Add note about resistance of note encryption to partitioning oracle attacks \cite{LGR2021}.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>

protocol/protocol.tex

@@ -14323,6 +14323,35 @@ This degree of divergence from a uniform distribution on the scalar field is not
 expected to cause any weakness in \note encryption.
 } %sapling
 
+For all shielded protocols, the checking of \noteCommitments makes ``partitioning
+oracle attacks'' \cite{LGR2021} against the \noteCiphertext infeasible, at least
+in the absence of side-channel attacks. \sapling{The following argument applies
+to \Sapling\nufive{ and \Orchard} but can be easily adapted to \Sprout
+(replacing $\InViewingKey$ with $\TransmitPrivate$, $\TransmitPublic$ with
+$\DiversifiedTransmitPublic$, and using a fixed base). Suppose that it were
+feasible to find a $(\noteCiphertext, \noteCommitment)$ pair that decrypts
+successfully for two different \incomingViewingKeys $\InViewingKey_1$ and
+$\InViewingKey_2$. Assuming that the \noteCommitmentScheme is \binding and that
+\noteCommitment opens to a \note containing $\DiversifiedTransmitPublic$, we must have
+$\DiversifiedTransmitPublic = \KAAgree{}(\InViewingKey_1, \DiversifiedTransmitBase_1) = \KAAgree{}(\InViewingKey_2, \DiversifiedTransmitBase_2)$.
+When $\DiversifiedTransmitBase_1 = \DiversifiedTransmitBase_2$, this is impossible
+given that $\DiversifiedTransmitBase_{\oneto{2}}$ are non-$\Zero$ points in the
+prime-order subgroup of the elliptic curve used for $\KA{}$ (i.e.,
+\Jubjub\nufive{ or \Pallas}), and that \incomingViewingKeys are checked to be
+canonical in the scalar field corresponding to that prime order.
+When $\DiversifiedTransmitBase_1 \neq \DiversifiedTransmitBase_2$, it contradicts
+hardness of the \xDiscreteLogarithmProblem on the curve used for $\KA{}$.
+
+There is also a decryption procedure that makes use of \outgoingCiphertexts in
+\Sapling\nufive{ and \Orchard}, as specified in \crossref{decryptovk}. It checks
+(via $\KADerivePublic{}$, and also via $\PRFexpand{\NoteSeedBytes}$ in the case
+of post-\cite{ZIP-212} ciphertexts with $\notePlaintextLeadByte \neq \hexint{01}$)
+that the decrypted $\EphemeralPrivate$ value is consistent with the \noteCiphertext,
+which is protected from partitioning oracle attacks as described above. It also checks
+that the $\DiversifiedTransmitPublic$ value is consistent with the \noteCommitment.
+Since these are the only fields in an \outgoingCiphertext, partitioning oracle
+attacks against \outgoingCiphertexts are also prevented.}
+
 
 \lsubsection{Omission in \ZerocashText{} security proof}{crprf}
 
@@ -14506,6 +14535,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
     \item Add notes in\sapling{ \crossref{reddsabatchvalidate}, \crossref{grothbatchverify}, and}
           \crossref{ed25519batchvalidate} that $z_j$ may be sampled from $\range{0}{2^{128}-1}$
           instead of $\range{1}{2^{128}-1}$.
+    \item Add note about resistance of \note encryption to partitioning oracle attacks \cite{LGR2021}.
     \item Add acknowledgement to Mihir Bellare for contributions to the science of zero-knowledge
           proofs.
     \item Add acknowledgement to Sasha Meyer.

protocol/zcash.bib

@@ -1587,6 +1587,21 @@ generic composition paradigm},
    urldate={2021-09-01}
 }
 
+@inproceedings{LGR2021,
+   presort={LGR2021},
+   author={Julia Len and Paul Grubbs and Thomas Ristenpart},
+   title={Partitioning Oracle Attacks},
+   booktitle={Proceedings of the 30th {USENIX} Security Symposium ({USENIX} Security 21, August~11--13, 2021)},
+   year={2021},
+   month={08},
+   publisher={{USENIX} Association},
+   isbn={978-1-939133-24-3},
+   pages={195--212},
+   url={https://www.usenix.org/conference/usenixsecurity21/presentation/len},
+   urldate={2021-10-12},
+}
+
+
 @book{LG2004,
    presort={LG2004},
    author={Eddie Lenihan and Carolyn Eve Green},