Currently in the draft there are several key places where we need to do subgroup checks on points, for example to validate a public key post de-serialization. However, in some places we are implicitly relying on the `octet_to_point` function to perform this role and in other places we are doing it as an explicit step in the procedure. We need to make this consistent; the options are:

1. Consistently rely on the `octet_to_point_g*` implementation and add a security consideration that documents this function MUST perform the relevant subgroup check.
2. Explicitly document anywhere in the procedure where a subgroup check is required.

IMO, 2 feels like a safer but more verbose option.
Maybe a middle-of-the-road solution would be to explicitly define `octets_to_point` as an operation in the spec that calls `octets_to_point_g1` and does the checks. For example, something like:

```
result = octets_to_point(point_octets)

Inputs:

- point_octets, octet string

Parameters:

- SubgroupCheck_g1, a function that on input a point P, returns VALID if P
  is in the G1 subgroup and INVALID in any other case.

Procedure:

1. P = octets_to_point_g1(point_octets)
2. if P is INVALID, return INVALID
3. if SubgroupCheck_g1(P) is INVALID, return INVALID
4. if P == Identity_G1, return INVALID
5. return P
```

Note: the identity check is not always necessary above, but it can be nice to have.
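To make the proposed procedure concrete, here is an added example in Python; it is not code from the draft, from this issue, or from the BBS repository. It walks the wrapper above step for step on a deliberately tiny curve, `y^2 = x^3 + x + 1` over F_23, a textbook curve with 28 points, so the cofactor is 4 and the prime-order subgroup has order 7. The tiny field, the 2-octet point encoding, the stand-in `octets_to_point_g1` (which only checks that the decoded point is on the curve) and the `subgroup_check_g1` helper are all constructed for this example; the draft's actual curve (BLS12-381) and its serialization format are not modeled. What it shows is the gap the issue is about: a point can decode cleanly and lie on the curve yet fail the subgroup check, and the identity passes the subgroup check, so step 4 has to be a separate test.

```python
# Added example (not from the draft or this issue). Toy curve, constructed for
# illustration: y^2 = x^3 + x + 1 over F_23 has 28 points = H * R with H = 4, R = 7.
P_MOD = 23          # field prime
A, B = 1, 1         # curve coefficients
R = 7               # order of the prime-order subgroup (the draft's r)
H = 4               # cofactor: #E(F_23) = H * R = 28

IDENTITY = None     # point at infinity (Identity_G1 in the draft's terms)
INVALID = "INVALID"
VALID = "VALID"

# Constructed 2-octet encoding: [flags, x]. Not the draft's real format.
FLAG_COMPRESSED = 0x80
FLAG_INFINITY = 0x40
FLAG_Y_LARGE = 0x20  # set when y > (p - 1) / 2, to select one of the two roots


def point_add(P, Q):
    """Affine addition on y^2 = x^3 + A x + B over F_p, identity included."""
    if P is IDENTITY:
        return Q
    if Q is IDENTITY:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:   # Q == -P, also covers y == 0
        return IDENTITY
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mul(k, P):
    """Double-and-add; scalar_mul(0, P) is the identity."""
    acc = IDENTITY
    while k:
        if k & 1:
            acc = point_add(acc, P)
        P = point_add(P, P)
        k >>= 1
    return acc


def curve_points():
    """All points of E(F_23), identity included; confirms #E == H * R."""
    pts = [IDENTITY]
    for x in range(P_MOD):
        for y in range(P_MOD):
            if (y * y - (x ** 3 + A * x + B)) % P_MOD == 0:
                pts.append((x, y))
    return pts


def point_to_octets(P):
    if P is IDENTITY:
        return bytes([FLAG_COMPRESSED | FLAG_INFINITY, 0])
    x, y = P
    flags = FLAG_COMPRESSED | (FLAG_Y_LARGE if y > (P_MOD - 1) // 2 else 0)
    return bytes([flags, x])


def octets_to_point_g1(octets):
    """Stand-in for the draft's octets_to_point_g1: decodes and checks that the
    point is ON THE CURVE, but knows nothing about the prime-order subgroup."""
    if len(octets) != 2 or not (octets[0] & FLAG_COMPRESSED):
        return INVALID
    flags, x = octets
    if flags & FLAG_INFINITY:       # only the canonical identity encoding is accepted
        if flags == (FLAG_COMPRESSED | FLAG_INFINITY) and x == 0:
            return IDENTITY
        return INVALID
    if x >= P_MOD:
        return INVALID
    rhs = (x ** 3 + A * x + B) % P_MOD
    if rhs != 0 and pow(rhs, (P_MOD - 1) // 2, P_MOD) != 1:
        return INVALID                      # no y exists for this x
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)   # square root; works since 23 == 3 mod 4
    if y == 0 and flags & FLAG_Y_LARGE:
        return INVALID                      # non-canonical encoding of a y == 0 point
    if bool(flags & FLAG_Y_LARGE) != (y > (P_MOD - 1) // 2):
        y = (-y) % P_MOD
    return (x, y)


def subgroup_check_g1(P):
    """The comment's SubgroupCheck_g1: VALID iff R * P is the identity.
    The identity itself passes, which is why step 4 below is a separate test."""
    return VALID if scalar_mul(R, P) is IDENTITY else INVALID


def octets_to_point(point_octets):
    """The wrapper proposed above, step for step."""
    P = octets_to_point_g1(point_octets)        # 1.
    if P == INVALID:
        return INVALID                           # 2.
    if subgroup_check_g1(P) == INVALID:
        return INVALID                           # 3.
    if P is IDENTITY:
        return INVALID                           # 4.
    return P                                     # 5.


if __name__ == "__main__":
    G = scalar_mul(H, (0, 1))   # cofactor clearing yields a subgroup generator
    for label, P in (("generator", G), ("order-2 point", (4, 0)),
                     ("point outside subgroup", (0, 1)), ("identity", IDENTITY)):
        octs = point_to_octets(P)
        print(label, octs.hex(), octets_to_point_g1(octs), octets_to_point(octs))
```

Running it, `octets_to_point_g1` returns `(4, 0)` (a point of order 2) and `(0, 1)` (on the curve but not in the order-7 subgroup) without complaint, while `octets_to_point` rejects both at step 3; the encoded identity decodes, passes `subgroup_check_g1`, and is rejected only by step 4. On BLS12-381 the subgroup test is `r * P == Identity` or an equivalent faster method rather than anything involving point counting, but the decision structure of the wrapper is the same.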
Discussed on the WG call of the 20th of September; we believe the major inconsistencies around this check are resolved. Closing for now and will re-open if some were missed.