# **Fword CTF 2020**
## Schuuuuush
### Points : 499
### Flag : FwordCTF{Mehdi_knows_alot_about_Schmidt-samoa_but_is_it_better_than_RSA?}
Challenge :
from Crypto.Util.number import getPrime, bytes_to_long
from gmpy2 import gcd
from sympy import nextprime
from secret import flag,BITS
func = lambda x, bits : x**12 + (x & (2**(bits//2)-1))
def PrimeGen(bits):
pr = getPrime(bits)
p = nextprime(func(pr,bits))
qr = getPrime(bits)
q = nextprime(func(qr,bits))
return p, q
p,q = PrimeGen(BITS)
n = pow(p,2)*q
c = pow(bytes_to_long(flag),n,n)
**Solution :**
First of all we find the **BITS** variable value.
Let's say **getPrime(bits)** generate a prime **x**. Bit length of **n** is 2047 and **n** is effectively *x<sup>36</sup>*. So bit length of **x** should be around ***(2047/36)±1***. Take some random values for these bit lengths and compare it to n, and it can be easily concluded that **BITS** is **57**.
Now let's say:
*p = nextprime(func(x1))*
*q = nextprime(func(x2))*
So **p** and **q** are effectively:
*p = x1<sup>12</sup>+k1*
*q = x2<sup>12</sup>+k2* , where k1 and k2 are constants << x<sup>12</sup>
Now basically we need to calculate **x1** and **x2**.
Let's analyse what the **12th** root of **n** gives:
*n<sup>1/12</sup> = p<sup>1/6</sup> \* q<sup>1/12</sup>*
= *x1<sup>2</sup> (1 + k1 / (6 \* x1<sup>12</sup>)) \* x2 (1 + k2 / (6 \* x2<sup>12</sup>))* [Using binomial approximation]
= *(x1<sup>2</sup> + k1 / (6 \* x1<sup>10</sup>)) \* (x2 + k2 / (6 \* x2<sup>11</sup>))*
= *(x1<sup>2</sup> \* x2 + y)* [y is the rest of the product and it is << 1]
= *x1<sup>2</sup> \* x2* [We are dealing only in integer values]
WTF ? **12th** root of **n** gives **us x1<sup>2</sup> \* x2**
>>> _product = iroot(n, 12)[0] [Using gmpy2]
# _product = 2199766062441797577302949884026507797060867827397893
As we have **x1** and **x2**, calculate primes and eventually flag.
Full solution is avaliable at [shh.py](https://github.com/ketanch/ctf-writeups/blob/master/Fword%20CTF/shh.py)