You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The h() function in hash.rs hashes to a subgroup element by truncating
a 64-byte BLAKE2B hash to BlsScalar::SIZE=32 bytes, then clearing the
top 2 bytes to obtain a value less than 2254:
/// Hash an arbitrary slice of bytes into a [`BlsScalar`]fnh(msg:&[u8]) -> BlsScalar{letmut digest:[u8;BlsScalar::SIZE] = Blake2b::digest(msg).into();// Truncate the contract id to fit bls
digest[31] &= 0x3f;let hash:Option<BlsScalar> = BlsScalar::from_bytes(&digest).into();
hash.unwrap_or_default()}
However with such an implementation, certain subgroup elements cannot be
reached: as the subgroup size
0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001 is
approx. 2254.857.
It means that certain points will never be reached by h0(), and
certain scalars will never be reached by h1() (approx.
2253.7.
This appears to us not to be exploitable, but it would be safer to
implement the standard hash_to_field() function, as defined in the Hashing to Ellpitic
Curve
RFC and implemented in zkcrypto/bls12_381.
Possible Solution
We can use our BlsScalar::hash_to_scalar(msg) here.
The text was updated successfully, but these errors were encountered:
Summary
From the audit report point BLS01:
The
h()
function in hash.rs hashes to a subgroup element by truncatinga 64-byte BLAKE2B hash to
BlsScalar::SIZE=32
bytes, then clearing thetop 2 bytes to obtain a value less than 2254:
However with such an implementation, certain subgroup elements cannot be
reached: as the subgroup size
0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001 is
approx. 2254.857.
It means that certain points will never be reached by
h0()
, andcertain scalars will never be reached by
h1()
(approx.2253.7.
This appears to us not to be exploitable, but it would be safer to
implement the standard
hash_to_field()
function, as defined in theHashing to Ellpitic
Curve
RFC and implemented in
zkcrypto/bls12_381.
Possible Solution
We can use our
BlsScalar::hash_to_scalar(msg)
here.The text was updated successfully, but these errors were encountered: