comment difference rough vs estimate

malb · Aug 22, 2024 · f6e4268 · f6e4268
1 parent e80ec6b
commit f6e4268
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 1 deletion.
diff --git a/README.rst b/README.rst
@@ -14,7 +14,20 @@ The main purpose of this estimator is to give designers an easy way to choose pa
 Quick Start
 -----------
 
-- Usage
+We currently provide evaluators for the security of the `LWE`, `NTRU`, and `SIS` problems. 
+Our estimator integrates simulators for the best known attacks against these problems, and provides
+bit-security estimates relying on heuristics to predict the cost of lattice reduction algorithms, the default being
+using `[MATZOV22] <https://zenodo.org/record/6412487>` for lattice reduction cost, and the GSA assumption 
+`[Schnorr03] <http://dx.doi.org/10.1007/3-540-36494-3_14>` for the reduction shape. 
+
+It is possible to evaluate attacks cost individually, or using the helper functions:
+- `*.estimator.rough`: fast routine that evaluates the security of the problem only against the usually most efficient
+   attacks. In this case, note that the concrete lattice reduction cost is evaluated using the non-default "Core-SVP" method
+   from `[USENIX:ADPS16] <https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_alkim.pdf>`.
+- `*.estimator`: extended routine that evaluates the security of the problem against all supported attacks. This uses the
+   default cost and shape model for lattice reduction.
+
+Usage examples:
 
   .. code-block:: python
     

diff --git a/estimator/lwe.py b/estimator/lwe.py
@@ -37,6 +37,9 @@ def rough(self, params, jobs=1, catch_exceptions=True):
         - Arora-GB only applies to bounded noise with at least `n^2` samples.
         - BKW is not competitive.
 
+        Lattice reduction cost is evaluated based on the non-default "Core-SVP" method from
+        [USENIX:ADPS16].
+
         :param params: LWE parameters.
         :param jobs: Use multiple threads in parallel.
         :param catch_exceptions: When an estimate fails, just print a warning.

diff --git a/estimator/ntru.py b/estimator/ntru.py
@@ -33,6 +33,9 @@ def rough(self, params, jobs=1, catch_exceptions=True):
         - The dual hybrid MITM attack only applies to sparse secrets.
         - The dense sublattice attack only applies to possibly overstretched parameters
 
+        Lattice reduction cost is evaluated based on the non-default "Core-SVP" method from
+        [USENIX:ADPS16].
+
         :param params: NTRU parameters.
         :param jobs: Use multiple threads in parallel.
         :param catch_exceptions: When an estimate fails, just print a warning.

diff --git a/estimator/sis.py b/estimator/sis.py
@@ -27,6 +27,9 @@ def rough(self, params, jobs=1, catch_exceptions=True):
         This function furthermore assumes the following heuristics:
         - None at the moment. May change as more algorithms are added.
 
+        Lattice reduction cost is evaluated based on the non-default "Core-SVP" method from
+        [USENIX:ADPS16].
+
         :param params: SIS parameters.
         :param jobs: Use multiple threads in parallel.
         :param catch_exceptions: When an estimate fails, just print a warning.