{
"cells": [
{
"cell_type": "markdown",
"id": "e9f819e3",
"metadata": {},
"source": [
"Notebook created: 2025-03-07 11:06:19 \n",
"Generated from: docs/algorithms/lwe-primal.rst "
]
},
{
"cell_type": "markdown",
"id": "42991b3d",
"metadata": {},
"source": [
"\n",
"<a id='lwe-primal-attacks'></a>"
]
},
{
"cell_type": "markdown",
"id": "5d495698",
"metadata": {},
"source": [
"# LWE Primal Attacks\n",
"\n",
"We construct an (easy) example LWE instance:"
]
},
{
"cell_type": "code",
"execution_count": null,
"id": "c6afe819",
"metadata": {
"hide-output": false
},
"outputs": [],
"source": [
"from estimator import *\n",
"params = LWE.Parameters(n=200, q=7981, Xs=ND.SparseTernary(16), Xe=ND.CenteredBinomial(4))\n",
"params"
]
},
{
"cell_type": "markdown",
"id": "66fbdee3",
"metadata": {},
"source": [
"The simplest (and quickest to estimate) model is solving via uSVP and assuming the Geometric Series\n",
"Assumption (GSA) [[Schnorr03]](../references.ipynb#schnorr03). The success condition was formulated in [[USENIX:ADPS16]](../references.ipynb#usenix-adps16) and\n",
"studied/verified in [[AC:AGVW17]](../references.ipynb#ac-agvw17), [[C:DDGR20]](../references.ipynb#c-ddgr20), [[PKC:PosVir21]](../references.ipynb#pkc-posvir21). The treatment of small secrets is\n",
"from [[ACISP:BaiGal14]](../references.ipynb#acisp-baigal14):"
]
},
{
"cell_type": "code",
"execution_count": null,
"id": "7fc1e8da",
"metadata": {
"hide-output": false
},
"outputs": [],
"source": [
"LWE.primal_usvp(params, red_shape_model=\"gsa\")"
]
},
{
"cell_type": "markdown",
"id": "38b0a7eb",
"metadata": {},
"source": [
"We get a similar result if we use the `GSA` simulator. We do not get the identical result because\n",
"we optimize β and d separately:"
]
},
{
"cell_type": "code",
"execution_count": null,
"id": "5f2ffe40",
"metadata": {
"hide-output": false
},
"outputs": [],
"source": [
"LWE.primal_usvp(params, red_shape_model=Simulator.GSA)"
]
},
{
"cell_type": "markdown",
"id": "9665f2e0",
"metadata": {},
"source": [
"To get a more precise answer we may use the CN11 simulator by Chen and Nguyen [[AC:CheNgu11]](../references.ipynb#ac-chengu11) (as [implemented in FPyLLL](https://github.com/fplll/fpylll/blob/master/src/fpylll/tools/bkz_simulator.py)):"
]
},
{
"cell_type": "code",
"execution_count": null,
"id": "c405dc7b",
"metadata": {
"hide-output": false
},
"outputs": [],
"source": [
"LWE.primal_usvp(params, red_shape_model=Simulator.CN11)"
]
},
{
"cell_type": "markdown",
"id": "396c8db6",
"metadata": {},
"source": [
"We can then improve on this result by first preprocessing the basis with block size β followed by a\n",
"single SVP call in dimension η [[RSA:LiuNgu13]](../references.ipynb#rsa-liungu13). We call this the BDD approach since this is\n",
"essentially the same strategy as preprocessing a basis and then running a CVP solver:"
]
},
{
"cell_type": "code",
"execution_count": null,
"id": "a2f6e6c4",
"metadata": {
"hide-output": false
},
"outputs": [],
"source": [
"LWE.primal_bdd(params, red_shape_model=Simulator.CN11)"
]
},
{
"cell_type": "markdown",
"id": "fd27fb40",
"metadata": {},
"source": [
"We can improve these results further by exploiting the sparse secret in the hybrid attack\n",
"[[C:HowgraveGraham07]](../references.ipynb#c-howgravegraham07) guessing ζ positions of the secret:"
]
},
{
"cell_type": "code",
"execution_count": null,
"id": "d4016b7b",
"metadata": {
"hide-output": false
},
"outputs": [],
"source": [
"LWE.primal_hybrid(params, red_shape_model=Simulator.CN11)"
]
}
],
"metadata": {
"date": 1741345579.026817,
"filename": "lwe-primal.rst",
"kernelspec": {
"display_name": "SageMath",
"language": "sage",
"name": "sagemath"
},
"title": "LWE Primal Attacks"
},
"nbformat": 4,
"nbformat_minor": 5
}