mirror of
https://github.com/zama-ai/concrete.git
synced 2026-02-08 03:25:05 -05:00
68 lines
3.6 KiB
Markdown
68 lines
3.6 KiB
Markdown
Parameter Curves
|
|
=========
|
|
|
|
To select secure cryptographic parameters for usage in Concrete, we utilize the [Lattice-Estimator](https://github.com/malb/lattice-estimator). In particular, we use the following workflow:
|
|
|
|
1. Data Acquisition
|
|
- For a given value of $$(n, q = 2^{64}, \sigma)$$ we obtain raw data from the Lattice Estimator, which ultimately leads to a security level $$\lambda$$. All relevant attacks in the Lattice Estimator are considered.
|
|
- Increase the value of $$\sigma$$, until the tuple $$(n, q = 2^{64}, \sigma)$$ satisfies the target level of security $$\lambda_{target}$$.
|
|
- Repeat for several values of $$n$$.
|
|
|
|
2. Model Generation for $$\lambda = \lambda_{target}$$.
|
|
- At this point, we have several sets of points $$\{(n, q = 2^{64}, \sigma)\}$$ satisfying the target level of security $$\lambda_{target}$$. From here, we fit a model to this raw data ($$\sigma$$ as a function of $$n$$).
|
|
|
|
3. Model Verification.
|
|
- For each model, we perform a verification check to ensure that the values output from the function $$\sigma(n)$$ provide the claimed level of security, $$\lambda_{target}$$.
|
|
|
|
These models are then used as input for Concrete, to ensure that the parameter space explored by the compiler attains the required security level. Note that we consider the `RC.BDGL16` lattice reduction cost model within the Lattice Estimator.
|
|
Therefore, when computing our security estimates, we use the call `LWE.estimate(params, red_cost_model = RC.BDGL16)` on the input parameter set `params`.
|
|
|
|
Usage
|
|
---------
|
|
|
|
To generate the raw data from the lattice estimator, use::
|
|
|
|
make generate-curves
|
|
|
|
by default, this script will generate parameter curves for {80, 112, 128, 192} bits of security, using $$log_2(q) = 64$$.
|
|
|
|
To compare the current curves with the output of the lattice estimator, use:
|
|
|
|
make compare-curves
|
|
|
|
this will compare the four curves generated above against the output of the version of the lattice estimator found in the [third_party folder](https://github.com/zama-ai/concrete/tree/main/third_party).
|
|
|
|
To generate the associated cpp and rust code, use::
|
|
|
|
make generate-code
|
|
|
|
further advanced options can be found inside the Makefile.
|
|
|
|
Example
|
|
---------
|
|
|
|
To look at the raw data gathered in step 1., we can look in the [sage-object folder](https://github.com/zama-ai/concrete/tree/main/tools/parameter-curves/sage-object). These objects can be loaded in the following way using SageMath:
|
|
|
|
sage: X = load("128.sobj")
|
|
|
|
entries are tuples of the form: $$(n, log_2(q), log_2(\sigma), \lambda)$$. We can view individual entries via::
|
|
|
|
sage: X["128"][0]
|
|
(2366, 64.0, 4.0, 128.51)
|
|
|
|
To view the interpolated curves we load the `verified_curves.sobj` object inside the [sage-object folder](https://github.com/zama-ai/concrete/tree/main/tools/parameter-curves/sage-object).
|
|
|
|
sage: curves = load("verified_curves.sobj")
|
|
|
|
This object is a tuple containing the information required for the four security curves ({80, 112, 128, 192} bits of security). Looking at one of the entries:
|
|
|
|
sage: curves[2][:3]
|
|
(-0.026599462343105267, 2.981543184145991, 128)
|
|
|
|
Here we can see the linear model parameters $$(a = -0.026599462343105267, b = 2.981543184145991)$$ along with the security level 128. This linear model can be used to generate secure parameters in the following way: for $$q = 2^{64}$$, if we have an LWE dimension of $$n = 1536$$, then the required noise size is:
|
|
|
|
$$ \sigma = a * n + b = -37.85 $$
|
|
|
|
This value corresponds to the logarithm of the relative error size. Using the parameter set $$(n, log(q), \sigma = 2^{64 - 37.85})$$ in the Lattice Estimator confirms a 128-bit security level.
|
|
|