# 01 - About Blind Rotation
---

In [1]:
import numpy as np
import random as rand
from note_include.elem.Ring  import Ring

np.set_printoptions(linewidth=np.inf) # print np array in only one line

dimension = 4

In [2]:
def getDiv(n : int) -> np.array :
    divisor = np.zeros(n+1)
    divisor[n] = 1
    divisor[0] = 1
    return divisor

def getPosDiv(n:int) -> np.array:
    divisor = np.zeros(n+1)
    divisor[n] = 1
    divisor[0] = -1
    return divisor

Let we use ring $\Z_q[x]/(x^n+1)$. That is, we use negacyclic convolution.

Function $\textsf{positive\_ring\_mult}$ for cyclic convolution that used in ring $\Z_q[x]/(x^n-1)$.

In [3]:
# negacyclic convolution define in $\Z_q[x]/(x^n+1)$
def negative_ring_mult(poly1 : np.array, poly2 : np.array) -> np.array:
    prod = np.polymul(poly1[::-1], poly2[::-1])
    q, r = np.polydiv(prod, getDiv(dimension))
    return r[::-1]

# cyclic convolution define in $\Z_q[x]/(x^n-1)$
def positive_ring_mult(poly1 : np.array, poly2 : np.array) -> np.array:
    prod = np.polymul(poly1[::-1], poly2[::-1])
    q, r = np.polydiv(prod, getPosDiv(dimension))
    return r[::-1]

def negative_ring_mult_q(poly1 : np.array, poly2 : np.array, q) -> np.array:
    prod = np.polymul(poly1[::-1], poly2[::-1])
    _, r = np.polydiv(prod, getDiv(dimension))
    r = r % q
    return r[::-1]

def positive_ring_mult_q(poly1 : np.array, poly2 : np.array, q) -> np.array:
    prod = np.polymul(poly1[::-1], poly2[::-1])
    _, r = np.polydiv(prod, getPosDiv(dimension))
    r = r % q
    return r[::-1]


---

In [4]:
dimension = 16
poly = np.array([i for i in range(16)])
monomial = [0,1]

for i in range(32):
    poly = negative_ring_mult(poly, monomial)
    print(poly)

[-15.   0.   1.   2.   3.   4.   5.   6.   7.   8.   9.  10.  11.  12.  13.  14.]
[-14. -15.   0.   1.   2.   3.   4.   5.   6.   7.   8.   9.  10.  11.  12.  13.]
[-13. -14. -15.   0.   1.   2.   3.   4.   5.   6.   7.   8.   9.  10.  11.  12.]
[-12. -13. -14. -15.   0.   1.   2.   3.   4.   5.   6.   7.   8.   9.  10.  11.]
[-11. -12. -13. -14. -15.   0.   1.   2.   3.   4.   5.   6.   7.   8.   9.  10.]
[-10. -11. -12. -13. -14. -15.   0.   1.   2.   3.   4.   5.   6.   7.   8.   9.]
[ -9. -10. -11. -12. -13. -14. -15.   0.   1.   2.   3.   4.   5.   6.   7.   8.]
[ -8.  -9. -10. -11. -12. -13. -14. -15.   0.   1.   2.   3.   4.   5.   6.   7.]
[ -7.  -8.  -9. -10. -11. -12. -13. -14. -15.   0.   1.   2.   3.   4.   5.   6.]
[ -6.  -7.  -8.  -9. -10. -11. -12. -13. -14. -15.   0.   1.   2.   3.   4.   5.]
[ -5.  -6.  -7.  -8.  -9. -10. -11. -12. -13. -14. -15.   0.   1.   2.   3.   4.]
[ -4.  -5.  -6.  -7.  -8.  -9. -10. -11. -12. -13. -14. -15.   0.   1.   2.   3.]
[ -3.  -4.  -5. 

In [5]:
dimension = 16
poly = np.array([i for i in range(16)])
monomial = [0,1]

for i in range(32):
    poly = positive_ring_mult(poly, monomial)
    print(poly)

[15.  0.  1.  2.  3.  4.  5.  6.  7.  8.  9. 10. 11. 12. 13. 14.]
[14. 15.  0.  1.  2.  3.  4.  5.  6.  7.  8.  9. 10. 11. 12. 13.]
[13. 14. 15.  0.  1.  2.  3.  4.  5.  6.  7.  8.  9. 10. 11. 12.]
[12. 13. 14. 15.  0.  1.  2.  3.  4.  5.  6.  7.  8.  9. 10. 11.]
[11. 12. 13. 14. 15.  0.  1.  2.  3.  4.  5.  6.  7.  8.  9. 10.]
[10. 11. 12. 13. 14. 15.  0.  1.  2.  3.  4.  5.  6.  7.  8.  9.]
[ 9. 10. 11. 12. 13. 14. 15.  0.  1.  2.  3.  4.  5.  6.  7.  8.]
[ 8.  9. 10. 11. 12. 13. 14. 15.  0.  1.  2.  3.  4.  5.  6.  7.]
[ 7.  8.  9. 10. 11. 12. 13. 14. 15.  0.  1.  2.  3.  4.  5.  6.]
[ 6.  7.  8.  9. 10. 11. 12. 13. 14. 15.  0.  1.  2.  3.  4.  5.]
[ 5.  6.  7.  8.  9. 10. 11. 12. 13. 14. 15.  0.  1.  2.  3.  4.]
[ 4.  5.  6.  7.  8.  9. 10. 11. 12. 13. 14. 15.  0.  1.  2.  3.]
[ 3.  4.  5.  6.  7.  8.  9. 10. 11. 12. 13. 14. 15.  0.  1.  2.]
[ 2.  3.  4.  5.  6.  7.  8.  9. 10. 11. 12. 13. 14. 15.  0.  1.]
[ 1.  2.  3.  4.  5.  6.  7.  8.  9. 10. 11. 12. 13. 14. 15.]
[ 0.  1.  2.  

---

## The question is what if we define cyclic convolution in $\Z_q[x]/(x^n+1)$ via NTT-like operation
We can remove neccesarity of negacyclic property while blind rotation is running?

---

Function for find suitable $\omega, \omega^{-1}, n, n^{-1} \in \Z_{q}$ to execute NTT-like cyclic convolution.

In [6]:
def mod_inverse(a, m):
    """Compute the modular inverse of a modulo m using the Extended Euclidean Algorithm."""
    m0 = m
    x0, x1 = 0, 1
    if m == 1:
        return 0
    while a > 1:
        q = a // m
        a, m = m, a % m
        x0, x1 = x1 - q * x0, x0
    return x1 + m0 if x1 < 0 else x1

def prime_factors(n):
    """Return the set of prime factors of n."""
    factors = set()
    # Factor out 2
    while n % 2 == 0:
        factors.add(2)
        n //= 2
    # Factor out odd primes
    i = 3
    while i * i <= n:
        while n % i == 0:
            factors.add(i)
            n //= i
        i += 2
    if n > 2:
        factors.add(n)
    return factors

def primitive_root(q):
    """
    Find a primitive root modulo q.
    Assumes q is prime.
    """
    if q == 2:
        return 1
    phi = q - 1
    factors = prime_factors(phi)
    for g in range(2, q):
        flag = True
        for factor in factors:
            if pow(g, phi // factor, q) == 1:
                flag = False
                break
        if flag:
            return g
    raise ValueError("No primitive root found.")

def nth_roots_of_unity(n, q):
    """
    For a given dimension n and prime modulus q:
      - Compute the inverse of n modulo q.
      - Compute the primitive n-th root of unity, omega.
      - Compute its inverse, omega_inv.
      - List all n-th roots of unity in Z_q.
      
    Note: n-th roots of unity exist only if n divides q-1.
    """
    # Check necessary condition
    if (q - 1) % n != 0:
        raise ValueError("n does not divide q-1. n-th roots of unity do not exist in Z_q.")
    
    inv_n = mod_inverse(n, q)
    
    # Find a primitive root modulo q
    g = primitive_root(q)
    
    # Compute omega: a primitive n-th root of unity
    exponent = (q - 1) // n
    omega = pow(g, exponent, q)
    
    # Compute the inverse of omega
    omega_inv = mod_inverse(omega, q)
    
    # Compute all n-th roots of unity: {omega^0, omega^1, ..., omega^(n-1)}
    roots = [pow(omega, k, q) for k in range(n)]
    
    return inv_n, roots, omega, omega_inv

# Example usage:
# inv_n, roots, omega, omega_inv = nth_roots_of_unity(n, q)

In [7]:
def positive_wrapped_ntt(a, omega, q, n):
    # Initialize the result vector with zeros
    hat_a = np.zeros(n, dtype=int)
    
    # Loop over each j to compute hat_a[j]
    for j in range(n):
        # Summation: hat_a[j] = sum(omega^(ij) * a_i) mod q
        summation = 0
        for i in range(n):
            exponent = (i * j) % (n) # exponent ij modulo n
            summation += pow(omega, exponent, q) * a[i]
        
        # Take modulo q for the result
        hat_a[j] = summation % q
    
    return hat_a

def positive_wrapped_intt(hat_a, omega_inv, q, n, n_inv):
    # Initialize the result vector with zeros
    a = np.zeros(n, dtype=int)
    
    # Loop over each j to compute hat_a[j]
    for i in range(n):
        # Summation: a[i] = sum(omega_inv^{-(ij)} * hat_a[j]) mod q
        summation = 0
        for j in range(n):
            exponent = (i * j) % (n) # exponent 2ij + i modulo 2n
            summation += pow(omega_inv, exponent, q) * hat_a[j]
        
        # Take modulo q for the result
        a[i] = (n_inv * summation) % q
    
    return a

def NTT_like_PWC(poly1, poly2, omega, omega_inv, n, n_inv, q):
    ntt_poly1 = positive_wrapped_ntt(poly1, omega, q, n)
    ntt_poly2 = positive_wrapped_ntt(poly2, omega, q, n)

    ntt_res = np.zeros(n)
    for i in range(n):
        ntt_res[i] = (ntt_poly1[i] * ntt_poly2[i]) % q
    
    poly_nega_conv = positive_wrapped_intt(ntt_res, omega_inv, q, n, n_inv)
    return poly_nega_conv
    

# Polynomial coefficients a = [a_0, a_1, ..., a_{n-1}]
dimension = 16
q = 7681  # Modulo value q
a = np.array([i for i in range(16)])
b = np.array([i for i in range(16)])
inv_n, roots, omega, omega_inv = nth_roots_of_unity(dimension, q)

res = NTT_like_PWC(a, b, omega, omega_inv, dimension, inv_n, q)
print(res)

res = positive_ring_mult_q(a, b, q)
print(res)

[ 680  784  872  944 1000 1040 1064 1072 1064 1040 1000  944  872  784  680  560]
[ 680.  784.  872.  944. 1000. 1040. 1064. 1072. 1064. 1040. 1000.  944.  872.  784.  680.  560.]


In [8]:
dimension = 16
q = 7681
inv_n, roots, omega, omega_inv = nth_roots_of_unity(dimension, q)
poly     = np.array([i for i in range(16)])
monomial = np.zeros(16)
monomial[1] = 1 # X

for i in range(dimension * 2):
    poly = NTT_like_PWC(poly, monomial, omega, omega_inv, dimension, inv_n, q)
    print(poly)

[15  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14]
[14 15  0  1  2  3  4  5  6  7  8  9 10 11 12 13]
[13 14 15  0  1  2  3  4  5  6  7  8  9 10 11 12]
[12 13 14 15  0  1  2  3  4  5  6  7  8  9 10 11]
[11 12 13 14 15  0  1  2  3  4  5  6  7  8  9 10]
[10 11 12 13 14 15  0  1  2  3  4  5  6  7  8  9]
[ 9 10 11 12 13 14 15  0  1  2  3  4  5  6  7  8]
[ 8  9 10 11 12 13 14 15  0  1  2  3  4  5  6  7]
[ 7  8  9 10 11 12 13 14 15  0  1  2  3  4  5  6]
[ 6  7  8  9 10 11 12 13 14 15  0  1  2  3  4  5]
[ 5  6  7  8  9 10 11 12 13 14 15  0  1  2  3  4]
[ 4  5  6  7  8  9 10 11 12 13 14 15  0  1  2  3]
[ 3  4  5  6  7  8  9 10 11 12 13 14 15  0  1  2]
[ 2  3  4  5  6  7  8  9 10 11 12 13 14 15  0  1]
[ 1  2  3  4  5  6  7  8  9 10 11 12 13 14 15  0]
[ 0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15]
[15  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14]
[14 15  0  1  2  3  4  5  6  7  8  9 10 11 12 13]
[13 14 15  0  1  2  3  4  5  6  7  8  9 10 11 12]
[12 13 14 15  0  1  2  3  4  5  6  7  8  9 10 11]


---

# TEST : Negacyclic Blind rotation

---

#### Parameters

* $n = 556$
* $q = 2048$
* $N = 1024$
* $Q = 2^{27}$

#### Functions

* ACC initialization
* LWE extraction

#### Class

* Ring $\Z_q[x]/(x^n+1)$ with NTT-like cyclic convolution

---
## Simple examples

---
* Define ACC initialization
* and Blind rotation via negacyclic convolution

In [9]:
def nega_ACC_init(b, q, N):
    acc = np.zeros(N)

    for i in range(q//2):
        b = (b - 1) % q

        if b >= ((3 * q) // 8) and b < ((7 * q) // 8):
            acc[i] = q // 8
        else :
            acc[i] = (-q // 8) % q

    acc = Ring(N, q, acc)
    return acc

# It looks like works
def nega_blind_rotation(acc : Ring, a, s, q, n, N):
    tmp_acc = acc
    for i in range(n):
        _as = a[i] * s[i] % q
        if _as == 0 : continue

        reduced = False
        if (_as >= N) :
            _as -= N
            reduced = True

        if _as == 0:
            tmp_acc = -1 * tmp_acc
            continue

        if reduced == False:
            monomial = np.zeros(N)
            monomial[(N)-(_as)] = -1
            monomial = Ring(N, q, monomial)
        else:
            monomial = np.zeros(N)
            monomial[(N)-(_as)] = 1
            monomial = Ring(N, q, monomial)
            
        tmp_acc = tmp_acc * monomial

    return tmp_acc

In [10]:
n = 8
q = 512
N = 256

snum = 0
fnum = 0
for i in range(100):
    m1 = rand.randint(0, 1)
    m2 = rand.randint(0, 1)
    a = np.array([rand.randint(0, q) for _ in range(n)])
    s = np.array([rand.randint(0, 1) for _ in range(n)])

    b = ((m1 * q//4 + m2 * q//4) + sum(a * s)) % q

    acc = Ring(N, q, [i for i in range(N)])

    res = nega_blind_rotation(acc, a, s, q, n, N)

    _as = sum(a*s)
    _as = int((((_as % q) + q) % q) * (2 * (N) // q)) #  for param q = 2N ?
    
    reduced = False
    if (_as >= N) :
        _as -= N
    reduced = True

    if sum(a*s) % q < N: # even 
        # print("Ideal : ", acc[_as])
        ideal = acc[_as]
    else: # sum(a*s) % q >= N
        acc = -1 * acc
        # print("Ideal : ", acc[_as])
        ideal = acc[_as]

    if ideal != res.coeffs[0]:
        print("Error?\n")
        break

In [13]:
n = 16
q = 64
N = 32

snum = 0
fnum = 0

for i in range(1000):
    m1 = rand.randint(0, 1)
    m2 = rand.randint(0, 1)
    a = np.array([rand.randint(0, q) for _ in range(n)])
    s = np.array([rand.randint(0, 1) for _ in range(n)])
    b = ((m1 * q//4 + m2 * q//4) + sum(a * s)) % q

    acc = nega_ACC_init(b, q, N)
    res = nega_blind_rotation(acc, a, s, q, n, N)
    constant_term = (res[0] + q//8) % q

    if constant_term   == q//4  and (m1 and m2) == 1:
        snum += 1
    elif constant_term == 0     and (m1 and m2) == 0:
        snum += 1
    else:
        fnum += 1

print("Success number : ", snum)
print("Fail number    : ", fnum)

Success number :  1000
Fail number    :  0
