Currently, instantiation of a RistrettoSecretKey using its ByteArray implementation does not differentiate between arrays that are expected to be canonical representations and those that are expected to use reduction.
These cases should be differentiated. The ByteArray implementation for RistrettoSecretKey should be modified to perform canonical byte parsing. A separate wide reduction method should be used for cases where a non-canonical representation is acceptable, and where wide reduction applies.
Currently, creating a scalar `RistrettoSecretKey` [from a byte
array](https://github.com/tari-project/tari-crypto/blob/053119f2110aaf3089c7b9df96f50b8cc8d3217a/src/ristretto/ristretto_keys.rs#L90-L100)
performs modular reduction on 32 bytes. For cases where the input is
intended to be canonical, this is suboptimal. For cases where the input
is produced from a hashing operation, wide reduction should be used to
mitigate bias.
This work renames `SecretKey::from_bytes` to
`SecretKey::from_canonical_bytes` to support an underlying `ByteArray`
trait update. In the case of `RistrettoSecretKey`, it uses the curve
library's canonical parser and returns an error if the provided byte
slice is not a canonical scalar encoding.
It also adds a new `SecretKey::from_uniform_bytes` function that uses
wide reduction. For constructions like signatures and KDFs that use
hashing operations to produce scalar values, this function is used and
the underlying hashers are updated to produce 64-byte output in the case
of `RistrettoSecretKey`.
It updates the Schnorr signature API to support raw signing and
verification using challenge byte slices that are either canonical
encodings or uniform. It renames several existing functions for clarity.
It corrects a few typos that were discovered along the way.
Closes #189.
BREAKING CHANGE: This changes the way that scalars are produced from
byte arrays, modifies the `SecretKey` trait and corresponding
`RistrettoSecretKey` implementation, and updates the Schnorr signature
API.
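The distinction drawn above, as an added Python integer model (not code from tari-crypto or its curve library): strict canonical parsing, the 32-byte reduction the issue describes, and 64-byte wide reduction, with the reduction bias computed exactly. `from_canonical_bytes` and `from_uniform_bytes` reuse the names in the commit message; `reduce_32`, `reduction_bias` and `accepts_canonical` are hypothetical helper names, and the sample byte strings are constructed.

```python
import math
from fractions import Fraction

# Order of the prime-order Ristretto255 group (a public constant).
L = 2**252 + 27742317777372353535851937790883648493


def from_canonical_bytes(b: bytes) -> int:
    """Strict parse: exactly 32 little-endian bytes encoding a value below L."""
    if len(b) != 32:
        raise ValueError("expected 32 bytes")
    s = int.from_bytes(b, "little")
    if s >= L:
        raise ValueError("non-canonical scalar encoding")
    return s


def reduce_32(b: bytes) -> int:
    """Model of the behaviour the issue describes: any 32 bytes reduced mod L."""
    if len(b) != 32:
        raise ValueError("expected 32 bytes")
    return int.from_bytes(b, "little") % L


def from_uniform_bytes(b: bytes) -> int:
    """Wide reduction: 64 bytes of hash output reduced mod L."""
    if len(b) != 64:
        raise ValueError("expected 64 bytes")
    return int.from_bytes(b, "little") % L


def reduction_bias(n_bytes: int) -> Fraction:
    """Exact statistical distance from uniform of (uniform n_bytes value) mod L."""
    n = 2 ** (8 * n_bytes)
    r = n % L  # residues below r are hit one extra time
    return Fraction(r * (L - r), n * L)


def accepts_canonical(b: bytes) -> bool:
    try:
        from_canonical_bytes(b)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    alias = (5 + L).to_bytes(32, "little")  # constructed second encoding of scalar 5
    print("reduce_32:", reduce_32(alias), "| canonical:", accepts_canonical(alias))
    for size in (32, 64):
        print(size, "bytes: bias ~ 2^%.1f" % math.log2(float(reduction_bias(size))))
```

Under plain reduction the constructed `alias` bytes and the canonical encoding of 5 yield the same scalar, while the strict parser rejects the alias; the bias figures show how much closer to uniform a 64-byte input is than a 32-byte one for this group order.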