The following code and the outputs was given. It seems that the flag is encrypted with random numbers. We can get the upper k bits of two consecutive values, named w0 and w1. We can get the flag when the prediction of pseudo random numbers can be achieved using these.
Let \(F(v) = v^2 + b\) over \(\mathbb{F}_p\) and \(n\) be the nbits. Then \(v_0\) and \(v_1\) are given by the following equations.
\[\begin{eqnarray} v_0 &=& 2^{n-k} w_0 + x \\ v_1 &=& 2^{n-k} w_1 + y \end{eqnarray}\]
Here \(x\) and \(y\) are unknown quantities. If they are found, we can expect the pseudo random sequences. Expanding \(v_1\), we get further
\[\begin{eqnarray} v_1 &=& F(v_0) \\ &=& (2^{n-k}w_0 + x)^2 + b \end{eqnarray}\]
Thus, we get the following equation
\[\begin{eqnarray} f(x, y) &=& 2^{n-k}w_1 + y - ((2^{n-k}w_0 + x)^2 + b) \\ &=& y + c_2x^2 + c_1x + c_0 \\ &=& 0\end{eqnarray}\]
where \(c_i \ (i=0,...,2)\) are suitable constants (They are explicitly depend on know parameters).
For easy understanding, the equation is written \(y + c_2x^2 + c_1x + c_0 \equiv 0 \mod p\) as a congruence in integers.
Now, \(k = \lceil \frac{nd}{d + 1} \rceil \ where\ d = \deg f\), and therefore we can believe that required roots are found by Coppersmith's method.
Here is the flag zer0pts{is_blum_blum_shub_safe?}