NSA Backdoor - picoCTF 2022
vulnerability: non-prime field with m<p

Rookie Mistake - HTB
vulnerability: non-prime field with m>p and factorisation of N

log log log - Angstrom CTF 2022
vulnerability: smooth field order (allowing Pohlig–Hellman algorithm)

Break the Log - EmbeddedSecurityCTF 2022
vulnerability: m < p (mod p^2)

MEWTWO - squeamishossifrage
vulnerability: isomorphism (mod p^2)

janken-vs-yoshiking-2 - Cake CTF 2023
vulnerability: discrete log of two matrices with smooth field order

Too Many Leaks - GCC CTF 2024
vulnerability: partial secrets given

Strong Primes - DDC 2024
vulnerability: oracle encrypting same message multiple times