In [None]:
# coding: utf-8
###========================================================###
###========================================================###
###         IDENTITY-BASED LINKABLE RING SIGNATURE         ###
###========================================================###
###========================================================###

from timeit import default_timer as timer
import sys
import random
import time

In [None]:
from sage.stats.distributions.discrete_gaussian_integer import DiscreteGaussianDistributionIntegerSampler

def SecretGen(q,n):
    """
    Generate the secret of LWR instance: uniformly from {-q,...,q}
    
    Input:
    
    Output:
    
    
    """
    
    #list_ss=[randint(-q, q) for i in range(n)]
    ssZZ=vector(ZZ,[randint(-q, q) for i in range(n)])
    return ssZZ
SecretGen(13,5)


In [None]:
def sample_z(s,c):
    """
    Sample from D_{ZZ,s,c} defined by \rho_s,c(x):=exp(-(x-c)^2/(2s^2))
    s: Gaussian parameter
    c: center
    Input:
    
    Output:
    
    See at https://doc.sagemath.org/html/en/reference/stats/sage/stats/distributions/discrete_gaussian_integer.html
    """
    D=DiscreteGaussianDistributionIntegerSampler(s, c)
    return D()

sampleZZ(0.3,5)

In [None]:
from sage.stats.distributions.discrete_gaussian_lattice import DiscreteGaussianDistributionLatticeSampler
def sample_d(BB,sigma,cc):
    """
    Sample from D_{L(BB),s,cc}, defined by \rho_s,c(x):=exp(-||x-c||^2/(2s^2))
    BB: a basis for the lattice L(BB)
    s: Gaussian parameter
    cc: center vector
    See at https://doc.sagemath.org/html/en/reference/stats/sage/stats/distributions/discrete_gaussian_lattice.html
    
      Input:
    
    Output:
    
    
    """
    
    D=DiscreteGaussianDistributionLatticeSampler(BB, sigma, cc)
    return D()
BB=[[1,3,2], [2,-1,4], [0,6,-1]]
sigma=0.6
cc=(2,-1,3)
#sampleD(ZZ^3,s, cc)
DiscreteGaussianDistributionLatticeSampler(BB, sigma, cc)
sampleD(BB,sigma,cc)

In [None]:
def MatVecTensor(AA,bb):
    """
    Compute the tensor product of AA amd bb
    Inputs:
    matrix AA:
    Vector bb:
    
    Output: Tensor of AA and bb
    
    """
    n=AA.nrows()
    m=AA.ncols()
    k=len(bb)
    CC=matrix(ZZ,n,n*k)
    for 
    

In [None]:
def gadget_matrix(n, q):
    """
    Input: Integers n, q
    
    Output:                  |gg  0   0  ...   0 |
                             |0   gg  0  ...   0 |
          Gadget matrix GG=  |0   0   gg ...   0 |    
                             |...................|
                             |0   0    0 ...   gg|
    where gg=(1 2 4 8....2^{k-1}), k=ceil(log(q,2)) .
    """
  
 
    k=ceil(log(q,2))
    m=n*k
    ZZq = IntegerModRing(q)
    #vector gg=[1 2 4 8....2^{k-1}] 
    gg=vector([2**i for i in range(k)])
    print("gg=",gg)
    
    # Initialize GG as a zero matrix in ZZ^{n x m}
    GG=zero_matrix(ZZ,n, m)
    print("GG=")
    print(GG)
    # For each row i, we change elements at i*k+j for j in [0,..,k-1] by gg[j]
    for i in range(n):
        for j in range(k):
            GG[i,i*k+j]=gg[j]
    print("GG=")
    print(GG)
    GG.change_ring(ZZq)
    
    return GG
gadget_matrix(3, 17)

In [None]:
def random_invertible_matrix(modulus, size):
    """
    Input:
    - modulus: modulus of the base ring, such as modulus=5 then we consider the ring ZZ_5 
    - size: default value is 3
    Output: A matrix that is invertible in ZZ_q, with q=modulus
    """
    ZZq = IntegerModRing(modulus)
    V = ZZq**size
    vectors = []
    for i in range(size):
        v = V.random_element()
        while v in V.span(vectors):
            v = V.random_element()
        vectors.append(v)
    return(matrix(vectors))
random_invertible_matrix(5, 4)

In [None]:
#==========================================================
def gen_trap_mp_12(n, q, m, option_HH=0):
    """
    Generate a matrix AA and its trapdoor TT via MP12:
    
    
    Input:
    
    n: number of rows (security parameter) of AA
    q: modulus, q should be prime 
    m: number of columns, where k=\ceil(log_2(q)), m=mt+n*k, mt>=1
    option_HH: If option_HH=0 (default) then HH is zero matrix. Otherwise, HH is chosen to be invertible in ZZq
    
    Output:
    
    
    """
    # Initial
    ZZq = IntegerModRing(q)
    k=ceil(log(q,2))
    w=n*k
    mt=m-w
    print("mt=", mt)
    print("nk=", n*k)
    
    #Generate (n x mt)-matrix AAt from ZZq
    AAt = random_matrix(ZZq,n,mt)
    print("AAt=")
    print(AAt)
    
    #Generate gadget matrix GG
    GG=gadget_matrix(n, q)
    print("GG=")
    print(GG)
    
    #Generate center for Discrete Gaussian
    cc=zero_vector(ZZ,w)
    print("cc=")
    print(cc)
    
    #Generate trapdoor via D_{ZZ^w,s,cc}
    TT=matrix([sample_d(ZZ^w,s,cc) for i in range(mt)])
    print("TT=")
    print(TT)
    
    #Generate n-dimensional matrix H that is invertible in ZZ_q
    if option_HH==0:
        HH=zero_matrix(ZZq,n)
    else:
        HH=random_invertible_matrix(q,n)
    print("HH=")
    print(HH)
    
    # Change into ZZ
    HHz=HH.change_ring(ZZ)
    GGz=GG.change_ring(ZZ)
    AAtz=AAt.change_ring(ZZ)
    
    # Compute BBz=HHz*GGz-AAtz*TT in ZZ and take modulo q
    BBz=HHz*GGz-AAtz*TT
    print("BBz=")
    print(BBz)
    
    BBz=BBz%q
    
    # Change into ZZq
    BB=BBz.change_ring(ZZq)        
    print("BB=")
    print(BB)
    
    # Set AA=[AAt|BB]
    AA=AAt.augment(BB, subdivide=True)
    print("AA=")
    print(AA)
    return (AA, HH, TT, q)

(AA,HH,TT, q)=gen_trap_mp_12(5,13, 25,1)
print("AA=",AA)
print("HH=",HH)
print("TT=",TT)
print("q=",q)
#==========================================================  

In [None]:
def standard_qAry_basis(AA, mod):
    """
    *Compute a basis for q-ary lattice generated by matrix AA in standard uSVP and BDD strategy
    *Input:
                AA:   matrix
               mod:   modulo
    *Output:
        qary_basis: q-ary basis 
    """
    
    m=AA.nrows()
    qII=mod*identity_matrix(m)         # the matrix mod*II_m where II_m is the identity matrix) 
    BB=qII.stack(AA.transpose())       # Create concatenation matrix of the form (qII   AA)^T
    BB_HNF=BB.echelon_form()           # compute Hermite Normal Form of matrix BB
    qary_basis=BB_HNF[0:m]             # m first rows of BB_HNF (which is non-zero)
    return qary_basis


In [None]:
def modulo_inverse_matrix(matrix, modulus):
    """
    *Compute the inverse modulo mod of matrix AA
    *Input: 
                   a   matrix
                   a   modulus
    *Output:
        AA_inverse_q: inverse modulo q of AA 
    """
    AA=matrix
    q=modulus
    determinant=AA.det()                                      # determinant of the matrix AA, i.e., det(AA)
    inv_AA=AA.inverse()                              # inverse of the matrix AA
    print("inv_AA=")
    print(inv_AA)
    det_inverse=determinant.inverse_mod(q)                    # inverse modulo mod of the real det(AA) 
    print("det_inverse=", det_inverse)
    AA_inverse_q=(det_inverse*determinant*inv_AA)%q        # inverse modulo mod of AA
    print("AA_inverse_q=")
    print(AA_inverse_q)
    
    return AA_inverse_q

q=5
n=4
LL=random_invertible_matrix(5, 4)
print(LL)

KK=modulo_inverse_matrix(LL, q)
print(LL)

In [None]:
q=5
n=4
LL=random_invertible_matrix(5, 4)
print(LL)

KK=modulo_inverse_matrix(LL, q)
print(LL)

In [None]:
def gaussian_sample_mp12(TT,AA,HH,uu,sigma,q):
    """
    Sample vector from discrete Gaussian over q-ary lattice \Lambda_q^{uu}(AA);
    Inputs:
    TT: (mt x w)-matrix trapdoor for matrix AA (via [MP12]) in ZZq
    AA: (n x m)-matrix in Zzq
    HH: (n x n)-matrix (tag w.r.t AA, TT) in ZZq
    uu: n-vector in ZZq
    q: modulus for ring Zzq
    sigma: Gaussian parameter
    Output: a (pseudo-random) vector in q-ary lattice \Lambda_q^{uu}(AA)
    
    """
    # Dimensions, sizes 
    n=AA.nrows()
    print("n=", n)
    m=AA.ncols()
    print("m=", m)
    mt=TT.nrows()
    print("mt=", mt)
    w=TT.ncols()
    print("w=", w)
    r=log(n,2)
    print("r=", r)
    
    #Generate gadget matrix GG
    GG=gadget_matrix(n, q)
    GG=GG.change_ring(ZZ)
    print("GG=")
    print(GG)
    
    
    #====Compute [TT^t I]^t[TT^t I] ============
    II=identity_matrix(ZZq,w)
    KK=(TT.transpose()).augment(II)
    print("KK=");print(KK)
   
    sigma_2=5
    #sigma_2=sqrt((2*KK.transpose()*KK).det(),2)
    
    print("sigma_2=", sigma_2)
    #=======Set rp====
    rp=r*sigma_2
    
    #===Choose pp from D_{ZZ^m,rp}====
    cc=zero_vector(ZZ,m)
    pp=sample_d(ZZ^m,rp,cc)
    print("pp=", pp)
    pp1=vector([pp[i] for i in range(mt)])
    pp2=vector([pp[i] for i in [mt..m-1]])
    print("pp1=", pp1)
    print("pp2", pp2)
    
    AAt=AA[[0..n-1],[0..mt-1]]
    
    
    AAt= AAt.change_ring(ZZ)
    print("AAt=");print(AAt)
  
    wwt=(AAt*(pp1-TT*pp2))%q
    ww=(GG*pp2)%q
    print("wwt=",wwt)
    print("ww=",ww)
    
    # 
    HH_inverse=modulo_inverse_matrix(HH, q)
    print("HH_inverse=",HH_inverse)
        
    vv=HH_inverse*(uu-wwt)-ww
    print("vv=",vv)
    return KK

(AA,HH,TT, q)=gen_trap_mp_12(5,13, 25,1)
print("AA=",AA)
print("HH=",HH)
print("TT=",TT)
print("q=",q)
HH_inverse=modulo_inverse_matrix(HH, q)
print("HH_inverse=",HH_inverse)
sigma=5
#sigma_2=3
uu=random_vector(ZZ,n)
print("uu=", uu)

gaussian_sample_mp12(TT,AA,HH,uu,sigma,q)    
    

In [None]:
a=vector([2, 3, 4, 5,6])
b=vector([1,3,])

In [1]:
def sum_1(x,y):
    return exp(x+y)

def sum_2(x,y):
    return exp(x)+exp(y)


In [13]:
x=randint(-1000, 1000)
y=randint(-1000, 1000)
print(x)
print(y)

669
-310


In [14]:
print(RR(sum_1(x,y)))
print(RR(sum_2(x,y)))

8.16054198028487e155
3.49147063110172e290
