estimator.lwe_dual.MATZOV

class estimator.lwe_dual.MATZOV

See [AC:GuoJoh21] and [MATZOV22].

__call__(params: ~estimator.lwe_parameters.LWEParameters, red_cost_model=<estimator.reduction.MATZOV object>, log_level=1)

Optimizes cost of dual attack as presented in [MATZOV22].

See also [AC:GuoJoh21].

Parameters:

• params – LWE parameters

• red_cost_model – How to cost lattice reduction

The returned cost dictionary has the following entries:

• rop: Total number of word operations (≈ CPU cycles).

• red: Number of word operations in lattice reduction and

  short vector sampling.

• guess: Number of word operations in guessing and FFT.

• β: BKZ block size.

• ζ: Number of guessed coordinates.

• t: Number of coordinates in FFT part mod p.

• d: Lattice dimension.

Methods

Hf(Xs)
Nf(params, m, beta_bkz, beta_sieve, k_enum, ...)	Required number of samples to distinguish with advantage.
T_fftf(k, p)	The time complexity of the FFT in dimension k with modulus p.
T_tablef(D)	Time complexity of updating the table in each iteration.
__init__()
cost(beta, params[, m, p, k_enum, k_fft, ...])	Theorem 7.6

Attributes

C_add
C_mul
C_prog