import logging
from abc import ABCMeta
from abc import abstractmethod
from math import gcd
from sage.all import ZZ
from shared import small_roots
class Strategy(metaclass=ABCMeta):
@abstractmethod
def generate_S_M(self, f, m):
"""
Generates the S and M sets.
:param f: the polynomial
:param l: the leading monomial
:param m: the amount of normal shifts to use
:return: a tuple containing the S and M sets
"""
pass
class BasicStrategy(Strategy):
    """
    Basic strategy: S holds the monomials of f^(m-1) and M the monomials of f^m.
    """

    def generate_S_M(self, f, m):
        """
        Generates the S and M sets.
        :param f: the polynomial
        :param m: the amount of normal shifts to use
        :return: a tuple containing the S and M sets
        """
        lower_power = f ** (m - 1)
        upper_power = f ** m
        return set(lower_power.monomials()), set(upper_power.monomials())
class ExtendedStrategy(Strategy):
    """
    Extended strategy: the monomials of f^(m-1) are additionally multiplied by extra powers
    of each variable. t[i] is the number of extra powers (x_i^0 .. x_i^t[i]) used for the
    i-th generator of f's parent ring, so t must have one entry per variable.
    M then collects the monomials of monomial * f for every monomial in S.
    """

    def __init__(self, t):
        self.t = t

    def generate_S_M(self, f, m):
        """
        Generates the S and M sets.
        :param f: the polynomial
        :param m: the amount of normal shifts to use
        :return: a tuple containing the S and M sets
        """
        gens = f.parent().gens()
        assert len(gens) == len(self.t)

        base_monomials = (f ** (m - 1)).monomials()
        S = set()
        for xi, ti in zip(gens, self.t):
            extra_powers = [xi ** j for j in range(ti + 1)]
            S.update(monomial * power for monomial in base_monomials for power in extra_powers)

        # Every shift polynomial monomial * f contributes its monomials to M.
        M = set().union(*((monomial * f).monomials() for monomial in S))
        return S, M
class Ernst1Strategy(Strategy):
    """
    First Ernst-style strategy for a polynomial in exactly three variables (the ring
    generators are unpacked as x1, x2, x3; any other number of variables fails).
    The exponent of x3 is bounded in terms of the exponent of x2 (i3 <= i2 + t).
    """

    def __init__(self, t):
        self.t = t

    def generate_S_M(self, f, m):
        """
        Generates the S and M sets.
        :param f: the polynomial (three variables)
        :param m: the amount of normal shifts to use
        :return: a tuple containing the S and M sets
        """
        x1, x2, x3 = f.parent().gens()
        t = self.t
        # S: i1 + i2 <= m - 1, i3 <= i2 + t.
        S = {
            x1 ** i1 * x2 ** i2 * x3 ** i3
            for i1 in range(m)
            for i2 in range(m - i1)
            for i3 in range(i2 + t + 1)
        }
        # M: same shape with the degree budget raised to i1 + i2 <= m.
        M = {
            x1 ** i1 * x2 ** i2 * x3 ** i3
            for i1 in range(m + 1)
            for i2 in range(m - i1 + 1)
            for i3 in range(i2 + t + 1)
        }
        return S, M
class Ernst2Strategy(Strategy):
    """
    Second Ernst-style strategy for a polynomial in exactly three variables (the ring
    generators are unpacked as x1, x2, x3; any other number of variables fails).
    Unlike Ernst1Strategy, the extra shifts t widen the range of x2 and the range of x3
    does not depend on the exponent of x2.
    """

    def __init__(self, t):
        self.t = t

    def generate_S_M(self, f, m):
        """
        Generates the S and M sets.
        :param f: the polynomial (three variables)
        :param m: the amount of normal shifts to use
        :return: a tuple containing the S and M sets
        """
        x1, x2, x3 = f.parent().gens()
        t = self.t
        # S: i1 <= m - 1, i2 <= m - 1 - i1 + t, i3 <= m - 1 - i1.
        S = {
            x1 ** i1 * x2 ** i2 * x3 ** i3
            for i1 in range(m)
            for i2 in range(m - i1 + t)
            for i3 in range(m - i1)
        }
        # M: same shape with every bound raised by one.
        M = {
            x1 ** i1 * x2 ** i2 * x3 ** i3
            for i1 in range(m + 1)
            for i2 in range(m - i1 + t + 1)
            for i3 in range(m - i1 + 1)
        }
        return S, M
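def integer_multivariate(f, m, W, X, strategy, roots_method="resultants"):
    """
    Computes small integer roots of a multivariate polynomial.
    More information: Jochemsz E., May A., "A Strategy for Finding Roots of Multivariate Polynomials with New Applications in Attacking RSA Variants" (Section 2.2)
    The bounds X are copied before use: when a bound has to be bumped to make it coprime to
    the constant coefficient, the caller's list is left untouched.
    :param f: the polynomial
    :param m: the parameter m
    :param W: the parameter W
    :param X: a list (any sequence) of approximate bounds on the roots for each variable
    :param strategy: the strategy to use (Appendix B)
    :param roots_method: the method to use to find roots (default: "resultants")
    :return: a generator generating small roots (tuples) of the polynomial
    """
    pr = f.parent()
    x = pr.gens()
    assert len(x) > 1
    # Private copy: the per-variable bounds may be adjusted below and must not leak back.
    X = list(X)
    assert len(X) == len(x)

    S, M = strategy.generate_S_M(f, m)

    # l[j] is the largest exponent of x_j over all monomials in S; it fixes the power of
    # X_j each shift is scaled by and the contribution of X_j to the modulus R.
    l = [0] * len(x)
    for monomial in S:
        for j, xj in enumerate(x):
            l[j] = max(l[j], monomial.degree(xj))

    a0 = int(f.constant_coefficient())
    assert a0 != 0
    # The constant coefficient must be invertible modulo R = W * prod(X_j^l_j), so W and
    # every X_j are bumped upwards until they are coprime to a0.
    while gcd(a0, W) != 1:
        W += 1
    R = W
    for j, Xj in enumerate(X):
        while gcd(a0, Xj) != 1:
            Xj += 1
        R *= Xj ** l[j]
        X[j] = Xj
    assert gcd(a0, R) == 1
    # Normalize f so that its constant term becomes 1 modulo R.
    f_ = (pow(a0, -1, R) * f % R).change_ring(ZZ)

    logging.debug("Generating shifts...")
    shifts = set()
    monomials = set()
    for monomial in S:
        # Shift of f_ by a monomial of S, scaled so every variable reaches exponent l_j in X.
        g = monomial * f_
        for xj, Xj, lj in zip(x, X, l):
            g *= Xj ** (lj - monomial.degree(xj))
        shifts.add(g)
        monomials.add(monomial)
    for monomial in M:
        # Monomials only in M \ S enter as R-multiples.
        if monomial not in S:
            shifts.add(monomial * R)
            monomials.add(monomial)

    L = small_roots.fill_lattice(shifts, monomials, X)
    L = small_roots.reduce(L)
    polynomials = small_roots.reconstruct_polynomials(L, f, monomials, X)
    for roots in small_roots.find_roots([f] + polynomials, pr, method=roots_method):
        yield tuple(roots[xi] for xi in x)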