Concrete
WebsiteLibrariesProducts & ServicesDevelopersSupport
2.7
2.7
  • Welcome
  • Get Started
    • What is Concrete?
    • Installation
    • Quick start
    • Compatibility
    • Terminology
  • Core features
    • Overview
    • Table lookups (basics)
    • Non-linear operations
    • Advanced features
      • Bit extraction
      • Common tips
      • Extensions
  • Compilation
    • Combining compiled functions
      • With composition
      • With modules
    • Key-related options for faster execution
      • Multi precision
      • Multi parameters
    • Compression
    • Reusing arguments
    • Common errors
  • Execution / Analysis
    • Simulation
    • Debugging and artifact
    • GPU acceleration
    • Other
      • Statistics
      • Progressbar
      • Formatting and drawing
  • Guides
    • Configure
    • Manage keys
    • Deploy
  • Tutorials
    • See all tutorials
    • Part I: Concrete - FHE compiler
    • Part II: The Architecture of Concrete
  • References
    • API
  • Explanations
    • Compiler workflow
    • Compiler internals
      • Table lookups
      • Rounding
      • Truncating
      • Floating points
      • Comparisons
      • Min/Max operations
      • Bitwise operations
      • Direct circuits
      • Tagging
    • Security
    • Frontend fusing
  • Developers
    • Contributing
    • Release note
    • Feature request
    • Bug report
    • Project layout
    • Compiler backend
      • Adding a new backend
    • Optimizer
    • MLIR FHE dialects
      • FHELinalg dialect
      • FHE dialect
      • TFHE dialect
      • Concrete dialect
      • Tracing dialect
      • Runtime dialect
      • SDFG dialect
    • Call FHE circuits from other languages
Powered by GitBook

Libraries

  • TFHE-rs
  • Concrete
  • Concrete ML
  • fhEVM

Developers

  • Blog
  • Documentation
  • Github
  • FHE resources

Company

  • About
  • Introduction to FHE
  • Media
  • Careers
On this page
  • Parameter Curves
  • Usage
  • Example

Was this helpful?

Export as PDF
  1. Explanations

Security

PreviousTaggingNextFrontend fusing

Last updated 10 months ago

Was this helpful?

Parameter Curves

To select secure cryptographic parameters for usage in Concrete, we utilize the . In particular, we use the following workflow:

  1. Data Acquisition

    • For a given value of (n,q=264,σ)(n, q = 2^{64}, \sigma)(n,q=264,σ) we obtain raw data from the Lattice Estimator, which ultimately leads to a security level λ\lambdaλ. All relevant attacks in the Lattice Estimator are considered.

    • Increase the value of σ\sigmaσ, until the tuple (n,q=264,σ)(n, q = 2^{64}, \sigma)(n,q=264,σ) satisfies the target level of security λtarget\lambda_{target}λtarget​.

    • Repeat for several values of nnn.

  2. Model Generation for λ=λtarget\lambda = \lambda_{target}λ=λtarget​.

    • At this point, we have several sets of points {(n,q=264,σ)}\{(n, q = 2^{64}, \sigma)\}{(n,q=264,σ)} satisfying the target level of security λtarget\lambda_{target}λtarget​. From here, we fit a model to this raw data (σ\sigmaσ as a function of nnn).

  3. Model Verification.

    • For each model, we perform a verification check to ensure that the values output from the function σ(n)\sigma(n)σ(n) provide the claimed level of security, λtarget\lambda_{target}λtarget​.

These models are then used as input for Concrete, to ensure that the parameter space explored by the compiler attains the required security level. Note that we consider the RC.BDGL16 lattice reduction cost model within the Lattice Estimator. Therefore, when computing our security estimates, we use the call LWE.estimate(params, red_cost_model = RC.BDGL16) on the input parameter set params.

The cryptographic parameters are chosen considering the IND-CPA security model, and are selected with a bootstrapping failure probability fixed by the user. In particular, it is assumed that the results of decrypted computations are not shared by the secret key owner with any third parties, as such an action can lead to leakage of the secret encryption key. If you are designing an application where decryptions must be shared, you will need to craft custom encryption parameters which are chosen in consideration of the IND-CPA^D security model [1].

[1] Li, Baiyu, et al. “Securing approximate homomorphic encryption using differential privacy.” Annual International Cryptology Conference. Cham: Springer Nature Switzerland, 2022. https://eprint.iacr.org/2022/816.pdf

Usage

To generate the raw data from the lattice estimator, use::

make generate-curves

by default, this script will generate parameter curves for {80, 112, 128, 192} bits of security, using log2(q)=64log_2(q) = 64log2​(q)=64.

To compare the current curves with the output of the lattice estimator, use:

make compare-curves

To generate the associated cpp and rust code, use::

make generate-code

further advanced options can be found inside the Makefile.

Example

sage: X = load("128.sobj")

entries are tuples of the form: (n,log2(q),log2(σ),λ)(n, log_2(q), log_2(\sigma), \lambda)(n,log2​(q),log2​(σ),λ). We can view individual entries via::

sage: X["128"][0]
(2366, 64.0, 4.0, 128.51)
sage: curves = load("verified_curves.sobj")

This object is a tuple containing the information required for the four security curves ({80, 112, 128, 192} bits of security). Looking at one of the entries:

sage: curves[2][:3]
(-0.026599462343105267, 2.981543184145991, 128)

Here we can see the linear model parameters (a=−0.026599462343105267,b=2.981543184145991)(a = -0.026599462343105267, b = 2.981543184145991)(a=−0.026599462343105267,b=2.981543184145991) along with the security level 128. This linear model can be used to generate secure parameters in the following way: for q=264q = 2^{64}q=264, if we have an LWE dimension of n=1536n = 1536n=1536, then the required noise size is:

σ=a∗n+b=−37.85\sigma = a * n + b = -37.85σ=a∗n+b=−37.85

This value corresponds to the logarithm of the relative error size. Using the parameter set (n,log(q),σ=264−37.85)(n, log(q), \sigma = 2^{64 - 37.85})(n,log(q),σ=264−37.85) in the Lattice Estimator confirms a 128-bit security level.

this will compare the four curves generated above against the output of the version of the lattice estimator found in the .

To look at the raw data gathered in step 1., we can look in the . These objects can be loaded in the following way using SageMath:

To view the interpolated curves we load the verified_curves.sobj object inside the .

Lattice-Estimator
third_party folder
sage-object folder
sage-object folder