Prio3: Align spec with revised paper #105

Merged
merged 3 commits into from
Aug 24, 2022

Conversation

@cjpatton cjpatton commented Aug 16, 2022

Partially addresses #102.

A bug was found in [BBCGGI+19] that leads to an attack on the robustness
of Prio3. The attack is based on an observation in Appendix A of the
paper "A New Paradigm for Collision-Free Hashing: Incrementality at
Reduced Cost" from Bellare and Micciancio (Eurocrypt 1997). In short,
the attack allows a malicious Client to construct invalid input shares
for which the Aggregators would compute a k_joint_rand of its
choosing.

This bug was patched in Section 6.2.3 of
https://eprint.iacr.org/archive/2019/188/20220727:184451 as follows:
Instead of XORing joint randomness shares computed by the
Aggregators, k_joint_rand is computed by hashing the shares. This
change patches the Prio3 spec in kind.
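To make the point of the fix concrete, here is an added illustration (not code from the draft or from this PR) of the two ways of combining the Aggregators' joint randomness shares. An XOR combiner is linear, so distinct share vectors with the same XOR yield the same `k_joint_rand`, which is the property the attack relies on; a hash over the concatenated shares does not have that property. The 16-byte seed size follows the draft's `PrgAes128`; the SHA-256 stand-in and the length prefix are assumptions, not the spec's actual derivation.

```python
import hashlib

SEED_SIZE = 16  # 128-bit seeds, matching the draft's PrgAes128 seed length


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def joint_rand_xor(shares: list) -> bytes:
    """Pre-fix combiner: k_joint_rand is the XOR of the Aggregators' shares."""
    acc = bytes(SEED_SIZE)
    for share in shares:
        acc = xor_bytes(acc, share)
    return acc


def joint_rand_hash(shares: list) -> bytes:
    """Post-fix combiner: k_joint_rand is a hash of the shares.
    SHA-256 truncated to SEED_SIZE stands in for the draft's PRG-based
    derivation (assumption; the spec's exact encoding is not reproduced)."""
    h = hashlib.sha256()
    h.update(len(shares).to_bytes(1, "big"))  # constructed domain separation
    for share in shares:
        h.update(share)
    return h.digest()[:SEED_SIZE]


def xor_preserving_variant(shares: list, delta: bytes) -> list:
    """Flip the same bits in two shares: the XOR of the whole vector is
    unchanged, so an XOR combiner cannot tell the two vectors apart."""
    variant = list(shares)
    variant[0] = xor_bytes(variant[0], delta)
    variant[1] = xor_bytes(variant[1], delta)
    return variant


def combiner_ignores_variation(combiner, shares: list, delta: bytes) -> bool:
    """True when two distinct share vectors give the same k_joint_rand."""
    return combiner(shares) == combiner(xor_preserving_variant(shares, delta))


def demo() -> dict:
    # Constructed sample: three Aggregator shares and a nonzero delta.
    shares = [bytes([i] * SEED_SIZE) for i in (0x11, 0x22, 0x33)]
    delta = bytes.fromhex("0f" * SEED_SIZE)
    return {
        "xor": combiner_ignores_variation(joint_rand_xor, shares, delta),
        "hash": combiner_ignores_variation(joint_rand_hash, shares, delta),
    }
```

`demo()` returns `{"xor": True, "hash": False}`: the XOR combiner collides on the two share vectors, the hash combiner does not.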

@cjpatton cjpatton force-pushed the cjpatton/102/bug-fix/1 branch from b9a89e9 to 4c49104 August 16, 2022 02:06
@cjpatton cjpatton force-pushed the cjpatton/102/codepoints branch from 32ff590 to c0ee1fd August 16, 2022 02:13
@cjpatton cjpatton force-pushed the cjpatton/102/bug-fix/1 branch 2 times, most recently from 5cee6ce to d99544a August 16, 2022 02:15
@cjpatton cjpatton force-pushed the cjpatton/102/bug-fix/1 branch 2 times, most recently from 92d31b4 to e933503 August 16, 2022 15:29
@cjpatton cjpatton requested a review from divergentdave August 16, 2022 15:54
@cjpatton cjpatton force-pushed the cjpatton/102/bug-fix/1 branch from e933503 to 06ec588 August 16, 2022 16:41
@cjpatton cjpatton force-pushed the cjpatton/102/codepoints branch from c0ee1fd to d684990 August 16, 2022 17:11
@cjpatton cjpatton force-pushed the cjpatton/102/bug-fix/1 branch 3 times, most recently from 9b3f4ef to c2ea50c August 16, 2022 17:25
> TODO(issue #106) Decide if it's safe to model this construction as a random
> oracle. `PrgAes128.derive_seed()` is used for the Fiat-Shamir heuristic in
> Prio3 ({{prio3}}). A fixed-key is used for this step (the all-zero string). A
> reasonable starting point would be to model AES as an ideal cipher.

Filed #106.

@cjpatton cjpatton marked this pull request as ready for review August 16, 2022 17:26
@cjpatton cjpatton changed the title poc: Prio3: Align spec with revised paper Prio3: Align spec with revised paper Aug 16, 2022
@cjpatton cjpatton force-pushed the cjpatton/102/codepoints branch from d684990 to 6da1b7a August 16, 2022 21:35
@cjpatton cjpatton force-pushed the cjpatton/102/bug-fix/1 branch 2 times, most recently from ee1a02c to 4f569cb August 17, 2022 00:30
@cjpatton cjpatton force-pushed the cjpatton/102/codepoints branch from 6da1b7a to b6cf76b August 23, 2022 16:16
@cjpatton cjpatton force-pushed the cjpatton/102/bug-fix/1 branch from 4f569cb to 4591bf3 August 23, 2022 16:39
@cjpatton cjpatton force-pushed the cjpatton/102/codepoints branch 2 times, most recently from bb59f30 to 87f0cc6 August 24, 2022 16:52
@cjpatton cjpatton force-pushed the cjpatton/102/bug-fix/1 branch from 4591bf3 to 825063f August 24, 2022 16:54
@cjpatton cjpatton force-pushed the cjpatton/102/codepoints branch from 87f0cc6 to 875da0e August 24, 2022 18:59
@cjpatton cjpatton force-pushed the cjpatton/102/bug-fix/1 branch from 825063f to 6166162 August 24, 2022 21:41
@cjpatton cjpatton changed the base branch from cjpatton/102/codepoints to main August 24, 2022 21:44
This improves syntax highlighting in vim.
@cjpatton cjpatton force-pushed the cjpatton/102/bug-fix/1 branch from 6166162 to 529c503 August 24, 2022 21:46
@cjpatton cjpatton merged commit adce91e into main Aug 24, 2022
@cjpatton cjpatton deleted the cjpatton/102/bug-fix/1 branch August 26, 2022 18:33