diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 44d964cd..58fe6e50 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -746,6 +746,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\xDiscreteLogarithm}{\termandindex{Discrete Logarithm}{Discrete Logarithm Problem}} \newcommand{\xDecisionalDiffieHellmanProblem}{\term{Decisional Diffie--Hellman Problem}} \newcommand{\xDecisionalDiffieHellman}{\termandindex{Decisional Diffie--Hellman}{Decisional Diffie--Hellman Problem}} +\newcommand{\partitioningOracleAttack}{\term{partitioning oracle attack}} +\newcommand{\partitioningOracleAttacks}{\terms{partitioning oracle attack}} \newcommand{\shaHash}{\termandindexx{$\SHAFull$}{SHA-256}} \newcommand{\shadHash}{\termandindexx{$\SHAFulld$}{SHA-256d}} @@ -1110,6 +1112,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\notePlaintextLeadBytes}{\terms{note plaintext lead byte}} \newcommand{\notesCiphertextSprout}{\termandindex{transmitted notes ciphertext}{transmitted notes ciphertext (Sprout)}} \newcommand{\noteCiphertext}{\term{transmitted note ciphertext}} +\newcommand{\noteCiphertexts}{\terms{transmitted note ciphertext}} \newcommand{\noteCiphertextSapling}{\termandindex{transmitted note ciphertext}{transmitted note ciphertext (Sapling)}} \newcommand{\noteCiphertextsSapling}{\termandindex{transmitted note ciphertexts}{transmitted note ciphertext (Sapling)}} \newcommand{\noteCiphertextOrchard}{\termandindex{transmitted note ciphertext}{transmitted note ciphertext (Orchard)}} 
@@ -14323,34 +14326,40 @@ This degree of divergence from a uniform distribution on the scalar field is not expected to cause any weakness in \note encryption. } %sapling -For all shielded protocols, the checking of \noteCommitments makes ``partitioning -oracle attacks'' \cite{LGR2021} against the \noteCiphertext infeasible, at least -in the absence of side-channel attacks. \sapling{The following argument applies -to \Sapling\nufive{ and \Orchard} but can be easily adapted to \Sprout -(replacing $\InViewingKey$ with $\TransmitPrivate$, $\TransmitPublic$ with -$\DiversifiedTransmitPublic$, and using a fixed base). Suppose that it were -feasible to find a $(\noteCiphertext, \noteCommitment)$ pair that decrypts -successfully for two different \incomingViewingKeys $\InViewingKey_1$ and -$\InViewingKey_2$. Assuming that the \noteCommitmentScheme is \binding and that -\noteCommitment opens to a \note containing $\DiversifiedTransmitPublic$, we must have -$\DiversifiedTransmitPublic = \KAAgree{}(\InViewingKey_1, \DiversifiedTransmitBase_1) = \KAAgree{}(\InViewingKey_2, \DiversifiedTransmitBase_2)$. -When $\DiversifiedTransmitBase_1 = \DiversifiedTransmitBase_2$, this is impossible -given that $\DiversifiedTransmitBase_{\oneto{2}}$ are non-$\Zero$ points in the -prime-order subgroup of the elliptic curve used for $\KA{}$ (i.e., +For all shielded protocols, the checking of \noteCommitments makes +\defining{\partitioningOracleAttacks} \cite{LGR2021} against the \noteCiphertext +infeasible, at least in the absence of side-channel attacks. \sapling{The following +argument applies to \Sapling\nufive{ and \Orchard}, but can be adapted to \Sprout +by replacing $\InViewingKey$ with $\TransmitPrivate$, $\TransmitPublic$ with +$\DiversifiedTransmitPublic$, and using a fixed base. 
The decryption procedure +for \noteCiphertexts in \Sapling\nufive{ and \Orchard} is specified in +\crossref{decryptivk}; it ensures that a successful decryption cannot occur unless +the decrypted \notePlaintext encodes a \note consistent with the \noteCommitment +(encoded as the $\cmU$ field of the \outputDescription\nufive{ or the $\cmX$ field +of the \actionDescription}). Suppose that it were feasible to find a pair of +\noteCiphertext and \noteCommitment that decrypts successfully for two different +\incomingViewingKeys $\InViewingKey_1$ and $\InViewingKey_2$. Assuming that the +\noteCommitmentScheme is \binding and that \noteCommitment opens to a \note +with $\DiversifiedTransmitPublic$ and $\DiversifiedTransmitBase$, we must have +$\DiversifiedTransmitPublic = \KAAgree{}(\InViewingKey_1, \DiversifiedTransmitBase) = \KAAgree{}(\InViewingKey_2, \DiversifiedTransmitBase)$. +But this is impossible given that $\DiversifiedTransmitBase$ is a non-$\Zero$ +point in the prime-order subgroup of the elliptic curve used for $\KA{}$ (i.e., \Jubjub\nufive{ or \Pallas}), and that \incomingViewingKeys are checked to be canonical in the scalar field corresponding to that prime order. -When $\DiversifiedTransmitBase_1 \neq \DiversifiedTransmitBase_2$, it contradicts -hardness of the \xDiscreteLogarithmProblem on the curve used for $\KA{}$. There is also a decryption procedure that makes use of \outgoingCiphertexts in \Sapling\nufive{ and \Orchard}, as specified in \crossref{decryptovk}. 
It checks -(via $\KADerivePublic{}$, and also via $\PRFexpand{\NoteSeedBytes}$ in the case -of post-\cite{ZIP-212} ciphertexts with $\notePlaintextLeadByte \neq \hexint{01}$) +(via $\KADerivePublic{}$\canopy{, and also via $\PRFexpand{\NoteSeedBytes}$ in the case +of post-\cite{ZIP-212} ciphertexts with $\notePlaintextLeadByte \neq \hexint{01}$}) that the decrypted $\EphemeralPrivate$ value is consistent with the \noteCiphertext, -which is protected from partitioning oracle attacks as described above. It also checks +which is protected from \partitioningOracleAttacks as described above. It also checks that the $\DiversifiedTransmitPublic$ value is consistent with the \noteCommitment. -Since these are the only fields in an \outgoingCiphertext, partitioning oracle -attacks against \outgoingCiphertexts are also prevented.} +Since these are the only fields in an \outgoingCiphertext, even if a +\partitioningOracleAttack occurred against an \outgoingCiphertext, it could not +result in any equivocation of the decrypted data. Because $\OutViewingKey$ and +$\OutCipherKey$ are each $256$ bits, \partitioningOracleAttacks that speed up a +search for these keys (analogous to the attacks against Password-based AEAD in +\cite{LGR2021}) are infeasible, even given knowledge of $\InViewingKey$.} \lsubsection{Omission in \ZerocashText{} security proof}{crprf} 
@@ -14530,12 +14539,32 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \lsection{Change History}{changehistory} +\historyentry{2021.2.18}{} +\begin{itemize} + \item Refine the security argument about \partitioningOracleAttacks in + \crossref{inbandrationale}:\!\! + \begin{itemize} + \item The argument for decryption with an \incomingViewingKey does not need to + depend on the \xDecisionalDiffieHellmanProblem, since $\DiversifiedTransmitBase$ + is committed to by the \noteCommitment as well as $\DiversifiedTransmitPublic$. + \item It is necessary to say that the \noteCommitment is always checked for a + successful decryption. + \item Pedantically, it was not correct to conclude from the given security argument + that \partitioningOracleAttacks against an \outgoingCiphertext are necessarily + prevented, according to the definition in \cite{LGR2021}. Instead, the correct + conclusions are that such attacks could not feasibly result in any equivocation + of the decrypted data, or in recovery of $\OutViewingKey$ or $\OutCipherKey$. + \end{itemize} +\end{itemize} + + \historyentry{2021.2.17}{2021-12-01} \begin{itemize} \item Add notes in\sapling{ \crossref{reddsabatchvalidate}, \crossref{grothbatchverify}, and} \crossref{ed25519batchvalidate} that $z_j$ may be sampled from $\range{0}{2^{128}-1}$ instead of $\range{1}{2^{128}-1}$. - \item Add note about resistance of \note encryption to partitioning oracle attacks \cite{LGR2021}. + \item Add note in \crossref{inbandrationale} about resistance of \note encryption to + \partitioningOracleAttacks \cite{LGR2021}. \item Add acknowledgement to Mihir Bellare for contributions to the science of zero-knowledge proofs. \item Add acknowledgement to Sasha Meyer.
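Review bot: In the first hunk of `protocol/protocol.tex` (the `@@ -746` region), `\partitioningOracleAttack` and `\partitioningOracleAttacks` are defined with `\term`/`\terms`, but the body hunk introduces the term with `\defining{\partitioningOracleAttacks}`, and the neighbouring definitions (`\xDiscreteLogarithm`, `\xDecisionalDiffieHellman`) use `\termandindex` so the term gets an index entry. If this is meant to be a defined term of the spec, consider `\termandindex{partitioning oracle attack}{partitioning oracle attack}` (and `\termsandindex` or the plural equivalent) so the definition is reachable from the index; otherwise `\term` is fine but the `\defining` wrapper in the body is then slightly misleading. The `\noteCiphertexts` addition in the `@@ -1110` hunk matches the existing un-indexed `\noteCiphertext` and looks consistent.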
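Review bot: In the `@@ -14323` hunk, the Sprout adaptation lists its substitutions in inconsistent directions: the first goes from the Sapling name to the Sprout name ("replacing $\InViewingKey$ with $\TransmitPrivate$") while the second goes the other way ("$\TransmitPublic$ with $\DiversifiedTransmitPublic$"), even though the argument is written in Sapling/Orchard terms and is being adapted to Sprout. Suggest "replacing $\InViewingKey$ with $\TransmitPrivate$, $\DiversifiedTransmitPublic$ with $\TransmitPublic$, and using a fixed base". Since the rewritten argument now rests on the \noteCommitment opening to a \note with both $\DiversifiedTransmitPublic$ and $\DiversifiedTransmitBase$ (that is what lets the $\DiversifiedTransmitBase_1 \neq \DiversifiedTransmitBase_2$ case be dropped), the Sprout sentence should also say which committed field of a Sprout \note plays the role of $\DiversifiedTransmitPublic$ in that step; "using a fixed base" only covers $\DiversifiedTransmitBase$. The reworded \outgoingCiphertext paragraph (equivocation not feasible; $256$-bit $\OutViewingKey$/$\OutCipherKey$ search not sped up meaningfully) reads correctly and is appropriately weaker than the removed "are also prevented".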
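Review bot: In the Change History hunk (`@@ -14530`), the first sub-item says the \incomingViewingKey argument "does not need to depend on the \xDecisionalDiffieHellmanProblem", but the sentence that was removed from \crossref{inbandrationale} invoked "hardness of the \xDiscreteLogarithmProblem on the curve used for $\KA{}$", not DDH. Either change the entry to `\xDiscreteLogarithmProblem` so it describes the assumption actually dropped, or, if the intent is that the old case analysis implicitly needed DDH, say so in the entry. Two smaller points: `\historyentry{2021.2.18}{}` has an empty date argument, which should be filled in before this version is published (the preceding entry carries `2021-12-01`); and the `:\!\!` after `\crossref{inbandrationale}` is a manual negative-space hack that no other history entry in the visible context uses, so consider dropping it or handling the spacing inside the macro.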