estimator.lwe_dual.dual_hybrid

estimator.lwe_dual.dual_hybrid(params: estimator.lwe_parameters.LWEParameters, success_probability: float = 0.99, red_cost_model=<estimator.reduction.MATZOV object>, use_lll=True, mitm_optimization=False, opt_step=8, fft=False)

Dual hybrid attack from [INDOCRYPT:EspJouKha20].

Parameters

• params – LWE parameters.

• success_probability – The success probability to target.

• red_cost_model – How to cost lattice reduction.

• use_lll – Use LLL calls to produce more small vectors [EC:Albrecht17].

• mitm_optimization – One of “analytical” or “numerical”. If True a default from the conf module is picked, False disables MITM.

• opt_step – Control robustness of optimizer.

• fft – use the FFT distinguisher from [AC:GuoJoh21]. (ignored for sparse secrets)

The returned cost dictionary has the following entries:

• rop: Total number of word operations (≈ CPU cycles).

• mem: Total amount of memory used by solver (in elements mod q).

• red: Number of word operations in lattice reduction.

• δ: Root-Hermite factor targeted by lattice reduction.

• β: BKZ block size.

• ζ: Number of guessed coordinates.

• h1: Number of non-zero components among guessed coordinates (if secret distribution is sparse)

• prob: Probability of success in guessing.

• repetitions: How often we are required to repeat the attack.

• d: Lattice dimension.

• t: Number of secrets to guess mod 2 (only if fft is True)