poka2019 writeup 1 - Lenstra-Lenstra-Lovász

Sep. 25, 2019

I am not good at Linear Algebra : ( Can you tell me about Lenstra-Lenstra-Lovász lattice basis reduction algorithm? Add) e=151. This is for make challenge easy.

enc.txt

Lenstra-Lenstra-Lovász.sage

Notations

Before start, let’s make the notations clear.

Given values are n,e,ct,s. Of course, the objective is getting the plaintext of the RSA encryption.

Modular Arithmetics

Since ed1mod((p1)(q1))ed \equiv 1 \mod ((p-1)(q-1)),

edp1mod(p1). ed_p \equiv 1 \mod (p-1).

Let edp=1+(p1)ked_p = 1 + (p-1)k. Then

e(sshiftbits+x)=1+(p1)k e(s \ll \texttt{shiftbits} + x ) = 1 + (p-1)k

Range For bit and shiftbits

We have bit-length of secret which is approximately 6/10 bit-length of dp, which was 614. Therefore bits is either 1023 or 1024.

for bits in range (1010,1030):
	print(bits, bits - (bits//2 - bits//10))

...
1018 610
1019 611
1020 612
1021 613
1022 613
1023 614 (*)
1024 614 (*)
1025 615
1026 615
1027 616
1028 616
...

Also note that edp=k(p1)+1ed_p = k (p-1)+1 and d_p < p-1 $, so $k\le e=151. So bound of k and bit-length of dp is reasonable.

Polynomial Modulo p

We now have appropriate range for shiftbits and k to solve

e(sshiftbits+x)1+k0modp e(s \ll \texttt{shiftbits} + x ) -1 + k \equiv 0 \mod p

I used small_roots in SageMath to use Coppersmith’s Method to solve above this.

sshiftbits+x+(k1)e10modN s \ll \texttt{shiftbits} + x + (k-1) e^{-1} \equiv 0 \mod N

Where e1e^{-1} is modular inverse of ee respect to NN.

def coppersmith(shiftbits, k):
    F.<x> = PolynomialRing(Zmod(n))
    invE = inverse_mod(e, n)
    f = (s << shiftbits) + x + (k - 1) * invE   # make monic
    x0 = f.small_roots(X=2 ** shiftbits, beta=0.44, epsilon=1/32)
    return x0

Therefore I get dp and also p using p=edp1k+1p = \frac {e d_p -1} k +1. By processing a simple RSA decryption, flag is:

POKA{You_4r3_Crypt0_N00000B_XDD}

solve.sage is the full code.