![ݫ|      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~                 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJ K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h i j k l m n o p q r s t u v w x y z { | } ~                                     !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABC D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h i j k l m n o p q r s t u v w x y z { | } ~                                                                                           !!!!!!!!!!!!!!!!!!!!!!!!""""####### $ $ $ $ $$%%&&&&&&&&&& &!&"&#&$&%&&&''(')'*'+','-'.'/'0'1'2'3'4'5'6'7'8(9(:(;(<(=(>(?(@(A(B(C(D(E(F(G(H(I)J)K)L)M)N)O)P)Q)R)S)T)U)V)W)X)Y)Z*[*\*]*^*_*`*a*b*c*d*e*f*g*h*i*j*k+l+m+n+o+p+q+r+s+t+u+v+w+x+y+z+{+?,Internal module.G(c) Eric Crockett, 2011-2017 Chris Peikert, 2011-2017GPL-3ecrockett0@email.com experimental<POSIX \( \def\Z{\mathbb{Z}} \) \( \def\C{\mathbb{C}} \)None&'+,-./1=?HSVXfq%lol Convert a 4 to an integral type.&lolKind-restricted synonym for |.'lolKind-restricted synonym for |.1lolConvert an integral type to a 4.2lol Convert a 7 to an integral type.3lolConvert an integral type to a 7.4lolReify a 4 as a singleton.5lolReify a 4 for a | constraint.6lolReify a 7 as a singleton.7lolReify a 7 for a | constraint.8lol Template Haskell splice for the 4 type representing a given ", e.g.,  $(posType 8).9lol Template Haskell splice for the 7 type representing a given ", e.g.,  $(binType 
89).:lol)Template Haskell splice that defines the 4 type synonym Pn.;lol)Template Haskell splice that defines the 7 type synonym Bn.<lol6Template Haskell splice that declares a type synonym <pfx>n as the type f n.=lol;Infinite list of primes, built using Sieve of Erastothenes.>lolSearch for the argument in =. This is not particularly fast, but works well enough for moderate-sized numbers that would appear as (divisors of) cyclotomic indices of interest.<lol pfxlol flol n2234657:89./0!" #$%&'()*+,-123456789:;<=>-1Type-level positive naturals in Peano and binary.G(c) Eric Crockett, 2011-2017 Chris Peikert, 2011-2017GPL-3ecrockett0@email.com experimentalPOSIXNone.>234657:89!"./0 #$%&'()*+,-123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~.Internal module.G(c) Eric Crockett, 2011-2017 Chris Peikert, 2011-2017GPL-3ecrockett0@gmail.com experimentalPOSIXNone&',-./1=?@AHSUVXk6=lolType synonym for (prime, exponent) pair.lol&Constraint synonym for coprimality of B types.lol'Constraint synonym for divisibility of B types.lolKind-restricted synonym for |.lolKind-restricted synonym for |.lolKind-restricted synonym for |.lol,Type (family) synonym for multiplication of B types.lol&Type (family) synonym for division of B types.lolReify a ? as a singleton. lolReify a ? for a  constraint.!lolReify a @ as a singleton."lolReify a @ for a  constraint.#lolReify a B as a singleton.$lolReify a B for a  constraint.%lol:Entails constraint for transitivity of division, i.e. 
if  k \mid l  and  l \mid m , then  k \mid m .&lol(Entailment for divisibility by GCD: if  g=\gcd(m_1,m_2)  then  g \mid m_1  and  g \mid m_2 .'lol%Entailment for LCM divisibility: if  l=\lcm(m_1,m_2)  then  m_1 \mid l  and  m_2 \mid l .(lol=Entailment for LCM divisibility: the LCM of two divisors of  m  also divides  m .)lolEntailment for  p -free division: if  f  is m  after removing all  p -factors, then  f \mid m  and  \gcd(f,p)=1 .*lolEntailment for  p -free division: if  m \mid m' , then ) \text{p-free}(m) \mid \text{p-free}(m') .+lol Conversion.,lol Reflect a @ type to a  value.-lol2Value-level prime-power factorization tagged by a B type..lolThe value of a ? type./lolThe value of a B type.0lolThe totient of a B type's value.1lolThe "hat" of a B type's value: _ \hat{m} = \begin{cases} m & \mbox{if } m \text{ is odd} \\ m/2 & \text{otherwise} \end{cases} .2lol-The radical (product of prime divisors) of a B type.3lol5The odd radical (product of odd prime divisors) of a B type.4lolThe value of a B.5lol Totient of a B.6lol The hat of a B.7lolThe radical of a B.8lolThe odd radical of a B.9lol!Reflect the prime component of a @ type.:lol$Reflect the exponent component of a @ type.;lolThe value of a @ type.<lolThe totient of a @ type's value.=lolThe "hat" of a @ type's value:  p^e  if  p  is odd,  2^{e-1}  otherwise.>lolThe radical of a @ type's value.?lolThe odd radical of a @ type's value.}lol Product of values of individual s~lol"Product of totients of individual slol"Product of radicals of individual slol&Product of odd radicals of individual s@lolThe value of a prime power.AlolTotient of a prime power.BlolThe "hat" of a prime power:  p^e  if  p  is odd,  2^{e-1}  otherwise.ClolThe radical of a prime power.Dlol!The odd radical of a prime power.Elol Value of a ?.FlolReturn  m  if  m  is odd, and  m/2  otherwise.Glol Template Haskell splice for the ?? type corresponding to a given positive prime integer. 
(Uses > to enforce primality of the base, so should only be used on small-to-moderate-sized arguments.) This is the preferred (and only) way of constructing a concrete ?! type (and is used to define the Primep type synonyms).Hlol Template Haskell splice for the @ type corresponding to a given  . (Calls G on the first component of its argument, so should only be used on small-to-moderate-sized numbers.) This is the preferred (and only) way of constructing a concrete @ type.Ilol Template Haskell splice for the Bu type corresponding to a given positive integer. Factors its argument using a naive trial-division algorithm with =o, so should only be used on small-to-moderate-sized arguments (any reasonable cyclotomic index should be OK).Jlol)Template Haskell splice that defines the ? type synonym Primep for a positive prime integer  p .Klol)Template Haskell splice that defines the @ type synonym PPn, where  n=p^e .Llol)Template Haskell splice that defines the B type synonym Fn for a positive integer n.Mlol!Converts input to its data-level B representation.lolFactorize a positive integer into an ordered list of its prime divisors, with possible duplicates. 
First argument is infinite list of primes left to consider.lolkFactorize a positive integer into a list of (prime,exponent) pairs, in strictly increasing order by prime.U234657:89;<=>?@ABCDEFGHIJKLM!"./0 #$%&'()*+,-123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMType-level factored naturals.G(c) Eric Crockett, 2011-2017 Chris Peikert, 2011-2017GPL-3ecrockett0@gmail.com experimental#POSIX \( \def\lcm{\text{lcm}} \)None.P՜234657:89;<=>?@ABCDEFGHIJKLM!"./0 #$%&'()*+,-123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~BIL#$M@AHK!"?GJ EK J L ;<=>D C GFIHEM-/0231,9:;<>?=.45786%&'()*F+@ACDB465!"'8:45%13$2# 7:89./0(&9;6723-+,)*<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~NOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~1Generic interface for reflecting types to values.G(c) Eric Crockett, 2011-2017 Chris Peikert, 2011-2017GPL-3ecrockett0@email.com experimentalPOSIXNone -.=>?@AHXklolReflection without fundep, and with tagged value. 
Intended only for low-level code; build specialized wrappers around it for specific functionality.lol)Reflect the value assiated with the type a.NoneHV^/(Modifications to NumericPrelude for Lol.G(c) Eric Crockett, 2011-2017 Chris Peikert, 2011-2017GPL-3ecrockett0@email.com experimentalPOSIXNone&'+,.=?@AUVX lolSane synonym for .lolSane synonym for .lolSane synonym for .lolSane synonym for .lolSane synonym for .lolSane synonym for .lolConvenient synonym for ( a,  a)lolSane synonym for .lolSane synonym for .lolSane synonym for .lolSane synonym for .lolSane synonym for .lolSane synonym for .lolSane synonym for .lolSane synonym for .lolSane synonym for .lolSane synonym for .lolSane synonym for .lolSane synonym for .lolThe Prelude definition of .lolThe Prelude definition of .lolThe sane definition of  from 01 rather than the default from NumericPrelude.lolThe hidden NP function from Algebra.ToRational.lolBOur custom exponentiation, overriding NP's version that requires $ exponent. Copied from Jhttp://hackage.haskell.org/package/base-4.7.0.0/docs/src/GHC-Real.html#%5Elol Inverse of a modulo q , in range [0,q-1]'. (Argument order is infix-friendly.)lolXDecompose an element into a list of "centered" digits with respect to relative radices.lol3Deterministically round to the nearest multiple of  i .lol<Randomly round to the nearest larger or smaller multiple of  i 1, where the round-off term has expectation zero.lol Variant of 23) in which the remainder is in the range  [-b/2,b/2).lol instance for  lol instance for , missing from NPlol instance for , missing from NPlol dividend aloldivisor blol(quotient, remainder)  a` VZ_|}~zy{UT,) !"#$%*+&/01'(-.NOPQRS[\]^bcdefghijklmnopqrstuvwx     2Types for using crypto-api with MonadCryptoRandom.G(c) Eric Crockett, 2011-2017 Chris Peikert, 2011-2017GPL-3ecrockett0@email.com experimentalPOSIXNoneMlolTurns a  g into a standard .lol Evaluate a . computation using a cryptographic generator gN, seeded by system entropy. 
Note that the updated generator is not returned. 8Data type, functions, and instances for complex numbers.G(c) Eric Crockett, 2011-2017 Chris Peikert, 2011-2017GPL-3ecrockett0@email.com experimentalPOSIXNone+.=>?@AHMVX,lol9Newtype wrapper (with slightly different instances) for Number.Complex.lol@Rounds the real and imaginary components to the nearest integer.lol t/ is a complex value with magnitude 1 and phase t \bmod 2\cdot\pi).lol#Real component of a complex number. lol(Imaginary component of a complex number. lol:Embeds a scalar as the real component of a complex number. lolCustom instance replacing the one provided by numeric prelude: it always returns 0 as the remainder of a division. (The NP instance sometimes has precision issues, because it yields nonzero remainders, which is a problem for divG methods.)    Alternate Prelude.G(c) Eric Crockett, 2011-2017 Chris Peikert, 2011-2017GPL-3ecrockett0@email.com experimental<POSIX \( \def\Z{\mathbb{Z}} \) \( \def\C{\mathbb{C}} \)None+,-.1=>?@ACHMSUVXkR(lolRepresents that the target ring can "noisily encode" values from the source ring, in either "most significant digit" (MSD) or "least significant digit" (LSD) encodings, and provides conversion factors between the two types of encodings.lolThe factor that converts an element from LSD to MSD encoding in the target field, with associated scale factor to apply to correct the resulting encoded value.lolRepresents that a can be rescaled to b-, as an "approximate" additive homomorphism.lolFun-dep version of Lift.lolThe type of representatives of b.lolRepresents that b can be lifted to a "short" a congruent to b.lolRepresents that b is a quotient group of a. 
lolRepresents that a is a subgroup of b."lol0Represents a quotient group modulo some integer.%lol Poor man's .'lol4The characteristic of a ring, represented as a type.(lolInverted entries of .)lol*A default implementation of rescaling for " types.*lolBDeterministically round to the nearest value in the desired coset.+lol Version of  with an error message.,lolApply any applicative to a  value.-lolExpose the monad of a  value..lolHide the monad of a  value./lol7Use a singleton as a witness to extract a value from a  value.0lolTransformer version of /.2lol+Product ring as an (almost) integral domain3lol!Product ring as an (almost) field4lolPair as product ring9lolProduct ring of \Z_qs as a \Z_q (with $ modulus):lolReduce into product ring.;lolLift product ring of \Z_qs to $<lol%Rescale up by a product of five rings=lol%Rescale up by a product of four rings>lol&Rescale up by a product of three rings?lol$Rescale up by a product of two rings@lolRescale up to a product ring of \Z_qsAlolRescale up to a product ring of \Z_qsBlol"Rescale a (multi-)product ring of \Z_qsClolRescale a product ring of \Z_qsDlol'Rescale down by a product ring of five \Z_qsElol'Rescale down by a product ring of four \Z_qsFlol(Rescale down by a product ring of three \Z_qsGlol&Rescale down by a product ring of two \Z_qsHlolRescale a product ring of \Z_qsIlolEncode for a product ring( a` VZ_|}~zy{UT,) !"#$%*+&/01'(-.234657:89;<=>?@ABCDEFGHIJKLMNOPQRS[\]^bcdefghijklmnopqrstuvwx     !"./0 #$%&'()*+,-123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~   !"#$%&'()*+,-./0.%&"#$ !(' a` VZ_|}~zy{UT,) !"$%*+&/01'(-.NOPQRS[\]^bcdefghijklmnopqrstuvwx     #  )*+,-./0 Gaussian sampling.G(c) 
Eric Crockett, 2011-2017 Chris Peikert, 2011-2017GPL-3ecrockett0@email.com experimentalPOSIXNone+XvYJlolUsing polar form of Box-Muller transform, returns a pair of centered, Gaussian-distributed real numbers with scaled variance svar = true variance * (2*pi). See < Thttp://www.alpheratz.net/murison/Maple/GaussianDistribution/GaussianDistribution.pdf this link> for details.Klol Generate n0 real, independent gaussians of scaled variance svar = true variance * (2*pi).lol|Execute an action repeatedly until its result fails to satisfy a predicate, and return that result (discarding all others).JKJK >Interfaces for "gadgets," decomposition, and error correction.G(c) Eric Crockett, 2011-2017 Chris Peikert, 2011-2017GPL-3ecrockett0@email.com experimentalPOSIXNone,-.=>?@AHPVXkLlol&Error correction relative to a gadget.Mlol4Error-correct a "noisy" encoding of an element (see S7), returning the encoded element and the error vector.Nlol#Decomposition relative to a gadget.OlolThe ring that u decomposes over.PlolYield a short vector  x  such that  \langle g, x\rangle = u .QlolGadget) vectors, parameterized by an index type.RlolThe gadget vector over u.SlolYield an error-tolerant encoding of an element with respect to the gadget. 
(Mathematically, this should just be the product of the input with the gadget, but it is a class method to allow for optimized implementations.)Tlol#Dummy type representing the gadget  [1,b,b^2,\ldots] .Ulol#Dummy type representing the gadget  [1] .VlolDecompose a list entry-wise.WlolDecompose a matrix entry-wise.Xlol6Product ring: concatenate gadgets over component ringsYlol<Product ring: concatenate decompositions for component ringsZlol Product ring LMNOPQSRTUVW QSRNOPLMVWUT 7Abstract interfaces for operations on cyclotomic rings.(c) Chris Peikert, 2018-GPL-3ecrockett0@gmail.com experimentalPOSIX \( \def\Z{\mathbb{Z}} \) \( \def\F{\mathbb{F}} \) \( \def\Q{\mathbb{Q}} \) \( \def\Tw{\text{Tw}} \) \( \def\Tr{\text{Tr}} \) \( \def\O{\mathcal{O}} \)None ,>@AHSUVX*+[lolRescaling on cyclotomics from one base ring to another. (This is a separate class because there are optimized rescaling algorithms that can't be implemented using a.)\lolRescale in the given basis.]lol'Lift a cyclotomic in a specified basis.^lol#Lift in the specified basis (where * indicates that any x may be used)._lol,Fold over coefficients in a specified basis.`lol#Fold in the specified basis (where * indicates that any x may be used).alol+Map over coefficients in a specified basis.blol"Map in the specified basis (where * indicates that any x may be used).clol+Relative CRT sets of cyclotomic extensions.dlolThe relative mod-r CRT set of the extension.elolCyclotomic extensions  \O_{m'}/\O_m .flol"Embed into a cyclotomic extension.gloltThe "tweaked trace" (twace) ( Tw(x) = (hat{m} / hat{m}') cdot Tr((g' / g) cdot x) ), which is the left-inverse of f (i.e., twace . 
embed == id).hlol6The relative powerful/decoding bases of the extension.ilolZYield the coefficient vector with respect to the given (relative) basis of the extension.jlolfSampling from tweaked Gaussian distributions, discretized to mod-p cosets of cyclotomic number rings.klolxSample from the tweaked Gaussian with scaled variance ( v cdot p^2 ), deterministically rounded to the given coset of  R_p  using the decoding basis.llolSampling from  discretized> tweaked Gaussian distributions over cyclotomic number rings.mlolqSample from the tweaked Gaussian with given scaled variance, deterministically rounded using the decoding basis.nlolLSampling from tweaked Gaussian distributions over cyclotomic number fields.ololESample from the "tweaked" Gaussian distribution ( t cdot D ), where  D  has scaled variance  v .qlol!Yield the scaled squared norm of  g_m \cdot e W under the canonical embedding, namely, ( hat{m}^{-1} cdot | sigma(g_m cdot e) |^2 ).rlolOperations on cyclotomics.slol Multiply by the special element  g .tlolDivide by the special element  g  , returning *' if the input is not evenly divisible.ulol!Yield an equivalent element that mayc be in powerful/decoding/CRT representation. This can serve as an optimization hint. E.g., call w4 prior to multiplying a value by many other values.vlol!Yield an equivalent element that mayc be in powerful/decoding/CRT representation. This can serve as an optimization hint. E.g., call w4 prior to multiplying a value by many other values.wlol!Yield an equivalent element that mayc be in powerful/decoding/CRT representation. This can serve as an optimization hint. 
E.g., call w4 prior to multiplying a value by many other values.xlol1Used to specify a basis for cyclotomic operations{loli# specialized to the powerful basis.|loli# specialized to the decoding basis.}lolConvenient specializations of b.~lolConvenient specializations of b.lolConvenient specializations of b.lolConvenient specializations of `.lolConvenient specializations of `.lolConvenient specializations of `.lol/Reduce on a cyclotomic (in an arbitrary basis).lolConvenient specializations of ^.lolConvenient specializations of ^.lolConvenient specializations of ^.lol\# specialized to the powerful basis.lol\# specialized to the decoding basis..[\]^_`abcdeighfjklmnopqrwvustxyz{|}~.xyzrwvustpqnolmjkeighf{|cdab}~_`]^[\ 5Functions related to the Chinese Remainder Transform.I(c) Eric Crockett, 2011-2017 Chris Peikert, 2011-2017 GPL-3 ecrockett0@email.com  experimental $POSIX \( \def\C{\mathbb{C}} \) None+,-=>?@AHVXkܝlol,A ring with a ring embedding into some ring  r0 that has an invertible CRT transformation for every positive index m.lol Embeds from r to  rlolProjects from  r to rlolaA ring that (possibly) supports invertible Chinese remainder transformations of various indices.The values of  for different indices m- should be consistent, in the sense that if \omega_m,  \omega_{m'} are respectively mth, m'th roots of unity where m divides m'#, then it should be the case that \omega_{m'}^{m'/m}=\omega_m.lol for a given index mn. 
The method itself may be slow, but the function it returns should be fast, e.g., via internal memoization.lol^Information that characterizes the (invertible) Chinese remainder transformation over a ring R (represented by the type r ), namely: a function that returns the ith power of some  principal m'th root of unity (for any integer i)the multiplicative inverse of  \hat{m}\in R.lolReturns *lolReturns *lolReturns *lolReturns *lol'For testing ergonomics, we also have a % instance of  for complex numbers.lolComplex numbers have  for any index mlol Product ringlol Embeds into the complex numbers \C(. (May not have sufficient precision.)lol Embeds into the complex numbers \C.lol Embeds into the complex numbers \C.lol Embeds into the complex numbers \C.lol Self-embedlol Product ringYInterface for cyclotomic tensors, and helper functions for tensor indexing.G(c) Eric Crockett, 2011-2017 Chris Peikert, 2011-2017GPL-3ecrockett0@gmail.com experimentalPOSIX \( \def\Z{\mathbb{Z}} \) \( \def\Tw{\text{Tw}} \) \( \def\Tr{\text{Tr}} \) \( \def\CRT{\text{CRT}} \) \( \def\O{\mathcal{O}} \)None,-.>@AHPSUVXkqP7lol2A Kronecker product of zero of more matrices over r.lolA 7 that supports relative CRT sets for the element type fp) representing a prime-order finite field.lol Relative mod-p CRT set of  \O_{m'}/\O_{m}  in the decoding basis.lolOA coefficient tensor that supports taking norms under the canonical embedding.lol Given the coefficient tensor of e( with respect to the decoding basis of R&, yield the (scaled) squared norm of  g_m \cdot e) under the canonical embedding, namely, .\hat{m}^{-1} \cdot \| \sigma(g_m \cdot e) \|^2.lol5A coefficient tensor that supports Gaussian sampling.lol6Sample from the "tweaked" Gaussian error distribution t\cdot D in the decoding basis, where D has scaled variance v.lolREncapsulates functions related to the Chinese-remainder representation/transform.lolFA tuple of all the operations relating to the CRT basis, in a single % value for safety. 
Clients should typically not use this method directly, but instead call the corresponding top-level functions: the elements of the tuple correpond to the functions , , , , .lolA tuple of all the extension-related operations involving the CRT bases, for safety. Clients should typically not use this method directly, but instead call the corresponding top-level functions: the elements of the tuple correpond to the functions , .lol,Encapsulates multiplication and division by g_mlol Multiply by g_m in the powerful/decoding basislol Multiply by g_m in the powerful/decoding basislol Divide by g_m& in the powerful/decoding basis. The %j output indicates that the operation may fail, which happens exactly when the input is not divisible by g_m.lol Divide by g_m& in the powerful/decoding basis. The %j output indicates that the operation may fail, which happens exactly when the input is not divisible by g_m.lolKEncapsulates linear transformations needed for cyclotomic ring arithmetic. The type t m r6 represents a cyclotomic coefficient tensor of index m over base ring r. Most of the methods represent linear transforms corresponding to operations in particular bases. CRT-related methods are wrapped in %K because they are well-defined only when a CRT basis exists over the ring r for index m.WARNING:5 as with all fixed-point arithmetic, the methods in  may result in overflow (and thereby incorrect answers and potential security flaws) if the input arguments are too close to the bounds imposed by the base type. 
The acceptable range of inputs for each method is determined by the linear transform it implements.lol3Convert a scalar to a tensor in the powerful basis.lolGConvert between the decoding-basis and powerful-basis representations.lolGConvert between the decoding-basis and powerful-basis representations.lolThe twaceS linear transformation, which is the same in both the powerful and decoding bases.lolThe embed> linear transformations, for the powerful and decoding bases.lolThe embed> linear transformations, for the powerful and decoding bases.lolMap a tensor in the powerfuldecodingCRT basis, representing an \O_{m'}/ element, to a vector of tensors representing \O_m$ elements in the same kind of basis.lolThe relative powerful basis of  \O_{m'}/\O_{m}  , w.r.t. the powerful basis of  \O_{m'} .lol%Convenience value indicating whether  exists.lolcYield a tensor for a scalar in the CRT basis. (This function is simply an appropriate entry from .)lol Multiply by g_mG in the CRT basis. (This function is simply an appropriate entry from .)lol Divide by g_mH in the CRT basis. (This function is simply an appropriate entry from .)lolHThe CRT transform. (This function is simply an appropriate entry from .)lolPThe inverse CRT transform. (This function is simply an appropriate entry from .)lolSThe "tweaked trace" function for tensors in the CRT basis: For cyclotomic indices  m \mid m', 5\Tw(x) = (\hat{m}/\hat{m}') \cdot \Tr((g'/g) \cdot x)6. (This function is simply an appropriate entry from .)lolEmbed a tensor with index m* in the CRT basis to a tensor with index m'G in the CRT basis. 
(This function is simply an appropriate entry from .)lolFor a prime power p^e, converts any matrix M for prime p to \vec{1}_(p^{e-1}) \otimes M, where \vec{1} denotes the all-1s vector.lol Extract the (i,j) element of a .lolA  \varphi(m)(-by-1 matrix of the CRT coefficients of g_m, for mth cyclotomic.lolA  \varphi(m)0-by-1 matrix of the inverse CRT coefficients of g_m, for mth cyclotomic.lolThe "tweaked" \CRT^* matrix: %\CRT^* \cdot \text{diag}(\sigma(g_m)).lolThe "tweaked" \CRT^* matrix (for prime powers): %\CRT^* \cdot \text{diag}(\sigma(g_p)).lolA (p-1)(-by-1 matrix of the CRT coefficients of g_p, for pth cyclotomic.lolA (p-1)0-by-1 matrix of the inverse CRT coefficients of g_p , for the pth cyclotomic.lol1Base-(p) digit reversal; input and output are in [p^e].lol Convert a \Z_m^*# index to a linear tensor index in [m].lolFor a prime power p^e1, map a tensor index to the corresponding power j \in [\varphi(p^e)], as in the powerful basis.lolFor a prime power p^e3, map a tensor index to the corresponding element i \in \Z_{p^e}^*.lol Convert a \Z_m^* index to a linear tensor index.lol Inverse of .lol=Correspondences between the one-dim indexes into a basis of \O_{m'}=, and pair indices into [extension basis of ( O_{m'}/O_m )] \otimes [basis of \O_m]. The correspondences are the same for Pow, Dec, and CRT bases because they all have such a factorization. The first argument is the list of (\varphi(m),\varphi(m'))) pairs for the (merged) prime powers of m,(m').lolqA collection of useful information for working with tensor extensions. The first component is a list of triples (p,e,e') where e, e') are respectively the exponents of prime p in m, m'. The next two components are  \varphi(m) and  \varphi(m')!. The final component is a pair ! 
( \varphi(p^e), \varphi(p^{e'}))) for each triple in the first component.lol A vector of  \varphi(m) entries, where the i;th entry is the index into the powerful/decoding basis of \O_{m'} of the i+th entry of the powerful/decoding basis of \O_m.lol A vector of  \varphi(m) blocks of \varphi(m')/\varphi(m)T consecutive entries. Each block contains all those indices into the CRT basis of \O_{m'}A that "lie above" the corresponding index into the CRT basis of \O_m.lolA lookup table for  applied to indices  [\varphi(m')].lolA lookup table for  applied to indices  [\varphi(m')].lolSame as 7, but only includes the second component of each pair.lolThe i_0th entry of the i_1th vector is   (i_1,i_0).lolConvenient reindexing functionsMaps an index of the extension ring array to its corresponding index in the base ring array (if it exists), with sign, under the decoding basis.--4|Safely exposes a "sentinel" indicating usage of either CRT basis over a base ring, or over its extension ring.G(c) Eric Crockett, 2011-2017 Chris Peikert, 2011-2017GPL-3ecrockett0@gmail.com experimentalPOSIXNone ,->@AHUVXkU :An implementation of modular arithmetic over the integers.I(c) Eric Crockett, 2011-2017 Chris Peikert, 2011-2017 GPL-3 ecrockett0@email.com  experimental @POSIX \( \def\Z{\mathbb{Z}} \) \( \def\C{\mathbb{C}} \) None+,-.=>?@AHIMUVXkfZlol The ring \Z_q of integers modulo q!, using underlying integer type z.lol(An infinite list of primes greater than lower and congruent to 1 mod m.lolYield a  principal mth root of unity \omega_m \in \Z_q^*. The implementation requires q3 to be prime. It works by finding a generator of \Z_q^* and raising it to the  (q-1)/m4 power. 
Therefore, outputs for different values of m are consistent, i.e., \omega_{m'}^(m'/m) = \omega_m.lol The base-(b) gadget for modulus q$, over integers (not mod anything).lolSYield the error vector for a noisy multiple of the gadget (all over the integers).lol Embeds into the complex numbers  \C .lolmodulus qlolbase blol input vector v = s cdot g^t + elolerror e7An implementation of modular arithmetic over the reals.G(c) Eric Crockett, 2011-2017 Chris Peikert, 2011-2017GPL-3ecrockett0@gmail.com experimental<POSIX \( \def\Z{\mathbb{Z}} \) \( \def\R{\mathbb{R}} \)None+,-=>?@AHMVXklIlolThe additive group  \R/(q\Z)  of reals modulo q(, using underlying floating-point type r.,Basic (unoptimized) finite field arithmetic.G(c) Eric Crockett, 2011-2017 Chris Peikert, 2011-2017GPL-3ecrockett0@email.com experimental!POSIX \( \def\F{\mathbb{F}} \)None+,-./>@AHIMVXka lol"Convenience data type for writing  instances.lolRepresents fields over which we can get irreducible polynomials of desired degrees. 
(An instance of this class is defined in !Crypto.Lol.Types.IrreducibleChar2 and exported from Crypto.Lol.Types.)lol=This wrapper for a list of coefficients is used to define a \F_{p^d}#-module structure for tensors over \F_p of dimension n, where d \mid n.lol&Constraint synonym for a finite field.lol%Constraint synonym for a prime field.lol$A finite field of given degree over \F_p.lolYield a list of length exactly d* (i.e., including trailing zeros) of the \F_p.-coefficients with respect to the power basis.lol"Yield a field element given up to d/ coefficients with respect to the power basis.lolThe order of the field: size (GF fp d) =  p^d lolTrace into the prime subfield.lol#Traces of the power basis elements \{1, x, x^2, \ldots, x^{d-1}\}.lol!Convenience function for writing  instances.Orphan instance of  for characteristic-2 fields.G(c) Eric Crockett, 2011-2017 Chris Peikert, 2011-2017GPL-3ecrockett0@email.com experimentalPOSIXNone+-/=>?@AHVXk#5@Concrete types needed to instantiate cryptographic applications.G(c) Eric Crockett, 2011-2017 Chris Peikert, 2011-2017GPL-3ecrockett0@email.com experimental<POSIX \( \def\Z{\mathbb{Z}} \) \( \def\R{\mathbb{R}} \)None      Multiplicative groups mod q.G(c) Eric Crockett, 2011-2017 Chris Peikert, 2011-2017GPL-3ecrockett0@email.com experimental!POSIX \( \def\Z{\mathbb{Z}} \)None+,-.>@AHUVXklolThe multiplicative order of p (the argument) modulo m . 
Requires \(\gcd(p,m)=1\).
Given p, returns a partition of the cosets of \(\Z_{m'}^* / <p>\) (specified by representatives), where the cosets in each component are in bijective correspondence with the cosets of \(\Z_m^* / <p>\), under the natural \((\bmod m)\) homomorphism.

Infrastructure for benchmarking Lol.
(c) Eric Crockett, 2011-2017; Chris Peikert, 2011-2017. License: GPL-3. Maintainer: ecrockett0@email.com. Stability: experimental. Portability: POSIX.
Make a  Benchmark from a function and its input
Make a  Benchmark from an IO function and its input

Benchmarks for the Tensor interface.
(c) Eric Crockett, 2011-2017; Chris Peikert, 2011-2017. License: GPL-3. Maintainer: ecrockett0@email.com. Stability: experimental. Portability: POSIX.
Benchmarks for single-index Tensor operations. There must be a CRT basis for \(O_m\) over r. These cover the same functions as cycBenches1, but may have different performance due to how GHC interacts with Lol.
Benchmarks for inter-ring Tensor operations. There must be a CRT basis for \(O_{m'}\) over r. These cover the same functions as cycBenches1, but may have different performance due to how GHC interacts with Lol.

Pretty-printing for benchmark results.
(c) Eric Crockett, 2011-2017; Chris Peikert, 2011-2017. License: GPL-3. Maintainer: ecrockett0@email.com. Stability: experimental. Portability: POSIX.
Options for printing benchmark summary.
Character width of row labels
Verbosity
Which levels of Lol to benchmark
Which operations to benchmark
Which parameters to benchmark
How many times larger a benchmark must be (compared to the minimum benchmark for that parameter, across all levels), to be printed in red
Character width of data columns
Verbosity of benchmark output.
prints a '.' when each benchmark completes
prints a one-line summary for each benchmark
prints full criterion output for each benchmark
The report runtime, in seconds.

Pretty-printing for benchmark results across levels of the Lol stack.
(c) Eric Crockett, 2011-2017; Chris Peikert, 2011-2017. License: GPL-3. Maintainer: ecrockett0@email.com. Stability: experimental. Portability: POSIX.
Options for the diagnostic benchmark printout.
Character width of row labels
Verbosity
Which levels of Lol to benchmark. The empty list means run all levels.
Which operations to benchmark. The empty list means run all benchmarks.
How many times larger a benchmark must be (compared to the minimum benchmark for that parameter, across all levels), to be printed in red
Character width of data columns
Runs all benchmarks with verbosity .
Takes benchmark options and a benchmark group nested as params/level/op, and prints a table comparing operations across all selected levels of Lol.

Pretty-printing for benchmark results within a single level of the Lol stack.
(c) Eric Crockett, 2011-2017; Chris Peikert, 2011-2017. License: GPL-3. Maintainer: ecrockett0@email.com. Stability: experimental. Portability: POSIX.
Options for the simple benchmark format.
Character width of row labels
Verbosity
Which level of Lol to benchmark
Which operations to benchmark. The empty list means run all benchmarks.
Which parameters to benchmark. The empty list means run all parameters.
Character width of data columns
Runs all benchmarks with verbosity .
Takes benchmark options and a benchmark group nested as params/level/op, and prints a table comparing operations across all selected levels of Lol.

Infrastructure for testing Lol.
(c) Eric Crockett, 2011-2017; Chris Peikert, 2011-2017. License: GPL-3. Maintainer: ecrockett0@email.com. Stability: experimental. Portability: POSIX.
Make a Test given a name, a testing function, and a parameter generator
Make a Test given a name, a monadic (IO only) testing function, and a parameter generator
Make a Test given a name and a  value
Make a Test given a name and a monadic (IO only)  value
Apply parameters to a list of Test.

Convenient interfaces for serialization with protocol buffers.
(c) Eric Crockett, 2011-2017; Chris Peikert, 2011-2017. License: GPL-3. Maintainer: ecrockett0@email.com. Stability: experimental. Portability: POSIX.
Conversion between Haskell types and their protocol buffer representations.
Convert from a type to its protocol buffer representation.
Convert from a protocol buffer representation.
Constraint synonym for end-to-end reading/parsing/writing of  types.
Serialize a Haskell type to its protocol buffer .
Read a protocol buffer  to a Haskell type.
Read a serialized protobuffer from a file.
Writes any auto-gen'd proto object to path/filename.
Read a protocol buffer stream at the given path and convert it to typed Haskell data.
Write a protocol buffer stream for Haskell data to the given path.

Provides applicative-like functions for indexed vectors.
(c) Eric Crockett, 2011-2017; Chris Peikert, 2011-2017. License: GPL-3. Maintainer: ecrockett0@gmail.com. Stability: experimental. Portability: POSIX.
Indexed Zip Vector: a wrapper around a (boxed)  that has zip-py  behavior, analogous to  for lists.
The index m enforces proper lengths (and is necessary to implement ).
Deconstructor
Smart constructor that checks whether length of input is right (should be totient of m).
Unzip an IZipVector.

Functions from one cyclotomic ring to another that are linear over a common subring.
(c) Eric Crockett, 2011-2018; Chris Peikert, 2011-2018. License: GPL-3. Maintainer: ecrockett0@gmail.com. Stability: experimental. Portability: POSIX.
\( \def\lcm{\text{lcm}} \)
A convenient constraint synonym for extending a linear function to larger rings.
An E-linear function from R to S.
Construct an E-linear function given a list of its output values (in S) on the relative decoding basis of R/E. The number of elements in the list must not exceed the size of the basis.
Evaluates the given linear function on the input.
Lift the linear function in the specified basis (or any, if  is given). The powerful basis is generally best, geometrically.
Change the underlying cyclotomic representation.
Extend an \(E\)-linear function \(R \to S\) to an \(E'\)-linear function \(R' \to S'\).

A low-level implementation of cyclotomic rings.
(c) Eric Crockett, 2011-2017; Chris Peikert, 2011-2017. License: GPL-3. Maintainer: ecrockett0@gmail.com. Stability: experimental. Portability: POSIX.
\( \def\Z{\mathbb{Z}} \) \( \def\F{\mathbb{F}} \) \( \def\Q{\mathbb{Q}} \) \( \def\O{\mathcal{O}} \)
separate class because some base rings don't have a CRT basis
Convert to an appropriate CRT-basis representation.
Convert to powerful-basis representation.
Convert to decoding-basis representation.
Constraints needed for CRT-related operations on  data.
Convenient synonym for random sampling.
Convenient synonym for either CRT representation.
Nullary index type representing the CRT basis over extension of base ring.
Nullary index type representing the CRT basis over base ring.
Nullary index type representing the decoding basis.
Represents a cyclotomic ring such as \(\Z[\zeta_m]\), \(\Z_q[\zeta_m]\), and \(\Q(\zeta_m)\) in an explicit representation: t is the  type for storing coefficient tensors; m is the cyclotomic index; rep is the representation (e.g., , , , ); r is the base ring of the coefficients (e.g., \(\Z\), \(\Z_q\)).
Nullary index type representing the powerful basis.
Embed a scalar from the base ring.
Embed a scalar from the base ring.
multiply by the special element g
multiply by the special element g
multiply by the special element g
Divide by the special element \(g_m\). WARNING: this implementation is not a constant-time algorithm, so information about the argument may be leaked through a timing channel.
Similar to .
Similar to .
Yield the scaled squared norm of \(g_m \cdot e\) under the canonical embedding, namely, \(\hat{m}^{-1} \cdot \| \sigma(g_m \cdot e) \|^2\).
Sample from the "tweaked" Gaussian error distribution \(t\cdot D\) in the decoding basis, where D has scaled variance v.
Sample from the tweaked Gaussian with given scaled variance, deterministically rounded using the decoding basis. (This implementation uses  precision to generate the Gaussian sample, which might not be sufficient for rigorous proof-based security.)
Sample from the tweaked Gaussian with scaled variance \(v \cdot p^2\), deterministically rounded to the given coset of \(R_p\) using the decoding basis. (This implementation uses  precision to generate the Gaussian sample, which may not be sufficient for rigorous proof-based security.)
Embed into an extension ring, for the powerful basis.
Embed into an extension ring, for the CRT basis. (The output is an  because the extension ring might not support .)
Similar to . (The output is an  because the extension ring might support , in which case we never use .)
Twace into a subring, for the powerful basis.
Twace into a subring, for the decoding basis.
Twace into a subring, for the CRT basis. (The output is an  because the subring might not support .)
Similar to .
(The output is an  because the subring might support , in which case we never use .)
Yield the \(\O_m\)-coefficients of an \(\O_{m'}\)-element, with respect to the relative powerful \(\O_m\)-basis.
Yield the \(\O_m\)-coefficients of an \(\O_{m'}\) element, with respect to the relative decoding \(\O_m\)-basis.
The relative powerful basis of \(\O_{m'} / \O_m\).
The relative mod-\(r\) CRT set of \(\O_{m'} / \O_m\), represented with respect to the powerful basis (which seems to be the best choice for typical use cases).
Convenient version of  for  CRT basis type.
apply coefficient-wise
apply coefficient-wise
apply coefficient-wise
apply coefficient-wise
\(R_p\) is an \(\F_{p^d}\)-module when \(d\) divides \(\varphi(m)\), by applying \(d\)-dimensional \(\F_p\)-linear transform on \(d\)-dim chunks of powerful basis coeffs.
only for appropriate CRT representation
only for appropriate CRT representation (otherwise  would violate internal invariant)

Benchmarks for .
(c) Eric Crockett, 2011-2017; Chris Peikert, 2011-2017. License: GPL-3. Maintainer: ecrockett0@email.com. Stability: experimental. Portability: POSIX.
Benchmarks for single-index  operations. There must be a CRT basis for \(O_m\) over r. These cover the same functions as cycBenches1, but may have different performance due to how GHC interacts with Lol.
Benchmarks for inter-ring  operations. There must be a CRT basis for \(O_{m'}\) over r.
These cover the same functions as cycBenches2, but may have different performance due to how GHC interacts with Lol.

An implementation of cyclotomic rings that hides and automatically manages the internal representations of ring elements.
(c) Eric Crockett, 2011-2018; Chris Peikert, 2011-2018. License: GPL-3. Maintainer: ecrockett0@gmail.com. Stability: experimental. Portability: POSIX.
\( \def\Z{\mathbb{Z}} \) \( \def\F{\mathbb{F}} \) \( \def\Q{\mathbb{Q}} \) \( \def\Tw{\text{Tw}} \) \( \def\Tr{\text{Tr}} \) \( \def\O{\mathcal{O}} \)
Go between  and , in a desired representation.
A cyclotomic ring such as \(\Z[\zeta_m]\), \(\Z_q[\zeta_m]\), or \(\Q[\zeta_m]\): t is the Tensor type for storing coefficient tensors; m is the cyclotomic index; r is the base ring of the coefficients (e.g., \(\Q\), \(\Z\), \(\Z_q\)).
Underlying GADT for a cyclotomic ring in one of several representations.
Convenience wrapper.
Convenience wrapper.
Unwrap a  as a  in powerful-basis representation.
Unwrap a  as a  in decoding-basis representation.
Force to a non-  constructor (for internal use only).
Force to powerful-basis representation (for internal use only).
Force to decoding-basis representation (for internal use only).
Force to a CRT representation (for internal use only).
promoted from base ring, using the decoding basis for best geometry
promoted from base ring, using the powerful basis for best geometry
promoted from base ring
identity rescale (more specific)
uses  precision for the intermediate Gaussian samples
\(R_p\) is an \(\F_{p^d}\)-module when \(d\) divides \(\varphi(m)\), by applying \(d\)-dimensional \(\F_p\)-linear transform on \(d\)-dim chunks of powerful basis coeffs.
convenient rescale-down by multiple components at once
convenient rescale-down by multiple components at once
convenient rescale-down by multiple components at once
specialized (faster) rescale-down by a single \(\Z_q\)
rescale up by one additional modulus
no-op rescale for Cyc over pairs
rescale from one modulus to another
rescale from one modulus to another
Rescales relative to the powerful basis. This instance is provided for convenience, but usage of  is preferred to explicitly specify which basis by which to rescale.
uses  for the intermediate Gaussian samples
uses  for the intermediate Gaussian sample
additive group \(K/qR\), limited to powerful- or decoding-basis representation
cyclotomic ring of integers with unbounded precision, limited to powerful- or decoding-basis representation.
cyclotomic over a product base ring, represented as a product of cyclotomics over the individual rings

Primary interface to the Lol library.
(c) Eric Crockett, 2011-2017; Chris Peikert, 2011-2017. License: GPL-3. Maintainer: ecrockett0@gmail.com. Stability: experimental. Portability: POSIX.
\( \def\Z{\mathbb{Z}} \) \( \def\C{\mathbb{C}} \) \( \def\Q{\mathbb{Q}} \) \( \def\R{\mathbb{R}} \) \( \def\F{\mathbb{F}} \) \( \def\O{\mathcal{O}} \)

Pretty print type parameters.
(c) Eric Crockett, 2011-2017; Chris Peikert, 2011-2017. License: GPL-3. Maintainer: ecrockett0@email.com. Stability: experimental. Portability: POSIX.
\( \def\C{\mathbb{C}} \)
Constraint synonym for printing test parameters.
Wrapper type for printing test/benchmark names.
Converts  syntax into nested pair representation.
Convenient syntax for multiplication of moduli in a .
Print a showable type argument.

Tests for modular arithmetic.
(c) Eric Crockett, 2011-2017; Chris Peikert, 2011-2017. License: GPL-3. Maintainer: ecrockett0@email.com. Stability: experimental. Portability: POSIX.
Tests for modular arithmetic implementations.

Tests for the Tensor interface.
(c) Eric Crockett, 2011-2017; Chris Peikert, 2011-2017. License: GPL-3. Maintainer: ecrockett0@email.com. Stability: experimental. Portability: POSIX.

Tests for the  interface.
(c) Eric Crockett, 2011-2017; Chris Peikert, 2011-2017. License: GPL-3. Maintainer: ecrockett0@email.com. Stability: experimental. Portability: POSIX.
Tests for single-index  operations. There must be a CRT basis for \(O_m\) over r.
Tests for inter-ring  operations. There must be a CRT basis for \(O_{m'}\) over r.

High-level tensor tests.
(c) Eric Crockett, 2011-2017; Chris Peikert, 2011-2017. License: GPL-3. Maintainer: ecrockett0@gmail.com. Stability: experimental. Portability: POSIX.
Default parameters for  tests.

Infrastructure for benchmarking lol.
(c) Eric Crockett, 2011-2017; Chris Peikert, 2011-2017. License: GPL-3. Maintainer: ecrockett0@email.com. Stability: experimental. Portability: POSIX.
\( \def\C{\mathbb{C}} \)

Functions and types for working with ring-LWR samples.
(c) Eric Crockett, 2011-2017; Chris Peikert, 2011-2018. License: GPL-3. Maintainer: ecrockett0@gmail.com. Stability: experimental. Portability: POSIX.
Common constraints for working with RLWR.
An RLWR sample \((a,b) \in R_q \times R_p\).
An RLWR sample with the given secret.
The b component of an RLWR sample for secret s and given a, produced by rounding \(a\cdot s\) in the decoding basis.

Functions and types for working with continuous ring-LWE samples.
(c) Eric Crockett, 2011-2017; Chris Peikert, 2011-2018. License: GPL-3. Maintainer: ecrockett0@gmail.com. Stability: experimental. Portability: POSIX.
\( \def\Z{\mathbb{Z}} \) \( \def\R{\mathbb{R}} \)
Common constraints for working with continuous RLWE.
A continuous RLWE sample \((a,b) \in R_q \times K/(qR)\).
The base type rrq represents \(\R/q\Z\), the additive group of reals modulo \(q\).
A continuous RLWE sample with the given scaled variance and secret.
The error term of an RLWE sample, given the purported secret.
The  of the error term of an RLWE sample, given the purported secret.
Gives \(c^2\) such that the Gaussian mass outside a ball of radius \(c\) is approximately \(\epsilon\) (i.e., the Gaussian measure for \(\| x^2 \| > c^2 \cdot n\) is \(\approx \epsilon\)).
A bound such that the  of a continuous error generated by  with scaled variance v (over the mth cyclotomic field) is less than the bound except with probability approximately \(\varepsilon\).
the scaled variance
\(\varepsilon\)

Functions and types for working with discretized ring-LWE samples.
(c) Eric Crockett, 2011-2017; Chris Peikert, 2011-2018. License: GPL-3. Maintainer: ecrockett0@gmail.com. Stability: experimental. Portability: POSIX.
Common constraints for working with discrete RLWE.
A discrete RLWE sample \((a,b) \in R_q \times R_q\).
A discrete RLWE sample with the given scaled variance and secret.
The error term of an RLWE sample, given the purported secret.
The  of the error term of an RLWE sample, given the purported secret.
A bound such that the  of a discretized error term generated by  with scaled variance v (over the mth cyclotomic field) is less than the bound except with probability approximately \(\epsilon\).
the scaled variance
\(\epsilon\)

Benchmarks for the  interface.
(c) Eric Crockett, 2011-2017; Chris Peikert, 2011-2017. License: GPL-3. Maintainer: ecrockett0@email.com. Stability: experimental. Portability: POSIX.
Benchmarks for single-index  operations. There must be a CRT basis for \(O_m\) over r.
Benchmarks for inter-ring  operations. There must be a CRT basis for \(O_{m'}\) over r.

Default high-level benchmarks for  implementations.
(c) Eric Crockett, 2011-2017; Chris Peikert, 2011-2017. License: GPL-3. Maintainer: ecrockett0@email.com. Stability: experimental. Portability: POSIX.
Benchmark parameters reported in the paper.
We suggest running these benchmarks to quickly compare performance on your system or with your  backend.
Collection of all single-index operations at all levels of the library.
Collection of all inter-ring operations at all levels of the library.

Infrastructure for benchmarking lol.
(c) Eric Crockett, 2011-2017; Chris Peikert, 2011-2017. License: GPL-3. Maintainer: ecrockett0@email.com. Stability: experimental. Portability: POSIX.
\( \def\C{\mathbb{C}} \)
SampleCont$fTextMsgSampleCont$fTextTypeSampleCont$fReflectDescriptorSampleCont$fGPBSampleCont$fMessageAPImsg'->SampleCont$fWireSampleCont$fDefaultSampleCont$fMergeableSampleCont$fShowSampleCont$fEqSampleCont$fOrdSampleCont$fDataSampleCont$fGenericSampleContSampleContProduct$fTextMsgSampleContProduct$fTextTypeSampleContProduct$$fReflectDescriptorSampleContProduct$fGPBSampleContProduct#$fMessageAPImsg'->SampleContProduct$fWireSampleContProduct$fDefaultSampleContProduct$fMergeableSampleContProduct$fShowSampleContProduct$fEqSampleContProduct$fOrdSampleContProduct$fDataSampleContProduct$fGenericSampleContProduct SampleDisc$fTextMsgSampleDisc$fTextTypeSampleDisc$fReflectDescriptorSampleDisc$fGPBSampleDisc$fMessageAPImsg'->SampleDisc$fWireSampleDisc$fDefaultSampleDisc$fMergeableSampleDisc$fShowSampleDisc$fEqSampleDisc$fOrdSampleDisc$fDataSampleDisc$fGenericSampleDiscSampleDiscProduct$fTextMsgSampleDiscProduct$fTextTypeSampleDiscProduct$$fReflectDescriptorSampleDiscProduct$fGPBSampleDiscProduct#$fMessageAPImsg'->SampleDiscProduct$fWireSampleDiscProduct$fDefaultSampleDiscProduct$fMergeableSampleDiscProduct$fShowSampleDiscProduct$fEqSampleDiscProduct$fOrdSampleDiscProduct$fDataSampleDiscProduct$fGenericSampleDiscProduct SampleRLWR$fTextMsgSampleRLWR$fTextTypeSampleRLWR$fReflectDescriptorSampleRLWR$fGPBSampleRLWR$fMessageAPImsg'->SampleRLWR$fWireSampleRLWR$fDefaultSampleRLWR$fMergeableSampleRLWR$fShowSampleRLWR$fEqSampleRLWR$fOrdSampleRLWR$fDataSampleRLWR$fGenericSampleRLWRSampleRLWRProduct$fTextMsgSampleRLWRProduct$fTextTypeSampleRLWRProduct$$fReflectDescriptorSampleRLWRProduct$fGPBSampleRLWRProduct#$fMessageAPImsg'->SampleRLWRProduct$fWireSampleRLWRProduct$fDefaultSampleRLWRProduct$fMergeableSampleRLWRProduct$fShowSampleRLWRProduct$fEqSampleRLWRProduct$fOrdSampleRLWRProduct$fDataSampleRLWRProduct$fGenericSampleRLWRProductSingIvaluePPs totientPPs radicalPPs oddRadicalPPs factorize' factorizeMathObj.MatrixTMathObj.PolynomialAlgebra.RealField $fCDouble 
$fNFDataTdeepseq-1.4.4.0Control.DeepSeqNFData $fNFDataT0(crypto-api-0.13.3-BcWUv99dv4OGoOCPBMHYMX Crypto.RandomCryptoRandomGen!random-1.1-3ypV4EIycgb35PKjTYYr5q System.Random RandomGen*MonadRandom-0.5.1.2-21KIqpioshE9pTS7rjbtWRControl.Monad.Trans.Random.LazyRandTfromJust/tagged-transformer-0.8.1-Bi0fXCdyrVHGSFDxj0LhppData.Functor.Trans.TaggedTagged Data.Proxy asProxyTypeOfProxyKProxywitnessTtagTWith untagTSelftagTSelfunproxyTproxyTasTaggedTypeOf reflectedM reflected mapTaggedTretagtagTwitnesstagWith untagSelftagSelfunproxyproxyuntagtagTaggedTTagTuntagT iterateWhileppKron twCRTsPPow gCRTPrime gInvCRTPrime indexToPow indexToZms zmsToIndex zmsToIndexPP toIndexPair baseIndexDec fromIndexPair ESentinel CSentinel crtSentinel crtCSentinel crtESentinel scalarCRTCScrtCScrtInvCS mulGCRTCS divGCRTCS embedCRTCS twaceCRTCSprincipalRootUnitygadgetZcorrectZ powTraces OptsInternallevels redThreshold getRuntimetestNamecol getTableNamegetBenchParams getBenchLvl getBenchFunc getReportsTest.QuickCheck.PropertyTestablebytestring-0.10.8.2Data.ByteString.Lazy.Internal ByteString&vector-0.12.1.2-FWeXzqARiSu45G657Sieqk Data.VectorVector ApplicativeControl.ApplicativeZipListpureToCRTtoPowCECycGcycPCcycPE unCycGPow unCycGDecembed'SubtoPow'toDec'toCRT' D:R:CyctmRRq0D:R:CyctmInteger0 D:R:Cyctm(,)0