diff --git a/docs/algorithms/sis-lattice.rst b/docs/algorithms/sis-lattice.rst index 6f27307..dc0a867 100644 --- a/docs/algorithms/sis-lattice.rst +++ b/docs/algorithms/sis-lattice.rst @@ -6,7 +6,7 @@ SIS Lattice Attacks We construct an (easy) example SIS instance:: from estimator import * - params = SIS.Parameters(n=113, q=2048, length_bound=512, norm="l2") + params = SIS.Parameters(n=113, q=2048, length_bound=512, norm=2) params The simplest (and quickest to estimate) model is solving for the SIS instance with a euclidian norm length bound and assuming the Gaussian heuristic [CheNgu12]_.Then, we can solve for the required root hermite factor [EC:GamNgu08]_ that will guarantee BKZ outputs a short enough vector:: @@ -17,7 +17,7 @@ The exact reduction shape model doesn't matter when using euclidian norm bounds, For infinity norm length bounds, we have two separate analyses. Both follow the same basic strategy. We use the worst case euclidian norm bound as a lower bound on the hardness. Then, we analyze the probability of obtaining a short vector where every coordinate meets the infinity norm constraint. When sqrt(m)*length_bound is less than the modulus q, we follow the analysis of the MATZOV report ([MATZOV22]_ P.18). We simulate the cost of generating *many* short vectors and treat each coordinate of the vector as an i.i.d Gaussian random variable with standard deviation equal to the length(s) of these short vectors divided by the square root of the dimension.:: - params = SIS.Parameters(n=113, q=2048, length_bound=50, norm="linf") + params = SIS.Parameters(n=113, q=2048, length_bound=50, norm=oo) SIS.lattice(params) When sqrt(m)*length_bound is **greater than** the modulus, we follow the analysis present in the NIST round 3 Dilithium specification ([Dilithium21]_ P.35). Here, since BKZ can now produce q vectors at the given length bound (which will always satisfy the bound), we explicitly account for the q-ary structure of the lattice. Every coordinate corresponding to a q-vector yields uniformly random values, while the middle region of the basis produces Gaussian random variables as above. To explicitly account for this q-ary structure, use the ``ZGSA`` simulator.:: diff --git a/estimator/simulator.py b/estimator/simulator.py index c0d7d98..ad1c5bd 100644 --- a/estimator/simulator.py +++ b/estimator/simulator.py @@ -271,7 +271,7 @@ def LGSA(d, n, q, beta, xi=1, tau=1, dual=False): >>> print(["{0:0.2f}".format(RR(log(r_ , 2))) for r_ in LGSA(d, n, q, beta, xi, tau)]) ['4.82', '4.69', '4.57', '4.44', '4.32', '4.19', '4.07', '3.94', '3.82', '3.69', '3.57', '3.44'] - The CN11 simulator is supposed to be the most accurate shape estimator, comming from [ChenNgu12]_. + The CN11 simulator is supposed to be the most accurate shape estimator, comming from [CheNgu12]_. >>> print(["{0:0.2f}".format(RR(log(r_ , 2))) for r_ in CN11(d, n, q, beta, xi, tau)]) ['4.94', '4.79', '4.62', '4.45', '4.27', '4.10', '3.95', '3.83', '3.73', '3.66', '3.61', '3.60'] diff --git a/estimator/sis_parameters.py b/estimator/sis_parameters.py index 7b7b211..77d255b 100644 --- a/estimator/sis_parameters.py +++ b/estimator/sis_parameters.py @@ -35,9 +35,9 @@ def updated(self, **kwds): # TODO Add docstrings for SIS scheme parameters base >>> from estimator import * >>> schemes.Dilithium3_MSIS_WkUnf - SISParameters(n=1536, q=8380417, length_bound=724481, m=3072, norm='linf', tag='Dilithium3_MSIS_WkUnf') + SISParameters(n=1536, q=8380417, length_bound=724481, m=3072, norm=+Infinity, tag='Dilithium3_MSIS_WkUnf') >>> schemes.Dilithium3_MSIS_WkUnf.updated(m=4096) - SISParameters(n=1536, q=8380417, length_bound=724481, m=4096, norm='linf', tag='Dilithium3_MSIS_WkUnf') + SISParameters(n=1536, q=8380417, length_bound=724481, m=4096, norm=+Infinity, tag='Dilithium3_MSIS_WkUnf') """ d = dict(self.__dict__)