You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The code is not so idiomatic for rust cryptography code:
Unecessary Vecs abound. Arkworks needs alloc anyways, but Vecs are still jarring, and likely leave secrets in the heap, where stack usage tends to whipe them for free.
Around the Vecs: Why does the GAffine enum exist? Is drand producing curve points on both G1 and G2? I suppose drand must do so, since you provide hashes to both G1 and G2, but why does drand do this?
Also..
If you want time lock encryption, then you often want proofs of correctness too. It's extremely complext doing so once an AEAD enters the picture, so likely people employ a simpler trick: hash the pairing to create another secret key usk for which you reveal its public key upk early, reveal their secret r for early decryption, and retroactively invalidate participation in the protocol if upk does not match the tlock pairing output usk, as derived either from r or the tlock expiring. I realize this is not what the drand tlock paper does, but it's the cheapest proofs of correctness for those who require one.
As is, it's maybe easier if drand tlock users fork and/or re-implement this, using their specific situation, so maybe the easiest solution to all of this is simply add a few comments to the code that reference whatever spec drand or whatever is working off here? In particular how the G1 and/or G2 evaluation comes from drand.
The text was updated successfully, but these errors were encountered:
The code is not so idiomatic for rust cryptography code:
Around the Vecs: Why does the GAffine enum exist? Is drand producing curve points on both G1 and G2? I suppose drand must do so, since you provide hashes to both G1 and G2, but why does drand do this?
Also..
If you want time lock encryption, then you often want proofs of correctness too. It's extremely complext doing so once an AEAD enters the picture, so likely people employ a simpler trick: hash the pairing to create another secret key
uskfor which you reveal its public keyupkearly, reveal their secretrfor early decryption, and retroactively invalidate participation in the protocol ifupkdoes not match the tlock pairing outputusk, as derived either fromror the tlock expiring. I realize this is not what the drand tlock paper does, but it's the cheapest proofs of correctness for those who require one.As is, it's maybe easier if drand tlock users fork and/or re-implement this, using their specific situation, so maybe the easiest solution to all of this is simply add a few comments to the code that reference whatever spec drand or whatever is working off here? In particular how the G1 and/or G2 evaluation comes from drand.
The text was updated successfully, but these errors were encountered: