
1 Introduction

As an important branch in post-quantum cryptography, lattice-based cryptography has shown its potential in several cryptographic primitives, such as key establishment [1], digital signature [2, 3], hash function [4] and other more advanced cryptography constructions like identity-based encryption [5], attribute-based encryption [6], functional encryption [7], and homomorphic encryption [8].

One of the advantages of lattice-based cryptography is that the security of lattice-based schemes is guaranteed by the hardness of lattice problems that admit worst-case to average-case reductions, such as the Learning with Errors problem (LWE). It has been proved that solving LWE is at least as hard as some worst-case lattice problems, such as the Shortest Independent Vectors Problem (SIVP) or the Bounded Distance Decoding (BDD) problem. In the post-quantum standardization process run by the National Institute of Standards and Technology (NIST), several lattice-based schemes (e.g. [1,2,3]) have been selected as standards to resist the threat of quantum computers. One of the most important problems in standardization is parameter selection. To select more compact but still safe parameters for lattice-based schemes, it is necessary to give a concrete hardness estimation for lattice problems. In this paper, we focus on LWE, which is the most widely used lattice-based problem.

There are various methods for solving LWE, such as the BDD attack [9], the Arora-Ge attack [10], the BKW attack [11], the primal attack [12, 13], the dual attack [14] and hybrid attacks [15], most of them based on lattice reduction algorithms. Among them, the primal attack [12, 13] is the most practical for breaking actual LWE-based schemes, and the concrete hardness of LWE is often estimated by calculating the cost of the primal attack. The primal attack translates LWE into a unique Shortest Vector Problem (uSVP) by constructing a special lattice basis with Kannan's embedding technique [16].

In particular, a long series of works, e.g. [12, 13, 17,18,19], have proposed evaluations of the hardness of LWE under the primal attack. In 2015, the work of Albrecht et al. [17] gave concrete estimations for various families of LWE instances. Later, a simple yet conservative estimation method, named the Core-SVP model, was given by [12]. It proposed a success condition for solving LWE by BKZ with fixed blocksize \(\beta \) and estimated the cost as a single call to the SVP oracle, i.e. one lattice sieve in dimension \(\beta \). Since the Core-SVP model ignores both the number of calls to the SVP oracle in one BKZ tour and the number of BKZ tours, its evaluation result is often considered conservative enough. In 2017, Albrecht et al. [13] verified the attack success condition proposed in [12] by experiments.

However, the experimental results shown in [13, 20] both illustrate that BKZ with a blocksize smaller than the one predicted by [12] still solves the LWE instance with non-negligible probability. This phenomenon is mainly caused by the randomness of the target vector, whose length follows a (scaled) chi-squared distribution rather than taking a fixed expected value. To account for this, Dachman-Soled et al. [19] proposed the first estimator that describes the relationship between the probability of successfully solving LWE and the BKZ blocksize \(\beta \), called the “leaky-LWE-Estimator”. According to the experimental results of [21], the estimator proposed in [19] and its simplified version [21] predict well the behavior of BKZ when solving LWE with smaller blocksize \(\beta \). In fact, the leaky-LWE-Estimator has been used to estimate the concrete security strength of the lattice-based post-quantum cryptography (PQC) standards [1, 2] selected by NIST [22] in 2022.

Specifically, the leaky-LWE-Estimator first uses the technique of [19] to compute the expected BKZ blocksize needed to solve LWE, and then computes the total number of logic gates needed to solve LWE by calling the gate-count algorithm proposed in [23]. Notably, the leaky-LWE-Estimator also accounts for the dimension-for-free (d4f) technique [24], which lowers the estimate. The Core-SVP model, on the other hand, does not account for d4f, which threatens its conservativeness.

However, the main problem with the leaky-LWE-Estimator and the Core-SVP model is that they only use the BKZ algorithm as the underlying LWE solver, instead of combining BKZ reduction with a final search step (we call this the Two-step mode for solving LWE). In this work, we prove that the Two-step LWE-solving strategy is more efficient than the BKZ-only solver underlying earlier LWE estimators (such as the leaky-LWE-Estimator [19]); consequently, BKZ-only estimators may overestimate the security of a scheme.

A Two-step LWE-solving strategy is divided into a lattice reduction step (by LLL or BKZ) and a target vector searching step (by enumeration or sieving). Although the Two-step mode is often considered a folklore approach to solving LWE, only a few works have put it into practice. The first Two-step LWE-solving attack was proposed in [9], where LWE is reduced to a BDD problem and an enumeration is called to find the closest vector in the final searching step. In [25], the authors show that an additional post-processing step using enumeration increases the success rate of solving \(\gamma \)-SVP with \(\gamma =1.05\), but it is not known whether the post-processing step gives the same acceleration when applied to LWE. For solving LWE with sieving instead of enumeration, the G6K framework [26] presented a solving algorithm that is also a combination of BKZ and conditional sieving. However, it differs from the Two-step strategy of previous works, and its efficiency has not been analyzed theoretically.

In the context of LWE estimation, Albrecht et al. use the “primal_bdd” function of the lattice-estimator [27] to estimate the hardness of LWE under a primal attack consisting of one BKZ reduction followed by a sieve in the searching step. However, when estimating the dimension of the final sieve, “primal_bdd” only considers the expected norm of the target vector, rather than analyzing the relationship between the probability distribution of the target vector and the success rate of the Two-step mode. It is therefore necessary to give a more refined Two-step LWE estimator that takes the success probability of the final sieve into account and to provide extensive experimental evidence of its accuracy. Besides, the Two-step attack proposed in [28] can further improve on the Two-step attack of “primal_bdd” by applying the improved progressive BKZ reduction and allowing PnjBKZ with jump value > 1.

Furthermore, there is an open question raised in Sect. 5.3 (Q7) of Kyber's specification document: a security estimation error interval exists in the NIST lattice-based standards. This error interval is caused by using different reduction strategies to evaluate security. In particular, the reduction strategy considered by the leaky-LWE-Estimator [19] is a trivial progressive BKZ, while [12, 13, 17, 18] consider a BKZ algorithm with fixed blocksize to solve LWE. The paper [29] observed that a high-dimensional sieve in the final step costs less than a BKZ tour. The trivial reduction strategies above can be further improved by a more efficient reduction strategy, such as the optimized blocksize and jump selection strategy proposed in [28], which has already shown its efficiency in solving LWE instances. To ensure the security of the lattice-based NIST standard schemes and to narrow their security estimation error interval, it is necessary to evaluate the impact on their security of combining the Two-step solving strategy with the optimized blocksize and jump selection strategy.

Contributions. In this paper, we improve the estimation of LWE hardness from the following aspects:

  • We formally prove that the Two-step mode is more efficient than the BKZ-only mode for solving uSVP under the Geometric Series Assumption, and extend the result to solving LWE, taking the distribution of the LWE error term into account.

  • We construct an LWE hardness estimator whose underlying LWE solver is the Two-step LWE solving algorithm, and we calculate the success probability of solving LWE at each step. In the reduction phase, we adopt the heuristic assumption that each BKZ tour completely re-randomizes the lattice basis, which is also implicitly assumed by the leaky-LWE-Estimator [19], so that the success probabilities of different BKZ tours can be treated as independent. In the searching phase, by contrast, the success probability accumulates over the steps. By computing the success rate, we show that the expected cost of solving LWE in Two-step mode is much lower than in BKZ-only mode as in [19].

  • To verify the accuracy of our estimation, we carried out extensive experiments solving LWE with different sieving dimensions in the searching phase. The results are consistent with our estimation, i.e. the expected time cost of solving LWE predicted by our estimator is accurate. Moreover, we re-evaluate the security level of the NIST PQC schemes with our Two-step LWE hardness estimator. With the same trivial reduction strategy as the leaky-LWE-Estimator [19], the security level drops by 2.1–3.4 bits; with the optimized blocksize and jump selection strategy proposed in [28], it drops by 2.2–4.6 bits.

  • We also give a more accurate lower bound estimation, namely a conservative estimation for the Two-step solving mode of LWE. Compared with the commonly used Core-SVP model, our conservative estimation relies on weaker assumptions. At the same time, our conservative estimation gives higher values than the Core-SVP model (when d4f is not considered). For the NIST PQC standards, our conservative estimation is 4.17–8.11 bits higher than the Core-SVP estimation. Therefore, we give more accurate estimations of both the upper bound and the lower bound of the hardness of LWE.

All the code of our Two-step LWE Estimator with the different reduction strategies is already open-sourced.

Organization. In Sect. 2 we give the preliminaries: notation and basic facts about lattice problems. In Sect. 3 we prove that the Two-step solving mode is more efficient than the BKZ-only mode for solving uSVP. In Sect. 4 we construct a refined Two-step security estimator for LWE. The experimental results in Sect. 5 verify the accuracy of our Two-step security estimator and the efficiency of the Two-step solving mode. In Sect. 6 we give a conservative estimation for LWE based on the Two-step solving algorithm. Finally, in Sect. 7, based on our Two-step security estimator and our lower bound estimator, we give more accurate upper and lower bound estimations of the hardness of LWE in the NIST PQC schemes.

2 Preliminaries

2.1 Notations and Basic Definitions

In this paper, all vectors are denoted by bold lowercase letters and are to be read as column vectors. We write a matrix \(\textbf{B}\) as \(\textbf{B} = (\textbf{b}_0 ,\cdots , \textbf{b}_{d-1})\), where \(\textbf{b}_i\) is the \((i+1)\)-th column vector of \(\textbf{B}\). The Euclidean norm of a vector \(\textbf{v}\) is denoted by \(\Vert \textbf{v}\Vert \). The lattice \(\mathcal {L}\) generated by the basis \(\textbf{B}\) is denoted by \(\mathcal {L}(\textbf{B}) = \{\textbf{Bx} | \textbf{x} \in \mathbb {Z}^d \}\). Here the basis matrix \(\textbf{B} \in \mathbb {R}^{d\times d}\) is required to have full rank d. We denote by \( \textbf{B}^* = (\textbf{b}_0^* , \cdots , \textbf{b}^*_{d-1})\) the Gram-Schmidt orthogonalization of \(\textbf{B}\), in which \({\textbf{b}}_i^* = {\textbf{b}}_i - \sum _{j=0}^{i-1} \mu _{i,j} {\textbf{b}}_j^* \), \(\mu _{i,j} =\langle \textbf{b}_i,\textbf{b}_j^*\rangle / \Vert \textbf{b}_j^* \Vert ^2\). We denote the projection orthogonally to the span of \((\textbf{b}_0 ,\cdots , \textbf{b}_{i-1})\) by \(\pi _i\), for \(i \in \{0, \cdots , d-1 \}\), i.e. \(\forall \textbf{v}\), \(\pi _i(\textbf{v}) = \textbf{v} - \sum _{j=0}^{i-1}\omega _j \textbf{b}_j^*\), in which \(\omega _j =\langle \textbf{v},\textbf{b}_j^*\rangle / \Vert \textbf{b}_j^* \Vert ^2\) (so \(\pi _0\) is the identity). For integers \(0 \le i < j \le d\) and an arbitrary d-dimensional vector \(\textbf{v}=(v_0,\cdots , v_{d-1})\), define \(\textbf{v}_{[i:j]}\) as \((v_i,\cdots ,v_{j-1})\), of size \(j-i\). For a lattice basis \(\textbf{B}\), let \(\textbf{B}_{[i:j]}\leftarrow (\textbf{b}_i,\cdots ,\textbf{b}_{j-1})\). Moreover, we denote by \(\textbf{B}_{\pi [i:j]}\) the local projected block \((\pi _i (\textbf{b}_i), \cdots , \pi _i(\textbf{b}_{j-1}))\), and call \(\mathcal {L}_{\pi [i:j]}\) the lattice generated by \(\textbf{B}_{\pi [i:j]}\). We use \(\textbf{B}_{\pi [i]}\) and \(\mathcal {L}_{\pi [i]}\) as shorthands for \(\textbf{B}_{\pi [i:d]}\) and \(\mathcal {L}_{\pi [i:d]}\). 
An important invariant value of the lattice \(\mathcal {L}(\textbf{B})\) is its volume \(\mathrm{{Vol}}(\mathcal {L}(\textbf{B})) = \prod _{i=0}^{d-1} \Vert {\textbf{b}}_{i}^{*} \Vert \). The length of the shortest non-zero vector of a lattice \(\mathcal {L}(\textbf{B})\) can be denoted by \(\lambda _1(\mathcal {L}(\textbf{B}))\). We use the abbreviations \(\mathrm{{Vol}}(\textbf{B}) = \mathrm{{Vol}}(\mathcal {L} (\textbf{B}))\) and \(\lambda _1(\textbf{B}) = \lambda _1 (\mathcal {L}(\textbf{B}))\).

Notations for Algorithm Descriptions. Let BKZ-\(\beta \)/PnjBKZ-\((\beta ,J)\) be an abbreviation for one tour of BKZ/PnjBKZ with blocksize \(\beta \) and \(\textsf{jump}\) value J; J is omitted when \(J=1\). Let \(\textbf{B} = (\textbf{b}_0 ,\cdots , \textbf{b}_{d-1})\) with Gram-Schmidt basis \(\textbf{B}^* = (\textbf{b}^*_0 ,\cdots , \textbf{b}^*_{d-1})\). Let \({\textsf{rr}}(\mathbf{{B}}) = (\Vert \mathbf{{b}}_0^*\Vert ,\cdots , \Vert \mathbf{{b}}_{d-1}^*\Vert )\), abbreviated to \({\textsf{rr}}\), and \(\textsf{rr}_{[i:j]} = (\Vert \mathbf{{b}}_{i}^*\Vert ,\cdots , \Vert \mathbf{{b}}_{j-1}^*\Vert )\), consistent with \(\textbf{B}_{[i:j]}\). Let \(\textsf{rr}[i]\) be the \((i+1)\)-th element of \(\textsf{rr}\).

Denote by BKZSim the BKZ simulator proposed in [30]. The simulation of PnjBKZ is denoted by \(\textrm{PnjBKZSim}(\textsf{rr}(\mathbf{{B}}),\beta ,J,t)\); it simulates t tours of PnjBKZ-\((\beta ,J)\) on the lattice \(\mathcal {L}(\mathbf{{B}})\) and returns the new Gram-Schmidt lengths. The PnjBKZ simulator was proposed in [28]. Moreover, if we have a blocksize and jump strategy \(\textsf{S}\) that stores a sequence of pairs \((\beta _i, J_i)\), then \(\textrm{PnjBKZSim}(\textsf{rr},\textsf{S})\) means iteratively calling one tour of the PnjBKZ-\((\beta _i,J_i)\) simulator on \(\textsf{rr}\) for each \((\beta _i,J_i) \in \textsf{S}\). A BKZ-\(\beta \) reduced basis is the lattice basis obtained after calling sufficiently many tours of BKZ-\(\beta \). For simplicity, we use \(\beta \) to denote the quality of a BKZ-\(\beta \) reduced basis. Let \(\sharp \)tours(BKZ-\(\beta \))/\(\sharp \)tours(PnjBKZ-\((\beta ,J)\)) be the minimum number of tours of BKZ-\(\beta \)/PnjBKZ-\((\beta ,J)\) needed to reach a BKZ-\(\beta \)/PnjBKZ-\((\beta ,J)\) reduced basis, abbreviated as \(\sharp \)tours. Denote by t the number of tours of BKZ/PnjBKZ executed with a fixed blocksize (and jump) \(\beta \)/\((\beta ,J)\).

Let \(T_\textrm{BKZ}(\beta )\)/\(T_\textrm{pnjBKZ}(\beta ,J)\) be the time cost of one BKZ/PnjBKZ tour with blocksize \(\beta \) and jump value J. For a specific blocksize and jump strategy \(\textsf{S} =[(\beta _0,J_0),\cdots , (\beta _{n-1},J_{n-1})]\), we let \(T_\textrm{BKZs}(\textsf{S})\)/\(T_\textrm{pnjBKZs}(\textsf{S})\) be total time cost for a series of BKZ/PnjBKZ reduction with strategy \(\textsf{S}\), abbreviate it as \(T_\textrm{BKZs}\)/\(T_\textrm{pnjBKZs}\).

In the searching step we consider a high-dimensional sieve, and we denote by \(T_\textrm{sieve}(d_\textrm{svp})\) the time cost of a sieve in dimension \(d_\textrm{svp}\), abbreviated as \(T_\textrm{sieve}\). Let \(\textrm{PSC}\) be the expected sieve cost to find the target vector.

Definition 1

(The Gaussian Distribution [21]) Let \(\sigma ,u \in \mathbb {R}\) be the standard deviation and the mean value respectively; the continuous Gaussian distribution is denoted by \(N(u,\sigma ^2)\). Its probability density function is \(\rho _{N(u,\sigma ^2)}(x) = e^{-\frac{(x-u)^2}{2\sigma ^2}} \big / (\sigma \sqrt{2\pi })\).

Definition 2

(Chi-Squared Distribution [21]) Given n independent random variables \(X_i \sim N(0, 1)\), the random variable \(X_0^2+\cdots + X_{n-1}^2\) follows a chi-squared distribution \(\chi _n^2\) over \(\mathbb {R}_{\ge 0}\) with mean n and variance 2n, with probability density function \(\rho _{\chi _n^2}(x) = x^{\frac{n}{2}-1}e^{-\frac{x}{2}}/\left( 2^{\frac{n}{2}}\varGamma (n/2)\right) \). Given n independent random variables \(Y_i \sim N(0, \sigma ^2)\), the random variable \(Y_0^2+\cdots + Y_{n-1}^2\) follows the scaled chi-squared distribution \(\sigma ^2 \cdot \chi _n^2\) over \(\mathbb {R}_{\ge 0}\) with mean \(n\sigma ^2\) and variance \(2n\sigma ^4\).

Heuristic 1

(Gaussian Heuristic [24]) According to the Gaussian Heuristic, the first minimum \( \lambda _1 (\mathcal {L}(\textbf{B}))\) of a lattice \(\mathcal {L}\) is expected to be \(\textrm{GH}(\mathcal {L})\), given by \(\lambda _1 (\mathcal {L}(\textbf{B})) \approx \textrm{GH}(\mathcal {L}) = {\left( \varGamma (\frac{d}{2}+1)\cdot \mathrm{{Vol}}(\mathcal {L})\right) }^{\frac{1}{d}} \big / \sqrt{\pi } \approx \sqrt{d/(2\pi e)} \cdot \mathrm{{Vol}}(\mathcal {L})^{\frac{1}{d}}\). We also write \(\textrm{GH}(\textbf{B})=\textrm{GH}(\mathcal {L}(\textbf{B}))\) and \(\textrm{GH}(\textsf{rr}_{[i:j]})=\textrm{GH}({\mathbf{{B}}_{\pi {[i:j]}}})\).

Definition 3

(HKZ reduction and BKZ reduction [24]) The basis \(\textbf{B}\) of a lattice \(\mathcal {L}\) is HKZ reduced if \(\Vert \textbf{b}_i^*\Vert =\lambda _1(\mathcal {L}(\textbf{B}_{\pi [i: d]}))\) for all \(i<d\). \(\textbf{B}\) is BKZ-\(\beta \) reduced if \(\Vert \textbf{b}_i^*\Vert =\lambda _1(\mathcal {L}(\textbf{B}_{\pi [i:\min \{i+\beta , d \}]}))\) for all \(i<d\).

Definition 4

(Root Hermite Factor [31]) For a basis \(\textbf{B}\) of a d-dimensional lattice, the root Hermite factor is defined as \(\delta = \left( \Vert \textbf{b}_0 \Vert / \mathrm{{Vol}}(\textbf{B})^{1/d}\right) ^{1/d},\) and is used to measure the quality of the output of BKZ. For large blocksize, it follows the asymptotic formula \(\delta (\beta )^{2(\beta -1)} = \frac{\beta }{2\pi e} (\beta \pi )^{1/\beta }.\)

Heuristic 2

(Geometric Series Assumption (GSA) [26]) Let \(\textbf{B}\) be a lattice basis after lattice reduction. The Geometric Series Assumption states that \(\Vert \textbf{b}_i^* \Vert \approx \alpha \cdot \Vert \textbf{b}_{i-1}^*\Vert \) for some \(0 < \alpha < 1\). Combining the GSA with the root Hermite factor (Definition 4) and \(\mathrm{{Vol}}(\mathcal {L}(\mathbf{{B}})) = \prod _{i=0}^{d-1}\Vert \textbf{b}_i^* \Vert \), one obtains \(\alpha = \delta ^{-\frac{2d}{d-1}} \approx \delta ^{-2}\).

2.2 Lattice Hard Problems

Definition 5

(unique Shortest Vector Problem (uSVP\(_\gamma \)) [32]) Given an arbitrary basis \(\textbf{B}\) of a lattice \(\mathcal {L} = \mathcal {L}(\textbf{B})\) satisfying \(\gamma \lambda _1(\textbf{B}) < \lambda _2(\textbf{B})\) (\(\gamma > 1\); \(\lambda _2(\textbf{B})\) is the norm of the shortest lattice vector linearly independent of the shortest vector), find the shortest non-zero vector \(\textbf{v}\), i.e. \(\Vert \textbf{v} \Vert = \lambda _1(\textbf{B})\).

Definition 6

(LWE\(_{m,n,q,D_\sigma }\) Distribution [33,34,35]) Given a number of samples \(m\in \mathbb {Z}\), a secret length \(n\in \mathbb {Z}\), a modulus \(q\in \mathbb {Z}\) and a probability distribution \(D_\sigma \), sample a matrix \(\textbf{A} \in \mathbb {Z}_q^{m\times n}\) uniformly at random, sample a secret vector \(\textbf{s}\in \mathbb {Z}_q^n\) from a specified distribution, and sample a relatively short noise vector \(\textbf{e}\in \mathbb {Z}_q^m\) from the Gaussian distribution \(D_\sigma \) with standard deviation \(\sigma \). The LWE distribution \(\varPsi \) is the distribution of the pair \((\textbf{A},\textbf{b}= \textbf{A}\textbf{s}+\textbf{e})\in (\mathbb {Z}_q^{m\times n},\mathbb {Z}_q^m)\) sampled as above.

Definition 7

(Search LWE\(_{m,n,q,D_\sigma }\) problem [33,34,35]) Given a pair \((\textbf{A},\textbf{b})\) sampled from LWE distribution \(\varPsi \) compute the pair \((\textbf{s} , \textbf{e})\).

2.3 Primal Attack

Albrecht et al. [36] first presented the primal attack on the LWE problem, which reduces a Standard Form LWE instance to uSVP\(_{\gamma }\) by Kannan's embedding technique [16]. Let \(\left( \textbf{A},\textbf{b} \right) \) be an LWE instance. The embedding lattice basis has the form \(\textbf{B}_{\textbf{A}',\textbf{b}} = \begin{pmatrix} \textbf{A}' &{} \textbf{b}\\ \textbf{0}^T &{} 1 \end{pmatrix}, \textbf{A}' = \textbf{P}^{-1}\begin{pmatrix} q\textbf{I}_{m-n} &{} \bar{\textbf{A} } \\ \textbf{O}&{} \textbf{I}_{n}\\ \end{pmatrix}\), where \(\textbf{P}\in \mathbb {Z}^{m\times m}\) is a permutation matrix such that \(\textbf{P} \cdot \textbf{A} = \left( \bar{\textbf{A} }^{T} , \textbf{I}_{n}\right) ^{T} \). Then there is an unusually short lattice vector \(\textbf{v}\)=(\(\textbf{e}\),1) in the embedding lattice \(\mathcal {L}(\textbf{B}_{\textbf{A}',\textbf{b}})\), whose norm \(\Vert \textbf{v}\Vert \approx \sigma \sqrt{m} \) is much shorter than \(\lambda _2(\mathcal {L})\). Thus LWE is reduced to uSVP on the embedding lattice, which has dimension \(d = m+1\) and volume \(q^{m-n}\).

2.4 Core-SVP Model [12]

The Core-SVP model [12] only considers running the BKZ algorithm with a fixed blocksize \(\beta \) to perform the primal attack and evaluates its time cost. [12, 13] give the following success condition: if \(\beta \) is the minimal blocksize for which the inequality \(\Vert \textbf{v}\Vert \sqrt{\beta /d} \le \delta ^{2\beta -d}\mathrm{{Vol}}(\mathcal {L}(\textbf{B}))^{1/d}\) is satisfied, then BKZ-\(\beta \) (or a variant of it) will find the unique shortest vector \(\textbf{v}\) in time \(T(\beta )\), an exponential function of \(\beta \). The left-hand side is the expected norm of the projection of \(\textbf{v}\) onto the last \(\beta \) coordinates, and the right-hand side is the GSA estimate of \(\Vert \textbf{b}_{d-\beta }^*\Vert \); this success condition, derived from the GSA (Heuristic 2), is a brief justification for the estimation given in [12]. Here \(\delta \) is the root Hermite factor of the lattice basis, and [37] gives the following relation between the blocksize and the root Hermite factor: \(\delta (\beta )\approx \left( ((\pi \beta )^{1/\beta }\beta )/(2\pi e) \right) ^{1/(2(\beta -1))}\).

The Core-SVP model considers neither the number of calls to the \(\beta \)-dimensional SVP oracle during one tour of BKZ-\(\beta \), nor the number of BKZ tours needed to satisfy the success condition. Therefore, the Core-SVP model [12] is considered a conservative LWE security evaluation model. A tight upper bound on the number of BKZ tours needed to reach a BKZ-\(\beta \) reduced basis is still unknown [38], but [30] suggests that a polynomial number of BKZ-\(\beta \) tours seems sufficient to obtain a lattice basis with root Hermite factor near \(\delta (\beta )\). When the SVP oracle used by BKZ is BDGL sieving [39], the time cost of solving LWE under the Core-SVP model is \(T(\beta )\approx O(2^{0.292\beta })\).

2.5 PnjBKZ

PnjBKZ is a BKZ-type reduction algorithm that uses Pump as its SVP oracle. Unlike classical BKZ, PnjBKZ advances the SVP oracle by an adjustable \(\textsf{jump}\) of at least 1. Specifically, when running PnjBKZ with blocksize \(\beta \) and \(\textsf{jump}\)=J, after executing the SVP oracle on the projected block \({\textbf{B}}_{\pi \left[ i:i+\beta \right] }\), the next SVP oracle is executed on the block \(\textbf{B}_{\pi \left[ i+J:i+\beta +J \right] }\), i.e. the block index advances by J rather than by 1 as in classical BKZ, where the next block would be \(\textbf{B}_{\pi \left[ i+1:i+\beta +1 \right] }\).

2.6 Dimension for Free (d4f) Technique

The d4f technique [24] brings a sub-exponential speedup and a memory reduction to sieve algorithms. In this paper, we use the theoretical d4f estimate given in [24], \(\textrm{d4f}(\beta )= \beta \ln (4/3)/\ln (\beta /2\pi e) \), which means that solving a \(\beta \)-dimensional SVP only requires a sieve of dimension \(\beta -\textrm{d4f}(\beta )\).
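As an added example (not code from the paper, and with constructed parameters that do not correspond to any standardised scheme), the following Python computes the Core-SVP estimate of Sect. 2.4 for the embedding lattice of Sect. 2.3: it scans the blocksize until the success condition holds, minimises over the number of samples, and applies the d4f formula above to the sieve dimension. The decision to let the attacker choose \(m \in [n, 3n]\), the starting blocksize 40 and the cost model \(2^{0.292\beta }\) are assumptions of the example.

```python
import math

TWO_PI_E = 2.0 * math.pi * math.e


def root_hermite_factor(beta):
    """delta(beta) of Definition 4: delta^(2(beta-1)) = beta/(2 pi e) * (beta pi)^(1/beta)."""
    return (beta / TWO_PI_E * (beta * math.pi) ** (1.0 / beta)) ** (1.0 / (2.0 * (beta - 1)))


def embedding_lattice(n, q, sigma, m):
    """Kannan embedding of Sect. 2.3 with m samples: dimension d = m + 1,
    Vol = q^(m-n) (returned as log2) and target norm ||v|| ~ sigma * sqrt(m)."""
    return m + 1, (m - n) * math.log2(q), sigma * math.sqrt(m)


def core_svp_success(beta, d, log2_vol, target_norm):
    """Success condition of [12, 13] in log2 form:
    ||v|| sqrt(beta/d) <= delta(beta)^(2 beta - d) * Vol^(1/d)."""
    lhs = math.log2(target_norm) + 0.5 * math.log2(beta / d)
    rhs = (2 * beta - d) * math.log2(root_hermite_factor(beta)) + log2_vol / d
    return lhs <= rhs


def core_svp_blocksize(n, q, sigma, m, beta_min=40):
    """Smallest blocksize >= beta_min satisfying the success condition, or None."""
    d, log2_vol, target_norm = embedding_lattice(n, q, sigma, m)
    for beta in range(beta_min, d):
        if core_svp_success(beta, d, log2_vol, target_norm):
            return beta
    return None


def d4f(beta):
    """Dimensions for free of Sect. 2.6: beta * ln(4/3) / ln(beta / (2 pi e))."""
    return beta * math.log(4.0 / 3.0) / math.log(beta / TWO_PI_E)


def core_svp_estimate(n, q, sigma, m_range=None):
    """Minimise beta over the number of samples (assumption: m in [n, 3n]) and
    report the Core-SVP cost 0.292*beta with and without the d4f reduction."""
    if m_range is None:
        m_range = range(n, 3 * n + 1)
    best = None
    for m in m_range:
        beta = core_svp_blocksize(n, q, sigma, m)
        if beta is not None and (best is None or beta < best[0]):
            best = (beta, m)
    if best is None:
        return None
    beta, m = best
    return {
        "beta": beta,
        "m": m,
        "d": m + 1,
        "cost_bits": 0.292 * beta,
        "cost_bits_d4f": 0.292 * (beta - d4f(beta)),
    }


if __name__ == "__main__":
    # Constructed toy parameters; they are not those of any standardised scheme.
    print(core_svp_estimate(n=256, q=4093, sigma=3.0))
```

The difference between `cost_bits` and `cost_bits_d4f` is exactly the effect on the Core-SVP model that the introduction warns about: the model is only conservative as long as the attacker does not use dimensions for free.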

2.7 Leaky-LWE-Estimator

The leaky-LWE-Estimator [19] introduced a probabilistic method of LWE estimation, as opposed to the GSA-intersection method, which relates the probability of solving an LWE instance to the BKZ blocksize. The estimator was later applied to NIST PQC standards such as Kyber and Dilithium together with the cost estimation in [39], giving an accurate estimate for LWE rather than a conservative lower bound like the Core-SVP model [12]. The leaky-LWE-Estimator [19] computes an expected value \(\bar{\beta }\) of the blocksize needed to solve an LWE instance by simulating how the quality of the lattice basis changes during lattice reduction and estimating, at each blocksize of the progressive BKZ, the probability of finding the target vector in the last block. It then substitutes \(\bar{\beta }\) into the gate count and memory cost of the list-decoding estimation in [23] and obtains a cost estimate for LWE with the given parameters. To simplify the computation, [21] presented a simpler version of the leaky-LWE-Estimator that yields the same estimates as [19].

One main difference between the leaky-LWE-Estimator and the Core-SVP model is that the leaky-LWE-Estimator uses the BKZ 2.0 simulator [30], denoted BKZSim, to simulate how the lattice basis changes during progressive BKZ reduction; this gives both the number of SVP oracle calls of each dimension and the quality of the basis after a series of BKZ tours. Another difference is that the leaky-LWE-Estimator treats the length of the target vector as a random variable following a (scaled) chi-squared distribution rather than a fixed value. In addition, the leaky-LWE-Estimator uses the gate-count method of [23] instead of an asymptotic complexity to estimate the hardness of LWE. The details of the leaky-LWE-Estimator are given in Algorithm 1, where \(\chi _{\beta }^{2}\) denotes the chi-squared distribution with \(\beta \) degrees of freedom.

[Algorithm 1: leaky-LWE-Estimator (figure not available in this copy)]

After Algorithm 1 has produced the expected BKZ blocksize \(\bar{\beta }\) for solving LWE, the leaky-LWE-Estimator calls the gate-count algorithm of [23] to compute the number of gates (time cost) \(\texttt {ppgate}(\bar{\beta })=C^2 \cdot \texttt {agps20gates} (\bar{\beta }-\texttt {d4f}(\bar{\beta }))\) and the memory cost \(\texttt {bit}(\bar{\beta })=8(\bar{\beta }-\texttt {d4f}(\bar{\beta }))\cdot \texttt {agps20vectors} (\bar{\beta }-\texttt {d4f}(\bar{\beta }))\) of solving the LWE instance. The gate-count algorithm [23] can analyze the cost of sieving with classical and quantum circuits, and \(C=\frac{1}{1-2^{-0.292}}\) is a constant that accounts for the cost of progressive sieving when BDGL16 sieving [39] is used with progressive BKZ blocksizes. More details on the function \(\texttt {agps20gates}(\cdot )\) can be found in [40].
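The Python below is an added example, not the paper's Algorithm 1 (the BKZ simulator is not reproduced): it sketches the probabilistic success model of this section, in which the projection of the target onto the last k coordinates has squared norm \(\sigma ^2\chi _k^2\) and is found when that is below the Gaussian heuristic of the corresponding block. Two assumptions of the example: the profile of a BKZ-\(\beta \) reduced basis is taken from the GSA (Heuristic 2) instead of BKZSim, and the instance (d = 201, \(\mathrm{Vol} = 2053^{100}\), \(\sigma = 3\)) is constructed. The same routine evaluates the searching step of the Two-step mode, a sieve of dimension \(d_\textrm{svp}\) on a BKZ-\(\beta '\) reduced basis, both with the full chi-squared distribution and with the expected-norm criterion that “primal_bdd” uses, which is the difference discussed in Sect. 1.

```python
import math

TWO_PI_E = 2.0 * math.pi * math.e

# Constructed example instance: embedding lattice of dimension d with Vol = q^(m-n),
# here m - n = 100, q = 2053, and Gaussian error with sigma = 3 (not a real scheme).
EXAMPLE = {"d": 201, "log_vol": 100 * math.log(2053), "sigma": 3.0}


def root_hermite_factor(beta):
    """delta(beta) of Definition 4."""
    return (beta / TWO_PI_E * (beta * math.pi) ** (1.0 / beta)) ** (1.0 / (2.0 * (beta - 1)))


def gsa_log_profile(d, beta, log_vol):
    """ln ||b_i*|| for i = 0..d-1 of a BKZ-beta reduced basis under the GSA (Heuristic 2):
    ||b_0*|| = delta^d Vol^(1/d), slope alpha = delta^(-2d/(d-1))."""
    ld = math.log(root_hermite_factor(beta))
    return [d * ld + log_vol / d - 2.0 * d * ld * i / (d - 1) for i in range(d)]


def log_gh(log_norms):
    """ln GH of the block whose Gram-Schmidt ln-norms are given (Heuristic 1)."""
    k = len(log_norms)
    return 0.5 * math.log(k / TWO_PI_E) + sum(log_norms) / k


def regularized_gamma_p(a, x):
    """P(a, x) = gamma(a, x)/Gamma(a): power series for x < a + 1, Lentz continued
    fraction for the complement otherwise (the classical Numerical Recipes split)."""
    if x <= 0.0:
        return 0.0
    log_prefix = -x + a * math.log(x) - math.lgamma(a)
    if x < a + 1.0:
        ap, term, total = a, 1.0 / a, 1.0 / a
        for _ in range(10000):
            ap += 1.0
            term *= x / ap
            total += term
            if abs(term) < abs(total) * 1e-15:
                break
        return min(1.0, total * math.exp(log_prefix))
    tiny = 1e-300
    b, c, dd = x + 1.0 - a, 1.0 / tiny, 1.0 / (x + 1.0 - a)
    h = dd
    for i in range(1, 10000):
        an = -i * (i - a)
        b += 2.0
        dd = an * dd + b
        if abs(dd) < tiny:
            dd = tiny
        c = b + an / c
        if abs(c) < tiny:
            c = tiny
        dd = 1.0 / dd
        delta = dd * c
        h *= delta
        if abs(delta - 1.0) < 1e-15:
            break
    return 1.0 - math.exp(log_prefix) * h


def chi2_cdf(k, t):
    """P[chi^2_k <= t] (Definition 2)."""
    return regularized_gamma_p(k / 2.0, t / 2.0)


def block_success_prob(d, beta_red, k, log_vol, sigma):
    """P[ sigma^2 chi^2_k <= GH(last k block)^2 ] on a BKZ-beta_red reduced (GSA) basis:
    the probability that a k-dimensional SVP call on that block finds the target."""
    prof = gsa_log_profile(d, beta_red, log_vol)
    gh2 = math.exp(2.0 * log_gh(prof[d - k:]))
    return chi2_cdf(k, gh2 / sigma ** 2)


def expected_norm_success(d, beta_red, k, log_vol, sigma):
    """Same test with the expected squared norm k sigma^2 instead of the distribution."""
    prof = gsa_log_profile(d, beta_red, log_vol)
    return k * sigma ** 2 <= math.exp(2.0 * log_gh(prof[d - k:]))


def progressive_bkz_expected_blocksize(d, log_vol, sigma, beta_min=40):
    """Leaky-style expected blocksize: progressive BKZ with blocksizes beta_min, beta_min+1, ...;
    success at blocksize beta has probability p_beta = block_success_prob(d, beta, beta, ...),
    and successes at different blocksizes are treated as independent."""
    remaining, expected, probs = 1.0, 0.0, {}
    for beta in range(beta_min, d):
        p = block_success_prob(d, beta, beta, log_vol, sigma)
        probs[beta] = p
        expected += beta * remaining * p
        remaining *= 1.0 - p
        if remaining < 1e-9:
            break
    return expected + d * remaining, probs


if __name__ == "__main__":
    e = EXAMPLE
    eb, _ = progressive_bkz_expected_blocksize(e["d"], e["log_vol"], e["sigma"])
    print("expected progressive-BKZ blocksize:", round(eb, 1))
    for k in (70, 80, 90, 100):
        p = block_success_prob(e["d"], 70, k, e["log_vol"], e["sigma"])
        ok = expected_norm_success(e["d"], 70, k, e["log_vol"], e["sigma"])
        print("sieve dim", k, "on a BKZ-70 basis: p =", round(p, 4), "expected-norm criterion:", ok)
```

Running the `__main__` part shows the point made in Sect. 1 about “primal_bdd”: for the constructed instance the expected-norm criterion flips from failure to success at a single sieve dimension, while the distribution-aware probability rises gradually, so a smaller final sieve already succeeds with a probability that a cost-per-success estimate has to account for.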

2.8 PnjBKZ Simulator

The first step of the Two-step solving mode uses a series of well-chosen BKZ tours to reduce the lattice basis. Compared with the classical BKZ algorithm, the PnjBKZ algorithm (see Sect. 2.5 and Algorithm 3 for details) is a more efficient lattice reduction algorithm: it uses the sieving algorithm \(\textsf{Pump}\) as its SVP oracle and allows a more flexible choice of the blocks to be processed.

The PnjBKZ simulator is a polynomial-time algorithm that simulates how the quality of the lattice basis changes under the optimized PnjBKZ-\((\beta ,J)\) reduction strategy with \(J >1\) of [28], without actually running the PnjBKZ algorithm, whose cost is exponential in the blocksize. The simulator uses the Gaussian Heuristic and the properties of HKZ reduction to estimate how the logarithms of the Gram-Schmidt norms of the basis change after one tour of PnjBKZ-\((\beta ,J)\). The notation for PnjBKZ simulation is declared in Sect. 2.1.

3 Efficiency of Two-Step Solving Mode

In this section, we will show that the Two-step solving mode is more efficient in solving uSVP\(_\gamma \) compared with the BKZ-only mode. We use Theorem 1 to illustrate this claim and give the corresponding proof under GSA.

Theorem 1

Assume Gaussian Heuristic (Heuristic 1), GSA(Heuristic 2) and Heuristic 4 in [28] hold. Let d be the dimension of lattice, \(d\ge 100\), we assume that the uSVP\(_\gamma \) instance can be solved by BKZ-only mode through a BKZ-\(\beta \) reduced basis with \(\frac{d+16}{9}\le \beta \le \frac{d}{2}\), and let the time cost for sieving on d-dimensional lattice be \(2^{c\cdot d+c_0}\) where \(c\le 0.35\). Then there exists a parameter choice for the Two-step mode which solves the uSVP\(_\gamma \) instance in less time than the BKZ-only mode.

Proof

Let \(\mathcal {L}\) be the lattice, \(\mathbf{{B}}\) its basis and d its dimension, and let \(\mathbf{{v}}\) be the unique shortest vector. Without loss of generality we set \(\textrm{Vol}(\mathcal {L})=1\), and let \(M = \Vert \mathbf{{v}} \Vert \) be the length of the unique shortest vector. Assume that the orthogonal projection of \(\mathbf{{v}}\) onto the k-dimensional projected sub-lattice \(\mathcal {L}_{\pi [d-k]}\) has expected norm \(\sqrt{\frac{k}{d}} \cdot M\). Let \(\delta (\beta )\) be the root Hermite factor of a BKZ-\(\beta \) reduced basis. Assuming GSA holds, the Gram-Schmidt norms of the basis can be estimated as \((\delta (\beta )^d,\delta (\beta )^{d\cdot \frac{d-3}{d-1}},...,\delta (\beta )^{-d})\).

Since the projection \(\pi _{d-\beta }(\mathbf{{v}})\) is expected to be the shortest non-zero vector of \(\mathcal {L}_{\pi [d-\beta ]}\), i.e. \(\Vert \pi _{d-\beta } (\mathbf{{v}}) \Vert \le \lambda _1(\mathcal {L}_{\pi [d-\beta ]}) \approx \textrm{GH}(\mathcal {L}_{\pi [d-\beta ]})\), then

$$\begin{aligned} \sqrt{\frac{\beta }{2\pi e}}\cdot \delta (\beta )^{-\frac{d(d-\beta )}{d-1}}\ge \sqrt{\frac{\beta }{d}}\cdot M \end{aligned}$$

Next, suppose that the same instance is solved by a Two-step mode on a BKZ-\(\beta '\) reduced basis with a \(d_\textrm{svp}\) dimensional sieving, where \(\beta '<\beta <d_\textrm{svp}\). Then:

$$\begin{aligned} \sqrt{\frac{d_\textrm{svp}}{2\pi e}}\cdot \delta (\beta ')^{-\frac{d(d-d_\textrm{svp})}{d-1}}\ge \sqrt{\frac{d_\textrm{svp}}{2\pi e}}\cdot \delta (\beta )^{-\frac{d(d-\beta )}{d-1}} \ge \sqrt{\frac{d_\textrm{svp}}{d}}\cdot M \end{aligned}$$

We find a condition such that the inequality above holds. Since \(d_\textrm{svp}>\beta \), we only need to ensure that \(\delta (\beta ')^{-\frac{d(d-d_\textrm{svp})}{d-1}}\ge \delta (\beta )^{-\frac{d(d-\beta )}{d-1}}\). Take logarithm on both sides, and consider that \(\delta (\beta )=(\frac{\beta }{2\pi e}\cdot (\beta \pi )^{\frac{1}{\beta }})^{\frac{1}{2(\beta -1)}}\), we need to ensure that:

$$\begin{aligned} \frac{d-\beta }{d-d_\textrm{svp}}\ge \frac{\frac{1}{2(\beta '-1)}\cdot (\log \frac{\beta '}{2\pi e}+\frac{1}{\beta '}\log (\beta '\pi ))}{\frac{1}{2(\beta -1)}\cdot (\log \frac{\beta }{2\pi e}+\frac{1}{\beta }\log (\beta \pi ))} \end{aligned}$$

Since \(0<\beta '<\beta \), it follows that \(\beta ' \log \frac{\beta '}{2\pi e}+\log (\beta '\pi ) < \beta \log \frac{\beta }{2\pi e}+\log (\beta \pi )\) always holds, so it suffices to ensure that:

$$\begin{aligned} \frac{d-\beta }{d-d_\textrm{svp}}\ge \frac{\beta (\beta -1)}{\beta '(\beta '-1)} \end{aligned}$$

Here we consider a special case where \(\beta '=\beta -1\), since if the condition is satisfied under this case, then it is surely satisfied for the optimal choice of \(\beta ',d_\textrm{svp}\). We write \(d_\textrm{gap}=d_\textrm{svp}-\beta \). We choose \(d_\textrm{gap}\) to satisfy the condition above, which means that:

$$\begin{aligned} 1+\frac{d_\textrm{gap}}{d-\beta -d_\textrm{gap}}\ge 1+\frac{2}{\beta -2} \end{aligned}$$

Let T be the time needed to generate a BKZ-\((\beta -1)\) reduced basis. Under the heuristic assumption that generating a BKZ-\(\beta \) reduced basis requires at least one further BKZ-\(\beta \) tour, the time of the BKZ-only mode is \(T_\mathrm{BKZ-only}\ge T+T_\textrm{BKZ}(\beta )\), while the time of the Two-step mode is \(T_\mathrm{Two-step}=T+T_\textrm{sieve}(\beta +d_\textrm{gap})\). It therefore suffices to show that, for a choice of \(d_\textrm{gap}\) satisfying the condition above, \(T_\textrm{sieve}(\beta +d_\textrm{gap})\le (d-\beta +1)T_\textrm{sieve}(\beta )\le T_\textrm{BKZ}(\beta )\). With the sieve cost model \(T_\textrm{sieve}(d)=2^{c\cdot d+c_0}\), this reduces to showing \(2^{c\cdot d_\textrm{gap}}\le d-\beta +1\).

Now choose \(d_\textrm{gap}=\frac{2(d-\beta +1)}{\beta -2}\), which satisfies the condition. By our assumption \(d\le 9\beta -16\), we have \(d_\textrm{gap}\le 16\). For \(c\le 0.35\) this gives \(2^{c\cdot d_\textrm{gap}}\le 49\), and since we assume \(d\ge 100\) and \(d\ge 2\beta \), we have \(d-\beta \ge 50\), so the condition is satisfied.    \(\square \)

All current LWE estimators consider the security strength of LWE only under the BKZ-only solving mode. However, by Theorem 1 the Two-step mode is more efficient at solving uSVP\(_\gamma \), so we should analyze its impact on the hardness of LWE, which reduces to uSVP\(_\gamma \) under the primal attack. In the following section we therefore propose a refined Two-step LWE Estimator that evaluates the concrete hardness of LWE under the Two-step solving mode.

4 A Refined Two-Step Security Estimator for Solving LWE

In this section, we give the details of our refined Two-step security estimator for solving LWE. The estimator itself is described in Sect. 4.1, its verification experiments in Sect. 5, and in Sect. 7.1 we re-estimate the hardness of the LWE instances in the NIST PQC schemes with the Two-step LWE Estimator under both the trivial reduction strategy and the optimized reduction strategy of [28].

We build our estimator mainly on the leaky-LWE-Estimator [19]. Building the Two-step LWE Estimator on other security estimators (such as the LWE-estimator of Albrecht et al. [17]) leads to the same conclusion, namely that the Two-step mode of solving LWE lowers the estimated security bits. Further analysis and estimation results are given in Appendix A.

4.1 Two-Step LWE Estimator with Trivial Strategy

In this part, we give the details of our Two-step LWE Estimator (Algorithm 2; see footnote 2).

Algorithm 2: Two-step LWE Estimator with trivial strategy (given as a figure in the original).

Before giving the details, we briefly review the leaky-LWE-Estimator, on which our estimator is based. The leaky-LWE-Estimator is used by the NIST-selected PQC schemes [1, 2] to evaluate the security strength of LWE. It is more refined than previous LWE estimators, as it models the randomness of the target vector rather than using its fixed expected norm, and it uses a BKZ simulator rather than an estimate derived from the GSA. For the BKZ reduction it uses the trivial progressive strategy, in which the blocksize \(\beta \) is increased by 1 in each tour.

We use notation similar to [21]. Let \(\textrm{W}\) be the event that LWE is solved during the run of Progressive PnjBKZ or during the final high-dimension Pump of the Two-step mode, \(\textrm{W}_{\beta }^{(1)}\) the event that LWE is solved by BKZ-\(\beta \), \(\textrm{F}_{\beta }^{(1)}=\lnot \textrm{W}_{\beta }^{(1)}\), and \(\textrm{W}_{d_\textrm{svp}}^{(2)}\) the event that a \(d_\textrm{svp}\)-dimensional Pump solves LWE. Here \(\Pr [\textrm{W}_{\beta }^{(1)}]=\Pr \left[ x \leftarrow \chi _\beta ^2 \bigg | x \le (\textsf{rr}{[d-\beta ]})^2 \right] \), where \(\textsf{rr}{[d-\beta ]}\) is the length of the first Gram-Schmidt vector of the projected sublattice \(\mathcal {L}_{\pi [d-\beta :d]}\) of the current basis, which has been reduced by Progressive BKZ with reduction strategy \(\textsf{S}= \{\beta _i =i + 2 \mid i=1,...,\mathrm end \} \). In Two-step mode we partition \(\textrm{W}\) as:

$$\begin{aligned} \begin{aligned} \Pr [\textrm{W}]= & \Pr [\textrm{W}_{\beta _1}^{(1)}]+\Pr [\textrm{W}_{\beta _2}^{(1)}\wedge \textrm{F}_{\beta _1}^{(1)}]+\Pr [\textrm{W}_{\beta _3}^{(1)}\wedge \textrm{F}_{\beta _2}^{(1)} \wedge \textrm{F}_{\beta _1}^{(1)}] \\ &+\cdots +\Pr \left[ \textrm{W}_{\beta _\textrm{end}} ^{(1)}\wedge \bigwedge _{j=1}^\mathrm{end-1}\textrm{F}_{\beta _j}^{(1)} \right] +\Pr \left[ \textrm{W}_{d_\textrm{svp}}^{(2)}\wedge \bigwedge _{j=1}^\textrm{end}\textrm{F}_{\beta _j}^{(1)} \right] \\ = & \sum _{i=1}^\textrm{end}\Pr \left[ \textrm{W}_{\beta _i} ^{(1)}\wedge \bigwedge _{i>1,j=1}^{i-1}\textrm{F}_{\beta _j}^{(1)} \right] +\Pr \left[ \textrm{W}_{d_\textrm{svp}}^{(2)} \right] \cdot \Pr \left[ \bigwedge _{j=1}^\textrm{end}\textrm{F}_{\beta _j}^{(1)} \right] \end{aligned} \end{aligned}$$
(1)

Here \(\textrm{W}_{d_\textrm{svp}} ^{(2)}\) is the event that, during the final sieve, the \(d_\textrm{svp}\)-dimensional progressive sieve finds the projection of the target vector, and \(\textrm{F}_{d_\textrm{svp}}^{(2)}=\lnot \textrm{W}_{d_\textrm{svp}} ^{(2)}\). The final high-dimension sieve is only called when every BKZ-\(\beta \) of the reduction step has failed to find the target vector; we treat the event \(\textrm{W}_{d_\textrm{svp}} ^{(2)}\) as independent of all the events \(\textrm{F}_{\beta _j}^{(1)}\), which gives the last factorization in Eq. (1). When evaluating the concrete hardness of an LWE instance, \(d_\textrm{svp}\) is set so that the instance is solved with probability at least 0.999. Let \(\textrm{end}\) be the index of the last blocksize in the reduction strategy and \(d_\textrm{start}\) the dimension of the initial projected sublattice in the final sieve.

The leaky-LWE-Estimator relies on the heuristic assumption that the events \(\textrm{W}_{\beta _i}^{(1)}\) and \(\textrm{F}_{\beta _j}^{(1)}\) for \(i \ne j\) are independent (see Sect. 4.1 of [21], or the implementation of the leaky-LWE-Estimator in Algorithm 1). This assumption is reasonable to some extent if one assumes that the lattice basis is re-randomized each time it is reduced by a stronger BKZ reduction. We state it formally:

Heuristic 3

The lattice basis is re-randomized each time it is reduced by BKZ-\(\beta \) with a larger \(\beta \). Then the events \(\textrm{W}_{\beta _i}^{(1)}\) and \(\textrm{F}_{\beta _j}^{(1)}\) for \(i \ne j\) are independent.

Besides, let \(\textrm{E}_{\beta _i}^{(1)}\), for \(i \in \{1,2,... \}\), be the event that LWE is solved during the run of Progressive BKZ with blocksizes BKZ-\(\beta _1,\cdots ,\) BKZ-\(\beta _i\). Based on Heuristic 3, we have \(\small \Pr \left[ \textrm{W}_{\beta _i} ^{(1)}\wedge \bigwedge _{i>1,j=1}^{i-1}\textrm{F}_{\beta _j}^{(1)} \right] =\Pr \left[ \textrm{W}_{\beta _i} ^{(1)} \right] \cdot \Pr \left[ \bigwedge _{i>1,j=1}^{i-1}\textrm{F}_{\beta _j}^{(1)}\right] \) and

$$\begin{aligned} \begin{aligned} \Pr [\textrm{E}_{\beta _i}^{(1)}]=\Pr [\textrm{E}_{\beta _{i-1}}^{(1)}]+\Pr [\textrm{W}_{\beta _i}^{(1)}] \cdot \left( 1-\Pr [\textrm{E}_{\beta _{i-1}}^{(1)}] \right) . \end{aligned} \end{aligned}$$
(2)

We use Eq. (2) to compute the cumulative probability of solving LWE during the reduction step; see line 8 of Algorithm 2.

However, the same method cannot be used for the probability of solving LWE during the final sieve. Since we use a progressive sieve as the final sieve, we also need the probability of solving LWE at each step of the progressive sieve. Let \(\textrm{W}_i^{(2)}\) and \(\textrm{F}_i^{(2)}\) be the events that an i-dimensional progressive sieve (which sieves on projected sublattices of dimensions 2 up to i) does and does not solve LWE, respectively. Unlike in progressive BKZ, the lattice basis does not change during sieving, so the analogous heuristic assumption, that \(\textrm{W}_{i}^{(2)}\) and \(\textrm{F}_{j}^{(2)}\) for \(i\ne j\) are independent, cannot be made.

Instead of independence, we use the inclusion relation between \(\textrm{W}_{i}^{(2)}\) and \(\textrm{W}_{j}^{(2)}\) for \(j\le i\), namely \(\textrm{W}_{i}^{(2)}\supseteq \textrm{W}_{j}^{(2)}\): the basis does not change during the progressive sieving of Pump, and an i-dimensional progressive sieve first runs a j-dimensional progressive sieve for every \(j\le i\).

Let \(\textrm{E}_{\beta }^{(2)}\) be the event that the progressive sieve finds the projection of the target vector exactly at the \(\beta \)-dimensional sieve, i.e. during one progressive sieving all sieving dimensions smaller than \(\beta \) fail to find the target vector but the sieve of dimension \(\beta \) succeeds. We make the following heuristic assumption.

Heuristic 4

For \(i \in \{2,...,d_\textrm{svp}\}\), \(\textrm{W}_{i}^{(2)}\supseteq \textrm{W}_{i-1}^{(2)}\supseteq \textrm{W}_{i-2}^{(2)}\cdots \supseteq \textrm{W}_{2}^{(2)}\). Then \(\textrm{E}_{i}^{(2)}=\textrm{W}_{i}^{(2)}\setminus \textrm{W}_{i-1}^{(2)}\).

Setting \(\Pr \left[ \textrm{W}_{d_\textrm{start}-1}^{(2)} \right] =0\), based on Heuristic 4 we compute \(\Pr \left[ \textrm{E}_{d_\textrm{svp}}^{(2)} \right] \) by

$$\begin{aligned} \begin{aligned} \Pr \left[ \textrm{E}_{d_\textrm{svp}}^{(2)} \right] =\Pr \left[ \textrm{W}_{d_\textrm{svp}}^{(2)} \right] -\Pr \left[ \textrm{W}_{d_\textrm{svp}-1}^{(2)} \right] , \end{aligned} \end{aligned}$$
(3)

which is the key equality for computing the gate count of the searching step. The cumulative probability of solving LWE in the Two-step LWE Estimator is then

$$\begin{aligned} \begin{aligned} \Pr [\textrm{W}]&=\Pr [\textrm{E}_{\beta _{\textrm{end} }}^{(1)}]+\left( 1- \Pr [\textrm{E}_{\beta _{\textrm{end} }}^{(1)}] \right) \sum _{i = d_\textrm{start}}^{d_\textrm{svp}}\Pr \left[ \textrm{E}_{i}^{(2)} \right] \\ &=\Pr [\textrm{E}_{\beta _{\textrm{end} }}^{(1)}]+\left( 1- \Pr [\textrm{E}_{\beta _{\textrm{end} }}^{(1)}] \right) \Pr \left[ \textrm{W}_{d_\textrm{svp}}^{(2)} \right] ,\\ \end{aligned} \end{aligned}$$
(4)

see line 15 of Algorithm 2 for details.

Gate Count of the Reduction Step. Here we describe how to count the gates when LWE is solved in the reduction step. After computing each \(\Pr [\textrm{E}_{\beta _i}^{(1)}]\) for \(i \in \{1,2,... \}\) by Eq. (2), we compute the expected gate count \(G_1\) of the reduction step by Eq. (5); see line 7 of Algorithm 2. Let \(\texttt {gate}(\beta )\) be the gate count of a sieve in dimension \(\beta \), \(\texttt {pgate}(\beta ) = C\cdot \texttt {gate}(\beta )\) the gate count of a progressive sieve in dimension \(\beta \), and \(\texttt {pbgate}(\beta ) = \texttt {pgate}(\beta ) \cdot (d-\beta +1)\) the gate count of one BKZ-\(\beta \) tour. Then \(G_1\) is

$$\begin{aligned} \begin{aligned} G_1=\sum _{i=1}^\textrm{end} \Pr [\textrm{W}_{\beta _i}^{(1)}] \cdot \left( 1-\Pr [\textrm{E}_{\beta _{i-1}}^{(1)}] \right) \cdot \left[ \sum _{l=0}^{i} \texttt {pbgate}(\beta _l-\texttt {d4f}(\beta _l))\right] . \end{aligned} \end{aligned}$$
(5)

Gate Count of the Searching Step. Here we describe how to count the gates when LWE is solved in the searching step. When uSVP is solved in the searching step, all BKZ tours of the reduction step have failed to find the target vector. Thus, using Eq. (3) to compute \(\Pr \left[ \textrm{E}_{i}^{(2)} \right] \) for \(i \in \{d_\textrm{start},\dots ,d_\textrm{svp}\}\), we compute the expected gate count of the searching step by Eq. (6); see line 14 of Algorithm 2.

$$\begin{aligned} \begin{aligned} G_2= & \sum _{i = d_\textrm{start}}^{d_\textrm{svp}}\Pr \left[ \textrm{E}_{i}^{(2)} \right] \cdot \left( 1-\Pr [\textrm{E}_{\beta _\textrm{end}}^{(1)}] \right) \cdot \\ & \left[ \left( \sum _{l=0}^{\textrm{end}} \texttt {pbgate}\left( \beta _l-\texttt {d4f}(\beta _l) \right) \right) + \texttt {pgate}\left( i-\texttt { d4f}(i)\right) \right] \end{aligned} \end{aligned}$$
(6)

Solving LWE during the searching step means that all BKZ tours of the reduction step failed to find the target vector; the factor \(1-\Pr [\textrm{E}_{\beta _\textrm{end}}^{(1)}]=\Pr \left[ \bigwedge _{j=1}^\textrm{end}\textrm{F}_{\beta _j}^{(1)} \right] \) in Eq. (6) is the probability of this. Moreover, before the large-dimensional sieve of the searching step starts, the full cost of all BKZ tours of the reduction step has already been paid, so the cost of solving uSVP in the searching step includes the reduction cost \(\sum _{l=0}^{\textrm{end}} \texttt {pbgate}(\beta _l-\texttt {d4f}(\beta _l))\), and when the dimension of the SVP oracle equals \(d_\textrm{svp}\) the cost of the final sieve itself is \(\texttt {pgate}(d_\textrm{svp} - \texttt {d4f}(d_\textrm{svp}))\). Here \(\texttt {d4f}(j)\) is computed as in Sect. 2.6.

Finally, the total gate count of the Two-step mode for solving LWE is \(G :=G_1+G_2\).
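As an added illustration (not code from the paper or from its estimator), the following Python script carries Eqs. (2) to (6) through on a constructed instance. It replaces the BKZ simulator by the GSA profile of a BKZ-\(\beta \) reduced basis, computes \(\Pr [\textrm{W}_{\beta }^{(1)}]\) as the chi-squared probability \(\Pr [\sigma ^2\chi ^2_\beta \le \textsf{rr}[d-\beta ]^2]\), models \(\Pr [\textrm{W}_{i}^{(2)}]\) as \(\Pr [\sigma ^2\chi ^2_i \le \textrm{GH}(\textsf{rr}_{[d-i:d]})^2]\), and uses an assumed gate model \(2^{0.292\beta +16.4}\) with a geometric-sum constant C for the progressive sieve. The GSA stand-in, the \(\textrm{W}^{(2)}\) model, the cost constants, the choice \(d_\textrm{start}=\beta _\textrm{end}+1\) and the zero default for \(\texttt {d4f}\) are all assumptions of this example, and the instance parameters are constructed.

```python
import math

TWO_PI_E = 2 * math.pi * math.e


def chi2_cdf(x, k):
    """Pr[chi^2_k <= x] = P(k/2, x/2), the regularized lower incomplete gamma function, by its power series."""
    if x <= 0:
        return 0.0
    a, z = k / 2.0, x / 2.0
    if z > a + 40 * math.sqrt(a) + 50:   # far upper tail: the CDF is 1 to double precision
        return 1.0
    term = total = 1.0 / a               # n-th term is z^n / (a (a+1) ... (a+n))
    n = 0
    while term > total * 1e-16 and n < 100000:
        n += 1
        term *= z / (a + n)
        total += term
    return min(1.0, total * math.exp(a * math.log(z) - z - math.lgamma(a)))


def delta(beta):
    """Root Hermite factor delta(beta) of a BKZ-beta reduced basis (formula used in Sect. 3)."""
    return (beta / TWO_PI_E * (beta * math.pi) ** (1.0 / beta)) ** (1.0 / (2 * (beta - 1)))


def gsa_profile(d, beta, vol_root):
    """Gram-Schmidt lengths ||b*_0|| .. ||b*_{d-1}|| of a BKZ-beta reduced basis under the GSA (Heuristic 2):
    ||b*_i|| = alpha^i * delta^d * V^(1/d) with alpha = delta^(-2d/(d-1)), so that their product is V."""
    dl = delta(beta)
    alpha = dl ** (-2.0 * d / (d - 1))
    return [alpha ** i * dl ** d * vol_root for i in range(d)]


def gh(rr_block):
    """Gaussian-heuristic length of a projected block, from its Gram-Schmidt lengths."""
    k = len(rr_block)
    return math.sqrt(k / TWO_PI_E) * math.exp(sum(math.log(r) for r in rr_block) / k)


# ASSUMED cost model (the page leaves gate(beta) and C to its Sect. 2): a sieve in dimension beta costs
# 2^(0.292 beta + 16.4) gates, and a progressive sieve is the geometric sum of sieves in dimensions 2..beta.
C_SIEVE, C0_SIEVE = 0.292, 16.4
PROG_FACTOR = 1.0 / (1.0 - 2.0 ** (-C_SIEVE))


def gate(beta):
    return 2.0 ** (C_SIEVE * beta + C0_SIEVE)


def pgate(beta):
    return PROG_FACTOR * gate(beta)


def pbgate(beta, d):
    return pgate(beta) * (d - beta + 1)


def two_step_estimate(d, vol_root, sigma, strategy, d4f=lambda k: 0, target=0.999):
    """Eqs. (2)-(6) of Sect. 4.1.  A GSA profile for the current blocksize stands in for the BKZ simulator,
    and Pr[W^(2)_i] is modelled as Pr[sigma^2 chi^2_i <= GH(rr[d-i:d])^2] (both are simplifications)."""
    e_prev = 0.0        # Pr[E^(1)_{beta_{i-1}}]: cumulative success of the reduction step so far
    red_gates = 0.0     # sum_l pbgate(beta_l - d4f(beta_l)): gates spent on the tours so far
    g1 = 0.0            # Eq. (5)
    rr = None
    for beta in strategy:
        rr = gsa_profile(d, beta, vol_root)
        w = chi2_cdf(rr[d - beta] ** 2 / sigma ** 2, beta)   # Pr[W^(1)_beta]
        red_gates += pbgate(beta - d4f(beta), d)
        g1 += w * (1.0 - e_prev) * red_gates
        e_prev += w * (1.0 - e_prev)                          # Eq. (2)
    e_end = e_prev
    d_start = strategy[-1] + 1   # first sieving dimension counted in the searching step (a choice of this example)
    w2_prev, g2, p_total, d_svp = 0.0, 0.0, e_end, d
    for i in range(d_start, d + 1):
        w2 = chi2_cdf(gh(rr[d - i:]) ** 2 / sigma ** 2, i)    # Pr[W^(2)_i]
        e2 = max(0.0, w2 - w2_prev)                            # Eq. (3), under Heuristic 4
        g2 += e2 * (1.0 - e_end) * (red_gates + pgate(i - d4f(i)))   # Eq. (6)
        p_total = e_end + (1.0 - e_end) * w2                   # Eq. (4)
        w2_prev = w2
        if p_total >= target:                                  # d_svp: first dimension reaching the target
            d_svp = i
            break
    return {"p_reduction": e_end, "p_total": p_total, "d_svp": d_svp,
            "log2_gates": math.log2(g1 + g2)}


if __name__ == "__main__":
    # Constructed toy instance: d = 100, V^(1/d) = 6, Gaussian error of width sigma = 1,
    # trivial strategy BKZ-50, ..., BKZ-60 before the final progressive sieve.
    print(two_step_estimate(100, 6.0, 1.0, list(range(50, 61))))
```

The reduction loop is exactly the recursion of Eq. (2) with the running cost of all tours so far, while the searching loop accumulates the nested-event increments of Eq. (3) and stops at the first dimension where Eq. (4) reaches the 0.999 target; swapping `gsa_profile` for a real BKZ simulator output and the two `chi2_cdf` calls for the estimator's own success model turns it into Algorithm 2.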

Memory Count of the Two-Step LWE Concrete Estimator. The memory count is computed like the gate count, replacing the function gate(\(\beta \)) by the memory cost function bit(\(\beta \)), the memory cost of one sieve in dimension \(\beta \). Since the memory cost of the final sieve and of (progressive) BKZ with the same dimension both equal the memory cost of one sieve of that dimension, the memory count of the reduction step in our Two-step LWE Estimator is

$$\begin{aligned} \begin{aligned} B_1=\sum _{i=1}^\textrm{end}\left[ \Pr [\textrm{W}_{\beta _i}^{(1)}] \cdot \left( 1-\Pr [\textrm{E}_{\beta _{i-1}}^{(1)}] \right) \right] \cdot \texttt {bit}(\beta _i-\texttt {d4f}(\beta _i)), \end{aligned} \end{aligned}$$
(7)

and the memory count of searching step is

$$\begin{aligned} \begin{aligned} B_2= & \sum _{i = d_\textrm{start}}^{d_\textrm{svp}}\Pr \left[ \textrm{E}_{i}^{(2)} \right] \cdot \left( 1-\Pr [\textrm{E}_{(\beta _\textrm{end})}^{(1)}] \right) \cdot \max \{ \texttt {bit}\left( \beta _\textrm{end}-\texttt {d4f}(\beta _\textrm{end})\right) ,\texttt {bit}\left( i-\texttt { d4f}(i)\right) \}. \end{aligned} \end{aligned}$$
(8)

The total memory count of the Two-step mode for solving LWE is \(B :=B_1+B_2\).

4.2 Two-Step LWE Estimator with Refined Strategy

In this section, we adapt the Two-step LWE Estimator to Improved Progressive PnjBKZ [28], which first calls a series of PnjBKZ to reduce the basis and then chooses a good moment to run a Pump to search for the unique shortest vector. The concrete procedure is Algorithm 3.

Algorithm 3: Two-step LWE Estimator with improved progressive PnjBKZ (given as a figure in the original).

We point out the main differences between the estimator with improved progressive PnjBKZ and the estimator of Sect. 4.1. First, using PnjBKZ allows us to adjust the reduction strategy more freely. Instead of the trivial reduction strategy \(\textsf{S}= \{(\beta _i=i+2, J_i=1)\mid i=1, \cdots \} \) used in the leaky-LWE-Estimator and in Sect. 4.1, we can choose a more efficient reduction strategy given by the blocksize and jump strategy enumeration algorithm (EnumBS) of [28].

Secondly, we use the PnjBKZ simulator of [28] instead of the original BKZ simulator to simulate how the basis quality changes during reduction by a series of PnjBKZ with \(J>1\). This simulator is based purely on the Gaussian Heuristic, which avoids the problem that the GSA (Heuristic 2) does not hold strictly during PnjBKZ reduction. The gate count of one PnjBKZ-\((\beta ,J)\) tour is \(\texttt {pbgate}(\beta ,J) = \texttt {pgate}(\beta ) \cdot (d-\beta +1)/J\).

The gate and memory counts are computed in the same way; we only need to replace the events \(\textrm{W}_{\beta _i}^{(1)},\textrm{F}_{\beta _i}^{(1)}\) by \(\textrm{W}_{(\beta _i,J_i)}^{(1)},\textrm{F}_{(\beta _i,J_i)}^{(1)}\), which allow \(J>1\), when computing the probabilities. We omit further details.

5 Experiments on Verifying the Accuracy of Two-Step LWE Estimator

Sect. 5.1 focuses on the success probability of solving LWE in Two-step mode, in particular the success probability of the final sieve for different sieving dimensions; we describe the verification experiments for Heuristic 4 and for the accuracy of Eq. (3) and Eq. (4), the key equations for the gate count of the searching step. Sect. 5.2 gives an experiment verifying the efficiency of the Two-step mode compared with the BKZ-only mode. Finally, Sect. 5.3 compares the Two-step LWE Estimator with different reduction strategies against the leaky-LWE-Estimator.

5.1 Verification Experiments for Success Probability

We use LWE instances with different parameters (see footnote 3) to test the success probability of the final sieve for different progressive sieving dimensions, shown in Fig. 1 (see footnote 4). We choose four LWE parameter sets for our experiments: (\(n=40\), \(\alpha =0.005\), \(q=1601\), \(m=1600\)), (\(n=40\), \(\alpha =0.015\), \(q=1601\), \(m=1600\)), (\(n = 60,\alpha = 0.005\), \(q = 3607\)) and (\(n=45\), \(\alpha =0.010\), \(q=2027\), \(m=2025\)). For each parameter set we generate 100 random LWE instances and construct 100 different lattice bases; each basis corresponds to a uSVP instance with a different target vector. We then pre-process with BKZ/PnjBKZ using a trivial reduction strategy \(\textsf{S}\); for the parameter set (\(n=40\), \(\alpha =0.005\), \(q=1601\), \(m=1600\)), for example, we set \(\textsf{S}=\{\beta _1=10,...,\beta _\textrm{end}=17\}\). The 100 instances of each parameter set are used to fit the distribution of the error vector.

After pre-processing, we choose the key parameter \(\kappa \in \{0,...,d-1 \}\), which determines the size of the final sieve in the searching phase. In [12], it is assumed that one can solve LWE by solving a \((d-\kappa )\)-dimensional SVP on \(\mathcal {L}_{\pi [\kappa : d]}\) as long as \(\sigma \sqrt{d-\kappa } < \textrm{GH}(\mathcal {L}_{\pi [\kappa : d]})\), where \(\sigma \sqrt{d-\kappa }\) is the expected norm of the projected target vector. We instead model the squared norm of the projected target vector as a (scaled) chi-squared variable with \(d-\kappa \) degrees of freedom, and compute the cumulative probability of solving LWE with a high-dimensional Pump by Eq. (4) of Sect. 4 (line 15 of Algorithm 2). To verify Heuristic 4 and the accuracy of Eq. (4), we measure the actual success rate of solving LWE by lattice sieving for different values of \(\kappa \).

More precisely, we let \(d_\textrm{svp}=d-\kappa \) range from 30 to d by adjusting \(\kappa \), and for each \(d_\textrm{svp}\) we run the sieve on the 100 pre-processed bases to try to find the LWE solution, recording the actual success rate. Finally, we compare the actual success rate for each \(d_\textrm{svp}\) with the success rate of the final sieve predicted by Eq. (4) (line 15 of Algorithm 2). See Fig. 1 for details.

From Fig. 1 we see that the prediction of the success rate given by Eq. (4) is consistent with the experimental results, which indicates that our analysis and estimation in Sect. 4.1 are accurate.

Fig. 1. (figure) Verification experiments of the fit of the theoretical total success probability \(P(d_\textrm{svp}) =\) Eq. (4) (dashed line) to the actual success probability. 100 trials are run and the success rate is counted for each \(d_\textrm{svp}\).

5.2 Verification Experiments for Efficiency of Two-Step Mode

In this part, we give an experiment verifying the efficiency of the Two-step mode. We take the public keys of Kyber512, Kyber1024, Dilithium-II and Dilithium-V as the input LWE instances and call the Two-step Estimator with \(\textsf{S}[\beta ] = \{\beta _i | 3 \le \beta _i \le \beta \}\). The estimator stops at \(\beta = \beta _\textrm{end}\) such that the accumulated probability of \(\textsf{S}[\beta _\textrm{end}]\) is at least 0.999, i.e. \(\sum _{i=1}^\textrm{end} \Big [ \textrm{Pr}[W_{\beta _i} ^{(1)} ] \cdot \) \( \left( 1- \textrm{Pr} [E_{i-1}^{(1)}] \right) \Big ] \ge 0.999\), which is also the stopping condition of the leaky-LWE-Estimator.

Fig. 2 shows the gate count [23] of the Two-step mode under the different reduction strategies \(\textsf{S}[\beta ]\) for \(\beta \in \{ 3, \dots , \beta _\textrm{end}\}\), together with the number of gates estimated by the leaky-LWE-Estimator. The x-axis of Fig. 2 is the final blocksize \(\beta \) of the reduction strategy \(\textsf{S}[\beta ]\). Fig. 2 shows that the Two-step mode solves LWE more efficiently than BKZ reduction alone, so the security estimate given by the leaky-LWE-Estimator [19] is indeed over-optimistic. Moreover, since the quality of the basis improves gradually under progressive BKZ, there is an optimal moment \(\beta _\textrm{op}\) at which to end the reduction and enter the searching step.

Fig. 2. (figure) Two-step efficiency verification experiment.

5.3 The Comparison of Different Estimation Modes

In this part, we compare our Two-step estimator, with different reduction strategies and different gate-count models, against the leaky-LWE-Estimator.

Fig. 3. (figure) The relation between the growth of the cumulated cost and the success probability. Comparison between the output of the cumulated-cost version of [21] (Algorithm 1) and the Two-step mode (Algorithm 2, this work) for the LWE challenge instances \((n,\alpha ) \in \{(40,0.025), (80,0.005) \}\) and for Kyber512 and Kyber1024 [1]. "Two-step(\(\textsf{S}_0\))" uses a trivial progressive BKZ+Pump in Two-step mode to estimate security. "Two-step(\(\textsf{S}_\textrm{op}\))" uses progressive BKZ+Pump with the optimized strategy selected by EnumBS [28] in Two-step mode. \(\varDelta \log _2\textrm{G}\) is the gate count difference between our estimator and the leaky-LWE-Estimator, both using the same gate-count model (see footnote 5).

Fig. 3 describes the relationship between the success rate of solving LWE estimated by the different estimators and the corresponding number of gates. The blue line is the relationship between the expected gate count and the accumulated success probability of solving LWE by pure progressive BKZ with the trivial reduction strategy \(S_0\). The Two-step lines show the same relationship for the Two-step mode whose reduction step also uses a trivial reduction strategy \(S_1 \subsetneqq S_0\) (in Two-step mode the reduction step ends earlier than in BKZ-only mode). The EnumBS lines show the Two-step mode with the optimized blocksize and jump selection strategy as reduction strategy (see footnote 5).

From Fig. 3 we see that, for both the LWE challenge instances and the LWE instances of the NIST standard algorithms, the accumulated success probability of solving LWE in Two-step mode approaches 1 much faster than that of the leaky-LWE-Estimator, and the expected number of gates of the Two-step mode is smaller than that of the leaky-LWE-Estimator when the accumulated success probability approaches 1. The leaky-LWE-Estimator therefore gives an optimistic estimate. Moreover, both the optimized blocksize and jump selection strategy and the improved list-decoding technique of [41] (which corrects the estimate in [23] of the list-decoding technique of [39]) further decrease the estimated security strength when they replace the trivial reduction strategy or the gate-count model in Two-step mode. See Fig. 3 for the differences between the estimation models.

6 Improved Conservative Estimation for LWE

Above we estimated LWE hardness by means of practical solving algorithms. However, since lattice algorithms have developed quickly in recent years, such estimates can hardly be considered stable, and many researchers in the field prefer a theoretical, conservative estimate of the security level of a lattice-based scheme. The most widely used theoretical estimate for LWE-based cryptosystems is the Core-SVP model, first given in NewHope [12]; many lattice-based schemes, including Kyber and Dilithium, use the Core-SVP estimate to match the security levels required by NIST.

However, the Core-SVP model can hardly be called accurate. First, it ignores many coefficients in the estimate, which lowers the result. Second, it does not take the dimension-for-free technique into account, which makes the result higher than it should be. Beyond these two weaknesses, the main problem is that the solving algorithm underlying the Core-SVP model is of BKZ-only mode: for the Core-SVP estimate to hold, it must implicitly assume that a BKZ-only lattice solving algorithm is optimal, while our discussion in Sect. 3 shows that a Two-step mode is more efficient than a BKZ-only mode.

In this section, we give a new theoretical lower-bound estimate of LWE hardness based on the Two-step solving mode, which relies on weaker assumptions than the Core-SVP model. By our results (see Sect. 7.2), our estimate is higher than the Core-SVP estimate when d4f is not considered; once d4f is taken into account, it becomes lower than the Core-SVP estimate, which shows that the original Core-SVP model is in fact not conservative enough without d4f.

6.1 Theoretical Lower-Bound Security Estimation of LWE Hardness

The idea is simple: we use the time cost of the last lattice sieve of a Two-step run as the hardness estimate for uSVP\(_\gamma \) or LWE. Since the Two-step mode is currently the most efficient way to solve uSVP\(_\gamma \), and we omit the cost of the BKZ reduction step entirely, this estimate is conservative enough.

The main difficulty in constructing such a lower bound is to determine the quality of the basis that is input to the sieving step, since we cannot give the optimal strategy for the BKZ reduction step. We therefore take an alternative approach: we look for the basis profile \(\textsf{rr}\) such that the best strategy for solving uSVP\(_\gamma \) from a basis with profile \(\textsf{rr}\) is to run a sieve on a \(d_\textrm{svp}\)-dimensional sublattice rather than to run more BKZ tours before the final sieve.

For simplicity we also assume the geometric series assumption (GSA, see Heuristic 2), as the Core-SVP model does, so \(\textsf{rr}\) is uniquely determined by the lattice volume V and the root Hermite factor (RHF) \(\delta \) of the basis. Let \(\textsf{rhf}(\delta ,\beta )\) be the RHF of the basis after a basis with RHF \(\delta \) is reduced by one BKZ-\(\beta \) tour, and let \(d_\textrm{svp}=\textsf{md}(\delta ,M)\) be the minimum dimension such that a \(d_\textrm{svp}\)-dimensional sieve on \(\mathcal {L}_{\pi \left[ d- d_\textrm{svp}:d \right] }\) recovers the unique shortest vector of length M from a basis with RHF \(\delta \).

Taking dimension for free into account, let the cost of sieving in dimension \(d_\textrm{svp}\) be \(T_\textrm{sieve}(d_\textrm{svp})=2^{c(d_\textrm{svp}-\texttt {d4f}(d_\textrm{svp}))}\) and let \(T_\textrm{BKZ}(\beta )=(d-\beta +1)\cdot 2^{c(\beta -\texttt {d4f}(\beta ))}\). The condition above can then be expressed as the inequality \(\forall \beta , T_\textrm{sieve}(\textsf{md}(\delta ,M))\le T_\textrm{BKZ}(\beta )+T_\textrm{sieve}(\textsf{md}(\textsf{rhf}(\delta ,\beta ),M))\).

It is not hard to see that if \(\delta \) satisfies this condition, then so does every \(\delta '<\delta \). We therefore only need to find the maximum \(\delta \) satisfying the condition, and we use \(T_\textrm{sieve}(\textsf{md}(\delta ,M))\) as the estimate. Next, we explain how to compute \(\textsf{rhf}(\delta ,\beta )\) and \(\textsf{md}(\delta ,M)\).

Let \(\delta (\beta )\) be the RHF of a BKZ-\(\beta \) reduced basis. If \(\delta >\delta (\beta )\), then by the Gaussian Heuristic the length of \(\textbf{b}_1\) after one BKZ-\(\beta \) tour can be estimated as \(\textrm{GH}(\mathsf {rr_{[0:\beta ]}}=(\delta ^d V^{1/d}, \alpha \delta ^d V^{1/d} ,..., \alpha ^{\beta -1} \delta ^d V^{1/d} ))\), where d is the lattice dimension and \(\alpha =\delta ^{-\frac{2d}{d-1}}\) is the GSA ratio (so that the product of all d Gram-Schmidt lengths equals V). The RHF of the basis after the tour is then \(\textsf{rhf}(\delta ,\beta )\approx (\sqrt{\frac{\beta }{2\pi e}}\cdot \delta ^{\frac{d\cdot (d-\beta )}{d-1}})^{\frac{1}{d}}=\delta ^{\frac{d-\beta }{d-1}} \cdot (\sqrt{\frac{\beta }{2\pi e}})^{\frac{1}{d}}\), and for \(\delta \le \delta (\beta )\) we simply set \(\textsf{rhf}(\delta ,\beta )=\delta \).

Next, we estimate the dimension of the last lattice sieve. Let M be the expected length of the unique shortest vector and \(M_{d_\textrm{svp}}=M\cdot \sqrt{d_\textrm{svp}/d}\) the expected length of its projection onto a \(d_\textrm{svp}\)-dimensional sublattice. We need \(M_{d_\textrm{svp}}< \textrm{GH}(\textsf{rr}_{[d-d_\textrm{svp}:d]}=(\delta ^{-d}\cdot V^{1/d}\cdot \alpha ^{-d_\textrm{svp}+1},...,\delta ^{-d}\cdot V^{1/d}\cdot \alpha ^{-1},\delta ^{-d}\cdot V^{1/d}))\), i.e.:

$$M\cdot \sqrt{d_\textrm{svp}/d}< V^{1/d}\cdot \sqrt{\frac{d_\textrm{svp}}{2\pi e}}\cdot \delta ^{\frac{d\cdot (d_\textrm{svp}-d)}{d-1}}$$

and the minimum \(d_\textrm{svp}\) is obtained by solving this inequality.

Combining the above, we obtain a lower-bound estimate for solving LWE in Two-step mode. The procedure is written out explicitly as Algorithm 4.

Algorithm 4: lower-bound estimation of LWE hardness (given as a figure in the original).

Note that in Algorithm 4 we only search over BKZ-\(\beta \) reduced bases, so that the estimation finishes in reasonable time. This may lower the estimated time by a small amount, so the estimate only becomes more conservative.
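As an added worked example (not the paper's Algorithm 4 or its code), the Python script below implements the search of Sect. 6.1 restricted to BKZ-\(\beta \) reduced profiles: \(\textsf{rhf}(\delta ,\beta )\), \(\textsf{md}(\delta ,M)\) under the GSA with \(V^{1/d}=1\), the condition \(\forall \beta , T_\textrm{sieve}(\textsf{md}(\delta ,M))\le T_\textrm{BKZ}(\beta )+T_\textrm{sieve}(\textsf{md}(\textsf{rhf}(\delta ,\beta ),M))\), and the scan for the largest \(\delta (\beta )\) satisfying it. Its assumptions: \(c=0.292\); \(\texttt {d4f}=0\) by default, with Ducas' asymptotic \(\beta \ln (4/3)/\ln (\beta /2\pi e)\) as an option (the paper defers its own \(\texttt {d4f}\) to Sect. 2.6); and blocksizes below 50 are excluded from both scans because the \(\delta (\beta )\) formula is not monotone (and the Gaussian Heuristic not meaningful) for small blocksizes. The instance \((d,M)=(100,2)\) is constructed.

```python
import math

TWO_PI_E = 2 * math.pi * math.e


def delta(beta):
    """Root Hermite factor delta(beta) of a BKZ-beta reduced basis (formula used in the proof of Theorem 1)."""
    return (beta / TWO_PI_E * (beta * math.pi) ** (1.0 / beta)) ** (1.0 / (2 * (beta - 1)))


def rhf(delta_cur, beta, d):
    """rhf(delta, beta) of Sect. 6.1: RHF of a d-dimensional GSA basis of RHF delta_cur after one BKZ-beta tour."""
    if delta_cur <= delta(beta):            # basis already BKZ-beta reduced: the tour makes no progress
        return delta_cur
    return delta_cur ** ((d - beta) / (d - 1)) * math.sqrt(beta / TWO_PI_E) ** (1.0 / d)


def md(delta_cur, M, d, vol_root=1.0):
    """md(delta, M) of Sect. 6.1: minimum d_svp with M*sqrt(d_svp/d) < GH(rr[d-d_svp:d]) on a GSA basis.
    Returns None if even the full lattice fails the test (M is not shorter than GH(L))."""
    for d_svp in range(2, d + 1):
        gh = vol_root * math.sqrt(d_svp / TWO_PI_E) * delta_cur ** (d * (d_svp - d) / (d - 1))
        if M * math.sqrt(d_svp / d) < gh:
            return d_svp
    return None


def d4f_zero(k):
    return 0


def d4f_asymptotic(k):
    """Dimensions for free, ASSUMED here to be Ducas' asymptotic k*ln(4/3)/ln(k/(2 pi e)); the page defers
    its own d4f to Sect. 2.6.  Clamped to 0 for small k, where the formula is meaningless."""
    if k <= 2 * TWO_PI_E:
        return 0
    return int(k * math.log(4.0 / 3.0) / math.log(k / TWO_PI_E))


def log2_sieve(k, c, d4f):
    """log2 T_sieve(k) = c * (k - d4f(k))."""
    return c * (k - d4f(k))


def log2_bkz_tour(beta, d, c, d4f):
    """log2 T_BKZ(beta) = log2(d - beta + 1) + c * (beta - d4f(beta))."""
    return math.log2(d - beta + 1) + log2_sieve(beta, c, d4f)


def is_stable(delta_cur, M, d, c, d4f, beta_min):
    """Sect. 6.1 condition: sieving now costs no more than one more BKZ-beta tour plus sieving, for every beta."""
    k = md(delta_cur, M, d)
    if k is None:
        return False
    t_now = log2_sieve(k, c, d4f)
    for beta in range(beta_min, d + 1):
        k_after = md(rhf(delta_cur, beta, d), M, d)   # rhf <= delta_cur, so this is never None
        t_alt = math.log2(2 ** log2_bkz_tour(beta, d, c, d4f) + 2 ** log2_sieve(k_after, c, d4f))
        if t_now > t_alt:
            return False
    return True


def lower_bound(M, d, c=0.292, d4f=d4f_zero, beta_min=50):
    """Algorithm 4 restricted to BKZ-beta reduced profiles.  delta(beta) decreases in beta for beta >= beta_min
    (ASSUMED cut-off), so the first stable beta has the largest stable RHF.  Returns (beta, d_svp, log2 gates)."""
    for beta in range(beta_min, d + 1):
        dl = delta(beta)
        if is_stable(dl, M, d, c, d4f, beta_min):
            k = md(dl, M, d)
            return beta, k, log2_sieve(k, c, d4f)
    return None


if __name__ == "__main__":
    # Constructed toy instance: d = 100, volume normalised to V^(1/d) = 1, unique shortest vector of length 2.
    print(lower_bound(2.0, 100))
    print(lower_bound(2.0, 100, d4f=d4f_asymptotic))
```

The returned blocksize is the weakest BKZ-\(\beta \) reduction from which one more tour no longer pays for itself, and only the cost of the final sieve from that profile is reported; the reduction cost is dropped, which is what makes the figure a lower bound rather than an estimate of the attack.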

We argue that the new estimate is conservative enough under the GSA and two simple heuristic assumptions, and that these assumptions are strictly weaker than the implicit assumptions of the Core-SVP model, so our estimate is in fact more solid than the Core-SVP estimate.

Heuristic 5

BKZ is the optimal algorithm for lattice reduction, i.e. for generating a lattice basis satisfying the GSA.

Since the Core-SVP model only uses BKZ to estimate the hardness of LWE and also assumes the GSA on a BKZ-\(\beta \) reduced basis, our assumption is clearly weaker than the implicit assumption of the Core-SVP model.

Heuristic 6

The best way of solving uSVP\(_\gamma \) or LWE is by performing lattice sieving on a projected sublattice of a reduced lattice basis satisfying GSA.

We note that in the underlying solving algorithm of the Core-SVP model, the unique shortest vector is recovered by sieving on the last \(\beta \)-size block of the lattice, which is only a special case of our assumption. So our assumption is also strictly weaker than the implicit assumption in the Core-SVP model.

Theorem 2

Assume that the Gaussian Heuristic (Heuristic 1), GSA (Heuristic 2), Heuristics 5 and 6, and Heuristic 4 of [28] hold. Then the estimated cost of our lower bound estimation is strictly lower than the actual cost of solving uSVP\(_\gamma \) in almost all lattices.

Proof

Let \(\delta ,\ d_\textrm{svp}\) be the intermediate results in our lower bound estimation, i.e. the unique shortest vector is found by performing \(d_\textrm{svp}\)-dimensional lattice sieving on a lattice basis satisfying GSA whose RHF is \(\delta \).

Let \(\mathcal {A}\) be the optimal algorithm for solving uSVP\(_\gamma \). By Heuristic 6, we may assume that \(\mathcal {A}\) solves uSVP\(_\gamma \) by performing \(d'_\textrm{svp}\)-dimensional lattice sieving on a lattice basis satisfying GSA whose RHF is \(\delta '\). Furthermore, since by Heuristic 5 a lattice basis satisfying GSA is found by BKZ, let \(\beta '\) be the blocksize of the last BKZ tour before the final sieving, and \(\delta ''\) be the RHF of the lattice basis before this BKZ-\(\beta '\) tour. We consider the following cases.

  1. \(\delta '\ge \delta \), so \(d'_\textrm{svp}\ge d_\textrm{svp}\); thus the running time of \(\mathcal {A}\) is larger than \(T_\textrm{sieve}(d_\textrm{svp})\).

  2. \(\delta ''\le \delta \). By the definition of \(\delta \), we have \(T_\textrm{BKZ}(\beta ')+T_\textrm{sieve}(d'_\textrm{svp})>T_\textrm{sieve}(\textsf{md}(\delta '',M))\), so replacing the final BKZ-\(\beta '\) tour and lattice sieving with a single lattice sieving decreases the running time of \(\mathcal {A}\), which contradicts the optimality of \(\mathcal {A}\).

  3. \(\delta '<\delta <\delta ''\). Then \(\textsf{rhf}(\delta ,\beta ' )<\delta '\), so \(T_\textrm{BKZ}(\beta ')+T_\textrm{sieve}(d'_\textrm{svp})>T_\textrm{BKZ}(\beta ')+T_\textrm{sieve}(\textsf{md}(\textsf{rhf}(\delta ,\beta ' ),M))\ge T_\textrm{sieve}(d_\textrm{svp})\).

Thus we have the result.    \(\square \)

7 Two-Step Security Estimation of LWE in NIST Schemes

In this section, based on our refined Two-step security estimator, we give a more accurate upper bound estimation of LWE in NIST PQC schemes in Sect. 7.1. Next, based on our conservative estimation for LWE in Sect. 6, we give the lower bound estimation of LWE in NIST PQC schemes in Sect. 7.2.

7.1 Security Upper Bound Estimation of LWE in NIST PQC Schemes

Two-Step Security Estimation of LWE of NIST PQC Schemes. In this part, we estimate the security strength of the LWE instances of NIST PQC schemes by our Two-step LWE hardness estimator of Sect. 4.1. We use the same blocksize and jump selection strategy as the leaky-LWE-Estimator, namely the trivial strategy \(\textsf{S}_0=[\beta _0=3,\beta _1=4,...,\beta _\textrm{end}]\) in the reduction step of the Two-step mode; the only difference from the leaky-LWE-Estimator is that we consider a Two-step LWE solving mode.

Table 1. Security Upper bound Estimation results of different estimators for NIST schemes with different blocksize and jump solving strategies.\(^{\natural }\)

The evaluation results show that even without further optimizing the blocksize and jump selection, the Two-step mode strategy can effectively reduce the estimated security bits of the LWE instances in NIST PQC schemes. In particular, under the RAM model, i.e., assuming that access to even exponentially large memory is free, the estimated security bits of LWE in NIST schemes [22] can be reduced by 2.1–3.4 bits. See Table 1 for details. Here G and B in Table 1 respectively denote the log of the total number of logic circuits for event \(\textrm{W}\) to happen and the maximum memory needed for event \(\textrm{W}\) to happen, both calculated by the Gate-count algorithm [23].

Optimized Blocksize and Jump Selection Strategy and Two-Step Mode. In this part, we quantitatively analyze the impact of the combination of the Two-step LWE solving mode and optimized blocksize and jump selection strategy proposed in [28] on NIST PQC schemes. We change the reduction strategy in the reduction step of Two-step mode from trivial \(\textsf{S}_0\) to the optimized blocksize and jump selection strategy \(\textsf{S}_\textrm{op}\) proposed in [28]. In other words, we still use Eq. (1), but the reduction strategy used in Eq. (1) is replaced by the optimized blocksize and jump selection strategy proposed in [28].

The evaluation results show that the combination of the optimized blocksize and jump selection and the Two-step mode strategy can indeed effectively reduce the estimated security bits of LWE. Specifically, under the RAM model, the estimated security bits of LWE in NIST schemes [22] can be reduced by 2.2–4.6 bits. See Table 1 for details. Here G and B in Table 1 respectively denote the log of the total number of logic circuits for event \(\textrm{W}\) to happen and the maximum memory needed for event \(\textrm{W}\) to happen, both calculated by the Gate-count algorithm [23] under the optimized blocksize and jump selection.

Table 2. The security lower bound estimation of NIST lattice-based standardization\(^{\dag }\).

In practice, outside the RAM model, a large Pump dimension in the Two-step mode does lead to an extra cost for accessing exponentially large memory, which partially offsets the decrease in security hardness claimed above. However, it is unclear what the practical influence of the increased memory cost is on the total time cost. In fact, it is still an open question, see Q5 in Sect. 5.3 of [1]. Besides, although [42] gave an experimental analysis of an idealized model for the sieve algorithm, the theoretical analysis of the hidden probabilistic overhead in near-neighbor search remains an open problem. So our analysis in this section does not address these two parts.

7.2 Lower Bound Estimation of LWE in NIST PQC Schemes

In this part, we calculate the lower-bound security estimation of the NIST lattice-based standardization. As the dimension of the embedding lattice basis \(d=m+n+1\) can be further optimized by appropriately choosing the number of LWE samples \(m\in \{1,...,m_\textrm{max}\}\), we numerically optimize the number of LWE samples m to minimize the lower-bound security estimation by Algorithm 5. See Table 2 for more detail. Table 2 illustrates that, by optimizing the number of LWE samples m, the lower-bound security estimation of the NIST lattice-based standardization calculated by Algorithm 5 increases by 4.17–8.11 bits compared with the conservative estimation given by the Core-SVP model. However, when the d4f technique is taken into account, the security bits of the NIST lattice-based standardization decrease by 3.42–14.76 bits under our new lower-bound security estimation compared with the conservative estimation given by the Core-SVP model. This indicates that the Core-SVP model is not conservative enough to offset the influence of the d4f technique.

Furthermore, Table 2 also shows that there indeed exists a \(\beta _\textrm{optimal}\) such that \(d_\textrm{svp}=\textsf{md}(\delta (\beta _\textrm{optimal}),M)\) and, for any \(\beta ' \in \{\beta _\textrm{optimal}+1,..., d\}\), \(\delta ' =\textsf{rhf}(\delta (\beta ),\beta ')\) satisfies \(T_\textrm{sieve}(d_\textrm{svp}) < T_\textrm{BKZ}(\beta ') + T_\textrm{sieve}\left( \textsf{md}(\delta ' ,M) \right) \) under the parameters of the NIST lattice-based standardization [1, 2].

[Figure: Algorithm 5, the lower bound estimation with an optimized number of LWE samples]

8 Conclusion

In this paper, we construct a Two-step LWE hardness estimator which estimates the hardness of LWE under the primal attack using a combination of BKZ and sieving. To verify the accuracy of our Two-step LWE hardness estimator, we performed extensive experiments, and the experimental results are consistent with our estimation. Besides, we also propose a conservative estimation for LWE that takes the attack in Two-step mode into account. Compared with the most conservative Core-SVP model, our conservative estimation relies on weaker assumptions.

To determine the influence of the Two-step mode on the security estimation of NIST PQC schemes, we re-evaluate the concrete hardness of the schemes by our Two-step LWE hardness estimator with both a trivial reduction strategy and the optimized blocksize and jump selection strategy. The evaluation results show that the upper bound security estimation given by the leaky-LWE-Estimator [19] is over-optimistic: the security bits drop by 2.1–3.4 bits under the trivial reduction strategy and by 2.2–4.6 bits under the optimized blocksize and jump selection strategy. For the lower bound security bits of NIST PQC schemes, our conservative estimation is 4.17–8.11 bits higher than the Core-SVP estimation. Therefore, we give more accurate estimations of both the upper bound and the lower bound of the hardness of LWE.