Expose subgroup check for signatures #35
Conversation
Signed-off-by: Kirk Baird <[email protected]>
Signed-off-by: Kirk Baird <[email protected]>
| unsafe { | ||
| $sig_to_aff(&mut sig, &self.point); | ||
| $sig_in_group(&sig) | ||
| } |
There was a problem hiding this comment.
Here is a "philosophical" problem. Why would one need such a method? Customarily you'd need to perform the group check on incoming data, i.e. right after deserialization. But then it's affine coordinates... Yes, one can say "this is for completeness or symmetry." I for one have kind of a problem with such approach, because it effectively goes against the spirit of security. I mean we should concentrate on making the least amount of code work as well as possible, as opposed to producing as much [symmetric] code as possible. Now, from the group-check algorithm's perspective input doesn't have to be affine. So solving it the suggested way is a waste, and not insignificant, because inversion is ~1/3-1/4 of the group-check. So how come the interface takes affine? It was argued that since input is always affine (straight after deserialization), providing an affine-only interface is sufficient. To summarize, if there is a legitimate need for group-checking non-affine points, then it's not a proper way to solve this. Proper way would be to add additional C interface...
There was a problem hiding this comment.
We've decided to do subgroup checking for Signatures/AggregateSignatures at verification time rather than deserialisation time. Our reasoning is we deserialise a large quantity of signatures from the database for slashing protection and the slasher, where a large proportion will not be verified (and/or have already been verified). So it was wasteful to do the subgroup check at deserialisation time.
In terms of converting it to affine I agree this is inefficient and if it is to be kept should use a method with takes projective points.
There was a problem hiding this comment.
"Straight after deserialization" doesn't have to be literal. I should have used "from" instead of "after," right? I mean question is how come out-of-deserialization affine point becomes non-affine at all, not necessarily the moment next to deserialization.
Again, if there is a legitimate need for group-checking non-affine points, there is better way than suggested. In other words question is is there actual need?
There was a problem hiding this comment.
I think the need is there as most of the signatures we have in our database are AggregateSignatures and when we do eventually use them it will use the aggregate verify functions.
We do deserialise them as Signatures first and then convert them to AggregateSignatures though this is all during the deserialisation process. It would add a fair bit of complexity to store them as Signatures (affine) until the first verification and then convert them to AggregateSignatures (projective) keeping them as projective afterwards for any future aggregations/verifications.
So it would be preferable to have a projective version of the subgroup checks for AggregateSignatures but we can work around it if need be.
There was a problem hiding this comment.
Give me some time then:-)
There was a problem hiding this comment.
Thanks :) no rush, whenever you've got time is good.
|
Solution is in #44. Closing this. Thanks! |
What has been changed
Adds the binding to rust which allows the subgroup check to be made for signatures.