In the task.py, we are given the middle bits of p, which divides an 2048-bit RSA modulus N. The unknown bits are located in two blocks, each of which is 100 bits in length.
This small roots problem can be solved by lattice techniques.
At Asiacrypt 2008, Herrmann and May proposed an algorithm to solve multivariate linear equations modulo an unknown divisor p of a known composite integer N [1].
They use the shift-polynomials with positive integers m,t,
$$
g_{k, i}(x_1, x_2) := x_2^i f^k(x_1, x_2) N^{max{t-k, 0}}.
$$
To maximize solvable root bounds, they select as many helpful polynomials as possible. The parameter
But here we are more interested in the speed; find the roots by constructing a lower dimensional lattices.
A hint is also hided in the topic description. Compared to the definition of Coppersmith method in the Wikipedia, we can easily find a related research [2] by googling "Coppersmith in the Wild".
Based on their implementation details, we can construct a lattice with the coefficient vectors of the set of polynomials $$ G:={y^h x^i f^j N^l | j + l = 1,0 \leq h + i + j \leq k} $$
and solve for solutions in a shorter time.
给出 RSA 其中一素数的中间位, 可以得到一个二元一次方程, 典型的 coppersmith method.
对于求解一个多元线性同余式的 small roots, 最先由 Herrmann 和 May 在 Asiacrypt 2008 提出具体解法.
为了最大化可解根的上界, 他们选择了尽可能多的helpful多项式, 这也意味着高阶的格基.
但是在解题时, 我们对速度更感兴趣.
题目描述中藏有 hint, 与维基中Coppersmith method的定义对比,可以发现多了 “Coppersmith in the Wild”.
根据论文的实现细节,我们可以使用多项式集合的系数向量构造一个低维的格基 $$ G:={y^h x^i f^j N^l | j + l = 1,0 \leq h + i + j \leq k} $$ 并在更短的时间内解决问题. (以上渣翻)
两个月前出的题, 在收到选手的 wp 后, 才发现 11 月上旬 github 上有相关的代码实现了该方案. 另外, 0ops的师傅的三变量解法也很好, 感谢.