-
Notifications
You must be signed in to change notification settings - Fork 159
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ZIP 312: change randomizer handling #895
base: main
Are you sure you want to change the base?
Conversation
zips/zip-0312.rst
Outdated
channel. In Re-Randomized FROST, an additional value called `randomizer` needs | ||
to be generated by the Coordinator and sent along with the message and | ||
commitments. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does the math not work out if each participant generates a share of alpha and commits to it in round 1, then uses their share in round 2? If it didn't then I guess the way to remove the trust assumption on the Coordinator here would be to still do that commitment in round 1, and then have a round 1.5 that is just participants revealing their alpha shares, but that would turn this into a three-round protocol, or two-round with preprocessing (where participants precompute and save their shares of both R and alpha), which isn't ideal for some usage scenarios where the Coordinator is trusted. Maybe that should be left as an option?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One way to reduce the requirements on the Coordinator's RNG is to have it generate the randomizer by hashing the commitments and an extra random seed. The participants then recalculate it using that hash. The Coordinator can grind on the seed in order to create a subliminal channel, but this means you're not trusting the Coordinator's RNG. (Also, no participant can grind on their contribution in order to influence the randomizer, because the Coordinator only reveals the seed after it has the commitments.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@@ -228,6 +191,14 @@ that the given SIGHASH matches the data sent from the Coordinator, or compute th | |||
SIGHASH themselves from that data. However, the specific mechanism for that process | |||
is outside the scope of this ZIP. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the mechanism for using FROST for transaction spend auth should not be outside the scope of this ZIP, given that this ZIP is "FROST for Spend Authorization Multisignatures" (rather than the smaller-scoped "Re-randomized FROST"). However, I agree that most of the content that mechanism would entail is what would go into creating and checking PCZTs, so what we should do here is incorporate by reference the ZIP that eventually contains that specification (#693), and then either use it as appropriate directly in this section, or divide the specification into "Re-randomized FROST" (for more general consumption) and "Using Re-randomized FROST for Zcash transactions" (which then augments it further with the Zcash-specific logic like PCZT usage).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree, let's leave this pending until we get more concrete on PCZTs
zips/zip-0312.rst
Outdated
suggested in [#frost-rerandomized]_. This is not an issue as long the | ||
`randomizer` is generated uniformly at random, which is done in the Zcash | ||
specification. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's an overspecification to imply that the randomizer needs to be generated uniformly at random. As suggested above, it could be chosen depending on the commitments sent in round 1.
Also, the spec actually says to generate the randomizer
Define
$\mathsf{RedDSA.GenRandom} ⦂ () \rightarrow \mathsf{RedDSA.Random}$ as:
- Choose a byte sequence
$T$ uniformly at random on$\mathbb{B}^{\mathbb{Y}[(\ell_{\mathsf{H}} + 128) / 8]}$ .- Return
$\mathsf{H}^⊛(T)$ .
Note that the output range of
To refine my suggestion,
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great idea. I went ahead with it in 62833e6
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK with suggestions.
Co-authored-by: Daira-Emma Hopwood <[email protected]>
zips/zip-0312.rst
Outdated
used by the Coordinator and the second is used by participants. The | ||
`encode_signing_commitments` function SHOULD return the byte serialization of |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is somewhat confusing, given that random_bytes
gets its own paragraph. Separate encode_signing_commitments
into its own paragraph, and then maybe turn those two paragraphs into bullet points? or something that clarifies these are references to functions defined elsewhere that are used by the two new helper functions, not the two new helper functions being defined. Maybe also import the references first, and then say "Two new helper functions are defined" immediately before the actual definitions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed, I restructured this in c74bed5
zips/zip-0312.rst
Outdated
Randomizer Generation | ||
''''''''''''''''''''' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Move this above Re-Randomized FROST
and make it a same-level section. So this ZIP's Specification section then has:
- Key Generation
- Randomizer Generation
- Re-Randomized FROST
- Round One - Commitment
- Round Two - Signature Share Generation
- Signature Share Verification and Aggregation
- Ciphersuites
- FROST(Jubjub, BLAKE2b-512)
- FROST(Pallas, BLAKE2b-512)
which then means that the "Re-Randomized FROST" sub-section is just focused on modifications to FROST, and everything else is stuff canonically specified in ZIP 312 (although maybe parts of "Key Generation" move elsewhere to e.g. ZIP 32, but we'll figure that out in #883).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point, done in c74bed5
zips/zip-0312.rst
Outdated
Implementations MAY choose another encoding as long as all values (the | ||
identifier, binding nonce and hiding nonce for each participant) are | ||
unambiguously encoded. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is a risk here that a Coordinator and Participant (or multiple Participants) might have different implementations, and attempt to use them in the same signing session. That would be incompatible and cause a failure, which violates the defintion of MAY in RFC 2119:
- MAY This word, or the adjective "OPTIONAL", mean that an item is
truly optional. One vendor may choose to include the item because a
particular marketplace requires it or because the vendor feels that
it enhances the product while another vendor may omit the same item.
An implementation which does not include a particular option MUST be
prepared to interoperate with another implementation which does
include the option, though perhaps with reduced functionality. In the
same vein an implementation which does include a particular option
MUST be prepared to interoperate with another implementation which
does not include the option (except, of course, for the feature the
option provides.)
So we will need to specify the full encoding here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done in c74bed5 by using the serialization function from the RFC
Co-authored-by: Jack Grigg <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Addressed comments in did some additional improvements/cleanups
zips/zip-0312.rst
Outdated
Implementations MAY choose another encoding as long as all values (the | ||
identifier, binding nonce and hiding nonce for each participant) are | ||
unambiguously encoded. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done in c74bed5 by using the serialization function from the RFC
zips/zip-0312.rst
Outdated
Randomizer Generation | ||
''''''''''''''''''''' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point, done in c74bed5
zips/zip-0312.rst
Outdated
used by the Coordinator and the second is used by participants. The | ||
`encode_signing_commitments` function SHOULD return the byte serialization of |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed, I restructured this in c74bed5
Changes to randomizer handling after I realized that it couldn't possibly be generated using the message as an input. It does simplify things too.
Some additional fixes (using "Re-Randomized FROST" consistently; updating Owners)