estimator.lwe_dual.dual_hybrid#

estimator.lwe_dual.dual_hybrid(params: ~estimator.lwe_parameters.LWEParameters, success_probability: float = 0.99, red_cost_model=<estimator.reduction.MATZOV object>, mitm_optimization=False, opt_step=8, fft=False)[source]#

Dual hybrid attack from [INDOCRYPT:EspJouKha20].

Parameters:

  • params – LWE parameters.

  • success_probability – The success probability to target.

  • red_cost_model – How to cost lattice reduction.

  • mitm_optimization – One of “analytical” or “numerical”. If True a default from the conf module is picked, False disables MITM.

  • opt_step – Control robustness of optimizer.

  • fft – use the FFT distinguisher from [AC:GuoJoh21]. (ignored for sparse secrets)

The returned cost dictionary has the following entries:

  • rop: Total number of word operations (≈ CPU cycles).

  • mem: Total amount of memory used by solver (in elements mod q).

  • red: Number of word operations in lattice reduction.

  • δ: Root-Hermite factor targeted by lattice reduction.

  • β: BKZ block size.

  • ζ: Number of guessed coordinates.

  • h1: Number of non-zero components among guessed coordinates (if secret distribution is sparse)

  • prob: Probability of success in guessing.

  • repetitions: How often we are required to repeat the attack.

  • d: Lattice dimension.

  • t: Number of secrets to guess mod 2 (only if fft is True)