Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
jvdsn
GitHub Repository: jvdsn/crypto-attacks
 Path: blob/master/shared/small_roots/coron_direct.py
2589 views
1
import logging

2


3
from sage.all import ZZ

4
from sage.all import matrix

5


6
from shared import small_roots

7
from shared.polynomial import max_norm

8


9


10
def integer_bivariate(p, k, X, Y, echelon_algorithm="default", roots_method="groebner"):

11
    """

12
    Computes small integer roots of a bivariate polynomial.

13
    More information: Coron J., "Finding Small Roots of Bivariate Integer Polynomial Equations: a Direct Approach"

14
    :param p: the polynomial

15
    :param k: the amount of shifts to use

16
    :param X: an approximate bound on the x roots

17
    :param Y: an approximate bound on the y roots

18
    :param echelon_algorithm: the algorithm to use to calculate the Echelon form of L (default: "default")

19
    :param roots_method: the method to use to find roots (default: "groebner")

20
    :return: a generator generating small roots (tuples of x and y roots) of the polynomial

21
    """

22
    pr = p.parent()

23
    x, y = pr.gens()

24
    delta = max(p.degrees())

25


26
    (i0, j0), W = max_norm(p(x * X, y * Y))

27


28
    logging.debug("Calculating n...")

29
    S = matrix(ZZ, k ** 2, k ** 2)

30
    for a in range(k):

31
        for b in range(k):

32
            s = x ** a * y ** b * p

33
            for i in range(k):

34
                for j in range(k):

35
                    S[a * k + b, i * k + j] = s.coefficient([i0 + i, j0 + j])

36


37
    n = abs(S.det())

38
    logging.debug(f"Found {n = }")

39


40
    # Monomials are collected in "left" and "right" lists, which determine where the columns are in relation to each other.

41
    # This partition ensures the Echelon form will set desired monomial coefficients to zero.

42
    logging.debug("Generating monomials...")

43
    left_monomials = []

44
    right_monomials = []

45
    for i in range(k + delta):

46
        for j in range(k + delta):

47
            if 0 <= i - i0 < k and 0 <= j - j0 < k:

48
                left_monomials.append(x ** i * y ** j)

49
            else:

50
                right_monomials.append(x ** i * y ** j)

51


52
    assert len(left_monomials) == k ** 2

53
    monomials = left_monomials + right_monomials

54


55
    logging.debug("Generating shifts...")

56


57
    shifts = []

58
    for a in range(k):

59
        for b in range(k):

60
            s = x ** a * y ** b * p

61
            shifts.append(s)

62


63
    for monomial in monomials:

64
        r = monomial * n

65
        shifts.append(r)

66


67
    logging.debug(f"Filling the lattice ({len(shifts)} x {len(monomials)})...")

68
    L = matrix(ZZ, len(shifts), len(monomials))

69
    for row, shift in enumerate(shifts):

70
        for col, monomial in enumerate(monomials):

71
            L[row, col] = shift.monomial_coefficient(monomial) * monomial(X, Y)

72


73
    logging.debug("Generating Echelon form...")

74
    L = L.echelon_form(algorithm=echelon_algorithm)

75


76
    L2 = L.submatrix(k ** 2, k ** 2, (k + delta) ** 2 - k ** 2)

77
    L2 = small_roots.reduce_lattice(L2)

78
    # Only use right monomials now (corresponding the the sublattice).

79
    polynomials = small_roots.reconstruct_polynomials(L2, p, n, right_monomials, [X, Y])

80
    for roots in small_roots.find_roots(pr, [p] + polynomials, method=roots_method):

81
        yield roots[x], roots[y]

82


83