tfeneuil
/
LeakLWE2
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Fork of the official github repository of the framework Leaky-LWE-Estimator, a Sage Toolkit to attack and estimate the hardness of LWE with Side Information. https://github.com/lducas/leaky-LWE-Estimator
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10 Commits
1 Branch
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
LeakLWE2/framework/instance_gen.sage

instance_gen.sage 6.8KB
Raw Permalink Blame History 

  1. from random import shuffle, randint

  2. 

  3. load("../framework/proba_utils.sage")

  4. load("../framework/DBDD_predict_diag.sage")

  5. load("../framework/DBDD_predict.sage")

  6. load("../framework/DBDD.sage")

  7. 

  8. 

  9. def initialize_from_LWE_instance(dbdd_class, n, q, m, D_e,

  10.                                  D_s, diag=False, verbosity=1):

  11.     """

  12.     constructor that builds a DBDD instance from a LWE instance

  13.     :n: (integer) size of the secret s

  14.     :q: (integer) modulus

  15.     :m: (integer) size of the error e

  16.     :D_e: distribution of the error e (dictionnary form)

  17.     :D_s: distribution of the secret s (dictionnary form)

  18.     """

  19.     if verbosity:

  20.         logging("     Build DBDD from LWE     ", style="HEADER")

  21.         logging("n=%3d \t m=%3d \t q=%d" % (n, m, q), style="VALUE")

  22.     # define the mean and sigma of the instance

  23.     mu_e, s_e = average_variance(D_e)

  24.     mu_s, s_s = average_variance(D_s)

  25.     mu = vec(m * [mu_e] + n * [mu_s] + [1])

  26.     S = diagonal_matrix(m * [s_e] + n * [s_s] + [0])

  27.     # draw matrix A and define the lattice

  28.     A = matrix([[randint(0, q) for _ in range(n)] for _ in range(m)])

  29.     B = build_LWE_lattice(-A, q)

  30.     D = build_LWE_lattice(A/q, 1/q)

  31.     # draw the secrets

  32.     s = vec([draw_from_distribution(D_s) for _ in range(n)])

  33.     e = vec([draw_from_distribution(D_e) for _ in range(m)])

  34.     # compute the public value t and build a target

  35.     b = (s * A.T + e) % q

  36.     tar = concatenate([b, [0] * n])

  37.     B = kannan_embedding(B, tar)

  38.     D = kannan_embedding(D, concatenate([-b/q, [0] * n])).T

  39.     u = concatenate([e, s, [1]])

  40.     return A, b, dbdd_class(B, S, mu, u, verbosity=verbosity, D=D, Bvol=m*log(q))

  41. 

  42. 

  43. def initialize_from_LWR_instance(dbdd_class, n, q, p, m, D_s, verbosity=1):

  44.     if verbosity:

  45.         logging("     Build DBDD from LWR     ", style="HEADER")

  46.         logging("n=%3d \t m=%3d \t q=%d \t p=%d" % (n, m, q, p), style="VALUE")

  47.     D_e = build_mod_switching_error_law(q, p)

  48.     # draw matrix A and define the lattice

  49.     A = matrix([[randint(0, q) for _ in range(n)] for _ in range(m)])

  50.     s = vec([draw_from_distribution(D_s) for _ in range(n)])

  51.     B = build_LWE_lattice(-A, q)

  52.     b = q / p * ((p / q) * s * A.T).apply_map(lambda x: x.round(mode='down'))

  53.     e = b - s * A.T

  54.     tar = concatenate([b, [0] * n])

  55.     B = kannan_embedding(B, tar)

  56.     u = concatenate([e, s, [1]])

  57.     # define the mean and sigma of the instance

  58.     mu_e, s_e = average_variance(D_e)

  59.     mu_s, s_s = average_variance(D_s)

  60.     mu = vec(m * [mu_e] + n * [mu_s] + [1])

  61.     S = diagonal_matrix(m * [s_e] + n * [s_s] + [0])

  62.     return A, b, dbdd_class(B, S, mu, u, verbosity=verbosity)

  63. 

  64. 

  65. def initialize_round5_instance(dbdd_class, n, q, p, h, m, D_e,

  66.                                D_s, verbosity=1):

  67.     if verbosity:

  68.         logging("     Build DBDD from round5     ", style="HEADER")

  69.         logging("n=%3d \t m=%3d \t q=%d \t p=%d" % (n, m, q, p), style="VALUE")

  70.     # draw matrix A and define the lattice

  71.     assert (h % 2 == 0), "Round5 requires 2 to divide h"

  72.     A = matrix([[randint(0, q) for _ in range(n)] for _ in range(m)])

  73.     s = h / 2 * [1] + h / 2 * [-1] + (n - h) * [0]

  74.     shuffle(s)

  75.     s = vec(s)

  76.     B = build_LWE_lattice(-A, q)

  77.     b = vec([q / p * (round((p / q) * ((s * A.T)[0][i] % q)) % p)

  78.              for i in range(n)])

  79.     e = vec([((- s * A.T)[0][i] + b[0][i]) % q

  80.              if ((- s * A.T)[0][i] + b[0][i]) % q < q / 2

  81.              else ((- s * A.T)[0][i] + b[0][i]) % q - q

  82.              for i in range(n)])

  83.     tar = concatenate([b, [0] * n])

  84.     B = kannan_embedding(B, tar)

  85.     u = concatenate([e, s, [1]])

  86.     # define the mean and sigma of the instance

  87.     mu_e, s_e = average_variance(D_e)

  88.     mu_s, s_s = average_variance(D_s)

  89.     mu = vec(m * [mu_e] + n * [mu_s] + [1])

  90.     S = diagonal_matrix(m * [s_e] + n * [s_s] + [0])

  91.     return A, b, dbdd_class(B, S, mu, u, verbosity=verbosity)

  92. 

  93. 

  94. def initialize_LAC_instance(dbdd_class, n, q, m, D_e, D_s, verbosity=1):

  95.     if verbosity:

  96.         logging("     Build DBDD for LAC     ", style="HEADER")

  97.         logging("n=%3d \t m=%3d \t q=%d" % (n, m, q), style="VALUE")

  98.     # draw matrix A and define the lattice

  99.     A = matrix([[randint(0, q) for _ in range(n)] for _ in range(m)])

  100.     B = build_LWE_lattice(-A, q)

  101.     assert (n % 4 == 0) and (m % 4 == 0), "LAC requires 4 to divide n and m"

  102.     s = (n / 4) * [0, 1, 0, -1]

  103.     shuffle(s)

  104.     s = vec(s)

  105.     e = (m / 4) * [0, 1, 0, -1]

  106.     shuffle(e)

  107.     e = vec(e)

  108.     b = (s * A.T + e) % q

  109.     tar = concatenate([b, [0] * n])

  110.     B = kannan_embedding(B, tar)

  111.     u = concatenate([e, s, [1]])

  112.     # define the mean and sigma of the instance

  113.     mu_e, s_e = average_variance(D_e)

  114.     mu_s, s_s = average_variance(D_s)

  115.     mu = vec(m * [mu_e] + n * [mu_s] + [1])

  116.     S = diagonal_matrix(m * [s_e] + n * [s_s] + [0])

  117.     return A, b, dbdd_class(B, S, mu, u, verbosity=verbosity)

  118. 

  119. 

  120. def initialize_NTRU_instance(dbdd_class, n, q, m, D_e, D_s, verbosity=1):

  121.     if verbosity:

  122.         logging("     Build DBDD for NTRU HPS VERSION     ", style="HEADER")

  123.         logging("n=%3d \t m=%3d \t q=%d" % (n, m, q), style="VALUE")

  124. 

  125.     assert (q % 16 == 0), "NTRU-HPS requires 16 to divide q"

  126.     A = matrix([[randint(0, q) for _ in range(n)] for _ in range(m)])

  127.     B = build_LWE_lattice(-A, q)

  128.     if q / 8 - 2 <= 2 * n / 3:

  129.         hamming_weight = (q / 16 - 1)

  130.     else:

  131.         hamming_weight = floor(n / 3)

  132.     s = hamming_weight * [1] + hamming_weight * \

  133.         [-1] + (n - 2 * hamming_weight) * [0]

  134.     shuffle(s)

  135.     s = vec(s)

  136.     e = vec([draw_from_distribution(D_e) for _ in range(m)])

  137.     b = (s * A.T + e) % q

  138.     tar = concatenate([b, [0] * n])

  139.     B = kannan_embedding(B, tar)

  140.     u = concatenate([e, s, [1]])

  141.     # define the mean and sigma of the instance

  142.     mu_e, s_e = average_variance(D_e)

  143.     mu_s, s_s = average_variance(D_s)

  144.     mu = vec(m * [mu_e] + n * [mu_s] + [1])

  145.     S = diagonal_matrix(m * [s_e] + n * [s_s] + [0])

  146.     return A, b, dbdd_class(B, S, mu, u, verbosity=verbosity)

  147. 

  148. 

  149. # def initialize_NTRU_prime_instance(dbdd_class, n, q, m, h, D_f,

  150. #                                    D_g, verbosity=1):

  151. #     if verbosity:

  152. #         logging("     Build DBDD for NTRU PRIME VERSION     ", style="HEADER")

  153. #         logging("n=%3d \t m=%3d \t q=%d \t h=%d" % (n, m, q, h), style="VALUE")

  154. 

  155. #     A = matrix([[randint(0, q) for _ in range(n)] for _ in range(m)])

  156. #     B = build_LWE_lattice(-A, q)

  157. #     e = h * [1] + (n - h) * [0]

  158. #     shuffle(e)

  159. #     e = [(-1) ** randint(0, 1) * e[i] for i in range(len(e))]

  160. #     e = vec(e)

  161. #     s = vec([draw_from_distribution(D_g) for _ in range(m)])

  162. #     b = (s * A.T + e) % q

  163. #     tar = concatenate([b, [0] * n])

  164. #     B = kannan_embedding(B, tar)

  165. #     u = concatenate([e, s, [1]])

  166. #     # define the mean and sigma of the instance

  167. #     mu_e, s_e = average_variance(D_g)

  168. #     mu_s, s_s = average_variance(D_f)

  169. #     mu = vec(m * [mu_e] + n * [mu_s] + [1])

  170. #     S = diagonal_matrix(m * [s_e] + n * [s_s] + [0])

  171. #     return A, b, dbdd_class(B, S, mu, u, verbosity=verbosity)