entropyxyz/synedrion

Modify the range of the sampled random in `П^{enc-elg}`?


fjarri commented

П^{enc} (Fig. 14) prescribes sampling alpha from [-2^(l+eps), 2^(l+eps)]. It also takes an argument k in [-2^l, 2^l] and generates the challenge e in [-q, q] (where q is the curve order, with q < 2^l). Then, on the verifier side, one of the checks is whether alpha + e * k is in [-2^(l+eps), 2^(l+eps)].

Since e and k are externally determined (by arguments to the proof), would it be safe to generate alpha in a way that it won't fail that range check? That is, sample alpha from [-2^(l+eps) - e * k, 2^(l+eps) - e * k] instead?

In the '24 version (see #157) enc is not used anymore, but the same question applies for enc-elg (Fig. 24).

Technically, the false positive here is quite unlikely, since eps = 2l. But would it hurt to check that z_1 is in range [-2^(l+eps) - 2^(2l), 2^(l+eps) + 2^(2l)] to eliminate even that possibility?
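
To put a number on the false rejection discussed in this issue, the following added example (not code from synedrion or from the paper) computes the exact probability that an honest prover's z_1 = alpha + e * k fails the verifier's range check, with and without the extra 2^(2l) slack. It assumes alpha is uniform on the integer interval [-2^(l+eps), 2^(l+eps)], uses q = 2^l - 1 as a stand-in upper bound for the curve order, and covers completeness only, not the soundness or zero-knowledge effect of changing the bound or the sampling range.

```python
from fractions import Fraction


def reject_probability(l, eps, e, k, slack=0):
    """Exact probability that an honest z_1 = alpha + e*k violates
    |z_1| <= 2^(l+eps) + slack, for alpha uniform in [-2^(l+eps), 2^(l+eps)]."""
    bound = 1 << (l + eps)
    shift = abs(e * k)
    # Only the alphas within `shift - slack` of one end of the interval
    # are pushed out of range; the other end moves inward.
    bad = min(max(shift - slack, 0), 2 * bound + 1)
    return Fraction(bad, 2 * bound + 1)


def brute_force(l, eps, e, k, slack=0):
    """Same quantity by enumerating every alpha (toy parameters only)."""
    bound = 1 << (l + eps)
    alphas = range(-bound, bound + 1)
    bad = sum(1 for a in alphas if abs(a + e * k) > bound + slack)
    return Fraction(bad, len(alphas))


def worst_case(l, eps, q, slack=0):
    """Largest |e*k| allowed by the ranges in the issue: e = q, k = 2^l."""
    return reject_probability(l, eps, q, 1 << l, slack)


if __name__ == "__main__":
    # Constructed toy parameters with eps = 2l and q < 2^l.
    l, eps, q = 4, 8, 13
    print("toy, strict bound :", worst_case(l, eps, q))
    print("toy, brute force  :", brute_force(l, eps, q, 1 << l))
    print("toy, +2^(2l) slack:", worst_case(l, eps, q, slack=1 << (2 * l)))

    # l = 256, eps = 2l; q = 2^l - 1 is an assumed upper bound, not a real curve order.
    l, eps = 256, 512
    p = worst_case(l, eps, (1 << l) - 1)
    print("l=256, strict bound: about 2^-%d" % (p.denominator.bit_length() - p.numerator.bit_length()))
    print("l=256, +2^(2l) slack:", worst_case(l, eps, (1 << l) - 1, slack=1 << (2 * l)))
```

Because |e * k| <= q * 2^l < 2^(2l), the widened check never rejects an honest z_1, while the strict check rejects with probability below 2^-(l+1) in the worst case when eps = 2l.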