BlockstreamResearch / bip-frost-dkg


Encrypt & send "self share" to avoid rederiving in recovery (with optimized ECDH) #51

Closed real-or-random closed 1 month ago

real-or-random commented 1 month ago

Alternative to #43.

As opposed to what I claimed in #43, I've stuck to comparing the indices instead of the enckeys, because then we don't need the array of all enckeys during decryption. Moreover, it seems a bit cleaner from a cryptographic point of view: We know for sure that our index belongs only to us, whereas our enckey could also belong to someone else in the sense that the attacker can claim to have the same enckey (at least in pure EncPedPop where we don't disallow duplicate pubkeys).

I doubt that comparing indices instead of enckeys makes a difference in terms of code complexity. The ugly thing (also for implementers) on master is the omission of the self_share in the array on the wire, which is hard to get right (easy off-by-one errors etc.), and which this PR also gets rid of.

jonasnick commented 1 month ago

Needs rebase