Closed tyurek closed 1 year ago
This issue isn't super actionable without a clear list of what should be incorporated into the transcripts. Sadly, the paper does not do a good job specifying what needs to be included.
> the Prover computes the challenge e by querying the oracle on a suitable input, which incorporates the theorem and the first message.
This doesn't account for the broader context -- session identifiers, player identifiers, fixed parameters, key-specific parameters, and perhaps other content -- that must be incorporated into these proofs to affix them to a single protocol instantiation (e.g. make them actually UC-secure).
@marsella Can we close this issue as superseded by #149?
Yep, I think that's appropriate.
When using Fiat-Shamir for non-interaction, we need to make sure we're incorporating all the public information we need into the proof transcript before hashing (this is something implementors are still messing up in practice: https://blog.trailofbits.com/2022/04/13/part-1-coordinated-disclosure-of-vulnerabilities-affecting-girault-bulletproofs-and-plonk/ ). This includes information like the session identifier, other player ids, and public variables such as public keys. The paper probably does a good job of specifying what needs to be included, but we need to make sure we're including it (and it's probably best to include anything possibly relevant just in case).
Mechanically, I'm thinking the way to handle this is to allow our zkproofs to take an external transcript (see #49).
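As an added worked example (not code from this thread or from the project it discusses), here is a context-binding Fiat-Shamir transcript of the kind both comments above ask for, consumed by a Schnorr proof of knowledge of a discrete log that takes the transcript as an external argument. It assumes a toy 73-bit safe-prime group found at import time (far too small for real use), and the names `ContextTranscript`, `bare_transcript`, `bound_transcript`, `prove_dlog`, `verify_dlog` and the byte labels are invented for this example. `bare_transcript` hashes only the statement and the first message, which is how the quoted paper wording reads; `bound_transcript` also absorbs the session id, prover id, participant ids, group parameters and public keys. `demo()` shows that a proof copied out of its context verifies under the first transcript and fails under the second.

```python
# Added example, not the project's code. Toy group; hypothetical labels/API.
import hashlib
import secrets
import struct

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)  # exact below 3.3e24


def _is_prime(n):
    """Miller-Rabin with fixed bases; deterministic for every n used here."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _find_safe_prime(bits):
    """Smallest q > 2**bits with q and p = 2q + 1 both prime (deterministic search)."""
    q = (1 << bits) | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = _find_safe_prime(72)            # toy parameters, regenerated at import
G = 4                                  # 2^2 generates the order-Q subgroup of QRs
ELEM_LEN = (P.bit_length() + 7) // 8   # fixed-width encoding for group elements


class ContextTranscript:
    """Each value is absorbed with a length-prefixed label and a length-prefixed
    body, so the hash input parses unambiguously (no concatenation collisions)."""

    def __init__(self, protocol_label):
        self._h = hashlib.sha256()
        self.append(b"protocol", protocol_label)

    def append(self, label, data):
        self._h.update(struct.pack(">I", len(label)) + label)
        self._h.update(struct.pack(">I", len(data)) + data)

    def append_int(self, label, n, length):
        self.append(label, n.to_bytes(length, "big"))

    def challenge(self, label, modulus):
        # Reduce a 256-bit digest into Z_modulus (bias negligible for 72-bit Q),
        # then absorb the result so any later challenge differs from this one.
        h = self._h.copy()
        h.update(b"challenge:" + label)
        e = int.from_bytes(h.digest(), "big") % modulus
        self.append(b"challenge:" + label, e.to_bytes(32, "big"))
        return e


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prove_dlog(transcript, x, X):
    """Schnorr PoK of x = log_G(X); the challenge is taken from the caller's
    transcript, so whatever context was absorbed beforehand is bound to the proof."""
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    transcript.append_int(b"statement", X, ELEM_LEN)
    transcript.append_int(b"commitment", R, ELEM_LEN)
    e = transcript.challenge(b"schnorr", Q)
    return R, (k + e * x) % Q


def verify_dlog(transcript, X, proof):
    R, s = proof
    transcript.append_int(b"statement", X, ELEM_LEN)
    transcript.append_int(b"commitment", R, ELEM_LEN)
    e = transcript.challenge(b"schnorr", Q)
    return pow(G, s, P) == (R * pow(X, e, P)) % P


def bare_transcript():
    """Only theorem and first message end up hashed (the paper's wording)."""
    return ContextTranscript(b"dlog-pok-v1")


def bound_transcript(session_id, prover_id, participants, public_keys):
    """Additionally binds session id, player ids, group parameters, public keys."""
    t = ContextTranscript(b"dlog-pok-v1")
    t.append(b"session-id", session_id)
    t.append(b"prover-id", prover_id)
    for pid in participants:
        t.append(b"participant", pid)
    t.append_int(b"group-p", P, ELEM_LEN)
    t.append_int(b"group-g", G, ELEM_LEN)
    for pk in public_keys:
        t.append_int(b"public-key", pk, ELEM_LEN)
    return t


def demo():
    """Alice proves knowledge of her key in session A; a copied proof is then
    checked in another session and under another prover's identity."""
    x, X = keygen()
    players = [b"alice", b"bob", b"mallory"]
    bare_proof = prove_dlog(bare_transcript(), x, X)
    proof = prove_dlog(bound_transcript(b"session-A", b"alice", players, [X]), x, X)
    return {
        "bare_accepts_in_any_context": verify_dlog(bare_transcript(), X, bare_proof),
        "bound_accepts_in_own_context": verify_dlog(
            bound_transcript(b"session-A", b"alice", players, [X]), X, proof),
        "bound_accepts_in_other_session": verify_dlog(
            bound_transcript(b"session-B", b"alice", players, [X]), X, proof),
        "bound_accepts_from_other_prover": verify_dlog(
            bound_transcript(b"session-A", b"mallory", players, [X]), X, proof),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that `prove_dlog` and `verify_dlog` never build a transcript themselves: the caller constructs it with whatever context the protocol instance has, then hands it in, so adding a new public value to the binding is a one-line change at the call site rather than a change to the proof code. Length-prefixing both label and body is what makes the absorbed byte string parse uniquely; without it, two different sequences of appends could hash to the same challenge.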