def defining_polynomials(self):
"""
Return the pair of products of cyclotomic polynomials.
EXAMPLES::
sage: from sage.modular.hypergeometric_motive import HypergeometricData as Hyp
sage: Hyp(alpha_beta=([1/4,3/4],[0,0])).defining_polynomials()
(x^2 + 1, x^2 - 2*x + 1)
"""
up = prod(cyclotomic_polynomial(d) for d in self._cyclo_up)
down = prod(cyclotomic_polynomial(d) for d in self._cyclo_down)
return (up, down)
def defining_polynomials(self):
"""
Return the pair of products of cyclotomic polynomials.
EXAMPLES::
sage: from sage.modular.hypergeometric_motive import HypergeometricData as Hyp
sage: Hyp(alpha_beta=([1/4,3/4],[0,0])).defining_polynomials()
(x^2 + 1, x^2 - 2*x + 1)
"""
up = prod(cyclotomic_polynomial(d) for d in self._cyclo_up)
down = prod(cyclotomic_polynomial(d) for d in self._cyclo_down)
return (up, down)
def __init__(self, N, q, D, poly=None, secret_dist='uniform', m=None):
"""
Construct a Ring-LWE oracle in dimension ``n=phi(N)`` over a ring of order
``q`` with noise distribution ``D``.
INPUT:
- ``N`` - index of cyclotomic polynomial (integer > 0, must be power of 2)
- ``q`` - modulus typically > N (integer > 0)
- ``D`` - an error distribution such as an instance of
:class:`DiscreteGaussianDistributionPolynomialSampler` or :class:`UniformSampler`
- ``poly`` - a polynomial of degree ``phi(N)``. If ``None`` the
cyclotomic polynomial used (default: ``None``).
- ``secret_dist`` - distribution of the secret. See documentation of
:class:`LWE` for details (default='uniform')
- ``m`` - number of allowed samples or ``None`` if no such limit exists
(default: ``None``)
EXAMPLES::
sage: from sage.crypto.lwe import RingLWE
sage: from sage.stats.distributions.discrete_gaussian_polynomial import DiscreteGaussianDistributionPolynomialSampler
sage: D = DiscreteGaussianDistributionPolynomialSampler(ZZ['x'], n=euler_phi(20), sigma=3.0)
sage: RingLWE(N=20, q=next_prime(800), D=D)
RingLWE(20, 809, Discrete Gaussian sampler for polynomials of degree < 8 with σ=3.000000 in each component, x^8 - x^6 + x^4 - x^2 + 1, 'uniform', None)
"""
self.N = ZZ(N)
self.n = euler_phi(N)
self.m = m
self.__i = 0
self.K = IntegerModRing(q)
if self.n != D.n:
raise ValueError("Noise distribution has dimensions %d != %d" %
(D.n, self.n))
self.D = D
self.q = q
if poly is not None:
self.poly = poly
else:
self.poly = cyclotomic_polynomial(self.N, 'x')
self.R_q = self.K['x'].quotient(self.poly, 'x')
self.secret_dist = secret_dist
if secret_dist == 'uniform':
self.__s = self.R_q.random_element() # uniform sampling of secret
elif secret_dist == 'noise':
self.__s = self.D()
else:
raise TypeError("Parameter secret_dist=%s not understood." %
(secret_dist))
def __init__(self, N, q, D, poly=None, secret_dist='uniform', m=None):
"""
Construct a Ring-LWE oracle in dimension ``n=phi(N)`` over a ring of order
``q`` with noise distribution ``D``.
INPUT:
- ``N`` - index of cyclotomic polynomial (integer > 0, must be power of 2)
- ``q`` - modulus typically > N (integer > 0)
- ``D`` - an error distribution such as an instance of
:class:`DiscreteGaussianDistributionPolynomialSampler` or :class:`UniformSampler`
- ``poly`` - a polynomial of degree ``phi(N)``. If ``None`` the
cyclotomic polynomial used (default: ``None``).
- ``secret_dist`` - distribution of the secret. See documentation of
:class:`LWE` for details (default='uniform')
- ``m`` - number of allowed samples or ``None`` if no such limit exists
(default: ``None``)
EXAMPLES::
sage: from sage.crypto.lwe import RingLWE
sage: from sage.stats.distributions.discrete_gaussian_polynomial import DiscreteGaussianDistributionPolynomialSampler
sage: D = DiscreteGaussianDistributionPolynomialSampler(ZZ['x'], n=euler_phi(20), sigma=3.0)
sage: RingLWE(N=20, q=next_prime(800), D=D)
RingLWE(20, 809, Discrete Gaussian sampler for polynomials of degree < 8 with σ=3.000000 in each component, x^8 - x^6 + x^4 - x^2 + 1, 'uniform', None)
"""
self.N = ZZ(N)
self.n = euler_phi(N)
self.m = m
self.__i = 0
self.K = IntegerModRing(q)
if self.n != D.n:
raise ValueError("Noise distribution has dimensions %d != %d"%(D.n, self.n))
self.D = D
self.q = q
if poly is not None:
self.poly = poly
else:
self.poly = cyclotomic_polynomial(self.N, 'x')
self.R_q = self.K['x'].quotient(self.poly, 'x')
self.secret_dist = secret_dist
if secret_dist == 'uniform':
self.__s = self.R_q.random_element() # uniform sampling of secret
elif secret_dist == 'noise':
self.__s = self.D()
else:
raise TypeError("Parameter secret_dist=%s not understood."%(secret_dist))
def gen_lattice(type='modular', n=4, m=8, q=11, seed=None,
quotient=None, dual=False, ntl=False, lattice=False):
"""
This function generates different types of integral lattice bases
of row vectors relevant in cryptography.
Randomness can be set either with ``seed``, or by using
:func:`sage.misc.randstate.set_random_seed`.
INPUT:
- ``type`` -- one of the following strings
- ``'modular'`` (default) -- A class of lattices for which
asymptotic worst-case to average-case connections hold. For
more refer to [A96]_.
- ``'random'`` -- Special case of modular (n=1). A dense class
of lattice used for testing basis reduction algorithms
proposed by Goldstein and Mayer [GM02]_.
- ``'ideal'`` -- Special case of modular. Allows for a more
compact representation proposed by [LM06]_.
- ``'cyclotomic'`` -- Special case of ideal. Allows for
efficient processing proposed by [LM06]_.
- ``n`` -- Determinant size, primal:`det(L) = q^n`, dual:`det(L) = q^{m-n}`.
For ideal lattices this is also the degree of the quotient polynomial.
- ``m`` -- Lattice dimension, `L \subseteq Z^m`.
- ``q`` -- Coefficient size, `q-Z^m \subseteq L`.
- ``seed`` -- Randomness seed.
- ``quotient`` -- For the type ideal, this determines the quotient
polynomial. Ignored for all other types.
- ``dual`` -- Set this flag if you want a basis for `q-dual(L)`, for example
for Regev's LWE bases [R05]_.
- ``ntl`` -- Set this flag if you want the lattice basis in NTL readable
format.
- ``lattice`` -- Set this flag if you want a
:class:`FreeModule_submodule_with_basis_integer` object instead
of an integer matrix representing the basis.
OUTPUT: ``B`` a unique size-reduced triangular (primal: lower_left,
dual: lower_right) basis of row vectors for the lattice in question.
EXAMPLES:
Modular basis::
sage: sage.crypto.gen_lattice(m=10, seed=42)
[11 0 0 0 0 0 0 0 0 0]
[ 0 11 0 0 0 0 0 0 0 0]
[ 0 0 11 0 0 0 0 0 0 0]
[ 0 0 0 11 0 0 0 0 0 0]
[ 2 4 3 5 1 0 0 0 0 0]
[ 1 -5 -4 2 0 1 0 0 0 0]
[-4 3 -1 1 0 0 1 0 0 0]
[-2 -3 -4 -1 0 0 0 1 0 0]
[-5 -5 3 3 0 0 0 0 1 0]
[-4 -3 2 -5 0 0 0 0 0 1]
Random basis::
sage: sage.crypto.gen_lattice(type='random', n=1, m=10, q=11^4, seed=42)
[14641 0 0 0 0 0 0 0 0 0]
[ 431 1 0 0 0 0 0 0 0 0]
[-4792 0 1 0 0 0 0 0 0 0]
[ 1015 0 0 1 0 0 0 0 0 0]
[-3086 0 0 0 1 0 0 0 0 0]
[-5378 0 0 0 0 1 0 0 0 0]
[ 4769 0 0 0 0 0 1 0 0 0]
[-1159 0 0 0 0 0 0 1 0 0]
[ 3082 0 0 0 0 0 0 0 1 0]
[-4580 0 0 0 0 0 0 0 0 1]
Ideal bases with quotient x^n-1, m=2*n are NTRU bases::
sage: sage.crypto.gen_lattice(type='ideal', seed=42, quotient=x^4-1)
[11 0 0 0 0 0 0 0]
[ 0 11 0 0 0 0 0 0]
[ 0 0 11 0 0 0 0 0]
[ 0 0 0 11 0 0 0 0]
[ 4 -2 -3 -3 1 0 0 0]
[-3 4 -2 -3 0 1 0 0]
[-3 -3 4 -2 0 0 1 0]
[-2 -3 -3 4 0 0 0 1]
Ideal bases also work with polynomials::
sage: R.<t> = PolynomialRing(ZZ)
sage: sage.crypto.gen_lattice(type='ideal', seed=1234, quotient=t^4-1)
[11 0 0 0 0 0 0 0]
[ 0 11 0 0 0 0 0 0]
[ 0 0 11 0 0 0 0 0]
[ 0 0 0 11 0 0 0 0]
[ 4 1 4 -3 1 0 0 0]
[-3 4 1 4 0 1 0 0]
[ 4 -3 4 1 0 0 1 0]
[ 1 4 -3 4 0 0 0 1]
Cyclotomic bases with n=2^k are SWIFFT bases::
sage: sage.crypto.gen_lattice(type='cyclotomic', seed=42)
[11 0 0 0 0 0 0 0]
[ 0 11 0 0 0 0 0 0]
[ 0 0 11 0 0 0 0 0]
[ 0 0 0 11 0 0 0 0]
[ 4 -2 -3 -3 1 0 0 0]
[ 3 4 -2 -3 0 1 0 0]
[ 3 3 4 -2 0 0 1 0]
[ 2 3 3 4 0 0 0 1]
Dual modular bases are related to Regev's famous public-key
encryption [R05]_::
sage: sage.crypto.gen_lattice(type='modular', m=10, seed=42, dual=True)
[ 0 0 0 0 0 0 0 0 0 11]
[ 0 0 0 0 0 0 0 0 11 0]
[ 0 0 0 0 0 0 0 11 0 0]
[ 0 0 0 0 0 0 11 0 0 0]
[ 0 0 0 0 0 11 0 0 0 0]
[ 0 0 0 0 11 0 0 0 0 0]
[ 0 0 0 1 -5 -2 -1 1 -3 5]
[ 0 0 1 0 -3 4 1 4 -3 -2]
[ 0 1 0 0 -4 5 -3 3 5 3]
[ 1 0 0 0 -2 -1 4 2 5 4]
Relation of primal and dual bases::
sage: B_primal=sage.crypto.gen_lattice(m=10, q=11, seed=42)
sage: B_dual=sage.crypto.gen_lattice(m=10, q=11, seed=42, dual=True)
sage: B_dual_alt=transpose(11*B_primal.inverse()).change_ring(ZZ)
sage: B_dual_alt.hermite_form() == B_dual.hermite_form()
True
TESTS:
Test some bad quotient polynomials::
sage: sage.crypto.gen_lattice(type='ideal', seed=1234, quotient=cos(x))
Traceback (most recent call last):
...
TypeError: unable to convert cos(x) to an integer
sage: sage.crypto.gen_lattice(type='ideal', seed=1234, quotient=x^23-1)
Traceback (most recent call last):
...
ValueError: ideal basis requires n = quotient.degree()
sage: R.<u,v> = ZZ[]
sage: sage.crypto.gen_lattice(type='ideal', seed=1234, quotient=u+v)
Traceback (most recent call last):
...
TypeError: quotient should be a univariate polynomial
We are testing output format choices::
sage: sage.crypto.gen_lattice(m=10, q=11, seed=42)
[11 0 0 0 0 0 0 0 0 0]
[ 0 11 0 0 0 0 0 0 0 0]
[ 0 0 11 0 0 0 0 0 0 0]
[ 0 0 0 11 0 0 0 0 0 0]
[ 2 4 3 5 1 0 0 0 0 0]
[ 1 -5 -4 2 0 1 0 0 0 0]
[-4 3 -1 1 0 0 1 0 0 0]
[-2 -3 -4 -1 0 0 0 1 0 0]
[-5 -5 3 3 0 0 0 0 1 0]
[-4 -3 2 -5 0 0 0 0 0 1]
sage: sage.crypto.gen_lattice(m=10, q=11, seed=42, ntl=True)
[
[11 0 0 0 0 0 0 0 0 0]
[0 11 0 0 0 0 0 0 0 0]
[0 0 11 0 0 0 0 0 0 0]
[0 0 0 11 0 0 0 0 0 0]
[2 4 3 5 1 0 0 0 0 0]
[1 -5 -4 2 0 1 0 0 0 0]
[-4 3 -1 1 0 0 1 0 0 0]
[-2 -3 -4 -1 0 0 0 1 0 0]
[-5 -5 3 3 0 0 0 0 1 0]
[-4 -3 2 -5 0 0 0 0 0 1]
]
sage: sage.crypto.gen_lattice(m=10, q=11, seed=42, lattice=True)
Free module of degree 10 and rank 10 over Integer Ring
User basis matrix:
[ 0 0 1 1 0 -1 -1 -1 1 0]
[-1 1 0 1 0 1 1 0 1 1]
[-1 0 0 0 -1 1 1 -2 0 0]
[-1 -1 0 1 1 0 0 1 1 -1]
[ 1 0 -1 0 0 0 -2 -2 0 0]
[ 2 -1 0 0 1 0 1 0 0 -1]
[-1 1 -1 0 1 -1 1 0 -1 -2]
[ 0 0 -1 3 0 0 0 -1 -1 -1]
[ 0 -1 0 -1 2 0 -1 0 0 2]
[ 0 1 1 0 1 1 -2 1 -1 -2]
REFERENCES:
.. [A96] Miklos Ajtai.
Generating hard instances of lattice problems (extended abstract).
STOC, pp. 99--108, ACM, 1996.
.. [GM02] Daniel Goldstein and Andrew Mayer.
On the equidistribution of Hecke points.
Forum Mathematicum, 15:2, pp. 165--189, De Gruyter, 2003.
.. [LM06] Vadim Lyubashevsky and Daniele Micciancio.
Generalized compact knapsacks are collision resistant.
ICALP, pp. 144--155, Springer, 2006.
.. [R05] Oded Regev.
On lattices, learning with errors, random linear codes, and cryptography.
STOC, pp. 84--93, ACM, 2005.
"""
from sage.rings.finite_rings.integer_mod_ring import IntegerModRing
from sage.matrix.constructor import identity_matrix, block_matrix
from sage.matrix.matrix_space import MatrixSpace
from sage.rings.integer_ring import IntegerRing
if seed is not None:
from sage.misc.randstate import set_random_seed
set_random_seed(seed)
if type == 'random':
if n != 1: raise ValueError('random bases require n = 1')
ZZ = IntegerRing()
ZZ_q = IntegerModRing(q)
A = identity_matrix(ZZ_q, n)
if type == 'random' or type == 'modular':
R = MatrixSpace(ZZ_q, m-n, n)
A = A.stack(R.random_element())
elif type == 'ideal':
if quotient is None:
raise ValueError('ideal bases require a quotient polynomial')
try:
quotient = quotient.change_ring(ZZ_q)
except (AttributeError, TypeError):
quotient = quotient.polynomial(base_ring=ZZ_q)
P = quotient.parent()
# P should be a univariate polynomial ring over ZZ_q
if not is_PolynomialRing(P):
raise TypeError("quotient should be a univariate polynomial")
assert P.base_ring() is ZZ_q
if quotient.degree() != n:
raise ValueError('ideal basis requires n = quotient.degree()')
R = P.quotient(quotient)
for i in range(m//n):
A = A.stack(R.random_element().matrix())
elif type == 'cyclotomic':
from sage.arith.all import euler_phi
from sage.misc.functional import cyclotomic_polynomial
# we assume that n+1 <= min( euler_phi^{-1}(n) ) <= 2*n
found = False
for k in range(2*n,n,-1):
if euler_phi(k) == n:
found = True
break
if not found:
raise ValueError("cyclotomic bases require that n "
"is an image of Euler's totient function")
R = ZZ_q['x'].quotient(cyclotomic_polynomial(k, 'x'), 'x')
for i in range(m//n):
A = A.stack(R.random_element().matrix())
# switch from representatives 0,...,(q-1) to (1-q)/2,....,(q-1)/2
def minrep(a):
if abs(a-q) < abs(a): return a-q
else: return a
A_prime = A[n:m].lift().apply_map(minrep)
if not dual:
B = block_matrix([[ZZ(q), ZZ.zero()], [A_prime, ZZ.one()] ],
subdivide=False)
else:
B = block_matrix([[ZZ.one(), -A_prime.transpose()],
[ZZ.zero(), ZZ(q)]], subdivide=False)
for i in range(m//2):
B.swap_rows(i,m-i-1)
if ntl and lattice:
raise ValueError("Cannot specify ntl=True and lattice=True "
"at the same time")
if ntl:
return B._ntl_()
elif lattice:
from sage.modules.free_module_integer import IntegerLattice
return IntegerLattice(B)
else:
return B
def gen_lattice(type='modular', n=4, m=8, q=11, seed=None,
quotient=None, dual=False, ntl=False, lattice=False):
r"""
This function generates different types of integral lattice bases
of row vectors relevant in cryptography.
Randomness can be set either with ``seed``, or by using
:func:`sage.misc.randstate.set_random_seed`.
INPUT:
- ``type`` -- one of the following strings
- ``'modular'`` (default) -- A class of lattices for which
asymptotic worst-case to average-case connections hold. For
more refer to [Aj1996]_.
- ``'random'`` -- Special case of modular (n=1). A dense class
of lattice used for testing basis reduction algorithms
proposed by Goldstein and Mayer [GM2002]_.
- ``'ideal'`` -- Special case of modular. Allows for a more
compact representation proposed by [LM2006]_.
- ``'cyclotomic'`` -- Special case of ideal. Allows for
efficient processing proposed by [LM2006]_.
- ``n`` -- Determinant size, primal:`det(L) = q^n`, dual:`det(L) = q^{m-n}`.
For ideal lattices this is also the degree of the quotient polynomial.
- ``m`` -- Lattice dimension, `L \subseteq Z^m`.
- ``q`` -- Coefficient size, `q-Z^m \subseteq L`.
- ``seed`` -- Randomness seed.
- ``quotient`` -- For the type ideal, this determines the quotient
polynomial. Ignored for all other types.
- ``dual`` -- Set this flag if you want a basis for `q-dual(L)`, for example
for Regev's LWE bases [Reg2005]_.
- ``ntl`` -- Set this flag if you want the lattice basis in NTL readable
format.
- ``lattice`` -- Set this flag if you want a
:class:`FreeModule_submodule_with_basis_integer` object instead
of an integer matrix representing the basis.
OUTPUT: ``B`` a unique size-reduced triangular (primal: lower_left,
dual: lower_right) basis of row vectors for the lattice in question.
EXAMPLES:
Modular basis::
sage: sage.crypto.gen_lattice(m=10, seed=42)
[11 0 0 0 0 0 0 0 0 0]
[ 0 11 0 0 0 0 0 0 0 0]
[ 0 0 11 0 0 0 0 0 0 0]
[ 0 0 0 11 0 0 0 0 0 0]
[ 2 4 3 5 1 0 0 0 0 0]
[ 1 -5 -4 2 0 1 0 0 0 0]
[-4 3 -1 1 0 0 1 0 0 0]
[-2 -3 -4 -1 0 0 0 1 0 0]
[-5 -5 3 3 0 0 0 0 1 0]
[-4 -3 2 -5 0 0 0 0 0 1]
Random basis::
sage: sage.crypto.gen_lattice(type='random', n=1, m=10, q=11^4, seed=42)
[14641 0 0 0 0 0 0 0 0 0]
[ 431 1 0 0 0 0 0 0 0 0]
[-4792 0 1 0 0 0 0 0 0 0]
[ 1015 0 0 1 0 0 0 0 0 0]
[-3086 0 0 0 1 0 0 0 0 0]
[-5378 0 0 0 0 1 0 0 0 0]
[ 4769 0 0 0 0 0 1 0 0 0]
[-1159 0 0 0 0 0 0 1 0 0]
[ 3082 0 0 0 0 0 0 0 1 0]
[-4580 0 0 0 0 0 0 0 0 1]
Ideal bases with quotient x^n-1, m=2*n are NTRU bases::
sage: sage.crypto.gen_lattice(type='ideal', seed=42, quotient=x^4-1)
[11 0 0 0 0 0 0 0]
[ 0 11 0 0 0 0 0 0]
[ 0 0 11 0 0 0 0 0]
[ 0 0 0 11 0 0 0 0]
[-2 -3 -3 4 1 0 0 0]
[ 4 -2 -3 -3 0 1 0 0]
[-3 4 -2 -3 0 0 1 0]
[-3 -3 4 -2 0 0 0 1]
Ideal bases also work with polynomials::
sage: R.<t> = PolynomialRing(ZZ)
sage: sage.crypto.gen_lattice(type='ideal', seed=1234, quotient=t^4-1)
[11 0 0 0 0 0 0 0]
[ 0 11 0 0 0 0 0 0]
[ 0 0 11 0 0 0 0 0]
[ 0 0 0 11 0 0 0 0]
[ 1 4 -3 3 1 0 0 0]
[ 3 1 4 -3 0 1 0 0]
[-3 3 1 4 0 0 1 0]
[ 4 -3 3 1 0 0 0 1]
Cyclotomic bases with n=2^k are SWIFFT bases::
sage: sage.crypto.gen_lattice(type='cyclotomic', seed=42)
[11 0 0 0 0 0 0 0]
[ 0 11 0 0 0 0 0 0]
[ 0 0 11 0 0 0 0 0]
[ 0 0 0 11 0 0 0 0]
[-2 -3 -3 4 1 0 0 0]
[-4 -2 -3 -3 0 1 0 0]
[ 3 -4 -2 -3 0 0 1 0]
[ 3 3 -4 -2 0 0 0 1]
Dual modular bases are related to Regev's famous public-key
encryption [Reg2005]_::
sage: sage.crypto.gen_lattice(type='modular', m=10, seed=42, dual=True)
[ 0 0 0 0 0 0 0 0 0 11]
[ 0 0 0 0 0 0 0 0 11 0]
[ 0 0 0 0 0 0 0 11 0 0]
[ 0 0 0 0 0 0 11 0 0 0]
[ 0 0 0 0 0 11 0 0 0 0]
[ 0 0 0 0 11 0 0 0 0 0]
[ 0 0 0 1 -5 -2 -1 1 -3 5]
[ 0 0 1 0 -3 4 1 4 -3 -2]
[ 0 1 0 0 -4 5 -3 3 5 3]
[ 1 0 0 0 -2 -1 4 2 5 4]
Relation of primal and dual bases::
sage: B_primal=sage.crypto.gen_lattice(m=10, q=11, seed=42)
sage: B_dual=sage.crypto.gen_lattice(m=10, q=11, seed=42, dual=True)
sage: B_dual_alt=transpose(11*B_primal.inverse()).change_ring(ZZ)
sage: B_dual_alt.hermite_form() == B_dual.hermite_form()
True
TESTS:
Test some bad quotient polynomials::
sage: sage.crypto.gen_lattice(type='ideal', seed=1234, quotient=cos(x))
Traceback (most recent call last):
...
TypeError: unable to convert cos(x) to an integer
sage: sage.crypto.gen_lattice(type='ideal', seed=1234, quotient=x^23-1)
Traceback (most recent call last):
...
ValueError: ideal basis requires n = quotient.degree()
sage: R.<u,v> = ZZ[]
sage: sage.crypto.gen_lattice(type='ideal', seed=1234, quotient=u+v)
Traceback (most recent call last):
...
TypeError: quotient should be a univariate polynomial
We are testing output format choices::
sage: sage.crypto.gen_lattice(m=10, q=11, seed=42)
[11 0 0 0 0 0 0 0 0 0]
[ 0 11 0 0 0 0 0 0 0 0]
[ 0 0 11 0 0 0 0 0 0 0]
[ 0 0 0 11 0 0 0 0 0 0]
[ 2 4 3 5 1 0 0 0 0 0]
[ 1 -5 -4 2 0 1 0 0 0 0]
[-4 3 -1 1 0 0 1 0 0 0]
[-2 -3 -4 -1 0 0 0 1 0 0]
[-5 -5 3 3 0 0 0 0 1 0]
[-4 -3 2 -5 0 0 0 0 0 1]
sage: sage.crypto.gen_lattice(m=10, q=11, seed=42, ntl=True)
[
[11 0 0 0 0 0 0 0 0 0]
[0 11 0 0 0 0 0 0 0 0]
[0 0 11 0 0 0 0 0 0 0]
[0 0 0 11 0 0 0 0 0 0]
[2 4 3 5 1 0 0 0 0 0]
[1 -5 -4 2 0 1 0 0 0 0]
[-4 3 -1 1 0 0 1 0 0 0]
[-2 -3 -4 -1 0 0 0 1 0 0]
[-5 -5 3 3 0 0 0 0 1 0]
[-4 -3 2 -5 0 0 0 0 0 1]
]
sage: sage.crypto.gen_lattice(m=10, q=11, seed=42, lattice=True)
Free module of degree 10 and rank 10 over Integer Ring
User basis matrix:
[ 0 0 1 1 0 -1 -1 -1 1 0]
[-1 1 0 1 0 1 1 0 1 1]
[-1 0 0 0 -1 1 1 -2 0 0]
[-1 -1 0 1 1 0 0 1 1 -1]
[ 1 0 -1 0 0 0 -2 -2 0 0]
[ 2 -1 0 0 1 0 1 0 0 -1]
[-1 1 -1 0 1 -1 1 0 -1 -2]
[ 0 0 -1 3 0 0 0 -1 -1 -1]
[ 0 -1 0 -1 2 0 -1 0 0 2]
[ 0 1 1 0 1 1 -2 1 -1 -2]
"""
from sage.rings.finite_rings.integer_mod_ring import IntegerModRing
from sage.matrix.constructor import identity_matrix, block_matrix
from sage.matrix.matrix_space import MatrixSpace
from sage.rings.integer_ring import IntegerRing
if seed is not None:
from sage.misc.randstate import set_random_seed
set_random_seed(seed)
if type == 'random':
if n != 1: raise ValueError('random bases require n = 1')
ZZ = IntegerRing()
ZZ_q = IntegerModRing(q)
A = identity_matrix(ZZ_q, n)
if type == 'random' or type == 'modular':
R = MatrixSpace(ZZ_q, m-n, n)
A = A.stack(R.random_element())
elif type == 'ideal':
if quotient is None:
raise ValueError('ideal bases require a quotient polynomial')
try:
quotient = quotient.change_ring(ZZ_q)
except (AttributeError, TypeError):
quotient = quotient.polynomial(base_ring=ZZ_q)
P = quotient.parent()
# P should be a univariate polynomial ring over ZZ_q
if not is_PolynomialRing(P):
raise TypeError("quotient should be a univariate polynomial")
assert P.base_ring() is ZZ_q
if quotient.degree() != n:
raise ValueError('ideal basis requires n = quotient.degree()')
R = P.quotient(quotient)
for i in range(m//n):
A = A.stack(R.random_element().matrix())
elif type == 'cyclotomic':
from sage.arith.all import euler_phi
from sage.misc.functional import cyclotomic_polynomial
# we assume that n+1 <= min( euler_phi^{-1}(n) ) <= 2*n
found = False
for k in range(2*n,n,-1):
if euler_phi(k) == n:
found = True
break
if not found:
raise ValueError("cyclotomic bases require that n "
"is an image of Euler's totient function")
R = ZZ_q['x'].quotient(cyclotomic_polynomial(k, 'x'), 'x')
for i in range(m//n):
A = A.stack(R.random_element().matrix())
# switch from representatives 0,...,(q-1) to (1-q)/2,....,(q-1)/2
def minrep(a):
if abs(a-q) < abs(a): return a-q
else: return a
A_prime = A[n:m].lift().apply_map(minrep)
if not dual:
B = block_matrix([[ZZ(q), ZZ.zero()], [A_prime, ZZ.one()] ],
subdivide=False)
else:
B = block_matrix([[ZZ.one(), -A_prime.transpose()],
[ZZ.zero(), ZZ(q)]], subdivide=False)
for i in range(m//2):
B.swap_rows(i,m-i-1)
if ntl and lattice:
raise ValueError("Cannot specify ntl=True and lattice=True "
"at the same time")
if ntl:
return B._ntl_()
elif lattice:
from sage.modules.free_module_integer import IntegerLattice
return IntegerLattice(B)
else:
return B
def molien_series(self, chi=None, return_series=True, prec=20, variable='t'):
r"""
Compute the Molien series of this finite group with respect to the
character ``chi``. It can be returned either as a rational function
in one variable or a power series in one variable. The base field
must be a finite field, the rationals, or a cyclotomic field.
Note that the base field characteristic cannot divide the group
order (i.e., the non-modular case).
ALGORITHM:
For a finite group `G` in characteristic zero we construct the Molien series as
.. MATH::
\frac{1}{|G|}\sum_{g \in G} \frac{\chi(g)}{\text{det}(I-tg)},
where `I` is the identity matrix and `t` an indeterminate.
For characteristic `p` not dividing the order of `G`, let `k` be the base field
and `N` the order of `G`. Define `\lambda` as a primitive `N`-th root of unity over `k`
and `\omega` as a primitive `N`-th root of unity over `\QQ`. For each `g \in G`
define `k_i(g)` to be the positive integer such that
`e_i = \lambda^{k_i(g)}` for each eigenvalue `e_i` of `g`. Then the Molien series
is computed as
.. MATH::
\frac{1}{|G|}\sum_{g \in G} \frac{\chi(g)}{\prod_{i=1}^n(1 - t\omega^{k_i(g)})},
where `t` is an indeterminant. [Dec1998]_
INPUT:
- ``chi`` -- (default: trivial character) a linear group character of this group
- ``return_series`` -- boolean (default: ``True``) if ``True``, then returns
the Molien series as a power series, ``False`` as a rational function
- ``prec`` -- integer (default: 20); power series default precision
- ``variable`` -- string (default: ``'t'``); Variable name for the Molien series
OUTPUT: single variable rational function or power series with integer coefficients
EXAMPLES::
sage: MatrixGroup(matrix(QQ,2,2,[1,1,0,1])).molien_series()
Traceback (most recent call last):
...
NotImplementedError: only implemented for finite groups
sage: MatrixGroup(matrix(GF(3),2,2,[1,1,0,1])).molien_series()
Traceback (most recent call last):
...
NotImplementedError: characteristic cannot divide group order
Tetrahedral Group::
sage: K.<i> = CyclotomicField(4)
sage: Tetra = MatrixGroup([(-1+i)/2,(-1+i)/2, (1+i)/2,(-1-i)/2], [0,i, -i,0])
sage: Tetra.molien_series(prec=30)
1 + t^8 + 2*t^12 + t^16 + 2*t^20 + 3*t^24 + 2*t^28 + O(t^30)
sage: mol = Tetra.molien_series(return_series=False); mol
(t^8 - t^4 + 1)/(t^16 - t^12 - t^4 + 1)
sage: mol.parent()
Fraction Field of Univariate Polynomial Ring in t over Integer Ring
sage: chi = Tetra.character(Tetra.character_table()[1])
sage: Tetra.molien_series(chi, prec=30, variable='u')
u^6 + u^14 + 2*u^18 + u^22 + 2*u^26 + 3*u^30 + 2*u^34 + O(u^36)
sage: chi = Tetra.character(Tetra.character_table()[2])
sage: Tetra.molien_series(chi)
t^10 + t^14 + t^18 + 2*t^22 + 2*t^26 + O(t^30)
::
sage: S3 = MatrixGroup(SymmetricGroup(3))
sage: mol = S3.molien_series(prec=10); mol
1 + t + 2*t^2 + 3*t^3 + 4*t^4 + 5*t^5 + 7*t^6 + 8*t^7 + 10*t^8 + 12*t^9 + O(t^10)
sage: mol.parent()
Power Series Ring in t over Integer Ring
Octahedral Group::
sage: K.<v> = CyclotomicField(8)
sage: a = v-v^3 #sqrt(2)
sage: i = v^2
sage: Octa = MatrixGroup([(-1+i)/2,(-1+i)/2, (1+i)/2,(-1-i)/2], [(1+i)/a,0, 0,(1-i)/a])
sage: Octa.molien_series(prec=30)
1 + t^8 + t^12 + t^16 + t^18 + t^20 + 2*t^24 + t^26 + t^28 + O(t^30)
Icosahedral Group::
sage: K.<v> = CyclotomicField(10)
sage: z5 = v^2
sage: i = z5^5
sage: a = 2*z5^3 + 2*z5^2 + 1 #sqrt(5)
sage: Ico = MatrixGroup([[z5^3,0, 0,z5^2], [0,1, -1,0], [(z5^4-z5)/a, (z5^2-z5^3)/a, (z5^2-z5^3)/a, -(z5^4-z5)/a]])
sage: Ico.molien_series(prec=40)
1 + t^12 + t^20 + t^24 + t^30 + t^32 + t^36 + O(t^40)
::
sage: G = MatrixGroup(CyclicPermutationGroup(3))
sage: chi = G.character(G.character_table()[1])
sage: G.molien_series(chi, prec=10)
t + 2*t^2 + 3*t^3 + 5*t^4 + 7*t^5 + 9*t^6 + 12*t^7 + 15*t^8 + 18*t^9 + 22*t^10 + O(t^11)
::
sage: K = GF(5)
sage: S = MatrixGroup(SymmetricGroup(4))
sage: G = MatrixGroup([matrix(K,4,4,[K(y) for u in m.list() for y in u])for m in S.gens()])
sage: G.molien_series(return_series=False)
1/(t^10 - t^9 - t^8 + 2*t^5 - t^2 - t + 1)
::
sage: i = GF(7)(3)
sage: G = MatrixGroup([[i^3,0,0,-i^3],[i^2,0,0,-i^2]])
sage: chi = G.character(G.character_table()[4])
sage: G.molien_series(chi)
3*t^5 + 6*t^11 + 9*t^17 + 12*t^23 + O(t^25)
"""
if not self.is_finite():
raise NotImplementedError("only implemented for finite groups")
if chi is None:
chi = self.trivial_character()
M = self.matrix_space()
R = FractionField(self.base_ring())
N = self.order()
if R.characteristic() == 0:
P = PolynomialRing(R, variable)
t = P.gen()
#it is possible the character is over a larger cyclotomic field
K = chi.values()[0].parent()
if K.degree() != 1:
if R.degree() != 1:
L = K.composite_fields(R)[0]
else:
L = K
else:
L = R
mol = P(0)
for g in self:
mol += L(chi(g)) / (M.identity_matrix()-t*g.matrix()).det().change_ring(L)
elif R.characteristic().divides(N):
raise NotImplementedError("characteristic cannot divide group order")
else: #char p>0
#find primitive Nth roots of unity over base ring and QQ
F = cyclotomic_polynomial(N).change_ring(R)
w = F.roots(ring=R.algebraic_closure(), multiplicities=False)[0]
#don't need to extend further in this case since the order of
#the roots of unity in the character divide the order of the group
L = CyclotomicField(N, 'v')
v = L.gen()
#construct Molien series
P = PolynomialRing(L, variable)
t = P.gen()
mol = P(0)
for g in self:
#construct Phi
phi = L(chi(g))
for e in g.matrix().eigenvalues():
#find power such that w**n = e
n = 1
while w**n != e and n < N+1:
n += 1
#raise v to that power
phi *= (1-t*v**n)
mol += P(1)/phi
#We know the coefficients will be integers
mol = mol.numerator().change_ring(ZZ) / mol.denominator().change_ring(ZZ)
#divide by group order
mol /= N
if return_series:
PS = PowerSeriesRing(ZZ, variable, default_prec=prec)
return PS(mol)
return mol
def gen_lattice(type='modular', n=4, m=8, q=11, seed=None, \
quotient=None, dual=False, ntl=False):
"""
This function generates different types of integral lattice bases
of row vectors relevant in cryptography.
Randomness can be set either with ``seed``, or by using
:func:`sage.misc.randstate.set_random_seed`.
INPUT:
* ``type`` - one of the following strings
* ``'modular'`` (default). A class of lattices for which
asymptotic worst-case to average-case connections hold. For
more refer to [A96]_.
* ``'random'`` - Special case of modular (n=1). A dense class
of lattice used for testing basis reduction algorithms
proposed by Goldstein and Mayer [GM02]_.
* ``'ideal'`` - Special case of modular. Allows for a more
compact representation proposed by [LM06]_.
* ``'cyclotomic'`` - Special case of ideal. Allows for
efficient processing proposed by [LM06]_.
* ``n`` - Determinant size, primal:`det(L) = q^n`, dual:`det(L) = q^{m-n}`.
For ideal lattices this is also the degree of the quotient polynomial.
* ``m`` - Lattice dimension, `L \subseteq Z^m`.
* ``q`` - Coefficent size, `q*Z^m \subseteq L`.
* ``seed`` - Randomness seed.
* ``quotient`` - For the type ideal, this determines the quotient
polynomial. Ignored for all other types.
* ``dual`` - Set this flag if you want a basis for `q*dual(L)`, for example
for Regev's LWE bases [R05]_.
* ``ntl`` - Set this flag if you want the lattice basis in NTL readable
format.
OUTPUT: ``B`` a unique size-reduced triangular (primal: lower_left,
dual: lower_right) basis of row vectors for the lattice in question.
EXAMPLES:
* Modular basis ::
sage: sage.crypto.gen_lattice(m=10, seed=42)
[11 0 0 0 0 0 0 0 0 0]
[ 0 11 0 0 0 0 0 0 0 0]
[ 0 0 11 0 0 0 0 0 0 0]
[ 0 0 0 11 0 0 0 0 0 0]
[ 2 4 3 5 1 0 0 0 0 0]
[ 1 -5 -4 2 0 1 0 0 0 0]
[-4 3 -1 1 0 0 1 0 0 0]
[-2 -3 -4 -1 0 0 0 1 0 0]
[-5 -5 3 3 0 0 0 0 1 0]
[-4 -3 2 -5 0 0 0 0 0 1]
* Random basis ::
sage: sage.crypto.gen_lattice(type='random', n=1, m=10, q=11^4, seed=42)
[14641 0 0 0 0 0 0 0 0 0]
[ 431 1 0 0 0 0 0 0 0 0]
[-4792 0 1 0 0 0 0 0 0 0]
[ 1015 0 0 1 0 0 0 0 0 0]
[-3086 0 0 0 1 0 0 0 0 0]
[-5378 0 0 0 0 1 0 0 0 0]
[ 4769 0 0 0 0 0 1 0 0 0]
[-1159 0 0 0 0 0 0 1 0 0]
[ 3082 0 0 0 0 0 0 0 1 0]
[-4580 0 0 0 0 0 0 0 0 1]
* Ideal bases with quotient x^n-1, m=2*n are NTRU bases ::
sage: sage.crypto.gen_lattice(type='ideal', seed=42, quotient=x^4-1)
[11 0 0 0 0 0 0 0]
[ 0 11 0 0 0 0 0 0]
[ 0 0 11 0 0 0 0 0]
[ 0 0 0 11 0 0 0 0]
[ 4 -2 -3 -3 1 0 0 0]
[-3 4 -2 -3 0 1 0 0]
[-3 -3 4 -2 0 0 1 0]
[-2 -3 -3 4 0 0 0 1]
* Cyclotomic bases with n=2^k are SWIFFT bases ::
sage: sage.crypto.gen_lattice(type='cyclotomic', seed=42)
[11 0 0 0 0 0 0 0]
[ 0 11 0 0 0 0 0 0]
[ 0 0 11 0 0 0 0 0]
[ 0 0 0 11 0 0 0 0]
[ 4 -2 -3 -3 1 0 0 0]
[ 3 4 -2 -3 0 1 0 0]
[ 3 3 4 -2 0 0 1 0]
[ 2 3 3 4 0 0 0 1]
* Dual modular bases are related to Regev's famous public-key
encryption [R05]_ ::
sage: sage.crypto.gen_lattice(type='modular', m=10, seed=42, dual=True)
[ 0 0 0 0 0 0 0 0 0 11]
[ 0 0 0 0 0 0 0 0 11 0]
[ 0 0 0 0 0 0 0 11 0 0]
[ 0 0 0 0 0 0 11 0 0 0]
[ 0 0 0 0 0 11 0 0 0 0]
[ 0 0 0 0 11 0 0 0 0 0]
[ 0 0 0 1 -5 -2 -1 1 -3 5]
[ 0 0 1 0 -3 4 1 4 -3 -2]
[ 0 1 0 0 -4 5 -3 3 5 3]
[ 1 0 0 0 -2 -1 4 2 5 4]
* Relation of primal and dual bases ::
sage: B_primal=sage.crypto.gen_lattice(m=10, q=11, seed=42)
sage: B_dual=sage.crypto.gen_lattice(m=10, q=11, seed=42, dual=True)
sage: B_dual_alt=transpose(11*B_primal.inverse()).change_ring(ZZ)
sage: B_dual_alt.hermite_form() == B_dual.hermite_form()
True
REFERENCES:
.. [A96] Miklos Ajtai.
Generating hard instances of lattice problems (extended abstract).
STOC, pp. 99--108, ACM, 1996.
.. [GM02] Daniel Goldstein and Andrew Mayer.
On the equidistribution of Hecke points.
Forum Mathematicum, 15:2, pp. 165--189, De Gruyter, 2003.
.. [LM06] Vadim Lyubashevsky and Daniele Micciancio.
Generalized compact knapsacks are collision resistant.
ICALP, pp. 144--155, Springer, 2006.
.. [R05] Oded Regev.
On lattices, learning with errors, random linear codes, and cryptography.
STOC, pp. 84--93, ACM, 2005.
"""
from sage.rings.finite_rings.integer_mod_ring \
import IntegerModRing
from sage.matrix.constructor import matrix, \
identity_matrix, block_matrix
from sage.matrix.matrix_space import MatrixSpace
from sage.rings.integer_ring import IntegerRing
if seed != None:
from sage.misc.randstate import set_random_seed
set_random_seed(seed)
if type == 'random':
if n != 1: raise ValueError('random bases require n = 1')
ZZ = IntegerRing()
ZZ_q = IntegerModRing(q)
A = identity_matrix(ZZ_q, n)
if type == 'random' or type == 'modular':
R = MatrixSpace(ZZ_q, m-n, n)
A = A.stack(R.random_element())
elif type == 'ideal':
if quotient == None: raise \
ValueError('ideal bases require a quotient polynomial')
x = quotient.default_variable()
if n != quotient.degree(x): raise \
ValueError('ideal bases require n = quotient.degree()')
R = ZZ_q[x].quotient(quotient, x)
for i in range(m//n):
A = A.stack(R.random_element().matrix())
elif type == 'cyclotomic':
from sage.rings.arith import euler_phi
from sage.misc.functional import cyclotomic_polynomial
# we assume that n+1 <= min( euler_phi^{-1}(n) ) <= 2*n
found = False
for k in range(2*n,n,-1):
if euler_phi(k) == n:
found = True
break
if not found: raise \
ValueError('cyclotomic bases require that n is an image of' + \
'Euler\'s totient function')
R = ZZ_q['x'].quotient(cyclotomic_polynomial(k, 'x'), 'x')
for i in range(m//n):
A = A.stack(R.random_element().matrix())
# switch from representatives 0,...,(q-1) to (1-q)/2,....,(q-1)/2
def minrep(a):
if abs(a-q) < abs(a): return a-q
else: return a
A_prime = A[n:m].lift().apply_map(minrep)
if not dual:
B = block_matrix([[ZZ(q), ZZ.zero()], [A_prime, ZZ.one()] ], \
subdivide=False)
else:
B = block_matrix([[ZZ.one(), -A_prime.transpose()], [ZZ.zero(), \
ZZ(q)]], subdivide=False)
for i in range(m//2): B.swap_rows(i,m-i-1)
if not ntl:
return B
else:
return B._ntl_()
def __init__(self, cyclotomic=None, alpha_beta=None, gamma_list=None):
r"""
Creation of hypergeometric motives.
INPUT:
three possibilities are offered, each describing a quotient
of products of cyclotomic polynomials.
- ``cyclotomic`` -- a pair of lists of nonnegative integers,
each integer `k` represents a cyclotomic polynomial `\Phi_k`
- ``alpha_beta`` -- a pair of lists of rationals,
each rational represents a root of unity
- ``gamma_list`` -- a pair of lists of nonnegative integers,
each integer `n` represents a polynomial `x^n - 1`
In the last case, it is also allowed to send just one list of signed
integers where signs indicate to which part the integer belongs to.
EXAMPLES::
sage: from sage.modular.hypergeometric_motive import HypergeometricData as Hyp
sage: Hyp(cyclotomic=([2],[1]))
Hypergeometric data for [1/2] and [0]
sage: Hyp(alpha_beta=([1/2],[0]))
Hypergeometric data for [1/2] and [0]
sage: Hyp(alpha_beta=([1/5,2/5,3/5,4/5],[0,0,0,0]))
Hypergeometric data for [1/5, 2/5, 3/5, 4/5] and [0, 0, 0, 0]
sage: Hyp(gamma_list=([5],[1,1,1,1,1]))
Hypergeometric data for [1/5, 2/5, 3/5, 4/5] and [0, 0, 0, 0]
sage: Hyp(gamma_list=([5,-1,-1,-1,-1,-1]))
Hypergeometric data for [1/5, 2/5, 3/5, 4/5] and [0, 0, 0, 0]
"""
if gamma_list is not None:
if isinstance(gamma_list[0], (list, tuple)):
pos, neg = gamma_list
gamma_list = pos + [-u for u in neg]
cyclotomic = gamma_list_to_cyclotomic(gamma_list)
if cyclotomic is not None:
cyclo_up, cyclo_down = cyclotomic
if any(x in cyclo_up for x in cyclo_down):
raise ValueError('overlapping parameters not allowed')
deg = sum(euler_phi(x) for x in cyclo_down)
up_deg = sum(euler_phi(x) for x in cyclo_up)
if up_deg != deg:
msg = 'not the same degree: {} != {}'.format(up_deg, deg)
raise ValueError(msg)
cyclo_up.sort()
cyclo_down.sort()
alpha = cyclotomic_to_alpha(cyclo_up)
beta = cyclotomic_to_alpha(cyclo_down)
elif alpha_beta is not None:
alpha, beta = alpha_beta
if len(alpha) != len(beta):
raise ValueError('alpha and beta not of the same length')
alpha = sorted(u - floor(u) for u in alpha)
beta = sorted(u - floor(u) for u in beta)
cyclo_up = alpha_to_cyclotomic(alpha)
cyclo_down = alpha_to_cyclotomic(beta)
deg = sum(euler_phi(x) for x in cyclo_down)
self._cyclo_up = tuple(cyclo_up)
self._cyclo_down = tuple(cyclo_down)
self._alpha = tuple(alpha)
self._beta = tuple(beta)
self._deg = deg
self._gamma_array = cyclotomic_to_gamma(cyclo_up, cyclo_down)
self._trace_coeffs = {}
up = QQ.prod(capital_M(d) for d in cyclo_up)
down = QQ.prod(capital_M(d) for d in cyclo_down)
self._M_value = up / down
if 0 in alpha:
self._swap = HypergeometricData(alpha_beta=(beta, alpha))
if self.weight() % 2:
self._sign_param = 1
else:
if (deg % 2) != (0 in alpha):
self._sign_param = prod(cyclotomic_polynomial(v).disc()
for v in cyclo_down)
else:
self._sign_param = prod(cyclotomic_polynomial(v).disc()
for v in cyclo_up)
def _exceptionals(E, L, patience=1000):
r"""
Determine which primes in L are exceptional for E, using Proposition 19
of Section 2.8 of Serre's ``Proprietes Galoisiennes des Points d'Ordre
Fini des Courbes Elliptiques'' [Serre72].
INPUT:
- ``E`` - EllipticCurve - over a number field.
- ``L`` - list - a list of prime numbers.
- ``patience`` - int (a bound on the number of traces of Frobenius to
use while trying to prove surjectivity).
OUTPUT: list - The list of all primes l in L for which the mod l image
might fail to be surjective.
EXAMPLES::
sage: K = NumberField(x**2 - 29, 'a'); a = K.gen()
sage: E = EllipticCurve([1, 0, ((5 + a)/2)**2, 0, 0])
sage: sage.schemes.elliptic_curves.gal_reps_number_field._exceptionals(E, [29, 31])
[29]
"""
E = _over_numberfield(E)
K = E.base_field()
output = []
L = list(set(L)) # Remove duplicates from L.
for l in L:
if l == 2: # c.f. Section 5.3(a) of [Serre72].
if (E.j_invariant() - 1728).is_square():
output.append(2)
elif not E.division_polynomial(2).is_irreducible():
output.append(2)
elif l == 3: # c.f. Section 5.3(b) of [Serre72].
if K(-3).is_square():
output.append(3)
elif not (K['x'].gen()**3 - E.j_invariant()).is_irreducible():
output.append(3)
elif not E.division_polynomial(3).is_irreducible():
output.append(3)
elif (K.discriminant() % l) == 0:
if not K['x'](cyclotomic_polynomial(l)).is_irreducible():
# I.E. if the action on lth roots of unity is not surjective
# (We want this since as a Galois module, \wedge^2 E[l]
# is isomorphic to the lth roots of unity.)
output.append(l)
for l in output:
L.remove(l)
if 2 in L:
L.remove(2)
if 3 in L:
L.remove(3)
# If the image is not surjective, then it is contained in one of the
# maximal subgroups. So, we start by creating a dictionary between primes
# l in L and possible maximal subgroups in which the mod l image could
# be contained. This information is stored as a triple whose elements
# are True/False according to whether the mod l image could be contained
# in:
# 0. A Borel or normalizer of split Cartan subgroup.
# 1. A nonsplit Cartan subgroup or its normalizer.
# 2. An exceptional subgroup of GL_2.
D = {}
for l in L:
D[l] = [True, True, True]
for P in K.primes_of_degree_one_iter():
try:
trace = E.change_ring(P.residue_field()).trace_of_frobenius()
except ArithmeticError: # Bad reduction at P.
continue
patience -= 1
determinant = P.norm()
discriminant = trace**2 - 4 * determinant
unexc = [] # Primes we discover are unexceptional go here.
for l in D.iterkeys():
tr = GF(l)(trace)
det = GF(l)(determinant)
disc = GF(l)(discriminant)
if tr == 0:
# I.E. if Frob_P could be contained in the normalizer of
# a Cartan subgroup, but not in the Cartan subgroup.
continue
if disc == 0:
# I.E. If the matrix might be non-diagonalizable over F_{p^2}.
continue
if legendre_symbol(disc, l) == 1:
# If the matrix is diagonalizable over F_p, it can't be
# contained in a non-split Cartan subgroup. Since we've
# gotten rid of the case where it is contained in the
# of a nonsplit Cartan subgroup but not the Cartan subgroup,
D[l][1] = False
else:
# If the matrix is not diagonalizable over F_p, it can't
# be contained Borel subgroup.
D[l][0] = False
if det != 0: # c.f. [Serre72], Section 2.8, Prop. 19
u = trace**2 / det
if u not in (1, 2, 4) and u**2 - 3 * u + 1 != 0:
D[l][2] = False
if D[l] == [False, False, False]:
unexc.append(l)
for l in unexc:
D.pop(l)
unexc = []
if (D == {}) or (patience == 0):
break
for l in D.iterkeys():
output.append(l)
output.sort()
return output
def molien_series(self,
chi=None,
return_series=True,
prec=20,
variable='t'):
r"""
Compute the Molien series of this finite group with respect to the
character ``chi``. It can be returned either as a rational function
in one variable or a power series in one variable. The base field
must be a finite field, the rationals, or a cyclotomic field.
Note that the base field characteristic cannot divide the group
order (i.e., the non-modular case).
ALGORITHM:
For a finite group `G` in characteristic zero we construct the Molien series as
.. MATH::
\frac{1}{|G|}\sum_{g \in G} \frac{\chi(g)}{\text{det}(I-tg)},
where `I` is the identity matrix and `t` an indeterminate.
For characteristic `p` not dividing the order of `G`, let `k` be the base field
and `N` the order of `G`. Define `\lambda` as a primitive `N`-th root of unity over `k`
and `\omega` as a primitive `N`-th root of unity over `\QQ`. For each `g \in G`
define `k_i(g)` to be the positive integer such that
`e_i = \lambda^{k_i(g)}` for each eigenvalue `e_i` of `g`. Then the Molien series
is computed as
.. MATH::
\frac{1}{|G|}\sum_{g \in G} \frac{\chi(g)}{\prod_{i=1}^n(1 - t\omega^{k_i(g)})},
where `t` is an indeterminant. [Dec1998]_
INPUT:
- ``chi`` -- (default: trivial character) a linear group character of this group
- ``return_series`` -- boolean (default: ``True``) if ``True``, then returns
the Molien series as a power series, ``False`` as a rational function
- ``prec`` -- integer (default: 20); power series default precision
- ``variable`` -- string (default: ``'t'``); Variable name for the Molien series
OUTPUT: single variable rational function or power series with integer coefficients
EXAMPLES::
sage: MatrixGroup(matrix(QQ,2,2,[1,1,0,1])).molien_series()
Traceback (most recent call last):
...
NotImplementedError: only implemented for finite groups
sage: MatrixGroup(matrix(GF(3),2,2,[1,1,0,1])).molien_series()
Traceback (most recent call last):
...
NotImplementedError: characteristic cannot divide group order
Tetrahedral Group::
sage: K.<i> = CyclotomicField(4)
sage: Tetra = MatrixGroup([(-1+i)/2,(-1+i)/2, (1+i)/2,(-1-i)/2], [0,i, -i,0])
sage: Tetra.molien_series(prec=30)
1 + t^8 + 2*t^12 + t^16 + 2*t^20 + 3*t^24 + 2*t^28 + O(t^30)
sage: mol = Tetra.molien_series(return_series=False); mol
(t^8 - t^4 + 1)/(t^16 - t^12 - t^4 + 1)
sage: mol.parent()
Fraction Field of Univariate Polynomial Ring in t over Integer Ring
sage: chi = Tetra.character(Tetra.character_table()[1])
sage: Tetra.molien_series(chi, prec=30, variable='u')
u^6 + u^14 + 2*u^18 + u^22 + 2*u^26 + 3*u^30 + 2*u^34 + O(u^36)
sage: chi = Tetra.character(Tetra.character_table()[2])
sage: Tetra.molien_series(chi)
t^10 + t^14 + t^18 + 2*t^22 + 2*t^26 + O(t^30)
::
sage: S3 = MatrixGroup(SymmetricGroup(3))
sage: mol = S3.molien_series(prec=10); mol
1 + t + 2*t^2 + 3*t^3 + 4*t^4 + 5*t^5 + 7*t^6 + 8*t^7 + 10*t^8 + 12*t^9 + O(t^10)
sage: mol.parent()
Power Series Ring in t over Integer Ring
Octahedral Group::
sage: K.<v> = CyclotomicField(8)
sage: a = v-v^3 #sqrt(2)
sage: i = v^2
sage: Octa = MatrixGroup([(-1+i)/2,(-1+i)/2, (1+i)/2,(-1-i)/2], [(1+i)/a,0, 0,(1-i)/a])
sage: Octa.molien_series(prec=30)
1 + t^8 + t^12 + t^16 + t^18 + t^20 + 2*t^24 + t^26 + t^28 + O(t^30)
Icosahedral Group::
sage: K.<v> = CyclotomicField(10)
sage: z5 = v^2
sage: i = z5^5
sage: a = 2*z5^3 + 2*z5^2 + 1 #sqrt(5)
sage: Ico = MatrixGroup([[z5^3,0, 0,z5^2], [0,1, -1,0], [(z5^4-z5)/a, (z5^2-z5^3)/a, (z5^2-z5^3)/a, -(z5^4-z5)/a]])
sage: Ico.molien_series(prec=40)
1 + t^12 + t^20 + t^24 + t^30 + t^32 + t^36 + O(t^40)
::
sage: G = MatrixGroup(CyclicPermutationGroup(3))
sage: chi = G.character(G.character_table()[1])
sage: G.molien_series(chi, prec=10)
t + 2*t^2 + 3*t^3 + 5*t^4 + 7*t^5 + 9*t^6 + 12*t^7 + 15*t^8 + 18*t^9 + 22*t^10 + O(t^11)
::
sage: K = GF(5)
sage: S = MatrixGroup(SymmetricGroup(4))
sage: G = MatrixGroup([matrix(K,4,4,[K(y) for u in m.list() for y in u])for m in S.gens()])
sage: G.molien_series(return_series=False)
1/(t^10 - t^9 - t^8 + 2*t^5 - t^2 - t + 1)
::
sage: i = GF(7)(3)
sage: G = MatrixGroup([[i^3,0,0,-i^3],[i^2,0,0,-i^2]])
sage: chi = G.character(G.character_table()[4])
sage: G.molien_series(chi)
3*t^5 + 6*t^11 + 9*t^17 + 12*t^23 + O(t^25)
"""
if not self.is_finite():
raise NotImplementedError("only implemented for finite groups")
if chi is None:
chi = self.trivial_character()
M = self.matrix_space()
R = FractionField(self.base_ring())
N = self.order()
if R.characteristic() == 0:
P = PolynomialRing(R, variable)
t = P.gen()
#it is possible the character is over a larger cyclotomic field
K = chi.values()[0].parent()
if K.degree() != 1:
if R.degree() != 1:
L = K.composite_fields(R)[0]
else:
L = K
else:
L = R
mol = P(0)
for g in self:
mol += L(chi(g)) / (M.identity_matrix() -
t * g.matrix()).det().change_ring(L)
elif R.characteristic().divides(N):
raise NotImplementedError(
"characteristic cannot divide group order")
else: #char p>0
#find primitive Nth roots of unity over base ring and QQ
F = cyclotomic_polynomial(N).change_ring(R)
w = F.roots(ring=R.algebraic_closure(), multiplicities=False)[0]
#don't need to extend further in this case since the order of
#the roots of unity in the character divide the order of the group
L = CyclotomicField(N, 'v')
v = L.gen()
#construct Molien series
P = PolynomialRing(L, variable)
t = P.gen()
mol = P(0)
for g in self:
#construct Phi
phi = L(chi(g))
for e in g.matrix().eigenvalues():
#find power such that w**n = e
n = 1
while w**n != e and n < N + 1:
n += 1
#raise v to that power
phi *= (1 - t * v**n)
mol += P(1) / phi
#We know the coefficients will be integers
mol = mol.numerator().change_ring(ZZ) / mol.denominator().change_ring(
ZZ)
#divide by group order
mol /= N
if return_series:
PS = PowerSeriesRing(ZZ, variable, default_prec=prec)
return PS(mol)
return mol
def _exceptionals(E, L, patience=1000):
r"""
Determine which primes in L are exceptional for E, using Proposition 19
of Section 2.8 of Serre's ``Proprietes Galoisiennes des Points d'Ordre
Fini des Courbes Elliptiques'' [Serre72].
INPUT:
- ``E`` - EllipticCurve - over a number field.
- ``L`` - list - a list of prime numbers.
- ``patience`` - int (a bound on the number of traces of Frobenius to
use while trying to prove surjectivity).
OUTPUT: list - The list of all primes l in L for which the mod l image
might fail to be surjective.
EXAMPLES::
sage: K = NumberField(x**2 - 29, 'a'); a = K.gen()
sage: E = EllipticCurve([1, 0, ((5 + a)/2)**2, 0, 0])
sage: sage.schemes.elliptic_curves.gal_reps_number_field._exceptionals(E, [29, 31])
[29]
"""
E = _over_numberfield(E)
K = E.base_field()
output = []
L = list(set(L)) # Remove duplicates from L.
for l in L:
if l == 2: # c.f. Section 5.3(a) of [Serre72].
if (E.j_invariant() - 1728).is_square():
output.append(2)
elif not E.division_polynomial(2).is_irreducible():
output.append(2)
elif l == 3: # c.f. Section 5.3(b) of [Serre72].
if K(-3).is_square():
output.append(3)
elif not (K['x'].gen()**3 - E.j_invariant()).is_irreducible():
output.append(3)
elif not E.division_polynomial(3).is_irreducible():
output.append(3)
elif (K.discriminant() % l) == 0:
if not K['x'](cyclotomic_polynomial(l)).is_irreducible():
# I.E. if the action on lth roots of unity is not surjective
# (We want this since as a Galois module, \wedge^2 E[l]
# is isomorphic to the lth roots of unity.)
output.append(l)
for l in output:
L.remove(l)
if 2 in L:
L.remove(2)
if 3 in L:
L.remove(3)
# If the image is not surjective, then it is contained in one of the
# maximal subgroups. So, we start by creating a dictionary between primes
# l in L and possible maximal subgroups in which the mod l image could
# be contained. This information is stored as a triple whose elements
# are True/False according to whether the mod l image could be contained
# in:
# 0. A Borel or normalizer of split Cartan subgroup.
# 1. A nonsplit Cartan subgroup or its normalizer.
# 2. An exceptional subgroup of GL_2.
D = {}
for l in L:
D[l] = [True, True, True]
for P in K.primes_of_degree_one_iter():
try:
trace = E.change_ring(P.residue_field()).trace_of_frobenius()
except ArithmeticError: # Bad reduction at P.
continue
patience -= 1
determinant = P.norm()
discriminant = trace**2 - 4 * determinant
unexc = [] # Primes we discover are unexceptional go here.
for l in D.iterkeys():
tr = GF(l)(trace)
det = GF(l)(determinant)
disc = GF(l)(discriminant)
if tr == 0:
# I.E. if Frob_P could be contained in the normalizer of
# a Cartan subgroup, but not in the Cartan subgroup.
continue
if disc == 0:
# I.E. If the matrix might be non-diagonalizable over F_{p^2}.
continue
if legendre_symbol(disc, l) == 1:
# If the matrix is diagonalizable over F_p, it can't be
# contained in a non-split Cartan subgroup. Since we've
# gotten rid of the case where it is contained in the
# of a nonsplit Cartan subgroup but not the Cartan subgroup,
D[l][1] = False
else:
# If the matrix is not diagonalizable over F_p, it can't
# be contained Borel subgroup.
D[l][0] = False
if det != 0: # c.f. [Serre72], Section 2.8, Prop. 19
u = trace**2 / det
if u not in (1, 2, 4) and u**2 - 3 * u + 1 != 0:
D[l][2] = False
if D[l] == [False, False, False]:
unexc.append(l)
for l in unexc:
D.pop(l)
unexc = []
if (D == {}) or (patience == 0):
break
for l in D.iterkeys():
output.append(l)
output.sort()
return output
from sage.arith.all import euler_phi
from sage.misc.functional import cyclotomic_polynomial
# we assume that n+1 <= min( euler_phi^{-1}(n) ) <= 2*n
found = False
for k in range(2*n,n,-1):
if euler_phi(k) == n:
found = True
break
if not found:
raise ValueError("cyclotomic bases require that n "
"is an image of Euler's totient function")
R = ZZ_q['x'].quotient(cyclotomic_polynomial(2*n, 'x'), 'x')
g=x**(n/2)+1
T=ZZ_q['x'].quotient(x**(n/2)+1)
a_pol=R.random_element()
s_pol=sample_noise(R)
e_pol=sample_noise(R)
s_pol2=T((s_pol))
e_pol2=T((e_pol))
print("s={0},e={1}".format(T(s_pol),T(e_pol)))
Z_mat=e_pol2.matrix().augment(s_pol2.matrix())
def __init__(self, cyclotomic=None, alpha_beta=None, gamma_list=None):
r"""
Creation of hypergeometric motives.
INPUT:
three possibilities are offered, each describing a quotient
of products of cyclotomic polynomials.
- ``cyclotomic`` -- a pair of lists of nonnegative integers,
each integer `k` represents a cyclotomic polynomial `\Phi_k`
- ``alpha_beta`` -- a pair of lists of rationals,
each rational represents a root of unity
- ``gamma_list`` -- a pair of lists of nonnegative integers,
each integer `n` represents a polynomial `x^n - 1`
In the last case, it is also allowed to send just one list of signed
integers where signs indicate to which part the integer belongs to.
EXAMPLES::
sage: from sage.modular.hypergeometric_motive import HypergeometricData as Hyp
sage: Hyp(cyclotomic=([2],[1]))
Hypergeometric data for [1/2] and [0]
sage: Hyp(alpha_beta=([1/2],[0]))
Hypergeometric data for [1/2] and [0]
sage: Hyp(alpha_beta=([1/5,2/5,3/5,4/5],[0,0,0,0]))
Hypergeometric data for [1/5, 2/5, 3/5, 4/5] and [0, 0, 0, 0]
sage: Hyp(gamma_list=([5],[1,1,1,1,1]))
Hypergeometric data for [1/5, 2/5, 3/5, 4/5] and [0, 0, 0, 0]
sage: Hyp(gamma_list=([5,-1,-1,-1,-1,-1]))
Hypergeometric data for [1/5, 2/5, 3/5, 4/5] and [0, 0, 0, 0]
"""
if gamma_list is not None:
if isinstance(gamma_list[0], (list, tuple)):
pos, neg = gamma_list
gamma_list = pos + [-u for u in neg]
cyclotomic = gamma_list_to_cyclotomic(gamma_list)
if cyclotomic is not None:
cyclo_up, cyclo_down = cyclotomic
if any(x in cyclo_up for x in cyclo_down):
raise ValueError('overlapping parameters not allowed')
deg = sum(euler_phi(x) for x in cyclo_down)
up_deg = sum(euler_phi(x) for x in cyclo_up)
if up_deg != deg:
msg = 'not the same degree: {} != {}'.format(up_deg, deg)
raise ValueError(msg)
cyclo_up.sort()
cyclo_down.sort()
alpha = cyclotomic_to_alpha(cyclo_up)
beta = cyclotomic_to_alpha(cyclo_down)
elif alpha_beta is not None:
alpha, beta = alpha_beta
if len(alpha) != len(beta):
raise ValueError('alpha and beta not of the same length')
alpha = sorted(u - floor(u) for u in alpha)
beta = sorted(u - floor(u) for u in beta)
cyclo_up = alpha_to_cyclotomic(alpha)
cyclo_down = alpha_to_cyclotomic(beta)
deg = sum(euler_phi(x) for x in cyclo_down)
self._cyclo_up = cyclo_up
self._cyclo_down = cyclo_down
self._alpha = alpha
self._beta = beta
self._deg = deg
if self.weight() % 2:
self._sign_param = 1
else:
if deg % 2:
self._sign_param = prod(cyclotomic_polynomial(v).disc()
for v in cyclo_down)
else:
self._sign_param = prod(cyclotomic_polynomial(v).disc()
for v in cyclo_up)
def my_gen_lattice2(n=4, q=11, seed=None,
quotient=None, dual=False, ntl=False, lattice=False, GuessStuff=True):
"""
This is a modification of the code for the gen_lattice function from Sage
Randomness can be set either with ``seed``, or by using
:func:`sage.misc.randstate.set_random_seed`.
INPUT:
- ``type`` -- one of the following strings
- ``'cyclotomic'`` -- Special case of ideal. Allows for
efficient processing proposed by [LM2006]_.
- ``n`` -- Determinant size, primal:`det(L) = q^n`, dual:`det(L) = q^{m-n}`.
For ideal lattices this is also the degree of the quotient polynomial.
- ``m`` -- Lattice dimension, `L \subseteq Z^m`.
- ``q`` -- Coefficient size, `q-Z^m \subseteq L`.
- ``t`` -- BKZ Block Size
- ``seed`` -- Randomness seed.
- ``quotient`` -- For the type ideal, this determines the quotient
polynomial. Ignored for all other types.
- ``dual`` -- Set this flag if you want a basis for `q-dual(L)`, for example
for Regev's LWE bases [Reg2005]_.
- ``ntl`` -- Set this flag if you want the lattice basis in NTL readable
format.
- ``lattice`` -- Set this flag if you want a
:class:`FreeModule_submodule_with_basis_integer` object instead
of an integer matrix representing the basis.
OUTPUT: ``B`` a unique size-reduced triangular (primal: lower_left,
dual: lower_right) basis of row vectors for the lattice in question.
EXAMPLES:
Cyclotomic bases with n=2^k are SWIFFT bases::
sage: sage.crypto.gen_lattice(type='cyclotomic', seed=42)
[11 0 0 0 0 0 0 0]
[ 0 11 0 0 0 0 0 0]
[ 0 0 11 0 0 0 0 0]
[ 0 0 0 11 0 0 0 0]
[ 4 -2 -3 -3 1 0 0 0]
[ 3 4 -2 -3 0 1 0 0]
[ 3 3 4 -2 0 0 1 0]
[ 2 3 3 4 0 0 0 1]
Dual modular bases are related to Regev's famous public-key
encryption [Reg2005]_::
sage: sage.crypto.gen_lattice(type='modular', m=10, seed=42, dual=True)
[ 0 0 0 0 0 0 0 0 0 11]
[ 0 0 0 0 0 0 0 0 11 0]
[ 0 0 0 0 0 0 0 11 0 0]
[ 0 0 0 0 0 0 11 0 0 0]
[ 0 0 0 0 0 11 0 0 0 0]
[ 0 0 0 0 11 0 0 0 0 0]
[ 0 0 0 1 -5 -2 -1 1 -3 5]
[ 0 0 1 0 -3 4 1 4 -3 -2]
[ 0 1 0 0 -4 5 -3 3 5 3]
[ 1 0 0 0 -2 -1 4 2 5 4]
"""
from sage.rings.finite_rings.integer_mod_ring import IntegerModRing
from sage.matrix.constructor import identity_matrix, block_matrix
from sage.matrix.matrix_space import MatrixSpace
from sage.rings.integer_ring import IntegerRing
from sage.modules.free_module_integer import IntegerLattice
if seed is not None:
from sage.misc.randstate import set_random_seed
set_random_seed(seed)
m=n+1
ZZ = IntegerRing()
ZZ_q = IntegerModRing(q)
from sage.arith.all import euler_phi
from sage.misc.functional import cyclotomic_polynomial
# we assume that n+1 <= min( euler_phi^{-1}(n) ) <= 2*n
found = False
for k in range(2*n,n,-1):
if euler_phi(k) == n:
found = True
break
if not found:
raise ValueError("cyclotomic bases require that n "
"is an image of Euler's totient function")
R = ZZ_q['x'].quotient(cyclotomic_polynomial(2*n, 'x'), 'x')
g=x**(n/2)+1
T=ZZ_q['x'].quotient(x**(n/2)+1)
a_pol=R.random_element()
s_pol=sample_noise(R)
e_pol=sample_noise(R)
s_pol2=T((s_pol))
e_pol2=T((e_pol))
print("s={0},e={1}".format(T(s_pol),T(e_pol)))
Z_mat=e_pol2.matrix().augment(s_pol2.matrix())
Z_mattop=Z_mat[0:1].augment(matrix(1,1,[ZZ.one()*-1]))
b_pol=(a_pol*s_pol+e_pol)
print("s_pol={0}\ne_pol={1}".format((s_pol2).list(),(e_pol2).list()))
# Does a linear mapping change the shortest vector size for the rest?/
a_pol=a_pol#*x_pol
b_pol=b_pol#*x_pol
a_pol2 = T(a_pol.list())# % S(g.list())
b_pol2 = T((b_pol).list())# % S(g.list())
# print("a={0}\nb={1}".format(a_pol2,b_pol2))
A=identity_matrix(ZZ_q,n/2)
A=A.stack(a_pol2.matrix())
b_prime=b_pol2.matrix()[0:1]
b_prime=b_prime - 11*A[8:9]
A=A.stack(b_pol2.matrix()[0:1])
# print("X=\n{0}".format(X))
# A = A.stack(identity_matrix(ZZ_q, n/2))
print("A=\n{0}\n".format(A))
# switch from representatives 0,...,(q-1) to (1-q)/2,....,(q-1)/2
def minrepnegative(a):
if abs(a-q) < abs(a): return (a-q)*-1
else: return a*-1
def minrep(a):
if abs(a-q) < abs(a): return (a-q)
else: return a
A_prime = A[(n/2):(n+1)].lift().apply_map(minrep)
# b_neg= A[(n):(n+1)].lift().apply_map(minrepnegative)
Z_fixed=Z_mattop.lift().apply_map(minrep)
print("Z_fixed={0}\n||Z_fixed||={1}".format(Z_fixed,float(Z_fixed[0].norm())))
print('Z_fixed*A={0}\n\n'.format(Z_fixed*A))
print("z_fixed[0].norm()={0}".format(float(Z_fixed[0].norm())))
# B=block_matrix([[ZZ(q),ZZ.zero()],[A_neg,ZZ.one()]], subdivide=False)
# B = block_matrix([[ZZ.one(), -A_prime.transpose()],
# [ZZ.zero(), ZZ(q)]], subdivide=False)
B = block_matrix([[ZZ(q), ZZ.zero()], [-A_prime, ZZ.one()]], subdivide=False)
# for i in range(m//2):
# B.swap_rows(i,m-i-1)
# print("{0}\n".format(A_neg))
# B=block_matrix([[ZZ(q), ZZ.zero(),ZZ.zero()],[ZZ.one(),A_neg,ZZ.zero() ],[ZZ.zero(),b_neg,ZZ.one()]],
# subdivide=False)
#print("B=\n{0}".format(B))
print("B*A=\n{0}\n\n".format(B*A))
#print("A=\n{0}\n".format(A))
def remap(x):
return minrep((x*251)%251)
BL=B.BKZ(block_size=n/2.)
y=(BL.solve_left(Z_fixed))#.apply_map(remap))
# print("y*B={0}".format(y*B))
print("y:=B.solve_left(Z_fixed)={0}".format(y))
# BL=B.BKZ(block_size=n/2.)
print(BL[0])
print("shortest norm={0}".format(float(BL[0].norm())))
# L = IntegerLattice(B)
# p
# v=L.shortest_vector()
# print("L.shortest_vector={0}, norm={1}".format(v,float(v.norm())))
if ntl and lattice:
raise ValueError("Cannot specify ntl=True and lattice=True ")
if ntl:
return B._ntl_()
elif lattice:
from sage.modules.free_module_integer import IntegerLattice
return IntegerLattice(B)
else:
return B