# PVUGC-010: CRS Validation - Regression Check **Date:** 2025-10-28 **Original Status:** ✅ Resolved (2025-10-26) **Regression Status:** ⚠️ **REGRESSION DETECTED** (CRITICAL) **Decision Method:** 👤 Solo --- ## Mitigation Summary (from 2025-10-26 peer review) **Original Issue:** CRS validation and binding verification were underspecified in v1.0, creating risks of: - Accepting non-binding (witness-indistinguishable) CRS → GS commitment malleability - CRS substitution attacks (replace honest CRS with malicious one) - Ceremony compromise → protocol soundness break **v2.0 Mitigation (PVUGC-2025-10-20):** 1. **Explicit Binding Requirement:** Production deployments MUST use binding GS-CRS (SXDH or DLIN) 2. **Binding Verification Mechanism:** Pairing check `e(u₁, v₁) ≠ e(u₂, v₂)` to distinguish binding from WI CRS 3. **CRS Digest Pinning:** `GS_instance_digest` → `header_meta` → `arming_pkg_hash` → `ctx_hash` → KDF 4. **Multi-CRS Defense-in-Depth:** MUST use minimum 2 independent binding GS-CRS ceremonies **Peer Review Enhancements (2025-10-26):** - M2 provided canonical `ValidateCrsAndComputeDigest` algorithm with 5 stages - Comprehensive test vector suite (11 cases) - Ceremony best practices and audit trail requirements - Formal proofs of security (Theorems 1-4) **Key Security Properties:** - ✅ Non-binding CRS rejection (Theorem 2) - ✅ CRS substitution prevention (Theorem 3) - ✅ Multi-CRS defense (Theorem 4) **Citation:** `report-peer_review-2025-10-26/PVUGC-010.md`, lines 20-37, 96-136 --- ## Verification in PVUGC-2025-10-27.md ### Search Methodology **Keywords searched:** - "CRS validation", "CRS check", "validate.*CRS", "pairing check" - "binding.*CRS", "GS.*CRS", "ceremony", "ValidateCrs" - "GS_instance_digest", "instance.*digest" - "hash.*curve", "transparent", "trapdoor", "ceremony.*not", "no.*ceremony" **Sections examined:** - §6: Groth-Sahai Construction (lines 260-268) - §7: Security Properties and Assumptions (line 399) - §8: PoCE and DEM details (lines 270-309) - All references to `GS_instance_digest` (lines 81, 96, 101, 102, 205, 212, 221, 253, 276, 289, 299, 425, 433) --- ## CRITICAL FINDING: Architectural Change from Ceremony-Based to Transparent CRS ### Evidence: Complete Elimination of CRS Ceremonies **Location:** `PVUGC-2025-10-27.md §6`, line 263 **Direct Quote:** > **Transparent CRS:** Groth–Sahai commitments use a **binding CRS (two G₁ bases)** which we derive deterministically via hash-to-curve from the VK/ctx. No trapdoor or ceremony is required. The G₂ right-legs $\{Y_j\}, [\delta]_2$ and the target $R(\mathsf{vk},x)$ are **statement-only and CRS-independent**, derived directly from the Groth16 verifying key components and public inputs. Column-based arming directly arms each statement-only column without matrix aggregation. **Location:** `PVUGC-2025-10-27.md §7`, line 399 **Direct Quote:** > * **Security assumptions**: Discrete log hardness in $\mathbb{G}_2$; Groth16 soundness; **GT‑XPDH (External Power in $\mathbb{G}_T$) as in §7, Lemma 3**; Schnorr unforgeability for DLREP proofs; DEM key‑commitment. The GS binding CRS is derived transparently via hash-to-curve (no trusted setup ceremony needed for GS, unlike Groth16 itself). **Location:** `PVUGC-2025-10-27.md §2`, line 49 (NUMS derivation example) **Direct Quote:** > * **Key‑path**: internal key is a public point with unknown discrete log (NUMS) so only script‑path is usable (a social burn of the key path). Derive deterministically (cycle‑free), using IETF hash‑to‑curve (simplified‑SWU) for secp256k1 with domain tag `"PVUGC/NUMS"` and canonical encodings: > ``` > Q_nums <- hash_to_curve("PVUGC/NUMS" || vk_hash || H(x) || tapleaf_hash || tapleaf_version || epoch_nonce) > ``` --- ## Regression Analysis ### What Changed: Fundamental Architectural Shift **v2.0 Approach (PVUGC-2025-10-20):** ``` CRS Source: Multi-party computation (MPC) ceremony Generation: Independent ceremonies with multiple participants Validation: ValidateCrsAndComputeDigest algorithm (5 stages) Security: Threshold trust (1-out-of-n honest participant) Defense: Multi-CRS AND-ing (minimum 2 ceremonies) Mechanism: 1. Parse CRS structure 2. Subgroup and identity checks 3. Binding property check: e(u₁, v₁) ≠ e(u₂, v₂) 4. Canonical digest computation 5. Return ACCEPT/REJECT Trust Model: Procedural (ceremony-based) Cryptographic Enforcement: Pairing check + digest pinning ``` **v2.7 Approach (PVUGC-2025-10-27):** ``` CRS Source: Deterministic hash-to-curve derivation Generation: hash_to_curve("domain_tag" || vk_hash || H(x) || ...) Validation: NONE (derivation is deterministic from public inputs) Security: No trapdoor possible (random oracle model) Defense: Optional multi-CRS (SHOULD, not MUST) Mechanism: Derive G₁ bases via hash-to-curve from (VK, ctx) → Binding by construction (random oracle heuristic) → No pairing check needed → No ceremony needed → No digest validation needed Trust Model: Cryptographic (hash-to-curve soundness) Cryptographic Enforcement: Random oracle assumption ``` --- ### Security Implications: Assessment #### Eliminated Components (from v2.0) **1. CRS Ceremony Requirements (§93 in PVUGC-010 recommendations)** - ❌ Multi-CRS independence criteria (5 requirements) - ❌ Participant recruitment and separation - ❌ Ceremony best practices (randomness sources, audit trails) - ❌ Transcript publication and verification - ❌ 7-day community verification period - **Status:** Completely eliminated (no longer applicable) **2. ValidateCrsAndComputeDigest Algorithm (§92 in PVUGC-010 recommendations)** - ❌ Stage 1: Parse CRS structure - ❌ Stage 2: Subgroup and identity checks - ❌ Stage 3: Binding property check `e(u₁, v₁) ≠ e(u₂, v₂)` - ❌ Stage 4: Canonical digest computation - ❌ Stage 5: Accept/Reject decision - **Status:** Completely eliminated (no CRS to validate) **3. CRS Digest Pinning Chain** - ⚠️ **PARTIALLY PRESENT:** `GS_instance_digest` still exists in protocol - ✅ **PRESENT:** `GS_instance_digest` → `header_meta` → `ctx_hash` → KDF (lines 81, 96, 101, 205, 212, 221, 253, 276, 289, 299, 425, 433) - ❓ **UNCLEAR:** What exactly is `GS_instance_digest` now? (hash of VK/ctx derivation parameters?) - **Status:** Mechanism present but purpose/content changed **4. Multi-CRS Defense-in-Depth** - ⚠️ **DOWNGRADED:** From MUST to SHOULD (line 102, 264) - Original: "Production deployments MUST use at least 2 independent binding GS-CRS ceremonies" - v2.7: "implementations MAY verify multiple independent PPE formulations (logical AND)" (line 102) - v2.7: "implementations MAY use multiple independent arming approaches" (line 264) - **Status:** Changed from mandatory to optional **5. Test Vectors and Reference Implementation** - ❌ 11 comprehensive test vectors (no longer applicable) - ❌ Reference Rust implementation of ValidateCrsAndComputeDigest - ❌ pvugc-verify-crs CLI tool - ❌ Ceremony tooling and transcript verification - **Status:** Completely eliminated (no longer applicable) --- #### New Security Model: Transparent CRS via Hash-to-Curve **Theoretical Basis:** - **Random Oracle Model:** hash-to-curve produces "random" group elements - **Binding by Construction:** Random bases are binding with overwhelming probability - **No Trapdoor:** Deterministic derivation prevents trapdoor knowledge - **Public Verifiability:** Anyone can recompute CRS from (VK, ctx) **Security Assumptions:** 1. Hash-to-curve (simplified-SWU or similar) produces uniformly random G₁ elements 2. Random G₁ bases form a binding CRS with probability ≈ 1 - negl(λ) 3. No adversary can find hash collisions to force non-binding structure 4. Domain separation tags prevent cross-protocol attacks **Comparison to v2.0:** | Property | v2.0 (Ceremony) | v2.7 (Transparent) | Assessment | |----------|-----------------|--------------------|-----------| | **Binding CRS** | Enforced via pairing check | Assumed via random oracle | ⚠️ Weaker (assumption vs. verification) | | **Trapdoor-Free** | 1-out-of-n honest | Random oracle soundness | ✅ Stronger (no trust required) | | **CRS Substitution** | Prevented via digest pinning | Prevented via deterministic derivation | ✅ Equivalent (both bind CRS to context) | | **Verifiability** | Public ceremony transcript | Public recomputation from (VK, ctx) | ✅ Stronger (fully transparent) | | **Setup Complexity** | High (multi-party ceremony) | Low (deterministic hash) | ✅ Simpler operationally | | **Ceremony Compromise** | Requires 1 honest participant | N/A (no ceremony) | ✅ Eliminates attack surface | | **Implementation Bugs** | ValidateCrs bugs → accept WI CRS | Hash-to-curve bugs → non-uniform bases | ⚠️ Different attack surface | | **Standard Assumptions** | SXDH + pairing soundness | Random oracle + hash-to-curve | ⚠️ Stronger assumptions (ROM) | --- ### Cryptographic Assessment: Is This a Regression? #### Arguments AGAINST Regression (Transparent CRS May Be Superior) **1. Eliminates Ceremony Trust Requirements** - v2.0 requires 1-out-of-n honest ceremony participants - v2.7 requires no trusted setup for GS CRS (only Groth16 VK still needs ceremony) - **Benefit:** Reduces attack surface (no ceremony to compromise) **2. Full Transparency and Public Verifiability** - v2.0: Ceremony transcript + binding verification (procedural) - v2.7: Anyone can recompute CRS from (VK, ctx) (cryptographic) - **Benefit:** No reliance on ceremony audit trails **3. Operational Simplicity** - v2.0: Multi-party ceremony coordination (complex, error-prone) - v2.7: Deterministic derivation (simple, reproducible) - **Benefit:** Lower operational risk **4. Standards-Based Approach** - Hash-to-curve is IETF standard (RFC 9380) - Random oracle heuristic is well-established in cryptography - **Benefit:** Leverages extensively analyzed primitives **5. Binding by Construction (with High Probability)** - Random G₁ bases form binding CRS with probability ≈ 1 - 1/|G₁| - For BLS12-381, |G₁| ≈ 2^255, so Pr[non-binding] ≈ 2^(-255) (negligible) - **Benefit:** Cryptographic guarantee (under ROM) vs. procedural guarantee --- #### Arguments FOR Regression (Transparent CRS Introduces New Risks) **1. Stronger Cryptographic Assumptions** - v2.0: SXDH + pairing soundness (standard assumptions) - v2.7: Random oracle model + hash-to-curve soundness (heuristic) - **Risk:** ROM is not a real-world model, hash-to-curve implementations can have bugs **2. Loss of Explicit Binding Verification** - v2.0: Pairing check `e(u₁, v₁) ≠ e(u₂, v₂)` explicitly verifies binding property - v2.7: No explicit check (binding assumed from random oracle) - **Risk:** Implementation bugs in hash-to-curve could produce non-binding CRS undetected **3. Hash-to-Curve Implementation Complexity** - Hash-to-curve (simplified-SWU, etc.) is complex to implement correctly - Side-channel attacks on hash-to-curve implementations - Non-uniform sampling bugs could bias CRS structure - **Risk:** New implementation attack surface replaces ceremony attack surface **4. No Defense-in-Depth Against Hash Function Weaknesses** - v2.0: Multi-CRS AND-ing provides redundancy - v2.7: Multi-arming approaches are SHOULD (optional), not MUST - **Risk:** Single hash function weakness compromises all CRS **5. Elimination of M2's Canonical Algorithm and Test Vectors** - v2.0: Comprehensive validation algorithm with formal verification - v2.7: No validation needed (but also no test coverage for hash-to-curve correctness) - **Risk:** Loss of extensive test infrastructure that caught implementation bugs **6. Implicit Domain Separation** - v2.0: Explicit domain separation in digest computation ("PVUGC/GS-CRS/v1") - v2.7: Domain separation implicit in hash-to-curve tag (if any) - **Risk:** Cross-protocol attacks if domain tags not carefully designed --- ### Standards Framework Compliance Assessment **Relevant Framework Sections:** - §2.1: Normative Language Requirements - §2.2: Security Property Specifications - §3.1: Cryptographic Primitive Standards - §3.2: Random Number Generation - §4.1: Implementation Guidance - §5.1: Test Coverage Requirements #### §2.1: Normative Language Requirements **v2.0 Compliance:** - ✅ MUST: "Production deployments MUST use binding GS-CRS" - ✅ MUST: "Runtime MUST reject non-binding CRS via pairing check" - ✅ MUST: "Minimum 2 independent binding GS-CRS ceremonies" **v2.7 Compliance:** - ✅ MUST: "GS binding CRS is derived transparently via hash-to-curve" (implicit MUST) - ⚠️ SHOULD: "implementations MAY verify multiple independent PPE formulations" (downgraded) - ❌ Missing: No explicit MUST requirements for hash-to-curve implementation correctness **Assessment:** ⚠️ **PARTIAL REGRESSION** - Binding requirement present but verification removed, multi-CRS downgraded from MUST to MAY --- #### §2.2: Security Property Specifications **v2.0 Properties:** - ✅ **Binding Property:** Explicitly verified via pairing check (Theorem 1) - ✅ **WI Rejection:** Non-binding CRS rejected deterministically (Theorem 2) - ✅ **CRS Binding:** Substitution prevented via digest chain (Theorem 3) - ✅ **Multi-CRS Security:** 1-honest-out-of-n per ceremony (Theorem 4) **v2.7 Properties:** - ⚠️ **Binding Property:** Assumed via random oracle heuristic (no explicit verification) - ⚠️ **WI Rejection:** N/A (derivation produces binding CRS with high probability, but no check) - ✅ **CRS Binding:** Still present via `GS_instance_digest` in context chain - ⚠️ **Multi-CRS Security:** Optional (MAY/SHOULD), not mandatory (MUST) **Assessment:** ⚠️ **PARTIAL REGRESSION** - Core binding property no longer explicitly verified --- #### §3.1: Cryptographic Primitive Standards **v2.0 Primitives:** - ✅ BLS12-381 curve (IETF standard, well-analyzed) - ✅ SHA-256 digest (NIST standard) - ✅ Pairing operations (Type-3, established) - ✅ Groth-Sahai commitments (EUROCRYPT 2008, peer-reviewed) **v2.7 Primitives:** - ✅ BLS12-381 curve (unchanged) - ✅ SHA-256 / Poseidon2 (present) - ⚠️ **Hash-to-curve:** IETF RFC 9380 (standard), but requires careful implementation - ⚠️ **Random Oracle Model:** Heuristic assumption (not a standard in same sense as SHA-256) **Assessment:** ⚠️ **DIFFERENT RISK PROFILE** - Replaced pairing-based verification with hash-to-curve derivation --- #### §4.1: Implementation Guidance **v2.0 Guidance:** - ✅ Canonical ValidateCrsAndComputeDigest algorithm (5 stages) - ✅ Reference Rust implementation - ✅ Constant-time comparison requirements - ✅ G2 cofactor clearing (h₂ ≈ 2^128) - ✅ Ceremony best practices (3-phase MPC) **v2.7 Guidance:** - ❌ **Missing:** No specification of which hash-to-curve algorithm to use - ❌ **Missing:** No domain separation tag specification for GS CRS derivation - ❌ **Missing:** No test vectors for hash-to-curve correctness - ❌ **Missing:** No reference implementation - ⚠️ **Generic:** "IETF hash-to-curve" mentioned but not specified for GS CRS (only NUMS key-path) **Assessment:** ❌ **CRITICAL REGRESSION** - Complete loss of implementation guidance --- #### §5.1: Test Coverage Requirements **v2.0 Test Coverage:** - ✅ 11 comprehensive test vectors (5 categories) - ✅ Structural validation (3 vectors) - ✅ Identity and small-order points (2 vectors) - ✅ Binding property (2 vectors) - ✅ Digest computation (2 vectors) - ✅ Edge cases and side-channels (2 vectors) **v2.7 Test Coverage:** - ❌ **No test vectors provided** - ❌ **No hash-to-curve test cases** - ❌ **No domain separation verification** - ❌ **No non-uniformity detection tests** **Assessment:** ❌ **CRITICAL REGRESSION** - Complete loss of test infrastructure --- ## Regression Decision ### Result: ⚠️ **REGRESSION DETECTED** (CRITICAL) ### Reasoning While the **architectural change to transparent CRS via hash-to-curve** may have **theoretical advantages** (eliminates ceremony trust requirements, full transparency, operational simplicity), the **v2.7 specification exhibits CRITICAL REGRESSIONS in implementation guidance and verification**: #### Critical Deficiencies **1. Zero Implementation Specification (BLOCKER)** - ❌ No specification of hash-to-curve algorithm for GS CRS derivation - ❌ No domain separation tags defined - ❌ No derivation formula (inputs, outputs, exact procedure) - ❌ No test vectors - ❌ No reference implementation **Current spec only says:** "derive deterministically via hash-to-curve from the VK/ctx" (line 263) **Missing:** WHICH hash-to-curve? (simplified-SWU, Elligator2, Ristretto?) FROM WHAT INPUTS EXACTLY? WITH WHAT DOMAIN TAG? **2. Loss of Explicit Binding Verification (HIGH RISK)** - v2.0: Pairing check `e(u₁, v₁) ≠ e(u₂, v₂)` explicitly verifies binding property - v2.7: No verification (binding assumed via random oracle) - **Risk:** Implementation bugs in hash-to-curve produce non-binding CRS undetected **3. Downgrade of Multi-CRS Defense (MODERATE RISK)** - v2.0: "Production deployments MUST use at least 2 independent binding GS-CRS ceremonies" - v2.7: "implementations MAY verify multiple independent PPE formulations" (line 102, SHOULD) - **Risk:** Single hash function weakness compromises all CRS, no redundancy **4. No Defense Against Hash-to-Curve Implementation Bugs (HIGH RISK)** - v2.0: ValidateCrsAndComputeDigest detects malformed CRS before use - v2.7: No validation step → bugs silently produce weak CRS - **Risk:** Non-uniform sampling, small-subgroup points, identity elements undetected --- ### Severity Classification **Type of Regression:** 🔴 **Specification Underspecification** (Implementation Blocker) **Impact:** - 🔴 **CRITICAL:** No implementable specification for CRS derivation - 🔴 **CRITICAL:** No test vectors → implementations will diverge - 🟠 **HIGH:** Loss of binding verification → accept weak CRS undetected - 🟡 **MEDIUM:** Multi-CRS downgraded from MUST to SHOULD → less defense-in-depth **Comparison to Original PVUGC-010 v1.0 Issue:** - v1.0 Issue: "Tag mechanism completely unspecified" (lines 78-83 of PVUGC-010) - v2.7 Regression: "Hash-to-curve derivation completely unspecified" (similar underspecification) - **Assessment:** v2.7 has returned to a similar level of underspecification as v1.0 --- ### Gaps Requiring Resolution #### Gap 1: Hash-to-Curve Algorithm Specification (BLOCKER) **Required:** ```markdown §X) GS-CRS Transparent Derivation (MUST) Implementations MUST derive the binding GS-CRS (two G₁ bases u₁, u₂) using the following deterministic algorithm: **Algorithm:** DeriveBindingCRS(vk_hash, public_inputs_hash, ctx_hash) **Inputs:** - vk_hash: SHA-256 digest of Groth16 verifying key - public_inputs_hash: SHA-256 digest of public inputs (x) - ctx_hash: Context hash from protocol **Outputs:** - (u₁, u₂): Two G₁ basis vectors for binding CRS **Procedure:** 1. Compute domain separation tag: tag = "PVUGC/GS-CRS-BINDING/v1" 2. Derive first basis vector: seed₁ = SHA-256(tag || "u1" || vk_hash || public_inputs_hash || ctx_hash) u₁ = hash_to_curve_G1(seed₁) using simplified-SWU (IETF RFC 9380) 3. Derive second basis vector: seed₂ = SHA-256(tag || "u2" || vk_hash || public_inputs_hash || ctx_hash) u₂ = hash_to_curve_G1(seed₂) using simplified-SWU (IETF RFC 9380) 4. Verify independence (MUST): - Check u₁ ≠ u₂ - Check u₁ ≠ identity - Check u₂ ≠ identity - Check u₁ not scalar multiple of u₂ (via cross-ratio test or DLOG impossibility) 5. Compute GS_instance_digest: GS_instance_digest = SHA-256("PVUGC/GS-DIGEST/v1" || ser(u₁) || ser(u₂) || tag) 6. Return (u₁, u₂, GS_instance_digest) **Implementation Requirements:** - MUST use simplified-SWU hash-to-curve per IETF RFC 9380 §6.6.3 - MUST use BLS12-381 curve parameters - MUST use compressed point encoding - MUST perform subgroup checks (G₁ cofactor h₁=1, automatic) - MUST use constant-time operations where applicable - MUST reject identity elements **Test Vectors:** [Provide 5 test vectors with known inputs → expected outputs] ``` **Acceptance Criteria:** - [ ] Exact hash-to-curve algorithm specified (simplified-SWU, Elligator2, etc.) - [ ] Domain separation tags defined - [ ] Input format specified (vk_hash, x_hash, ctx_hash) - [ ] Independence checks specified (u₁ ≠ u₂, not scalar multiples) - [ ] GS_instance_digest computation defined - [ ] Test vectors provided (minimum 5) - [ ] Reference implementation available --- #### Gap 2: Binding Property Verification (DEFENSE-IN-DEPTH) **Recommendation:** ```markdown §X+1) Optional Binding Verification (SHOULD) While transparent CRS derivation produces binding CRS with overwhelming probability (≈ 1 - 2^(-255)), implementations SHOULD perform explicit binding verification as defense-in-depth: **Verification Check:** 1. Derive (u₁, u₂) per §X 2. Compute auxiliary group elements: v₁ = hash_to_curve_G2(SHA-256("PVUGC/GS-CRS-DUAL/v1" || "v1" || ser(u₁))) v₂ = hash_to_curve_G2(SHA-256("PVUGC/GS-CRS-DUAL/v1" || "v2" || ser(u₂))) 3. Compute pairings: p₁ = e(u₁, v₁) p₂ = e(u₂, v₂) 4. Verify binding: IF p₁ == p₂ THEN REJECT (non-binding CRS detected) ELSE ACCEPT **Rationale:** This check detects catastrophic hash-to-curve implementation bugs (e.g., non-uniform sampling, fixed points) that could produce non-binding CRS despite random oracle assumption. **Performance:** - 2 pairing operations: ~5-10ms - Run once during setup (amortized cost negligible) ``` **Acceptance Criteria:** - [ ] Optional binding verification specified - [ ] Pairing-based check defined (similar to v2.0 ValidateCrs Stage 3) - [ ] Rationale provided (defense-in-depth against implementation bugs) --- #### Gap 3: Multi-CRS Guidance (RESTORE DEFENSE-IN-DEPTH) **Recommendation:** ```markdown §X+2) Multi-CRS Defense (SHOULD → MUST for Critical Deployments) **Recommendation for Critical Deployments:** For high-value or critical deployments, implementations MUST use multiple independent hash-to-curve derivations (logical AND): **Multi-CRS Derivation:** 1. Derive CRS₁ with domain tag "PVUGC/GS-CRS-BINDING/v1/instance1" 2. Derive CRS₂ with domain tag "PVUGC/GS-CRS-BINDING/v1/instance2" 3. Perform GS attestations under both CRS 4. Verify both PPE checks (logical AND) 5. Combine KEM keys: M_i^{AND} = ser_GT(M_i^(1)) || ser_GT(M_i^(2)) K_i = Poseidon2(M_i^{AND} || H_bytes(ctx_hash) || GS_instance_digest) **Security Benefit:** Protects against: - Hash function weaknesses (collision resistance break) - Hash-to-curve implementation bugs in single instance - Non-uniformity in single derivation **Overhead:** - 2x GS attestation computation (arming-time) - 2x PPE verification (decapping-time) - Typically acceptable for critical deployments ``` **Acceptance Criteria:** - [ ] Multi-CRS guidance upgraded from MAY to MUST for critical deployments - [ ] Multiple domain tags specified for independent derivations - [ ] AND-of-2 construction detailed - [ ] Security benefit and overhead trade-off explained --- #### Gap 4: Test Vectors for Hash-to-Curve Correctness **Recommendation:** ```markdown §X+3) Test Vectors (Normative) Implementations MUST pass the following test vectors to ensure hash-to-curve correctness: **Test Vector 1: Basic CRS Derivation** Input: vk_hash = 0xabc123... x_hash = 0xdef456... ctx_hash = 0x789abc... Expected Output: u₁ = 0x17f1d3a73197d7942695638c4fa9ac0fc3688c4f9774b905a14e3a3f171bac586c55e83ff97a1aeffb3af00adb22c6bb u₂ = 0x08b3f481e3aaa0f1a09e30ed741d8ae4fcf5e095d5d00af600db18cb2c04b3edd03cc744a2888ae40caa232946c5e7e1 GS_instance_digest = 0x... **Test Vector 2: Independence Check** [Test that u₁ ≠ u₂] **Test Vector 3: Non-Identity Check** [Test that u₁, u₂ ≠ identity] **Test Vector 4: Binding Verification (Optional)** [Test pairing check p₁ ≠ p₂] **Test Vector 5: Multi-CRS Derivation** [Test AND-of-2 with different domain tags] [Total: 5 test vectors covering all critical paths] ``` **Acceptance Criteria:** - [ ] 5 comprehensive test vectors provided - [ ] Known inputs → expected outputs for bit-exact verification - [ ] Coverage of basic derivation, independence, identity, binding, multi-CRS - [ ] Reference implementation that passes all test vectors --- ## Comparison to v2.0 (PVUGC-2025-10-20) **v2.0 Specification Quality:** - ✅ Explicit binding requirement (§89-91) - ✅ Pairing check specified - ✅ Multi-CRS MUST requirement - ✅ Digest pinning mechanism detailed - ⚠️ M2's canonical algorithm in peer review (not in main spec) - ⚠️ Test vectors in peer review (not in main spec) **v2.7 Specification Quality:** - ✅ Transparent CRS approach (no ceremony needed) - ✅ Digest pinning mechanism preserved (GS_instance_digest) - ⚠️ Multi-CRS downgraded to SHOULD - ❌ No hash-to-curve algorithm specification - ❌ No domain separation tags - ❌ No test vectors - ❌ No reference implementation - ❌ No binding verification **Verdict:** v2.7 has **better theoretical foundations** (eliminates ceremony) but **worse specification completeness** (no implementation details). --- ## Production Readiness Assessment ### Can PVUGC-010 be Considered "Resolved" in v2.7? **NO** - The following BLOCKERS prevent production deployment: #### BLOCKER 1: Unimplementable Specification - ❌ "derive deterministically via hash-to-curve from the VK/ctx" (line 263) - ❌ No specification of which hash-to-curve algorithm - ❌ No specification of input format (what exactly is "VK/ctx"?) - ❌ No domain separation tags - ❌ No test vectors - **Impact:** Two independent implementers will produce INCOMPATIBLE implementations #### BLOCKER 2: No Interoperability Assurance - ❌ No test vectors → implementations cannot verify correctness - ❌ No reference implementation → no ground truth - ❌ No binding verification → weak CRS undetected - **Impact:** Deployment will fail when armers use different derivations #### BLOCKER 3: No Security Validation - ❌ No formal analysis of hash-to-curve security in this context - ❌ No proof that random oracle assumption ensures binding property - ❌ No analysis of domain separation requirements - ❌ No threat model for hash-to-curve implementation bugs - **Impact:** Unknown security properties --- ## Required Actions for Resolution ### Immediate (Week 1-2) - BLOCKERS **1. Specify Hash-to-Curve Algorithm (Gap 1)** - Add §X "GS-CRS Transparent Derivation" to specification - Define exact algorithm: simplified-SWU per RFC 9380 - Specify domain separation tags - Define input format (vk_hash, x_hash, ctx_hash) - Specify independence checks **2. Provide Test Vectors (Gap 4)** - Generate 5 test vectors for hash-to-curve correctness - Publish in specification as normative reference - Include bit-exact expected outputs - Cover basic derivation, independence, identity, binding, multi-CRS **3. Reference Implementation** - Implement DeriveBindingCRS in Rust - Pass all 5 test vectors - Publish as reference for interoperability --- ### Short-Term (Week 3-6) - DEFENSE-IN-DEPTH **4. Optional Binding Verification (Gap 2)** - Add §X+1 "Optional Binding Verification" - Specify pairing-based check as defense-in-depth - Provide rationale (detect hash-to-curve bugs) **5. Multi-CRS Guidance (Gap 3)** - Restore MUST requirement for critical deployments - Specify multiple domain tags for independent derivations - Detail AND-of-2 construction --- ### Medium-Term (Week 7-12) - FORMAL ANALYSIS **6. Security Proof for Transparent CRS** - Prove that random oracle assumption ensures binding property - Analyze collision resistance requirements - Threat model for hash-to-curve implementation bugs - Reduction to standard assumptions (SXDH, ROM) **7. Implementation Security Review** - Audit hash-to-curve implementation (side-channels, non-uniformity) - Verify constant-time properties - Fuzz test for edge cases --- ## Acceptance Criteria for "No Regression" To restore PVUGC-010 to ✅ **No Regression** status, v2.7 MUST address: ### Phase 1: Specification (REQUIRED) - [ ] Hash-to-curve algorithm fully specified (Gap 1) - [ ] Domain separation tags defined - [ ] Input format specified (vk_hash, x_hash, ctx_hash) - [ ] Independence checks specified - [ ] Test vectors provided (minimum 5) - [ ] GS_instance_digest computation defined ### Phase 2: Implementation (REQUIRED) - [ ] Reference implementation available - [ ] Reference implementation passes all test vectors - [ ] Interoperability validated (2+ independent implementations agree) ### Phase 3: Security (RECOMMENDED) - [ ] Optional binding verification specified (Gap 2) - [ ] Multi-CRS guidance for critical deployments (Gap 3) - [ ] Security proof for transparent CRS approach - [ ] Implementation security review completed --- ## Conclusion **v2.7 (PVUGC-2025-10-27) exhibits a CRITICAL REGRESSION from v2.0 (PVUGC-2025-10-20) in PVUGC-010 (CRS Validation):** ### What Was Lost (from v2.0) 1. ❌ ValidateCrsAndComputeDigest canonical algorithm (5 stages) 2. ❌ Explicit binding verification (pairing check) 3. ❌ Multi-CRS MUST requirement (downgraded to SHOULD) 4. ❌ 11 comprehensive test vectors 5. ❌ Reference implementation (Rust) 6. ❌ Ceremony best practices and tooling 7. ❌ Complete implementation guidance ### What Was Gained (in v2.7) 1. ✅ Elimination of ceremony trust requirements (no MPC needed) 2. ✅ Full transparency (deterministic derivation from public inputs) 3. ✅ Operational simplicity (no ceremony coordination) 4. ✅ Standards-based approach (IETF hash-to-curve) ### Net Assessment **The architectural change to transparent CRS is theoretically sound and potentially superior**, BUT **the specification is critically underspecified and unimplementable**. **v2.7 has returned to the same type of underspecification that PVUGC-010 v1.0 identified**: "mechanism completely unspecified, no implementation guidance, no test vectors." **Status:** ⚠️ **REGRESSION DETECTED** - The improved architecture does NOT compensate for the loss of implementation completeness. The specification is **currently unimplementable** and requires **immediate remediation** of Gaps 1-4 before production deployment. --- **Regression Severity:** 🔴 **CRITICAL** (Implementation Blocker) **Recommended Path:** 1. Address Gaps 1 and 4 IMMEDIATELY (hash-to-curve specification + test vectors) 2. Conduct Stage 1 verdict evaluation (ALL 4 issues must be ✅ No Regression to proceed to Stage 2) 3. If remediation is planned: Document timeline and acceptance criteria 4. If architectural decision is final: Update PVUGC-010 status to reflect new approach --- **Evidence Chain:** - `PVUGC-2025-10-27.md §6`, line 263: Transparent CRS statement - `PVUGC-2025-10-27.md §7`, line 399: "no trusted setup ceremony needed for GS" - `PVUGC-2025-10-27.md §8`, lines 81, 96, 101, 102, 205, 212, 221, 253, 276, 289, 299: GS_instance_digest preserved - `PVUGC-2025-10-27.md §2`, line 49: Hash-to-curve example (NUMS key-path) - `report-peer_review-2025-10-26/PVUGC-010.md`, lines 96-136: v2.0 mitigation details - `report-peer_review-2025-10-26/PVUGC-010.md`, lines 137-232: M2's canonical algorithm (now eliminated) --- END OF REGRESSION CHECK REPORT