Option for simplified output?

[bencrts]

This was mentioned by Nigel at the first FHE.org conference: it might be nice to have a way to switch on a simplified output which just gives you a security level. Perhaps we could add something like:

def get_security_level(est, dp=2):
    """
    Get the security level lambda from a Lattice Estimator output
    :param est: the Lattice Estimator output
    :param dp: the number of decimal places to consider
    """
    attack_costs = []

    for key in est.keys():
        attack_costs.append(est[key]["rop"])

    security_level = round(log(min(attack_costs),2), dp)

    return security_level

This would be used like:

sage: from estimator import *
sage: est = LWE.estimate(schemes.TFHE630)
bkw                  :: rop: ≈2^153.1, m: ≈2^139.4, mem: ≈2^132.6, b: 4, t1: 0, t2: 24, ℓ: 3, #cod: 552, #top: 0, #test: 78, tag: coded-bkw
usvp                 :: rop: ≈2^124.5, red: ≈2^124.5, δ: 1.004497, β: 335, d: 1123, tag: usvp
bdd                  :: rop: ≈2^131.0, red: ≈2^115.1, svp: ≈2^131.0, β: 301, η: 393, d: 1095, tag: bdd
bdd_hybrid           :: rop: ≈2^185.3, red: ≈2^115.9, svp: ≈2^185.3, β: 301, η: 588, ζ: 0, |S|: 1, d: 1704, prob: 1, ↻: 1, tag: hybrid
bdd_mitm_hybrid      :: rop: ≈2^265.5, red: ≈2^264.5, svp: ≈2^264.5, β: 301, η: 2, ζ: 215, |S|: ≈2^189.2, d: 1489, prob: ≈2^-146.6, ↻: ≈2^148.8, tag: hybrid
dual                 :: rop: ≈2^128.7, mem: ≈2^72.0, m: 551, β: 346, d: 1181, ↻: 1, tag: dual
dual_hybrid          :: rop: ≈2^119.8, mem: ≈2^115.5, m: 516, β: 314, d: 1096, ↻: 1, ζ: 50, tag: dual_hybrid

sage: get_security_level(est)
119.76

to let users turn their cost strings into a security level value.

[malb]

Something seems off about your example? But wouldn't this also be solved by documenting "pick the lowest of these"? I'm mostly concerned that if we make it "too easy" then people might use it without understanding what they're doing? But maybe that fear is overblown?

[bencrts]

Good spot, copy/paste error -- fixed it. Another option could be to have an est.simple() method which removes all the attack parameters and returns only rop values for each attack, e.g:

bkw                  :: rop: ≈2^153.1
usvp                 :: rop: ≈2^124.5
bdd                  :: rop: ≈2^131.0
bdd_hybrid           :: rop: ≈2^185.3
bdd_mitm_hybrid      :: rop: ≈2^265.5
dual                 :: rop: ≈2^128.7
dual_hybrid          :: rop: ≈2^119.8

which might also address your concern. I don't feel particularly strongly about this, I just mentioned at the FHE.org event that I would open an issue and completely forgot to do it until now.

[malb]

Do we think this would make much of a difference since we already list rop first? I honestly don't know! Maybe other people would like to chime in on this discussion? So perhaps we leave this ticket open and when the issue comes up again, you direct people to voice their preferences here?

[bencrts]

Works for me!

[macknight]

Hi,

A simplified output is good. Focusing is important, giving the new users the first glimpse of the hardness. At first, when looking at the output, I was totally confused, trying to figuring out the meanings of each output param. it's like INFO, DEBUG mode output switch. So INFO should be the default option.

BR

[macknight]

Good spot, copy/paste error -- fixed it. Another option could be to have an est.simple() method which removes all the attack parameters and returns only rop values for each attack, e.g:

bkw                  :: rop: ≈2^153.1
usvp                 :: rop: ≈2^124.5
bdd                  :: rop: ≈2^131.0
bdd_hybrid           :: rop: ≈2^185.3
bdd_mitm_hybrid      :: rop: ≈2^265.5
dual                 :: rop: ≈2^128.7
dual_hybrid          :: rop: ≈2^119.8

which might also address your concern. I don't feel particularly strongly about this, I just mentioned at the FHE.org event that I would open an issue and completely forgot to do it until now.

And a first title line would look even better.

ALGORITHM NAME :: rop: (-bits security) bkw :: rop: ≈2^153.1 usvp :: rop: ≈2^124.5 bdd :: rop: ≈2^131.0 bdd_hybrid :: rop: ≈2^185.3 bdd_mitm_hybrid :: rop: ≈2^265.5 dual :: rop: ≈2^128.7 dual_hybrid :: rop: ≈2^119.8