# Recover the secret on Binary Ring-LWE using some random known bits

Defining the RING-LWE parameters and Quotient Ring $\frac{Z_{q}[x]}{x^n + 1}$ with $n = q = 256$.

In [132]:
n = 256
q = 256

R = PolynomialRing(Integers(q),"y")
w = R.gen()
S = R.quotient(w^n + 1, 'x')
X = S.gen()

Code to generate small polynomials ${\bf p}= \sum^{n - 1}_{i=0} p_i.x^{i}$ where $p_i\in[0, 1]$

In [135]:
def smallPolynomial():
    ans = 0 
    for i in range(n):
        bit = randint(0, 1)
        ans += X^i*bit
    
    return ans

print(smallPolynomial())


x^253 + x^250 + x^249 + x^246 + x^245 + x^243 + x^240 + x^237 + x^235 + x^233 + x^232 + x^228 + x^227 + x^226 + x^225 + x^220 + x^219 + x^218 + x^217 + x^216 + x^215 + x^214 + x^213 + x^209 + x^208 + x^206 + x^205 + x^204 + x^203 + x^202 + x^197 + x^194 + x^192 + x^187 + x^186 + x^181 + x^179 + x^177 + x^174 + x^173 + x^172 + x^171 + x^170 + x^169 + x^168 + x^167 + x^166 + x^163 + x^162 + x^161 + x^160 + x^159 + x^157 + x^154 + x^152 + x^151 + x^149 + x^147 + x^146 + x^144 + x^142 + x^141 + x^138 + x^137 + x^135 + x^133 + x^132 + x^129 + x^128 + x^126 + x^125 + x^124 + x^117 + x^114 + x^110 + x^109 + x^103 + x^102 + x^100 + x^99 + x^98 + x^97 + x^96 + x^95 + x^93 + x^92 + x^89 + x^88 + x^86 + x^84 + x^83 + x^76 + x^70 + x^69 + x^68 + x^65 + x^60 + x^56 + x^55 + x^50 + x^49 + x^42 + x^40 + x^38 + x^37 + x^34 + x^32 + x^31 + x^28 + x^26 + x^19 + x^18 + x^17 + x^14 + x^12 + x^10 + x^9 + x^2


### One Ring-LWE instance

In [131]:
a = S.random_element()
s = smallPolynomial()
e = smallPolynomial()

b = a*s + e

### Generating random known coefficients of the secret ${\bf s}$ and the noise ${\bf e}$

In [138]:
sk = {}
ek = {}

percentage = .51

while len(sk) + len(ek) < int(percentage*(2*n)):
    rand = randint(0, 2*n)
    if rand < n: 
        ek[rand] = e[rand]
    else: 
        rand = rand % n
        sk[rand] = s[rand]
      
print(len(sk), "known coefficients of s")
print(len(ek), "known coefficients of e")
print()
print(sk)
print(ek)


126 known coefficients of s
135 known coefficients of e

{2: 1, 114: 0, 132: 1, 192: 0, 14: 1, 117: 1, 88: 1, 158: 1, 4: 1, 51: 0, 118: 0, 76: 0, 239: 0, 245: 0, 65: 1, 249: 1, 107: 0, 68: 1, 253: 0, 216: 1, 219: 1, 238: 0, 53: 1, 104: 0, 30: 0, 210: 1, 220: 0, 142: 0, 10: 0, 23: 0, 80: 1, 79: 1, 67: 1, 218: 1, 201: 1, 221: 1, 169: 1, 102: 1, 226: 1, 211: 0, 126: 1, 131: 0, 154: 1, 170: 0, 83: 0, 194: 1, 196: 0, 215: 0, 242: 1, 120: 1, 8: 0, 138: 1, 3: 1, 209: 0, 96: 1, 71: 0, 130: 0, 101: 1, 119: 1, 86: 0, 116: 0, 66: 1, 34: 0, 188: 1, 141: 0, 35: 1, 93: 0, 222: 1, 149: 0, 228: 0, 22: 0, 202: 1, 42: 0, 240: 0, 41: 0, 89: 1, 20: 1, 63: 1, 185: 0, 204: 1, 21: 0, 29: 0, 87: 1, 26: 0, 186: 1, 150: 1, 19: 0, 52: 0, 17: 0, 81: 0, 167: 0, 121: 0, 135: 0, 255: 1, 180: 1, 6: 0, 64: 1, 234: 0, 7: 1, 105: 0, 175: 1, 177: 0, 44: 0, 153: 0, 90: 1, 182: 1, 84: 0, 171: 0, 133: 0, 190: 0, 197: 1, 200: 0, 195: 1, 122: 1, 254: 1, 252: 0, 173: 1, 207: 0, 54: 1, 191: 1, 224: 0, 172: 1, 156: 1, 134: 0, 45

### Code to generate the matrix ${\bf A}$:

In [142]:
A = [[0 for _ in range(n)] for _ in range(n)]

aa = 0 

for i in range(n):
    aa += a[n - 1 - i]*X^i
    
for i in range(n):
    for j in range(n):
        A[i][j] = aa[j]
    
    aa = -aa*X^(n - 1)
    
A = A[:: -1]

for row in A: 
    print(row)


[230, 46, 35, 27, 243, 147, 215, 23, 175, 196, 146, 219, 226, 26, 146, 196, 201, 68, 244, 185, 106, 214, 40, 57, 96, 30, 92, 196, 13, 158, 166, 171, 169, 6, 228, 177, 36, 212, 105, 226, 152, 170, 196, 244, 232, 242, 105, 255, 63, 58, 39, 207, 28, 220, 239, 50, 211, 242, 194, 195, 95, 157, 200, 203, 189, 196, 245, 93, 114, 71, 16, 242, 97, 95, 31, 140, 77, 55, 98, 71, 124, 218, 17, 19, 91, 26, 237, 86, 121, 177, 3, 100, 175, 75, 210, 226, 76, 143, 80, 147, 70, 231, 77, 132, 147, 207, 208, 174, 84, 191, 255, 143, 147, 192, 207, 192, 49, 19, 103, 84, 120, 43, 207, 166, 66, 253, 198, 161, 79, 165, 176, 137, 77, 204, 236, 231, 252, 99, 140, 76, 212, 77, 129, 61, 160, 98, 68, 100, 200, 203, 117, 42, 123, 246, 173, 63, 25, 66, 140, 76, 161, 164, 21, 4, 46, 233, 173, 240, 136, 172, 165, 40, 74, 249, 136, 240, 146, 185, 172, 87, 15, 65, 83, 78, 85, 173, 175, 142, 221, 26, 31, 218, 188, 140, 254, 219, 47, 106, 225, 84, 114, 202, 221, 120, 168, 145, 47, 127, 81, 44, 195, 79, 140, 72, 114, 144, 27

### usingKnownCoefficients algorithm that returns the matrix $\bar{\bf A}'$ and ${\bf b}$

In [143]:
def usingKnownCoefficients(b, A, sk, ek):   
    AA = []
    bb = []

    for i in range(n):
        if i in ek: 
            tmp = b[i] - ek[i]
            aa = []
            
            for j in range(n):
                if j in sk: 
                    tmp += -sk[j]*A[i][j]
                
                else:                
                    aa.append(A[i][j])
                                        
            AA.append(aa)
            bb.append(tmp)

    return AA, bb


### Using the Gaussian Elimination method

In [144]:
AA, bb = usingKnownCoefficients(b, A, sk, ek)

AAA = matrix(GF(q), AA)
su = AAA.solve_right(vector(GF(q), bb))

print(su)


(1, 1, 1, 0, 1, 1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 1)


## Generating the secret using ${\bf s_u}$ and ${\bf s_k}$

In [145]:
newS = 0
idx = 0 

for i in range(n):
    if i in sk:
        newS += sk[i]*w^i
    else:
        newS += Integer(su[idx])*w^i
        
        idx += 1
        
print(newS, newS == s)


y^255 + y^254 + y^251 + y^250 + y^249 + y^247 + y^244 + y^243 + y^242 + y^235 + y^233 + y^231 + y^226 + y^223 + y^222 + y^221 + y^219 + y^218 + y^217 + y^216 + y^210 + y^206 + y^205 + y^204 + y^203 + y^202 + y^201 + y^199 + y^197 + y^195 + y^194 + y^191 + y^188 + y^186 + y^182 + y^181 + y^180 + y^179 + y^175 + y^174 + y^173 + y^172 + y^169 + y^168 + y^165 + y^163 + y^162 + y^159 + y^158 + y^157 + y^156 + y^154 + y^150 + y^147 + y^146 + y^139 + y^138 + y^137 + y^132 + y^129 + y^126 + y^124 + y^123 + y^122 + y^120 + y^119 + y^117 + y^112 + y^111 + y^110 + y^109 + y^108 + y^106 + y^102 + y^101 + y^100 + y^99 + y^98 + y^97 + y^96 + y^95 + y^94 + y^91 + y^90 + y^89 + y^88 + y^87 + y^85 + y^82 + y^80 + y^79 + y^78 + y^75 + y^72 + y^68 + y^67 + y^66 + y^65 + y^64 + y^63 + y^62 + y^59 + y^57 + y^55 + y^54 + y^53 + y^49 + y^47 + y^43 + y^39 + y^38 + y^37 + y^35 + y^33 + y^31 + y^25 + y^20 + y^16 + y^15 + y^14 + y^12 + y^11 + y^7 + y^5 + y^4 + y^3 + y^2 + y + 1 True
