|
|
@ -1950,7 +1950,7 @@ for each $i \in \setofOld$, if $\vOld{i} \neq 0$ then $\EnforceMerklePath{i} = 1 |
|
|
|
|
|
|
|
$\changed{\vpubOld\; +} \vsum{i=1}{\NOld} \vOld{i} = \vpubNew + \vsum{i=1}{\NNew} \vNew{i} \in \range{0}{2^{64}-1}$. |
|
|
|
|
|
|
|
\subparagraph{\Nullifier{} integrity} |
|
|
|
\subparagraph{\Nullifier{} integrity} \label{nullifierintegrity} |
|
|
|
|
|
|
|
for each $i \in \setofOld$: |
|
|
|
$\nfOld{i} = \PRFnf{\AuthPrivateOld{i}}(\NoteAddressRandOld{i})$. |
|
|
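Review bot: the only change in this hunk is the new `\label{nullifierintegrity}` on the "Nullifier integrity" subparagraph, added so that the security-argument text can `\crossref` it; since that cross-reference relies on nullifier integrity being enforced for every input note regardless of `$\EnforceMerklePath{i}$`, consider stating that property here, next to the normative condition "for each $i \in \setofOld$: $\nfOld{i} = \PRFnf{\AuthPrivateOld{i}}(\NoteAddressRandOld{i})$", rather than leaving it only in the later discussion. Also confirm that the `\changed{\vpubOld\; +}` markup on the balance equation in the context lines is still intended to be highlighted in this revision.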
@ -3814,6 +3814,22 @@ that the derived $\NoteAddressRand$ values are unique, at least for |
|
|
|
any two \joinSplitDescriptions that get into a valid \blockchain. |
|
|
|
This is sufficient to prevent the Faerie Gold attack. |
|
|
|
|
|
|
|
A variation on the attack attempts to cause the \nullifier of a sent |
|
|
|
\note to be repeated, without repeating $\NoteAddressRand$. |
|
|
|
However, since the \nullifier is computed as |
|
|
|
$\PRFnf{\AuthPrivate}(\NoteAddressRand)$, this is only possible if |
|
|
|
the adversary either finds a collision on $\PRFnf{}$, or knows the |
|
|
|
\spendingKey $\AuthPrivate$. The former is assumed to be infeasible |
|
|
|
(see \crossref{abstractprfs}), while the latter is not be a valid |
|
|
|
attack because knowledge of $\AuthPrivate$ is intended to authorize |
|
|
|
spending the \note. |
|
|
|
|
|
|
|
Importantly, ``\nullifier integrity'' (\crossref{nullifierintegrity}) |
|
|
|
is enforced whether or not the $\EnforceMerklePath{i}$ flag is set |
|
|
|
for an input \note. If this were not the case then an adversary could |
|
|
|
perform the attack by creating a zero-valued \note with a repeated |
|
|
|
\nullifier, since the \nullifier does not depend on the value. |
|
|
|
|
|
|
|
|
|
|
|
\nsubsection{Internal hash collision attack and fix} \label{internalh} |
|
|
|
|
|
|
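Review bot: grammar error in the new security argument: "while the latter is not be a valid attack" should read "while the latter is not a valid attack". The argument itself is sound as written: a repeated nullifier without a repeated $\NoteAddressRand$ requires either a collision on $\PRFnf{}$ (ruled out by the assumption in \crossref{abstractprfs}) or knowledge of $\AuthPrivate$, which already authorizes spending. The closing paragraph correctly ties this to the `$\EnforceMerklePath{i}$` flag: because $\PRFnf{\AuthPrivate}(\NoteAddressRand)$ does not depend on the note value, exempting zero-valued (non-enforced) inputs from nullifier integrity would reopen the attack, so the cross-reference to \crossref{nullifierintegrity} is the right anchor for that requirement.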
@ -4089,7 +4105,8 @@ Filippo Valsorda, Zaki Manian, and no doubt others. |
|
|
|
\Zcash has benefited from security audits performed by NCC Group and |
|
|
|
Coinspect. |
|
|
|
|
|
|
|
The Faerie Gold attack was found by Zooko Wilcox. |
|
|
|
The Faerie Gold attack was found by Zooko Wilcox; subsequent analysis |
|
|
|
of variations on the attack was performed by Daira Hopwood and Sean Bowe. |
|
|
|
The internal hash collision attack was found by Taylor Hornby. |
|
|
|
The error in the \Zerocash proof of Balance relating to collision-resistance |
|
|
|
of $\PRFaddr{}$ was found by Daira Hopwood. |
|
|
@ -4103,6 +4120,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in |
|
|
|
\subparagraph{2017.0-beta-2.4} |
|
|
|
|
|
|
|
\begin{itemize} |
|
|
|
\item Explain a variation on the Faerie Gold attack and why it is prevented. |
|
|
|
\item Rename $\mathsf{enforce}_i$ to $\EnforceMerklePath{i}$. |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|