Closed cjpatton closed 1 month ago
This was decided in https://github.com/cfrg/draft-irtf-cfrg-vdaf/issues/32#issuecomment-1465432536 and you are correct, it is needed for the concrete security of the fixed-key AES construction. I'll send a PR to clarify this.
We require the binder string to be generated at random, but we don't prescribe its length or say why it needs to be random:
https://github.com/cfrg/draft-irtf-cfrg-vdaf/blob/3ac03623c4680b28d1517af0a16dd513e1d0c310/draft-irtf-cfrg-vdaf.md?plain=1#L3710-L3714
I believe this has to do with how `XofFixedKeyAes128` affects the concrete security of `Poplar1`, but I don't remember the details. Let's make sure this is documented. Furthermore, we need to define the length so that the user knows how many bytes to sample. I'd suggest renaming the binder to `nonce` and adding `Idpf.NONCE_SIZE` as a constraint on `Idpf`. (`Poplar1` may need to be modified accordingly.)