-
Notifications
You must be signed in to change notification settings - Fork 48
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Predicate attack against current DEAP impl #3
Comments
I agree that a fix is needed. Will make the protocol easier to reason about if both inputs are checked to be equal. |
right. And with this attack the
it should be impossible to attack encryption/decryption circuits because the Apparently this attack does not apply to the way we impl tlsn. Do you agree with the above @sinui0 ? |
I do agree, I don't think this is a practical attack against TLSN |
This (and DEAP) will be moved to TLSNotary project. The solution is simple, the follower proves their input by simply sending their input MACs to the leader. Afterwards the leader uses it as a public input to the ZK phase. |
I just realized there is an predicate attack against our current DEAP impl we overlooked which doesn't require malicious garbling or OT to perform.
The
Follower
simply has to choose different inputs for each execution. This depends on the function in question but generally the follower can select different inputs such that:where$x$ and $y$ are the $y$ which satisfies this.
Follower
andLeader
inputs respectively. This leaks an arbitrary predicate ofThis attack is also present in standard Dual-ex, but we overlooked mitigating it. Fortunately the mitigation is relatively simple (but will require some work).
We need to implement the
CommittedReceiver
counter-part to ourCommittedSender
impl. Then during DEAP finalization, we can check that theFollower
provided the same inputs to both executions by validating their OT choices.It's still not clear whether this is something we need to mitigate for our application, the
Follower
s only input is the PMS share to the PRF and it seems that it would be infeasible to select a predicate that affects the AES-CTR circuit.The text was updated successfully, but these errors were encountered: