mirror of https://github.com/zcash/orchard.git
book: Update definitions on nullifier page
This commit is contained in:
parent
a4fb24b724
commit
750bdfb700
|
@ -7,23 +7,19 @@ $$\mathsf{nf} = [Hash_{\mathsf{nk}}(\rho) + \psi \pmod{p}] \mathcal{G} + \mathsf
|
||||||
where:
|
where:
|
||||||
- $Hash$ is a keyed circuit-efficient hash (such as Rescue).
|
- $Hash$ is a keyed circuit-efficient hash (such as Rescue).
|
||||||
- $\rho$ is unique to this output. As with $\mathsf{h_{Sig}}$ in Sprout, $\rho$ includes
|
- $\rho$ is unique to this output. As with $\mathsf{h_{Sig}}$ in Sprout, $\rho$ includes
|
||||||
the nullifiers of any Orchard notes being spent.
|
the nullifiers of any Orchard notes being spent in the same action. Given that an action
|
||||||
- If spends and outputs are merged / combined, then we always have a nullifier
|
consists of a single spend and a single output, we set $\rho$ to be the nullifier of the
|
||||||
(internally derived from a real or dummy note), and can rely on the nullifier
|
spent note.
|
||||||
derivation process to prevent an adversary from choosing dummy nullifiers arbitrarily.
|
|
||||||
- If spends and outputs are *not* merged, then $\rho$ should probably also include
|
|
||||||
unique information from other parts of the transaction as well.
|
|
||||||
- TODO: Decide which of the above two cases will be used, and update this.
|
|
||||||
- $\psi$ is sender-controlled randomness. It is not required to be unique, and in practice
|
- $\psi$ is sender-controlled randomness. It is not required to be unique, and in practice
|
||||||
is derived from a sender-selected random value $\mathsf{rseed}$.
|
is derived from both $\rho$ and a sender-selected random value $\mathsf{rseed}$:
|
||||||
- $\mathcal{G}$ is an fixed independent base.
|
$\psi = KDF^\psi(\rho, \mathsf{rseed})$.
|
||||||
|
- $\mathcal{G}$ is a fixed independent base.
|
||||||
|
|
||||||
This gives a note structure of
|
This gives a note structure of
|
||||||
|
|
||||||
$$(addr, v, \rho, \psi, \mathsf{rcm}).$$
|
$$(addr, v, \rho, \psi, \mathsf{rcm}).$$
|
||||||
|
|
||||||
The nullifier commits to the note value via $\mathsf{cm}$ in order to domain-separate
|
The note plaintext includes $\mathsf{rseed}$ in place of $\psi$ and $\mathsf{rcm}$.
|
||||||
nullifiers for zero-valued notes from other notes.
|
|
||||||
|
|
||||||
## Security properties
|
## Security properties
|
||||||
|
|
||||||
|
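Review bot: The new sentence "The note plaintext includes $\mathsf{rseed}$ in place of $\psi$ and $\mathsf{rcm}$" implies that $\mathsf{rcm}$ is also derived from $\mathsf{rseed}$, but the hunk only gives the derivation $\psi = KDF^\psi(\rho, \mathsf{rseed})$ and nowhere introduces $KDF^\psi$ itself; please add the matching $\mathsf{rcm}$ derivation next to the $\psi$ one and either define $KDF^\psi$ here or point to where it is defined, since the "Security properties" section below lists the assumptions the nullifier relies on and a KDF now sits in the derivation path. Separately, dropping "The nullifier commits to the note value via $\mathsf{cm}$ in order to domain-separate nullifiers for zero-valued notes from other notes" leaves the trailing additive term in the $\mathsf{nf}$ formula in the hunk header without any stated purpose; if that rationale is no longer accurate, the replacement reason belongs in the same place rather than being removed outright.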
@ -76,9 +72,9 @@ We omit $RO_{GH}$ as a security assumption because we only rely on the random or
|
||||||
applied to fixed inputs defined by the protocol, i.e. to generate the fixed base
|
applied to fixed inputs defined by the protocol, i.e. to generate the fixed base
|
||||||
$\mathcal{G}$, not to attacker-specified inputs.
|
$\mathcal{G}$, not to attacker-specified inputs.
|
||||||
|
|
||||||
> $\dagger$ We additionally assume that for any input $x$, $\{Hash_{\mathsf{nk}}(x) :
|
> $\dagger$ We additionally assume that for any input $x$,
|
||||||
> \mathsf{nk} \in E\}$ gives a scalar in an adequate range for $DDH_E$. (Otherwise, $Hash$
|
> $\{Hash_{\mathsf{nk}}(x) : \mathsf{nk} \in E\}$ gives a scalar in an adequate range for
|
||||||
> could be trivial, e.g. independent of $\mathsf{nk}$.)
|
> $DDH_E$. (Otherwise, $Hash$ could be trivial, e.g. independent of $\mathsf{nk}$.)
|
||||||
>
|
>
|
||||||
> $\ddagger$ Statistical distance $< 2^{-167.8}$ from perfect.
|
> $\ddagger$ Statistical distance $< 2^{-167.8}$ from perfect.
|
||||||
|
|
||||||
|
|
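Review bot: This is a pure re-wrap of the $\dagger$ footnote with no wording change, which is fine (and the new line breaks keep each blockquote line's inline math balanced). While this footnote is being touched, "a scalar in an adequate range for $DDH_E$" is left unquantified, whereas the $\ddagger$ footnote directly below gives a concrete bound ($< 2^{-167.8}$); consider stating what range is required so the assumption can be checked against the hash actually chosen.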