Skip to main content

Table 2 Bit-security estimations under Core-SVP Model

From: Hybrid dual attack on LWE with arbitrary secrets

Name

Sec.

Claim

Assumption 1

Assumption 2

level

Dual

Ours

\(\Delta _{\text {dual}}\)

\(\Delta _{\text {claim}}\)

Dual

Ours

\(\Delta _{\text {dual}}\)

\(\Delta _{\text {claim}}\)

Kyber512

1

118

117

114

\(-3\)

\(-4\)

122

119

\(-3\)

+1

Kyber768

3

182

181

175

\(-6\)

\(-7\)

188

182

\(-6\)

0

Kyber1024

5

256

253

245

\(-8\)

\(-11\)

263

254

\(-9\)

\(-2\)

Saber512

1

118

117

114

\(-3\)

\(-4\)

122

119

\(-3\)

+1

Saber768

3

189

189

184

\(-5\)

\(-5\)

196

191

\(-5\)

+2

Saber1024

5

260

258

250

\(-8\)

\(-10\)

268

260

-8

0

Dilithium1024

2

123

123

121

\(-2\)

\(-2\)

126

124

\(-2\)

+1

Dilithium1280

3

182

181

179

\(-2\)

\(-3\)

186

183

\(-3\)

+1

Dilithium1792

5

252

251

246

\(-5\)

\(-6\)

257

252

\(-5\)

0

Frodo640

1

150

141

139

\(-2\)

147

145

\(-2\)

Frodo976

3

215

205

202

\(-3\)

212

209

\(-3\)

Frodo1344

5

280

270

264

\(-6\)

278

272

\(-6\)

NTRULPrime653

1

130

130

125

\(-5\)

\(-5\)

135

129

\(-6\)

\(-1\)

NTRULPrime761

2

155

155

148

\(-7\)

\(-8\)

161

153

\(-8\)

\(-2\)

NTRULPrime857

2

176

176

168

\(-8\)

\(-6\)

183

174

\(-9\)

\(-2\)

NTRULPrime953

3

197

195

187

\(-8\)

\(-10\)

202

193

\(-9\)

\(-4\)

NTRULPrime1013

4

210

209

200

\(-9\)

\(-10\)

217

207

\(-10\)

\(-3\)

NTRULPrime1277

5

271

269

256

\(-13\)

\(-15\)

279

264

\(-15\)

\(-7\)

  1. * Data for “Ours” uses Hybrid 2m estimator. \(\Delta _{\text {dual}}\) is the improvement over dual attack. \(\Delta _{\text {claim}}\) is the improvement over the claimed results.
  2. * For a fair comparison, data for “Dual” also comes from our estimator.
  3. * The claimed results of Frodo use a different cost model, thus we do not compare our results with the claimed results