# LATTICES

### Vectors

A vector space $V$ over a field $F$ is a set defined with to binary operations. For a vector $v \in V$ and a scalar $a \in F$, vector addition takes two vectors and produces another vector $v+w = z; v,w,z \in V$ and scalar multiplication takes a vector and a scalar and produces a vector $a*v = w; v,w \in V, a \in F$ 

For two dimensions, $v = (a,b); a,b \in R$, vector addition: $v+w = (a,b) + (c,d) = (a+c, b + d)$ and a scalar multiplication $c*v = c*(a,b) = (c*a, c*b)$

The inner or dot product takes two vectors and returns a scalar. Formally $v \cdot w = a; v,w \in V, a \in F$, in two dimensions $v \cdot w = (a,b) \cdot (c,d) = a*c + b*d$

In [None]:
import numpy as np 
v = np.array([2,6,3])
w = np.array([1,0,0])
u = np.array([7,7,2])

print(np.dot(3*(2*v - w),2*u))

702


### Size and Basis

We say a set of vectors $v_1, v_2, ..., v_k \in V$ are linearly independent if the only solution to the equation: 

$a_1*v_1 + a_2 * v_2 + ... + a_k * v_k = 0$ 

is for $a_1 = a_2 = ... = a_k = 0$

To visualise this, let's think of a vector pointing out of a point. Given a set of lienarly independent vectors, the only way to return back to the original point is moving along the original vector. No combination of any other vectors will get us back there. 

A basis is a set of linearly independent vectors $v_1, v_2, ... , v_n \in V$ such that any vector $w \in V$ can be written as: 
$w = a_1 * v_1 + a_2 * v_2 + ... + a_k * v_n$ 

The number of elements in the basis is also the dimension of the vector space 

We define the size of a vector $||v||$, using the inner product of the vector with itself: $||v||^2 = v \cdot v$

A basis is orthogonal if for a vector basis $v_1, v_2, ... , v_n \in V$, the inner product between any two different vectors is zero: $v_i \cdot v_j = 0, i \neq j$ 

A basis is orthonormal if it is orthogonal and $||v_i|| = 1$



In [None]:
import numpy as np 
v = np.array([4,6,2,5]) 

print(np.sqrt(np.dot(v,v)))

9.0


### Gram Schmidt 

Gram Schmidt algorithm calculates an orthogonal basis $u_1, u_2, ..., u_n \in V$ from a given basis $v_1, v_2, ..., v_n \in V$ 

In [None]:
import numpy as np 


def gram_schmidt(v):
   
    n = v.shape[1]
    u = np.zeros_like(v, dtype=np.float64) 
    
    u[0, :] = v[0, :]

    for i in range(1, n): 
        for j in range(i): 
            u[i, :] -= np.dot(v[i, :], u[j, :])/np.dot(u[j, :], u[j, :])* u[j, :]
        u[i,:] += v[i, :]

    return u 



v1 = [4, 1, 3, -1]
v2 = [2, 1, -3, 4]
v3 = [1, 0, -2, 7]
v4 = [6, 2, 9, -5]

res = gram_schmidt(np.array([v1,v2,v3,v4]))

print(np.round(res[3:],5))


[[-0.36192  0.91611  0.21489  0.1131 ]]


### What's a Lattice

Given a set of linearly independent vectors $v_1, v_2, ..., v_n \in R^m$, the lattice $L$ generated by $v_1, v_2, ... , v_n$ is the set of linearly independent $v_1, v_2, ..., v_n$ with integer coefficients

$L = \{a_1 * v_1 + a_2 * v_2 + ... + a_k*v_k: a_1, a_2,...,a_n \in Z \}$

The basis for the lattice $L$ is any set of independent vectors that generates $L$. The choice of basis is far from unique. 

Bellow is an image of two dimensional lattice with two different basis vectors given by $u_1, u_2$ and $v_1, v_2$
![lattice-img](imgs/lattice.svg)

Using a basis, we can reach any point within the lattice with integer multiplies of the basis vectors. The basis vectors also define the fundamental domain: 
$F(v_1, ..., v_n) = \{t_1 v_1 + t_2 v_2 + ... t_n v_n : 0 \leq t_i < 1\}$

As a two dimensional example, the fundamental domain is the parallelogram with sides $u_1$ and $u_2$ 

We can calculate the volume of the fundamental domain from the basis vectors 

In [None]:
import numpy as np 

A = np.array([
    np.array([6, 2 , -3]), 
    np.array([5, 1, 4]),
    np.array([2, 7, 1])
])


np.abs(round(np.linalg.det(A)))

255

### Gaussian Reduction

Two hard problems: 

1. The **Shortest Vector Problem(SVP)**: find the shortest non-zero vector in a lattice $L$. In other words, find the non zero vector within $v \in L$ such that $||v||$ is minimized 

2. The **Closest Vector Problem(CVP)**: Given a vector $w \in R^m$ that is not in $L$, find the vector $v\in L$ that is the closest to $w$, $||v-w||$ is minimized 

The SVP is hard for a generic lattice, but for simple enough cases there are efficient algorithms to compute either a solution or an approximation for the SVP. When the dimension of the lattice is four or less, we have polyonimal time algorithms, for higher dimensions we use approximations. 

Gauss developed his algorithm to find an optimal basis for a two dimensional lattice given an arbitrary basis. Moreover, the output of the algorithm is a shortest nonzero vector in $L$ 

For higher dimensions LLL 

Gauss's algorithm roughly works by subtracting multiples of one basis vector from the other until it's no longer possible to make them any smaller. 

In [None]:
import numpy as np 
import math 
def gauss(v1, v2): 
    while True: 
        if np.linalg.norm(np.array(v2, dtype = np.float64)) < np.linalg.norm(np.array(v1, dtype=np.float64)): 
            t = v2 
            v2 = v1 
            v1 = t 
        m = math.floor(np.dot(v1,v2)/np.dot(v1,v1))
        if m == 0: 
            return v1,v2  
        v2 -= m*v1 

r = gauss(np.array([846835985, 9834798552]), np.array([87502093, 123094980]))
np.dot(r[0], r[1])        

7410790865146821

### Find the Lattice

This is the NTRUEncrypt system, so basically we use Gauss reduction to the NTRU matrix

In [None]:
from Crypto.Util.number import inverse, long_to_bytes

pk =  (7638232120454925879231554234011842347641017888219021175304217358715878636183252433454896490677496516149889316745664606749499241420160898019203925115292257, 2163268902194560093843693572170199707501787797497998463462129592239973581462651622978282637513865274199374452805292639586264791317439029535926401109074800)

flag =  5605696495253720664142881956908624307570671858477482119657436163663663844731169035682344974286379049123733356009125671924280312532755241162267269123486523

q = pk[0] 
h = pk[1] 
ntru_lattice = np.array([[1, h],[0, q]])

r = gauss(ntru_lattice[0], ntru_lattice[1])

def decrypt(q, h, f, g, e):
    a = (f*e) % q
    m = (a*inverse(f, g)) % g
    return m


long_to_bytes(decrypt(q, h, r[0][0], r[0][1], flag))

b'crypto{Gauss_lattice_attack!}'

### Backpack Cryptography

# LEARNING WITH ERRORS

### LWE Background

In [1]:
print('Oded Regev')

Oded Regev


### LWE Intro

https://cims.nyu.edu/~regev/papers/lwesurvey.pdf

https://web.archive.org/web/20231008081450/https://cryptopedia.dev/posts/kyber/

https://cims.nyu.edu/~regev/papers/qcrypto.pdf

LWE is computational problem of learning a linear function $f(A)$ which takes values over a ring, given many noisy samples of the function. These samples look like the pair $A, A\cdot S+e$ where $S$ is the secret element which defines the linear function, $e$ is some small error term from a known distribution, and $A$ is also known element of the ring 

Cryptosystems based on LWE have these features: 
1. They use modular arithmetic under two different moduli, the plaintext modulus and the ciphertext modulus 
2. The secret key is an element of a vector space $\bmod N$ 
3. Messages are encrypted by adding an encoded noisy message to a large dot-product

The noisy message is properly encoded sum of the message and a small error or noise term. 

The dot-product is between the secret and a random element of the vector space, where this is random element is provided as part of the ciphertext 

This looks like $(A, A \cdot s +$ encoded $(m,e))$ , where $A$ is an element of the vector space

If the secret key is known then the dot product can be subtracted out, leaving only the encoded message and noise. Thanks to the special way in which the message and noise are encoded, the noise can be remove from the encoding, leaving only the message behind. 

There are two common ways to store message and noise in LWE systems: you can either store the message in the high bits of the LWE sample and the noise in the low bits or vice-versa. 

What algorithm could we use if there was no error term? 

In [1]:
print('Gaussian elimination')

Gaussian elimination


### LWE High Bits Message

Parameters: 
1. vector space dimension $n$ 
2. ciphertext modulus $q$ 
3. plaintext modulus $p$ (can only encrypt messages $<p$)
4. scaling factor $\Delta = round(q/p)$

Key-gen: 
- The secret key $S$ is a random element of the vector space $Z_q^n$ 

Ciphertext format: 
- Ciphertexts consist of pair $A,b$ where $A$ is an element of the vector space $Z_q^n$ and $b$ is an element of $Z_q$ 

Encryption given message $m$: 
1. Sample $A$, a random element of the vector space $Z_q^n$
2. Sample the error term $e$, an integer in the range $[-\frac{\Delta}{2}, \frac{\Delta}{2}]$, can be Gaussian distribution or uniform
3. Compute $b = $A \cdot S + \Delta m + e$ 
4. Return the pair $(A,b)$

Decryption given ciphertext $(A,b)$: 
1. Compute $x = b - A \cdot S \bmod q$ and then interpret x as an integer (not $\bmod q$)
2. Compute $m = round(\frac{x}{\Delta})$ where rounding and division happen over integers 
3. return m 

In this system, decryption works because after the dot product is removed, the remaining equation for the noisy message $\Delta m +e$ holds over integers, so there is no modular wraparound due to $q$. As such, removing the error term can be done by rounding integer-division. This requires the parameters to be chosen so that $\Delta m + e < \frac{q}{2}$ holds. 

In [2]:
print(201)

201


### LWE Low Bits Message

$ q,p$ must be coprime 

Encryption given message $m$: 
1. Sample $A$, a random element of the vector space $Z_q^n$ 
2. Sample the error term $e$, an integer in the range $[-\frac{q}{2p},\frac{q}{2p}]$
3. Compute $b = A \cdot S + pe$
4. Return pair $(A,b)$

Decryption given ciphertext $(A,b)$: 
1. Compute $x = b - A \cdot S$ centered $\bmod q$ and then interpret $x$ as integer (not $\bmod q$). Note this centered modular reduction must produce a result between $(-q/2, q/2]$, as opposed to usual modular reduction producing a result between $[0, q-1]$
2. Compute $m = x \bmod p$ where division and rounding happens over the integers 
3. return $m$ 

Decryption works because after removing the dot product, the remaining equation for the noisy message $ m +pe$ holds over the integers, so there is no modular wraparound due to $q$. As such, removing the error term $e$ can be done by reducing $\bmod p$. This requires parameters to be chosen so that $m + pe < \frac{q}{2}$ holds. 

In [3]:
print(147)

147


### From Private to Public Key LWE

This can be turned into a public key cryptosystem by using the **additively homomorphic" property of LWE. That is, given an encryption $<A,b>$ encrypting the number $m$, it is possible for anyone to turn this into a valid encryption of $m + m_2$ for any number $m_2$. Explicitly this is done by computing $<A, b+m_2>$ for low-bit message and $<A,b+ \delta m_2>$ for high bit messages. 

Similarly, adding two LWE ciphertexts produces a new valid ciphertext which encrypts the sum of corresponding plaintexts. The owner of the private key can use this property to turn LWE into a public key system by releasing many different encryptions of zero as the public key. For Alice to use this information to encrypt, she first chooses a random subset of these encryptions of zero and add them together. By the second additively homomorphic property, this is also a valid encryption of zero. Next, Alice creates a new encoding for her message $m$, and adds this encoded message to this new encryption of zero. By the first additevly homomoprhic property, this is a valid encryption fo $m$. This procedure requires the distribution from which the noise samples are drawn to be carefully chosen so that the final error term is (with high probability) below the threshold needed to decrypt. 

In order for this to be secure, it must be hard for an adversary to determine which public key samples were summed to produce the LWE ciphertext. To ensure this, the number of encryptions of zero in the public key must be significantly larger than the LWE dimesion. As such, the size of public key scales as $O(n^2 log(q))$ bits, making LWE cryptosystems have large public keys. 

What is the size of a Kyber1024 public key in bytes?

In [1]:
print(1568)

1568


# LEARNING WITH ERRORS 2

### Noise Free

We issue 64 encryptions of 0, that way we get $A_i,b_i$ we stack them up in matrices and solve

$As =b$ to get the secret key $s$ then we use that key do decrypt each byte of encrypted flag

In [24]:
from python import utils
import ast 

n = 64
p = 257
q = 0x10001

F = GF(q) 
V = VectorSpace(F,n)

c = utils.Challenge(int(13411))
c.readline()

A = [] 
b = [] 
for _ in range(n): 
    c.json_send({'option': 'encrypt', 'message': int(0)})
    r = c.json_recv()

    A_i = ast.literal_eval(r['A'])
    A.append(A_i) 

    b_i = int(r['b'])
    b.append(b_i) 

A = matrix(F,A)
b = vector(F,b) 
S = A.solve_right(b) 


flag = list("crypto{????????????????????????}")
for i in range(7,len(flag)-1): 
    c.json_send({'option': 'get_flag','index': int(i)})
    r = c.json_recv()
    A = V(tuple(ast.literal_eval(r['A'])))
    b = F(int(r['b']))
    flag[i]=chr(int(b-A*S))

print(''.join(flag))


crypto{linear_algebra_is_useful}


### Bounded Noise

http://archive.ymsc.tsinghua.edu.cn/pacm_download/672/12690-dingjt-i23.pdf

In [14]:
import json,ast 
import random 
import numpy as np 
import math 

with open("data/bounded_noise.txt", "r") as f:
    json_dump = json.loads(f.read())
    A = ast.literal_eval(json_dump['A'])
    b = ast.literal_eval(json_dump['b'])
A = np.array(A)
b = np.array(b)

D = 2 
n = len(A[0])
q = 0x10001

Q = math.comb(n+D, D) 


selected_indices = random.sample(range(len(A)), Q)


A_selected = A[selected_indices]
b_selected = b[selected_indices]

A = A_selected.tolist()
b = b_selected.tolist()

var_names = [f'x{i+1}' for i in range(n)]
F = GF(q)
R = PolynomialRing(F, n, names=[f'x{i+1}' for i in range(n)])
vars = R.gens()

C= [] 
for i, a in enumerate(A): 
    p= F(-b[i])
    for j, a_i in enumerate(a): 
        p+=F(a_i)*vars[j] 
    C.append((p*(p+1)))

L = []
B = []
monomials = R.monomials_of_degree(2) + R.monomials_of_degree(1)

for c in C: 
    L.append([F(c.monomial_coefficient(m)) for m in monomials])
    B.append(-F(c.constant_coefficient()))
   

L = matrix(F,L)
B = vector(F,B) 
s = L.solve_right(B)[-25:]

#s = s[::-1]

s_integers = [int(s_i.lift()) for s_i in s]

def reconstruct_flag_int(secret_key, q):
    flag_int = 0
    for part in secret_key:
        flag_int = flag_int * q + part
    return flag_int

def int_to_bytes(flag_int):
    flag_int = int(flag_int)
    num_bytes = (flag_int.bit_length() + 7) // 8
    flag_bytes = flag_int.to_bytes(num_bytes, byteorder='big')
    return flag_bytes


flag_int = reconstruct_flag_int_2(s_integers, q) 
print(int_to_bytes(flag_int).decode())

crypto{linearised_polynomials_for_bounded_errors}


### Nativity

In [3]:
import numpy as np
from random import SystemRandom
from Crypto.Util.number import bytes_to_long, long_to_bytes

# dimension
n = 64
# number of samples in public key
m = 512
dtype = np.uint16

random = SystemRandom()
sigma = 2.3
def normal(): return round(random.gauss(0, sigma))
def binary(): return random.randrange(2)


FLAG = b"crypto{?????????????????????????????????????????}"


def uniform(shape):
    buffer = [random.randrange(0, 1 << 16) for i in range(np.prod(shape))]
    return np.array(buffer, dtype=dtype).reshape(shape)


def sample(shape, dist):
    return np.fromfunction(np.vectorize(lambda *_: dist()), shape).astype(dtype)


def keygen():
    A = uniform((n, m))
    s = uniform((n,))
    pk = np.vstack((A, s @ A + 2*sample((m,), normal)))
    sk = np.append(-s, 1).astype(dtype)
    return pk, sk


def encrypt(pk, msg):
    e = sample((m,), binary)
    print(e) 
    c = pk @ e + np.append(np.zeros(n), msg)
    return c.astype(dtype)


def decrypt(sk, c):
    return sk.dot(c) & 1


pk, sk = keygen()
 

msg = np.fromiter([int(i) for i in "{:0{}b}".format(
    bytes_to_long(FLAG), 8 * len(FLAG))], dtype)


ciphertexts = np.vstack([encrypt(pk, b) for b in msg])

np.savetxt("ciphertexts.txt", ciphertexts, fmt="%d")
np.savetxt("public_key.txt", pk, fmt="%d")



[0 0 1 1 1 1 0 1 0 0 0 0 0 1 1 1 1 1 0 0 0 0 1 0 1 0 1 0 0 0 1 1 0 0 0 1 1
 0 0 1 1 0 1 1 0 0 1 0 0 0 1 0 0 0 1 0 0 0 1 1 1 1 0 1 0 0 0 1 1 0 0 0 0 1
 0 1 1 1 0 0 1 0 1 0 1 1 1 1 1 1 1 0 1 0 0 1 1 1 0 1 0 0 1 1 0 0 1 1 0 0 0
 1 1 0 1 1 1 1 1 0 0 1 1 0 1 0 0 1 1 0 1 1 0 0 0 0 0 0 0 1 0 1 1 1 1 1 1 1
 0 0 0 0 1 1 1 0 0 1 1 0 1 1 1 1 1 0 0 1 1 1 0 1 1 0 0 0 1 1 1 0 0 1 0 1 0
 0 1 0 1 0 1 0 0 1 1 0 1 0 1 1 0 1 1 0 1 1 0 0 0 1 1 1 1 0 1 0 1 1 0 0 0 1
 0 1 1 1 0 1 1 0 1 0 1 0 0 1 1 0 1 0 0 1 0 1 0 0 0 1 1 0 0 0 1 1 1 1 0 0 0
 0 0 1 1 0 0 1 1 0 1 0 0 1 1 0 0 0 1 1 1 0 0 0 0 1 0 1 0 1 0 1 0 0 0 1 0 1
 1 0 1 1 0 1 0 1 0 1 0 1 0 0 0 0 1 0 0 1 0 0 1 1 1 0 0 0 0 1 1 1 1 1 0 1 1
 0 0 1 0 1 0 1 1 1 1 0 1 1 0 1 1 0 1 0 1 0 1 1 1 0 1 0 0 1 0 1 1 1 1 1 0 1
 0 0 0 0 0 0 0 0 1 1 1 0 0 0 0 1 0 1 0 1 0 0 0 1 0 1 1 0 1 0 1 1 0 0 0 0 1
 1 0 0 1 1 0 1 1 0 0 0 1 1 1 1 1 0 1 0 0 1 0 1 1 0 1 1 1 0 1 0 1 0 0 0 0 1
 1 0 1 1 1 1 1 0 1 0 1 0 1 1 0 1 1 1 0 1 0 1 1 1 1 0 1 1 0 0 1 0 1 1 0 0 1
 0 1 0 0 1 1 0 0 0 1 1 1 

### Missing Modulus

https://eprint.iacr.org/2018/822.pdf

In [5]:
import numpy as np 
from pwn import * 
import json 
import ast

host = "socket.cryptohack.org"
port = 13412
n = 512 
p = 257
q = 6007
delta = int(round(q/p))

context.log_level = 'error'
conn = remote(host,port)

conn.recv()

forgery = {}
forgery["option"] = "encrypt"  
forgery["message"] = int(0)

A = [] 
b = [] 
for _ in range(n): 
    conn.send(json.dumps(forgery).encode()) 
    r = json.loads(conn.recvline().decode().strip())

    A_i = ast.literal_eval(r['A'])
    A.append(A_i) 

    b_i = int(r['b'])
    b.append(b_i) 

A = np.array(A) 
b = np.array(b) 

S_prime = np.round(np.linalg.inv(A.T @ A)@(A.T@b)).astype(int) 


flag = list("crypto{??????????????????????????????????????}")
for i in range(7,len(flag)-1): 
    conn.send(json.dumps({'option': 'get_flag','index': int(i)}).encode())
    r = json.loads(conn.recvline().decode().strip())
    A = ast.literal_eval(r['A'])
    b = int(r['b'])
    flag[i]=chr(int(round((b - A @ S_prime)/delta)))
print(''.join(flag))

crypto{learning-is-easy-over-the-real-numbers}


### Noise Cheap

So basically taken the fact that $e$ is multiplied with $p$, we can remove the $pe$ term by taking $b \bmod p$

Mod is defined by $a \equiv b (\bmod m) => m|(a-b) => (a-b) = km => a = b + km$ 

In [1]:
from pwn import * 
import json 
import ast

host = "socket.cryptohack.org"
port = 13413

conn = remote(host,port)

conn.recv()

forgery = {}
forgery["option"] = "encrypt"  
forgery["message"] = int(0)



A = [] 
b = [] 
for _ in range(n): 
    conn.send(json.dumps(forgery).encode()) 
    
    r = json.loads(conn.recv().decode().strip()) 

    A_i = ast.literal_eval(r['A'])
    A.append(A_i) 

    b_i = (int(r['b']))%p
    b.append(b_i) 

p = 257 
q = 1048583
n = 64 



F = GF(q) 
V = VectorSpace(F,n)

A = matrix(F,A)
b = vector(F,b) 
S = A.solve_right(b) 

[x] Opening connection to socket.cryptohack.org on port 13413
[x] Opening connection to socket.cryptohack.org on port 13413: Trying 134.122.111.232
[+] Opening connection to socket.cryptohack.org on port 13413: Done


TypeError: 'function' object cannot be interpreted as an integer

In [None]:
FLAG = b"crypto{????????????????????????}"
for i in range(7,len(flag)-1): 
    conn.send(json.dumps({'option': 'get_flag','index': int(i)}).encode())
    r = json.loads(conn.recv().decode().strip()) 
    A = V(tuple(ast.literal_eval(r['A'])))
    b = F(int(r['b'])%p)
    print(chr(int(b-A*S)))

In [22]:
FLAG = b"crypto{????????????????????????}"


n = 64

p = 257
# ciphertext modulus
q = 1048583

V = VectorSpace(GF(q), n)
S = V.random_element()
print(S) 

def encrypt(m):
    A = V.random_element()
    e = randint(-1, 1)
    b = A * S + m + p * e
    return A, b

your_input = {}
your_input["message"] = 0 

message = int(your_input["message"])

A = []
b = []
for _ in range(n): 
    A_i, b_i = encrypt(message) 

    A.append(A_i) 
    b.append(int(b_i)%p) 


F = GF(q) 
V = VectorSpace(F,n)

A = matrix(F,A)
b = vector(F,b) 
S_prime = A.solve_right(b)

k = 0
while True: 
    S_prime += vector(F,([k*p]*n))
    if S_prime == S: 
        break 
    k+=1 

(81250, 827541, 324818, 745414, 886234, 915195, 778507, 413526, 807634, 370074, 134499, 636550, 1060, 498173, 674688, 739384, 504192, 945281, 406117, 789308, 197006, 333948, 901227, 76353, 176364, 539003, 885384, 116914, 276798, 413386, 641656, 553041, 360864, 448287, 866439, 621491, 554030, 660814, 534912, 316746, 326149, 449996, 974729, 324158, 902903, 903078, 221014, 884776, 557900, 490596, 658351, 862028, 942701, 832051, 471137, 164289, 750982, 115956, 1004518, 778433, 419430, 880237, 989243, 856261)


KeyboardInterrupt: 

### Too Many Errors

Google says it could be Arora-Ge attack