Proven security for protocol #215

Merged
merged 1 commit into from
Oct 16, 2023

@Al-Kindi-0 Al-Kindi-0 commented Sep 25, 2023

Addresses #204
This PR adds the ability to compute the proven security of the protocol given a set of parameters. It uses Haböck and some additional observations and corrections made by @benediamond (Ulvetanna).
One annoying thing is related to the repeated use of the min function. This leads to a potential loss of up to 2 bits of soundness. It is possible to avoid this by adding some extra logic to compare the exponents but I am still looking for something easier.

Collaborator

@irakliyk irakliyk left a comment

Looks great! Thank you! I left a few small comments inline. We can merge once they are addressed.

Also, I'm curious, for some common sets of parameters, how do results given by this new approximation differ from the previous method?

@Al-Kindi-0
Contributor Author

For fib-small:

  1. -q 38 -b 16 -g 20 -e 2:
    Before: Proof security: 118 bits (83 proven)
    Now: Proof security: 118 bits (82 proven)
  2. -q 38 -b 32 -g 20 -e 2:
    Before: Proof security: 118 bits (79 proven)
    Now: Proof security: 118 bits (78 proven)

As expected the difference is minimal and is largely due to the repeated use of the min operation.

@hecmas
hecmas commented Oct 13, 2023

Maybe a little bit out of context, but there is some "degradation" in computing the security level for composite/recursive protocols. If $\epsilon_1$ is the error for the "outer" proving system and $\epsilon_2$ is the error for the "inner" proving system, one can easily prove that $\epsilon_1 + \epsilon_2$ (sum of negligible terms is negligible) is the error for the composite/recursive system.
Assuming a sufficiently large number of recursive steps, one can achieve the degradation of the original security level by some bits. E.g., say $\epsilon_1 = \epsilon_2 = \frac{1}{2^{128}}$, then a one-depth recursive system has $\epsilon_1 + \epsilon_2 = \frac{1}{2^{127}}$ soundness error (127-bit security level) even though the original systems had 128-bit security level.

Since it is very easy, probably it's a good idea to have the formula as well for the composite/recursive system.

Collaborator

@irakliyk irakliyk left a comment

Looks good! Thank you! I left a couple of non-blocking comments inline.

@irakliyk
Collaborator

> Maybe a little bit out of context, but there is some "degradation" in computing the security level for composite/recursive protocols. If $\epsilon_1$ is the error for the "outer" proving system and $\epsilon_2$ is the error for the "inner" proving system, one can easily prove that $\epsilon_1 + \epsilon_2$ (sum of negligible terms is negligible) is the error for the composite/recursive system.
> Assuming a sufficiently large number of recursive steps, one can achieve the degradation of the original security level by some bits. E.g., say $\epsilon_1 = \epsilon_2 = \frac{1}{2^{128}}$, then a one-depth recursive system has $\epsilon_1 + \epsilon_2 = \frac{1}{2^{127}}$ soundness error (127-bit security level) even though the original systems had 128-bit security level.
>
> Since it is very easy, probably it's a good idea to have the formula as well for the composite/recursive system.

Interesting! Would we need to estimate the depth of recursion for this?

In general, I'm thinking that maybe we should create a separate issue to address any remaining improvements we can make to security estimation.

@hecmas
hecmas commented Oct 15, 2023

> Interesting! Would we need to estimate the depth of recursion for this?

If you want to be as accurate as possible in your security estimations, then I would say yes!

All of the concerns regarding the security of the recursive/composite proof system are very well explained in this video from Dan Boneh.
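The additive degradation discussed in this thread, as an added example (not code from this PR and not a comment by any participant): it combines soundness errors given as bit levels via the union bound, working on exponents in log2 space, and applies that to recursion of a given depth. The function names, the `depth + 1` proof count and the coarse bound used for comparison are assumptions of this sketch.

```rust
// Added example: names and sample values are illustrative, not from the PR.

/// Exact security level (in bits) of a union bound over error terms given
/// as bit levels, i.e. -log2(sum_i 2^-b_i), evaluated in log2 space so the
/// tiny probabilities are never materialised.
fn combined_bits(bits: &[f64]) -> f64 {
    assert!(!bits.is_empty(), "need at least one error term");
    let min = bits.iter().copied().fold(f64::INFINITY, f64::min);
    // sum_i 2^-b_i = 2^-min * sum_i 2^-(b_i - min); the dominant term is 1.
    let tail: f64 = bits.iter().map(|b| (min - b).exp2()).sum();
    min - tail.log2()
}

/// Coarse bound that looks only at the smallest exponent: k terms, each at
/// most 2^-min, so the sum is at most 2^-(min - ceil(log2 k)).
fn coarse_bits(bits: &[f64]) -> f64 {
    assert!(!bits.is_empty(), "need at least one error term");
    let min = bits.iter().copied().fold(f64::INFINITY, f64::min);
    // ceil(log2 k) computed on integers to avoid float rounding.
    let ceil_log2 = bits.len().next_power_of_two().trailing_zeros();
    min - ceil_log2 as f64
}

/// Assumption: recursion of the given depth composes depth + 1 proofs, each
/// with the same per-proof security level.
fn recursive_bits(per_proof_bits: f64, depth: usize) -> f64 {
    combined_bits(&vec![per_proof_bits; depth + 1])
}

fn main() {
    // The thread's case: two 128-bit systems, one level of recursion.
    println!("depth 1: {:.3} bits", recursive_bits(128.0, 1));
    // Constructed sample: deeper recursion keeps shaving bits off.
    for depth in [3, 15, 1023] {
        println!("depth {}: {:.3} bits", depth, recursive_bits(128.0, depth));
    }
    // Constructed sample: unequal terms, where the coarse bound gives up a
    // full bit although the weaker term dominates the sum.
    let terms = [100.0, 130.0];
    println!("exact {:.6}, coarse {:.0}", combined_bits(&terms), coarse_bits(&terms));
}
```

With equal per-proof levels the loss is log2(depth + 1) bits, so an estimate for a recursive deployment needs the recursion depth as an input.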

@irakliyk irakliyk merged commit 4af4947 into facebook:main Oct 16, 2023
9 checks passed