【rsa】低指数相关消息攻击

https://link.springer.com/content/pdf/10.1007/3-540-68339-9_1.pdf

from Crypto.Util.number import *
import binascii
import gmpy2
flag = '*****************************************'
hex_flag=int(flag.encode("hex"),16)

p=getPrime(256)
q=getPrime(256)
n=p*q

e=0x3
c1=pow(hex_flag,e,n)
c2=pow(hex_flag+1,e,n)


print("n=",hex(n))
print("e=",hex(e))
print("c1=",hex(c1))
print("c2=",hex(c2))

'''
('n=', '0xb28ae8f29f8b90e8b8c5667b2b71e49929446b41f7f7a3e9e45bc52a1e8c45d59c1788be48a9c365d51feee0b2cd3295001cdad1ba5ccf808686b5ce5a269ae5L')
('e=', '0x3')
('c1=', '0x7ba5502ecbc3b15ad8c2db8f30a593eb062dde4d7dfacadf0a28291d1a576389a18dfba0607c0243f843f637449089dd2090d47ee9845d4147f02afd4d891f19L')
('c2=', '0x891ac4f663df41c1f6433ee3513d749c3ba02fe0aacd7f51d791b9bac4f7e5194bd484d78d972c344faf600f7d3aa580485774768efc47ab8ddb67eeeb330fa1L')
'''

solve

#!/usr/bin/python
# -*- coding: utf-8 -*-
import gmpy2

n = 9351035609579912430580224362406913775216485260866801060250235841497131649675821473038044490729550589638048144137033269711790417615294506088800324197718757
e = 3
c1 =6475853636479050645596496086080582816789963066323389815672770714308619633711541909793891052802547415987144453383534840748034987689956953991901404774080281
c2 =7180748878269451580223627474056868509561249251375351465737365567454518806786657134253453800373864987758778056252628950652794949518011402960483137799524257

def related_messages(a, b, c1, c2, n):
    a3 = pow(a, 3, n)
    b3 = pow(b, 3, n)
    mpoly = ((c2 + 2*a3*c1 - b3) * b) % n
    poly = ((c2 - a3*c1 + 2*b3) * a) % n
    tmp3 = gmpy2.invert(poly, n)
    m = (mpoly * tmp3) % n
    return m

m = related_messages(1, 1, c1, c2, n)
print(bytes.fromhex(hex(m)[2:]))
#b'flag is :3e7f54b8ad38787670776c2698a67c01'