In response to #139 (comment) / proposing an ISISLattice class:
From what I gather from https://eprint.iacr.org/2023/1125.pdf ISIS is broken for bound v >= q sqrt(n/12) and for v \in (q, q sqrt(n/12)) its security is in question. Fixing n, there may be some limit v < q f(q) for secure ISIS parameterization, where f(q) grows inversely in q:
> We also explicitly state that we believe the attacks presented in this work are far from optimised. As such, we suggest that appealing to the practical security of ISIS instances with v >= q is approached with great care and, if possible, not at all.
Unless someone intends to implement an estimator for these attacks, an ISISLattice class could print a warning when norm bounds are in this range, citing this paper, but still print out estimates. This would resolve the problem introduced by #139, that some currently secure parameterizations of schemes like Falcon will be claimed trivial when using the SISLattice estimator.
Not my area of expertise, but I believe the best lattice attacks on ISIS compute a basis for the preimage of the target, then find a short vector in that basis. I don't think that the target being 0 in SIS has any special effect on the initial preimage/kernel basis. So even though the black-box reductions I've seen from ISIS to SIS have some minor complications that might affect runtime, for actual attacks it will be the same--is that correct?
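The warn-but-still-estimate behaviour proposed above, as an added sketch that is not the project's or the poster's code. The names `isis_regime`, `estimate_isis`, `ISISBoundWarning` and the `estimator` callable are hypothetical, and the thresholds are the ones stated in this issue, applied as written.

```python
import warnings
from enum import Enum
from fractions import Fraction

PAPER = "https://eprint.iacr.org/2023/1125.pdf"

class ISISBoundWarning(UserWarning):
    """Emitted when the norm bound v falls in a range flagged in the issue."""

class Regime(Enum):
    BELOW_Q = "v < q"
    QUESTIONABLE = "q <= v < q*sqrt(n/12)"
    BROKEN = "v >= q*sqrt(n/12)"

def isis_regime(n, q, v):
    """Classify (n, q, v) using the thresholds quoted in the issue."""
    if n <= 0 or q <= 0 or v < 0:
        raise ValueError("need n > 0, q > 0, v >= 0")
    v2, q2 = Fraction(v) ** 2, Fraction(q) ** 2
    # v >= q*sqrt(n/12)  <=>  12*v^2 >= q^2*n; exact arithmetic avoids
    # float rounding for a bound sitting right on the threshold.
    if 12 * v2 >= q2 * n:
        return Regime.BROKEN
    # v == q is treated as questionable, following the quoted "v >= q".
    if v2 >= q2:
        return Regime.QUESTIONABLE
    return Regime.BELOW_Q

def estimate_isis(n, q, v, estimator):
    """Warn when v is in a flagged range, but always return the estimate.

    `estimator` is a hypothetical callable (n, q, v) -> cost estimate.
    """
    regime = isis_regime(n, q, v)
    if regime is not Regime.BELOW_Q:
        warnings.warn(
            f"ISIS norm bound in range {regime.value} (n={n}, q={q}, v={v}); "
            f"estimates may not reflect the attacks in {PAPER}",
            ISISBoundWarning, stacklevel=2)
    return regime, estimator(n, q, v)

if __name__ == "__main__":
    # Constructed sample parameters, not taken from any scheme's spec.
    for v in (5834, 12289, 20000, 120000):
        print(v, estimate_isis(1024, 12289, v, lambda n, q, v: "<estimate>"))
```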