diff --git a/docs/algorithms/ntru.rst b/docs/algorithms/ntru.rst new file mode 100644 index 0000000..53d1c9a --- /dev/null +++ b/docs/algorithms/ntru.rst @@ -0,0 +1,56 @@ +.. _NTRU Primal Attacks: + +NTRU Primal Attacks +===================== + +We construct an (easy) example NTRU instance:: + + from estimator import * + params = NTRU.Parameters(n=200, q=7981, Xs=ND.UniformMod(3), Xe=ND.UniformMod(3)) + params + +The simplest (and quickest to estimate) model is solving via uSVP and assuming the Geometric Series +Assumption (GSA) [Schnorr03]_. The success condition was formulated in [USENIX:ADPS16]_ and +studied/verified in [AC:AGVW17]_, [C:DDGR20]_, [PKC:PosVir21]_. The treatment of small secrets is +from [ACISP:BaiGal14]_. Here, the NTRU instance is treated as a homoegeneous LWE instance:: + + NTRU.primal_usvp(params, red_shape_model="gsa") + +We get a similar result if we use the ``GSA`` simulator. We do not get the identical result because +we optimize β and d separately:: + + NTRU.primal_usvp(params, red_shape_model=Simulator.GSA) + +To get a more precise answer we may use the CN11 simulator by Chen and Nguyen [AC:CheNgu11]_ (as +`implemented in FPyLLL +_`):: + + NTRU.primal_usvp(params, red_shape_model=Simulator.CN11) + +We can then improve on this result by first preprocessing the basis with block size β followed by a +single SVP call in dimension η [RSA:LiuNgu13]_. We call this the BDD approach since this is +essentially the same strategy as preprocessing a basis and then running a CVP solver:: + + NTRU.primal_bdd(params, red_shape_model=Simulator.CN11) + +We can improve these results further by exploiting the sparse secret in the hybrid attack +[C:HowgraveGraham07]_ guessing ζ positions of the secret:: + + NTRU.primal_hybrid(params, red_shape_model=Simulator.CN11) + +In addition to the primal secret key recovery attack, this module supports the dense sublattice +attack as formulated in [EC:KirFou17]_, and refined/verified in [AC:DucWoe21]_. The baseline +dense sublattice attack uses a 'z-shape' variant of the Geometric Series Assumption, called the +ZGSA:: + + params.possibly_overstretched + NTRU.primal_dsd(params, red_shape_model=Simulator.ZGSA) + +Of course we can also use the CN11 simulator for this attack as well:: + + NTRU.primal_dsd(params, red_dhape_model=Simulator.CN11) + +**Note:** Currently, dense sublattice attack estimation is only supported if the distributions of +``f`` and ``g`` are equal. ``NTRU.primal_dsd()`` will return a ``NotImplementedError`` if this is +not the case. + diff --git a/docs/index.rst b/docs/index.rst index 7d20907..8e5e53a 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -15,6 +15,7 @@ Lattice Estimator algorithms/lwe-dual algorithms/lwe-bkw algorithms/gb + algorithms/ntru contributing diff --git a/estimator/ntru_primal.py b/estimator/ntru_primal.py index 4b32aa2..8d9296a 100644 --- a/estimator/ntru_primal.py +++ b/estimator/ntru_primal.py @@ -200,6 +200,10 @@ def __call__( .. note :: Non-overstretched parameters (where the probability of Dense sublattice discovery is 0) will return β = d. """ + if params.Xs.stddev != params.Xe.stddev: + raise NotImplementedError("""Dense sublattice attack estimation currently unsupported for f and g with + different variances""") + params = NTRUParameters.normalize(params) # allow for a larger embedding lattice dimension: Bai and Galbraith m = params.m + params.n if params.Xs <= params.Xe else params.m