Comments (7)

goldbe commented on August 26, 2024

Jan: the second option is not a good idea, because one could choose a hash that is too short, and then the VRF is not secure (to the same bit level as the curve). For instance, you could have a 384-bit curve but then someone could decide to use the SHA-256 hash. Not good.

from nsec5-draft.

fcelda commented on August 26, 2024

Nice catch. So how are we gonna write this down? I'm not sure how to express the bit length of the curve, as I failed to find it in SEC1, which we use to refer to for EC definitions. In Section 5 of the draft, we already have 2n = ceil(log2(q)/8), which tells something similar. But I'm not sure if we are happy with this formula. Anyway, the number of high bits to clear in Hash output should be hLen - ceil(log2(q)). Right? Does it make sense?

Another option is to keep this up to the particular instantiation of EC VRF. We just provide Hash to be a fixed parameter in the general definition. The instantiation then says what Hash is. So for example with EC-VRF-P256-SHA256, Hash is said to be SHA-256. If someone wants a different instantiation with a curve that has a length less than 256 bits, Hash can be defined as "truncated" SHA-256.

fcelda commented on August 26, 2024

I agree. So the first option it is. Are you comfortable with me updating the draft using the syntax I've used?

reyzin commented on August 26, 2024

Jan, you wrote: "Anyway, the number of high bits to clear in Hash output should be hLen - ceil(log2(q))." Not quite, because it's not q, but the size of the field over which the curve is defined. If you don't mind, I will try to update the draft, since I've already spent some time thinking how to do it.
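
The parameter check discussed in the comments above, as an added example that is not part of the thread or of the draft: it rejects a Hash shorter than the curve's field (the P-384 with SHA-256 case) and computes the number of high bits to clear from the field size rather than from q. The function names, the field-size table and the big-endian interpretation of the digest are assumptions made for illustration.

```python
import hashlib

# Bit length of the prime field each curve is defined over (not the group order q).
FIELD_BITS = {"P-256": 256, "P-384": 384, "P-521": 521}


def excess_bits(curve: str, hash_name: str) -> int:
    """Return how many high bits of the digest exceed the field size.

    Raises ValueError when the hash output is shorter than a field element,
    which is the insecure pairing raised in the first comment.
    """
    field_bits = FIELD_BITS[curve]
    h_bits = hashlib.new(hash_name).digest_size * 8
    if h_bits < field_bits:
        raise ValueError(
            f"{hash_name} gives {h_bits} bits, {curve} needs {field_bits}"
        )
    return h_bits - field_bits


def truncated_hash(curve: str, hash_name: str, data: bytes) -> bytes:
    """Hash data, clear the excess high bits, return a field-sized octet string."""
    clear = excess_bits(curve, hash_name)
    digest = hashlib.new(hash_name, data).digest()
    # Assumption: the digest is read as a big-endian integer, so "high bits"
    # are the leading bits of the first octet(s).
    value = int.from_bytes(digest, "big")
    value &= (1 << (len(digest) * 8 - clear)) - 1
    out_len = (FIELD_BITS[curve] + 7) // 8  # octet length of a field element
    return value.to_bytes(out_len, "big")


if __name__ == "__main__":
    for curve, h in [("P-256", "sha256"), ("P-256", "sha384"),
                     ("P-384", "sha256"), ("P-521", "sha512")]:
        try:
            print(curve, h, "bits to clear:", excess_bits(curve, h))
        except ValueError as err:
            print(curve, h, "rejected:", err)
```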

fcelda commented on August 26, 2024

Sure. Go ahead.

goldbe commented on August 26, 2024

So, after discussion with Leo we decided that all the curves we specify now (or ever will specify, i.e. P256, Ed25519, Ed448) are over finite fields F where the bitlength of field elements in F is divisible by 16. This made things easier because we now don't need to clear anything in the hash output. So I made this change in 5ceb74d, which also specifies that the output length of Hash is 2n octets, which is also the octet length of field elements in F.

fcelda commented on August 26, 2024

Looks good.
