Add security estimate in unique decoding regime #356
Conversation
There was a problem hiding this comment.
Did a pass, apart from some small minor docs improvements looks good to me.
One comment, it might be interesting to have an intermediate conjecture setting, such as Conjecture 8.4 in proximity gaps. This sits between the Toy problem and the provable in terms of strenght.
air/src/proof/mod.rs
Outdated
| H::COLLISION_RESISTANCE, | ||
| ) | ||
| } | ||
| /// This is Conjecture 1 in https://eprint.iacr.org/2021/582. |
There was a problem hiding this comment.
Maybe mention this is re the "Toy problem".
| /// Computes conjectured security level for the specified proof parameters. | ||
| fn get_conjectured_security( | ||
| options: &ProofOptions, | ||
| base_field_bits: u32, | ||
| trace_domain_size: usize, | ||
| collision_resistance: u32, | ||
| ) -> u32 { | ||
| ) -> ConjecturedSecurityBits { | ||
| // compute max security we can get for a given field size | ||
| let field_size = base_field_bits * options.field_extension().degree(); | ||
| let field_security = field_size - (trace_domain_size * options.blowup_factor()).ilog2(); |
There was a problem hiding this comment.
As far as I can tell, Conjecture 1 in ethSTARK does not include the trace domain size? Might be good to add a reference to where that comes from.
There was a problem hiding this comment.
Indeed, this is a sort of hybrid between the conjecture on the toy problem (or more succinctly toy conjecture) and conjecture 8.4 in the proximity gaps paper.
As you suggest, it might make more sense to remove the domain size from the above so as to match the toy conjecture exactly and then add an additional "security mode" to capture Conjecture 8.4 with the exponents therein equal to 1.
| @@ -241,7 +261,7 @@ fn get_proven_security( | |||
| base_field_bits: u32, | |||
| trace_domain_size: usize, | |||
| collision_resistance: u32, | |||
| ) -> u32 { | |||
| ) -> ProvenSecurityBits { | |||
| let m_min: usize = 3; | |||
There was a problem hiding this comment.
Maybe add a comment re the strategy used to compute m?
air/src/proof/mod.rs
Outdated
| ) as u32 | ||
| ) as u32; | ||
|
|
||
| let unique_decoding = cmp::min( |
There was a problem hiding this comment.
Move to before list_decoding as it does not depend on m?
air/src/proof/mod.rs
Outdated
| /// Computes the largest proximity parameter m needed for Theorem 8 | ||
| /// in <https://eprint.iacr.org/2022/1216.pdf> to work. | ||
| /// Computes the largest proximity parameter m such that eta is greater than 0 in Theorem 1 in | ||
| /// https://eprint.iacr.org/2021/582. |
There was a problem hiding this comment.
Thm 1 in ethSTARK is the Johnson bound, which does not mention m at all. Maybe we should refer to the definition of eta here.
There was a problem hiding this comment.
Indeed, it is hidden in the proof. Expanded the comment in order to make it easier to get the point
|
@irakliyk can you do a pass on this PR? This way I can build the next PR on the changes in this one. |
As the title says.
It also simplifies the estimate in LDR and moreover gives the round-by-round (knowledge) soundness error now.