# 01 - About Blind Rotation
---

In [1]:
import numpy as np
import random as rand

np.set_printoptions(linewidth=np.inf) # print np array in only one line

dimension = 4

In [2]:
def getDiv(n : int) -> np.array :
    divisor = np.zeros(n+1)
    divisor[n] = 1
    divisor[0] = 1
    return divisor

def getPosDiv(n:int) -> np.array:
    divisor = np.zeros(n+1)
    divisor[n] = 1
    divisor[0] = -1
    return divisor

Let we use ring $\Z_q[x]/(x^n+1)$. That is, we use negacyclic convolution.

Function $\textsf{positive\_ring\_mult}$ for cyclic convolution that used in ring $\Z_q[x]/(x^n-1)$.

In [3]:
# negacyclic convolution define in $\Z_q[x]/(x^n+1)$
def negative_ring_mult(poly1 : np.array, poly2 : np.array) -> np.array:
    prod = np.polymul(poly1[::-1], poly2[::-1])
    q, r = np.polydiv(prod, getDiv(dimension))
    return r[::-1]

# cyclic convolution define in $\Z_q[x]/(x^n-1)$
def positive_ring_mult(poly1 : np.array, poly2 : np.array) -> np.array:
    prod = np.polymul(poly1[::-1], poly2[::-1])
    q, r = np.polydiv(prod, getPosDiv(dimension))
    return r[::-1]

def negative_ring_mult_q(poly1 : np.array, poly2 : np.array, q) -> np.array:
    prod = np.polymul(poly1[::-1], poly2[::-1])
    _, r = np.polydiv(prod, getDiv(dimension))
    r = r % q
    return r[::-1]

def positive_ring_mult_q(poly1 : np.array, poly2 : np.array, q) -> np.array:
    prod = np.polymul(poly1[::-1], poly2[::-1])
    _, r = np.polydiv(prod, getPosDiv(dimension))
    r = r % q
    return r[::-1]


---

In [None]:
dimension = 16
poly = np.array([i for i in range(16)])
monomial = [0,1]

for i in range(32):
    poly = negative_ring_mult(poly, monomial)
    print(poly)

[-15.   0.   1.   2.   3.   4.   5.   6.   7.   8.   9.  10.  11.  12.  13.  14.]
[-14. -15.   0.   1.   2.   3.   4.   5.   6.   7.   8.   9.  10.  11.  12.  13.]
[-13. -14. -15.   0.   1.   2.   3.   4.   5.   6.   7.   8.   9.  10.  11.  12.]
[-12. -13. -14. -15.   0.   1.   2.   3.   4.   5.   6.   7.   8.   9.  10.  11.]
[-11. -12. -13. -14. -15.   0.   1.   2.   3.   4.   5.   6.   7.   8.   9.  10.]
[-10. -11. -12. -13. -14. -15.   0.   1.   2.   3.   4.   5.   6.   7.   8.   9.]
[ -9. -10. -11. -12. -13. -14. -15.   0.   1.   2.   3.   4.   5.   6.   7.   8.]
[ -8.  -9. -10. -11. -12. -13. -14. -15.   0.   1.   2.   3.   4.   5.   6.   7.]
[ -7.  -8.  -9. -10. -11. -12. -13. -14. -15.   0.   1.   2.   3.   4.   5.   6.]
[ -6.  -7.  -8.  -9. -10. -11. -12. -13. -14. -15.   0.   1.   2.   3.   4.   5.]
[ -5.  -6.  -7.  -8.  -9. -10. -11. -12. -13. -14. -15.   0.   1.   2.   3.   4.]
[ -4.  -5.  -6.  -7.  -8.  -9. -10. -11. -12. -13. -14. -15.   0.   1.   2.   3.]
[ -3.  -4.  -5. 

In [5]:
dimension = 16
poly = np.array([i for i in range(16)])
monomial = [0,1]

for i in range(32):
    poly = positive_ring_mult(poly, monomial)
    print(poly)

[15.  0.  1.  2.  3.  4.  5.  6.  7.  8.  9. 10. 11. 12. 13. 14.]
[14. 15.  0.  1.  2.  3.  4.  5.  6.  7.  8.  9. 10. 11. 12. 13.]
[13. 14. 15.  0.  1.  2.  3.  4.  5.  6.  7.  8.  9. 10. 11. 12.]
[12. 13. 14. 15.  0.  1.  2.  3.  4.  5.  6.  7.  8.  9. 10. 11.]
[11. 12. 13. 14. 15.  0.  1.  2.  3.  4.  5.  6.  7.  8.  9. 10.]
[10. 11. 12. 13. 14. 15.  0.  1.  2.  3.  4.  5.  6.  7.  8.  9.]
[ 9. 10. 11. 12. 13. 14. 15.  0.  1.  2.  3.  4.  5.  6.  7.  8.]
[ 8.  9. 10. 11. 12. 13. 14. 15.  0.  1.  2.  3.  4.  5.  6.  7.]
[ 7.  8.  9. 10. 11. 12. 13. 14. 15.  0.  1.  2.  3.  4.  5.  6.]
[ 6.  7.  8.  9. 10. 11. 12. 13. 14. 15.  0.  1.  2.  3.  4.  5.]
[ 5.  6.  7.  8.  9. 10. 11. 12. 13. 14. 15.  0.  1.  2.  3.  4.]
[ 4.  5.  6.  7.  8.  9. 10. 11. 12. 13. 14. 15.  0.  1.  2.  3.]
[ 3.  4.  5.  6.  7.  8.  9. 10. 11. 12. 13. 14. 15.  0.  1.  2.]
[ 2.  3.  4.  5.  6.  7.  8.  9. 10. 11. 12. 13. 14. 15.  0.  1.]
[ 1.  2.  3.  4.  5.  6.  7.  8.  9. 10. 11. 12. 13. 14. 15.]
[ 0.  1.  2.  

---

## The question is what if we define cyclic convolution in $\Z_q[x]/(x^n+1)$ via NTT-like operation
We can remove neccesarity of negacyclic property while blind rotation is running?

---

Function for find suitable $\omega, \omega^{-1}, n, n^{-1} \in \Z_{q}$ to execute NTT-like cyclic convolution.

In [6]:
def mod_inverse(a, m):
    """Compute the modular inverse of a modulo m using the Extended Euclidean Algorithm."""
    m0 = m
    x0, x1 = 0, 1
    if m == 1:
        return 0
    while a > 1:
        q = a // m
        a, m = m, a % m
        x0, x1 = x1 - q * x0, x0
    return x1 + m0 if x1 < 0 else x1

def prime_factors(n):
    """Return the set of prime factors of n."""
    factors = set()
    # Factor out 2
    while n % 2 == 0:
        factors.add(2)
        n //= 2
    # Factor out odd primes
    i = 3
    while i * i <= n:
        while n % i == 0:
            factors.add(i)
            n //= i
        i += 2
    if n > 2:
        factors.add(n)
    return factors

def primitive_root(q):
    """
    Find a primitive root modulo q.
    Assumes q is prime.
    """
    if q == 2:
        return 1
    phi = q - 1
    factors = prime_factors(phi)
    for g in range(2, q):
        flag = True
        for factor in factors:
            if pow(g, phi // factor, q) == 1:
                flag = False
                break
        if flag:
            return g
    raise ValueError("No primitive root found.")

def nth_roots_of_unity(n, q):
    """
    For a given dimension n and prime modulus q:
      - Compute the inverse of n modulo q.
      - Compute the primitive n-th root of unity, omega.
      - Compute its inverse, omega_inv.
      - List all n-th roots of unity in Z_q.
      
    Note: n-th roots of unity exist only if n divides q-1.
    """
    # Check necessary condition
    if (q - 1) % n != 0:
        raise ValueError("n does not divide q-1. n-th roots of unity do not exist in Z_q.")
    
    inv_n = mod_inverse(n, q)
    
    # Find a primitive root modulo q
    g = primitive_root(q)
    
    # Compute omega: a primitive n-th root of unity
    exponent = (q - 1) // n
    omega = pow(g, exponent, q)
    
    # Compute the inverse of omega
    omega_inv = mod_inverse(omega, q)
    
    # Compute all n-th roots of unity: {omega^0, omega^1, ..., omega^(n-1)}
    roots = [pow(omega, k, q) for k in range(n)]
    
    return inv_n, roots, omega, omega_inv

# Example usage:
# inv_n, roots, omega, omega_inv = nth_roots_of_unity(n, q)

In [7]:
def positive_wrapped_ntt(a, omega, q, n):
    # Initialize the result vector with zeros
    hat_a = np.zeros(n, dtype=int)
    
    # Loop over each j to compute hat_a[j]
    for j in range(n):
        # Summation: hat_a[j] = sum(omega^(ij) * a_i) mod q
        summation = 0
        for i in range(n):
            exponent = (i * j) % (n) # exponent ij modulo n
            summation += pow(omega, exponent, q) * a[i]
        
        # Take modulo q for the result
        hat_a[j] = summation % q
    
    return hat_a

def positive_wrapped_intt(hat_a, omega_inv, q, n, n_inv):
    # Initialize the result vector with zeros
    a = np.zeros(n, dtype=int)
    
    # Loop over each j to compute hat_a[j]
    for i in range(n):
        # Summation: a[i] = sum(omega_inv^{-(ij)} * hat_a[j]) mod q
        summation = 0
        for j in range(n):
            exponent = (i * j) % (n) # exponent 2ij + i modulo 2n
            summation += pow(omega_inv, exponent, q) * hat_a[j]
        
        # Take modulo q for the result
        a[i] = (n_inv * summation) % q
    
    return a

def NTT_like_PWC(poly1, poly2, omega, omega_inv, n, n_inv, q):
    ntt_poly1 = positive_wrapped_ntt(poly1, omega, q, n)
    ntt_poly2 = positive_wrapped_ntt(poly2, omega, q, n)

    ntt_res = np.zeros(n)
    for i in range(n):
        ntt_res[i] = (ntt_poly1[i] * ntt_poly2[i]) % q
    
    poly_nega_conv = positive_wrapped_intt(ntt_res, omega_inv, q, n, n_inv)
    return poly_nega_conv
    

# Polynomial coefficients a = [a_0, a_1, ..., a_{n-1}]
dimension = 16
q = 7681  # Modulo value q
a = np.array([i for i in range(16)])
b = np.array([i for i in range(16)])
inv_n, roots, omega, omega_inv = nth_roots_of_unity(dimension, q)

res = NTT_like_PWC(a, b, omega, omega_inv, dimension, inv_n, q)
print(res)

res = positive_ring_mult_q(a, b, q)
print(res)

[ 680  784  872  944 1000 1040 1064 1072 1064 1040 1000  944  872  784  680  560]
[ 680.  784.  872.  944. 1000. 1040. 1064. 1072. 1064. 1040. 1000.  944.  872.  784.  680.  560.]


In [None]:
dimension = 16
q = 7681
inv_n, roots, omega, omega_inv = nth_roots_of_unity(dimension, q)
poly     = np.array([i for i in range(16)])
monomial = np.zeros(16)
monomial[1] = 1 # X

for i in range(dimension * 2):
    poly = NTT_like_PWC(poly, monomial, omega, omega_inv, dimension, inv_n, q)
    print(poly)

[15  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14]
[14 15  0  1  2  3  4  5  6  7  8  9 10 11 12 13]
[13 14 15  0  1  2  3  4  5  6  7  8  9 10 11 12]
[12 13 14 15  0  1  2  3  4  5  6  7  8  9 10 11]
[11 12 13 14 15  0  1  2  3  4  5  6  7  8  9 10]
[10 11 12 13 14 15  0  1  2  3  4  5  6  7  8  9]
[ 9 10 11 12 13 14 15  0  1  2  3  4  5  6  7  8]
[ 8  9 10 11 12 13 14 15  0  1  2  3  4  5  6  7]
[ 7  8  9 10 11 12 13 14 15  0  1  2  3  4  5  6]
[ 6  7  8  9 10 11 12 13 14 15  0  1  2  3  4  5]
[ 5  6  7  8  9 10 11 12 13 14 15  0  1  2  3  4]
[ 4  5  6  7  8  9 10 11 12 13 14 15  0  1  2  3]
[ 3  4  5  6  7  8  9 10 11 12 13 14 15  0  1  2]
[ 2  3  4  5  6  7  8  9 10 11 12 13 14 15  0  1]
[ 1  2  3  4  5  6  7  8  9 10 11 12 13 14 15  0]
[ 0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15]
[15  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14]
[14 15  0  1  2  3  4  5  6  7  8  9 10 11 12 13]
[13 14 15  0  1  2  3  4  5  6  7  8  9 10 11 12]
[12 13 14 15  0  1  2  3  4  5  6  7  8  9 10 11]


---

# TEST : Negacyclic Blind rotation

---

#### Parameters

* $n = 556$
* $q = 2048$
* $N = 1024$
* $Q = 2^{27}$

#### Functions

* ACC initialization
* LWE extraction

#### Class

* Ring $\Z_q[x]/(x^n+1)$ with NTT-like cyclic convolution

In [9]:
class R:
    def __init__(self, dimension, modulus, coeffs):
        self.n = dimension
        self.q = modulus
        self.coeffs = coeffs
        self.inv_n, self.roots, self.omega, self.omega_inv = nth_roots_of_unity(dimension, modulus)
        
    def positive_wrapped_ntt(a, omega, q, n):
        # Initialize the result vector with zeros
        hat_a = np.zeros(n, dtype=int)

        # Loop over each j to compute hat_a[j]
        for j in range(n):
            # Summation: hat_a[j] = sum(omega^(ij) * a_i) mod q
            summation = 0
            for i in range(n):
                exponent = (i * j) % (n) # exponent ij modulo n
                summation += pow(omega, exponent, q) * a[i]

            # Take modulo q for the result
            hat_a[j] = summation % q

        return hat_a

    def positive_wrapped_intt(hat_a, omega_inv, q, n, n_inv):
        # Initialize the result vector with zeros
        a = np.zeros(n, dtype=int)

        # Loop over each j to compute hat_a[j]
        for i in range(n):
            # Summation: a[i] = sum(omega_inv^{-(ij)} * hat_a[j]) mod q
            summation = 0
            for j in range(n):
                exponent = (i * j) % (n) # exponent 2ij + i modulo 2n
                summation += pow(omega_inv, exponent, q) * hat_a[j]

            # Take modulo q for the result
            a[i] = (n_inv * summation) % q

        return a

    def NTT_like_PWC(self, other):
        assert self.omega == other.omega
        assert self.omega_inv == other.omega_inv
        assert self.q == other.q
        assert self.n == other.n

        ntt_poly1 = positive_wrapped_ntt(self.coeffs, self.omega, self.q, self.n)
        ntt_poly2 = positive_wrapped_ntt(other.coeffs, other.omega, other.q, other.n)

        ntt_res = np.zeros(self.n)
        for i in range(self.n):
            ntt_res[i] = (ntt_poly1[i] * ntt_poly2[i]) % self.q

        poly_nega_conv = positive_wrapped_intt(ntt_res, self.omega_inv, self.q, self.n, self.inv_n)
        return R(self.n, self.q, poly_nega_conv)

    def negative_ring_mult_q(self, other):
        assert self.q == other.q
        assert self.n == other.n
        
        prod = np.polymul(self.coeffs[::-1], other.coeffs[::-1])
        qq, r = np.polydiv(prod, getDiv(self.n))
        r = np.mod(r, 1024)
        return R(self.n, self.q, r[::-1])
    
    # def __repr__(self):
    #         terms = []
    #         for i, coef in enumerate(self.coeffs):
    #             if coef != 0:
    #                 if i == 0:
    #                     terms.append(f"{coef}")
    #                 elif i == 1:
    #                     terms.append(f"{coef}x")
    #                 else:
    #                     terms.append(f"{coef}x^{i}")
    
    #         poly_str = " + ".join(terms) if terms else "0"
    #         return f"R(n={self.n}, q={self.q}, coeffs= {poly_str})"
    
    def __repr__(self):
        terms = []
        for i, coef in enumerate(self.coeffs):
            # if coef != 0:
                if i == 0:
                    terms.append(f"{coef}")
                elif i == 1:
                    terms.append(f"{coef}x")
                else:
                    terms.append(f"{coef}x^{i}")
    
        poly_str = " + ".join(terms) if terms else "0"
    
        # Split into two lines
        mid = len(terms) // 2  # Find the middle index
        first_half = " + ".join(terms[:mid])
        second_half = " + ".join(reversed(terms[mid:]))
        # second_half = " + ".join(terms[mid:])

        return f"R(n={self.n}, q={self.q}, coeffs=\n  {first_half}\n  {second_half})"
    
    def __getitem__(self, index):
        return self.coeffs[index]  # Allow indexing into the coefficient array
    


---
## Simple examples

In [10]:
# Parameters
dimension = 4
q = 7681  # Modulo value q

a = [1, 2, 3, 4]
b = [5, 6, 7, 8]

poly1 = R(dimension, q, a)
poly2 = R(dimension, q, b)

res = poly1.negative_ring_mult_q(poly2)
print(res)

res = poly1.NTT_like_PWC(poly2)
print(res)

R(n=4, q=7681, coeffs=
  968.0 + 988.0x
  60.0x^3 + 2.0x^2)
R(n=4, q=7681, coeffs=
  66 + 68x
  60x^3 + 66x^2)


In [11]:
# Parameters
dimension = 1024
Q = 134218753  # Modulo value q

a = np.array([i for i in range(dimension)])
b = np.array([i for i in range(dimension)])

poly1 = R(dimension, Q, a)
poly2 = R(dimension, Q, b)

res = poly1.negative_ring_mult_q(poly2)
print(res)

res = poly1.NTT_like_PWC(poly2)
print(res)

R(n=1024, q=134218753, coeffs=
  512.0 + 0.0x + 514.0x^2 + 8.0x^3 + 532.0x^4 + 40.0x^5 + 582.0x^6 + 112.0x^7 + 680.0x^8 + 240.0x^9 + 842.0x^10 + 440.0x^11 + 60.0x^12 + 728.0x^13 + 398.0x^14 + 96.0x^15 + 848.0x^16 + 608.0x^17 + 402.0x^18 + 232.0x^19 + 100.0x^20 + 8.0x^21 + 982.0x^22 + 976.0x^23 + 1016.0x^24 + 80.0x^25 + 218.0x^26 + 408.0x^27 + 652.0x^28 + 952.0x^29 + 286.0x^30 + 704.0x^31 + 160.0x^32 + 704.0x^33 + 290.0x^34 + 968.0x^35 + 692.0x^36 + 488.0x^37 + 358.0x^38 + 304.0x^39 + 328.0x^40 + 432.0x^41 + 618.0x^42 + 888.0x^43 + 220.0x^44 + 664.0x^45 + 174.0x^46 + 800.0x^47 + 496.0x^48 + 288.0x^49 + 178.0x^50 + 168.0x^51 + 260.0x^52 + 456.0x^53 + 758.0x^54 + 144.0x^55 + 664.0x^56 + 272.0x^57 + 1018.0x^58 + 856.0x^59 + 812.0x^60 + 888.0x^61 + 62.0x^62 + 384.0x^63 + 832.0x^64 + 384.0x^65 + 66.0x^66 + 904.0x^67 + 852.0x^68 + 936.0x^69 + 134.0x^70 + 496.0x^71 + 1000.0x^72 + 624.0x^73 + 394.0x^74 + 312.0x^75 + 380.0x^76 + 600.0x^77 + 974.0x^78 + 480.0x^79 + 144.0x^80 + 992.0x^81 + 978.0x^

---
* Define ACC initialization
* and Blind rotation via negacyclic convolution

In [12]:
def nega_ACC_init(b, q, N):
    N2 = 2*N
    acc = np.zeros(N2)

    for i in range(q):
        acc[i]      =  (b-(i)) % q
        acc[i+q]    = -(b-(i)) % q
    acc = R(N2, Q, acc)
    return acc

def nega_blind_rotation(acc : R, a, s, q, n, Q, N):
    tmp_acc = acc
    for i in range(n):
        _as = a[i] * s[i] % q
        if _as == 0 : continue
        print("round :", i)
        monomial = np.zeros(N*2)
        monomial[N-(_as)] = 1
        monomial = R(N*2, Q, monomial)

        tmp_acc = tmp_acc.negative_ring_mult_q(monomial)
        print(tmp_acc)

    return tmp_acc

In [13]:
# n = 556
# q = 1024
# N = 1024 # Reduced value for nega-like work, which means it actually 2048, i guess.
# # Q = 134218753 # For N = 1024
# Q = 134225921 # For N = 2048

# m = rand.randint(0, 1) * q//2
# a = np.array([rand.randint(0, q//2) for _ in range(n)])
# s = np.array([rand.randint(0, 1) for _ in range(n)])
# b = (m + sum(a * s)) % q

# print("Message : ", m)
# print("Random Nounce : ", a)
# print("Secret values : ", s)
# print("<a,s> = ", sum(a*s) % q)
# print("Encryption(Noiseless) : ", b)
# print("Decrytion : ", (b - sum(a*s)) % q)

# acc = nega_ACC_init(b, q, N)
# print("Initialized Accumulator : ", acc)

# res = nega_blind_rotation(acc, a, s, q, n, Q, N)
# constant_term = res[0]
# print("Extracted result : ", constant_term, " and message : ", m)

---
* Define ACC initialization for cyclic convolution in ring $\Z_Q[X]/(X^N+1)$ via NTT-like operation
* And define blind rotation via NTT-like cyclic convolution

In [14]:
def NTT_like_ACC_init(b, q, N):
    acc = np.zeros(N)

    for i in range(q):
        acc[i]      =  (b-(i)) % q
    acc = R(N, Q, acc)
    return acc

def NTT_like_blind_rotation(acc : R, a, s, q, n, Q, N):
    tmp_acc = R(N, Q, acc.coeffs)
    for i in range(n):
        _as = a[i] * s[i] % q
        if _as == 0 : continue
        print("round :", i)
        monomial = np.zeros(N)
        monomial[N-(_as)] = 1
        monomial = R(N, Q, monomial)

        tmp_acc = tmp_acc.NTT_like_PWC(monomial)
        print(tmp_acc)
    return tmp_acc



In [15]:
# n = 556
# q = 1024
# N = 1024 # Reduced value for nega-like work, which means it actually 2048, i guess.
# Q = 12289 # For N = 1024
# # Q = 134225921 # For N = 2048

# m = rand.randint(0, 1) * q//2
# a = np.array([rand.randint(0, q//2) for _ in range(n)])
# s = np.array([rand.randint(0, 1) for _ in range(n)])
# b = (m + sum(a * s)) % q

# print("Message : ", m)
# print("Random Nounce : ", a)
# print("Secret values : ", s)
# print("<a,s> = ", sum(a*s) % q)
# print("Encryption(Noiseless) : ", b)
# print("Decrytion : ", (b - sum(a*s)) % q)

# acc = NTT_like_ACC_init(b, q, N)
# print("Initialized Accumulator : ", acc)

# res = NTT_like_blind_rotation(acc, a, s, q, n, Q, N)
# constant_term = res[0]
# print("Extracted result : ", constant_term, " and message : ", m)