Shamira Changeset - d19e877af29d

Changeset - d19e877af29d

Parent rev.

Child rev.

[Not reviewed]

default

0 4 0

Laman - 4 years ago 2020-11-29 20:34:47

finite field discrete fourier transform

4 files changed with 100 insertions and 70 deletions:

src/shamira/fft.py

src/shamira/gf256.py

src/shamira/tests/test_fft.py

src/shamira/tests/test_gf256.py

0 comments (0 inline, 0 general)

src/shamira/fft.py

➞

Show inline comments

 import math
 import cmath
 import itertools
 from .gf256 import gfmul, gfpow
 # values of n-th square roots
 SQUARE_ROOTS = {3: 189, 5: 12, 15: 225, 17: 53, 51: 51, 85: 15, 255: 3}
 def precompute_x(n):
 	"""Return a geometric sequence [1, w, w**2, ..., w**(n-1)], where w**n==1.
 	This can be done only for certain values of n."""
 	assert n in SQUARE_ROOTS
 	w = SQUARE_ROOTS[n]  # primitive N-th square root of 1
 	return list(itertools.accumulate([1]+[w]*(n-1), gfmul))
 def complex_dft(p):
 	"""Quadratic formula from the definition. The basic case in complex numbers."""
 	N = len(p)
 	w = cmath.exp(-2*math.pi*1j/N)  # primitive N-th square root of 1
 	y = [0]*N
 	for k in range(N):
 		xk = w**k
 		for n in range(N):
 			y[k] += p[n] * xk**n
 	return y
 def dft(p):
 	"""Quadratic formula from the definition."""
+	"""Quadratic formula from the definition. In GF256."""
 	N = len(p)
 	w = cmath.exp(-2*math.pi*1j/N)  # primitive N-th square root of 1
 	x = [0]*N
 	x = precompute_x(N)
 	y = [0]*N
 	for k in range(N):
 		x[k] = w**k
 		for n in range(N):
-			y[k] += p[n] * x[k]**n
+			y[k] ^= gfmul(p[n], gfpow(x[k], n))
 	return y
 def compute_inverse(N1, N2):
 	for i in range(N2):
 		if N1*i % N2 == 1:
 			return i
 	raise ValueError("Failed to find an inverse to {0} mod {1}.".format(N1, N2))
 def prime_fft(p, divisors):
 	"""https://en.wikipedia.org/wiki/Prime-factor_FFT_algorithm"""
 	if len(divisors) == 1:
-		return dft(p)
+		return complex_dft(p)
 	N = len(p)
 	N1 = divisors[0]
 	N2 = N//N1
 	N1_inv = compute_inverse(N1, N2)
 	N2_inv = compute_inverse(N2, N1)
 	ys = []
 	for n1 in range(N1):  # compute rows
 		p_ = [p[(n2*N1+n1*N2) % N] for n2 in range(N2)]
 		ys.append(prime_fft(p_, divisors[1:]))
 	for k2 in range(N2):  # compute cols
 		p_ = [row[k2] for row in ys]
-		y_ = dft(p_)
+		y_ = complex_dft(p_)
 		for (yi, row) in zip(y_, ys):  # update col
 			row[k2] = yi
 	# remap and output
 	res = [0]*N
 	for k1 in range(N1):
 		for k2 in range(N2):
 			res[(k1*N2*N2_inv+k2*N1*N1_inv) % N] = ys[k1][k2]
 	return res
 # arr = [9,8,5,3,8,4,9,7,0,9,5,6,6,2,4]
 # print(dft(arr))
 # print()
 # print(prime_fft(arr,[3,5]))
 """
 def fft(x):
     N = len(x)
     if N <= 1: return x
     even = fft(x[0::2])
     odd = fft(x[1::2])
     T = [cmath.exp(-2j*math.pi*k/N)*odd[k] for k in range(N//2)]
     return [even[k] + T[k] for k in range(N//2)] + \
            [even[k] - T[k] for k in range(N//2)]
 def fft_mixed(x, r1, r2):
 	A = dft(x)
 	for k0 in range(0, r2):
 		pass
 def bit_reverse(x, width):
 	y = 0
 	for i in range(width):
 		y <<= 1
 		y |= x&1
 		x >>= 1
 	return y
 def bit_reverse_seq(x):
 	n = len(x)
 	width = round(math.log2(n))
 	return [x[bit_reverse(i, width)] for i in range(n)]
 def fft2(x):
 	y = bit_reverse_seq(x)
 	n = len(x)
 	omegas = [(-2*math.pi*1j/n)**i for i in range(0, n)]
 	b = 1
 	while b<n:
 		for j in range(0, n, 2*b):
 			for k in range(0, b):
 				alpha = omegas[n*k//(2*b)]
 				u = y[j+k]
 				t = alpha*y[j+k+b]
 				y[j+k] = u+t
 				y[j+k+b] = u-t
 		b *= 2
 	return y
 """

src/shamira/gf256.py

➞

Show inline comments

@@ @@ -17,48 +17,61 @@ def _gfmul(a, b): @@
 	return res
 g = 3  # generator
 E = [None]*256  # exponentials
 L = [None]*256  # logarithms
 acc = 1
 for i in range(256):
 	E[i] = acc
 	L[acc] = i
 	acc = _gfmul(acc, g)
 L[1] = 0
 INV = [E[255-L[i]] if i!=0 else None for i in range(256)]  # multiplicative inverse
 def gfmul(a, b):
 	"""Fast multiplication. Basic multiplication is expensive. a*b==g**(log(a)+log(b))"""
 	assert 0<=a<=255, 0<=b<=255
 	if a==0 or b==0: return 0
 	t = L[a]+L[b]
 	if t>255: t -= 255
 	return E[t]
 def gfpow(x, k):
 	"""Compute x**k."""
 	i = 1
 	res = 1
 	while i <= k:
 		if k&i:
 			res = gfmul(res, x)
 		x = gfmul(x, x)
 		i <<= 1
 	return res
 def evaluate(coefs, x):
 	"""Evaluate polynomial's value at x.
 	:param coefs: [an, ..., a1, a0]."""
 	res = 0
 	for a in coefs:  # Horner's rule
 		res = gfmul(res, x)
 		res ^= a
 	return res
 def get_constant_coef(weights, y_coords):
 	"""Compute constant polynomial coefficient given the points.
 	See https://en.wikipedia.org/wiki/Shamir's_Secret_Sharing#Computationally_Efficient_Approach"""
 	return reduce(
 		operator.xor,
 		map(lambda ab: gfmul(*ab), zip(weights, y_coords))
+	)
 def compute_weights(x_coords):

src/shamira/tests/test_fft.py

➞

Show inline comments

 # GNU GPLv3, see LICENSE
 import random
 import functools
 import operator
 from unittest import TestCase
 from ..gf256 import evaluate
 from ..fft import *
 def batch_evaluate(coefs, xs):
 	return [evaluate(coefs, x) for x in xs]
 class TestFFT(TestCase):
 	def test_dft(self):
 		self.assertEqual(dft([0]), [0+0j])
 		self.assertEqual(dft([1]), [1+0j])
 		self.assertEqual(dft([2]), [2+0j])
 		all(self.assertAlmostEqual(a, b) for (a, b) in zip(dft([3, 1]), [4+0j, 2+0j]))
 		all(self.assertAlmostEqual(a, b) for (a, b) in zip(dft([3, 1, 4]), [8+0j, 0.5+2.59807621j, 0.5-2.59807621j]))
 		all(self.assertAlmostEqual(a, b) for (a, b) in zip(dft([3, 1, 4, 1]), [9+0j, -1+0j, 5+0j, -1+0j]))
 	def test_complex_dft(self):
 		self.assertEqual(complex_dft([0]), [0+0j])
 		self.assertEqual(complex_dft([1]), [1+0j])
 		self.assertEqual(complex_dft([2]), [2+0j])
 		all(self.assertAlmostEqual(a, b) for (a, b) in zip(complex_dft([3, 1]), [4+0j, 2+0j]))
 		all(self.assertAlmostEqual(a, b) for (a, b) in zip(complex_dft([3, 1, 4]), [8+0j, 0.5+2.59807621j, 0.5-2.59807621j]))
 		all(self.assertAlmostEqual(a, b) for (a, b) in zip(complex_dft([3, 1, 4, 1]), [9+0j, -1+0j, 5+0j, -1+0j]))
 		all(self.assertAlmostEqual(a, b) for (a, b) in zip(
-			dft([3, 1, 4, 1, 5]),
+			complex_dft([3, 1, 4, 1, 5]),
 			[14+0j, 0.80901699+2.04087031j, -0.30901699+5.20431056j, -0.30901699-5.20431056j, 0.80901699-2.04087031j]
 		))
 	def test_complex_prime_fft(self):
 		random.seed(1918)
 		for divisors in [[3], [2, 3], [3, 5], [3, 5, 17], [2, 3, 5, 7, 11]]:
 			n = functools.reduce(operator.mul, divisors)
 			coefficients = [random.randint(-128, 127) for i in range(n)]
 			a = prime_fft(coefficients, divisors)
 			b = complex_dft(coefficients)
 			all(self.assertAlmostEqual(ai, bi) for (ai, bi) in zip(a, b))
 	def test_dft(self):
 		random.seed(1918)
 		x = {i: precompute_x(i) for i in [3, 5, 15, 17]}  # all sets of xs
 		for n in [3, 5, 15, 17]:
 			coefficients = [random.randint(0, 255) for i in range(n)]
 			self.assertEqual(
 				dft(coefficients),
 				batch_evaluate(coefficients[::-1], x[n])
+			)

src/shamira/tests/test_gf256.py

➞

Show inline comments

 # GNU GPLv3, see LICENSE
 import random
 import unittest
 from unittest import TestCase
 from ..gf256 import _gfmul
 from ..gf256 import *
 class TestGF256(TestCase):
 	def test__gfmul(self):
 		self.assertEqual(_gfmul(0, 0), 0)
 		self.assertEqual(_gfmul(1, 1), 1)
 		self.assertEqual(_gfmul(2, 2), 4)
 		self.assertEqual(_gfmul(0, 21), 0)
 		self.assertEqual(_gfmul(0x53, 0xca), 0x01)
 		self.assertEqual(_gfmul(0xff, 0xff), 0x13)
 	def test_gfmul(self):
 		for a in range(256):
 			for b in range(256):
 				self.assertEqual(_gfmul(a, b), gfmul(a, b))
 	def test_gfpow(self):
 		self.assertEqual(gfpow(0, 0), 1)
 		for i in range(1, 256):
 			self.assertEqual(gfpow(i, 0), 1)
 			self.assertEqual(gfpow(i, 1), i)
 			self.assertEqual(gfpow(0, i), 0)
 			self.assertEqual(gfpow(1, i), 1)
 			self.assertEqual(gfpow(i, 256), i)
 			self.assertEqual(gfpow(i, 2), gfmul(i, i))
 		random.seed(1918)
 		for i in range(256):
 			j = random.randint(2, 255)
 			k = random.randint(3, 255)
 			y = 1
 			for m in range(k):
 				y = gfmul(y, j)
 			self.assertEqual(gfpow(j, k), y)
 	def test_evaluate(self):
 		for x in range(256):
 			(a0, a1, a2, a3) = (x, x>>1, x>>2, x>>3)
 			self.assertEqual(evaluate([17], x), 17)  # constant polynomial
 			self.assertEqual(evaluate([a3, a2, a1, a0], 0), x)  # any polynomial at 0
 			self.assertEqual(evaluate([a3, a2, a1, a0], 1), a0^a1^a2^a3)  # polynomial at 1 == sum of coefficients
 	def test_get_constant_coef(self):
 		weights = compute_weights((1, 2, 3))
 		ys = (1, 2, 3)
 		self.assertEqual(get_constant_coef(weights, ys), 0)
 		random.seed(17)
 		random_matches = 0
 		for i in range(10):
 			k = random.randint(2, 255)
 			# exact
 			res = self.check_coefs_match(k, k)
 			self.assertEqual(res[0], res[1])
 			# overdetermined
 			res = self.check_coefs_match(k, 256)
 			self.assertEqual(res[0], res[1])

0 comments (0 inline, 0 general)