Potential bias when sampling mod N
cronokirby opened this issue · comments
Lúcás Meier commented
There are a few places where we sample an integer mod N by sampling the same number of random bits as N, and then reducing modulo N.
e.g.
https://github.com/taurusgroup/cmp-ecdsa/blob/main/pkg/math/sample/sample.go#L35
https://github.com/taurusgroup/cmp-ecdsa/blob/main/pkg/math/sample/sample.go#L51
This has a good amount of bias, although it's probably not exploitable.
We should probably do rejection sampling, or bump up the security parameter. The former is probably faster.
It would also be a good idea to unify this logic behind a sampler function, this logic is repeated atm in different places.
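The contrast described above, as an added Go example (not code from the cmp-ecdsa repository; the sampler names `SampleModNBiased`, `SampleModNRejection`, `SampleModNOversampled` and `BiasedCounts` are hypothetical). It shows the "draw bitlen(N) bits, reduce mod N" pattern, a rejection-sampling replacement, the "bump the security parameter" alternative, and an exact enumeration of the bias for a small modulus. The byte sequences fed to the samplers in `main` are constructed for the demonstration.

```go
package main

// Added example illustrating the sampling bias discussed in the issue.
// Not part of the cmp-ecdsa code base.

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"math/big"
)

// readBits reads ceil(bits/8) bytes from r and masks the result to `bits` bits,
// giving a uniform integer in [0, 2^bits).
func readBits(r io.Reader, bits int) (*big.Int, error) {
	buf := make([]byte, (bits+7)/8)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err
	}
	x := new(big.Int).SetBytes(buf)
	mask := new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), uint(bits)), big.NewInt(1))
	return x.And(x, mask), nil
}

// SampleModNBiased mirrors the flagged pattern: draw bitlen(N) random bits and
// reduce mod N. Every residue below 2^bitlen(N) mod N is produced by two inputs,
// the rest by one, so the output is visibly non-uniform.
func SampleModNBiased(r io.Reader, n *big.Int) (*big.Int, error) {
	if n.Sign() <= 0 {
		return nil, errors.New("modulus must be positive")
	}
	x, err := readBits(r, n.BitLen())
	if err != nil {
		return nil, err
	}
	return x.Mod(x, n), nil
}

// SampleModNRejection draws bitlen(N) bits and retries until the value is < N.
// Accepted values are exactly uniform; since N > 2^(bitlen(N)-1), fewer than
// two draws are needed on average.
func SampleModNRejection(r io.Reader, n *big.Int) (*big.Int, error) {
	if n.Sign() <= 0 {
		return nil, errors.New("modulus must be positive")
	}
	for {
		x, err := readBits(r, n.BitLen())
		if err != nil {
			return nil, err
		}
		if x.Cmp(n) < 0 {
			return x, nil
		}
	}
}

// SampleModNOversampled is the other option mentioned in the issue: draw
// bitlen(N)+extra bits before reducing. The statistical distance from uniform
// is then below 2^-extra, at the cost of a little more randomness per sample.
func SampleModNOversampled(r io.Reader, n *big.Int, extra int) (*big.Int, error) {
	if n.Sign() <= 0 {
		return nil, errors.New("modulus must be positive")
	}
	x, err := readBits(r, n.BitLen()+extra)
	if err != nil {
		return nil, err
	}
	return x.Mod(x, n), nil
}

// BiasedCounts enumerates every bitlen(N)-bit input for a small N and counts
// how often the reduce-mod-N sampler lands on each residue. Uniform would be
// all-equal counts; the biased sampler never is unless N is a power of two.
func BiasedCounts(n int64) []int {
	bits := big.NewInt(n).BitLen()
	counts := make([]int, n)
	for x := int64(0); x < int64(1)<<uint(bits); x++ {
		counts[x%n]++
	}
	return counts
}

func main() {
	n := big.NewInt(5)
	fmt.Println("exact residue counts for N=5 with 3-bit inputs:", BiasedCounts(5))

	// Constructed byte source: 0xff and 0x06 are >= 5 after masking and get
	// rejected, 0x03 is accepted.
	src := bytes.NewReader([]byte{0xff, 0x06, 0x03})
	x, _ := SampleModNRejection(src, n)
	fmt.Println("rejection sampler returned", x, "after consuming 3 bytes")

	// A real draw from the system CSPRNG, as a library would do it.
	y, err := SampleModNRejection(rand.Reader, n)
	fmt.Println("crypto/rand draw:", y, "err:", err)
}
```

`BiasedCounts(5)` reports counts `[2 2 2 1 1]`: residues 0, 1 and 2 are twice as likely as 3 and 4, which is the bias the issue points at. Rejection sampling removes it entirely; oversampling only shrinks it, so the `extra` parameter has to be chosen against the security level rather than left at zero.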