In [1]:
def coppersmith_howgrave_univariate(pol, modulus, mm, tt, XX=-1):
    """
    Taken from https://github.com/mimoo/RSA-and-LLL-attacks/blob/master/coppersmith.sage
    Removed unnecessary stuff
    """
    dd = pol.degree()
    nn = dd * mm + tt

    if not pol.is_monic():
        raise ArithmeticError("Polynomial must be monic.")
        
    if XX == -1:
        XX = int(modulus ^ (1 / dd))

    # change ring of pol and x
    polZ = pol.change_ring(ZZ)
    x = polZ.parent().gen()

    # compute polynomials
    gg = []
    for ii in range(mm):
        for jj in range(dd):
            gg.append((x * XX)**jj * modulus**(mm - ii) * polZ(x * XX)**ii)
    for ii in range(tt):
        gg.append((x * XX)**ii * polZ(x * XX)**mm)
    
    # construct lattice B
    BB = Matrix(ZZ, nn)

    for ii in range(nn):
        for jj in range(ii+1):
            BB[ii, jj] = gg[ii][jj]
            
    # LLL
    BB = BB.LLL()

    # transform shortest vector in polynomial    
    new_pol = 0
    for ii in range(nn):
        new_pol += x**ii * BB[0, ii] / XX**ii

    # factor polynomial
    potential_roots = new_pol.roots()

    # test roots
    roots = []
    for root in potential_roots:
        if root[0].is_integer():
            roots.append(ZZ(root[0]))
                
    return roots

In [3]:
def genPoly(f):
    _x_ = PolynomialRing(RationalField(), 'x').gen()
    fInPolyRep = 0
    for i in range(len(f)):
        fInPolyRep += f[i] * _x_ ^ i
    return fInPolyRep

In [4]:
n = 95341235345618011251857577682324351171197688101180707030749869409235726634345899397258784261937590128088284421816891826202978052640992678267974129629670862991769812330793126662251062120518795878693122854189330426777286315442926939843468730196970939951374889986320771714519309125434348512571864406646232154103
e = 3
c = 63476139027102349822147098087901756023488558030079225358836870725611623045683759473454129221778690683914555720975250395929721681009556415292257804239149809875424000027362678341633901036035522299395660255954384685936351041718040558055860508481512479599089561391846007771856837130233678763953257086620228436828

In [5]:
c1 = (c * inverse_mod((2^456)^3, n)) % n

In [17]:
def trimZero(f):
    while len(f) > 0 and f[-1] == 0:
        f.pop()
    return f

def fillZero(f, lenFill):
    assert len(f) <= lenFill
    return f + [0] * (lenFill - len(f))
        
def modPoly(f, modulus):
    r = f.copy()
    for i in range(len(f)):
        r[i] %= modulus
    return trimZero(r)

def makeMonic(f, modulus):
    r = f.copy()
    leadCoefficientInverse = inverse_mod(r[-1], modulus)
    for i in range(len(r)):
        r[i] *= leadCoefficientInverse
        r[i] %= modulus
    return r

def addPoly(f1, f2):
    f3 = [0] * max(len(f1), len(f2))
    for i in range(len(f3)):
        if i < min(len(f1), len(f2)):
            f3[i] = f1[i] + f2[i]
        elif len(f1) < len(f2):
            f3[i] = f2[i]
        else:
            f3[i] = f1[i]
    return trimZero(f3)

def mulPoly(f1, f2):
    f3 = [0] * (len(f1) + len(f2))
    for i2 in range(len(f2)):
        for i1 in range(len(f1)):
            f3[i1 + i2] += f1[i1] * f2[i2]
    return trimZero(f3)

def powPoly(f, p):
    r = [1]
    for i in range(p):
        r = mulPoly(r, f)
    return r

def getRoots(f):
#     print("[i] Finding roots of {}...".format(f))
    _x_ = PolynomialRing(RationalField(), 'x').gen()
    fInPolyRep = 0
    for i in range(len(f)):
        fInPolyRep += f[i] * _x_ ^ i
    try:
        return fInPolyRep.roots()
    except:
        return []
    
def genPoly(f):
    _x_ = PolynomialRing(RationalField(), 'x').gen()
    fInPolyRep = 0
    for i in range(len(f)):
        fInPolyRep += f[i] * _x_ ^ i
    return fInPolyRep

def coppersmith(f, modulus, m, X=-1):    
    # Assure monic
    assert f[-1] == 1
    
    # Get degree & set X if necessary
    degree = len(f) - 1
    assert degree >= 1
    if X == -1:
        X = int(modulus ^ (1 / degree))
        if degree == 1:
            X -= 1
#         print('[No upperbound is set so the algorithm set it to {}]'.format(X))
    
    print("[] Solving {} = 0 mod {} \n\tfor x <= {} \n\tfor m = {}".format(genPoly(f), modulus, X, m))
    
    # Get dim
    dimension = (degree) * (m + 1)

    # Constructs a matrix.
    M = []
    for v in range( 0, m+1 ):
        for u in range( 0, degree ):
            # Generate g(x) function from f(x)
            g = mulPoly( mulPoly( [modulus^(m-v)], [0]*u+[1] ), powPoly(f, v) )
            
            # Create g(xX) from g(x)
            for i in range(len(g)):
                g[i] *= X^i
            
            # Append to row
            M.append( fillZero(g, dimension) )
    
    # Convert to matrix
    M = matrix(M)
#     print("[] M:\n")
#     print(M)
    
    # Assert if our matrix meets the criteria
#     det = 1
#     for i in range(dimension):
#         det *= M[i, i]
#     assert int((det ^ (1/dimension)) * (2 ^ (dimension/4))) < int(modulus ^ m / isqrt(dimension))
    
    # Apply LLL
    M = M.LLL()
#     print("\n[] M.LLL():\n")
#     print(M)
    
    
    # Scroll through the shortest vectors as the new polynomials
    roots = []
    for row in M:
        f = trimZero([int(col) for col in row])
        for i in range(len(f)):
            assert f[i] % (X^i) == 0
            f[i] //= X^i
#         print("[] f: {}, row: {}".format(f, row))
        roots += getRoots(f)
    
    return roots

In [18]:
br = ord('}')
f = mulPoly([(br^3 - c1) % n, 3 * br^2 * 2^8, 3 * br * 2^16, 2^24], [inverse_mod(2^24, n)])
f = modPoly(f, n)
coppersmith(f, n, 10)

[] Solving x^3 + 47298190972240185269476220178340596088836353081445116378536068027238036260007536029108850004945601352606297349885723679405383643302367461484502790870969529687323305335979402680101112848851121392945416415945488141409044383051764536562970815371153552241502386829151320342749813511445946332408698357984654232701*x^2 + 23467246511232973320064004296776948680764616497194610368545931143804649449747218371233847792500538121890138488896610749030765365099362989702464152298831492476199933513000853365917539719636363164050274120497559953526983727331693335977401643170277988164606145482930608650618148429906943906498668590448156293913*x + 57999478643836474067339126693368064839037979297955548145001486286807919797755998252395500875117791125412828060393509556919219356187321576498095043650785790252532978425915153390596259248391960617433395229196200571140609997509562395724991836789638851662285811282909313047681854778835192349650251623537863126664 = 0 mod 95341235345618011251857577682324351171

[] f: [-26625304123553039262677454667982708714994229936917867910885999848912166068440414733087494656727791704076915384190051042346997303570885922807729614810251305391593737482045103617979214089172647781453885670632030284584698542948096982207042614337552491759243021022791940522455641057737149935154056535338829039813258163041812712117980172083934535734666787236091952376457107562492492238300589045220008750813169979267536103397572621673815435443670857319236634122211023011603868003270400184322854281908487699123949790458067437381593356537138860110802158009211287318699046723022325116736418618774392554361928115647863670778432156708858219244416833378629630002092346980931415333480441710491375197941638134382231889620779435712599189971610597290233179544510204444318290083042864921373576789897301947456168940587945560423405032094584381455431113840079640639328085660606830055555296769717158853504492002069480926707850866901441881368912891392916652731738332559753999497040562881189363234438088397518341557

[] f: [-29967046578662300909845929207962901433007353049187511261974946306149828220648191542198174355924669347382877833879605284667229807414329802914434934168565082570996689832823846415903349217702076985023259387889967995523089392953891681896628530335196192700954402689455188723243351461099902288312384382569912356166733260309877578895586260498690028715916529168314421610859267844156674523671538054704505914325866634173295078706691169862782298165252980577107359295740628373038207846405985185983649548110438513852027402442101300275045614780718107599685979250023766732810373314576912113290889583162468431125593965503099118821717807498915773975166035948997176247943406074121899198266378684913085187169337315336293175435893257543138125288529608079006896794620078607889084189225987185284156419271849833751985835112712300699501596210848911011661963682122906465706733237899134213618807781297386814792636383474831652554724656618408328603284838181427690794039194726589635180612048379302559422718251884186119556

[] f: [-16097496804327861010842928634780055363416540638588523306562918883639877651976335830192265530023530497190584221732416200389477199687638106040659421288094462824228178389088391184602838486350628188187934647552892471731182189285475332575409125635290782429424842818473833420165485215600691755398850319122642258060446453364331157057034810690161641055706865051550290234544545794875160971361707437024959852525297420283808035764749762831554188908328985709650937710886293274360938467780889667490079875003887831990746833511668817459042898485619299642985361911592504663973095214746533664513787786182615120941636880155530745888113316512140604653521390840996382825645363580093633031730906420843550460765280648261568571915778326655143347848305597999088086067536889056698791718986326422165338410240434622535651973130317258910864126949138811728733234242823761721094580016312567994876355977290595150173698782912369086472872529553967236231071883865023093463957994083296463510818583374365404140666089519037612178

[(54378971213289398953784088432450365616857947331656976856187769983595603428029791430301072236126565740,
  1),
 (54378971213289398953784088432450365616857947331656976856187769983595603428029791430301072236126565740,
  2),
 (54378971213289398953784088432450365616857947331656976856187769983595603428029791430301072236126565740,
  3),
 (54378971213289398953784088432450365616857947331656976856187769983595603428029791430301072236126565740,
  4),
 (54378971213289398953784088432450365616857947331656976856187769983595603428029791430301072236126565740,
  4),
 (54378971213289398953784088432450365616857947331656976856187769983595603428029791430301072236126565740,
  5),
 (54378971213289398953784088432450365616857947331656976856187769983595603428029791430301072236126565740,
  6),
 (54378971213289398953784088432450365616857947331656976856187769983595603428029791430301072236126565740,
  7),
 (54378971213289398953784088432450365616857947331656976856187769983595603428029791430301072236126565740,
  8),
 

In [14]:
coppersmith([5, 1], 11, 3, 10)

[] Solving x + 5 = 0 mod 11 
	for x <= 10 
	for m = 3
[] f: [-150, -35, 4, 1], row: (-150, -350, 400, 1000)
[] f: [-330, -11, 11], row: (-330, -110, 1100, 0)
[] f: [1331], row: (1331, 0, 0, 0)
[] f: [605, 121], row: (605, 1210, 0, 0)


[(6, 1), (-5, 2), (6, 1), (-5, 1), (-5, 1)]