RSA Calculator

Common RSA CTF attack patterns

Most RSA CTF challenges exploit weak key generation rather than breaking the underlying math:

• Sum/product leak - if you know p + q and p * q, solve the quadratic x² - (p+q)x + pq = 0 (use "Factor from sum" mode).
• Smooth p-1 (Pollard) - if p - 1 has only small prime factors, Pollard's p-1 algorithm factors n in seconds.
• Small e with small m - if e = 3 and the message is small, m³ < n, so computing the integer cube root of c gives m directly.
• Shared factor - if two public keys share a prime, GCD(n₁, n₂) reveals it.

Challenges solved with this tool: picoCTF 2022 - Sum-O-Primes, Very Smooth, picoCTF 2023 - SRA, picoCTF 2024 - rsa_oracle.

The core of RSA rests on the difficulty of factoring the modulus n = p * q. The private key exponent d is computed as the modular inverse of e modulo Euler's totient φ(n) = (p - 1)(q - 1). Decryption then computes m = cd mod n. All of this arithmetic is performed on very large integers - typically thousands of bits in real-world RSA, but only hundreds of bits in CTF problems to keep solving feasible.

A useful first step when you receive an RSA challenge is to check whether n can be factored online. Sites like FactorDB maintain a database of factored integers. If the challenge author reused or generated weak primes, the factorization may already be known. Paste n there before spending time on algebraic attacks - it often saves hours.

After recovering p and q by any method, paste them into the Decrypt mode of this calculator along with e and the ciphertext c. The tool computes φ(n), finds the modular inverse d via the extended Euclidean algorithm, and raises c to the dth power mod n to produce the plaintext integer. Convert the result to bytes (big-endian) and you typically have the flag.

For a deeper understanding of the attacks behind these challenges - small public exponent, weak modulus factoring, common modulus, Wiener's attack, and RSA oracle blinding - see the RSA Attacks for CTF guide.