In the discussion of partitioning oracle attacks on note encryption in
\crossref{inbandrationale}, we now use the fact that g_d has order greater
than the maximum value of ivk, rather than assuming that g_d is a non-zero
point in the prime-order subgroup. (In the case of Sapling, the circuits
only enforce that g_d is not a small-order point, not that it is in the
prime-order subgroup. It is true that honestly generated addresses have
prime-order g_d which would have been sufficient for the security argument
against this class of attacks, but the chosen fix is more direct.)

Signed-off-by: Daira Emma Hopwood <daira@jacaranda.org>
Daira Emma Hopwood 2023-03-02 14:03:11 +00:00
parent f0ef9cf1f1
commit 5f0bed973e
1 changed file with 15 additions and 6 deletions
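The step the commit message relies on, worked out as an added note (this derivation is not part of the commit or of the specification's own text; $[k]P$ denotes scalar multiplication of a point $P$ by the integer $k$, $\mathrm{ord}(P)$ the order of $P$, and $M$ stands for the maximum value of $\InViewingKey$ that the key derivation can output):

\begin{align*}
&\text{Suppose } \InViewingKey_1 \neq \InViewingKey_2,\quad 0 \leq \InViewingKey_1, \InViewingKey_2 \leq M < \mathrm{ord}(\DiversifiedTransmitBase), \\
&\text{and } [\InViewingKey_1]\,\DiversifiedTransmitBase = [\InViewingKey_2]\,\DiversifiedTransmitBase. \\
&\text{Then } [\InViewingKey_1 - \InViewingKey_2]\,\DiversifiedTransmitBase = \Zero, \\
&\text{so } \mathrm{ord}(\DiversifiedTransmitBase) \mid (\InViewingKey_1 - \InViewingKey_2). \\
&\text{But } 0 < |\InViewingKey_1 - \InViewingKey_2| \leq M < \mathrm{ord}(\DiversifiedTransmitBase), \text{ a contradiction.}
\end{align*}

Nothing here requires $\DiversifiedTransmitBase$ to lie in the prime-order subgroup: in a group of order $h \cdot r$ with $r$ prime and a small cofactor $h$, every point whose order does not divide $h$ (that is, every point that is not of small order) has order that is a multiple of $r$, hence at least $r$. That is why excluding small-order points, together with the bound $M < r$, is enough for the argument, which is the observation the commit message makes about the \Sapling circuit.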


@ -14438,8 +14438,8 @@ For all shielded protocols, the checking of \noteCommitments makes
\defining{\partitioningOracleAttacks} \cite{LGR2021} against the \noteCiphertext
infeasible, at least in the absence of side-channel attacks. \sapling{The following
argument applies to \Sapling\nufive{ and \Orchard}, but can be adapted to \Sprout
by replacing $\InViewingKey$ with $\TransmitPrivate$, $\TransmitPublic$ with
$\DiversifiedTransmitPublic$, and using a fixed base. The decryption procedure
by replacing $\InViewingKey$ with $\TransmitPrivate$, $\DiversifiedTransmitPublic$
with $\TransmitPublic$, and using a fixed base. The decryption procedure
for \noteCiphertexts in \Sapling\nufive{ and \Orchard} is specified in
\crossref{decryptivk}; it ensures that a successful decryption cannot occur unless
the decrypted \notePlaintext encodes a \note consistent with the \noteCommitment
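Review bot: the substitution list in the rewritten sentence now puts the \Sapling/\Orchard symbol first and the \Sprout symbol second in both pairs ($\InViewingKey$ for $\TransmitPrivate$, $\DiversifiedTransmitPublic$ for $\TransmitPublic$), which the old text had backwards in the second pair; for the third clause, "and using a fixed base", consider the same parallel form, e.g. "and $\DiversifiedTransmitBase$ with the fixed base of \Sprout's key agreement", so that a reader adapting the argument sees all three replacements laid out the same way.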
@ -14450,10 +14450,9 @@ of the \actionDescription}). Suppose that it were feasible to find a pair of
\noteCommitmentScheme is \binding and that \noteCommitment opens to a \note
with $\DiversifiedTransmitPublic$ and $\DiversifiedTransmitBase$, we must have
$\DiversifiedTransmitPublic = \KAAgree{}(\InViewingKey_1, \DiversifiedTransmitBase) = \KAAgree{}(\InViewingKey_2, \DiversifiedTransmitBase)$.
But this is impossible given that $\DiversifiedTransmitBase$ is a non-$\Zero$
point in the prime-order subgroup of the elliptic curve used for $\KA{}$ (i.e.,
\Jubjub\nufive{ or \Pallas}), and that \incomingViewingKeys are checked to be
canonical in the scalar field corresponding to that prime order.
But this is impossible given that $\DiversifiedTransmitBase$ has order greater than
the maximum value of $\InViewingKey$ that can be an output of $\CRHivk{}$\nufive{ or
$\CommitIvkAlg$}.
There is also a decryption procedure that makes use of \outgoingCiphertexts in
\Sapling\nufive{ and \Orchard}, as specified in \crossref{decryptovk}. It checks
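Review bot: the new sentence ("impossible given that $\DiversifiedTransmitBase$ has order greater than the maximum value of $\InViewingKey$") leaves the decisive step implicit; suggest spelling it out, e.g. "since $\KAAgree{}(\InViewingKey_1, \DiversifiedTransmitBase) = \KAAgree{}(\InViewingKey_2, \DiversifiedTransmitBase)$ would require the order of $\DiversifiedTransmitBase$ to divide $\InViewingKey_1 - \InViewingKey_2$, a nonzero integer (the pair is distinct by the hypothesis of this paragraph) of smaller absolute value". Two facts the bound now rests on are also not pinned down in the visible text: the maximum output value of $\CRHivk{}$\nufive{ and of $\CommitIvkAlg$}, and the check that $\DiversifiedTransmitBase$ is not of small order, which the commit message says is what the \Sapling circuit actually enforces; a \crossref to each would let a reader verify "order greater than" rather than take it on trust. Dropping the curve names (\Jubjub\nufive{ or \Pallas}) from the deleted sentence is fine, since the order bound is what the argument uses.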
@ -14654,6 +14653,16 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\begin{itemize}
\item Change Daira Emma Hopwood's name.
\sapling{
\item In the discussion of partitioning oracle attacks on \note encryption in \crossref{inbandrationale},
we now use the fact that $\DiversifiedTransmitBase$ has order greater than the maximum value of
$\InViewingKey$, rather than assuming that $\DiversifiedTransmitBase$ is a non-zero point
in the prime-order subgroup. (In the case of \Sapling, the circuits only enforce that
$\DiversifiedTransmitBase$ is not a small-order point, not that it is in the prime-order
subgroup. It is true that honestly generated addresses have prime-order $\DiversifiedTransmitBase$
which would have been sufficient for the security argument against this class of attacks,
but the chosen fix is more direct.)
} %sapling
\end{itemize}
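Review bot: the changelog entry says "non-zero point" where the rationale text it describes, and the sentence deleted from it, use the spec's identity notation "non-$\Zero$ point"; suggest matching it. The parenthetical on what the \Sapling circuits enforce is the substantive justification for the change and would read better with a \crossref to the statement that $\DiversifiedTransmitBase$ is checked not to be of small order, so the changelog points at the same place as the rationale. Gating the entry with \sapling{...} only is consistent with the affected paragraph, which is itself \sapling{...}-gated.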