Tjaden Hess

@tjade273.bsky.social

26 Followers  |  68 Following  |  9 Posts  |  Joined: 02.05.2023

Latest posts by tjade273.bsky.social on Bluesky


Would the fact that this tag is a TOPRF output prevent the attack? The fake realm would need to have the OPRF private key from the original realm in order for the “phase 2” to complete, assuming it’s not possible to swap in the malicious realm in between phases (would need to look at code)

05.06.2025 20:51 — 👍 2    🔁 0    💬 1    📌 0

Looks like the cost is dominated by a size-3 elliptic curve MSM per guess. The work should be ~the same order of magnitude as EdDSA signing operations. So on the order of 100k guesses per second on consumer hardware.

21.02.2024 13:25 — 👍 1    🔁 0    💬 0    📌 0

I don’t see how a hash existence oracle could be more useful than a username existence oracle, which already exists.

The Pedersen proof thing was implemented, so it may just come down to “proof of knowledge of the actual username+discriminator” is easier to reason about / harder to fuck up

20.02.2024 23:57 — 👍 0    🔁 0    💬 0    📌 0

The current implementation code limits the discriminators to a 64-bit representable value

20.02.2024 23:51 — 👍 0    🔁 0    💬 1    📌 0

I guess the question is: What kind of adversary knows H(username, discriminator) but not username and discriminator?

20.02.2024 23:46 — 👍 0    🔁 0    💬 1    📌 0

I had considered that it also forces Alice to prove that the hash was constructed properly, but

* I don’t know why that would be important
* It doesn’t actually prove the discriminator is in the correct range, nickname is valid, etc

20.02.2024 23:43 — 👍 0    🔁 0    💬 1    📌 0

Yeah, I get that this system ensures Bob knows the hash input, but don’t see why that lends any security over knowing the hash output. Maybe they intend to use the hash for something else, and might leak it? But that could just be solved with domain separation.

20.02.2024 23:42 — 👍 0    🔁 0    💬 2    📌 0

Right, but I guess the question is “why do we want a Pedersen commitment to the nickname”

Maybe some fun future feature that needs it for more zk proofs?

Given the desire for a Pedersen commitment, the design makes sense (hash prevents brute-forcing the nickname and discriminator independently)

20.02.2024 23:37 — 👍 0    🔁 0    💬 1    📌 0

Any idea why they use this Pedersen hash

nickname*G1 + discriminator*G2 + H(nickname, discriminator)*G3

rather than just

H(nickname, discriminator)*G

along with a simple Schnorr proof?

I can’t think of any properties the former gives over the latter

20.02.2024 23:18 — 👍 0    🔁 0    💬 1    📌 0
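The two commitment forms compared in this thread, as an added example that is not part of the posts or of the system being discussed. It shows why the H(nickname, discriminator)*G3 term matters: without it, C = nickname*G1 + discriminator*G2 separates, so a table of nickname*G1 plus one subtraction per candidate discriminator recovers both inputs in |nicknames| + |discriminators| scalar multiplications, whereas with it every (nickname, discriminator) pair has to be recomputed. Assumptions: the curve is secp256k1 (the thread names none), the nickname is mapped to a scalar by hashing, and G2 and G3 are derived from G by hashing rather than by a proper hash-to-curve.

```python
import hashlib

# secp256k1 parameters, chosen for this example only; the thread names no curve.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
assert (G[1] ** 2 - G[0] ** 3 - 7) % P == 0  # G really lies on y^2 = x^3 + 7

def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % P == 0: return None
    if A == B: lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, P) % P
    else: lam = (B[1] - A[1]) * pow((B[0] - A[0]) % P, -1, P) % P
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)

def mul(k, A):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def neg(A): return None if A is None else (A[0], -A[1] % P)
def h2s(tag, *parts): return int.from_bytes(hashlib.sha256(tag + b"|".join(parts)).digest(), "big") % N

# Assumption: G2, G3 derived from G by hashing, so whoever ran this knows their discrete logs;
# a real deployment would use hash-to-curve so that nobody does.
G1, G2, G3 = G, mul(h2s(b"G2"), G), mul(h2s(b"G3"), G)

def commit_plain(nick, disc):
    """nickname*G1 + discriminator*G2 with no hash term (nickname hashed to a scalar)."""
    return add(mul(h2s(b"nick", nick), G1), mul(disc % N, G2))

def commit_hashed(nick, disc):
    """The thread's form: nickname*G1 + discriminator*G2 + H(nickname, discriminator)*G3."""
    return add(commit_plain(nick, disc), mul(h2s(b"H", nick, disc.to_bytes(8, "big")), G3))

def brute_independent(C, nicks, max_disc):
    """Meet-in-the-middle: |nicks| + max_disc scalar mults; only works if C separates as n*G1 + d*G2."""
    table = {mul(h2s(b"nick", n), G1): n for n in nicks}
    for d in range(max_disc):
        n = table.get(add(C, neg(mul(d, G2))))  # strip the candidate discriminator, look up the rest
        if n is not None: return n, d, len(nicks) + d + 1  # (nickname, discriminator, work done)

def brute_joint(C, nicks, max_disc):
    """With the H(nickname, discriminator) term every pair must be recomputed: |nicks| * max_disc."""
    for i, n in enumerate(nicks):
        for d in range(max_disc):
            if commit_hashed(n, d) == C: return n, d, i * max_disc + d + 1
```

Both search functions return None when the meet-in-the-middle or pairwise search fails, which is what happens when brute_independent is pointed at a commitment that carries the hash term.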
