Allow the Merkle path validity check in the Action circuit to pass if any output of

MerkleCRH^Orchard is 0, and add a note in \crossref{merklepath} arguing that this is safe. Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-06-30 14:36:43 +01:00 · 2021-06-30 14:36:43 +01:00 · 1ed8e47d56
parent 0b7aeae33e
commit 1ed8e47d56
1 changed files with 29 additions and 14 deletions
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@ -5927,22 +5927,31 @@ Given such a \merklePath, it is possible to verify that \merkleLeafNode
 $\MerkleNode{\MerkleDepth{}}{i}$ is in a tree with a given \merkleRoot $\rt{} = \MerkleNode{0}{0}$.

 \sapling{
-\pnote{
-For \Sapling, Merkle \merkleHashes are specified to be encoded as bit sequences, but the
-\merkleRoot $\rt{Sapling}$ is encoded for the \primaryInput of a \spendProof as an element
-of $\GF{\ParamJ{q}}$, as specified in \crossref{cctsaplingspend}. The \spendCircuit allows
-inputs to $\MerkleCRH{Sapling}$ at each \merkleNode to be \nonCanonicallyFieldElement encoded,
-as specified in \crossref{cctmerklepath}.
-} %pnote
-} %sapling
-
+\begin{pnotes}
+  \item For \Sapling, Merkle \merkleHashes are specified to be encoded as bit sequences, but the
+        \merkleRoot $\rt{Sapling}$ is encoded for the \primaryInput of a \spendProof as an element
+        of $\GF{\ParamJ{q}}$, as specified in \crossref{cctsaplingspend}. The \spendCircuit allows
+        inputs to $\MerkleCRH{Sapling}$ at each \merkleNode to be \nonCanonicallyFieldElement encoded,
+        as specified in \crossref{cctmerklepath}.
 \nufive{
-\pnote{
-For \Orchard, Merkle \merkleHashes have type $\MerkleHashOrchard$ as defined in
-\crossref{concreteextractorpallas}. Similarly to \Sapling, the \actionCircuit allows inputs
-to $\MerkleCRH{Orchard}$ at each \merkleNode to be \nonCanonicallyFieldElement encoded.
-} %pnote
+  \item For \Orchard, Merkle \merkleHashes have type $\MerkleHashOrchard$ as defined in
+        \crossref{concreteextractorpallas}. Similarly to \Sapling, the \actionCircuit allows
+        inputs to $\MerkleCRH{Orchard}$ at each \merkleNode to be \nonCanonicallyFieldElement
+        encoded.
+  \item The \actionCircuit is permitted to be implemented in such a way that the \merklePath
+        validity check can pass if any \merkleHash on the path, including the \merkleRoot, is
+        $0$. This can only happen if $\SinsemillaHash$ returned $\bot$ for that hash, because
+        $0$ is not the $x$-coordinate of any point on the \pallasCurve (as shown in a note at
+        \crossref{concreteextractorpallas}), and $\SinsemillaHashToPoint$ cannot return
+        $\ZeroP$. Allowing the validity check to pass in that case models the fact that
+        incomplete addition is used to implement Sinsemilla in the circuit. As proven in
+        \theoremref{thmsinsemillaex}, a $\bot$ output from $\SinsemillaHash$ yields a
+        nontrivial discrete logarithm relation. Since we assume finding such a relation to be
+        infeasible, we can argue that it is safe to allow an adversary to create a proof that
+        passes the Merkle validity check in such a case.
 } %nufive
+\end{pnotes}
+} %sapling


 \lsubsection{SIGHASH Transaction Hashing}{sighash}
@ -7074,6 +7083,9 @@ For details of the form and encoding of \actionStatement proofs, see \crossref{h
  \item In the Merkle path validity check, each \merkleLayer does \emph{not} check that its
        input bit sequence is a canonical encoding (in $\range{0}{\ParamP{q}-1}$) of the integer
        from the previous \merkleLayer.
+  \item As specified in \crossref{merklepath}, the validity check is permitted to be implemented in
+        such a way that it can pass if any $\MerkleCRH{Orchard}$ hash on the \merklePath outputs $0$.
+        This allows nondeterministic, incomplete addition to be used in the circuit for $\SinsemillaHash$.
  \item It is \emph{not} checked that $\ValueCommitRand{} < \ParamP{r}$ or that $\NoteCommitRandOld{} < \ParamP{r}$
        or that $\NoteCommitRandNew{} < \ParamP{r}$.
  \item $\SpendAuthSigRandomizePublic{Orchard}(\AuthSignRandomizer, \AuthSignPublicPoint) =
@ -14435,6 +14447,9 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
          disruptive to change them at this point in the Network Upgrade Process, and
          because it is necessary to track $\bot$ outputs in order to correctly model
          non-determinism in the \actionCircuit.)
+    \item Allow the Merkle path validity check in the \actionCircuit to pass if any
+          output of $\MerkleCRH{Orchard}$ is $0$, and add a note in \crossref{merklepath}
+          arguing that this is safe.
 } % nufive
    \item No changes before \NUFive.
 \end{itemize}