In #510 we changed from using full-size hash references to using truncated hashes. This is fine for cases where the reference is only acting as a reference, so unambiguous identification is the only concern.
For proposal references, however, the hash-based reference is also the way that the proposal is incorporated into the transcript. In this case, we end up with a looser binding with truncated hashes, since a malicious transcript need only match a subset of the bits of the hash.
This doesn’t seem like a huge issue in practice, since if the hash function is broken enough to allow 128-bit collisions, we likely have deeper problems. But it might mean that transcript integrity fails before other aspects of the protocol.
To fix this, we could either restore all hash-based identifiers to full size (basically, revert #510), or we could revert just the proposal references. The former would be more uniform; the latter would be more parsimonious. I’m pretty ambivalent between the two.
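An added illustration of the binding concern raised above (not code from the issue, the draft, or any MLS implementation): when the transcript absorbs only a truncated reference, two distinct proposals whose references agree on the kept bits yield the same transcript hash, while full-size references keep them apart. The function names, the labels, and the 24-bit toy truncation (chosen so the search finishes instantly; the issue concerns 128 bits) are assumptions made for this sketch.

```python
import hashlib
from itertools import count

TOY_REF_BYTES = 3  # assumption: 24-bit toy truncation, NOT the size discussed in the issue


def full_ref(proposal):
    """Full-size hash reference to a proposal (hypothetical label, SHA-256)."""
    return hashlib.sha256(b"toy-proposal-ref" + proposal).digest()


def truncated_ref(proposal, n=TOY_REF_BYTES):
    """Reference truncated to the first n bytes of the full hash."""
    return full_ref(proposal)[:n]


def transcript_hash(prev, refs):
    """Toy transcript update: commits to proposals only through their references."""
    h = hashlib.sha256(prev)
    for r in refs:
        h.update(len(r).to_bytes(1, "big") + r)  # length-prefix each reference
    return h.digest()


def find_colliding_proposals(n=TOY_REF_BYTES):
    """Birthday search over constructed proposals; cost is about 2**(8*n/2) tries."""
    seen = {}
    for i in count():
        p = b"constructed proposal #%d" % i
        r = truncated_ref(p, n)
        if r in seen:
            return seen[r], p, i + 1
        seen[r] = p


def demo():
    a, b, tries = find_colliding_proposals()
    prev = bytes(32)  # constructed previous transcript value
    return {
        "distinct_proposals": a != b,
        "same_transcript_truncated":
            transcript_hash(prev, [truncated_ref(a)]) == transcript_hash(prev, [truncated_ref(b)]),
        "same_transcript_full":
            transcript_hash(prev, [full_ref(a)]) == transcript_hash(prev, [full_ref(b)]),
        "tries": tries,
    }


if __name__ == "__main__":
    print(demo())
```

The search cost scales with the square root of the truncated output space, which is why the transcript's collision resistance is set by the reference length rather than by the underlying hash.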