Sapling spec (5.6.4) requires that pk_d is validated as prime-order, is this enforced? #3827
Labels
A-consensus
Area: Consensus rules
A-crypto
Area: Cryptography
Death By A Thousand Cuts
elliptic curves
I-SECURITY
Problems and improvements related to security.
NU1-sapling
Network upgrade: Sapling-specific tasks
protocol spec
special to Daira
Projects
The following issue came up in discussions of the Sapling security proof with @arielgabizon. In section 5.6.4 of the protocol spec, we have:
[Edit: Later the last paragraph was changed to:
]
Looking at the C++ implementation of
SaplingPaymentAddress
in zcash/Address.cpp and zcash/Address.hpp, it isn't clear that either point validity or the prime-order restriction are enforced when the address is decoded, as required.In sapling-crypto, the$\mathsf{pk_d}$ fields are declared with type
edwards::Point<E, PrimeOrder>
in Note and in PaymentAddress.However, despite the name,$\mathcal{O}_{\mathbb{J}}$ ). The stricter specification in the spec was intended.
edwards::Point<E, PrimeOrder>
means only that the point is in the prime-order subgroup, which does not mean the same thing as "prime order" (the latter excludes the zero pointIn addition, sapling-crypto:
So, I think the requirement of the spec to reject invalid addresses when they are decoded is not satisfied.
There doesn't appear to be any significant security issue here, because an adversary can't do anything by publishing an invalid address that they couldn't do by publishing an address and revealing its$\mathsf{ivk}$ . (If they construct a $\mathsf{pk'_d}$ by adding a torsion component to an honest party's $\mathsf{pk_d}$ , then they won't know the corresponding $\mathsf{ivk}$ , so I don't believe there are any attacks based on this. However, it should be noted that the Output circuit explicitly does not check the order of $\mathsf{pk_d}$ for the new note, or that it is on the curve. The Spend circuit does, so notes with an invalid $\mathsf{pk_d}$ cannot be spent.)
The text was updated successfully, but these errors were encountered: