You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Sharding the Hybrid protocol demonstrated that there exist more than one place where shards require coordinated randomness or shared data. For example: malicious shuffle requires shared MAC keys to properly shuffle inputs across many shards. Same goes for OPRF computation - all shards require access to the same key to mask values and produce consistent OPRF value across many shards.
While this problem was solved in #1394 by distributing keys from the leader shard and later attempted to be solved for PRF in #1408 by doing the same, it is not 100% clear where this method is actually secure. Yes, the threat model assumes shards can see each other's data, but the implications of sending secret data over network have never been properly analysed.
Note that to avoid code duplication and errors implementing custom key exchanges, we steered towards vending a shared PRSS (#1410) instance to protocols but it may have the same security issue as it requires key exchange. Although it may be easier to fix in one place
The text was updated successfully, but these errors were encountered:
Sharding the Hybrid protocol demonstrated that there exist more than one place where shards require coordinated randomness or shared data. For example: malicious shuffle requires shared MAC keys to properly shuffle inputs across many shards. Same goes for OPRF computation - all shards require access to the same key to mask values and produce consistent OPRF value across many shards.
While this problem was solved in #1394 by distributing keys from the leader shard and later attempted to be solved for PRF in #1408 by doing the same, it is not 100% clear where this method is actually secure. Yes, the threat model assumes shards can see each other's data, but the implications of sending secret data over network have never been properly analysed.
Note that to avoid code duplication and errors implementing custom key exchanges, we steered towards vending a shared PRSS (#1410) instance to protocols but it may have the same security issue as it requires key exchange. Although it may be easier to fix in one place
The text was updated successfully, but these errors were encountered: