This repository has been archived by the owner on Oct 11, 2024. It is now read-only.
VRF uniqueness is violated #567
gdbelvin added commits to gdbelvin/keytransparency that referenced this issue on Apr 26, 2017 (two commits, the first marked Merged), May 11, 2017, Jun 15, 2017, Jun 20, 2017 (two commits) and Jun 21, 2017, each with the message:

> Fixes google#567 VRF uniqueness could be violated because the VRF output itself was not included in the computation of `s`, the commitment to the VRF and zero knowledge proof.

gdbelvin added a commit that referenced this issue on Jun 21, 2017:

> * Ensure VRF uniqueness. Fixes #567 VRF uniqueness could be violated because the VRF output itself was not included in the computation of `s`, the commitment to the VRF and zero knowledge proof.
> * Reorder vrf to match CONIKS paper
> * Add TODOs for migrating to NSEC5
> * Use binary.Write to write fixed width integers
> * Add test vectors
> * Adjust notation for code clarity
Thanks to Sharon Goldberg and Leonid Reyzin for finding the error.

An attacker can choose different `r`s when computing `s`. Rather than `s = H2(m, [r]G, [r]H)`, the attacker computes `s = H2(m, [a]G, [b]H)` and claims that the VRF output is `[(b-a)/s + k]H` rather than `[k]H`, with `t = a - sk`. This checks out because the verifier checks that

```
s == H2(m, [t]G + [s]([k]G), [t]H + [s]VRF)
```

which here reduces to

```
s == H2(m, [a]G, [b]H)
```

because

```
[t]G + [s]([k]G) = [a-sk]G + [sk]G = [a]G
[t]H + [s]VRF    = [a-sk]H + [b-a+sk]H = [b]H
```

The attack succeeds at producing a non-unique value for VRF.

http://eprint.iacr.org/2012/577.pdf Page 4:
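To make the algebra above concrete, the following is an added example written for this page (it is not the keytransparency code): a toy Schnorr-style VRF over P-256 whose challenge can be computed the vulnerable way, `s = H2(m, [r]G, [r]H)`, or with the VRF output also hashed in, as the referenced commits do. `forge` is exactly the issue's construction; the try-and-increment hash-to-curve, the point helpers and the key and message values used with it are assumptions of the example.

```go
package main
import ("crypto/elliptic"; "crypto/sha256"; "math/big")

// Toy Schnorr-style VRF over P-256, constructed for this example; it is not the keytransparency code.
type Point struct{ X, Y *big.Int }
type Proof struct{ VRF Point; S, T *big.Int }
var curve = elliptic.P256()
var N, P, G = curve.Params().N, curve.Params().P, Point{curve.Params().Gx, curve.Params().Gy}
func mul(p Point, k *big.Int) Point { x, y := curve.ScalarMult(p.X, p.Y, new(big.Int).Mod(k, N).Bytes()); return Point{x, y} }
func add(p, q Point) Point          { x, y := curve.Add(p.X, p.Y, q.X, q.Y); return Point{x, y} }
// h1 maps m to a curve point of unknown discrete log by try-and-increment (P-256 has p = 3 mod 4, so rhs^((p+1)/4) is a root when one exists).
func h1(m []byte) Point {
	for ctr := byte(0); ; ctr++ {
		d := sha256.Sum256(append(append([]byte{}, m...), ctr))
		x := new(big.Int).Mod(new(big.Int).SetBytes(d[:]), P)
		rhs := new(big.Int).Exp(x, big.NewInt(3), P) // rhs = x^3 - 3x + b mod p
		rhs.Sub(rhs, new(big.Int).Mul(x, big.NewInt(3))).Add(rhs, curve.Params().B).Mod(rhs, P)
		if y := new(big.Int).Exp(rhs, new(big.Int).Rsh(new(big.Int).Add(P, big.NewInt(1)), 2), P); curve.IsOnCurve(x, y) {
			return Point{x, y}
		}
	}
}
// h2 hashes the message and the given points to a challenge scalar mod N.
func h2(m []byte, pts ...Point) *big.Int {
	h := sha256.New(); h.Write(m)
	for _, p := range pts { h.Write(p.X.Bytes()); h.Write(p.Y.Bytes()) }
	return new(big.Int).Mod(new(big.Int).SetBytes(h.Sum(nil)), N)
}
// challenge is H2(m, [r]G, [r]H) as in the vulnerable code; with bind it is H2(m, [k]H, [r]G, [r]H), the fix.
func challenge(m []byte, vrf, u, v Point, bind bool) *big.Int {
	if bind { return h2(m, vrf, u, v) } // s now commits to the claimed output
	return h2(m, u, v)                   // s says nothing about [k]H
}
// prove is the honest prover: VRF = [k]H, t = r - s*k mod N (r must be fresh and random in real use).
func prove(k, r *big.Int, m []byte, bind bool) Proof {
	H := h1(m); vrf := mul(H, k)
	s := challenge(m, vrf, mul(G, r), mul(H, r), bind)
	return Proof{vrf, s, new(big.Int).Mod(new(big.Int).Sub(r, new(big.Int).Mul(s, k)), N)}
}
// verify recomputes [t]G + [s]PK and [t]H + [s]VRF and checks that they hash back to s.
func verify(pk Point, m []byte, pr Proof, bind bool) bool {
	u, v := add(mul(G, pr.T), mul(pk, pr.S)), add(mul(h1(m), pr.T), mul(pr.VRF, pr.S))
	return challenge(m, pr.VRF, u, v, bind).Cmp(pr.S) == 0
}
// forge is the issue's construction: a != b, s = H2(m, [a]G, [b]H), VRF' = [(b-a)/s + k]H, t = a - s*k.
func forge(k, a, b *big.Int, m []byte) Proof {
	H := h1(m); s := h2(m, mul(G, a), mul(H, b))
	d := new(big.Int).Mul(new(big.Int).Sub(b, a), new(big.Int).ModInverse(s, N))
	return Proof{mul(H, d.Add(d, k)), s, new(big.Int).Mod(new(big.Int).Sub(a, new(big.Int).Mul(s, k)), N)}
}
```

With `bind` false, `verify` accepts the output of `forge` even though it differs from `[k]H`; with `bind` true the forged proof is rejected while honest proofs from `prove` still verify.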