class LWE(SageObject):
"""
Learning with Errors (LWE) oracle.
.. automethod:: __init__
.. automethod:: __call__
"""
def __init__(self, n, q, D, secret_dist='uniform', m=None):
"""
Construct an LWE oracle in dimension ``n`` over a ring of order
``q`` with noise distribution ``D``.
INPUT:
- ``n`` - dimension (integer > 0)
- ``q`` - modulus typically > n (integer > 0)
- ``D`` - an error distribution such as an instance of
:class:`DiscreteGaussianSamplerRejection` or :class:`UniformSampler`
- ``secret_dist`` - distribution of the secret (default: 'uniform'); one of
- "uniform" - secret follows the uniform distribution in `\Zmod{q}`
- "noise" - secret follows the noise distribution
- ``(lb,ub)`` - the secret is chosen uniformly from ``[lb,...,ub]`` including both endpoints
- ``m`` - number of allowed samples or ``None`` if no such limit exists
(default: ``None``)
EXAMPLE:
First, we construct a noise distribution with standard deviation 3.0::
sage: from sage.crypto.lwe import DiscreteGaussianSampler
sage: D = DiscreteGaussianSampler(3.0)
Next, we construct our oracle::
sage: from sage.crypto.lwe import LWE
sage: lwe = LWE(n=20, q=next_prime(400), D=D); lwe
LWE(20, 401, DiscreteGaussianSamplerRejection(3.000000, 53, 4), 'uniform', None)
and sample 1000 samples::
sage: L = [lwe() for _ in range(1000)]
To test the oracle, we use the internal secret to evaluate the samples
in the secret::
sage: S = [ZZ(a.dot_product(lwe._LWE__s) - c) for (a,c) in L]
However, while Sage represents finite field elements between 0 and q-1
we rely on a balanced representation of those elements here. Hence, we
fix the representation and recover the correct standard deviation of the
noise::
sage: sqrt(variance([e if e <= 200 else e-401 for e in S]).n())
3.0...
If ``m`` is not ``None`` the number of available samples is restricted::
sage: from sage.crypto.lwe import LWE
sage: lwe = LWE(n=20, q=next_prime(400), D=D, m=30)
sage: _ = [lwe() for _ in range(30)]
sage: lwe() # 31
Traceback (most recent call last):
...
IndexError: Number of available samples exhausted.
"""
self.n = ZZ(n)
self.m = m
self.__i = 0
self.K = IntegerModRing(q)
self.FM = FreeModule(self.K, n)
self.D = D
self.secret_dist = secret_dist
if secret_dist == 'uniform':
self.__s = random_vector(self.K, self.n)
elif secret_dist == 'noise':
self.__s = vector(self.K, self.n, [self.D() for _ in range(n)])
else:
try:
lb, ub = map(ZZ, secret_dist)
self.__s = vector(self.K, self.n,
[randint(lb, ub) for _ in range(n)])
except (IndexError, TypeError):
raise TypeError("Parameter secret_dist=%s not understood." %
(secret_dist))
def _repr_(self):
"""
EXAMPLE::
sage: from sage.crypto.lwe import DiscreteGaussianSampler, LWE
sage: D = DiscreteGaussianSampler(3.0)
sage: lwe = LWE(n=20, q=next_prime(400), D=D); lwe
LWE(20, 401, DiscreteGaussianSamplerRejection(3.000000, 53, 4), 'uniform', None)
sage: lwe = LWE(n=20, q=next_prime(400), D=D, secret_dist=(-3, 3)); lwe
LWE(20, 401, DiscreteGaussianSamplerRejection(3.000000, 53, 4), (-3, 3), None)
"""
if type(self.secret_dist) == str:
return "LWE(%d, %d, %s, '%s', %s)" % (
self.n, self.K.order(), self.D, self.secret_dist, self.m)
else:
return "LWE(%d, %d, %s, %s, %s)" % (self.n, self.K.order(), self.D,
self.secret_dist, self.m)
def __call__(self):
"""
EXAMPLE::
sage: from sage.crypto.lwe import DiscreteGaussianSampler, LWE
sage: LWE(10, 401, DiscreteGaussianSampler(3))()
((309, 347, 198, 194, 336, 360, 264, 123, 368, 398), 198)
"""
if self.m is not None:
if self.__i >= self.m:
raise IndexError("Number of available samples exhausted.")
self.__i += 1
a = self.FM.random_element()
return a, a.dot_product(self.__s) + self.K(self.D())
class LWE(SageObject):
"""
Learning with Errors (LWE) oracle.
.. automethod:: __init__
.. automethod:: __call__
"""
def __init__(self, n, q, D, secret_dist='uniform', m=None):
r"""
Construct an LWE oracle in dimension ``n`` over a ring of order
``q`` with noise distribution ``D``.
INPUT:
- ``n`` - dimension (integer > 0)
- ``q`` - modulus typically > n (integer > 0)
- ``D`` - an error distribution such as an instance of
:class:`DiscreteGaussianDistributionIntegerSampler` or :class:`UniformSampler`
- ``secret_dist`` - distribution of the secret (default: 'uniform'); one of
- "uniform" - secret follows the uniform distribution in `\Zmod{q}`
- "noise" - secret follows the noise distribution
- ``(lb,ub)`` - the secret is chosen uniformly from ``[lb,...,ub]`` including both endpoints
- ``m`` - number of allowed samples or ``None`` if no such limit exists
(default: ``None``)
EXAMPLES:
First, we construct a noise distribution with standard deviation 3.0::
sage: from sage.stats.distributions.discrete_gaussian_integer import DiscreteGaussianDistributionIntegerSampler
sage: D = DiscreteGaussianDistributionIntegerSampler(3.0)
Next, we construct our oracle::
sage: from sage.crypto.lwe import LWE
sage: lwe = LWE(n=20, q=next_prime(400), D=D); lwe
LWE(20, 401, Discrete Gaussian sampler over the Integers with sigma = 3.000000 and c = 0, 'uniform', None)
and sample 1000 samples::
sage: L = [lwe() for _ in range(1000)]
To test the oracle, we use the internal secret to evaluate the samples
in the secret::
sage: S = [ZZ(a.dot_product(lwe._LWE__s) - c) for (a,c) in L]
However, while Sage represents finite field elements between 0 and q-1
we rely on a balanced representation of those elements here. Hence, we
fix the representation and recover the correct standard deviation of the
noise::
sage: sqrt(variance([e if e <= 200 else e-401 for e in S]).n())
3.0...
If ``m`` is not ``None`` the number of available samples is restricted::
sage: from sage.crypto.lwe import LWE
sage: lwe = LWE(n=20, q=next_prime(400), D=D, m=30)
sage: _ = [lwe() for _ in range(30)]
sage: lwe() # 31
Traceback (most recent call last):
...
IndexError: Number of available samples exhausted.
"""
self.n = ZZ(n)
self.m = m
self.__i = 0
self.K = IntegerModRing(q)
self.FM = FreeModule(self.K, n)
self.D = D
self.secret_dist = secret_dist
if secret_dist == 'uniform':
self.__s = random_vector(self.K, self.n)
elif secret_dist == 'noise':
self.__s = vector(self.K, self.n, [self.D() for _ in range(n)])
else:
try:
lb, ub = map(ZZ, secret_dist)
self.__s = vector(self.K, self.n, [randint(lb,ub) for _ in range(n)])
except (IndexError, TypeError):
raise TypeError("Parameter secret_dist=%s not understood."%(secret_dist))
def _repr_(self):
"""
EXAMPLES::
sage: from sage.stats.distributions.discrete_gaussian_integer import DiscreteGaussianDistributionIntegerSampler
sage: from sage.crypto.lwe import LWE
sage: D = DiscreteGaussianDistributionIntegerSampler(3.0)
sage: lwe = LWE(n=20, q=next_prime(400), D=D); lwe
LWE(20, 401, Discrete Gaussian sampler over the Integers with sigma = 3.000000 and c = 0, 'uniform', None)
sage: lwe = LWE(n=20, q=next_prime(400), D=D, secret_dist=(-3, 3)); lwe
LWE(20, 401, Discrete Gaussian sampler over the Integers with sigma = 3.000000 and c = 0, (-3, 3), None)
"""
if isinstance(self.secret_dist, str):
return "LWE(%d, %d, %s, '%s', %s)"%(self.n,self.K.order(),self.D,self.secret_dist, self.m)
else:
return "LWE(%d, %d, %s, %s, %s)"%(self.n,self.K.order(),self.D,self.secret_dist, self.m)
def __call__(self):
"""
EXAMPLES::
sage: from sage.crypto.lwe import DiscreteGaussianDistributionIntegerSampler, LWE
sage: LWE(10, 401, DiscreteGaussianDistributionIntegerSampler(3))()
((309, 347, 198, 194, 336, 360, 264, 123, 368, 398), 198)
"""
if self.m is not None:
if self.__i >= self.m:
raise IndexError("Number of available samples exhausted.")
self.__i+=1
a = self.FM.random_element()
return a, a.dot_product(self.__s) + self.K(self.D())
def clean(pts, k):
r"""
Return a list of points with the same convex hull as in ``pts`` but with
potentially less points.
INPUT:
- ``pts`` -- list or tuple of points
- ``k`` -- number of nonredundant point set in the cleaning
(in the case of matrices, a wise choice is nvars - dim + 1)
"""
dim = len(pts[0])
if len(pts) < 2*k:
return pts
F = FreeModule(RDF, dim)
pts = [(p,F(p)) for p in pts]
go = 1
approx_ch = set()
while go < 3:
print "new loop, {} points".format(len(pts))
T = set()
n = 0
for _ in range(k*k):
z = F.random_element()
m_min = m_max = z.dot_product(pts[0][0])
p_min = p_max = pts[0][0]
for p,pa in pts[1:]:
m = z.dot_product(pa)
if m > m_max:
p_max = p
m_max = m
elif m < m_min:
p_min = p
m_min = m
T.add(p_min)
T.add(p_max)
n += 1
approx_ch.update(T)
if len(approx_ch) > 2*k:
T = sample(list(approx_ch), k)
else:
while len(T) < k:
T.update(x[0] for x in sample(pts,k-len(T)))
gs = Generator_System()
for p in T:
gs.insert(point(Linear_Expression(p,0)))
poly_T = C_Polyhedron(gs)
new_pts = []
for p,pa in pts:
if p in T:
new_pts.append((p,pa))
continue
gs = Generator_System()
gs.insert(point(Linear_Expression(p,0)))
poly_p = C_Polyhedron(gs)
if poly_T.contains(poly_p):
go = 0
else:
new_pts.append((p,pa))
go += 1
pts = new_pts
print "approx ch with {} points".format(len(approx_ch))
return [x[0] for x in pts]
