ROS Audit: fix for sec. 3.1.

scripts/useful_bits_modp.py

@@ -10,9 +10,9 @@
 
 def useful_bits(p):
     return max(
-        n for n in range(p.bit_length() - 1, 0, -1)
-        if n + 1 + p.bit_length() - (alpha := p % 2 ** n).bit_length() -
-        (2 ** n - alpha).bit_length() >= 128
+        n for n in range(p.bit_length())
+        if n + p.bit_length() - 1 - (r := p % 2 ** n).bit_length() -
+        (2**n - r).bit_length() >= 128
     )
 
 

src/plugins/ark/common.rs

@@ -228,7 +228,7 @@ where
 {
     fn fill_challenge_bytes(&mut self, output: &mut [u8]) -> Result<(), IOPatternError> {
         let len_good = usize::min(
-            crate::plugins::bytes_uniform_modp(Fp::<C, N>::MODULUS_BIT_SIZE),
+            crate::plugins::random_bytes_in_random_modp(Fp::<C, N>::MODULUS),
             output.len(),
         );
         let len = crate::plugins::bytes_modp(Fp::<C, N>::MODULUS_BIT_SIZE);
@@ -242,14 +242,16 @@ where
     }
 }
 
+
+/// XXX. duplicate code
 impl<'a, H, C, const N: usize> ByteChallenges for Arthur<'a, H, Fp<C, N>>
 where
     C: FpConfig<N>,
     H: DuplexHash<Fp<C, N>>,
 {
     fn fill_challenge_bytes(&mut self, output: &mut [u8]) -> Result<(), IOPatternError> {
         let len_good = usize::min(
-            crate::plugins::bytes_uniform_modp(Fp::<C, N>::MODULUS_BIT_SIZE),
+            crate::plugins::random_bytes_in_random_modp(Fp::<C, N>::MODULUS),
             output.len(),
         );
         let len = crate::plugins::bytes_modp(Fp::<C, N>::MODULUS_BIT_SIZE);

src/plugins/ark/tests.rs

@@ -5,7 +5,7 @@ use crate::{
     ProofResult, Unit, UnitTranscript,
 };
 #[cfg(feature = "ark-bls12-381")]
-use ark_bls12_381::{Fq2, Fr};
+use ark_bls12_381::{Fq, Fq2, Fr};
 use ark_ff::Field;
 
 /// Test that the algebraic hashes do use the IV generated from the IO Pattern.
@@ -101,6 +101,19 @@ fn test_arkworks_end_to_end<F: Field, H: DuplexHash>() -> ProofResult<()> {
     Ok(())
 }
 
+#[cfg(feature = "ark-bls12-381")]
+#[test]
+fn test_squeeze_bytes_from_modp() {
+    use ark_ff::PrimeField;
+    use crate::plugins::random_bytes_in_random_modp;
+
+    let useful_bytes = random_bytes_in_random_modp(Fr::MODULUS);
+    assert_eq!(useful_bytes, 127 / 8);
+
+    let useful_bytes = random_bytes_in_random_modp(Fq::MODULUS);
+    assert_eq!(useful_bytes, 253 / 8);
+}
+
 #[cfg(feature = "ark-bls12-381")]
 #[test]
 fn test_arkworks() {

src/plugins/mod.rs

@@ -16,12 +16,44 @@ pub mod group;
 /// Proof of work (PoW) challenges.
 pub mod pow;
 
-/// Bits needed in order to obtain a (pseudo-random) uniform distribution in F.
+/// Bits needed in order to obtain a uniformly distributed random element of `modulus_bits`
 #[allow(unused)]
 pub(super) const fn bytes_uniform_modp(modulus_bits: u32) -> usize {
     (modulus_bits as usize + 128) / 8
 }
 
+/// Number of uniformly random bytes of in a uniformly-distributed element in `[0, b)`.
+///
+/// This function returns the maximum n for which
+/// `Uniform([b]) mod 2^n`
+/// and
+/// `Uniform([2^n])`
+/// are statistically indistinguishable.
+/// Given \(b = q 2^n + r\) the statistical distance
+/// is \(\frac{2r}{ab}(a-r)\).
+#[cfg(feature = "ark")]
+pub (super) fn random_bits_in_random_modp<const N: usize>(b: ark_ff::BigInt<N>) -> usize {
+    use ark_ff::BigInteger;
+    use ark_ff::BigInt;
+    // XXX. is it correct to have num_bits+1 here?
+    for n in (0..b.num_bits()+1).rev() {
+        // compute the remainder of b by 2^n
+        let r_bits = &b.to_bits_le()[..n as usize];
+        let r = BigInt::<N>::from_bits_le(r_bits);
+        let log2_a_minus_r = r_bits.into_iter().rev().skip_while(|&&bit| bit).count() as u32;
+        if b.num_bits() + n - 1 - r.num_bits() - log2_a_minus_r >= 128 {
+            return n as usize;
+        }
+    }
+    0
+}
+
+/// Same as above, but for bytes
+#[cfg(feature = "ark")]
+pub (super) fn random_bytes_in_random_modp<const N: usize>(modulus: ark_ff::BigInt<N>) -> usize {
+    random_bits_in_random_modp(modulus) / 8
+}
+
 /// Bits needed in order to encode an element of F.
 #[allow(unused)]
 pub(super) const fn bytes_modp(modulus_bits: u32) -> usize {