<div style="text-align: center; margin: 50px">

<h1 style="color: black; background-color: grey; text-align: center;">A boot camp on Future Security Technologies and Hardware Design</h1>
<h3> Hands on Practice on Post Qauntum Cryptography </h3>
<h3>Prepared by: Ali Raya & Vikas Kumar </h3>
</div>


# Overview

1. [Introduction](#intro) <br>
    1.1 [Tutorial layout](#layout) 
2. [Steps of our experiment](#steps)<br>
    2.1 [Key generation](#keygen)<br>
    2.2 [Encapsulation](#encap) <br>
    2.3 [Decapsulation](#decap)<br>
    2.4 [Key establishment](#ss)<br>
    2.5 [Encrypting](#enc)<br>
    2.6 [Decrypting](#dec)<br>
    2.7 [Cryptanalysis](#analysis)<br>




<a id="intro"></a>
### Introduction


**Lattice( Definition 1)**: Let $v_1, v_2, \ldots , v_n \in \mathbb{R}^m$ be a set of linearily independent vectors. 

The lattice $\mathcal{L}$ generated by $v_1, v_2, \ldots v_n$ is the set of linear combinations of $v_1, v_2, \ldots, v_n$ with coefficients in $\mathbb{Z}$.

$$\mathcal{L} = \{ a_1v_1 + a_2 v_2 + \ldots a_nv_n: a_1, a_2, \ldots a_n \in \mathbb{Z} \}$$

A basis for $\mathcal{L}$ is any set of independent vectors that generates $\mathcal{L}$.

For convenience, we denote the basis as a matrix $B$ of dimension $n \times m$, where the row $i$ in the matrix corresponds to the coefficients of the vector $i$ in the basis.

There are infinitely many bases to define a lattice with a dimension greater than 2.

Let $B$ and $B^\prime$ be two basis matrices for a lattice $\mathcal{L}$. Then $B^\prime = U B$ where $U$ is an $n \times n$ matrix such that $det(U)=\pm 1$.

**Lattice( Definition 2)**: a subset of $\mathbb{R}^m$ is a lattice if and only if it is a discrete additive subgroup.

Let $\mathcal{L}$ be a lattice in $\mathbb{R}^m$ of rank $n$ with basis matrix $B$. Then $det(\mathcal{L})= \sqrt{det(BB^T)}$. For a full rank lattice(i.e., $n=m$) $det(\mathcal{L})= |det(B)|$.


**Hard problems of lattices**

***The Shortest Vector Problem (SVP)***: Find a shortest nonzero vector in a lattice $\mathcal{L}$, i.e., find a nonzero vector $v \in \mathcal{L}$ that minimizes the Euclidean norm $\lVert v \rVert$.

***The Closet Vector Problem( CVP)***: Given a vector $w \in \mathbb{R}^m$ that is not in $\mathcal{L}$, find a vecotr $v \in \mathcal{L}$ that is the closet to $w$, i.e,. find a vector $v \in \mathcal{L}$ that minimizes the Euclidean norm $\lVert w-v \rVert$.

There are relaxed variants of the previous problems that don't ask for finding the shortest(the closest) vector ever, but the shortest(the closest) up to an approximation factor $\gamma$.

**Gaussian Heuristic (Definition)**: let $\mathcal{L} $ be a full rank lattice generated by the basis matrix $B$, then the gaussian expected length of a shortest vector $\mathcal{L}$ is 

$$\sigma({\mathcal{L}})= \sqrt{\frac{n}{2\pi e}}(det(\mathcal{L}))^{1/n}$$.

For detailed definitions and related results refer to an introduction to mathematical cryptography [chapter 6](https://link.springer.com/chapter/10.1007/978-0-387-77993-5_6)




## NTRU cryptosystem

The initial NTRU scheme is framed over the factor ring of a polynomial ring. In this tutorial, we give a simple description of the NTRU cryptosystem as described initialy in [chapter 6](https://link.springer.com/chapter/10.1007/978-0-387-77993-5_6)



<a id="layout"></a>

### Layout

In this tutorial, we aim to understand the NTRU cryptosystem as a lattice-based cryptosystem and 
its generalization to some related NTRU-like schemes.

For this purpose, we cover:
- A construction of NTRU as it was initially introduced in literature.
- GR-NTRU as a possible generalization of NTRU.
- Twisted GR-NTRU as a more generalized form.
- A construction of GR-NTRU over the dihedral group.
- Some other NTRU-like cryptosystems from quaternion algebra.

<a id="step1"></a>
# Introduction to NTRU cryptosystem

**Parameters selection**
Let $N, p, q, d$ be positive integers with $N, p$ prime, $p << q$, gcd$(N,q)=$ gcd$(p,q) = 1$, and $q>(6d+1)p$. 

Let $\mathcal{R} = {\mathbb{Z}[x]}/{(x^N-1)}$, $\mathcal{R}_q = {\mathbb{Z}_q[x]}/{(x^N-1)}$, and $\mathcal{R}_p = {\mathbb{Z}_p[x]}/{(x^N-1)}$.

For positive integers $d_1,d_2$, 
$$\mathcal{T}(d_1,d_2) =
   \left\{ f \in \mathcal{R}  \middle\vert \begin{array}{l}
    f~~\text{has $d_1$ coefficients equal to 1} \\
    f~~\text{has $d_2$ coefficients equal to -1} \\
    \text{rest coefficients are 0}
  \end{array}\right\}$$
  
  
We call polynomials from $\mathcal{T}(d_1,d_2)$ to be ternary polynomials. Suppose $f(x)\in \mathcal{R}_q$, then the centered lift of $f(x)$ is the unique polynomial $f^{\prime}(x)\in \mathcal{R}$ whose coefficients are in the interval $\left(-\frac{q}{2},\frac{q}{2}\right]$ and $f^{\prime}(x)\pmod q = f(x)$. 


Message space consists of elements from $\mathcal{R}$ whose coefficients are between $-\frac{p}{2}$ and $\frac{p}{2}$. In other words, a message is an element in $\mathcal{R}$ that is the centered lift of some element in $\mathcal{R}_p$.

<a id="key"></a>
### * Key generation

- Choose $f\in \mathcal{T}(d+1,d)$ such that there exist $f_q\in \mathcal{R}_q$, $f_p \in \mathcal{R}_p$ satisfying $f\star f_q \equiv 1\pmod q$ and $f \star f_p \equiv 1 \pmod p$. 
- Choose another element $g\in \mathcal{T}(d,d)$.
- construct $h\in\mathcal{R}_q$ such that $f \star h \equiv g \pmod q$.
- declare $h,p,q$ to be public key.
- $f$ and $f_p$ are private keys.


As we can see, finding the inverse involves inverting $f$ over $\mathcal{R_p}$ and $\mathcal{R_q}$.

For the NTRU ring, there are fast inversion algorithms like [Almost inverse algorithm](https://ntru.org/f/tr/tr014v1.pdf).

However, for simplicity and genarality, we first build the matrix corresponding to the element from the ring (in the case of the NTRU, it is a right circulant matrix) and then check whether the matrix is invertible. 

If the matrix is invertible, then the first row of the inverted matrix is precisely the inverse of the element.





In [None]:
from random import Random
from hashlib import sha256
import numpy as np

In [None]:
def randomBitArray(seed, s):
    """
    Input: Integer s.
           seed: a randomly generated number.
           
    Output: Random bit array of length s.
    """
    random = Random()
    random.seed(seed)
    return [random.randrange(2) for i in range(s)]

In [None]:
def fixed_type(n, b, d1, d2):
    """
    Input: A bit array b of length sample_fixed_type_bits.
           n: the order of the group
    Output: A ternary polynomial with exactly d1 coefficients equal to 1 and d2  coefficients equal to −1.
    """
    A = [0] *n
    v = [0] *n
    i = 0
    while i < d1:
        A[i] = 1
        for j in range(30):
            A[i] += 2 ** (2 + j) * b[30 * i + j]
        i += 1
    while i < d1+d2:
        A[i] = 2
        for j in range(30):
            A[i] += 2 ** (2 + j) * b[30 * i + j]
        i += 1

    while i < n:
        for j in range(30):
            A[i] += 2 ** (2 + j) * b[30 * i + j]
        i += 1

    A.sort()

    for i in range(n):
        v[i] = A[i] % 4
        if v[i] ==2:
            v[i] =-1

    return v

In [None]:
def ternary(n, b):
    """
    Input: - b: A bit array b of length sample_iid_bits.
           - n: the order of the group
            
    Output: A ternary polynomial.

   """
    v = [0] *n

    for i in range(n):
        coeff_i = 0
        for j in range(8):
            coeff_i += 2 ^ j * b[8 * i + j]
        v[i] = coeff_i

    for i in range(n):
        v[i] = v[i]%3
        if v[i]==2:
            v[i]=-1
    return v


In [None]:
#Test the function
n = 11
bitstr = 8*n
seed = randint(0,2**64)
b= randomBitArray(seed,bitstr)
ternary(n,b)

In [None]:
def shiftLbyn(arr, n=0):
    """
     Auxiliary function
     Input: arr: an array , n: an integer 
     Output: shifting to left the array by n positions
    """
    return arr[n::] + arr[:n:]

In [None]:
def get_A(first_row, FF):
    """
    Matrix representation for an element of Z_qC_n (right circulant matrix)
    It's also an auxiliary matrix for matrix representation for an element in Z_qD_n
    Input: the first row that represents an element f,g, or h.
    FF: the space over it, the matrix to be constructed either IntegerModRing(3)
    or IntgerModRing(q)
    """

    n = len(first_row)
    a = first_row
    m = []
    for i in range(n):
        m.append(a)
        a = shiftLbyn(a, -1)

    MS2 = MatrixSpace(FF, n, n)
    A = MS2.matrix(m)

    return A



In [None]:
def element_to_matrix(first_row, FF):
    """
    For cyclic group, the matrix representation of an element is just
    the corresponding matrix to the element
    """
    return get_A(first_row, FF)

In [None]:
def get_q_no_error(d,p):
    """
    The function returns the value of q that gives no decryption failure for variant of NTRU
    Input: d = int(order of the group/3)
           p usually 3
    """
    value= p*(6*d+1)
    q= 2**(len(bin(value))-2)
    return q

In [None]:

def ZCn_multiply(n, element1, element2, mod):
    
    """
    Input:  -n: the order of the group
            -element1, element2: two elements representing two polynomials from the ring Z_mod[x]/(X^n-1)
            - mod: the mod of the multiplication
    Output: their multiplication
    """

    multi_result = [0] * n
    # ai*aj*ri*rj = ai*aj(r_(i+j)%n)
    for i in range(n):
        for j in range(n):
            multi_result[(i + j) % n] = (multi_result[(i + j) % n] + element1[i] * element2[
                j]) % mod  # ai*aj*ri*rj = ai*aj(r_(i+j))

    return multi_result

<a id="keygen"></a>
# Vikas: Key generation 


In [None]:
#Test the function
n = 11
p = 3
d = int(n/3)
q = get_q_no_error(d,p)
FFp = IntegerModRing(p)
FFq = IntegerModRing(q)


###### Sample f #####
## We repeat sampling f until, we get an invertible 
## element over R_p and R_q
while(1):
    bitstr = 30*n
#     seed = randint(0,2**64)  ##This seed needs to be random later 
    seed = int(999) ### We fix the seed to get the same output
    b= randomBitArray(seed,bitstr)
    f = fixed_type(n,b,d+1,d)
    Fp_mat = element_to_matrix(f,FFp)
    if Fp_mat.is_invertible():
        Fp = Fp_mat.inverse()[0] ##inverse of f mod (p, X^{n-1})
        Fq_mat = element_to_matrix(f,FFq)
        if Fq_mat.is_invertible():
            Fq = Fq_mat.inverse()[0] ##inverse of f mod (q, X^{n-1})
            break # we got an invertible element over R_p, R_q

##### Sample g ######
# seed = randint(0,2**64)
seed = int(1000) #fixed seed
b= randomBitArray(seed,bitstr)
g = fixed_type(n,b,d,d) ## sample g

print("f:",f)
print("g:", g)


### Public key 
h = ZCn_multiply(n, Fq, g, q) 
print("h:",h)

# Jothi: Encapsulation

<a id="encap"></a>

To encapsulate a sequnce $s$, we first randomly choose $r \in\mathcal{T}(d,d)$. Then, the ciphertext is computed as follows:
$$c \equiv ph\star r + s \pmod q.$$

In [None]:
# def encapsulate(n, p,q, s, h):
#     """
#     Input: n: the order of the group
#            p: modulo p
#            q: modulo q
#            a sequence s to encapsulate
#            h: the public key
#     Output: the encapsulated message
#     """

#     random = Random()
#     seed = 1001  #randint(0, 2 ** 64)  ###fixed seed
#     random.seed(seed)
#     sample_fixed_type = 30*n
#     seed_for_r = [random.randrange(2) for i in range(sample_fixed_type)]
#     d = int(n/3)
#     r = fixed_type(n,seed_for_r,d, d)
#     e1 = ZCn_multiply(n,h, r, q)
#     prh = list(np.multiply(p, e1))
#     e = list(np.add(prh, s))

#     return e

In [None]:
# # seed = randint(0,2**64)

# seed = 1002 ##fixed seed
# bitstr = 8*n ##length of the randomstring to generate a message
# b = randomBitArray(seed,bitstr)
# s = ternary(n,b)
# print("s: ", s)

# c = encapsulate(n,p,q,s,h)
# print("c: ", c)

## The ciphertext given by Jothi after encapsulation

In [None]:
c = [40, 15, 21, 31, 38, 51, 23, 25, 38, 49, 55]

# 3. Vikas: Decapsulation

<a id="decap"></a>

First, compute $a \equiv f\star c \pmod q$.

Centerlift the coefficients of $a$ in the interval $\left(-\frac{q}{2}, \frac{q}{2}\right]$.

Then, $s$ can be recovered by computing $f_p\star a \pmod p$ and centerlifting it.


In [None]:
def center_lift_form(f,q):
    """
    Centerlifting a vector f with respect to modulo q
    Input: f is a list
           q: a modulo
    Output: the centerlifting of the vector f with respect to q
    """
    t = f[:]
    for i in range(len(f)):
        t[i] = int(t[i])
        if t[i]>int(q/2):
            t[i] = t[i]-q
    return t

## \[FILL HERE\] You have to fill this function only !!!



In [None]:
def decapsulate(n,p,q, encap_message,f, Fp):
    """
    Input: (n,p,q): the parameters that defines NTRU
            encap_message: an encapsulated message
            f: the private key 
            Fp: the inverse of the private key with respect to mod p
    Output: the decapsulated message (s_prime)
    """
    #1. compute a = f*c(mod q)
    
    
    #2. centerlift a,i.e., send the coefficients of a into the range (-q/2, q/2]
    
    #3. multiply f^-1*a (mod p)
 
   
    
    #4. retrieve the message s by centerlifting the result into (-p/2, p/2)
    
    return s_prime

In [None]:
###Check that both of the parties have established the same shared secret key

s_prime = decapsulate(n,p,q, c,f,Fp)
print("s_prime: ", s_prime)



### *Correctness

We have $a \equiv pg\star\phi + f\star s\pmod q$. Since $f, g$, and $\phi$ are ternary and coefficients of $s$ lie between $-\frac{p}{2}$ to $\frac{p}{2}$.
Therefore, the largest coefficient of $g\star \phi$ can be $2d$, and the largest coefficient of $f\star s$ can be $(2d+1)\frac{p}{2}$.
Consequently, the largest coefficient of $pg\star \phi + f\star s$ is at most $(6d+1)\frac{p}{2}$. 
Thus, if $q>(6d+1)p$, computing $a\equiv f\star c\pmod q$ and then centerlifting it gives exactly the element $pg\star \phi + f\star s$. We can multiply this element with $f_p$ and reduce coefficients modulo $p$ to recover an element in $\mathcal{R}_p$ whose centered lift gives us the message $s$.

In [None]:
# assert(s==s_prime)

## If you have reached successfully to this point, you are almost done!

### Suppose that we are mapping 


\begin{equation}0 \rightarrow 00 \\ 1 \rightarrow 01 \\ -1 \rightarrow 10 \end{equation}

#### 1. Let ss_to_bitstirng() be the function that converts the shared secret s into a bitstring.
#### 2. Let bitsting_to_message() be the function that converts a bit string to its ASCII representation.


In [None]:
message_length =96  

In [None]:
def ss_to_bitstring(arr):
    
    """
    Input:  -arr: an array with entries in {-1, 0, 1}
    Output: - the binary representation according to rules mentioned above
    """
    # Mapping dictionary for the values
    mapping = {1: '01', 0: '00', -1: '10'}
    
    # Convert each element in the array based on the mapping
    bitstring = ''.join(mapping[num] for num in arr)
    
    return bitstring
    
    

In [None]:
def string_to_binary(input_string):
    """
    Input:  input_string a string
    Output: the binary representation of the string according to ASCII
    """
    # Convert each character in the string to its ASCII binary representation
    binary_string = ''.join(format(ord(char), '08b') for char in input_string)
    return binary_string

In [None]:
def bitstring_to_message(binary_string):
    """
    Input:   -binary_string: abitstring represented for some text in ASCII
    Output:  -The ASCII text corresponing to the binary string
    """
    # Ensure the binary string is a multiple of 8
    if len(binary_string) % 8 != 0:
        ###fill the remaining bits to be zero
        binary_string = binary_string.zfill(len(binary_string) + (8 - len(binary_string) % 8))

    # Split the binary string into chunks of 8 bits
    chars = [binary_string[i:i+8] for i in range(0, len(binary_string), 8)]
    
    # Convert each chunk to its corresponding character
    text = ''.join(chr(int(char, 2)) for char in chars)
    
    return text

In [None]:
def xor_binary_strings(bin_str1, bin_str2):
    """
    Input: -bin_str1: the first binary string
           -bin_str2: the second binary string
           
    Output: bin_str1 xor bin_str2
    """
    # Ensure both binary strings are of equal length by padding the shorter one with '0's
    length = max(len(bin_str1), len(bin_str2))
    bin_str1 = bin_str1.zfill(length)
    bin_str2 = bin_str2.zfill(length)
    
    # Perform XOR on the binary strings bit by bit
    xor_result = ''.join('1' if bin_str1[i] != bin_str2[i] else '0' for i in range(length))
    
    return xor_result

<a id="ss"></a>
# Vikas: Establishing the shared key

In [None]:
#Therefore, the shared secret between the two parties is calculates as:

ss_bitstring= ss_to_bitstring(s_prime)##convert s into binary
ss_bytes =  bitstring_to_message(ss_bitstring) ##convert the binary string into bytes
ss = sha256(ss_bytes.encode()).hexdigest() ## get the shared key
# Convert the hex hash to binary
binary_hash = bin(int(ss, 16))[2:] ## get the shared key as binary
k= binary_hash[:message_length] ## get the key bits as long as the message

### Therefore, the shared key between the two parties is k as given below

<a id="enc"></a>
# Vikas: Encryption

### After establishing the shared key between Jothi and Vikas, Vikas encrypts the message and share the following ciphertext with Jothi

In [None]:
cstar = '101001001111110010111011010100000111101001111010110000011100001101110010100100011011101010010111'

<a id="dec"></a>
# Jothi: Decryption

In [None]:
def bitstring_to_message(binary_string):
    """
    Input:   -binary_string: abitstring represented for some text in ASCII
    Output:  -The ASCII text corresponing to the binary string
    """
    # Ensure the binary string is a multiple of 8
    if len(binary_string) % 8 != 0:
        ###fill the remaining bits to be zero
        binary_string = binary_string.zfill(len(binary_string) + (8 - len(binary_string) % 8))

    # Split the binary string into chunks of 8 bits
    chars = [binary_string[i:i+8] for i in range(0, len(binary_string), 8)]
    
    # Convert each chunk to its corresponding character
    text = ''.join(chr(int(char, 2)) for char in chars)
    
    return text

### \[FILL HERE\] Decrypt the message here and let's find out the food type !!!



In [None]:
##1. m = cstar xor k



##2  convet the bitstring to a message by calling the function bitstring_to_message



<a id="analysis"></a>

# Ali: Attack phase

## Let's try to attack the problem

## *NTRU lattice
The problem of finding the NTRU private key can be related to the SVP of a lattice of a certain form.

Given the public information $q,N$ and $h = f_q\ast g\pmod q$, construct the basis matrix for the lattice $\mathcal{L}(\textbf{B}_{\textbf{cyclic}})$ as follows:
\begin{equation}\label{matrixCN}
    \textbf{B}_{\textbf{cyclic}} = \begin{pmatrix}
        \textbf{I}_N  & \textbf{H}_{\textbf{cyclic}}\\
        \textbf{0}_N & q\textbf{I}_N
    \end{pmatrix}
\end{equation}
  where $\textbf{H}_{\textbf{cyclic}}$ is a right circulant matrix whose rows are the coefficient vectors of the polynomials $x^i \ast h$ for $i\in \{0,1,\ldots, N-1\}$. 
  
  


In [None]:
def get_B_cyclic(h,n,q):  
    """
    Input: h: the public key
           n,q: parameters that define NTRU cryptosystem
    """
    FF =IntegerRing()
    H0 = element_to_matrix(h, FF)
    #print(H0)
   
    
    MS2 = MatrixSpace(FF, n,n)
    Identity = MS2.matrix(np.identity(n))
    Zero = MS2.matrix(np.zeros([n,n]))
    qIdentity =q*Identity
    #print(upper_right)
    
    return block_matrix(2, 2, [ Identity, H0, Zero,qIdentity])

In [None]:
B = get_B_cyclic(h,n,q)
print("ntru lattice:\n ")
print(B)

The determinant of the lattice $\mathcal{L}(\textbf{B}_{\textbf{cyclic}})$ is $det(\textbf{B}_{\textbf{cyclic}}) = q^N$. 

Therefore,  
  \begin{equation}
      gh(\mathcal{L}(\textbf{B}_{\textbf{cyclic}})) = \sqrt{\frac{qN}{\pi e}}.
  \end{equation}

While the norm of the private elements $(x^i\ast f,x^i \ast g)$ is approximately $\sqrt{4N/3}$ and $(x^i \ast f,x^i\ast g)\in \mathcal{L}(\textbf{B}_{\textbf{cyclic}})$ since $(x^i \ast f)\ast h = x^i \ast g\pmod q$.

Therefore, one expects $(f,g)$ or its rotations to be the shortest vectors in the lattice $\mathcal{L}(\textbf{B}_{\textbf{cyclic}})$ for large values of $N$.

Therefore, If one can find short vector (up to some norm) lies in the lattice $\mathcal{L}(\textbf{B}_{\textbf{cyclic}})$, this vector can serve as 
a decryption key.

[LLL](https://link.springer.com/article/10.1007/BF01457454) and [BKZ](https://www.sciencedirect.com/science/article/pii/0304397587900648) are famous examples of lattice reduction algorithms that take a random basis as an input and give as an output reduced basis. I.e., a basis with shorter vectors that are more orthogonal to each other.

In the coming tutorial, we describe in detail how these algorithms work.

For this tutorial, it is enough to think of the reduction algorithm as a $\textit{blackbox}$ in which its input is a random basis $\textbf{B}$ and its output is a reduced basis $\textbf{B}^{\prime}$ where $\textbf{B}^{\prime} = U* \textbf{B} $ for a unimodular matrix $U$. 

### Blackbox for this tutorial

In [None]:
from fpylll import IntegerMatrix, GSO, FPLLL
from fpylll.algorithms.bkz2 import BKZReduction

In [None]:
B = IntegerMatrix.from_matrix(B)

In [None]:
float_type ="d"
M = GSO.Mat(B, float_type = float_type, U = IntegerMatrix.identity(B.nrows, int_type=B.int_type), UinvT = IntegerMatrix.identity(B.nrows, int_type=B.int_type))

### Apply LLL, for small lattice dimension

In [None]:
### LLL

## Create GSO object, I am creating a copy of B and pass it to the function so that I can do the check for M.U*B = M.B
M = GSO.Mat(copy(B), float_type = float_type, U = IntegerMatrix.identity(B.nrows, int_type=B.int_type), UinvT = IntegerMatrix.identity(B.nrows, int_type=B.int_type))
##no need to update now

bkz = BKZReduction(M) ###create an object of BKZreduction

bkz.lll_obj() ### apply LLL algorithm for lattice reduction
## At this point the matrices U and M have been updated.

### Apply BKZ for larger dimensions

In [None]:
# from fpylll import BKZ as BKZ_FPYLLL


# ## Create GSO object, I am creating a copy of B and pass it to the function so that I can do the check for M.U*B = M.B
# M = GSO.Mat(copy(B), float_type = float_type, U = IntegerMatrix.identity(B.nrows, int_type=B.int_type), UinvT = IntegerMatrix.identity(B.nrows, int_type=B.int_type))
# ##no need to update now
# bkz = BKZReduction(M) ###create an object of BKZreduction

# blocksize = 20
# par = BKZ_FPYLLL.Param(blocksize, strategies=BKZ_FPYLLL.DEFAULT_STRATEGY, max_loops = 8) ##Parameters 
# bkz(par)  

In [None]:
print(M.B)

### Basis after reduction

In [None]:
print(M.B)

In [None]:
print(M.B)

### We get a t vector in the reduced basis and consider the first part of it as a decryption key.

### Let us check if it is working!

In [None]:
first_row = list(M.B[0])
f_prime = first_row[:n]
g_prime = first_row[n:]

Fp_mat = element_to_matrix(f_prime, FFp) ##check that FP is invertible
i = 1
while(not Fp_mat.is_invertible()):
    row = list(M.B[i])
    f_prime = row[:n]
    g_pime  = row[n:]
    Fp_mat = element_to_matrix(f_prime, FFp)
    i=i+1

    
    
print("f_prime: {}, g_prime = {} ".format(f_prime, g_prime))
print("orginal f: {}, orginal g = {} ".format(f, g))


In [None]:
Fp_prime = Fp_mat.inverse()[0] ##inverse of f_prime
s1_prime = decapsulate(n,p,q, c,f_prime,Fp_prime)
if (s_prime == s1_prime):
    print("Ali managed to decapsulate correctly!!! \n")

### If Ali managed to decapsulate correctly, he can establish the shared key k easily

In [None]:
#Therefore, the shared secret between the two parties is calculates as:

ss_bitstring= ss_to_bitstring(s1_prime)##convert s into binary
ss_bytes =  bitstring_to_message(ss_bitstring) ##convert the binary string into bytes
ss = sha256(ss_bytes.encode()).hexdigest() ## get the shared key
# Convert the hex hash to binary
binary_hash = bin(int(ss, 16))[2:] ## get the shared key as binary
k= binary_hash[:message_length] ## get the key bits as long as the message

In [None]:
print("The retrieved key by Ali is: \n", k)

## Ali try to decrypt the message

In [None]:
m = xor_binary_strings(cstar, k)

message_prime = bitstring_to_message(m)

print("Ali gets the following message ", message_prime)