浪子归家 | Cryptography Study Notes: Coppersmith's Method (Part 3) (3)

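```sage
# N, ZmodN = Zmod(N) and coppersmith() must already be defined;
# that part of the script is not on this page.
P.<x> = PolynomialRing(ZmodN)
pbar =     # known bits of p (value omitted in the source)
f = pbar + x
beta = 0.4
d = f.degree()
epsilon = beta / 7
h = ceil(beta**2 / (d * epsilon))
t = floor(d * h * ((1/beta) - 1))
X = ceil(N**((beta**2/d) - epsilon))
roots = coppersmith(f, N, beta, h, t, X)
```

This script can in fact also be used for Level 1: just change beta to 1 and plug in the corresponding polynomial and data.

The related paper and the original script are on GitHub; anyone interested can study them.

Likewise, here is the exp that uses the ready-made function:

```sage
N =        # modulus (value omitted in the source)
pbar =     # known bits of p (value omitted in the source)
# kbits, the number of unknown bits of p, must also be set
ZmodN = Zmod(N)
P.<x> = PolynomialRing(ZmodN)
f = pbar + x
# small_roots() returns a list; take the first root
x0 = f.small_roots(X=2^kbits, beta=0.4)[0]
p = pbar + x0
print("p: ", p)
```

BTW, as in Level 1, here it is the high bits of p that are leaked, but the case where the low bits of p are leaked is no different.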
Level 3: Partial Key Exposure Attack

Known: n, e=3, c, and the low 512 bits of d [n is 1023 bits long]
```
[+]Generating challenge 3
[+]n=0x6f209521a941ddde2294745f53711ae6a7a59aa4d0735f47328ac03e26a4e092bb1c4c885029950f52b1e071597dc6e6d5129afbdb4688ad0479d6f9655dafef915da0a3f5114989cb474a13a9a4a4293fd447739b3cc2b0a3966f21617f057e6c199c5fd4d11ce78fdf9112f53446578b6cfd2c405eb0d3389cd3965636f719L
[+]e=3
[+]m=random.getrandbits(512)
[+]c=pow(m,e,n)=0x6126eaf34233341016966d50c54c6f7401e98f2015bcbdc4d56f93f0c48590fcd8ee784521c503be322c0848f998dc3a6d630bc1043a4162467c4b069b6c0e186061ed2187d0b2d44e9797ce62569d2dab58d183d69b9d110369a8d690361b22223e34e65e51868646d0ebf697b10e21a97d028833719e87c1584d2564f21167L
[+]d=invmod(e,(p-1)*(q-1))
[+]d&((1<<512)-1)=0x1d8f1499c4f6d90716d89f76833823e8fca4dd4034f17157e4fd9f6f070e1526f3b4fa3fe507d645ec848e4d7ff3728eb8df04b72849feabaa3425f9fc510ec3L
[-]long_to_bytes(m).encode('hex')=
```
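Why the low bits of d cannot be treated as harmless when e is small, as an added toy-sized Python example (not code from the original post): it rebuilds the congruence that the exp for this level passes to `solve_mod` and shows that it leaves only a handful of candidates for p mod 2^t. The primes `P`, `Q` and the helper names `lift_roots`, `p_low_candidates` and `demo` are constructed for this illustration.

```python
# Added illustration, not code from the original post.
# P and Q are constructed toy primes, both ≡ 2 (mod 3) so that e = 3 is invertible.
P, Q, E = 1000037, 999983, 3

def lift_roots(g, t):
    """Return every x in [0, 2**t) with g(x) ≡ 0 (mod 2**t), extending one bit at a time."""
    roots = [0]                        # the single residue modulo 2**0
    for i in range(t):
        mod = 1 << (i + 1)
        # each root mod 2**i has two possible extensions mod 2**(i+1); keep those that still vanish
        roots = [c for r in roots for c in (r, r | (1 << i)) if g(c) % mod == 0]
    return roots

def p_low_candidates(n, e, d0, t):
    """Map each k in 1..e to the candidates for p mod 2**t implied by d0 = d mod 2**t."""
    out = {}
    for k in range(1, e + 1):
        # e*d = 1 + k*(n - p - q + 1); multiplying by p and reducing mod 2**t gives
        # e*d0*x ≡ x + k*(n*x - x^2 - n + x), the relation solved in find_p0.
        g = lambda x, k=k: e * d0 * x - x - k * (n * x - x * x - n + x)
        out[k] = lift_roots(g, t)
    return out

def demo(t=16):
    n, phi = P * Q, (P - 1) * (Q - 1)
    d = pow(E, -1, phi)                # full private exponent (Python 3.8+)
    d0 = d % (1 << t)                  # the "leaked" low t bits of d
    true_k = (E * d - 1) // phi        # the k for which the relation really holds
    return true_k, p_low_candidates(n, E, d0, t)

if __name__ == "__main__":
    k, cands = demo()
    print("true k:", k)
    print("candidates per k:", {j: len(v) for j, v in cands.items()})
    print("p mod 2^16 among candidates:", P % (1 << 16) in cands[k])
```

Each candidate for the low bits of p is then what `recover_p` feeds to `small_roots` in the exp.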
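exp

```sage
def recover_p(p0, n):
    # p0: candidate low bits of p; recover the unknown high part with Coppersmith
    PR.<x> = PolynomialRing(Zmod(n))
    nbits = n.nbits()
    p0bits = p0.nbits()
    f = 2^p0bits*x + p0
    f = f.monic()
    roots = f.small_roots(X=2^(nbits//2-p0bits), beta=0.4)
    if roots:
        x0 = roots[0]
        # fixed: the original used the undefined name d0bits here
        p = gcd(2^p0bits*x0 + p0, n)
        return ZZ(p)

def find_p0(d0, e, n):
    # d0: known low bits of d; try every k in 1..e
    X = var('X')
    for k in range(1, e+1):
        results = solve_mod([e*d0*X == k*n*X + k*X + X-k*X**2 - k*n], 2^d0.nbits())
        for x in results:
            p0 = ZZ(x[0])
            p = recover_p(p0, n)
            if p and p != 1:
                return p

n =        # modulus from the challenge output (value omitted in the source)
e = 3
c =        # ciphertext from the challenge output (value omitted in the source)
d0 =       # known low 512 bits of d from the challenge output (value omitted in the source)
p = int(find_p0(d0, e, n))
print("found p: ", p)
q = n//int(p)
print("found d: ", inverse_mod(e, (p-1)*(q-1)))
```

Level 4: Hastad's Broadcast Attack

Known: n1, c1, n2, c2, n3, c3, e=3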
```
[+]Generating challenge 4
[+]e=3
[+]m=random.getrandbits(512)
[+]n1=0x1819da5abb8b8158ad6c834cb8fd6bc3ed9a3bd3e33b976344173f1766bf909bda253f18c9d9640570152707e493e3d3d461becc7197367ab702af33d67805e938321915f439e33f616b41781c54c101f05db0760cc8ca0f09063f3142b5b31f6aa062f1e60bba1a45e3720ab462ebd31e1228f5c49ae3de8172bad77b2d5b57L
[+]c1=pow(m,e,n1)=0x7841e1b22f4d571b722807007dc1d550a1970a32801c4649e83f4b99a01f70815b3952a34eadc1ec8ba112be840e81822f1c464b1bb4b24b168e5cb38016469548c5afd8c1bdb55402d1208f3201a2a4098aef305a8380b8c5b6b5b17d9fb65a6bdfdcf21abc063924a6512f18f1dc22332dfc87f4a00925daf1988d43aaecdL
[+]n2=0x6d1164ffa8cb2b7818b5ac90ef121b94e38fd5f93636b212184717779c45581f13c596631b23781de82417f9c8126be4a04ab52a508397f9318c713e65d08961d172f24f877f48ef9e468e52e3b5b17cbbe81646903d650f703c51f2ad0928dd958700b939e1fd7f590f26a6d637bd9ef265d027e7364c4e5e40a172ce970021L
[+]c2=pow(m,e,n2)=0x58f26614932924c81d30ef2389d00cf2115652ced08d59e51619207a7836fd3908b3179fc0df03fe610059c1fe001ca421e01e96afc47147d77bbbe6a3f51c5c06f1baeab8dc245c2567a603f87dea0a053b8f5df4e68f28896d7d1ba3dd3dcd7c4652d59404fa237f4868e1bbc9ae529196739486d86bd1723a78dfac781fe5L
[+]n3=0xde53be1db600264b0c3511ae4939c82164ea1166aadfd8dd0af6e15eb9df79a5d1a2757d3d15630441790ecf834098a1cf4b5858003f0b7f3a72823de014ac0a7c827ed1ca4185b245774f442a05dee3fe6bf846e5b035caf3b3c574b88911b7e5b81fc2c638729240f949e09a25a3a4a762c31005684791577d5e9fc8221abdL
[+]c3=pow(m,e,n3)=0x89f9fabc7e8d6f0e92d31109ea4c024446b323d9f441d72db4eb296eba3011abe2a58e68ec21a663e6493981e21835a826f28d1bc28d3476273ff733ef69c152e7fbfebc826132266f6eb65c86b242417c06eb31453f99ed7e075ababbfc208d042a2436a766f24eb9af0f45b60eea2c4405edfabd87584806bc0a1a51f9ca7aL
[-]long_to_bytes(m).encode('hex')=
```

