The nonce input to the AEAD isn't long enough, so derive K^disclose_i using a PRF instead.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2016-02-26 01:56:04 +00:00
parent abb9da9937
commit e7ad03ac52
2 changed files with 48 additions and 48 deletions


@ -142,20 +142,17 @@
\newcommand{\Plaintext}{\mathbf{P}} \newcommand{\Plaintext}{\mathbf{P}}
\newcommand{\Ciphertext}{\mathbf{C}} \newcommand{\Ciphertext}{\mathbf{C}}
\newcommand{\Key}{\mathsf{K}} \newcommand{\Key}{\mathsf{K}}
\newcommand{\Nonce}{\mathsf{nonce}}
\newcommand{\Empty}{\varnothing}
\newcommand{\RandomSeed}{\mathsf{randomSeed}} \newcommand{\RandomSeed}{\mathsf{randomSeed}}
\newcommand{\TransmitPlaintext}[1]{\Plaintext^\enc_{#1}} \newcommand{\TransmitPlaintext}[1]{\Plaintext^\enc_{#1}}
\newcommand{\TransmitCiphertext}[1]{\Ciphertext^\enc_{#1}} \newcommand{\TransmitCiphertext}[1]{\Ciphertext^\enc_{#1}}
\newcommand{\TransmitKey}[1]{\Key^\enc_{#1}} \newcommand{\TransmitKey}[1]{\Key^\enc_{#1}}
\newcommand{\TransmitKeyCompare}[1]{\Key^*_{#1}} \newcommand{\TransmitKeyCompare}[1]{\Key^*_{#1}}
\newcommand{\DerivedKey}[1]{\Key^\disclose_{#1}}
\newcommand{\DiscloseCiphertext}[1]{\Ciphertext^\disclose_{#1}} \newcommand{\DiscloseCiphertext}[1]{\Ciphertext^\disclose_{#1}}
\newcommand{\SharedPlaintext}[1]{\Plaintext^\shared_{#1}} \newcommand{\SharedPlaintext}[1]{\Plaintext^\shared_{#1}}
\newcommand{\SharedCiphertext}{\Ciphertext^\shared} \newcommand{\SharedCiphertext}{\Ciphertext^\shared}
\newcommand{\SharedKey}[1]{\Key^\shared_{#1}} \newcommand{\SharedKey}[1]{\Key^\shared_{#1}}
\newcommand{\KDF}{\mathsf{KDF}} \newcommand{\KDF}{\mathsf{KDF}}
\newcommand{\Prenonce}{\mathsf{prenonce}}
\newcommand{\PkEncrypt}[1]{\mathsf{PkEncrypt}_{#1}}
\newcommand{\SymEncrypt}[1]{\mathsf{SymEncrypt}_{#1}} \newcommand{\SymEncrypt}[1]{\mathsf{SymEncrypt}_{#1}}
\newcommand{\SymDecrypt}[1]{\mathsf{SymDecrypt}_{#1}} \newcommand{\SymDecrypt}[1]{\mathsf{SymDecrypt}_{#1}}
\newcommand{\SymSpecific}{\mathsf{AEAD\_CHACHA20\_POLY1305}} \newcommand{\SymSpecific}{\mathsf{AEAD\_CHACHA20\_POLY1305}}
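Review bot: removing the \Nonce, \Empty, \Prenonce and \PkEncrypt macros in this hunk is only safe if no use of them survives outside the hunks shown. \Nonce and \Empty are cleaned up in later hunks, but \Prenonce and \PkEncrypt appear nowhere else in this diff, so any remaining use elsewhere in the file now fails with an undefined control sequence; worth a grep before merging. The new \DerivedKey macro reuses the \disclose superscript of \DiscloseKey, which matches the K^disclose_i naming in the commit message.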
@ -170,6 +167,7 @@
\newcommand{\PRFsn}[1]{\PRF{#1}{sn}} \newcommand{\PRFsn}[1]{\PRF{#1}{sn}}
\newcommand{\PRFpk}[1]{\PRF{#1}{pk}} \newcommand{\PRFpk}[1]{\PRF{#1}{pk}}
\newcommand{\PRFrho}[1]{\PRF{#1}{\CoinAddressRand}} \newcommand{\PRFrho}[1]{\PRF{#1}{\CoinAddressRand}}
\newcommand{\PRFdk}[1]{\PRF{#1}{dk}}
\newcommand{\SHA}{\mathtt{SHA256Compress}} \newcommand{\SHA}{\mathtt{SHA256Compress}}
\newcommand{\SHAName}{\term{SHA-256 compression}} \newcommand{\SHAName}{\term{SHA-256 compression}}
\newcommand{\SHAOrig}{\term{SHA-256}} \newcommand{\SHAOrig}{\term{SHA-256}}
@ -296,8 +294,6 @@ with indices $1$ through $\mathrm{N}$ inclusive. For example,
$\AuthPublicNew{\mathrm{1}..\NNew}$ means the sequence $[\AuthPublicNew{\mathrm{1}}, $\AuthPublicNew{\mathrm{1}..\NNew}$ means the sequence $[\AuthPublicNew{\mathrm{1}},
\AuthPublicNew{\mathrm{2}}, ...\;\AuthPublicNew{\NNew}]$. \AuthPublicNew{\mathrm{2}}, ...\;\AuthPublicNew{\NNew}]$.
$\Empty$ denotes an empty byte sequence.
\subsection{Cryptographic Functions} \subsection{Cryptographic Functions}
$\CRH$ is a collision-resistant hash function. In \Zcash, the $\SHAName$ function $\CRH$ is a collision-resistant hash function. In \Zcash, the $\SHAName$ function
@ -305,18 +301,21 @@ is used which takes a 512-bit block and produces a 256-bit hash. This is
different from the $\SHAOrig$ function, which hashes arbitrary-length strings. different from the $\SHAOrig$ function, which hashes arbitrary-length strings.
\cite{sha256} \cite{sha256}
$\PRF{x}{}$ is a pseudo-random function seeded by $x$. \changed{Four} \emph{independent} $\PRF{x}{}$ is a pseudo-random function seeded by $x$. \changed{Five} \emph{independent}
$\PRF{x}{}$ are needed in our scheme: $\PRFaddr{x}$, $\PRFsn{x}$, $\PRFpk{x}$\changed{, $\PRF{x}{}$ are needed in our scheme: $\PRFaddr{x}$, $\PRFsn{x}$, $\PRFpk{x}$\changed{,
and $\PRFrho{x}$}. It is required that $\PRFsn{x}$ \changed{and $\PRFrho{x}$} be $\PRFrho{x}$, and $\PRFdk{x}$}.
collision-resistant across all $x$ --- i.e. it should not be feasible to find
$(x, y) \neq (x', y')$ such that $\PRFsn{x}(y) = \PRFsn{x'}(y')$\changed{, and similarly It is required that $\PRFsn{x}$ \changed{and $\PRFrho{x}$} be collision-resistant
for $\PRFrho{}$}. across all $x$ --- i.e. it should not be feasible to find $(x, y) \neq (x', y')$
such that $\PRFsn{x}(y) = \PRFsn{x'}(y')$\changed{, and similarly for $\PRFrho{}$}.
In \Zcash, the $\SHAName$ function is used to construct all four of these In \Zcash, the $\SHAName$ function is used to construct all four of these
functions. The bits $\mathtt{00}$, $\mathtt{01}$, $\mathtt{10}$\changed{, and functions. The bits $\mathtt{00}$, $\mathtt{01}$, $\mathtt{10}$\changed{, and
$\mathtt{11}$} are included (respectively) within the blocks that are hashed, $\mathtt{11}$} are included (respectively) within the blocks that are hashed,
ensuring that the functions are independent. ensuring that the functions are independent.
\todo{Fix domain separation for $\PRFdk{x}$.}
\newcommand{\iminusone}{\hspace{0.3pt}\scriptsize{$i$\hspace{0.6pt}-1}} \newcommand{\iminusone}{\hspace{0.3pt}\scriptsize{$i$\hspace{0.6pt}-1}}
\newsavebox{\addrbox} \newsavebox{\addrbox}
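Review bot: the count at the top of this paragraph becomes \changed{Five}, but the unchanged sentence "the $\SHAName$ function is used to construct all four of these functions" and the tag list $\mathtt{00}$, $\mathtt{01}$, $\mathtt{10}$, $\mathtt{11}$ still describe four. With the two-bit tags exhausted, $\PRFdk{x}$ has no tag of its own, which is what the new \todo records; suggest changing "all four" to "all five" in this hunk and resolving the \todo before this lands, since two PRFs sharing a tag would no longer be independent and the independence claim in the last sentence would be false.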
@ -364,6 +363,18 @@ ensuring that the functions are independent.
\end{bytefield} \end{bytefield}
\end{lrbox} \end{lrbox}
\newsavebox{\dkbox}
\begin{lrbox}{\dkbox}
\setchanged
\begin{bytefield}[bitwidth=0.065em]{512}
\bitbox{242}{256 bit $\DiscloseKey$} &
\bitbox{18}{?} &
\bitbox{18}{?} &
\bitbox{18}{\iminusone} &
\bitbox{204}{$\Leading{253}(\hSig)$}
\end{bytefield}
\end{lrbox}
\nathan{Note: If we change input or output arity (i.e. $\NOld$ or $\NNew$), we \nathan{Note: If we change input or output arity (i.e. $\NOld$ or $\NNew$), we
need to be aware of how it is associated with this bit-packing.} need to be aware of how it is associated with this bit-packing.}
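Review bot: the two \bitbox{18}{?} fields in the new \dkbox leave the domain-separation bits of the $\PRFdk{}$ input unspecified, so the figure currently documents an input layout that cannot be implemented; they should be filled in together with the \todo in the previous hunk. Also, the widths here sum to 242+18+18+18+204 = 500 while the bytefield is declared for 512; if the other PRF boxes follow the same convention this is fine, otherwise the rendered layout will not line up with the $\rho$ box it is modelled on.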
@ -373,12 +384,13 @@ need to be aware of how it is associated with this bit-packing.}
\sn =\;& \PRFsn{\AuthPrivate}(\CoinAddressRand) &:= \CRHbox{\snbox} \\ \sn =\;& \PRFsn{\AuthPrivate}(\CoinAddressRand) &:= \CRHbox{\snbox} \\
\h{i} =\;& \PRFpk{\AuthPrivate}(i, \hSig) &:= \CRHbox{\pkbox} \\ \h{i} =\;& \PRFpk{\AuthPrivate}(i, \hSig) &:= \CRHbox{\pkbox} \\
\setchanged \CoinAddressRandNew{i} =\;&\setchanged \PRFrho{\CoinAddressPreRand}(i, \hSig) \setchanged \CoinAddressRandNew{i} =\;&\setchanged \PRFrho{\CoinAddressPreRand}(i, \hSig)
&\setchanged := \CRHbox{\rhobox} &\setchanged := \CRHbox{\rhobox} \\
\setchanged \DerivedKey{i} =\;&\setchanged \PRFdk{\DiscloseKey}(i, \hSig)
&\setchanged := \CRHbox{\dkbox}
\end{aligned} \end{aligned}
\end{equation*} \end{equation*}
\daira{Should we instead define $\CoinAddressRand$ to be 254 bits and $\hSig$ to be \daira{Truncate the left-hand sides rather than the right-hand sides.}
253 bits?}
\section{Concepts} \section{Concepts}
@ -745,7 +757,7 @@ there exists a witness of \term{auxiliary input}:
\begin{itemize} \begin{itemize}
\item[] $(\treepath{1..\NOld}, \cOld{1..\NOld}, \AuthPrivateOld{\mathrm{1}..\NOld}, \item[] $(\treepath{1..\NOld}, \cOld{1..\NOld}, \AuthPrivateOld{\mathrm{1}..\NOld},
\changed{\DiscloseKeyOld{\mathrm{1}..\NOld}, \cpNew{1..\NNew}, \changed{\DiscloseKeyOld{\mathrm{1}..\NOld}, \cpNew{1..\NNew},
\CoinAddressPreRand, \SharedKey{}, \TransmitKey{1..\NOld}})$ \CoinAddressPreRand, \TransmitKey{1..\NNew}, \DerivedKey{1..\NOld}, \SharedKey{}})$
\end{itemize} \end{itemize}
where: where:
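Review bot: the witness change in this hunk corrects the index range of \TransmitKey from 1..\NOld to 1..\NNew, which matches the $\TransmitCiphertext{}$ integrity condition that ranges over the new coins; \DerivedKey{1..\NOld} is added as a further auxiliary input. Make sure the "where:" list that follows this hunk gains an entry defining \DerivedKey{1..\NOld}, so that it is described alongside the other witness components.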
@ -786,33 +798,34 @@ $\AuthPublicOld{i} = \PRFaddr{\DiscloseKeyOld{i}}(1)$.
\subparagraph{Non-malleability} \subparagraph{Non-malleability}
for each $i \in \{1..\NOld\}$: for each $i \in \{1..\NOld\}$:
$\h{i} = \PRFpk{\AuthPrivateOld{i}}(i, \hSig)$ $\h{i} = \PRFpk{\AuthPrivateOld{i}}(i, \hSig)$.
\changed{ \changed{
\subparagraph{Uniqueness of $\CoinAddressRandNew{i}$} \subparagraph{Uniqueness of $\CoinAddressRandNew{i}$}
for each $i \in \{1..\NNew\}$: for each $i \in \{1..\NNew\}$:
$\CoinAddressRandNew{i} = \PRFrho{\CoinAddressPreRand}(i, \hSig)$ $\CoinAddressRandNew{i} = \PRFrho{\CoinAddressPreRand}(i, \hSig)$.
} }
\subparagraph{Commitment integrity} \subparagraph{Commitment integrity}
for each $i \in \{1..\NNew\}$: $\cmNew{i}$ = $\CoinCommitment(\cNew{i})$ for each $i \in \{1..\NNew\}$: $\cmNew{i}$ = $\CoinCommitment(\cNew{i})$.
\changed{ \changed{
\subparagraph{$\TransmitCiphertext{}$ integrity} \subparagraph{$\TransmitCiphertext{}$ integrity}
for each $i \in \{1..\NNew\}$: for each $i \in \{1..\NNew\}$:
$\TransmitCiphertext{i} = \SymEncrypt{\TransmitKey{i}}(\TransmitPlaintext{i}, \Empty)$. $\TransmitCiphertext{i} = \SymEncrypt{\TransmitKey{i}}(\TransmitPlaintext{i})$.
\subparagraph{$\DiscloseCiphertext{}$ integrity} \subparagraph{$\DiscloseCiphertext{}$ integrity}
for each $i \in \{1..\NOld\}$: for each $i \in \{1..\NOld\}$:
$\DiscloseCiphertext{i} = \SymEncrypt{\DiscloseKeyOld{i}}(\SharedKey{}, \Nonce(\hSig, i))$ $\DiscloseCiphertext{i} = \SymEncrypt{\DerivedKey{i}}(\SharedKey{})$
and $\DerivedKey{i} = \PRFdk{\DiscloseKeyOld{i}}(i, \hSig)$.
\subparagraph{$\SharedCiphertext$ integrity} \subparagraph{$\SharedCiphertext$ integrity}
$\SharedCiphertext = \SymEncrypt{\SharedKey{}}(\SharedPlaintext{}, \Empty)$ $\SharedCiphertext = \SymEncrypt{\SharedKey{}}(\SharedPlaintext{})$.
} }
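Review bot: the $\DiscloseCiphertext{}$ integrity condition now ties $\DerivedKey{i}$ to $\PRFdk{\DiscloseKeyOld{i}}(i, \hSig)$ inside the statement, so the proof must evaluate one more $\SHAName$ instance per old coin; that circuit cost should be called out. Dropping the nonce argument is sound only if no $\DerivedKey{i}$ is ever reused to encrypt a different $\SharedKey{}$, which here rests on $\hSig$ being unique per pour; that assumption deserves a sentence next to this condition rather than being left implicit.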
\section{In-band secret distribution} \section{In-band secret distribution}
@ -842,15 +855,6 @@ All of the resulting ciphertexts are combined to form a \coinsCiphertext.
\end{bytefield} \end{bytefield}
\end{lrbox} \end{lrbox}
\newsavebox{\noncebox}
\begin{lrbox}{\noncebox}
\setchanged
\begin{bytefield}[bitwidth=0.032em]{8}
\bitbox{256}{256 bit $\hSig$}
\bitbox{160}{8 bit $i-1$}
\end{bytefield}
\end{lrbox}
\newsavebox{\sharedbox} \newsavebox{\sharedbox}
\begin{lrbox}{\sharedbox} \begin{lrbox}{\sharedbox}
\setchanged \setchanged
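Review bot: removing \noncebox also removes a layout that did not add up on the old side (a bytefield declared for 8 bits holding 256-bit and 160-bit boxes), so nothing of value is lost. Confirm that no \Justthebox{\noncebox} use remains outside the hunks shown; the one in the Encryption subsection is removed in the next hunk.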
@ -868,20 +872,18 @@ All of the resulting ciphertexts are combined to form a \coinsCiphertext.
\subsection{Encryption} \subsection{Encryption}
\changed{ \changed{
Let $\SymEncrypt{\Key}(\Plaintext, \Nonce)$ be the $\SymSpecific$ \cite{rfc7539} Let $\SymEncrypt{\Key}(\Plaintext)$ be the $\SymSpecific$ \cite{rfc7539}
encryption of plaintext $\Plaintext$ with empty ``additional data", nonce $\Nonce$, encryption of plaintext $\Plaintext$ with empty ``additional data", all-zero nonce,
and key $\Key$. and key $\Key$.
Similarly, let $\SymDecrypt{\Key}(\Ciphertext, \Nonce)$ be the $\SymSpecific$ Similarly, let $\SymDecrypt{\Key}(\Ciphertext)$ be the $\SymSpecific$
decryption of ciphertext $\Ciphertext$ with empty ``additional data", decryption of ciphertext $\Ciphertext$ with empty ``additional data", all-zero
nonce $\Nonce$, and key $\Key$. The result is either the plaintext byte sequence, nonce, and key $\Key$. The result is either the plaintext byte sequence,
or $\bot$ indicating failure to decrypt. or $\bot$ indicating failure to decrypt.
Define: Define:
$\KDF(\DHSecret{i}, \EphemeralPublic, \TransmitPublicNew{i}, i) := \FullHashbox{\kdfbox}$. $\KDF(\DHSecret{i}, \EphemeralPublic, \TransmitPublicNew{i}, i) := \FullHashbox{\kdfbox}$.
$\Nonce(\hSig, i) := \Justthebox{\noncebox}{-1.3ex}$.
} }
Let $\TransmitPublicNew{\mathrm{1}..\NNew}$ be the \changed{Curve25519} public keys Let $\TransmitPublicNew{\mathrm{1}..\NNew}$ be the \changed{Curve25519} public keys
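Review bot: defining $\SymEncrypt{\Key}(\Plaintext)$ with an all-zero nonce makes every key strictly single-use, because $\SymSpecific$ under a repeated (key, nonce) pair loses both confidentiality and integrity; state that requirement here and point to how each of $\TransmitKey{i}$ (KDF over $i$), $\DerivedKey{i}$ (PRF over $i$ and $\hSig$) and $\SharedKey{}$ (fresh per transaction) satisfies it. Style: ``additional data" mixes a LaTeX opening quote with a straight closing quote on both old and new sides; ``additional data'' is the usual form.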
@ -905,14 +907,14 @@ $(\EphemeralPublic, \EphemeralPrivate)$, and a new $\SymSpecific$ key $\SharedKe
\item Let $\TransmitKey{i} := \KDF(\DHSecret{i}, \EphemeralPublic, \item Let $\TransmitKey{i} := \KDF(\DHSecret{i}, \EphemeralPublic,
\TransmitPublicNew{i}, i)$. \TransmitPublicNew{i}, i)$.
\item Let $\TransmitCiphertext{i} := \item Let $\TransmitCiphertext{i} :=
\SymEncrypt{\TransmitKey{i}}(\TransmitPlaintext{i}, \Empty)$. \SymEncrypt{\TransmitKey{i}}(\TransmitPlaintext{i})$.
\end{itemize} \end{itemize}
\item For $i$ in $\{1..\NOld\}$, \item For $i$ in $\{1..\NOld\}$,
\begin{itemize} \begin{itemize}
\item Let $\DiscloseCiphertext{i} := \item Let $\DerivedKey{i} := \PRFdk{\DiscloseKeyOld{i}}(i, \hSig)$.
\SymEncrypt{\DiscloseKeyOld{i}}(\SharedKey{}, \Nonce(\hSig, i))$. \item Let $\DiscloseCiphertext{i} := \SymEncrypt{\DerivedKey{i}}(\SharedKey{})$.
\end{itemize} \end{itemize}
\item Let $\SharedCiphertext := \SymEncrypt{\SharedKey{}}(\SharedPlaintext{}, \Empty)$. \item Let $\SharedCiphertext := \SymEncrypt{\SharedKey{}}(\SharedPlaintext{})$.
} }
\end{itemize} \end{itemize}
@ -939,7 +941,7 @@ $\DecryptCoin(\TransmitKey{i}, \TransmitCiphertext{i}, \cmNew{i})$ is defined as
\begin{itemize} \begin{itemize}
\item Let $\TransmitPlaintext{i} := \item Let $\TransmitPlaintext{i} :=
\SymDecrypt{\TransmitKey{i}}(\TransmitCiphertext{i}, \Empty)$. \SymDecrypt{\TransmitKey{i}}(\TransmitCiphertext{i})$.
\item If $\TransmitPlaintext{i} = \bot$, return $\bot$. \item If $\TransmitPlaintext{i} = \bot$, return $\bot$.
\item Extract $\CoinPlaintext{i} = (\AuthPublicNew{i}, \ValueNew{i}, \item Extract $\CoinPlaintext{i} = (\AuthPublicNew{i}, \ValueNew{i},
\CoinAddressRandNew{i}, \CoinCommitRandNew{i}, \Memo_i)$ from $\TransmitPlaintext{i}$. \CoinAddressRandNew{i}, \CoinCommitRandNew{i}, \Memo_i)$ from $\TransmitPlaintext{i}$.
@ -972,11 +974,10 @@ will attempt to decrypt the corresponding \coinsCiphertext as follows:
\item Set $\SharedPlaintext{} := \bot$. \item Set $\SharedPlaintext{} := \bot$.
\item For $i$ in $\{1..\NNew\}$, \item For $i$ in $\{1..\NNew\}$,
\begin{itemize} \begin{itemize}
\item Let $\SharedKey{i} := \item Let $\DerivedKey{i} := \PRFdk{\DiscloseKey{}}(i, \hSig)$.
\SymDecrypt{\DiscloseKey{}}(\DiscloseCiphertext{i}, \Nonce(\hSig, i))$. \item Let $\SharedKey{i} := \SymDecrypt{\DerivedKey{i}}(\DiscloseCiphertext{i})$.
\item If $\SharedKey{i} = \bot$ then continue with the next $i$. \item If $\SharedKey{i} = \bot$ then continue with the next $i$.
\item Let $\SharedPlaintext{i} := \item Let $\SharedPlaintext{i} := \SymDecrypt{\SharedKey{i}}(\SharedCiphertext)$.
\SymDecrypt{\SharedKey{i}}(\SharedCiphertext, \Empty)$.
\item If $\SharedPlaintext{i} = \bot$ then continue with the next $i$. \item If $\SharedPlaintext{i} = \bot$ then continue with the next $i$.
\item Set $\SharedPlaintext{} := \SharedPlaintext{i}$ and exit the loop. \item Set $\SharedPlaintext{} := \SharedPlaintext{i}$ and exit the loop.
\end{itemize} \end{itemize}
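Review bot: the loop in this hunk still iterates $i$ over $\{1..\NNew\}$ on both sides, but $\DiscloseCiphertext{i}$ and $\DerivedKey{i}$ are produced for $i \in \{1..\NOld\}$ in the Encryption procedure and in the $\DiscloseCiphertext{}$ integrity condition; whenever $\NNew \neq \NOld$ the decryptor either skips ciphertexts or indexes past the end. Suggest `\item For $i$ in $\{1..\NOld\}$,`. The new $\DerivedKey{i}$ step uses the recipient's unindexed $\DiscloseKey{}$, which is correct for the decryptor; a remark that it agrees with the prover's $\DerivedKey{i}$ exactly when $\DiscloseKey{} = \DiscloseKeyOld{i}$ would make the name reuse less confusing.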
@ -1018,8 +1019,7 @@ Note that:
in a given \PourDescription. in a given \PourDescription.
\item In addition to the Diffie-Hellman secret, the KDF takes as input the \item In addition to the Diffie-Hellman secret, the KDF takes as input the
public keys of both parties, and the index $i$. public keys of both parties, and the index $i$.
\item The nonce parameter to $\SymSpecific$ is not used for the public key \item The nonce parameter to $\SymSpecific$ is not used.
encryption.
\item The ephemeral secret $\EphemeralPrivate$ is included together with \item The ephemeral secret $\EphemeralPrivate$ is included together with
the \transmitKeypair public keys of the recipients, symmetrically the \transmitKeypair public keys of the recipients, symmetrically
encrypted to the \discloseKey. encrypted to the \discloseKey.
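Review bot: "The nonce parameter to $\SymSpecific$ is not used." states the mechanism but not the obligation it creates; this note should add that, as a consequence, each symmetric key is used for exactly one encryption, which is the reason $\DerivedKey{i}$ is now derived per $(i, \hSig)$ instead of encrypting directly under $\DiscloseKeyOld{i}$ as the old side did. The old wording was at least scoped to "the public key encryption"; the new sentence applies to all three uses of $\SymSpecific$ and should say so.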