
VRF Standardization - Replace H2 with SHA256

Open gdbelvin opened this issue 8 years ago • 1 comment

The NSEC5 paper gives the full proof of why H2 is unnecessary in the context of this particular VRF. Because of the way H2 is used in the VRF,

  • H2 only needs to produce unique numbers between 1 and N-1 for each input.
  • A uniform distribution is not a requirement.
  • Attacking the VRF means finding a new m that produces the same output. To attack through H2, fix x and find x' s.t. H(x') == H(x).

Therefore, the VRF is using the full strength of the hash function. Only 128 bits are needed for 128-bit security.

Proposal: replace H2 with SHA256[:128]

gdbelvin, Jun 20 '17 18:06

cc @reyzin

gdbelvin, Aug 17 '18 12:08