Re: Hypotheses on P(x) in zncoppersmith?

Karim Belabas on Wed, 04 Dec 2019 23:17:58 +0100

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: Hypotheses on P(x) in zncoppersmith?

To: Georgi Guninski <gguninski@gmail.com>
Subject: Re: Hypotheses on P(x) in zncoppersmith?
From: Karim Belabas <Karim.Belabas@math.u-bordeaux.fr>
Date: Wed, 4 Dec 2019 23:17:58 +0100
Cc: pari-dev@pari.math.u-bordeaux.fr
Delivery-date: Wed, 04 Dec 2019 23:17:58 +0100
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=math.u-bordeaux.fr; s=mail; t=1575497875; bh=dk5NwSbi3aJ/5pOfc/ZNlNI9eQxM+RFnrs3kfTOt69U=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=T0MhngaxXE6ngT16bBUM7raV4jInF69e4P1qg/kbZk/4xWiA9HKE5BVJJr8KSHmpj k4NMuaIisPoHq+Aaq7EVOG8PlkM2dXiJHBndPHPCUuYw/BNiFWb05TfWLRD/xZAko8 Eloh6sTaCBFUONx9tPFTUxSv9noj4bB0qZVKfXFU=
In-reply-to: <CAGUWgD9zHiFuzE-MdXs0rJeiRtzFr+HTyT7=AWtPT-XUqkpr0w@mail.gmail.com>
Mail-followup-to: Georgi Guninski <gguninski@gmail.com>, pari-dev@pari.math.u-bordeaux.fr
References: <CAGUWgD90sU1XhdKky-Y_2SKHriHxdip3_7cW8VL4iQcwVpqphg@mail.gmail.com> <20191204012601.43cdbq4yfzgwhg6t@math.u-bordeaux.fr> <CAGUWgD9zHiFuzE-MdXs0rJeiRtzFr+HTyT7=AWtPT-XUqkpr0w@mail.gmail.com>
User-agent: NeoMutt/20180716

* Georgi Guninski [2019-12-04 09:15]:
> On Wed, Dec 4, 2019 at 3:26 AM Karim Belabas
> <Karim.Belabas@math.u-bordeaux.fr> wrote:
> 
> > When gcd(lc(P), N) > 1, there is no easy formula. The best I can come
> > up with is the following
> >
> >   d := deg P
> >   b := log_N B
> >   x := log_N X
> >   p := log_N gcd(lc(P), N)
> >
> 
> Your constraints are so restrictive I am not sure
> they are ever satisfiable.
> Do you have explicit N,P with gcd(N,lc(P))>1 where
> zncoppersmith finds root?

Sure. Here's a "random" example in the "small p" category [ 2) in my original
message ]

q = nextprime(10^20);
N = q * nextprime(10^10) * nextprime(10^30) * nextprime(10^50);
P = q * t + 100000000189172653204751006593737760787542892542935566160916650706339174019956544019987983467739604695370082353

p = log(q) / log(N);
b = 1/2;
x = 0.1;

? zncoppersmith(P, N, N^x, sqrtint(N))
%1 = [-11987937]

? gcd(subst(P,t,%1[1]), N)
%2 = 10000000000000000003900000000000000000000000000015100000000000000005889

? x * (1 + p*(1-2)) - (b - p)^2   \\ negative
%3 = -0.019421487604037331500073537357409660596

I'm not claiming that the feature is very useful, just that this is supported
with no extra cost in the implementation. (And that the documentation is now
correct.)

Cheers,

    K.B.
--
Karim Belabas, IMB (UMR 5251)  Tel: (+33) (0)5 40 00 26 17
Universite de Bordeaux         Fax: (+33) (0)5 40 00 21 23
351, cours de la Liberation    http://www.math.u-bordeaux.fr/~kbelabas/
F-33405 Talence (France)       http://pari.math.u-bordeaux.fr/  [PARI/GP]
`

References:
- Hypotheses on P(x) in zncoppersmith?
  - From: Georgi Guninski <gguninski@gmail.com>
- Re: Hypotheses on P(x) in zncoppersmith?
  - From: Karim Belabas <Karim.Belabas@math.u-bordeaux.fr>
- Re: Hypotheses on P(x) in zncoppersmith?
  - From: Georgi Guninski <gguninski@gmail.com>

Prev by Date: Re: Hypotheses on P(x) in zncoppersmith?
Next by Date: Re: change to qfbsolve to handle arbitrary integers
Previous by thread: Re: Hypotheses on P(x) in zncoppersmith?
Next by thread: Re: Solving x^2+n*y^2=a without factoring positive $n$?
Index(es):
- Date
- Thread