patched IBE hashToCurve with ietf hashToField impl #12
Conversation
due to using a counter size of 32bits in the stream cipher, only up to 256TB may be encrypted before a nonce reuse would occur. This solution checks if the counter has reached the limit on every increment. This _may_ add overhead or _may_ be free on some engines and I haven't benchmarked it
- pulled some pieces out of noble - wrote an implementation of hashToField using https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-16#section-5.2 - created a patched hashToCurve
|
Took a first crack at this - only 3 tests failing including the go compatibility ones. |
|
What's the reason of having our own implementation of that ? |
|
In retrospect, I should have read the feedback from the audit more clearly - it looks like only the rejection sampling in |
|
Yeah, in theory Noble should implement what we need already. |
|
Can someone link then the reason and/or issue raised in the audit (or paste a summary etc), in this PR or issue here ? It'd be nice that this PR contains everything one needs to know to understand the reasons, impacts etc. |
|
Our H3 function is vulnerable to collision. But I'd argue it's not a problem since we do key-wrapping and keys have fixed sizes, but TBH, using HashToField and HashToField from the RFC is probably better |
| @@ -85,6 +89,10 @@ export class STREAM { | |||
| // Increments Big Endian Uint8Array-based counter. | |||
| // [0, 0, 0] => [0, 0, 1] ... => [0, 0, 255] => [0, 1, 0] | |||
| incrementCounter() { | |||
| if (this.counter == COUNTER_MAX) { | |||
There was a problem hiding this comment.
Wouldn't a greater or equal comparison be safer?
|
|
||
| // this patched `hashToCurve` uses a different implementation of `hashToField` than noble | ||
| // see: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-16 | ||
| export async function hashToCurve(input: Uint8Array | string): Promise<PointG2> { |
There was a problem hiding this comment.
Can we use Noble's methods instead?
paulmillr/noble-bls12-381@8a18615
But let's keep the tests if these are not the same.
There was a problem hiding this comment.
we were actually using them already internally - I think we can just update the package and then change our h3 to comply
| expand: true, | ||
| } | ||
|
|
||
| export async function hashToField(message: Uint8Array, count: number, options: HashToFieldOptions = defaultsFromNoble): Promise<bigint[][]> { |
There was a problem hiding this comment.
Can we use the methods from Noble?
paulmillr/noble-bls12-381@8a18615
|
Closing this because I got the wrong end of the stick (was a good learning exercise though ;p) |
hashToFieldusing https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-16#section-5.2hashToCurve