mirror of https://github.com/zcash/zips.git
In the discussion of partitioning oracle attacks on note encryption in \crossref{inbandrationale}, we now use the fact that g_d has order greater than the maximum value of ivk, rather than assuming that g_d is a non-zero point in the prime-order subgroup. (In the case of Sapling, the circuits only enforce that g_d is not a small-order point, not that it is in the prime-order subgroup. It is true that honestly generated addresses have prime-order g_d which would have been sufficient for the security argument against this class of attacks, but the chosen fix is more direct.)

Signed-off-by: Daira Emma Hopwood <daira@jacaranda.org>
parent: f0ef9cf1f1
commit: 5f0bed973e
@ -14438,8 +14438,8 @@ For all shielded protocols, the checking of \noteCommitments makes
\defining{\partitioningOracleAttacks} \cite{LGR2021} against the \noteCiphertext
infeasible, at least in the absence of side-channel attacks. \sapling{The following
argument applies to \Sapling\nufive{ and \Orchard}, but can be adapted to \Sprout
by replacing $\InViewingKey$ with $\TransmitPrivate$, $\TransmitPublic$ with
$\DiversifiedTransmitPublic$, and using a fixed base. The decryption procedure
by replacing $\InViewingKey$ with $\TransmitPrivate$, $\DiversifiedTransmitPublic$
with $\TransmitPublic$, and using a fixed base. The decryption procedure
for \noteCiphertexts in \Sapling\nufive{ and \Orchard} is specified in
\crossref{decryptivk}; it ensures that a successful decryption cannot occur unless
the decrypted \notePlaintext encodes a \note consistent with the \noteCommitment
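Review bot: The reversed substitution is the right direction. The argument is written for \Sapling\nufive{ and \Orchard}, so adapting it to \Sprout means replacing the \Sapling-side symbol $\DiversifiedTransmitPublic$ with the \Sprout-side $\TransmitPublic$, which now matches the direction of the first substitution ($\InViewingKey$ with $\TransmitPrivate$); the old wording had the pair backwards. While here, "using a fixed base" could name the symbol it replaces, i.e. that the \Sprout base stands in for $\DiversifiedTransmitBase$, since the rest of the argument is stated in terms of properties of that base.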
@ -14450,10 +14450,9 @@ of the \actionDescription}). Suppose that it were feasible to find a pair of
\noteCommitmentScheme is \binding and that \noteCommitment opens to a \note
with $\DiversifiedTransmitPublic$ and $\DiversifiedTransmitBase$, we must have
$\DiversifiedTransmitPublic = \KAAgree{}(\InViewingKey_1, \DiversifiedTransmitBase) = \KAAgree{}(\InViewingKey_2, \DiversifiedTransmitBase)$.
But this is impossible given that $\DiversifiedTransmitBase$ is a non-$\Zero$
point in the prime-order subgroup of the elliptic curve used for $\KA{}$ (i.e.,
\Jubjub\nufive{ or \Pallas}), and that \incomingViewingKeys are checked to be
canonical in the scalar field corresponding to that prime order.
But this is impossible given that $\DiversifiedTransmitBase$ has order greater than
the maximum value of $\InViewingKey$ that can be an output of $\CRHivk{}$\nufive{ or
$\CommitIvkAlg$}.
There is also a decryption procedure that makes use of \outgoingCiphertexts in
\Sapling\nufive{ and \Orchard}, as specified in \crossref{decryptovk}. It checks
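Review bot: The replacement sentence asserts the bound ("has order greater than the maximum value of $\InViewingKey$ that can be an output of $\CRHivk{}$\nufive{ or $\CommitIvkAlg$}") without pointing to where either side of the inequality is established, whereas the removed text at least named the check it relied on (\incomingViewingKeys "checked to be canonical in the scalar field"). Suggest adding cross-references to the definitions of $\CRHivk{}$\nufive{ and $\CommitIvkAlg$} for the maximum output value, and to the consensus or circuit rule that excludes small-order $\DiversifiedTransmitBase$, so a reader can verify the order bound. The deduction itself also deserves one more step: from $\KAAgree{}(\InViewingKey_1, \DiversifiedTransmitBase) = \KAAgree{}(\InViewingKey_2, \DiversifiedTransmitBase)$ the order of $\DiversifiedTransmitBase$ must divide $\InViewingKey_1 - \InViewingKey_2$, and that difference is smaller in absolute value than the order only because both values are non-negative integers below it; stating this makes clear why "greater than the maximum value" is exactly the condition needed.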
@ -14654,6 +14653,16 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\begin{itemize}
\item Change Daira Emma Hopwood's name.
\sapling{
\item In the discussion of partitioning oracle attacks on \note encryption in \crossref{inbandrationale},
we now use the fact that $\DiversifiedTransmitBase$ has order greater than the maximum value of
$\InViewingKey$, rather than assuming that $\DiversifiedTransmitBase$ is a non-zero point
in the prime-order subgroup. (In the case of \Sapling, the circuits only enforce that
$\DiversifiedTransmitBase$ is not a small-order point, not that it is in the prime-order
subgroup. It is true that honestly generated addresses have prime-order $\DiversifiedTransmitBase$
which would have been sufficient for the security argument against this class of attacks,
but the chosen fix is more direct.)
} %sapling
\end{itemize}
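Review bot: The changelog entry drops the qualifier used in the rationale text: here it says "order greater than the maximum value of $\InViewingKey$", while the body text bounds it by the maximum value "that can be an output of $\CRHivk{}$\nufive{ or $\CommitIvkAlg$}". Suggest aligning the wording so the changelog does not read as a claim about arbitrary scalars. The parenthetical explaining that \Sapling circuits only enforce that $\DiversifiedTransmitBase$ is not small-order, and that honestly generated addresses have prime-order $\DiversifiedTransmitBase$, is the justification a reader of \crossref{inbandrationale} will want; consider placing it (or a pointer to it) in the rationale section itself rather than only in the change history, since the \sapling{...} wrapper is correctly scoped but changelog text is easy to miss.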