|
|
@ -3843,11 +3843,11 @@ commitment at a 128-bit security level. Specifically, the internal |
|
|
|
hash of $\AuthPublic$ and $\NoteAddressRand$ is truncated to 128 bits |
|
|
|
(motivated by providing statistical hiding security). This allows an |
|
|
|
attacker, with a work factor on the order of $2^{64}$, to find distinct |
|
|
|
values of $\NoteAddressRand$ with colliding outputs of the truncated |
|
|
|
hash, and therefore the same \noteCommitment. This would have allowed |
|
|
|
such an attacker to break the Balance property by double-spending |
|
|
|
\notes, potentially creating arbitrary amounts of currency for themself |
|
|
|
\cite{HW2016}. |
|
|
|
pairs $(\AuthPublic, \NoteAddressRand)$ and $(\AuthPublic', \NoteAddressRand')$ |
|
|
|
with colliding outputs of the truncated hash, and therefore the same |
|
|
|
\noteCommitment. This would have allowed such an attacker to break the |
|
|
|
Balance property by double-spending \notes, potentially creating arbitrary |
|
|
|
amounts of currency for themself \cite{HW2016}. |
|
|
|
|
|
|
|
\Zcash uses a simpler construction with a single $\FullHashName$ evaluation |
|
|
|
for the commitment. The motivation for the nested construction in \Zerocash |
|
|
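Review bot: the rewritten clause "pairs $(\AuthPublic, \NoteAddressRand)$ and $(\AuthPublic', \NoteAddressRand')$ with colliding outputs of the truncated hash" generalizes the attack but leaves the reader to infer what "distinct" now ranges over; since that generalization is the point of the hunk, state it outright, e.g. "distinct pairs ... (differing in $\AuthPublic$, in $\NoteAddressRand$, or in both)", and note that the work factor of $2^{64}$ is the birthday bound on the 128-bit truncation and so does not depend on which component the attacker varies. Both the old and the new wording assert that the collision yields "the same \noteCommitment"; that is only true when the remaining commitment inputs (the value and any other fields hashed after the truncated internal hash) are also held equal, which the sentence should say explicitly.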
@ -4121,6 +4121,9 @@ The errors in the proof of Ledger Indistinguishability mentioned in |
|
|
|
|
|
|
|
\begin{itemize} |
|
|
|
\item Explain a variation on the Faerie Gold attack and why it is prevented. |
|
|
|
\item Generalize the description of the InternalH attack to include finding |
|
|
|
collisions on $(\AuthPublic, \NoteAddressRand)$ rather than just on |
|
|
|
$\NoteAddressRand$. |
|
|
|
\item Rename $\mathsf{enforce}_i$ to $\EnforceMerklePath{i}$. |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
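Review bot: the third changelog item records renaming $\mathsf{enforce}_i$ to $\EnforceMerklePath{i}$, but this patch carries neither a definition of the `\EnforceMerklePath` macro nor replacements of existing `\mathsf{enforce}_i` occurrences; confirm that the macro is defined in the preamble and that no `\mathsf{enforce}` uses remain in the body, otherwise the changelog describes a change the document does not contain and the build will fail on the undefined control sequence. The second item matches the rewritten InternalH paragraph earlier in this patch; the first item (the Faerie Gold variation) has no corresponding hunk in the visible range, so make sure that section edit is part of the same commit.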