Merge branch 'dev/SIS' of github.com:hunterkipt/lattice-estimator int…

…o dev/SIS
malb · Feb 6, 2024 · b9602bb · b9602bb
2 parents e1d2980 + 49d8e4f
commit b9602bb
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 22 deletions.
diff --git a/README.rst b/README.rst
@@ -38,24 +38,24 @@ Quick Start
     dual                 :: rop: ≈2^149.9, mem: ≈2^97.1, m: 512, β: 424, d: 1024, ↻: 1, tag: dual
     dual_hybrid          :: rop: ≈2^145.6, mem: ≈2^140.5, m: 512, β: 408, d: 1004, ↻: 1, ζ: 20, tag: dual_hybrid
 
+  .. code-block:: python
+
+    >>> from estimator import *
     >>> schemes.Dilithium2_MSIS_WkUnf
     SISParameters(n=1024, q=8380417, length_bound=350209, m=2304, norm=+Infinity, tag='Dilithium2_MSIS_WkUnf')
-   
-    >>> SIS.lattice(schemes.Dilithium2_MSIS_WkUnf)
-    rop: ≈2^152.2, red: ≈2^151.3, sieve: ≈2^151.1, β: 427, η: 433, ζ: 0, d: 2304, prob: 1, ↻: 1, tag: infinity
-   
+
     >>> r = SIS.estimate.rough(schemes.Dilithium2_MSIS_WkUnf)
     lattice              :: rop: ≈2^123.5, red: ≈2^123.5, sieve: ≈2^-332.2, β: 423, η: 423, ζ: 1, d: 2303, prob: 1, ↻: 1, tag: infinity
-   
+
     >>> r = SIS.estimate(schemes.Dilithium2_MSIS_WkUnf)
     lattice              :: rop: ≈2^152.2, red: ≈2^151.3, sieve: ≈2^151.1, β: 427, η: 433, ζ: 0, d: 2304, prob: 1, ↻: 1, tag: infinity
 
+  .. code-block:: python
+
+    >>> from estimator import *
     >>> schemes.Falcon512_SKR
     NTRUParameters(n=512, q=12289, Xs=D(σ=4.05), Xe=D(σ=4.05), m=512, tag='Falcon512_SKR', ntru_type='circulant')
    
-    >>> NTRU.primal_usvp(schemes.Falcon512_SKR)
-    rop: ≈2^165.1, red: ≈2^165.1, δ: 1.003489, β: 483, d: 1020, tag: usvp
-   
     >>> r = NTRU.estimate.rough(schemes.Falcon512_SKR)
     usvp                 :: rop: ≈2^140.5, red: ≈2^140.5, δ: 1.003499, β: 481, d: 544, tag: usvp
    
@@ -68,9 +68,6 @@ Quick Start
     >>> schemes.Falcon512_Unf
     SISParameters(n=512, q=12289, length_bound=5833.9072, m=1024, norm=2, tag='Falcon512_Unf')
    
-    >>> SIS.lattice(schemes.Falcon512_Unf)
-    rop: ≈2^146.4, red: ≈2^146.4, δ: 1.003882, β: 415, d: 1024, tag: euclidean
-   
     >>> r = SIS.estimate.rough(schemes.Falcon512_Unf)
     lattice              :: rop: ≈2^121.2, red: ≈2^121.2, δ: 1.003882, β: 415, d: 1024, tag: euclidean
    

diff --git a/estimator/lwe_bkw.py b/estimator/lwe_bkw.py
@@ -2,7 +2,8 @@
 """
 See :ref:`Coded-BKW for LWE` for what is available.
 """
-from sage.all import ZZ, ceil, log, floor, sqrt, var, find_root, erf, oo, cached_function
+from sage.all import ZZ, ceil, log, floor, sqrt, find_root, erf, oo, cached_function, RR
+
 from .lwe_parameters import LWEParameters
 from .util import local_minimum
 from .cost import Cost
@@ -44,18 +45,21 @@ def ntest(n, ell, t1, t2, b, q):
             return 0
 
         # solve for ntest by aiming for ntop == 0
-        ntest = var("ntest")
-        sigma_set = sqrt(q ** (2 * (1 - ell / ntest)) / 12)
-        ncod = sum(CodedBKW.N(i, sigma_set, b, q) for i in range(1, t2 + 1))
-        ntop = n - ncod - ntest - t1 * b
+        def ntop(ntest):
+            # Patch so that `find_root` (which uses float) doesn't error
+            ntest = RR(ntest)
+            sigma_set = sqrt(q ** (2 * (1 - ell / ntest)) / 12)
+            ncod = sum(CodedBKW.N(i, sigma_set, b, q) for i in range(1, t2 + 1))
+            res = n - ncod - ntest - t1 * b
+            return res
 
         try:
             start = max(int(round(find_root(ntop, 2, n - t1 * b + 1, rtol=0.1))) - 1, 2)
         except RuntimeError:
             start = 2
         ntest_min = 1
         for ntest in range(start, n - t1 * b + 1):
-            if abs(ntop(ntest=ntest).n()) >= abs(ntop(ntest=ntest_min).n()):
+            if abs(ntop(ntest).n()) >= abs(ntop(ntest_min).n()):
                 break
             ntest_min = ntest
         return int(ntest_min)

diff --git a/estimator/lwe_primal.py b/estimator/lwe_primal.py
@@ -300,10 +300,20 @@ def gaussian_heuristic_log_input(r):
 
         d = len(r)
         r = [log(x) for x in r]
-        for i, _ in enumerate(r):
-            if gaussian_heuristic_log_input(r[i:]) < D.stddev**2 * (d - i):
-                return ZZ(d - (i - 1))
-        return ZZ(2)
+
+        if d > 4096:
+            for i, _ in enumerate(r):
+                # chosen since RC.ADPS16(1754, 1754).log(2.) = 512.168000000000
+                j = d - 1754 + i
+                if gaussian_heuristic_log_input(r[j:]) < D.stddev**2 * (d - j):
+                    return ZZ(d - (j - 1))
+            return ZZ(2)
+
+        else:
+            for i, _ in enumerate(r):
+                if gaussian_heuristic_log_input(r[i:]) < D.stddev**2 * (d - i):
+                    return ZZ(d - (i - 1))
+            return ZZ(2)
 
     @staticmethod
     @cached_function
@@ -588,8 +598,23 @@ def __call__(
             log_level=log_level + 1,
         )
 
+        def find_zeta_max(params, red_cost_model):
+            usvp_cost = primal_usvp(params, red_cost_model=red_cost_model)["rop"]
+            zeta_max = 1
+            while zeta_max < params.n:
+                # TODO: once support_size() is supported for NTRU, remove the below try/except
+                try:
+                    if params.Xs.support_size(zeta_max) > usvp_cost:
+                        # double it for mitm
+                        return 2 * zeta_max
+                    zeta_max +=1
+                except NotImplementedError:
+                    return params.n
+            return params.n
+
         if zeta is None:
-            with local_minimum(0, params.n, log_level=log_level) as it:
+            zeta_max = find_zeta_max(params, red_cost_model)
+            with local_minimum(0, min(zeta_max, params.n), log_level=log_level) as it:
                 for zeta in it:
                     it.update(
                         f(