Closed BasileiosKal closed 1 year ago
Discussed on 12th of December WG call, related to #230, rough consensus appeared to be that we could simplify this procedure and not even invoke encode_for_hash, instead take msg and call hash_to_scalar directly. We also discussed removing the length check and adding a note around DST lengths.
Discussed on WG call 9th of January. Next step is to open a PR with the proposed approach to have a solid base for further discussion.
Is there any actual reason to add the length of the messages in MapMessageToScalarAsHash??
It probably doesn’t hurt security even with weak hash functions (especially since the hash is moded); however, I don’t think it adds anything either. Most hash functions (e.g., SHA-2 and the Merkle–Damgård functions in general) encode the length of the message either way in the pad.
+ I don’t think we have to worry about length extension attacks, even if they were possible, which they are not.