Fix bounds (b, b_1, b_2) on logproof #262
Conversation
The prior bounds for the short discrete log proof were not quite accurate for some inputs. Specifically, the following changes were made to match the paper:

- b: log2(B) + 1 -> ⌈log2(B)⌉ + 1
- b₁: log2(mdB + d||f||_inf) -> ⌈log2(mdB + d||f||_inf)⌉
- b₂: log2(q) + 1 -> ⌈log2(q)⌉

Specifically, b₂ was correct unless q was a power of 2, which essentially never happens in practice.
Logic looks right, and double checked that this matches the paper. Only thing I'm not sure of is if the check for power of two needs to be constant time or not. I think since it is only being used when computing things from public params it is okay.
So another option, closer to what the standard library does for uints (which is call
It is certainly cleaner looking, so that seems nice. I may switch to this since it is more readable. This isn't taking into account negative numbers, which I do not think |
In this context, constant time doesn't mean O(1), it means the time it takes to execute doesn't change depending on the input. The original version was definitely not constant time, since it short circuited at the second 1 bit it found. So a timing attack could reveal e.g. that the number was not a power of two and, with enough runs & statistical analysis, even which bit position is 1. Unfortunately, even leaking 1 bit can be catastrophic 😞 What I was saying above was that these |
Ah I see! The newer version may be more immune to timing attacks; I unfortunately don't know if the underlying As you mentioned, it is currently only being used on public parameters, which are agreed on before running the SDLP. But it will be good to keep in mind in case we need the same computation on a more sensitive input. |
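As an added example (this is not code from the logproof crate, and every name in it is my own), the corrected bounds from the PR description computed with integer-only ceiling log2, beside an illustration of the timing point raised in the review thread: a power-of-two check that exits at the second set bit versus one that visits every bit regardless of input. The `old_bound_b2` function assumes, as my own reading of the description and not something the page states, that the prior `log2(q) + 1` truncated to the floor, which is exactly the behaviour that is off by one only when q is a power of two.

```rust
// Added example, not the logproof crate's own code. All function names are
// hypothetical. Shows the corrected bounds b, b₁, b₂ and two power-of-two
// checks: one that short-circuits and one whose work does not depend on input.

/// ⌈log2(x)⌉ for x >= 1 using integer arithmetic only (no floating point).
/// For x > 1 this is the bit length of x - 1; ⌈log2(1)⌉ = 0.
pub fn ceil_log2(x: u64) -> u32 {
    assert!(x >= 1, "log2 of zero is undefined");
    64 - (x - 1).leading_zeros()
}

/// b = ⌈log2(B)⌉ + 1, the corrected bound from the PR description.
pub fn bound_b(big_b: u64) -> u32 {
    ceil_log2(big_b) + 1
}

/// b₁ = ⌈log2(m·d·B + d·‖f‖∞)⌉. Checked arithmetic so an oversized public
/// parameter panics instead of silently wrapping and producing a small bound.
pub fn bound_b1(m: u64, d: u64, big_b: u64, f_inf: u64) -> u32 {
    let term1 = m
        .checked_mul(d)
        .and_then(|md| md.checked_mul(big_b))
        .expect("mdB overflows u64");
    let term2 = d.checked_mul(f_inf).expect("d*||f||_inf overflows u64");
    ceil_log2(term1.checked_add(term2).expect("sum overflows u64"))
}

/// b₂ = ⌈log2(q)⌉, the corrected bound.
pub fn bound_b2(q: u64) -> u32 {
    ceil_log2(q)
}

/// The prior b₂ = log2(q) + 1, under my assumption (not stated on the page)
/// that log2 truncated to ⌊log2(q)⌋. For q not a power of two,
/// ⌊log2 q⌋ + 1 == ⌈log2 q⌉; for q = 2^k it yields k + 1 instead of k.
pub fn old_bound_b2(q: u64) -> u32 {
    assert!(q >= 1, "log2 of zero is undefined");
    (63 - q.leading_zeros()) + 1
}

/// Short-circuiting check over a little-endian limb array, kept only to
/// illustrate the thread's point: it returns as soon as a second set bit is
/// seen, so its running time depends on where the set bits are.
pub fn is_power_of_two_short_circuit(limbs: &[u64]) -> bool {
    let mut seen_one = false;
    for &limb in limbs {
        for bit in 0u32..64 {
            if (limb >> bit) & 1 == 1 {
                if seen_one {
                    return false; // early exit: timing reveals a bit position
                }
                seen_one = true;
            }
        }
    }
    seen_one
}

/// Input-independent-time check: every bit of every limb is visited and the
/// only data-dependent value is the final popcount compared against 1. This
/// mirrors the std approach for uints (count_ones() == 1) without relying on a
/// platform popcount; whether shifts and adds are constant time on a given CPU
/// is a hardware property this code cannot guarantee.
pub fn is_power_of_two_ct(limbs: &[u64]) -> bool {
    let mut ones: u64 = 0;
    for &limb in limbs {
        for bit in 0u32..64 {
            ones += (limb >> bit) & 1; // no early exit, no data-dependent branch
        }
    }
    ones == 1
}

fn main() {
    let q: u64 = 1 << 20;
    println!("q = 2^20:     old b2 = {}, new b2 = {}", old_bound_b2(q), bound_b2(q));
    println!("q = 2^20 + 1: old b2 = {}, new b2 = {}", old_bound_b2(q + 1), bound_b2(q + 1));
    println!("ct check on [0, 1] (i.e. 2^64): {}", is_power_of_two_ct(&[0, 1]));
}
```

Running `main` shows the discrepancy the PR fixes: for q = 2^20 the old formula gives 21 where the paper's bound is 20, while for q = 2^20 + 1 both agree on 21. The constant-time variant is the one to reach for if, as the last comment anticipates, the same check is ever applied to something other than agreed-upon public parameters.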