VRF uniqueness was violated (quickfix) #176
it is called s in the CONIKS paper/in KT (in the cfrg draft and other literature it is called c, though)
- add unique identifier: also hash h=H1(m), g^x and h^x (the VRF output) and not only the random nonce r (g^r, h^r); additionally hash m into H2 (as before)
- like in the paper, add the base-point and public-key
- skip outdated test-vectors
- unrelated: remove formatting version of test-output where no placeholder is used

fixes #175
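The fix described above binds the Fiat-Shamir challenge to everything the proof is supposed to commit to (the generator g, the public key g^x, the message m, h = H1(m) and the output h^x), not only to the nonce commitments g^r and h^r. The following is an added, self-contained illustration of that construction; it is not the code from this PR or from coniks-go and uses a toy prime-order Schnorr group (a deterministically found safe prime p = 2q + 1) instead of ed25519. The function names, the domain-separation prefixes and the H3 output derivation are assumptions made for the example.

```python
import hashlib
import secrets

# ---- toy group: the quadratic-residue subgroup of Z_p^*, p = 2q + 1 a safe prime ----

def _is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin (bases up to 37 are exact for n < 3.3e24)."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _find_safe_prime(start_q: int) -> int:
    """Smallest safe prime p = 2q + 1 with q >= start_q (deterministic, so the group is fixed)."""
    q = start_q | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

P = _find_safe_prime(1 << 61)     # assumed toy modulus, ~62 bits; real code uses ed25519
Q = (P - 1) // 2                  # order of the subgroup we work in
G = 4                             # 2^2 is a quadratic residue != 1, so it has order exactly Q
_W = (P.bit_length() + 7) // 8    # fixed-width encoding of group elements for hashing

def _enc(v: int) -> bytes:
    return v.to_bytes(_W, "big")

def _hash_to_group(m: bytes) -> int:
    """H1: hash the message to a subgroup element with unknown discrete log (square a hash)."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(b"VRF-H1" + ctr.to_bytes(4, "big") + m).digest(), "big") % P
        h = x * x % P
        if h not in (0, 1):       # x == 0 or x == +-1 would give a degenerate point; retry
            return h
        ctr += 1

def _challenge(pk: int, m: bytes, h: int, beta: int, u: int, v: int) -> int:
    """H2: Fiat-Shamir challenge over g, g^x, m, h = H1(m), beta = h^x, g^r and h^r.
    Hashing only u = g^r and v = h^r (the pre-fix behaviour) leaves beta unbound."""
    md = hashlib.sha256(b"VRF-H2")
    md.update(len(m).to_bytes(4, "big") + m)
    for elem in (G, pk, h, beta, u, v):
        md.update(_enc(elem))
    return int.from_bytes(md.digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def prove(x: int, pk: int, m: bytes):
    """Return (beta, proof): beta = h^x is the unique output, proof is a DLEQ proof for it."""
    h = _hash_to_group(m)
    beta = pow(h, x, P)
    r = secrets.randbelow(Q - 1) + 1
    u, v = pow(G, r, P), pow(h, r, P)
    c = _challenge(pk, m, h, beta, u, v)
    t = (r - c * x) % Q
    return beta, (c, t)

def verify(pk: int, m: bytes, beta: int, proof) -> bool:
    c, t = proof
    # Reject anything outside the prime-order subgroup before doing arithmetic on it.
    if not (1 < pk < P and pow(pk, Q, P) == 1 and 1 < beta < P and pow(beta, Q, P) == 1):
        return False
    if not (0 <= c < Q and 0 <= t < Q):
        return False
    h = _hash_to_group(m)
    u = pow(G, t, P) * pow(pk, c, P) % P      # equals g^r iff pk = g^x for the prover's x
    v = pow(h, t, P) * pow(beta, c, P) % P    # equals h^r iff beta = h^x for the same x
    return c == _challenge(pk, m, h, beta, u, v)

def vrf_value(beta: int) -> bytes:
    """H3: the pseudorandom output bytes derived from the unique point beta."""
    return hashlib.sha256(b"VRF-H3" + _enc(beta)).digest()

if __name__ == "__main__":
    x, pk = keygen()
    beta, proof = prove(x, pk, b"message")
    print(verify(pk, b"message", beta, proof), vrf_value(beta).hex())
```

Uniqueness here means that for a fixed key and message every honest run yields the same beta (the proof's randomness r only changes (c, t)), and a verifier accepts no other beta because that value is an input to the challenge it recomputes.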

cc @r2ishiguro

@liamsi, I just wonder if you had considered this IETF draft? https://tools.ietf.org/html/draft-goldbe-vrf-00

Yes, we (the CONIKS team) are currently discussing switching to this IETF draft (a good alternative would be OWS's vxeddsa). I think it's a good idea to implement the IETF version soon. If we do so, sure, let's keep the code in sync!

I would propose to implement two versions independently and share test-vectors. What do you think of this idea? I still need to discuss with my team-members, though.

You mean, we implement the same algorithm (probably EC-VRF-ED25519-SHA256?) independently and compare the results? Sounds good to me, but after that I'd like to share one implementation. Maybe we can create a new repository just for VRF in GitHub, or we can refer to the coniks-sys or coname repository.

Yes, sounds good to me!
I think a single dedicated repo makes sense as the VRF might become useful for other projects, too. Did you also have a look at vxeddsa BTW? (it is conceptually very similar to the VRF already used here and in coname but it doesn't suffer from this uniqueness problem)

I looked it over. It looks the same except the way the hash value is constructed. The draft looks simpler and if it doesn't require SHA3, it might have a benefit a little bit.

Here's a result from my implementation:
alpha: 6d657373616765
I used golang.org/x/crypto/ed25519.GenerateKey() to generate (x, P). As for implementation, I used "golang.org/x/crypto/ed25519/internal/edwards25519" but it's internal so I couldn't import it. I copied it as-is into my repository for now. Maybe we should ask Google to incorporate VRF into ed25519...?

I tried; as far as I remember the pull request never got looked at. Clarification: this was for the now-broken VRF from the original CONIKS paper, a better-justified design might have a better chance.
Vxeddsa doesn't use SHA3 either. Also, vxeddsa's hash_to_curve might be faster. We have a work in progress PR on that, too: #167 |

@r2ishiguro @andres-erbsen Would either of you be willing to review this PR? It LGTM, but it'd be great to have a more expert review before we merge this.

LGTM, too. FYI, I'm exchanging emails with Sharon and Leonid about the test vectors. They seem to be "tweaking" the spec right now. I'll keep you informed.

Thanks @r2ishiguro! And sounds good, hopefully we can get the ball rolling on that soon.
Adopt VRF to update in CONIKS paper …
fixes #175