1
import os
2
import sys
3

4
from sage.all import ZZ
5
from sage.all import matrix
6

7
path = os.path.dirname(os.path.dirname(os.path.dirname(os.path.realpath(os.path.abspath(__file__)))))
8
if sys.path[1] != path:
9
    sys.path.insert(1, path)
10

11
from shared import symmetric_mod
12

13

14
def attack(x, rho):
15
    """
16
    Solves the ACD problem using the orthogonal based approach.
17
    More information: Galbraith D. S. et al., "Algorithms for the Approximate Common Divisor Problem" (Section 4)
18
    :param x: the x samples, with xi = p * qi + ri
19
    :param rho: the bit length of the r values
20
    :return: the secret integer p and a list containing the r values, or None if p could not be found
21
    """
22
    assert len(x) >= 2, "At least two x values are required."
23

24
    R = 2 ** rho
25

26
    B = matrix(ZZ, len(x), len(x) + 1)
27
    for i, xi in enumerate(x):
28
        B[i, 0] = xi
29
        B[i, i + 1] = R
30

31
    B = B.LLL()
32

33
    K = B.submatrix(row=0, col=1, nrows=len(x) - 1, ncols=len(x)).right_kernel()
34
    q = K.an_element()
35
    r0 = symmetric_mod(x[0], q[0])
36
    p = abs((x[0] - r0) // q[0])
37
    r = [symmetric_mod(xi, p) for xi in x]
38
    if all(-R < ri < R for ri in r):
39
        return int(p), r
40

41