From a14bf33c69f821ac22e5c1d461ef2fe622087b48 Mon Sep 17 00:00:00 2001 From: Arthur Meyre Date: Wed, 15 Jan 2025 10:46:25 +0100 Subject: [PATCH] chore(docs): fix various issues with the docs --- .../security_and_cryptography.md | 6 +-- tfhe/docs/guides/strings.md | 12 +++--- .../fine-grained-apis/boolean/parameters.md | 4 +- .../fine-grained-apis/shortint/parameters.md | 40 +++++++++---------- 4 files changed, 29 insertions(+), 33 deletions(-) diff --git a/tfhe/docs/getting_started/security_and_cryptography.md b/tfhe/docs/getting_started/security_and_cryptography.md index 0277060bed..08d86e70c7 100644 --- a/tfhe/docs/getting_started/security_and_cryptography.md +++ b/tfhe/docs/getting_started/security_and_cryptography.md @@ -40,7 +40,7 @@ $$b = (\sum_{i = 0}^{n-1}{a_i * s_i}) + plaintext$$ Now that the encryption scheme is defined, let's review the example of the addition between ciphertexts to illustrate why it is slower to compute over encrypted data. -To add two ciphertexts, we must add their $mask$ and $body$: +To add two ciphertexts, we must add their $$mask$$ and $$body$$: $$ ct_0 = (a_{0}, ..., a_{n-1}, b) \\ ct_1 = (a_{0}^{\prime}, ..., a_{n-1}^{\prime}, b^{\prime}) \\ ct_{2} = ct_0 + ct_1 \\ ct_{2} = (a_{0} + a_{0}^{\prime}, ..., a_{n-1} + a_{n-1}^{\prime}, b + b^{\prime})\\ b + b^{\prime} = (\sum_{i = 0}^{n-1}{a_i * s_i}) + plaintext + (\sum_{i = 0}^{n-1}{a_i^{\prime} * s_i}) + plaintext^{\prime}\\ b + b^{\prime} = (\sum_{i = 0}^{n-1}{(a_i + a_i^{\prime})* s_i}) + \Delta m + \Delta m^{\prime} + e + e^{\prime}\\ @@ -65,7 +65,7 @@ To ensure security, LWE requires random noise to be added to the message during TFHE scheme draws this random noise either from: - A Centered Normal Distribution with a standard deviation parameter. The choice of standard deviation impacts the security level: increasing the standard deviation enhances security while keeping other factors constant. -- A Tweaked Uniform (TUniform) Distribution with a bound parameter $2^b$ defined as follows: any value in the interval $(−2^b, ... , 2^b)$ is selected with probability $1/2^{b+1}$, with the two end points $−2^b$ and $2^b$ being selected with probability $1/2^{b+2}$. The main advantage of this distribution is to be bounded, whereas the usual Central Normal Distribution one is not. In some practical cases, this can simplify the use of homomorphic computation. The choice of the bound impacts the security level: increasing the bound enhances security while keeping other factors constant. +- A Tweaked Uniform (TUniform) Distribution with a bound parameter $$2^b$$ defined as follows: any value in the interval $$(−2^b, ... , 2^b)$$ is selected with probability $$1/2^{b+1}$$, with the two end points $$−2^b$$ and $$2^b$$ being selected with probability $$1/2^{b+2}$$. The main advantage of this distribution is to be bounded, whereas the usual Central Normal Distribution one is not. In some practical cases, this can simplify the use of homomorphic computation. The choice of the bound impacts the security level: increasing the bound enhances security while keeping other factors constant. **TFHE-rs** encodes the noise in the least significant bits of each plaintext. Each leveled computation increases the value of the noise. If too many computations are performed, the noise will eventually overflow into the message bits and lead to an incorrect result. @@ -95,7 +95,7 @@ For example, when adding two ciphertexts, the sum could exceed the range of eith By default, the cryptographic parameters provided by **TFHE-rs** ensure at least 128 bits of security. The security has been evaluated using the latest versions of the Lattice Estimator ([repository](https://github.com/malb/lattice-estimator)) with `red_cost_model = reduction.RC.BDGL16`. -The default parameters for the **TFHE-rs** library are chosen considering the IND-CPA security model, and are selected with a bootstrapping failure probability fixed at p\_error = $2^{-40}$. In particular, it is assumed that the results of decrypted computations are not shared by the secret key owner with any third parties, as such an action can lead to leakage of the secret encryption key. If you are designing an application where decryptions must be shared, you will need to craft custom encryption parameters which are chosen in consideration of the IND-CPA^D security model \[1]. +The default parameters for the **TFHE-rs** library are chosen considering the IND-CPA security model, and are selected with a bootstrapping failure probability fixed at p\_error = $$2^{-64}$$. In particular, it is assumed that the results of decrypted computations are not shared by the secret key owner with any third parties, as such an action can lead to leakage of the secret encryption key. If you are designing an application where decryptions must be shared, you will need to craft custom encryption parameters which are chosen in consideration of the IND-CPA^D security model \[1]. \[1][ Li, Baiyu, et al. "Securing approximate homomorphic encryption using differential privacy." Annual International Cryptology Conference. Cham: Springer Nature Switzerland, 2022.](https://eprint.iacr.org/2022/816.pdf) diff --git a/tfhe/docs/guides/strings.md b/tfhe/docs/guides/strings.md index 1b0bc8a880..ff25350133 100644 --- a/tfhe/docs/guides/strings.md +++ b/tfhe/docs/guides/strings.md @@ -21,7 +21,7 @@ A variety of common operations are supported for `FheAsciiString`. These include - **Search**: `find` / `rfind` -When encrypting strings, you can add padding to hide the actual length of strings. +When encrypting strings, you can add padding to hide the actual length of strings. The null character (b'\0') is used as the padding. Here is an example: @@ -41,13 +41,13 @@ use tfhe::safe_serialization::safe_serialize; fn main() { let config = ConfigBuilder::default().build(); let (cks, sks) = generate_keys(config); - + set_server_key(sks); - + let r = FheAsciiString::try_encrypt("café is french for coffee", &cks); // As the input string is not strictly ASCII, it is not compatible assert!(r.is_err()); - + let string = FheAsciiString::try_encrypt("tfhe-rs", &cks).unwrap(); // This adds 3 chars of padding to the chars of the input string let padded_string = FheAsciiString::try_encrypt_with_padding("tfhe-rs", 3, &cks).unwrap(); @@ -61,7 +61,7 @@ fn main() { // The two strings created with padding, have the same // memory/disk footprint, even though the lengths are not the same assert_eq!(buffer1.len(), buffer2.len()); - + // When a string has no padding, its length is known in clear let len = string.len(); assert!(matches!(len, FheStringLen::NoPadding(7))); @@ -80,7 +80,7 @@ fn main() { // Padded and un-padded strings are equal if the content is assert!(padded_string.eq(&string).decrypt(&cks)); - + let prefix = ClearString::new("tfhe".to_string()); let (stripped_string, has_been_stripped) = string.strip_prefix(&prefix); // Notice that stripping, makes the string as being considered as padded diff --git a/tfhe/docs/references/fine-grained-apis/boolean/parameters.md b/tfhe/docs/references/fine-grained-apis/boolean/parameters.md index 110446abaf..595db76822 100644 --- a/tfhe/docs/references/fine-grained-apis/boolean/parameters.md +++ b/tfhe/docs/references/fine-grained-apis/boolean/parameters.md @@ -8,13 +8,13 @@ Some cryptographic parameters will require tuning to ensure both the correctness To make it simpler, **we've provided two sets of parameters**, which ensure correct computations for a certain probability with the standard security of 128 bits. There exists an error probability due to the probabilistic nature of the encryption, which requires adding randomness (noise) following a Gaussian distribution. If this noise is too large, the decryption will not give a correct result. There is a trade-off between efficiency and correctness: generally, using a less efficient parameter set (in terms of computation time) leads to a smaller risk of having an error during homomorphic evaluation. -In the two proposed sets of parameters, the only difference lies in this error probability. The default parameter set ensures an error probability of at most $$2^{-40}$$ when computing a programmable bootstrapping (i.e., any gates but the `not`). The other one is closer to the error probability claimed in the original [TFHE paper](https://eprint.iacr.org/2018/421), namely $$2^{-165}$$, but it is up-to-date regarding security requirements. +In the two proposed sets of parameters, the only difference lies in this error probability. The default parameter set ensures an error probability of at most $$2^{-64}$$ when computing a programmable bootstrapping (i.e., any gates but the `not`). The other one is closer to the error probability claimed in the original [TFHE paper](https://eprint.iacr.org/2018/421), namely $$2^{-165}$$, but it is up-to-date regarding security requirements. The following array summarizes this: | Parameter set | Error probability | | :-------------------: | :---------------: | -| DEFAULT\_PARAMETERS | $$2^{-40}$$ | +| DEFAULT\_PARAMETERS | $$2^{-64}$$ | | TFHE\_LIB\_PARAMETERS | $$2^{-165}$$ | ## User-defined parameters diff --git a/tfhe/docs/references/fine-grained-apis/shortint/parameters.md b/tfhe/docs/references/fine-grained-apis/shortint/parameters.md index e2eeaf8482..19f7280ae4 100644 --- a/tfhe/docs/references/fine-grained-apis/shortint/parameters.md +++ b/tfhe/docs/references/fine-grained-apis/shortint/parameters.md @@ -1,6 +1,6 @@ # Cryptographic Parameters -All parameter sets provide at least 128-bits of security according to the [Lattice-Estimator](https://github.com/malb/lattice-estimator), with an error probability equal to $$2^{-40}$$ when using programmable bootstrapping. This error probability is due to the randomness added at each encryption (see [here](../../../getting\_started/security\_and\_cryptography.md) for more details about the encryption process). +All parameter sets provide at least 128-bits of security according to the [Lattice-Estimator](https://github.com/malb/lattice-estimator), with an error probability equal to $$2^{-64}$$ when using programmable bootstrapping. This error probability is due to the randomness added at each encryption (see [here](../../../getting\_started/security\_and\_cryptography.md) for more details about the encryption process). ## Parameters and message precision @@ -57,26 +57,22 @@ use tfhe::shortint::parameters::DynamicDistribution; fn main() { // WARNING: might be insecure and/or incorrect // You can create your own set of parameters - let param = ClassicPBSParameters::new( - LweDimension(656), - GlweDimension(2), - PolynomialSize(512), - DynamicDistribution::new_gaussian_from_std_dev( - StandardDev(0.000034119201269311964), - ), - DynamicDistribution::new_gaussian_from_std_dev( - StandardDev(0.00000004053919869756513), - ), - DecompositionBaseLog(8), - DecompositionLevelCount(2), - DecompositionBaseLog(3), - DecompositionLevelCount(4), - MessageModulus(4), - CarryModulus(1), - MaxNoiseLevel::new(2), - 2.0f64.powi(-40), - CiphertextModulus::new_native(), - EncryptionKeyChoice::Big, - ); + let param = ClassicPBSParameters { + lwe_dimension: LweDimension(879), + glwe_dimension: GlweDimension(1), + polynomial_size: PolynomialSize(2048), + lwe_noise_distribution: DynamicDistribution::new_t_uniform(46), + glwe_noise_distribution: DynamicDistribution::new_t_uniform(17), + pbs_base_log: DecompositionBaseLog(23), + pbs_level: DecompositionLevelCount(1), + ks_base_log: DecompositionBaseLog(3), + ks_level: DecompositionLevelCount(5), + message_modulus: MessageModulus(4), + carry_modulus: CarryModulus(4), + max_noise_level: MaxNoiseLevel::new(5), + log2_p_fail: -71.625, + ciphertext_modulus: CiphertextModulus::new_native(), + encryption_key_choice: EncryptionKeyChoice::Big, + }; } ```