New security estimation - More secure

[nicolasAmat]

Hi !

This PR changes the security estimation, and the security checking.

Run the python script named 'security_estimator.py' with SageMath. It will write new security estimations (number of bits of security) in the text file named 'security_estimations.txt'. But it's needed to run XPIR one time before to have XPIR parameters (n and q) ! This text file exists already if the user won't actualize the security (it permits to don't have the sage dependency...).

Next in 'NFLLWE.cpp', the function 'estimateSecurity' reads parmaters in the text file and the function 'checkParamsSecure' calls the function 'estimateSecurity'. I needed to change the function 'findMaxModulusBitsize' to make it correct and faster.

I wrote a readme file to explain how to use the security estimator.

All checks passed. And XPIR worked normally.

I hope you will like it.

Thx !

Nicolas

[carlosaguilarmelchor]

Thx for you contribution ! Can you

• do estimate security for a large span of parameters using kMaxPolyDegree and kMinPolyDegree
• define kMaxAggregatedModulusBitsize = 240 and use it to span through different moduli on your tests
• use it in getCryptoParams -> remove the dependency to the .abs file as you span a larger set of possibilities
• do a .ccp with your script and include it in nfllwe.cpp (this will imply that to change security estimates you will have to recompile xpir but removes the dependency on your txt file whose relative position can not be determined for a given app)

thx ! Carlos

[nicolasAmat]

Hi Carlos !

I did some changes... I wait for your feedback.

Thx !

Nicolas

[carlosaguilarmelchor]

for (unsigned int i = 1; i 59 <= p_size && i 60 <= kMaxAggregatedModulusBitsize; i++)

i59 should be i60. 60 should be replaced by a constant present in NFLParams.hpp

[carlosaguilarmelchor]

return --p_size;

shouldn' t it be p_size ?

[nicolasAmat]

Thank you very much for your feedback.

You're right, isn't --p_size but just p_size. It was from the original code and I forgot to change it. (the incrementation of estimated_k isn't needed anymore).

I did the others changes and 60 isn't hardcoded anymore !

I'm sorry !

Nicolas

[carlosaguilarmelchor]

1) return p_size;

this is the first value for which the checkParamsSecure function says it is NOT secure. The return value should in fact be p_size - kModulusBitsize

2) In that function you have the integer 60 hanging around you should use kModulusBitsize

3) The security parameters string returned by your script is now much less readable than the .txt file you had before. Can you do line returns to make it more readable ?

e.g.

string securityParameters = "\
512:60:28\n\
512:120:28\n\
...\
";

4) Isn't the git repository of Martin already cloned ? Shouldn't be the operation git pull ?

To have bettter security -> To update the security values with the latest script by Martin Albrecht do :

cd $XPIR-DIRECTORY/crypto/NFLLWESecurityEstimator/lwe-estimator
git pull 
cd ..
./sage
load ''NFLLWESecurityEstimator.py'

5) After loading the script isn't there a function to be run ? you should also tell the user that this will update the security estimations hardcoded in crypto/NFLLWESecurityEstimated.cpp and that he should recompile XPIR (or his application using the XPIR API) so that it is taken into account.

[nicolasAmat]

I did some improvements in the code. Thx for yours advices.

But I have a problem for 1#... I agree with you that I have to return p_size - kModulusBitsize; but all the checks with LWE and q != 180 don't pass... (but XPIR works).

It's a segmentation error, I have it for exemple : ./check-correctness.sh : ligne 62 : 7073 Erreur de segmentation $BASE_DIR/../server/pir_server $S_OPTION > /tmp/checkpirserver.stdout 2> /tmp/checkpirserver.stderr 1024000:1024:LWE:.*:2048:120 --reclvl 1 --alpha 0 *************** NOT CORRECT **********

I don't understand why... I'll try to understand.

Thx !

[nicolasAmat]

Hi !

To resolve the problem I changed parameters checked in XPIR/apps/tools/check-correctness.sh. Indeed, we can't check LWE parameters with a number of bits of security lower than 80, because those are rejected... To use these parameters we can improve the noise to increase the security... I can try it in the future.

I removed also the NFLLWESecurityEstimated.cpp file and I coded the parameters in the .hpp file. I modified the python script to be correct with it.

Is it OK for you ?

Thx !

Nicolas

[carlosaguilarmelchor]

Thank you !