示例#1
0
  /**
   * Method based on FFT to find the determinant and the first coefficient of w(x) this suffices to
   * find w(x) completely
   *
   * @param q the polynomial
   * @param n the degree
   * @return The determinant and the first coefficient of w(x).
   */
  static BigInteger[] gzModZ2(Polynomial q, int n) {
    int i;
    int N = 1 << n;

    Polynomial V = new Polynomial(q.coeffs); // V = q
    Polynomial U = new Polynomial(1); // U = 1
    U.setCoeff(0, new BigInteger("1"));
    Polynomial F = new Polynomial(N); // F(x) = x^N +1
    F.setCoeff(0, new BigInteger("1"));
    F.setCoeff(N, new BigInteger("1"));
    Polynomial V2 = new Polynomial(N);

    while (N > 1) {
      V2 = new Polynomial(V.coeffs);
      for (i = 1; i <= V2.degree; i += 2) { // set V2(x) := V(-x)
        V2.coeffs[i] = V2.coeffs[i].negate(); // negate odd coefficients
      }
      V = Polynomial.mod(Polynomial.mult(V, V2), F); // V := V(x) * V(-x) mod f(x)
      U = Polynomial.mod(Polynomial.mult(U, V2), F); // U := U(x) * V(-x) mod f(x)

      // Sanity-check: verify that the odd coefficients in V are zero
      for (i = 1; i <= V.degree; i += 2)
        if (!V.coeffs[i].equals(new BigInteger("0"))) {
          return null;
        }

      // "Compress" the non-zero coefficients of V
      for (i = 1; i <= V.degree / 2; i++) V.coeffs[i] = V.coeffs[2 * i];
      for (; i <= V.degree; i++) V.coeffs[i] = new BigInteger("0");
      V.normalize();

      // Set U to the "compressed" ( U(x) + U(-x) ) /2
      for (i = 0; i <= U.degree / 2; i++) U.coeffs[i] = U.coeffs[2 * i];
      for (; i <= U.degree; i++) U.coeffs[i] = new BigInteger("0");
      U.normalize();

      // Set N := N/2 and update F accordingly
      F.coeffs[N] = new BigInteger("0");
      N >>= 1;
      F.coeffs[N] = new BigInteger("1");
      F.normalize();
    }

    return new BigInteger[] {V.coeffs[0], U.coeffs[0]};
  }
示例#2
0
  /**
   * Verifies whether the polynomial q yields a lattice with the correct HNF and odd resultant,
   * computes the determinant (or resultant), root and inverse polynomial w(x)
   *
   * @param q the polynomial yielding the lattice
   * @param n the dimension
   * @return True if the polynomial suffices, false otherwise.
   */
  boolean invModFx(Polynomial q, int n) {
    int N = 1 << n;
    BigInteger res, wi = null;

    if (q.degree >= N) return false;

    // compute resultant and w0
    BigInteger w0, w1;
    BigInteger rw[] = gzModZ2(q, n);
    res = rw[0];
    w0 = rw[1];

    if (Functions.isEven(res)) { // Resultant must be odd
      return false;
    }

    // repeat for the polynomial x*q(x) mod x^N+1
    Polynomial qx = new Polynomial(N);
    for (int i = N - 1; i > 0; i--) {
      qx.setCoeff(i, q.coeffs[i - 1]); // copy 1st N-1 coeffs
    }
    qx.setCoeff(0, q.coeffs[N - 1].negate()); // negate last coeff
    qx.normalize();
    rw = gzModZ2(qx, n);
    res = rw[0];
    w1 = rw[1];

    // now that we have res, w0, w1, set root = w1/w0 mod res
    // make sure things are positive
    if (res.signum() == -1) {
      res = res.negate();
      w0 = w0.negate();
      w1 = w1.negate();
    }
    if (w0.signum() < 0) w0 = w0.add(res);
    if (w1.signum() < 0) w1 = w1.add(res);

    BigInteger inv =
        Functions.xgcd(w0, res); // returns a = w0^{-1} if w0 invertible, null otherwise
    if (inv == null) {
      return false; // verify that w0^{-1} exists
    }
    root = w1.multiply(inv).divideAndRemainder(res)[1]; // root= w1 * w0^{-1} mod res

    BigInteger tmp = root.modPow(new BigInteger(Integer.toString(N)), res);
    // it should hold that root^n = -1 mod res
    if (!tmp.add(new BigInteger("1")).equals(res)) {
      return false;
    }
    W = new BigInteger[N]; // get the entire polynomial w(x), for debug purposes
    W[0] = w0;
    W[1] = w1;
    for (int k = 2; k < N; k++) {
      W[k] = W[k - 1].multiply(root).mod(res);
    }
    // for decryption only a single odd coefficient of w(x) is necessary
    int i = 0;
    if (((w0.compareTo(res.shiftRight(1)) <= 0) && Functions.isOdd(w0))
        || ((w0.compareTo(res.shiftRight(1)) > 0) && Functions.isEven(w0))) {
      wi = w0;
    } else {
      if (((w1.compareTo(res.shiftRight(1)) <= 0) && Functions.isOdd(w1))
          || ((w1.compareTo(res.shiftRight(1)) > 0) && Functions.isEven(w1))) {
        wi = w1;
      } else {
        for (i = 2; i < N; i++) {
          w1 = w1.multiply(root).mod(res); // (w1.multiply(root)).divideAndRemainder(res)[1];
          if (((w1.compareTo(res.shiftRight(1)) <= 0) && Functions.isOdd(w1))
              || ((w1.compareTo(res.shiftRight(1)) > 0) && Functions.isEven(w1))) {
            wi = w1;
            break;
          }
        }
      }
    }

    det = res;
    w = wi;
    return ((i == N) ? false : true); // We get i==N only if all the wi's are even
  }