Currently, for N bits of the key used as the path part, we apply the constraint: `resident * 2^N + path`
The path part is constrained to be less than 2^N, but we have no constraint on `resident`, so a malicious provider could easily manufacture a field element that sets part of its low N bits non-zero when multiplied by 2^N, so as to detour the path part.
To resolve this issue, an additional constraint restricting `resident * 2^N` to less than Fp is required. A simple way is to constrain `resident` to be not larger than 2^128 and N to be less than a suitable value, for example, 120. (Considering we have as many as 2^48 keys, we need ~100 bits, or say 2^100 slots available, to keep the chance of collision low enough according to the birthday principle.)
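The check described above, as an added example that is not code from the project: it evaluates the decomposition constraint in a prime field with and without the proposed bound on `resident`, and shows that only the bounded form pins a key to a single path. The modulus (BN254 scalar field), the sample key and all function names are assumptions; the page only says "Fp".

```python
# Added example. P is an assumed modulus (BN254 scalar field, ~2^254);
# N and the 2^128 bound are the values suggested in the text above.
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617
N = 120
RESIDENT_BOUND = 1 << 128

# Constructed sample key, below 2^248 so the honest resident fits the bound.
KEY = (0x1234567890ABCDEF << N) | 0xDEADBEEF


def honest_split(key, n=N):
    """Integer decomposition of key into (resident, path)."""
    return key >> n, key & ((1 << n) - 1)


def holds_in_field(key, resident, path, n=N):
    """Constraint as currently applied: only path is range-checked,
    and the equality is evaluated modulo P."""
    return path < (1 << n) and (resident * (1 << n) + path) % P == key % P


def holds_with_range_check(key, resident, path, n=N):
    """Same constraint plus the proposed bound on resident.
    resident < 2^128 and n <= 120 give resident * 2^n + path < 2^248 < P,
    so the sum never wraps and the decomposition is unique."""
    return resident < RESIDENT_BOUND and holds_in_field(key, resident, path, n)


def resident_for(key, path, n=N):
    """Field element that makes the unbounded constraint hold for any path."""
    return (key - path) * pow(1 << n, -1, P) % P


if __name__ == "__main__":
    res, path = honest_split(KEY)
    other_path = path ^ 1                      # any path other than the real one
    other_res = resident_for(KEY, other_path)
    print("honest witness, no bound :", holds_in_field(KEY, res, path))
    print("other path, no bound     :", holds_in_field(KEY, other_res, other_path))
    print("other resident bit length:", other_res.bit_length())
    print("honest witness, bounded  :", holds_with_range_check(KEY, res, path))
    print("other path, bounded      :", holds_with_range_check(KEY, other_res, other_path))
```

In a circuit, the bound on `resident` is itself a range check, so it costs the same kind of constraint already used for the path part.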