tl;dr: How to think clearly about domain separation in your protocols.
For hashing
Explain Aptos’s strategy.
For proof systems
A domain separator in the context of proof systems (e.g., $\Sigma$-protocols, ZK range proofs, etc.) should consist of three things¹:
- Protocol identifier, which can often be split up into:
    - higher-level protocol identifier: e.g., “Confidential Assets v1 on Aptos”
    - lower-level relation identifier: e.g., “PedEq”
- Session identifier
    - chosen by the user
    - specifies the context where this proof is valid
    - e.g., “Alice (0x1) is paying Bob (0x2) at time $t$”
    - motivation is to prevent replay attacks (e.g., PoK of SK) or cross-protocol attacks
    - this one is trickier, I think: in some settings the “session” accumulates naturally in the statement being proven
        - e.g., in Aptos Confidential Assets, the “session” is represented by the confidential balances of the users & their addresses
- Statement identifier
    - i.e., be sure to hash the public statement being proven
    - here people forget that “public parameters” are part of the statement!
    - e.g., in a Schnorr proof it is crucial to hash the generator $G$!
This suggests that a domain separator `dst` should consist of:
- a `protocol_id`
- a `session_id`
- a `statement`, which is already an argument to a proof system anyway
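As an added example (not code from this post, from Aptos, or from any $\Sigma$-protocol draft): a Schnorr proof of knowledge of a discrete log whose Fiat-Shamir challenge hashes exactly the three pieces above, a `protocol_id`, a `session_id` and the statement (generator $G$ and public key $X$), with every part length-prefixed so the encoding is unambiguous. It assumes a toy safe-prime group found at import time (far too small for real use), constructed protocol and session strings modelled on the post's examples, and a hypothetical `hash_generator=False` switch that reproduces the mistake of leaving $G$ out of the hash, so that the well-known rogue-generator forgery this enables can be run against both the buggy and the correct verifier.

```python
"""Schnorr PoK of x in X = g^x, challenge bound to protocol_id, session_id and statement.
Assumption: toy ~2^62 safe-prime group, for illustration only (hypothetical parameters)."""
import hashlib
import secrets

def _is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin (exact for n < 3.3e24 with these bases)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime_group(start: int = (1 << 62) | 1):
    """Smallest safe prime p = 2q + 1 with q >= start; returns (p, q)."""
    q = start
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = _safe_prime_group()
G = 4  # quadratic residue != 1, hence a generator of the order-q subgroup

def _i2b(x: int) -> bytes:
    return x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")

def _hash_to_scalar(*parts: bytes) -> int:
    """SHA-256 over length-prefixed parts, reduced mod q (prefixes keep it unambiguous)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return int.from_bytes(h.digest(), "big") % Q

def challenge(protocol_id: bytes, session_id: bytes, g, X: int, R: int,
              hash_generator: bool = True) -> int:
    """c = H(protocol_id, session_id, statement, R); the bug is dropping g from the statement."""
    statement = (_i2b(g), _i2b(X)) if hash_generator else (_i2b(X),)
    return _hash_to_scalar(protocol_id, session_id, *statement, _i2b(R))

def prove(protocol_id: bytes, session_id: bytes, g: int, x: int):
    """Honest prover: (R, s) with R = g^r and s = r + c*x mod q."""
    X = pow(g, x, P)
    r = secrets.randbelow(Q)
    R = pow(g, r, P)
    c = challenge(protocol_id, session_id, g, X, R)
    return R, (r + c * x) % Q

def verify(protocol_id: bytes, session_id: bytes, g: int, X: int, proof,
           hash_generator: bool = True) -> bool:
    """Accepts iff g^s == R * X^c with c recomputed under the same separator."""
    R, s = proof
    c = challenge(protocol_id, session_id, g, X, R, hash_generator)
    return pow(g, s, P) == R * pow(X, c, P) % P

def forge_rogue_generator(protocol_id: bytes, session_id: bytes, X: int):
    """No secret needed: fix R, s, then pick g' = (R * X^c)^(1/s); fails once c depends on g'."""
    R = pow(G, secrets.randbelow(Q), P)
    s = 1 + secrets.randbelow(Q - 1)  # nonzero, so invertible mod the prime q
    c = challenge(protocol_id, session_id, None, X, R, hash_generator=False)
    g_rogue = pow(R * pow(X, c, P) % P, pow(s, -1, Q), P)
    return g_rogue, (R, s)

# Constructed identifiers modelled on the post's examples (hypothetical values).
PROTOCOL_ID = b"Confidential Assets v1 on Aptos/DLogPoK"
SESSION_ID = b"Alice (0x1) is paying Bob (0x2) at time 1700000000"
OTHER_SESSION = b"Alice (0x1) is paying Carol (0x3) at time 1700000000"

def demo() -> dict:
    x = secrets.randbelow(Q)
    X = pow(G, x, P)
    proof = prove(PROTOCOL_ID, SESSION_ID, G, x)
    g_rogue, fake = forge_rogue_generator(PROTOCOL_ID, SESSION_ID, X)
    return {
        "honest": verify(PROTOCOL_ID, SESSION_ID, G, X, proof),
        "replayed_in_other_session": verify(PROTOCOL_ID, OTHER_SESSION, G, X, proof),
        "replayed_in_other_protocol": verify(b"Other protocol/DLogPoK", SESSION_ID, G, X, proof),
        "forgery_vs_unhashed_generator": verify(PROTOCOL_ID, SESSION_ID, g_rogue, X, fake, False),
        "forgery_vs_hashed_generator": verify(PROTOCOL_ID, SESSION_ID, g_rogue, X, fake),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Running `demo()` shows the three roles of the separator side by side: an honest proof is accepted, the same proof is rejected when replayed under a different `session_id` or `protocol_id`, and the rogue-generator proof (built from a public key alone by solving for a generator after fixing the challenge) is accepted by the verifier that leaves $G$ out of the hash but rejected by the one that hashes the full statement. The length prefix in `_hash_to_scalar` is the usual practitioner's guard against two different `(protocol_id, session_id, statement)` tuples concatenating to the same byte string.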
References
For cited works, see below 👇👇
¹ These are thoughts inspired from talking to Michele Orrù and reading a few of the $\Sigma$-protocol standardization drafts. ↩