2. Modular Arithmetic
• Modular arithmetic, or clock arithmetic, is a circular system that
increases until a specific point called the modulus, then resets to zero again.
• Definition
• Let 𝑍𝑛 be a set of all non-negative integers that are smaller than 𝑛:
𝑍𝑛 = {0,1,2, … , 𝑛 − 1}
where 𝑛 is a positive integer.
• In order to find the value of integer 𝑛 (mod 𝑚) we can use the
following equation: 𝑛 = 𝑞𝑚 + 𝑟
where:
• 𝑞 is an integer and 𝑟 is the remainder
3. Modular Arithmetic
• Examples:
• 51 𝑚𝑜𝑑 10: 51 = 5(10) + 1, so 51 𝑚𝑜𝑑 10 = 1
• −51 𝑚𝑜𝑑 10: −51 = −6(10) + 9, so −51 𝑚𝑜𝑑 10 = 9
• Congruence modulo:
To explain it in a simple way, let's look at the representation of all integers 𝑚𝑜𝑑 5:
all integers in slice 𝑛 give the remainder 𝑛 𝑚𝑜𝑑 5, so we can say that those integers are
in the same equivalence class, which can be represented as 𝐴 ≡ 𝐵 (mod 𝐶).
4. Congruence modulo and Equivalence relations
• If we looked at the previous chart, we could notice that the difference
between any two integers in the same slice can be represented as
multiple of 5.
• We can write the congruence mod 𝑛 as any of the following:
• 𝐴 ≡ B (𝑚𝑜𝑑 𝑛)
• 𝐴 𝑚𝑜𝑑 𝑛 = 𝐵 𝑚𝑜𝑑 𝑛
• 𝑛 | (𝐴 − 𝐵)
• 𝐴 = 𝐵 + 𝑥 ∗ 𝑛 for an integer 𝑥
5. Congruence modulo and Equivalence relations
• The figure has the following properties:
• Every pair of integers in the same slice is related
• We can never find the same integer in 2 slices
• If we collect all the slices, we get all the numbers.
• This means that congruence modulo is an equivalence relation.
6. Congruence modulo and Equivalence relations
• Why do we even care whether it’s an equivalence relation or not?
It’s simple, so we can apply the equivalence relation properties:
• 𝐴≡𝐴 (𝑚𝑜𝑑 𝑛) (reflexive)
• 𝐴≡𝐵 (𝑚𝑜𝑑 𝑛) → 𝐵≡𝐴 (𝑚𝑜𝑑 𝑛) (symmetric)
• 𝐴≡𝐵 (𝑚𝑜𝑑 𝑛) & 𝐵≡𝐷 (𝑚𝑜𝑑 𝑛) then 𝐴≡𝐷 (𝑚𝑜𝑑 𝑛) (transitive)
8. Modular Inverses
• In basic arithmetic we know that the inverse of a number $X$ is $\frac{1}{X}$, since $X \cdot \frac{1}{X} = 1$
• But in modular arithmetic we don't have a division operation, so the
inverse would be:
• $A^{-1}$ : $A \cdot A^{-1} \equiv 1 \pmod{n}$
• which means $A \cdot A^{-1} \bmod n = 1$
• 𝐴 is coprime to 𝑛
9. Modular Inverses
• Calculating mod inverse:
the naive method is brute forcing all the numbers from 0 to 𝑛 − 1
until we find a number 𝐵 that makes 𝐴 ∗ 𝐵 𝑚𝑜𝑑 𝑛 = 1
• This method is so slow and we need a faster method.
10. The Euclidean Algorithm
• The Euclidean Algorithm is a quick method to calculate the GCD of
two integers.
• Let's use an example to describe it:
• GCD(270, 192):
• 270 = 1 * 192 + 78
• 192 = 2 * 78 + 36
• 78 = 2 * 36 + 6
• 36 = 6 * 6 + 0
• We got 0 so our GCD is the last value before 0 which is 6.
11. Caesar cipher
• Caesar cipher is the first substitution cipher ever; substitution ciphers
are mainly about mapping characters to other characters and
using this map to encode/decode.
• In the Caesar cipher each character is shifted
by three to encode, e.g. ABC -> DEF
• We can pick any key instead of three and do the same operation;
as we mentioned in the modular arithmetic section,
we always do the full turn and then come back
to the character A.
12. Caesar cipher
• Let's call the encryption function enc(m) and the decryption function dec(m)
• Enc(m) = for c in m: (c + k) mod 26
• Dec(m) = for c in m: (c - k) mod 26
• Where:
• k is our key
• c is each character in the string
• 26 is number of characters in English alphabet
• As you can see, it's closely related to the figure we showed earlier in the
modular arithmetic section.
13. Public key cryptography
• Now that we have learned some basic mathematics, we will introduce one
of the most used applications for securing our communications, which is
Public Key Cryptography.
• As we showed in the Caesar cipher, the same key was used for encryption
and decryption, which can be insecure: if the sides of the
communication are far away, they are forced to share the key through
a channel, which may leak it and expose the communication.
• So, in public key crypto both sides of the conversation will have 2
keys, a public key and a private key; the public key can be shared and the
private key remains a secret.
14. Diffie-Hellman key exchange
• Diffie-Hellman key exchange is a method for securely exchanging
encryption keys without exposing them on the public channel; it's
named after Whitfield Diffie and Martin Hellman and was published in
1976.
• The method is simple, let's explain it by example:
Assume that Alice wants to send a message to Bob,
and we have Eve watching the public channel
between them.
15. Diffie-Hellman key exchange
• Now Alice wants to share her key without letting Eve know it, so first both Alice and
Bob will choose a public generator $g$ and a prime modulus $p$.
• Now each of them will choose a private
key, $d_1$ and $d_2$, and apply the following: $g^{d_x} \bmod p$.
• At this point we will have 2 public keys, $P_1$ for Alice and $P_2$ for Bob,
and they will send them to each other (until now Eve got them also); now
Alice and Bob create a shared secret key, which Eve will not get, by:
$P_1^{d_2} \bmod p$, $P_2^{d_1} \bmod p$.
16. Diffie-Hellman key exchange
• Let's expand those expressions in order to make it simple:
• Alice: $g = 3$, $p = 17$, $d = 15$
• Bob: $g = 3$, $p = 17$, $d = 13$
• Alice public key: $3^{15} \bmod 17 \equiv 6$, Bob public key: $3^{13} \bmod 17 \equiv 12$
• Now Alice and Bob will exchange the public keys
• Alice shared key: $12^{15} \bmod 17 \equiv 10$, Bob shared key: $6^{13} \bmod 17 \equiv 10$, which
will always be the same since it's the same calculation. Why?
That's easy: what Alice did was $(3^{13})^{15} \bmod 17$ and Bob $(3^{15})^{13} \bmod 17$.
• Now Eve only has: $g = 3$, $p = 17$, $apk = 6$, $bpk = 12$ and she cannot get
the shared key.
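The exchange above as an added Python example (not part of the original slides), using the slide's numbers. The function names and the exhaustive search for Eve are assumptions made for illustration; the search shows that with 𝑝 = 17 the private key falls out in at most 16 steps, so the claim that Eve cannot get the key rests on 𝑝 being large.

```python
def dh_public(g, p, d):
    """Public value g^d mod p for a private exponent d."""
    return pow(g, d, p)


def dh_shared(peer_public, p, d):
    """Shared secret: the peer's public value raised to our private exponent."""
    return pow(peer_public, d, p)


def eve_discrete_log(g, p, public):
    """Exhaustive search for x with g^x = public (mod p).

    The work is proportional to p, which is why a 17-element group gives
    no protection while a 2048-bit prime makes this search infeasible.
    """
    value = 1
    for x in range(1, p):
        value = (value * g) % p
        if value == public:
            return x
    return None


def run_exchange(g=3, p=17, d_alice=15, d_bob=13):
    """Run the slide's exchange and report what each party ends up with."""
    p1 = dh_public(g, p, d_alice)        # sent in the clear, Eve sees it
    p2 = dh_public(g, p, d_bob)          # sent in the clear, Eve sees it
    return {
        "P1": p1,
        "P2": p2,
        "alice_key": dh_shared(p2, p, d_alice),
        "bob_key": dh_shared(p1, p, d_bob),
        "eve_recovers_d1": eve_discrete_log(g, p, p1),
    }


if __name__ == "__main__":
    print(run_exchange())
```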
17. RSA
• The previous way needed Alice to generate a shared key for everyone
she is in contact with, which can be too hard and difficult; for this,
James Ellis, a British mathematician, introduced an idea to create
only 1 public key and send it to everyone, then anyone who wants to
contact Alice will just use this key.
• After that, a British mathematician and cryptographer, Clifford Cocks,
introduced a mathematical way to apply this concept.
18. RSA
• Bob will send a message $m$ using Alice's public key $n$ and a public
exponent $e$ as follows:
• $m^e \equiv c \pmod{n}$ where $c$ is the encrypted message
• Now Alice needs to have a private key $d$ to decrypt the message such
that: $c^d \equiv m \pmod{n}$
• Now Eve only has $n$, $e$ and $c$; let's see what Eve needs to do if she
wants to get $d$.
19. Euler’s totient
• Euler's phi function $\phi(m)$ is a simple function to calculate the count
of co-primes less than a number $m$.
• If we look at the co-primes of a prime number $p$,
they will be all the numbers below it since it's
already a prime, meaning $\phi(p) = p - 1$.
20. Euler’s Formula
• Euler's Formula states that: $m^{\phi(n)} \equiv 1 \pmod{n}$
• Raising to the power $k$ then multiplying by $m$ would give us
$m^{k \cdot \phi(n) + 1} \equiv m \pmod{n}$
• Now back to the decryption formula: $c^d \equiv m \pmod{n} \rightarrow m^{ed} \equiv m \pmod{n}$
• Now we can see that $k \cdot \phi(n) + 1 = ed \rightarrow d = \frac{k \cdot \phi(n) + 1}{e}$, $e$ is co-prime to $\phi(n)$ $\rightarrow de \equiv 1 \pmod{\phi(n)}$
• In order to choose our $d$, $e$ we need to know 2 important theorems.
21. Chinese Remainder Theorem
• Chinese Remainder Theorem states that if we have some numbers
$n_1, n_2, n_3, \ldots, n_x$ and they are all relatively prime to each other, then
for $b_1, b_2, \ldots, b_x$,
$A \equiv b_1 \pmod{n_1}$, $A \equiv b_2 \pmod{n_2}$, $A \equiv b_3 \pmod{n_3}$, ..., $A \equiv b_x \pmod{n_x}$
have exactly one solution $0 \le A \le \prod_{i=1}^{x} n_i$.
22. Example
• 𝑥 ≡ 3 𝑚𝑜𝑑 5 , 𝑥 ≡ 1 𝑚𝑜𝑑 7 , 𝑥 ≡ 6 𝑚𝑜𝑑 8
• As we can see, we have the same $x$ in 3 different congruences and
we need to solve for $x$; using the Chinese remainder theorem we can
create a table consisting of four columns: $b_i$, $N_i$, $x_i$ and their product.
• Where $b_i$ is our remainder, $N_i$ is $\frac{N}{n_i}$ for $N = n_1 n_2 n_3$ and $x_i = inv(N_i, n_i)$

b_i   N_i   x_i   b_i*N_i*x_i
3     56    1     168
1     40    3     120
6     35    3     630

• Now our final $x$ is the sum of the last column $\bmod N$ → x = 78
23. Fermat’s Little Theorem
• Fermat's Little Theorem states that if $p$ is a prime number and $p$
doesn't divide $a$ then $a^{p-1} \equiv 1 \pmod{p}$.
24. Choosing 𝑑 and 𝑒
• There are some constraints on $e$, which are:
• $1 < e < \phi(n)$
• $e$ has to be co-prime with $n$, $\phi(n)$
• The private key $d$ has to satisfy $de \equiv 1 \pmod{\phi(n)}$, which
means $d = inv(e, \phi(n))$.
26. Attacks on RSA
• Now let's start to introduce how an attacker can learn our secrets; note
that we are not showing that RSA is breakable, we will show that
a bad choice of numbers can lead to recovery of the private key.
• Factorizing 𝑛:
• Choosing 𝑛 needs to be done very carefully; there are a lot of online services that
work on factorizing a huge collection of numbers, like factordb. As shown in the
previous example, we could find 𝑑 just by getting the prime factorization of 𝑛.
• Let's discuss some of the factorization methods for 𝑛.
27. Prime Factorization
• Fermat’s Factorization:
• Named after Pierre de Fermat, it represents an odd integer as a difference of two
squares, $N = a^2 - b^2$
• Since we can already factor the difference of two squares: $(a + b)(a - b)$
• And we know that our $n = pq$ where $p$, $q$ are primes, we can write it as
$\left(\frac{p+q}{2}\right)^2 - \left(\frac{p-q}{2}\right)^2$
• Assuming that $n$ is odd so $p$, $q$ are also odd.
• Now the steps are simple: first we can rewrite $n$ as $a^2 - n = b^2$
• Then we need to find the smallest $k$ s.t. $k^2 \ge n \rightarrow k^2 - n \ge 0 \rightarrow b^2 \ge 0$
• Then we start to look at the following numbers $k^2 - n$, $(k+1)^2 - n$, $(k+2)^2 - n$, ... until we get a perfect square.
• Note that this will always terminate since $\left(\frac{n+1}{2}\right)^2 - n = \left(\frac{n-1}{2}\right)^2$
28. Fermat Factorization Example
• Here is a small example to apply our steps, let $n = 119143$
• First find $k \rightarrow 346$ since $346$ is the smallest $k$ s.t. $k^2 \ge n$
• Then we start to find the perfect square from the sequence we mentioned:
$346^2 - n = 573$ (not perfect square)
$347^2 - n = 1266$ (not perfect square)
…
$352^2 - n = 4761 = 69^2$ (perfect square!)
• Now we can write $n$ as $n = 119143 = 352^2 - 69^2$ = (352 − 69)(352 +
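The search described in the steps above, as an added Python example (not code from the original slides). It also returns the number of candidates tried, which shows why the method matters for key generation: the step count grows with the distance between 𝑝 and 𝑞. The function name and the `max_steps` limit are assumptions.

```python
from math import isqrt


def fermat_factor(n, max_steps=1_000_000):
    """Factor an odd n as (a - b)(a + b) by searching for a^2 - n = b^2.

    Returns (p, q, steps) with p <= q, or None if max_steps is exhausted.
    `steps` counts how many values of a were rejected before the hit.
    """
    if n % 2 == 0:
        raise ValueError("Fermat's method as described assumes n is odd")
    a = isqrt(n)
    if a * a < n:            # smallest k with k^2 >= n
        a += 1
    for steps in range(max_steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:      # perfect square found
            return a - b, a + b, steps
        a += 1
    return None


if __name__ == "__main__":
    # The slide's modulus: the primes are close, so the hit comes at a = 352.
    print(fermat_factor(119143))
    # 64741 = 101 * 641 (primes far apart relative to sqrt(n)): many more steps.
    print(fermat_factor(64741))
```

For a real RSA modulus the same loop only finishes when the two primes were generated too close together, which is the condition a key-generation review should rule out.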
29. Pollard’s p-1 Factorization
• Another method of factorization, which uses Fermat's little theorem
that we introduced.
• The method is simple: we know from Fermat's little theorem
that $a^{p-1} \equiv 1 \pmod{p}$ where $\gcd(a, p) = 1$; suppose that
$p - 1$ is a factor of another number $M$, where $M = (p - 1) \cdot k$, $k \in Z$.
• Then $a^M \equiv (a^{p-1})^k \equiv 1 \pmod{p}$; since in RSA our $n = p \cdot q$, then
$p \mid (a^M - 1)$ and $p \mid n$.
• So $\gcd(a^M - 1, n)$ will include the factor $p$ or will equal it.
30. Pollard’s p-1 Factorization
• So, let's wrap up our steps:
• Choose an integer $a$ s.t. $\gcd(a, n) = 1$
• Calculate $a^{B!}$ for $B = 1, 2, 3, \ldots$ to find the nontrivial factor; note that we
replaced $M$ with $B!$ since it increases so fast and will give us a good
chance to check if $n$ is prime.
• Now we will take $\gcd(a^{B!} - 1, n)$ if it's nontrivial.
• Example: $n = 91$, $a = 2$
• $2^{1!} = 2 \rightarrow \gcd(2 - 1, 91) = 1$
…
$2^{3!} = 2^6 \rightarrow \gcd(64 - 1, 91) = 7$
• So, $91 = 7 \cdot 13$
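The steps above as an added Python example (not code from the original slides). It builds $a^{B!} \bmod n$ incrementally, so no factorial is ever computed explicitly; the function name, the `max_b` bound and the second sample modulus are assumptions constructed for illustration.

```python
from math import gcd


def pollard_p_minus_1(n, a=2, max_b=10_000):
    """Return (factor, B) for the first B where gcd(a^(B!) - 1, n) is nontrivial.

    Returns None if no factor shows up before max_b, or if the gcd jumps
    straight to n (every prime factor was hit at the same B; a different
    base a may separate them).
    """
    if gcd(a, n) != 1:
        raise ValueError("choose a with gcd(a, n) = 1")
    x = a % n
    for b in range(1, max_b + 1):
        x = pow(x, b, n)          # x is now a^(b!) mod n
        g = gcd(x - 1, n)
        if 1 < g < n:
            return g, b
        if g == n:
            return None
    return None


if __name__ == "__main__":
    # The slide's example: n = 91, a = 2 gives the factor 7 at B = 3.
    print(pollard_p_minus_1(91))
    # Constructed sample: 47897 = 211 * 227, where 211 - 1 = 2*3*5*7 has only
    # small prime factors while 227 - 1 = 2*113 does not.
    print(pollard_p_minus_1(47897))
```

The constructed second modulus gives way at a tiny B because 𝑝 − 1 is built only from small primes, which is the property to check for when reviewing how primes are generated.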
31. RSA Security
• We still have many other factorization methods like the Quadratic sieve and
ECM, but does that mean that RSA is not secure?
• The answer, until now, is no; the strength of RSA is that it
depends on ignorance rather than knowledge: we don't have an efficient
way to calculate how hard it is to factor a huge number, we just know
it's hard, and a small mitigation for the previous factorization
methods is adding more digits to our 𝑛, which will make it harder to
factorize.
• But there are some attacks on RSA based on bad key generation for
our variables or even our encryption methodology.
32. Bad Key generation Attacks
• Some of the attacks that can be applied on RSA are:
• Common Modulus
• Blinding
• Small Private Exponent: Wiener
• Small Public Exponent: Coppersmith, Hastad
• Time Attack
• We will try to explain some of them by examples in order to make it
clearer.
34. Example1
• As you can see, $n$ is a huge number and factorizing it won't be an easy thing at all, but we notice that $e$ is so
small, small such that $m^e < n$, so $c = m^e \bmod n = m^e$
• So, to get $m$ we can just take the cube root of $c$; a computer can do this easily.
• So, $m = \sqrt[3]{c}$ =
13016382529449106065839070830454998857466392684017754632233906857023684751222397
• Decoding the long to a string using the ASCII table will result in this message:
• picoCTF{e_w4y_t00_sm411_81b6559f}, which is our solution.
35. Example2
• PICO CTF 2018:
• We are given the following inputs: c, n and e
• As you can see, everything is huge, and attempts to factorize 𝑛 didn't work; in this case we can consider checking another
attack called Wiener's attack
36. Wiener’s Attack
• Michael J. Wiener was able to state a theorem based on continued
fractions that says if $d < \frac{1}{3} n^{\frac{1}{4}}$ then we can recover $d$ without
factoring $n$.
• Explaining:
• We already mentioned before that $ed = k \cdot \phi(n) + 1$, and since $\phi(n) = (p - 1)(q - 1) \rightarrow pq - (p + q) + 1$,
and since $p$, $q$ are so large we can take
a good approximation that $\phi(n) \approx n$.
• Now substituting this into our first equation: $ed = k \cdot n + 1 \rightarrow ed - kn = 1 \rightarrow \frac{e}{n} - \frac{k}{d} = \frac{1}{dn} \rightarrow \frac{e}{n} \approx \frac{k}{d}$
37. Wiener’s Attack
• So, let's set our steps:
• We need to find a set of convergents $\frac{k}{d}$ that approximate $\frac{e}{n}$ (using continued
fractions, and we will demonstrate it), under some conditions:
• Since $ed \equiv 1 \pmod{\phi(n)}$ and $\phi(n)$ is product of 2 primes so it will be an even number, $d$
will be odd, so we can skip the convergent if our $d$ is not odd.
• Since $\phi(n)$ must be a whole number, $\frac{ed - 1}{k}$ also must be a whole number, and if it's not
we will move to the next convergent.
• Now let $(x - p)(x - q) = 0$ be a quadratic equation then: (𝑥 − 𝑝)(𝑥 −
39. Wiener’s Attack
• Now since $\phi(n) = \frac{ed - 1}{k} = 64000$
• We can set our quadratic equation as: $x^2$ − (64741 − 64000 +
40. Example2
• Applying this to the example would be hard to do manually, so with
the use of a simple script run on a computer we get the following
message: picoCTF{w@tch_y0ur_Xp0n3nt$_c@r3fu11y_5495627}
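The steps from the Wiener slides as an added Python example (not the script the author used). It is written as a key check: it returns the private exponent and the factors if a public key (𝑛, 𝑒) is exposed to this method, and None otherwise. 𝑛 = 64741 and ∅(𝑛) = 64000 are the slide's numbers; the exponent 𝑒 = 42667 is a constructed value chosen so that 𝑑 = 3, and the function names are assumptions.

```python
from math import isqrt


def convergents(num, den):
    """Yield the convergents (k, d) of the continued fraction of num/den."""
    k_prev, k_cur = 0, 1      # numerators
    d_prev, d_cur = 1, 0      # denominators
    while den:
        a = num // den
        num, den = den, num - a * den
        k_prev, k_cur = k_cur, a * k_cur + k_prev
        d_prev, d_cur = d_cur, a * d_cur + d_prev
        yield k_cur, d_cur


def wiener_check(e, n):
    """Return (d, p, q) if the key falls to Wiener's method, else None."""
    for k, d in convergents(e, n):
        if k == 0 or d % 2 == 0:      # first condition on the slide: d is odd
            continue
        if (e * d - 1) % k:           # phi(n) = (ed - 1)/k must be whole
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1               # s = p + q
        disc = s * s - 4 * n          # discriminant of x^2 - s*x + n = 0
        if disc < 0:
            continue
        root = isqrt(disc)
        if root * root != disc or (s + root) % 2:
            continue
        p, q = (s - root) // 2, (s + root) // 2
        if p > 1 and p * q == n:      # the roots really are the factors
            return d, p, q
    return None


if __name__ == "__main__":
    print(wiener_check(42667, 64741))   # constructed weak key, d = 3
    print(wiener_check(17, 64741))      # same n, d = 26353: not exposed
```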
41. Example3
• Qiwi CTF 2016:
• We are given the following data:
• e = 3
• n1, n2, n3, c1, c2, c3
42. Example3
• As you can see, yes, our public exponent $e$ is small, but taking the 3rd
root of $c$ won't give us the solution; this means that $m^e > n$
• Now there is an attack we can apply in this case, called Hastad's
attack.
• Let's discuss it in the next slide
43. Hastad’s Attack
• Simply when we send the same message to different receivers, an
attacker can retrieve the private key using Chinese remainder
theorem that we discussed before.
• $m^e \equiv c_1 \pmod{n_1}$
• $m^e \equiv c_2 \pmod{n_2}$
• ……
• $m^e \equiv c_x \pmod{n_x}$
• The Chinese Remainder Theorem allows us to solve those
congruences, and since $m < \min(n_1, n_2, \ldots, n_x)$, then $m^e < n_1 \cdot n_2 \cdots n_x$,
so we can solve them and get our $m$.
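An added Python example (not code from the original slides) that serves both the Chinese Remainder Theorem table earlier and the broadcast case above: `crt` follows the $b_i$, $N_i$, $x_i$ columns, and `broadcast_recover` combines the ciphertexts and takes an exact integer root. The three moduli and the message 1234 are constructed sample values; the function names are assumptions. The same `iroot` covers the simpler case from Example1 where $m^e < n$.

```python
from math import prod


def crt(residues, moduli):
    """Solve x = b_i (mod n_i) for pairwise coprime n_i; return (x, N)."""
    N = prod(moduli)
    total = 0
    for b_i, n_i in zip(residues, moduli):
        N_i = N // n_i
        x_i = pow(N_i, -1, n_i)       # inv(N_i, n_i), Python 3.8+
        total += b_i * N_i * x_i      # one row of the slide's table
    return total % N, N


def iroot(x, e):
    """Largest integer r with r**e <= x (binary search, exact for big ints)."""
    lo, hi = 0, 1 << (x.bit_length() // e + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** e <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def broadcast_recover(ciphertexts, moduli, e):
    """Recover m from e or more unpadded encryptions of the same m, else None."""
    if len(ciphertexts) < e:
        raise ValueError("need at least e ciphertexts so that m^e < product of n_i")
    m_e, _ = crt(ciphertexts, moduli)   # equals m^e as a plain integer
    m = iroot(m_e, e)
    return m if m ** e == m_e else None


if __name__ == "__main__":
    print(crt([3, 1, 6], [5, 7, 8]))    # the slide's example
    # Constructed toy moduli (53*59, 71*83, 89*101) and message.
    moduli, e, m = [3127, 5893, 8989], 3, 1234
    cts = [pow(m, e, n) for n in moduli]
    print(broadcast_recover(cts, moduli, e))
```

The recovery depends on every recipient getting the identical, unpadded 𝑚; randomized padding such as OAEP makes each encrypted value different, so the congruences no longer share one $m^e$.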
47. Example4
• As you can see, we cannot use any of the previous attacks since 𝑒 is not
small enough and we couldn't factorize 𝑛1, 𝑛2, but we noticed that
they are the same; also it's given that the message is the same.
• In this case we can use an attack called the Common Modulus Attack
48. Common Modulus Attack
• Let’s translate our input as math:
• $c_1 = m^{e_1} \bmod n$
• $c_2 = m^{e_2} \bmod n$
• $\gcd(e_1, e_2) = d$
• Now we know that the RSA system is homomorphic with respect to multiplication, so
we can get a new ciphertext which is the product of the other ciphertexts
raised to powers $a$, $b$: $c_m = c_1^a \cdot c_2^b \bmod n \rightarrow m^{a \cdot e_1} \cdot m^{b \cdot e_2} \bmod n \rightarrow m^{a \cdot e_1 + b \cdot e_2} \bmod n$
• Now we can use Bézout's identity which states:
• For $a, b \in Z^+$, $\gcd(a, b) = d$ then $\exists\, x, y \in Z : x \cdot a + y \cdot b = d$
49. Common Modulus Attack
• Now using the Extended Euclidean algorithm to find the multiplicative
inverse, we can recover our $m$; let's see an example with small numbers.
• Let: $n = 143$, $e_1 = 7$, $e_2 = 17$, $c_1 = 42$, $c_2 = 9$
• Solution:
• In EEA:

q   r1   r2   r   t1   t2   t
2   17   7    3   0    1    -2
2   7    3    1   1    -2   5
3   3    1    0   -2   5    -17
    1    0        5    -17

• So $\gcd(e_1, e_2) = 1$ & $inv(e_1, e_2) = 5$
• And from this $a = 5$, $b = -2$
50. Common Modulus Attack
• To validate our result, we know from Bézout's identity that: $a e_1 + b e_2 = \gcd(e_1, e_2) \rightarrow 5 \cdot 7 + (-2)(17) = 1$, which is true
• Now to get our new $c_m = c_1^a \cdot c_2^b \bmod n = 42^5 \cdot (9^{-1})^2 \bmod 143$
• Now we need to use EEA again for $9^{-1}$; for short, using a computer will
give us 16
• So $c_m = 42^5 \cdot 16^2 \bmod 143 = 3$
• And since $m^{a \cdot e_1 + b \cdot e_2} \bmod n = m^{\gcd(e_1, e_2)} \bmod n = m^1 \bmod 143 = c_m$, our $m = 3$
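An added Python example (not code from the original slides) covering two passages: the faster modular inverse that the Modular Inverses slide asks for, and the common modulus recovery worked above. `egcd` is the Extended Euclidean algorithm behind the table, and the numbers are the slide's ($n = 143$, $e_1 = 7$, $e_2 = 17$, $c_1 = 42$, $c_2 = 9$); the function names are assumptions.

```python
def egcd(a, b):
    """Extended Euclid: return (g, x, y) with x*a + y*b == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(a, n):
    """Inverse of a modulo n; exists only when a is coprime to n."""
    g, x, _ = egcd(a, n)
    if g != 1:
        raise ValueError("no inverse: a and n are not coprime")
    return x % n


def common_modulus_recover(n, e1, c1, e2, c2):
    """Recover m from two encryptions of the same m under (n, e1) and (n, e2).

    Requires gcd(e1, e2) = 1, so that a*e1 + b*e2 = 1 and
    c1^a * c2^b = m^(a*e1 + b*e2) = m (mod n).
    """
    g, a, b = egcd(e1, e2)
    if g != 1:
        raise ValueError("exponents are not coprime; this recovers m^g, not m")
    # A negative Bezout coefficient means: use the inverse of that ciphertext.
    if a < 0:
        c1, a = modinv(c1, n), -a
    if b < 0:
        c2, b = modinv(c2, n), -b
    return (pow(c1, a, n) * pow(c2, b, n)) % n


if __name__ == "__main__":
    print(egcd(7, 17))                                  # Bezout coefficients a, b
    print(modinv(9, 143))                               # the 9^-1 step
    print(common_modulus_recover(143, 7, 42, 17, 9))    # the slide's m
```

Neither private key and no factorization is involved, which is why one modulus must never be shared between two key pairs.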
51. Example4
• Applying the same steps on the example we will get message:
CBCTF{6ac2afd2fc108894db8ab21d1e30d3f3}
52. Last Words
• Number theory is very interesting and fun, applying it to cryptography will
give you more fun, there are still a lot of topics we can discuss and other
attacks like: LLL and time attacks, also there are a lot of interesting topics in
cryptography like fast powering, elliptic curves, lattices, successive powers,
quadratic residue and much more, I really want to stay with you and talk
more but we can do it another time, so always keep learning and excited
and never give up on math, it might seem hard and most simple things
seem weird to you but when you get it you will be so proud.
• In the next slide I will share some great resources that I use to practice and
learn.
Don’t learn to hack… hack to learn.
53. Resources
• Cryptohack one of the best websites that teaches you by challenges
• Math 3107 by prof. Jeff Suzuki Boston University
• MIT 6.875 MIT Cryptography Spring 2018
• An Introduction to Mathematical Cryptography by J.H. Silverman, Jill
Pipher, Jeffrey Hoffstein