Some of the weirdness we uncovered while addressing #113 and #465 is due to an assumption in the last line of Fig 28:
The proof guarantees that each p, q > 2^ell (assuming 2^(2ell + ε ≈ √N0).
We don't check that assumption in the proof itself. In #466 we aim to check that assumption in at least one place, but it seems like it's worth checking in the proof verification itself as well, so we don't rely on it having been handled elsewhere.
[ ] Add modulus size check in proof verification
[ ] Review tests (especially those mentioned in #465) and consider adding "small modulus" and "large modulus" tests that fail if the assumption doesn't hold.
Some of the weirdness we uncovered while addressing #113 and #465 is due to an assumption in the last line of Fig 28:
We don't check that assumption in the proof itself. In #466 we aim to check that assumption in at least one place, but it seems like it's worth checking in the proof verification itself as well, so we don't rely on it having been handled elsewhere.