mirror of https://github.com/zcash/zips.git
Add a caveat about reuse of rivk between PRF^expand and Commit^ivk.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent 3826d43930
commit 6c3099843d
@ -3787,6 +3787,9 @@ All of these \pseudoRandomFunctions are instantiated in \crossref{concreteprfs}.
i.e.\ finding $(x, y) \neq (x', y')$ such that $\PRFaddr{x}(y) = \PRFaddr{x'}(y')$ should
not be feasible, and similarly for $\PRFrho{}$, $\PRFnf{Sprout}{}$\sapling{,\notnufive{ and}
$\PRFnf{Sapling}{}$}\nufive{, and $\PRFnf{Orchard}{}$}.
\nufive{
\item See the note in \crossref{orchardkeycomponents} for a security caveat about the use of $\PRFexpand{}$.
} %nufive
\end{securityrequirements}
\vspace{-2ex}
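Review bot: the added item `\item See the note in \crossref{orchardkeycomponents} for a security caveat about the use of $\PRFexpand{}$.` describes the caveat only as being "about the use of $\PRFexpand{}$", which tells a reader of the security requirements nothing about which requirement is affected; the note it points to is specifically about $\CommitIvkRandom$ being reused as both the randomizer for $\CommitIvk{}$ and a key for $\PRFexpand{}$, and about a plain PRF assumption on $\PRFexpand{}$ not being sufficient for that usage. Suggest saying so here so the cross-reference is meaningful without following it, e.g. `\item See the note in \crossref{orchardkeycomponents} for a security caveat about the reuse of $\CommitIvkRandom$ as both the randomizer for $\CommitIvk{}$ and a key for $\PRFexpand{}$; modelling $\PRFexpand{}$ only as a PRF is not sufficient for that usage.` Wrapping the item in `\nufive{` ... `} %nufive` is right, since $\CommitIvkRandom$ and $\CommitIvk{}$ are Orchard key components.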
@ -4926,6 +4929,17 @@ The \diversifiedPaymentAddress with \diversifierIndex $0$ is called the \definin
\vspace{-0.5ex}
\item Address generators \MAY encode information in the \diversifierIndex
that can be recovered by the recipient of a payment, given the \diversifierKey.
\vspace{-0.5ex}
\item $\CommitIvkRandom$ is used both as a randomizer for $\CommitIvk{}$, and as a
key for $\PRFexpand{}$ to derive $\DiversifierKey$ and $\OutViewingKey$.
If $\DiversifierKey$ and $\OutViewingKey$ are known to an adversary, then
this reuse prevents proving that the use of $\CommitIvk{}$ in this context is
perfectly \hiding. It is also not sufficient to model $\PRFexpand{}$ only as a PRF.
In practice, we believe it would be extremely surprising if there were an
exploitable interaction between scalar multiplication used in $\CommitIvk{}$,
and $\BlakeTwobGeneric$ used to instantiate $\PRFexpand{}$. It is possible,
albeit somewhat inelegantly, to model this usage by a joint assumption on \Pallas
scalar multiplication and $\PRFexpand{}$.
\end{pnotes}
\vspace{-2ex}
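Review bot: the sentence `If $\DiversifierKey$ and $\OutViewingKey$ are known to an adversary, then` / `this reuse prevents proving that the use of $\CommitIvk{}$ in this context is` / `perfectly \hiding.` understates the point. $\DiversifierKey$ and $\OutViewingKey$ are outputs of $\PRFexpand{}$ keyed by $\CommitIvkRandom$, so an adversary who knows them and the other $\PRFexpand{}$ inputs can, with unbounded computation, recover the commitment randomizer by exhaustive search over $\CommitIvkRandom$; in that case perfect hiding does not hold at all, rather than merely being unprovable, and what remains is computational hiding under the joint assumption the note goes on to describe. Suggest stating that directly, and also saying what $\CommitIvk{}$ is meant to hide "in this context", since the current wording leaves the reader to infer it. The sentence `It is also not sufficient to model $\PRFexpand{}$ only as a PRF.` would likewise be clearer if it named what the PRF assumption is insufficient for (hiding of $\CommitIvk{}$ when its randomizer is also the PRF key), since a PRF assumption says nothing about a key that is additionally used outside the PRF.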
@ -14194,6 +14208,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\item Correct and clarify \theoremref{thmsinsemillacr} and \theoremref{thmsinsemillaex}.
\item Clarify that a \dummyNote should be created if no real \Orchard \note is being
spent in an \actionTransfer.
\item Add a caveat in \crossref{orchardkeycomponents} about reuse of $\CommitIvkRandom$
between $\PRFexpand{}$ and $\CommitIvk{}$.
\item Section \crossref{concreteorchardkdf} should be in \nufivecolorname.
} %nufive
\item Correct the set of inputs to $\PRFexpand{}$ used for \cite{ZIP-32}\nufive{ and \Orchard}
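Review bot: the changelog entry `\item Add a caveat in \crossref{orchardkeycomponents} about reuse of $\CommitIvkRandom$` / `between $\PRFexpand{}$ and $\CommitIvk{}$.` records only the note itself, but the same commit also adds a cross-reference item to the security requirements for \pseudoRandomFunctions (the `\item See the note in \crossref{orchardkeycomponents} ...` line in the first hunk). Suggest extending the entry to cover both edits, e.g. "... and refer to it from the security requirements for \pseudoRandomFunctions", and aligning the wording of the two places: this entry correctly describes the caveat as being about reuse of $\CommitIvkRandom$, while the cross-reference item calls it a caveat "about the use of $\PRFexpand{}$".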