chilldkg: fix enc_secshare deserialization #76
Conversation
There was a problem hiding this comment.
ACK. Thanks @siv2r.
Scalar(int_from_bytes(...)) is also used for generating pads (self_pad and ecdh). I think this is acceptable since we’re generating random numbers,
Acceptable, but probably better to do this in a consistent way unless you really want to wrap around.
|
The wrapping around (when creating a scalar from the tagged hash output) occurs in both bip-frost-dkg/python/secp256k1proto/bip340.py Lines 29 to 32 in 6780889 bip-frost-dkg/python/secp256k1proto/bip340.py Lines 66 to 69 in 6780889 I assumed we generally don’t want to raise a |
|
I think the proper way is to change secp256k1proto to split Then we can use the appropriate function everywhere. (Not sure if we want to touch bip340.py though, I tried to keep this as close as possible to the reference code in the BIP, so it's okay to work with integers there and keep the explicit
The wrapping there was intentional: Wrapping is not only acceptable when the input is uniformly random (or a hash), it yields simpler code because it removes an error path. This was the rationale for why we wrap in BIP340, after a long discussion. But the ECDH implementation is supposed to replicate whatever libsecp256k1 does, and it errors out in case of overflow... And then, if we wrap in ECDH, we may as well wrap in Anyway, ACK. Happy to see a PR that implements the above changes but we can also do it later. |
Agree |
While deserializing recovery data, for
enc_secshare, we should useScalar.from_bytes(...)instead ofScalar(int_from_bytes(...)). The latter does not raise aValueErrorfor overflowed values; it silently applies modulo to produce a validScalarelement!Scalar(int_from_bytes(...))is also used for generating pads (self_padandecdh). I think this is acceptable since we’re generating random numbers, not deserializing data.