github/concrete
1
1
Fork 0
mirror of https://github.com/zama-ai/concrete.git synced 2026-02-15 07:05:09 -05:00
Code Issues Packages Projects Releases Wiki Activity

update

Browse Source
This commit is contained in:
Ben
2021-08-09 12:57:26 +01:00
committed by GitHub
parent 279e3211cf
commit cbcc3cc8c9
1 changed files with 52 additions and 190 deletions
Download Patch File Download Diff File Expand all files Collapse all files

242
README.rst
View File

@@ -1,202 +1,64 @@
Security Estimates for the Learning with Errors Problem
=======================================================
Parameter curves for Concrete
=============
This `Sage <http://sagemath.org>`__ module provides functions for estimating the concrete security
of `Learning with Errors <https://en.wikipedia.org/wiki/Learning_with_errors>`__ instances.
This Github repository contains the code needed to generate the Parameter curves used inside Zama. The repository contains the following files:
The main intend of this estimator is to give designers an easy way to choose parameters resisting
known attacks and to enable cryptanalysts to compare their results and ideas with other techniques
known in the literature.
- estimator.py, a copy of the LWE Estimator
- scripts.py, a copy of all scripts required to generate the parameter curves
- data/, a folder containing the data generated for previous curves. This folder currently contains "v0.sobj", i.e. the data used for the v0 curves
Example
-------------------
This is an example of how to generate the parameter curves using the v0.sobj data file.
Usage Examples
--------------
::
sage: load("estimator.py")
sage: n, alpha, q = Param.Regev(128)
sage: costs = estimate_lwe(n, alpha, q)
usvp: rop: ≈2^57.3, red: ≈2^57.3, δ_0: 1.009214, β: 101, d: 349, m: 220
dec: rop: ≈2^61.9, m: 229, red: ≈2^61.9, δ_0: 1.009595, β: 93, d: 357, babai: ≈2^46.8, babai_op: ≈2^61.9, repeat: 293, ε: 0.015625
dual: rop: ≈2^81.1, m: 380, red: ≈2^81.1, δ_0: 1.008631, β: 115, d: 380, |v|: 688.951, repeat: ≈2^17.0, ε: 0.007812
sage: load("scripts.py")
sage: interps = []
sage: results = load("v0.sobj")
sage: for result in results:
sage: interps.append(interpolate_result(result, log_q = 64))
sage: interps
[(-0.040476778656126484, 1.143346508563902),
(-0.03417207792207793, 1.4805194805194737),
(-0.029681716023268107, 1.752723426758335),
(-0.0263748887657055, 2.0121439233304894),
(-0.023730136557783763, 2.1537066948924095),
(-0.021604493958972515, 2.2696862472846204),
(-0.019897520946588438, 2.4423829771964796),
(-0.018504919354426233, 2.6634073426215745),
(-0.017254242957361113, 2.7353702447139026),
(-0.016178309410530816, 2.8493969373734758),
(-0.01541034709414119, 3.1982749283836283),
(-0.014327640360322604, 2.899270827311096)]
::
Online
------
You can `run the estimator
online <http://aleph.sagemath.org/?z=eJxNjcEKwjAQBe-F_kPoqYXYjZWkKHgQFPyLkOhii6mJyWrx782hiO84MPOcN9e6GohC2gHYkezrckdqfbzBZJwFN-MKE42TIR8hmhnOp8MRfqgNn6opiwdnxoXBcPZke9ZJxZlohRDbXknVSbGMMyXlpi-LhKTfGK1PWK-zr7O1NFHnz_ov2HwBPwsyhw==&lang=sage>`__
using the `Sage Math Cell <http://aleph.sagemath.org/>`__ server.
Coverage
--------
At present the following algorithms are covered by this estimator.
- meet-in-the-middle exhaustive search
- Coded-BKW [C:GuoJohSta15]
- dual-lattice attack and small/sparse secret variant [EC:Albrecht17]
- lattice-reduction + enumeration [RSA:LinPei11]
- primal attack via uSVP [USENIX:ADPS16,ACISP:BaiGal14]
- Arora-Ge algorithm [ICALP:AroGe11] using Gröbner bases
[EPRINT:ACFP14]
The following distributions for the secret are supported:
- ``"normal"`` : normal form instances, i.e. the secret follows the noise distribution (alias: ``True``)
- ``"uniform"`` : uniform mod q (alias: ``False``)
- ``(a,b)`` : uniform in the interval ``[a,…,b]``
- ``((a,b), h)`` : exactly ``h`` components are ``∈ [a,…,b]\{0}``, all other components are zero
We note that distributions of the form ``(a,b)`` are assumed to be of fixed Hamming weight, with ``h = round((b-a)/(b-a+1) * n)``.
Above, we use `cryptobib <http://cryptobib.di.ens.fr>`__-style bibtex keys as references.
Documentation
-------------
Documentation for the ``estimator`` is available `here <https://lwe-estimator.readthedocs.io/>`__.
Evolution
---------
This code is evolving, new results are added and bugs are fixed. Hence, estimations from earlier
versions might not match current estimations. This is annoying but unavoidable at present. We
recommend to also state the commit that was used when referencing this project.
We also encourage authors to let us know if their paper uses this code. In particular, we thrive to
tag commits with those cryptobib ePrint references that use it. For example, `this commit
<https://bitbucket.org/malb/lwe-estimator/src/6295aa59048daa5d9598378386cb61887a1fe949/?at=EPRINT_Albrecht17>`__
corresponds to this `ePrint entry <https://ia.cr/2017/047>`__.
Contributions
-------------
Our intent is for this estimator to be maintained by the research community. For example, we
encourage algorithm designers to add their own algorithms to this estimator and we are happy to help
with that process.
More generally, all contributions such as bugfixes, documentation and tests are welcome. Please go
ahead and submit your pull requests. Also, dont forget to add yourself to the list of contributors
below in your pull requests.
At present, this estimator is maintained by Martin Albrecht. Contributors are:
- Benjamin Curtis
- Cedric Lefebvre
- Fernando Virdia
- Florian Göpfert
- James Owen
- Léo Ducas
- Markus Schmidt
- Martin Albrecht
- Rachel Player
- Sam Scott
Please follow `PEP8 <https://www.python.org/dev/peps/pep-0008/>`__ in your submissions. You can use
`flake8 <http://flake8.pycqa.org/en/latest/>`__ to check for compliance. We use the following flake8
configuration (to allow longer line numbers and more complex functions):
Finding the value of n_{alpha} is done manually. We can also verify the interpolants which are generated at the same time:
::
[flake8]
max-line-length = 120
max-complexity = 16
ignore = E22,E241
# verify the interpolant used for lambda = 256 (which is interps[-1])
sage: z = verify_interpolants(interps[-1], (128,2048), 64)
[... code runs, can take ~10 mins ...]
# find the index corresponding to n_alpha, which is where security drops below the target security level (256 here)
sage: n_alpha = find_nalpha(z, 256)
653
# so the model in this case is
(-0.014327640360322604, 2.899270827311096, 653)
# which corresponds to
# sd(n) = max(-0.014327640360322604 * n + 2.899270827311096, -logq + 2), n >= 653
::
Bugs
----
TODO List
-------------------
If you run into a bug, please open an `issue on bitbucket
<https://bitbucket.org/malb/lwe-estimator/issues?status=new&status=open>`__. Also, please check
first if the issue has already been reported.
Citing
------
If you use this estimator in your work, please cite
| Martin R. Albrecht, Rachel Player and Sam Scott. *On the concrete hardness of Learning with Errors*.
| Journal of Mathematical Cryptology. Volume 9, Issue 3, Pages 169203, ISSN (Online) 1862-2984,
| ISSN (Print) 1862-2976 DOI: 10.1515/jmc-2015-0016, October 2015
A pre-print is available as
Cryptology ePrint Archive, Report 2015/046, 2015. https://eprint.iacr.org/2015/046
An updated version of the material covered in the above survey is available in
`Rachel Player's PhD thesis <https://pure.royalholloway.ac.uk/portal/files/29983580/2018playerrphd.pdf>`__.
License
-------
The esimator is licensed under the `LGPLv3+ <https://www.gnu.org/licenses/lgpl-3.0.en.html>`__ license.
Parameters from the Literature
------------------------------
The following estimates for various schemes from the literature illustrate the behaviour of the
``estimator``. These estimates do not necessarily correspond to the claimed security levels of the
respective schemes: for several parameter sets below the claimed security level by the designers is
lower than the complexity estimated by the ``estimator``. This is usually because the designers
anticipate potential future improvements to lattice-reduction algorithms and strategies. We
recommend to follow the designers decision. We intend to extend the estimator to cover these more
optimistic (from an attackers point of view) estimates in the future … pull requests welcome, as
always.
`New Hope <http://ia.cr/2015/1092>`__ ::
sage: load("estimator.py")
sage: n = 1024; q = 12289; stddev = sqrt(16/2); alpha = alphaf(sigmaf(stddev), q)
sage: _ = estimate_lwe(n, alpha, q, reduction_cost_model=BKZ.sieve)
usvp: rop: ≈2^313.1, red: ≈2^313.1, δ_0: 1.002094, β: 968, d: 2096, m: 1071
dec: rop: ≈2^410.0, m: 1308, red: ≈2^410.0, δ_0: 1.001763, β: 1213, d: 2332, babai: ≈2^395.5, babai_op: ≈2^410.6, repeat: ≈2^25.2, ε: ≈2^-23.0
dual: rop: ≈2^355.5, m: 1239, red: ≈2^355.5, δ_0: 1.001884, β: 1113, repeat: ≈2^307.0, d: 2263, c: 1
`Frodo <http://ia.cr/2016/659>`__ ::
sage: load("estimator.py")
sage: n = 752; q = 2^15; stddev = sqrt(1.75); alpha = alphaf(sigmaf(stddev), q)
sage: _ = estimate_lwe(n, alpha, q, reduction_cost_model=BKZ.sieve)
usvp: rop: ≈2^173.0, red: ≈2^173.0, δ_0: 1.003453, β: 490, d: 1448, m: 695
dec: rop: ≈2^208.3, m: 829, red: ≈2^208.3, δ_0: 1.003064, β: 579, d: 1581, babai: ≈2^194.5, babai_op: ≈2^209.6, repeat: 588, ε: 0.007812
dual: rop: ≈2^196.2, m: 836, red: ≈2^196.2, δ_0: 1.003104, β: 569, repeat: ≈2^135.0, d: 1588, c: 1
`TESLA <http://ia.cr/2015/755>`__ ::
sage: load("estimator.py")
sage: n = 804; q = 2^31 - 19; alpha = sqrt(2*pi)*57/q; m = 4972
sage: _ = estimate_lwe(n, alpha, q, m=m, reduction_cost_model=BKZ.sieve)
usvp: rop: ≈2^129.3, red: ≈2^129.3, δ_0: 1.004461, β: 339, d: 1937, m: 1132
dec: rop: ≈2^144.9, m: 1237, red: ≈2^144.9, δ_0: 1.004148, β: 378, d: 2041, babai: ≈2^130.9, babai_op: ≈2^146.0, repeat: 17, ε: 0.250000
dual: rop: ≈2^139.4, m: 1231, red: ≈2^139.4, δ_0: 1.004180, β: 373, repeat: ≈2^93.0, d: 2035, c: 1
`SEAL <https://www.microsoft.com/en-us/research/project/simple-encrypted-arithmetic-library/>`__ ::
sage: load("estimator.py")
sage: n = 2048; q = 2^54 - 2^24 + 1; alpha = 8/q; m = 2*n
sage: _ = estimate_lwe(n, alpha, q, secret_distribution=(-1,1), reduction_cost_model=BKZ.sieve, m=m)
Warning: the LWE secret is assumed to have Hamming weight 1365.
usvp: rop: ≈2^129.7, red: ≈2^129.7, δ_0: 1.004479, β: 337, d: 3914, m: 1865, repeat: 1, k: 0, postprocess: 0
dec: rop: ≈2^144.4, m: ≈2^11.1, red: ≈2^144.4, δ_0: 1.004154, β: 377, d: 4272, babai: ≈2^131.2, babai_op: ≈2^146.3, repeat: 7, ε: 0.500000
dual: rop: ≈2^134.2, m: ≈2^11.0, red: ≈2^134.2, δ_0: 1.004353, β: 352, repeat: ≈2^59.6, d: 4091, c: 3.909, k: 32, postprocess: 10
`LightSaber <https://www.esat.kuleuven.be/cosic/pqcrypto/saber/files/SABER_KEM_Round_2.zip>`__ ::
sage: load("estimator.py")
sage: n = 512
sage: q = 8192
sage: alpha_0 = alphaf(sqrt(10/4.0), q, sigma_is_stddev=True) # error
sage: alpha_1 = alphaf(sqrt(21/4.0), q, sigma_is_stddev=True) # secret
sage: primal_usvp(n, alpha_0, q, secret_distribution=alpha_1, m=n, reduction_cost_model=BKZ.ADPS16) # not enough samples
Traceback (most recent call last):
...
NotImplementedError: secret size 0.000701 > error size 0.000484
sage: primal_usvp(n, alpha_1, q, secret_distribution=alpha_0, m=n, reduction_cost_model=BKZ.ADPS16)
rop: 2^118.0
red: 2^118.0
delta_0: 1.003955
beta: 404
d: 1022
m: 509
There are several updates which are still required.
1. Consider Hybrid attacks (WIP, Michael + Ben are coding up hybrid-dual/hybrid-decoding estimates)
2. Consider MITM attacks for small values of n (WIP, Michael has coded this up in the Zama internal estimator, I just need to add it to the parameter curves code).
3. As part of (2), the version of the LWE Estimator used needs to be edited to use Zama's internal estimator.
4. Add an example of how to _generate_ the parameter curves in the first place.
5. CI/CD stuff for new pushes to the external LWE Estimator.
6. Fully automate the process of finding n_{alpha} for each curve.
7. Functionality for q =! 64? This is covered by the curve, but we currently don't account for it in the models, and it needs to be done manually.