#### Challenge 41: Implement unpadded message recovery oracle

[Back to Index](CryptoPalsWalkthroughs_Cobb.ipynb)

In [1]:
from Crypto.Util import number
from Crypto.Random import random
from Crypto.Hash.SHA256 import SHA256Hash

import cryptopals as cp

<div class="alert alert-block alert-info">

Nate Lawson says we should stop calling it "RSA padding" and start calling it "RSA armoring". Here's why.

Imagine a web application, again with the Javascript encryption, taking RSA-encrypted messages which (again: Javascript) aren't padded before encryption at all.

You can submit an arbitrary RSA blob and the server will return plaintext. But you can't submit the same message twice: let's say the server keeps hashes of previous messages for some liveness interval, and that the message has an embedded timestamp:

```
{
  time: 1356304276,
  social: '555-55-5555',
}
```

You'd like to capture other people's messages and use the server to decrypt them. But when you try, the server takes the hash of the ciphertext and uses it to reject the request. Any bit you flip in the ciphertext irrevocably scrambles the decryption.

This turns out to be trivially breakable:

- Capture the ciphertext C
- Let N and E be the public modulus and exponent respectively
- Let S be a random number > 1 mod N. Doesn't matter what.
- Now:
    
    ```
    `C' = ((S**E mod N) C) mod N
    ```
    
- Submit C', which appears totally different from C, to the server, recovering P', which appears totally different from P
- Now:

              P'
        P = -----  mod N
              S

Oops!

Implement that attack.
    
<div class="alert alert-block alert-warning">    
    
#### **Careful about division in cyclic groups.**
    
Remember: you don't simply divide mod N; you multiply by the multiplicative inverse mod N. So you'll need a modinv() function.
    
</div>
</div>

In [20]:
key_size = 1024
[e,d,n] = cp.genRSA_keypair(key_size)
m = int((b'This is ridiculous! There\'s no such thing as privacy anymore!').hex(), 16)
c = pow(m, e, n)

In [21]:
s = 79
c_ = (pow(s, e, n) * c) % n
p_ = pow(c_, d, n)

Despite the warning, I wanted to try straight division (not multiplying by the inverse mod N):

In [22]:
recovered_pt = (p_ // s) % n

def print_it(x):
    
    hex_x = hex(x)[2:]
    if len(hex_x) % 2:
        hex_x = '0' + hex_x
    print(bytes.fromhex(hex_x))
    
print_it(recovered_pt)

b"This is ridiculous! There's no such thing as privacy anymore!"


Now the way it says to do it:

In [23]:
mi = cp.invmod(s, n)
recovered_pt = (p_*mi) % n
print_it(recovered_pt)

b"This is ridiculous! There's no such thing as privacy anymore!"


Let's try to break the division approach:

[Back to Index](CryptoPalsWalkthroughs_Cobb.ipynb)

In [25]:
key_size = 2048
for ii in range(1000):
    
    print('.')
    [e,d,n] = cp.genRSA_keypair(key_size)
    c = pow(m, e, n)
    s = random.randint(0, 2**128-1)
    c_ = (pow(s, e, n) * c) % n
    p_ = pow(c_, d, n)
    recovered_pt = (p_ // s) % n
    
    if recovered_pt != m:        
        print('Broke it!')
        print(f'e={e}\nd={d}\nn={n}\ns={s}\n')
        break


.
.
.
.
.
.
.
.
.
.
.
.
.


KeyboardInterrupt: 

Here are two trivial examples of where division by a # and multiplication by a multiplicative inverse are 1) the same, and 2) different within a cyclic group (modulo arithmetic).

In [None]:
n = 17
s = 4
x = 12

print((x//s) % n)
print((x * cp.invmod(s, n)) % n)

n = 17
s = 4
x = 9

print((x//s) % n)
print((x * cp.invmod(s, n)) % n)