Fix bug in random generator. Correct a proof

This commit is contained in:
jude 2023-02-13 14:36:58 +00:00
parent bffc7a3a66
commit c4f6c24469
4 changed files with 6 additions and 7 deletions

@ -3,13 +3,14 @@ let p, q, pubKey, privKey;
class PubKey {
constructor(p, q) {
this.n = p * q;
this.g = this.n + 1n;
// this.g = this.n + 1n;
}
encrypt(m) {
// Compute g^m r^n mod n^2
let r = random2048();
// Resample to avoid modulo bias.
while (r >= this.n) {
r = random2048();
}
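Review bot: the rejection loop `while (r >= this.n)` looks like dead code: `random2048()`, as its name and the `2n ** 2047n` offset in `generate_bigint` indicate, returns values below 2^2048, while `this.n = p * q` with two 2048-bit primes is roughly 4096 bits, so `r >= this.n` can never hold and `r` is drawn only from [2^2047, 2^2048) rather than from all of Z_n^*. Either draw as many bits as `n` has before rejecting, or reword the "avoid modulo bias" comment to state the range actually used. Also, the hunk shows both `this.g = this.n + 1n;` and a commented-out copy `// this.g = this.n + 1n;`: if the assignment was removed, `encrypt` (whose comment still says "Compute g^m r^n mod n^2") has no `g` to use; if it was kept, the commented copy is dead code and should be deleted rather than left in place.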

@ -21,8 +21,8 @@ function generate_bigint() {
// Drop the MSB to force into range from above
intRepr >>= 1n;
// Add 2^127 to force into range from below
intRepr += 2n ** 127n;
// Add 2^2047 to force into range from below
intRepr += 2n ** 2047n;
return intRepr;
}
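Review bot: the literals `1n` and `2047n` (previously `127n`) hard-code the target bit length in two places, which is how the 2^127 off-by-a-lot bug got in. Define one constant, e.g. `const BITS = 2048n;`, and derive both steps from it, for instance `intRepr |= 1n << (BITS - 1n);` in place of the shift-then-add. Using `|=` also removes a hidden precondition of the current code: `intRepr += 2n ** 2047n` only lands in [2^2047, 2^2048) if bit 2047 is clear after `intRepr >>= 1n`, i.e. if the input had at most 2048 bits; neither that bound nor the source of `intRepr` (which must be a cryptographically secure generator for this to be usable in Paillier) is visible in the hunk, so a comment stating both would help.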

Binary file not shown.

@ -37,8 +37,6 @@
Risk is a strategy game developed by Albert Lamorisse in 1957. It is a highly competitive game, in which players battle for control over regions of a world map by stationing units within their territories in order to launch attacks on neighbouring territories that are not in their control.
\section{Existing solutions}
For playing games over an internet connection, multiple solutions already exist. These can roughly be broken down into those that are centralised and those that are decentralised, although many decentralised systems rely on federated or centralised communications for peer discovery.
@ -271,7 +269,7 @@ ECMAScript introduced \texttt{BigInt}, which are, as described in the spec, "[in
\subsection{Generating large primes}
I chose to use primes of length 2048 bits. This is on the upper end of typical prime sizes for cryptography, as this generates $n = pq$ of length 4096 bits.
I chose to use primes of length 2048 bits. This is on the upper end of typical prime sizes for cryptography, as this generates $n = pq$ of length 4096 bits.
Generating these primes is a basic application of the Miller-Rabin primality test. This produces probabilistic primes, however upon completing sufficiently many rounds of verification, the likelihood of these numbers actually not being prime is dwarfed by the likelihood of hardware failure.
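Review bot: the removed and added lines in this hunk ("I chose to use primes of length 2048 bits...") read identically, so this is a whitespace-only change; either mention it in the commit message or drop it so the diff stays focused on the proof fix.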
@ -286,7 +284,7 @@ The Paillier cryptosystem is otherwise generic over the choice of primes $p, q$.
\end{proposition}
\begin{proof}
WLOG, assume $p > q$. Suppose $\gcd(pq, (p - 1)(q - 1)) \neq 1$. Then, $q - 1 \mid p$. However, the bit-lengths of $p, q$ are identical. So $\lfloor \frac{1}{2}p \rfloor < q$. This is a contradiction to $q - 1 \mid p$, and so $\gcd(pq, (p - 1)(q - 1)) = 1$ as required.
WLOG, assume $p > q$. Suppose $\gcd(pq, (p - 1)(q - 1)) \neq 1$. Then, $q \mid p - 1$. However, the bit-lengths of $p, q$ are identical. So $\frac{1}{2}(p - 1) < q$. This is a contradiction to $q \mid p - 1$ (as 2 is the smallest possible divisor), and so we must have $\gcd(pq, (p - 1)(q - 1)) = 1$ as required.
\end{proof}
As the prime generation routine generates primes of equal length, this property is therefore guaranteed. The next optimisation is to select $g = 1 + n$.
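Review bot: the corrected proof still skips a case in the step "Then, $q \mid p - 1$". From $\gcd(pq, (p-1)(q-1)) \neq 1$ and $p, q$ prime, one of $p$ or $q$ divides $(p-1)(q-1)$; since $p \nmid p - 1$ and $p \mid q - 1$ is impossible when $p > q$, the only remaining case is $q \mid p - 1$, and that sentence should say so. The closing argument "(as 2 is the smallest possible divisor)" also silently uses that $p$ and $q$ are odd: $q \mid p - 1$ with $q \neq p - 1$ gives $p - 1 \geq 2q$, contradicting $\frac{1}{2}(p-1) < q$, but the case $q = p - 1$ is only excluded because two odd primes cannot be consecutive. That is exactly where the proposition fails for the 2-bit primes $p = 3, q = 2$: $\gcd(6, 2 \cdot 1) = 2$. Stating "for odd primes of equal bit length" in the proposition makes the proof match the claim and matches the 2048-bit setting described above.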