International Association for Cryptologic Research

Transactions on Cryptographic Hardware and Embedded Systems, Volume 2022

Roulette: A Diverse Family of Feasible Fault Attacks on Masked Kyber


README

The files in the attached archive are exactly the same as on our GitHub page (commit 3b10e430655ff16503ae4e3a1583bca528bb589f) and can, alternatively, be obtained using the “git clone” command. Running the Python script main.py reproduces three figures from the CHES paper. Besides *.png images, the script generates *.dat files that contain the data points in text format. The latter files were copied to our LaTeX folder in order to make plots with TikZ/Pgfplots. Because the systems of linear inequalities are generated randomly rather than deterministically, small (insignificant) differences from the figures in the CHES paper are bound to be present.

As mentioned on our GitHub page, a fresh Python3 installation must be complemented with the following four packages: numpy, scipy, pycryptodome, matplotlib. Alternatively, Docker can be used, either through the Dockerfile or by downloading the 316 MB image from our Cloud hosting service. By default, the Python code checks the correctness of both Kyber and the randomly generated inequalities, so if there is an issue with the configuration, an error is likely to be thrown.

Because we were aiming for smooth curves in our CHES paper, the default configuration of main.py is to perform many experiments, and the total execution time approaches 48 hours on a Windows PC with Python running inside a Linux virtual machine. If Docker images are used, an additional penalty may arise. Fortunately, the execution time can be lowered considerably by reproducing noisier versions of the CHES figures. If the parameter ‘nb_of_runs’, which determines the amount of averaging, is lowered from 10 to 1, the script finishes almost 10 times faster. Alternatively, the step size on the horizontal axis (the number of inequalities) can be increased.

Lastly, main.py contains a minimal working example where a single system of 7000 inequalities for Kyber768 is verbosely solved. The execution time per iteration is printed to the terminal and was under 5 seconds on the two computers we have tried (this used to be 15 minutes per iteration in previous solvers). The total execution time (including all iterations) is printed to the terminal as well and was under one minute.