Estimate All the {LWE, NTRU} Schemes!

“…Concretely, in the quantum setting, the lower bounds of enumeration and sieving cross in dimensions roughly 300-400 in the HKZ-basis model or beyond 500 in the Rankin-basis model, depending on how many enumerations are allowed. We note that in high dimension, our lower bound for enumeration with 10 10 HKZ bases is somewhat close to the numerical extrapolation of [17, (2)], called Core-Enum+O(1) in [2]. Upper/lower bounds on the classical/quantum cost of enumeration with cylinder pruning, using strongly-reduced basis models.…”

“…The security level is the base-2 logarithm of the cost, which is divided by two in the quantum computing model [6,24]. We also draw the curve of 2 0.292n and 2 0.265n which are simplified lower bounds of the cost for solving SVP-n used in [2] for classical and quantum computers, respectively.…”

“…Unfortunately, security estimates for lattice problems are known to be difficult: many different assessments exist in the research literature, which is reflected in the wide range of security estimates in NIST submissions (see [2]), depending on the model used. One reason is that the performance of lattice algorithms depends on many parameters: we do not know how to select these parameters optimally, and we do not know how far from optimal are current parameter selections.…”

“…4. For comparison, we also displayed several curves from [2]: 2 0.292n and 2 0.265n as the simplified classical/quantum complexity of sieve algorithms, and the numerical extrapolation of enumeration cost of [17, (2)]. …”

Lower Bounds on Lattice Enumeration with Extreme Pruning

“…Concretely, in the quantum setting, the lower bounds of enumeration and sieving cross in dimensions roughly 300-400 in the HKZ-basis model or beyond 500 in the Rankin-basis model, depending on how many enumerations are allowed. We note that in high dimension, our lower bound for enumeration with 10 10 HKZ bases is somewhat close to the numerical extrapolation of [17, (2)], called Core-Enum+O(1) in [2]. Upper/lower bounds on the classical/quantum cost of enumeration with cylinder pruning, using strongly-reduced basis models.…”

“…The security level is the base-2 logarithm of the cost, which is divided by two in the quantum computing model [6,24]. We also draw the curve of 2 0.292n and 2 0.265n which are simplified lower bounds of the cost for solving SVP-n used in [2] for classical and quantum computers, respectively.…”

“…Unfortunately, security estimates for lattice problems are known to be difficult: many different assessments exist in the research literature, which is reflected in the wide range of security estimates in NIST submissions (see [2]), depending on the model used. One reason is that the performance of lattice algorithms depends on many parameters: we do not know how to select these parameters optimally, and we do not know how far from optimal are current parameter selections.…”

“…4. For comparison, we also displayed several curves from [2]: 2 0.292n and 2 0.265n as the simplified classical/quantum complexity of sieve algorithms, and the numerical extrapolation of enumeration cost of [17, (2)]. …”

Lower Bounds on Lattice Enumeration with Extreme Pruning

“…[36,22,33,18,20,26,10]), which makes security estimates tricky. Lattice-based NIST submissions use varying cost models, which gives rise to a wide range of security estimates [5]. The biggest source of divergence is the cost assessment of a subroutine to find nearly shortest lattice vectors in certain dimensions (typically the blocksize of reduction algorithms), which is chosen among two families: sieving [3,36,33,26,14] and enumeration.…”

Quantum Lattice Enumeration and Tweaking Discrete Pruning

Towards Practical Lattice-Based One-Time Linkable Ring Signatures