Is authenticated encryption for coins useful? about zips HOT 4 CLOSED

My thinking was that it would be harder to analyse and to update the security proof if we didn't use an authenticated encryption scheme. We should revisit this because it would be a significant simplification not to have to implement or rely on Poly1305 in the circuit. (Also a slight performance improvement, but not much because Poly1305 turns out to be very circuit-efficient.)

Edit: the performance saving would be to not have to derive the Poly1305 keys using ChaCha20. But it turns out that this only saves one ChaCha20 block (assuming other known optimizations described on zcash/zcash#406).

from zips.

Oh, I remember the main reason I did this: the security argument for confidentiality of the encryption should be independent of the SNARK. We want everything to stay confidential even if the SNARK (and therefore the enforcement of linking between a^old_sk,i and the signature) were completely broken. Confidentiality against chosen ciphertext attacks requires authenticated encryption.

from zips.

But yes, we should document a bunch of additional requirements and security caveats about sending coins out-of-band. (I'd almost like to say that it is not supported, but we can't enforce that it doesn't happen, so let's document it.)

from zips.

We want everything to stay confidential even if the SNARK (and therefore the enforcement of linking between aoldsk,i and the signature) were completely broken.

Ah, that's a very good reason!

from zips.