tfeneuil
/
LeakLWE2
Bevaka 1
Stjärnmärk 0
Förgrening 0
Kod Ärenden 0 Pull-förfrågningar 0 Släpp 0 Wiki Aktiviteter
Fork of the official github repository of the framework Leaky-LWE-Estimator, a Sage Toolkit to attack and estimate the hardness of LWE with Side Information. https://github.com/lducas/leaky-LWE-Estimator
Du kan inte välja fler än 25 ämnen Ämnen måste starta med en bokstav eller siffra, kan innehålla bindestreck ('-') och vara max 35 tecken långa.
2 Incheckningar
1 Gren
Träd: e0394e60f6
Grenar Taggar
${ item.name }
Skapa branchen ${ searchTerm }
från 'e0394e60f6'
${ noResults }
LeakLWE2/framework/geometry.sage

geometry.sage 8.1KB
Normal View Historik

First Commit
4 år sedan
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308 
  1. from numpy.linalg import inv as np_inv

  2. # from numpy.linalg import slogdet as np_slogdet

  3. from numpy import array

  4. import numpy as np

  5. 

  6. 

  7. def dual_basis(B):

  8.     """

  9.     Compute the dual basis of B

  10.     """

  11.     return B.pseudoinverse().transpose()

  12. 

  13. 

  14. def projection_matrix(A):

  15.     """

  16.     Construct the projection matrix orthogonally to Span(V)

  17.     """

  18.     S = A * A.T

  19.     return A.T * S.inverse() * A

  20. 

  21. 

  22. def project_against(v, X):

  23.     """ Project matrix X orthonally to vector v"""

  24.     # Pv = projection_matrix(v)

  25.     # return X - X * Pv

  26.     Z = (X * v.T) * v / scal(v * v.T)

  27.     return X - Z

  28. 

  29. 

  30. # def make_primitive(B, v):

  31. #     assert False

  32. #     # project and Scale v's in V so that each v

  33. #     # is in the lattice, and primitive in it.

  34. #     # Note: does not make V primitive as as set of vector !

  35. #     # (e.g. linear dep. not eliminated)

  36. #     PB = projection_matrix(B)

  37. #     DT = dual_basis(B).T

  38. #     v = vec(v) * PB

  39. #     w = v * DT

  40. #     den = lcm([x.denominator() for x in w[0]])

  41. #     num = gcd([x for x in w[0] * den])

  42. #     if num==0:

  43. #         return None

  44. #     v *= den/num

  45. #     return v

  46. 

  47. 

  48. def vol(B):

  49.     return sqrt(det(B * B.T))

  50. 

  51. 

  52. def project_and_eliminate_dep(B, W):

  53.     # Project v on Span(B)

  54.     PB = projection_matrix(B)

  55.     V = W * PB

  56.     rank_loss = V.nrows() - V.rank()

  57. 

  58.     if rank_loss > 0:

  59.         print("WARNING: their were %d linear dependencies out of %d " %

  60.               (rank_loss, V.nrows()))

  61.         V = V.LLL()

  62.         V = V[rank_loss:]

  63. 

  64.     return V

  65. 

  66. 

  67. def is_cannonical_direction(v):

  68.     v = vec(v)

  69.     return sum([x != 0 for x in v[0]]) == 1

  70. 

  71. 

  72. def cannonical_param(v):

  73.     v = vec(v)

  74.     assert is_cannonical_direction(v)

  75.     i = [x != 0 for x in v[0]].index(True)

  76.     return i, v[0, i]

  77. 

  78. def remove_linear_dependencies(B, dim=None):

  79.     nrows = B.nrows()

  80.     if dim is None or nrows > dim:

  81.         #print(f'Go... [{dim}]')

  82.         B = B.LLL()

  83.         r = min([i for i in range(B.nrows()) if not B[i].is_zero()]) if dim is None else nrows-dim

  84.         B = B[r:]

  85.         #print(f'[{nrows}->{B.nrows()}]')

  86.     return B

  87. 

  88. def lattice_orthogonal_section(D, V):

  89.     """

  90.     Compute the intersection of the lattice L(B)

  91.     with the hyperplane orthogonal to Span(V).

  92.     (V can be either a vector or a matrix)

  93.     INPUT AND OUTPUT DUAL BASIS

  94.     Algorithm:

  95.     - project V onto Span(B)

  96.     - project the dual basis onto orth(V)

  97.     - eliminate linear dependencies (LLL)

  98.     - go back to the primal.

  99.     """

  100. 

  101.     #V = project_and_eliminate_dep(D, V) ## No need because D is full-rank

  102.     #r = V.nrows()

  103. 

  104.     # Project the dual basis orthogonally to v

  105.     PV = projection_matrix(V)

  106.     D = D - D * PV

  107. 

  108.     #print(f'LLL... ({return_basis})', end='')

  109.     # Eliminate linear dependencies

  110.     #if return_basis:

  111.     #    D = remove_linear_dependencies(D)

  112.     #print(f'{D.nrows()}')

  113.     #print('Done.')

  114. 

  115.     # Go back to the primal

  116.     return D

  117. 

  118. 

  119. def lattice_project_against(B, V):

  120.     """

  121.     Compute the projection of the lattice L(B) orthogonally to Span(V). All vectors if V

  122.     (or at least their projection on Span(B)) must belong to L(B). 

  123.     Algorithm:

  124.     - project V onto Span(B)

  125.     - project the basis onto orth(V)

  126.     - eliminate linear dependencies (LLL)

  127.     """

  128.     # Project v on Span(B)

  129.     #V = project_and_eliminate_dep(B, V) ## No need because D is full-rank

  130.     #r = V.nrows() # Useless

  131. 

  132.     # Check that V belogs to L(B)

  133.     D = dual_basis(B)

  134.     M = D * V.T

  135.     if not lcm([x.denominator() for x in M.list()]) == 1:

  136.         raise ValueError("Not in the lattice")

  137. 

  138.     # Project the basis orthogonally to v

  139.     PV = projection_matrix(V)

  140.     B = B - B * PV

  141. 

  142.     # Eliminate linear dependencies

  143.     #if return_basis:

  144.     #    B = remove_linear_dependencies(B)

  145. 

  146.     # Go back to the primal

  147.     return B

  148. 

  149. 

  150. def lattice_modular_intersection(D, V, k):

  151.     """

  152.     Compute the intersection of the lattice L(B) with

  153.     the lattice {x | x*V = 0 mod k}

  154.     (V can be either a vector or a matrix)

  155.     Algorithm:

  156.     - project V onto Span(B)

  157.     - append the equations in the dual

  158.     - eliminate linear dependencies (LLL)

  159.     - go back to the primal.

  160.     """

  161.     # Project v on Span(B)

  162.     #V = project_and_eliminate_dep(D, V) ## No need because D is full-rank

  163.     #r = V.nrows() # Useless

  164. 

  165.     # append the equation in the dual

  166.     V /= k

  167.     # D = dual_basis(B)

  168.     D = D.stack(V)

  169. 

  170.     # Eliminate linear dependencies

  171.     #if return_basis:

  172.     #    D = remove_linear_dependencies(D)

  173. 

  174.     # Go back to the primal

  175.     return D

  176. 

  177. 

  178. def is_diagonal(M):

  179.     if M.nrows() != M.ncols():

  180.         return False

  181.     A = M.numpy()

  182.     return np.all(A == np.diag(np.diagonal(A)))

  183. 

  184. 

  185. def logdet(M, exact=False):

  186.     """ 

  187.     Compute the log of the determinant of a large rational matrix,

  188.     tryping to avoid overflows.

  189.     """

  190.     if not exact:

  191.         MM = array(M, dtype=float)

  192.         _, l = slogdet(MM)

  193.         return l

  194. 

  195.     a = abs(M.det())

  196.     l = 0

  197. 

  198.     while a > 2**32:

  199.         l += RR(32 * ln(2))

  200.         a /= 2**32

  201. 

  202.     l += ln(RR(a))

  203.     return l

  204. 

  205. 

  206. def degen_inverse(S, B=None):

  207.     """ Compute the inverse of a symmetric matrix restricted 

  208.     to its span

  209.     """

  210.     # Get an orthogonal basis for the Span of B

  211. 

  212.     if B is None:

  213.         # Get an orthogonal basis for the Span of B

  214.         V = S.echelon_form()

  215.         V = V[:V.rank()]

  216.         P = projection_matrix(V)

  217.     else:

  218.         P = projection_matrix(B)

  219. 

  220.     # make S non-degenerated by adding the complement of span(B)

  221.     C = identity_matrix(S.ncols()) - P

  222.     Sinv = (S + C).inverse() - C

  223. 

  224.     assert S * Sinv == P, "Consistency failed (probably not your fault)."

  225.     assert P * Sinv == Sinv, "Consistency failed (probably not your fault)."

  226. 

  227.     return Sinv

  228. 

  229. 

  230. def degen_logdet(S, B=None):

  231.     """ Compute the determinant of a symmetric matrix

  232.     sigma (m x m) restricted to the span of the full-rank

  233.     rectangular (k x m, k <= m) matrix V

  234.     """

  235.     # Get an orthogonal basis for the Span of B

  236. 

  237.     if B is None:

  238.         # Get an orthogonal basis for the Span of B

  239.         V = S.echelon_form()

  240.         V = V[:V.rank()]

  241.         P = projection_matrix(V)

  242.     else:

  243.         P = projection_matrix(B)

  244. 

  245.     # Check that S is indeed supported by span(B)

  246.     #assert S == P.T * S * P

  247.     assert (S - P.T * S * P).norm() <= 1e-10

  248. 

  249.     # make S non-degenerated by adding the complement of span(B)

  250.     C = identity_matrix(S.ncols()) - P

  251.     l3 = logdet(S + C)

  252.     return l3

  253. 

  254. 

  255. def square_root_inverse_degen(S, B=None):

  256.     """ Compute the determinant of a symmetric matrix

  257.     sigma (m x m) restricted to the span of the full-rank

  258.     rectangular (k x m, k <= m) matrix V

  259.     """

  260.     if B is None:

  261.         # Get an orthogonal basis for the Span of B

  262.         V = S.echelon_form()

  263.         V = V[:V.rank()]

  264.         P = projection_matrix(V)

  265.     else:

  266.         P = projection_matrix(B)

  267. 

  268.     # make S non-degenerated by adding the complement of span(B)

  269.     C = identity_matrix(S.ncols()) - P

  270.     S_inv = np_inv(array((S + C), dtype=float))

  271.     S_inv = array(S_inv, dtype=float)

  272.     L_inv = cholesky(S_inv)

  273.     L_inv = round_matrix_to_rational(L_inv)

  274.     L = L_inv.inverse()

  275. 

  276.     return L, L_inv

  277. 

  278. 

  279. def build_standard_substitution_matrix(V, pivot=None, data=None, output_data=False):

  280.     _, pivot = V.nonzero_positions()[0] if (pivot is None) else (None, pivot) 

  281.     assert V[0,pivot] != 0, 'The value of the pivot must be non-zero.'

  282.     dim = V.ncols()

  283.     

  284.     V1 = - V[0,:pivot] / V[0,pivot]

  285.     V2 = - V[0,pivot+1:] / V[0,pivot]

  286.     

  287.     Gamma = zero_matrix(QQ, dim,dim-1)

  288.     Gamma[:pivot,:pivot] = identity_matrix(pivot)

  289.     Gamma[pivot,:pivot] = V1

  290.     Gamma[pivot,pivot:] = V2

  291.     Gamma[pivot+1:,pivot:] = identity_matrix(dim-pivot-1)

  292. 

  293.     data = data if not output_data else {}

  294.     if data is not None:

  295.         norm2 = 1 + scal(V1*V1.T) + scal(V2*V2.T)

  296.         normalization_matrix = zero_matrix(QQ, dim-1,dim-1)

  297.         normalization_matrix[:pivot,:pivot] = identity_matrix(pivot) - V1.T*V1 / norm2

  298.         normalization_matrix[pivot:,pivot:] = identity_matrix(dim-pivot-1) - V2.T*V2 / norm2

  299.         normalization_matrix[:pivot,pivot:] = - V1.T*V2 / norm2

  300.         normalization_matrix[pivot:,:pivot] = - V2.T*V1 / norm2

  301.         

  302.         data['det'] = norm2

  303.         data['normalization_matrix'] = normalization_matrix

  304. 

  305.     if output_data:

  306.         return Gamma, data

  307.     else:

  308.         return Gamma