mattrglobal / pairing_crypto

A library for pairing based cryptography
Apache License 2.0

Random scalars #49

Closed BasileiosKal closed 1 year ago

BasileiosKal commented 2 years ago

The Scalar::random(rng) operation from blstr (used in Proof::new_with_rng) uses rejection sampling to return a random scalar. This is both insecure and inconsistent with the spec. We should be using hash_to_scalar instead.

tplooker commented 2 years ago

Can this now be closed @BasileiosKal @dev0x1?

dev0x1 commented 2 years ago

Can this now be closed @BasileiosKal @dev0x1?

Yes, all changes are done wrt this.

BasileiosKal commented 2 years ago

Yep, this issue is fixed. Will keep it open a little longer though, to discuss a bit about the way we are creating random scalars. Will close after.

Right now, each random scalar is created by calling an rng and passing the output to hash_to_scalar. This is fine in most cases, but my preference (and what the spec does) would be to call an rng only once, pass the output to hash_to_scalar and get all the random scalars at once (for example to get 6 scalars call something like rand_scalars = hash_to_scalar::<X>(&rng_out, 6)).

This is to "reduce" the attack surface of an adversary that has (some) control over the rng i.e., to avoid entropy attacks (for some examples, see: http://blog.cr.yp.to/20140205-entropy.html).
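The two patterns discussed in this thread, one rng call per scalar versus a single rng call expanded into all the scalars at once, as an added illustration that is not part of the issue and not the pairing_crypto library's own hash_to_scalar. The expansion here is a simplified counter-mode SHA-256 stand-in for the spec's expand_message, the domain separation tag is a constructed value, and CountingRng is a constructed wrapper around the OS RNG that only counts how many times it is consulted; the BLS12-381 scalar field order r is the public constant.

```python
import hashlib
import secrets

# Order r of the BLS12-381 scalar field (public constant).
BLS12_381_R = 0x73EDA753299D7D483339D80809A1D80553BDA402FFFE5BFEFFFFFFFF00000001

# Bytes consumed per scalar before reduction mod r: 48 bytes (384 bits)
# keeps the reduction bias for a ~255-bit modulus far below 2^-128.
SCALAR_INPUT_LEN = 48

# Constructed domain separation tag for this illustration only (not the spec's).
DST = b"EXAMPLE-RANDOM-SCALARS-V1"


def expand_message(msg: bytes, dst: bytes, len_in_bytes: int) -> bytes:
    """Counter-mode SHA-256 expansion: a simplified stand-in for expand_message_xmd.

    The requested output length and the DST are bound into every block so that
    different requests on the same seed do not share output.
    """
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < len_in_bytes:
        h = hashlib.sha256()
        h.update(len(dst).to_bytes(1, "big") + dst)
        h.update(len_in_bytes.to_bytes(2, "big"))
        h.update(msg)
        h.update(counter.to_bytes(2, "big"))
        blocks.append(h.digest())
        counter += 1
    return b"".join(blocks)[:len_in_bytes]


def hash_to_scalar(msg: bytes, count: int) -> list[int]:
    """Derive `count` scalars in [0, r) from one input, each from its own 48-byte chunk."""
    okm = expand_message(msg, DST, count * SCALAR_INPUT_LEN)
    return [
        int.from_bytes(okm[i * SCALAR_INPUT_LEN:(i + 1) * SCALAR_INPUT_LEN], "big") % BLS12_381_R
        for i in range(count)
    ]


class CountingRng:
    """Constructed wrapper: draws from the OS RNG and records how often it is consulted."""

    def __init__(self) -> None:
        self.calls = 0

    def fill_bytes(self, n: int) -> bytes:
        self.calls += 1
        return secrets.token_bytes(n)


def scalars_one_rng_call_each(rng: CountingRng, count: int) -> list[int]:
    """Current pattern described in the thread: one rng call per scalar."""
    return [hash_to_scalar(rng.fill_bytes(32), 1)[0] for _ in range(count)]


def scalars_single_rng_call(rng: CountingRng, count: int) -> list[int]:
    """Preferred pattern: one rng call, all scalars derived from that single output."""
    return hash_to_scalar(rng.fill_bytes(32), count)


if __name__ == "__main__":
    rng = CountingRng()
    six = scalars_single_rng_call(rng, 6)
    print(f"{len(six)} scalars from {rng.calls} rng call; all < r:",
          all(0 <= s < BLS12_381_R for s in six))
    rng = CountingRng()
    scalars_one_rng_call_each(rng, 6)
    print(f"per-scalar pattern consulted the rng {rng.calls} times")
```

With the single-call pattern an adversary who can influence individual rng outputs gets exactly one draw to work with, and every scalar in the proof is a deterministic function of that one draw and the domain separation tag; the per-scalar pattern hands the adversary one opportunity per scalar, which is the surface the linked entropy-attack post is about.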