feat(security): increase LWE noise sigma to 25.0

[igor53627]

Closes #68

Increases the LWE noise standard deviation (σ) from 8.0 to 25.0 to improve security margins against lattice attacks.

Verification:

• Gas: No impact (verified via BenchmarkTLOS.s.sol).
• Correctness: Error margin (4σ ≈ 100) is negligible compared to the decryption threshold (q/4 ≈ 16380).

---

Note

Strengthens LWE security by removing deterministic noise tied to public seeds and increasing noise variance.

• Rust: generate_tlos now accepts an injected Rng for noise; removed seeding noise from circuit_seed. Updated src/bin/generate_tlos.rs to use thread_rng, and tests to pass seeded ChaCha20Rng. lwe.rs sets NOISE_SIGMA to 25.0 and threads RNG through encode_gate/encrypt_bit_seeded.
• Solidity script: BenchmarkTLOS.s.sol adds a distinct noiseSeed and updates _generateBVector to take noiseSeed, decoupling e from puzzleSeed with clear warnings.
• Docs: Added docs/tasks/issue-65-secret-noise-fix.md outlining the vulnerability and required decoupling of e from public seeds.

^{Written by Cursor Bugbot for commit 5567b72. Configure here.}

Summary by CodeRabbit

• Bug Fixes

  • Fixed security vulnerability in noise generation that could enable unauthorized secret recovery
  • Decoupled noise generation from public seeds to ensure independent entropy source
  • Updated noise parameters for enhanced cryptographic security

• Documentation

  • Added security advisory documenting vulnerability details and remediation strategy

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[changeset-bot]

⚠️ No Changeset found

Latest commit: 5567b72

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

A cryptographic security fix decoupling noise generation from public seeds to prevent secret recovery. Changes include introducing independent entropy sources (noiseSeed parameter in Solidity, RNG parameter in Rust), externalizing RNG handling in the generator, and increasing the Gaussian noise standard deviation from 8.0 to 25.0 for hardened security.

Changes

Cohort / File(s)	Summary
Documentation docs/tasks/issue-65-secret-noise-fix.md	New document detailing a vulnerability where noise derived from public seeds enables secret recovery, plus implementation plan requiring independent entropy for noise in both Rust and Solidity components.
Noise Hardening src/lwe.rs	Updates Gaussian noise standard deviation constant from 8.0 to 25.0 to increase resistance against lattice reduction attacks. No functional changes to noise sampling or encryption flow.
RNG Externalization src/generator.rs, src/bin/generate_tlos.rs	Refactors generate_tlos to accept an external RNG parameter instead of creating one internally, enabling independent entropy control; binary updated to pass thread_rng.
Solidity Noise Separation scripts/BenchmarkTLOS.s.sol	Extends _generateBVector to accept a separate noiseSeed parameter, decoupling B-vector noise generation from the circuit seed.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 With whispered seeds no more we bound our noise,
Now entropy flows free through coded joys!
At sigma twenty-five, the lattice bends,
Where secrets stay safe and error truly ends. 🌟

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Out of Scope Changes check	⚠️ Warning	The PR includes significant out-of-scope changes beyond the linked issue #68: refactoring noise generation to decouple from public seeds (issue #65), modifying function signatures in generator.rs and benchmark script, and adding new documentation that are not part of the #68 requirement.	Consider separating changes into two PRs: one for issue #68 (sigma increase only) and another for issue #65 (noise decoupling refactoring) to maintain focus and ease review.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'feat(security): increase LWE noise sigma to 25.0' accurately describes the main change: raising the LWE noise sigma parameter from 8.0 to 25.0 for security improvements.
Linked Issues check	✅ Passed	The PR implements the primary requirement from issue #68 by changing NOISE_SIGMA from 8.0 to 25.0 in src/lwe.rs, which directly addresses the security hardening objective against lattice reduction attacks.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5567b72dae

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Update estimator sigma to match new NOISE_SIGMA

With NOISE_SIGMA now set to 25, the security estimation helper estimate_main_lwe_security in src/security/lattice_estimator.rs still hardcodes stddev: 8.0, so anyone running the estimator for documentation or audit numbers will compute the old σ=8 security margin rather than the new σ=25 parameters. Consider wiring the estimator to NOISE_SIGMA (or updating the constant there) to keep security results accurate.

Useful? React with 👍 / 👎.

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

src/lwe.rs (1)

1-4: Update module documentation to reflect σ=25.

The module-level doc comment on line 3 still references σ=8, but the actual NOISE_SIGMA constant has been changed to 25.0. This creates a documentation-code mismatch.

Proposed fix

 //! Layer 2: LWE encryption for control function hiding.
 //!
-//! Uses standard LWE with Gaussian noise (n=384, q=65521, σ=8) providing
+//! Uses standard LWE with Gaussian noise (n=384, q=65521, σ=25) providing
 //! ~2^112 post-quantum security against lattice attacks.

scripts/BenchmarkTLOS.s.sol (1)

44-44: Update sigma value in log message.

The console log still references sigma=8, but NOISE_SIGMA in src/lwe.rs has been changed to 25.0 in this PR.

Proposed fix

-        console.log("LWE Dimension: n=384, sigma=8 (~2^112 PQ security)");
+        console.log("LWE Dimension: n=384, sigma=25 (~2^112 PQ security)");

🧹 Nitpick comments (1)

docs/tasks/issue-65-secret-noise-fix.md (1)

29-49: Optional: Adjust nested list indentation to 2 spaces.

Static analysis flagged inconsistent list indentation (4 spaces instead of the preferred 2 spaces per MD007). This is purely cosmetic and won't affect rendering.

Example fix for one section

 ### 1. Rust Generator (`src/`)
 -   **`src/lwe.rs`**:
-    -   Review `encrypt_bit` and `encrypt_bit_seeded`.
-    -   Ensure that while `A` is derived from the seed, the `Rng` passed for noise generation is initialized with true entropy (or a secret), not the public circuit seed.
+  - Review `encrypt_bit` and `encrypt_bit_seeded`.
+  - Ensure that while `A` is derived from the seed, the `Rng` passed for noise generation is initialized with true entropy (or a secret), not the public circuit seed.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 458ea84 and 5567b72.

📒 Files selected for processing (5)

• docs/tasks/issue-65-secret-noise-fix.md
• scripts/BenchmarkTLOS.s.sol
• src/bin/generate_tlos.rs
• src/generator.rs
• src/lwe.rs

🧰 Additional context used

📓 Path-based instructions (5)

src/*.rs

📄 CodeRabbit inference engine (AGENTS.md)

Rust implementation must have modular structure: circuit.rs for topology layer mixing, lwe.rs for LWE encryption, wire_binding.rs for algebraic binding, and generator.rs for deployment data generation

Files:

• src/generator.rs
• src/lwe.rs

{**/*.sol,src/lwe.rs}

📄 CodeRabbit inference engine (AGENTS.md)

Production LWE layer must use parameters: n=384 dimension, σ=8 Gaussian noise, q=65521 modulus, achieving ~2^112 PQ security

Files:

• src/lwe.rs
• scripts/BenchmarkTLOS.s.sol

**/*.sol

📄 CodeRabbit inference engine (AGENTS.md)

**/*.sol: Use Forge for building and testing Solidity contracts with commands: forge build for compilation and forge test for running tests
Solidity contracts must use seed-derived a vectors with 11 bytes per gate for storage optimization

Files:

• scripts/BenchmarkTLOS.s.sol

{**/*.sol,src/wire_binding.rs}

📄 CodeRabbit inference engine (AGENTS.md)

Layer 3 wire binding must implement full-rank 64x64 linear hash over Z_q for inter-gate algebraic consistency; do NOT claim collision resistance as the linear system is trivially solvable

Files:

• scripts/BenchmarkTLOS.s.sol

scripts/Benchmark*.s.sol

📄 CodeRabbit inference engine (AGENTS.md)

Benchmark scripts must use Tenderly RPC by sourcing ~/.zsh_secrets and running: forge script scripts/BenchmarkTLOS.s.sol --rpc-url "$TENDERLY_RPC" --broadcast --unlocked -vvv

Files:

• scripts/BenchmarkTLOS.s.sol

🧠 Learnings (10)

📓 Common learnings

Learnt from: CR
Repo: igor53627/tlos PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-13T11:05:17.527Z
Learning: Applies to {**/*.sol,src/lwe.rs} : Production LWE layer must use parameters: n=384 dimension, σ=8 Gaussian noise, q=65521 modulus, achieving ~2^112 PQ security

Learnt from: CR
Repo: igor53627/tlos PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-13T11:05:17.527Z
Learning: Applies to contracts/*.sol : Hash-PoW layer must provide commit-time randomness bound with configurable difficulty and default enabled state for Layer 5 security

Learnt from: CR
Repo: igor53627/tlos PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-13T11:05:17.527Z
Learning: Five-layer security model must be implemented in order: (1) Topology layer - structural mixing, (2) LWE layer - control function hiding, (3) Wire binding layer - algebraic binding, (4) Planted LWE puzzle - 2^76 search space, (5) Hash-PoW - commit-time randomness (default enabled)

Learnt from: CR
Repo: igor53627/tlos PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-13T11:05:17.527Z
Learning: Applies to **/*.sol : Solidity contracts must use seed-derived a vectors with 11 bytes per gate for storage optimization

📚 Learning: 2026-01-13T11:05:17.527Z

Learnt from: CR
Repo: igor53627/tlos PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-13T11:05:17.527Z
Learning: Applies to src/*.rs : Rust implementation must have modular structure: circuit.rs for topology layer mixing, lwe.rs for LWE encryption, wire_binding.rs for algebraic binding, and generator.rs for deployment data generation

Applied to files:

• src/generator.rs

📚 Learning: 2026-01-13T11:05:17.527Z

Learnt from: CR
Repo: igor53627/tlos PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-13T11:05:17.527Z
Learning: Applies to {**/*.sol,src/wire_binding.rs} : Layer 3 wire binding must implement full-rank 64x64 linear hash over Z_q for inter-gate algebraic consistency; do NOT claim collision resistance as the linear system is trivially solvable

Applied to files:

• src/generator.rs

📚 Learning: 2026-01-13T11:05:17.527Z

Learnt from: CR
Repo: igor53627/tlos PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-13T11:05:17.527Z
Learning: Applies to {**/*.sol,src/lwe.rs} : Production LWE layer must use parameters: n=384 dimension, σ=8 Gaussian noise, q=65521 modulus, achieving ~2^112 PQ security

Applied to files:

• src/generator.rs
• docs/tasks/issue-65-secret-noise-fix.md
• src/lwe.rs

📚 Learning: 2026-01-13T11:05:17.527Z

Learnt from: CR
Repo: igor53627/tlos PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-13T11:05:17.527Z
Learning: Five-layer security model must be implemented in order: (1) Topology layer - structural mixing, (2) LWE layer - control function hiding, (3) Wire binding layer - algebraic binding, (4) Planted LWE puzzle - 2^76 search space, (5) Hash-PoW - commit-time randomness (default enabled)

Applied to files:

• docs/tasks/issue-65-secret-noise-fix.md
• scripts/BenchmarkTLOS.s.sol

📚 Learning: 2026-01-13T11:05:17.527Z

Learnt from: CR
Repo: igor53627/tlos PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-13T11:05:17.527Z
Learning: Applies to contracts/WeakLWEPuzzle*.sol : Testing puzzle variants must include WeakLWEPuzzleV5 (n=32, 2^51 security), WeakLWEPuzzleV6 (n=24, 2^38 security), and WeakLWEPuzzleV7 (n=48, 2^76 security) for parameter validation

Applied to files:

• docs/tasks/issue-65-secret-noise-fix.md
• scripts/BenchmarkTLOS.s.sol

📚 Learning: 2026-01-13T11:05:17.527Z

Learnt from: CR
Repo: igor53627/tlos PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-13T11:05:17.527Z
Learning: Applies to scripts/Benchmark*.s.sol : Benchmark scripts must use Tenderly RPC by sourcing `~/.zsh_secrets` and running: `forge script scripts/BenchmarkTLOS.s.sol --rpc-url "$TENDERLY_RPC" --broadcast --unlocked -vvv`

Applied to files:

• scripts/BenchmarkTLOS.s.sol

📚 Learning: 2026-01-13T11:05:17.527Z

Learnt from: CR
Repo: igor53627/tlos PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-13T11:05:17.527Z
Learning: Applies to **/{WeakLWEPuzzleV7,*Puzzle*}.sol : Production Layer 4 puzzle (WeakLWEPuzzleV7) must use: n=48 secret dimension, m=72 samples, q=2039 modulus, error range {-2,-1,0,1,2}, threshold=300, ensuring 3^48 ≈ 2^76 search space

Applied to files:

• scripts/BenchmarkTLOS.s.sol

📚 Learning: 2026-01-13T11:05:17.527Z

Learnt from: CR
Repo: igor53627/tlos PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-13T11:05:17.527Z
Learning: Applies to **/*.sol : Solidity contracts must use seed-derived a vectors with 11 bytes per gate for storage optimization

Applied to files:

• scripts/BenchmarkTLOS.s.sol

📚 Learning: 2026-01-13T11:05:17.527Z

Learnt from: CR
Repo: igor53627/tlos PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-01-13T11:05:17.527Z
Learning: Applies to test/*.t.sol : Test contracts must include comprehensive layer-specific tests: production contract tests in TLOSWithPuzzleV5.t.sol (61 tests), isolated layer testing via TLOSWithPuzzleV5Harness.sol, and puzzle variant tests in PuzzleVariants.t.sol (12 tests covering V5/V6/V7)

Applied to files:

• scripts/BenchmarkTLOS.s.sol

🧬 Code graph analysis (1)

src/bin/generate_tlos.rs (1)

src/generator.rs (1)

• generate_tlos (28-81)

🪛 markdownlint-cli2 (0.18.1)

docs/tasks/issue-65-secret-noise-fix.md

31-31: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

32-32: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

34-34: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

35-35: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

39-39: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

40-40: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

41-41: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

42-42: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

43-43: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

48-48: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

49-49: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Cursor Bugbot

🔇 Additional comments (7)

src/lwe.rs (1)

28-29: Verify σ=25 against documented security parameters.

This change increases NOISE_SIGMA from 8.0 to 25.0. The PR objectives state this improves security margins while preserving correctness (4σ=100 << q/4≈16380).

However, the coding guidelines specify: "Production LWE layer must use parameters: n=384 dimension, σ=8 Gaussian noise, q=65521 modulus, achieving ~2^112 PQ security."

Please confirm whether the coding guidelines should be updated to reflect this new parameter, or if there are considerations that require keeping σ=8 in certain contexts. Based on learnings, the documented spec requires σ=8.

src/bin/generate_tlos.rs (1)

29-30: LGTM! Secure RNG usage for noise generation.

Using thread_rng() (which wraps OsRng for cryptographic security) properly decouples noise generation from the public circuit_seed. This addresses the security vulnerability where deterministic noise from public seeds would allow secret recovery.

scripts/BenchmarkTLOS.s.sol (2)

52-58: LGTM! Good security documentation and noise seed separation.

The warning comment clearly documents that production must use true entropy, and the separate noiseSeed properly decouples noise generation from the puzzle seed. This prevents the algebraic attack vector described in issue #65.

---

120-154: LGTM! Correct noise/matrix seed separation.

The implementation correctly:

• Derives A matrix coefficients from the public seed (line 124, 129)
• Derives error e from the separate noiseSeed (line 142)

This aligns with the security requirements: public seeds for reproducible A, independent entropy for noise e.

src/generator.rs (2)

22-32: LGTM! Well-designed RNG externalization.

The generic R: Rng parameter provides flexibility for both:

• Production: callers can pass OsRng or thread_rng() for cryptographic security
• Testing: callers can pass a seeded ChaCha20Rng for deterministic reproducibility

The doc comment on line 27 appropriately emphasizes that the RNG MUST be cryptographically secure for production use.

---

141-156: LGTM! Good test coverage for deterministic generation.

The test correctly verifies that identical RNG seeds produce identical outputs, confirming the externalized RNG approach enables reproducible generation when needed (e.g., for testing or debugging).

docs/tasks/issue-65-secret-noise-fix.md (1)

1-54: LGTM! Clear and thorough security documentation.

This task document effectively:

• Explains the vulnerability (deterministic noise from public seeds enables secret recovery)
• Documents the required fix (decouple noise from public matrix generation)
• Provides implementation guidance for both Rust and Solidity components
• Lists clear acceptance criteria

The implementation changes in this PR align well with this documented plan.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

[igor53627]

Confimred via local Forge simulation that increasing σ to 25.0 has zero impact on gas costs, as the on-chain verification logic (sub/mod/comparison) remains identical in complexity.