+-x into 2x

[maurges]

In the initial implementation I forgot that the notation for y <- +-a means that y <- [0; 2a]. This patch changes the generation functions to account for that

While making this change, I also refactored tests and added a new category of tests: check that the probablity to reject a correct proof is similar to the one in paper. This helps to show that the change above didn't break security (at least completely)

[survived]

Openssl (and maybe some other) backends of unknown_order ignore provided source of randomness. I just can imagine someone choosing openssl backend and, as a result, getting unintuitive errors and unexpected behavior.

Can we detect somehow which backend is chosen and produce compiler_error! (if it's possible to detect on compile-time) or panic! (if we can determine backend only in runtime)?

[maurges]

I think it's easier to forbid openssl as a feature, since a backend is explicitly selected with this crate. I'll disable it in the next commit

[maurges]

Done

[survived]

You can do that, but one can bypass that by setting pailler-zk.deafult-features = false, and turning openssl feature on directly on unknown-order. If we can't check which backend is used, we should at least add a note, that this backend is not supported

[survived]

We don't have any root-level docs or readme where we could mention that, I'm fine if you open an issue to remember mention it in the docs in the future

[maurges]

Ok, makes sense. Let's make this and the discussion below into a separate documentation MR

[survived]

I see you added a lot of docs. Is it a right time to add #[forbid(missing_docs)] to the top of lib.rs or not yet?

[maurges]

Found another case of non-determinism that slipped me by, and fixed it. Should be completely ready now

[maurges]

Oh god, and now CI fails with that exact test, what happened

[maurges]

I'm not sure what happened there with CI. I debugged it locally, and the proofs are computed deterministically

[survived]

I recommend you to use rand_dev in tests rather than OsRng. It prints seed to stdout when constructed, so you can locally reproduce whatever issue you have on CI (assuming tests are 100% deterministic with fixed randomness source)

[maurges]

Owners: survived

=)) Good crate though, will use it

The problem with determinism here is that it's easy to accidentally use functions from unknown_order that use OsRng implicitly.

[survived]

it's easy to accidentally use functions from unknown_order that use OsRng

Should we then add a script that greps BigNumber::prime and others bad functions and fails CI if it found any of them in the project?

[survived]

So still unresolved things in this PR

• Document crate, enforce #![forbid(missing_docs)]
  • Add a warning that openssl backend of unknown order is not supported
• Deterministic reproducible tests (i.e. rand_dev)
  • Detect invocations of functions like BigNumber::prime in CI and recommend using their appropriate alternatives like BigNumber::prime_from_rng

If you don't want to resolve any of them within this PR, please just open an issue so we could keep track of them.

[maurges]

I think all those 4 changes are out of scope of this MR at least, yes. Let me make the issues for them

[maurges]

See #9, #10, #11

[survived]

Great, thanks!