Merge pull request #96 from hunterkipt/dev/SIS

Add SIS Estimate Functionality

README.rst

@@ -38,6 +38,45 @@ Quick Start
     dual                 :: rop: ≈2^149.9, mem: ≈2^97.1, m: 512, β: 424, d: 1024, ↻: 1, tag: dual
     dual_hybrid          :: rop: ≈2^145.6, mem: ≈2^140.5, m: 512, β: 408, d: 1004, ↻: 1, ζ: 20, tag: dual_hybrid
 
+    >>> schemes.Dilithium2_MSIS_WkUnf
+    SISParameters(n=1024, q=8380417, length_bound=350209, m=2304, norm=+Infinity, tag='Dilithium2_MSIS_WkUnf')
+   
+    >>> SIS.lattice(schemes.Dilithium2_MSIS_WkUnf)
+    rop: ≈2^152.2, red: ≈2^151.3, sieve: ≈2^151.1, β: 427, η: 433, ζ: 0, d: 2304, prob: 1, ↻: 1, tag: infinity
+   
+    >>> r = SIS.estimate.rough(schemes.Dilithium2_MSIS_WkUnf)
+    lattice              :: rop: ≈2^123.5, red: ≈2^123.5, sieve: ≈2^-332.2, β: 423, η: 423, ζ: 1, d: 2303, prob: 1, ↻: 1, tag: infinity
+   
+    >>> r = SIS.estimate(schemes.Dilithium2_MSIS_WkUnf)
+    lattice              :: rop: ≈2^152.2, red: ≈2^151.3, sieve: ≈2^151.1, β: 427, η: 433, ζ: 0, d: 2304, prob: 1, ↻: 1, tag: infinity
+
+    >>> schemes.Falcon512_SKR
+    NTRUParameters(n=512, q=12289, Xs=D(σ=4.05), Xe=D(σ=4.05), m=512, tag='Falcon512_SKR', ntru_type='circulant')
+   
+    >>> NTRU.primal_usvp(schemes.Falcon512_SKR)
+    rop: ≈2^165.1, red: ≈2^165.1, δ: 1.003489, β: 483, d: 1020, tag: usvp
+   
+    >>> r = NTRU.estimate.rough(schemes.Falcon512_SKR)
+    usvp                 :: rop: ≈2^140.5, red: ≈2^140.5, δ: 1.003499, β: 481, d: 544, tag: usvp
+   
+    >>> r = NTRU.estimate(schemes.Falcon512_SKR)
+    usvp                 :: rop: ≈2^165.1, red: ≈2^165.1, δ: 1.003489, β: 483, d: 1020, tag: usvp
+    bdd                  :: rop: ≈2^160.6, red: ≈2^159.6, svp: ≈2^159.6, β: 463, η: 496, d: 1022, tag: bdd
+    bdd_hybrid           :: rop: ≈2^160.6, red: ≈2^159.6, svp: ≈2^159.6, β: 463, η: 496, ζ: 0, |S|: 1, d: 1024, prob: 1, ↻: 1, tag: hybrid
+    bdd_mitm_hybrid      :: rop: ≈2^349.3, red: ≈2^349.3, svp: ≈2^204.8, β: 481, η: 2, ζ: 0, |S|: 1, d: 1024, prob: ≈2^-182.6, ↻: ≈2^184.8, tag: hybrid
+
+    >>> schemes.Falcon512_Unf
+    SISParameters(n=512, q=12289, length_bound=5833.9072, m=1024, norm=2, tag='Falcon512_Unf')
+   
+    >>> SIS.lattice(schemes.Falcon512_Unf)
+    rop: ≈2^146.4, red: ≈2^146.4, δ: 1.003882, β: 415, d: 1024, tag: euclidian
+   
+    >>> r = SIS.estimate.rough(schemes.Falcon512_Unf)
+    lattice              :: rop: ≈2^121.2, red: ≈2^121.2, δ: 1.003882, β: 415, d: 1024, tag: euclidian
+   
+    >>> r = SIS.estimate(schemes.Falcon512_Unf)
+    lattice              :: rop: ≈2^146.4, red: ≈2^146.4, δ: 1.003882, β: 415, d: 1024, tag: euclidian
+
 - `Try it in your browser <https://mybinder.org/v2/gh/malb/lattice-estimator/jupyter-notebooks?labpath=..%2F..%2Ftree%2Fprompt.ipynb>`__.
 - `Read the documentation <https://lattice-estimator.readthedocs.io/en/latest/>`__.
 

docs/algorithms/ntru.rst

@@ -36,7 +36,7 @@ In addition to the primal secret key recovery attack, this module supports the d
 
 Of course we can also use the CN11 simulator for this attack as well::
 
-    NTRU.primal_dsd(params, red_dhape_model=Simulator.CN11)
+    NTRU.primal_dsd(params, red_shape_model=Simulator.CN11)
 
 **Note:** Currently, dense sublattice attack estimation is only supported if the distributions of ``f`` and ``g`` are equal. ``NTRU.primal_dsd()`` will return a ``NotImplementedError`` if this is not the case.
 

docs/algorithms/sis-lattice.rst

@@ -0,0 +1,36 @@
+.. _SIS Lattice Attacks:
+
+SIS Lattice Attacks
+=====================
+
+We construct an (easy) example SIS instance::
+
+    from estimator import *
+    params = SIS.Parameters(n=113, q=2048, length_bound=512, norm=2) 
+    params
+
+The simplest (and quickest to estimate) model is solving for the SIS instance with a euclidian norm length bound and assuming the Gaussian heuristic.Then, we can solve for the required root hermite factor [EC:GamNgu08]_ that will guarantee BKZ outputs a short enough vector::
+
+    SIS.lattice(params)
+
+The exact reduction shape model does not matter when using euclidian norm bounds, as the required block size is calculated directly from the length bound. 
+
+For infinity norm length bounds, we have two separate analyses. Both follow the same basic strategy. We use the worst case euclidian norm bound as a lower bound on the hardness. Then, we analyze the probability of obtaining a short vector where every coordinate meets the infinity norm constraint. When sqrt(m)*length_bound is less than the modulus q, we follow the analysis of the MATZOV report ([MATZOV22]_ P.18). We simulate the cost of generating *many* short vectors and treat each coordinate of the vector as an i.i.d Gaussian random variable with standard deviation equal to the length(s) of these short vectors divided by the square root of the dimension.::
+
+    params = SIS.Parameters(n=113, q=2048, length_bound=50, norm=oo)
+    SIS.lattice(params)
+
+When sqrt(m)*length_bound is **greater than** the modulus, we follow the analysis present in the NIST round 3 Dilithium specification ([Dilithium21]_ P.35). Here, since BKZ can now produce q vectors at the given length bound (which will always satisfy the bound), we explicitly account for the q-ary structure of the lattice. Every coordinate corresponding to a q-vector yields uniformly random values, while the middle region of the basis produces Gaussian random variables as above. To explicitly account for this q-ary structure, use the ``ZGSA`` simulator.:: 
+
+    SIS.lattice(params.updated(length_bound=70), red_shape_model=Simulator.ZGSA)
+
+To get a more precise answer we may use the CN11 simulator by Chen and Nguyen [AC:CheNgu11]_ (as `implemented in FPyLLL <https://github.com/fplll/fpylll/blob/master/src/fpylll/tools/bkz_simulator.py>`__)::
+
+    SIS.lattice(params.updated(length_bound=70), red_shape_model=Simulator.CN11)
+
+Another option is to simulate a rerandomization of the basis, such that the q-vectors are *forgotten*. This results in the ``LGSA`` simulator, where the short, unit vectors are still present in the basis. See Figure 12 in the Dilithium submission for an example. We can then improve on this result by first preprocessing the basis with block size β followed by a single SVP call in dimension η [RSA:LiuNgu13]_. ::
+
+    SIS.lattice(params.updated(length_bound=70), red_shape_model=Simulator.LGSA)
+
+**Note:** Currently, lattice attack estimation is only avalailable for euclidian (``2``) and infinity (``oo``) norms. ``SIS.lattice()`` will return a ``NotImplementedError`` if one of these two norms are not selected.
+

docs/api_doc.rst

@@ -20,10 +20,12 @@ API Reference
    estimator.ntru_parameters
    estimator.ntru_primal
    estimator.ntru
+   estimator.sis_lattice
+   estimator.sis
    estimator.gb
    estimator.nd
    estimator.prob
-   estimator.reduction     
+   estimator.reduction
    estimator.simulator
    estimator.util
 

docs/index.rst

@@ -16,6 +16,7 @@ Lattice Estimator
    algorithms/lwe-bkw
    algorithms/gb
    algorithms/ntru
+   algorithms/sis-lattice
 
    contributing
 

docs/references.rst

@@ -14,8 +14,10 @@ References
 .. [C:HowgraveGraham07] Nick Howgrave-Graham. A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In A. Menezes, CRYPTO 2007 (pp. 150–169). : Springer, Heidelberg.
 .. [C:KirFou15] Paul Kirchner & Pierre-Alain Fouque. An improved BKW algorithm for LWE with applications to cryptography and lattices. In R. Gennaro, & M. J. B. Robshaw, CRYPTO 2015, Part~I (pp. 43–62). : Springer, Heidelberg.
 .. [CheNgu12] Yuanmi Chen and Phong Q. Nguyen. BKZ 2.0: Better lattice security estimates (Full Version). 2012. http://www.di.ens.fr/~ychen/research/Full_BKZ.pdf
+.. [Dilithium21] Shi Bai, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, Peter Schwabe, Gregor Seiler, Damien Stehlé. CRYSTALS-DILITHIUM. 2021 https://pq-crystals.org/dilithium/data/dilithium-specification-round3-20210208.pdf
 .. [EC:Albrecht17]  Albrecht, M. R. (2017). On dual lattice attacks against small-secret LWE and parameter choices in  HElib and SEAL. In J. Coron, & J. B. Nielsen, EUROCRYPT 2017, Part II (pp. 103–129). : Springer, Heidelberg.
 .. [EC:Ducas18] Léo Ducas (2018). Shortest vector from lattice sieving: A few dimensions for free. In J. B. Nielsen, & V. Rijmen, EUROCRYPT 2018, Part I (pp. 125–145). : Springer, Heidelberg.
+.. [EC:GamNgu08] Gama, N., Nguyen, P.Q. (2008). Predicting Lattice Reduction. In: Smart, N. (eds) Advances in Cryptology – EUROCRYPT 2008. EUROCRYPT 2008. Lecture Notes in Computer Science, vol 4965. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-78967-3_3
 .. [EC:KirFou17] Kirchner, P., Fouque, PA. (2017). Revisiting Lattice Attacks on Overstretched NTRU Parameters. In: Coron, JS., Nielsen, J. (eds) Advances in Cryptology – EUROCRYPT 2017. EUROCRYPT 2017. Lecture Notes in Computer Science(), vol 10210. Springer, Cham. https://doi.org/10.1007/978-3-319-56620-7_1 
 .. [EPRINT:CHHS19] Cheon, J.H., Hhan, M., Hong, S. and Son, Y., 2019. A hybrid of dual and meet-in-the-middle attack on sparse and ternary secret LWE. IEEE Access, 7, pp.89497-89506. https://ia.cr/2019/1114pri
 .. [EPRINT:LaaMosPol14] Thijs Laarhoven, Michele Mosca, & Joop van de Pol. Finding shortest lattice vectors faster using quantum search. Cryptology ePrint Archive, Report 2014/907, 2014. https://eprint.iacr.org/2014/907.

estimator/__init__.py

@@ -1,11 +1,12 @@
 # -*- coding: utf-8 -*-
 
-__all__ = ['ND', 'Logging', 'RC', 'Simulator', 'LWE', 'NTRU', 'schemes']
+__all__ = ['ND', 'Logging', 'RC', 'Simulator', 'LWE', 'NTRU', 'SIS', 'schemes']
 
 from .nd import NoiseDistribution as ND
 from .io import Logging
 from .reduction import RC
 from . import simulator as Simulator
 from . import lwe as LWE
 from . import ntru as NTRU
+from . import sis as SIS
 from . import schemes

estimator/prob.py

@@ -64,6 +64,20 @@ def conditional_chi_squared(d1, d2, lt, l2):
     return proba
 
 
+def gaussian_cdf(mu, sigma, t):
+    """
+    Compute the cdf of a continuous gaussian random variable with mean mu and standard deviation
+    sigma (i.e. computes Pr(X <= t), where X is a gaussian random variable).
+
+    :params mu: the mean of the gaussian random variable.
+    :params sigma: the standard deviation of the gaussian random variable.
+    :params t: the limit at which to calculate the cdf.
+
+    :returns: the evaluation of the cdf at t.
+    """
+    return RR((1/2)*(1 + erf((t - mu)/(sqrt(2)*sigma))))
+
+
 def mitm_babai_probability(r, stddev, q, fast=False):
     """
     Compute the "e-admissibility" probability associated to the mitm step, according to

estimator/schemes.py

@@ -1,6 +1,8 @@
+from sage.all import oo
 from .nd import NoiseDistribution, stddevf
 from .lwe_parameters import LWEParameters
 from .ntru_parameters import NTRUParameters
+from .sis_parameters import SISParameters
 
 # NIST PQC Round 3 Finalists
 
@@ -78,6 +80,11 @@
     tag="FireSaber",
 )
 
+#
+# NTRU
+#
+#
+
 NTRUHPS2048509Enc = NTRUParameters(
     n=508,
     q=2048,
@@ -114,6 +121,67 @@
     tag="NTRUHRSS701",
 )
 
+#
+# Dilithium
+#
+#
+# https://pq-crystals.org/dilithium/data/dilithium-specification-round3-20210208.pdf
+# Table 1, Page 8
+
+Dilithium2_MSIS_WkUnf = SISParameters(
+    n=256*4,
+    q=8380417,
+    length_bound=350209,
+    m=256*9,
+    norm=oo,
+    tag="Dilithium2_MSIS_WkUnf"
+)
+
+Dilithium2_MSIS_StrUnf = SISParameters(
+    n=256*4,
+    q=8380417,
+    length_bound=380929,
+    m=256*9,
+    norm=oo,
+    tag="Dilithium2_MSIS_StrUnf"
+)
+
+Dilithium3_MSIS_WkUnf = SISParameters(
+    n=256*6,
+    q=8380417,
+    length_bound=724481,
+    m=256*6*2,
+    norm=oo,
+    tag="Dilithium3_MSIS_WkUnf"
+)
+
+Dilithium3_MSIS_StrUnf = SISParameters(
+    n=256*6,
+    q=8380417,
+    length_bound=1048576,
+    m=256*6*2,
+    norm=oo,
+    tag="Dilithium3_MSIS_StrUnf"
+)
+
+Dilithium5_MSIS_WkUnf = SISParameters(
+    n=256*8,
+    q=8380417,
+    length_bound=769537,
+    m=256*8*2,
+    norm=oo,
+    tag="Dilithium5_MSIS_WkUnf"
+)
+
+Dilithium5_MSIS_StrUnf = SISParameters(
+    n=256*8,
+    q=8380417,
+    length_bound=1048576,
+    m=256*8*2,
+    norm=oo,
+    tag="Dilithium5_MSIS_StrUnf"
+)
+
 NISTPQC_R3 = (
     Kyber512,
     Kyber768,
@@ -127,6 +195,50 @@
     NTRUHRSS701Enc,
 )
 
+#
+# Falcon
+#
+#
+# https://falcon-sign.info/falcon.pdf
+# Table 3.3 (P. 51)
+
+Falcon512_Unf = SISParameters(
+    n=512,
+    q=12289,
+    length_bound=5833.9072,
+    m=1024,
+    norm=2,
+    tag="Falcon512_Unf"
+)
+
+Falcon512_SKR = NTRUParameters(
+    n=512,
+    q=12289,
+    Xs=NoiseDistribution.DiscreteGaussian(4.0532),
+    Xe=NoiseDistribution.DiscreteGaussian(4.0532),
+    m=512,
+    ntru_type='circulant',
+    tag="Falcon512_SKR"
+)
+
+Falcon1024_Unf = SISParameters(
+    n=1024,
+    q=12289,
+    length_bound=8382.4081,
+    m=2048,
+    norm=2,
+    tag="Falcon1024_Unf"
+)
+
+Falcon1024_SKR = NTRUParameters(
+    n=1024,
+    q=12289,
+    Xs=NoiseDistribution.DiscreteGaussian(2.866),
+    Xe=NoiseDistribution.DiscreteGaussian(2.866),
+    m=1024,
+    ntru_type='circulant',
+    tag="Falcon1024_SKR"
+)
 
 # FrodoKEM
 # https://frodokem.org/files/FrodoKEM-specification-20210604.pdf#page=24