Fix MitM Babai e-admissability computation #131

Merged
merged 3 commits into from
Oct 17, 2024
2 changes: 1 addition & 1 deletion docs/algorithms/lwe-dual.rst
@@ -18,7 +18,7 @@ We can improve these results by considering a dual hybrid attack as in [EC:Albre

dual_hybrid(params)

Further improvements are possible using a meet-in-the-middle approach [EPRINT:CHHS19]_::
Further improvements are possible using a meet-in-the-middle approach [IEEE:CHHS19]_::

dual_hybrid(params, mitm_optimization=True)

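Review bot: the key rename `[EPRINT:CHHS19]_` to `[IEEE:CHHS19]_` on this line only builds cleanly if every other use of the old key is updated in the same PR; the one in estimator/lwe_dual.py is in this diff, but a `grep -rn 'EPRINT:CHHS19' docs estimator` before merge is worth doing, since a stale key is an unresolved-citation warning in Sphinx and an error under nitpicky mode.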
10 changes: 5 additions & 5 deletions docs/references.rst
@@ -15,17 +15,16 @@ References
.. [C:HowgraveGraham07] Nick Howgrave-Graham. A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In A. Menezes, CRYPTO 2007 (pp. 150–169). : Springer, Heidelberg.
.. [C:KirFou15] Paul Kirchner & Pierre-Alain Fouque. An improved BKW algorithm for LWE with applications to cryptography and lattices. In R. Gennaro, & M. J. B. Robshaw, CRYPTO 2015, Part~I (pp. 43–62). : Springer, Heidelberg.
.. [CheNgu12] Yuanmi Chen and Phong Q. Nguyen. BKZ 2.0: Better lattice security estimates (Full Version). 2012. http://www.di.ens.fr/~ychen/research/Full_BKZ.pdf
.. [DCC:LaaMosPol15] Thijs Laarhoven, Michele Mosca, & Joop van de Pol. Finding shortest lattice vectors faster using quantum search. In Designs, COdes and Cryptography 2015 (pp. 375-400). https://doi.org/10.1007/s10623-015-0067-5
.. [Dilithium21] Shi Bai, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, Peter Schwabe, Gregor Seiler, Damien Stehlé. CRYSTALS-DILITHIUM. 2021 https://pq-crystals.org/dilithium/data/dilithium-specification-round3-20210208.pdf
.. [EC:Albrecht17] Albrecht, M. R. (2017). On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL. In J. Coron, & J. B. Nielsen, EUROCRYPT 2017, Part II (pp. 103–129). : Springer, Heidelberg.
.. [EC:Ducas18] Léo Ducas (2018). Shortest vector from lattice sieving: A few dimensions for free. In J. B. Nielsen, & V. Rijmen, EUROCRYPT 2018, Part I (pp. 125–145). : Springer, Heidelberg.
.. [EC:GamNgu08] Gama, N., Nguyen, P.Q. (2008). Predicting Lattice Reduction. In: Smart, N. (eds) Advances in Cryptology – EUROCRYPT 2008. EUROCRYPT 2008. Lecture Notes in Computer Science, vol 4965. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-78967-3_3
.. [EC:KirFou17] Kirchner, P., Fouque, PA. (2017). Revisiting Lattice Attacks on Overstretched NTRU Parameters. In: Coron, JS., Nielsen, J. (eds) Advances in Cryptology – EUROCRYPT 2017. EUROCRYPT 2017. Lecture Notes in Computer Science(), vol 10210. Springer, Cham. https://doi.org/10.1007/978-3-319-56620-7_1
.. [EPRINT:CHHS19] Cheon, J.H., Hhan, M., Hong, S. and Son, Y., 2019. A hybrid of dual and meet-in-the-middle attack on sparse and ternary secret LWE. IEEE Access, 7, pp.89497-89506. https://ia.cr/2019/1114pri
.. [EPRINT:LaaMosPol14] Thijs Laarhoven, Michele Mosca, & Joop van de Pol. Finding shortest lattice vectors faster using quantum search. Cryptology ePrint Archive, Report 2014/907, 2014. https://eprint.iacr.org/2014/907.
.. [EPRINT:SonChe19] Son, Y. and Cheon, J.H., 2019. Revisiting the Hybrid Attack on sparse abd ternary LWE. Workshop on Applied Homomorphic Cryptography, WAHC2019.
.. [EPRINT:Wun16] Wunderer, T. (2016). Revisiting the hybrid attack: improved analysis and refined security estimates. https://eprint.iacr.org/2016/733
.. [IEEE:CHHS19] Cheon, J.H., Hhan, M., Hong, S. and Son, Y., 2019. A hybrid of dual and meet-in-the-middle attack on sparse and ternary secret LWE. IEEE Access, 7, pp.89497-89506. https://doi.org/10.1109/ACCESS.2019.2925425
.. [INDOCRYPT:EspJouKha20] Espitau, T., Joux, A. and Kharchenko, N., 2020, December. On a dual/hybrid approach to small secret LWE. In International Conference on Cryptology in India (pp. 440-462). Springer, Cham. https://ia.cr/2020/515
.. [JMC:AlbPlaSco15] Albrecht, M. R., Player, R., & Scott, S. (2015). On the concrete hardness of Learning with Errors. Journal of Mathematical Cryptology, 9(3), 169–203.
.. [JMC:Wunderer19] Wunderer, T. (2019). A detailed analysis of the hybrid lattice-reduction and meet-in-the-middle attack. Journal of Mathematical Cryptology, 13(1), 1-26. https://doi.org/10.1515/jmc-2016-0044
.. [Kyber17] Roberto Avanzi, Joppe Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe, Gregor Seiler, Damien Stehlé. CRYSTALS-KYBER. 2017
.. [Kyber20] Roberto Avanzi, Joppe Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe, Gregor Seiler, Damien Stehlé. CRYSTALS-KYBER. 2020 https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf
.. [MATZOV22] MATZOV. Report on the Security of LWE: Improved Dual Lattice Attack. https://zenodo.org/record/6412487 2003
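Review bot: the added `[DCC:LaaMosPol15]` entry misspells the journal, "Designs, COdes and Cryptography" should be "Designs, Codes and Cryptography". This hunk also deletes four keys (`[EPRINT:CHHS19]`, `[EPRINT:LaaMosPol14]`, `[EPRINT:SonChe19]`, `[EPRINT:Wun16]`); each of them should be grepped for across docs/ and estimator/ before merge, because only some of the renamed uses are visible in this diff. Replacing the dead "https://ia.cr/2019/1114pri" link with the IEEE Access DOI is a clear improvement. Unrelated but visible in the unchanged context: the `[MATZOV22]` entry ends with a stray "2003" after the Zenodo URL.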
@@ -36,5 +35,6 @@ References
.. [RSA:LiuNgu13] Liu, M., & Nguyen, P. Q.. Solving BDD by enumeration: an update. In E. Dawson, CT-RSA 2013 (pp. 293–309). : Springer, Heidelberg.
.. [SAC:AlbCurWun19] Albrecht, M. R., Curtis, B. R., & Wunderer, T.. Exploring trade-offs in batch bounded distance decoding. In K. G. Paterson, & D. Stebila, SAC 2019 (pp. 467–491). : Springer, Heidelberg.
.. [SODA:BDGL16] Becker, A., Ducas, L., Gama, N., & Laarhoven, T. (2016). New directions in nearest neighbor searching with applications to lattice sieving. In SODA 2016, (pp. 10–24).
.. [Schnorr03] Claus-Peter Schnorr. Lattice Reduction by Random Sampling and Birthday Methods. In: STACS2003, 20th Annual Symposium on Theoretical Aspects of Computer Science, Berlin, Germany, February 27 - March 1, 2003, Proceedings. Ed. by Helmut Alt and Michel Habib. Vol. 2607. Lecture Notes in Computer Science. Springer, 2003, pp. 145–156.doi:10.1007/3-540-36494-3_14. url: http://dx.doi.org/10.1007/3-540-36494-3_14.
.. [Schnorr03] Claus-Peter Schnorr. Lattice Reduction by Random Sampling and Birthday Methods. In: STACS2003, 20th Annual Symposium on Theoretical Aspects of Computer Science, Berlin, Germany, February 27 - March 1, 2003, Proceedings. Ed. by Helmut Alt and Michel Habib. Vol. 2607. Lecture Notes in Computer Science. Springer, 2003, pp. 145–156. https://dx.doi.org/10.1007/3-540-36494-3_14
.. [USENIX:ADPS16] Edem Alkim, Léo Ducas, Thomas Pöppelmann, & Peter Schwabe (2016). Post-quantum key exchange - A New Hope. In T. Holz, & S. Savage, 25th USENIX Security Symposium, USENIX Security 16 (pp. 327–343). USENIX Association.
.. [WAHC:SonChe19] Son, Y. and Cheon, J.H., 2019. Revisiting the Hybrid Attack on sparse abd ternary LWE. Workshop on Applied Homomorphic Cryptography, WAHC2019. https://doi.org/10.1145/3338469.3358941
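Review bot: the new `[WAHC:SonChe19]` entry carries over the typo "sparse abd ternary LWE" from the removed `[EPRINT:SonChe19]` line; fix it to "sparse and ternary LWE" while touching the entry. The rewritten `[Schnorr03]` line now links via "https://dx.doi.org/..." whereas the other entries in this file use "https://doi.org/..."; use the same form for consistency.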
2 changes: 1 addition & 1 deletion docs/schemes/hes.rst
@@ -17,7 +17,7 @@ Homomorphic Encryption Parameters
>>> HESv111024128ternary
LWEParameters(n=1024, q=134217728, Xs=D(σ=0.82), Xe=D(σ=3.00), m=1024, tag='HESv11ternary')
>>> LWE.primal_hybrid(HESv111024128ternary)
rop: ≈2^182.5, red: ≈2^181.7, svp: ≈2^181.4, β: 345, η: 2, ζ: 134, |S|: ≈2^212.4, d: 1915, prob: ≈2^-51.2, ↻: ≈2^53.4, tag: hybrid
rop: ≈2^184.3, red: ≈2^183.4, svp: ≈2^183.1, β: 345, η: 2, ζ: 134, |S|: ≈2^212.4, d: 1915, prob: ≈2^-52.9, ↻: ≈2^55.1, tag: hybrid

::

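Review bot: the only thing that moves in this doctest is the success probability: β, η, ζ, |S| and d are unchanged, prob drops from ≈2^-51.2 to ≈2^-52.9 and ↻ rises by the same ≈1.7 bits, which accounts for the ≈1.8-bit increase in rop. That is the direction one expects if the old formula overestimated e-admissibility, but this doctest is the only regression check of the new formula; a direct unit test of `mitm_babai_probability` (monotone in stddev, tending to 1 as the GSO lengths grow, always within [0, 1]) would pin the formula down independently of the cost model.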
2 changes: 1 addition & 1 deletion estimator/lwe_dual.py
@@ -364,7 +364,7 @@ def __call__(
- When ζ > 1 and ``solver`` is ``exhaustive_search`` this function estimates
the hybrid attack as given in [INDOCRYPT:EspJouKha20]_
- When ζ > 1 and ``solver`` is ``mitm`` this function estimates the dual MITM
hybrid attack roughly following [EPRINT:CHHS19]_
hybrid attack roughly following [IEEE:CHHS19]_

EXAMPLES::

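Review bot: citation-key rename only; it is correct as long as docs/references.rst in this PR defines `[IEEE:CHHS19]` (it does, in the references.rst hunk above), otherwise this docstring cross-reference fails the docs build.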
2 changes: 1 addition & 1 deletion estimator/lwe_primal.py
@@ -420,7 +420,7 @@ def ssf(x):

if mitm and zeta > 0:
if babai:
probability *= mitm_babai_probability(r, params.Xe.stddev, params.q)
probability *= mitm_babai_probability(r, params.Xe.stddev)
else:
# TODO: the probability in this case needs to be analysed
probability *= 1
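Review bot: dropping `params.q` from this call changes the public signature of `prob.mitm_babai_probability`, so any out-of-tree caller passing three positional arguments now fails at call time; if that function is treated as API, consider accepting and ignoring `q` with a deprecation warning for one release. Not introduced by this PR but visible in the context: the `else` branch still does `probability *= 1` under a TODO, so the non-Babai MITM estimate continues to assume a success probability of 1, which underestimates the cost of that variant.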
4 changes: 2 additions & 2 deletions estimator/ntru.py
@@ -117,15 +117,15 @@ def __call__(
usvp :: rop: ≈2^162.1, red: ≈2^162.1, δ: 1.003557, β: 470, d: 1317, tag: usvp
bdd :: rop: ≈2^158.7, red: ≈2^157.7, svp: ≈2^157.7, β: 454, η: 489, d: 1306, tag: bdd
bdd_hybrid :: rop: ≈2^158.7, red: ≈2^157.7, svp: ≈2^157.7, β: 454, η: 489, ζ: 0, |S|: 1, d: ...
bdd_mitm_hybrid :: rop: ≈2^233.0, red: ≈2^232.1, svp: ≈2^232.0, β: 469, η: 2, ζ: 178, |S|: ...
bdd_mitm_hybrid :: rop: ≈2^235.7, red: ≈2^234.8, svp: ≈2^234.6, β: 469, η: 2, ζ: 178, |S|: ...

>>> params = NTRU.Parameters(n=113, q=512, Xs=ND.UniformMod(3), Xe=ND.UniformMod(3))
>>> _ = NTRU.estimate(params, catch_exceptions=False)
usvp :: rop: ≈2^46.0, red: ≈2^46.0, δ: 1.011516, β: 59, d: 221, tag: usvp
dsd :: rop: ≈2^37.9, red: ≈2^37.9, δ: 1.013310, β: 31, d: 226, tag: dsd
bdd :: rop: ≈2^42.4, red: ≈2^41.0, svp: ≈2^41.8, β: 41, η: 70, d: 225, tag: bdd
bdd_hybrid :: rop: ≈2^42.4, red: ≈2^41.0, svp: ≈2^41.8, β: 41, η: 70, ζ: 0, |S|: 1, d: 226, ...
bdd_mitm_hybrid :: rop: ≈2^55.6, red: ≈2^54.7, svp: ≈2^54.6, β: 41, η: 2, ζ: 32, |S|: ≈2^50.7, ...
bdd_mitm_hybrid :: rop: ≈2^55.8, red: ≈2^54.9, svp: ≈2^54.7, β: 41, η: 2, ζ: 32, |S|: ≈2^50.7, ...
"""
params = params.normalize()

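Review bot: the updated expectations move bdd_mitm_hybrid up by ≈2.7 bits (2^233.0 to 2^235.7) and ≈0.2 bits (2^55.6 to 2^55.8) while β, η, ζ and |S| stay the same, consistent with only the admissibility probability having changed. Because both lines are truncated with `...`, the doctest no longer checks `prob` or `↻`, which are exactly the fields this PR alters; consider showing them for at least one of the two parameter sets so the test actually guards the fix.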
28 changes: 9 additions & 19 deletions estimator/prob.py
@@ -1,7 +1,6 @@
# -*- coding: utf-8 -*-
from sage.all import binomial, ZZ, log, ceil, RealField, oo, exp, pi
from sage.all import RealDistribution, RR, sqrt, prod, erf
from .nd import sigmaf
from .conf import max_n_cache


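Review bot: removing `from .nd import sigmaf` is only safe if this was its last use in the module; the second hunk deletes the `alphaq = sigmaf(stddev)` line, so it should be, but a `grep -n sigmaf estimator/prob.py` before merge confirms it. While here, `log`, `ceil`, `RealField` and `oo` on the kept import line do not appear in either visible hunk; worth checking they are still used elsewhere in the file, otherwise the linter will flag them next.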
@@ -78,40 +77,31 @@ def gaussian_cdf(mu, sigma, t):
return RR((1/2)*(1 + erf((t - mu)/(sqrt(2)*sigma))))


def mitm_babai_probability(r, stddev, q, fast=False):
def mitm_babai_probability(r, stddev, fast=False):
"""
Compute the "e-admissibility" probability associated to the mitm step, according to
[EPRINT:SonChe19]_
[WAHC:SonChe19]_

:params r: the squared GSO lengths
:params stddev: the std.dev of the error distribution
:params q: the LWE modulus
:param fast: toggle for setting p = 1 (faster, but underestimates security)
:return: probability for the mitm process

# NOTE: the model sometimes outputs negative probabilities, we set p = 0 in this case
"""

if fast:
# overestimate the probability -> underestimate security
return 1

# get non-squared norms
alphaq = sigmaf(stddev)
probs = (
RR(
erf(s * sqrt(RR(pi)) / alphaq)
+ (alphaq / s) * ((exp(-s * sqrt(RR(pi)) / alphaq) - 1) / RR(pi))
)
for s in map(sqrt, r)
)
p = RR(prod(probs))
return p if 0 <= p <= 1 else 0.0
# Note: `r` contains *square norms*, so convert to non-square norms.
# Follow the proof of Lemma 4.2 [WAHC:SonChe19]_, because that one uses standard deviation.
xs = [sqrt(.5 * ri) / stddev for ri in r]
p = prod(RR(erf(x) - (1 - exp(-x**2)) / (x * sqrt(pi))) for x in xs)
assert 0.0 <= p <= 1.0
return p


def babai(r, norm):
"""
Babai probability following [EPRINT:Wun16]_.
Babai probability following [JMC:Wunderer19]_.

"""
denom = float(2 * norm) ** 2
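Review bot: please document the interval half-width behind `x`. The closed form `erf(x) - (1 - exp(-x**2)) / (x * sqrt(pi))` equals E[(1 - |e|/c)^+] for e ~ N(0, σ²) with x = c/(√2·σ), where c is the half-width of the admissible interval; the code sets x = sqrt(r_i/2)/σ = ‖b_i*‖/(√2·σ), i.e. c = ‖b_i*‖, whereas Babai's nearest-plane condition is usually stated as |e_i| ≤ ‖b_i*‖/2. A one-line comment stating which half-width Lemma 4.2 of [WAHC:SonChe19] uses (or that `r` is already scaled accordingly) would settle this, since a factor of 2 in x changes the probabilities substantially. Three smaller points: (1) `sqrt(pi)` with `pi` from sage.all is symbolic, so each term is built as a symbolic expression and then coerced by `RR(...)`; the removed code used `sqrt(RR(pi))`, and hoisting `RR(pi).sqrt()` out of the comprehension keeps the loop purely numeric. (2) The old clamp `return p if 0 <= p <= 1 else 0.0` is replaced by `assert 0.0 <= p <= 1.0`; the expectation above lies in [0, 1] for every x > 0 so the assert is sound, but a zero GSO length now raises `ZeroDivisionError` in `(x * sqrt(pi))` before the assert is reached, and in large dimension the product can underflow to exactly 0.0, which passes the assert but will blow up in any caller that takes 1/probability for the repetition count; a guard for both would be cheap. (3) The unchanged docstring lines `:params r:` and `:params stddev:` use the wrong field name and now sit next to the correct `:param fast:`; change them to `:param` so Sphinx renders them.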
2 changes: 1 addition & 1 deletion estimator/reduction.py
@@ -480,7 +480,7 @@ class LaaMosPol14(ReductionCost):

def __call__(self, beta, d, B=None):
"""
Runtime estimation for quantum sieving following [EPRINT:LaaMosPol14]_ and [PhD:Laarhoven15]_.
Runtime estimation for quantum sieving following [DCC:LaaMosPol15]_ and [PhD:Laarhoven15]_.

:param beta: Block size ≥ 2.
:param d: Lattice dimension.
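Review bot: the class keeps its name `LaaMosPol14` while the docstring now cites the 2015 journal version `[DCC:LaaMosPol15]_`; keeping the name is right for backwards compatibility, but a one-line comment that the class is named after the 2014 preprint of the same paper saves the next reader a lookup. The new key must exist in docs/references.rst; it is added in the references.rst hunk of this PR.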