Disclose BCTV14 vulnerability.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2019-02-05 16:45:09 +00:00
parent 9515d73aac
commit 9a7ebd326e
2 changed files with 82 additions and 38 deletions


@ -367,6 +367,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\changed}[1]{\texorpdfstring{{\setchanged{#1}}}{#1}}
\newcommand{\saplingcolor}{green}
\newcommand{\overwintercolor}{blue}
\newcommand{\vulncolor}{BrickRed}
\iftoggle{issapling}{
\newcommand{\sprout}[1]{}
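Review bot: `BrickRed` is a `dvipsnames` colour, so the new `\newcommand{\vulncolor}{BrickRed}` only resolves if `xcolor` is loaded with the `dvipsnames` option somewhere outside this hunk; otherwise the first `\color{\vulncolor}` raises an undefined-colour error. Either confirm that option in the preamble or define the colour explicitly with `\definecolor{vulncolor}{...}` next to the other colour macros, so the disclosure block does not depend on a package option set elsewhere.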
@ -553,12 +554,12 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\representedPairing}{\term{represented pairing}}
\newcommand{\RepresentedPairing}{\titleterm{Represented Pairing}}
\newcommand{\RepresentedGroupsAndPairings}{\titleterm{Represented Groups and Pairings}}
\newcommand{\PHGR}{\mathsf{PHGR13}}
\newcommand{\BCTV}{\mathsf{BCTV14}}
\newcommand{\Groth}{\mathsf{Groth16}}
\newcommand{\GrothText}{\texorpdfstring{$\Groth$}{Groth16}}
\newcommand{\EncodingOfPHGRProofs}{\titleterm{Encoding of PHGR13 Proofs}}
\newcommand{\EncodingOfBCTVProofs}{\titleterm{Encoding of BCTV14 Proofs}}
\newcommand{\EncodingOfGrothProofs}{\titleterm{Encoding of Groth16 Proofs}}
\newcommand{\PHGRProvingSystem}{\titleterm{PHGR13}}
\newcommand{\BCTVProvingSystem}{\titleterm{BCTV14}}
\newcommand{\GrothProvingSystem}{\titleterm{Groth16}}
\newcommand{\BNCurve}{\mathsf{BN\mhyphen{}254}}
\newcommand{\BLSCurve}{\mathsf{BLS12\mhyphen{}381}}
@ -1720,6 +1721,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\securityrequirement}[1]{\needspace{3ex}\subparagraph{Security requirement:}{#1}}
\newenvironment{securityrequirements}{\introlist\subparagraph{Security requirements:}\begin{itemize}}{\end{itemize}}
\newcommand{\vuln}[1]{\needspace{3ex}{\color{\vulncolor}\subparagraph{Vulnerability disclosure:}{#1}}}
\newcommand{\pnote}[1]{\subparagraph{Note:}{#1}}
\newenvironment{pnotes}{\introlist\subparagraph{Notes:}\begin{itemize}}{\end{itemize}}
\newcommand{\nnote}[1]{\subparagraph{Non-normative note:}{#1}}
@ -3587,7 +3589,7 @@ $\;\;\Prob{
}$
\end{securityrequirements}
These definitions are derived from those in \cite[Appendix C]{BCTV2014}, adapted to
These definitions are derived from those in \cite[Appendix C]{BCTV2014b}, adapted to
state concrete security for a fixed circuit, rather than asymptotic security for
arbitrary circuits. ($\ZKProve{}$ corresponds to $P$, $\ZKVerify{}$ corresponds to $V$,
and $\ZKSatisfying$ corresponds to $\mathcal{R}_C$ in the notation of that appendix.)
@ -3606,7 +3608,7 @@ into account.}
\vspace{2ex}
\sprout{
The \provingSystem is instantiated in \crossref{phgr}.
The \provingSystem is instantiated in \crossref{bctv}.
$\JoinSplit$ refers to this \provingSystem with the $\BNCurve$ pairing,
specialized to the \joinSplitStatement given in \crossref{joinsplitstatement}.
In this case we omit the key subscripts on $\JoinSplitProve$ and $\JoinSplitVerify$,
@ -3617,7 +3619,7 @@ taking them to be the particular \provingKey and \verifyingKey defined by the
\introlist
\Zcash uses two \provingSystems:
\begin{itemize}
\item $\PHGR$ (\crossref{phgr}) is used with the
\item $\BCTV$ (\crossref{bctv}) is used with the
$\BNCurve$ pairing (\crossref{bnpairing}),
to prove and verify the \Sprout \joinSplitStatement
(\crossref{joinsplitstatement}) before \Sapling activation.
@ -3631,12 +3633,12 @@ taking them to be the particular \provingKey and \verifyingKey defined by the
\end{itemize}
These specializations are: $\JoinSplit$ for the \Sprout
\joinSplitStatement (with $\PHGR$ and $\BNCurve$, or $\Groth$ and
\joinSplitStatement (with $\BCTV$ and $\BNCurve$, or $\Groth$ and
$\BLSCurve$); $\Spend$ for the \Sapling \spendStatement; and $\Output$
for the \Sapling \outputStatement.
We omit the key subscripts on $\JoinSplitProve$ and
$\JoinSplitVerify$, taking them to be either the $\PHGR$ \provingKey
$\JoinSplitVerify$, taking them to be either the $\BCTV$ \provingKey
and \verifyingKey defined in \crossref{sproutparameters}, or the
\texttt{sprout-groth16.params} $\Groth$ \provingKey and \verifyingKey
defined in \crossref{saplingparameters}, according to whether the proof
@ -3883,7 +3885,7 @@ where
\primaryInput $(\rt, \nfOld{\allOld}, \cmNew{\allNew},\changed{ \vpubOld,}
\vpubNew, \hSig, \h{\allOld})$ for the
\joinSplitStatement defined in \crossref{joinsplitstatement}\sapling{ (this is
a $\PHGR$ proof before \Sapling activation, and a $\Groth$ proof after \Sapling
a $\BCTV$ proof before \Sapling activation, and a $\Groth$ proof after \Sapling
activation)};
\item $\TransmitCiphertext{\allNew} \typecolon \typeexp{\Ciphertext}{\NNew}$ is
a sequence of ciphertext components for the encrypted output \notes.
@ -4322,8 +4324,8 @@ authorization differs between
but (for a given \transactionVersion) the same \sighashTxHash algorithm is used.
In the case of \Zcash, the
\sprout{$\PHGR$ proving system used is}%
\notsprout{$\PHGR$\sapling{ and $\Groth$} proving systems used are}%
\sprout{$\BCTV$ proving system used is}%
\notsprout{$\BCTV$\sapling{ and $\Groth$} proving systems used are}%
\emph{malleable}, meaning that there is the potential for an adversary who does
not know all of the \auxiliaryInputs to a proof, to malleate it in order to create a new proof
involving related \auxiliaryInputs \cite{DSDCOPS2001}. This can be understood as similar
@ -4628,7 +4630,7 @@ similar to the check in \crossref{sproutspendauthority} that is part of the \joi
The motivation for a separate signature is to allow devices that are limited in memory
and computational capacity, such as hardware wallets, to authorize a \Sapling shielded spend.
Typically such devices cannot create, and may not be able to verify, \zkSNARKProofs for
a \statement of the size needed using the $\PHGR$ or $\Groth$ proving systems.
a \statement of the size needed using the $\BCTV$ or $\Groth$ proving systems.
\vspace{1ex}
The verifying key of the signature must be revealed in the \spendDescription so that
@ -4824,7 +4826,7 @@ $\NoteAddressRandNew{i} = \PRFrho{\NoteAddressPreRand}(i, \hSig)$.}
for each $i \in \setofNew$: $\cmNew{i} = \NoteCommitmentSprout(\nNew{i})$.
\vspace{0.5ex}
For details of the form and encoding of proofs, see \crossref{phgr}.
For details of the form and encoding of proofs, see \crossref{bctv}.
\sapling{
@ -7481,14 +7483,14 @@ computation of a \defaultDiversifiedPaymentAddress in \crossref{saplingkeycompon
\subsubsection{\ZeroKnowledgeProvingSystems}
\subsubsubsection{\PHGRProvingSystem} \label{phgr}
\subsubsubsection{\BCTVProvingSystem} \label{bctv}
\sapling{Before \Sapling activation,}
\Zcash uses \zkSNARKs generated by a fork of \libsnark \cite{Zcash-libsnark}
with the $\PHGR$ \provingSystem described in \cite{BCTV2015}, which is a refinement of
with the $\BCTV$ \provingSystem described in \cite{BCTV2014a}, which is a modification of
the systems in \cite{PHGR2013} and \cite{BCGTV2013}.
A $\PHGR$ proof consists of
A $\BCTV$ proof consists of
$(\Proof{A} \typecolon \SubgroupGstar{1},\,
\Proof{A}' \typecolon \SubgroupGstar{1},\,
\Proof{B} \typecolon \SubgroupGstar{2},\,
@ -7497,13 +7499,13 @@ $(\Proof{A} \typecolon \SubgroupGstar{1},\,
\Proof{C}' \typecolon \SubgroupGstar{1},\,
\Proof{K} \typecolon \SubgroupGstar{1},\,
\Proof{H} \typecolon \SubgroupGstar{1})$.
It is computed as described in \cite[Appendix B]{BCTV2015}, using the pairing parameters
It is computed as described in \cite[Appendix B]{BCTV2014a}, using the pairing parameters
specified in \crossref{bnpairing}.
\pnote{
Many details of the \provingSystem are beyond the scope of this protocol
document. For example, the \quadraticConstraintProgram verifying the \joinSplitStatement,
or its translation to a \quadraticArithmeticProgram \cite[section 2.3]{BCTV2015}
or its translation to a \quadraticArithmeticProgram \cite[section 2.3]{BCTV2014a}
\cite{WCBTV2015}, are not specified in this document.
In practice it will be necessary to use the specific proving and verification keys
given in \crossref{sproutparameters} that were generated for the \Zcash production \blockchain,
@ -7511,11 +7513,23 @@ together with a \provingSystem implementation that is interoperable with the \Zc
\libsnark, to ensure compatibility.
}
\introlist
\subparagraph{\EncodingOfPHGRProofs} \vspace{1ex} \label{phgrencoding}
\vuln{
$\BCTV$ is subject to a security vulnerability that could allow violation of
Knowledge Soundness \cite{CVE-2019-7167} \cite{SBB2019}. The consequence for \Zcash is that
balance violation could have occurred before activation of the \Sapling network upgrade,
although there is no evidence of this having happened. The vulnerability is believed
to have been fully mitigated by activation of \Sapling. The use of $\BCTV$ in \Zcash is
now limited to verifying proofs that were made prior to the \Sapling network upgrade.
\newsavebox{\phgrbox}
\begin{lrbox}{\phgrbox}
Due to this issue, new forks of \Zcash{} \MUSTNOT use $\BCTV$, and any other users of
the \Zcash protocol \SHOULD discontinue use of $\BCTV$ as soon as possible.
}
\introlist
\subparagraph{\EncodingOfBCTVProofs} \vspace{1ex} \label{bctvencoding}
\newsavebox{\bctvbox}
\begin{lrbox}{\bctvbox}
\setchanged
\begin{bytefield}[bitwidth=0.021em]{2368}
\sbitbox{264}{264-bit $\Proof{A}$} &
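Review bot: the disclosure paragraph states that the issue is "believed to have been fully mitigated by activation of Sapling" and that BCTV14 is "now limited to verifying proofs that were made prior to the Sapling network upgrade", but it does not say why continued verification of those historical proofs is acceptable given a Knowledge Soundness weakness; one sentence making that reasoning explicit (e.g. that those proofs are already committed in the chain before activation) would help implementers of the `\MUSTNOT`/`\SHOULD` requirements. Minor style point in the same block: `\Zcash{}` with explicit braces differs from the bare `\Zcash` used in the surrounding lines of this hunk.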
@ -7529,18 +7543,18 @@ together with a \provingSystem implementation that is interoperable with the \Zc
\end{bytefield}
\end{lrbox}
A $\PHGR$ proof is encoded by concatenating the encodings of its elements;
A $\BCTV$ proof is encoded by concatenating the encodings of its elements;
for the $\BNCurve$ pairing this is:
\begin{formulae}[leftmargin=0.2em]
\item $\Justthebox{\phgrbox}$
\item $\Justthebox{\bctvbox}$
\end{formulae}
The resulting proof size is 296 bytes.
\vspace{0.8ex}
\introlist
In addition to the steps to verify a proof given in \cite[Appendix B]{BCTV2015}, the
In addition to the steps to verify a proof given in \cite[Appendix B]{BCTV2014a}, the
verifier \MUST check, for the encoding of each element, that:
\begin{itemize}
@ -8281,11 +8295,11 @@ in $\vJoinSplit$. \\ \hline
\sprout{
$\geq 2$ & \Longunderstack{$1802 \mult$ \\ $\nJoinSplit$} & $\vJoinSplit$ & \type{JoinSplitDescription}\!\! \type{[$\nJoinSplit$]} &
A \sequenceOfJoinSplitDescriptions{} using $\PHGR$ proofs, each encoded as in \crossref{joinsplitencoding}. \\ \hline
A \sequenceOfJoinSplitDescriptions{} using $\BCTV$ proofs, each encoded as in \crossref{joinsplitencoding}. \\ \hline
} %sprout
\notsprout{
$\barerange{2}{3}$ & \Longunderstack{$1802 \mult$ \\ $\nJoinSplit$} & $\vJoinSplit$ & \type{JSDescriptionPHGR13}\!\! \type{[$\nJoinSplit$]} &
A \sequenceOfJoinSplitDescriptions{} using $\PHGR$ proofs, each encoded as in \crossref{joinsplitencoding}. \\ \hline
$\barerange{2}{3}$ & \Longunderstack{$1802 \mult$ \\ $\nJoinSplit$} & $\vJoinSplit$ & \type{JSDescriptionBCTV14}\!\! \type{[$\nJoinSplit$]} &
A \sequenceOfJoinSplitDescriptions{} using $\BCTV$ proofs, each encoded as in \crossref{joinsplitencoding}. \\ \hline
$\geq 4$ & \Longunderstack{$1698 \mult$ \\ $\nJoinSplit$} & $\vJoinSplit$ & \type{JSDescriptionGroth16}\!\! \type{[$\nJoinSplit$]} &
A \sequenceOfJoinSplitDescriptions{} using $\Groth$ proofs, each encoded as in \crossref{joinsplitencoding}. \\ \hline
@ -8466,7 +8480,7 @@ $\h{\allOld}$ binding $\hSig$ to each $\AuthPrivate$ of the $\joinSplitDescripti
computed as described in \crossref{sproutnonmalleability}. \\ \hline
$296\notsprout{\;\dagger}$ & $\zkproof$ & \type{char[296]} & An encoding of the \zeroKnowledgeProof
$\ProofJoinSplit$ (see \crossref{phgr}). \\ \hline
$\ProofJoinSplit$ (see \crossref{bctv}). \\ \hline
\notsprout{
$192\;\ddagger$ & $\zkproof$ & \type{char[192]} & An encoding of the \zeroKnowledgeProof
@ -8480,7 +8494,7 @@ components for the encrypted output \notes, $\TransmitCiphertext{\allNew}$. \\ \
\end{center}
\notsprout{
$\dagger$ $\PHGR$ proofs are used when the \transaction version is $2$ or $3$, i.e.\ before
$\dagger$ $\BCTV$ proofs are used when the \transaction version is $2$ or $3$, i.e.\ before
\Sapling activation.
\sapling{$\ddagger$ $\Groth$ proofs are used when the \transaction version is $\geq 4$, i.e.\ after
@ -9706,7 +9720,7 @@ distinct openings of the \noteCommitment when Condition I or II is violated.
\Zcash \joinSplitStatement. $\cm$ can be computed from the other fields.
\sapling{(The definition of \notes for \Sapling is different again.)}
\item The length of proof encodings given in the paper is $288$
bytes. \sproutspecific{This differs from the $296$ bytes specified in \crossref{phgr},
bytes. \sproutspecific{This differs from the $296$ bytes specified in \crossref{bctv},
because both the $x$-coordinate and compressed $y$-coordinate of each
point need to be represented. Although it is possible to encode a proof
in $288$ bytes by making use of the fact that elements of $\GF{q}$ can
@ -9783,7 +9797,20 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\intropart
\section{Change History}
\subparagraph{2019.0-beta-34}
2019-02-05
\begin{itemize}
\item Disclose a security vulnerability in $\BCTV$ that affected \Sprout
before activation of the \Sapling network upgrade (see \crossref{bctv}).
\item Rename PHGR13 to BCTV2014.
\item Rename reference [BCTV2015] to \cite{BCTV2014a}, and [BCTV2014] to \cite{BCTV2014b}.
\end{itemize}
\introlist
\subparagraph{2018.0-beta-33}
2018-11-14
\begin{itemize}
\item No changes to \Sprout.
\sapling{
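Review bot: the change-history item "Rename PHGR13 to BCTV2014" does not match the name actually introduced by this commit, which is `BCTV14` (`\newcommand{\BCTV}{\mathsf{BCTV14}}`, the `\BCTVProvingSystem` title, and the `JSDescriptionBCTV14` type); it should read "Rename PHGR13 to BCTV14" so readers searching the history find the same identifier the spec uses. The following item correctly distinguishes the two reference keys `BCTV2014a` and `BCTV2014b`, which makes the "BCTV2014" wording in the previous item even easier to confuse with a citation.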
@ -10060,7 +10087,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\item Correct the encoding of a \fullViewingKey ($\OutViewingKey$ was missing).
\item Ensure that \Sprout functions and values are given \Sprout-specific types where appropriate.
\item Improve cross-referencing.
\item Clarify the use of $\PHGR$ vs $\Groth$ proofs in \joinSplitStatements.
\item Clarify the use of $\BCTV$ vs $\Groth$ proofs in \joinSplitStatements.
\item Clarify that the $\ssqrt{a}$ notation refers to the positive square root. (This matters for
the conversion in \crossref{cctconversion}.)
\item Model the group hash as a random oracle. This appears to be unavoidable in order to allow
@ -10821,8 +10848,8 @@ described in \crossref{joinsplitstatement}.
At the next lower level, each circuit is defined in terms of a
\quadraticConstraintProgram (specifying a \rankOneConstraintSystem), as detailed
in this section. In the $\PHGR$ or $\Groth$ proving systems, this program is
translated to a \quadraticArithmeticProgram \cite[section 2.3]{BCTV2015}
in this section. In the $\BCTV$ or $\Groth$ proving systems, this program is
translated to a \quadraticArithmeticProgram \cite[section 2.3]{BCTV2014a}
\cite{WCBTV2015}. The circuit descriptions given here are necessary to compute
witness elements for each circuit, as well as the proving and verification keys.


@ -8,8 +8,8 @@
pages 459--474; IEEE, 2014.}
}
@misc{BCTV2015,
presort={BCTV2015},
@misc{BCTV2014a,
presort={BCTV2014a},
author={Eli Ben-Sasson and Alessandro Chiesa and Eran Tromer and Madars Virza},
title={Succinct {N}on-{I}nteractive {Z}ero {K}nowledge for a von {N}eumann {A}rchitecture},
url={https://eprint.iacr.org/2013/879},
@ -51,8 +51,8 @@ Lecture Notes in Computer Science; Springer, 2013.},
urldate={2016-09-01}
}
@inproceedings{BCTV2014,
presort={BCTV2014},
@inproceedings{BCTV2014b,
presort={BCTV2014b},
author={Eli Ben-Sasson and Alessandro Chiesa and Eran Tromer and Madars Virza},
title={Scalable {Z}ero {K}nowledge via {C}ycles of {E}lliptic {C}urves (extended version)},
booktitle={Advances in Cryptology - CRYPTO~2014},
@ -1183,3 +1183,20 @@ Proceedings of the 19th Annual International Cryptology Conference
url={https://link.springer.com/content/pdf/10.1007/3-540-48405-1_35.pdf}, % not paywalled
urldate={2018-06-05}
}
@misc{CVE-2019-7167,
presort={CVE-2019-7167},
author={{Common Vulnerabilities and Exposures}},
title={{CVE}-2019-7167},
url={https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7167},
urldate={2019-02-05}
}
@misc{SBB2019,
presort={SBB2019},
author={Josh Swihart and Benjamin Winston and Sean Bowe},
title={Zcash {C}ounterfeiting {V}ulnerability {S}uccessfully {R}emediated},
date={2019-02-05},
url={https://z.cash/blog/zcash-counterfeiting-vulnerability-successfully-remediated/},
urldate={2019-02-05}
}
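Review bot: the new key `SBB2019` (and its `presort`) does not match the author list in the same entry, `Josh Swihart and Benjamin Winston and Sean Bowe`, whose surname initials are S, W, B; either the key should be `SWB2019` or the author list is wrong, and both the bib key and the `\cite{SBB2019}` in the `\vuln` block must change together. The `CVE-2019-7167` entry also omits a `date` field while the neighbouring `SBB2019` entry has one; adding the publication date keeps the two disclosure references consistent.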