From d6a33fc056e41593e64e0b596c388122eec71cc5 Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Wed, 1 Dec 2021 18:02:29 +0000 Subject: [PATCH] Add note about resistance of note encryption to partitioning oracle attacks \cite{LGR2021}. Signed-off-by: Daira Hopwood --- protocol/protocol.tex | 30 ++++++++++++++++++++++++++++++ protocol/zcash.bib | 15 +++++++++++++++ 2 files changed, 45 insertions(+) diff --git a/protocol/protocol.tex b/protocol/protocol.tex index d156a6ba..94572aa8 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex 
@@ -14323,6 +14323,35 @@ This degree of divergence from a uniform distribution on the scalar field is not expected to cause any weakness in \note encryption. } %sapling +For all shielded protocols, the checking of \noteCommitments makes ``partitioning +oracle attacks'' \cite{LGR2021} against the \noteCiphertext infeasible, at least +in the absence of side-channel attacks. \sapling{The following argument applies +to \Sapling\nufive{ and \Orchard} but can be easily adapted to \Sprout +(replacing $\InViewingKey$ with $\TransmitPrivate$, $\TransmitPublic$ with +$\DiversifiedTransmitPublic$, and using a fixed base). Suppose that it were +feasible to find a $(\noteCiphertext, \noteCommitment)$ pair that decrypts +successfully for two different \incomingViewingKeys $\InViewingKey_1$ and +$\InViewingKey_2$. Assuming that the \noteCommitmentScheme is \binding and that +\noteCommitment opens to a \note containing $\DiversifiedTransmitPublic$, we must have +$\DiversifiedTransmitPublic = \KAAgree{}(\InViewingKey_1, \DiversifiedTransmitBase_1) = \KAAgree{}(\InViewingKey_2, \DiversifiedTransmitBase_2)$. +When $\DiversifiedTransmitBase_1 = \DiversifiedTransmitBase_2$, this is impossible +given that $\DiversifiedTransmitBase_{\oneto{2}}$ are non-$\Zero$ points in the +prime-order subgroup of the elliptic curve used for $\KA{}$ (i.e., +\Jubjub\nufive{ or \Pallas}), and that \incomingViewingKeys are checked to be +canonical in the scalar field corresponding to that prime order. +When $\DiversifiedTransmitBase_1 \neq \DiversifiedTransmitBase_2$, it contradicts +hardness of the \xDiscreteLogarithmProblem on the curve used for $\KA{}$. + +There is also a decryption procedure that makes use of \outgoingCiphertexts in +\Sapling\nufive{ and \Orchard}, as specified in \crossref{decryptovk}. 
It checks +(via $\KADerivePublic{}$, and also via $\PRFexpand{\NoteSeedBytes}$ in the case +of post-\cite{ZIP-212} ciphertexts with $\notePlaintextLeadByte \neq \hexint{01}$) +that the decrypted $\EphemeralPrivate$ value is consistent with the \noteCiphertext, +which is protected from partitioning oracle attacks as described above. It also checks +that the $\DiversifiedTransmitPublic$ value is consistent with the \noteCommitment. +Since these are the only fields in an \outgoingCiphertext, partitioning oracle +attacks against \outgoingCiphertexts are also prevented.} + \lsubsection{Omission in \ZerocashText{} security proof}{crprf} @@ -14506,6 +14535,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \item Add notes in\sapling{ \crossref{reddsabatchvalidate}, \crossref{grothbatchverify}, and} \crossref{ed25519batchvalidate} that $z_j$ may be sampled from $\range{0}{2^{128}-1}$ instead of $\range{1}{2^{128}-1}$. + \item Add note about resistance of \note encryption to partitioning oracle attacks \cite{LGR2021}. \item Add acknowledgement to Mihir Bellare for contributions to the science of zero-knowledge proofs. \item Add acknowledgement to Sasha Meyer. diff --git a/protocol/zcash.bib b/protocol/zcash.bib index 3eabc6fa..155baae9 100644 --- a/protocol/zcash.bib +++ b/protocol/zcash.bib @@ -1587,6 +1587,21 @@ generic composition paradigm}, urldate={2021-09-01} } +@inproceedings{LGR2021, + presort={LGR2021}, + author={Julia Len and Paul Grubbs and Thomas Ristenpart}, + title={Partitioning Oracle Attacks}, + booktitle={Proceedings of the 30th {USENIX} Security Symposium ({USENIX} Security 21, August~11--13, 2021)}, + year={2021}, + month={08}, + publisher={{USENIX} Association}, + isbn={978-1-939133-24-3}, + pages={195--212}, + url={https://www.usenix.org/conference/usenixsecurity21/presentation/len}, + urldate={2021-10-12}, +} + + @book{LG2004, presort={LG2004}, author={Eddie Lenihan and Carolyn Eve Green},
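Review bot: The opening claim that checking \noteCommitments makes partitioning oracle attacks "infeasible, at least in the absence of side-channel attacks" is only true when the attacker observes the conjunction of the symmetric (AEAD) decryption check and the \noteCommitment check, not each outcome on its own; the argument that follows bounds the number of \incomingViewingKeys for which the pair accepts, but an implementation that reveals AEAD tag success before recomputing \noteCommitment (distinct error paths, timing, logging) still exposes the per-key accept/reject oracle that \cite{LGR2021} relies on. I would make that explicit after the first sentence, e.g. `(This requires that an implementation of \crossref{decryptivk} not reveal whether symmetric decryption succeeded independently of whether the \noteCommitment check succeeded, e.g.\ via distinct error paths or timing.)`. The parenthetical "can be easily adapted to \Sprout" is asserted rather than shown: as far as I recall the \Sprout \noteCommitment does not commit to $\TransmitPublic$ but to the paying key, so the step "\noteCommitment opens to a \note containing ..." needs to be restated for that case, and the substitution list (also swapping the roles of $\DiversifiedTransmitBase$ for the fixed base) spelled out, if that recollection is right. The `\sapling{` group opened in this hunk is closed by the `}` before the added blank line, so the added text is self-contained.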