Implement a different PRNG for deriving challenge for NI proofs

LFDT-Lockness / paillier-zk

Zero-knoledge proofs of some paillier cryptosystem properties for use in CGGMP21

Apache License 2.0

1 stars 1 forks source link

Implement a different PRNG for deriving challenge for NI proofs #22

Closed survived closed 1 year ago

survived commented 1 year ago

Problem with current approach of deriving a challenge is that it truncates entropy to 256 bits. Depending on choice of security level, implementation might need a higher security level. Suggested approach to address that is to have our own implementation of PRNG (RngCore) that calculates i-th chunk of 32 random bytes as H(i || ..args).

survived commented 1 year ago

I see two ways to implement this PRNG:

Accept seed: Fn(Digest) -> Output<Digest> \ i-th chunk of randomness would be
```
seed(Digest::new().chain(i))
```

Accept seed: &[&[u8]] \ i-th chunk of randomness would be

Digest::new()
   .chain(i)
   .chain(seed[0])
   /* ... */
   .chain(seed[n-1])
   .finalize()

survived commented 1 year ago

Let me know if you have other ideas @d86leader