LWE 评估器

源码：https://github.com/malb/lattice-estimator

文档：https://lattice-estimator.readthedocs.io/en/latest/readme_link.html#

作者：Martin Albrecht、Léo Ducas 等人

源文件分析

estimator 文件树

.
├── __init__.py
├── __pycache__
│   ├── __init__.cpython-310.pyc
│   ├── conf.cpython-310.pyc
│   ├── cost.cpython-310.pyc
│   ├── errors.cpython-310.pyc
│   ├── gb.cpython-310.pyc
│   ├── io.cpython-310.pyc
│   ├── lwe.cpython-310.pyc
│   ├── lwe_bkw.cpython-310.pyc
│   ├── lwe_dual.cpython-310.pyc
│   ├── lwe_guess.cpython-310.pyc
│   ├── lwe_parameters.cpython-310.pyc
│   ├── lwe_primal.cpython-310.pyc
│   ├── nd.cpython-310.pyc
│   ├── prob.cpython-310.pyc
│   ├── reduction.cpython-310.pyc
│   ├── schemes.cpython-310.pyc
│   ├── simulator.cpython-310.pyc
│   └── util.cpython-310.pyc
├── conf.py
├── cost.py
├── errors.py
├── gb.py
├── io.py
├── lwe.py
├── lwe_bkw.py
├── lwe_dual.py
├── lwe_guess.py
├── lwe_parameters.py
├── lwe_primal.py
├── nd.py
├── prob.py
├── reduction.py
├── schemes.py
├── simulator.py
└── util.py

nd.py

from .nd import NoiseDistribution as ND

离散高斯分布：

• DiscreteGaussian(stddev, mean=0, n=None)，均值为 $mean$，标准差为 $stddev$

• DiscreteGaussianAlpha(alpha, q, mean=0, n=None)，均值为 $mean$，标准差为 $stddev=\frac{alpha\cdot q}{\sqrt{2\pi }}$

中心二项分布：CenteredBinomial(eta, n=None)，均值为 $mean=0$，标准差为 $stddev=\sqrt{\frac{eta}{2}}$

均匀分布：

• Uniform(a, b, n=None)，均值为 $mean=\frac{a+b}{2}$，标准差为 $stddev=\sqrt{\frac{(b-a{)}^2}{12}}$

• UniformMod(q, n=None)，均值为 $mean=0$，标准差为 $stddev=\sqrt{\frac{q^2}{12}}$

稀疏三元分布：ND.SparseTernary(n,p,m)，均值为 $mean=\frac{p-m}{n}$，标准差为 $stddev=\sqrt{\frac{p\cdot (1-mean{)}^2+m\cdot (-1-mean{)}^2+(n-p-m)\cdot mea{n}^2}{n}}$

lwe_parameters.py

from .lwe_parameters import LWEParameters as Parameters

设置参数：LWE.Parameters(n, q, Xs, Xe)

• （标准）LWE 的维度为 $n$，模数为 $q$
• 秘密的分布为 $Xs$
• 噪声的分布为 $Xe$

schemes.py

定义了一些知名密码方案的参数：

• Kyber、Saber、NTRU、Frodo、TFHE、FHEW
• SEAL、HElib

lwe.py

from . import lwe as LWE

包含的攻击方案有：Coded-BKW、Primal-uSVP、Primal-BDD、Primal-BDD-Hybrid、Primal-BDD-MITM-Hybrid、Dual、Dual-Hybrid、Dual-MITM-Hybrid、Arora-Ge，

from .lwe_primal import primal_usvp, primal_bdd, primal_hybrid
from .lwe_bkw import coded_bkw
from .lwe_guess import exhaustive_search, mitm, distinguish, guess_composition
from .lwe_dual import dual, dual_hybrid
from .gb import arora_gb

粗略估计（较快）：rough(self, params, jobs=1, catch_exceptions=True)

完全估计（很慢）：__call__(self,params,jobs=1,catch_exceptions=True)

简单使用

在工作目录 /lattice-estimator-main 下启动 wsl，并进入 sage 环境

1. 导入 estimator 模块，

>>> from estimator import *

2. 设置 LWE 的参数（玩具），

>>> params = LWE.Parameters(n=128, q=12289, Xs=ND.CenteredBinomial(2), Xe=ND.CenteredBinomial(1))
LWEParameters(n=128, q=12289, Xs=D(σ=1.00), Xe=D(σ=0.71), m=+Infinity, tag=None)

3. 启动评估器，

>>> LWE.estimate(params, jobs=16) #执行全部评估，启用多线程
>>> LWE.estimate.rough(params) #遵从某些假设和启发式，粗略估计

4. 查看评估结果，

arora-gb             :: rop: ≈2^38.5, dreg: 3, mem: ≈2^36.9, t: 1, m: ≈2^20.0, tag: arora-gb, ↻: 3, ζ: 1
bkw                  :: rop: ≈2^53.0, m: ≈2^43.3, mem: ≈2^44.3, b: 3, t1: 0, t2: 12, ℓ: 2, #cod: 111, #top: 0, #test: 17, tag: coded-bkw
usvp                 :: rop: ≈2^62.4, red: ≈2^62.4, δ: 1.007602, β: 145, d: 146, tag: usvp
bdd                  :: rop: ≈2^41.0, red: ≈2^41.0, svp: ≈2^21.1, β: 40, η: 2, d: 267, tag: bdd
bdd_hybrid           :: rop: ≈2^41.2, red: ≈2^41.2, svp: ≈2^32.1, β: 40, η: 2, ζ: 7, |S|: ≈2^11.0, d: 301, prob: 0.993, ↻: 1, tag: hybrid
bdd_mitm_hybrid      :: rop: ≈2^41.2, red: ≈2^41.2, svp: ≈2^16.5, β: 40, η: 2, ζ: 0, |S|: 1, d: 308, prob: 0.996, ↻: 1, tag: hybrid
dual                 :: rop: ≈2^42.2, mem: 19, m: 179, β: 40, d: 307, ↻: 1, tag: dual
dual_hybrid          :: rop: ≈2^42.1, mem: ≈2^31.8, m: 175, β: 40, d: 288, ↻: 1, ζ: 15, tag: dual_hybrid
{'arora-gb': rop: ≈2^38.5, dreg: 3, mem: ≈2^36.9, t: 1, m: ≈2^20.0, tag: arora-gb, ↻: 3, ζ: 1,
 'bkw': rop: ≈2^53.0, m: ≈2^43.3, mem: ≈2^44.3, b: 3, t1: 0, t2: 12, ℓ: 2, #cod: 111, #top: 0, #test: 17, tag: coded-bkw,
 'usvp': rop: ≈2^62.4, red: ≈2^62.4, δ: 1.007602, β: 145, d: 146, tag: usvp,
 'bdd': rop: ≈2^41.0, red: ≈2^41.0, svp: ≈2^21.1, β: 40, η: 2, d: 267, tag: bdd,
 'bdd_hybrid': rop: ≈2^41.2, red: ≈2^41.2, svp: ≈2^32.1, β: 40, η: 2, ζ: 7, |S|: ≈2^11.0, d: 301, prob: 0.993, ↻: 1, tag: hybrid,
 'bdd_mitm_hybrid': rop: ≈2^41.2, red: ≈2^41.2, svp: ≈2^16.5, β: 40, η: 2, ζ: 0, |S|: 1, d: 308, prob: 0.996, ↻: 1, tag: hybrid,
 'dual': rop: ≈2^42.2, mem: 19, m: 179, β: 40, d: 307, ↻: 1, tag: dual,
 'dual_hybrid': rop: ≈2^42.1, mem: ≈2^31.8, m: 175, β: 40, d: 288, ↻: 1, ζ: 15, tag: dual_hybrid,
 'dual_mitm_hybrid': rop: ≈2^47.5, mem: ≈2^45.1, m: 187, k: 25, ↻: 1, β: 58, d: 288, ζ: 27, tag: dual_mitm_hybrid}

5. 计算安全强度（以 uSVP 的 $\beta =145$ 为例），

>>> class = 145 * 0.292 #经典安全性(bits)
42.3400

>>> quantum = 145 * 0.265 #量子安全性(bits)
38.4250