diff --git a/.gitbook.yaml b/.gitbook.yaml index b5e8413487..488cfb66e7 100644 --- a/.gitbook.yaml +++ b/.gitbook.yaml @@ -36,11 +36,11 @@ redirects: howto/debug: execution-analysis/debug.md howto/call_from_other_language: explanations/call_from_other_language.md dev/fusing: explanations/fusing.md - dev/backends/README: explanations/backends/README.md + dev/backends: explanations/backends/README.md dev/backends/new_backend: explanations/backends/new_backend.md + dev/compilation: dev/compilation/compiler_workflow.md dev/compilation/optimizer: explanations/optimizer.md dev/compilation/dialects: explanations/dialects.md - dev/compilation/README: explanations/compilation/README.md dev/compilation/FHELinalgDialect: explanations/FHELinalgDialect.md dev/compilation/FHEDialect: explanations/FHEDialect.md dev/compilation/TFHEDialect: explanations/TFHEDialect.md @@ -48,5 +48,6 @@ redirects: dev/compilation/TracingDialect: explanations/TracingDialect.md dev/compilation/RTDialect: explanations/RTDialect.md dev/compilation/SDFGDialect: explanations/SDFGDialect.md - dev/security/security_curves: explanations/security_curves.md + dev/security/security_curves: explanations/security.md + explanations/security_curves: explanations/security.md dev/setup/layout: explanations/layout.md diff --git a/docs/SUMMARY.md b/docs/SUMMARY.md index 313d9eb73f..1a393ea9f8 100644 --- a/docs/SUMMARY.md +++ b/docs/SUMMARY.md @@ -62,7 +62,7 @@ ## Explanations -* [Compiler workflow](dev/compilation/README.md) +* [Compiler workflow](dev/compilation/compiler_workflow.md) * [Frontend fusing](explanations/fusing.md) * [Compiler backend](explanations/backends/README.md) * [Adding a new backend](explanations/backends/new_backend.md) @@ -75,7 +75,7 @@ * [Tracing dialect](explanations/TracingDialect.md) * [Runtime dialect](explanations/RTDialect.md) * [SDFG dialect](explanations/SDFGDialect.md) -* [Security](explanations/security_curves.md) +* [Security](explanations/security.md) * [Call FHE circuits from other languages](explanations/call_from_other_language.md) * [Project layout](explanations/layout.md) diff --git a/docs/dev/compilation/README.md b/docs/dev/compilation/compiler_workflow.md similarity index 100% rename from docs/dev/compilation/README.md rename to docs/dev/compilation/compiler_workflow.md diff --git a/docs/explanations/optimizer.md b/docs/explanations/optimizer.md index 114c0ecc37..88b0363eb5 100644 --- a/docs/explanations/optimizer.md +++ b/docs/explanations/optimizer.md @@ -2,7 +2,7 @@ `concrete-optimizer` is a tool that selects appropriate cryptographic parameters for a given fully homomorphic encryption (FHE) computation. These parameters have an impact on the security, correctness, and efficiency of the computation. -The computation is guaranteed to be secure with the given level of security (see [here](./security_curves.md) for details) which is typically 128 bits. The correctness of the computation is guaranteed up to a given failure probability. A surrogate of the execution time is minimized which allows for efficient FHE computation. +The computation is guaranteed to be secure with the given level of security (see [here](./security.md) for details) which is typically 128 bits. The correctness of the computation is guaranteed up to a given failure probability. A surrogate of the execution time is minimized which allows for efficient FHE computation. The cryptographic parameters are degrees of freedom in the FHE algorithms (bootstrapping, keyswitching, etc.) that need to be fixed. The search space for possible crypto-parameters is finite but extremely large. The role of the optimizer is to quickly find the most efficient crypto-parameters possible while guaranteeing security and correctness. @@ -14,7 +14,7 @@ The security level is chosen by the user. We typically operate at a fixed securi An independent public research tool, the [lattice estimator](https://github.com/malb/lattice-estimator), is used to estimate the security level. The lattice estimator is maintained by FHE experts. For a given set of crypto-parameters, this tool considers all possible attacks and returns a security level. -For each security level, a parameter curve of the appropriate minimal error level is pre-computed using the lattice estimator, and is used as an input to the optimizer. Learn more about the parameter curves [here](./security_curves.md). +For each security level, a parameter curve of the appropriate minimal error level is pre-computed using the lattice estimator, and is used as an input to the optimizer. Learn more about the parameter curves [here](./security.md). ### Correctness diff --git a/docs/explanations/security_curves.md b/docs/explanations/security.md similarity index 94% rename from docs/explanations/security_curves.md rename to docs/explanations/security.md index 4e056497b4..04d85379e4 100644 --- a/docs/explanations/security_curves.md +++ b/docs/explanations/security.md @@ -5,17 +5,17 @@ To select secure cryptographic parameters for usage in Concrete, we utilize the [Lattice-Estimator](https://github.com/malb/lattice-estimator). In particular, we use the following workflow: 1. Data Acquisition - - For a given value of $$(n, q = 2^{64}, \sigma)$$ we obtain raw data from the Lattice Estimator, which ultimately leads to a security level $$\lambda$$. All relevant attacks in the Lattice Estimator are considered. - - Increase the value of $$\sigma$$, until the tuple $$(n, q = 2^{64}, \sigma)$$ satisfies the target level of security $$\lambda_{target}$$. + - For a given value of $$(n, q = 2^{64}, \sigma)$$ we obtain raw data from the Lattice Estimator, which ultimately leads to a security level $$\lambda$$. All relevant attacks in the Lattice Estimator are considered. + - Increase the value of $$\sigma$$, until the tuple $$(n, q = 2^{64}, \sigma)$$ satisfies the target level of security $$\lambda_{target}$$. - Repeat for several values of $$n$$. -2. Model Generation for $$\lambda = \lambda_{target}$$. +2. Model Generation for $$\lambda = \lambda_{target}$$. - At this point, we have several sets of points $$\{(n, q = 2^{64}, \sigma)\}$$ satisfying the target level of security $$\lambda_{target}$$. From here, we fit a model to this raw data ($$\sigma$$ as a function of $$n$$). 3. Model Verification. - - For each model, we perform a verification check to ensure that the values output from the function $$\sigma(n)$$ provide the claimed level of security, $$\lambda_{target}$$. + - For each model, we perform a verification check to ensure that the values output from the function $$\sigma(n)$$ provide the claimed level of security, $$\lambda_{target}$$. -These models are then used as input for Concrete, to ensure that the parameter space explored by the compiler attains the required security level. Note that we consider the `RC.BDGL16` lattice reduction cost model within the Lattice Estimator. +These models are then used as input for Concrete, to ensure that the parameter space explored by the compiler attains the required security level. Note that we consider the `RC.BDGL16` lattice reduction cost model within the Lattice Estimator. Therefore, when computing our security estimates, we use the call `LWE.estimate(params, red_cost_model = RC.BDGL16)` on the input parameter set `params`. {% hint style="warning" %} @@ -36,7 +36,7 @@ To compare the current curves with the output of the lattice estimator, use: make compare-curves -this will compare the four curves generated above against the output of the version of the lattice estimator found in the [third_party folder](https://github.com/zama-ai/concrete/tree/main/third_party). +this will compare the four curves generated above against the output of the version of the lattice estimator found in the [third_party folder](https://github.com/zama-ai/concrete/tree/main/third_party). To generate the associated cpp and rust code, use:: @@ -47,7 +47,7 @@ further advanced options can be found inside the Makefile. ## Example To look at the raw data gathered in step 1., we can look in the [sage-object folder](https://github.com/zama-ai/concrete/tree/main/tools/parameter-curves/sage-object). These objects can be loaded in the following way using SageMath: - + sage: X = load("128.sobj") entries are tuples of the form: $$(n, log_2(q), log_2(\sigma), \lambda)$$. We can view individual entries via:: @@ -68,5 +68,5 @@ Here we can see the linear model parameters $$(a = -0.026599462343105267, b = 2. $$ \sigma = a * n + b = -37.85 $$ -This value corresponds to the logarithm of the relative error size. Using the parameter set $$(n, log(q), \sigma = 2^{64 - 37.85})$$ in the Lattice Estimator confirms a 128-bit security level. +This value corresponds to the logarithm of the relative error size. Using the parameter set $$(n, log(q), \sigma = 2^{64 - 37.85})$$ in the Lattice Estimator confirms a 128-bit security level.