Note: this is only a partial solution of the challenge. We did not mange to find the final exponents (which seemingly consisted of brute force search). Since there is no public write-up on this challenge, I decided to reveal the steps we managed to solve.
In the challenge, the attacker faces a server which holds two public primes and
. We are free to choose two public exponents, and then encrypt as many plaintexts we like and finally be provided with the ciphertexts. We are also given an encrypted ciphertext under some unknown pair of public and private exponents:
First, we query the encryption oracle with for a set of
and
. From this we can obtain
Now, we can compute the totient function:
Then, we can compute using
Ok, so we factored the two 2048-bit safe primes. Amazing! Now, the exponents we obtain are obviously not the ones used in decrypting the data in the image. So, we don’t know and
. The encryption is a function
. By inverting
, we find that
.
This is the part I did not solve. Ideally, this gives us . Now, we compute
and call
.