The same Domain is used for both G1 and G2 Hash()
AnomalRoil opened this issue · 3 comments
It appears that we are currently re-using the same domain for both G1 and G2 hash to curve functions:
Lines 135 to 140 in 21249c0
Lines 140 to 144 in 21249c0
with Domain
being:
Lines 14 to 16 in 21249c0
This is unfortunate as it makes us non-spec compliant 😢
Security-wise it shouldn't be an issue as long as we are not re-using the same secret on both G1 and G2.
This was unnoticed in drand-verify which is used to verify the new g1g2 swapped mainnet beacons in production. The same bug is implemented there, making it compatible to the bug.
Would it be a viable migration path to make this domain configurable in this library, spawn a new drand mainnet with the fix and shut down the G1/G2 swapped one at some point? That would allow all new users to have a bug free environment, restore the elegance and allow a smooth transition from classic mainnet and the buggy mainnet.
This was solved in #23 and the latest release is now compatible with the proper DST.
For the rest of the drand stack, a new scheme is being introduced that's RFC conformant in drand/drand#1249
and we'll be launching a new network meant for long term support and sunsetting the old G1 3s one (e.g. shutting it down after announcing its shutdown in a couple months, expect a blog post on drand.love about it later this week)