Skip to main content

Table 2 Bit-security estimations under Core-SVP Model

From: Hybrid dual attack on LWE with arbitrary secrets

Name Sec. Claim Assumption 1 Assumption 2
level Dual Ours \(\Delta _{\text {dual}}\) \(\Delta _{\text {claim}}\) Dual Ours \(\Delta _{\text {dual}}\) \(\Delta _{\text {claim}}\)
Kyber512 1 118 117 114 \(-3\) \(-4\) 122 119 \(-3\) +1
Kyber768 3 182 181 175 \(-6\) \(-7\) 188 182 \(-6\) 0
Kyber1024 5 256 253 245 \(-8\) \(-11\) 263 254 \(-9\) \(-2\)
Saber512 1 118 117 114 \(-3\) \(-4\) 122 119 \(-3\) +1
Saber768 3 189 189 184 \(-5\) \(-5\) 196 191 \(-5\) +2
Saber1024 5 260 258 250 \(-8\) \(-10\) 268 260 -8 0
Dilithium1024 2 123 123 121 \(-2\) \(-2\) 126 124 \(-2\) +1
Dilithium1280 3 182 181 179 \(-2\) \(-3\) 186 183 \(-3\) +1
Dilithium1792 5 252 251 246 \(-5\) \(-6\) 257 252 \(-5\) 0
Frodo640 1 150 141 139 \(-2\) 147 145 \(-2\)
Frodo976 3 215 205 202 \(-3\) 212 209 \(-3\)
Frodo1344 5 280 270 264 \(-6\) 278 272 \(-6\)
NTRULPrime653 1 130 130 125 \(-5\) \(-5\) 135 129 \(-6\) \(-1\)
NTRULPrime761 2 155 155 148 \(-7\) \(-8\) 161 153 \(-8\) \(-2\)
NTRULPrime857 2 176 176 168 \(-8\) \(-6\) 183 174 \(-9\) \(-2\)
NTRULPrime953 3 197 195 187 \(-8\) \(-10\) 202 193 \(-9\) \(-4\)
NTRULPrime1013 4 210 209 200 \(-9\) \(-10\) 217 207 \(-10\) \(-3\)
NTRULPrime1277 5 271 269 256 \(-13\) \(-15\) 279 264 \(-15\) \(-7\)
  1. * Data for “Ours” uses Hybrid 2m estimator. \(\Delta _{\text {dual}}\) is the improvement over dual attack. \(\Delta _{\text {claim}}\) is the improvement over the claimed results.
  2. * For a fair comparison, data for “Dual” also comes from our estimator.
  3. * The claimed results of Frodo use a different cost model, thus we do not compare our results with the claimed results