search

malb / lattice-estimator

An attempt at a new LWE estimator
215 stars 49 forks source link

BDD / Hybrid-BDD speed improvement for FHE-sized parameters #97

Closed bencrts closed 8 months ago

bencrts commented 8 months ago

For BDD Before:

sage: %time LWE.primal_bdd(schemes.SEAL22_32768.updated(n = 65536, q = 2**(2*log(schemes.SEAL22_32768.q))))
CPU times: user 50min 50s, sys: 35.5 s, total: 51min 25s
Wall time: 51min 33s
rop: ≈2^186.3, red: ≈2^186.3, svp: ≈2^176.1, β: 531, η: 555, d: 127471, tag: bdd

After:

sage: sage: %time LWE.primal_bdd(schemes.SEAL22_32768.updated(n = 65536, q = 2**(2*log(schemes.SEAL22_32768.q))))
CPU times: user 36.4 s, sys: 633 ms, total: 37 s
Wall time: 37.3 s
rop: ≈2^186.3, red: ≈2^186.3, svp: ≈2^176.1, β: 531, η: 555, d: 127471, tag: bdd

The idea is that checking for the required SVP dimension from from 0 to n isn't needed, and we can check from 0 to some other value much smaller than n (arbitrarily chosen for now).

For Hybrid-BDD Before:

sage: %time LWE.primal_hybrid(schemes.SEAL22_32768.updated(n = 65536, q = 2**(2*log(schemes.SEAL22_32768.q))))
CPU times: user 14min 36s, sys: 1min 42s, total: 16min 19s
Wall time: 17min 4s
rop: ≈2^251.0, red: ≈2^250.1, svp: ≈2^249.9, β: 531, η: 2, ζ: 192, |S|: ≈2^304.3, d: 130945, prob: ≈2^-61.5, ↻: ≈2^63.7, tag: hybrid

After:

sage: %time LWE.primal_hybrid(schemes.SEAL22_32768.updated(n = 65536, q = 2**(2*log(schemes.SEAL22_32768.q))))
zeta_max = 236
CPU times: user 3min 57s, sys: 4.22 s, total: 4min 1s
Wall time: 4min 2s
rop: ≈2^251.0, red: ≈2^250.1, svp: ≈2^249.9, β: 531, η: 2, ζ: 192, |S|: ≈2^304.3, d: 130945, prob: ≈2^-61.5, ↻: ≈2^63.7, tag: hybrid

The idea here is that the number of secret co-efficients guessed, zeta, doesn't need to be checked between 0 and n and can instead be searched for in some range [0, zeta_max], where zeta_max is computed using a usvp estimate. A nice consequence of this change is that we can run hybrid attack estimates for very large values of n in a reasonable amount of time:

sage:  %time LWE.primal_hybrid(schemes.SEAL22_32768.updated(n = 132000, q = 2**(4*log(schemes.SEAL22_32768.q))))
CPU times: user 6min 53s, sys: 8.49 s, total: 7min 2s
Wall time: 7min 4s
rop: ≈2^441.0, red: ≈2^440.3, svp: ≈2^439.7, β: 535, η: 2, ζ: 239, |S|: ≈2^303.8, d: 263669, prob: ≈2^-249.6, ↻: ≈2^251.8, tag: hybrid