# Homework 5

## Note on Lists

As [observed in the book](https://luisfinotti.org/pcimc/08-CRT_Bezout.html#scope-of-variables), one has to be careful when a functions takes a list as an argument, as it might, unintentionally, alter the original.  If that is not the intent, one should make a *copy* of the list with either

```python
new_list = old_list.copy()
```

or, with the advantage of making other objects like tuples into lists, with

```python
new_list = list(old_list)
```

## Problem 1: Chinese Remainder Theorem

Given a lists $a = (a_1, \ldots, a_k)$ and $m = (m_1, \ldots , m_k)$, with all $m_i$'s pairwise relatively prime find an integer $x$ between $0$ and $n = \mathrm{lcm}(m_1, \ldots, m_k)$ such that
$$
    x \equiv a_1 \pmod{m_1}, \\
    x \equiv a_2 \pmod{m_2}, \\ 
    \vdots \\
    x \equiv a_k \pmod{m_k}.
$$
Note that by the [Chinese Remainder Theorem](https://luisfinotti.org/pcimc/08-CRT_Bezout.html#th-crt) we know such $x$ exists (since the $m_i$'s are pairwise relatively prime).

Since it should be unique in $\Z/n\Z$, where $n = \mathrm{lcm}(m_1, \ldots , m_k)$, as above, give your solution in $\mathbb{Z}/n\mathbb{Z}$, **not** in $\mathbb{Z}$.

**Hint:** The process is [described in the book](https://luisfinotti.org/pcimc/08-CRT_Bezout.html#the-chinese-remainder-theorem) and an [Example](https://luisfinotti.org/pcimc/08-CRT_Bezout.html#example) is given.  But note that we can use the list method [pop](https://www.w3schools.com/Python/ref_list_pop.asp) to remove elements from the end, and the method [append](https://www.w3schools.com/python/ref_list_append.asp) to add elements to the end of the list.  So, one can use them to replace the *last* two congruences with a single one, instead of the first two.

In [None]:
def my_crt(a, m):
    """
    Given lists a = [a1, a2, ...] and m = [m1, m2, ...] find x such that x is
    congruent to ao mod ai for each i.

    INPUTS:
    a: a list of integers.
    m: a list of pairwise relatively prime integers greater than or equal to 2
       of the same length as a.  (The moduli.)

    OUTPUT:
    Some interger x between 0 and the prodcut of entries of m minus 1 such that
    x is congruent to ai modulo mi for each i.
    """
    a = list(a)  # copy of a
    m = list(m)  # copy of m
    ...

Test it:

In [None]:
number_of_tests = 30
max_length = 10
max_mod = 10000


for _ in range(number_of_tests):
    length = randint(1, max_length + 1)
    m = []
    while len(m) < length:
        mi = ZZ(randint(2, max_mod))
        stop = False
        for mj in m:
            if gcd(mi, mj) != 1:
                stop = True
                break
        if not stop:
            m.append(mi)

    a = [ZZ(randint(0, mi)) for mi in m]

    # let's create copies to be safe
    cm = list(m)
    ca = list(a)

    res_mod = prod(m)
    result = my_crt(ca, cm)
    expected = Mod(crt(a, m), res_mod)

    if ca != a or cm != m:
        print(f"Your function changed the lists!")
        print(f"Original a: {a}.  After: {ca}.")
        print(f"Original m: {m}.  After: {cm}.")
        break

    n = parent(result).characteristic()

    if n != res_mod:
        print(f"Failed for {a = } and {m = }.")
        print(f"Your solution should be modulo {res_mod}Z, not modulo {n}.")
        break

    if result != Mod(expected, n):
        print(f"Failed for {a = } and {m = }.")
        print(f"The solution should be {expected}, not {result}.")
        break
else:
    print("It works!")

## Problem 2: Extended Euclidean Algorithm for Many Integers

In this problem we will compute the $\gcd(a_1,a_2,\ldots, a_n)$ and find $r_1, r_2, \ldots , r_n$ such that $\gcd(a_1,a_2,\ldots, a_n) = r_1 \cdot a_1 + r_2 \cdot a_2 + \cdots + r_n \cdot a_n$.  This is [discussed in the book](https://luisfinotti.org/pcimc/08-CRT_Bezout.html#generalized-bezout-s-lemma) and the [algorithm is given](https://luisfinotti.org/pcimc/08-CRT_Bezout.html#al-geea).  (We also have [an example](https://luisfinotti.org/pcimc/08-CRT_Bezout.html#id2).)

The input then is a list `v` (with $v = (a_1, \ldots , a_n)$) and the output is a pair `d, w`, where $d$ is the GCD of the $a_i$'s and $w = (r_1, \ldots, r_n)$ as above.  (After you find `d` and `w`, you just do `return d, w` in your function.)

**Hints:**

  * Make sure to make a copy of `v` instead of working directly with it!
  * To remove the the last element of a list, use the method `.pop()`.  It gives as *output* the last element of the list **and** removes this last element from the list itself (thus changing the list.)
  * To add an element, say `a`, to the beginning of a vector/list `v`, you can do `v.insert(0, a)`, or `[a] + v`.  
  * To multiply all elements of a list `v` by a number `a`, you can do `[x * a for x in v]`.

**Note:**  One could also do this using a [recursion](https://en.wikipedia.org/wiki/Recursion_(computer_science)), but it is not as efficient.

In [None]:
def xea2(v):
    """
    Extended Euclidean Algorithm for a vector v.  If v = [a1, a2, ... , an], then
    retruns the GCD d of the ai's and [r1, r2, ... , rn] such that 
      d = r1 * a1 + r2 * a2 + ... + rn * an.

    INPUT:
    v: a list of integers.

    OUTPUT:
    d: the GCD of the elements of v.
    w: a list [r1, r2, ..., rn] that coordinatewise multiplied by v and added
       gives d.
    """
    v = list(v)  # make a copy to not alter original!
    ...

Test it:

In [None]:
number_of_tests = 30
max_length = 10  # max length of v
max_a = 10000  # max number

for _ in range(number_of_tests):
    v = [randint(1, max_a) for i in range(randint(2, max_length + 1))]
    vv = list(v)  # to make sure the function doesn't mess v up
    d_res, w_res = xea2(v)
    d_exp = gcd(v)

    if v != vv:
        print(f"You've changed the original v.  Original: {vv}.  After the function: {v}.")
        break

    if len(w_res) != len(v):
        print(f"Your w has length {len(w_res)}, but it should have the same length {len(vv)}, the same as v.")
        print(f"{w_res = }")
        print(f"{v = }")
        break

    if d_res != d_exp:
        print(f"It gives GCD {d_res} when it should be {d_exp}.")
        print(f"{w_res = }")
        break

    res_sum = sum([vv[i] * w_res[i] for i in range(len(vv))])
    if res_sum != d_res:
        print(f"It adds to {res_sum}, not to the GCD {d_res}.")
        print(f"{w_res = }")
        print(f"{v = }")
        break
else:
    print("It works!")

### Alternative (but worse!) Solution: Recursion

**You cannot use this (recursion) in your solution!**

Here is the idea: If `v` has length 2, just use Sage's built in `xgcd` to get the GCD of the two elements and the two entries of the ouptut vector.

For *larger length* (all that comes now assumes that `v` has length greater than 2), we can use a [recursion](https://en.wikipedia.org/wiki/Recursion_(computer_science)): we have that $\gcd(a_1,a_2,\ldots ,a_n) = \gcd(a_1, \gcd(a_2, \ldots , a_n))$ (which we can get using `xgcd`, since the right-hand side has only two entries, $a_1$ and $\gcd(a_2, \ldots , a_n)$!).

So, inside our function we call the function itself with `xea3(v[1:])` (where `v[1:]` just gives the vector `v` minus its first entry, i.e., $(a_2, \ldots , a_n)$).  This gives some `e` (which is $\gcd(a_2, \ldots ,a_n)$) and a vector `w` (that gives the linear combination for this smaller vector), say $w = (t_2, \ldots, t_n)$.

With `e` we can call `xgcd(v[0], e)`, which gives `g, r, s`, where `g` is the GCD of `v[0]` and `e` (so, the GCD of $a_1$ and $\gcd(a_2, \ldots, a_n)$, i.e., $\gcd(a_1, a_2, \ldots, a_n)$ which we wanted), and `g = r*v[0] + s*e`.  So, we already have our GCD to give (namely, `g` above), and hence we just need the vector that gives the linear combination.  This is simply $(r, s \cdot t_2, s \cdot t_3 , \ldots , s \cdot t_n)$ (with $r$ and $s$ from this last call of `xgcd` and $t_i$'s from the vector `w` from the recursive call (in the above paragraph)).

In [None]:
def xea3(v):
    """
    Extended Euclidean Algorith for a vector v, but USING RECURSION!

    If v = [a1, a2, ... , an], then retruns the GCD d of the ai's and 
    [r1, r2, ... , rn] such that 
      d = r1 * a1 + r2 * a2 + ... + rn * an.

    INPUT:
    v: a list of integers.

    OUTPUT:
    d: the GCD of the elements of v.
    w: a list [r1, r2, ..., rn] that coordinatewise multiplied by v and added
       gives d.
    """
    if len(v) == 2:
        d, u, v = xgcd(v[0], v[1])
        return d, [u, v]
    e, w = xea3(v[1:])  # calls itself
    d, r, s = xgcd(v[0], e)
    return d, [r] + [s * x for x in w]

Let's test it:

In [None]:
number_of_tests = 30
max_length = 10  # max length of v
max_a = 10000  # max number

for _ in range(number_of_tests):
    v = [randint(1, max_a) for i in range(randint(2, max_length + 1))]
    vv = list(v)  # to make sure the function doesn't mess v up
    d_res, w_res = xea3(v)
    d_exp = gcd(v)

    if v != vv:
        print(f"You've changed the original v.  Original: {vv}.  After the function: {v}.")
        break

    if len(w_res) != len(v):
        print(f"Your w has length {len(w_res)}, but it should have the same length {len(vv)}, the same as v.")
        print(f"{w_res = }")
        print(f"{v = }")
        break

    if d_res != d_exp:
        print(f"It gives GCD {d_res} when it should be {d_exp}.")
        print(f"{w_res = }")
        break

    res_sum = sum([vv[i] * w_res[i] for i in range(len(vv))])
    if res_sum != d_res:
        print(f"It adds to {res_sum}, not to the GCD {d_res}.")
        print(f"{w_res = }")
        print(f"{v = }")
        break
else:
    print("It works!")

But let's test it and compare with some long list:

In [None]:
length = 965
max_a = 100000000
v = [randint(max_a // 2, max_a) for i in range(length)]

In [None]:
%%time
res1 = xea2(v)

In [None]:
%%time
res2 = xea3(v)

In [None]:
res1 == res2

So, the times are pretty similar!  But see what happens for even longer lists:

In [None]:
length = 20000
max_a = 10000000
v = [randint(max_a // 2, max_a) for i in range(length)]

In [None]:
%%time
res1 = xea2(v)

In [None]:
%%time
res2 = xea3(v)

## Problem 3: Pohlig-Hellman Algorithm

Here we will implement the [Pohlig-Hellman algorithm](https://luisfinotti.org/pcimc/09-Improving_DL.html#al-ph) described the book.

Given elements $g$ and $h$ in $\mathbb{F}_p^{\times}$, we want to solve the discrete log of $h$ base $g$ (i.e., find $x$ such that $g^x = h$), by solving for elements whose order that are a *power of a prime only* (so if $|g| = q^e$ for some prime $q$ and positive integer $e$).

To solve these, you call Sage's own `discrete_log(h, g)` function.  (Note that $h$ comes first!)  **But, you can only use it if $g$ has order power of prime!**

We will assume that there is a solution here!  (No need to check for that in your code.)

You will also need to use the Chinese Remainder Theorem.  Instead of using your own (above), use Sage's built in `crt(a, m)` (with `a` and `m` as in the previous problem, so it's the same syntax!).  On the other hand, its output is an *integer*.

To factor $N$, the order of the given $g$, use Sage's `factor(N)`.  Although `factor(N)` prints "nicely", it is actually a vector of the form `[[p1, e1], [p2, e2], ... ,[pk, ek]]`, where $N = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$:

In [None]:
N = 2^4 * 3^7 * 5^11
N_factorization = factor(N)
print(N_factorization)

It prints it nicely, but we can *loop through the factorization*:

In [None]:
for q, e in N_factorization:
    print(f"prime = {q}, power = {e}")

Note that your output, namely the $x$ that is a solution of $g^x = h$, must be an *integer* in $\{0, 1, \ldots, N-1 \}$  (where $N = |g|$).

In [None]:
def pha(h, g):
    """
    Use the Pohlig-Hellman algorithm to compute the discrete log by reducing
    to the case when g has order power of a prime.

    INPUTS:
    h, g: units of Zmod(p), where h is some power of g.

    OUTPUT:
    The discrete log base g of h, i.e., the power x such that g^x = h (an integer
    between 0 and the order of g minus one).
    """
    ...

Test it:

In [None]:
number_of_tests = 30
minp = 100
maxp = 10000

for _ in range(number_of_tests):
    p = random_prime(maxp, lbound=minp)
    F = FiniteField(p)
    g = F.primitive_element()
    k = randint(2, p - 2)
    h = g^k
    result = pha(h, g)
    if result != k:
        print(f"Fails for {p = }, with {g = } and {h = }.  The result should be {k}, not {result}.")
        break
else:
    print("It works!")

## Problem 4:  Reduce DLP to Order Prime Only

Now, we will solve the discrete log $\log_g(h)$ in the case when $|g|=q^e$, for some $q$ prime and positive integer $e$, by reducing to the case when $|g|$ is prime, using the [algorithm described in the book](https://luisfinotti.org/pcimc/09-Improving_DL.html#al-dl-power).

So, similar to the above, you will call Sage's `discrete_log(h, g)`, but now **only for $g$ of *prime order* (and not power of prime order).**

Hence, we will *assume* here that the given $g$ has order power of prime.  You do not need to check it in your code.

**Hint:** 

1) There is also an [example in the book](https://luisfinotti.org/pcimc/09-Improving_DL.html#example) that might also help.
2) Since we know that $|g| = q^e$, we can get $q$ and $e$ with `q, e = factor(g.multiplicative_order())[0]`.

In [None]:
def pha2(h, g):
    """
    Given g of order power of a prime, compute the discrete log of h base g by
    reducing to computations of discrete logs with bases of prime order.

    INPUTS:
    h, g: units of Zmod(p), where g has order power of some prime and h is some 
          power of g.

    OUTPUT:
    The discrete log base g of h, i.e., the power x such that g^x = h (an integer
    between 0 and the order of g minus one).
    """
    ...

Test it:

In [None]:
number_of_tests = 30
minp = 100
maxp = 100000

for _ in range(number_of_tests):
    while True:
        p = random_prime(maxp, lbound=minp)
        f = [v for v in factor(p - 1)]
        f = f[1:]  # let's remove powers of 2
        if f != []:
            exponents = [v[1] for v in f]
            e = max(exponents)
            if e >= 4:
                i = exponents.index(e)
                q = f[i][0]
                break
    F = FiniteField(p)
    g = F.primitive_element()^((p - 1) / q^e)
    k = randint(2, q^e - 1)
    h = g^k
    result = pha2(h, g)
    if result != k:
        print(
            f"Faild for {p = }, {g = }, and {h = }.  The result should be {k}, not {result}."
        )
        break
else:
    print("It works!")

## Reading: Optimizing the DLP

(You don't have to do any work in this section, but you should read it!)

So, one can put the previous two problems together with Shank's *Baby-Step/Giant-Step* algorithm (from the previous HW) to compute discrete logs (without using Sage at all) efficiently, as long as we factor $|g|$ (which might actually be hard).

It would go something like this (to find $x$ such that $g^x = h$):

1. Factor $N=|g|$, say $N = q_1^{e_1} \cdots q_k^{e_k}$.
2. Use the Pohlig-Hellman algorithm (your function `pha`) to reduce this computation to computations of discrete logs for $g$ of order power of a prime.
3. Instead of calling Sage's `discrete_log` inside `pha`, you call `pha2`, to break this computation into computations of discrete logs only for $g$ of prime order.
4. Instead of calling Sage's `discrete_log` inside `pha2`, you use the Baby-Step/Giant-Step algorithm (`bsgs` from the previous HW.)

I've run a test comparing using the Baby-Step/Giant-Step algorithm directly, for $|g| = 61119897840 = 2^4 \cdot 3^4 \cdot 5 \cdot 389 \cdot 24247$, and this method described above to compare the two.  The former took 1 minutes and 41 seconds, while the latter took 3 *milisconds*!

If your functions were implemented correctly, you can try this out.  (I can't show it here since it would give away solutions.)