From 5d15a3d91e47fba66e9dd9f681828864a7331132 Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Fri, 26 Mar 2021 14:48:45 +0000 Subject: [PATCH] NCC audit: Fix type confusion between integers and field elements (including additional cases not found in the audit, involving nullifiers and cm_x). Signed-off-by: Daira Hopwood --- protocol/protocol.tex | 38 +++++++++++++++++++++++++------------- 1 file changed, 25 insertions(+), 13 deletions(-) diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 76ede533..32f7284c 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -5188,7 +5188,7 @@ where \item $\rt{Orchard} \typecolon \MerkleHash{Orchard}$ is an \anchor (\crossref{blockchain}) for the output \treestate of a previous \block; \vspace{-0.25ex} - \item $\nf \typecolon \PRFOutputNfOrchard$ is the \nullifier for the input \note; + \item $\nf \typecolon \range{0}{\ParamP{q}-1}$ is the \nullifier for the input \note; \vspace{-0.25ex} \item $\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic{Orchard}$ is a randomized \validatingKey that should be used to validate $\spendAuthSig$; @@ -5196,7 +5196,7 @@ where \item $\spendAuthSig \typecolon \SpendAuthSigSignature{Orchard}$ is a \spendAuthSignature, validated as specified in \crossref{spendauthsig}; \vspace{-0.25ex} - \item $\cmX \typecolon \GroupPx$ is the result of applying $\ExtractP$ to the \noteCommitment for + \item $\cmX \typecolon \range{0}{\ParamP{q}-1}$ is the result of applying $\ExtractP$ to the \noteCommitment for the output \note; \vspace{-0.25ex} \item $\EphemeralPublic \typecolon \KAPublic{Orchard}$ is @@ -5246,7 +5246,13 @@ $\Proof{}$ is aggregated with other Action proofs and encoded in the $\proofsOrc \end{consensusrules} \vspace{-1.5ex} -\nnote{$\cv$, $\AuthSignRandomizedPublic$, and $\EphemeralPublic$ can be the zero point $\ZeroP$.} +\begin{nnotes} + \vspace{-0.25ex} + \item $\cv$, $\AuthSignRandomizedPublic$, and $\EphemeralPublic$ can be the zero point $\ZeroP$. + \vspace{-0.25ex} + \item Despite the return type of $\ExtractP$ being $\GroupPx$, $\nf$ and $\cmX$ are \emph{not} checked + to be in $\GroupPx$; they are only checked to encode integers in $\range{0}{\ParamP{q}-1}$. +\end{nnotes} } %nufive @@ -6724,9 +6730,9 @@ A valid instance of a \defining{\actionStatement}, $\Proof{}$, assures that give \begin{formulae} \item $\oparen\rt{Orchard} \typecolon \MerkleHash{Orchard},\\ \hparen\cvNet{} \typecolon \ValueCommitOutput{Orchard},\\ - \hparen\nfOld{} \typecolon \PRFOutputNfOrchard,\\ + \hparen\nfOld{} \typecolon \range{0}{\ParamP{q}-1},\\ \hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic{Orchard},\\ - \hparen\cmX \typecolon \GroupPx,\vspace{0.2ex}\\ + \hparen\cmX \typecolon \range{0}{\ParamP{q}-1},\vspace{0.2ex}\\ \hparen\enableSpends \typecolon \bit,\vspace{0.4ex}\\ \hparen\enableOutputs \typecolon \bit\cparen$, \end{formulae} @@ -6793,7 +6799,7 @@ $\ExtractPbot\big(\NoteCommit{Orchard}{\NoteCommitRandNew{}}(\DiversifiedTransmi \vNew{}, \NoteUniqueRandNew{}, \NoteNullifierRandNew)\kern-0.1em\big) \in \setof{\cmX, \bot}$, -where $\NoteUniqueRandNew{} = \nfOld{}$. +where $\NoteUniqueRandNew{} = \nfOld{} \pmod{\ParamP{q}}$. \vspace{-0.5ex} \snarkcondition{Enable spend flag}{actionenablespend} @@ -6823,7 +6829,7 @@ For details of the form and encoding of \actionStatement proofs, see \crossref{h ($\AuthSignBase{Orchard}$ is as defined in \crossref{concretespendauthsig}.) \item The validity of $\DiversifiedTransmitBaseRepr$ and $\DiversifiedTransmitPublicRepr$ are - \emph{not} checked in this circuit. + \emph{not} checked in this circuit. Also, $\cmX$ is \emph{not} checked to be in $\GroupPx$. \end{pnotes} \vspace{-1ex} @@ -9150,7 +9156,7 @@ Let $\EdDSABase$ be the base point given in \cite{BDLSY2012}. Define $\ItoLEOSP{}$, $\LEOStoBSP{}$, and $\LEBStoIP{}$ as in \crossref{endian}. Define $\reprBytesEdSpecific \typecolon \GroupEdSpecific \rightarrow \ReprEdSpecificBytes$ such -that $\reprBytesEdSpecific\Of{x, y} = \ItoLEOSP{256}\big(y + 2^{255} \smult \tilde{x}\big)$, where +that $\reprBytesEdSpecific\Of{(x, y)} = \ItoLEOSP{256}\big(\kern-0.1em(y \bmod p) + 2^{255} \smult \tilde{x}\big)$, where $\tilde{x} = x \bmod 2$.\footnotewithlabel{coordinatenames}{Here we use the $(x, y)$ naming of coordinates in \cite{BDLSY2012}, which is different from the $(u, \varv)$ naming used for coordinates of \ctEdwardsCurves in \crossref{jubjub} and in \crossref{ecbackground}.} @@ -9804,7 +9810,7 @@ instantiated as follows using $\SinsemillaShortCommitAlg$: \SinsemillaShortCommit{\CommitIvkRand}\big(\ascii{z.cash:Orchard-CommitIvk},$ \vspace{-1ex} \item \hspace{20.5em} $\ItoLEBSP{\BaseLength{Orchard}}(\AuthSignPublic) \bconcat - \ItoLEBSP{\BaseLength{Orchard}}(\NullifierKey)\kern-0.1em\big) \pmod{\ParamP{r}}$ + \ItoLEBSP{\BaseLength{Orchard}}(\NullifierKey)\kern-0.1em\big)$ \item $\CommitIvkGenTrapdoor()$ generates the uniform distribution on $\GF{\ParamP{r}}$. \end{formulae} @@ -10197,7 +10203,7 @@ as in \crossref{endian}, and similarly for $\LEBStoIP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \rightarrow \binaryrange{\ell}$. Define $\reprJ \typecolon \GroupJ \rightarrow \ReprJ$ such -that $\reprJ\Of{u, \varv} = \ItoLEBSP{256}\big(\varv + 2^{255} \smult \tilde{u}\big)$, where +that $\reprJ\big((u, \varv)\big) = \ItoLEBSP{256}\big(\kern-0.1em(\varv \bmod \ParamJ{q}) + 2^{255} \smult \tilde{u}\big)$, where $\tilde{u} = u \bmod 2$. \vspace{-1ex} @@ -10442,7 +10448,7 @@ Define $\reprG{} \typecolon \GroupG{} \rightarrow \ReprG{}$ such that \vspace{-1ex} \begin{tabular}{@{\hskip 1.5em}r@{\;}l} $\reprG{}\big(\ZeroG{}\big)$ &$= \ItoLEBSP{256}(0)$ \\ - $\reprG{}\big((x, y)\big)$ &$= \ItoLEBSP{256}\big(x + 2^{255} \smult \tilde{y}\big)$, where $\tilde{y} = y \bmod 2$. + $\reprG{}\big((x, y)\big)$ &$= \ItoLEBSP{256}\big(\kern-0.1em(x \bmod \ParamG{q}) + 2^{255} \smult \tilde{y}\big)$, where $\tilde{y} = y \bmod 2$. \end{tabular} \vspace{1ex} @@ -10476,8 +10482,12 @@ $\abstJ\Of{P\Repr}$ is computed as follows: \vspace{-1ex} Let $\GroupP$, $\ZeroP$, $\ParamP{q}$, and $\ParamP{b}$ be as defined in \crossref{pallasandvesta}. -Define $\GroupPstarx$ be the set of $x$-coordinates of points on the \pallasCurve, -i.e.\ $\setof{x \typecolon \GF{\ParamP{q}} \suchthat x^3 + \ParamP{b}\text{ is square in }\GF{\ParamP{q}}}$. +Define $\GroupPstarx$ as the set of $x$-coordinates (as integers) of points on the \pallasCurve, i.e. + +\vspace{-1ex} +\begin{formulae} + \item $\GroupPstarx := \bigsetof{x \typecolon \range{0}{\ParamP{q}-1} \suchthat x^3 + \ParamP{b} \pmod{\ParamP{q}} \text{ is square in }\GF{\ParamP{q}}}$. +\end{formulae} \vspace{-0.5ex} Define $\GroupPx := \GroupPstarx \union \setof{0}$. @@ -13941,6 +13951,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \item Restrict the definition of a \swEllipticCurve in \crossref{pallasandvesta} to base fields of characteristic greater than $3$. \item Define $\GroupG{}$ in \crossref{concretegrouphashpallasandvesta}. + \item Fix type confusion between integers and field elements (including additional + cases not found in the audit, involving \nullifiers and $\cmX$). \item Make the naming of $\enableSpends$ and $\enableOutputs$ consistent. \end{itemize} \item Correct the description of $\lengthField$ in \crossref{unifiedpaymentaddrencoding}.