From e999eaed3c7ef7f0360de2989310dd54a74b3173 Mon Sep 17 00:00:00 2001 From: Guilhem Niot Date: Fri, 23 Aug 2024 20:05:56 +0200 Subject: [PATCH] update with comments --- README.rst | 11 ++++++----- docs/algorithms/lwe-dual.rst | 2 +- docs/algorithms/sis-lattice.rst | 2 +- estimator/conf.py | 5 +++++ estimator/lwe.py | 10 +++++----- estimator/ntru.py | 10 +++++----- estimator/sis.py | 10 +++++----- 7 files changed, 28 insertions(+), 22 deletions(-) diff --git a/README.rst b/README.rst index 77bed7b..ce08131 100644 --- a/README.rst +++ b/README.rst @@ -16,14 +16,15 @@ Quick Start We currently provide evaluators for the security of the `LWE`, `NTRU`, and `SIS` problems. Our estimator integrates simulators for the best known attacks against these problems, and provides -bit-security estimates relying on heuristics to predict the cost of lattice reduction algorithms, the default being -using `[MATZOV22] ` for lattice reduction cost, and the GSA assumption -`[Schnorr03] ` for the reduction shape. +bit-security estimates relying on heuristics to predict the cost and shape of lattice reduction algorithms. The default +models are configured in `conf.py `. It is possible to evaluate attacks cost individually, or using the helper functions: - `*.estimator.rough`: fast routine that evaluates the security of the problem only against the usually most efficient - attacks. In this case, note that the concrete lattice reduction cost is evaluated using the non-default "Core-SVP" method - from `[USENIX:ADPS16] `. + attacks. Note that it uses a non-default cost model for lattice reduction, most often used in the literature for ease of + comparison, and will thus return different numbers than the rest of the API. Refer to + `its documentation ` + for details. - `*.estimator`: extended routine that evaluates the security of the problem against all supported attacks. This uses the default cost and shape model for lattice reduction. diff --git a/docs/algorithms/lwe-dual.rst b/docs/algorithms/lwe-dual.rst index 893199a..fe37582 100644 --- a/docs/algorithms/lwe-dual.rst +++ b/docs/algorithms/lwe-dual.rst @@ -22,6 +22,6 @@ Further improvements are possible using a meet-in-the-middle approach [EPRINT:CH dual_hybrid(params, mitm_optimization=True) -We consider the variant fron [MATZOV22]_:: +We consider the variant from [MATZOV22]_:: matzov(params) diff --git a/docs/algorithms/sis-lattice.rst b/docs/algorithms/sis-lattice.rst index a228a7f..af9a770 100644 --- a/docs/algorithms/sis-lattice.rst +++ b/docs/algorithms/sis-lattice.rst @@ -32,5 +32,5 @@ Another option is to simulate a rerandomization of the basis, such that the q-ve SIS.lattice(params.updated(length_bound=70), red_shape_model=Simulator.LGSA) -**Note:** Currently, lattice attack estimation is only avalailable for euclidean (``2``) and infinity (``oo``) norms. ``SIS.lattice()`` will return a ``NotImplementedError`` if one of these two norms are not selected. +**Note:** Currently, lattice attack estimation is only available for euclidean (``2``) and infinity (``oo``) norms. ``SIS.lattice()`` will return a ``NotImplementedError`` if one of these two norms are not selected. diff --git a/estimator/conf.py b/estimator/conf.py index a133d6c..38fa7ed 100644 --- a/estimator/conf.py +++ b/estimator/conf.py @@ -7,10 +7,15 @@ from .reduction import RC from sage.all import exp +""" +Default models used to evaluate the cost and shape of lattice reduction. +This influences the concrete estimated cost of attacks. +""" red_cost_model = RC.MATZOV red_cost_model_classical_poly_space = RC.ABLR21 red_shape_model = "gsa" red_simulator = GSA + mitm_opt = "analytical" max_n_cache = 10000 diff --git a/estimator/lwe.py b/estimator/lwe.py index 9f3afb8..0aa8012 100644 --- a/estimator/lwe.py +++ b/estimator/lwe.py @@ -25,11 +25,14 @@ class Estimate: def rough(self, params, jobs=1, catch_exceptions=True): """ - This function makes the following somewhat routine assumptions: + This function makes the following (non-default) somewhat routine assumptions to evaluate the cost of lattice + reduction, and to provide comparable numbers with most of the literature: - The GSA holds. - The Core-SVP model holds. + Provided numbers are notably not directly comparable with the rest of our API, when using the default cost models. + This function furthermore assumes the following heuristics: - The primal hybrid attack only applies to sparse secrets. @@ -37,9 +40,6 @@ def rough(self, params, jobs=1, catch_exceptions=True): - Arora-GB only applies to bounded noise with at least `n^2` samples. - BKW is not competitive. - Lattice reduction cost is evaluated based on the non-default "Core-SVP" method from - [USENIX:ADPS16]. - :param params: LWE parameters. :param jobs: Use multiple threads in parallel. :param catch_exceptions: When an estimate fails, just print a warning. @@ -96,7 +96,7 @@ def __call__( catch_exceptions=True, ): """ - Run all estimates. + Run all estimates, based on the default cost and shape models for lattice reduction. :param params: LWE parameters. :param red_cost_model: How to cost lattice reduction. diff --git a/estimator/ntru.py b/estimator/ntru.py index b16b451..400272e 100644 --- a/estimator/ntru.py +++ b/estimator/ntru.py @@ -22,20 +22,20 @@ class Estimate: def rough(self, params, jobs=1, catch_exceptions=True): """ - This function makes the following somewhat routine assumptions: + This function makes the following (non-default) somewhat routine assumptions to evaluate the cost of lattice + reduction, and to provide comparable numbers with most of the literature: - The ZGSA holds. - The Core-SVP model holds. + Provided numbers are notably not directly comparable with the rest of our API, when using the default cost models. + This function furthermore assumes the following heuristics: - The primal hybrid attack only applies to sparse secrets. - The dual hybrid MITM attack only applies to sparse secrets. - The dense sublattice attack only applies to possibly overstretched parameters - Lattice reduction cost is evaluated based on the non-default "Core-SVP" method from - [USENIX:ADPS16]. - :param params: NTRU parameters. :param jobs: Use multiple threads in parallel. :param catch_exceptions: When an estimate fails, just print a warning. @@ -94,7 +94,7 @@ def __call__( catch_exceptions=True, ): """ - Run all estimates. + Run all estimates, based on the default cost and shape models for lattice reduction. :param params: NTRU parameters. :param red_cost_model: How to cost lattice reduction. diff --git a/estimator/sis.py b/estimator/sis.py index cd673c2..ba90a7c 100644 --- a/estimator/sis.py +++ b/estimator/sis.py @@ -19,17 +19,17 @@ class Estimate: def rough(self, params, jobs=1, catch_exceptions=True): """ - This function makes the following somewhat routine assumptions: + This function makes the following (non-default) somewhat routine assumptions to evaluate the cost of lattice + reduction, and to provide comparable numbers with most of the literature: - The LGSA holds. - The Core-SVP model holds. + Provided numbers are notably not directly comparable with the rest of our API, when using the default cost models. + This function furthermore assumes the following heuristics: - None at the moment. May change as more algorithms are added. - Lattice reduction cost is evaluated based on the non-default "Core-SVP" method from - [USENIX:ADPS16]. - :param params: SIS parameters. :param jobs: Use multiple threads in parallel. :param catch_exceptions: When an estimate fails, just print a warning. @@ -77,7 +77,7 @@ def __call__( catch_exceptions=True, ): """ - Run all estimates. + Run all estimates, based on the default cost and shape models for lattice reduction. :param params: SIS parameters. :param red_cost_model: How to cost lattice reduction.