Spec precise VRF use in EC #390
Conversation
A small nitpick: Separating different usage of the same function with an additional input is called "domain separation" and is usually done by prefixing the message (rather than suffixing it) with a specific byte / integer whose length is known easily (i.e. if it's a byte it's easy). I could encode "t" in many ways while encoding a number on a byte is straightforward. So for simplicity of reading & implementing the specs, I would encourage the use of a clear fixed-size domain separation with a integer. Of course both of these suggestions are based on the fact that.. it's OK (i.e. lightweight) to change. If it's already implemented, since these are backward incompatible suggestions, then it's ok to leave it as it is. In any case, domain separation is definitely required here !! |
|
Great! This is exactly what I was asking @dignifiedquire, @nikkolasg. Thanks for this reply. Is this done anywhere else already @dignifiedquire, so I may draw inspiration? Otherwise, where would you recommend I "assign" the appropriate byte for each operation in the spec? |
|
To cite back the RFC, they're doing that in the hashing parts of the protocol, for example look at the |
|
As far as I know one of the primary reasons for prefix-based domain separation is a risk of length extension attacks on hash functions. |
Step 1. Define a tableVDF Personalizations (I believe this is the right technical term)
Step 2. Use the tableStep 3. Profit |
|
A quick convo w @dignifiedquire and @nikkolasg yielded the following back of the envelope impact for choice of BLS (64 B, 30ms verif time) vs secp (80 B, .3ms verif time). Over a year (~1M blocks) with 2 Verifs per block (ticket and electionProof), syncing chain from genesis would take:
Someone check my math. But seems both are fine. May be worth using BLS instead. |
|
on my macbook (not the fastest processor) I get 5ms per bls verify using our rust to go bindings. Verifications can be batched as well for improved performance, and done in parallel. I'm not super worried about the cpu cost of BLS. I also expect it to improve with optimizations. |
|
I agree. Even if it didn't it's nbd. However, the size gain is less than I thought though I forget the exact reason atm. Anyways, The time has come to merge or request a change. Turn to BLS, or do I merge? |
|
@sternhenri the signature length for bls12-381 should be 384 bits == 48 bytes. For some reason, the go code i'm using (go-bls-sigs) has signatures being 96 bytes. Not sure why that is. |
|
Per @nikkolasg out-of-band:
So this is the tradeoff vs secp (80B) re sizing, if I grok correctly,
Case 1 seems preferable to me. Either way Secp is a bit better than BLS in terms of size… Assuming I haven't said mistakes here @nikkolasg @whyrusleeping, I think we're ready to make a call... |
|
Last missing piece is hashing the VDFOutput into a usable source of randomness (colloquially known as fetching the ticket). We defer to #332 for defining the function which fetches randomness (hash fn used is blake2) |
…n of lookback in spec. woohoo
There was a problem hiding this comment.
reviewed with @henri
switch to bls will happen in a follow up pr
This PR covers #290 and is built atop #334 rather than master (sorry, worth merging 334 ahead of reviewing this one)
Important background in https://github.com/filecoin-project/research-private/issues/189
I made a few changes worth noting:
VRFOutput(i.e. the deterministic output from the VRFProof) on chain: while it is always needed for interacting with the VRF, it can be derived from the VRFProof (which is also needed), so I chose to minimize on-chain footprintinput | "t"for tickets andinput | "e") is I believe necessary for security reasons, lest SLE not be Secret (can you see why?). However, the current token addition is pretty clumsy. Any suggestions there @dignifiedquire ?mineractor to account for the necessary PK,SK pairs that need to be valid. I'm not too sure.