From cbcc3cc8c947cd135c4da4b87614d0e7237623d5 Mon Sep 17 00:00:00 2001 From: Ben Date: Mon, 9 Aug 2021 12:57:26 +0100 Subject: [PATCH] update --- README.rst | 242 ++++++++++++----------------------------------------- 1 file changed, 52 insertions(+), 190 deletions(-) diff --git a/README.rst b/README.rst index ebe6db180..a1aeedbe7 100644 --- a/README.rst +++ b/README.rst @@ -1,202 +1,64 @@ -Security Estimates for the Learning with Errors Problem -======================================================= +Parameter curves for Concrete +============= -This `Sage `__ module provides functions for estimating the concrete security -of `Learning with Errors `__ instances. +This Github repository contains the code needed to generate the Parameter curves used inside Zama. The repository contains the following files: -The main intend of this estimator is to give designers an easy way to choose parameters resisting -known attacks and to enable cryptanalysts to compare their results and ideas with other techniques -known in the literature. +- estimator.py, a copy of the LWE Estimator +- scripts.py, a copy of all scripts required to generate the parameter curves +- data/, a folder containing the data generated for previous curves. This folder currently contains "v0.sobj", i.e. the data used for the v0 curves + +Example +------------------- +This is an example of how to generate the parameter curves using the v0.sobj data file. -Usage Examples --------------- :: - sage: load("estimator.py") - sage: n, alpha, q = Param.Regev(128) - sage: costs = estimate_lwe(n, alpha, q) - usvp: rop: ≈2^57.3, red: ≈2^57.3, δ_0: 1.009214, β: 101, d: 349, m: 220 - dec: rop: ≈2^61.9, m: 229, red: ≈2^61.9, δ_0: 1.009595, β: 93, d: 357, babai: ≈2^46.8, babai_op: ≈2^61.9, repeat: 293, ε: 0.015625 - dual: rop: ≈2^81.1, m: 380, red: ≈2^81.1, δ_0: 1.008631, β: 115, d: 380, |v|: 688.951, repeat: ≈2^17.0, ε: 0.007812 + sage: load("scripts.py") + sage: interps = [] + sage: results = load("v0.sobj") + sage: for result in results: + sage: interps.append(interpolate_result(result, log_q = 64)) + sage: interps + [(-0.040476778656126484, 1.143346508563902), + (-0.03417207792207793, 1.4805194805194737), + (-0.029681716023268107, 1.752723426758335), + (-0.0263748887657055, 2.0121439233304894), + (-0.023730136557783763, 2.1537066948924095), + (-0.021604493958972515, 2.2696862472846204), + (-0.019897520946588438, 2.4423829771964796), + (-0.018504919354426233, 2.6634073426215745), + (-0.017254242957361113, 2.7353702447139026), + (-0.016178309410530816, 2.8493969373734758), + (-0.01541034709414119, 3.1982749283836283), + (-0.014327640360322604, 2.899270827311096)] +:: -Online ------- - -You can `run the estimator -online `__ -using the `Sage Math Cell `__ server. - -Coverage --------- - -At present the following algorithms are covered by this estimator. - -- meet-in-the-middle exhaustive search -- Coded-BKW [C:GuoJohSta15] -- dual-lattice attack and small/sparse secret variant [EC:Albrecht17] -- lattice-reduction + enumeration [RSA:LinPei11] -- primal attack via uSVP [USENIX:ADPS16,ACISP:BaiGal14] -- Arora-Ge algorithm [ICALP:AroGe11] using Gröbner bases - [EPRINT:ACFP14] - -The following distributions for the secret are supported: - -- ``"normal"`` : normal form instances, i.e. the secret follows the noise distribution (alias: ``True``) -- ``"uniform"`` : uniform mod q (alias: ``False``) -- ``(a,b)`` : uniform in the interval ``[a,…,b]`` -- ``((a,b), h)`` : exactly ``h`` components are ``∈ [a,…,b]\{0}``, all other components are zero - -We note that distributions of the form ``(a,b)`` are assumed to be of fixed Hamming weight, with ``h = round((b-a)/(b-a+1) * n)``. - -Above, we use `cryptobib `__-style bibtex keys as references. - -Documentation -------------- - -Documentation for the ``estimator`` is available `here `__. - -Evolution ---------- - -This code is evolving, new results are added and bugs are fixed. Hence, estimations from earlier -versions might not match current estimations. This is annoying but unavoidable at present. We -recommend to also state the commit that was used when referencing this project. - -We also encourage authors to let us know if their paper uses this code. In particular, we thrive to -tag commits with those cryptobib ePrint references that use it. For example, `this commit -`__ -corresponds to this `ePrint entry `__. - -Contributions -------------- - -Our intent is for this estimator to be maintained by the research community. For example, we -encourage algorithm designers to add their own algorithms to this estimator and we are happy to help -with that process. - -More generally, all contributions such as bugfixes, documentation and tests are welcome. Please go -ahead and submit your pull requests. Also, don’t forget to add yourself to the list of contributors -below in your pull requests. - -At present, this estimator is maintained by Martin Albrecht. Contributors are: - -- Benjamin Curtis -- Cedric Lefebvre -- Fernando Virdia -- Florian Göpfert -- James Owen -- Léo Ducas -- Markus Schmidt -- Martin Albrecht -- Rachel Player -- Sam Scott - -Please follow `PEP8 `__ in your submissions. You can use -`flake8 `__ to check for compliance. We use the following flake8 -configuration (to allow longer line numbers and more complex functions): +Finding the value of n_{alpha} is done manually. We can also verify the interpolants which are generated at the same time: :: - [flake8] - max-line-length = 120 - max-complexity = 16 - ignore = E22,E241 + # verify the interpolant used for lambda = 256 (which is interps[-1]) + sage: z = verify_interpolants(interps[-1], (128,2048), 64) + [... code runs, can take ~10 mins ...] + # find the index corresponding to n_alpha, which is where security drops below the target security level (256 here) + sage: n_alpha = find_nalpha(z, 256) + 653 + + # so the model in this case is + (-0.014327640360322604, 2.899270827311096, 653) + # which corresponds to + # sd(n) = max(-0.014327640360322604 * n + 2.899270827311096, -logq + 2), n >= 653 +:: -Bugs ----- +TODO List +------------------- -If you run into a bug, please open an `issue on bitbucket -`__. Also, please check -first if the issue has already been reported. - -Citing ------- - -If you use this estimator in your work, please cite - - | Martin R. Albrecht, Rachel Player and Sam Scott. *On the concrete hardness of Learning with Errors*. - | Journal of Mathematical Cryptology. Volume 9, Issue 3, Pages 169–203, ISSN (Online) 1862-2984, - | ISSN (Print) 1862-2976 DOI: 10.1515/jmc-2015-0016, October 2015 - -A pre-print is available as - - Cryptology ePrint Archive, Report 2015/046, 2015. https://eprint.iacr.org/2015/046 - -An updated version of the material covered in the above survey is available in -`Rachel Player's PhD thesis `__. - -License -------- - -The esimator is licensed under the `LGPLv3+ `__ license. - - -Parameters from the Literature ------------------------------- - -The following estimates for various schemes from the literature illustrate the behaviour of the -``estimator``. These estimates do not necessarily correspond to the claimed security levels of the -respective schemes: for several parameter sets below the claimed security level by the designers’ is -lower than the complexity estimated by the ``estimator``. This is usually because the designers -anticipate potential future improvements to lattice-reduction algorithms and strategies. We -recommend to follow the designers’ decision. We intend to extend the estimator to cover these more -optimistic (from an attacker’s point of view) estimates in the future … pull requests welcome, as -always. - -`New Hope `__ :: - - sage: load("estimator.py") - sage: n = 1024; q = 12289; stddev = sqrt(16/2); alpha = alphaf(sigmaf(stddev), q) - sage: _ = estimate_lwe(n, alpha, q, reduction_cost_model=BKZ.sieve) - usvp: rop: ≈2^313.1, red: ≈2^313.1, δ_0: 1.002094, β: 968, d: 2096, m: 1071 - dec: rop: ≈2^410.0, m: 1308, red: ≈2^410.0, δ_0: 1.001763, β: 1213, d: 2332, babai: ≈2^395.5, babai_op: ≈2^410.6, repeat: ≈2^25.2, ε: ≈2^-23.0 - dual: rop: ≈2^355.5, m: 1239, red: ≈2^355.5, δ_0: 1.001884, β: 1113, repeat: ≈2^307.0, d: 2263, c: 1 - -`Frodo `__ :: - - sage: load("estimator.py") - sage: n = 752; q = 2^15; stddev = sqrt(1.75); alpha = alphaf(sigmaf(stddev), q) - sage: _ = estimate_lwe(n, alpha, q, reduction_cost_model=BKZ.sieve) - usvp: rop: ≈2^173.0, red: ≈2^173.0, δ_0: 1.003453, β: 490, d: 1448, m: 695 - dec: rop: ≈2^208.3, m: 829, red: ≈2^208.3, δ_0: 1.003064, β: 579, d: 1581, babai: ≈2^194.5, babai_op: ≈2^209.6, repeat: 588, ε: 0.007812 - dual: rop: ≈2^196.2, m: 836, red: ≈2^196.2, δ_0: 1.003104, β: 569, repeat: ≈2^135.0, d: 1588, c: 1 - -`TESLA `__ :: - - sage: load("estimator.py") - sage: n = 804; q = 2^31 - 19; alpha = sqrt(2*pi)*57/q; m = 4972 - sage: _ = estimate_lwe(n, alpha, q, m=m, reduction_cost_model=BKZ.sieve) - usvp: rop: ≈2^129.3, red: ≈2^129.3, δ_0: 1.004461, β: 339, d: 1937, m: 1132 - dec: rop: ≈2^144.9, m: 1237, red: ≈2^144.9, δ_0: 1.004148, β: 378, d: 2041, babai: ≈2^130.9, babai_op: ≈2^146.0, repeat: 17, ε: 0.250000 - dual: rop: ≈2^139.4, m: 1231, red: ≈2^139.4, δ_0: 1.004180, β: 373, repeat: ≈2^93.0, d: 2035, c: 1 - -`SEAL `__ :: - - sage: load("estimator.py") - sage: n = 2048; q = 2^54 - 2^24 + 1; alpha = 8/q; m = 2*n - sage: _ = estimate_lwe(n, alpha, q, secret_distribution=(-1,1), reduction_cost_model=BKZ.sieve, m=m) - Warning: the LWE secret is assumed to have Hamming weight 1365. - usvp: rop: ≈2^129.7, red: ≈2^129.7, δ_0: 1.004479, β: 337, d: 3914, m: 1865, repeat: 1, k: 0, postprocess: 0 - dec: rop: ≈2^144.4, m: ≈2^11.1, red: ≈2^144.4, δ_0: 1.004154, β: 377, d: 4272, babai: ≈2^131.2, babai_op: ≈2^146.3, repeat: 7, ε: 0.500000 - dual: rop: ≈2^134.2, m: ≈2^11.0, red: ≈2^134.2, δ_0: 1.004353, β: 352, repeat: ≈2^59.6, d: 4091, c: 3.909, k: 32, postprocess: 10 - -`LightSaber `__ :: - - sage: load("estimator.py") - sage: n = 512 - sage: q = 8192 - sage: alpha_0 = alphaf(sqrt(10/4.0), q, sigma_is_stddev=True) # error - sage: alpha_1 = alphaf(sqrt(21/4.0), q, sigma_is_stddev=True) # secret - sage: primal_usvp(n, alpha_0, q, secret_distribution=alpha_1, m=n, reduction_cost_model=BKZ.ADPS16) # not enough samples - Traceback (most recent call last): - ... - NotImplementedError: secret size 0.000701 > error size 0.000484 - - sage: primal_usvp(n, alpha_1, q, secret_distribution=alpha_0, m=n, reduction_cost_model=BKZ.ADPS16) - rop: 2^118.0 - red: 2^118.0 - delta_0: 1.003955 - beta: 404 - d: 1022 - m: 509 +There are several updates which are still required. + 1. Consider Hybrid attacks (WIP, Michael + Ben are coding up hybrid-dual/hybrid-decoding estimates) + 2. Consider MITM attacks for small values of n (WIP, Michael has coded this up in the Zama internal estimator, I just need to add it to the parameter curves code). + 3. As part of (2), the version of the LWE Estimator used needs to be edited to use Zama's internal estimator. + 4. Add an example of how to _generate_ the parameter curves in the first place. + 5. CI/CD stuff for new pushes to the external LWE Estimator. + 6. Fully automate the process of finding n_{alpha} for each curve. + 7. Functionality for q =! 64? This is covered by the curve, but we currently don't account for it in the models, and it needs to be done manually.