Disclose BCTV14 vulnerability.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
9515d73aac
commit
9a7ebd326e
|
@ -367,6 +367,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\changed}[1]{\texorpdfstring{{\setchanged{#1}}}{#1}}
|
||||
\newcommand{\saplingcolor}{green}
|
||||
\newcommand{\overwintercolor}{blue}
|
||||
\newcommand{\vulncolor}{BrickRed}
|
||||
|
||||
\iftoggle{issapling}{
|
||||
\newcommand{\sprout}[1]{}
|
||||
|
@ -553,12 +554,12 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\representedPairing}{\term{represented pairing}}
|
||||
\newcommand{\RepresentedPairing}{\titleterm{Represented Pairing}}
|
||||
\newcommand{\RepresentedGroupsAndPairings}{\titleterm{Represented Groups and Pairings}}
|
||||
\newcommand{\PHGR}{\mathsf{PHGR13}}
|
||||
\newcommand{\BCTV}{\mathsf{BCTV14}}
|
||||
\newcommand{\Groth}{\mathsf{Groth16}}
|
||||
\newcommand{\GrothText}{\texorpdfstring{$\Groth$}{Groth16}}
|
||||
\newcommand{\EncodingOfPHGRProofs}{\titleterm{Encoding of PHGR13 Proofs}}
|
||||
\newcommand{\EncodingOfBCTVProofs}{\titleterm{Encoding of BCTV14 Proofs}}
|
||||
\newcommand{\EncodingOfGrothProofs}{\titleterm{Encoding of Groth16 Proofs}}
|
||||
\newcommand{\PHGRProvingSystem}{\titleterm{PHGR13}}
|
||||
\newcommand{\BCTVProvingSystem}{\titleterm{BCTV14}}
|
||||
\newcommand{\GrothProvingSystem}{\titleterm{Groth16}}
|
||||
\newcommand{\BNCurve}{\mathsf{BN\mhyphen{}254}}
|
||||
\newcommand{\BLSCurve}{\mathsf{BLS12\mhyphen{}381}}
|
||||
|
@ -1720,6 +1721,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
|
||||
\newcommand{\securityrequirement}[1]{\needspace{3ex}\subparagraph{Security requirement:}{#1}}
|
||||
\newenvironment{securityrequirements}{\introlist\subparagraph{Security requirements:}\begin{itemize}}{\end{itemize}}
|
||||
\newcommand{\vuln}[1]{\needspace{3ex}{\color{\vulncolor}\subparagraph{Vulnerability disclosure:}{#1}}}
|
||||
\newcommand{\pnote}[1]{\subparagraph{Note:}{#1}}
|
||||
\newenvironment{pnotes}{\introlist\subparagraph{Notes:}\begin{itemize}}{\end{itemize}}
|
||||
\newcommand{\nnote}[1]{\subparagraph{Non-normative note:}{#1}}
|
||||
|
@ -3587,7 +3589,7 @@ $\;\;\Prob{
|
|||
}$
|
||||
\end{securityrequirements}
|
||||
|
||||
These definitions are derived from those in \cite[Appendix C]{BCTV2014}, adapted to
|
||||
These definitions are derived from those in \cite[Appendix C]{BCTV2014b}, adapted to
|
||||
state concrete security for a fixed circuit, rather than asymptotic security for
|
||||
arbitrary circuits. ($\ZKProve{}$ corresponds to $P$, $\ZKVerify{}$ corresponds to $V$,
|
||||
and $\ZKSatisfying$ corresponds to $\mathcal{R}_C$ in the notation of that appendix.)
|
||||
|
@ -3606,7 +3608,7 @@ into account.}
|
|||
\vspace{2ex}
|
||||
|
||||
\sprout{
|
||||
The \provingSystem is instantiated in \crossref{phgr}.
|
||||
The \provingSystem is instantiated in \crossref{bctv}.
|
||||
$\JoinSplit$ refers to this \provingSystem with the $\BNCurve$ pairing,
|
||||
specialized to the \joinSplitStatement given in \crossref{joinsplitstatement}.
|
||||
In this case we omit the key subscripts on $\JoinSplitProve$ and $\JoinSplitVerify$,
|
||||
|
@ -3617,7 +3619,7 @@ taking them to be the particular \provingKey and \verifyingKey defined by the
|
|||
\introlist
|
||||
\Zcash uses two \provingSystems:
|
||||
\begin{itemize}
|
||||
\item $\PHGR$ (\crossref{phgr}) is used with the
|
||||
\item $\BCTV$ (\crossref{bctv}) is used with the
|
||||
$\BNCurve$ pairing (\crossref{bnpairing}),
|
||||
to prove and verify the \Sprout \joinSplitStatement
|
||||
(\crossref{joinsplitstatement}) before \Sapling activation.
|
||||
|
@ -3631,12 +3633,12 @@ taking them to be the particular \provingKey and \verifyingKey defined by the
|
|||
\end{itemize}
|
||||
|
||||
These specializations are: $\JoinSplit$ for the \Sprout
|
||||
\joinSplitStatement (with $\PHGR$ and $\BNCurve$, or $\Groth$ and
|
||||
\joinSplitStatement (with $\BCTV$ and $\BNCurve$, or $\Groth$ and
|
||||
$\BLSCurve$); $\Spend$ for the \Sapling \spendStatement; and $\Output$
|
||||
for the \Sapling \outputStatement.
|
||||
|
||||
We omit the key subscripts on $\JoinSplitProve$ and
|
||||
$\JoinSplitVerify$, taking them to be either the $\PHGR$ \provingKey
|
||||
$\JoinSplitVerify$, taking them to be either the $\BCTV$ \provingKey
|
||||
and \verifyingKey defined in \crossref{sproutparameters}, or the
|
||||
\texttt{sprout-groth16.params} $\Groth$ \provingKey and \verifyingKey
|
||||
defined in \crossref{saplingparameters}, according to whether the proof
|
||||
|
@ -3883,7 +3885,7 @@ where
|
|||
\primaryInput $(\rt, \nfOld{\allOld}, \cmNew{\allNew},\changed{ \vpubOld,}
|
||||
\vpubNew, \hSig, \h{\allOld})$ for the
|
||||
\joinSplitStatement defined in \crossref{joinsplitstatement}\sapling{ (this is
|
||||
a $\PHGR$ proof before \Sapling activation, and a $\Groth$ proof after \Sapling
|
||||
a $\BCTV$ proof before \Sapling activation, and a $\Groth$ proof after \Sapling
|
||||
activation)};
|
||||
\item $\TransmitCiphertext{\allNew} \typecolon \typeexp{\Ciphertext}{\NNew}$ is
|
||||
a sequence of ciphertext components for the encrypted output \notes.
|
||||
|
@ -4322,8 +4324,8 @@ authorization differs between
|
|||
but (for a given \transactionVersion) the same \sighashTxHash algorithm is used.
|
||||
|
||||
In the case of \Zcash, the
|
||||
\sprout{$\PHGR$ proving system used is}%
|
||||
\notsprout{$\PHGR$\sapling{ and $\Groth$} proving systems used are}%
|
||||
\sprout{$\BCTV$ proving system used is}%
|
||||
\notsprout{$\BCTV$\sapling{ and $\Groth$} proving systems used are}%
|
||||
\emph{malleable}, meaning that there is the potential for an adversary who does
|
||||
not know all of the \auxiliaryInputs to a proof, to malleate it in order to create a new proof
|
||||
involving related \auxiliaryInputs \cite{DSDCOPS2001}. This can be understood as similar
|
||||
|
@ -4628,7 +4630,7 @@ similar to the check in \crossref{sproutspendauthority} that is part of the \joi
|
|||
The motivation for a separate signature is to allow devices that are limited in memory
|
||||
and computational capacity, such as hardware wallets, to authorize a \Sapling shielded spend.
|
||||
Typically such devices cannot create, and may not be able to verify, \zkSNARKProofs for
|
||||
a \statement of the size needed using the $\PHGR$ or $\Groth$ proving systems.
|
||||
a \statement of the size needed using the $\BCTV$ or $\Groth$ proving systems.
|
||||
|
||||
\vspace{1ex}
|
||||
The verifying key of the signature must be revealed in the \spendDescription so that
|
||||
|
@ -4824,7 +4826,7 @@ $\NoteAddressRandNew{i} = \PRFrho{\NoteAddressPreRand}(i, \hSig)$.}
|
|||
for each $i \in \setofNew$: $\cmNew{i} = \NoteCommitmentSprout(\nNew{i})$.
|
||||
|
||||
\vspace{0.5ex}
|
||||
For details of the form and encoding of proofs, see \crossref{phgr}.
|
||||
For details of the form and encoding of proofs, see \crossref{bctv}.
|
||||
|
||||
|
||||
\sapling{
|
||||
|
@ -7481,14 +7483,14 @@ computation of a \defaultDiversifiedPaymentAddress in \crossref{saplingkeycompon
|
|||
|
||||
\subsubsection{\ZeroKnowledgeProvingSystems}
|
||||
|
||||
\subsubsubsection{\PHGRProvingSystem} \label{phgr}
|
||||
\subsubsubsection{\BCTVProvingSystem} \label{bctv}
|
||||
|
||||
\sapling{Before \Sapling activation,}
|
||||
\Zcash uses \zkSNARKs generated by a fork of \libsnark \cite{Zcash-libsnark}
|
||||
with the $\PHGR$ \provingSystem described in \cite{BCTV2015}, which is a refinement of
|
||||
with the $\BCTV$ \provingSystem described in \cite{BCTV2014a}, which is a modification of
|
||||
the systems in \cite{PHGR2013} and \cite{BCGTV2013}.
|
||||
|
||||
A $\PHGR$ proof consists of
|
||||
A $\BCTV$ proof consists of
|
||||
$(\Proof{A} \typecolon \SubgroupGstar{1},\,
|
||||
\Proof{A}' \typecolon \SubgroupGstar{1},\,
|
||||
\Proof{B} \typecolon \SubgroupGstar{2},\,
|
||||
|
@ -7497,13 +7499,13 @@ $(\Proof{A} \typecolon \SubgroupGstar{1},\,
|
|||
\Proof{C}' \typecolon \SubgroupGstar{1},\,
|
||||
\Proof{K} \typecolon \SubgroupGstar{1},\,
|
||||
\Proof{H} \typecolon \SubgroupGstar{1})$.
|
||||
It is computed as described in \cite[Appendix B]{BCTV2015}, using the pairing parameters
|
||||
It is computed as described in \cite[Appendix B]{BCTV2014a}, using the pairing parameters
|
||||
specified in \crossref{bnpairing}.
|
||||
|
||||
\pnote{
|
||||
Many details of the \provingSystem are beyond the scope of this protocol
|
||||
document. For example, the \quadraticConstraintProgram verifying the \joinSplitStatement,
|
||||
or its translation to a \quadraticArithmeticProgram \cite[section 2.3]{BCTV2015}
|
||||
or its translation to a \quadraticArithmeticProgram \cite[section 2.3]{BCTV2014a}
|
||||
\cite{WCBTV2015}, are not specified in this document.
|
||||
In practice it will be necessary to use the specific proving and verification keys
|
||||
given in \crossref{sproutparameters} that were generated for the \Zcash production \blockchain,
|
||||
|
@ -7511,11 +7513,23 @@ together with a \provingSystem implementation that is interoperable with the \Zc
|
|||
\libsnark, to ensure compatibility.
|
||||
}
|
||||
|
||||
\introlist
|
||||
\subparagraph{\EncodingOfPHGRProofs} \vspace{1ex} \label{phgrencoding}
|
||||
\vuln{
|
||||
$\BCTV$ is subject to a security vulnerability that could allow violation of
|
||||
Knowledge Soundness \cite{CVE-2019-7167} \cite{SBB2019}. The consequence for \Zcash is that
|
||||
balance violation could have occurred before activation of the \Sapling network upgrade,
|
||||
although there is no evidence of this having happened. The vulnerability is believed
|
||||
to have been fully mitigated by activation of \Sapling. The use of $\BCTV$ in \Zcash is
|
||||
now limited to verifying proofs that were made prior to the \Sapling network upgrade.
|
||||
|
||||
\newsavebox{\phgrbox}
|
||||
\begin{lrbox}{\phgrbox}
|
||||
Due to this issue, new forks of \Zcash{} \MUSTNOT use $\BCTV$, and any other users of
|
||||
the \Zcash protocol \SHOULD discontinue use of $\BCTV$ as soon as possible.
|
||||
}
|
||||
|
||||
\introlist
|
||||
\subparagraph{\EncodingOfBCTVProofs} \vspace{1ex} \label{bctvencoding}
|
||||
|
||||
\newsavebox{\bctvbox}
|
||||
\begin{lrbox}{\bctvbox}
|
||||
\setchanged
|
||||
\begin{bytefield}[bitwidth=0.021em]{2368}
|
||||
\sbitbox{264}{264-bit $\Proof{A}$} &
|
||||
|
@ -7529,18 +7543,18 @@ together with a \provingSystem implementation that is interoperable with the \Zc
|
|||
\end{bytefield}
|
||||
\end{lrbox}
|
||||
|
||||
A $\PHGR$ proof is encoded by concatenating the encodings of its elements;
|
||||
A $\BCTV$ proof is encoded by concatenating the encodings of its elements;
|
||||
for the $\BNCurve$ pairing this is:
|
||||
|
||||
\begin{formulae}[leftmargin=0.2em]
|
||||
\item $\Justthebox{\phgrbox}$
|
||||
\item $\Justthebox{\bctvbox}$
|
||||
\end{formulae}
|
||||
|
||||
The resulting proof size is 296 bytes.
|
||||
|
||||
\vspace{0.8ex}
|
||||
\introlist
|
||||
In addition to the steps to verify a proof given in \cite[Appendix B]{BCTV2015}, the
|
||||
In addition to the steps to verify a proof given in \cite[Appendix B]{BCTV2014a}, the
|
||||
verifier \MUST check, for the encoding of each element, that:
|
||||
|
||||
\begin{itemize}
|
||||
|
@ -8281,11 +8295,11 @@ in $\vJoinSplit$. \\ \hline
|
|||
|
||||
\sprout{
|
||||
$\geq 2$ & \Longunderstack{$1802 \mult$ \\ $\nJoinSplit$} & $\vJoinSplit$ & \type{JoinSplitDescription}\!\! \type{[$\nJoinSplit$]} &
|
||||
A \sequenceOfJoinSplitDescriptions{} using $\PHGR$ proofs, each encoded as in \crossref{joinsplitencoding}. \\ \hline
|
||||
A \sequenceOfJoinSplitDescriptions{} using $\BCTV$ proofs, each encoded as in \crossref{joinsplitencoding}. \\ \hline
|
||||
} %sprout
|
||||
\notsprout{
|
||||
$\barerange{2}{3}$ & \Longunderstack{$1802 \mult$ \\ $\nJoinSplit$} & $\vJoinSplit$ & \type{JSDescriptionPHGR13}\!\! \type{[$\nJoinSplit$]} &
|
||||
A \sequenceOfJoinSplitDescriptions{} using $\PHGR$ proofs, each encoded as in \crossref{joinsplitencoding}. \\ \hline
|
||||
$\barerange{2}{3}$ & \Longunderstack{$1802 \mult$ \\ $\nJoinSplit$} & $\vJoinSplit$ & \type{JSDescriptionBCTV14}\!\! \type{[$\nJoinSplit$]} &
|
||||
A \sequenceOfJoinSplitDescriptions{} using $\BCTV$ proofs, each encoded as in \crossref{joinsplitencoding}. \\ \hline
|
||||
|
||||
$\geq 4$ & \Longunderstack{$1698 \mult$ \\ $\nJoinSplit$} & $\vJoinSplit$ & \type{JSDescriptionGroth16}\!\! \type{[$\nJoinSplit$]} &
|
||||
A \sequenceOfJoinSplitDescriptions{} using $\Groth$ proofs, each encoded as in \crossref{joinsplitencoding}. \\ \hline
|
||||
|
@ -8466,7 +8480,7 @@ $\h{\allOld}$ binding $\hSig$ to each $\AuthPrivate$ of the $\joinSplitDescripti
|
|||
computed as described in \crossref{sproutnonmalleability}. \\ \hline
|
||||
|
||||
$296\notsprout{\;\dagger}$ & $\zkproof$ & \type{char[296]} & An encoding of the \zeroKnowledgeProof
|
||||
$\ProofJoinSplit$ (see \crossref{phgr}). \\ \hline
|
||||
$\ProofJoinSplit$ (see \crossref{bctv}). \\ \hline
|
||||
|
||||
\notsprout{
|
||||
$192\;\ddagger$ & $\zkproof$ & \type{char[192]} & An encoding of the \zeroKnowledgeProof
|
||||
|
@ -8480,7 +8494,7 @@ components for the encrypted output \notes, $\TransmitCiphertext{\allNew}$. \\ \
|
|||
\end{center}
|
||||
|
||||
\notsprout{
|
||||
$\dagger$ $\PHGR$ proofs are used when the \transaction version is $2$ or $3$, i.e.\ before
|
||||
$\dagger$ $\BCTV$ proofs are used when the \transaction version is $2$ or $3$, i.e.\ before
|
||||
\Sapling activation.
|
||||
|
||||
\sapling{$\ddagger$ $\Groth$ proofs are used when the \transaction version is $\geq 4$, i.e.\ after
|
||||
|
@ -9706,7 +9720,7 @@ distinct openings of the \noteCommitment when Condition I or II is violated.
|
|||
\Zcash \joinSplitStatement. $\cm$ can be computed from the other fields.
|
||||
\sapling{(The definition of \notes for \Sapling is different again.)}
|
||||
\item The length of proof encodings given in the paper is $288$
|
||||
bytes. \sproutspecific{This differs from the $296$ bytes specified in \crossref{phgr},
|
||||
bytes. \sproutspecific{This differs from the $296$ bytes specified in \crossref{bctv},
|
||||
because both the $x$-coordinate and compressed $y$-coordinate of each
|
||||
point need to be represented. Although it is possible to encode a proof
|
||||
in $288$ bytes by making use of the fact that elements of $\GF{q}$ can
|
||||
|
@ -9783,7 +9797,20 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\intropart
|
||||
\section{Change History}
|
||||
|
||||
\subparagraph{2019.0-beta-34}
|
||||
2019-02-05
|
||||
|
||||
\begin{itemize}
|
||||
\item Disclose a security vulnerability in $\BCTV$ that affected \Sprout
|
||||
before activation of the \Sapling network upgrade (see \crossref{bctv}).
|
||||
\item Rename PHGR13 to BCTV2014.
|
||||
\item Rename reference [BCTV2015] to \cite{BCTV2014a}, and [BCTV2014] to \cite{BCTV2014b}.
|
||||
\end{itemize}
|
||||
|
||||
\introlist
|
||||
\subparagraph{2018.0-beta-33}
|
||||
2018-11-14
|
||||
|
||||
\begin{itemize}
|
||||
\item No changes to \Sprout.
|
||||
\sapling{
|
||||
|
@ -10060,7 +10087,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\item Correct the encoding of a \fullViewingKey ($\OutViewingKey$ was missing).
|
||||
\item Ensure that \Sprout functions and values are given \Sprout-specific types where appropriate.
|
||||
\item Improve cross-referencing.
|
||||
\item Clarify the use of $\PHGR$ vs $\Groth$ proofs in \joinSplitStatements.
|
||||
\item Clarify the use of $\BCTV$ vs $\Groth$ proofs in \joinSplitStatements.
|
||||
\item Clarify that the $\ssqrt{a}$ notation refers to the positive square root. (This matters for
|
||||
the conversion in \crossref{cctconversion}.)
|
||||
\item Model the group hash as a random oracle. This appears to be unavoidable in order to allow
|
||||
|
@ -10821,8 +10848,8 @@ described in \crossref{joinsplitstatement}.
|
|||
|
||||
At the next lower level, each circuit is defined in terms of a
|
||||
\quadraticConstraintProgram (specifying a \rankOneConstraintSystem), as detailed
|
||||
in this section. In the $\PHGR$ or $\Groth$ proving systems, this program is
|
||||
translated to a \quadraticArithmeticProgram \cite[section 2.3]{BCTV2015}
|
||||
in this section. In the $\BCTV$ or $\Groth$ proving systems, this program is
|
||||
translated to a \quadraticArithmeticProgram \cite[section 2.3]{BCTV2014a}
|
||||
\cite{WCBTV2015}. The circuit descriptions given here are necessary to compute
|
||||
witness elements for each circuit, as well as the proving and verification keys.
|
||||
|
||||
|
|
|
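Review bot: The normative sentence in the new `\vuln{...}` paragraph, `new forks of \Zcash{} \MUSTNOT use $\BCTV$`, does not say whether it covers verification of historical JoinSplit proofs, which the same paragraph says Zcash still performs and which any node validating from genesis (or any fork sharing Zcash history) must still do with the BCTV14 verifying key from sproutparameters. Suggest scoping it: `Due to this issue, new forks of \Zcash{} \MUSTNOT use $\BCTV$ to create new proofs, and any other users of the \Zcash protocol \SHOULD discontinue use of $\BCTV$ as soon as possible; verifying proofs made before \Sapling activation is unaffected by this requirement.` Because the issue is described as a Knowledge Soundness violation, a forged proof would by definition be accepted by the verifier, so it is worth stating in the same paragraph that the encoding checks the verifier MUST perform (listed after the proof layout) do not detect it, and that the mitigation appears to rest entirely on post-Sapling consensus rules no longer accepting new BCTV14 proofs. Separately, the change-history item `\item Rename PHGR13 to BCTV2014.` is inconsistent with the macro `\BCTV` being defined as `BCTV14` and with the type name `JSDescriptionBCTV14`; it should read `\item Rename PHGR13 to BCTV14.` The `\vuln{...}` group is complete within its hunk, but the enclosing BCTV14 subsubsubsection starts in an earlier hunk and continues past it.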
@ -8,8 +8,8 @@
|
|||
pages 459--474; IEEE, 2014.}
|
||||
}
|
||||
|
||||
@misc{BCTV2015,
|
||||
presort={BCTV2015},
|
||||
@misc{BCTV2014a,
|
||||
presort={BCTV2014a},
|
||||
author={Eli Ben-Sasson and Alessandro Chiesa and Eran Tromer and Madars Virza},
|
||||
title={Succinct {N}on-{I}nteractive {Z}ero {K}nowledge for a von {N}eumann {A}rchitecture},
|
||||
url={https://eprint.iacr.org/2013/879},
|
||||
|
@ -51,8 +51,8 @@ Lecture Notes in Computer Science; Springer, 2013.},
|
|||
urldate={2016-09-01}
|
||||
}
|
||||
|
||||
@inproceedings{BCTV2014,
|
||||
presort={BCTV2014},
|
||||
@inproceedings{BCTV2014b,
|
||||
presort={BCTV2014b},
|
||||
author={Eli Ben-Sasson and Alessandro Chiesa and Eran Tromer and Madars Virza},
|
||||
title={Scalable {Z}ero {K}nowledge via {C}ycles of {E}lliptic {C}urves (extended version)},
|
||||
booktitle={Advances in Cryptology - CRYPTO~2014},
|
||||
|
@ -1183,3 +1183,20 @@ Proceedings of the 19th Annual International Cryptology Conference
|
|||
url={https://link.springer.com/content/pdf/10.1007/3-540-48405-1_35.pdf}, % not paywalled
|
||||
urldate={2018-06-05}
|
||||
}
|
||||
|
||||
@misc{CVE-2019-7167,
|
||||
presort={CVE-2019-7167},
|
||||
author={{Common Vulnerabilities and Exposures}},
|
||||
title={{CVE}-2019-7167},
|
||||
url={https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7167},
|
||||
urldate={2019-02-05}
|
||||
}
|
||||
|
||||
@misc{SBB2019,
|
||||
presort={SBB2019},
|
||||
author={Josh Swihart and Benjamin Winston and Sean Bowe},
|
||||
title={Zcash {C}ounterfeiting {V}ulnerability {S}uccessfully {R}emediated},
|
||||
date={2019-02-05},
|
||||
url={https://z.cash/blog/zcash-counterfeiting-vulnerability-successfully-remediated/},
|
||||
urldate={2019-02-05}
|
||||
}
|
||||
|
|