From 4ef578706b2ce52dd29b681eeb36921729a67dcf Mon Sep 17 00:00:00 2001
From: Daira Hopwood
Date: Wed, 19 Jan 2022 17:58:40 +0000
Subject: [PATCH] In \crossref{internalh}, add a security argument for why the SHA-256-based commitment scheme NoteCommit^Sprout is binding and hiding, under reasonable assumptions about SHA256Compress.

Signed-off-by: Daira Hopwood
---
 protocol/protocol.tex | 26 ++++++++++++++++++++++++++
 protocol/zcash.bib | 20 ++++++++++++++++++++
 2 files changed, 46 insertions(+)

diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index dc82cfbf..437db263 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -237,6 +237,7 @@
 \def\tempstring{#1}%
 \xStrSubstitute{\tempstring}{MAEA2010}{MÁEÁ2010}[\tempstring]%
 \xStrSubstitute{\tempstring}{Hisil2010}{Hı\cedilla{s}ıl2010}[\tempstring]%
+ \xStrSubstitute{\tempstring}{Damgard1989}{Damgård1989}[\tempstring]%
 \tempstring
 \restoreexpandmode
 }
@@ -1543,6 +1544,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\NoteCommitGenTrapdoor}[1]{\NoteCommitAlg{#1}\mathsf{.GenTrapdoor}}
 \newcommand{\NoteCommitInput}[1]{\NoteCommitAlg{#1}\mathsf{.Input}}
 \newcommand{\NoteCommitOutput}[1]{\NoteCommitAlg{#1}\mathsf{.Output}}
+\newcommand{\CommitPrimeAlg}{\mathsf{COMM}'}
+\newcommand{\CommitPrime}[1]{\CommitPrimeAlg_{#1}}
 \newcommand{\ValueCommitAlg}[1]{\mathsf{ValueCommit}^\mathsf{#1\kern-0.1em}}
 \newcommand{\ValueCommit}[2]{\ValueCommitAlg{#1}_{#2}}
 \newcommand{\ValueCommitTrapdoor}[1]{\ValueCommitAlg{#1}\mathsf{.Trapdoor}}
@@ -14096,6 +14099,26 @@ A side benefit is that this reduces the cost of computing the evaluations needed
 to compute each \noteCommitment from three to two, saving a total of four
 \shaCompress evaluations in the \joinSplitStatement.
 
+\sproutspecificpnote{
+The full \shaHash algorithm is used for $\NoteCommitAlg{Sprout}$, with randomness
+appended after the commitment input. The commitment input can be split into two
+blocks, call them $x$ of length $64$ bytes, and $y$ of the remaining length ($9$ bytes).
+Let $\CommitPrime{r}(z \typecolon \byteseq{41})$ be the \commitmentScheme that applies
+$\SHACompress$ with the first $32$ bytes of $z$ in the IV, and the rest of $z$
+($9$ bytes), the randomness $r$ ($32$ bytes), and padding up to $64$ bytes in the
+$\SHACompress$ input block. Then we have
+$\NoteCommit{Sprout}{r}(x \bconcat y) = \CommitPrime{r}(\SHACompress(x) \bconcat y)$.
+Suppose we make the reasonable assumption that $\CommitPrimeAlg$ is a computationally
+\binding and \hiding \commitmentScheme. If $\SHACompress$ is \collisionResistant with
+the standard IV\footnote{If $\SHACompress$ is not \collisionResistant with the
+standard IV, then \shaHash is not \collisionResistant for a $2$-block input.}, then
+$\NoteCommitAlg{Sprout}$ is as secure for \binding as $\CommitPrimeAlg$. Also
+$\NoteCommitAlg{Sprout}$ is as secure for \hiding as $\CommitPrimeAlg$ (without
+any assumption on $\SHACompress$). This effectively rules out potential concerns
+about the Merkle--Damgård structure \cite{Damgard1989} of \shaHash causing any
+security problem for $\NoteCommitAlg{Sprout}$.
+} %sproutspecificpnote
+
 \sproutspecificpnote{
 \Sprout \noteCommitments are not statistically \hiding, so for \Sprout notes,
 \Zcash does not support the ``everlasting anonymity'' property described in
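Review bot: In the lines defining $\CommitPrime{r}$, $\SHACompress$ is applied with the first 32 bytes of $z$ as the chaining value, while the identity $\NoteCommit{Sprout}{r}(x \bconcat y) = \CommitPrime{r}(\SHACompress(x) \bconcat y)$ and the footnote use $\SHACompress(x)$ as a one-argument function under the standard IV, so one symbol names two different functions inside a single argument. I would give the chaining value an explicit argument in the definition of $\CommitPrimeAlg$ and say that the one-argument form denotes the standard-IV case, because the \binding reduction turns on exactly that distinction. The \binding claim would also be easier to check with its case analysis written out, e.g. `a \binding break for $\NoteCommitAlg{Sprout}$ yields $(x, y, r) \neq (x', y', r')$ with equal outputs; either the inputs to $\CommitPrimeAlg$ differ, breaking its \binding property, or they coincide and $\SHACompress(x) = \SHACompress(x')$ with $x \neq x'$ is a collision under the standard IV`. Stated that way, the "reasonable assumption" that $\CommitPrimeAlg$ is \binding appears to be a restricted form of \collisionResistance of $\SHACompress$ with the chaining value treated as part of its input, which is the hypothesis of the cited \cite{Damgard1989} construction, and saying so would justify the word \emph{reasonable}.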
@@ -14524,6 +14547,9 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \begin{itemize} \item In \crossref{joinsplit}, clarify that balance for \joinSplitTransfers is enforced by the \joinSplitStatement, and that there is no consensus rule to check it directly. + \item In \crossref{internalh}, add a security argument for why the \shaHash-based + \commitmentScheme $\NoteCommitAlg{Sprout}$ is \binding and \hiding, under reasonable + assumptions about $\SHACompress$. \end{itemize} diff --git a/protocol/zcash.bib b/protocol/zcash.bib index 954b300a..03734ca4 100644 --- a/protocol/zcash.bib +++ b/protocol/zcash.bib @@ -473,6 +473,26 @@ Received March~20, 2012.} urldate={2021-03-08} } +@inproceedings{Damgard1989, + presort={Damgard1989}, + shorthand={Damgård1989}, + author={Ivan Damgård}, + title={A Design Principle for Hash Functions}, + date={1990}, % publication year + booktitle={Advances in Cryptology - CRYPTO~'89. +Proceedings of the 9th Annual International Cryptology Conference +(Santa Barbara, California, USA, August~20--24, 1989)}, + volume={435}, + series={Lecture Notes in Computer Science}, + editor={Giles Brassard}, + pages={416--427}, + publisher={Springer}, + isbn={978-0-387-34805-6}, + doi={10.1007/0-387-34805-0_39}, + url={https://link.springer.com/chapter/10.1007/0-387-34805-0_39}, + urldate={2022-01-19} +} + @misc{NIST2016, presort={NIST2016}, author={NIST},
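Review bot: The new `Damgard1989` entry in zcash.bib has `editor={Giles Brassard},`; the editor of the CRYPTO '89 proceedings (LNCS volume 435) is Gilles Brassard, so the field should read `editor={Gilles Brassard},`. The booktitle also separates the series name and the conference with a bare hyphen in `Advances in Cryptology - CRYPTO~'89.`; the convention used by the other entries is not visible here, but an en-dash, `Advances in Cryptology -- CRYPTO~'89.`, is the usual typesetting for that separator.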