1
import logging
2

3
from sage.all import ZZ
4

5
from shared import small_roots
6

7

8
def modular_univariate(f, N, m, t, X):
9
    """
10
    Computes small modular roots of a univariate polynomial.
11
    More information: May A., "New RSA Vulnerabilities Using Lattice Reduction Methods" (Section 3.2)
12
    :param f: the polynomial
13
    :param N: the modulus
14
    :param m: the amount of normal shifts to use
15
    :param t: the amount of additional shifts to use
16
    :param X: an approximate bound on the roots
17
    :return: a generator generating small roots of the polynomial
18
    """
19
    f = f.monic().change_ring(ZZ)
20
    pr = f.parent()
21
    x = pr.gen()
22
    delta = f.degree()
23

24
    logging.debug("Generating shifts...")
25

26
    shifts = []
27
    for i in range(m):
28
        for j in range(delta):
29
            g = x ** j * N ** (m - i) * f ** i
30
            shifts.append(g)
31

32
    for i in range(t):
33
        h = x ** i * f ** m
34
        shifts.append(h)
35

36
    L, monomials = small_roots.create_lattice(pr, shifts, [X], order=None)
37
    L = small_roots.reduce_lattice(L)
38
    polynomials = small_roots.reconstruct_polynomials(L, f, N ** m, monomials, [X])
39
    for roots in small_roots.find_roots(pr, polynomials):
40
        yield roots[x],
41

42