zec
/
zips
mirror of https://github.com/zcash/zips.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
zips/zip-0212.html

318 lines
27 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html>
<head>
<title>ZIP 212: Allow Recipient to Derive Sapling Ephemeral Secret from Note Plaintext</title>
<meta charset="utf-8" />
<script src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js?config=TeX-AMS-MML_HTMLorMML"></script>
<meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="css/style.css"></head>
<body>
<section>
<pre>ZIP: 212
Title: Allow Recipient to Derive Sapling Ephemeral Secret from Note Plaintext
Owners: Sean Bowe &lt;sean@electriccoin.co&gt;
Status: Implemented (zcashd)
Category: Consensus
Created: 2019-03-31
License: MIT</pre>
<section id="terminology"><h2><span class="section-heading">Terminology</span><span class="section-anchor"> <a rel="bookmark" href="#terminology"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>The key words "MUST", "MUST NOT", "SHOULD NOT", and "MAY" in this document are to be interpreted as described in RFC 2119. <a id="id1" class="footnote_reference" href="#rfc2119">1</a></p>
<p>The function
<span class="math">\(\mathsf{ToScalar}\)</span>
is defined as in Section 4.4.2 of the Zcash Protocol Specification. <a id="id2" class="footnote_reference" href="#protocol">2</a></p>
</section>
<section id="abstract"><h2><span class="section-heading">Abstract</span><span class="section-anchor"> <a rel="bookmark" href="#abstract"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>This ZIP proposes a new note plaintext format for Sapling Outputs in transactions. The new format allows recipients to check the well-formedness of the ephemeral Diffie-Hellman key in the Output to avoid an assumption on zk-SNARK soundness for preventing diversified address linkability.</p>
</section>
<section id="motivation"><h2><span class="section-heading">Motivation</span><span class="section-anchor"> <a rel="bookmark" href="#motivation"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>The Sapling payment protocol contains a feature called "diversified addresses" which allows a single incoming viewing key to receive payments on an enormous number of distinct and unlinkable payment addresses. This feature allows users to maintain many payment addresses without paying additional overhead during blockchain scanning.</p>
<p>The feature works by allowing payment addresses to become a tuple
<span class="math">\((\mathsf{pk_d}, \mathsf{d})\)</span>
of a public key
<span class="math">\(\mathsf{pk_d}\)</span>
and
<span class="math">\(88\)</span>
-bit diversifier
<span class="math">\(\mathsf{d}\)</span>
such that
<span class="math">\(\mathsf{pk_d} = [\mathsf{ivk}] GH(\mathsf{d})\)</span>
for some incoming viewing key
<span class="math">\(\mathsf{ivk}\)</span>
. The hash function
<span class="math">\(GH(\mathsf{d})\)</span>
maps from a diversifier to prime order elements of the Jubjub elliptic curve. It is possible for a user to choose many
<span class="math">\(\mathsf{d}\)</span>
to create several distinct and unlinkable payment addresses of this form.</p>
<p>In order to make a payment to a Sapling address, an ephemeral secret
<span class="math">\(\mathsf{esk}\)</span>
is sampled by the sender and an ephemeral public key
<span class="math">\(\mathsf{epk} = [\mathsf{esk}] GH(\mathsf{d})\)</span>
is included in the Output description. Then, a shared Diffie-Hellman secret is computed by the sender as
<span class="math">\([\mathsf{esk}] [8] \mathsf{pk_d}\)</span>
. The recipient can recover this shared secret without knowledge of the particular
<span class="math">\(\mathsf{d}\)</span>
by computing
<span class="math">\([\mathsf{ivk}] [8] \mathsf{epk}\)</span>
. This shared secret is then used as part of note decryption.</p>
<p>Naively, the recipient cannot know which
<span class="math">\((\mathsf{pk_d}, \mathsf{d})\)</span>
was used to compute the shared secret, but the sender is asked to include the
<span class="math">\(\mathsf{d}\)</span>
within the note plaintext to reconstruct the note. However, if the recipient has more than one known address, an attacker could use a different payment address to perform secret exchange and, by observing the behavior of the recipient, link the two diversified addresses together. (This attacker strategy was discovered by Brian Warner earlier in the design of the Sapling protocol.)</p>
<p>In order to prevent this attack, the protocol currently forces the sender to prove knowledge of the discrete logarithm of
<span class="math">\(\mathsf{epk}\)</span>
with respect to the
<span class="math">\(\mathsf{g_d} = GH(\mathsf{d})\)</span>
included within the note commitment. This
<span class="math">\(\mathsf{g_d}\)</span>
is determined by
<span class="math">\(\mathsf{d}\)</span>
and recomputed during note decryption, and so the recipient will either be unable to decrypt the note or the sender will be unable to perform the attack.</p>
<p>However, this check occurs as part of the zero-knowledge proof statement and so relies on the soundness of the underlying zk-SNARK in Sapling, and therefore it relies on relatively strong cryptographic assumptions and a trusted setup. It would be preferable to force the sender to transfer sufficient information in the note plaintext to allow deriving
<span class="math">\(\mathsf{esk}\)</span>
, so that, during note decryption, the recipient can check that
<span class="math">\(\mathsf{epk} = [\mathsf{esk}] \mathsf{g_d}\)</span>
(for the expected
<span class="math">\(\mathsf{g_d}\)</span>
) and ignore the payment as invalid otherwise. This forms a line of defense in the case that soundness of the zk-SNARK does not hold.</p>
<p>Merely sending
<span class="math">\(\mathsf{esk}\)</span>
to the recipient in the note plaintext would require us to enlarge the note plaintext, but also would compromise the proof of IND-CCA2 security for in-band secret distribution. We avoid both of these concerns by using a key derivation to obtain both
<span class="math">\(\mathsf{esk}\)</span>
and
<span class="math">\(\mathsf{rcm}\)</span>
.</p>
</section>
<section id="specification"><h2><span class="section-heading">Specification</span><span class="section-anchor"> <a rel="bookmark" href="#specification"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>The specification in this ZIP is intended to be aligned with version 2020.1.15 of the Zcash Protocol Specification <a id="id3" class="footnote_reference" href="#protocol">2</a>. See the Change History of that document for relevant corrections.</p>
<p>Pseudo random functions (PRFs) are defined in section 4.2.1 of the Zcash Protocol Specification <a id="id4" class="footnote_reference" href="#protocol-abstractprfs">4</a>. We will be adapting
<span class="math">\(\mathsf{PRF^{expand}}\)</span>
for the purposes of this ZIP. This function is keyed by a 256-bit key
<span class="math">\(\mathsf{sk}\)</span>
and takes an arbitrary length byte sequence as input, returning a
<span class="math">\(64\)</span>
-byte sequence as output.</p>
<section id="changes-to-sapling-note-plaintexts"><h3><span class="section-heading">Changes to Sapling Note plaintexts</span><span class="section-anchor"> <a rel="bookmark" href="#changes-to-sapling-note-plaintexts"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>Note plaintext encodings are specified in section 5.5 of the Zcash Protocol Specification <a id="id5" class="footnote_reference" href="#protocol-notept">5</a>. Currently, the encoding of a Sapling note plaintext requires that the first byte take the form
<span class="math">\(\textbf{0x01}\)</span>
, indicating the version of the note plaintext. In addition, a
<span class="math">\(256\)</span>
-bit
<span class="math">\(\mathsf{rcm}\)</span>
field exists within the note plaintext and encoding.</p>
<p>Following the activation of this ZIP, senders of Sapling notes MUST use the following new note plaintext format:</p>
<ul>
<li>The first byte of the encoding MUST take the form
<span class="math">\(\textbf{0x02}\)</span>
(representing the new note plaintext version).</li>
<li>The field
<span class="math">\(\mathsf{rcm}\)</span>
of the encoding is renamed to
<span class="math">\(\mathsf{rseed}\)</span>
. This field
<span class="math">\(\mathsf{rseed}\)</span>
of the Sapling note plaintext no longer takes the type of
<span class="math">\(\mathsf{NoteCommit^{Sapling}.Trapdoor}\)</span>
but instead is a
<span class="math">\(32\)</span>
-byte sequence.</li>
</ul>
<p>The requirement that
<span class="math">\(\mathsf{rseed}\)</span>
(previously,
<span class="math">\(\mathsf{rcm}\)</span>
) be a scalar of the Jubjub elliptic curve, when interpreted as a little endian integer, is removed from the description of note plaintexts in sections 4.17.2 and 4.17.3 of the Zcash Protocol Specification. <a id="id6" class="footnote_reference" href="#protocol-saplingdecryptivk">6</a> <a id="id7" class="footnote_reference" href="#protocol-saplingdecryptovk">7</a></p>
</section>
<section id="changes-to-the-process-of-sending-sapling-notes"><h3><span class="section-heading">Changes to the process of sending Sapling notes</span><span class="section-anchor"> <a rel="bookmark" href="#changes-to-the-process-of-sending-sapling-notes"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>The process of sending notes in Sapling is described in section 4.6.2 of the Zcash Protocol Specification <a id="id8" class="footnote_reference" href="#protocol-saplingsend">8</a>. During this process, the sender samples
<span class="math">\(\mathsf{rcm^{new}}\)</span>
uniformly at random. In addition, the process of encrypting a note is described in section 4.17.1 of the Zcash Protocol Specification <a id="id9" class="footnote_reference" href="#protocol-saplingencrypt">3</a>. During this process, the sender also samples the ephemeral private key
<span class="math">\(\mathsf{esk}\)</span>
uniformly at random.</p>
<p>After the activation of this ZIP, the sender MUST instead sample a uniformly random
<span class="math">\(32\)</span>
-byte sequence
<span class="math">\(\mathsf{rseed}\)</span>
. The note plaintext takes
<span class="math">\(\mathsf{rseed}\)</span>
in place of
<span class="math">\(\mathsf{rcm^{new}}\)</span>
.</p>
<p>
<span class="math">\(\mathsf{rcm^{new}}\)</span>
MUST be computed by the sender as the output of
<span class="math">\(\mathsf{ToScalar}(\mathsf{PRF^{expand}_{rseed}}([4]))\)</span>
.</p>
<p>
<span class="math">\(\mathsf{esk}\)</span>
MUST be computed by the sender as the output of
<span class="math">\(\mathsf{ToScalar}(\mathsf{PRF^{expand}_{rseed}}([5]))\)</span>
.</p>
</section>
<section id="changes-to-the-process-of-receiving-sapling-notes"><h3><span class="section-heading">Changes to the process of receiving Sapling notes</span><span class="section-anchor"> <a rel="bookmark" href="#changes-to-the-process-of-receiving-sapling-notes"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>The process of receiving notes in Sapling is described in sections 4.17.2 and 4.17.3 of the Zcash Protocol Specification. <a id="id10" class="footnote_reference" href="#protocol-saplingdecryptivk">6</a> <a id="id11" class="footnote_reference" href="#protocol-saplingdecryptovk">7</a></p>
<p>There is a "grace period" of 32256 blocks starting from the block at which this ZIP activates, during which note plaintexts with lead byte 0x01 MUST still be accepted.</p>
<p>Let ActivationHeight be the activation height of this ZIP, and let GracePeriodEndHeight be ActivationHeight + 32256.</p>
<p>The height of a transaction in a mined block is defined as the height of that block. An implementation MAY also decrypt mempool transactions, in which case the height used is the height of the next block at the time of the check. An implementation SHOULD NOT attempt to decrypt mempool transactions without having obtained a best-effort view of the current block chain height.</p>
<p>When the recipient of a note (either using an incoming viewing key or a full viewing key) is able to decrypt a note plaintext, it performs the following check on the plaintext lead byte, based on the height of the containing transaction:</p>
<ul>
<li>If the height is less than ActivationHeight, then only 0x01 is accepted as the plaintext lead byte.</li>
<li>If the height is at least ActivationHeight and less than GracePeriodEndHeight, then either 0x01 or 0x02 is accepted as the plaintext lead byte.</li>
<li>If the height is at least GracePeriodEndHeight, then only 0x02 is accepted as the plaintext lead byte.</li>
</ul>
<p>If the plaintext lead byte is not accepted then the note MUST be discarded. However, if an implementation decrypted the note from a mempool transaction and it was accepted at that time, but it is later mined in a block after the end of the grace period, then it MAY be retained.</p>
<p>A note plaintext with lead byte 0x02 contains a field
<span class="math">\(\mathsf{rseed}\)</span>
that is a
<span class="math">\(32\)</span>
-byte sequence rather than a scalar value
<span class="math">\(\mathsf{rcm}\)</span>
. The recipient, during decryption and in any later contexts, will interpret the value
<span class="math">\(\mathsf{rcm}\)</span>
as the output of
<span class="math">\(\mathsf{ToScalar}(\mathsf{PRF^{expand}_{rseed}}([4]))\)</span>
. Further, the recipient MUST compute
<span class="math">\(\mathsf{esk}\)</span>
as
<span class="math">\(\mathsf{ToScalar}(\mathsf{PRF^{expand}_{rseed}}([5]))\)</span>
and check that
<span class="math">\(\mathsf{epk} = [\mathsf{esk}] \mathsf{g_d}\)</span>
and fail decryption if this check is not satisfied.</p>
</section>
<section id="consensus-rule-change-for-coinbase-transactions"><h3><span class="section-heading">Consensus rule change for coinbase transactions</span><span class="section-anchor"> <a rel="bookmark" href="#consensus-rule-change-for-coinbase-transactions"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
<p>After the activation of this ZIP, any Sapling output of a coinbase transaction that is decrypted to a note plaintext as specified in <a id="id12" class="footnote_reference" href="#zip-0213">10</a>, MUST have note plaintext lead byte equal to 0x02.</p>
<p>This applies even during the “grace period”, and also applies to funding stream outputs <a id="id13" class="footnote_reference" href="#zip-0207">9</a> sent to shielded payment addresses, if there are any.</p>
</section>
</section>
<section id="rationale"><h2><span class="section-heading">Rationale</span><span class="section-anchor"> <a rel="bookmark" href="#rationale"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>The attack that this prevents is an interactive attack that requires an adversary to be able to break critical soundness properties of the zk-SNARKs underlying Sapling. It is potentially valid to assume that this cannot occur, due to other damaging effects on the system such as undetectable counterfeiting. However, we have attempted to avoid any instance in the protocol where privacy (even against interactive attacks) depended on strong cryptographic assumptions. Acting differently here would be confusing for users that have previously been told that "privacy does not depend on zk-SNARK soundness" or similar claims.</p>
<p>It is possible for us to infringe on the length of the <code>memo</code> field and ask the sender to provide
<span class="math">\(\mathsf{esk}\)</span>
within the existing note plaintext without modifying the transaction format, but this would harm users who have come to expect a
<span class="math">\(512\)</span>
-byte memo field to be available to them. Changes to the memo field length should be considered in a broader context than changes made for cryptographic purposes.</p>
<p>It is possible to transmit a signature of knowledge of a correct
<span class="math">\(\mathsf{esk}\)</span>
rather than
<span class="math">\(\mathsf{esk}\)</span>
itself, but this appears to be an unnecessary complication and is likely slower than just supplying
<span class="math">\(\mathsf{esk}\)</span>
.</p>
<p>The grace period is intended to mitigate loss-of-funds risk due to non-conformant sending wallet implementations. The intention is that during the grace period (of about 4 weeks), it will be possible to identify wallets that are still sending plaintexts according to the old specification, and cajole their developers to make the required updates. For the avoidance of doubt, such wallets are non-conformant because it is a "MUST" requirement to <em>immediately</em> switch to sending note plaintexts with lead byte 0x02 (and the other changes in this specification) at the upgrade. Note that nodes will clear their mempools when the upgrade activates, which will clear all plaintexts with lead byte 0x01 that were sent conformantly and not mined before the upgrade.</p>
</section>
<section id="security-and-privacy-considerations"><h2><span class="section-heading">Security and Privacy Considerations</span><span class="section-anchor"> <a rel="bookmark" href="#security-and-privacy-considerations"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>The changes made in this proposal prevent an interactive attack that could link together diversified addresses by only breaking the knowledge soundness assumption of the zk-SNARK. It is already assumed that the adversary cannot defeat the EC-DDH assumption of the Jubjub elliptic curve, for it could perform a linkability attack trivially in that case.</p>
<p>In the naive case where the protocol is modified so that
<span class="math">\(\mathsf{esk}\)</span>
is supplied directly to the recipient (rather than derived through
<span class="math">\(\mathsf{rseed}\)</span>
) this would lead to an instance of key-dependent encryption, which is difficult or perhaps impossible to prove secure using existing security notions. Our approach of using a key derivation, which ultimately queries an oracle, allows a proof for IND-CCA2 security to be written by reprogramming the oracle to return bogus keys when necessary.</p>
</section>
<section id="deployment"><h2><span class="section-heading">Deployment</span><span class="section-anchor"> <a rel="bookmark" href="#deployment"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>This proposal will be deployed with the Canopy network upgrade. <a id="id14" class="footnote_reference" href="#zip-0251">11</a></p>
</section>
<section id="reference-implementation"><h2><span class="section-heading">Reference Implementation</span><span class="section-anchor"> <a rel="bookmark" href="#reference-implementation"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>In zcashd:</p>
<ul>
<li><a href="https://github.com/zcash/zcash/pull/4578">https://github.com/zcash/zcash/pull/4578</a></li>
</ul>
<p>In librustzcash:</p>
<ul>
<li><a href="https://github.com/zcash/librustzcash/pull/258">https://github.com/zcash/librustzcash/pull/258</a></li>
</ul>
</section>
<section id="acknowledgements"><h2><span class="section-heading">Acknowledgements</span><span class="section-anchor"> <a rel="bookmark" href="#acknowledgements"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>The discovery that diversified address unlinkability depended on the zk-SNARK knowledge assumption was made by Sean Bowe and Zooko Wilcox.</p>
</section>
<section id="references"><h2><span class="section-heading">References</span><span class="section-anchor"> <a rel="bookmark" href="#references"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<table id="rfc2119" class="footnote">
<tbody>
<tr>
<th>1</th>
<td><a href="https://www.rfc-editor.org/rfc/rfc2119.html">RFC 2119: Key words for use in RFCs to Indicate Requirement Levels</a></td>
</tr>
</tbody>
</table>
<table id="protocol" class="footnote">
<tbody>
<tr>
<th>2</th>
<td><a href="https://zips.z.cash/protocol/protocol.pdf">Zcash Protocol Specification, Version 2020.1.15 or later</a></td>
</tr>
</tbody>
</table>
<table id="protocol-saplingencrypt" class="footnote">
<tbody>
<tr>
<th>3</th>
<td><a href="https://zips.z.cash/protocol/protocol.pdf#saplingencrypt">Zcash Protocol Specification, Version 2020.1.15. Section 4.17.1: Encryption (Sapling)</a></td>
</tr>
</tbody>
</table>
<table id="protocol-abstractprfs" class="footnote">
<tbody>
<tr>
<th>4</th>
<td><a href="https://zips.z.cash/protocol/protocol.pdf#abstractprfs">Zcash Protocol Specification, Version 2020.1.15. Section 4.1.2: Pseudo Random Functions</a></td>
</tr>
</tbody>
</table>
<table id="protocol-notept" class="footnote">
<tbody>
<tr>
<th>5</th>
<td><a href="https://zips.z.cash/protocol/protocol.pdf#notept">Zcash Protocol Specification, Version 2020.1.15. Section 5.5: Encodings of Note Plaintexts and Memo Fields</a></td>
</tr>
</tbody>
</table>
<table id="protocol-saplingdecryptivk" class="footnote">
<tbody>
<tr>
<th>6</th>
<td><a href="https://zips.z.cash/protocol/protocol.pdf#saplingdecryptivk">Zcash Protocol Specification, Version 2020.1.15. Section 4.17.2: Decryption using an Incoming Viewing Key (Sapling)</a></td>
</tr>
</tbody>
</table>
<table id="protocol-saplingdecryptovk" class="footnote">
<tbody>
<tr>
<th>7</th>
<td><a href="https://zips.z.cash/protocol/protocol.pdf#saplingdecryptovk">Zcash Protocol Specification, Version 2020.1.15. Section 4.17.3: Decryption using a Full Viewing Key (Sapling)</a></td>
</tr>
</tbody>
</table>
<table id="protocol-saplingsend" class="footnote">
<tbody>
<tr>
<th>8</th>
<td><a href="https://zips.z.cash/protocol/protocol.pdf#saplingsend">Zcash Protocol Specification, Version 2020.1.15. Section 4.6.2: Sending Notes (Sapling)</a></td>
</tr>
</tbody>
</table>
<table id="zip-0207" class="footnote">
<tbody>
<tr>
<th>9</th>
<td><a href="zip-0207">ZIP 207: Split Founders' Reward</a></td>
</tr>
</tbody>
</table>
<table id="zip-0213" class="footnote">
<tbody>
<tr>
<th>10</th>
<td><a href="zip-0213">ZIP 213: Shielded Coinbase</a></td>
</tr>
</tbody>
</table>
<table id="zip-0251" class="footnote">
<tbody>
<tr>
<th>11</th>
<td><a href="zip-0251">ZIP 251: Deployment of the Canopy Network Upgrade</a></td>
</tr>
</tbody>
</table>
</section>
</section>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink