
Explain a variation on the Faerie Gold attack and why it is prevented.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
zips115.update-testnet-fr-addresses.1
Daira Hopwood 7 years ago
parent
commit
95fa51d785
  1. 22
      protocol/protocol.tex

@ -1950,7 +1950,7 @@ for each $i \in \setofOld$, if $\vOld{i} \neq 0$ then $\EnforceMerklePath{i} = 1
$\changed{\vpubOld\; +} \vsum{i=1}{\NOld} \vOld{i} = \vpubNew + \vsum{i=1}{\NNew} \vNew{i} \in \range{0}{2^{64}-1}$.
\subparagraph{\Nullifier{} integrity}
\subparagraph{\Nullifier{} integrity} \label{nullifierintegrity}
for each $i \in \setofOld$:
$\nfOld{i} = \PRFnf{\AuthPrivateOld{i}}(\NoteAddressRandOld{i})$.
@ -3814,6 +3814,22 @@ that the derived $\NoteAddressRand$ values are unique, at least for
any two \joinSplitDescriptions that get into a valid \blockchain.
This is sufficient to prevent the Faerie Gold attack.
A variation on the attack attempts to cause the \nullifier of a sent
\note to be repeated, without repeating $\NoteAddressRand$.
However, since the \nullifier is computed as
$\PRFnf{\AuthPrivate}(\NoteAddressRand)$, this is only possible if
the adversary either finds a collision on $\PRFnf{}$, or knows the
\spendingKey $\AuthPrivate$. The former is assumed to be infeasible
(see \crossref{abstractprfs}), while the latter is not be a valid
attack because knowledge of $\AuthPrivate$ is intended to authorize
spending the \note.
Importantly, ``\nullifier integrity'' (\crossref{nullifierintegrity})
is enforced whether or not the $\EnforceMerklePath{i}$ flag is set
for an input \note. If this were not the case then an adversary could
perform the attack by creating a zero-valued \note with a repeated
\nullifier, since the \nullifier does not depend on the value.
\nsubsection{Internal hash collision attack and fix} \label{internalh}
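Review bot: the added sentence "while the latter is not be a valid attack because knowledge of $\AuthPrivate$ is intended to authorize spending the \note" has a stray "be"; suggest "while the latter is not a valid attack". On the substance of the same paragraph: the collision the adversary would need is on $\PRFnf{}$ across different keys, since the adversary chooses its own $\AuthPrivate$ but must match the \nullifier of someone else's \note, so it would help to say "a collision on $\PRFnf{}$ across distinct $\AuthPrivate$ values" and to confirm that the assumption cited in \crossref{abstractprfs} covers collision-resistance over the (key, input) pair rather than only over the input for a fixed key. The closing paragraph on $\EnforceMerklePath{i}$ reads correctly and is the key point: a zero-valued input \note with a repeated \nullifier would otherwise bypass the check, and the new \crossref{nullifierintegrity} resolves to the label introduced in the first hunk.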
@ -4089,7 +4105,8 @@ Filippo Valsorda, Zaki Manian, and no doubt others.
\Zcash has benefited from security audits performed by NCC Group and
Coinspect.
The Faerie Gold attack was found by Zooko Wilcox.
The Faerie Gold attack was found by Zooko Wilcox; subsequent analysis
of variations on the attack was performed by Daira Hopwood and Sean Bowe.
The internal hash collision attack was found by Taylor Hornby.
The error in the \Zerocash proof of Balance relating to collision-resistance
of $\PRFaddr{}$ was found by Daira Hopwood.
@ -4103,6 +4120,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in
\subparagraph{2017.0-beta-2.4}
\begin{itemize}
\item Explain a variation on the Faerie Gold attack and why it is prevented.
\item Rename $\mathsf{enforce}_i$ to $\EnforceMerklePath{i}$.
\end{itemize}
