Ceci n'est pas une Bellcore 1/2

hardware VM fault attacks RSA FCSC 2026 solved on

star star star

Description

Imagine it’s the fall of 1996, and a team at Bellcore has just announced an attack that can break RSA keys. To break an RSA key (n, e, d), they require a pair (s, s'), where s = m^d mod n is the correct signature of a message m, and s' is a faulty signature of the same message, resulting from a perturbed computation.

Following this announcement, Lenstra devised a similar attack that only requires knowledge of (m, s'), without access to the correct signature.

However, these attacks only work if the signature computation is accelerated using the Chinese Remainder Theorem (CRT).

Does avoiding the use of the CRT protect against all attacks that rely solely on the knowledge of a message and a faulty signature?

The documentation of the virtual machine is available on this page.

Files

Author

Neige

Challenge Instructions

  1. First, download docker-compose.yml:
    curl https://hackropole.fr/challenges/fcsc2026-hardware-ceci-n-est-pas-une-bellcore/docker-compose.public.yml -o docker-compose.yml
  2. Launch the challenge by executing in the same folder:
    docker compose up
  3. Then, in another console, access the challenge with Netcat:
    nc localhost 4000
⚠️ Important: You must solve the challenge by interacting with the Docker container through the exposed network port. Any other way is not considered valid.

In case you encounter problems, please consult the FAQ.

Flag

Share my success on Fediverse, Twitter, Linkedin, Facebook, or via email.

Submit your solution

You can submit your writeup for this challenge. Read the FAQ to learn how to proceed.

You need to be logged in to submit a writeup.

Writeups

There are no public solutions for this challenge yet, but you can submit yours after getting the flag.