diff --git a/new_scripts.py b/new_scripts.py index 38dd212ce..20e7fc265 100644 --- a/new_scripts.py +++ b/new_scripts.py @@ -186,5 +186,286 @@ c = int(sys.argv[3]) # run the code generate_zama_curves64(sd_range= (b,c), target_security_levels=[a], name="{}".format(a)) +from estimator_new import * +from sage.all import oo, save, load +from math import log2 +import multiprocessing +def old_models(security_level, sd, logq=32): + """ + Use the old model as a starting point for the data gathering step + :param security_level: the security level under consideration + :param sd : the standard deviation of the LWE error distribution Xe + :param logq : the (base 2 log) value of the LWE modulus q + """ + + def evaluate_model(a, b, stddev=sd): + return (stddev - b)/a + + models = dict() + + models["80"] = (-0.04049295502947623, 1.1288318226557081 + logq) + models["96"] = (-0.03416314056943681, 1.4704806061716345 + logq) + models["112"] = (-0.02970984362676178, 1.7848907787798667 + logq) + models["128"] = (-0.026361288425133814, 2.0014671315214696 + logq) + models["144"] = (-0.023744534465622812, 2.1710601038230712 + logq) + models["160"] = (-0.021667220727651954, 2.3565507936475476 + logq) + models["176"] = (-0.019947662046189942, 2.5109588704235803 + logq) + models["192"] = (-0.018552804646747204, 2.7168913723130816 + logq) + models["208"] = (-0.017291091126923574, 2.7956961446214326 + logq) + models["224"] = (-0.016257546811508806, 2.9582401000615226 + logq) + models["240"] = (-0.015329741032015766, 3.0744579055889782 + logq) + models["256"] = (-0.014530554319171845, 3.2094375376751745 + logq) + + (a, b) = models["{}".format(security_level)] + n_est = evaluate_model(a, b, sd) + + return round(n_est) + + +def estimate(params, red_cost_model=RC.BDGL16, skip=("arora-gb", "bkw")): + """ + Retrieve an estimate using the Lattice Estimator, for a given set of input parameters + :param params: the input LWE parameters + :param red_cost_model: the lattice reduction cost model + :param skip: attacks to skip + """ + + est = LWE.estimate(params, red_cost_model=red_cost_model, deny_list=skip) + + return est + + +def get_security_level(est, dp=2): + """ + Get the security level lambda from a Lattice Estimator output + :param est: the Lattice Estimator output + :param dp: the number of decimal places to consider + """ + attack_costs = [] + # note: key does not need to be specified est vs est.keys() + for key in est: + attack_costs.append(est[key]["rop"]) + # get the security level correct to 'dp' decimal places + security_level = round(log2(min(attack_costs)), dp) + + return security_level + + +def inequality(x, y): + """ A utility function which compresses the conditions x < y and x > y into a single condition via a multiplier + :param x: the LHS of the inequality + :param y: the RHS of the inequality + """ + if x <= y: + return 1 + + if x > y: + return -1 + + +def automated_param_select_n(params, target_security=128): + """ A function used to generate the smallest value of n which allows for + target_security bits of security, for the input values of (params.Xe.stddev,params.q) + :param params: the standard deviation of the error + :param target_security: the target number of bits of security, 128 is default + + EXAMPLE: + sage: X = automated_param_select_n(Kyber512, target_security = 128) + sage: X + 456 + """ + + # get an estimate based on the prev. model + print("n = {}".format(params.n)) + n_start = old_models(target_security, log2(params.Xe.stddev), log2(params.q)) + # n_start = max(n_start, 450) + # TODO: think about throwing an error if the required n < 450 + + params = params.updated(n=n_start) + costs2 = estimate(params) + security_level = get_security_level(costs2, 2) + z = inequality(security_level, target_security) + + # we keep n > 2 * target_security as a rough baseline for mitm security (on binary key guessing) + while z * security_level < z * target_security: + # TODO: fill in this case! For n > 1024 we only need to consider every 256 (optimization) + params = params.updated(n = params.n + z * 8) + costs = estimate(params) + security_level = get_security_level(costs, 2) + + if -1 * params.Xe.stddev > 0: + print("target security level is unattainable") + break + + # final estimate (we went too far in the above loop) + if security_level < target_security: + # we make n larger + print("we make n larger") + params = params.updated(n=params.n + 8) + costs = estimate(params) + security_level = get_security_level(costs, 2) + + print("the finalised parameters are n = {}, log2(sd) = {}, log2(q) = {}, with a security level of {}-bits".format(params.n, + log2(params.Xe.stddev), + log2(params.q), + security_level)) + + if security_level < target_security: + params.updated(n=None) + + return params, security_level + + +def generate_parameter_matrix(params_in, sd_range, target_security_levels=[128], name="default_name"): + """ + :param params_in: a initial set of LWE parameters + :param sd_range: a tuple (sd_min, sd_max) giving the values of sd for which to generate parameters + :param target_security_levels: a list of the target number of bits of security, 128 is default + :param name: a name to save the file + """ + + (sd_min, sd_max) = sd_range + for lam in target_security_levels: + for sd in range(sd_min, sd_max + 1): + print("run for {}".format(lam, sd)) + Xe_new = nd.NoiseDistribution.DiscreteGaussian(2**sd) + (params_out, sec) = automated_param_select_n(params_in.updated(Xe=Xe_new), target_security=lam) + + try: + results = load("{}.sobj".format(name)) + except: + results = dict() + results["{}".format(lam)] = [] + + results["{}".format(lam)].append((params_out.n, log2(params_out.q), log2(params_out.Xe.stddev), sec)) + save(results, "{}.sobj".format(name)) + + return results + + +def generate_zama_curves64(sd_range=[2, 58], target_security_levels=[128], name="default_name"): + """ + The top level function which we use to run the experiment + + :param sd_range: a tuple (sd_min, sd_max) giving the values of sd for which to generate parameters + :param target_security_levels: a list of the target number of bits of security, 128 is default + :param name: a name to save the file + """ + if __name__ == '__main__': + + D = ND.DiscreteGaussian + vals = range(sd_range[0], sd_range[1]) + pool = multiprocessing.Pool(2) + init_params = LWE.Parameters(n=1024, q=2 ** 64, Xs=D(0.50, -0.50), Xe=D(2 ** 55), m=oo, tag='params') + inputs = [(init_params, (val, val), target_security_levels, name) for val in vals] + res = pool.starmap(generate_parameter_matrix, inputs) + + return "done" + + +# The script runs the following commands +import sys +# grab values of the command-line input arguments +a = int(sys.argv[1]) +b = int(sys.argv[2]) +c = int(sys.argv[3]) +# run the code +generate_zama_curves64(sd_range= (b,c), target_security_levels=[a], name="{}".format(a)) + +import numpy as np +from sage.all import save, load + +def sort_data(security_level): + from operator import itemgetter + + # step 1. load the data + X = load("{}.sobj".format(security_level)) + + # step 2. sort by SD + x = sorted(X["{}".format(security_level)], key = itemgetter(2)) + + # step3. replace the sorted value + X["{}".format(security_level)] = x + + return X + +def generate_curve(security_level): + + # step 1. get the data + X = sort_data(security_level) + + # step 2. group the n and sigma data into lists + N = [] + SD = [] + for x in X["{}".format(security_level)]: + N.append(x[0]) + SD.append(x[2] + 0.5) + + # step 3. perform interpolation and return coefficients + (a,b) = np.polyfit(N, SD, 1) + + return a, b + + +def verify_curve(security_level, a = None, b = None): + + # step 1. get the table and max values of n, sd + X = sort_data(security_level) + n_max = X["{}".format(security_level)][0][0] + sd_max = X["{}".format(security_level)][-1][2] + + # step 2. a function to get model values + def f_model(a, b, n): + return ceil(a * n + b) + + # step 3. a function to get table values + def f_table(table, n): + for i in range(len(table)): + n_val = table[i][0] + if n < n_val: + pass + else: + j = i + break + + # now j is the correct index, we return the corresponding sd + return table[j][2] + + # step 3. for each n, check whether we satisfy the table + n_min = max(2 * security_level, 450, X["{}".format(security_level)][-1][0]) + print(n_min) + print(n_max) + + for n in range(n_max, n_min, - 1): + model_sd = f_model(a, b, n) + table_sd = f_table(X["{}".format(security_level)], n) + print(n , table_sd, model_sd, model_sd >= table_sd) + + if table_sd > model_sd: + print("MODEL FAILS at n = {}".format(n)) + return "FAIL" + + return "PASS", n_min + + +def generate_and_verify(security_levels, log_q, name = "verified_curves"): + + data = [] + + for sec in security_levels: + print("WE GO FOR {}".format(sec)) + # generate the model for security level sec + (a_sec, b_sec) = generate_curve(sec) + # verify the model for security level sec + res = verify_curve(sec, a_sec, b_sec) + # append the information into a list + data.append((a_sec, b_sec - log_q, sec, res[0], res[1])) + save(data, "{}.sobj".format(name)) + + return data + +# To verify the curves we use +generate_and_verify([80, 96, 112, 128, 144, 160, 176, 192, 256], log_q = 64) +