Lattice Part 9: Concrete Security of Lattice Schemes — Primal, Dual, BKZ

maocred@gmail.com (Halois) — Wed, 25 Sep 2024 12:00:00 +0800

Reading: Peikert’s survey as the wide-angle frame¹, Albrecht-Player-Scott for concrete-LWE attack modeling², Chen-Nguyen for BKZ quality heuristics³, the Homomorphic Encryption Standard for published parameter-table practice⁴, and the LWE Estimator for the operational interface between these papers and actual numbers⁵.

Parts 0-3 fixed the geometric vocabulary: bases, reduced bases, SVP/CVP, cosets, and short modular witnesses. A deployed lattice scheme then adds concrete parameters such as dimension, modulus, secret distribution, error distribution, and sample count. None of those symbols, by itself, proves that one parameter set costs an attacker $2^{128}$ steps. That last sentence is not a theorem output. It is an attacker model layered on top of the theorem.

So this chapter stays on the attacker side of the interface. The real objects are primal attacks, dual attacks, BKZ block size, root-Hermite factor, and the estimator-style chain that turns $(n,q,\chi,k,m)$ into a work factor only after a long list of modeling decisions has been fixed.

This chapter therefore separates asymptotic hardness claims from concrete parameter-setting practice. It defines primal and dual attack viewpoints clearly, then uses concrete security estimation and attack-cost modeling to map parameter choices to attack-cost estimates.

In that exact sense, the goal is to connect BKZ quality assumptions to concrete lattice-scheme security reasoning rather than to repeat a security badge from the reduction side.

Concrete Security on As it was

Lattice Part 9: Concrete Security of Lattice Schemes — Primal, Dual, BKZ