plra
commented
5 years ago You are correct in pointing out this difference between our implementation and BBF. However, for security we only need g to be a fixed generator (w.r.t. u and w) and its roots hard to compute. These criteria suffice for z = g^x to be a binding commitment to the logarithm x.
In the Rsa2048 case, you'll see that g is 2. This is certainly fixed, and since discrete logarithms are hard in the RSA group computing its roots is no easier than computing the roots of an arbitrary H_G(u, w).
For more detail see sections 3.2-3.3 of BBF (in particular, sections An attack and Non-interactive proofs).
HarryR
In https://github.com/cambrian/accumulator/blob/c1450aac7cc45011af40b48db02354c6a27a8a76/src/proof/poke2.rs#L19
And https://github.com/cambrian/accumulator/blob/c1450aac7cc45011af40b48db02354c6a27a8a76/src/proof/poke2.rs#L32
The NI-PoKE2 implementation uses the group generator, however the BBF'18 paper denotes that
g ← H_𝔾(u,w)in the non-interactive context. (see pg42, appendix D)I think this is significant, in the non-interactive context, because it ensures the whole equation is parameterised by
uandw, whereas without the 'hash to group' function being used for the generator ofg^xyou potentially weaken the proof.I can't see a 'hash to group' function in the source code.
What are your thoughts?