Hi, and thanks for your talk at the NIST STPPA workshop.
I'm curious about the curve and hash-to-curve functions used in MiniPSI. If I understand the code correctly, MiniPSI's hash-to-curve is implemented as H(x) = EccPoint::randomize(hash(x)), which in turn computes g^hash(x). This is not a random oracle, and doesn't work for at least DDH-based PSI, and I would suspect most other PSI as well: from g^a, you can easily compute H(x)^a and vice versa, which enables a dictionary attack on the PSI protocol.
But maybe I'm misreading the code here?
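The algebra behind the question above, written as a regression check (an added example, not part of the original post and not MiniPSI code). It assumes a toy multiplicative group modulo the RFC 2409 Oakley Group 1 safe prime instead of MiniPSI's elliptic curve; all function names are hypothetical, and the hash-then-square map stands in for a proper hash-to-curve map such as those in RFC 9380.

```python
import hashlib
import secrets

# Toy group (assumption): order-Q subgroup of Z_P^*, P = RFC 2409 Oakley Group 1
# safe prime, generator G = 2. MiniPSI itself works on an elliptic curve.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 2

def h_scalar(item: bytes) -> int:
    """Public hash of an item to an exponent in [1, Q-1]."""
    return int.from_bytes(hashlib.sha256(item).digest(), "big") % (Q - 1) + 1

def weak_hash_to_group(item: bytes) -> int:
    """The construction questioned in the post: H(x) = g^hash(x)."""
    return pow(G, h_scalar(item), P)

def sound_hash_to_group(item: bytes) -> int:
    """Hash into Z_P^*, then square into the order-Q subgroup; no exponent is known."""
    wide = hashlib.shake_256(b"h2g:" + item).digest(128)  # 1024 bits, wider than P
    return pow(int.from_bytes(wide, "big") % (P - 3) + 2, 2, P)

def mask_without_key(pub: int, item: bytes) -> int:
    """What anyone holding g^a can compute: (g^a)^hash(x)."""
    return pow(pub, h_scalar(item), P)

def pub_from_masked(masked: int, item: bytes) -> int:
    """The 'vice versa': g^a from H(x)^a for a known x, via hash(x)^-1 mod Q."""
    return pow(masked, pow(h_scalar(item), -1, Q), P)

def leaks_masks(hash_to_group, items, trials: int = 4) -> bool:
    """Regression check: True if g^a alone reproduces H(x)^a for every item."""
    for _ in range(trials):
        a = secrets.randbelow(Q - 1) + 1  # secret PSI exponent
        pub = pow(G, a, P)
        if any(mask_without_key(pub, x) != pow(hash_to_group(x), a, P) for x in items):
            return False
    return True

ITEMS = [b"alice@example.com", b"bob@example.com"]  # constructed sample set
```

`leaks_masks` can be run in a test suite against any candidate hash-to-group function: it returns True only when the masked values are computable from g^a alone, which is the property that rules a construction out for DDH-based PSI.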