Add a caveat about reuse of rivk between PRF^expand and Commit^ivk.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2021-03-31 21:18:03 +01:00
parent 3826d43930
commit 6c3099843d
1 changed files with 16 additions and 0 deletions


@ -3787,6 +3787,9 @@ All of these \pseudoRandomFunctions are instantiated in \crossref{concreteprfs}.
i.e.\ finding $(x, y) \neq (x', y')$ such that $\PRFaddr{x}(y) = \PRFaddr{x'}(y')$ should i.e.\ finding $(x, y) \neq (x', y')$ such that $\PRFaddr{x}(y) = \PRFaddr{x'}(y')$ should
not be feasible, and similarly for $\PRFrho{}$, $\PRFnf{Sprout}{}$\sapling{,\notnufive{ and} not be feasible, and similarly for $\PRFrho{}$, $\PRFnf{Sprout}{}$\sapling{,\notnufive{ and}
$\PRFnf{Sapling}{}$}\nufive{, and $\PRFnf{Orchard}{}$}. $\PRFnf{Sapling}{}$}\nufive{, and $\PRFnf{Orchard}{}$}.
\nufive{
\item See the note in \crossref{orchardkeycomponents} for a security caveat about the use of $\PRFexpand{}$.
} %nufive
\end{securityrequirements} \end{securityrequirements}
\vspace{-2ex} \vspace{-2ex}
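Review bot: the new \item only says that a "security caveat" exists, so a reader of the security requirements for $\PRFexpand{}$ has to follow the cross-reference to learn whether it concerns the PRF itself. Suggest naming it inline, e.g. `\item See the note in \crossref{orchardkeycomponents} for a security caveat about using $\CommitIvkRandom$ both as the randomizer for $\CommitIvk{}$ and as a key for $\PRFexpand{}$.`, so that the point made in that note (modelling $\PRFexpand{}$ only as a PRF is not sufficient for this usage) is visible where the PRF requirements are listed.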
@ -4926,6 +4929,17 @@ The \diversifiedPaymentAddress with \diversifierIndex $0$ is called the \definin
\vspace{-0.5ex} \vspace{-0.5ex}
\item Address generators \MAY encode information in the \diversifierIndex \item Address generators \MAY encode information in the \diversifierIndex
that can be recovered by the recipient of a payment, given the \diversifierKey. that can be recovered by the recipient of a payment, given the \diversifierKey.
\vspace{-0.5ex}
\item $\CommitIvkRandom$ is used both as a randomizer for $\CommitIvk{}$, and as a
key for $\PRFexpand{}$ to derive $\DiversifierKey$ and $\OutViewingKey$.
If $\DiversifierKey$ and $\OutViewingKey$ are known to an adversary, then
this reuse prevents proving that the use of $\CommitIvk{}$ in this context is
perfectly \hiding. It is also not sufficient to model $\PRFexpand{}$ only as a PRF.
In practice, we believe it would be extremely surprising if there were an
exploitable interaction between scalar multiplication used in $\CommitIvk{}$,
and $\BlakeTwobGeneric$ used to instantiate $\PRFexpand{}$. It is possible,
albeit somewhat inelegantly, to model this usage by a joint assumption on \Pallas
scalar multiplication and $\PRFexpand{}$.
\end{pnotes} \end{pnotes}
\vspace{-2ex} \vspace{-2ex}
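Review bot: the new note says the reuse prevents proving that $\CommitIvk{}$ is perfectly \hiding here, but leaves the reason implicit; suggest adding the one-sentence argument that a PRF assumption on $\PRFexpand{}$ constrains only its outputs and says nothing about the key $\CommitIvkRandom$ staying independent of those outputs when the same value is also used as commitment randomness in $\CommitIvk{}$, which is exactly why "model $\PRFexpand{}$ only as a PRF" is insufficient and why the joint assumption on \Pallas scalar multiplication and $\PRFexpand{}$ in the last sentence is the hypothesis actually needed. Two smaller points: "It is also not sufficient to model $\PRFexpand{}$ only as a PRF" follows a sentence conditioned on the adversary knowing $\DiversifierKey$ and $\OutViewingKey$, and the "also" makes it read as a second consequence of that knowledge rather than a statement about the proof model (consider "Moreover, for a hiding proof it is not sufficient to model ..."); and the note does not say what would be exposed if hiding failed, i.e. information about the input to $\CommitIvk{}$, which is what a reader assessing the caveat wants to know.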
@ -14194,6 +14208,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\item Correct and clarify \theoremref{thmsinsemillacr} and \theoremref{thmsinsemillaex}. \item Correct and clarify \theoremref{thmsinsemillacr} and \theoremref{thmsinsemillaex}.
\item Clarify that a \dummyNote should be created if no real \Orchard \note is being \item Clarify that a \dummyNote should be created if no real \Orchard \note is being
spent in an \actionTransfer. spent in an \actionTransfer.
\item Add a caveat in \crossref{orchardkeycomponents} about reuse of $\CommitIvkRandom$
between $\PRFexpand{}$ and $\CommitIvk{}$.
\item Section \crossref{concreteorchardkdf} should be in \nufivecolorname. \item Section \crossref{concreteorchardkdf} should be in \nufivecolorname.
} %nufive } %nufive
\item Correct the set of inputs to $\PRFexpand{}$ used for \cite{ZIP-32}\nufive{ and \Orchard} \item Correct the set of inputs to $\PRFexpand{}$ used for \cite{ZIP-32}\nufive{ and \Orchard}
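Review bot: the changelog entry mentions only the caveat added in \crossref{orchardkeycomponents}, but this commit also adds a pointer to that caveat in the \pseudoRandomFunctions security requirements (the first hunk); suggest making the entry match the change, e.g. `\item Add a caveat in \crossref{orchardkeycomponents} about reuse of $\CommitIvkRandom$ between $\PRFexpand{}$ and $\CommitIvk{}$, and reference it from the security requirements for $\PRFexpand{}$.`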