Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add UniRng a random scalar generator #130

Closed
wants to merge 1 commit into from
Closed

Add UniRng a random scalar generator #130

wants to merge 1 commit into from

Conversation

moCello
Copy link
Member

@moCello moCello commented Nov 17, 2023

Resolves: #129

@moCello moCello force-pushed the mocello/uni-random branch 6 times, most recently from 47a9944 to 300e852 Compare November 22, 2023 11:16
@moCello moCello marked this pull request as draft November 22, 2023 14:18
@moCello moCello marked this pull request as ready for review November 22, 2023 17:08
@moCello moCello requested a review from HDauven November 22, 2023 17:08
vlopes11
vlopes11 reviewed Nov 23, 2023
View reviewed changes
src/scalar/dusk.rs
/// let _scalar = BlsScalar::random(rng);
/// ```
#[derive(Clone, Copy, Debug, Default)]
pub struct UniScalarRng<R>(R);
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As mentioned on the JubJub PR, I think adding a new RNG will increase type complexity & degradate performance (i.e. we need to copy the numbers into an array, and then read the numbers from the same array to generate a scalar). I suggest just adding it as a function of the scalar

@moCello
Copy link
Member Author

moCello commented Nov 24, 2023

After extensive discussions we decided to not change the random scalar generation because it was deemed secure enough for our purposed:

We will use this paper to determine whether the current implementation of the random scalar implementation as done in the Field trait implmentation is cryptographically safe.

In the current implementation of random, we sample a random element with 512 bits, and reduce it by the modulo of the field of BlsScalar to generate a valid scalar.

For BlsScalar we have:

p := 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
p = 52435875175126190479447740508185965837690552500527637822603658699938581184513

and

s := 2^512
s = 13407807929942597099574024998205846127479365820592393377723561443721764030073546976801874298166903427690031858186486050853753882811946569946433649006084096

To check whether the above approach is secure, we do the following:

For p < s calculate r and m so that

s = rp + m

This leads to:

r := 255699135089535202043525422716183576215815630510683217819334674386498370757523

and

m := s - p * r
m = 3294906474794265442129797520630710739278575682199800681788903916070560242797

Now we can check whether:

r > 2^64 * root(m/p)
r > 2^64 * root(0.06283687387289490447)
r > 18446744073709551616 * 0.25067284231223554

This clearly holds true, which means that we fall in the first conversion of the paper above, and can safely sample an element from the field over 2^512 (which is an array of 64 bytes) and take it modulo p.

This concludes that we don't need to make any adjustments to the current implementation of random scalar generation.

@moCello moCello closed this Nov 24, 2023
@moCello moCello deleted the mocello/uni-random branch November 24, 2023 15:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vlopes11 vlopes11 vlopes11 left review comments

@ZER0 ZER0 Awaiting requested review from ZER0

@ureeves ureeves Awaiting requested review from ureeves

@herr-seppia herr-seppia Awaiting requested review from herr-seppia

@HDauven HDauven Awaiting requested review from HDauven

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Inject uniformly distributed randomness into Scalar::random
3 participants
@moCello @vlopes11 @HDauven