-
Notifications
You must be signed in to change notification settings - Fork 8
Conversation
|
||
// HashToCurve implements the Simplified SWU algorithm from section 5.4.1.3. | ||
// SWU is implemented with running time that is independent of the input | ||
// alpha (so-called "constant-time"). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There should probably be some big warning here, as the big.int operations are not necessarily constant-time in Go (golang/go#20654, bnb-chain/tss-lib#44). This probably also affects other parts of the implementation, and we should check if there is any risk.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added the warning. Will need to think about the constant time bit for the other parts of the impl.
// and 10 above can be implemented as follows: | ||
// | ||
// e = (w ^ ((p-1)/2))+1 mod p | ||
// (At this point, e is 0, 1, or 2, as an integer.) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It think the code looks correct according to the IETF document, but could there be an error in the document:
If e = {0, 1, 2}
, then b = {0, 1, 1}
. However, 11) says that if e is {0, 1} then we should use x
. Otherwise r*x
.
The cmov selects x
when b = 1 (hence when e is 1 or 2), and r*x
when b = 0. This seems to be an error?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That is a good point. @reyzin - should the spec be modified?
current text:
11. If e is equal to 0 or 1 then final_x = x; else final_x = r * x mod p
observed behavior:
11. If e is equal to 1 or 2 then final_x = x; else final_x = r * x mod p
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I take that back, upon closer inspection, revision 07 of the spec, this entire algorithm has been replaced with https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-07
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, that also solves this :-). I noticed there are a few more smaller changes in the new version (mostly some 0 bytes added to the hashes).
I am tempted to commit this as is and release a 0.6 version to correspond to draft version 0.6 before going over everything to make the 0.7 changes. what do you think? |
Sounds good to me. The references are anyhow to the 0.6 version. |
ECVRF-P256-SHA256-SWU is identical to ECVRF-P256-SHA256-TAI except that
the ECVRF_hash_to_curve function is as specified in
Section 5.4.1.3 and suite_string = 0x02 = int_to_string(2, 1).
ECVRF_hash_to_curve_Simplified_SWU implements ECVRF_hash_to_curve using the simplified Shallue-Woestijne [SW06] and Ulas [Ulas07] algorithm from Section 7 of [BCIMRT10] (see also [I-D.irtf-cfrg-hash-to-curve]).
It can be implemented with running time that is independent of the input
alpha (so-called "constant-time"). Generally, this method can be
used for any curve with prime p that is congruent to 3 modulo 4;
however, the (very unlikely) case of d=0 in step 6 below may need to
be handled differently depending on the curve equation, to ensure
that the result is a point on the curve.
https://tools.ietf.org/html/draft-irtf-cfrg-vrf-06#section-5.4.1.3