
Proposed fix for the Faerie Gold attack --- WIP.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
98.fix-faerie-gold.0
Daira Hopwood 8 years ago
parent
commit
f32356a470
  1. BIN
      protocol/protocol.pdf
  2. 56
      protocol/protocol.tex

BIN
protocol/protocol.pdf

Binary file not shown.

56
protocol/protocol.tex

@ -95,8 +95,10 @@
\newcommand{\CoinAddressRand}{\mathsf{\uprho}}
\newcommand{\CoinAddressRandOld}[1]{\mathsf{\uprho^{old}_\mathnormal{#1}}}
\newcommand{\CoinAddressRandNew}[1]{\mathsf{\uprho^{new}_\mathnormal{#1}}}
\newcommand{\CoinAddressPreRand}{\mathsf{\upvarphi}}
\newcommand{\CoinCommitS}{\mathsf{s}}
\newcommand{\TransmitPlaintextVersionByte}{\mathbf{0x00}}
\newcommand{\hSigInputVersionByte}{\mathbf{0x00}}
\newcommand{\Memo}{\mathsf{memo}}
\newcommand{\CryptoBox}{\mathsf{crypto\_box}}
\newcommand{\CryptoBoxOpen}{\mathsf{crypto\_box\_open}}
@ -109,12 +111,13 @@
\newcommand{\TransmitDecrypt}[1]{\mathsf{Decrypt}_{#1}}
\newcommand{\CRH}{\mathsf{CRH}}
\newcommand{\CRHbox}[1]{\CRH\left(\;\raisebox{-1.3ex}{\usebox{#1}}\;\right)}
\newcommand{\CryptoBoxSealHash}{\mathtt{SHA256}}
\newcommand{\CryptoBoxSealHashbox}[1]{\CryptoBoxSealHash\left(\;\raisebox{-1.3ex}{\usebox{#1}}\;\right)}
\newcommand{\FullHash}{\mathtt{SHA256}}
\newcommand{\FullHashbox}[1]{\FullHash\left(\;\raisebox{-1.3ex}{\usebox{#1}}\;\right)}
\newcommand{\PRF}[2]{\mathsf{{PRF}^{#2}_\mathnormal{#1}}}
\newcommand{\PRFaddr}[1]{\PRF{#1}{addr}}
\newcommand{\PRFsn}[1]{\PRF{#1}{sn}}
\newcommand{\PRFpk}[1]{\PRF{#1}{pk}}
\newcommand{\PRFrho}[1]{\PRF{#1}{\CoinAddressRand}}
\newcommand{\SHA}{\mathtt{SHA256Compress}}
\newcommand{\SHAName}{\term{SHA-256 compression}}
\newcommand{\SHAOrig}{\term{SHA-256}}
@ -264,6 +267,17 @@ independent.
\end{bytefield}
\end{lrbox}
\newsavebox{\rhobox}
\begin{lrbox}{\rhobox}
\begin{bytefield}[bitwidth=0.065em]{512}
\bitbox{242}{256 bit $\CoinAddressPreRand$} &
\bitbox{14}{1} &
\bitbox{14}{0} &
\bitbox{14}{$i$} &
\bitbox{228}{$\Trailing{253}(\hSig)$}
\end{bytefield}
\end{lrbox}
\nathan{Note: If we change input arity (i.e. $\NOld$), we need to be aware of how it
is associated with this bit-packing.}
@ -271,7 +285,8 @@ is associated with this bit-packing.}
\begin{aligned}
\SpendAuthorityPublic &:= \PRFaddr{\SpendAuthorityPrivate}(0) &= \CRHbox{\addrbox} \\
\sn &:= \PRFsn{\SpendAuthorityPrivate}(\CoinAddressRand) &= \CRHbox{\snbox} \\
\h{i} &:= \PRFpk{\SpendAuthorityPrivate}(i, \hSig) &= \CRHbox{\pkbox}
\h{i} &:= \PRFpk{\SpendAuthorityPrivate}(i, \hSig) &= \CRHbox{\pkbox} \\
\CoinAddressRandNew{i} &:= \PRFrho{\CoinAddressPreRand}(i, \hSig) &= \CRHbox{\rhobox}
\end{aligned}
\end{equation*}
@ -349,7 +364,7 @@ Define:
\begin{itemize}
\item[] $\Nonce(i, \EphemeralPublic, \TransmitPublicNew{i}) =
\CryptoBoxSealHashbox{\noncebox}$.
\FullHashbox{\noncebox}$.
\end{itemize}
Then to encrypt:
@ -381,7 +396,7 @@ will be ignored.
This is a variation on the $\CryptoBoxSeal$ algorithm defined in libsodium
\cite{cryptoboxseal}, but with a single ephemeral key used for all encryptions in a
given \PourDescription, and with the nonce for each ciphertext component depending
on the index $i$. Also, $\CryptoBoxSealHash$ (the full hash, not the compression
on the index $i$. Also, $\FullHash$ (the full hash, not the compression
function) is used instead of $\mathsf{blake2b}$.
\subsubsection{Coin Commitments}
@ -536,9 +551,7 @@ some block height in the past, or the merkle root produced by a previous pour in
this transaction. \sean{We need to be more specific here.}
\item $\scriptSig$ which is a \script that creates conditions for acceptance of a
\PourDescription in a transaction. The $\SHA$ hash of this value is $\hSig$.
\daira{Why $\SHA$ and not $\SHAOrig$? The script is variable-length.}
\PourDescription in a transaction.
\item $\scriptPubKey$ which is a \script used to satisfy the conditions of the
$\scriptSig$.
@ -561,6 +574,25 @@ $\PourDescription$.
\end{list}
\subparagraph{Computation of $\hSig$}
\newsavebox{\hsigbox}
\begin{lrbox}{\hsigbox}
\begin{bytefield}[bitwidth=0.045em]{808}
\bitbox{80}{$\hSigInputVersionByte$} &
\bitbox{256}{256 bit $\snOld{0}$} &
\bitbox{24}{...} &
\bitbox{256}{256 bit $\snOld{\NOld-1}$} &
\bitbox{256}{$\scriptPubKey$}
\end{bytefield}
\end{lrbox}
Given a \PourDescription, we define:
\begin{itemize}
\item[] $\hSig := \FullHashbox{\hsigbox}$
\end{itemize}
\subparagraph{Merkle root validity}
A $\PourDescription$ is valid if $\rt$ is a Coin commitment tree root found in
@ -597,8 +629,8 @@ In \Zcash, $\NOld$ and $\NNew$ are both $2$.
A valid instance of $\PourProof$ assures that given a \term{primary input}
$(\rt, \snOld{1..\NOld}, \cmNew{1..\NNew}, \vpubOld, \vpubNew, \hSig, \h{1..\NOld})$,
a witness of \term{auxiliary input}
$(\treepath{1..\NOld}, \cOld{1..\NOld}, \SpendAuthorityPrivateOld{1..\NOld}, \cNew{1..\NNew})$
exists, where:
$(\treepath{1..\NOld}, \cOld{1..\NOld}, \SpendAuthorityPrivateOld{1..\NOld},
\cNew{1..\NNew}, \CoinAddressPreRand)$ exists, where:
\begin{list}{}{}
@ -636,6 +668,10 @@ $\SpendAuthorityPublicOld{i} = \PRFaddr{\SpendAuthorityPrivateOld{i}}(0)$.
for each $i \in \{1..\NOld\}$: $\h{i}$ = $\PRFpk{\SpendAuthorityPrivateOld{i}}(i, \hSig)$
\subparagraph{Uniqueness of $\CoinAddressRandNew{i}$}
for each $i \in \{1..\NNew\}$: $\CoinAddressRandNew{i}$ = $\PRFrho{\CoinAddressPreRand}(i, \hSig)$
\subparagraph{Commitment integrity}
for each $i \in \{1..\NNew\}$: $\cmNew{i}$ = $\CoinCommitment{\cNew{i}}$
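Review bot: In the new `\hsigbox` bytefield (hunk `@ -561,6 +574,25`), the `\bitbox` widths sum to 80+256+24+256+256 = 872 but the field is declared as `\begin{bytefield}[bitwidth=0.045em]{808}`, so the last cell overruns the declared width; either declare `{872}` or shrink a cell so the layout matches the other boxes (the `\rhobox` in the same commit sums exactly to its declared 512). That bytefield also labels `\scriptPubKey` as a bare cell while its siblings are explicitly `256 bit`, and the commit removes the old sentence tying `\hSig` to the script hash without stating how a variable-length script is serialised into the hash input; since the new "Uniqueness of $\CoinAddressRandNew{i}$" condition derives uniqueness from `\hSig`, the definition should say whether the script is hashed first or encoded with a length prefix. Minor: `\bitbox{24}{...}` would read better as `\bitbox{24}{\dots}`.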
