Handle out-of-range \alpha/\hat{\alpha} in Presigning #187

Open
fjarri opened this issue Feb 4, 2025 · 0 comments
Labels
cryptography Needs cryptographic expertise
fjarri commented Feb 4, 2025

Extracted from the discussion in #181

In Presigning (Fig. 8), Round 3, we decrypt \alpha_{i,j} and use them to construct \delta_i (the following issue applies similarly to \hat{\alpha}_{i,j} and \chi_i as well). In the happy path \delta_i is reduced mod q, so there are no range issues.

But if there is a problem, and we have to go into the error round (Fig. 9), we need to create a \Pi^{dec} based on the non-reduced value of \delta_i. The proof requires it to be in ±2^{\ell^\prime}; if it's not, the later proof verification will fail. So if some node sends an \alpha_{i,j} that's out of the expected range, it will cause us to incriminate ourselves by sending out an invalid proof.

How can we deal with that? Possible solutions include:

  • On receiving D_{i,j} and decrypting it into \alpha_{i,j}, check it is in the correct range. If not, publish the evidence with the message containing D_{i,j}, adding the revealed \alpha_{i,j} and the randomizer. Questions: 1) is that a sufficient proof (that is, are we sure it can't be forged)?; 2) is it safe to reveal \alpha_{i,j} assuming the session will be halted? I think it's yes to both, but I'm not sure.
  • Send out some kind of a range proof along with D_{i,j}
@fjarri fjarri added the cryptography Needs cryptographic expertise label Feb 4, 2025
@fjarri fjarri added this to the v1.0.0 milestone Feb 4, 2025
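Added example (not part of the issue and not the project's code): the mechanics of the first option above, with a recipient-side range check on the decrypted \alpha_{i,j} and evidence that a third party can re-check by re-encrypting under the public key. It only shows how the check and the evidence would work and does not settle the two open questions in the issue. Assumptions: textbook Paillier with g = 1 + N, constructed toy primes, a toy \ell^\prime of 40, D built as gamma times K plus an encryption of -beta, and hypothetical function names.

```python
# Added illustration: toy Paillier, NOT the project's code and NOT secure parameters.
P, Q = 2**31 - 1, 2**61 - 1      # constructed toy primes (both Mersenne primes)
N = P * Q                        # public key
N2, PHI = N * N, (P - 1) * (Q - 1)   # PHI is the recipient's secret
ELL_PRIME = 40                   # assumed toy value of \ell'

def encrypt(m, r):
    """Enc(m; r) = (1+N)^m * r^N mod N^2, with m taken mod N."""
    return pow(1 + N, m % N, N2) * pow(r, N, N2) % N2

def make_d(k_ct, gamma, beta, s):
    """Sender side (assumed shape of D): gamma * K + Enc(-beta; s), homomorphically."""
    return pow(k_ct, gamma, N2) * encrypt(-beta, s) % N2

def decrypt_signed(c):
    """Decrypt, then map the plaintext to its signed representative in (-N/2, N/2]."""
    m = (pow(c, PHI, N2) - 1) // N * pow(PHI, -1, N) % N
    return m if m <= N // 2 else m - N

def extract_randomizer(c, m):
    """Recover r such that c = Enc(m; r). Needs the secret PHI and gcd(N, PHI) = 1."""
    r_pow_n = c * pow(1 + N, -m % N, N2) % N2    # equals r^N mod N^2
    return pow(r_pow_n % N, pow(N, -1, PHI), N)  # N-th root modulo N

def in_range(alpha):
    """Range required of the non-reduced value: -2^ell' <= alpha <= 2^ell'."""
    return -(2**ELL_PRIME) <= alpha <= 2**ELL_PRIME

def check_incoming(d):
    """Recipient side: None if alpha is in range, otherwise evidence (alpha, r) for d."""
    alpha = decrypt_signed(d)
    if in_range(alpha):
        return None
    return alpha, extract_randomizer(d, alpha)

def verify_evidence(d, alpha, r):
    """Third-party side, public key only: d equals Enc(alpha; r) and alpha is out of range."""
    return not in_range(alpha) and encrypt(alpha, r) == d
```

The recipient never learns the sender's randomness directly; it recovers the effective randomizer of D with its secret key, which is what lets anyone holding only N re-check the published pair against the D_{i,j} in the original message.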