chore(docs): add example estimator call

Ben
2025-11-03 10:32:51 +00:00
committed by IceTDrinker
parent 058965c9f2
commit 5854c2c450

@@ -95,7 +95,23 @@ For example, when adding two ciphertexts, the sum could exceed the range of eith
## Security
By default, the cryptographic parameters provided by **TFHE-rs** ensure at least 128 bits of security. The security has been evaluated using the latest versions of the Lattice Estimator ([repository](https://github.com/malb/lattice-estimator)) with `red_cost_model = reduction.RC.BDGL16`.
By default, the cryptographic parameters provided by **TFHE-rs** ensure at least 128 bits of security. The security has been evaluated using the Lattice Estimator ([repository](https://github.com/malb/lattice-estimator), commit `352ddaf`) with `red_cost_model = reduction.MATZOV` which is currently the default cost model. To estimate the security of a TFHE-rs parameter set such as `V1_1_PARAM_MESSAGE_1_CARRY_1_KS_PBS_TUNIFORM_2M128`, the Lattice Estimator can be called in the following way:
```
from estimator import *
params_lwe = LWE.Parameters(n=879, q=2**64, Xs=ND.Binary, Xe=ND.TUniform(46))
LWE.estimate(params_lwe, deny_list=("arora-gb", "bkw"))
```
The output corresponds to a selection of attack costs (`usvp`, `bdd`, etc), each with running time `rop`. The security level is the `log2` of the smallest `rop` value (in this case `dual_hybrid` with `2^134.8`). Therefore, the security level of this parameter set is ~134 bits. The same technique can be applied to the GLWE parameters by replacing the LWE dimension `879` by `k*N = 512*4`, i.e. `n=2048` and `Xe=ND.TUniform(46)` by `Xe = ND.TUniform(17)`, that is:
```
from estimator import *
params_lwe = LWE.Parameters(n=512*4, q=2**64, Xs=ND.Binary, Xe=ND.TUniform(17))
LWE.estimate(params_lwe, deny_list=("arora-gb", "bkw"))
```
similarly, the lowest attack cost is once again `dual_hybrid` with `2^134.8`, leading to a security level of ~134 bits.
For the High-Level API the default parameters are selected with a bootstrapping failure probability (or error probability) fixed at $$p_{error} \le 2^{-128}$$ for all backends (x86 CPU, GPU and HPU).
A failure probability below $$2^{-128}$$ ensures that our implementation is resilient against attacks in the IND-CPA-D model [1]. In the case where only the IND-CPA model is considered, there is a possibility to choose parameters with a $$p_{error} \le 2^{-64}$$, see the dedicated [Parameters section](../fhe-computation/compute/parameters.md)
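Review bot: In the second added snippet the GLWE parameters are still bound to `params_lwe`, and the sentence introducing it writes `k*N = 512*4`, which reads as k=512 and N=4. Rename the variable to something like `params_glwe` and write the product in the same order as the symbols (or state k and N explicitly) so readers can map the numbers back to the parameter set. Both examples also report the identical result, `dual_hybrid` with `2^134.8`, although `n` and `Xe` differ; please confirm the second figure comes from an actual run rather than a copy of the first. Smaller points: the sentence after the second snippet starts in lowercase ("similarly,"), the two code fences carry no language tag, and the text does not say in which environment `from estimator import *` is expected to run.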