Dmitry Khovratovich has completed the audit of our proof of custody construction. The highlights are:
- He improved the previous best algorithm for key recovery from the Legendre PRF to O(sqrt(p) log p) from O(p log p) previously. He published a paper about it here. This is a nice improvement on the previous algorithms but not very worrying for us as his attack is only very effective for a very large number (O(sqrt(p))) of queries, whereas we expose a tiny number. For a smaller number of queries M, the time complexity resolves to O(p log M/M).
- He found several problems that make the proof of custody independent from the validator keys by carefully crafting the blocks. This is indeed a problem of the construction I originally suggested, but he suggested a very nice remedy in the form of a polynomial Universal Hash Function that provably fixes this problem and stays very close to the current framework
Audit report:Legendre (7).pdf
Suggested updated construction: legendre_proof_of_custody_uhf.pdf
Also: At Crypto'19, we announced some bounties for breaking the Legendre PRF that can be found here: https://legendreprf.org/bounties
Dmitry Khovratovich has completed the audit of our proof of custody construction. The highlights are:
Audit report:Legendre (7).pdf
Suggested updated construction: legendre_proof_of_custody_uhf.pdf
Also: At Crypto'19, we announced some bounties for breaking the Legendre PRF that can be found here: https://legendreprf.org/bounties