Verification should ensure VRFPreOut has prime order #15

Open
burdges opened this issue Apr 26, 2020 · 0 comments
burdges commented Apr 26, 2020

We do not currently force the VRF pre-output to lie in the prime order subgroup, but instead ask users to call VRFInOut::make_ methods. In schnorrkel, if users misuse the VRF pre-output à la paritytech/substrate#5785 then they only lose the random oracle assumption or whatever, but here our cofactor creates a real exploit. We should maybe fix this by forcing the VRF pre-output to lie in the prime order subgroup.

I think this approach works cleanly:

  • dleq_proove: multiply R and Hr by the cofactor before hashing,
  • dleq_verify: multiply c and s by the cofactor so that R and Hr get multiplied by the cofactor
  • shorten_dleq and vrf_verify_batch: multiply R and Hr by the cofactor directly

We could however only push Hr and c * pk into the prime order subgroup, and avoid doing so for R, which marginally speeds up verification and might improve something somehow.

I'd rather address some zcash issues first though, so that vrf_verify_batch works and tests work for it and shorten_dleq.
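Added example, not code from this repository or from schnorrkel: a toy Chaum-Pedersen DLEQ proof over Ed25519 (cofactor 8) in pure Python, where the `clear` flag switches between the current behaviour and the fix proposed above (prover multiplies R and Hr by the cofactor before hashing, verifier multiplies c and s by the cofactor). The affine curve arithmetic, the try-and-increment hash-to-point and the SHA-512 challenge are my simplifications; with `clear=False` a pre-output shifted by an order-2 torsion point still verifies and yields a second output, with `clear=True` the torsion is absorbed and the output stays unique.

```python
import hashlib, secrets

p = 2**255 - 19   # Ed25519: twisted Edwards curve -x^2 + y^2 = 1 + d x^2 y^2 over GF(p)
q = 2**252 + 27742317777372353535851937790883648493      # prime-order subgroup size
d = -121665 * pow(121666, -1, p) % p
G = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     46316835694926478169428394003475163141307993866256225615783033603165251855960)
COFACTOR, T2 = 8, (0, p - 1)   # curve cofactor; T2 is a point of order 2 (torsion)

def add(P, Q):   # affine twisted-Edwards addition (constructed toy, not constant time)
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1*y2 + x2*y1) * pow(1 + t, -1, p) % p, (y1*y2 + x1*x2) * pow(1 - t, -1, p) % p)

def mul(n, P):   # double-and-add scalar multiplication; (0, 1) is the identity
    R = (0, 1)
    while n:
        if n & 1: R = add(R, P)
        P, n = add(P, P), n >> 1
    return R
def neg(P): return (-P[0] % p, P[1])

def hash_to_point(msg):   # try-and-increment onto the curve, then clear the cofactor
    for ctr in range(256):
        y = int.from_bytes(hashlib.sha512(msg + bytes([ctr])).digest()[:32], 'little') % p
        x2 = (y*y - 1) * pow(d*y*y + 1, -1, p) % p
        x = pow(x2, (p + 3) // 8, p)
        if x*x % p != x2: x = x * pow(2, (p - 1) // 4, p) % p      # sqrt(-1) correction
        if x*x % p == x2: return mul(COFACTOR, (x, y))

def challenge(*pts):      # Fiat-Shamir challenge over the transcript points
    h = hashlib.sha512(b''.join(x.to_bytes(32, 'little') + y.to_bytes(32, 'little') for x, y in pts))
    return int.from_bytes(h.digest(), 'little') % q

def dleq_prove(sk, H, out, clear):   # proves log_G(pk) == log_H(out), Chaum-Pedersen style
    k = secrets.randbelow(q)
    R, Hr = mul(k, G), mul(k, H)
    if clear: R, Hr = mul(COFACTOR, R), mul(COFACTOR, Hr)    # the dleq_proove change above
    c = challenge(mul(sk, G), H, out, R, Hr)
    return c, (k + c * sk) % q

def dleq_verify(pk, H, out, proof, clear):
    c, s = proof
    if clear: c, s = c * COFACTOR, s * COFACTOR   # the dleq_verify change: R and Hr get x8,
    R = add(mul(s, G), neg(mul(c, pk)))           # so torsion hidden in `out` is annihilated
    Hr = add(mul(s, H), neg(mul(c, out)))
    return challenge(pk, H, out, R, Hr) == proof[0]

def vrf_output(out, clear):   # the cleared pre-output must feed the output hash as well
    if clear: out = mul(COFACTOR, out)
    return hashlib.sha256(out[0].to_bytes(32, 'little') + out[1].to_bytes(32, 'little')).digest()
```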
