1
from sage.all import GF
2

3

4
def attack(q, A, b, E, S=None):
5
    """
6
    Recovers the secret key s from the LWE samples A and b.
7
    More information: "The Learning with Errors Problem: Algorithms" (Section 1)
8
    :param q: the modulus
9
    :param A: the matrix A, represented as a list of lists
10
    :param b: the vector b, represented as a list
11
    :param E: the possible error values
12
    :param S: the possible values of the entries in s (default: None)
13
    :return: a list representing the secret key s
14
    """
15
    m = len(A)
16
    n = len(A[0])
17
    gf = GF(q)
18
    pr = gf[tuple(f"x{i}" for i in range(n))]
19
    gens = pr.gens()
20

21
    f = []
22
    for i in range(m):
23
        p = 1
24
        for e in E:
25
            p *= (b[i] - sum(A[i][j] * gens[j] for j in range(n)) - e)
26
        f.append(p)
27

28
    if S is not None:
29
        # Use information about the possible values for s to add more polynomials.
30
        for j in range(n):
31
            p = 1
32
            for s in S:
33
                p *= (gens[j] - s)
34
            f.append(p)
35

36
    s = []
37
    for p in pr.ideal(f).groebner_basis():
38
        assert p.nvariables() == 1 and p.degree() == 1
39
        s.append(int(-p.constant_coefficient()))
40

41
    return s
42

43