commit 1d6fa11fcf15f832ef5044a5ad8bd299dc8ef588 Author: EvilMuffinHa Date: Sun Jul 2 03:26:39 2023 -0400 first diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..3f5c3d5 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,9 @@ +[submodule "fgb_sage"] + path = fgb_sage + url = https://github.com/mwageringel/fgb_sage +[submodule "lattice-estimator"] + path = lattice-estimator + url = https://github.com/malb/lattice-estimator +[submodule "multivariate_quadratic_estimator"] + path = multivariate_quadratic_estimator + url = https://github.com/Crypto-TII/multivariate_quadratic_estimator diff --git a/fgb_sage b/fgb_sage new file mode 160000 index 0000000..ffeaa4a --- /dev/null +++ b/fgb_sage @@ -0,0 +1 @@ +Subproject commit ffeaa4ad3d98f223b4fc1eb697ff7ab6f3c54e5b diff --git a/get_basis.sage b/get_basis.sage new file mode 100644 index 0000000..2d7d46e --- /dev/null +++ b/get_basis.sage @@ -0,0 +1,76 @@ +from random import randint +from tqdm import tqdm + +F = GF(3301, names=("z", )) + +f_a = list(F) + +# m = 32 +# n = 80 + +# m = 44 +# n = 112 + +# m = 72 +# n = 184 + +m = 8 +n = 20 + +# m = 2 +# n = 5 + +O = random_matrix(F, (n - m), m) + +output = "" +poly_m = [] + +z = zero_matrix(F, m, (n - m)) + +for i in range(m): + + P1 = random_matrix(F, (n - m), (n - m)) + + for j in range(0, len(P1.rows())): + for k in range(0, j): + P1[j, k] = 0 + + P2 = random_matrix(F, (n - m), m) + P3 = -O.T * P1 * O - O.T * P2 + + for j in range(0, len(P3.rows())): + for k in range(j+1, len(P3.rows())): + P3[j, k] += P3[k, j] + P3[k, j] = 0 + + for i in P1: + for j in i: + output += hex(f_a.index(j))[2:] + + for i in P2: + for j in i: + output += hex(f_a.index(j))[2:] + + for i in P3: + for j in i: + output += hex(f_a.index(j))[2:] + + P = block_matrix([ [P1, P2], [z, P3]]) + poly_m.append(P) + +v = matrix(F, n, 1, [randint(0, 1) for i in range(n)]) + +oil_basis = block_matrix(F, 2, 1, [O, identity_matrix(F, m)]) + +hint = [zero_matrix(F, n, 1) for i in range(1)] + +value = zero_matrix(F, n, 1) + +for i in oil_basis.columns(): + for j in range(len(hint)): + hint[j] += F.random_element() * matrix(F, n, 1, list(i)) + value += F.random_element() * matrix(F, n, 1, list(i)) + + + + diff --git a/get_basis.sage.py b/get_basis.sage.py new file mode 100644 index 0000000..aef2bd9 --- /dev/null +++ b/get_basis.sage.py @@ -0,0 +1,85 @@ + + +# This file was *autogenerated* from the file get_basis.sage +from sage.all_cmdline import * # import sage library + +_sage_const_3301 = Integer(3301); _sage_const_8 = Integer(8); _sage_const_20 = Integer(20); _sage_const_0 = Integer(0); _sage_const_1 = Integer(1); _sage_const_2 = Integer(2) +from random import randint +from tqdm import tqdm + +F = GF(_sage_const_3301 , names=("z", )) + +f_a = list(F) + +# m = 32 +# n = 80 + +# m = 44 +# n = 112 + +# m = 72 +# n = 184 + +m = _sage_const_8 +n = _sage_const_20 + +# m = 2 +# n = 5 + +O = random_matrix(F, (n - m), m) + +output = "" +poly_m = [] + +z = zero_matrix(F, m, (n - m)) + +for i in range(m): + + P1 = random_matrix(F, (n - m), (n - m)) + + for j in range(_sage_const_0 , len(P1.rows())): + for k in range(_sage_const_0 , j): + P1[j, k] = _sage_const_0 + + P2 = random_matrix(F, (n - m), m) + P3 = -O.T * P1 * O - O.T * P2 + + for j in range(_sage_const_0 , len(P3.rows())): + for k in range(j+_sage_const_1 , len(P3.rows())): + P3[j, k] += P3[k, j] + P3[k, j] = _sage_const_0 + + for i in P1: + for j in i: + output += hex(f_a.index(j))[_sage_const_2 :] + + for i in P2: + for j in i: + output += hex(f_a.index(j))[_sage_const_2 :] + + for i in P3: + for j in i: + output += hex(f_a.index(j))[_sage_const_2 :] + + P = block_matrix([ [P1, P2], [z, P3]]) + poly_m.append(P) + +v = matrix(F, n, _sage_const_1 , [randint(_sage_const_0 , _sage_const_1 ) for i in range(n)]) + +oil_basis = block_matrix(F, _sage_const_2 , _sage_const_1 , [O, identity_matrix(F, m)]) + +hint = [zero_matrix(F, n, _sage_const_1 ) for i in range(_sage_const_1 )] + +value = zero_matrix(F, n, _sage_const_1 ) + +for i in oil_basis.columns(): + for j in range(len(hint)): + hint[j] += F.random_element() * matrix(F, n, _sage_const_1 , list(i)) + value += F.random_element() * matrix(F, n, _sage_const_1 , list(i)) + + + +for P in poly_m: + print(value.T * (P + P.T) * hint[_sage_const_0 ]) + + diff --git a/lattice-estimator b/lattice-estimator new file mode 160000 index 0000000..cf36315 --- /dev/null +++ b/lattice-estimator @@ -0,0 +1 @@ +Subproject commit cf36315e7718b1e2e3de271b705697943ebaecf4 diff --git a/multivariate_quadratic_estimator b/multivariate_quadratic_estimator new file mode 160000 index 0000000..ee5c7fe --- /dev/null +++ b/multivariate_quadratic_estimator @@ -0,0 +1 @@ +Subproject commit ee5c7fe0aa0df737870bd4395003d9d83698fd21 diff --git a/recover_o.sage b/recover_o.sage new file mode 100644 index 0000000..186f38c --- /dev/null +++ b/recover_o.sage @@ -0,0 +1,159 @@ +from random import randint +from tqdm import tqdm + +f_size = 3301 + +F = GF(f_size, names=("z", )) + +f_a = list(F) + +# m = 32 +# n = 80 + +m = 44 +n = 112 + +# m = 72 +# n = 184 + +# m = 8 +# n = 20 + +# m = 2 +# n = 5 + +O = random_matrix(F, (n - m), m) + +output = "" +poly_m = [] + +d = n / (m * log(f_size, 2).n()) +N = ceil(sqrt((n + 1)/4)) + 1 +print("d: ", d) +print("N: ", N) + +z = zero_matrix(F, m, (n - m)) + +for i in tqdm(range(m)): + + P1 = random_matrix(F, (n - m), (n - m)) + + for j in range(0, len(P1.rows())): + for k in range(0, j): + P1[j, k] = 0 + + P2 = random_matrix(F, (n - m), m) + P3 = -O.T * P1 * O - O.T * P2 + + for j in range(0, len(P3.rows())): + for k in range(j+1, len(P3.rows())): + P3[j, k] += P3[k, j] + P3[k, j] = 0 + + for i in P1: + for j in i: + output += hex(f_a.index(j))[2:] + + for i in P2: + for j in i: + output += hex(f_a.index(j))[2:] + + for i in P3: + for j in i: + output += hex(f_a.index(j))[2:] + + P = block_matrix([ [P1, P2], [z, P3]]) + poly_m.append(P) + +v = matrix(F, n, 1, [randint(0, 1) for i in range(n)]) + +oil_basis = block_matrix(F, 2, 1, [O, identity_matrix(F, m)]) + +o1 = zero_matrix(F, n, 1) +o2 = zero_matrix(F, n, 1) + +for i in oil_basis.columns(): + o1 += F.random_element() * matrix(F, n, 1, list(i)) + o2 += F.random_element() * matrix(F, n, 1, list(i)) + +o_hat1 = v + o1 +# o_hat2 = v + o2 + +print("o1 :", [i[0] for i in o1]) +# print("o2 :", [i[0] for i in o2]) +print("v :", [i[0] for i in v]) +print("o1+v :", [i[0] for i in o_hat1]) +# print("o2+v :", [i[0] for i in o_hat2]) + +print() + +# for P in poly_m: +# print("oPo:", o1.T * P * o1) +# print("vPv:", v.T * P * v) +# print("qPq:", o_hat.T * P * o_hat) +# correction = o_hat.T * (P.T + P) * v +# print("oPx:", correction) +# print("tot:", v.T * P * v + o_hat.T * P * o_hat - correction) +# print() +# print() + + +# P = poly_m[0] +vec = [[(o_hat1.T * (P.T + P))[0][i] for i in range(n)] for P in poly_m] +s = [(v.T * P * v + o_hat1.T * P * o_hat1)[0][0] for P in poly_m] + +# print("s: ", (v.T * P * v + o_hat.T * P * o_hat)[0][0]) +# print("k: ", vec) + +# out = 0 +# for i in range(len(vec)): +# out += int(vec[i]) * int(v[i][0]) +# +# t = matrix(QQ, 1, len(vec) + 2, [int(i[0]) for i in v] + [-(out // 3301), -1]) +# print("t: ", t) + +d = n / (m * log(f_size, 2).n()) +N = ceil(sqrt((n + 1)/4)) + 1 +print("d: ", d) +print("N: ", N) + +b1 = identity_matrix(QQ, n) +b2 = zero_matrix(QQ, n, 1) +b3 = matrix(QQ, m, n, [[N * int(i) for i in j] for j in vec]).T +b4 = zero_matrix(QQ, m, n) +b5 = zero_matrix(QQ, m, 1) +b6 = N * f_size * identity_matrix(QQ, m) +b7 = matrix(QQ, 1, n, [1/2]*n) +b8 = matrix(QQ, 1, 1, [1/2]) +b9 = matrix(QQ, 1, m, [N * int(i) for i in s]) + + +B = block_matrix([[b1, b2, b3], [b4, b5, b6], [b7, b8, b9]]) + +print(B) +print() + +BH = B.LLL() + +BH = matrix(ZZ, 2 * BH) + +print(BH) + +for beta in tqdm(range(0, 10)): + BH = BH.BKZ(block_size=beta + 1, fp='rr', precision=200) + +BH = 1/2 * matrix(QQ, BH) + +print(BH) +print() +for out_vec in BH: + if abs(out_vec[-(m + 1)]) == 1/2: + if out_vec[-(m + 1)] == -1/2: + testvec = [i + 1/2 for i in out_vec] + else: + testvec = [i + 1/2 for i in -out_vec] + + print(testvec) + +print() +print([i[0] for i in v]) diff --git a/recover_o.sage.py b/recover_o.sage.py new file mode 100644 index 0000000..11d96e5 --- /dev/null +++ b/recover_o.sage.py @@ -0,0 +1,164 @@ + + +# This file was *autogenerated* from the file recover_o.sage +from sage.all_cmdline import * # import sage library + +_sage_const_3301 = Integer(3301); _sage_const_44 = Integer(44); _sage_const_112 = Integer(112); _sage_const_2 = Integer(2); _sage_const_1 = Integer(1); _sage_const_4 = Integer(4); _sage_const_0 = Integer(0); _sage_const_10 = Integer(10); _sage_const_200 = Integer(200) +from random import randint +from tqdm import tqdm + +F = GF(_sage_const_3301 , names=("z", )) + +f_a = list(F) + +# m = 32 +# n = 80 + +m = _sage_const_44 +n = _sage_const_112 + +# m = 72 +# n = 184 + +# m = 8 +# n = 20 + +# m = 2 +# n = 5 + +O = random_matrix(F, (n - m), m) + +output = "" +poly_m = [] + +d = n / (m * log(_sage_const_3301 , _sage_const_2 ).n()) +N = ceil(sqrt((n + _sage_const_1 )/_sage_const_4 )) + _sage_const_1 +print("d: ", d) +print("N: ", N) + +z = zero_matrix(F, m, (n - m)) + +for i in tqdm(range(m)): + + P1 = random_matrix(F, (n - m), (n - m)) + + for j in range(_sage_const_0 , len(P1.rows())): + for k in range(_sage_const_0 , j): + P1[j, k] = _sage_const_0 + + P2 = random_matrix(F, (n - m), m) + P3 = -O.T * P1 * O - O.T * P2 + + for j in range(_sage_const_0 , len(P3.rows())): + for k in range(j+_sage_const_1 , len(P3.rows())): + P3[j, k] += P3[k, j] + P3[k, j] = _sage_const_0 + + for i in P1: + for j in i: + output += hex(f_a.index(j))[_sage_const_2 :] + + for i in P2: + for j in i: + output += hex(f_a.index(j))[_sage_const_2 :] + + for i in P3: + for j in i: + output += hex(f_a.index(j))[_sage_const_2 :] + + P = block_matrix([ [P1, P2], [z, P3]]) + poly_m.append(P) + +v = matrix(F, n, _sage_const_1 , [randint(_sage_const_0 , _sage_const_1 ) for i in range(n)]) + +oil_basis = block_matrix(F, _sage_const_2 , _sage_const_1 , [O, identity_matrix(F, m)]) + +o1 = zero_matrix(F, n, _sage_const_1 ) +o2 = zero_matrix(F, n, _sage_const_1 ) + +for i in oil_basis.columns(): + o1 += F.random_element() * matrix(F, n, _sage_const_1 , list(i)) + o2 += F.random_element() * matrix(F, n, _sage_const_1 , list(i)) + +o_hat1 = v + o1 +# o_hat2 = v + o2 + +print("o1 :", [i[_sage_const_0 ] for i in o1]) +# print("o2 :", [i[0] for i in o2]) +print("v :", [i[_sage_const_0 ] for i in v]) +print("o1+v :", [i[_sage_const_0 ] for i in o_hat1]) +# print("o2+v :", [i[0] for i in o_hat2]) + +print() + +# for P in poly_m: +# print("oPo:", o1.T * P * o1) +# print("vPv:", v.T * P * v) +# print("qPq:", o_hat.T * P * o_hat) +# correction = o_hat.T * (P.T + P) * v +# print("oPx:", correction) +# print("tot:", v.T * P * v + o_hat.T * P * o_hat - correction) +# print() +# print() + + +# P = poly_m[0] +vec = [[(o_hat1.T * (P.T + P))[_sage_const_0 ][i] for i in range(n)] for P in poly_m] +s = [(v.T * P * v + o_hat1.T * P * o_hat1)[_sage_const_0 ][_sage_const_0 ] for P in poly_m] + +# print("s: ", (v.T * P * v + o_hat.T * P * o_hat)[0][0]) +# print("k: ", vec) + +# out = 0 +# for i in range(len(vec)): +# out += int(vec[i]) * int(v[i][0]) +# +# t = matrix(QQ, 1, len(vec) + 2, [int(i[0]) for i in v] + [-(out // 3301), -1]) +# print("t: ", t) + +d = n / (m * log(_sage_const_3301 , _sage_const_2 ).n()) +N = ceil(sqrt((n + _sage_const_1 )/_sage_const_4 )) + _sage_const_1 +print("d: ", d) +print("N: ", N) + +b1 = identity_matrix(QQ, n) +b2 = zero_matrix(QQ, n, _sage_const_1 ) +b3 = matrix(QQ, m, n, [[N * int(i) for i in j] for j in vec]).T +b4 = zero_matrix(QQ, m, n) +b5 = zero_matrix(QQ, m, _sage_const_1 ) +b6 = N * _sage_const_3301 * identity_matrix(QQ, m) +b7 = matrix(QQ, _sage_const_1 , n, [_sage_const_1 /_sage_const_2 ]*n) +b8 = matrix(QQ, _sage_const_1 , _sage_const_1 , [_sage_const_1 /_sage_const_2 ]) +b9 = matrix(QQ, _sage_const_1 , m, [N * int(i) for i in s]) + + +B = block_matrix([[b1, b2, b3], [b4, b5, b6], [b7, b8, b9]]) + +print(B) +print() + +BH = B.LLL() + +BH = matrix(ZZ, _sage_const_2 * BH) + +print(BH) + +for beta in tqdm(range(_sage_const_0 , _sage_const_10 )): + BH = BH.BKZ(block_size=beta + _sage_const_1 , fp='rr', precision=_sage_const_200 ) + +BH = _sage_const_1 /_sage_const_2 * matrix(QQ, BH) + +print(BH) +print() +for out_vec in BH: + if abs(out_vec[-(m + _sage_const_1 )]) == _sage_const_1 /_sage_const_2 : + if out_vec[-(m + _sage_const_1 )] == -_sage_const_1 /_sage_const_2 : + testvec = [i + _sage_const_1 /_sage_const_2 for i in out_vec] + else: + testvec = [i + _sage_const_1 /_sage_const_2 for i in -out_vec] + + print(testvec) + +print() +print([i[_sage_const_0 ] for i in v]) + diff --git a/test_f5.sage b/test_f5.sage new file mode 100644 index 0000000..e4baa99 --- /dev/null +++ b/test_f5.sage @@ -0,0 +1,107 @@ +from random import randint +from tqdm import tqdm +from sage.rings.polynomial.msolve import variety as msolve_variety + +F = GF(3301, names=("z", )) + +f_a = list(F) + +# m = 32 +# n = 80 + +# m = 44 +# n = 112 + +# m = 72 +# n = 184 + +# m = 8 +# n = 20 + +# m = 2 +# n = 5 + +m = 44 +n = 112 + + +print("vars: ", n) +print("eqns: ", m) + +print("actual vars: ", n - m) +print("actual eqns: ", m + m) + +O = random_matrix(F, (n - m), m) + +output = "" +poly_m = [] + +z = zero_matrix(F, m, (n - m)) + +for i in tqdm(range(m)): + + P1 = random_matrix(F, (n - m), (n - m)) + + for j in range(0, len(P1.rows())): + for k in range(0, j): P1[j, k] = 0 + P2 = random_matrix(F, (n - m), m) + P3 = -O.T * P1 * O - O.T * P2 + + for j in range(0, len(P3.rows())): + for k in range(j+1, len(P3.rows())): + P3[j, k] += P3[k, j] + P3[k, j] = 0 + + for i in P1: + for j in i: + output += hex(f_a.index(j))[2:] + + for i in P2: + for j in i: + output += hex(f_a.index(j))[2:] + + for i in P3: + for j in i: + output += hex(f_a.index(j))[2:] + + P = block_matrix([ [P1, P2], [z, P3]]) + poly_m.append(P) + +v = matrix(F, n, 1, [randint(0, 1) for i in range(n)]) + +oil_basis = block_matrix(F, 2, 1, [O, identity_matrix(F, m)]) + +var_list = ','.join([f'x{i}' for i in range(n - m)]) +R = PolynomialRing(F, var_list) + + +value = zero_matrix(R, n, 1) +hint = zero_matrix(R, n, 1) +hint2 = zero_matrix(R, n, 1) + +for i in oil_basis.columns(): + value += F.random_element() * matrix(F, n, 1, list(i)) + hint += F.random_element() * matrix(F, n, 1, list(i)) + hint2 += F.random_element() * matrix(F, n, 1, list(i)) + +print(value) + +print() +print(n - m) + +print() +for i in range(n - m): + value[i] = R(f'x{i}') + +polys = [] +for i in poly_m: + polys.append((value.T * i * value)[0][0]) + polys.append((value.T * (i + i.T) * hint)[0][0]) + polys.append((value.T * (i + i.T) * hint2)[0][0]) + +I = R.ideal(*polys) + + + +print(msolve_variety(I, F, proof=False)) + diff --git a/test_f5.sage.py b/test_f5.sage.py new file mode 100644 index 0000000..b528db1 --- /dev/null +++ b/test_f5.sage.py @@ -0,0 +1,114 @@ + + +# This file was *autogenerated* from the file test_f5.sage +from sage.all_cmdline import * # import sage library + +_sage_const_3301 = Integer(3301); _sage_const_44 = Integer(44); _sage_const_112 = Integer(112); _sage_const_0 = Integer(0); _sage_const_1 = Integer(1); _sage_const_2 = Integer(2) +from random import randint +from tqdm import tqdm +from sage.rings.polynomial.msolve import variety as msolve_variety + +F = GF(_sage_const_3301 , names=("z", )) + +f_a = list(F) + +# m = 32 +# n = 80 + +# m = 44 +# n = 112 + +# m = 72 +# n = 184 + +# m = 8 +# n = 20 + +# m = 2 +# n = 5 + +m = _sage_const_44 +n = _sage_const_112 + + +print("vars: ", n) +print("eqns: ", m) + +print("actual vars: ", n - m) +print("actual eqns: ", m + m) + +O = random_matrix(F, (n - m), m) + +output = "" +poly_m = [] + +z = zero_matrix(F, m, (n - m)) + +for i in tqdm(range(m)): + + P1 = random_matrix(F, (n - m), (n - m)) + + for j in range(_sage_const_0 , len(P1.rows())): + for k in range(_sage_const_0 , j): P1[j, k] = _sage_const_0 + P2 = random_matrix(F, (n - m), m) + P3 = -O.T * P1 * O - O.T * P2 + + for j in range(_sage_const_0 , len(P3.rows())): + for k in range(j+_sage_const_1 , len(P3.rows())): + P3[j, k] += P3[k, j] + P3[k, j] = _sage_const_0 + + for i in P1: + for j in i: + output += hex(f_a.index(j))[_sage_const_2 :] + + for i in P2: + for j in i: + output += hex(f_a.index(j))[_sage_const_2 :] + + for i in P3: + for j in i: + output += hex(f_a.index(j))[_sage_const_2 :] + + P = block_matrix([ [P1, P2], [z, P3]]) + poly_m.append(P) + +v = matrix(F, n, _sage_const_1 , [randint(_sage_const_0 , _sage_const_1 ) for i in range(n)]) + +oil_basis = block_matrix(F, _sage_const_2 , _sage_const_1 , [O, identity_matrix(F, m)]) + +var_list = ','.join([f'x{i}' for i in range(n - m)]) +R = PolynomialRing(F, var_list) + + +value = zero_matrix(R, n, _sage_const_1 ) +hint = zero_matrix(R, n, _sage_const_1 ) +hint2 = zero_matrix(R, n, _sage_const_1 ) + +for i in oil_basis.columns(): + value += F.random_element() * matrix(F, n, _sage_const_1 , list(i)) + hint += F.random_element() * matrix(F, n, _sage_const_1 , list(i)) + hint2 += F.random_element() * matrix(F, n, _sage_const_1 , list(i)) + +print(value) + +print() +print(n - m) + +print() +for i in range(n - m): + value[i] = R(f'x{i}') + +polys = [] +for i in poly_m: + polys.append((value.T * i * value)[_sage_const_0 ][_sage_const_0 ]) + polys.append((value.T * (i + i.T) * hint)[_sage_const_0 ][_sage_const_0 ]) + polys.append((value.T * (i + i.T) * hint2)[_sage_const_0 ][_sage_const_0 ]) + +I = R.ideal(*polys) + + + +print(msolve_variety(I, F, proof=False)) + +