Proven security for protocol #215
Conversation
Looks great! Thank you! I left a few small comments inline. We can merge once they are addressed.
Also, I'm curious, for some common sets of parameters, how do results given by this new approximation differ from the previous method?
For
As expected the difference is minimal and is largely due to the repeated use of the min operation.
acf8d8b to a9a0e88
Maybe a little bit out of the context, but there is some "degradation" in computing the security level for composite/recursive protocols. Since it is very easy, probably it's a good idea to have the formula as well for the composite/recursive system.
Looks good! Thank you! I left a couple of non-blocking comments inline.
Interesting! Would we need to estimate the depth of recursion for this? In general, I'm thinking that maybe we should create a separate issue to address any remaining improvements we can make to security estimation.
If you want to be as accurate as possible in your security estimations, then I would say yes! All of the concerns regarding the security of the recursive/composite proof system are very well explained in this video from Dan Boneh.
chore: minor nits
a9a0e88 to 75707a9
Addresses #204
This PR adds the ability to compute the proven security of the protocol given a set of parameters. It uses Haböck and some additional observations and corrections made by @benediamond (Ulvetanna).
One annoying thing is related to the repeated use of the min function. This leads to a potential loss of up to 2 bits of soundness. It is possible to avoid this by adding some extra logic to compare the exponents but I am still looking for something easier.
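The loss described above can be seen with a small numeric experiment. The following is an added illustration, not code from this PR or the project: it assumes the soundness error is a sum of per-component error terms, that the conservative combining rule is "min of the two bit levels, minus one" (from eps1 + eps2 <= 2 * max(eps1, eps2)), and uses constructed error terms; it compares that rule against the exact union bound, which is what comparing the exponents would recover.

```python
"""Added example (not project code): how chaining the conservative
``min(b1, b2) - 1`` rule across several soundness error terms loses
up to (number of terms - 1) bits relative to the exact union bound.
All error terms below are constructed for illustration."""
import math


def exact_bits(errors):
    """Bit security from the union bound: -log2(sum of error terms).
    This is the value the min-based rule approximates from below."""
    return -math.log2(sum(errors))


def min_combine_bits(errors):
    """Conservative pairwise rule assumed for this example:
    eps1 + eps2 <= 2 * max(eps1, eps2), so combining two terms costs
    min(b1, b2) - 1 bits. Chained over n terms it always costs n - 1
    bits, however far apart the terms actually are."""
    bits = -math.log2(errors[0])
    for e in errors[1:]:
        bits = min(bits, -math.log2(e)) - 1
    return bits


def bits_lost_to_min(errors):
    """Bits given up by the chained min rule compared with the exact bound.
    Never negative: the min rule is always at least as pessimistic."""
    return exact_bits(errors) - min_combine_bits(errors)


if __name__ == "__main__":
    # Constructed case 1: one term dominates, the others are 20 and 40
    # bits smaller. The exact bound is ~100 bits, the min rule reports 98.
    spread = [2.0 ** -100, 2.0 ** -120, 2.0 ** -140]
    # Constructed case 2: three equal terms. The exact bound is
    # 100 - log2(3) ~ 98.42 bits, so the min rule only over-pays ~0.42 bits.
    equal = [2.0 ** -100] * 3
    for name, errs in (("spread", spread), ("equal", equal)):
        print(f"{name}: exact={exact_bits(errs):.3f} "
              f"min-rule={min_combine_bits(errs):.3f} "
              f"lost={bits_lost_to_min(errs):.3f}")
```

With three terms (two min operations) the loss approaches 2 bits exactly when the terms are far apart, which is the case where comparing exponents would show the smaller terms are negligible.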