Weak transcript binding of proposals by reference #640

Closed
bifurcation opened this issue May 4, 2022 · 1 comment · Fixed by #688

@bifurcation
Collaborator

In #510 we changed from using full-size hash references to using truncated hashes. This is fine for cases where the reference is only acting as a reference, so unambiguous identification is the only concern.

For proposal references, however, the hash-based reference is also the way that the proposal is incorporated into the transcript. In this case, we end up with a looser binding with truncated hashes, since a malicious transcript need only match a subset of the bits of the hash.

This doesn’t seem like a huge issue in practice, since if the hash function is broken enough to allow 128-bit collisions, we likely have deeper problems. But it might mean that transcript integrity fails before other aspects of the protocol.

To fix this, we could either restore all hash-based identifiers to full size (basically, revert #510), or we could revert just the proposal references. The former would be more uniform; the latter would be more parsimonious. I’m pretty ambivalent between the two.

@bifurcation
Collaborator Author

Virtual interim 2022-05-19:

  • Support for doing something here, given 64-bit birthday bound on collisions given 128-bit identifiers
  • Support for full-width everywhere
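
The binding gap discussed in this issue, as an added example that is not part of the original thread or of the MLS specification: a birthday search over toy-width truncated references, showing that a transcript which commits to proposals only by reference cannot distinguish two colliding proposals, while full-width references can. SHA-256, the `proposal ref` label, the constructed proposal bytes and the simplified `transcript_hash` are assumptions chosen for illustration.

```python
import hashlib
from itertools import count

def ref(proposal, nbytes):
    """Hash-based reference truncated to nbytes.
    SHA-256 and the label are assumed stand-ins for the ciphersuite hash."""
    return hashlib.sha256(b"proposal ref" + proposal).digest()[:nbytes]

def find_colliding_proposals(nbytes):
    """Birthday search over constructed proposals.
    Returns two distinct proposals with equal truncated refs and the
    number of hashes computed (about 2**(4*nbytes) on average)."""
    seen = {}
    for i in count():
        p = b"constructed-proposal-%d" % i
        r = ref(p, nbytes)
        if r in seen:
            return seen[r], p, i + 1
        seen[r] = p

def transcript_hash(prev, proposal_refs):
    """Simplified transcript update that covers proposals only via their refs."""
    h = hashlib.sha256(prev)
    for r in proposal_refs:
        h.update(len(r).to_bytes(1, "big") + r)
    return h.digest()

def demo(nbytes):
    """Compare transcript binding with truncated and full-width references."""
    a, b, trials = find_colliding_proposals(nbytes)
    prev = bytes(32)  # constructed previous transcript value
    same_truncated = (transcript_hash(prev, [ref(a, nbytes)])
                      == transcript_hash(prev, [ref(b, nbytes)]))
    same_full = (transcript_hash(prev, [ref(a, 32)])
                 == transcript_hash(prev, [ref(b, 32)]))
    return a != b, same_truncated, same_full, trials

if __name__ == "__main__":
    for nbytes in (2, 3):
        distinct, trunc, full, trials = demo(nbytes)
        print(f"{8 * nbytes}-bit refs: collision after {trials} hashes; "
              f"transcripts equal with truncated refs={trunc}, full refs={full}")
```

The search cost grows as roughly 2^(n/2) hashes for n-bit references, which is the 64-bit birthday bound noted at the interim for 128-bit identifiers, against 128 bits for full-width SHA-256 output.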
