# Cyber Santa is Coming to Town –  Common Mistake


https://hilb3r7.github.io/walkthroughs/cybersanta_crypto.html#1

# Problem

Elves are trying very hard to communicate in perfect secrecy in order to keep Santa's warehouse. Unfortunately, thier lack of knowledge about cryptography leads them to **common** mistakes.

In [25]:
rsa_1 = {'n': 0xa96e6f96f6aedd5f9f6a169229f11b6fab589bf6361c5268f8217b7fad96708cfbee7857573ac606d7569b44b02afcfcfdd93c21838af933366de22a6116a2a3dee1c0015457c4935991d97014804d3d3e0d2be03ad42f675f20f41ea2afbb70c0e2a79b49789131c2f28fe8214b4506db353a9a8093dc7779ec847c2bea690e653d388e2faff459e24738cd3659d9ede795e0d1f8821fd5b49224cb47ae66f9ae3c58fa66db5ea9f73d7b741939048a242e91224f98daf0641e8a8ff19b58fb8c49b1a5abb059f44249dfd611515115a144cc7c2ca29357af46a9dc1800ae9330778ff1b7a8e45321147453cf17ef3a2111ad33bfeba2b62a047fa6a7af0eef, 'e': 0x10001, 'ct': 0x55cfe232610aa54dffcfb346117f0a38c77a33a2c67addf7a0368c93ec5c3e1baec9d3fe35a123960edc2cbdc238f332507b044d5dee1110f49311efc55a2efd3cf041bfb27130c2266e8dc61e5b99f275665823f584bc6139be4c153cdcf153bf4247fb3f57283a53e8733f982d790a74e99a5b10429012bc865296f0d4f408f65ee02cf41879543460ffc79e84615cc2515ce9ba20fe5992b427e0bbec6681911a9e6c6bbc3ca36c9eb8923ef333fb7e02e82c7bfb65b80710d78372a55432a1442d75cad5b562209bed4f85245f0157a09ce10718bbcef2b294dffb3f00a5a804ed7ba4fb680eea86e366e4f0b0a6d804e61a3b9d57afb92ecb147a769874}
rsa_2 = {'n': 0xa96e6f96f6aedd5f9f6a169229f11b6fab589bf6361c5268f8217b7fad96708cfbee7857573ac606d7569b44b02afcfcfdd93c21838af933366de22a6116a2a3dee1c0015457c4935991d97014804d3d3e0d2be03ad42f675f20f41ea2afbb70c0e2a79b49789131c2f28fe8214b4506db353a9a8093dc7779ec847c2bea690e653d388e2faff459e24738cd3659d9ede795e0d1f8821fd5b49224cb47ae66f9ae3c58fa66db5ea9f73d7b741939048a242e91224f98daf0641e8a8ff19b58fb8c49b1a5abb059f44249dfd611515115a144cc7c2ca29357af46a9dc1800ae9330778ff1b7a8e45321147453cf17ef3a2111ad33bfeba2b62a047fa6a7af0eef, 'e': 0x23, 'ct': 0x79834ce329453d3c4af06789e9dd654e43c16a85d8ba0dfa443aefe1ab4912a12a43b44f58f0b617662a459915e0c92a2429868a6b1d7aaaba500254c7eceba0a2df7144863f1889fab44122c9f355b74e3f357d17f0e693f261c0b9cefd07ca3d1b36563a8a8c985e211f9954ce07d4f75db40ce96feb6c91211a9ff9c0a21cad6c5090acf48bfd88042ad3c243850ad3afd6c33dd343c793c0fa2f98b4eabea399409c1966013a884368fc92310ebcb3be81d3702b936e7e883eeb94c2ebb0f9e5e6d3978c1f1f9c5a10e23a9d3252daac87f9bb748c961d3d361cc7dacb9da38ab8f2a1595d7a2eba5dce5abee659ad91a15b553d6e32d8118d1123859208}

# Solving

If the ct’s (ciphertexts) are the resulting encryptions of the same message used with these two keys, then we are able to recover the message by using a common modulus attack, which would fit with the name of the challenge

In [26]:
rsa_1["n"] == rsa_2["n"]

True

So if we assume the same message was encrypted both times with the same modulus and it was only the exponent that was changed. The resulting ct’s (changing their names to $c_1$ and $c_2$ from here on out) would then be expressed as 

$$c_1 = m^{e_1} \mod n$$
$$c_2 = m^{e_2} \mod n$$

## Bézout’s identity

For nonzero integers $a$ and $b$, let $d$ be the greatest common divisor $d = \gcd(a,b)$. Then, there exist integers $x$ and $y$ such that

$$ax + by = d$$ 

In [27]:
print(gcd(rsa_1["e"], rsa_2["e"]))

1


Then

$$e_1 \cdot x + e_2 \cdot y = 1$$

How does that help us? Well if we knew $x$ and $y$ and could somehow get ourselves into an equation where we can evaluate

$$m^{e_1x+e_2y} = m^1 = m$$

Using pow properties:

$$m^{e_1x+e_2y} = (m^{e_1})^x \cdot (m^{e_2})^y = (c_1)^x \cdot (c_2)^y \mod n = m $$


The Euclidean algorithm is a famous algorithm for finding the greatest common divisor of two integers. It does this by repeatedly dividing the divisor by the reaminder until nothing is left. The extended algorithm works its way backwards, by starting with the gcd and eventually expressing it as a linear combination of the original two numbers. We can use this to solve the above formula. 

In [28]:
d, x, y = xgcd(rsa_1["e"], rsa_2["e"])
print(f"x: {x}")
print(f"y: {y}")

x: -2
y: 3745


Calculate solution

In [29]:
from Crypto.Util.number import long_to_bytes
m = pow(rsa_1['ct'], x, rsa_1["n"]) * pow(rsa_2['ct'], y, rsa_2["n"])

print(long_to_bytes(int(m)))

b'HTB{c0mm0n_m0d_4774ck_15_4n07h3r_cl4ss1c}'
