893135460205320456206898932645455436133369113857496950130545810994125246833907260221346227394884508785210676049418226525446419689791538932619557120002466506317385975439092143284415874027211
e2 = 3

n3 = 131838608633676640357181447748492700119690962351507876169571398908111512224354777757996176099828271304349963607084588120858016224316252565697977767839599356978916409295387565046205091469855019418988788689432116878030657624011562009433753926073552436199075792228327510102237935074223902088975550473614367494057
e3 = 3

# The three cryptograms were observed on the network
c1=65212541317751284945506670900226056975795010934933260071670282892032802604842097393658979526420346854804581094518520227574641987146937473402588909454892030738136515156287257945593373062628072825528841140843460692938629933406016148043093433950475747067155338655038454056567193537623903933983553464412593090069
c2=156382357585467430660629788383054623242324250227822556985971693848351330121162133454674039801720527155134137933856606359528665363372668511326729412708820502692450710775929374472783735915284966718107235882039123636874001815937218546463720092113732842309236191032972133895854339528436872197043533983579035222837
c3=60503578526025909836402242708419858013018067036973039030239080408145933920566256907144297043756503316641584712782889200080106252564748066020635642241350111055877635349767719255482806493092144842653965557405779843774330253634516323287118947492451943926212539801046839516868238865378114669552919766008255657505

n = [n1, n2, n3]
e = [e1, e2, e3]
c = [c1, c2, c3]

In [3]:
for i in range(3):
    for j in range(i + 1, 3):
        if e[i] != 3:
            print(f"e{i} is not 3")
            break
        if factor := gcd(n[i], n[j]) != 1:
            print(f"n{i} and n{j} share a factor: {factor}")
            break
    else:
        continue
    break
else:
    print("Håstad's broadcast attack is applicable")

Håstad's broadcast attack is applicable


In [4]:
def crt(c, n):
    assert len(c) == len(n)

    x = 0
    m = reduce(mul, n)

    for i in range(3):
        mi = m // n[i]
        xi = pow(mi, -1, n[i])
        x += c[i] * mi * xi

    return x % m

In [None]:
# broadcast attack

x = crt(c, n)
m = int(cbrt(x))

print(f"The value of the secret symmetric key is {m}")

The value of the secret symmetric key is 482849025285979826085525086769004061770761524330446337041574039499296818895650478214493566212459754378085043230751741535860862972295826792627319078912.000000
