From bfcfeb77a7f5866dbf728a247e537248ab303655 Mon Sep 17 00:00:00 2001 From: Christopher Patton Date: Fri, 10 Nov 2023 13:01:04 +0100 Subject: [PATCH] Prio3: Improve domain separation for multi-proof mode The query randomness is correlated for different values of `Prio3.PROOFS`. To provide defense in depth in case the same verification key is used for different versions, prepend the binder with `bytes(Prio3.PROOFS)`. For consistency, do the same for the prove randomness and each Helper's share of the proofs. Also, do the same for joint randomness in case `Prio3.PROOFS == 1`. --- draft-irtf-cfrg-vdaf.md | 9 ++++----- poc/vdaf_prio3.py | 9 ++++----- 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/draft-irtf-cfrg-vdaf.md b/draft-irtf-cfrg-vdaf.md index e1e87b14..e4acfd47 100644 --- a/draft-irtf-cfrg-vdaf.md +++ b/draft-irtf-cfrg-vdaf.md @@ -2600,7 +2600,7 @@ def helper_proofs_share(Prio3, agg_id, k_share): Prio3.Flp.Field, k_share, Prio3.domain_separation_tag(USAGE_PROOF_SHARE), - byte(agg_id), + byte(Prio3.PROOFS) + byte(agg_id), Prio3.Flp.PROOF_LEN * Prio3.PROOFS, ) @@ -2616,7 +2616,7 @@ def prove_rands(Prio3, k_prove): Prio3.Flp.Field, k_prove, Prio3.domain_separation_tag(USAGE_PROVE_RANDOMNESS), - b'', + byte(Prio3.PROOFS), Prio3.Flp.PROVE_RAND_LEN * Prio3.PROOFS, ) @@ -2625,7 +2625,7 @@ def query_rands(Prio3, verify_key, nonce): Prio3.Flp.Field, verify_key, Prio3.domain_separation_tag(USAGE_QUERY_RANDOMNESS), - nonce, + byte(Prio3.PROOFS) + nonce, Prio3.Flp.QUERY_RAND_LEN * Prio3.PROOFS, ) @@ -2646,12 +2646,11 @@ def joint_rand_seed(Prio3, k_joint_rand_parts): def joint_rands(Prio3, k_joint_rand_seed): """Derive the joint randomness from its seed.""" - binder = b'' if Prio3.PROOFS == 1 else byte(Prio3.PROOFS) return Prio3.Xof.expand_into_vec( Prio3.Flp.Field, k_joint_rand_seed, Prio3.domain_separation_tag(USAGE_JOINT_RANDOMNESS), - binder, + byte(Prio3.PROOFS), Prio3.Flp.JOINT_RAND_LEN * Prio3.PROOFS, ) ~~~ diff --git a/poc/vdaf_prio3.py b/poc/vdaf_prio3.py index cab7bc9e..34be0a88 100644 --- a/poc/vdaf_prio3.py +++ b/poc/vdaf_prio3.py @@ -300,7 +300,7 @@ def helper_proofs_share(Prio3, agg_id, k_share): Prio3.Flp.Field, k_share, Prio3.domain_separation_tag(USAGE_PROOF_SHARE), - byte(agg_id), + byte(Prio3.PROOFS) + byte(agg_id), Prio3.Flp.PROOF_LEN * Prio3.PROOFS, ) @@ -318,7 +318,7 @@ def prove_rands(Prio3, k_prove): Prio3.Flp.Field, k_prove, Prio3.domain_separation_tag(USAGE_PROVE_RANDOMNESS), - b'', + byte(Prio3.PROOFS), Prio3.Flp.PROVE_RAND_LEN * Prio3.PROOFS, ) @@ -328,7 +328,7 @@ def query_rands(Prio3, verify_key, nonce): Prio3.Flp.Field, verify_key, Prio3.domain_separation_tag(USAGE_QUERY_RANDOMNESS), - nonce, + byte(Prio3.PROOFS) + nonce, Prio3.Flp.QUERY_RAND_LEN * Prio3.PROOFS, ) @@ -352,12 +352,11 @@ def joint_rand_seed(Prio3, k_joint_rand_parts): @classmethod def joint_rands(Prio3, k_joint_rand_seed): """Derive the joint randomness from its seed.""" - binder = b'' if Prio3.PROOFS == 1 else byte(Prio3.PROOFS) return Prio3.Xof.expand_into_vec( Prio3.Flp.Field, k_joint_rand_seed, Prio3.domain_separation_tag(USAGE_JOINT_RANDOMNESS), - binder, + byte(Prio3.PROOFS), Prio3.Flp.JOINT_RAND_LEN * Prio3.PROOFS, )