When constructing a padded input set, the last element is repeated to ensure proper sizing that matches the specified parameters. However, only the resulting padded set is used when producing the transcript hash.
This means collisions can occur. For example, the unpadded input set A, B, C, C will result in the same transcript hash as the input set A, B, C padded to length N = 4. This is not canonical.
The correct approach is to either use the unpadded input set in the transcript, or to include the unpadded length along with the padded input set.
When constructing a padded input set, the last element is repeated to ensure proper sizing that matches the specified parameters. However, only the resulting padded set is used when producing the transcript hash.
This means collisions can occur. For example, the unpadded input set
A, B, C, Cwill result in the same transcript hash as the input setA, B, Cpadded to lengthN = 4. This is not canonical.The correct approach is to either use the unpadded input set in the transcript, or to include the unpadded length along with the padded input set.