Auto merge of #1094 - ThisIsNotOfficialCodeItsJustForks:t488-document-side-channel-attacks, r=ebfull

Add security warnings doc with warning about side channels.

Closes #5. Closes #785. Closes #488. Closes #784.

Let's only merge this once we're sure the warning is at least as strong as it needs to be (and thus sufficient to close those tickets).
zkbot 2016-07-19 17:39:27 +00:00
commit 431604c7d9
2 changed files with 46 additions and 0 deletions


@ -19,8 +19,15 @@ proving scheme which preserves confidentiality of transaction metadata.
Participation in the Zcash project is subject to a [Code of Conduct](code_of_conduct.md).
Security Warnings
-----------------
See important security warnings in
[doc/security-warnings.md](doc/security-warnings.md).
License
-------
Zcash Core is released under the terms of the MIT license. See [COPYING](COPYING) for more
information or see http://opensource.org/licenses/MIT.
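Review bot: The new README section only links out to the document; a user who never opens doc/ gets no hint of the severity. Suggest a one-line summary under the heading before the link, for example "This implementation is not resistant to side-channel attacks; see important security warnings in [doc/security-warnings.md](doc/security-warnings.md).", so the strongest warning is visible on the landing page itself, and the doc link still carries the detail.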

doc/security-warnings.md Normal file

@ -0,0 +1,39 @@
Security Warnings
====================
Security Audit
--------------
Zcash has not yet been subjected to a formal third-party security review. This
section will be updated with links to security audit reports in the future.
x86-64 Linux Only
-----------------------
There are [known bugs](https://github.com/scipr-lab/libsnark/issues/26) which
make proving keys generated on 64-bit systems unusable on 32-bit and big-endian
systems. It's unclear if a warning will be issued in this case, or if the
proving system will be silently compromised.
Side-Channel Attacks
--------------------
This implementation of Zcash is not resistant to side-channel attacks. You
should assume (even unprivileged) users who are running on the hardware, or who
are physically near the hardware, that your `zcashd` process is running on will
be able to:
- Determine the values of your secret spending keys, as well as which notes you
are spending, by observing cache side-channels as you perform a JoinSplit
operation. This is due to probable side-channel leakage in the libsnark
proving machinery.
- Determine which notes you own by observing cache side-channel information
leakage from the incremental witnesses as they are updated with new notes.
- Determine which notes you own by observing the trial decryption process of
each note ciphertext on the blockchain.
You should ensure no other users have the ability to execute code (even
unprivileged) on the hardware your `zcashd` process runs on until these
vulnerabilities are fully analyzed and fixed.
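Review bot: The mitigation in the closing paragraph is narrower than the threat model stated above it: the bullets say to assume attackers who are "physically near the hardware" can recover spending keys, but the only advice given is to prevent other users from executing code on the machine, which does nothing against a physically proximate observer. Either extend the final paragraph to cover that case (e.g. physical access control for the host), or drop "or who are physically near the hardware" from the threat model so the warning and the mitigation match. Two smaller points in the same hunk: the "x86-64 Linux Only" heading claims a Linux restriction, but the body only describes 32-bit and big-endian failures of proving keys, so either justify the Linux part or rename the heading to something like "x86-64 Only"; and the sentence "You should assume (even unprivileged) users who are running on the hardware, or who are physically near the hardware, that your `zcashd` process is running on will be able to:" has its "that your `zcashd` process is running on" clause displaced; reordering to "You should assume that (even unprivileged) users running on, or physically near, the hardware your `zcashd` process runs on will be able to:" reads cleanly.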