Differentiate scalar creation by canonical and reduction cases #189

Closed
AaronFeickert opened this issue Aug 1, 2023 · 0 comments · Fixed by #194

@AaronFeickert
Contributor

Currently, instantiation of a RistrettoSecretKey using its ByteArray implementation does not differentiate between arrays that are expected to be canonical representations and those that are expected to use reduction.

These cases should be differentiated. The ByteArray implementation for RistrettoSecretKey should be modified to perform canonical byte parsing. A separate wide reduction method should be used for cases where a non-canonical representation is acceptable, and where wide reduction applies.

stringhandler pushed a commit that referenced this issue Sep 28, 2023
Currently, creating a scalar `RistrettoSecretKey` [from a byte
array](https://github.com/tari-project/tari-crypto/blob/053119f2110aaf3089c7b9df96f50b8cc8d3217a/src/ristretto/ristretto_keys.rs#L90-L100)
performs modular reduction on 32 bytes. For cases where the input is
intended to be canonical, this is suboptimal. For cases where the input
is produced from a hashing operation, wide reduction should be used to
mitigate bias.

This work renames `SecretKey::from_bytes` to
`SecretKey::from_canonical_bytes` to support an underlying `ByteArray`
trait update. In the case of `RistrettoSecretKey`, it uses the curve
library's canonical parser and returns an error if the provided byte
slice is not a canonical scalar encoding.

It also adds a new `SecretKey::from_uniform_bytes` function that uses
wide reduction. For constructions like signatures and KDFs that use
hashing operations to produce scalar values, this function is used and
the underlying hashers are updated to produce 64-byte output in the case
of `RistrettoSecretKey`.

It updates the Schnorr signature API to support raw signing and
verification using challenge byte slices that are either canonical
encodings or uniform. It renames several existing functions for clarity.

It corrects a few typos that were discovered along the way.

Closes #189.

BREAKING CHANGE: This changes the way that scalars are produced from
byte arrays, modifies the `SecretKey` trait and corresponding
`RistrettoSecretKey` implementation, and updates the Schnorr signature
API.
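
The distinction drawn in the issue and commit message above, as an added example that is not part of the issue, the commit, or tari-crypto's own code. `parse_canonical` and `reduce` are hypothetical, variable-time stand-ins for canonical parsing and for (wide) reduction modulo the Ristretto group order l, and the sample inputs are constructed.

```rust
type Scalar = (u128, u128); // (high 128 bits, low 128 bits)
// Group order l = 2^252 + 27742317777372353535851937790883648493.
const L: Scalar = (1u128 << 124, 0x14def9dea2f79cd65812631a5cf5d3ed);

fn decode(b: &[u8; 32]) -> Scalar {
    let mut v = [0u128; 2];
    for (i, &byte) in b.iter().enumerate() {
        v[i / 16] |= (byte as u128) << (8 * (i % 16));
    }
    (v[1], v[0])
}

fn encode(s: Scalar) -> [u8; 32] {
    let mut b = [0u8; 32];
    b[..16].copy_from_slice(&s.1.to_le_bytes());
    b[16..].copy_from_slice(&s.0.to_le_bytes());
    b
}

// Canonical parsing: accept only little-endian encodings of integers in [0, l).
fn parse_canonical(b: &[u8; 32]) -> Option<Scalar> {
    let s = decode(b);
    if s < L { Some(s) } else { None }
}

// Reduction mod l of a little-endian input of any length (32 bytes, or 64 for wide reduction).
// Variable-time and bit-by-bit: for illustration only, not for handling secrets.
fn reduce(bytes: &[u8]) -> Scalar {
    let (mut hi, mut lo) = (0u128, 0u128);
    for &byte in bytes.iter().rev() {
        for bit in (0..8u32).rev() {
            // acc = 2*acc + bit; acc was below l, so the result is below 2l < 2^254.
            hi = (hi << 1) | (lo >> 127);
            lo = (lo << 1) | ((byte >> bit) & 1) as u128;
            if (hi, lo) >= L {
                let (d, borrow) = lo.overflowing_sub(L.1);
                hi = hi - L.0 - borrow as u128;
                lo = d;
            }
        }
    }
    (hi, lo)
}

fn main() {
    let l = encode(L); // constructed input: the 32-byte encoding of l itself
    println!("canonical parse of l:   {:?}", parse_canonical(&l)); // None
    println!("32-byte reduction of l: {:?}", reduce(&l)); // (0, 0)
}
```

A parser that reduces accepts the encoding of l as the zero scalar, so two distinct byte strings name the same key; the canonical parser rejects it instead.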