In [29]:
# coding: utf-8
###========================================================###
###========================================================###
###         IDENTITY-BASED LINKABLE RING SIGNATURE         ###
###========================================================###
###========================================================###

from timeit import default_timer as timer
import sys
import random
import time

In [30]:
from sage.stats.distributions.discrete_gaussian_integer import DiscreteGaussianDistributionIntegerSampler

def SecretGen(q,n):
    """
    Generate the secret of LWR instance: uniformly from {-q,...,q}
    
    Input:
    
    Output:
    
    
    """
    
    #list_ss=[randint(-q, q) for i in range(n)]
    ssZZ=vector(ZZ,[randint(-q, q) for i in range(n)])
    return ssZZ
SecretGen(13,5)


(2, -12, -11, 3, -12)

In [32]:
def sample_z(s,c):
    """
    Sample from D_{ZZ,s,c} defined by \rho_s,c(x):=exp(-(x-c)^2/(2s^2))
    s: Gaussian parameter
    c: center
    Input:
    
    Output:
    
    See at https://doc.sagemath.org/html/en/reference/stats/sage/stats/distributions/discrete_gaussian_integer.html
    """
    D=DiscreteGaussianDistributionIntegerSampler(s, c)
    return D()

sample_z(0.3,5)

5

In [37]:
from sage.stats.distributions.discrete_gaussian_lattice import DiscreteGaussianDistributionLatticeSampler

def sample_d(BB,sigma,cc):
    """
    Sample from D_{L(BB),s,cc}, defined by \rho_s,c(x):=exp(-||x-c||^2/(2s^2))
    BB: a basis for the lattice L(BB)
    s: Gaussian parameter
    cc: center vector
    See at https://doc.sagemath.org/html/en/reference/stats/sage/stats/distributions/discrete_gaussian_lattice.html
    
    * Input:
        - 
        -
    
    * Output:
        - 
    """
    
    D=DiscreteGaussianDistributionLatticeSampler(BB, sigma, cc)
    return D()
BB=[[1,3,2], [2,-1,4], [0,6,-1]]
sigma=0.6
cc=(2,-1,3)
#sampleD(ZZ^3,s, cc)
DiscreteGaussianDistributionLatticeSampler(BB, sigma, cc)

sample_d(BB,sigma,cc)

(1, -3, 3)

In [40]:
def gadget_matrix(n, q):
    """
    Input: Integers n, q
    
    Output:                  |gg  0   0  ...   0 |
                             |0   gg  0  ...   0 |
          Gadget matrix GG=  |0   0   gg ...   0 |    
                             |...................|
                             |0   0    0 ...   gg|
    where gg=(1 2 4 8....2^{k-1}), k=ceil(log(q,2)) .
    """
  
 
    k=ceil(log(q,2))
    m=n*k
    ZZq = IntegerModRing(q)
    #vector gg=[1 2 4 8....2^{k-1}] 
    gg=vector([2**i for i in range(k)])
    print("gg=",gg)
    
    # Initialize GG as a zero matrix in ZZ^{n x m}
    GG=zero_matrix(ZZ,n, m)
    print("GG=")
    print(GG)
    
    # For each row i, we change elements at i*k+j for j in [0,..,k-1] by gg[j]
    for i in range(n):
        for j in range(k):
            GG[i,i*k+j]=gg[j]
    print("GG=")
    print(GG)
    # Change ring of GG into ZZ_q
    GG.change_ring(ZZq)
    
    return GG
gadget_matrix(3, 17)

gg= (1, 2, 4, 8, 16)
GG=
[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
GG=
[ 1  2  4  8 16  0  0  0  0  0  0  0  0  0  0]
[ 0  0  0  0  0  1  2  4  8 16  0  0  0  0  0]
[ 0  0  0  0  0  0  0  0  0  0  1  2  4  8 16]


[ 1  2  4  8 16  0  0  0  0  0  0  0  0  0  0]
[ 0  0  0  0  0  1  2  4  8 16  0  0  0  0  0]
[ 0  0  0  0  0  0  0  0  0  0  1  2  4  8 16]

In [44]:
def random_invertible_matrix(modulus, size=3):
    """
    Input:
    - modulus: modulus of the base ring, such as modulus=5 then we consider the ring ZZ_5 
    - size: default value is 3
    Output: A matrix that is invertible in ZZ_q, with q=modulus
    """
    ZZq = IntegerModRing(modulus)
    V = ZZq**size
    vectors = []
    for i in range(size):
        v = V.random_element()
        while v in V.span(vectors):
            v = V.random_element()
        vectors.append(v)
    return(matrix(vectors))

AA=random_invertible_matrix(5, 4)
print("AA=",AA)

AA= [4 1 1 0]
[1 4 0 2]
[2 2 4 1]
[1 1 3 3]


In [67]:
#==========================================================
def gen_trap_mp_12(n, q, m, option_HH=0, smoothing_parameter=0.00001):
    """
    * Input:
        - n: number of rows (security parameter) of AA
        - q: modulus, q should be prime 
        - m: number of columns, where k=\ceil(log_2(q)), m=mt+n*k, mt>=1
        - option_HH: If option_HH=0 (default) then HH is zero matrix. Otherwise, HH is chosen to be invertible in ZZq
        - smoothing_parameter: epsilon in \eta_{epsilon}(ZZ) (which is smoothing parameter of ZZ). Default value is 0.00001
    * Output: A matrix AA and its trapdoor TT via MP12:
        - 
    """
    # Initial
    ZZq = IntegerModRing(q)
    k=ceil(log(q,2))
    w=n*k
    mt=m-w
    print("mt=", mt)
    print("nk=", n*k)
    
    #Generate (n x mt)-matrix AAt from ZZq
    AAt = random_matrix(ZZq,n,mt)
    print("AAt=")
    print(AAt)
    
    #Generate gadget matrix GG
    GG=gadget_matrix(n, q)
    print("GG=")
    print(GG)
    
    #Generate center for Discrete Gaussian
    cc=zero_vector(ZZ,w)
    print("cc=")
    print(cc)
    
    
    # Choose Gaussian parameter sigma for Discrete Gaussian w.r.t. smoothing parameter
    print("smoothing_parameter=",smoothing_parameter)
    sigma= RR(sqrt(ln(2+2/smoothing_parameter)/pi))
    sigma= ceil(sqrt(n))#sqrt(log(2+2:e,e):pi)
    print("sigma=",sigma)
    
    #Generate trapdoor via D_{ZZ^w,s,cc}
    TT=matrix([sample_d(ZZ^w,sigma,cc) for i in range(mt)])
    print("TT=")
    print(TT)
    
    #Generate n-dimensional matrix H that is invertible in ZZ_q
    if option_HH==0:
        HH=zero_matrix(ZZq,n)
    else:
        HH=random_invertible_matrix(q,n)
    print("HH=")
    print(HH)
    
    # Change into ZZ
    HHz=HH.change_ring(ZZ)
    GGz=GG.change_ring(ZZ)
    AAtz=AAt.change_ring(ZZ)
    
    # Compute BBz=HHz*GGz-AAtz*TT in ZZ and take modulo q
    BBz=HHz*GGz-AAtz*TT
    print("BBz=")
    print(BBz)
    
    BBz=BBz%q
    
    # Change into ZZq
    BB=BBz.change_ring(ZZq)        
    print("BB=")
    print(BB)
    
    # Set AA=[AAt|BB]
    AA=AAt.augment(BB, subdivide=True)
    print("AA=")
    print(AA)
    return (AA, HH, TT, q)

(AA,HH,TT, q)=gen_trap_mp_12(5,13, 25,1, 0.00001)
#==========================================================  

mt= 5
nk= 20
AAt=
[ 1  9  0 11 10]
[ 8  3  5 12 12]
[ 7  3  5 12 11]
[ 6  1  2  8  8]
[ 1  0  8  1  3]
gg= (1, 2, 4, 8)
GG=
[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
GG=
[1 2 4 8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 1 2 4 8 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 1 2 4 8 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 0 0 1 2 4 8 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 2 4 8]
GG=
[1 2 4 8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 1 2 4 8 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 1 2 4 8 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 0 0 1 2 4 8 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 2 4 8]
cc=
(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
smoothing_parameter= 0.0000100000000000000
sigma= 3
TT=
[-1 -2 -3 -1 -2  0 -3 -6  3  0  0 -6 -1  2  0  1  0  1  3 -1]
[-1  3 -4  5 -2 -2 -5  3 -2 -1  0  0  0 -5  2  2  0  2 

  """


In [62]:
def qary_basis(matrix, modulus):
    """
    *Input:
        - matrix
        - modulus
    *Output: 
        - A basis for q-ary lattice generated by matrix in modulo q, q=mdolus
    """
    AA=matrix
    q=modulus
    
    # number of rows in AA
    m=AA.nrows()
    # Generate matrix q*II_m where II_m is the identity matrix of dimension m 
    q_iden_matrix=q*identity_matrix(m) 
    
    # Create concatenation matrix of the form (qII   AA)^T
    BB=q_iden_matrix.stack(AA.transpose())   
    
    # Compute Hermite Normal Form of matrix BB
    BB_hnf=BB.echelon_form()
    
    # Keep m first rows of BB_hnf (which is non-zero)
    qary_basis=BB_hnf[0:m] 
    
    return qary_basis


In [27]:
def modulo_inverse_matrix(matrix, modulus):
    """
    * Input: 
        - matrix: A matrix e.g. AA
        - modulus: A modulus e.g., q
    * Output:
        - The inverse matrix modulo q of matrix AA if modulus=q and matrix = AA 
    """
    AA=matrix
    q=modulus
    
     # determinant of the matrix AA, i.e., det(AA)
    determinant=AA.det()   
    print("determinant=", determinant)
    
    # inverse of the matrix AA
    inverse_of_AA=AA.inverse() 
    print("inverse_of_AA=")
    print(inverse_of_AA)
    
    # inverse modulo q of det(AA) 
    det_inverse=inverse_mod(q, determinant)                    
    print("det_inverse=", det_inverse)
    
     # inverse modulo q of matrix AA
    inverse_of_AA_in_modulo_q=(det_inverse*determinant*inverse_of_AA)%q       
    print("inverse_of_AA_in_modulo_q=")
    print(inverse_of_AA_in_modulo_q)
    
    return inverse_of_AA_in_modulo_q

q=5
n=4
k=8
inverse_mod(q,k)
print("k=",k)
LL=random_invertible_matrix(5, 4)
print("LL=",LL)

KK=modulo_inverse_matrix(LL, q)
print("KK=",KK)

k= 8
LL= [3 3 2 4]
[0 3 2 0]
[3 0 0 1]
[0 4 2 1]
determinant= 2
inverse_of_AA=
[1 4 1 0]
[3 1 2 1]
[3 4 2 1]
[2 3 3 0]
det_inverse= 1
inverse_of_AA_in_modulo_q=
[2 3 2 0]
[1 2 4 2]
[1 3 4 2]
[4 1 1 0]
KK= [2 3 2 0]
[1 2 4 2]
[1 3 4 2]
[4 1 1 0]


In [119]:
def operator_norm(matrix):
    """
    * Input:
        - a matrix, say, LL
        -
    * Output:Compute the operator norm (or sup norm) of matrix, say AA, defined as s_1(LL)=sup(||LLuu||/||uu||).
    * Steps:
        - Trasform the base-ring of the matrix into the RDF ring
        - Perform the Singular Value Decomposition to get LL=AA.BB.CC in which BB is a diagonal matrix and s_1(LL)=BB[0][0]. 
    """
    matrix=matrix.change_ring(RDF)
    print("matrix=")
    print(matrix)
    (AA,BB,CC)=matrix.SVD()
    print("AA=")
    print(AA)
    print("BB=")
    print(BB)
    print("CC=")
    print(CC)
    n=BB.nrows()
    m=BB.ncols()
    return BB[0][0]

#matrix= Matrix([[1, 4],[5, 6]])
matrix=random_matrix(ZZ,3,5)
operator_norm(matrix)8

matrix=
[ 1.0  9.0 -1.0  1.0 -1.0]
[ 1.0  0.0 -1.0  4.0  2.0]
[ 0.0  0.0 -3.0  2.0 39.0]
AA=
[ -0.02316074342812885   -0.9958810314403955   0.08766157186059151]
[   0.0584526831880452  -0.08888404170327949   -0.9943253546795472]
[   0.9980214746146367 -0.017905260336082973   0.06027053890851437]
BB=
[39.242854489123786                0.0                0.0                0.0                0.0]
[               0.0  9.205743310698464                0.0                0.0                0.0]
[               0.0                0.0   4.03145899681334                0.0                0.0]
CC=
[0.0008993214234629399  -0.11783568545551505  -0.22489718574233986   -0.9661855971955554  0.044950974085659914]
[-0.005311710719487217   -0.9736236369470878    0.1956994099081621   0.07728309180097825   0.08807873744801799]
[ -0.07719510731420966   0.12367071465362692    0.1800470168906996  -0.01180877290672766    0.9727230306387354]
[ 0.056231713194179356  -0.15069154897177192   -0.9349217670376527  

39.242854489123786

In [108]:
def sample_d_mp12(TT,AA,HH,uu,sigma,q):
    """
    Sample vector from discrete Gaussian over q-ary lattice \Lambda_q^{uu}(AA);
    *Input:
        - TT: (mt x w)-matrix trapdoor for matrix AA (via [MP12]) in ZZq
        - AA: (n x m)-matrix in Zzq
        - HH: (n x n)-matrix (tag w.r.t AA, TT) in ZZq
        - uu: n-vector in ZZq
        - q: modulus for ring Zzq
        - sigma: Gaussian parameter
    *Output: 
        - A (pseudo-random) vector in q-ary lattice \Lambda_q^{uu}(AA)
    
    """
    # Dimensions, sizes 
    n=AA.nrows()
    print("n=", n)
    m=AA.ncols()
    print("m=", m)
    mt=TT.nrows()
    print("mt=", mt)
    w=TT.ncols()
    print("w=", w)
    r=log(n,2)
    print("r=", r)
    r=sqrt(log(n,2))
    
    #Generate gadget matrix GG
    GG=gadget_matrix(n, q)
    GG=GG.change_ring(ZZ)
    print("GG=")
    print(GG)
    
    
    #Compute [TT^t I]^t[TT^t I] 
    iden_matrix=identity_matrix(ZZq,w)
    KK=(TT.transpose()).augment(iden_matrix)
    print("KK=");print(KK)
    sigma_2=5
    
    #sigma_2=sqrt((2*KK.transpose()*KK).det(),2)
    
    print("sigma_2=", sigma_2)
    #=======Set rp====
    rp=r*sigma_2
    
    #===Choose pp from D_{ZZ^m,rp}====
    cc=zero_vector(ZZ,m)
    pp=sample_d(ZZ^m,rp,cc)
    print("pp=", pp)
    pp1=vector([pp[i] for i in range(mt)])
    pp2=vector([pp[i] for i in [mt..m-1]])
    print("pp1=", pp1)
    print("pp2", pp2)
    
    AAt=AA[[0..n-1],[0..mt-1]]
    
    
    AAt= AAt.change_ring(ZZ)
    print("AAt=");print(AAt)
  
    wwt=(AAt*(pp1-TT*pp2))%q
    ww=(GG*pp2)%q
    print("wwt=",wwt)
    print("ww=",ww)
    
    # 
    HH_inverse=modulo_inverse_matrix(HH, q)
    print("HH_inverse=",HH_inverse)
        
    vv=HH_inverse*(uu-wwt)-ww
    print("vv=",vv)
    return KK

(AA,HH,TT, q)=gen_trap_mp_12(5,13, 25,1)
print("AA=")
print(AA)
print("HH=")
print(HH)
print("TT=")
print(TT)
print("q=")
print(q)
HH_inverse=modulo_inverse_matrix(HH, q)
print("HH_inverse=")
print(HH_inverse)
sigma=5
#sigma_2=3
uu=random_vector(ZZ,n)
print("uu=", uu)

sample_d_mp12(TT,AA,HH,uu,sigma,q)    
    

mt= 5
nk= 20
AAt=
[ 1  5  5  6  4]
[ 6 12  6  8 10]
[12  3  5  1  3]
[ 8  8  2  7  5]
[ 3  1 12 11  0]
gg= (1, 2, 4, 8)
GG=
[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
GG=
[1 2 4 8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 1 2 4 8 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 1 2 4 8 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 0 0 1 2 4 8 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 2 4 8]
GG=
[1 2 4 8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 1 2 4 8 0 0 0 0 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 1 2 4 8 0 0 0 0 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 0 0 1 2 4 8 0 0 0 0]
[0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 2 4 8]
cc=
(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
smoothing_parameter= 0.0000100000000000000
sigma= 3


  """


TypeError: 'sage.rings.integer.Integer' object is not callable

In [None]:
a=vector([2, 3, 4, 5,6])
b=vector([1,3,])