fcelda / nsec5-draft

Working Copy of the NSEC5 Specification

ECVRF_hash_to_curve1 not usable when input must be kept secret? #18

Closed (reyzin closed this issue 7 years ago)

reyzin commented 7 years ago

The draft says "this algorithm MUST NOT be used in applications where the VRF input alpha must be kept secret" because of possible timing attacks. However, timing attacks may not be possible in some settings, may be mitigated in others, and anyway, as the draft itself says, the leakage is very small (expected 1 bit). Does MUST NOT really belong there?
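To make the timing concern behind this comment concrete, the following is an added illustration written for this page; it is not code from the NSEC5 draft, the VRF draft, or this repository. It models the try-and-increment loop of ECVRF_hash_to_curve1 on a constructed toy curve (the parameters `P`, `A`, `B`, the `SUITE` string and the `PK` bytes are placeholders, not real ciphersuite values) and reduces the hash output mod P instead of decoding it as a point, which keeps the roughly 1/2 success rate per attempt. It shows that the number of attempts, and therefore the run time, is a function of alpha, and it pairs the early-exit form with a fixed-iteration variant that removes the iteration-count channel.

```python
import hashlib
from collections import Counter

# Constructed toy curve y^2 = x^3 + A*x + B over GF(P); parameters are illustrative
# only and are not any curve or ciphersuite from the VRF draft.
P = (1 << 61) - 1            # Mersenne prime, so field arithmetic stays simple
A, B = 2, 3                  # 4A^3 + 27B^2 != 0 mod P, so the curve is non-singular

SUITE = b"\x00"              # placeholder suite_string (assumption)
ONE = b"\x01"                # the draft's one_string domain separator
PK = b"\x04" + b"\x11" * 16  # placeholder public-key encoding (constructed)


def is_valid_x(x):
    """x is a point's x-coordinate iff x^3 + A*x + B is a square mod P (Euler's criterion)."""
    rhs = (pow(x, 3, P) + A * x + B) % P
    return rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1


def candidate_x(alpha, ctr):
    """Hash(suite || one || PK || alpha || ctr), reduced mod P to a candidate x.
    The draft instead interprets the hash as an encoded point; the toy reduction
    keeps the ~1/2 success rate per try that drives the timing behaviour."""
    h = hashlib.sha256(SUITE + ONE + PK + alpha + bytes([ctr])).digest()
    return int.from_bytes(h, "big") % P


def hash_to_curve_try_and_increment(alpha):
    """Early-exit form, as in ECVRF_hash_to_curve1: returns (x, attempts).
    The number of loop iterations, and hence the run time, depends on alpha."""
    for ctr in range(256):
        x = candidate_x(alpha, ctr)
        if is_valid_x(x):
            return x, ctr + 1
    raise ValueError("no valid point found in 256 attempts")


def hash_to_curve_fixed_iterations(alpha, n_iter=64):
    """Mitigation: always evaluate n_iter candidates and select the first valid one
    with arithmetic masks, so the iteration count no longer depends on alpha.
    (Python big-int arithmetic is not itself constant-time; this removes the
    iteration-count channel only, which is the dominant leak.)"""
    found, result = 0, 0
    for ctr in range(n_iter):
        x = candidate_x(alpha, ctr)
        sel = int(is_valid_x(x)) & (1 - found)   # 1 only for the first valid candidate
        result = result * (1 - sel) + x * sel
        found |= sel
    if not found:                                # probability about 2^-n_iter
        raise ValueError("no valid point found in %d attempts" % n_iter)
    return result


def attempt_distribution(n_inputs):
    """Run the early-exit version over n_inputs constructed alphas and report how
    the attempt count varies: Counter of attempts -> frequency, and the mean."""
    counts = Counter()
    total = 0
    for i in range(n_inputs):
        alpha = b"constructed-input-%d" % i
        _, attempts = hash_to_curve_try_and_increment(alpha)
        counts[attempts] += 1
        total += attempts
    return counts, total / n_inputs


if __name__ == "__main__":
    dist, mean = attempt_distribution(2000)
    print("attempts -> frequency:", sorted(dist.items()))
    print("mean attempts: %.2f (geometric with success rate ~1/2)" % mean)
```

Running it prints a geometric-looking histogram of attempt counts with a mean near 2: each extra attempt is one more hash and one more Legendre-symbol exponentiation, so an observer who can time the call learns which bucket a secret alpha fell into. The fixed-iteration variant returns the same point for the same alpha but always does `n_iter` rounds, which is the kind of mitigation that makes a SHOULD NOT (rather than MUST NOT) defensible in settings where timing can be observed.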

goldbe commented 7 years ago

You're right. We could say SHOULD NOT.

goldbe commented 7 years ago

Or, we could put in a sentence like the one you wrote above.

goldbe commented 7 years ago

Made this change in https://github.com/fcelda/nsec5-draft/commit/1a0bc30bf292fe769f2e34002fbf2c1c50da5525