The `MAX_SAFE_SCALAR` val in ristretto group is not proper

Question

The `MAX_SAFE_SCALAR` val in ristretto group is not proper

3for opened this issue 5 years ago · 3 comments

Two question:

The max scalar val is not proper.
Actually the order of curve25519 is not 2^255-1, it's 2^{252} + 27742317777372353535851937790883648493.

 pub static ref NEW_MAX_SAFE_EXPONENT: Integer = {
    //2^\{252\} + 27742317777372353535851937790883648493
    let str_max_scalar = "7237005577332262213973186563042994240857116359379907606001950938285454250989";
    Integer::from_str_radix(str_max_scalar, 10).unwrap()
  };
  pub static ref NEW_MAX_SAFE_SCALAR: Scalar = {
    let mut digits: [u8; 32] = [0; 32];
    NEW_MAX_SAFE_EXPONENT.write_digits(&mut digits, Order::LsfLe);
    Scalar::from_bytes_mod_order(digits)
  };

when remaining >= *MAX_SAFE_EXPONENT the while loop is not proper for it will break the binding property ----for different values can be opened to the same commitment.

    let exp_c = Ristretto::exp(&bp, &(NEW_MAX_SAFE_EXPONENT.clone() + &int(20)));
    let exp_d = Ristretto::exp(&bp, &int(20));
    let exp_e = Ristretto::exp(&bp, &(NEW_MAX_SAFE_EXPONENT.clone() * &int(11) + &int(20)));
    assert_eq!(exp_c, exp_d); //break commitment binding property 
    assert_eq!(exp_e, exp_d); //break commitment binding property

Answer 1 · 2019-12-14T22:05:42.000Z

Thanks for the clarification! The Ristretto abstraction is definitely one of the more experimental parts of this crate, and any contributions would be greatly appreciated.

Unfortunately, the organization sponsoring this crate no longer exists, and its development is now inactive. I'd like to find a maintainer at some point...

Answer 2 · 2019-12-16T02:25:00.000Z

Well, I'm a new learner not quailified to be the maintianer right now. Maybe it's possible with your help?
Seemed that the Ristretto abstraction can be used for pedersen commitment further?

Answer 3 · 2019-12-18T08:15:05.000Z

Both in func test_poe_small_exp and test_poke2, the proof Q: Rsa2048::elem(1) will not always hold, for the quotient q val will not always be zero.

    // sage: w = power_mod(2,exp, modulus)
    let base = Rsa2048::unknown_order_elem();
    let exp = Integer::from_str(
      "47837607866886756167333839869251273774207619337757918597995294777816250058331116325341018110",
    )
    .unwrap();
    let w = Integer::from_str("15237009150211370041572066643854992199159670014401836849321696862635102033487835342310727017245109132166684919786539411147576425083300413858833269356670380323733544946009726244587299888075528737163608201739522141432863879185104979614488213225007619266202959930396741246840028757785072423669876995919918707162762105031693124069429835211177047936412676083097631109112467835488434055566930455343640875193245804869807246696358272733220445826908935579926381184476706321520364895733176015236667338933737155347587968575990509888262873494415904958502766481314251287061092434837169635961698728491245532926158449261934834101518").unwrap();
    let result = Rsa2048::elem(w);
    let proof = Poe::<Rsa2048>::prove(&base, &exp, &result);
    // Assertion failed below! For q:734303333060010, exp:47837607866886756167333839869251273774207619337757918597995294777816250058331116325341018110, l:65146930039846659110574410709908462074864792983648741996010930151428109491451
    assert!(
      proof
        == Poe {
          Q: Rsa2048::elem(1)
        }
    );