Closed BasileiosKal closed 1 year ago
Personally not sure how useful this will be above the transport layer however this would potentially make the suggestion in #227 easier to apply.
I'm a -1 to this proposal for the following reasons
(m^_1, ..., m^_U)
This issue does raise a good point that we could omit L from proof verify and deduce it based on length(m^_1, ..., m^_U) when decoding the proof.
This was suggested at the start of this work item as well, as the previous implementations of BBS+ used this approach. In my mind, U
is part of the public proof parameters along with the presentation header ph
, and does not need to be encoded in the proof itself.
Discussed on the WG call 9th of January. Consensus is that rn the added redundancy is useful in some rare cases. Will discuss closing this issue in the next WG call, with the potential of reopening after #227 is resolved
Discussed in the WG call 23d of January. Closing the issue with the potential of reopening after #227. Will also look into adding an implementation note describing this solution as a potential mitigation if one is needed.
Like this. I was doing something like this in my code but deriving U from the L value.
Opening to track a suggestion made by @andrewwhitehead in PR #230.
The idea IMU is to add
U
(total number of undisclosed messages) in the proof, i.e.,proof = (A', Abar, D, c, e^, r2^, r3^, s^, *U*, (m^_1, ..., m^_U))
.This will add some redundancy in case the proof gets accidentally truncated (or malformed in general).