-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(Not exploitable) flaw in the proof of Balance when PRF^addr is not collision-resistant #836
Comments
Now that is a good catch. Please keep a note of this and all other typos/errors you've found in those proofs. I doubt anyone has cycles now, but we'll update them in the next 2-3 weeks.
|
@matthewdgreen I added a label for that: Zerocash paper. (Note that some of those issues are closed because they have been addressed in our spec.) |
For the fix to our spec, see zcash/zips@75b8750 |
Fix is just to require it's collision resistant too ? On Wed, Apr 6, 2016, 9:51 AM Daira Hopwood notifications@github.com wrote:
|
@imichaelmiers wrote:
Yes. |
Wow, awesome attack! |
Provably-not-exploitable security bugs are my favourite kind :-p |
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
@ebfull Why is this on the agenda today? |
The spec is updated and we've blogged about this, sufficient to close. |
The abstract Zerocash protocol requires PRFaddr only to be a PRF; it is not specified to be collision-resistant. This reveals a flaw in the proof of the Balance property. The flaw is not exploitable for the actual instantiation of PRFaddr in either Zerocash, or Zcash Protocol 2016.0/1 (to be Zcash 1.0), which is collision-resistant assuming that SHA256Compress is.
Suppose that an adversary finds a collision on PRFaddr such that ask1 and ask2 are distinct spending keys for the same apk. Because the note commitment is to apk, but the nullifier is computed from ask (and ρ), the adversary is able to double-spend the note, once with each ask. This is not detected because each spend reveals a different nullifier. The JoinSplit statements are still valid because they can only check that the ask in the witness is some preimage of the apk used in the note commitment.
The error is in the proof of Balance in section D.3. For the "A violates Condition I" case, the proof says:
But the openings don't actually contain aoldsk at all; they contain aoldpk.
The same argument is also relied on in the "A violates Condition II" case.
The proof is easily repairable — just rely on collision resistance of PRFaddr (on both its arguments) to argue that distinct aoldsk,1 and aoldsk,2, together with constraint 1(b) [address matching] of the JoinSplit statement, implies distinct aoldpk,1 and aoldpk,2, therefore distinct openings of COMM.
Thanks to @elibensasson for drawing my attention to the fact that it might not be sufficient for the PRFs to just be PRFs. (Finding this was also helped by drawing a dataflow diagram for the protocol; that's only in rough dead-tree form at the moment, but I'll try to post a version of it soon.)
The text was updated successfully, but these errors were encountered: