|
|
|
|
|
|
by DoctorOetker
765 days ago
|
|
|
> But this also means that the coordinate must be sampled from a set large enough that the attacker cannot guess it by random chance. If the modulus is near ( 2 ^ 256 ), this is clearly the case. But with a modulus of ( 2 ^ 64 - 2 ^ 32 + 1 ), we're not quite there, and if we drop to ( 2 ^ 31 - 1 ), it's definitely not the case. Trying to fake a proof two billion times until one gets lucky is absolutely within the range of an attacker's capabilities. > To stop this, we sample r from an extension field. For example, you can define y where y ^ 3 = 5, and take combinations of 1, y and y ^ 2 . This reads like trying to increase entropy without adding entropy. Given the analogy of bruteforcing a low entropy preimage in a hash, Concatenating the secret preimage with itself, or adding capitalization on the second occurence etc. does not increase entropy, its just a constant factor in computational complexity which both attacker and defender suffer. I am probably misunderstanding what's written, but I suspect its due to the unclear exposition... |
|
|
But then when you choose a random point to test your polynomial, you randomly select from G = F[5^1/3], an extension of the original field. And test your polynomial using arithmetic in that larger field.
The increased entropy happens when you select at random from the extended field — there’s more elements in G than in F, so an attacker has a lower chance of guessing your random value.