Skip to content
This repository has been archived by the owner on Nov 15, 2023. It is now read-only.

Fix randomness computation #5785

Closed
burdges opened this issue Apr 25, 2020 · 3 comments · Fixed by #5876
Closed

Fix randomness computation #5785

burdges opened this issue Apr 25, 2020 · 3 comments · Fixed by #5876

Comments

@burdges
Copy link

burdges commented Apr 25, 2020
edited
Loading

At https://github.com/paritytech/substrate/blob/master/frame/babe/src/lib.rs#L577 we use RawVRFOutput directly for randomness, which should never happen.

You should call schnorrkel::VRFInOut::make_bytes similar to what sc_consensus_babe::authorship::check_primary_threshold does. In schnorrkel, we produce these VRFInOuts inside vrf_sign* and vrf_verify*, so you could call make_bytes once on block import, and save those bytes as non-serialized block metadata.

If you'd rather reproduce those bytes again elsewhere, then you recreate the VRFInOut by first creating the transcript with sc_consensus_babe::authorship::make_transcript and calling schnorrkel::PublicKey::vrf_attach_hash/schnorrkel::VRFOutput::attach_input_hash with the signers public key and the schnorrkel::VRFOutput (the actual bytes being used here).

I should apologize for not making this aspect of schnorrkel as missuse resistant as possible, but exposing VRFOutput separate from VRFProof, and exposing these VRFInOuts simplified the interface dramatically. I should rename schnorrkel::VRFOutput to VRFPreOutput really.
@sorpaas sorpaas mentioned this issue Apr 26, 2020
Closed
burdges added a commit to w3f/ring-vrf that referenced this issue Apr 26, 2020
@burdges
s/VRFOutput/VRFPreOut/g
4383429 
We should not call this VRFOutput since that proved too confusing, ala
paritytech/substrate#5785
burdges added a commit to w3f/schnorrkel that referenced this issue Apr 26, 2020
@burdges
Correct VRFOutput name to VRFPreOut
1dbd707 
We should not call this VRFOutput since that proved too confusing, ala
paritytech/substrate#5785

s/VRF_OUTPUT/VRF_PREOUT/g
s/VRFOutput/VRFPreOut/g
burdges added a commit to w3f/schnorrkel that referenced this issue Apr 26, 2020
@burdges
Correct VRFOutput name to VRFPreOut
030e686 
We should not call this VRFOutput since that proved too confusing, ala
paritytech/substrate#5785

s/VRF_OUTPUT/VRF_PREOUT/g
s/VRFOutput/VRFPreOut/g
s/to_output/to_preout/g
@burdges
Copy link
Author

burdges commented Apr 26, 2020

I've renamed the VRFOutput type to VRFPreOut in w3f/schnorrkel@030e686 to reduce confusion in future, but I have not yet published an ew version and any update should be completely orthogonal to #5788

@burdges burdges mentioned this issue Apr 26, 2020
Open
@Demi-Marie
Copy link
Contributor

Is this a security hazard @burdges?

@burdges
Copy link
Author

burdges commented Apr 26, 2020

We safe from any attacks I know because Ristretto accepts only one point encoding. It'd degrade the randomness by a factor of 8 if we'd used another VRF like VEd25519 instead: w3f/ring-vrf#15

We do need Wei's fix in #5788 because (a) the make_bytes methods give us the VRF's PRF-like assumptions in the security proof, and (b) validators could conceivably choose related keys. We
forbid (b) but it becomes more likely if folks play games like w3f/General-Grants-Program#273

@sorpaas sorpaas mentioned this issue May 4, 2020
Merged
@FlorianFranzen FlorianFranzen mentioned this issue Jan 25, 2021
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@burdges @Demi-Marie