def solve_linear_congruence(a, b, c, n): """Returns a solution to ax+by=c mod n.""" a = Integer(a) b = Integer(b) x = Integer(c) n = Integer(n) x = ZZ.random_element(0, n) y = (c - a * x) * ~mod(b, n) y = Integer(mod(y, n)) assert mod(a * x + b * y, n) == mod(c, n) return x, y
def center_around(x, center, modulus): """Returns x' = x mod modulus in the interval [center - modulus / 2, center + modulus / 2]. """ x = Integer(x) modulus = Integer(modulus) k = ceil((center - modulus / 2 - x) / modulus) x_prime = x + modulus * k assert mod(x, modulus) == mod(x_prime, modulus) assert center - modulus / 2 <= x_prime <= center + modulus / 2 return x_prime
def finding_t_modln(E, l, volcano_2=True): field = E.base_field() q = E.base_field().order() j = E.j_invariant() if l == 2: mod_l = trace_of_frobenius_mod_2(E) else: mod_l = trace_of_frobenius_mod(E, l) # computes depth of volcano modulo l if mod(mod_l**2, l) != mod(4 * q, l): return mod_l, l try: result = find_full_descending_paths(j, l) except Found_0_1728: return mod_l, l if len(result) == 1: return mod_l, l n = result[3] e = result[2] modul = l**(2 * n) if e == 0: modul *= l if l == 2 and not volcano_2: if modul < 2**3: return mod_l, 2 else: return 2, 4 if l == 2: if modul < 2**3: return mod_l, 2 if modul < 2**5 or q % 8 == 3 or q % 8 == 7: return 2, 4 roots = mod(4 * q, modul).sqrt(all=True) roots = [Integer(r % (modul // 4)) for r in roots] if is_8_order(E): for r in roots: if q % 8 == 1 and r % 8 == 2: return r, Integer(modul // 4) if q % 8 == 5 and r % 8 == 6: return r, Integer(modul // 4) else: for r in roots: if q % 8 == 5 and r % 8 == 2: return r, Integer(modul // 4) if q % 8 == 1 and r % 8 == 6: return r, Integer(modul // 4) root = Integer(mod(4 * q, modul).sqrt()) if mod(root, l) == mod(mod_l, l): return root, modul else: return modul - root, modul
def _brown_indecomposable(q, p): r""" Return the Brown invariant of the indecomposable form ``q``. The values are taken from Table 2.1 in [Shim2016]_. INPUT: - ``q`` - an indecomposable quadratic form represented by a rational `1 \times 1` or `2 \times 2` matrix - ``p`` - a prime number EXAMPLES:: sage: from sage.modules.torsion_quadratic_module import _brown_indecomposable sage: q = Matrix(QQ, [1/3]) sage: _brown_indecomposable(q,3) 6 sage: q = Matrix(QQ, [2/3]) sage: _brown_indecomposable(q,3) 2 sage: q = Matrix(QQ, [5/4]) sage: _brown_indecomposable(q,2) 5 sage: q = Matrix(QQ, [7/4]) sage: _brown_indecomposable(q,2) 7 sage: q = Matrix(QQ, 2, [0,1,1,0])/2 sage: _brown_indecomposable(q,2) 0 sage: q = Matrix(QQ, 2, [2,1,1,2])/2 sage: _brown_indecomposable(q,2) 4 """ v = q.denominator().valuation(p) if p == 2: # brown(U) = 0 if q.ncols() == 2: if q[0, 0].valuation(2) > v + 1 and q[1, 1].valuation(2) > v + 1: # type U return mod(0, 8) else: # type V return mod(4 * v, 8) u = q[0, 0].numerator() return mod(u + v * (u**2 - 1) / 2, 8) if p % 4 == 1: e = -1 if p % 4 == 3: e = 1 if v % 2 == 1: u = q[0, 0].numerator() // 2 if legendre_symbol(u, p) == 1: return mod(1 + e, 8) else: return mod(-3 + e, 8) return mod(0, 8)
def _brown_indecomposable(q, p): r""" Return the Brown invariant of the indecomposable form ``q``. The values are taken from Table 2.1 in [Shim2016]_. INPUT: - ``q`` - an indecomposable quadratic form represented by a rational `1 \times 1` or `2 \times 2` matrix - ``p`` - a prime number EXAMPLES:: sage: from sage.modules.torsion_quadratic_module import _brown_indecomposable sage: q = Matrix(QQ, [1/3]) sage: _brown_indecomposable(q,3) 6 sage: q = Matrix(QQ, [2/3]) sage: _brown_indecomposable(q,3) 2 sage: q = Matrix(QQ, [5/4]) sage: _brown_indecomposable(q,2) 5 sage: q = Matrix(QQ, [7/4]) sage: _brown_indecomposable(q,2) 7 sage: q = Matrix(QQ, 2, [0,1,1,0])/2 sage: _brown_indecomposable(q,2) 0 sage: q = Matrix(QQ, 2, [2,1,1,2])/2 sage: _brown_indecomposable(q,2) 4 """ v = q.denominator().valuation(p) if p == 2: # brown(U) = 0 if q.ncols() == 2: if q[0,0].valuation(2)>v+1 and q[1,1].valuation(2)>v+1: # type U return mod(0, 8) else: # type V return mod(4*v, 8) u = q[0,0].numerator() return mod(u + v*(u**2 - 1)/2, 8) if p % 4 == 1: e = -1 if p % 4 == 3: e = 1 if v % 2 == 1: u = q[0,0].numerator()//2 if legendre_symbol(u,p) == 1: return mod(1 + e, 8) else: return mod(-3 + e, 8) return mod(0, 8)
def is_blum_prime(n): r""" Determine whether or not ``n`` is a Blum prime. INPUT: - ``n`` a positive prime. OUTPUT: - ``True`` if ``n`` is a Blum prime; ``False`` otherwise. Let `n` be a positive prime. Then `n` is a Blum prime if `n` is congruent to 3 modulo 4, i.e. `n \equiv 3 \pmod{4}`. EXAMPLES: Testing some integers to see if they are Blum primes:: sage: from sage.crypto.util import is_blum_prime sage: from sage.crypto.util import random_blum_prime sage: is_blum_prime(101) False sage: is_blum_prime(7) True sage: p = random_blum_prime(10**3, 10**5) sage: is_blum_prime(p) True """ if n < 0: return False if is_prime(n): if mod(n, 4).lift() == 3: return True else: return False else: return False
def ell_power_equiv(J, O, ell, print_progress=False): """Solve ell isogeny problem. This function only works in quaternion algebras with prime discriminant p = 3 mod 4. Args: J: A left O-ideal. O: An order in a quaternion algebra. ell: A prime. print_progress: True if you want to print progress. Returns: A pair (J, delta) where J = I*delta, delta is in the quaternion algebra and J is a nonfractional ideal in the same class as I that has ell power norm. """ B = O.quaternion_algebra() if not is_prime(B.discriminant()) or not mod(B.discriminant(), 4) == 3: raise NotImplementedError("The quaternion algebra must have prime" " discrimint p = 3 mod 4.") # When B has discriminant p = 3 mod 4 the call B.maximal_order() always # returns the first maximal order in the cases environment in Lemma 2 of # the paper. I probably shouldn't rely on this. O_special = B.maximal_order() I = connecting_ideal(O_special, O) K = I * J I_1, gamma_1 = special_ell_power_equiv(I, O_special, ell) I_2, gamma_2 = special_ell_power_equiv(K, O_special, ell) gamma = gamma_1.conjugate() * gamma_2 * I.norm() J_2 = J.scale(gamma) assert J_2.left_order() == O assert Integer(J_2.norm()).prime_factors() == [ell] assert [x in O for x in J_2.basis()] return J_2, gamma
def is_semisimple_modular(M, m, nprimes=5): """M is a pari matrix over Q(zeta_m). Check if M mod p has squarefree char poly for nprimes primes p=1 (mod m). If True for any p, return True since then the char poly of M itself must be square-free. If False for all p, return False since the M probably has non-squarefree char poly. There may therefore be false negatives. """ pol = cyclotomic_polynomial(m) pt = pari("t") np = 0 for p in prime_range(1000000): if m > 1 and not p % m == 1: continue np += 1 #print("testing modulo p={}".format(p)) if np > nprimes: #print("op not semisimple modulo {} primes, so returning False".format(nprimes)) return False zmodp = pari(pol.roots(GF(p))[0][0]) #print("zmodp = {}".format(zmodp)) try: Mmodp = M.lift() * pari(mod(1, p)) #print("Lifted matrix = {}".format(Mmodp)) Mmodp = Mmodp.subst(pt, zmodp) #print("matrix (mod {}) = {}".format(p,Mmodp)) modpcharpoly = Mmodp.charpoly() #print("char poly (mod {}) = {}".format(p,modpcharpoly)) if modpcharpoly.issquarefree(): #print("op is semisimple mod {}".format(p)) return True else: #print("op is not semisimple mod {}".format(p)) pass except PariError: ## happens if M not integral mod p np -= 1
def _normalize(G, normal_odd=True): r""" Return the transformation to sums of forms of types `U`, `V` and `W`. Part of the algorithm :meth:`p_adic_normal_form`. INPUT: - ``G`` -- a symmetric matrix over `\ZZ_p` in jordan form -- the output of :meth:`p_adic_normal_form` or :meth:`_jordan_2_adic` - ``normal_odd`` -- bool (default: True) if true and `p` is odd, compute a normal form. OUTPUT: - ``(D, B)`` -- a pair of matrices such that ``D=B*G*B.T`` is a sum of forms of types `U`, `V` and `W` for `p=2` or diagonal with diagonal entries equal `1` or `u` where `u` is the smallest non-square modulo the odd prime `p`. EXAMPLES:: sage: from sage.quadratic_forms.genera.normal_form import _normalize sage: R = Zp(3, prec = 5, type = 'fixed-mod', print_mode='series', show_prec=False) sage: G = matrix.diagonal(R, [1,7,3,3*5,3,9,-9,27*13]) sage: D, B =_normalize(G) sage: D [ 1 0 0 0 0 0 0 0] [ 0 1 0 0 0 0 0 0] [ 0 0 3 0 0 0 0 0] [ 0 0 0 3 0 0 0 0] [ 0 0 0 0 2*3 0 0 0] [ 0 0 0 0 0 3^2 0 0] [ 0 0 0 0 0 0 2*3^2 0] [ 0 0 0 0 0 0 0 3^3] """ R = G.base_ring() D = copy(G) p = R.prime() n = G.ncols() B = copy(G.parent().identity_matrix()) if p != 2: # squareclasses 1, v v = _min_nonsquare(p) v = R(v) non_squares = [] val = 0 for i in range(n): if D[i,i].valuation() > val: # a new block starts val = D[i,i].valuation() if normal_odd and len(non_squares) != 0: # move the non-square to # the last entry of the previous block j = non_squares.pop() B.swap_rows(j, i-1) d = D[i, i].unit_part() if d.is_square(): D[i, i] = 1 B[i, :] *= d.inverse_of_unit().sqrt() else: D[i, i] = v B[i, :] *= (v * d.inverse_of_unit()).sqrt() if normal_odd and len(non_squares) != 0: # we combine two non-squares to get # the 2 x 2 identity matrix j = non_squares.pop() trafo = _normalize_odd_2x2(D[[i,j],[i,j]]) B[[i,j],:] = trafo*B[[i,j],:] D[i,i] = 1 D[j,j] = 1 else: non_squares.append(i) if normal_odd and len(non_squares) != 0: j=non_squares.pop() B.swap_rows(j,n-1) else: # squareclasses 1,3,5,7 modulo 8 for i in range(n): d = D[i, i].unit_part() if d != 0: v = R(mod(d, 8)) B[i, :] *= (v * d.inverse_of_unit()).sqrt() D = B * G * B.T for i in range(n-1): if D[i, i+1] != 0: # there is a 2 x 2 block here block = D[i:i+2, i:i+2] trafo = _normalize_2x2(block) B[i:i+2, :] = trafo * B[i:i+2, :] D = B * G * B.T return D, B
def strong_approximation(mu_0, N, O, ell): """Find mu in O with nrd(mu) = ell^e and mu = lambda * mu_0 mod NO Args: mu_0: An element of Rj. N: A prime. O: An order contaning 1, i, j, k. ell: A prime. Returns: mu in O with nrd(mu) = ell^e and mu = lambda * mu_0 mod NO. """ ell = Integer(ell) N = Integer(N) B = O.quaternion_algebra() p = B.discriminant() i, j, k = B.gens() t_0, x_0, y_0, z_0 = mu_0.coefficient_tuple() assert t_0 == x_0 == 0 beta_0 = y_0 + z_0 * i # TODO: gracefully handle the case where # ~mod(p * Integer(beta_0.reduced_norm()), N) does not exist. e = 2 * ceil(log(N**4 * (p + 1) / 2, ell)) + (0 if ( ~mod(p * Integer(beta_0.reduced_norm()), N)).is_square() else 1) e_max = e + 2 * (2 * ceil(log(p, ell)) + 2) # First we solve for lambda. lamb = Integer( (ell**e * ~mod(p * Integer(beta_0.reduced_norm()), N)).sqrt()) assert mod(ell**e, N) == mod(lamb**2 * Integer(mu_0.reduced_norm()), N) mu = None count = 0 count_max = 5 * e while e < e_max: # Then we solve for beta_1. lhs = Integer( (ell**e - p * lamb**2 * Integer(beta_0.reduced_norm())) / N) y_1, z_1 = solve_linear_congruence(2 * Integer(y_0) * p * lamb, p * lamb * 2 * z_0, lhs, N) y_1 = center_around(y_1, -2 * lamb * y_0, N) z_1 = center_around(z_1, -2 * lamb * y_0, N) beta_1 = Integer(y_1) + Integer(z_1) * i assert mod(lhs, N) == mod( p * lamb * (beta_0 * beta_1.conjugate()).reduced_trace(), N) # Now we calculate r. r = Integer( (ell**e - p * (lamb * beta_0 + N * beta_1).reduced_norm()) / N**2) # In the paper they say that r can be the product of a prime and a # smooth square. For simplicity I will just wait for r prime. if not is_prime(r): count += 1 if count > count_max: print("Increasing", e, e_max) e += 2 count_max = 0 continue sol = solve_norm_equation(1, r) if sol is not None: t_1, x_1 = sol alpha_1 = t_1 + x_1 * i mu_1 = alpha_1 + beta_1 * j mu = lamb * mu_0 + N * mu_1 assert mu - lamb * mu_0 in O.left_ideal(O.basis()).scale(N) assert mu.reduced_norm() == ell**e return mu # This is sort of a random heuristic. Can do better. count += 1 if count > count_max: e += 2 count_max = 0 return None
def TaylorTwographDescendantSRG(q, clique_partition=None): r""" constructing the descendant graph of the Taylor's two-graph for `U_3(q)`, `q` odd This is a strongly regular graph with parameters `(v,k,\lambda,\mu)=(q^3, (q^2+1)(q-1)/2, (q-1)^3/4-1, (q^2+1)(q-1)/4)` obtained as a two-graph descendant of the :func:`Taylor's two-graph <sage.combinat.designs.twographs.taylor_twograph>` `T`. This graph admits a partition into cliques of size `q`, which are useful in :func:`TaylorTwographSRG <sage.graphs.generators.classical_geometries.TaylorTwographSRG>`, a strongly regular graph on `q^3+1` vertices in the Seidel switching class of `T`, for which we need `(q^2+1)/2` cliques. The cliques are the `q^2` lines on `v_0` of the projective plane containing the unital for `U_3(q)`, and intersecting the unital (i.e. the vertices of the graph and the point we remove) in `q+1` points. This is all taken from §7E of [BvL84]_. INPUT: - ``q`` -- a power of an odd prime number - ``clique_partition`` -- if ``True``, return `q^2-1` cliques of size `q` with empty pairwise intersection. (Removing all of them leaves a clique, too), and the point removed from the unital. EXAMPLES:: sage: g=graphs.TaylorTwographDescendantSRG(3); g Taylor two-graph descendant SRG: Graph on 27 vertices sage: g.is_strongly_regular(parameters=True) (27, 10, 1, 5) sage: from sage.combinat.designs.twographs import taylor_twograph sage: T = taylor_twograph(3) # long time sage: g.is_isomorphic(T.descendant(T.ground_set()[1])) # long time True sage: g=graphs.TaylorTwographDescendantSRG(5) # not tested (long time) sage: g.is_strongly_regular(parameters=True) # not tested (long time) (125, 52, 15, 26) TESTS:: sage: g,l,_=graphs.TaylorTwographDescendantSRG(3,clique_partition=True) sage: all(map(lambda x: g.is_clique(x), l)) True sage: graphs.TaylorTwographDescendantSRG(4) Traceback (most recent call last): ... ValueError: q must be an odd prime power sage: graphs.TaylorTwographDescendantSRG(6) Traceback (most recent call last): ... ValueError: q must be an odd prime power """ from sage.rings.arith import is_prime_power p, k = is_prime_power(q, get_data=True) if k == 0 or p == 2: raise ValueError('q must be an odd prime power') from sage.schemes.projective.projective_space import ProjectiveSpace from sage.rings.finite_rings.constructor import FiniteField from sage.modules.free_module_element import free_module_element as vector from sage.rings.finite_rings.integer_mod import mod from __builtin__ import sum Fq = FiniteField(q**2, 'a') PG = map(tuple, ProjectiveSpace(2, Fq)) def S(x, y): return sum(map(lambda j: x[j] * y[2 - j]**q, xrange(3))) V = filter(lambda x: S(x, x) == 0, PG) # the points of the unital v0 = V[0] V.remove(v0) if mod(q, 4) == 1: G = Graph( [V, lambda y, z: not (S(v0, y) * S(y, z) * S(z, v0)).is_square()], loops=False) else: G = Graph( [V, lambda y, z: (S(v0, y) * S(y, z) * S(z, v0)).is_square()], loops=False) G.name("Taylor two-graph descendant SRG") if clique_partition: lines = map(lambda x: filter(lambda t: t[0] + x * t[1] == 0, V), filter(lambda z: z != 0, Fq)) return (G, lines, v0) else: return G
def bin_to_ascii(B): r""" Return the ASCII representation of the binary string ``B``. INPUT: - ``B`` -- a non-empty binary string or a non-empty list of bits. The number of bits in ``B`` must be a multiple of 8. OUTPUT: - The ASCII string corresponding to ``B``. ALGORITHM: Consider a block of bits `B = b_0 b_1 \cdots b_{n-1}` where each sub-block `b_i` is a binary string of length 8. Then the total number of bits is a multiple of 8 and is given by `8n`. Let `c_i` be the integer representation of `b_i`. We can consider `c_i` as the integer representation of an ASCII character. Then the ASCII representation `A` of `B` is `A = a_0 a_1 \cdots a_{n-1}`. EXAMPLES: Convert some ASCII strings to their binary representations and recover the ASCII strings from the binary representations:: sage: from sage.crypto.util import ascii_to_bin sage: from sage.crypto.util import bin_to_ascii sage: A = "Abc" sage: B = ascii_to_bin(A); B 010000010110001001100011 sage: bin_to_ascii(B) 'Abc' sage: bin_to_ascii(B) == A True :: sage: A = "123 \" #" sage: B = ascii_to_bin(A); B 00110001001100100011001100100000001000100010000000100011 sage: bin_to_ascii(B) '123 " #' sage: bin_to_ascii(B) == A True This function also accepts strings and lists of bits:: sage: from sage.crypto.util import bin_to_ascii sage: bin_to_ascii("010000010110001001100011") 'Abc' sage: bin_to_ascii([0, 1, 0, 0, 0, 0, 0, 1]) 'A' TESTS: The number of bits in ``B`` must be non-empty and a multiple of 8:: sage: from sage.crypto.util import bin_to_ascii sage: bin_to_ascii("") Traceback (most recent call last): ... ValueError: B must be a non-empty binary string. sage: bin_to_ascii([]) Traceback (most recent call last): ... ValueError: B must be a non-empty binary string. sage: bin_to_ascii(" ") Traceback (most recent call last): ... ValueError: The number of bits in B must be a multiple of 8. sage: bin_to_ascii("101") Traceback (most recent call last): ... ValueError: The number of bits in B must be a multiple of 8. sage: bin_to_ascii([1, 0, 1]) Traceback (most recent call last): ... ValueError: The number of bits in B must be a multiple of 8. """ # sanity checks n = len(B) if n == 0: raise ValueError("B must be a non-empty binary string.") if mod(n, 8) != 0: raise ValueError("The number of bits in B must be a multiple of 8.") # perform conversion to ASCII string b = [int(str(x)) for x in list(B)] A = [] # the number of 8-bit blocks k = n // 8 for i in range(k): # Convert from 8-bit string to ASCII integer. Then convert the # ASCII integer to the corresponding ASCII character. A.append(chr(ascii_integer(b[8*i: 8*(i+1)]))) return "".join(A)
def prime_norm_representative(I, O, D, ell): """ Given an order O and a left O-ideal I return another left O-ideal J in the same class, but with prime norm. This corresponds to Step 1 in the notes. So given an ideal I it returns an ideal in the same class but with reduced norm N where N != ell is a large prime coprime to both D and p, and ell is a quadratic nonresidue module N. Args: I: A left O-ideal. O: An order in a quaternion algebra. D: An integer. ell: A prime. Returns: A pair (J, gamma) where J = I * gamma is a left O-ideal in the same class with prime norm N. N will be coprime to both D and p, and ell will be a nonquadratic residue module N. """ # TODO: Change so O is not an argument. if not is_minkowski_basis(I.basis()): print("Warning: The ideal I does not have a minkowski basis" " precomputed and Sage can not do it for you.") nrd_I = I.norm() B = I.quaternion_algebra() p = B.discriminant() alpha = B(0) normalized_norm = Integer(alpha.reduced_norm() / nrd_I) # Choose random elements in I until one is found with norm N*nrd(I) where N # is prime. m_power = 3 m = Integer(2)**m_power # TODO: Change this to a proper bound. count = 0 while (not is_prime(normalized_norm) or normalized_norm.divides(D) or normalized_norm == ell or normalized_norm == p or mod(ell, normalized_norm).is_square()): # Make a new random element. alpha = random_combination(I.basis(), bound=m) normalized_norm = Integer(alpha.reduced_norm() / nrd_I) # Increase the box we search in if we've been trying for too long. Note # this was just a random heuristic I came up with, it's not in the # paper. count += 1 if count > 4 * m_power: m_power += 1 m = Integer(2)**m_power count = 0 # We now have an element alpha with norm N*nrd(I) where N is prime. The # ideal J = I*gamma has prime norm where gamma = conjugate(alpha) / nrd(I). gamma = alpha.conjugate() / nrd_I J = I.scale(gamma) assert is_prime(Integer(J.norm())) assert not mod(ell, Integer(J.norm())).is_square() assert gcd(Integer(J.norm()), D) == 1 return J, gamma
def TaylorTwographDescendantSRG(q, clique_partition=None): r""" constructing the descendant graph of the Taylor's two-graph for `U_3(q)`, `q` odd This is a strongly regular graph with parameters `(v,k,\lambda,\mu)=(q^3, (q^2+1)(q-1)/2, (q-1)^3/4-1, (q^2+1)(q-1)/4)` obtained as a two-graph descendant of the :func:`Taylor's two-graph <sage.combinat.designs.twographs.taylor_twograph>` `T`. This graph admits a partition into cliques of size `q`, which are useful in :func:`~sage.graphs.graph_generators.GraphGenerators.TaylorTwographSRG`, a strongly regular graph on `q^3+1` vertices in the Seidel switching class of `T`, for which we need `(q^2+1)/2` cliques. The cliques are the `q^2` lines on `v_0` of the projective plane containing the unital for `U_3(q)`, and intersecting the unital (i.e. the vertices of the graph and the point we remove) in `q+1` points. This is all taken from §7E of [BvL84]_. INPUT: - ``q`` -- a power of an odd prime number - ``clique_partition`` -- if ``True``, return `q^2-1` cliques of size `q` with empty pairwise intersection. (Removing all of them leaves a clique, too), and the point removed from the unital. EXAMPLES:: sage: g=graphs.TaylorTwographDescendantSRG(3); g Taylor two-graph descendant SRG: Graph on 27 vertices sage: g.is_strongly_regular(parameters=True) (27, 10, 1, 5) sage: from sage.combinat.designs.twographs import taylor_twograph sage: T = taylor_twograph(3) # long time sage: g.is_isomorphic(T.descendant(T.ground_set()[1])) # long time True sage: g=graphs.TaylorTwographDescendantSRG(5) # not tested (long time) sage: g.is_strongly_regular(parameters=True) # not tested (long time) (125, 52, 15, 26) TESTS:: sage: g,l,_=graphs.TaylorTwographDescendantSRG(3,clique_partition=True) sage: all(map(lambda x: g.is_clique(x), l)) True sage: graphs.TaylorTwographDescendantSRG(4) Traceback (most recent call last): ... ValueError: q must be an odd prime power sage: graphs.TaylorTwographDescendantSRG(6) Traceback (most recent call last): ... ValueError: q must be an odd prime power """ p, k = is_prime_power(q,get_data=True) if k==0 or p==2: raise ValueError('q must be an odd prime power') from sage.schemes.projective.projective_space import ProjectiveSpace from sage.modules.free_module_element import free_module_element as vector from sage.rings.finite_rings.integer_mod import mod from __builtin__ import sum Fq = FiniteField(q**2, 'a') PG = map(tuple,ProjectiveSpace(2, Fq)) def S(x,y): return sum(map(lambda j: x[j]*y[2-j]**q, xrange(3))) V = filter(lambda x: S(x,x)==0, PG) # the points of the unital v0 = V[0] V.remove(v0) if mod(q,4)==1: G = Graph([V,lambda y,z: not (S(v0,y)*S(y,z)*S(z,v0)).is_square()], loops=False) else: G = Graph([V,lambda y,z: (S(v0,y)*S(y,z)*S(z,v0)).is_square()], loops=False) G.name("Taylor two-graph descendant SRG") if clique_partition: lines = map(lambda x: filter(lambda t: t[0]+x*t[1]==0, V), filter(lambda z: z != 0, Fq)) return (G, lines, v0) else: return G
def has_blum_prime(lbound, ubound): """ Determine whether or not there is a Blum prime within the specified closed interval. INPUT: - ``lbound`` -- positive integer; the lower bound on how small a Blum prime can be. The lower bound must be distinct from the upper bound. - ``ubound`` -- positive integer; the upper bound on how large a Blum prime can be. The lower bound must be distinct from the upper bound. OUTPUT: - ``True`` if there is a Blum prime ``p`` such that ``lbound <= p <= ubound``. ``False`` otherwise. ALGORITHM: Let `L` and `U` be distinct positive integers. Let `P` be the set of all odd primes `p` such that `L \leq p \leq U`. Our main focus is on Blum primes, i.e. odd primes that are congruent to 3 modulo 4, so we assume that the lower bound `L > 2`. The closed interval `[L, U]` has a Blum prime if and only if the set `P` has a Blum prime. EXAMPLES: Testing for the presence of Blum primes within some closed intervals. The interval `[4, 100]` has a Blum prime, the smallest such prime being 7. The interval `[24, 28]` has no primes, hence no Blum primes. :: sage: from sage.crypto.util import has_blum_prime sage: from sage.crypto.util import is_blum_prime sage: has_blum_prime(4, 100) True sage: for n in range(4, 100): ....: if is_blum_prime(n): ....: print(n) ....: break 7 sage: has_blum_prime(24, 28) False TESTS: Both the lower and upper bounds must be greater than 2:: sage: from sage.crypto.util import has_blum_prime sage: has_blum_prime(2, 3) Traceback (most recent call last): ... ValueError: Both the lower and upper bounds must be > 2. sage: has_blum_prime(3, 2) Traceback (most recent call last): ... ValueError: Both the lower and upper bounds must be > 2. sage: has_blum_prime(2, 2) Traceback (most recent call last): ... ValueError: Both the lower and upper bounds must be > 2. The lower and upper bounds must be distinct from each other:: sage: has_blum_prime(3, 3) Traceback (most recent call last): ... ValueError: The lower and upper bounds must be distinct. The lower bound must be less than the upper bound:: sage: has_blum_prime(4, 3) Traceback (most recent call last): ... ValueError: The lower bound must be less than the upper bound. """ # sanity checks if (lbound < 3) or (ubound < 3): raise ValueError("Both the lower and upper bounds must be > 2.") if lbound == ubound: raise ValueError("The lower and upper bounds must be distinct.") if lbound > ubound: raise ValueError("The lower bound must be less than the upper bound.") # now test for presence of a Blum prime for p in primes(lbound, ubound + 1): if mod(p, 4).lift() == 3: return True return False
def _normalize(G, normal_odd=True): r""" Return the transformation to sums of forms of types `U`, `V` and `W`. Part of the algorithm :meth:`p_adic_normal_form`. INPUT: - ``G`` -- a symmetric matrix over `\ZZ_p` in jordan form -- the output of :meth:`p_adic_normal_form` or :meth:`_jordan_2_adic` - ``normal_odd`` -- bool (default: True) if true and `p` is odd, compute a normal form. OUTPUT: - ``(D, B)`` -- a pair of matrices such that ``D=B*G*B.T`` is a sum of forms of types `U`, `V` and `W` for `p=2` or diagonal with diagonal entries equal `1` or `u` where `u` is the smallest non-square modulo the odd prime `p`. EXAMPLES:: sage: from sage.quadratic_forms.genera.normal_form import _normalize sage: R = Zp(3, prec = 5, type = 'fixed-mod', print_mode='series', show_prec=False) sage: G = matrix.diagonal(R, [1,7,3,3*5,3,9,-9,27*13]) sage: D, B =_normalize(G) sage: D [ 1 0 0 0 0 0 0 0] [ 0 1 0 0 0 0 0 0] [ 0 0 3 0 0 0 0 0] [ 0 0 0 3 0 0 0 0] [ 0 0 0 0 2*3 0 0 0] [ 0 0 0 0 0 3^2 0 0] [ 0 0 0 0 0 0 2*3^2 0] [ 0 0 0 0 0 0 0 3^3] """ R = G.base_ring() D = copy(G) p = R.prime() n = G.ncols() B = copy(G.parent().identity_matrix()) if p != 2: # squareclasses 1, v v = _min_nonsquare(p) v = R(v) non_squares = [] val = 0 for i in range(n): if D[i, i].valuation() > val: # a new block starts val = D[i, i].valuation() if normal_odd and len(non_squares) != 0: # move the non-square to # the last entry of the previous block j = non_squares.pop() B.swap_rows(j, i - 1) d = D[i, i].unit_part() if d.is_square(): D[i, i] = 1 B[i, :] *= d.inverse_of_unit().sqrt() else: D[i, i] = v B[i, :] *= (v * d.inverse_of_unit()).sqrt() if normal_odd and len(non_squares) != 0: # we combine two non-squares to get # the 2 x 2 identity matrix j = non_squares.pop() trafo = _normalize_odd_2x2(D[[i, j], [i, j]]) B[[i, j], :] = trafo * B[[i, j], :] D[i, i] = 1 D[j, j] = 1 else: non_squares.append(i) if normal_odd and len(non_squares) != 0: j = non_squares.pop() B.swap_rows(j, n - 1) else: # squareclasses 1,3,5,7 modulo 8 for i in range(n): d = D[i, i].unit_part() if d != 0: v = R(mod(d, 8)) B[i, :] *= (v * d.inverse_of_unit()).sqrt() D = B * G * B.T for i in range(n - 1): if D[i, i + 1] != 0: # there is a 2 x 2 block here block = D[i:i + 2, i:i + 2] trafo = _normalize_2x2(block) B[i:i + 2, :] = trafo * B[i:i + 2, :] D = B * G * B.T return D, B
def _relations(G, n): r""" Return relations of `2`-adic quadratic forms. See [MirMor2009]_ IV Prop. 3.2. This function is for internal use only. INPUT: - ``n`` -- an integer between 1 and 10 -- the number of the relation - ``G`` -- a block diagonal matrix consisting of blocks of types `U, V, W` the left side of the relation. If ``G`` does not match `n` then the results are unpredictable. OUTPUT: - square matrix ``B`` such that ``B * G * B.T`` is the right side of the relation which consists of blocks of types `U`, `V`, `W` again EXAMPLES:: sage: from sage.quadratic_forms.genera.normal_form import _relations sage: R = Zp(2, type = 'fixed-mod',print_mode='terse', show_prec=False) sage: U = Matrix(R,2,[0,1,1,0]) sage: V = Matrix(R,2,[2,1,1,2]) sage: W1 = Matrix(R,1,[1]) sage: W3 = Matrix(R,1,[3]) sage: W5 = Matrix(R,1,[5]) sage: W7 = Matrix(R,1,[7]) sage: G = Matrix.block_diagonal(W1,W1) sage: b = _relations(G,1) sage: b * G * b.T [5 0] [0 5] sage: G = Matrix.block_diagonal(W1,W3) sage: b = _relations(G,1) sage: b * G * b.T [5 0] [0 7] sage: G = Matrix.block_diagonal(W1,W5) sage: b = _relations(G,1) sage: b * G * b.T [5 0] [0 1] sage: G = Matrix.block_diagonal(W1,W7) sage: b = _relations(G,1) sage: b * G * b.T [5 0] [0 3] sage: G = Matrix.block_diagonal(W3,W3) sage: b = _relations(G,1) sage: b * G * b.T [7 0] [0 7] sage: G = Matrix.block_diagonal(W3,W5) sage: b = _relations(G,1) sage: b * G * b.T [7 0] [0 1] sage: G = Matrix.block_diagonal(W3,W7) sage: b = _relations(G,1) sage: b * G * b.T [7 0] [0 3] sage: G = Matrix.block_diagonal(W5,W5) sage: b = _relations(G,1) sage: b * G * b.T [1 0] [0 1] sage: G = Matrix.block_diagonal(W5,W7) sage: b = _relations(G,1) sage: b * G * b.T [1 0] [0 3] sage: G = Matrix.block_diagonal(W7,W7) sage: b = _relations(G,1) sage: b * G * b.T [3 0] [0 3] sage: G = Matrix.block_diagonal([V,V]) sage: b = _relations(G,3) sage: b * G * b.T [0 1 0 0] [1 0 0 0] [0 0 0 1] [0 0 1 0] sage: G = Matrix.block_diagonal([V,W1,W1]) sage: b = _relations(G,5) sage: b * G * b.T [0 1 0 0] [1 0 0 0] [0 0 7 0] [0 0 0 3] sage: G = Matrix.block_diagonal([V,W1,W5]) sage: b = _relations(G,5) sage: b * G * b.T [0 1 0 0] [1 0 0 0] [0 0 3 0] [0 0 0 3] sage: G = Matrix.block_diagonal([V,W3,W7]) sage: b = _relations(G,5) sage: b * G * b.T [0 1 0 0] [1 0 0 0] [0 0 5 0] [0 0 0 5] sage: G = Matrix.block_diagonal([W1,2*W1]) sage: b = _relations(G,6) sage: b * G * b.T [3 0] [0 6] sage: G = Matrix.block_diagonal([W1,2*W3]) sage: b = _relations(G,6) sage: b * G * b.T [ 7 0] [ 0 10] sage: G = Matrix.block_diagonal([W1,2*W5]) sage: b = _relations(G,6) sage: b * G * b.T [ 3 0] [ 0 14] sage: G = Matrix.block_diagonal([W1,2*W7]) sage: b = _relations(G,6) sage: b * G * b.T [7 0] [0 2] sage: G = Matrix.block_diagonal([W3,2*W5]) sage: b = _relations(G,6) sage: b * G * b.T [5 0] [0 6] sage: G = Matrix.block_diagonal([W3,2*W3]) sage: b = _relations(G,6) sage: b * G * b.T [1 0] [0 2] sage: G = Matrix.block_diagonal([2*W5,4*W7]) sage: b = _relations(G,6) sage: b * G * b.T [6 0] [0 4] sage: G = Matrix.block_diagonal([W3,2*V]) sage: b = _relations(G,7) sage: b * G * b.T [7 0 0] [0 0 2] [0 2 0] sage: G = Matrix.block_diagonal([W7,2*V]) sage: b = _relations(G,7) sage: b * G * b.T [3 0 0] [0 0 2] [0 2 0] sage: G = Matrix.block_diagonal([U,2*W1]) sage: b = _relations(G,8) sage: b * G * b.T [ 2 1 0] [ 1 2 0] [ 0 0 10] sage: G = Matrix.block_diagonal([U,2*W5]) sage: b = _relations(G,8) sage: b * G * b.T [2 1 0] [1 2 0] [0 0 2] sage: G = Matrix.block_diagonal([V,2*W1]) sage: b = _relations(G,8) sage: b * G * b.T [ 0 1 0] [ 1 0 0] [ 0 0 10] sage: G = Matrix.block_diagonal([V,2*W7]) sage: b = _relations(G,8) sage: b * G * b.T [0 1 0] [1 0 0] [0 0 6] sage: G = Matrix.block_diagonal([W1,W5,2*W5]) sage: b = _relations(G,9) sage: b * G * b.T [3 0 0] [0 3 0] [0 0 2] sage: G = Matrix.block_diagonal([W3,W3,2*W5]) sage: b = _relations(G,9) sage: b * G * b.T [5 0 0] [0 1 0] [0 0 2] sage: G = Matrix.block_diagonal([W3,W3,2*W1]) sage: b = _relations(G,9) sage: b * G * b.T [ 5 0 0] [ 0 1 0] [ 0 0 10] sage: G = Matrix.block_diagonal([W3,4*W1]) sage: b = _relations(G,10) sage: b * G * b.T [ 7 0] [ 0 20] sage: G = Matrix.block_diagonal([W5,4*W5]) sage: b = _relations(G,10) sage: b * G * b.T [1 0] [0 4] """ R = G.base_ring() if n == 1: e1 = G[0, 0].unit_part() e2 = G[1, 1].unit_part() B = Matrix(R, 2, [1, 2, 2 * e2, -e1]) if n == 2: e1 = G[0, 0].unit_part() e2 = G[1, 1].unit_part() e3 = G[2, 2].unit_part() B = Matrix(R, 3, [1, 1, 1, e2, -e1, 0, e3, 0, -e1]) if n == 3: B = Matrix(R, 4, [1, 1, 1, 0, 1, 1, 0, 1, 1, 0, -1, -1, 0, 1, -1, -1]) if n == 4: raise NotImplementedError("relation 4 is not needed") if n == 5: e1 = G[2, 2].unit_part() e2 = G[3, 3].unit_part() if mod(e1, 4) != mod(e2, 4): raise ValueError("W is of the wrong type for relation 5") B = Matrix(R, 4, [ 1, 0, 1, 1, 0, 1, 1, 1, -e2, -e2, 0, 3, -e1, -e1, 2 * e2 + 3, -2 * e1 ]) if n == 6: if G[0, 0].valuation() + 1 != G[1, 1].valuation(): raise ValueError("wrong scales for relation 6") e1 = G[0, 0].unit_part() e2 = G[1, 1].unit_part() B = Matrix(R, 2, [1, 1, -2 * e2, e1]) if n == 7: e = G[0, 0].unit_part() B = Matrix(R, 3, [-3, e**2, e**2, 2 * e, 1, 0, 2 * e, 0, 1]) if n == 8: e = G[2, 2].unit_part() if G[0, 0] == 0: B = Matrix(R, 3, [e, 0, -1, 0, e, -1, 2, 2, 1]) else: B = Matrix(R, 3, [1, 0, 1, 0, 1, 1, 2 * e, 2 * e, -3]) if n == 9: e1 = G[0, 0].unit_part() e2 = G[1, 1].unit_part() e3 = G[2, 2].unit_part() B = Matrix(R, 3, [ 1, 0, 1, 2 * e3, 1, -e1, -2 * e2 * e3, 2 * e1**2 * e3 + 4 * e1 * e3**2, e1 * e2 ]) if n == 10: e1 = G[0, 0].unit_part() e2 = G[1, 1].unit_part() B = Matrix(R, 2, [1, 1, -4 * e2, e1]) D, B1 = _normalize(B * G * B.T) return B1 * B
def random_blum_prime(lbound, ubound, ntries=100): r""" A random Blum prime within the specified bounds. Let `p` be a positive prime. Then `p` is a Blum prime if `p` is congruent to 3 modulo 4, i.e. `p \equiv 3 \pmod{4}`. INPUT: - ``lbound`` -- positive integer; the lower bound on how small a random Blum prime `p` can be. So we have ``0 < lbound <= p <= ubound``. The lower bound must be distinct from the upper bound. - ``ubound`` -- positive integer; the upper bound on how large a random Blum prime `p` can be. So we have ``0 < lbound <= p <= ubound``. The lower bound must be distinct from the upper bound. - ``ntries`` -- (default: ``100``) the number of attempts to generate a random Blum prime. If ``ntries`` is a positive integer, then perform that many attempts at generating a random Blum prime. This might or might not result in a Blum prime. OUTPUT: - A random Blum prime within the specified lower and upper bounds. .. NOTE:: Beware that there might not be any primes between the lower and upper bounds. So make sure that these two bounds are "sufficiently" far apart from each other for there to be primes congruent to 3 modulo 4. In particular, there should be at least two distinct Blum primes within the specified bounds. EXAMPLES: Choose a random prime and check that it is a Blum prime:: sage: from sage.crypto.util import random_blum_prime sage: p = random_blum_prime(10**4, 10**5) sage: is_prime(p) True sage: mod(p, 4) == 3 True TESTS: Make sure that there is at least one Blum prime between the lower and upper bounds. In the following example, we have ``lbound=24`` and ``ubound=30`` with 29 being the only prime within those bounds. But 29 is not a Blum prime. :: sage: from sage.crypto.util import random_blum_prime sage: random_blum_prime(24, 30, ntries=10) Traceback (most recent call last): ... ValueError: No Blum primes within the specified closed interval. sage: random_blum_prime(24, 28) Traceback (most recent call last): ... ValueError: No Blum primes within the specified closed interval. """ # sanity check if not has_blum_prime(lbound, ubound): raise ValueError("No Blum primes within the specified closed interval.") # Now we know that there is a Blum prime within the closed interval # [lbound, ubound]. Pick one such prime at random. p = random_prime(ubound, lbound=lbound, proof=True) n = 1 while mod(p, 4) != 3: p = random_prime(ubound, lbound=lbound, proof=True) n += 1 if n > ntries: raise ValueError("Maximum number of attempts exceeded.") return p
def _two_adic_normal_forms(G, partial=False): r""" Return the 2-adic normal form of a symmetric matrix. INPUT: - ``G`` -- block diagonal matrix with blocks of type `U`, `V`, `W` - ``partial`` -- bool (defaul: ``False``) OUTPUT: - ``D``, ``B`` -- such that ``D = B * G * B.T`` EXAMPLES:: sage: from sage.quadratic_forms.genera.normal_form import _two_adic_normal_forms sage: R = Zp(2, type = 'fixed-mod', print_mode='terse', show_prec=False) sage: U = Matrix(R,2,[0,1,1,0]) sage: V = Matrix(R,2,[2,1,1,2]) sage: W1 = Matrix(R,1,[1]) sage: W3 = Matrix(R,1,[3]) sage: W5 = Matrix(R,1,[5]) sage: W7 = Matrix(R,1,[7]) sage: G = Matrix.block_diagonal([2*W1,2*W1,4*V]) sage: B = _two_adic_normal_forms(G)[1] sage: B * G * B.T [ 2 0 0 0] [ 0 10 0 0] [ 0 0 0 4] [ 0 0 4 0] sage: G = Matrix.block_diagonal([W1,2*V,2*W3,2*W5]) sage: B = _two_adic_normal_forms(G)[1] sage: B * G * B.T [3 0 0 0 0] [0 0 2 0 0] [0 2 0 0 0] [0 0 0 2 0] [0 0 0 0 2] sage: G = Matrix.block_diagonal([U,2*V,2*W3,2*W5]) sage: B = _two_adic_normal_forms(G)[1] sage: B * G * B.T [2 1 0 0 0 0] [1 2 0 0 0 0] [0 0 4 2 0 0] [0 0 2 4 0 0] [0 0 0 0 2 0] [0 0 0 0 0 6] """ B = copy(G.parent().identity_matrix()) h, scales = _get_homogeneous_block_indices(G) h.append(B.ncols()) # UVlist[k] is a list of indices of the block of scale p^k. # It contains the indices of the part of types U or V. # So it may be empty. UVlist = [[],[]] # empty lists are appended to avoid special cases. # same as UVlist but contains the indices of the part of type W Wlist = [[],[]] # homogeneous normal form for each part for k in range(scales[-1] - scales[0]+1): if k+scales[0] in scales: i = scales.index(k + scales[0]) Gk = G[h[i]:h[i+1], h[i]:h[i+1]] Dk, Bk, wk = _partial_normal_form_of_block(Gk) B[h[i]:h[i+1],:] = Bk * B[h[i]:h[i+1], :] if not partial: Dk, B1k = _homogeneous_normal_form(Dk, wk) B[h[i]:h[i+1],:] = B1k * B[h[i]:h[i+1], :] UVlist.append(range(h[i], h[i+1] - wk)) Wlist.append(range(h[i+1]-wk, h[i+1])) else: UVlist.append([]) Wlist.append([]) D = B * G * B.T if partial: return D, B # use relations descending in k # we never leave partial normal form # but the homogneneous normal form may be destroyed # it is restored at the end. for k in range(len(UVlist)-1,2,-1): # setup notation W = Wlist[k] Wm = Wlist[k-1] Wmm = Wlist[k-2] UV = UVlist[k] UVm = UVlist[k-1] V = UVlist[k][-2:] if len(V)!=0 and D[V[0], V[0]]==0: V = [] # it is U not V # condition b) if len(Wm) != 0: if len(V)==2: R = Wm[:1] + V B[R,:] = _relations(D[R,R],7) * B[R,:] V = [] D = B * G * B.T E = {3,7} for w in W: if D[w,w].unit_part() in E: R = Wm[:1] + [w] B[R,:] = _relations(D[R,R],6) * B[R,:] D = B * G * B.T # condition c) # We want type a or W = [] # modify D[w,w] to go from type b to type a x = [len(V)] + [ZZ(mod(w.unit_part(),8)) for w in D[W,W].diagonal()] x.sort() # a = [[0,1], [2,3], [2,5], [0,7], [0,1,1], [1,2,3], [0,7,7], [0,1,7]] b = [[0,5], [2,7], [1,2], [0,3], [0,1,5], [1,2,7], [0,3,7], [0,1,3]] if x in b: w = W[-1] if x == [3,7]: w = W[0] if len(UVm) > 0: R = UVm[-2:] + [w] B[R,:] = _relations(D[R,R],8) * B[R,:] elif len(Wmm) > 0: R = Wmm[:1] + [w] B[R,:] = _relations(D[R,R],10) * B[R,:] elif len(Wm) == 2: e0 = D[Wm,Wm][0,0].unit_part() e1 = D[Wm,Wm][1,1].unit_part() if mod(e1-e0,4) == 0: R = Wm + [w] B[R,:] = _relations(D[R,R],9) * B[R,:] D = B * G * B.T # condition a) - stay in homogneneous normal form R = UV + W Dk = D[R,R] Bk = _homogeneous_normal_form(Dk, len(W))[1] B[R,:] = Bk * B[R,:] D = B * G * B.T # we need to restore the homogeneous normal form of k-1 if len(Wm)>0: R = UVm + Wm Dkm = D[R,R] Bkm = _homogeneous_normal_form(Dkm, len(Wm))[1] B[R,:] = Bkm * B[R,:] D = B * G * B.T return D, B
def _relations(G,n): r""" Return relations of `2`-adic quadratic forms. See [MirMor2009]_ IV Prop. 3.2. This function is for internal use only. INPUT: - ``n`` -- an integer between 1 and 10 -- the number of the relation - ``G`` -- a block diagonal matrix consisting of blocks of types `U, V, W` the left side of the relation. If ``G`` does not match `n` then the results are unpredictable. OUTPUT: - square matrix ``B`` such that ``B * G * B.T`` is the right side of the relation which consits of blocks of types `U`, `V`, `W` again EXAMPLES:: sage: from sage.quadratic_forms.genera.normal_form import _relations sage: R = Zp(2, type = 'fixed-mod',print_mode='terse', show_prec=False) sage: U = Matrix(R,2,[0,1,1,0]) sage: V = Matrix(R,2,[2,1,1,2]) sage: W1 = Matrix(R,1,[1]) sage: W3 = Matrix(R,1,[3]) sage: W5 = Matrix(R,1,[5]) sage: W7 = Matrix(R,1,[7]) sage: G = Matrix.block_diagonal(W1,W1) sage: b = _relations(G,1) sage: b * G * b.T [5 0] [0 5] sage: G = Matrix.block_diagonal(W1,W3) sage: b = _relations(G,1) sage: b * G * b.T [5 0] [0 7] sage: G = Matrix.block_diagonal(W1,W5) sage: b = _relations(G,1) sage: b * G * b.T [5 0] [0 1] sage: G = Matrix.block_diagonal(W1,W7) sage: b = _relations(G,1) sage: b * G * b.T [5 0] [0 3] sage: G = Matrix.block_diagonal(W3,W3) sage: b = _relations(G,1) sage: b * G * b.T [7 0] [0 7] sage: G = Matrix.block_diagonal(W3,W5) sage: b = _relations(G,1) sage: b * G * b.T [7 0] [0 1] sage: G = Matrix.block_diagonal(W3,W7) sage: b = _relations(G,1) sage: b * G * b.T [7 0] [0 3] sage: G = Matrix.block_diagonal(W5,W5) sage: b = _relations(G,1) sage: b * G * b.T [1 0] [0 1] sage: G = Matrix.block_diagonal(W5,W7) sage: b = _relations(G,1) sage: b * G * b.T [1 0] [0 3] sage: G = Matrix.block_diagonal(W7,W7) sage: b = _relations(G,1) sage: b * G * b.T [3 0] [0 3] sage: G = Matrix.block_diagonal([V,V]) sage: b = _relations(G,3) sage: b * G * b.T [0 1 0 0] [1 0 0 0] [0 0 0 1] [0 0 1 0] sage: G = Matrix.block_diagonal([V,W1,W1]) sage: b = _relations(G,5) sage: b * G * b.T [0 1 0 0] [1 0 0 0] [0 0 7 0] [0 0 0 3] sage: G = Matrix.block_diagonal([V,W1,W5]) sage: b = _relations(G,5) sage: b * G * b.T [0 1 0 0] [1 0 0 0] [0 0 3 0] [0 0 0 3] sage: G = Matrix.block_diagonal([V,W3,W7]) sage: b = _relations(G,5) sage: b * G * b.T [0 1 0 0] [1 0 0 0] [0 0 5 0] [0 0 0 5] sage: G = Matrix.block_diagonal([W1,2*W1]) sage: b = _relations(G,6) sage: b * G * b.T [3 0] [0 6] sage: G = Matrix.block_diagonal([W1,2*W3]) sage: b = _relations(G,6) sage: b * G * b.T [ 7 0] [ 0 10] sage: G = Matrix.block_diagonal([W1,2*W5]) sage: b = _relations(G,6) sage: b * G * b.T [ 3 0] [ 0 14] sage: G = Matrix.block_diagonal([W1,2*W7]) sage: b = _relations(G,6) sage: b * G * b.T [7 0] [0 2] sage: G = Matrix.block_diagonal([W3,2*W5]) sage: b = _relations(G,6) sage: b * G * b.T [5 0] [0 6] sage: G = Matrix.block_diagonal([W3,2*W3]) sage: b = _relations(G,6) sage: b * G * b.T [1 0] [0 2] sage: G = Matrix.block_diagonal([2*W5,4*W7]) sage: b = _relations(G,6) sage: b * G * b.T [6 0] [0 4] sage: G = Matrix.block_diagonal([W3,2*V]) sage: b = _relations(G,7) sage: b * G * b.T [7 0 0] [0 0 2] [0 2 0] sage: G = Matrix.block_diagonal([W7,2*V]) sage: b = _relations(G,7) sage: b * G * b.T [3 0 0] [0 0 2] [0 2 0] sage: G = Matrix.block_diagonal([U,2*W1]) sage: b = _relations(G,8) sage: b * G * b.T [ 2 1 0] [ 1 2 0] [ 0 0 10] sage: G = Matrix.block_diagonal([U,2*W5]) sage: b = _relations(G,8) sage: b * G * b.T [2 1 0] [1 2 0] [0 0 2] sage: G = Matrix.block_diagonal([V,2*W1]) sage: b = _relations(G,8) sage: b * G * b.T [ 0 1 0] [ 1 0 0] [ 0 0 10] sage: G = Matrix.block_diagonal([V,2*W7]) sage: b = _relations(G,8) sage: b * G * b.T [0 1 0] [1 0 0] [0 0 6] sage: G = Matrix.block_diagonal([W1,W5,2*W5]) sage: b = _relations(G,9) sage: b * G * b.T [3 0 0] [0 3 0] [0 0 2] sage: G = Matrix.block_diagonal([W3,W3,2*W5]) sage: b = _relations(G,9) sage: b * G * b.T [5 0 0] [0 1 0] [0 0 2] sage: G = Matrix.block_diagonal([W3,W3,2*W1]) sage: b = _relations(G,9) sage: b * G * b.T [ 5 0 0] [ 0 1 0] [ 0 0 10] sage: G = Matrix.block_diagonal([W3,4*W1]) sage: b = _relations(G,10) sage: b * G * b.T [ 7 0] [ 0 20] sage: G = Matrix.block_diagonal([W5,4*W5]) sage: b = _relations(G,10) sage: b * G * b.T [1 0] [0 4] """ R = G.base_ring() if n == 1: e1 = G[0,0].unit_part() e2 = G[1,1].unit_part() B = Matrix(R,2,[1,2,2*e2,-e1]) if n == 2: e1 = G[0,0].unit_part() e2 = G[1,1].unit_part() e3 = G[2,2].unit_part() s1 = e1 + e2 + e3 s2 = e1*e2 + e1*e3 + e2*e3 s3 = e1*e2*e3 B = Matrix(R,3,[1,1,1,e2,-e1,0,e3,0,-e1]) if n == 3: B = Matrix(R,4,[1,1,1,0, 1,1,0,1, 1,0,-1,-1, 0,1,-1,-1]) if n == 4: raise NotImplementedError("relation 4 is not needed") if n == 5: e1 = G[2,2].unit_part() e2 = G[3,3].unit_part() if mod(e1,4) != mod(e2,4): raise ValueError("W is of the wrong type for relation 5") B = Matrix(R,4,[ 1, 0, 1, 1, 0, 1, 1, 1, -e2, -e2, 0, 3, -e1, -e1, 2*e2 + 3, -2*e1]) if n == 6: if G[0,0].valuation()+1 != G[1,1].valuation(): raise ValueError("wrong scales for relation 6") e1 = G[0,0].unit_part() e2 = G[1,1].unit_part() B = Matrix(R,2,[1,1,-2*e2,e1]) if n == 7: e = G[0,0].unit_part() B = Matrix(R,3,[-3, e**2, e**2, 2*e, 1, 0, 2*e, 0, 1]) if n == 8: e = G[2,2].unit_part() if G[0,0]==0: B = Matrix(R,3,[e, 0, -1, 0, e, -1, 2, 2, 1]) else: B = Matrix(R,3,[ 1, 0, 1, 0, 1, 1, 2*e, 2*e, - 3]) if n == 9: e1 = G[0,0].unit_part() e2 = G[1,1].unit_part() e3 = G[2,2].unit_part() B = Matrix(R,3,[1, 0, 1, 2*e3, 1, -e1, -2*e2*e3, 2*e1**2*e3 + 4*e1*e3**2, e1*e2]) if n == 10: e1 = G[0,0].unit_part() e2 = G[1,1].unit_part() B = Matrix(R,2,[1,1,-4*e2,e1]) D, B1 = _normalize(B*G*B.T) return B1*B
def _partial_normal_form_of_block(G): r""" Return the partial normal form of the homogeneous block ``G``. For internal use in :meth:`_two_adic_normal_forms`. INPUT: - ``G`` -- a modular symmetric matrix over the `2`-adic integers OUTPUT: - ``D, B, w`` -- with ``B`` a transformation matrix such that ``B * G * B.T`` is in partial normal form and `w = 0, 1, 2` is the size of the part consisting of forms of type W EXAMPLES:: sage: from sage.quadratic_forms.genera.normal_form import _partial_normal_form_of_block sage: R = Zp(2,prec=4, type = 'fixed-mod',print_mode='terse', show_prec=False) sage: U = Matrix(R, 2, [0,1,1,0]) sage: V = Matrix(R, 2, [2,1,1,2]) sage: W1 = Matrix(R, 1, [1]) sage: W3 = Matrix(R, 1, [3]) sage: W5 = Matrix(R, 1, [5]) sage: W7 = Matrix(R, 1, [7]) sage: G = Matrix.block_diagonal([W1, U, V, W5, V, W3, V, W7]) sage: B = _partial_normal_form_of_block(G)[1] sage: B * G * B.T [0 1 0 0 0 0 0 0 0 0 0 0] [1 0 0 0 0 0 0 0 0 0 0 0] [0 0 0 1 0 0 0 0 0 0 0 0] [0 0 1 0 0 0 0 0 0 0 0 0] [0 0 0 0 0 1 0 0 0 0 0 0] [0 0 0 0 1 0 0 0 0 0 0 0] [0 0 0 0 0 0 0 1 0 0 0 0] [0 0 0 0 0 0 1 0 0 0 0 0] [0 0 0 0 0 0 0 0 2 1 0 0] [0 0 0 0 0 0 0 0 1 2 0 0] [0 0 0 0 0 0 0 0 0 0 1 0] [0 0 0 0 0 0 0 0 0 0 0 7] sage: G = Matrix.block_diagonal([W1, U, V, W1, V, W1, V, W7]) sage: B = _partial_normal_form_of_block(G)[1] sage: B * G * B.T [0 1 0 0 0 0 0 0 0 0 0 0] [1 0 0 0 0 0 0 0 0 0 0 0] [0 0 0 1 0 0 0 0 0 0 0 0] [0 0 1 0 0 0 0 0 0 0 0 0] [0 0 0 0 0 1 0 0 0 0 0 0] [0 0 0 0 1 0 0 0 0 0 0 0] [0 0 0 0 0 0 0 1 0 0 0 0] [0 0 0 0 0 0 1 0 0 0 0 0] [0 0 0 0 0 0 0 0 0 1 0 0] [0 0 0 0 0 0 0 0 1 0 0 0] [0 0 0 0 0 0 0 0 0 0 3 0] [0 0 0 0 0 0 0 0 0 0 0 7] """ D = copy(G) R = D.base_ring() n = D.ncols() B = copy(G.parent().identity_matrix()) # the transformation matrix blocks = _get_small_block_indices(D) # collect the indices of forms of types U, V and W U = [] V = [] W = [] for i in blocks: if i+1 in blocks or i==n-1: W.append(i) else: if D[i,i] != 0: V += [i,i+1] else: U += [i,i+1] if len(W) == 3: # W W W transforms to W U or W V T = _relations(D[W,W], 2) B[W,:] = _relations(D[W,W],2) * B[W,:] D = B * G * B.T if mod(D[W[1:], W[1:]].det().unit_part(), 8) == 3: V += W[1:] else: U += W[1:] W = W[:1] if len(V) == 4: B[V,:] = _relations(D[V,V],3) * B[V,:] U += V V = [] D = B * G * B.T # put everything into the right order UVW = U + V + W B = B[UVW,:] D = B * G * B.T return D, B, len(W)
def _normalize_2x2(G): r""" Normalize this indecomposable `2` by `2` block. INPUT: ``G`` - a `2` by `2` matrix over `\ZZ_p` with ``type = 'fixed-mod'`` of the form:: [2a b] [ b 2c] * 2^n with `b` of valuation 1. OUTPUT: A unimodular `2` by `2` matrix ``B`` over `\ZZ_p` with ``B * G * B.transpose()`` either:: [0 1] [2 1] [1 0] * 2^n or [1 2] * 2^n EXAMPLES:: sage: from sage.quadratic_forms.genera.normal_form import _normalize_2x2 sage: R = Zp(2, prec = 15, type = 'fixed-mod', print_mode='series', show_prec=False) sage: G = Matrix(R, 2, [-17*2,3,3,23*2]) sage: B =_normalize_2x2(G) sage: B * G * B.T [2 1] [1 2] sage: G = Matrix(R,2,[-17*4,3,3,23*2]) sage: B = _normalize_2x2(G) sage: B*G*B.T [0 1] [1 0] sage: G = 2^3 * Matrix(R, 2, [-17*2,3,3,23*2]) sage: B = _normalize_2x2(G) sage: B * G * B.T [2^4 2^3] [2^3 2^4] """ from sage.rings.all import PolynomialRing from sage.modules.free_module_element import vector B = copy(G.parent().identity_matrix()) R = G.base_ring() P = PolynomialRing(R, 'x') x = P.gen() # The input must be an even block odd1 = (G[0, 0].valuation() < G[1, 0].valuation()) odd2 = (G[1, 1].valuation() < G[1, 0].valuation()) if odd1 or odd2: raise ValueError("Not a valid 2 x 2 block.") scale = 2 ** G[0,1].valuation() D = Matrix(R, 2, 2, [d // scale for d in G.list()]) # now D is of the form # [2a b ] # [b 2c] # where b has valuation 1. G = copy(D) # Make sure G[1, 1] has valuation 1. if D[1, 1].valuation() > D[0, 0].valuation(): B.swap_columns(0, 1) D.swap_columns(0, 1) D.swap_rows(0, 1) if D[1, 1].valuation() != 1: # this works because # D[0, 0] has valuation at least 2 B[1, :] += B[0, :] D = B * G * B.transpose() assert D[1, 1].valuation() == 1 if mod(D.det(), 8) == 3: # in this case we can transform D to # 2 1 # 1 2 # Find a point of norm 2 # solve: 2 == D[1,1]*x^2 + 2*D[1,0]*x + D[0,0] pol = (D[1,1]*x**2 + 2*D[1,0]*x + D[0,0]-2) // 2 # somehow else pari can get a hickup see `trac`:#24065 pol = pol // pol.leading_coefficient() sol = pol.roots()[0][0] B[0, 1] = sol D = B * G * B.transpose() # make D[0, 1] = 1 B[1, :] *= D[1, 0].inverse_of_unit() D = B * G * B.transpose() # solve: v*D*v == 2 with v = (x, -2*x+1) if D[1, 1] != 2: v = vector([x, -2*x + 1]) pol = (v*D*v - 2) // 2 # somehow else pari can get a hickup `trac`:#24065 pol = pol // pol.leading_coefficient() sol = pol.roots()[0][0] B[1, :] = sol * B[0,:] + (-2*sol + 1)*B[1, :] D = B * G * B.transpose() # check the result assert D == Matrix(G.parent(), 2, 2, [2, 1, 1, 2]), "D1 \n %r" %D elif mod(D.det(), 8) == 7: # in this case we can transform D to # 0 1 # 1 0 # Find a point representing 0 # solve: 0 == D[1,1]*x^2 + 2*D[1,0]*x + D[0,0] pol = (D[1,1]*x**2 + 2*D[1,0]*x + D[0,0])//2 # somehow else pari can get a hickup, see `trac`:#24065 pol = pol // pol.leading_coefficient() sol = pol.roots()[0][0] B[0,:] += sol*B[1, :] D = B * G * B.transpose() # make the second basis vector have 0 square as well. B[1, :] = B[1, :] - D[1, 1]//(2*D[0, 1])*B[0,:] D = B * G * B.transpose() # rescale to get D[0,1] = 1 B[0, :] *= D[1, 0].inverse_of_unit() D = B * G * B.transpose() # check the result assert D == Matrix(G.parent(), 2, 2, [0, 1, 1, 0]), "D2 \n %r" %D return B
def decrypt(self, C, K): r""" Apply the Blum-Goldwasser scheme to decrypt the ciphertext ``C`` using the private key ``K``. INPUT: - ``C`` -- a ciphertext resulting from encrypting a plaintext using the Blum-Goldwasser encryption algorithm. The ciphertext `C` must be of the form `C = (c_1, c_2, \dots, c_t, x_{t+1})`. Each `c_i` is a sub-block of binary string and `x_{t+1}` is the result of the `t+1`-th iteration of the Blum-Blum-Shub algorithm. - ``K`` -- a private key `(p, q, a, b)` where `p` and `q` are distinct Blum primes and `\gcd(p, q) = ap + bq = 1`. OUTPUT: - The plaintext resulting from decrypting the ciphertext ``C`` using the Blum-Goldwasser decryption algorithm. ALGORITHM: The Blum-Goldwasser decryption algorithm is described in Algorithm 8.56, page 309 of [MenezesEtAl1996]_. The algorithm works as follows: #. Let `C` be the ciphertext `C = (c_1, c_2, \dots, c_t, x_{t+1})`. Then `t` is the number of ciphertext sub-blocks and `h` is the length of each binary string sub-block `c_i`. #. Let `(p, q, a, b)` be the private key whose corresponding public key is `n = pq`. Note that `\gcd(p, q) = ap + bq = 1`. #. Compute `d_1 = ((p + 1) / 4)^{t+1} \bmod{(p - 1)}`. #. Compute `d_2 = ((q + 1) / 4)^{t+1} \bmod{(q - 1)}`. #. Let `u = x_{t+1}^{d_1} \bmod p`. #. Let `v = x_{t+1}^{d_2} \bmod q`. #. Compute `x_0 = vap + ubq \bmod n`. #. For `i` from 1 to `t`, do: #. Compute `x_i = x_{t-1}^2 \bmod n`. #. Let `p_i` be the `h` least significant bits of `x_i`. #. Compute `m_i = p_i \oplus c_i`. #. The plaintext is `m = m_1 m_2 \cdots m_t`. EXAMPLES: The following decryption example is taken from Example 8.57, pages 309--310 of [MenezesEtAl1996]_. Here we decrypt a binary string:: sage: from sage.crypto.public_key.blum_goldwasser import BlumGoldwasser sage: bg = BlumGoldwasser() sage: p = 499; q = 547 sage: C = ([[0, 0, 1, 0], [0, 0, 0, 0], [1, 1, 0, 0], [1, 1, 1, 0], [0, 1, 0, 0]], 139680) sage: K = bg.private_key(p, q); K (499, 547, -57, 52) sage: P = bg.decrypt(C, K); P [[1, 0, 0, 1], [1, 1, 0, 0], [0, 0, 0, 1], [0, 0, 0, 0], [1, 1, 0, 0]] Convert the plaintext sub-blocks into a binary string:: sage: bin = BinaryStrings() sage: bin(flatten(P)) 10011100000100001100 Decrypt a longer ciphertext and convert the resulting plaintext into an ASCII string:: sage: from sage.crypto.public_key.blum_goldwasser import BlumGoldwasser sage: from sage.crypto.util import bin_to_ascii sage: bg = BlumGoldwasser() sage: p = 78307; q = 412487 sage: K = bg.private_key(p, q) sage: C = ([[1, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0], \ ... [1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 0, 0, 0, 0, 1, 1], \ ... [0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 0, 0], \ ... [0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1], \ ... [1, 0, 0, 1, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0], \ ... [0, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 1, 0, 1], \ ... [1, 1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0], \ ... [1, 1, 0, 0, 0, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 1], \ ... [0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0], \ ... [1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 0, 1, 0, 1], \ ... [1, 1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1], \ ... [1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 0, 0, 1, 0], \ ... [0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1]], 3479653279) sage: P = bg.decrypt(C, K) sage: bin_to_ascii(flatten(P)) 'Blum-Goldwasser encryption' TESTS: The private key `K = (p, q, a, b)` must be such that `p` and `q` are distinct Blum primes. Even if `p` and `q` pass this criterion, they must also satisfy the requirement `\gcd(p, q) = ap + bq = 1`. :: sage: from sage.crypto.public_key.blum_goldwasser import BlumGoldwasser sage: bg = BlumGoldwasser() sage: C = ([[0, 0, 1, 0], [0, 0, 0, 0], [1, 1, 0, 0], [1, 1, 1, 0], [0, 1, 0, 0]], 139680) sage: K = (7, 7, 1, 2) sage: bg.decrypt(C, K) Traceback (most recent call last): ... ValueError: p and q must be distinct Blum primes. sage: K = (7, 23, 1, 2) sage: bg.decrypt(C, K) Traceback (most recent call last): ... ValueError: a and b must satisfy gcd(p, q) = ap + bq = 1. sage: K = (11, 29, 8, -3) sage: bg.decrypt(C, K) Traceback (most recent call last): ... ValueError: p and q must be distinct Blum primes. """ # ciphertext c = C[0] xt1 = C[-1] # number of ciphertext sub-blocks t = len(c) # length of each ciphertext sub-block h = len(c[0]) # private key p, q, a, b = K # public key n = p * q # sanity checks if p == q: raise ValueError("p and q must be distinct Blum primes.") if (a * p + b * q) != 1: raise ValueError("a and b must satisfy gcd(p, q) = ap + bq = 1.") if (not is_blum_prime(p)) or (not is_blum_prime(q)): raise ValueError("p and q must be distinct Blum primes.") # prepare to decrypt d1 = power_mod((p + 1) // 4, t + 1, p - 1) d2 = power_mod((q + 1) // 4, t + 1, q - 1) u = power_mod(xt1, d1, p) v = power_mod(xt1, d2, q) x0 = mod(v * a * p + u * b * q, n).lift() # perform the decryption M = [] for i in xrange(t): x1 = power_mod(x0, 2, n) p = least_significant_bits(x1, h) M.append(list(map(xor, p, c[i]))) x0 = x1 return M
def _partial_normal_form_of_block(G): r""" Return the partial normal form of the homogeneous block ``G``. For internal use in :meth:`_two_adic_normal_forms`. INPUT: - ``G`` -- a modular symmetric matrix over the `2`-adic integers OUTPUT: - ``D, B, w`` -- with ``B`` a transformation matrix such that ``B * G * B.T`` is in partial normal form and `w = 0, 1, 2` is the size of the part consisting of forms of type W EXAMPLES:: sage: from sage.quadratic_forms.genera.normal_form import _partial_normal_form_of_block sage: R = Zp(2,prec=4, type = 'fixed-mod',print_mode='terse', show_prec=False) sage: U = Matrix(R, 2, [0,1,1,0]) sage: V = Matrix(R, 2, [2,1,1,2]) sage: W1 = Matrix(R, 1, [1]) sage: W3 = Matrix(R, 1, [3]) sage: W5 = Matrix(R, 1, [5]) sage: W7 = Matrix(R, 1, [7]) sage: G = Matrix.block_diagonal([W1, U, V, W5, V, W3, V, W7]) sage: B = _partial_normal_form_of_block(G)[1] sage: B * G * B.T [0 1 0 0 0 0 0 0 0 0 0 0] [1 0 0 0 0 0 0 0 0 0 0 0] [0 0 0 1 0 0 0 0 0 0 0 0] [0 0 1 0 0 0 0 0 0 0 0 0] [0 0 0 0 0 1 0 0 0 0 0 0] [0 0 0 0 1 0 0 0 0 0 0 0] [0 0 0 0 0 0 0 1 0 0 0 0] [0 0 0 0 0 0 1 0 0 0 0 0] [0 0 0 0 0 0 0 0 2 1 0 0] [0 0 0 0 0 0 0 0 1 2 0 0] [0 0 0 0 0 0 0 0 0 0 1 0] [0 0 0 0 0 0 0 0 0 0 0 7] sage: G = Matrix.block_diagonal([W1, U, V, W1, V, W1, V, W7]) sage: B = _partial_normal_form_of_block(G)[1] sage: B * G * B.T [0 1 0 0 0 0 0 0 0 0 0 0] [1 0 0 0 0 0 0 0 0 0 0 0] [0 0 0 1 0 0 0 0 0 0 0 0] [0 0 1 0 0 0 0 0 0 0 0 0] [0 0 0 0 0 1 0 0 0 0 0 0] [0 0 0 0 1 0 0 0 0 0 0 0] [0 0 0 0 0 0 0 1 0 0 0 0] [0 0 0 0 0 0 1 0 0 0 0 0] [0 0 0 0 0 0 0 0 0 1 0 0] [0 0 0 0 0 0 0 0 1 0 0 0] [0 0 0 0 0 0 0 0 0 0 3 0] [0 0 0 0 0 0 0 0 0 0 0 7] """ D = copy(G) n = D.ncols() B = copy(G.parent().identity_matrix()) # the transformation matrix blocks = _get_small_block_indices(D) # collect the indices of forms of types U, V and W U = [] V = [] W = [] for i in blocks: if i + 1 in blocks or i == n - 1: W.append(i) else: if D[i, i] != 0: V += [i, i + 1] else: U += [i, i + 1] if len(W) == 3: # W W W transforms to W U or W V B[W, :] = _relations(D[W, W], 2) * B[W, :] D = B * G * B.T if mod(D[W[1:], W[1:]].det().unit_part(), 8) == 3: V += W[1:] else: U += W[1:] W = W[:1] if len(V) == 4: B[V, :] = _relations(D[V, V], 3) * B[V, :] U += V V = [] D = B * G * B.T # put everything into the right order UVW = U + V + W B = B[UVW, :] D = B * G * B.T return D, B, len(W)
def encrypt(self, P, K, seed=None): r""" Apply the Blum-Goldwasser scheme to encrypt the plaintext ``P`` using the public key ``K``. INPUT: - ``P`` -- a non-empty string of plaintext. The string ``""`` is an empty string, whereas ``" "`` is a string consisting of one white space character. The plaintext can be a binary string or a string of ASCII characters. Where ``P`` is an ASCII string, then ``P`` is first encoded as a binary string prior to encryption. - ``K`` -- a public key, which is the product of two Blum primes. - ``seed`` -- (default: ``None``) if `p` and `q` are Blum primes and `n = pq` is a public key, then ``seed`` is a quadratic residue in the multiplicative group `(\ZZ/n\ZZ)^{\ast}`. If ``seed=None``, then the function would generate its own random quadratic residue in `(\ZZ/n\ZZ)^{\ast}`. Where a value for ``seed`` is provided, it is your responsibility to ensure that the seed is a quadratic residue in the multiplicative group `(\ZZ/n\ZZ)^{\ast}`. OUTPUT: - The ciphertext resulting from encrypting ``P`` using the public key ``K``. The ciphertext `C` is of the form `C = (c_1, c_2, \dots, c_t, x_{t+1})`. Each `c_i` is a sub-block of binary string and `x_{t+1}` is the result of the `t+1`-th iteration of the Blum-Blum-Shub algorithm. ALGORITHM: The Blum-Goldwasser encryption algorithm is described in Algorithm 8.56, page 309 of [MenezesEtAl1996]_. The algorithm works as follows: #. Let `n` be a public key, where `n = pq` is the product of two distinct Blum primes `p` and `q`. #. Let `k = \lfloor \log_2(n) \rfloor` and `h = \lfloor \log_2(k) \rfloor`. #. Let `m = m_1 m_2 \cdots m_t` be the message (plaintext) where each `m_i` is a binary string of length `h`. #. Choose a random seed `x_0`, which is a quadratic residue in the multiplicative group `(\ZZ/n\ZZ)^{\ast}`. That is, choose a random `r \in (\ZZ/n\ZZ)^{\ast}` and compute `x_0 = r^2 \bmod n`. #. For `i` from 1 to `t`, do: #. Let `x_i = x_{i-1}^2 \bmod n`. #. Let `p_i` be the `h` least significant bits of `x_i`. #. Let `c_i = p_i \oplus m_i`. #. Compute `x_{t+1} = x_t^2 \bmod n`. #. The ciphertext is `c = (c_1, c_2, \dots, c_t, x_{t+1})`. The value `h` in the algorithm is the sub-block length. If the binary string representing the message cannot be divided into blocks of length `h` each, then other sub-block lengths would be used instead. The sub-block lengths to fall back on are in the following order: 16, 8, 4, 2, 1. EXAMPLES: The following encryption example is taken from Example 8.57, pages 309--310 of [MenezesEtAl1996]_. Here, we encrypt a binary string:: sage: from sage.crypto.public_key.blum_goldwasser import BlumGoldwasser sage: bg = BlumGoldwasser() sage: p = 499; q = 547; n = p * q sage: P = "10011100000100001100" sage: C = bg.encrypt(P, n, seed=159201); C ([[0, 0, 1, 0], [0, 0, 0, 0], [1, 1, 0, 0], [1, 1, 1, 0], [0, 1, 0, 0]], 139680) Convert the ciphertext sub-blocks into a binary string:: sage: bin = BinaryStrings() sage: bin(flatten(C[0])) 00100000110011100100 Now encrypt an ASCII string. The result is random; no seed is provided to the encryption function so the function generates its own random seed:: sage: from sage.crypto.public_key.blum_goldwasser import BlumGoldwasser sage: bg = BlumGoldwasser() sage: K = 32300619509 sage: P = "Blum-Goldwasser encryption" sage: bg.encrypt(P, K) # random ([[1, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0], \ [1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 0, 0, 0, 0, 1, 1], \ [0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 0, 0], \ [0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1], \ [1, 0, 0, 1, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0], \ [0, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 1, 0, 1], \ [1, 1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0], \ [1, 1, 0, 0, 0, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 1], \ [0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0], \ [1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 0, 1, 0, 1], \ [1, 1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1], \ [1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 0, 0, 1, 0], \ [0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1]], 3479653279) TESTS: The plaintext cannot be an empty string. :: sage: from sage.crypto.public_key.blum_goldwasser import BlumGoldwasser sage: bg = BlumGoldwasser() sage: bg.encrypt("", 3) Traceback (most recent call last): ... ValueError: The plaintext cannot be an empty string. """ # sanity check if P == "": raise ValueError("The plaintext cannot be an empty string.") n = K k = floor(log(n, base=2)) h = floor(log(k, base=2)) bin = BinaryStrings() M = "" try: # the plaintext is a binary string M = bin(P) except TypeError: # encode the plaintext as a binary string # An exception might be raised here if P cannot be encoded as a # binary string. M = bin.encoding(P) # the number of plaintext sub-blocks; each sub-block has length h t = 0 try: # Attempt to use t and h values from the algorithm described # in [MenezesEtAl1996]. t = len(M) / h # If the following raises an exception, then we can't use # the t and h values specified by [MenezesEtAl1996]. mod(len(M), t) # fall back to using other sub-block lengths except TypeError: # sub-blocks of length h = 16 if mod(len(M), 16) == 0: h = 16 t = len(M) // h # sub-blocks of length h = 8 elif mod(len(M), 8) == 0: h = 8 t = len(M) // h # sub-blocks of length h = 4 elif mod(len(M), 4) == 0: h = 4 t = len(M) // h # sub-blocks of length h = 2 elif mod(len(M), 2) == 0: h = 2 t = len(M) // h # sub-blocks of length h = 1 else: h = 1 t = len(M) // h # If no seed is provided, select a random seed. x0 = seed if seed is None: zmod = IntegerModRing(n) # K = n = pq r = zmod.random_element().lift() while gcd(r, n) != 1: r = zmod.random_element().lift() x0 = power_mod(r, 2, n) # perform the encryption to_int = lambda x: int(str(x)) C = [] for i in xrange(t): x1 = power_mod(x0, 2, n) p = least_significant_bits(x1, h) # xor p with a sub-block of length h. There are t sub-blocks of # length h each. C.append( list(map(xor, p, [to_int(_) for _ in M[i * h:(i + 1) * h]]))) x0 = x1 x1 = power_mod(x0, 2, n) return (C, x1)
def _two_adic_normal_forms(G, partial=False): r""" Return the 2-adic normal form of a symmetric matrix. INPUT: - ``G`` -- block diagonal matrix with blocks of type `U`, `V`, `W` - ``partial`` -- bool (defaul: ``False``) OUTPUT: - ``D``, ``B`` -- such that ``D = B * G * B.T`` EXAMPLES:: sage: from sage.quadratic_forms.genera.normal_form import _two_adic_normal_forms sage: R = Zp(2, type = 'fixed-mod', print_mode='terse', show_prec=False) sage: U = Matrix(R,2,[0,1,1,0]) sage: V = Matrix(R,2,[2,1,1,2]) sage: W1 = Matrix(R,1,[1]) sage: W3 = Matrix(R,1,[3]) sage: W5 = Matrix(R,1,[5]) sage: W7 = Matrix(R,1,[7]) sage: G = Matrix.block_diagonal([2*W1,2*W1,4*V]) sage: B = _two_adic_normal_forms(G)[1] sage: B * G * B.T [ 2 0 0 0] [ 0 10 0 0] [ 0 0 0 4] [ 0 0 4 0] sage: G = Matrix.block_diagonal([W1,2*V,2*W3,2*W5]) sage: B = _two_adic_normal_forms(G)[1] sage: B * G * B.T [3 0 0 0 0] [0 0 2 0 0] [0 2 0 0 0] [0 0 0 2 0] [0 0 0 0 2] sage: G = Matrix.block_diagonal([U,2*V,2*W3,2*W5]) sage: B = _two_adic_normal_forms(G)[1] sage: B * G * B.T [2 1 0 0 0 0] [1 2 0 0 0 0] [0 0 4 2 0 0] [0 0 2 4 0 0] [0 0 0 0 2 0] [0 0 0 0 0 6] """ B = copy(G.parent().identity_matrix()) h, scales = _get_homogeneous_block_indices(G) h.append(B.ncols()) # UVlist[k] is a list of indices of the block of scale p^k. # It contains the indices of the part of types U or V. # So it may be empty. UVlist = [[], []] # empty lists are appended to avoid special cases. # same as UVlist but contains the indices of the part of type W Wlist = [[], []] # homogeneous normal form for each part for k in range(scales[-1] - scales[0] + 1): if k + scales[0] in scales: i = scales.index(k + scales[0]) Gk = G[h[i]:h[i + 1], h[i]:h[i + 1]] Dk, Bk, wk = _partial_normal_form_of_block(Gk) B[h[i]:h[i + 1], :] = Bk * B[h[i]:h[i + 1], :] if not partial: Dk, B1k = _homogeneous_normal_form(Dk, wk) B[h[i]:h[i + 1], :] = B1k * B[h[i]:h[i + 1], :] UVlist.append(list(range(h[i], h[i + 1] - wk))) Wlist.append(list(range(h[i + 1] - wk, h[i + 1]))) else: UVlist.append([]) Wlist.append([]) D = B * G * B.T if partial: return D, B # use relations descending in k # we never leave partial normal form # but the homogeneous normal form may be destroyed # it is restored at the end. for k in range(len(UVlist) - 1, 2, -1): # setup notation W = Wlist[k] Wm = Wlist[k - 1] Wmm = Wlist[k - 2] UV = UVlist[k] UVm = UVlist[k - 1] V = UVlist[k][-2:] if len(V) != 0 and D[V[0], V[0]] == 0: V = [] # it is U not V # condition b) if len(Wm) != 0: if len(V) == 2: R = Wm[:1] + V B[R, :] = _relations(D[R, R], 7) * B[R, :] V = [] D = B * G * B.T E = {3, 7} for w in W: if D[w, w].unit_part() in E: R = Wm[:1] + [w] B[R, :] = _relations(D[R, R], 6) * B[R, :] D = B * G * B.T # condition c) # We want type a or W = [] # modify D[w,w] to go from type b to type a x = [len(V)] + [ZZ(mod(w.unit_part(), 8)) for w in D[W, W].diagonal()] x.sort() # a = [[0,1], [2,3], [2,5], [0,7], [0,1,1], [1,2,3], [0,7,7], [0,1,7]] b = [[0, 5], [2, 7], [1, 2], [0, 3], [0, 1, 5], [1, 2, 7], [0, 3, 7], [0, 1, 3]] if x in b: w = W[-1] if x == [3, 7]: w = W[0] if len(UVm) > 0: R = UVm[-2:] + [w] B[R, :] = _relations(D[R, R], 8) * B[R, :] elif len(Wmm) > 0: R = Wmm[:1] + [w] B[R, :] = _relations(D[R, R], 10) * B[R, :] elif len(Wm) == 2: e0 = D[Wm, Wm][0, 0].unit_part() e1 = D[Wm, Wm][1, 1].unit_part() if mod(e1 - e0, 4) == 0: R = Wm + [w] B[R, :] = _relations(D[R, R], 9) * B[R, :] D = B * G * B.T # condition a) - stay in homogeneous normal form R = UV + W Dk = D[R, R] Bk = _homogeneous_normal_form(Dk, len(W))[1] B[R, :] = Bk * B[R, :] D = B * G * B.T # we need to restore the homogeneous normal form of k-1 if len(Wm) > 0: R = UVm + Wm Dkm = D[R, R] Bkm = _homogeneous_normal_form(Dkm, len(Wm))[1] B[R, :] = Bkm * B[R, :] D = B * G * B.T return D, B
def decrypt(self, C, K): r""" Apply the Blum-Goldwasser scheme to decrypt the ciphertext ``C`` using the private key ``K``. INPUT: - ``C`` -- a ciphertext resulting from encrypting a plaintext using the Blum-Goldwasser encryption algorithm. The ciphertext `C` must be of the form `C = (c_1, c_2, \dots, c_t, x_{t+1})`. Each `c_i` is a sub-block of binary string and `x_{t+1}` is the result of the `t+1`-th iteration of the Blum-Blum-Shub algorithm. - ``K`` -- a private key `(p, q, a, b)` where `p` and `q` are distinct Blum primes and `\gcd(p, q) = ap + bq = 1`. OUTPUT: - The plaintext resulting from decrypting the ciphertext ``C`` using the Blum-Goldwasser decryption algorithm. ALGORITHM: The Blum-Goldwasser decryption algorithm is described in Algorithm 8.56, page 309 of [MvOV1996]_. The algorithm works as follows: #. Let `C` be the ciphertext `C = (c_1, c_2, \dots, c_t, x_{t+1})`. Then `t` is the number of ciphertext sub-blocks and `h` is the length of each binary string sub-block `c_i`. #. Let `(p, q, a, b)` be the private key whose corresponding public key is `n = pq`. Note that `\gcd(p, q) = ap + bq = 1`. #. Compute `d_1 = ((p + 1) / 4)^{t+1} \bmod{(p - 1)}`. #. Compute `d_2 = ((q + 1) / 4)^{t+1} \bmod{(q - 1)}`. #. Let `u = x_{t+1}^{d_1} \bmod p`. #. Let `v = x_{t+1}^{d_2} \bmod q`. #. Compute `x_0 = vap + ubq \bmod n`. #. For `i` from 1 to `t`, do: #. Compute `x_i = x_{t-1}^2 \bmod n`. #. Let `p_i` be the `h` least significant bits of `x_i`. #. Compute `m_i = p_i \oplus c_i`. #. The plaintext is `m = m_1 m_2 \cdots m_t`. EXAMPLES: The following decryption example is taken from Example 8.57, pages 309--310 of [MvOV1996]_. Here we decrypt a binary string:: sage: from sage.crypto.public_key.blum_goldwasser import BlumGoldwasser sage: bg = BlumGoldwasser() sage: p = 499; q = 547 sage: C = ([[0, 0, 1, 0], [0, 0, 0, 0], [1, 1, 0, 0], [1, 1, 1, 0], [0, 1, 0, 0]], 139680) sage: K = bg.private_key(p, q); K (499, 547, -57, 52) sage: P = bg.decrypt(C, K); P [[1, 0, 0, 1], [1, 1, 0, 0], [0, 0, 0, 1], [0, 0, 0, 0], [1, 1, 0, 0]] Convert the plaintext sub-blocks into a binary string:: sage: bin = BinaryStrings() sage: bin(flatten(P)) 10011100000100001100 Decrypt a longer ciphertext and convert the resulting plaintext into an ASCII string:: sage: from sage.crypto.public_key.blum_goldwasser import BlumGoldwasser sage: from sage.crypto.util import bin_to_ascii sage: bg = BlumGoldwasser() sage: p = 78307; q = 412487 sage: K = bg.private_key(p, q) sage: C = ([[1, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0], \ ....: [1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 0, 0, 0, 0, 1, 1], \ ....: [0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 0, 0], \ ....: [0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1], \ ....: [1, 0, 0, 1, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0], \ ....: [0, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 1, 0, 1], \ ....: [1, 1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0], \ ....: [1, 1, 0, 0, 0, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 1], \ ....: [0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0], \ ....: [1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 0, 1, 0, 1], \ ....: [1, 1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1], \ ....: [1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 0, 0, 1, 0], \ ....: [0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1]], 3479653279) sage: P = bg.decrypt(C, K) sage: bin_to_ascii(flatten(P)) 'Blum-Goldwasser encryption' TESTS: The private key `K = (p, q, a, b)` must be such that `p` and `q` are distinct Blum primes. Even if `p` and `q` pass this criterion, they must also satisfy the requirement `\gcd(p, q) = ap + bq = 1`. :: sage: from sage.crypto.public_key.blum_goldwasser import BlumGoldwasser sage: bg = BlumGoldwasser() sage: C = ([[0, 0, 1, 0], [0, 0, 0, 0], [1, 1, 0, 0], [1, 1, 1, 0], [0, 1, 0, 0]], 139680) sage: K = (7, 7, 1, 2) sage: bg.decrypt(C, K) Traceback (most recent call last): ... ValueError: p and q must be distinct Blum primes. sage: K = (7, 23, 1, 2) sage: bg.decrypt(C, K) Traceback (most recent call last): ... ValueError: a and b must satisfy gcd(p, q) = ap + bq = 1. sage: K = (11, 29, 8, -3) sage: bg.decrypt(C, K) Traceback (most recent call last): ... ValueError: p and q must be distinct Blum primes. """ # ciphertext c = C[0] xt1 = C[-1] # number of ciphertext sub-blocks t = len(c) # length of each ciphertext sub-block h = len(c[0]) # private key p, q, a, b = K # public key n = p * q # sanity checks if p == q: raise ValueError("p and q must be distinct Blum primes.") if (a*p + b*q) != 1: raise ValueError("a and b must satisfy gcd(p, q) = ap + bq = 1.") if (not is_blum_prime(p)) or (not is_blum_prime(q)): raise ValueError("p and q must be distinct Blum primes.") # prepare to decrypt d1 = power_mod((p + 1) // 4, t + 1, p - 1) d2 = power_mod((q + 1) // 4, t + 1, q - 1) u = power_mod(xt1, d1, p) v = power_mod(xt1, d2, q) x0 = mod(v*a*p + u*b*q, n).lift() # perform the decryption M = [] for i in range(t): x1 = power_mod(x0, 2, n) p = least_significant_bits(x1, h) M.append(list(map(xor, p, c[i]))) x0 = x1 return M
def _normalize_2x2(G): r""" Normalize this indecomposable `2` by `2` block. INPUT: ``G`` - a `2` by `2` matrix over `\ZZ_p` with ``type = 'fixed-mod'`` of the form:: [2a b] [ b 2c] * 2^n with `b` of valuation 1. OUTPUT: A unimodular `2` by `2` matrix ``B`` over `\ZZ_p` with ``B * G * B.transpose()`` either:: [0 1] [2 1] [1 0] * 2^n or [1 2] * 2^n EXAMPLES:: sage: from sage.quadratic_forms.genera.normal_form import _normalize_2x2 sage: R = Zp(2, prec = 15, type = 'fixed-mod', print_mode='series', show_prec=False) sage: G = Matrix(R, 2, [-17*2,3,3,23*2]) sage: B =_normalize_2x2(G) sage: B * G * B.T [2 1] [1 2] sage: G = Matrix(R,2,[-17*4,3,3,23*2]) sage: B = _normalize_2x2(G) sage: B*G*B.T [0 1] [1 0] sage: G = 2^3 * Matrix(R, 2, [-17*2,3,3,23*2]) sage: B = _normalize_2x2(G) sage: B * G * B.T [2^4 2^3] [2^3 2^4] """ from sage.rings.all import PolynomialRing from sage.modules.free_module_element import vector B = copy(G.parent().identity_matrix()) R = G.base_ring() P = PolynomialRing(R, 'x') x = P.gen() # The input must be an even block odd1 = (G[0, 0].valuation() < G[1, 0].valuation()) odd2 = (G[1, 1].valuation() < G[1, 0].valuation()) if odd1 or odd2: raise ValueError("Not a valid 2 x 2 block.") scale = 2**G[0, 1].valuation() D = Matrix(R, 2, 2, [d // scale for d in G.list()]) # now D is of the form # [2a b ] # [b 2c] # where b has valuation 1. G = copy(D) # Make sure G[1, 1] has valuation 1. if D[1, 1].valuation() > D[0, 0].valuation(): B.swap_columns(0, 1) D.swap_columns(0, 1) D.swap_rows(0, 1) if D[1, 1].valuation() != 1: # this works because # D[0, 0] has valuation at least 2 B[1, :] += B[0, :] D = B * G * B.transpose() assert D[1, 1].valuation() == 1 if mod(D.det(), 8) == 3: # in this case we can transform D to # 2 1 # 1 2 # Find a point of norm 2 # solve: 2 == D[1,1]*x^2 + 2*D[1,0]*x + D[0,0] pol = (D[1, 1] * x**2 + 2 * D[1, 0] * x + D[0, 0] - 2) // 2 # somehow else pari can get a hickup see trac #24065 pol = pol // pol.leading_coefficient() sol = pol.roots()[0][0] B[0, 1] = sol D = B * G * B.transpose() # make D[0, 1] = 1 B[1, :] *= D[1, 0].inverse_of_unit() D = B * G * B.transpose() # solve: v*D*v == 2 with v = (x, -2*x+1) if D[1, 1] != 2: v = vector([x, -2 * x + 1]) pol = (v * D * v - 2) // 2 # somehow else pari can get a hickup see trac #24065 pol = pol // pol.leading_coefficient() sol = pol.roots()[0][0] B[1, :] = sol * B[0, :] + (-2 * sol + 1) * B[1, :] D = B * G * B.transpose() # check the result assert D == Matrix(G.parent(), 2, 2, [2, 1, 1, 2]), "D1 \n %r" % D elif mod(D.det(), 8) == 7: # in this case we can transform D to # 0 1 # 1 0 # Find a point representing 0 # solve: 0 == D[1,1]*x^2 + 2*D[1,0]*x + D[0,0] pol = (D[1, 1] * x**2 + 2 * D[1, 0] * x + D[0, 0]) // 2 # somehow else pari can get a hickup, see trac #24065 pol = pol // pol.leading_coefficient() sol = pol.roots()[0][0] B[0, :] += sol * B[1, :] D = B * G * B.transpose() # make the second basis vector have 0 square as well. B[1, :] = B[1, :] - D[1, 1] // (2 * D[0, 1]) * B[0, :] D = B * G * B.transpose() # rescale to get D[0,1] = 1 B[0, :] *= D[1, 0].inverse_of_unit() D = B * G * B.transpose() # check the result assert D == Matrix(G.parent(), 2, 2, [0, 1, 1, 0]), "D2 \n %r" % D return B
def encrypt(self, P, K, seed=None): r""" Apply the Blum-Goldwasser scheme to encrypt the plaintext ``P`` using the public key ``K``. INPUT: - ``P`` -- a non-empty string of plaintext. The string ``""`` is an empty string, whereas ``" "`` is a string consisting of one white space character. The plaintext can be a binary string or a string of ASCII characters. Where ``P`` is an ASCII string, then ``P`` is first encoded as a binary string prior to encryption. - ``K`` -- a public key, which is the product of two Blum primes. - ``seed`` -- (default: ``None``) if `p` and `q` are Blum primes and `n = pq` is a public key, then ``seed`` is a quadratic residue in the multiplicative group `(\ZZ/n\ZZ)^{\ast}`. If ``seed=None``, then the function would generate its own random quadratic residue in `(\ZZ/n\ZZ)^{\ast}`. Where a value for ``seed`` is provided, it is your responsibility to ensure that the seed is a quadratic residue in the multiplicative group `(\ZZ/n\ZZ)^{\ast}`. OUTPUT: - The ciphertext resulting from encrypting ``P`` using the public key ``K``. The ciphertext `C` is of the form `C = (c_1, c_2, \dots, c_t, x_{t+1})`. Each `c_i` is a sub-block of binary string and `x_{t+1}` is the result of the `t+1`-th iteration of the Blum-Blum-Shub algorithm. ALGORITHM: The Blum-Goldwasser encryption algorithm is described in Algorithm 8.56, page 309 of [MvOV1996]_. The algorithm works as follows: #. Let `n` be a public key, where `n = pq` is the product of two distinct Blum primes `p` and `q`. #. Let `k = \lfloor \log_2(n) \rfloor` and `h = \lfloor \log_2(k) \rfloor`. #. Let `m = m_1 m_2 \cdots m_t` be the message (plaintext) where each `m_i` is a binary string of length `h`. #. Choose a random seed `x_0`, which is a quadratic residue in the multiplicative group `(\ZZ/n\ZZ)^{\ast}`. That is, choose a random `r \in (\ZZ/n\ZZ)^{\ast}` and compute `x_0 = r^2 \bmod n`. #. For `i` from 1 to `t`, do: #. Let `x_i = x_{i-1}^2 \bmod n`. #. Let `p_i` be the `h` least significant bits of `x_i`. #. Let `c_i = p_i \oplus m_i`. #. Compute `x_{t+1} = x_t^2 \bmod n`. #. The ciphertext is `c = (c_1, c_2, \dots, c_t, x_{t+1})`. The value `h` in the algorithm is the sub-block length. If the binary string representing the message cannot be divided into blocks of length `h` each, then other sub-block lengths would be used instead. The sub-block lengths to fall back on are in the following order: 16, 8, 4, 2, 1. EXAMPLES: The following encryption example is taken from Example 8.57, pages 309--310 of [MvOV1996]_. Here, we encrypt a binary string:: sage: from sage.crypto.public_key.blum_goldwasser import BlumGoldwasser sage: bg = BlumGoldwasser() sage: p = 499; q = 547; n = p * q sage: P = "10011100000100001100" sage: C = bg.encrypt(P, n, seed=159201); C ([[0, 0, 1, 0], [0, 0, 0, 0], [1, 1, 0, 0], [1, 1, 1, 0], [0, 1, 0, 0]], 139680) Convert the ciphertext sub-blocks into a binary string:: sage: bin = BinaryStrings() sage: bin(flatten(C[0])) 00100000110011100100 Now encrypt an ASCII string. The result is random; no seed is provided to the encryption function so the function generates its own random seed:: sage: from sage.crypto.public_key.blum_goldwasser import BlumGoldwasser sage: bg = BlumGoldwasser() sage: K = 32300619509 sage: P = "Blum-Goldwasser encryption" sage: bg.encrypt(P, K) # random ([[1, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0], \ [1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 0, 0, 0, 0, 1, 1], \ [0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 0, 0], \ [0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1], \ [1, 0, 0, 1, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0], \ [0, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 1, 0, 1], \ [1, 1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0], \ [1, 1, 0, 0, 0, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 1], \ [0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0], \ [1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 0, 1, 0, 1], \ [1, 1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1], \ [1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 0, 0, 1, 0], \ [0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1]], 3479653279) TESTS: The plaintext cannot be an empty string. :: sage: from sage.crypto.public_key.blum_goldwasser import BlumGoldwasser sage: bg = BlumGoldwasser() sage: bg.encrypt("", 3) Traceback (most recent call last): ... ValueError: The plaintext cannot be an empty string. """ # sanity check if P == "": raise ValueError("The plaintext cannot be an empty string.") n = K k = floor(log(n, base=2)) h = floor(log(k, base=2)) bin = BinaryStrings() M = "" try: # the plaintext is a binary string M = bin(P) except TypeError: # encode the plaintext as a binary string # An exception might be raised here if P cannot be encoded as a # binary string. M = bin.encoding(P) # the number of plaintext sub-blocks; each sub-block has length h t = 0 try: # Attempt to use t and h values from the algorithm described # in [MvOV1996]. t = len(M) / h # If the following raises an exception, then we can't use # the t and h values specified by [MvOV1996]. mod(len(M), t) # fall back to using other sub-block lengths except TypeError: # sub-blocks of length h = 16 if mod(len(M), 16) == 0: h = 16 t = len(M) // h # sub-blocks of length h = 8 elif mod(len(M), 8) == 0: h = 8 t = len(M) // h # sub-blocks of length h = 4 elif mod(len(M), 4) == 0: h = 4 t = len(M) // h # sub-blocks of length h = 2 elif mod(len(M), 2) == 0: h = 2 t = len(M) // h # sub-blocks of length h = 1 else: h = 1 t = len(M) // h # If no seed is provided, select a random seed. x0 = seed if seed is None: zmod = IntegerModRing(n) # K = n = pq r = zmod.random_element().lift() while gcd(r, n) != 1: r = zmod.random_element().lift() x0 = power_mod(r, 2, n) # perform the encryption to_int = lambda x: int(str(x)) C = [] for i in range(t): x1 = power_mod(x0, 2, n) p = least_significant_bits(x1, h) # xor p with a sub-block of length h. There are t sub-blocks of # length h each. C.append(list(map(xor, p, [to_int(_) for _ in M[i*h : (i+1)*h]]))) x0 = x1 x1 = power_mod(x0, 2, n) return (C, x1)