mirror of https://github.com/zcash/zips.git
Add note about resistance of note encryption to partitioning oracle attacks \cite{LGR2021}.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
67a4b35dcd
commit
d6a33fc056
@ -14323,6 +14323,35 @@ This degree of divergence from a uniform distribution on the scalar field is not
expected to cause any weakness in \note encryption.
expected to cause any weakness in \note encryption.
} %sapling
} %sapling
For all shielded protocols, the checking of \noteCommitments makes ``partitioning
oracle attacks'' \cite{LGR2021} against the \noteCiphertext infeasible, at least
in the absence of side-channel attacks. \sapling{The following argument applies
to \Sapling\nufive{ and \Orchard} but can be easily adapted to \Sprout
(replacing $\InViewingKey$ with $\TransmitPrivate$, $\TransmitPublic$ with
$\DiversifiedTransmitPublic$, and using a fixed base). Suppose that it were
feasible to find a $(\noteCiphertext, \noteCommitment)$ pair that decrypts
successfully for two different \incomingViewingKeys $\InViewingKey_1$ and
$\InViewingKey_2$. Assuming that the \noteCommitmentScheme is \binding and that
\noteCommitment opens to a \note containing $\DiversifiedTransmitPublic$, we must have
$\DiversifiedTransmitPublic = \KAAgree{}(\InViewingKey_1, \DiversifiedTransmitBase_1) = \KAAgree{}(\InViewingKey_2, \DiversifiedTransmitBase_2)$.
When $\DiversifiedTransmitBase_1 = \DiversifiedTransmitBase_2$, this is impossible
given that $\DiversifiedTransmitBase_{\oneto{2}}$ are non-$\Zero$ points in the
prime-order subgroup of the elliptic curve used for $\KA{}$ (i.e.,
\Jubjub\nufive{ or \Pallas}), and that \incomingViewingKeys are checked to be
canonical in the scalar field corresponding to that prime order.
When $\DiversifiedTransmitBase_1 \neq \DiversifiedTransmitBase_2$, it contradicts
hardness of the \xDiscreteLogarithmProblem on the curve used for $\KA{}$.
There is also a decryption procedure that makes use of \outgoingCiphertexts in
\Sapling\nufive{ and \Orchard}, as specified in \crossref{decryptovk}. It checks
(via $\KADerivePublic{}$, and also via $\PRFexpand{\NoteSeedBytes}$ in the case
of post-\cite{ZIP-212} ciphertexts with $\notePlaintextLeadByte \neq \hexint{01}$)
that the decrypted $\EphemeralPrivate$ value is consistent with the \noteCiphertext,
which is protected from partitioning oracle attacks as described above. It also checks
that the $\DiversifiedTransmitPublic$ value is consistent with the \noteCommitment.
Since these are the only fields in an \outgoingCiphertext, partitioning oracle
attacks against \outgoingCiphertexts are also prevented.}
\lsubsection{Omission in \ZerocashText{} security proof}{crprf}
\lsubsection{Omission in \ZerocashText{} security proof}{crprf}
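Review bot: the second case of the argument ("When $\DiversifiedTransmitBase_1 \neq \DiversifiedTransmitBase_2$, it contradicts hardness of the \xDiscreteLogarithmProblem") states the conclusion without the reduction, and the reduction only goes through if the adversary cannot pick the two bases freely: for arbitrary non-$\Zero$ points of the prime-order subgroup, $\KAAgree{}(\InViewingKey_1, \DiversifiedTransmitBase_1) = \KAAgree{}(\InViewingKey_2, \DiversifiedTransmitBase_2)$ is satisfied by choosing $\DiversifiedTransmitBase_2$ as a known scalar multiple of $\DiversifiedTransmitBase_1$, since the candidate $\InViewingKey_1, \InViewingKey_2$ are known to the attacker in a partitioning oracle setting. Suggest saying where the bases come from (in \Sapling and \Orchard the diversifier in the decrypted plaintext determines $\DiversifiedTransmitBase$), and, because the \noteCommitment in those protocols also commits to $\DiversifiedTransmitBase$, checking whether the second case can arise at all under the \binding assumption; if it cannot, the text can say so instead of appealing to the DLP. Minor: "at least in the absence of side-channel attacks" would be more concrete with a clause noting that a failed authentication tag and a \noteCommitment mismatch must be indistinguishable to the sender for the argument to hold.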
@ -14506,6 +14535,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\item Add notes in\sapling{ \crossref{reddsabatchvalidate}, \crossref{grothbatchverify}, and}
\item Add notes in\sapling{ \crossref{reddsabatchvalidate}, \crossref{grothbatchverify}, and}
\crossref{ed25519batchvalidate} that $z_j$ may be sampled from $\range{0}{2^{128}-1}$
\crossref{ed25519batchvalidate} that $z_j$ may be sampled from $\range{0}{2^{128}-1}$
instead of $\range{1}{2^{128}-1}$.
instead of $\range{1}{2^{128}-1}$.
\item Add note about resistance of \note encryption to partitioning oracle attacks \cite{LGR2021}.
\item Add acknowledgement to Mihir Bellare for contributions to the science of zero-knowledge
\item Add acknowledgement to Mihir Bellare for contributions to the science of zero-knowledge
proofs.
proofs.
\item Add acknowledgement to Sasha Meyer.
\item Add acknowledgement to Sasha Meyer.
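Review bot: the new change-list item does not say where the note was added, while the neighbouring item points at its sections with \crossref; suggest adding a \crossref to the section that now carries the partitioning-oracle paragraph (the one immediately preceding \crossref{crprf}) so a reader of the change list can find it without searching for \cite{LGR2021}.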
@ -1587,6 +1587,21 @@ generic composition paradigm},
urldate={2021-09-01}
urldate={2021-09-01}
}
}
@inproceedings{LGR2021,
presort={LGR2021},
author={Julia Len and Paul Grubbs and Thomas Ristenpart},
title={Partitioning Oracle Attacks},
booktitle={Proceedings of the 30th {USENIX} Security Symposium ({USENIX} Security 21, August~11--13, 2021)},
year={2021},
month={08},
publisher={{USENIX} Association},
isbn={978-1-939133-24-3},
pages={195--212},
url={https://www.usenix.org/conference/usenixsecurity21/presentation/len},
urldate={2021-10-12},
}
@book{LG2004,
@book{LG2004,
presort={LG2004},
presort={LG2004},
author={Eddie Lenihan and Carolyn Eve Green},
author={Eddie Lenihan and Carolyn Eve Green},
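Review bot: the conference dates are folded into `booktitle` ("... ({USENIX} Security 21, August~11--13, 2021)"); biblatex has `eventdate` for this (here `eventdate={2021-08-11/2021-08-13}`), which keeps `booktitle` to the proceedings title and lets the bibliography style format the dates uniformly. Only worth changing if the other `@inproceedings` entries in zcash.bib do the same; otherwise consistency with them wins. The authors, title, page range 195--212 and URL match the USENIX Security 21 proceedings.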