Understanding security level

michela_polito · May 15, 2025, 9:34am

Hi, I’m trying to understand how security level in TFHE works.
I read that Concrete has fixed 128 bits security level. But why? What does it depend on?

andrei-stoian-zama · May 16, 2025, 8:32am

128-bits is pretty standard to ensure sufficient security. Here is more information about it:

What do you mean by “what does it depend on”?

michela_polito · May 16, 2025, 6:16pm

Hi, thanks for the response!

I was wondering what parameters ensure that the security level is 128-bits.
I read that in encryption systems, like AES or RSA, the security level is determined by the size of the keys. So, I guess the LWE dimension if we’re considering LWE ciphertexts, am I right?

I suppose that for TFHE it’s different. After reading the article, I may be wrong, but does it depend on LWE dimension n, ciphertext modulus q, and the standard deviation sigma of the error distribution…?

bencrts · May 19, 2025, 4:06pm

Hi @michela_polito. The security level is indeed determined by the parameters you mention, plus the width of the secret distribution – which is typically binary in our case. There is a subtlety in that TFHE actually has two security levels: the security level of the LWE ciphertexts (which encrypt messages), and the security level of keys, e.g. the bootstrapping keys, which utilise different parameters.

In the case of bootstrapping keys, you can effectively replace the LWE dimension n with the polynomial size N multiplied by the GLWE rank k.

There are various trade-offs in the parameters. For example, increasing n (or N*k) would lead to a higher security level, but would in turn lead to larger ciphertexts and keys. Similarly, increasing the width of the error and/or secret distributions would lead to a higher security level, but would cause noise growth to be worse. All of these considerations need to be balanced when selecting custom parameters.

You can find some TFHE-like parameter sets in the lattice estimator here: lattice-estimator/estimator/schemes.py at main · malb/lattice-estimator · GitHub

You could also look at the parameters we use, e.g. in TFHE-rs, here: tfhe-rs/tfhe/src/shortint/parameters/v1_2/classic/gaussian at main · zama-ai/tfhe-rs · GitHub

Happy to answer any follow-up questions you have!

Ben

michela_polito · May 31, 2025, 10:28am

Hi @bencrts, I have another question!

Some days ago, I was looking at the secret keys info in the client.specs.json file. I have several of this files because I was trying to compare some data for different cases, like number of keys and LWE dimensions. While I was doing this, I noticed that all model’s output were encrypted with a secret key of LWE dimension equal to 32768. Why is that?

For context, the last layer is always a Linear with in_features=512 and out_features=10.

bencrts · June 2, 2025, 12:55pm

Hi @michela_polito. Would you mind sharing the code/parameters that you are refferring to? It will help me to give you the correct answer. Thanks!