mirror of https://github.com/zcash/zips.git
Explain a variation on the Faerie Gold attack and why it is prevented.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent
f6da7897d8
commit
95fa51d785
@ -1950,7 +1950,7 @@ for each $i \in \setofOld$, if $\vOld{i} \neq 0$ then $\EnforceMerklePath{i} = 1
$\changed{\vpubOld\; +} \vsum{i=1}{\NOld} \vOld{i} = \vpubNew + \vsum{i=1}{\NNew} \vNew{i} \in \range{0}{2^{64}-1}$.
\subparagraph{\Nullifier{} integrity}
\subparagraph{\Nullifier{} integrity} \label{nullifierintegrity}
for each $i \in \setofOld$:
$\nfOld{i} = \PRFnf{\AuthPrivateOld{i}}(\NoteAddressRandOld{i})$.
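Review bot: the new `\label{nullifierintegrity}` is attached to a `\subparagraph` heading, which under LaTeX's default `secnumdepth` is unnumbered, so a plain `\ref` on it would resolve to the number of the nearest enclosing numbered sectioning unit rather than to this subparagraph. Check that the `\crossref` macro (used for this label later in the patch) renders a usable target, for example a hyperlink to the heading itself, so that readers following "(\crossref{nullifierintegrity})" land on the subparagraph and not merely on the surrounding section.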
@ -3814,6 +3814,22 @@ that the derived $\NoteAddressRand$ values are unique, at least for
any two \joinSplitDescriptions that get into a valid \blockchain.
This is sufficient to prevent the Faerie Gold attack.
A variation on the attack attempts to cause the \nullifier of a sent
\note to be repeated, without repeating $\NoteAddressRand$.
However, since the \nullifier is computed as
$\PRFnf{\AuthPrivate}(\NoteAddressRand)$, this is only possible if
the adversary either finds a collision on $\PRFnf{}$, or knows the
\spendingKey $\AuthPrivate$. The former is assumed to be infeasible
(see \crossref{abstractprfs}), while the latter is not be a valid
attack because knowledge of $\AuthPrivate$ is intended to authorize
spending the \note.
Importantly, ``\nullifier integrity'' (\crossref{nullifierintegrity})
is enforced whether or not the $\EnforceMerklePath{i}$ flag is set
for an input \note. If this were not the case then an adversary could
perform the attack by creating a zero-valued \note with a repeated
\nullifier, since the \nullifier does not depend on the value.
\nsubsection{Internal hash collision attack and fix} \label{internalh}
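Review bot: typo in the new paragraph, "the latter is not be a valid attack" should read "the latter is not a valid attack". Separately, the case "finds a collision on $\PRFnf{}$" also has to cover an adversary who chooses both spending keys (two of their own \notes with distinct $\NoteAddressRand$ values but the same \nullifier), which relies on collision resistance of $\PRFnf{}$ as a function of both the key and the input, not only on pseudorandomness under a secret key; confirm that the target of \crossref{abstractprfs} states that property explicitly, since the argument as written depends on it.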
@ -4089,7 +4105,8 @@ Filippo Valsorda, Zaki Manian, and no doubt others.
\Zcash has benefited from security audits performed by NCC Group and
Coinspect.
The Faerie Gold attack was found by Zooko Wilcox.
The Faerie Gold attack was found by Zooko Wilcox; subsequent analysis
of variations on the attack was performed by Daira Hopwood and Sean Bowe.
The internal hash collision attack was found by Taylor Hornby.
The error in the \Zerocash proof of Balance relating to collision-resistance
of $\PRFaddr{}$ was found by Daira Hopwood.
@ -4103,6 +4120,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in
\subparagraph{2017.0-beta-2.4}
\begin{itemize}
\item Explain a variation on the Faerie Gold attack and why it is prevented.
\item Rename $\mathsf{enforce}_i$ to $\EnforceMerklePath{i}$.
\end{itemize}