cfrg / draft-irtf-cfrg-voprf

Oblivious Pseudorandom Functions (OPRFs) using Prime-Order Groups
https://cfrg.github.io/draft-irtf-cfrg-voprf/#go.draft-irtf-cfrg-voprf.html

Derivation of b unclear #380

Open jhoyla opened 1 year ago

jhoyla commented 1 year ago

In section {#random-scalar} the text reads:

As an optimization, if the group order is very close to a power of 2, it is acceptable to omit the rejection test completely. In particular, if the group order is p, and there is an integer b such that |p - 2^b| is less than 2^(b/2), then RandomScalar can simply return a uniformly random integer of at most b bits.

This just reads like magic. It's not obvious how to choose b, or that any value of b satisfying the requirements is valid.

chris-wood commented 1 year ago

The salient point is that there exists an integer b such that the condition holds. We could add more explanation about why this is sufficient, but I'm inclined to not burden the reader with that.

armfazh commented 1 year ago

Does it help to mention that p is a b-bit integer?
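
The condition quoted from the draft in the opening comment, worked through as an added example that is not part of the issue thread or the draft: it finds b for a given group order p, bounds how far b uniform bits are from a uniform scalar, and falls back to rejection sampling when no b exists. Assumptions: the function names are hypothetical, the group orders are the public constants for ristretto255, P-256 and P-384 (not quoted in the thread), and the output range [0, p) with a reduction mod p when p < 2^b is this example's choice.

```python
import secrets

# Public group orders (well-known constants, not quoted in the thread).
ORDERS = {
    "ristretto255": 2**252 + 27742317777372353535851937790883648493,
    "P-256": 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551,
    "P-384": int("F" * 48 + "C7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973", 16),
}

def find_b(p):
    """Return b with |p - 2^b| < 2^(b/2), or None if no such b exists."""
    n = p.bit_length()            # 2^(n-1) <= p < 2^n
    for b in (n - 1, n):          # any other power of two is too far from p
        d = abs(p - (1 << b))
        if d * d < (1 << b):      # exact integer form of d < 2^(b/2)
            return b
    return None

def bias_bound_bits(p, b):
    """k such that b uniform bits (reduced mod p) are within 2^-k of uniform."""
    d = abs(p - (1 << b))
    # Statistical distance is at most d / 2^b, and d < 2^d.bit_length().
    return b - d.bit_length()

def random_scalar(p):
    """Uniform (or near-uniform) integer in [0, p)."""
    b = find_b(p)
    if b is not None:
        # Shortcut: no rejection test. The "% p" is this example's choice for
        # the p < 2^b case; it is a no-op when p > 2^b.
        return secrets.randbits(b) % p
    while True:                   # rejection sampling
        x = secrets.randbits(p.bit_length())
        if x < p:
            return x

if __name__ == "__main__":
    for name, p in ORDERS.items():
        b = find_b(p)
        if b is None:
            print(f"{name}: no valid b, keep the rejection test")
        else:
            print(f"{name}: b = {b}, bias < 2^-{bias_bound_bits(p, b)}")
```

Only the two powers of two that bracket p can satisfy the condition, so b is either unique or absent; P-256 has none because its order sits about 2^224 below 2^256.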