# Prerequisites
- Lattices

# Theory

- https://youtu.be/SZkTJMorxnM?t=279 - simple explanation

## LWE

*Idea*:
- Find secret $s \in (\mathbb{Z}/q\mathbb Z)^n$ given many *noisy inner products*

### Search LWE

**Definition**

&emsp; Given the following parameters $n, q = poly(n)$, gaussian error distribution $\chi \in (\mathbb{Z}/q\mathbb Z)$ => We define the problem Search-$\text{LWE}_{n, m, q, \chi}$ as follows:

&emsp; &emsp; Given $m$ independent samples $(\vec{a_i}, b_i) \in  (\mathbb{Z}/q\mathbb Z)^n \times  (\mathbb{Z}/q\mathbb Z)$ generated as follows

$$\begin{equation}
\vec{a_1} \leftarrow (\mathbb{Z}/q\mathbb Z)^n , \ \ b_1 = \langle s, \vec{a_1} \rangle + e_1\\
\vec{a_2} \leftarrow (\mathbb{Z}/q\mathbb Z)^n , \ \ b_2 = \langle s, \vec{a_2} \rangle + e_2\\
\vdots
\end{equation}
$$
&emsp; &emsp; for some errors $e_i \leftarrow \chi$ with width $\alpha q > \sqrt n$

Task: Find $s \in (\mathbb{Z}/q\mathbb Z)^n$

Matrix notation:

$$A = \begin{bmatrix}
| & &  | \\
a_1 & \dots & a_m  \\
| & &  | \\
\end{bmatrix}, \ \ b^T = s^TA + e^T$$

Drawing:

![image.png](attachment:99cfb33b-db14-4d97-88f0-02ec2501685e.png)

**Notes**
- Without $e_i$ we can efficiently recover $s$ with Gaussian elimination

### Decision LWE

**Definition**  
&emsp; Distinguish $(A, b^T = s^TA + e^T)$ from uniform $(A, b^T)$ where $A = (a_1, ... a_m)$

![image.png](attachment:be296311-79fd-451d-b125-03927b13f906.png)

## Lattice

Let $\mathcal{L}(A) = \{z \in \mathbb{Z}^m z^t = s^tA \bmod q \}$ be the LWE lattice
- $\mathcal{L}(A) = q(\mathcal{L}^\perp(A))^\vee$ = scaled dual of SIS lattice

**BDD problem on $\mathcal{L}(A)$**

Given $b^T \approx v^T = s^TA \in \mathcal{L}(A)$, find $v$
- The ammount of error is very small to the minimum distance 

![image.png](attachment:b8eeea17-7a35-43bf-ba38-284cf6a9f690.png)

![image.png](attachment:0c6d61d9-c429-4d33-a967-73ba2ab678ba.png)

## Properties

**Easy to check if a solution is small**
- test $b - \langle s', a \rangle$ is small

**Shift the secret by any $t \in  (\mathbb{Z}/q\mathbb Z)^n$**
- $(a, b = \langle s, a \rangle + e) \to (a, b' = b + \langle t, a \rangle = \langle s + t, a \rangle + e)$

## Cryptosystems

### Public key (encrypting a bit)

#### Regev

Public parameters: $A \in  (\mathbb{Z}/q\mathbb Z)^{n\times m}$

**Alice** 
- chooses a secret $s \in  (\mathbb{Z}/q\mathbb Z)^n$
- generates public key $b^T = s^TA + e^T$

**Bob**
- chooses a secret $x \in \{0, 1\}^m$
- computes and sends to Alice
    - $u = Ax$ - the hash of the secret
    - $u' = b^Tx + bit \cdot \dfrac q 2$
    
**Alice**
- decodes $u' - s^Tu \approx bit \cdot \dfrac q 2$

**Note**
- $(A, b^t)$ is $LWE$
- $(u, u')$ are uniformly random by left-over hash lemma when $m \geq nlog_2 q$

#### Dual 

Public parameters: $A \in  (\mathbb{Z}/q\mathbb Z)^{n\times m}$

**Alice** 
- chooses a secret $x \in \{0, 1\}^m$
- sends to Bob her **public key**
    - $u = Ax$ - the hash of the secret


**Bob**
- chooses a secret $s \in  (\mathbb{Z}/q\mathbb Z)^n$
- generates and sends to Alice
    - $b^T = s^TA + e^T$
    - $b' = s^Tu + e' + bit \cdot \dfrac q 2$ - adding $bit \cdot \dfrac q 2$ does not break the uniformity of $s^TA + e^T$

**Alice**
- decodes $b' - b^Tx \approx bit \cdot \dfrac q 2$
- $b' - b^Tx = s^Tu + e' + bit \cdot \dfrac q 2 - (s^TA + e^T)x = \underbrace{s^Tu - s^T\underbrace{Ax}_{u}}_{=0} + \underbrace{\overbrace{e^Tx}^{\text{both small}} - e'}_{\text{very small} << q/2} +  bit \cdot \dfrac q 2 \approx bit \cdot \dfrac q 2$

**Note**
- $(A,u; b, b')$ is $\text{LWE}$ pair

# Code

## Dual

In [1]:
import random
from sage.stats.distributions.discrete_gaussian_lattice import DiscreteGaussianDistributionLatticeSampler
from sage.stats.distributions.discrete_gaussian_integer import DiscreteGaussianDistributionIntegerSampler

In [2]:
is_prime(127)

True

In [3]:
#Public parameters
q = next_prime(400)
n = 10
m = n * ceil(log(q, 2)) + 1
A = random_matrix(Zmod(q), m, n)


In [4]:
#Alice1
def generate_keys(A, m, n, q):
    x = vector(Zmod(q), [random.randint(0, 1) for i in range(m)]) #Alice's secret
    u = x * A # Alice's public key
    return x, u

x, u = generate_keys(A, m, n, q)
print(x)
print(u)

(1, 1, 1, 0, 1, 1, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 1)
(235, 159, 138, 243, 215, 241, 165, 115, 59, 237)


In [5]:
#Bob1
def encrypt_bit(bit, u, A, m, n, q):
    s = vector(Zmod(q), [round(random.randint(0, q-1)) for i in range(n)]) #Bob's secret
    #generate errors
    #e = vector(Zmod(q), [round(random.gauss(0, sqrt(n) + 1)) for _ in range(m)]) # lol this
    Dl = DiscreteGaussianDistributionLatticeSampler(Zmod(q)**m, sqrt(n)+1)
    e = Dl()
    #e_ = round(random.gauss(0, sqrt(n) + 1)) #lol this 2
    D = DiscreteGaussianDistributionIntegerSampler(sigma = sqrt(n)+1)
    e_ = Zmod(q)(D())
    
    b = A * s + e
    b_ = u * s + e_ + bit * q // 2
    return b, b_

bit = 1
b, b_ = encrypt_bit(bit, u, A, m, n, q)

In [6]:
print(b)
print(b_)

(95, 281, 87, 395, 174, 108, 265, 248, 205, 143, 216, 309, 289, 168, 48, 306, 376, 252, 35, 11, 50, 367, 126, 361, 31, 7, 362, 180, 171, 161, 142, 152, 12, 117, 171, 385, 221, 283, 146, 360, 55, 101, 98, 31, 57, 108, 34, 332, 87, 277, 376, 159, 140, 236, 339, 93, 60, 200, 304, 63, 292, 97, 213, 83, 382, 377, 317, 182, 265, 394, 54, 386, 388, 301, 400, 83, 343, 90, 78, 396, 23, 217, 181, 48, 214, 310, 200, 232, 212, 156, 298)
182


In [7]:
#Alice2
print(b_ - b * x)
print(bit, int(q//4 <=  b_ - b * x  < 3 * q//4 )) # check if it's closer to q//2 to receive the bit

232
1 1


## Defined constructions in Sage

https://doc.sagemath.org/html/en/reference/cryptography/sage/crypto/lwe.html

In [8]:
from sage.stats.distributions.discrete_gaussian_integer import DiscreteGaussianDistributionIntegerSampler

In [9]:
D = DiscreteGaussianDistributionIntegerSampler(sigma = 3)

In [10]:
vector(Zmod(q), [D() for _ in range(m)])

(0, 1, 1, 399, 399, 2, 6, 395, 2, 1, 400, 394, 400, 1, 2, 395, 1, 397, 394, 394, 6, 4, 3, 1, 0, 1, 0, 400, 399, 3, 398, 1, 5, 0, 399, 398, 0, 1, 399, 4, 398, 0, 400, 3, 1, 397, 0, 2, 398, 0, 398, 3, 396, 397, 1, 4, 4, 3, 393, 393, 399, 2, 1, 2, 398, 3, 0, 395, 2, 399, 396, 399, 393, 5, 398, 399, 400, 1, 0, 2, 400, 400, 2, 399, 398, 2, 396, 400, 7, 400, 400)

In [11]:
from sage.stats.distributions.discrete_gaussian_lattice import DiscreteGaussianDistributionLatticeSampler

In [12]:
Dl = DiscreteGaussianDistributionLatticeSampler(Zmod(q)**n, sqrt(n)+1)

In [13]:
Dl()

(1, 399, 0, 400, 7, 393, 392, 7, 398, 11)

# Resources

- https://en.wikipedia.org/wiki/Learning_with_errors
- http://cryptowiki.net/index.php?title=LWE-based_cryptographic_protocols
- https://eprint.iacr.org/2015/938.pdf - page 10
- https://cims.nyu.edu/~regev/papers/lwesurvey.pdf - regev paper
- https://asecuritysite.com//encryption/lwe_output
- https://www.youtube.com/watch?v=K_fNK04yG4o&list=PLgKuh-lKre10rqiTYqJi6P4UlBRMQtPn0&index=5

- https://crypto.stackexchange.com/questions/26169/how-to-generate-new-lwe-samples - generating more samples from a given set