Closed mds1 closed 4 years ago
A 16-byte (or 128 bit) random number should theoretically provide sufficient security, as 128 bit keyspace is considered sufficiently secure for many high stakes usecases, i.e. Bitcoin private keys and seed phrases. That said, I don't feel fully qualified to say for sure that moving from 256 bits to 128 bits is definitely secure.
If we did decrease the size, the gains from a smaller number would primarily be:
This leads to another question, which is faster when scanning announcements:
Generally speaking, the bit security of ECDSA/ECC with n-bits is considered to be around n/2 due to the Pollard-Rho attack. Therefore, it does not make sense to waste performance and bandwidth to apply larger random numbers than 128 bits, since in that case, the security bottleneck would not be Umbra but Ethereum's applied elliptic-curve cryptography. Even today, after a decade of attacking AES, the best attack against AES-128 requires 2**{126.01} computation, hence AES-128 also provides approximately 128-bit security.
However, since the EVM has a word size of 256 bits, it might be the case that the ciphertext of AES-128 does not give any gas savings when it is logged out in the announcement.
All in all, given that we want a memo to be included in the random number, it would make sense to go with a 256-bit random number, where the first 128 bits is the memo, and the last 128-bits is the actual random number. And then the concatenation of these two parts would be encrypted with either AES or XOR.
given that we want a memo to be included in the random number, it would make sense to go with a 256-bit random number, where the first 128 bits is the memo, and the last 128-bits is the actual random number
Agreed, this is the approach we'll go with
To compute a stealth address for the recipient, the sender must generate a random number. Currently a 32-byte random number is used.
As part of the spec, determine if we should stick with a 32-byte random number or use a different size.