Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Epic: Rigorous Domain Separation #8974

Open
iAmMichaelConnor opened this issue Oct 2, 2024 · 0 comments
Open

Epic: Rigorous Domain Separation #8974

iAmMichaelConnor opened this issue Oct 2, 2024 · 0 comments
Labels
A-protocol Area: relates to designing / explaining the protocol A-security Area: Relates to security. Something is insecure. T-epic T-tech-debt Type: Tech debt

Comments

@iAmMichaelConnor
Copy link
Contributor

You might wonder "Why is this an Epic and not a regular Issue?". It's because this will be pain-staking. It will require an epic amount of effort. And perhaps it'll need to be subdivided into little tasks.

Domain separation is needed for:

  • Deriving Grumpkin generator points that have "nothing up our sleeves". (That is, points that are derived in a way where we can demonstrate that there can't have possibly been anything fishy going on in how those points were chosen).
  • Hashing things.

I believe we're still using enums (or similar) to list all hashing domain separators. The problem with this approach is it's very flakey: If someone splices a new item somewhere into the middle of the enum, then all domain separators below it change, and suddenly the whole network is broken, or all testnet apps which rely on the stability of those constants are broken, or audits are invalidated, etc.

A less-flakey way to derive hashing domain separators is to simply use a string for each. E.g. "az_note_hash_tree", or something. The zcash spec exemplifies this well. Now, the strings we choose will need to have a bit-decomposition that fits within a single field element. Starting each string with "az_" feels like a neat way to further domain-separate all of our domain-separators to Aztec! We'll have to take a view as to whether "az_" is using too many bits of our allotted field of space, in which case we'd need to choose something even shorter! Maybe camelCase is fewer bits than snake_case for the messages, actually.

Anyway, what we'd end up with is a list of strings; a string for every type of "domain" that needs a domain separator.

This suggestion - of using strings - assumes that it's ok for us to use-up an entire field for the purposes of domain separation. If that's not the case, we might be stuck with the current approach of enums.

As for deriving grumpkin generator points, we'll need to discuss this. We'll need to revisit how it was done for Aztec Connect, and determine if that's appropriate for us.
@iAmMichaelConnor iAmMichaelConnor added A-security Area: Relates to security. Something is insecure. A-protocol Area: relates to designing / explaining the protocol T-epic T-tech-debt Type: Tech debt labels Oct 2, 2024
@github-project-automation github-project-automation bot moved this to Todo in A3 Oct 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
A-protocol Area: relates to designing / explaining the protocol A-security Area: Relates to security. Something is insecure. T-epic T-tech-debt Type: Tech debt
Projects
A3
Status: Todo
Milestone
No milestone
Development

No branches or pull requests
1 participant
@iAmMichaelConnor