We have “rebooted” the LWE Estimator as the Lattice Estimator. This was born out of frustration with the limitations of the old codebase.

Here is how we had to express, e.g., NIST Round 1 Kyber512 for the “Estimate all the {LWE, NTRU} schemes!” project:
n = 512 sd = 1.5811388300841898 q = 7681 alpha = sqrt(2*pi)*sd/RR(q) m = n secret_distribution = "normal" primal_usvp(n, alpha, q, secret_distribution=secret_distribution, m=m)
In contrast, here’s how we express NIST Round 3 Kyber512 now:
from estimator import * Kyber512 = LWE.Parameters( n=2 * 256, q=3329, Xs=ND.CenteredBinomial(3), Xe=ND.CenteredBinomial(3), m=2 * 256, tag="Kyber 512", )
That is, the user should not have to pretend their input distributions are some sort of Gaussians, the estimator should be able to handle standard distributions used in cryptography. Hopefully this makes using the estimator less errorprone.

It is wellestablished by now that making the Geometric Series Assumption for “primal attacks” on the Learning with Errors problem can be somewhat off. It is more precise to use a simulator to predict the shape after lattice reduction but the old estimator did not support this. Now we do:
lwe.primal_usvp(Kyber512, red_shape_model="GSA")
rop: ≈2^141.2, red: ≈2^141.2, δ: 1.004111, β: 382, d: 973, tag: usvp
lwe.primal_usvp(Kyber512, red_shape_model="CN11")
rop: ≈2^144.0, red: ≈2^144.0, δ: 1.004038, β: 392, d: 976, tag: usvp
The design is (hopefully) modular enough that you can plug in your favourite simulator.

The algorithms we costed were getting outdated. For example, we had these (really slow) estimates for the “decoding attack” that was essentially equivalent to computing a BKZϐ reduced basis followed by calling an SVP oracle in some dimension η. This is now implemented as
primal_bdd
.lwe.primal_bdd(Kyber512, red_shape_model="CN11")
rop: ≈2^140.5, red: ≈2^139.3, svp: ≈2^139.6, β: 375, η: 409, d: 969, tag: bdd
Similarly, our estimates for dual and hybrid attacks hadn’t kept up with the state of the art. Michael and Ben (both now at Zama) contributed code to fix that and have blogged about it here.
lwe.dual_hybrid(Kyber512)
rop: ≈2^157.7, mem: ≈2^153.6, m: 512, red: ≈2^157.4, δ: 1.003726, β: 440, d: 1008, ↻: ≈2^116.5, ζ: 16, tag: dual_hybrid
lwe.primal_hybrid(Kyber512)
rop: ≈2^276.4, red: ≈2^276.4, svp: ≈2^155.3, β: 381, η: 2, ζ: 0, S: 1, d: 1007, prob: ≈2^133.2, ↻: ≈2^135.4, tag: hybrid
We’re still not complete (e.g. BKW with sieving is missing), but the more modular design, e.g. the onebigPythonfiletorulethemall is no more, should make it easier to update the code.
 The rename is motivated by our ambition to add estimation modules for attacks on NTRU (not just viewing it as LWE) and SIS, too.
For most users, the usage should be fairly simple, e.g.
params = LWE.Parameters(n=700, q=next_prime(2^13), Xs=ND.UniformMod(3), Xe=ND.CenteredBinomial(8), m=1400, tag="KewLWE") _ = LWE.estimate.rough(params)
usvp :: rop: ≈2^153.9, red: ≈2^153.9, δ: 1.003279, β: 527, d: 1295, tag: usvp dual_hybrid :: rop: ≈2^178.9, mem: ≈2^175.1, m: 691, red: ≈2^178.7, δ: 1.002943, β: 612, d: 1360, ↻: 1, ζ: 31, tag: dual_hybrid
_ = LWE.estimate(params)
bkw :: rop: ≈2^210.4, m: ≈2^198.0, mem: ≈2^199.0, b: 15, t1: 0, t2: 16, ℓ: 14, #cod: 603, #top: 0, #test: 98, tag: codedbkw usvp :: rop: ≈2^182.3, red: ≈2^182.3, δ: 1.003279, β: 527, d: 1295, tag: usvp bdd :: rop: ≈2^178.7, red: ≈2^178.1, svp: ≈2^177.2, β: 512, η: 543, d: 1289, tag: bdd dual :: rop: ≈2^207.8, mem: ≈2^167.1, m: 695, red: ≈2^207.6, δ: 1.002926, β: 617, d: 1394, ↻: ≈2^165.5, tag: dual dual_hybrid :: rop: ≈2^201.3, mem: ≈2^197.4, m: 676, red: ≈2^201.1, δ: 1.003008, β: 594, d: 1341, ↻: ≈2^141.9, ζ: 35, tag: dual_hybrid
If you are an attack algorithm designer, we would appreciate if you would contribute estimates for your algorithm to the estimator. If we already have support for it implemented, we would appreciate if you could compare our results against what you expect. If you are a scheme designer, we would appreciate if you could check if our results match what you expect. If you find suspicious behaviour or bugs, please open an issue on GitHub.
You can read the documentation here and play with the new estimator in your browser here (beware that Binder has a pretty low timeout, though).