mirror of https://github.com/zcash/zips.git
NCC audit: Fix type confusion between integers and field elements (including additional cases
not found in the audit, involving nullifiers and cm_x). Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood
parent
7ccbf44c30
commit
5d15a3d91e
|
|
@ -5188,7 +5188,7 @@ where
|
|||
\item $\rt{Orchard} \typecolon \MerkleHash{Orchard}$ is an \anchor (\crossref{blockchain}) for the
|
||||
output \treestate of a previous \block;
|
||||
\vspace{-0.25ex}
|
||||
\item $\nf \typecolon \PRFOutputNfOrchard$ is the \nullifier for the input \note;
|
||||
\item $\nf \typecolon \range{0}{\ParamP{q}-1}$ is the \nullifier for the input \note;
|
||||
\vspace{-0.25ex}
|
||||
\item $\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic{Orchard}$ is a randomized \validatingKey
|
||||
that should be used to validate $\spendAuthSig$;
|
||||
|
|
@ -5196,7 +5196,7 @@ where
|
|||
\item $\spendAuthSig \typecolon \SpendAuthSigSignature{Orchard}$ is a \spendAuthSignature,
|
||||
validated as specified in \crossref{spendauthsig};
|
||||
\vspace{-0.25ex}
|
||||
\item $\cmX \typecolon \GroupPx$ is the result of applying $\ExtractP$ to the \noteCommitment for
|
||||
\item $\cmX \typecolon \range{0}{\ParamP{q}-1}$ is the result of applying $\ExtractP$ to the \noteCommitment for
|
||||
the output \note;
|
||||
\vspace{-0.25ex}
|
||||
\item $\EphemeralPublic \typecolon \KAPublic{Orchard}$ is
|
||||
|
|
@ -5246,7 +5246,13 @@ $\Proof{}$ is aggregated with other Action proofs and encoded in the $\proofsOrc
|
|||
\end{consensusrules}
|
||||
|
||||
\vspace{-1.5ex}
|
||||
\nnote{$\cv$, $\AuthSignRandomizedPublic$, and $\EphemeralPublic$ can be the zero point $\ZeroP$.}
|
||||
\begin{nnotes}
|
||||
\vspace{-0.25ex}
|
||||
\item $\cv$, $\AuthSignRandomizedPublic$, and $\EphemeralPublic$ can be the zero point $\ZeroP$.
|
||||
\vspace{-0.25ex}
|
||||
\item Despite the return type of $\ExtractP$ being $\GroupPx$, $\nf$ and $\cmX$ are \emph{not} checked
|
||||
to be in $\GroupPx$; they are only checked to encode integers in $\range{0}{\ParamP{q}-1}$.
|
||||
\end{nnotes}
|
||||
} %nufive
|
||||
|
||||
|
||||
|
|
@ -6724,9 +6730,9 @@ A valid instance of a \defining{\actionStatement}, $\Proof{}$, assures that give
|
|||
\begin{formulae}
|
||||
\item $\oparen\rt{Orchard} \typecolon \MerkleHash{Orchard},\\
|
||||
\hparen\cvNet{} \typecolon \ValueCommitOutput{Orchard},\\
|
||||
\hparen\nfOld{} \typecolon \PRFOutputNfOrchard,\\
|
||||
\hparen\nfOld{} \typecolon \range{0}{\ParamP{q}-1},\\
|
||||
\hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic{Orchard},\\
|
||||
\hparen\cmX \typecolon \GroupPx,\vspace{0.2ex}\\
|
||||
\hparen\cmX \typecolon \range{0}{\ParamP{q}-1},\vspace{0.2ex}\\
|
||||
\hparen\enableSpends \typecolon \bit,\vspace{0.4ex}\\
|
||||
\hparen\enableOutputs \typecolon \bit\cparen$,
|
||||
\end{formulae}
|
||||
|
|
@ -6793,7 +6799,7 @@ $\ExtractPbot\big(\NoteCommit{Orchard}{\NoteCommitRandNew{}}(\DiversifiedTransmi
|
|||
\vNew{},
|
||||
\NoteUniqueRandNew{},
|
||||
\NoteNullifierRandNew)\kern-0.1em\big) \in \setof{\cmX, \bot}$,
|
||||
where $\NoteUniqueRandNew{} = \nfOld{}$.
|
||||
where $\NoteUniqueRandNew{} = \nfOld{} \pmod{\ParamP{q}}$.
|
||||
|
||||
\vspace{-0.5ex}
|
||||
\snarkcondition{Enable spend flag}{actionenablespend}
|
||||
|
|
@ -6823,7 +6829,7 @@ For details of the form and encoding of \actionStatement proofs, see \crossref{h
|
|||
|
||||
($\AuthSignBase{Orchard}$ is as defined in \crossref{concretespendauthsig}.)
|
||||
\item The validity of $\DiversifiedTransmitBaseRepr$ and $\DiversifiedTransmitPublicRepr$ are
|
||||
\emph{not} checked in this circuit.
|
||||
\emph{not} checked in this circuit. Also, $\cmX$ is \emph{not} checked to be in $\GroupPx$.
|
||||
\end{pnotes}
|
||||
|
||||
\vspace{-1ex}
|
||||
|
|
@ -9150,7 +9156,7 @@ Let $\EdDSABase$ be the base point given in \cite{BDLSY2012}.
|
|||
Define $\ItoLEOSP{}$, $\LEOStoBSP{}$, and $\LEBStoIP{}$ as in \crossref{endian}.
|
||||
|
||||
Define $\reprBytesEdSpecific \typecolon \GroupEdSpecific \rightarrow \ReprEdSpecificBytes$ such
|
||||
that $\reprBytesEdSpecific\Of{x, y} = \ItoLEOSP{256}\big(y + 2^{255} \smult \tilde{x}\big)$, where
|
||||
that $\reprBytesEdSpecific\Of{(x, y)} = \ItoLEOSP{256}\big(\kern-0.1em(y \bmod p) + 2^{255} \smult \tilde{x}\big)$, where
|
||||
$\tilde{x} = x \bmod 2$.\footnotewithlabel{coordinatenames}{Here we use the $(x, y)$ naming of coordinates in
|
||||
\cite{BDLSY2012}, which is different from the $(u, \varv)$ naming used for coordinates of \ctEdwardsCurves
|
||||
in \crossref{jubjub} and in \crossref{ecbackground}.}
|
||||
|
|
@ -9804,7 +9810,7 @@ instantiated as follows using $\SinsemillaShortCommitAlg$:
|
|||
\SinsemillaShortCommit{\CommitIvkRand}\big(\ascii{z.cash:Orchard-CommitIvk},$
|
||||
\vspace{-1ex}
|
||||
\item \hspace{20.5em} $\ItoLEBSP{\BaseLength{Orchard}}(\AuthSignPublic) \bconcat
|
||||
\ItoLEBSP{\BaseLength{Orchard}}(\NullifierKey)\kern-0.1em\big) \pmod{\ParamP{r}}$
|
||||
\ItoLEBSP{\BaseLength{Orchard}}(\NullifierKey)\kern-0.1em\big)$
|
||||
\item $\CommitIvkGenTrapdoor()$ generates the uniform distribution on $\GF{\ParamP{r}}$.
|
||||
\end{formulae}
|
||||
|
||||
|
|
@ -10197,7 +10203,7 @@ as in \crossref{endian}, and similarly for
|
|||
$\LEBStoIP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \rightarrow \binaryrange{\ell}$.
|
||||
|
||||
Define $\reprJ \typecolon \GroupJ \rightarrow \ReprJ$ such
|
||||
that $\reprJ\Of{u, \varv} = \ItoLEBSP{256}\big(\varv + 2^{255} \smult \tilde{u}\big)$, where
|
||||
that $\reprJ\big((u, \varv)\big) = \ItoLEBSP{256}\big(\kern-0.1em(\varv \bmod \ParamJ{q}) + 2^{255} \smult \tilde{u}\big)$, where
|
||||
$\tilde{u} = u \bmod 2$.
|
||||
|
||||
\vspace{-1ex}
|
||||
|
|
@ -10442,7 +10448,7 @@ Define $\reprG{} \typecolon \GroupG{} \rightarrow \ReprG{}$ such that
|
|||
\vspace{-1ex}
|
||||
\begin{tabular}{@{\hskip 1.5em}r@{\;}l}
|
||||
$\reprG{}\big(\ZeroG{}\big)$ &$= \ItoLEBSP{256}(0)$ \\
|
||||
$\reprG{}\big((x, y)\big)$ &$= \ItoLEBSP{256}\big(x + 2^{255} \smult \tilde{y}\big)$, where $\tilde{y} = y \bmod 2$.
|
||||
$\reprG{}\big((x, y)\big)$ &$= \ItoLEBSP{256}\big(\kern-0.1em(x \bmod \ParamG{q}) + 2^{255} \smult \tilde{y}\big)$, where $\tilde{y} = y \bmod 2$.
|
||||
\end{tabular}
|
||||
|
||||
\vspace{1ex}
|
||||
|
|
@ -10476,8 +10482,12 @@ $\abstJ\Of{P\Repr}$ is computed as follows:
|
|||
\vspace{-1ex}
|
||||
Let $\GroupP$, $\ZeroP$, $\ParamP{q}$, and $\ParamP{b}$ be as defined in \crossref{pallasandvesta}.
|
||||
|
||||
Define $\GroupPstarx$ be the set of $x$-coordinates of points on the \pallasCurve,
|
||||
i.e.\ $\setof{x \typecolon \GF{\ParamP{q}} \suchthat x^3 + \ParamP{b}\text{ is square in }\GF{\ParamP{q}}}$.
|
||||
Define $\GroupPstarx$ as the set of $x$-coordinates (as integers) of points on the \pallasCurve, i.e.
|
||||
|
||||
\vspace{-1ex}
|
||||
\begin{formulae}
|
||||
\item $\GroupPstarx := \bigsetof{x \typecolon \range{0}{\ParamP{q}-1} \suchthat x^3 + \ParamP{b} \pmod{\ParamP{q}} \text{ is square in }\GF{\ParamP{q}}}$.
|
||||
\end{formulae}
|
||||
|
||||
\vspace{-0.5ex}
|
||||
Define $\GroupPx := \GroupPstarx \union \setof{0}$.
|
||||
|
|
@ -13941,6 +13951,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\item Restrict the definition of a \swEllipticCurve in \crossref{pallasandvesta} to
|
||||
base fields of characteristic greater than $3$.
|
||||
\item Define $\GroupG{}$ in \crossref{concretegrouphashpallasandvesta}.
|
||||
\item Fix type confusion between integers and field elements (including additional
|
||||
cases not found in the audit, involving \nullifiers and $\cmX$).
|
||||
\item Make the naming of $\enableSpends$ and $\enableOutputs$ consistent.
|
||||
\end{itemize}
|
||||
\item Correct the description of $\lengthField$ in \crossref{unifiedpaymentaddrencoding}.
|
||||
|
|
|
|||
Loading…
Reference in New Issue