search

poanetwork / threshold_crypto

A pairing-based threshold cryptosystem for collaborative decryption and signatures used in HoneybadgerBFT implementation
Other
186 stars 71 forks source link

Question: Should there be any prevention for base_val going to zero? #111

Closed vihu closed 3 years ago

vihu commented 3 years ago

Relevant line: https://github.com/poanetwork/threshold_crypto/blob/a7fbfa4522835010b6037fb45388c7b04ee14194/src/poly.rs#L407

I was wondering whether the error message here could be a little more precise, it's not technically a case of duplicate points right? The base_value has evaluated to 0 and we cannot calculate the inverse of a zero. If the maintainers think this is a legit issue, I can write a simple PR to handle the error when base_val = 0 slightly better.

base_val: Fr(0x0000000000000000000000000000000000000000000000000000000000000001)
x: Fr(0x0000000000000000000000000000000000000000000000000000000000000005)
base_val: Fr(0x240b05316b5d7259626ee4c2210e53a7be5ca1190606475794dfebf90c05c140)
x: Fr(0x0000000000000000000000000000000000000000000000000000000000000006)
base_val: Fr(0x43c8d1b8535f2005c738b9b5ae27f71b4ae55b99e931a33b3a59735555fa919e)
x: Fr(0x0000000000000000000000000000000000000000000000000000000000000007)
base_val: Fr(0x0000000000000000000000000000000000000000000000000000000000000000)
x: Fr(0x0000000000000000000000000000000000000000000000000000000000000008)
thread '<unnamed>' panicked at 'sample points must be distinct', /home/rahul/dev/threshold_crypto/src/poly.rs:417:49
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
afck commented 3 years ago

It's been a while since I worked on this, so I might misremember, but:

In the i-th iteration of the loop, base is a nonzero i-th degree polynomial that is zero on the first i sample points. Since an i-th degree polynomial can have at most i zeros, if the points are distinct, the value at the next point x must always be nonzero.

Specifically, base is the polynomial (X - s[0]) * (X - s[1]) * … * (X - s[i - 1]), which is nonzero in s[i] unless s[i] is a duplicate of one of the earlier sample points.

vihu commented 3 years ago

It's been a while since I worked on this, so I might misremember, but:

In the i-th iteration of the loop, base is a nonzero i-th degree polynomial that is zero on the first i sample points. Since an i-th degree polynomial can have at most i zeros, if the points are distinct, the value at the next point x must always be nonzero.

Specifically, base is the polynomial (X - s[0]) * (X - s[1]) * … * (X - s[i - 1]), which is nonzero in s[i] unless s[i] is a duplicate of one of the earlier sample points.

I see, so as long as the points are distinct it's impossible for base to go to zero. Thanks for the explanation :)