CGGMP avoids most of this by including ZK proofs that validate that the public keys are the product of two primes and that neither factor is "too big" (which would force the other factor to be too small if the overall modulus is large). However, I think we don't check the size of public Paillier moduli we receive from other parties, so small moduli might have small factors.
[x] Add a size check to the CommitmentScheme::from_message method
[x] Look through related types to see if we want to add a check anywhere else (e.g. AuxInfoPublic::new()?)
The recent GG18/20 vulnerability hinges on signer's Paillier public keys having no small factors.
CGGMP avoids most of this by including ZK proofs that validate that the public keys are the product of two primes and that neither factor is "too big" (which would force the other factor to be too small if the overall modulus is large). However, I think we don't check the size of public Paillier moduli we receive from other parties, so small moduli might have small factors.
CommitmentScheme::from_message
methodAuxInfoPublic::new()
?)