proofs

src/oprf/mod.rs

@@ -3,6 +3,8 @@ pub mod hybrid;
 pub mod ot;
 pub mod ring;
 pub mod ring_lpr;
+#[cfg(test)]
+mod security_proofs;
 pub mod voprf;
 
 pub use ring::{

src/oprf/voprf.rs

@@ -66,8 +66,15 @@ pub const COMMITMENT_LEN: usize = 32;
 const CHALLENGE_LEN: usize = 16;
 
 /// Maximum L∞ norm for response coefficients (for rejection sampling)
-/// Must be large enough to hide k but small enough for security
-const RESPONSE_BOUND: i32 = 32;
+/// z = m + e*k where m in [-MASK_BOUND, MASK_BOUND], e*k in [-48, 48]
+/// RESPONSE_BOUND must be > MASK_BOUND + 48 for high acceptance probability
+const RESPONSE_BOUND: i32 = 128;
+
+/// Mask sampling bound - must be large enough to statistically hide e*k
+/// For ZK: mask_bound >> challenge_scalar * key_bound
+/// challenge_scalar <= 16, key coeffs in [-3,3], so e*k <= 48
+/// We use mask_bound = 64 so z is usually in [-112, 112] < RESPONSE_BOUND
+const MASK_BOUND: i32 = 64;
 
 /// Number of rejection sampling attempts before giving up
 const MAX_REJECTION_ATTEMPTS: usize = 256;
@@ -377,8 +384,7 @@ pub fn generate_proof<R: RngCore>(
 
     // Try to generate proof with rejection sampling
     for _attempt in 0..MAX_REJECTION_ATTEMPTS {
-        // Step 1: Sample random mask m with small coefficients
-        let mask = random_small_ring(rng, RESPONSE_BOUND / 2);
+        let mask = random_small_ring(rng, MASK_BOUND);
         let mask_unsigned = signed_to_unsigned(&mask);
 
         // Step 2: Compute mask commitment t = H(m || m·a)