cfrg / draft-irtf-cfrg-vdaf

VDAF specification

Review: Hannah Davis: Potential for joint randomness repetition in Prio3 #119

Closed hannahdaviscrypto closed 1 year ago

hannahdaviscrypto commented 1 year ago

Prio3 uses a variant of the Fiat-Shamir transform to derive random coins for its underlying proof system from the inputs to each aggregator. However, this derivation doesn't include the nonce, which means that a malicious client can submit the same set of input shares multiple times under different nonces and they will be processed with the same joint randomness. This introduces a threat to robustness. As a toy example, there is a degenerate FLP that is sound with L bits of security when each set of input shares is submitted at most once, but is vulnerable to a 2^(L/2)-query attack if they can be submitted under many nonces.
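The following is an added illustration of the repetition the comment describes; it is not code from the draft, its reference implementation, or the commenter. It is a deliberately simplified model: a toy prime field, SHA-256 standing in for the PRG, made-up domain-separation strings, and a `joint_rand_part` that binds only the aggregator ID and its share are all assumptions. `joint_rand_seed_shares_only` models the nonce-free derivation the issue points at; `joint_rand_seed_with_nonce` is a hypothetical variant that additionally binds the nonce, shown only to make the difference visible, not a remedy proposed on this page.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Toy parameters for illustration only; these are not Prio3's actual field,
# PRG, or domain-separation constants (assumption).
FIELD_MODULUS = 2**61 - 1
NONCE_LEN = 16


@dataclass(frozen=True)
class Report:
    """One client submission: a nonce plus one input share per aggregator."""
    nonce: bytes
    input_shares: tuple


def split_measurement(measurement: int, num_shares: int) -> tuple:
    """Additively secret-share a field element across num_shares aggregators."""
    shares = [secrets.randbelow(FIELD_MODULUS) for _ in range(num_shares - 1)]
    last = (measurement - sum(shares)) % FIELD_MODULUS
    return tuple(shares + [last])


def recombine(shares) -> int:
    """Aggregator-side reconstruction (sanity check for the sharing above)."""
    return sum(shares) % FIELD_MODULUS


def joint_rand_part(agg_id: int, share: int) -> bytes:
    """Each aggregator's contribution, bound to its ID and its own share only
    (simplified stand-in for the real per-aggregator derivation)."""
    h = hashlib.sha256(b"toy-joint-rand-part")
    h.update(bytes([agg_id]))
    h.update(share.to_bytes(8, "big"))
    return h.digest()


def joint_rand_seed_shares_only(report: Report) -> bytes:
    """The derivation the issue describes: a hash over the input shares only.
    Nothing here depends on report.nonce."""
    h = hashlib.sha256(b"toy-joint-rand-seed")
    for agg_id, share in enumerate(report.input_shares):
        h.update(joint_rand_part(agg_id, share))
    return h.digest()


def joint_rand_seed_with_nonce(report: Report) -> bytes:
    """Hypothetical variant that also binds the nonce (assumption, not from the issue)."""
    h = hashlib.sha256(b"toy-joint-rand-seed")
    h.update(report.nonce)
    for agg_id, share in enumerate(report.input_shares):
        h.update(joint_rand_part(agg_id, share))
    return h.digest()


def replay_under_fresh_nonces(input_shares, count: int) -> list:
    """Malicious client: reuse one fixed set of input shares under `count` fresh nonces."""
    return [Report(secrets.token_bytes(NONCE_LEN), tuple(input_shares)) for _ in range(count)]


def distinct_joint_rand(reports, derive) -> int:
    """Number of distinct joint-randomness seeds the aggregators would actually use
    across the given reports, for a given derivation function."""
    return len({derive(r) for r in reports})


if __name__ == "__main__":
    shares = split_measurement(7, num_shares=2)
    reports = replay_under_fresh_nonces(shares, count=8)
    print("distinct nonces:                 ", len({r.nonce for r in reports}))
    print("distinct joint rand (shares only):", distinct_joint_rand(reports, joint_rand_seed_shares_only))
    print("distinct joint rand (with nonce): ", distinct_joint_rand(reports, joint_rand_seed_with_nonce))
```

Run stand-alone, the shares-only derivation yields a single joint-randomness seed for all eight reports even though every report carries a different nonce, which is exactly the repetition the comment is concerned about; the nonce-binding variant yields eight distinct seeds.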

hannahdaviscrypto commented 1 year ago