mirror of https://github.com/zcash/orchard.git
deploy: edffeb870e
parent 0de5122f0c
commit 662a32730e
|
@ -201,6 +201,17 @@ same <span class="katex"><span class="katex-html" aria-hidden="true"><span class
|
|||
being specified to be infallible. This removes significant complexity from the use cases
|
||||
for diversified addresses.</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>The fact that Pallas is a prime-order curve simplifies the protocol and removes the need
|
||||
for cofactor multiplication in key agreement. Unlike Sapling, we define public (including
|
||||
ephemeral) and private keys used for note encryption to exclude the zero point and the
|
||||
zero scalar. Without this change, the implementation of the Orchard Action circuit would
|
||||
need special cases for the zero point, since Pallas is a short Weierstrass rather than
|
||||
an Edwards curve. This also has the advantage of ensuring that the key agreement has
|
||||
"contributory behaviour" — that is, if <em>either</em> party contributes a random scalar, then
|
||||
the shared secret will be random to an observer who does not know that scalar and cannot
|
||||
break Diffie–Hellman.</p>
|
||||
</li>
|
||||
</ul>
|
||||
<p>Other than the above, Orchard retains the same design rationale for its keys and addresses
|
||||
as Sapling. For example, diversifiers remain at 11 bytes, so that a raw Orchard address is
|
||||
|
|
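Review bot: The new list item states that public (including ephemeral) and private keys used for note encryption "exclude the zero point and the zero scalar", but it does not say where that exclusion is enforced. An implementer reading this needs to know whether the check applies when a key is generated, when a received ephemeral key is decoded, or both. Suggest adding one sentence saying so, or a pointer to the part of the protocol specification that defines these key types.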
11
print.html
|
@ -277,6 +277,17 @@ same <span class="katex"><span class="katex-html" aria-hidden="true"><span class
|
|||
being specified to be infallible. This removes significant complexity from the use cases
|
||||
for diversified addresses.</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>The fact that Pallas is a prime-order curve simplifies the protocol and removes the need
|
||||
for cofactor multiplication in key agreement. Unlike Sapling, we define public (including
|
||||
ephemeral) and private keys used for note encryption to exclude the zero point and the
|
||||
zero scalar. Without this change, the implementation of the Orchard Action circuit would
|
||||
need special cases for the zero point, since Pallas is a short Weierstrass rather than
|
||||
an Edwards curve. This also has the advantage of ensuring that the key agreement has
|
||||
"contributory behaviour" — that is, if <em>either</em> party contributes a random scalar, then
|
||||
the shared secret will be random to an observer who does not know that scalar and cannot
|
||||
break Diffie–Hellman.</p>
|
||||
</li>
|
||||
</ul>
|
||||
<p>Other than the above, Orchard retains the same design rationale for its keys and addresses
|
||||
as Sapling. For example, diversifiers remain at 11 bytes, so that a raw Orchard address is
|
||||
|
|
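Review bot: In the "contributory behaviour" sentence of this print.html copy, the property is presented as a consequence of the change ("This also has the advantage of ensuring ...") without the reason being given. It follows because Pallas has prime order and both the zero point and the zero scalar are excluded, so a non-zero scalar times a non-zero point can never be the zero point; a short clause saying that would make the paragraph self-contained. The text here is identical to the paragraph in the first file of this commit, so any wording change should be made once and kept in sync across both copies.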
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long