Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Soundness for bus interaction id #2470

Open
qwang98 opened this issue Feb 11, 2025 · 3 comments
Open

Soundness for bus interaction id #2470

qwang98 opened this issue Feb 11, 2025 · 3 comments

Comments

@qwang98
Copy link
Collaborator

qwang98 commented Feb 11, 2025 

          So if my math is right, 16 bit means that after 100 samples, we have a ~7% chance of a collision, which would break soundness. 100 machine pairs does not seem so far fetched, especially with auto pre-compiles. Would it be much harder to ensure uniqueness? If yes, we could at least go to 24 or 30 bits, no? That would reduce the chance a lot.

(The chance of a collision after x samples should be 1 - math.prod(2**16 - i for i in range(x)) / 2**(16*x).)

Originally posted by @georgwiese in #2446 (comment)
@qwang98
Copy link
Collaborator Author

qwang98 commented Feb 11, 2025
edited
Loading

Not sure if we are still concerned by this @Schaeff.

Currently, we pass the 16 bit interaction id to finger print with the payloads. Depending on which field extension is used, if in the case of BB, the interaction id gets converted from an expression to a field extension (an array of expressions) by padding zeros. For example, interaction id 123 becomes Fp4(123, 0, 0, 0).

Therefore, in practice, at least at the level after PIL function is called, bus interaction id field extension can always hold 64 bits in 1, 2, or 4 columns (depending on the field extension). If we want to map the hashed interaction id to 2^64 instead of 2^16, this in theory shouldn't create any additional witness columns.

However, a key challenge remains in how to pass a 64 bit number to an array of columns in PIL when the count of columns isn't known. Besides, all our current APIs treat interaction ID as a single column, so would need to change up things a lot.

@Schaeff
Copy link
Collaborator

Schaeff commented Feb 11, 2025

Yes good point, to be honest the hash idea was mostly to simplify implementation, so that we don't need to store a map of each operation to their id. It was introduced in the context of a PR which was already quite large.

So I suspect either we could

  • increase the number of bits to 24 or 30 bits as suggested by @georgwiese
  • move back to the original idea and precompute a map of IDs starting from 1 etc

@qwang98 qwang98 mentioned this issue Feb 12, 2025
Merged
github-merge-queue bot pushed a commit that referenced this issue Feb 14, 2025
@qwang98
30-bit bus interaction ID (#2474)
187c796 
Solves #2470. Depends on #2465. Approval will only works after merging
#2465.

The following is a response to #2470 and motivation of this PR: 

Chance of collission:
For 24-bits:
100 interactions: 0.000295000053831429
1000 interactions: 0.02933425835911685
10000 interactions: 0.9492338975723106

For 30-bits (theoretically the largest we could get to without changing
pil code due to field prime of bb and m31):
100 interactions: 4.610036260510597e-06
1000 interactions: 0.0004650875835883195
10000 interactions: 0.04549425469529611

Neither look ideal, but I think after
#2469, bus linker mode should
always have 2 bus interactions only. For user defined bus interactions,
they can intentionally input IDs that don't clash, so I think just using
30-bit interaction id should be good enough for 29 bits of security
(under 2 interactions linker case).
@leonardoalt
Copy link
Member

Was this done in #2474?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@leonardoalt @Schaeff @qwang98