nirvantyagi
commented
4 years ago Commit https://github.com/nirvantyagi/orca/commit/5fa9b2d859eb37067aa0ab8bd6d09f2b7f39b121 identifies serialization mismatch.
Open nirvantyagi opened 4 years ago
nirvantyagi
commented
4 years ago Commit https://github.com/nirvantyagi/orca/commit/5fa9b2d859eb37067aa0ab8bd6d09f2b7f39b121 identifies serialization mismatch.
nirvantyagi
commented
4 years ago Commit https://github.com/nirvantyagi/orca/commit/d2139bfdee1d94284082ee459963719a7eb0a9ec pushes temporary workaround that parameterizes the algebraic MAC with ProjectiveCurve allowing the serialization to use the affine group element.
The fix is not robust; it only serializes the commitment group elements using the affine representation. These are the elements that are calculated in different ways so they end up in different projective representations. The public key and public parameters are serialized normally.
GroupProjective (https://github.com/scipr-lab/zexe/blob/master/algebra/src/curves/models/short_weierstrass_jacobian.rs#L221) serializes based on the (X, Y, Z) elliptic curve coordinates (https://github.com/scipr-lab/zexe/blob/master/algebra/src/curves/models/short_weierstrass_jacobian.rs#L267) which results in different serializations even when the group elements are "equal", i.e., project to the same affine point (https://github.com/scipr-lab/zexe/blob/master/algebra/src/curves/models/short_weierstrass_jacobian.rs#L234).
This means that if trying to generically work with GroupProjective as a Group, hashing two group elements that are supposed to be equal will result in different outputs. This breaks primitives that rely on Fiat-Shamir non-interactive challenges.