junyechen1996 / draft-chen-cfrg-vdaf-pine

VDAF to support aggregating real number vectors with L2-norm bound

Update the base parameters for ZK/soundness error of 2^-100 #63

Closed cjpatton closed 7 months ago

cjpatton commented 7 months ago

We will target ZK/soundness bounds of at most 2^-100. The following parameters are optimal for communication overhead:

```
ALPHA = 8.7
NUM_WR_CHECKS = 100
NUM_WR_SUCCESSES = 100
```

junyechen1996 commented 7 months ago

I saw 2 proofs with Field64 based on our current analysis:

User parameters:
|l2_norm   |frac_bits |dimension |chunk_len |field     |proofs    |r         |r_succ    |-log2(eta)|-log2(zk) |-log2(sound)        |
|:---------|:---------|:---------|:---------|:---------|:---------|:---------|:---------|:---------|:---------|:-------------------|
|1         |15        |1000      |57        |Field64   |2         |100       |100       |107       |100       |99                  |
|1         |15        |1000      |57        |Field128  |1         |100       |100       |107       |100       |99                  |
|1         |15        |10000     |110       |Field64   |2         |100       |100       |107       |100       |99                  |
|1         |15        |10000     |110       |Field128  |1         |100       |100       |107       |100       |99                  |
|1         |15        |100000    |319       |Field64   |2         |100       |100       |107       |100       |99                  |
|1         |15        |100000    |319       |Field128  |1         |100       |100       |107       |100       |99                  |

Should we update number of proofs to 2 for now?

cjpatton commented 7 months ago

> I saw 2 proofs with Field64 based on our current analysis:
>
> User parameters:
> |l2_norm   |frac_bits |dimension |chunk_len |field     |proofs    |r         |r_succ    |-log2(eta)|-log2(zk) |-log2(sound)        |
> |:---------|:---------|:---------|:---------|:---------|:---------|:---------|:---------|:---------|:---------|:-------------------|
> |1         |15        |1000      |57        |Field64   |2         |100       |100       |107       |100       |99                  |
> |1         |15        |1000      |57        |Field128  |1         |100       |100       |107       |100       |99                  |
> |1         |15        |10000     |110       |Field64   |2         |100       |100       |107       |100       |99                  |
> |1         |15        |10000     |110       |Field128  |1         |100       |100       |107       |100       |99                  |
> |1         |15        |100000    |319       |Field64   |2         |100       |100       |107       |100       |99                  |
> |1         |15        |100000    |319       |Field128  |1         |100       |100       |107       |100       |99                  |
>
> Should we update number of proofs to 2 for now?

Good catch! The analysis doesn't account for offline attacks against Fiat-Shamir. Personally, I'm more comfortable with three proofs than two, based on our analysis in https://github.com/cfrg/draft-irtf-cfrg-vdaf/issues/311.

junyechen1996 commented 7 months ago

LGTM. I'm good with merging this.