mirror of https://github.com/zcash/zips.git
Add a caveat about reuse of rivk between PRF^expand and Commit^ivk.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
3826d43930
commit
6c3099843d
|
@ -3787,6 +3787,9 @@ All of these \pseudoRandomFunctions are instantiated in \crossref{concreteprfs}.
|
||||||
i.e.\ finding $(x, y) \neq (x', y')$ such that $\PRFaddr{x}(y) = \PRFaddr{x'}(y')$ should
|
i.e.\ finding $(x, y) \neq (x', y')$ such that $\PRFaddr{x}(y) = \PRFaddr{x'}(y')$ should
|
||||||
not be feasible, and similarly for $\PRFrho{}$, $\PRFnf{Sprout}{}$\sapling{,\notnufive{ and}
|
not be feasible, and similarly for $\PRFrho{}$, $\PRFnf{Sprout}{}$\sapling{,\notnufive{ and}
|
||||||
$\PRFnf{Sapling}{}$}\nufive{, and $\PRFnf{Orchard}{}$}.
|
$\PRFnf{Sapling}{}$}\nufive{, and $\PRFnf{Orchard}{}$}.
|
||||||
|
\nufive{
|
||||||
|
\item See the note in \crossref{orchardkeycomponents} for a security caveat about the use of $\PRFexpand{}$.
|
||||||
|
} %nufive
|
||||||
\end{securityrequirements}
|
\end{securityrequirements}
|
||||||
|
|
||||||
\vspace{-2ex}
|
\vspace{-2ex}
|
||||||
|
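Review bot: the new requirement item at the end of this hunk says only "a security caveat about the use of $\PRFexpand{}$", which is broader than what the cross-referenced note covers; a reader scanning the \securityrequirements list cannot tell which of the many $\PRFexpand{}$ usages is affected. Suggest naming the specific case, e.g. "See the note in \crossref{orchardkeycomponents} for a security caveat about the reuse of $\CommitIvkRandom$ as both the randomizer for $\CommitIvk{}$ and a key for $\PRFexpand{}$." It would also help to state here, as the other items do, what is actually being required or assumed (the joint assumption the note mentions), rather than deferring the requirement entirely to a note in a later section.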
@ -4926,6 +4929,17 @@ The \diversifiedPaymentAddress with \diversifierIndex $0$ is called the \definin
|
||||||
\vspace{-0.5ex}
|
\vspace{-0.5ex}
|
||||||
\item Address generators \MAY encode information in the \diversifierIndex
|
\item Address generators \MAY encode information in the \diversifierIndex
|
||||||
that can be recovered by the recipient of a payment, given the \diversifierKey.
|
that can be recovered by the recipient of a payment, given the \diversifierKey.
|
||||||
|
\vspace{-0.5ex}
|
||||||
|
\item $\CommitIvkRandom$ is used both as a randomizer for $\CommitIvk{}$, and as a
|
||||||
|
key for $\PRFexpand{}$ to derive $\DiversifierKey$ and $\OutViewingKey$.
|
||||||
|
If $\DiversifierKey$ and $\OutViewingKey$ are known to an adversary, then
|
||||||
|
this reuse prevents proving that the use of $\CommitIvk{}$ in this context is
|
||||||
|
perfectly \hiding. It is also not sufficient to model $\PRFexpand{}$ only as a PRF.
|
||||||
|
In practice, we believe it would be extremely surprising if there were an
|
||||||
|
exploitable interaction between scalar multiplication used in $\CommitIvk{}$,
|
||||||
|
and $\BlakeTwobGeneric$ used to instantiate $\PRFexpand{}$. It is possible,
|
||||||
|
albeit somewhat inelegantly, to model this usage by a joint assumption on \Pallas
|
||||||
|
scalar multiplication and $\PRFexpand{}$.
|
||||||
\end{pnotes}
|
\end{pnotes}
|
||||||
|
|
||||||
\vspace{-2ex}
|
\vspace{-2ex}
|
||||||
|
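Review bot: the sentence "It is also not sufficient to model $\PRFexpand{}$ only as a PRF." states the conclusion without the reason, and the reason is the substance of the caveat. Suggest adding it: the PRF security experiment only lets the adversary see outputs of $\PRFexpand{}$ under $\CommitIvkRandom$, whereas here the adversary additionally sees a group element computed by \Pallas scalar multiplication with $\CommitIvkRandom$ (through $\CommitIvk{}$), and the PRF assumption says nothing about that combined view. Relatedly, the closing sentence says a joint assumption is possible "albeit somewhat inelegantly" but never states it; either write it out (what the adversary is given and what must remain indistinguishable) or say explicitly that the assumption is left informal in this version, so the reader knows whether the \hiding property of $\CommitIvk{}$ in this usage is claimed to be proven or only conjectured. Minor: "perfectly \hiding" should be qualified by what is being claimed instead, since the following sentences argue only for a computational property.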
@ -14194,6 +14208,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
||||||
\item Correct and clarify \theoremref{thmsinsemillacr} and \theoremref{thmsinsemillaex}.
|
\item Correct and clarify \theoremref{thmsinsemillacr} and \theoremref{thmsinsemillaex}.
|
||||||
\item Clarify that a \dummyNote should be created if no real \Orchard \note is being
|
\item Clarify that a \dummyNote should be created if no real \Orchard \note is being
|
||||||
spent in an \actionTransfer.
|
spent in an \actionTransfer.
|
||||||
|
\item Add a caveat in \crossref{orchardkeycomponents} about reuse of $\CommitIvkRandom$
|
||||||
|
between $\PRFexpand{}$ and $\CommitIvk{}$.
|
||||||
\item Section \crossref{concreteorchardkdf} should be in \nufivecolorname.
|
\item Section \crossref{concreteorchardkdf} should be in \nufivecolorname.
|
||||||
} %nufive
|
} %nufive
|
||||||
\item Correct the set of inputs to $\PRFexpand{}$ used for \cite{ZIP-32}\nufive{ and \Orchard}
|
\item Correct the set of inputs to $\PRFexpand{}$ used for \cite{ZIP-32}\nufive{ and \Orchard}
|
||||||
|
|
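Review bot: the changelog entry only records the caveat added in \crossref{orchardkeycomponents}, but the same commit also adds a cross-reference to it from the \pseudoRandomFunction \securityrequirements list (the earlier hunk at line 3787). Suggest widening the entry, e.g. "Add a caveat in \crossref{orchardkeycomponents} about reuse of $\CommitIvkRandom$ between $\PRFexpand{}$ and $\CommitIvk{}$, and a cross-reference to it from the \pseudoRandomFunction security requirements." Placement inside the \nufive{ } block is correct since both changes are \Orchard-specific.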