mirror of https://github.com/zcash/zips.git
Add note about resistance of note encryption to partitioning oracle attacks \cite{LGR2021}.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent 67a4b35dcd
commit d6a33fc056
@ -14323,6 +14323,35 @@ This degree of divergence from a uniform distribution on the scalar field is not
expected to cause any weakness in \note encryption.
} %sapling

For all shielded protocols, the checking of \noteCommitments makes ``partitioning
oracle attacks'' \cite{LGR2021} against the \noteCiphertext infeasible, at least
in the absence of side-channel attacks. \sapling{The following argument applies
to \Sapling\nufive{ and \Orchard} but can be easily adapted to \Sprout
(replacing $\InViewingKey$ with $\TransmitPrivate$, $\TransmitPublic$ with
$\DiversifiedTransmitPublic$, and using a fixed base). Suppose that it were
feasible to find a $(\noteCiphertext, \noteCommitment)$ pair that decrypts
successfully for two different \incomingViewingKeys $\InViewingKey_1$ and
$\InViewingKey_2$. Assuming that the \noteCommitmentScheme is \binding and that
\noteCommitment opens to a \note containing $\DiversifiedTransmitPublic$, we must have
$\DiversifiedTransmitPublic = \KAAgree{}(\InViewingKey_1, \DiversifiedTransmitBase_1) = \KAAgree{}(\InViewingKey_2, \DiversifiedTransmitBase_2)$.
When $\DiversifiedTransmitBase_1 = \DiversifiedTransmitBase_2$, this is impossible
given that $\DiversifiedTransmitBase_{\oneto{2}}$ are non-$\Zero$ points in the
prime-order subgroup of the elliptic curve used for $\KA{}$ (i.e.,
\Jubjub\nufive{ or \Pallas}), and that \incomingViewingKeys are checked to be
canonical in the scalar field corresponding to that prime order.
When $\DiversifiedTransmitBase_1 \neq \DiversifiedTransmitBase_2$, it contradicts
hardness of the \xDiscreteLogarithmProblem on the curve used for $\KA{}$.

There is also a decryption procedure that makes use of \outgoingCiphertexts in
\Sapling\nufive{ and \Orchard}, as specified in \crossref{decryptovk}. It checks
(via $\KADerivePublic{}$, and also via $\PRFexpand{\NoteSeedBytes}$ in the case
of post-\cite{ZIP-212} ciphertexts with $\notePlaintextLeadByte \neq \hexint{01}$)
that the decrypted $\EphemeralPrivate$ value is consistent with the \noteCiphertext,
which is protected from partitioning oracle attacks as described above. It also checks
that the $\DiversifiedTransmitPublic$ value is consistent with the \noteCommitment.
Since these are the only fields in an \outgoingCiphertext, partitioning oracle
attacks against \outgoingCiphertexts are also prevented.}


\lsubsection{Omission in \ZerocashText{} security proof}{crprf}

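Review bot: The $\DiversifiedTransmitBase_1 \neq \DiversifiedTransmitBase_2$ case says the equality of the two $\KAAgree{}$ outputs "contradicts hardness of the \xDiscreteLogarithmProblem", but that only follows if the adversary cannot choose the second base as a known scalar multiple of the first; the paragraph should state which property of how $\DiversifiedTransmitBase$ is derived from the decrypted diversifier it relies on (for example, modelling that derivation as a random oracle), so that the reduction is explicit. Separately, the Sprout adaptation in "(replacing $\InViewingKey$ with $\TransmitPrivate$, $\TransmitPublic$ with $\DiversifiedTransmitPublic$, ...)" mixes substitution directions: the first pair goes Sapling to Sprout and the second Sprout to Sapling; suggest "replacing $\InViewingKey$ with $\TransmitPrivate$, $\DiversifiedTransmitPublic$ with $\TransmitPublic$, and using a fixed base".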
@ -14506,6 +14535,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\item Add notes in\sapling{ \crossref{reddsabatchvalidate}, \crossref{grothbatchverify}, and}
\crossref{ed25519batchvalidate} that $z_j$ may be sampled from $\range{0}{2^{128}-1}$
instead of $\range{1}{2^{128}-1}$.
\item Add note about resistance of \note encryption to partitioning oracle attacks \cite{LGR2021}.
\item Add acknowledgement to Mihir Bellare for contributions to the science of zero-knowledge
proofs.
\item Add acknowledgement to Sasha Meyer.
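Review bot: The new change-log item "Add note about resistance of \note encryption to partitioning oracle attacks \cite{LGR2021}." does not say where the note was added, unlike the preceding item, which points at the affected sections with \crossref; suggest adding a \crossref to the label of the section that contains the new paragraph so readers of the change log can find it.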
@ -1587,6 +1587,21 @@ generic composition paradigm},
urldate={2021-09-01}
}

@inproceedings{LGR2021,
presort={LGR2021},
author={Julia Len and Paul Grubbs and Thomas Ristenpart},
title={Partitioning Oracle Attacks},
booktitle={Proceedings of the 30th {USENIX} Security Symposium ({USENIX} Security 21, August~11--13, 2021)},
year={2021},
month={08},
publisher={{USENIX} Association},
isbn={978-1-939133-24-3},
pages={195--212},
url={https://www.usenix.org/conference/usenixsecurity21/presentation/len},
urldate={2021-10-12},
}


@book{LG2004,
presort={LG2004},
author={Eddie Lenihan and Carolyn Eve Green},
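Review bot: Style: the new LGR2021 entry is followed by two blank lines before @book{LG2004, whereas the entry above it is separated from @inproceedings{LGR2021, by a single blank line; suggest dropping one of the two so the spacing between entries stays consistent. Also, the entry is inserted before LG2004 even though its presort key LGR2021 sorts after LG2004; harmless for biblatex, but keeping the source order in presort order would make the file easier to scan.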