XORSA
- CTF: UMASSCTF
- Challenge: XORSA
- Category: Crypto
- Points: 488 (19 solves)
- Description: I leaked a bit more than half of the XOR of the primes.
TL;DR
This challenge involved exploiting a vulnerability in an RSA implementation where the creator leaked more than half of the XOR of the prime factors. The solution reconstructs the prime factors bit-by-bit using a recursive approach that:
- Starts with the most significant bits
- Uses the leaked XOR bits to constrain possibilities
- Prunes invalid paths via product bounds
- Switches to Coppersmith’s method for remaining bits
- Decrypts the flag with the recovered private key
Challenge Overview
The challenge provides this RSA implementation:
| |
This looks like standard RSA encryption, but there’s a critical information leak:
$${\tt partial\ p\oplus q} = (p \oplus q) \gg (\text{bits} // 2 - \text{extra})$$
The script leaks the most significant \( \text{bits}/2 + \text{extra} \) bits of \( p \oplus q \).
With \( \text{bits} = 1024 \) and \( \text{extra} = 75 \), we get:
- 1024/2 + 75 = 575 bits of the XOR leaked
- Out of 1024 total bits
- That’s 56% of the information about the relationship between \( p \) and \( q \)
This is a catastrophic information leak!
Task Analysis
What do we know?
| Known | Unknown |
|---|---|
| MSBs of \( p \oplus q \) (575 bits) | LSBs of \( p \oplus q \) (449 bits) |
| \( n = p \cdot q \) | \( p \) and \( q \) individually |
| Public key \( (n, e) \) | Private key \( d \) |
| Ciphertext \( c \) | Plaintext \( m \) |
Key Insight: The XOR constraint dramatically reduces the search space. For each bit position, if we know \( p_i \oplus q_i \), we only have 2 possibilities instead of 4:
| \( p_i \oplus q_i \) | Valid \( (p_i, q_i) \) pairs |
|---|---|
| 0 | (0, 0) or (1, 1) |
| 1 | (0, 1) or (1, 0) |
This is much better than trying all 4 combinations!
This approach is based on the discussion: Integer factorization with additional knowledge of \( p \oplus q \)
The key observation: tracking sets of k-bit values that satisfy \( p_k \cdot q_k \equiv n \pmod{2^k} \), then extending by one bit at a time. With the XOR constraint, most paths get pruned, leaving few valid continuations.
Exploitation
Algorithm Overview
Our recursive algorithm works from MSB to LSB:
- Start at the most significant bit
- For each bit position, try both possibilities allowed by \( p \oplus q \)
- Prune invalid candidates using product bounds
- Once XOR bits are exhausted, use Coppersmith’s method for remaining bits
- Recover the private key and decrypt
Product Bounds Pruning
For partially reconstructed \( p_{\text{high}} \) and \( q_{\text{high}} \), if we’ve decided \( k \) bits, the remaining \( m \) bits form unknown parts.
The minimum product (all remaining bits 0): $$p_{\min} \cdot q_{\min} = (p_{\text{high}} \ll m) \cdot (q_{\text{high}} \ll m)$$
The maximum product (all remaining bits 1): $$p_{\max} \cdot q_{\max} = ((p_{\text{high}} « m) + 2^m - 1) \cdot ((q_{\text{high}} « m) + 2^m - 1)$$
Pruning rule: If \( n \) is outside \( [p_{\min}, p_{\max}] \), this branch cannot produce the target modulus and can be skipped!
┌─────────────────────────┐
│ Bit-by-bit recursion │
├─────────────────────────┤
│ k = 1023 (MSB) │
│ Try 2 possibilities │
│ ├─ Check bounds │
│ ├─ If valid: recurse │
│ └─ If invalid: skip │
│ │
│ ...repeat down to LSB │
│ │
│ k < 512 - 75 │
│ └─ Call Coppersmith │
└─────────────────────────┘
Complete Solution
| |
Complexity Analysis:
Without any constraints, we’d need to try all \( 2^{1024} \) combinations (infeasible).
With the XOR constraint, we branch with factor 2 at each step, giving \( 2^{1024} \) possibilities still…
But the bounds checking prunes ~99% of branches! Most bit combinations make \( n \) unachievable. Combined with Coppersmith’s method for the final stretch, this becomes tractable.
Behind the Math
Why XOR Information is Powerful
For each bit position \( i \):
$$p_i \oplus q_i = \begin{cases} 0 & \text{if } p_i = q_i \ 1 & \text{if } p_i \neq q_i \end{cases}$$
This transforms a combinatorial search problem (try all \( 2^{1024} \) candidates) into a constraint satisfaction problem (only 2 valid choices per bit).
Product Bounds as a Pruning Heuristic
The modulus \( n = p \cdot q \) is a strict constraint. For fixed MSBs:
$$p = p_{\text{high}} \cdot 2^m + p_{\text{low}}$$ $$q = q_{\text{high}} \cdot 2^m + q_{\text{low}}$$
where \( 0 \leq p_{\text{low}}, q_{\text{low}} < 2^m \).
Therefore: $$n = (p_{\text{high}} \cdot 2^m + p_{\text{low}}) \cdot (q_{\text{high}} \cdot 2^m + q_{\text{low}})$$
The product ranges from: $$(p_{\text{high}} \cdot 2^m) \cdot (q_{\text{high}} \cdot 2^m)$$
to: $$((p_{\text{high}} + 1) \cdot 2^m - 1) \cdot ((q_{\text{high}} + 1) \cdot 2^m - 1)$$
If \( n \) is outside this range, no valid \( p_{\text{low}}, q_{\text{low}} \) exist. Pruning is safe!
Coppersmith’s Method for the Tail
Once we’ve fixed ~575 MSBs via the XOR constraint, we need to find the remaining ~449 bits. These form a “small” root:
$$f(x, y) = (p_{\text{high}} \cdot R + x) \cdot (q_{\text{high}} \cdot R + y) - n$$
where \( R = 2^{449} \) and \( x, y < R \).
Coppersmith’s theorem guarantees we can find this small root using lattice reduction (LLL algorithm), provided:
$$X \cdot Y < n^{1/(d+1)}$$
where \( d \) is the polynomial degree and \( X, Y \) are the bounds on roots.
Exploitation Timeline
┌────────────┐
│ Start │
└─────┬──────┘
│
├─ Parse leaked XOR (575 MSBs)
├─ Parse modulus n
└─ Start recursive search from MSB
│
├─ [~5 mins] Try bit combinations with bounds checking
├─ Most branches pruned early
├─ Explore ~10,000 valid paths to LSB
│
└─ [~5 mins] Hit base case, call Coppersmith
│
├─ Solve \\( f(x,y) = p_{\text{high}} \cdot R + x \\)
├─ Recover p and q
└─ Compute \\( d = e^{-1} \pmod{\phi(n)} \\)
│
└─ [~1 sec] Decrypt: \\( m = c^d \pmod{n} \\)
│
└─ Flag: UMASS{i_will_make_a_solve_script}
Total runtime: ~10 minutes
Conclusions
Information Leakage Breaks RSA: Any partial information about \( p \) and \( q \) or their relationships can compromise security. The XOR of primes should be as secret as the primes themselves.
Constraint Satisfaction > Brute Force: Rather than trying all \( 2^{1024} \) candidates, the XOR constraint and bounds checking reduced the search space by ~99+%, making factorization tractable.
Hybrid Approaches: Combining classical bit-by-bit search with modern lattice techniques (Coppersmith) gives a powerful cryptanalytic tool.
Implementation Flaws Matter: This vulnerability came from a seemingly minor leak—just shifting right instead of discarding all bits. One line of code broke 1024-bit RSA.
Formal Security Proofs: RSA’s security depends on factorization hardness. Proving no information leaks about \( p \oplus q \) is crucial.
References
- Integer factorization with additional knowledge of \( p \oplus q \)
- XOR Factor Implementation
- Coppersmith’s Attack on RSA
- Coppersmith, D. “Small solutions to polynomial equations, and low exponent RSA vulnerabilities.” Journal of Cryptology 10.4 (1997): 233-260.