# Prerequisites
- LWE
- Abstract algebra - rings

# Theory

- https://www.youtube.com/watch?v=Lo-_ZBqGa7I - learnt after this

TL DR: $LWE$ on polynomials over rings

## The why

**$LWE$ Disadvantage**
- Big keys + matrix mutiplications => quadratic time $\mathcal{O}(n^2)$ => to encrypt/ decrypt => Slow

*Idea*
- We want to transform $As + e = B \in \mathbb{Z}^n_q$ into $A \star s + e = B \in \mathbb{Z}^n_q$ where $\star$ is a faster operator

**Solution**
- $\star = $ multiplication in **polynomial ring** $\mathbb{Z}_q[X]/(f(X)$ where $f(X)$ is an irreductible polynomial of degree $n$ (Ex: $X^n + 1$)
    - Fast fourier transforms => $n \log n$ operations $\bmod q$

## Rings geometry

suggested reading: 
- https://eprint.iacr.org/2012/230.pdf - page 11
- or https://eprint.iacr.org/2015/938.pdf -page 34 



Let 
- $R = \mathbb{Z}_q[X]/(f(X)$  where $f(X)$ is an irreductible polynomial of degree $n$
- $R_q = R/qR$ 
    - Elements here are $poly$ of $deg < n$ with coeff $\bmod q$

#### Embeddings

**Coefficient embedding**
> For every $f \in R$ we associate the $n-$dimensional vector of coefficients

**Canonical embedding**
- $f$ is a polynomial in $R$ of degree $n$ => it has $n$ *complex* roots
- Evaluating the polynomial at a root $\alpha_i$ gives a homomorphism into $\mathbb{C}$
    - We have $n$ homomorphisms $X \mapsto \alpha_i$
    
> *canonical embedding*: $\sigma : R \to \mathbb{C^n}, \sigma(f) = (f(\alpha_i))$
- We can define norms $\|f\|_2 = \|\sigma(f)\|_2$
- $\sigma(a + b) = \sigma(a) + \sigma(b)$
- $\sigma(ab) = \sigma(a) \cdot \sigma(b)$

Examples (go over them) : https://youtu.be/Lo-_ZBqGa7I?t=2082

![image.png](attachment:image.png)

**Cyclotomic ring**
- suggested reading (again) : https://eprint.iacr.org/2012/230.pdf - page 11
- Usually $n=2^k$. Why?
- In any $2^k$ cyclotomic for any $j$ we have: $\|X^j\|_2 = \sqrt n$ and $\|X^j\|_{\infty} = 1$
- $\{1, X, ..., X^{n-1}\}$ is **orthogonal** under the $\sigma$ embedding
    - Coeff / canonical embedings are equivalent (up to $\sqrt n$ scaling)

#### Dual Ideal

- https://en.wikipedia.org/wiki/Ideal_(ring_theory)
- $R$ has a dual ideal $R^\vee$
- $R_q = R/qR$ and $R^\vee = R^\vee / qR^\vee$

**Trace function**
> let $Tr$ be the following function: $$Tr : R \to \mathbb{Z}$$ $$Tr(a) = \sum_{i\in \mathbb{Z}_M^*}a(w^i)$$
- *Intuition:* Sum of all embeddings
- $Tr(a \cdot b) = \sum_i a(w^i) \cdot b(w^i) = \underbrace{\langle \sigma(a), \overline{\sigma(b)} \rangle}_{\text{"inner product"}}$

**Dual**
> $R$'s dual: $R^\vee = \{b: tr(a\cdot b) \in \mathbb{Z} \ \forall a \in R\}$

- Power of 2 cyclotomic ring (Just a scaling of $R$): ![image.png](attachment:image.png)

**Note**
- if $n \neq 2^k$ the basis is not orthogonal anymore

## Ring-LWE

Let 
- $R = \mathbb{Z}_q[X]/(f(x)$  where $f(x)$ is an irreductible polynomial of degree $n$
- $R_q = R/qR$ 
    - Elements here are $poly$ of $deg < n$ with coeff $\bmod q$
    
Let $LWE_{R, q, \chi, m}$ (or $R-LWE_{q, \chi, m}$) be a Ring-LWE problem:

**Search**
>given $m$ pairs $(a_1, ...), (b_1, ...)$ generated as follows: 
>
>$\begin{equation}
a_1 \leftarrow R_q , \ \ b_1 = s \cdot a_1 + e_1 \in R_q^\vee\\
a_2 \leftarrow R_q , \ \ b_2 = s \cdot a_2 + e_2 \in R_q^\vee\\
\vdots
\end{equation}$
> - for errors from a gaussian of width $\alpha q$ over $R_q^\vee$
>
>find $s \in R_q^\vee$

**Decision**
> Distinguish $(a_i, b_i)$ from uniform $(a_i, b_i) \in R_q \times R_q^\vee$

![image.png](attachment:image.png)

## Public Cryptosystem
- https://eprint.iacr.org/2012/230.pdf - page 4

Public parameters: $n, R_q$, sometimes $a \in R_q$

**Alice** 
- chooses a secret $s \leftarrow \chi, s \in R$
- chooses an error $e \leftarrow \chi$
- sends to Bob her **public key**
    - $(a, b = as + e)$ - RLWE pair


**Bob**
- chooses a message $m \in R_2$ - $n$-bit string
- chooses an error $e_1, e_2 \leftarrow \chi$
- chooses $r \leftarrow \chi$
- *Encrypts* and sends to Alice
    - $u = a \cdot r + e_1 \in R_q$ 
    - $v = b \cdot r + e_2 + m \cdot \dfrac q 2 \in R_q$

**Alice**
- *Decrypts*
    - $v - s \cdot u \approx m \cdot \cfrac q 2 + \underbrace{\underbrace{b}_{\approx a \cdot s} \cdot r - s \cdot a \cdot r}_{\text{very small}} \approx m \cdot \dfrac q 2$


# Code

- https://eprint.iacr.org/2012/230.pdf - page 4

In [119]:
from sage.stats.distributions.discrete_gaussian_polynomial import DiscreteGaussianDistributionPolynomialSampler
import random

In [205]:
#Parameters
n = 2**4
q = next_prime(800)
#Rings
P.<x> = Zmod(q)[]
RQ.<X>  = P.quotient(x**n + 1)
D = DiscreteGaussianDistributionPolynomialSampler(P, n=n, sigma=sqrt(n) + 1)
#Generate A
a = RQ.random_element()

In [206]:
#Alice1
def generate_public_key(a, D):
    s = D()
    e = D()
    b = a * s + e
    return s, b

s, b = generate_public_key(a, D) #s is secret, b is public
print(b)

401*X^15 + 421*X^14 + 91*X^13 + 281*X^12 + 518*X^11 + 515*X^10 + 610*X^9 + 770*X^8 + 241*X^7 + 279*X^6 + 587*X^5 + 353*X^4 + 587*X^3 + 268*X^2 + 125*X + 581


In [207]:
#Bob1
def encrypt_msg(msg, b, a, D):
    e1 = D()
    e2 = D()
    r = D()
    
    u = a * r + e1
    v = b * r + e2 + msg * (q//2)
    
    return u, v
    
msg = [random.randint(0, 1) for _ in range(n)]
print(msg, RQ(msg))
u, v = encrypt_msg(RQ(msg), b, a, D)

print(u)
print(v)

[0, 0, 1, 1, 1, 0, 1, 0, 1, 1, 0, 0, 0, 1, 0, 0] X^13 + X^9 + X^8 + X^6 + X^4 + X^3 + X^2
561*X^15 + 551*X^14 + 501*X^13 + 65*X^12 + 571*X^11 + 174*X^10 + 148*X^9 + 248*X^8 + 57*X^7 + 279*X^6 + 783*X^5 + 727*X^4 + 612*X^3 + 57*X^2 + 326*X + 452
222*X^15 + 526*X^14 + 504*X^13 + 708*X^12 + 280*X^11 + 762*X^10 + 140*X^9 + 220*X^8 + 467*X^7 + 619*X^6 + 508*X^5 + 629*X^4 + 729*X^3 + 56*X^2 + 803*X + 313


In [208]:
#Decrypt
temp = v - s * u
print(temp, list(temp))

print([int(q//4 < coeff <= 3 * q//4) for coeff in temp.list()]) # check if it's closer to q//2 to receive the bit
print(msg)

96*X^15 + 778*X^14 + 441*X^13 + 759*X^12 + 38*X^11 + 45*X^10 + 345*X^9 + 456*X^8 + 493*X^7 + 398*X^6 + 783*X^5 + 732*X^4 + 213*X^3 + 498*X^2 + 107*X + 78 [78, 107, 498, 213, 732, 783, 398, 493, 456, 345, 45, 38, 759, 441, 778, 96]
[0, 0, 1, 1, 0, 0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0]
[0, 0, 1, 1, 1, 0, 1, 0, 1, 1, 0, 0, 0, 1, 0, 0]


**Note**
- Obviously you can do this using vectors mod q but I used rings for illustrative purposes

## Defined constructions

In [71]:
from sage.crypto.lwe import RingLWE
from sage.stats.distributions.discrete_gaussian_polynomial import DiscreteGaussianDistributionPolynomialSampler

In [78]:
n = 8
q = 127
D = DiscreteGaussianDistributionPolynomialSampler(ZZ['x'], n=n, sigma=3.0)

rlwe = RingLWE(N=20, q=q, D=D)
rlwe

RingLWE(20, 127, Discrete Gaussian sampler for polynomials of degree < 8 with σ=3.000000 in each component, x^8 - x^6 + x^4 - x^2 + 1, 'uniform', None)

In [83]:
l = [rlwe() for _ in range(3)]
l

[((34, 73, 125, 94, 108, 92, 17, 97), (62, 117, 60, 99, 28, 124, 113, 65)),
 ((98, 6, 43, 9, 8, 100, 87, 79), (33, 40, 69, 2, 31, 102, 111, 59)),
 ((67, 55, 116, 78, 83, 74, 44, 1), (51, 50, 37, 122, 108, 12, 63, 15))]

In [89]:
l[0][0].parent(), l[0][1].parent()

(Vector space of dimension 8 over Ring of integers modulo 127,
 Vector space of dimension 8 over Ring of integers modulo 127)

# Resources

- https://web.eecs.umich.edu/~cpeikert/pubs/lattice-survey.pdf - page 30
- https://eprint.iacr.org/2015/938.pdf
- http://cryptowiki.net/index.php?title=LWE-based_cryptographic_protocols