gh-37118: Fix random polynomial bias

For a polynomial ring `R` say `GF(11)["x"]`, before `R.random_element` is very far from random, now it is uniformly random. URL: #37118 Reported by: grhkm21 Reviewer(s): grhkm21, Travis Scrimshaw
sagemath · Mar 21, 2024 · 397fd3f · 397fd3f
2 parents 9d73e3c + 9d1d0a1
commit 397fd3f
Show file tree

Hide file tree

Showing 5 changed files with 171 additions and 98 deletions.
diff --git a/src/sage/crypto/lattice.py b/src/sage/crypto/lattice.py
@@ -112,10 +112,10 @@ def gen_lattice(type='modular', n=4, m=8, q=11, seed=None,
         [ 0 11  0  0  0  0  0  0]
         [ 0  0 11  0  0  0  0  0]
         [ 0  0  0 11  0  0  0  0]
-        [-2 -3 -3  4  1  0  0  0]
-        [ 4 -2 -3 -3  0  1  0  0]
-        [-3  4 -2 -3  0  0  1  0]
-        [-3 -3  4 -2  0  0  0  1]
+        [-3 -3 -2  4  1  0  0  0]
+        [ 4 -3 -3 -2  0  1  0  0]
+        [-2  4 -3 -3  0  0  1  0]
+        [-3 -2  4 -3  0  0  0  1]
 
     Ideal bases also work with polynomials::
 
@@ -125,10 +125,10 @@ def gen_lattice(type='modular', n=4, m=8, q=11, seed=None,
         [ 0 11  0  0  0  0  0  0]
         [ 0  0 11  0  0  0  0  0]
         [ 0  0  0 11  0  0  0  0]
-        [ 1  4 -3  3  1  0  0  0]
-        [ 3  1  4 -3  0  1  0  0]
-        [-3  3  1  4  0  0  1  0]
-        [ 4 -3  3  1  0  0  0  1]
+        [-3  4  1  4  1  0  0  0]
+        [ 4 -3  4  1  0  1  0  0]
+        [ 1  4 -3  4  0  0  1  0]
+        [ 4  1  4 -3  0  0  0  1]
 
     Cyclotomic bases with n=2^k are SWIFFT bases::
 
@@ -137,10 +137,10 @@ def gen_lattice(type='modular', n=4, m=8, q=11, seed=None,
         [ 0 11  0  0  0  0  0  0]
         [ 0  0 11  0  0  0  0  0]
         [ 0  0  0 11  0  0  0  0]
-        [-2 -3 -3  4  1  0  0  0]
-        [-4 -2 -3 -3  0  1  0  0]
-        [ 3 -4 -2 -3  0  0  1  0]
-        [ 3  3 -4 -2  0  0  0  1]
+        [-3 -3 -2  4  1  0  0  0]
+        [-4 -3 -3 -2  0  1  0  0]
+        [ 2 -4 -3 -3  0  0  1  0]
+        [ 3  2 -4 -3  0  0  0  1]
 
     Dual modular bases are related to Regev's famous public-key
     encryption [Reg2005]_::

diff --git a/src/sage/crypto/lwe.py b/src/sage/crypto/lwe.py
@@ -670,7 +670,7 @@ def __init__(self, ringlwe):
             sage: lwe = RingLWEConverter(RingLWE(16, 257, D, secret_dist='uniform'))
             sage: set_random_seed(1337)
             sage: lwe()
-            ((32, 216, 3, 125, 58, 197, 171, 43), ...)
+            ((171, 197, 58, 125, 3, 216, 32, 130), ...)
         """
         self.ringlwe = ringlwe
         self._i = 0
@@ -686,7 +686,7 @@ def __call__(self):
             sage: lwe = RingLWEConverter(RingLWE(16, 257, D, secret_dist='uniform'))
             sage: set_random_seed(1337)
             sage: lwe()
-            ((32, 216, 3, 125, 58, 197, 171, 43), ...)
+            ((171, 197, 58, 125, 3, 216, 32, 130), ...)
         """
         R_q = self.ringlwe.R_q
 

diff --git a/src/sage/misc/randstate.pyx b/src/sage/misc/randstate.pyx
@@ -56,22 +56,22 @@ results of these random number generators reproducible. ::
 
     sage: set_random_seed(0)
     sage: print(rtest())
-    (303, -0.266166246380421, 1/6, (1,2), [ 0, 1, 1, 0, 0 ], 265625921, 79302, 0.2450652680687958)
+    (303, -0.266166246380421, 1/2*x^2 - 1/95*x - 1/2, (1,3), [ 1, 0, 0, 1, 1 ], 265625921, 5842, 0.9661911734708414)
     sage: set_random_seed(1)
     sage: print(rtest())
-    (978, 0.0557699430711638, -1/8*x^2 - 1/2*x + 1/2, (1,2,3), [ 1, 0, 0, 0, 1 ], 807447831, 23865, 0.6170498912488264)
+    (978, 0.0557699430711638, -3*x^2 - 1/12, (1,2), [ 0, 0, 1, 1, 0 ], 807447831, 29982, 0.8335077654199736)
     sage: set_random_seed(2)
     sage: print(rtest())
-    (207, -0.0141049486533456, 0, (1,3)(4,5), [ 1, 0, 1, 1, 1 ], 1642898426, 16190, 0.9343331114872127)
+    (207, -0.0141049486533456, 4*x^2 + 1/2, (1,2)(4,5), [ 1, 0, 0, 1, 1 ], 1642898426, 41662, 0.19982565117278328)
     sage: set_random_seed(0)
     sage: print(rtest())
-    (303, -0.266166246380421, 1/6, (1,2), [ 0, 1, 1, 0, 0 ], 265625921, 79302, 0.2450652680687958)
+    (303, -0.266166246380421, 1/2*x^2 - 1/95*x - 1/2, (1,3), [ 1, 0, 0, 1, 1 ], 265625921, 5842, 0.9661911734708414)
     sage: set_random_seed(1)
     sage: print(rtest())
-    (978, 0.0557699430711638, -1/8*x^2 - 1/2*x + 1/2, (1,2,3), [ 1, 0, 0, 0, 1 ], 807447831, 23865, 0.6170498912488264)
+    (978, 0.0557699430711638, -3*x^2 - 1/12, (1,2), [ 0, 0, 1, 1, 0 ], 807447831, 29982, 0.8335077654199736)
     sage: set_random_seed(2)
     sage: print(rtest())
-    (207, -0.0141049486533456, 0, (1,3)(4,5), [ 1, 0, 1, 1, 1 ], 1642898426, 16190, 0.9343331114872127)
+    (207, -0.0141049486533456, 4*x^2 + 1/2, (1,2)(4,5), [ 1, 0, 0, 1, 1 ], 1642898426, 41662, 0.19982565117278328)
 
 Once we've set the random number seed, we can check what seed was used.
 (This is not the current random number state; it does not change when
@@ -81,7 +81,7 @@ random numbers are generated.)  ::
     sage: initial_seed()
     12345
     sage: print(rtest())
-    (720, -0.612180244315804, 0, (1,3), [ 1, 0, 1, 1, 0 ], 1911581957, 65175, 0.8043027951758298)
+    (720, -0.612180244315804, x^2 - x, (1,2,3), [ 1, 0, 0, 0, 1 ], 1911581957, 27093, 0.9205331599518184)
     sage: initial_seed()
     12345
 
@@ -216,19 +216,19 @@ that you get without intervening ``with seed``. ::
 
     sage: set_random_seed(0)
     sage: r1 = rtest(); print(r1)
-    (303, -0.266166246380421, 1/6, (1,2), [ 0, 1, 1, 0, 0 ], 265625921, 79302, 0.2450652680687958)
+    (303, -0.266166246380421, 1/2*x^2 - 1/95*x - 1/2, (1,3), [ 1, 0, 0, 1, 1 ], 265625921, 5842, 0.9661911734708414)
     sage: r2 = rtest(); print(r2)
-    (443, 0.185001351421963, -2, (1,3), [ 0, 0, 1, 1, 0 ], 53231108, 8171, 0.28363811590618193)
+    (105, 0.642309615982449, -x^2 - x - 6, (1,3)(4,5), [ 1, 0, 0, 0, 1 ], 53231108, 77132, 0.001767155077382232)
 
 We get slightly different results with an intervening ``with seed``. ::
 
     sage: set_random_seed(0)
     sage: r1 == rtest()
     True
     sage: with seed(1): rtest()
-    (978, 0.0557699430711638, -1/8*x^2 - 1/2*x + 1/2, (1,2,3), [ 1, 0, 0, 0, 1 ], 807447831, 23865, 0.6170498912488264)
+    (978, 0.0557699430711638, -3*x^2 - 1/12, (1,2), [ 0, 0, 1, 1, 0 ], 807447831, 29982, 0.8335077654199736)
     sage: r2m = rtest(); r2m
-    (443, 0.185001351421963, -2, (1,3), [ 0, 0, 1, 1, 0 ], 53231108, 51295, 0.28363811590618193)
+    (105, 0.642309615982449, -x^2 - x - 6, (1,3)(4,5), [ 1, 0, 0, 0, 1 ], 53231108, 40267, 0.001767155077382232)
     sage: r2m == r2
     False
 
@@ -245,8 +245,8 @@ case, as we see in this example::
     sage: with seed(1):
     ....:     print(rtest())
     ....:     print(rtest())
-    (978, 0.0557699430711638, -1/8*x^2 - 1/2*x + 1/2, (1,2,3), [ 1, 0, 0, 0, 1 ], 807447831, 23865, 0.6170498912488264)
-    (181, 0.607995392046754, -x + 1/2, (2,3)(4,5), [ 1, 0, 0, 1, 1 ], 1010791326, 9693, 0.5691716786307407)
+    (978, 0.0557699430711638, -3*x^2 - 1/12, (1,2), [ 0, 0, 1, 1, 0 ], 807447831, 29982, 0.8335077654199736)
+    (138, -0.0404945051288503, 2*x - 24, (1,2,3), [ 1, 1, 0, 1, 1 ], 1010791326, 91360, 0.0033332230808060803)
     sage: r2m == rtest()
     True
 
@@ -258,7 +258,7 @@ NTL random numbers were generated inside the ``with seed``.
     True
     sage: with seed(1):
     ....:     rtest()
-    (978, 0.0557699430711638, -1/8*x^2 - 1/2*x + 1/2, (1,2,3), [ 1, 0, 0, 0, 1 ], 807447831, 23865, 0.6170498912488264)
+    (978, 0.0557699430711638, -3*x^2 - 1/12, (1,2), [ 0, 0, 1, 1, 0 ], 807447831, 29982, 0.8335077654199736)
     sage: r2m == rtest()
     True