celo-org / celo-bls-snark-rs

Implements SNARK-friendly BLS signatures
https://celo.org
Apache License 2.0

fix: disallow the padding value as a public key in an activated location #204

Closed kobigurk closed 3 years ago

kobigurk commented 3 years ago

Description

This PR disallows using the padding public key as a public key in a location where a bit is active.

This prevents an attack where a malicious prover could use the padding public keys, which are defined currently to be the generator, as part of the used public keys in a block. This is bad, since the secret key against these is known - it's just one.

An alternative solution would have been to use an element with an unknown discrete log against the generator as the padding value. This is worse, in my opinion, since we'd have to convince others that the discrete log is unknown. It's somewhat OK if we use a hash to derive it, but it still requires inspiring confidence in it.

Tested

Added a test that shows the proofs fail when the padding value is used.
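The check the PR describes, as an added illustration that is not code from celo-bls-snark-rs: keys live in a constructed toy additive group (exponents modulo a small prime, generator `1`) rather than real BLS points, so the padding key has secret key 1 exactly as the description states, and an active slot holding it is rejected before aggregation.

```python
# Added example, not the project's own code. Constructed toy group: elements are
# integers mod ORDER, the generator is 1, and a public key is sk * G = sk, so the
# padding key (the generator) has the known secret key 1, as the PR points out.
ORDER = 7919  # constructed toy group order, not a BLS parameter
PADDING_PUBKEY = 1  # the generator, which the PR says is the current padding value


def padding_used_as_active(pubkeys, bitmap, padding=PADDING_PUBKEY):
    """Return the slot indices where the bit is set but the key is the padding value."""
    if len(pubkeys) != len(bitmap):
        raise ValueError("bitmap length must match the number of key slots")
    return [
        i for i, (pk, bit) in enumerate(zip(pubkeys, bitmap))
        if bit and pk == padding
    ]


def aggregate_active(pubkeys, bitmap, padding=PADDING_PUBKEY):
    """Aggregate the keys whose bit is set, refusing any active padding slot.

    Without the check, an active padding slot would contribute a key whose
    secret (1) is public knowledge, which is the attack the PR closes off.
    """
    bad = padding_used_as_active(pubkeys, bitmap, padding)
    if bad:
        raise ValueError(f"padding public key used in active slot(s) {bad}")
    return sum(pk for pk, bit in zip(pubkeys, bitmap) if bit) % ORDER


if __name__ == "__main__":
    # Constructed block: four slots, two real validators, two padding slots.
    keys = [12, PADDING_PUBKEY, 345, PADDING_PUBKEY]
    print(aggregate_active(keys, [1, 0, 1, 0]))  # padding slots inactive: accepted
    try:
        aggregate_active(keys, [1, 1, 1, 0])  # padding slot 1 marked active: rejected
    except ValueError as err:
        print("rejected:", err)
```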