From 8a817b6ec4207c7d07623c532b64eabcd0e79f4b Mon Sep 17 00:00:00 2001 From: Ludo Pulles Date: Thu, 19 Sep 2024 22:32:04 +0200 Subject: [PATCH 1/2] Potential fix for #87 and #95 --- estimator/lwe_primal.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/estimator/lwe_primal.py b/estimator/lwe_primal.py index aca4de3..d75f6de 100644 --- a/estimator/lwe_primal.py +++ b/estimator/lwe_primal.py @@ -99,6 +99,8 @@ def cost_gsa( tau = False # Tau false ==> instance is homogeneous d = PrimalUSVP._solve_for_d(params, m, beta, tau, xi) if d is None else d + if d < beta: + d = beta # if d == β we assume one SVP call, otherwise poly calls. This makes the cost curve jump, so # we avoid it here. if d == beta and d < m: @@ -369,6 +371,10 @@ def cost( else: # we scaled the lattice so that χ_e is what we want eta = PrimalHybrid.svp_dimension(r, params.Xe) + if eta > d: + # Lattice reduction was not strong enough to "reveal" the LWE solution. + # A larger `beta` should perhaps be attempted. + return Cost(rop=oo) svp_cost = costf(red_cost_model, eta, eta) # when η ≪ β, lifting may be a bigger cost svp_cost["rop"] += PrimalHybrid.babai_cost(d - eta)["rop"] From 8821dae46e86acaefdf3eee439b92d6c2143f27c Mon Sep 17 00:00:00 2001 From: Ludo Pulles Date: Fri, 20 Sep 2024 21:07:17 +0200 Subject: [PATCH 2/2] Add tests for #87, #95, #106 --- estimator/lwe_primal.py | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/estimator/lwe_primal.py b/estimator/lwe_primal.py index d75f6de..87dda2b 100644 --- a/estimator/lwe_primal.py +++ b/estimator/lwe_primal.py @@ -199,6 +199,15 @@ def __call__( >>> LWE.primal_usvp(params, red_shape_model=Simulator.CN11, optimize_d=False) rop: ≈2^87.6, red: ≈2^87.6, δ: 1.006114, β: 209, d: 400, tag: usvp + >>> params = LWE.Parameters(n=384, q=2**7, Xs=ND.Uniform(0, 1), Xe=ND.CenteredBinomial(8), m=2*384) + >>> LWE.primal_usvp(params, red_cost_model=RC.BDGL16) # Issue #87 + rop: ≈2^161.8, red: ≈2^161.8, δ: 1.003634, β: 456, d: 595, tag: usvp + + >>> Xe=ND.DiscreteGaussian(stddev=3.19) + >>> params = LWE.Parameters(n=1030, m=2060, q=2**64, Xs=ND.Uniform(0, 1), Xe=Xe) + >>> LWE.primal_usvp(params, red_cost_model=RC.BDGL16) # Issue 95 + rop: ≈2^56.6, red: ≈2^56.6, δ: 1.009686, β: 91, d: 1618, tag: usvp + The success condition was formulated in [USENIX:ADPS16]_ and studied/verified in [AC:AGVW17]_, [C:DDGR20]_, [PKC:PosVir21]_. The treatment of small secrets is from [ACISP:BaiGal14]_. @@ -579,6 +588,15 @@ def __call__( >>> LWE.primal_bdd(params) rop: ≈2^43.7, red: ≈2^43.7, svp: ≈2^22.1, β: 40, η: 2, d: 1516, tag: bdd + We also test a LWE instance with a large error (coming from issue #106):: + + >>> LWE.primal_bdd(LWE.Parameters(n=256, q=12289, Xs=ND.UniformMod(2), Xe=ND.UniformMod(1024))) + rop: ≈2^116.3, red: ≈2^41.4, svp: ≈2^116.3, β: 40, η: 340, d: 340, tag: bdd + + >>> LWE.primal_bdd(LWE.Parameters(n=700, q=2**64, Xs=ND.UniformMod(2), Xe=ND.UniformMod(2**59))) + rop: ≈2^263.2, red: ≈2^42.8, svp: ≈2^263.2, β: 40, η: 867, d: 867, tag: bdd + + """ if zeta == 0: