BLS Hash to G2 #898
Comments
|
Judging from today's BLS standardisation call, it sounds like the constant-time Fouque-Tibouchi method may be preferable to hash and increment. |
|
My gut is to leave this bug until we have the standard we all intend to conform on (probably Fouque-Tibouchi) to prevent everyone from opening up their bls implementations. That said, my gut could be wrong as it is knowingly leaving insecure crypto sitting around. Any other opinions? |
|
Per @JustinDrake's comment #1000 (comment)
Do you think this bugfix should be delayed/removed from June 30 Frozen milestone? |
|
I agree with Danny, i.e. "leave this bug until we have the standard". The latest standardisation direction is to move to the new Wahby-Boneh hash function. https://eprint.iacr.org/2019/403 Removed from |
|
I don't suggest closing a known bug issue unless it is either fixed or a warning is added to the spec itself |
Issues
The hash and test method used for mapping a message to G2 point is not incremented correctly.
How it currently behaves
Currently the function hashes to an x value then increments this x-value until a valid curve point is found.
How it should behave
In the case where the initial hash(m) does not generate a valid curve point:
The message is modify either by:
a) Incrementing the appended \x01 and \x02 bytes for each failed attempt
b) Modifying the message in some other incremental way
Hash this new set of bytes and check if it is a valid curve point.
Modify the message again and repeat this process until a valid point is discovered
Additional Info
It may be worth waiting for clarification from the standardization process before deciding how to modify the original message.
The text was updated successfully, but these errors were encountered: