relic-toolkit / relic


ENDOM BN curve 256 has different initialization parameters in Main and in the code under Latest #214

Closed oliviervibe closed 2 years ago

oliviervibe commented 2 years ago

The initialization parameters of BN curves 256 are different in the Main branch and the code that can be downloaded under latest. Both codes are version 0.5.0.

Main:

    #define BN_P256_A "0"
    #define BN_P256_B "11"
    #define BN_P256_X "B64000000000FF2F2200000085FD5480B0001F44B6B88BF142BC818F95E3E6AE"
    #define BN_P256_Y "4"
    #define BN_P256_R "B64000000000FF2F2200000085FD547FD8001F44B6B7F4B7C2BC818F7B6BEF99"
    #define BN_P256_H "1"
    #define BN_P256_MAPU "1"

Latest:

    #define BN_P256_A "0"
    #define BN_P256_B "11"
    #define BN_P256_X "B64000000000FF2F2200000085FD5480B0001F44B6B88BF142BC818F95E3E6AE"
    #define BN_P256_Y "4"
    #define BN_P256_R "B64000000000FF2F2200000085FD547FD8001F44B6B7F4B7C2BC818F7B6BEF99"
    #define BN_P256_H "1"
    #define BN_P256_BETA "B64000000000FF2E2F00000085FC555230001F445D656FB022BC77236CD54C89"
    #define BN_P256_LAMB "B64000000000FF2D3C00000085FB562050001F44040FF68D82BC6CB6D9E8694E"

The issue is that I have keys generated with the params with BETA and LAMBDA, and I found out that they are not compatible with the code without BETA and LAMBDA of the main branch.

Why were those parameters removed as now the main branch is completely breaking the compatibility with the previous versions??

I wanted to use the code of the main branch because the one of the "latest" doesn't compile for Windows 64.

dfaranha commented 2 years ago

The parameters are not hard-coded anymore and are computed at configuration time in src/ep/relic_ep_param.c. This makes it much easier to include new parameter sets, and the code is cleaner as a result.

You are doing something wrong if you are relying on BETA and LAMBDA being defined explicitly, as these are internal symbols. You should be interacting with the library through the API only.

I have bumped the repository version to 0.6.0 to avoid confusion with the previous release.

oliviervibe commented 2 years ago

Thanks. We're only using pc_map, g1_map, g2_map and g1/g2 operations to implement our IBE.

I have been using the lib 0.4.1 for some time and I was trying to move our code to the latest and I took the main branch.

In both cases I traced the values of different results and I found out that the g1_map and g2_map results are different when running with 0.4.1 or the current main branch.

In both cases the HASH used is SHA256 but the code of g1_map and g2_map has completely changed, giving different results for the same value.

This is what seems to cause the keys that we generated using relic 0.4.1 to be unusable with the code using the latest main branch.

Map with 0.4.1:

    g1_map(olivier@skynet.com): 0317AA4E4B963FCF19E6BDE8730093F8145E0AD608B58D2ADFF1B70D08E7BF91BA
    g2_map(cyber@skynet.com): 027FA564A8409CD115EDC9D883547CD9694E0CADCDEAD6ABF912369ED54C1073929D539C89ACC1EEE94ED83FE503403346A6E803C0586D7FA5EE8B8D3612E8253E

Map with 0.5 main:

    g1_map(olivier@skynet.com): 02819C5065E8FCE03A0A7847E83F550FEA409FF446B37F5D10F3110F1DEFDECD5B
    g2_map(cyber@skynet.com): 03728B84093DC58BABBE1A1EB41A6FA91CDFFBEFBFE22B6408DC54C70E566EB582AC67A9CD890C9505637E4ACD309A142F0FEA894A02F340CA11A822C8FCC3C4C7

I understand your point with the parameters and I thought that this change of parameters was causing the issue I have.

I also did the same calculation with the 0.5, and in that case g2_map is the same as with 0.4.1 but g1_map is different.

Could you tell me why the method to calculate g1_map and g2_map was changed? Is there a way to configure the library so the g1_map/g2_map functions would give the same result as the 0.4.1 version?

dfaranha commented 2 years ago

There was a huge refactoring of the hash-to-curve functions in early 2020 to update the algorithms to the state of the art in https://eprint.iacr.org/2019/403.pdf

The earlier code you are using does not exist in the library anymore.
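Added example, not part of the thread and not RELIC code: it decompresses the two g1_map outputs quoted above and checks them against y² = x³ + B using only the constants posted in the issue, showing that both versions return valid but different points, so the divergence is in the hash-to-curve algorithm and not in the curve. It assumes the field prime is BN_P256_X + 1 (which makes the posted generator (−1, 4)) and that the first byte is a 02/03 y-parity prefix; all function names are hypothetical.

```python
# Added example. Constants are copied from the issue text; P = X + 1 is an assumption.
from math import isqrt

B = 0x11
GX = int("B64000000000FF2F2200000085FD5480B0001F44B6B88BF142BC818F95E3E6AE", 16)
GY = 0x4
R = int("B64000000000FF2F2200000085FD547FD8001F44B6B7F4B7C2BC818F7B6BEF99", 16)
P = GX + 1  # assumption: the generator's x-coordinate is -1 mod p

# g1_map("olivier@skynet.com") as quoted in the thread for each library version
G1_MAP = {
    "0.4.1": "0317AA4E4B963FCF19E6BDE8730093F8145E0AD608B58D2ADFF1B70D08E7BF91BA",
    "0.5 main": "02819C5065E8FCE03A0A7847E83F550FEA409FF446B37F5D10F3110F1DEFDECD5B",
}

def bn_parameter():
    """BN curves satisfy p - r = 6u^2; return |u|, or None if P and R do not fit."""
    q, rem = divmod(P - R, 6)
    u = isqrt(q)
    return u if rem == 0 and u * u == q else None

def on_curve(x, y):
    return (y * y - (x * x * x + B)) % P == 0

def decompress(hex_point):
    """Decode a 33-byte compressed point; None if malformed or not on the curve."""
    raw = bytes.fromhex(hex_point)
    if len(raw) != 33 or raw[0] not in (2, 3):
        return None
    x = int.from_bytes(raw[1:], "big")
    if x >= P:
        return None
    y = pow(x * x * x + B, (P + 1) // 4, P)  # square root, valid because P % 4 == 3
    if not on_curve(x, y):
        return None  # x^3 + B is not a square, so no point has this x
    if y & 1 != raw[0] & 1:
        y = P - y  # pick the root whose parity matches the prefix byte
    return x, y

def compare_versions():
    """Return {version: decoded point} and whether every version agrees."""
    points = {v: decompress(h) for v, h in G1_MAP.items()}
    return points, len(set(points.values())) == 1

if __name__ == "__main__":
    print("BN parameter |u|:", hex(bn_parameter()))
    points, same = compare_versions()
    for version, pt in points.items():
        print(version, "valid point" if pt else "INVALID")
    print("identical across versions:", same)
```

Recording such outputs as known-answer vectors next to stored keys, together with the library version that produced them, turns a silent hash-to-curve change into a failing check at upgrade time.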

oliviervibe commented 2 years ago

Thanks for the information.

I noticed that the g1_map/g2_map functions of the 0.6 version (main branch) are also different from the 0.5 version.

As the 0.5 was initiated in 2020, is the 0.6 version also incompatible with the 0.5, and part of the support of the update to the latest improvement of hashing data to the groups?

I have tested both 0.5 and 0.6 with our IBE implementation and they work fine. Are the hashing functions of the 0.6 now stable and won't be changed soon?

dfaranha commented 2 years ago

There are no plans to change it until the next release sometime early next year (unless the state of the art changes dramatically until then).

dfaranha commented 1 year ago

Just a heads up, the hashing functions will change again because the state of the art changed dramatically: https://eprint.iacr.org/2022/759

oliviervibe commented 1 year ago

Thanks for the info!

I appreciate it.

Best,
Olivier Rouit

Senior Embedded Security Architect
VIBE Cybersecurity International LLC

Email and MS Teams: @.*** Web: https://vibecyber.com Skype: orouit



From: Diego F. Aranha @.>
Sent: Tuesday, October 11, 2022 9:44 PM
To: relic-toolkit/relic @.>
Cc: Olivier Rouit @.>; Author @.>
Subject: Re: [relic-toolkit/relic] ENDOM BN curve 256 has different initialization parameters in Main and in the code under Latest (Issue #214)

Just a heads up, the hashing functions will change again because the state of the art changed dramatically: https://eprint.iacr.org/2022/759
