LWE Primal Attacks#

We construct an (easy) example LWE instance:

from estimator import *
params = LWE.Parameters(n=200, q=7981, Xs=ND.SparseTernary(384, 16), Xe=ND.CenteredBinomial(4))

The simplest (and quickest to estimate) model is solving via uSVP and assuming the Geometric Series Assumption (GSA) [Schnorr03]. The success condition was formulated in [USENIX:ADPS16] and studied/verified in [AC:AGVW17], [C:DDGR20], [PKC:PosVir21]. The treatment of small secrets is from [ACISP:BaiGal14]:

LWE.primal_usvp(params, red_shape_model="gsa")

We get a similar result if we use the GSA simulator. We do not get the identical result because we optimize β and d separately:

LWE.primal_usvp(params, red_shape_model=Simulator.GSA)

To get a more precise answer we may use the CN11 simulator by Chen and Nguyen [AC:CheNgu11] (as implemented in FPyLLL <https://github.com/fplll/fpylll/blob/master/src/fpylll/tools/bkz_simulator.py>_):

LWE.primal_usvp(params, red_shape_model=Simulator.CN11)

We can then improve on this result by first preprocessing the basis with block size β followed by a single SVP call in dimension η [RSA:LiuNgu13]. We call this the BDD approach since this is essentially the same strategy as preprocessing a basis and then running a CVP solver:

LWE.primal_bdd(params, red_shape_model=Simulator.CN11)

We can improve these results further by exploiting the sparse secret in the hybrid attack [C:HowgraveGraham07] guessing ζ positions of the secret:

LWE.primal_hybrid(params, red_shape_model=Simulator.CN11)