
Discrete Log needs a Cutoff


Right now, the discrete log code will happily run forever if you give it a really huge number. Such a thing might manifest when decrypting a corrupt ciphertext, where the discrete log of a “random” number is likely to be enormous. Or worse, it might not have a solution at all. (Most elements mod P are not reachable from the generator.)

Quick summary

The discrete log function needs to take as input an optional “maximum” value. If the dlog cache computation reaches a number greater than the maximum, then we declare that there does not exist a discrete log and trigger an error.

How to indicate the error

We could return None, changing the type signature of the code from returning int to Optional[int]. Or, we could return something obviously out-of-bounds like -1. Either way, the ability for discrete-log to fail needs to propagate through all the decryption code that calls it.

What’s a reasonable bound for triggering the error

The simplest answer is “how many ballots are there”, then multiply a fudge factor. If we’re dealing with an election with a million ballots, then we’re not going to have any homomorphic sums greater than a million, so bounding at 1.1 million seems reasonable. The hard part is propagating the error bound from the high-level computation (here I am computing a homomorphic tally) down to the low-level computation (here I am decrypting a single ElGamal ciphertext).

Setting the bound

Have a dlog_set_global_error_bound method or some such thing which can be called from far away, and store the state in a private variable inside the dlog package. Have a default value which is on the big-ish side, but which isn’t completely bonkers. What’s the biggest number we might ever reasonably want to decrypt? What’s the population of the largest state in the U.S.? That would be California (~40 million). So a conservative default upper bound might be 100 million, and then we could make it much smaller if/when we knew any better for any specific computation.
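A sketch of the bounded, cached discrete log this issue asks for, added here as an example and not taken from the project's code. The toy group (`P`, `G`), the module-level cache and the `decrypt` helper are assumptions; `dlog_set_global_error_bound` follows the name floated in the issue.

```python
from typing import Dict, Optional

# Constructed toy group (assumption): P = 2*5003 + 1 is a safe prime and G = 4
# generates the subgroup of order 5003. Real election parameters are far larger.
P = 10007
G = 4

_max_exponent = 100_000_000  # conservative default bound suggested in the issue
_cache: Dict[int, int] = {1: 0}  # group element -> exponent, seeded with G^0
_last_element, _last_exponent = 1, 0  # highest power of G computed so far

def dlog_set_global_error_bound(bound: int) -> None:
    """Set the largest exponent discrete_log() searches before giving up."""
    global _max_exponent
    if bound < 0:
        raise ValueError("bound must be non-negative")
    _max_exponent = bound

def discrete_log(element: int, maximum: Optional[int] = None) -> Optional[int]:
    """Return k <= bound with G^k == element (mod P), or None if there is none."""
    global _last_element, _last_exponent
    bound = _max_exponent if maximum is None else maximum
    known = _cache.get(element)
    if known is not None:
        return known if known <= bound else None
    # Extend the cache one multiplication at a time, never past the bound, so a
    # corrupt or unreachable element costs at most `bound` steps.
    while _last_exponent < bound:
        _last_element = (_last_element * G) % P
        _last_exponent += 1
        _cache.setdefault(_last_element, _last_exponent)
        if _last_element == element:
            return _cache[element]
    return None

def decrypt(secret_key: int, pad: int, data: int) -> Optional[int]:
    """Exponential ElGamal decryption; a failed discrete log propagates as None."""
    unblind = pow(pad, P - 1 - secret_key, P)  # pad^(-secret_key) mod P
    return discrete_log(data * unblind % P)

if __name__ == "__main__":
    dlog_set_global_error_bound(1000)  # e.g. ballots cast times a fudge factor
    key, nonce = 1234, 2000  # constructed sample values
    pad = pow(G, nonce, P)
    data = pow(G, 250, P) * pow(pow(G, key, P), nonce, P) % P
    print("correct key:", decrypt(key, pad, data))
    print("wrong key:", decrypt(key + 1, pad, data))
    print("unreachable element:", discrete_log(P - 1))
```

Callers of `decrypt` must treat `None` as a decryption failure rather than as a tally of zero.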

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 6 (1 by maintainers)

Top GitHub Comments

1 reaction
jpic commented, Dec 6, 2020

Also affected, just had to reboot 😂 had the wrong public key though.
