distaff icon indicating copy to clipboard operation
distaff copied to clipboard
verified publisher icon GuildOfWeavers

Change default security level to ~100 bits

Open bobbinth opened this issue 5 years ago • 2 comments

Current default security level of the proofs is around 110 bits (not 120 as mentioned in the docs). Getting more security than this would require running FRI in a quadratic extension of the base field. This should be a long-term goal, but for now, capping security at 100 bits should be sufficient.

This will allow us to reduce proof size by at least 30% because:

  1. We can reduce number of queries in each proof from 50 to 40,
  2. We can reduce size of nodes in a Merkle tree from 32 bytes to 24 bytes.

bobbinth avatar Aug 23 '20 07:08 bobbinth

First off, thanks for all the awesome work, this repo is great. Is there a straightforward formula to compute (even approximately) the security level from the ProofOptions?

Thanks!

EDIT: Is it actually pub fn security_level(&self, optimistic: bool) -> u32? If so, sorry for the frivolous question.

pgrinaway avatar Aug 31 '20 20:08 pgrinaway

Yep - that's the right function, though it is missing one component. Specifically, the actual security level should be min between the current output of the function and 128 - log2(extended execution trace). For moderately large computations, extended trace is around 220 - so, security level should be capped around 110 bits.

You can find a bit more explanation about security level computation here.

bobbinth avatar Sep 01 '20 01:09 bobbinth