From f5bab61f81ca40e5ce1b3ee80f75e76c3fc297fc Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Wed, 21 Apr 2021 18:25:18 +0100 Subject: [PATCH] Update nullifier explanation to include Extract_P. Signed-off-by: Daira Hopwood --- book/src/design/nullifiers.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/book/src/design/nullifiers.md b/book/src/design/nullifiers.md index dbe76667..37d0a4d5 100644 --- a/book/src/design/nullifiers.md +++ b/book/src/design/nullifiers.md @@ -2,7 +2,7 @@ The nullifier design we use for Orchard is -$$\mathsf{nf} = [F_{\mathsf{nk}}(\rho) + \psi \pmod{p}] \mathcal{G} + \mathsf{cm},$$ +$$\mathsf{nf} = \mathsf{Extract}_{\mathbb{P}}\big([F_{\mathsf{nk}}(\rho) + \psi \pmod{p}] \mathcal{G} + \mathsf{cm}\big),$$ where: @@ -15,6 +15,7 @@ where: is derived from both $\rho$ and a sender-selected random value $\mathsf{rseed}$: $$\psi = KDF^\psi(\rho, \mathsf{rseed}).$$ - $\mathcal{G}$ is a fixed independent base. +- $\mathsf{Extract}_{\mathbb{P}}$ extracts the $x$-coordinate of a Pallas curve point. This gives a note structure of @@ -95,6 +96,11 @@ $\color{red}{\textsf{⚠ Caution}}$: be skeptical of the claims in this table ab problem(s) each security property depends on. They may not be accurate and are definitely not fully rigorous. +The entries in this table omit the application of $\mathsf{Extract}_{\mathbb{P}}$, +which is an optimization to halve the nullifier length. That optimization requires its +own security analysis, but because it is a deterministic mapping, only Faerie Resistance +could be affected by it. + $$ \begin{array}{|c|l|c|c|c|c|c|} \hline
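Review bot: In the `@@ -15,6 +15,7 @@` hunk, the new bullet defines $\mathsf{Extract}_{\mathbb{P}}$ as the $x$-coordinate of a Pallas curve point but does not say what it returns for the identity, which has no affine $x$-coordinate. The argument in the updated formula is a sum of two points ($[\ldots]\mathcal{G} + \mathsf{cm}$), so the identity is a possible input in principle. Suggest stating the value for that case in the bullet, or linking to the definition that does.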
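Review bot: In the `@@ -95,6 +96,11 @@` hunk, the added paragraph justifies "only Faerie Resistance could be affected" by saying the mapping is deterministic, but it leaves out the property that makes a separate analysis necessary: taking the $x$-coordinate is not injective, since a point and its negation share the same $x$. Suggest stating that explicitly, and pointing to where the separate security analysis is or will be recorded, so the caveat is not left open-ended.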