mirror of https://github.com/zcash/zips.git
Remaining fixes and clarifications for BCTV14 vulnerability.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood
parent
e17905a0a3
commit
0988966fdc
|
|
@ -7503,26 +7503,38 @@ It is computed as described in \cite[Appendix B]{BCTV2014a}, using the pairing p
|
|||
specified in \crossref{bnpairing}.
|
||||
|
||||
\pnote{
|
||||
Many details of the \provingSystem are beyond the scope of this protocol
|
||||
document. For example, the \quadraticConstraintProgram verifying the \joinSplitStatement,
|
||||
or its translation to a \quadraticArithmeticProgram \cite[section 2.3]{BCTV2014a}
|
||||
\cite{WCBTV2015}, are not specified in this document.
|
||||
Many details of the \provingSystem are beyond the scope of this protocol document.
|
||||
For example, the \quadraticConstraintProgram verifying the \joinSplitStatement, or
|
||||
its translation to a \quadraticArithmeticProgram \cite[section 2.3]{BCTV2014a},
|
||||
are not specified in this document. In 2015, Bryan Parno found a bug in this
|
||||
translation, which is corrected by the \libsnark implementation\footnote{Confusingly,
|
||||
the bug found by Bryan Parno was fixed in \libsnark in 2015, but that fix was
|
||||
incompletely described in the May 2015 update \cite[Theorem 2.4]{BCTV2014a-old}.
|
||||
It is described completely in \cite[Theorem 2.4]{BCTV2014a} and in
|
||||
\cite{Gabizon2019}.} \cite{WCBTV2015} \cite{Parno2015} \cite[Remark 2.5]{BCTV2014a}.
|
||||
In practice it will be necessary to use the specific proving and verification keys
|
||||
given in \crossref{sproutparameters} that were generated for the \Zcash production \blockchain,
|
||||
together with a \provingSystem implementation that is interoperable with the \Zcash fork of
|
||||
\libsnark, to ensure compatibility.
|
||||
that were generated for the \Zcash production \blockchain, given in
|
||||
\crossref{bctvparameters}, together with a \provingSystem implementation that is
|
||||
interoperable with the \Zcash fork of \libsnark, to ensure compatibility.
|
||||
}
|
||||
|
||||
\vuln{
|
||||
$\BCTV$ is subject to a security vulnerability that could allow violation of Knowledge Soundness
|
||||
(and Soundness) \cite{CVE-2019-7167} \cite{SWB2019}. The consequence for \Zcash is that
|
||||
balance violation could have occurred before activation of the \Sapling network upgrade,
|
||||
although there is no evidence of this having happened. The vulnerability is believed
|
||||
to have been fully mitigated by activation of \Sapling. The use of $\BCTV$ in \Zcash is
|
||||
now limited to verifying proofs that were made prior to the \Sapling network upgrade.
|
||||
$\BCTV$ is subject to a security vulnerability, separate from \cite{Parno2015},
|
||||
that could allow violation of Knowledge Soundness (and Soundness) \cite{CVE-2019-7167}
|
||||
\cite{SWB2019} \cite{Gabizon2019}. The consequence for \Zcash is that balance violation
|
||||
could have occurred before activation of the \Sapling network upgrade, although there
|
||||
is no evidence of this having happened. Use of the vulnerability to produce false proofs
|
||||
is believed to have been fully mitigated by activation of \Sapling. The use of $\BCTV$
|
||||
in \Zcash is now limited to verifying proofs that were made prior to the \Sapling
|
||||
network upgrade.
|
||||
|
||||
Due to this issue, new forks of \Zcash{} \MUSTNOT use $\BCTV$, and any other users of
|
||||
the \Zcash protocol \SHOULD discontinue use of $\BCTV$ as soon as possible.
|
||||
|
||||
The vulnerability does not affect the Zero Knowledge property of the scheme (as
|
||||
described in any version of \cite{BCTV2014a} or as implemented in any version of
|
||||
\libsnark that has been used in \Zcash), even under subversion of the parameter
|
||||
generation \cite[Theorem 4.10]{BGG2016}.
|
||||
}
|
||||
|
||||
\introlist
|
||||
|
|
@ -8124,7 +8136,9 @@ For the \Zcash production \blockchain and testnet, the $\SHAFull$ hashes of the
|
|||
|
||||
These parameters were obtained by a multi-party computation described in
|
||||
\cite{BGG-mpc} and \cite{BGG2016}. \sapling{They are used only before \Sapling
|
||||
activation.}
|
||||
activation.} Due to the security vulnerability described in \crossref{bctv}, it is
|
||||
not recommended to use these parameters in new protocols, and it is recommended to
|
||||
stop using them in protocols other than \Zcash where they are currently used.
|
||||
|
||||
|
||||
\sapling{
|
||||
|
|
@ -9774,6 +9788,12 @@ of $\PRFaddr{}$ was found by Daira Hopwood.
|
|||
The errors in the proof of Ledger Indistinguishability mentioned in
|
||||
\crossref{truncation} were also found by Daira Hopwood.
|
||||
|
||||
The 2015 Soundness vulnerability in $\BCTV$ \cite{Parno2015} was found by
|
||||
Bryan Parno. An additional condition needed to resist this attack was
|
||||
documented by Ariel Gabizon \cite[section 3]{Gabizon2019}.
|
||||
The 2019 Soundness vulnerability in $\BCTV$ \cite{Gabizon2019}
|
||||
was found by Ariel Gabizon.
|
||||
|
||||
\sapling{
|
||||
The design of \Sapling is primarily due to Matthew Green, Ian Miers,
|
||||
Daira Hopwood, Sean Bowe, and Jack Grigg. A potential attack linking
|
||||
|
|
@ -9803,11 +9823,15 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\section{Change History}
|
||||
|
||||
\subparagraph{2019.0-beta-35}
|
||||
2019-02-05
|
||||
2019-02-08
|
||||
|
||||
\begin{itemize}
|
||||
\item Cite \cite{Gabizon2019} and acknowledge Ariel Gabizon.
|
||||
\item Correct [SBB2019] to \cite{SWB2019}.
|
||||
\item The $\BCTV$ vulnerability affected Soundness as well as Knowledge Soundness.
|
||||
\item The \cite{Gabizon2019} vulnerability affected Soundness of $\BCTV$
|
||||
as well as Knowledge Soundness.
|
||||
\item Clarify the history of the \cite{Parno2015} vulnerability and acknowledge
|
||||
Bryan Parno.
|
||||
\item Specify the difficulty adjustment change that occurred on the test network
|
||||
at \blockHeight $299188$.
|
||||
\sapling{
|
||||
|
|
|
|||
|
|
@ -13,9 +13,39 @@ pages 459--474; IEEE, 2014.}
|
|||
author={Eli Ben-Sasson and Alessandro Chiesa and Eran Tromer and Madars Virza},
|
||||
title={Succinct {N}on-{I}nteractive {Z}ero {K}nowledge for a von {N}eumann {A}rchitecture},
|
||||
url={https://eprint.iacr.org/2013/879},
|
||||
urldate={2016-08-21},
|
||||
urldate={2019-02-08},
|
||||
howpublished={Cryptology ePrint Archive: Report 2013/879.
|
||||
Last revised May~19, 2015.}
|
||||
Last revised February~5, 2019.}
|
||||
}
|
||||
|
||||
@misc{BCTV2014a-old,
|
||||
presort={BCTV2014a-old},
|
||||
author={Eli Ben-Sasson and Alessandro Chiesa and Eran Tromer and Madars Virza},
|
||||
title={Succinct {N}on-{I}nteractive {Z}ero {K}nowledge for a von {N}eumann {A}rchitecture
|
||||
({M}ay~19, 2015 version)},
|
||||
url={https://eprint.iacr.org/2013/879/20150519:172604},
|
||||
urldate={2019-02-08},
|
||||
howpublished={Cryptology ePrint Archive: Report 2013/879. Version: 20150519:172604.}
|
||||
}
|
||||
|
||||
@misc{Gabizon2019,
|
||||
presort={Gabizon2019},
|
||||
author={Ariel Gabizon},
|
||||
title={On the security of the {BCTV} {P}inocchio zk-{SNARK} variant},
|
||||
date={2019-02-05},
|
||||
url={https://github.com/arielgabizon/bctv/blob/master/bctv.pdf},
|
||||
urldate={2019-02-07},
|
||||
howpublished={Draft.}
|
||||
}
|
||||
|
||||
@misc{Parno2015,
|
||||
presort={Parno2015},
|
||||
author={Bryan Parno},
|
||||
title={A {N}ote on the {U}nsoundness of vn{T}iny{RAM}'s {SNARK}},
|
||||
url={https://eprint.iacr.org/2015/437},
|
||||
urldate={2019-02-08},
|
||||
howpublished={Cryptology ePrint Archive: Report 2015/437.
|
||||
Received May~6, 2015.}
|
||||
}
|
||||
|
||||
@misc{PHGR2013,
|
||||
|
|
|
|||
Loading…
Reference in New Issue