tfeneuil
/
LeakLWE2
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Fork of the official github repository of the framework Leaky-LWE-Estimator, a Sage Toolkit to attack and estimate the hardness of LWE with Side Information. https://github.com/lducas/leaky-LWE-Estimator
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10 Commits
1 Branch
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
LeakLWE2/README.md

README.md 14KB
Raw Permalink Normal View History

First Commit
4 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307 
  1. # A Sage Toolkit to attack and estimate the hardness of LWE with Side Information

  2. 

  3. This repository contains the artifacts associated to the article

  4. 

  5. [DDGR20] **LWE with Side Information: Attacks and Concrete Security Estimation**

  6. by _Dana Dachman-Soled, Léo Ducas, Huijing Gong, Mélissa Rossi_

  7. https://eprint.iacr.org/2020/292.pdf

  8. 

  9. The code is written for Sage 9.0 (Python 3 Syntax).

  10. 

  11. ## Organization

  12. The library itself is to be found in the `framework` folder. 

  13. `Sec5.2_validation` and `Sec6_applications` contain the code to reproduce our experiments.

  14. 

  15. 

  16. ## How to use the full-fledged version

  17. The full-fledged implementation is called when the class of the instance is DBDD. Let us create a small LWE instance and estimate its security in bikz. The code should be run from the directories `Sec5.2_validation` or `Sec6_applications`.

  18. ```sage

  19. sage: load("../framework/instance_gen.sage")

  20. ....: n = 70

  21. ....: m = n

  22. ....: q = 3301

  23. ....: D_s = build_centered_binomial_law(40)

  24. ....: D_e = D_s

  25. ....: A, b, dbdd = initialize_from_LWE_instance(DBDD, n, q, m, D_e, D_s)

  26. ....: # In such parameter range, no need to integrate q-vectors

  27. ....: beta, delta = dbdd.estimate_attack()

  28. ``` 

  29. ```text

  30.       Build DBDD from LWE      

  31.  n= 70   m= 70   q=3301 

  32.        Attack Estimation      

  33.  dim=141     δ=1.012362      β=45.40

  34. ```

  35. 

  36. Our full-fledged implementation contains an attack procedure that runs BKZ with iterating gradually the block size. It then compares the recovered secret with the actual one.

  37. 

  38. ```sage

  39. sage: secret = dbdd.attack()

  40. ```

  41. ```text

  42.        Running the Attack      

  43. Running BKZ-42   Success ! 

  44. ```

  45. 

  46. Here, the block size stopped at 42 while an average blocksize of 45.40 has been estimated. Let us now create four vectors v for making perfect hints. To simulate side information, we compute the hints with the function dbdd.leak(v).

  47. 

  48. ```sage

  49. sage: # Simulating perfect hints

  50. ....: v0 = vec([randint(0, 1) for i in range(m + n)])

  51. ....: v1 = vec([randint(0, 1) for i in range(m + n)])

  52. ....: v2 = vec([randint(0, 1) for i in range(m + n)])

  53. ....: v3 = vec([randint(0, 1) for i in range(m + n)]) 

  54. ....: # Computing l = <vi, s>

  55. ....: dbdd.leak(v0), dbdd.leak(v1), dbdd.leak(v2), dbdd.leak(v3)

  56. ```

  57. ```text

  58. (27, -62, -45, -47)

  59. ```

  60. 

  61. Let us now integrate the perfect hints into our instance.

  62. 

  63. ```sage

  64. sage: # Integrate perfect hints

  65. ....: _ = dbdd.integrate_perfect_hint(v0, 27) 

  66. ....: _ = dbdd.integrate_perfect_hint(v1, -62) 

  67. ....: _ = dbdd.integrate_perfect_hint(v2, -45) 

  68. ....: _ = dbdd.integrate_perfect_hint(v3, -47)

  69. ```

  70. ```text

  71.  integrate perfect hint   u0 + u1 + u7 + u8 + u9 + ... = 27     Worthy hint !   dim=140, δ=1.01252643, β=41.93 

  72.  integrate perfect hint   u0 + u2 + u8 + u9 + u10 + ... = -62   Worthy hint !   dim=139, δ=1.01275412, β=38.42 

  73.  integrate perfect hint   u0 + u1 + u3 + u4 + u7 + ... = -45    Worthy hint !   dim=138, δ=1.01293851, β=34.78 

  74.  integrate perfect hint   u1 + u9 + u11 + u12 + u13 + ... = -47 Worthy hint !   dim=137, δ=1.01314954, β=30.91 

  75. ```

  76. 

  77. The cost of the lattice attack has decreased by around 14 bikz. Let us now create four vectors v for making modular hints. To simulate side information, we compute the hint with the function dbdd.leak(v) with different moduli. 

  78. 

  79. ```sage

  80. sage: # Simulating modular hints

  81. ....: v0 = vec([randint(0, 1) for i in range(m + n)])

  82. ....: v1 = vec([randint(0, 1) for i in range(m + n)])

  83. ....: v2 = vec([randint(0, 1) for i in range(m + n)])

  84. ....: v3 = vec([randint(0, 1) for i in range(m + n)]) 

  85. ....: # Computing l = <vi, s> mod k

  86. ....: dbdd.leak(v0)%2, dbdd.leak(v1)%3, dbdd.leak(v2)%4, dbdd.leak(v3)%5

  87. ```

  88. ```text

  89. (1, 1, 2, 3)

  90. ```

  91. 

  92. Let us now integrate the modular hints into our instance. We assume smoothness. In other words, the lattice is sparsified but the covariance matrix and average remain the same.

  93. 

  94. ```sage

  95. sage: # Integrate modular hints

  96. ....: _ = dbdd.integrate_modular_hint(v0, 1, 2, True) 

  97. ....: _ = dbdd.integrate_modular_hint(v1, 1, 3, True) 

  98. ....: _ = dbdd.integrate_modular_hint(v2, 2, 4, True) 

  99. ....: _ = dbdd.integrate_modular_hint(v3, 3, 5, True)

  100. ```

  101. ```text

  102. integrate modular hint   (smooth)   u2 + u3 + u4 + ... = 1 MOD 2        Worthy hint !   dim=137, δ=1.01318729, β=30.55 

  103. integrate modular hint   (smooth)   u0 + u2 + u10 + ... = 1 MOD 3       Worthy hint !   dim=137, δ=1.01319931, β=29.98 

  104. integrate modular hint   (smooth)   u0 + u4 + u9 + ... = 2 MOD 4        Worthy hint !   dim=137, δ=1.01327415, β=29.24 

  105. integrate modular hint   (smooth)   u2 + u3 + u6 + ... = 3 MOD 5        Worthy hint !   dim=137, δ=1.01331577, β=28.37 

  106. ```

  107. 

  108. As modular hints contain less information than perfect ones, especially for low modulus, the cost of the lattice attack decreased by only 3 bikz. Let us do the same for approximate hints. To simulate side information, we compute the hint with the function dbdd.leak(v) and manually change the value to represent the measurement noise. 

  109. 

  110. ```sage

  111. sage: # Simulating approximate hints

  112. ....: v0 = vec([randint(0, 1) for i in range(m + n)])

  113. ....: v1 = vec([randint(0, 1) for i in range(m + n)])

  114. ....: v2 = vec([randint(0, 1) for i in range(m + n)])

  115. ....: v3 = vec([randint(0, 1) for i in range(m + n)]) 

  116. ....: # Computing l = <vi, s> + noise

  117. ....: dbdd.leak(v0) + 2, dbdd.leak(v1) + 1, dbdd.leak(v2) - 1, dbdd.leak(v3)

  118. ```

  119. ```text

  120. (-19, -29, -16, 1)

  121. ```

  122. 

  123. Let us now integrate the approximate hints into our instance. We assume that we want to condition the new information with the prior one and not to erase the previous distribution.

  124. 

  125. ```sage

  126. sage: # Integrate approximate hints

  127. ....: var = 10

  128. ....: _ = dbdd.integrate_approx_hint(v0, -19, var, aposteriori=False) 

  129. ....: _ = dbdd.integrate_approx_hint(v1, -29, var, aposteriori=False) 

  130. ....: _ = dbdd.integrate_approx_hint(v2, -16, var, aposteriori=False) 

  131. ....: _ = dbdd.integrate_approx_hint(v3, 1, var, aposteriori=False)

  132. ```

  133. ```text

  134. integrate approx hint   (conditionning)

  135.       u0 + u4 + u5 + u6 + u8 + ... = -19 + χ(σ²=10.000)      Worthy hint !   dim=137, δ=1.01322376, β=29.74 

  136. integrate approx hint   (conditionning)

  137.      u0 + u5 + u6 + u7 + u8 + ... = -29 + χ(σ²=10.000)       Worthy hint !   dim=137, δ=1.01329667, β=28.56 

  138. integrate approx hint   (conditionning)

  139.      u0 + u4 + u5 + u7 + u12 + ... = -16 + χ(σ²=10.000)      Worthy hint !   dim=137, δ=1.01337366, β=27.24 

  140. integrate approx hint   (conditionning)

  141.      u1 + u2 + u3 + u4 + u5 + ... = 1 + χ(σ²=10.000)         Worthy hint !   dim=137, δ=1.01340026, β=25.77

  142. ```

  143. 

  144. Here, the cost of the lattice reduction attack has decreased by 3 bikz.

  145. While all the hints have been integrated, we finally estimate the security and run the attack again.

  146. 

  147. ```sage

  148. sage: beta, delta = dbdd.estimate_attack()

  149. ....: secret = dbdd.attack()

  150. ```

  151. ```text

  152.        Attack Estimation       

  153.  dim=137     δ=1.013400      β=25.77  

  154.   

  155.        Running the Attack      

  156. Running BKZ-27   Success ! 

  157. ```

  158. 

  159. This time, BKZ stopped at blocksize 27 while the estimation was around 26 bikz.

  160. 

  161. ## How to use the lightweight version

  162. 

  163. The lightweight implementation is called when the class of the DBDD instance is `DBDD_predict`. While the heavy basis of the lattice is not stored, only its volume and dimension are stored. Let us create an LWE instance. Before estimating the cost of the lattice reduction attack in bikz, one needs to integrate the q vectors (i.e. drop some LWE samples). Then, the security is computed in bikz thanks to the volume and dimension of the lattice. 

  164. 

  165. ```sage

  166. sage: load("../framework/instance_gen.sage")

  167. ....: n = 512

  168. ....: m = n

  169. ....: q = 2 ^ 15

  170. ....: D_e = {-2: 0.05, -1: 0.20, 0: 0.5, 1: 0.20, 2: 0.05}

  171. ....: D_s = D_e

  172. ....: A, b, dbdd = initialize_from_LWE_instance(DBDD_predict, n, q, m, D_e, D_s)

  173. ....: _ = dbdd.integrate_q_vectors(q, report_every=20)

  174. ....: beta, delta = dbdd.estimate_attack()

  175. ```

  176. ```text

  177.       Build DBDD from LWE      

  178.  n=512   m=512   q=32768 

  179.        Integrating q-vectors      

  180.  [...20]   integrate short vector hint

  181.     Worthy hint !   dim=1024, δ=1.00518248, β=270.72

  182.  

  183.        Attack Estimation      

  184.  dim=1016    δ=1.005183      β=270.69 

  185.  ```

  186. 

  187.  We now create a new LWE instance (necessary because the q vectors should always been included at the end). And, we create 4 vectors and simulate side information. Here we only integrate perfect hints.

  188. 

  189. ```sage

  190.  sage: load("../framework/instance_gen.sage")

  191. ....: A, b, dbdd = initialize_from_LWE_instance(DBDD_predict, n, q, m, D_e, D_s)

  192. ....: # Simulating hints

  193. ....: v0 = vec([1 if i < m / 2 else 0 for i in range(m + n)])

  194. ....: v1 = vec([0 if i < m / 2 else 1 for i in range(m + n)])

  195. ....: v2 = vec([1 if i < m else 0 for i in range(m + n)])

  196. ....: v3 = vec([1 if i < m / 4 else 0 for i in range(m + n)])

  197. ....: # Computing l = <vi, s>

  198. ....: dbdd.leak(v0), dbdd.leak(v1), dbdd.leak(v2), dbdd.leak(v3)

  199.  ```

  200.  ```text

  201.      Build DBDD from LWE      

  202.  n=512   m=512   q=32768 

  203. (33, 9, 56, 12)

  204.  ```

  205. 

  206.  The hints must be now integrated and we assess the lattice reduction cost. Due to the shape of our vectors, new short vector hints must be integrated. 

  207. 

  208. ```sage

  209.  sage: # Integrate hints

  210. ....: _ = dbdd.integrate_perfect_hint(v0, 33) 

  211. ....: _ = dbdd.integrate_perfect_hint(v1, 9)

  212. ....: _ = dbdd.integrate_perfect_hint(v2, 56)

  213. ....: _ = dbdd.integrate_perfect_hint(v3, 12)

  214. ....: M = q * identity_matrix(n + m)

  215. ....: V = vec(M[0] - M[1])

  216. ....: i = 0

  217. ....: while dbdd.integrate_short_vector_hint(V):

  218. ....:     i += 1

  219. ....:     V = vec(M[i] - M[i + 1])

  220. ....: beta, delta = dbdd.estimate_attack()

  221.  ```

  222.  ```text

  223.  integrate perfect hint   u0 + u1 + u2 + u3 + u4 + ... = 33      Worthy hint !   dim=1024, δ=1.00519338, β=269.83 

  224.  integrate perfect hint   u256 + u257 + u258 + u259 ... = 9      Worthy hint !   dim=1023, δ=1.00520492, β=268.91 

  225.  integrate perfect hint   u0 + u1 + u2 + u3 + u4 + ... = 56      Worthy hint !   dim=1022, δ=1.00521752, β=268.03 

  226.  integrate perfect hint   u0 + u1 + u2 + u3 + u4 + ... = 12      Worthy hint !   dim=1021, δ=1.00522793, β=267.19 

  227.  integrate short vector hint   32768*c0 - 32768*c1 ∈ Λ    Not sure if in Λ,       Unworthy hint, Rejected. 

  228.        Attack Estimation      

  229.  dim=1021    δ=1.005228      β=267.19

  230.   ```

  231. 

  232. 

  233. Here, with 4 perfect hints, the cost of the lattice reduction attack has decreased by around 3 bikz. The blocksize may be actually below 267.19 as there may be residual short vector hints.

  234. 

  235. ## How to use the super lightweight version

  236. 

  237. The super lightweight implementation is called when the class of the instance is `DBDD_predict_diag`. Here, we assume that the covariance matrix is always diagonal. Let us create an LWE instance. We integrate the q vectors (i.e. drop some LWE samples) and compute the security in bikz. 

  238. 

  239. ```sage

  240. sage: load("../framework/instance_gen.sage")

  241. ....: n = 512

  242. ....: m = n

  243. ....: q = 2 ^ 15

  244. ....: D_e = {-2: 0.05, -1: 0.20, 0: 0.5, 1: 0.20, 2: 0.05}

  245. ....: D_s = D_e

  246. ....: A, b, dbdd = initialize_from_LWE_instance(DBDD_predict_diag, n, q, m, D_e, D_s)

  247. ....: _ = dbdd.integrate_q_vectors(q, report_every=20)

  248. ....: beta, delta = dbdd.estimate_attack()

  249. ```

  250. ```text

  251.        Build DBDD from LWE      

  252.  n=512   m=512   q=32768 

  253.        Integrating q-vectors      

  254.  [...20]   integrate short vector hint        Worthy hint !   dim=1024, δ=1.00518248, β=270.72 

  255.        Attack Estimation      

  256.  dim=1016    δ=1.005183      β=270.69

  257. ```

  258. 

  259. We create 20 canonical (necessary to keep the covariance matrix diagonal) vectors for integrating perfect hints.

  260. 

  261. ```sage

  262. sage: A, b, dbdd = initialize_from_LWE_instance(DBDD_predict_diag, n, q, m, D_e, D_s)

  263. ....: # Simulating hints

  264. ....: v = [[] for _ in range(20)]

  265. ....: for i in range(20):

  266. ....:     v[i] = canonical_vec(m + n, i)

  267. ```

  268. ```text

  269.      Build DBDD from LWE      

  270.  n=512   m=512   q=32768

  271. ```

  272. The perfect hints are integrated into a new instance and the security is estimated.

  273. ```sage

  274. sage: # Integrate hints

  275. ....: for i in range(20):

  276. ....:     _ = dbdd.integrate_perfect_hint(v[i], dbdd.leak(v[i]))

  277. ....: _ = dbdd.integrate_q_vectors(q, report_every=20)

  278. ....: beta, delta = dbdd.estimate_attack()

  279. ```

  280. ```text

  281. integrate perfect hint   u0 = -2         Worthy hint !   dim=1024, δ=1.00519245, β=270.02 

  282. integrate perfect hint   u1 = -1         Worthy hint !   dim=1023, δ=1.00520080, β=269.31 

  283. integrate perfect hint   u2 = 1          Worthy hint !   dim=1022, δ=1.00520918, β=268.61 

  284. integrate perfect hint   u3 = 0          Worthy hint !   dim=1021, δ=1.00521757, β=267.91 

  285. integrate perfect hint   u4 = 1          Worthy hint !   dim=1020, δ=1.00522774, β=267.21 

  286. integrate perfect hint   u5 = 1          Worthy hint !   dim=1019, δ=1.00523618, β=266.51 

  287. integrate perfect hint   u6 = 0          Worthy hint !   dim=1018, δ=1.00524465, β=265.81 

  288. integrate perfect hint   u7 = -2         Worthy hint !   dim=1017, δ=1.00525490, β=265.11 

  289. integrate perfect hint   u8 = 0          Worthy hint !   dim=1016, δ=1.00526341, β=264.41 

  290. integrate perfect hint   u9 = 0          Worthy hint !   dim=1015, δ=1.00527195, β=263.71 

  291. integrate perfect hint   u10 = 2         Worthy hint !   dim=1014, δ=1.00528229, β=263.01 

  292. integrate perfect hint   u11 = 0         Worthy hint !   dim=1013, δ=1.00529087, β=262.32 

  293. integrate perfect hint   u12 = 0         Worthy hint !   dim=1012, δ=1.00529947, β=261.62 

  294. integrate perfect hint   u13 = 2         Worthy hint !   dim=1011, δ=1.00530810, β=260.93 

  295. integrate perfect hint   u14 = 0         Worthy hint !   dim=1010, δ=1.00531856, β=260.23 

  296. integrate perfect hint   u15 = 2         Worthy hint !   dim=1009, δ=1.00532723, β=259.54 

  297. integrate perfect hint   u16 = 1         Worthy hint !   dim=1008, δ=1.00533593, β=258.85 

  298. integrate perfect hint   u17 = 0         Worthy hint !   dim=1007, δ=1.00534647, β=258.16 

  299. integrate perfect hint   u18 = -1        Worthy hint !   dim=1006, δ=1.00535522, β=257.46 

  300. integrate perfect hint   u19 = 1         Worthy hint !   dim=1005, δ=1.00536399, β=256.77 

  301.        Integrating q-vectors      

  302.  [...20]   integrate short vector hint   32768*c1023 ∈ Λ      Worthy hint !   dim=1004, δ=1.00536426, β=256.76 

  303.  [...20]   integrate short vector hint   32768*c1003 ∈ Λ      Worthy hint !   dim=984, δ=1.00536755, β=256.54 

  304.        Attack Estimation       

  305.  dim=979     δ=1.005368      β=256.53  

  306.  ```

  307.   The integration of 20 perfect hints implies here a loss of 13 bikz.