Change default security level to ~100 bits

[bobbinth]

Current default security level of the proofs is around 110 bits (not 120 as mentioned in the docs). Getting more security than this would require running FRI in a quadratic extension of the base field. This should be a long-term goal, but for now, capping security at 100 bits should be sufficient.

This will allow us to reduce proof size by at least 30% because:

1. We can reduce number of queries in each proof from 50 to 40,
2. We can reduce size of nodes in a Merkle tree from 32 bytes to 24 bytes.

[pgrinaway]

First off, thanks for all the awesome work, this repo is great. Is there a straightforward formula to compute (even approximately) the security level from the ProofOptions?

Thanks!

EDIT: Is it actually pub fn security_level(&self, optimistic: bool) -> u32? If so, sorry for the frivolous question.

[bobbinth]

Yep - that's the right function, though it is missing one component. Specifically, the actual security level should be min between the current output of the function and 128 - log2(extended execution trace). For moderately large computations, extended trace is around 2²⁰ - so, security level should be capped around 110 bits.

You can find a bit more explanation about security level computation here.