mirror of https://github.com/zcash/zips.git
Refine the security argument in the note about partitioning oracle attacks.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood
parent
1571c1b345
commit
b6e00e0d41
|
|
@ -746,6 +746,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\xDiscreteLogarithm}{\termandindex{Discrete Logarithm}{Discrete Logarithm Problem}}
|
||||
\newcommand{\xDecisionalDiffieHellmanProblem}{\term{Decisional Diffie--Hellman Problem}}
|
||||
\newcommand{\xDecisionalDiffieHellman}{\termandindex{Decisional Diffie--Hellman}{Decisional Diffie--Hellman Problem}}
|
||||
\newcommand{\partitioningOracleAttack}{\term{partitioning oracle attack}}
|
||||
\newcommand{\partitioningOracleAttacks}{\terms{partitioning oracle attack}}
|
||||
|
||||
\newcommand{\shaHash}{\termandindexx{$\SHAFull$}{SHA-256}}
|
||||
\newcommand{\shadHash}{\termandindexx{$\SHAFulld$}{SHA-256d}}
|
||||
|
|
@ -1110,6 +1112,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\notePlaintextLeadBytes}{\terms{note plaintext lead byte}}
|
||||
\newcommand{\notesCiphertextSprout}{\termandindex{transmitted notes ciphertext}{transmitted notes ciphertext (Sprout)}}
|
||||
\newcommand{\noteCiphertext}{\term{transmitted note ciphertext}}
|
||||
\newcommand{\noteCiphertexts}{\terms{transmitted note ciphertext}}
|
||||
\newcommand{\noteCiphertextSapling}{\termandindex{transmitted note ciphertext}{transmitted note ciphertext (Sapling)}}
|
||||
\newcommand{\noteCiphertextsSapling}{\termandindex{transmitted note ciphertexts}{transmitted note ciphertext (Sapling)}}
|
||||
\newcommand{\noteCiphertextOrchard}{\termandindex{transmitted note ciphertext}{transmitted note ciphertext (Orchard)}}
|
||||
|
|
@ -14323,34 +14326,40 @@ This degree of divergence from a uniform distribution on the scalar field is not
|
|||
expected to cause any weakness in \note encryption.
|
||||
} %sapling
|
||||
|
||||
For all shielded protocols, the checking of \noteCommitments makes ``partitioning
|
||||
oracle attacks'' \cite{LGR2021} against the \noteCiphertext infeasible, at least
|
||||
in the absence of side-channel attacks. \sapling{The following argument applies
|
||||
to \Sapling\nufive{ and \Orchard} but can be easily adapted to \Sprout
|
||||
(replacing $\InViewingKey$ with $\TransmitPrivate$, $\TransmitPublic$ with
|
||||
$\DiversifiedTransmitPublic$, and using a fixed base). Suppose that it were
|
||||
feasible to find a $(\noteCiphertext, \noteCommitment)$ pair that decrypts
|
||||
successfully for two different \incomingViewingKeys $\InViewingKey_1$ and
|
||||
$\InViewingKey_2$. Assuming that the \noteCommitmentScheme is \binding and that
|
||||
\noteCommitment opens to a \note containing $\DiversifiedTransmitPublic$, we must have
|
||||
$\DiversifiedTransmitPublic = \KAAgree{}(\InViewingKey_1, \DiversifiedTransmitBase_1) = \KAAgree{}(\InViewingKey_2, \DiversifiedTransmitBase_2)$.
|
||||
When $\DiversifiedTransmitBase_1 = \DiversifiedTransmitBase_2$, this is impossible
|
||||
given that $\DiversifiedTransmitBase_{\oneto{2}}$ are non-$\Zero$ points in the
|
||||
prime-order subgroup of the elliptic curve used for $\KA{}$ (i.e.,
|
||||
For all shielded protocols, the checking of \noteCommitments makes
|
||||
\defining{\partitioningOracleAttacks} \cite{LGR2021} against the \noteCiphertext
|
||||
infeasible, at least in the absence of side-channel attacks. \sapling{The following
|
||||
argument applies to \Sapling\nufive{ and \Orchard}, but can be adapted to \Sprout
|
||||
by replacing $\InViewingKey$ with $\TransmitPrivate$, $\TransmitPublic$ with
|
||||
$\DiversifiedTransmitPublic$, and using a fixed base. The decryption procedure
|
||||
for \noteCiphertexts in \Sapling\nufive{ and \Orchard} is specified in
|
||||
\crossref{decryptivk}; it ensures that a successful decryption cannot occur unless
|
||||
the decrypted \notePlaintext encodes a \note consistent with the \noteCommitment
|
||||
(encoded as the $\cmU$ field of the \outputDescription\nufive{ or the $\cmX$ field
|
||||
of the \actionDescription}). Suppose that it were feasible to find a pair of
|
||||
\noteCiphertext and \noteCommitment that decrypts successfully for two different
|
||||
\incomingViewingKeys $\InViewingKey_1$ and $\InViewingKey_2$. Assuming that the
|
||||
\noteCommitmentScheme is \binding and that \noteCommitment opens to a \note
|
||||
with $\DiversifiedTransmitPublic$ and $\DiversifiedTransmitBase$, we must have
|
||||
$\DiversifiedTransmitPublic = \KAAgree{}(\InViewingKey_1, \DiversifiedTransmitBase) = \KAAgree{}(\InViewingKey_2, \DiversifiedTransmitBase)$.
|
||||
But this is impossible given that $\DiversifiedTransmitBase$ is a non-$\Zero$
|
||||
point in the prime-order subgroup of the elliptic curve used for $\KA{}$ (i.e.,
|
||||
\Jubjub\nufive{ or \Pallas}), and that \incomingViewingKeys are checked to be
|
||||
canonical in the scalar field corresponding to that prime order.
|
||||
When $\DiversifiedTransmitBase_1 \neq \DiversifiedTransmitBase_2$, it contradicts
|
||||
hardness of the \xDiscreteLogarithmProblem on the curve used for $\KA{}$.
|
||||
|
||||
There is also a decryption procedure that makes use of \outgoingCiphertexts in
|
||||
\Sapling\nufive{ and \Orchard}, as specified in \crossref{decryptovk}. It checks
|
||||
(via $\KADerivePublic{}$, and also via $\PRFexpand{\NoteSeedBytes}$ in the case
|
||||
of post-\cite{ZIP-212} ciphertexts with $\notePlaintextLeadByte \neq \hexint{01}$)
|
||||
(via $\KADerivePublic{}$\canopy{, and also via $\PRFexpand{\NoteSeedBytes}$ in the case
|
||||
of post-\cite{ZIP-212} ciphertexts with $\notePlaintextLeadByte \neq \hexint{01}$})
|
||||
that the decrypted $\EphemeralPrivate$ value is consistent with the \noteCiphertext,
|
||||
which is protected from partitioning oracle attacks as described above. It also checks
|
||||
which is protected from \partitioningOracleAttacks as described above. It also checks
|
||||
that the $\DiversifiedTransmitPublic$ value is consistent with the \noteCommitment.
|
||||
Since these are the only fields in an \outgoingCiphertext, partitioning oracle
|
||||
attacks against \outgoingCiphertexts are also prevented.}
|
||||
Since these are the only fields in an \outgoingCiphertext, even if a
|
||||
\partitioningOracleAttack occurred against an \outgoingCiphertext, it could not
|
||||
result in any equivocation of the decrypted data. Because $\OutViewingKey$ and
|
||||
$\OutCipherKey$ are each $256$ bits, \partitioningOracleAttacks that speed up a
|
||||
search for these keys (analogous to the attacks against Password-based AEAD in
|
||||
\cite{LGR2021}) are infeasible, even given knowledge of $\InViewingKey$.}
|
||||
|
||||
|
||||
\lsubsection{Omission in \ZerocashText{} security proof}{crprf}
|
||||
|
|
@ -14530,12 +14539,32 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\lsection{Change History}{changehistory}
|
||||
|
||||
|
||||
\historyentry{2021.2.18}{}
|
||||
\begin{itemize}
|
||||
\item Refine the security argument about \partitioningOracleAttacks in
|
||||
\crossref{inbandrationale}:\!\!
|
||||
\begin{itemize}
|
||||
\item The argument for decryption with an \incomingViewingKey does not need to
|
||||
depend on the \xDecisionalDiffieHellmanProblem, since $\DiversifiedTransmitBase$
|
||||
is committed to by the \noteCommitment as well as $\DiversifiedTransmitPublic$.
|
||||
\item It is necessary to say that the \noteCommitment is always checked for a
|
||||
successful decryption.
|
||||
\item Pedantically, it was not correct to conclude from the given security argument
|
||||
that \partitioningOracleAttacks against an \outgoingCiphertext are necessarily
|
||||
prevented, according to the definition in \cite{LGR2021}. Instead, the correct
|
||||
conclusions are that such attacks could not feasibly result in any equivocation
|
||||
of the decrypted data, or in recovery of $\OutViewingKey$ or $\OutCipherKey$.
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
|
||||
|
||||
\historyentry{2021.2.17}{2021-12-01}
|
||||
\begin{itemize}
|
||||
\item Add notes in\sapling{ \crossref{reddsabatchvalidate}, \crossref{grothbatchverify}, and}
|
||||
\crossref{ed25519batchvalidate} that $z_j$ may be sampled from $\range{0}{2^{128}-1}$
|
||||
instead of $\range{1}{2^{128}-1}$.
|
||||
\item Add note about resistance of \note encryption to partitioning oracle attacks \cite{LGR2021}.
|
||||
\item Add note in \crossref{inbandrationale} about resistance of \note encryption to
|
||||
\partitioningOracleAttacks \cite{LGR2021}.
|
||||
\item Add acknowledgement to Mihir Bellare for contributions to the science of zero-knowledge
|
||||
proofs.
|
||||
\item Add acknowledgement to Sasha Meyer.
|
||||
|
|
|
|||
Loading…
Reference in New Issue