[zksecurity #02] ElGamal Registry Doesn't Authenticate Owner

[samkim-crypto]

Description

An ElGamal registry program is implemented in order to facilitate the creation of confidential token accounts for other peers. As the creation of token accounts require pubkey validity proofs and each new (confidential) mint requires a new (confidential) token account, the registry can be used to publish these to everyone.

The registry also lets you post an associated owner, which is the public key of a Solana system account, also required to admistrate a (confidential) token account.

The issue is that there is no authentication mechanism that enforces that the link between the (validated) ElGamal public key and the owner is legitimate.

Recommendation

Adding the (initial) owner of the to-be-created token account to the transcript would naturally authenticate the intent of the proof, narrowing the portability of this proof.

[samkim-crypto]

This would be a useful change to add to prevent misuse and for general defensive programming. However, to address the issue, we would need to alter the behavior of public key validity proof in the ZK ElGamal proof program.

So far, the audits did not find a crucial vulnerability that would force us to make breaking changes to the current ZK ElGamal proof program included in the agave v3.1 release.

If such vulnerability is found in subsequent audits, then we will address this issue as part of agave v3.2. Otherwise, it makes sense for us to keep the current behavior and potentially implement this after a dedicated SIMD on the ZK ElGamal proof program.