ECVRF-P256-SHA256-SWU #13
Conversation
|
|
||
| // HashToCurve implements the Simplified SWU algorithm from section 5.4.1.3. | ||
| // SWU is implemented with running time that is independent of the input | ||
| // alpha (so-called "constant-time"). |
There was a problem hiding this comment.
There should probably be some big warning here, as the big.int operations are not necessarily constant-time in Go (golang/go#20654, bnb-chain/tss-lib#44). This probably also affects other parts of the implementation, and we should check if there is any risk.
There was a problem hiding this comment.
Added the warning. Will need to think about the constant time bit for the other parts of the impl.
| // and 10 above can be implemented as follows: | ||
| // | ||
| // e = (w ^ ((p-1)/2))+1 mod p | ||
| // (At this point, e is 0, 1, or 2, as an integer.) |
There was a problem hiding this comment.
It think the code looks correct according to the IETF document, but could there be an error in the document:
If e = {0, 1, 2}, then b = {0, 1, 1}. However, 11) says that if e is {0, 1} then we should use x. Otherwise r*x.
The cmov selects x when b = 1 (hence when e is 1 or 2), and r*x when b = 0. This seems to be an error?
There was a problem hiding this comment.
That is a good point. @reyzin - should the spec be modified?
current text:
11. If e is equal to 0 or 1 then final_x = x; else final_x = r * x mod p
observed behavior:
11. If e is equal to 1 or 2 then final_x = x; else final_x = r * x mod p
There was a problem hiding this comment.
I take that back, upon closer inspection, revision 07 of the spec, this entire algorithm has been replaced with https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-07
There was a problem hiding this comment.
Ok, that also solves this :-). I noticed there are a few more smaller changes in the new version (mostly some 0 bytes added to the hashes).
|
I am tempted to commit this as is and release a 0.6 version to correspond to draft version 0.6 before going over everything to make the 0.7 changes. what do you think? |
|
Sounds good to me. The references are anyhow to the 0.6 version. |
ECVRF-P256-SHA256-SWU is identical to ECVRF-P256-SHA256-TAI except that
the ECVRF_hash_to_curve function is as specified in
Section 5.4.1.3 and suite_string = 0x02 = int_to_string(2, 1).
ECVRF_hash_to_curve_Simplified_SWU implements ECVRF_hash_to_curve using the simplified Shallue-Woestijne [SW06] and Ulas [Ulas07] algorithm from Section 7 of [BCIMRT10] (see also [I-D.irtf-cfrg-hash-to-curve]).
It can be implemented with running time that is independent of the input
alpha (so-called "constant-time"). Generally, this method can be
used for any curve with prime p that is congruent to 3 modulo 4;
however, the (very unlikely) case of d=0 in step 6 below may need to
be handled differently depending on the curve equation, to ensure
that the result is a point on the curve.
https://tools.ietf.org/html/draft-irtf-cfrg-vrf-06#section-5.4.1.3