CoCalc -- 2025-09-06-file-1.ipynb

Bro-key-n (UIUCTF 2022) writeup

2025-09-06-file-1.ipynb

⁹ views

unlisted

ubuntu2404

Kernel: SageMath 10.7

In [1]:

from sage.all import *
from sage.modules.free_module_integer import IntegerLattice

## Parameters
e = 65537
N_ = 0x125165155e03af44b26423bed827a0651b9b7a7a7e79cac5b8d07a5ac0c25bf5b4f258c227348916a4befeb306be79d75a8e4fac2f7d8591d7f7f1e5006eaff2d32e93fcb1a50cb5bd449a84840c71f9f0bad999aeeed500dc32b7092d0b021adde2859d53c604f4b1613880fb4ada66c5a19da058bc7a6646b935c4d28a321bad0a39bb387465775dbc2ad7184ce221bd0ebc3de0fc0e9574b952a0cd7c2718d0696ba2b2ac5122708cd9643c8a28b3916d47b28f46c6aed7e91df1a78278039b9197223d1a8b0e88f2ddc55766a28eeaaa571e4daa7f2132d4028015a372b78b04b775987b1f6a420f5ad96d30d76cc3d354199c968a85390c85d4e12c7aeb050b1b04f430b23725ec5c13d0340138f66c6acfa459461b4ebfbe5af2b2d6907b8fa782e1652514529fdf343667e6875d7d1498f3d80cb76524580b6f2af01142f15bb10e91366dd882f7738fb2c242b417a4f2e0cfa5cd6fd6b63d1972901df69b9d5c4817782494309e80954d1c90e975592a47cce447619f5a3d5b7612bb667bbb14e1774964b14ea97cea375f99f7a19da543a9b4e9a978bdbfb2fff8f35e8e9597473888cb12b2efef708d871489e7ddb3ca64997ac6f4ad29c7e13d3545eb056a2e872ce32f13df5ecedd25b7bdd7c32464306466d2e5b7e48af9ace8a81e429581ab377468c7f03103ef758eaefb79a740489926fd8f26334fda1d65
a = 0xc55acb5a46475e4fcb3fc012a26f3b896bc34f7f047035c610d3739b98ce50a146ec49127e5e8667352e06dac2bfa37224a47c29cd904b9e418bf4f8484f60594906ccedac2257de1cdc54453ba892d1e1a00fe8fc7e1b415dfe4c5055bcab0af08a335a6d9a934fa98644d884794621738f8783eeb975a8468134811d36cd9544c9ac47086ba8865c81155bcdc39fe5c1376a07a59934ff25e18554517e462927c6f85571249c3ca82c7dd8691707186de2ea6cb69ced941c6f5f90cfb5d4000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
R_: int = 2 ** 516
R2 = R_ ** 2

## Attack Start
e_inv = pow(e, -1, N_)
print(f'{e_inv = }')
is_stop = False
kp = 28128 # found Kp
A = a + e_inv * (kp - 1)
B = IntegerLattice([
    [R2, R_*A, 0],
    [0,  R_,   A],
    [0,  0,    N_]
], lll_reduce=True) 
try:
    v0, v1, v2 = B.shortest_vector(update_reduced_basis=False)
except RuntimeError as e:
    # Lattice reduction failure, skip this kp
    print(f'[-] ERROR! kp is invalid')
    is_stop = True

if is_stop == False:
    assert v0 % R2 == 0 and v1 % R_ == 0
    quad_a = v0 // R2; quad_b = v1 // R_; quad_c = v2;
    ZP = ZZ['x']
    for r, _ in ZP([quad_c, quad_b, quad_a]).roots(): # Solve quadratic: a*x^2 + b*x + c = 0
        p = gcd(A + r, N_)
        if p != 1 and p != N_:
            assert N_ % p == 0
            q = N_ // p
            print('ANSWER!')
            print(f'{p = }')
            print(f'{q = }')
            assert is_prime(p) and is_prime(q) and p * q == N_
            break

Out[1]:

e_inv = 59295843288738639141819346844547947320443839418602881361524673127441536857600006545973816703209287817192106708528788340951700221900685866616620571586420534229098116604671839935900552049565574758539961119799260909326946312850329500040418823689789327612428211110431468298910084114110292991269979460532479986933134856378717358030574505979732723737068131046915082205124630874929287630214753473154670861090257872497354432006879222911987980796521656208106161310725415850096422253424200018637403908121771744497426383232040917759744558293205245784949376720107171216402461232483496339237859349461969451225792444599992398475368231562069353539629175739721262304112828753164221047282814616447062466089086730960938056749071766911785139278255749998432491513991260426831502719110039121578672898285900596891174788783926723412145702519733249820385310860110673227024885124619981422495925676361989946741900436709375444853651492710038111172867527305389587338783987376114854331307289385142437104284525015381356409662083903242314841468053386824581960959222236613199684498230928907394321069785142576342351962040023468996206935411401922438279574280806819567170119192912720194631708913587537859132483244156214332476769161116080409932161957753537949554106630
ANSWER!
p = 3627991603884808062736141310447106260943326330899396275199779984022462194376994246446102117532813224234792046840726872009503786329408256663119027353255969224649727885389580250774873824390822482215139013309728202469835336298188620697403248917907049738004864552884412233025397042416703298163382725246031075810130222032765486555500736412969415261015967808462136504839813036078699995347830504646364842806157413675646357345753021818180743963892741139070590339137165833818468345693182851348835784086931651709553805159969447778964285167310407227065749316889692916103874856521269259363246539154909931419853080560118329293059
q = 20598369222871626043072216357111854496024645053994263979092523658841340015618093953301403603006820017599326657242822459672261069591757161666583903417748632127452902462416407108216272232046821496547425743893487370083414071869503963944576753877699674625320223980514728077608176436018469521820069344910135073178779460798798070288038908901616872195433430227246973421982015955456791648994934658395900842039051221873444228459558128608404028483977743648206193560549325892128792059229756408316058150451063406159514445706989869623611544592427409034225334586140215511798730646848775635621896189852877392621164908264378996645751

In [0]:

Product

Resources

Company