mirror of https://github.com/zcash/zips.git
Generalize the description of the InternalH attack to include finding collisions on (a_pk, rho).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
95fa51d785
commit
920186e24e
|
@ -3843,11 +3843,11 @@ commitment at a 128-bit security level. Specifically, the internal
|
||||||
hash of $\AuthPublic$ and $\NoteAddressRand$ is truncated to 128 bits
|
hash of $\AuthPublic$ and $\NoteAddressRand$ is truncated to 128 bits
|
||||||
(motivated by providing statistical hiding security). This allows an
|
(motivated by providing statistical hiding security). This allows an
|
||||||
attacker, with a work factor on the order of $2^{64}$, to find distinct
|
attacker, with a work factor on the order of $2^{64}$, to find distinct
|
||||||
values of $\NoteAddressRand$ with colliding outputs of the truncated
|
pairs $(\AuthPublic, \NoteAddressRand)$ and $(\AuthPublic', \NoteAddressRand')$
|
||||||
hash, and therefore the same \noteCommitment. This would have allowed
|
with colliding outputs of the truncated hash, and therefore the same
|
||||||
such an attacker to break the Balance property by double-spending
|
\noteCommitment. This would have allowed such an attacker to break the
|
||||||
\notes, potentially creating arbitrary amounts of currency for themself
|
Balance property by double-spending \notes, potentially creating arbitrary
|
||||||
\cite{HW2016}.
|
amounts of currency for themself \cite{HW2016}.
|
||||||
|
|
||||||
\Zcash uses a simpler construction with a single $\FullHashName$ evaluation
|
\Zcash uses a simpler construction with a single $\FullHashName$ evaluation
|
||||||
for the commitment. The motivation for the nested construction in \Zerocash
|
for the commitment. The motivation for the nested construction in \Zerocash
|
||||||
|
@ -4121,6 +4121,9 @@ The errors in the proof of Ledger Indistinguishability mentioned in
|
||||||
|
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Explain a variation on the Faerie Gold attack and why it is prevented.
|
\item Explain a variation on the Faerie Gold attack and why it is prevented.
|
||||||
|
\item Generalize the description of the InternalH attack to include finding
|
||||||
|
collisions on $(\AuthPublic, \NoteAddressRand)$ rather than just on
|
||||||
|
$\NoteAddressRand$.
|
||||||
\item Rename $\mathsf{enforce}_i$ to $\EnforceMerklePath{i}$.
|
\item Rename $\mathsf{enforce}_i$ to $\EnforceMerklePath{i}$.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue