estimator.lwe.Estimate.rough
- Estimate.rough(params, jobs=1, catch_exceptions=True, quiet=False)
This function makes the following (non-default) somewhat routine assumptions to evaluate the cost of lattice reduction, and to provide comparable numbers with most of the literature:
- The GSA holds.
- The Core-SVP model holds.
Note that the numbers provided are therefore not directly comparable with those from the rest of our API when the default cost models are used.
This function furthermore assumes the following heuristics:
- The primal hybrid attack only applies to sparse secrets.
- The dual hybrid MITM attack only applies to sparse secrets.
- Arora-GB only applies to bounded noise with at least n^2 samples.
- BKW is not competitive.
- Parameters:
params – LWE parameters.
jobs – Use multiple threads in parallel.
catch_exceptions – When an estimate fails, just print a warning.
quiet – Suppress printing.
EXAMPLE
>>> from estimator import *
>>> _ = LWE.estimate.rough(schemes.Kyber512)
usvp :: rop: ≈2^118.6, red: ≈2^118.6, δ: 1.003941, β: 406, d: 998, tag: usvp
dual_hybrid :: rop: ≈2^115.5, red: ≈2^115.3, guess: ≈2^112.3, β: 395, p: 5, ζ: 0, t: 40, β': 395...
>>> _ = LWE.estimate.rough(schemes.Kyber512, quiet=True)
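To see what the GSA and Core-SVP assumptions amount to, the following stand-alone sketch recomputes the usvp line of the output above without the estimator. It is an added illustration, not the estimator's own code. The Kyber512 values (n=512, q=3329, centered binomial noise with η=3, m=512 samples), the root-Hermite factor formula, the 2016-estimate success condition and the classical Core-SVP exponent 0.292·β are assumptions of this example.

```python
from math import e, log, pi, sqrt


def delta(beta):
    """Root-Hermite factor usually assumed for BKZ-beta (used here for beta >= 50)."""
    return (beta / (2 * pi * e) * (pi * beta) ** (1 / beta)) ** (1 / (2 * (beta - 1)))


def usvp_succeeds(beta, d, n, q, sigma):
    """2016-estimate success condition for uSVP, with the basis shape given by the GSA.

    The embedding lattice has dimension d and volume sigma * q^(d-n-1). Under the
    GSA the Gram-Schmidt norm at index d-beta is delta^(2*beta-d-1) * Vol^(1/d).
    BKZ-beta is predicted to find the target when its projection onto the last
    block, of norm about sigma*sqrt(beta), is no longer than that.
    """
    lhs = log(sigma) + 0.5 * log(beta)
    rhs = log(delta(beta)) * (2 * beta - d - 1) + (log(sigma) + (d - n - 1) * log(q)) / d
    return lhs <= rhs


def rough_usvp(n, q, sigma, m):
    """Smallest beta, and the smallest d for it, that meets the success condition.

    Core-SVP charges a single SVP call in dimension beta, so the cost depends on
    beta only: log2(rop) = 0.292 * beta (classical sieving exponent).
    """
    max_d = n + m + 1  # n secret coordinates, m samples, one embedding coordinate
    for beta in range(50, max_d + 1):
        for d in range(max(beta, n + 1), max_d + 1):
            if usvp_succeeds(beta, d, n, q, sigma):
                return {"beta": beta, "d": d, "delta": delta(beta), "log2_rop": 0.292 * beta}
    return None


# Assumed Kyber512 parameters (not taken from this page): a centered binomial
# distribution with eta = 3 has standard deviation sqrt(eta / 2).
KYBER512 = {"n": 512, "q": 3329, "sigma": sqrt(3 / 2), "m": 512}

if __name__ == "__main__":
    r = rough_usvp(**KYBER512)
    print(f"usvp :: rop: ≈2^{r['log2_rop']:.1f}, δ: {r['delta']:.6f}, β: {r['beta']}, d: {r['d']}")
```

Because the cost is a function of β alone, the search stops at the first β for which any admissible d satisfies the condition, which is why the reported d is the smallest working dimension rather than an optimized one.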