dbosk / crocus

Securely and privately verifiable protests

Mechanism reuse vulnerability #134

Closed dbosk closed 6 years ago

dbosk commented 6 years ago

We use the same PRF to compute both pid and wid. This might allow for a mechanism reuse attack: \pid_E \gets \hash(manifesto), \wid{\pid_E} = \PRF[\sk_A][\pid_E] = \PRF[\sk_A][\cid] = \pid_A.

This attack might be prevented due to the PPK that proves the correctness of \pid_E, which will not pass if \pid_E = \hash(manifesto).

There is a branch for this in no-mechanism-reuse. If this is a non-issue, delete that branch.
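An added illustration of the concern above, not code from the crocus repository: it models pid as PRF[sk][cid] and wid as PRF[sk][pid_E] with one keyed PRF (HMAC-SHA256 is assumed as the PRF, and cid = hash(manifesto) is the reading of the equation in the comment), shows that choosing pid_E = cid makes A's wid collide with A's own pid, and then shows the standard countermeasure of domain separation (a distinct label per purpose), which is an assumed fix and not necessarily what #100 and #104 did.

```python
"""Mechanism reuse of one keyed PRF for two identifiers, and domain separation.

Everything here is constructed for illustration: the PRF choice (HMAC-SHA256),
the labels, the key size and the manifesto text are assumptions, not crocus.
"""
import hashlib
import hmac
import os


def prf(key: bytes, msg: bytes) -> bytes:
    """Stand-in for the abstract PRF: HMAC-SHA256 under `key` (assumption)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


# --- As described in the issue: same PRF, same key, unlabelled inputs -------

def pid_reused(sk: bytes, cid: bytes) -> bytes:
    """Protester id: pid = PRF[sk][cid], where cid = hash(manifesto)."""
    return prf(sk, cid)


def wid_reused(sk: bytes, pid_e: bytes) -> bytes:
    """Witness id for another protester's pid: wid(pid_E) = PRF[sk][pid_E]."""
    return prf(sk, pid_e)


# --- Domain-separated variant (assumed fix): label each purpose -------------

PID_LABEL = b"crocus-pid\x00"   # constructed label
WID_LABEL = b"crocus-wid\x00"   # constructed label; must differ from PID_LABEL


def pid_separated(sk: bytes, cid: bytes) -> bytes:
    """pid = PRF[sk][PID_LABEL || cid]."""
    return prf(sk, PID_LABEL + cid)


def wid_separated(sk: bytes, pid_e: bytes) -> bytes:
    """wid(pid_E) = PRF[sk][WID_LABEL || pid_E]; the label keeps the input
    domains disjoint, so no choice of pid_E can reproduce a pid input."""
    return prf(sk, WID_LABEL + pid_e)


def wid_equals_own_pid(sk: bytes, cid: bytes, pid_fn, wid_fn) -> bool:
    """Check the issue's case: does pid_E := cid make wid(pid_E) == pid_A?"""
    crafted_pid_e = cid  # pid_E set to hash(manifesto), i.e. to cid
    return wid_fn(sk, crafted_pid_e) == pid_fn(sk, cid)


def compare(sk: bytes, manifesto: bytes) -> dict:
    """Run the same check against both derivations and report the outcome."""
    cid = hashlib.sha256(manifesto).digest()  # cid = hash(manifesto)
    return {
        "reused": wid_equals_own_pid(sk, cid, pid_reused, wid_reused),
        "separated": wid_equals_own_pid(sk, cid, pid_separated, wid_separated),
    }


if __name__ == "__main__":
    result = compare(os.urandom(32), b"constructed manifesto text")
    print(result)  # reused derivation collides, separated one does not
```

The separated variant is a generic hardening: with per-purpose labels the two PRF input sets never overlap, so the equality in the comment cannot be forced regardless of how pid_E is chosen. The PPK mentioned above is a complementary check on the *structure* of pid_E (that it really is a PRF output under some protester key) rather than on the PRF's input domain.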

dbosk commented 6 years ago

This was solved in #100 and #104.