mirror of https://github.com/zcash/zips.git
Generalize the description of the InternalH attack to include finding collisions on (a_pk, rho).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
95fa51d785
commit
920186e24e
|
@ -3843,11 +3843,11 @@ commitment at a 128-bit security level. Specifically, the internal
|
|||
hash of $\AuthPublic$ and $\NoteAddressRand$ is truncated to 128 bits
|
||||
(motivated by providing statistical hiding security). This allows an
|
||||
attacker, with a work factor on the order of $2^{64}$, to find distinct
|
||||
values of $\NoteAddressRand$ with colliding outputs of the truncated
|
||||
hash, and therefore the same \noteCommitment. This would have allowed
|
||||
such an attacker to break the Balance property by double-spending
|
||||
\notes, potentially creating arbitrary amounts of currency for themself
|
||||
\cite{HW2016}.
|
||||
pairs $(\AuthPublic, \NoteAddressRand)$ and $(\AuthPublic', \NoteAddressRand')$
|
||||
with colliding outputs of the truncated hash, and therefore the same
|
||||
\noteCommitment. This would have allowed such an attacker to break the
|
||||
Balance property by double-spending \notes, potentially creating arbitrary
|
||||
amounts of currency for themself \cite{HW2016}.
|
||||
|
||||
\Zcash uses a simpler construction with a single $\FullHashName$ evaluation
|
||||
for the commitment. The motivation for the nested construction in \Zerocash
|
||||
|
@ -4121,6 +4121,9 @@ The errors in the proof of Ledger Indistinguishability mentioned in
|
|||
|
||||
\begin{itemize}
|
||||
\item Explain a variation on the Faerie Gold attack and why it is prevented.
|
||||
\item Generalize the description of the InternalH attack to include finding
|
||||
collisions on $(\AuthPublic, \NoteAddressRand)$ rather than just on
|
||||
$\NoteAddressRand$.
|
||||
\item Rename $\mathsf{enforce}_i$ to $\EnforceMerklePath{i}$.
|
||||
\end{itemize}
|
||||
|
||||
|
|
Loading…
Reference in New Issue