An attacker can choose two different r's when computing s. Rather than
s = H2(h, [r]G, [r]H), the attacker computes
s = H2(h, [a]G, [b]H) and claims that the VRF output is
[(b-a)/s + k]H rather than [k]H, and t = a - sk.
This checks out because the verifier checks that
s == H2(h, [t]G + [s]([k]G), [t]H + [s]VRF),
and here
s == H2(h, [a]G, [b]H)
because
[t]G + [s]([k]G) = [a]G, and
[t]H + [s]VRF = [a-sk]H + [b-a+sk]H = [b]H.
The attack succeeds at producing a non-unique value for VRF.
Goldberg and Reyzin (March 2017) discovered that if one does not hash the unique identifier when computing the challenge of the proof system, the uniqueness of the VRF under the DDH assumption is violated. Therefore, when using the VRF, it is important to hash the unique identifier as well.
Thanks to Sharon Goldberg and Leonid Reyzin for reporting this bug.
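As an added illustration (not code from this issue or from the project), the following toy Chaum-Pedersen style VRF in Python runs the attack described above against the weak challenge s = H2(h, [r]G, [r]H), and then repeats the same strategy against a challenge that also hashes m, the base point, h, the public key and the VRF output, as the fix does. It works in a constructed prime-order subgroup of Z_P^* rather than an elliptic curve, and the group parameters, hash encodings, function names and sample message are all constructed for the demo. The key holder plays the attacker, since uniqueness is exactly the property a malicious prover would break.

```python
"""Toy DLEQ-style VRF: weak challenge (h, G^r, h^r only) beside the fixed one.
Constructed demo parameters; not the project's code and not production crypto."""
import hashlib
import secrets

Q = 2**127 - 1  # Mersenne prime: order of the subgroup (constructed toy choice)


def _probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; good enough to pick a demo modulus."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _find_group():
    """Smallest even k with P = k*Q + 1 prime, plus G = base^k of order Q."""
    k = 2
    while True:
        p = k * Q + 1
        if _probable_prime(p):
            for base in (2, 3, 5, 7, 11):
                g = pow(base, k, p)
                if g != 1:
                    return p, g
        k += 2


P, G = _find_group()


def _enc(x) -> bytes:
    """Length-prefixed encoding so distinct input lists never collide."""
    if isinstance(x, int):
        x = x.to_bytes(32, "big")
    return len(x).to_bytes(4, "big") + x


def H1(m: bytes) -> int:
    """Toy hash-to-group (G^hash; fine for this demo, not for production)."""
    e = int.from_bytes(hashlib.sha256(b"H1" + m).digest(), "big") % Q
    return pow(G, e, P)


def H2(*items) -> int:
    """Challenge hash over the given items, reduced to a scalar mod Q."""
    digest = hashlib.sha256(b"".join(_enc(i) for i in items)).digest()
    return int.from_bytes(digest, "big") % Q


def challenge_weak(m, h, pk, vrf, u, v):
    return H2(h, u, v)  # the bug: public key and VRF output are not hashed


def challenge_fixed(m, h, pk, vrf, u, v):
    return H2(m, G, h, pk, vrf, u, v)  # binds m, base point, key and output


def prove(k, m, challenge):
    """Honest prover: one nonce r, so u = G^r and v = h^r share the exponent."""
    h, pk = H1(m), pow(G, k, P)
    vrf = pow(h, k, P)
    r = secrets.randbelow(Q - 1) + 1
    s = challenge(m, h, pk, vrf, pow(G, r, P), pow(h, r, P))
    return vrf, (s, (r - s * k) % Q)


def verify(pk, m, vrf, proof, challenge):
    """Recompute u = G^t * pk^s and v = h^t * vrf^s, then re-derive s."""
    h, (s, t) = H1(m), proof
    u = pow(G, t, P) * pow(pk, s, P) % P
    v = pow(h, t, P) * pow(vrf, s, P) % P
    return s == challenge(m, h, pk, vrf, u, v)


def forge_weak(k, m, a, b):
    """The issue's attack: two nonces a != b, then output exponent (b-a)/s + k
    so that v lands on h^b while u = G^a.  Requires s != 0 mod Q."""
    h = H1(m)
    s = challenge_weak(m, h, None, None, pow(G, a, P), pow(h, b, P))
    k_forged = ((b - a) * pow(s, -1, Q) + k) % Q
    return pow(h, k_forged, P), (s, (a - s * k) % Q)


def forge_fixed_attempt(k, m, a, b, d):
    """Same trick against the fixed challenge, claiming output h^(k+d), d != 0.
    s now commits to the claimed output, so v = h^(a + s*d) equals h^b only if
    s*d == b - a (mod Q), which a hash-derived s will not satisfy."""
    h, pk = H1(m), pow(G, k, P)
    vrf_forged = pow(h, (k + d) % Q, P)
    s = challenge_fixed(m, h, pk, vrf_forged, pow(G, a, P), pow(h, b, P))
    return vrf_forged, (s, (a - s * k) % Q)


def demo(k=None, m=b"alice@example.com", a=1111, b=2222, d=7):
    """Honest and forged proofs under both challenges; returns the verdicts."""
    if k is None:
        k = secrets.randbelow(Q - 1) + 1
    pk = pow(G, k, P)
    honest, proof = prove(k, m, challenge_weak)
    forged, fproof = forge_weak(k, m, a, b)
    fixed_out, fixed_proof = prove(k, m, challenge_fixed)
    bad, bproof = forge_fixed_attempt(k, m, a, b, d)
    return {
        "weak_honest_verifies": verify(pk, m, honest, proof, challenge_weak),
        "weak_forgery_verifies": verify(pk, m, forged, fproof, challenge_weak),
        "weak_outputs_differ": honest != forged,
        "fixed_honest_verifies": verify(pk, m, fixed_out, fixed_proof, challenge_fixed),
        "fixed_forgery_verifies": verify(pk, m, bad, bproof, challenge_fixed),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Under the weak challenge the forged output differs from the honest one yet verifies against the same public key and message; under the fixed challenge the same forgery attempt is rejected, because s is now a function of the very output it is supposed to authenticate.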
- add unique identifier: also hash h=H1(m), g^x and h^x (the VRF output) and not only with random nonce r (g^r, h^r); additionally hash m into H2 (as before)
- like in the paper add the base-point and public-key
- skip outdated test-vectors
- unrelated: remove formatting version of test-output where no placeholder is used
fixes #175
* renamed c, cH, ... with s, sH
it is called s in the CONIKS paper/in KT (in the cfrg draft and other literature it is called c, though)
* Adopt VRF to update in CONIKS paper
http://eprint.iacr.org/2012/577.pdf, page 4