This commit is contained in:
str4d 2021-04-21 19:24:51 +00:00
parent 0de5122f0c
commit 662a32730e
4 changed files with 24 additions and 2 deletions

View File

@ -201,6 +201,17 @@ same <span class="katex"><span class="katex-html" aria-hidden="true"><span class
being specified to be infallible. This removes significant complexity from the use cases
for diversified addresses.</p>
</li>
<li>
<p>The fact that Pallas is a prime-order curve simplifies the protocol and removes the need
for cofactor multiplication in key agreement. Unlike Sapling, we define public (including
ephemeral) and private keys used for note encryption to exclude the zero point and the
zero scalar. Without this change, the implementation of the Orchard Action circuit would
need special cases for the zero point, since Pallas is a short Weierstrass rather than
an Edwards curve. This also has the advantage of ensuring that the key agreement has
&quot;contributory behaviour&quot; — that is, if <em>either</em> party contributes a random scalar, then
the shared secret will be random to an observer who does not know that scalar and cannot
break DiffieHellman.</p>
</li>
</ul>
<p>Other than the above, Orchard retains the same design rationale for its keys and addresses
as Sapling. For example, diversifiers remain at 11 bytes, so that a raw Orchard address is
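Review bot: "DiffieHellman" in the last added sentence ("cannot break DiffieHellman") has lost its separator and should read "Diffie-Hellman" (or with an en dash, if that is what the source uses). The dash was probably dropped when the HTML was rendered, so check the source markup rather than patching the generated file. In the same paragraph, "since Pallas is a short Weierstrass rather than an Edwards curve" reads better as "a short Weierstrass curve rather than an Edwards curve".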

View File

@ -277,6 +277,17 @@ same <span class="katex"><span class="katex-html" aria-hidden="true"><span class
being specified to be infallible. This removes significant complexity from the use cases
for diversified addresses.</p>
</li>
<li>
<p>The fact that Pallas is a prime-order curve simplifies the protocol and removes the need
for cofactor multiplication in key agreement. Unlike Sapling, we define public (including
ephemeral) and private keys used for note encryption to exclude the zero point and the
zero scalar. Without this change, the implementation of the Orchard Action circuit would
need special cases for the zero point, since Pallas is a short Weierstrass rather than
an Edwards curve. This also has the advantage of ensuring that the key agreement has
&quot;contributory behaviour&quot; — that is, if <em>either</em> party contributes a random scalar, then
the shared secret will be random to an observer who does not know that scalar and cannot
break DiffieHellman.</p>
</li>
</ul>
<p>Other than the above, Orchard retains the same design rationale for its keys and addresses
as Sapling. For example, diversifiers remain at 11 bytes, so that a raw Orchard address is
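Review bot: The sentence "we define public (including ephemeral) and private keys used for note encryption to exclude the zero point and the zero scalar" states the rule as rationale only, with no pointer to where it is normatively specified or where an encoded zero key is rejected. Since the contributory-behaviour claim that follows depends on that exclusion, a cross-reference to the section that defines these key types would let a reader confirm it is enforced. This paragraph is identical to the one added in the previous file, so the "DiffieHellman" spelling needs the same correction here.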

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long