Recovering a Sum of Two Squares Decomposition Revisited

Abstract

Recently, in [6] Gomez et al. presented algorithms to recover a decomposition of an integer \(N=rA^2+sB^2\), where N, r, s are positive integers, and A, B are the wanted unknowns. Their first algorithm recovers two addends by directly using rigorous Coppersmith’s bivariate integer method when the error bounds of given approximations to A and B are less than \(N^{\frac{1}{6}}\). Then by combining with the linearization technique, they improved this theoretical bound to \(N^{\frac{1}{4}}\). In this paper, we heuristically reach the bound \(N^{\frac{1}{4}}\) with experimental supports by transforming the integer polynomial concerned in their first algorithm into a modular one. Then we describe a better heuristic algorithm, the dimension of the lattice involved in this improved method is much smaller under the same error bounds.

Appendices

A Analysis for Remark 2

In this part, we give the details to show that when dealing with Eq. (3) as a non-constant modular polynomial (4), the corresponding error bound is \(N^{1/6}\).

First, we display the trick for finding the small roots of \(f_2(x,y)=rx^2+sy^2+2A_0rx+2B_0sy \equiv 0~mod~(N-rA_0^2-sB_0^2).\) Set \(M=N-rA_0^2-sB_0^2\) as the modulus. The shifting polynomials for this equation can be constructed as

$$ \left\{ \begin{aligned}&g^1_{k,i}(x,y)=y^iM^m,\\&i=1,...,2m;\\&g^2_{k,i}(x,y)=x^jy^if_3^k(x,y)M^{m-k},\\&k=0,...,m-1;j=1,2;i=0,...,2(m-k-1); \end{aligned} \right. $$

Suppose \(|x|\le X=N^{\delta },|y|\le Y=N^{\delta }\), then \(M\approx N^{\frac{1}{2}+\delta }\). Similarly, the coefficients of \(g^1(xX,yY),g^2(xX,yY)\) can be arranged as a lower triangular lattice \(\mathcal {L}_1\), whose determinant can be easily calculated as \(det(\mathcal {L}_1)=X^{S_X}Y^{S_Y}M^{S_M}\), where

$$\begin{aligned} \begin{aligned}&\omega =2m^2+2m=2m^2+o(m^2).\\&S_X=\frac{1}{3}m(4m^2+3m+2)=\frac{4}{3}m^3+o(m^3).\\&S_Y=\frac{1}{3}m(4m^2+3m+2)=\frac{4}{3}m^3+o(m^3).\\&S_M=\frac{1}{3}m(4m^2+9m-1)=\frac{4}{3}m^3+o(m^3). \end{aligned} \end{aligned}$$

Put these values into inequality \(det(\mathcal {L}_1)\le M^{m\omega }\), we obtain \(\delta \le \frac{1}{6},\) which means that the error bound derived by this method is

$$\varDelta \le N^{\frac{1}{6}},$$

a poorer bound compared to \(N^{\frac{1}{4}}\). The experimental results in Table 5 show that this method works much better in practice than in theoretic analysis, although still weaker than the result in Sect. 3.2.

B Analysis for Remark 3

Notice that the problem of finding coordinates for vector \(\mathbf {e}-\mathbf {f}\) can also be transformed into solving a non-constant modular equation

$$\begin{aligned} q(\alpha ,\beta )&=(ru_1^2+su_2^2)\alpha ^2+(rv_1^2+sv_2^2)\beta ^2+2(ru_1v_1+su_2v_2)\alpha \beta \\&\quad +(2rf_1u_1+2sf_2u_2-u_3)\alpha +(2rf_1v_1+2rf_2v_2-v_3)\beta \\&\equiv 0~mod~(N-2rA_0f_1-2sB_0f_2-rf_1^2-sf_2^2-rA_0^2-sB_0^2) \end{aligned}$$

Set \(M=|N-2rA_0f_1-2sB_0f_2-rf_1^2-sf_2^2-rA_0^2-sB_0^2|\) as the modulus. Then the problem reduced to solving

$$q'(x,y)=x^2+b_2y^2+b_3xy+b_4x+b_5y \equiv 0~mod~M.$$

Here we assume that \(q'(x,y)\) is a monic irreducible polynomial, since we can make it satisfied by multiplying the modular inverse term. We apply Coppersmith’s method to solve this polynomial. The shifting polynomials can be constructed as

$$ \left\{ \begin{aligned}&g^1_{k,i}(x,y)=y^iM^m,\\&i=1,...,2m;\\&g^2_{k,i}(x,y)=y^iq'^k(x,y)M^{m-k},\\&k=1,...,m,i=0,...,2(m-k);\\&g^3_{k,i}(x,y)=xy^iq'^k(x,y)M^{m-k},\\&k=0,...,m-1,i=0,...,2(m-k)-1; \end{aligned} \right. $$

From the former analysis, we know that \(|x|,|y|\le \varDelta ^{3/2}N^{-1/4}=X=Y\), and \(M\approx \varDelta ^{2}\). Similarly, the coefficients of \(g^1(xX,yY),g^2(xX,yY)\) and \(g^3(xX,yY)\) can be arranged as a lower triangular lattice \(\mathcal {L}_2\), whose determinant can be easily calculated as \(det(\mathcal {L}_2)=X^{S_X}Y^{S_Y}M^{S_M}\), where

$$\begin{aligned} \begin{aligned}&\omega =2m^2+3m=2m^2+o(m^2).\\&S_X=\frac{2}{3}m(2m^2+3m+1)=\frac{4}{3}m^3+o(m^3).\\&S_Y=\frac{2}{3}m(2m^2+3m+1)=\frac{4}{3}m^3+o(m^3).\\&S_M=\frac{1}{6}m(8m^2+15m+1)=\frac{4}{3}m^3+o(m^3). \end{aligned} \end{aligned}$$

Put these values into inequality \(det(\mathcal {L}_2)\le M^{m\omega }\), we gain the corresponding error bound

$$ \varDelta \le N^{\frac{1}{4}}. $$