cjpatton
commented
2 years ago As far as how big the primes ought to be, I think we ought to aim for a soundness error of around 1/2^64 for any VDAF. Higher security levels can be targeted as desired.
For prio3, we should have:
- a 64-bit field. This would only be appropriate for instantiations that don't do Fiat-Shamir.
- a 96-bit field. Similarly, this would not be appropriate for Fiat-Shamir.
- a 128-bit field. This would be suitable for Fiat-Shamir.
For poplar1 we might reuse these fields, or pick new ones if the fields we pick for prio3 aren't suitable. We will also need:
- a 256-bit field (or close to it). It may be worthwhile to pick something suitable for prio3.
At this point we have fairly clear criteria for choosing fields for Prio. Namely, the prime modulus
pshould be of the form2^k * q + 1, wherekis large enough to support proof sizes we're interested in. The fact that the multiplicative group has a subgroup of order2^kis exploited for fast polynomial interpolation.kshould also be chosen to align with the word size of the machine, e.g.,32or64so that fast arithmetic can be generated for it (cc/ @armfazh).The requirements are different for Poplar, though any field we choose for Prio ought to be suitable for Poplar as well. The main difference I see is that we'll need a much larger field for the leaves of the IPDF tree than we need for the inner nodes. I wonder if the leaves could use
GF(2^255 - 19), since there are already fast, heavily vetted implementation of this field (namely for X25519 and ed25519)? @schoppmp do you have any other thoughts here?