zec
/
orchard
mirror of https://github.com/zcash/orchard.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Cosmetics and Markdown formatting. 

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2021-01-21 00:07:38 +00:00
parent 265ff91cc6
commit d6fd00b5b3
2 changed files with 48 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
book/src/design/commitments.md
View File

@ -1,28 +1,28 @@
# Commitments
As in Sapling, we require two kinds of commitment schemes in Pollard:
- $HomomorphicCommit$ is a linearly homomorphic commitment scheme with perfect hiding, and
As in Sapling, we require two kinds of commitment schemes in Orchard:
- $\mathit{HomomorphicCommit}$ is a linearly homomorphic commitment scheme with perfect hiding,
and strong binding reducible to DL.
- $\mathit{Commit}$ and $\mathit{ShortCommit}$ are commitment schemes with perfect hiding, and
strong binding reducible to DL.
- $Commit$ and $ShortCommit$ are commitment schemes with perfect hiding, and strong
binding reducible to DL.
By "strong binding" we mean that the scheme is collision resistant on the input and
randomness.
We instantiate $HomomorphicCommit$ with a Pedersen commitment, and use it for value
commitments:
We instantiate $\mathit{HomomorphicCommit}$ with a Pedersen commitment, and use it for
value commitments:
$$\mathsf{cv} = HomomorphicCommit^{\mathsf{cv}}_{\mathsf{rcv}}(v)$$
$$\mathsf{cv} = \mathit{HomomorphicCommit}^{\mathsf{cv}}_{\mathsf{rcv}}(v)$$
We instantiate $Commit$ and $ShortCommit$ with Sinsemilla, and use them for all other
commitments:
We instantiate $\mathit{Commit}$ and $\mathit{ShortCommit}$ with Sinsemilla, and use them
for all other commitments:
$$\mathsf{ivk} = \mathit{ShortCommit}^{\mathsf{ivk}}_{\mathsf{rivk}}(\mathsf{ak}, \mathsf{nk})$$
$$\mathsf{cm} = Commit^{\mathsf{cm}}_{\mathsf{rcm}}(\text{rest of note})$$
$$\mathsf{cm} = \mathit{Commit}^{\mathsf{cm}}_{\mathsf{rcm}}(\text{rest of note})$$
This is the same split (and rationale) as in Sapling, but using the more PLONK-efficient
Sinsemilla instead of Bowe-Hopwood Pedersen hashes.
Sinsemilla instead of Bowe--Hopwood Pedersen hashes.
Note that we also deviate from Sapling by using $ShortCommit$ to deriving $\mathsf{ivk}$
Note that we also deviate from Sapling by using $\mathit{ShortCommit}$ to deriving $\mathsf{ivk}$
instead of a full PRF. This removes an unnecessary (large) PRF primitive from the circuit,
at the cost of requiring $\mathsf{rivk}$ to be part of the full viewing key.

58
book/src/design/nullifiers.md
View File

@ -5,6 +5,7 @@ The nullifier design we use for Orchard is
$$\mathsf{nf} = [F_{\mathsf{nk}}(\rho) + \psi \pmod{p}] \mathcal{G} + \mathsf{cm},$$
where:
- $F$ is a keyed circuit-efficient PRF (such as Rescue or Poseidon).
- $\rho$ is unique to this output. As with $\mathsf{h_{Sig}}$ in Sprout, $\rho$ includes
the nullifiers of any Orchard notes being spent in the same action. Given that an action
@ -29,22 +30,26 @@ We care about several security properties for our nullifiers:
- **Balance:** can I forge money?
- **Note Privacy:** can I gain information about notes only from the public block chain?
- This describes notes sent in-band.
- **Note Privacy (OOB):** can I gain information about notes sent out-of-band, only from
the public block chain?
- In this case, we assume privacy of the channel over which the note is sent, and that
the adversary does not have access to any notes sent to the same address which are
then spent (so that the nullifier is on the block chain somewhere).
- **Spend Unlinkability:** given the incoming viewing key for an address, and not the full
viewing key, can I (possibly the sender) detect spends of any notes sent to that address?
- We're giving $ivk$ to the attacker and allowing it to be the sender in order to make
this property as strong as possible: they will have *all* the notes sent to that
- We're giving $\mathsf{ivk}$ to the attacker and allowing it to be the sender in order
to make this property as strong as possible: they will have *all* the notes sent to that
address.
- **Faerie Resistance:** can I perform a Faerie Gold attack (i.e. cause notes to be
accepted that are unspendable)?
- We're giving the full viewing key to the attacker and allowing it to be the sender in
order to make this property as strong as possible: they will have *all* the notes sent
to that address, and be able to derive *every* nullifier.
@ -60,15 +65,17 @@ For our chosen design, our desired security properties rely on the following ass
$$
\begin{array}{|l|l|}
\hline
\text{Balance} & DL_E \\
\text{Note Privacy} & HashDH^{KDF}_E \\
\text{Note Privacy} & \mathit{HashDH}^{KDF}_E \\
\text{Note Privacy (OOB)} & \text{Near perfect} \ddagger \\
\text{Spend Unlinkability} & DDH_E^\dagger \vee PRF_F \\
\text{Faerie Resistance} & DL_E \\
\hline
\end{array}
$$
$HashDH^{KDF}_E$ is computational Diffie-Hellman using $KDF$ for the key derivation, with
$\mathit{HashDH}^{KDF}_E$ is computational Diffie-Hellman using $KDF$ for the key derivation, with
one-time ephemeral keys. This assumption is heuristically weaker than $DDH_E$ but stronger
than $DL_E$.
@ -92,31 +99,33 @@ $$
\begin{array}{|c|l|c|c|c|c|c|}
\hline
\mathsf{nf} & Note & \text{Balance} & \text{Note Privacy} & \text{Note Privacy (OOB)} & \text{Spend Unlinkability} & \text{Faerie Resistance} & \text{Reason not to use} \\\hline
[\mathsf{nk}] [\theta] H & (addr, v, H, \theta, \mathsf{rcm}) & DL_E & HashDH^{KDF}_E & \text{Perfect} & DDH_E & RO_{GH} \wedge DL_E & \text{No SU for DL-breaking} \\\hline
[\mathsf{nk}] H + [\mathsf{rnf}] \mathcal{I} & (addr, v, H, \mathsf{rnf}, \mathsf{rcm}) & DL_E & HashDH^{KDF}_E & \text{Perfect} & DDH_E & RO_{GH} \wedge DL_E & \text{No SU for DL-breaking} \\\hline
Hash([\mathsf{nk}] [\theta] H) & (addr, v, H, \theta, \mathsf{rcm}) & DL_E & HashDH^{KDF}_E & \text{Perfect} & DDH_E \vee Pre_{Hash} & Coll_{Hash} \wedge RO_{GH} \wedge DL_E & Coll_{Hash} \text{ for FR} \\\hline
Hash([\mathsf{nk}] H + [\mathsf{rnf}] \mathcal{I}) & (addr, v, H, \mathsf{rnf}, \mathsf{rcm}) & DL_E & HashDH^{KDF}_E & \text{Perfect} & DDH_E \vee Pre_{Hash} & Coll_{Hash} \wedge RO_{GH} \wedge DL_E & Coll_{Hash} \text{ for FR} \\\hline
[F_{\mathsf{nk}}(\psi)] [\theta] H & (addr, v, H, \theta, \psi, \mathsf{rcm}) & DL_E & HashDH^{KDF}_E & \text{Perfect} & DDH_E^\dagger \vee PRF_F & RO_{GH} \wedge DL_E & \text{Performance (2 variable-base)} \\\hline
[F_{\mathsf{nk}}(\psi)] H + [\mathsf{rnf}] \mathcal{I} & (addr, v, H, \mathsf{rnf}, \psi, \mathsf{rcm}) & DL_E & HashDH^{KDF}_E & \text{Perfect} & DDH_E^\dagger \vee PRF_F & RO_{GH} \wedge DL_E & \text{Performance (1 variable- + 1 fixed-base)} \\\hline
[F_{\mathsf{nk}}(\psi)] \mathcal{G} + [\theta] H & (addr, v, H, \theta, \psi, \mathsf{rcm}) & DL_E & HashDH^{KDF}_E & \text{Perfect} & DDH_E^\dagger \vee PRF_F & RO_{GH} \wedge DL_E & \text{Performance (1 variable- + 1 fixed-base)} \\\hline
[F_{\mathsf{nk}}(\psi)] H + \mathsf{cm} & (addr, v, H, \psi, \mathsf{rcm}) & DL_E & HashDH^{KDF}_E & DDH_E^\dagger & DDH_E^\dagger \vee PRF_F & RO_{GH} \wedge DL_E & \text{NP(OOB) not perfect} \\\hline
[F_{\mathsf{nk}}(\rho, \psi)] \mathcal{G} + \mathsf{cm} & (addr, v, \rho, \psi, \mathsf{rcm}) & DL_E & HashDH^{KDF}_E & DDH_E^\dagger & DDH_E^\dagger \vee PRF_F & DL_E & \text{NP(OOB) not perfect} \\\hline
[F_{\mathsf{nk}}(\rho)] \mathcal{G} + \mathsf{cm} & (addr, v, \rho, \mathsf{rcm}) & DL_E & HashDH^{KDF}_E & DDH_E^\dagger & DDH_E^\dagger \vee PRF_F & DL_E & \text{NP(OOB) not perfect} \\\hline
[F_{\mathsf{nk}}(\rho, \psi)] \mathcal{G_v} + [\mathsf{rnf}] \mathcal{I} & (addr, v, \rho, \mathsf{rnf}, \psi, \mathsf{rcm}) & DL_E & HashDH^{KDF}_E & \text{Perfect} & DDH_E^\dagger \vee PRF_F & Coll_F \wedge DL_E & Coll_F \text{ for FR} \\\hline
[F_{\mathsf{nk}}(\rho)] \mathcal{G_v} + [\mathsf{rnf}] \mathcal{I} & (addr, v, \rho, \mathsf{rnf}, \mathsf{rcm}) & DL_E & HashDH^{KDF}_E & \text{Perfect} & DDH_E^\dagger \vee PRF_F & Coll_F \wedge DL_E & Coll_F \text{ for FR} \\\hline
[F_{\mathsf{nk}}(\rho) + \psi \pmod{p}] \mathcal{G_v} & (addr, v, \rho, \psi, \mathsf{rcm}) & DL_E & HashDH^{KDF}_E & \text{Near perfect} \ddagger & DDH_E^\dagger \vee PRF_F & \color{red}{\text{broken}} & \text{broken for FR} \\\hline
[F_{\mathsf{nk}}(\rho, \psi)] \mathcal{G} + Commit^{\mathsf{nf}}_{\mathsf{rnf}}(v, \rho) & (addr, v, \rho, \mathsf{rnf}, \psi, \mathsf{rcm}) & DL_E & HashDH^{KDF}_E & \text{Perfect} & DDH_E^\dagger \vee PRF_F & DL_E & \text{Performance (2 fixed-base)} \\\hline
[F_{\mathsf{nk}}(\rho)] \mathcal{G} + Commit^{\mathsf{nf}}_{\mathsf{rnf}}(v, \rho) & (addr, v, \rho, \mathsf{rnf}, \mathsf{rcm}) & DL_E & HashDH^{KDF}_E & \text{Perfect} & DDH_E^\dagger \vee PRF_F & DL_E & \text{Performance (2 fixed-base)} \\\hline
[\mathsf{nk}] [\theta] H & (addr, v, H, \theta, \mathsf{rcm}) & DL_E & \mathit{HashDH}^{KDF}_E & \text{Perfect} & DDH_E & RO_{GH} \wedge DL_E & \text{No SU for DL-breaking} \\\hline
[\mathsf{nk}] H + [\mathsf{rnf}] \mathcal{I} & (addr, v, H, \mathsf{rnf}, \mathsf{rcm}) & DL_E & \mathit{HashDH}^{KDF}_E & \text{Perfect} & DDH_E & RO_{GH} \wedge DL_E & \text{No SU for DL-breaking} \\\hline
\mathit{Hash}([\mathsf{nk}] [\theta] H) & (addr, v, H, \theta, \mathsf{rcm}) & DL_E & \mathit{HashDH}^{KDF}_E & \text{Perfect} & DDH_E \vee Pre_{\mathit{Hash}} & Coll_{\mathit{Hash}} \wedge RO_{GH} \wedge DL_E & Coll_{\mathit{Hash}} \text{ for FR} \\\hline
\mathit{Hash}([\mathsf{nk}] H + [\mathsf{rnf}] \mathcal{I}) & (addr, v, H, \mathsf{rnf}, \mathsf{rcm}) & DL_E & \mathit{HashDH}^{KDF}_E & \text{Perfect} & DDH_E \vee Pre_{\mathit{Hash}} & Coll_{\mathit{Hash}} \wedge RO_{GH} \wedge DL_E & Coll_{\mathit{Hash}} \text{ for FR} \\\hline
[F_{\mathsf{nk}}(\psi)] [\theta] H & (addr, v, H, \theta, \psi, \mathsf{rcm}) & DL_E & \mathit{HashDH}^{KDF}_E & \text{Perfect} & DDH_E^\dagger \vee PRF_F & RO_{GH} \wedge DL_E & \text{Performance (2 variable-base)} \\\hline
[F_{\mathsf{nk}}(\psi)] H + [\mathsf{rnf}] \mathcal{I} & (addr, v, H, \mathsf{rnf}, \psi, \mathsf{rcm}) & DL_E & \mathit{HashDH}^{KDF}_E & \text{Perfect} & DDH_E^\dagger \vee PRF_F & RO_{GH} \wedge DL_E & \text{Performance (1 variable- + 1 fixed-base)} \\\hline
[F_{\mathsf{nk}}(\psi)] \mathcal{G} + [\theta] H & (addr, v, H, \theta, \psi, \mathsf{rcm}) & DL_E & \mathit{HashDH}^{KDF}_E & \text{Perfect} & DDH_E^\dagger \vee PRF_F & RO_{GH} \wedge DL_E & \text{Performance (1 variable- + 1 fixed-base)} \\\hline
[F_{\mathsf{nk}}(\psi)] H + \mathsf{cm} & (addr, v, H, \psi, \mathsf{rcm}) & DL_E & \mathit{HashDH}^{KDF}_E & DDH_E^\dagger & DDH_E^\dagger \vee PRF_F & RO_{GH} \wedge DL_E & \text{NP(OOB) not perfect} \\\hline
[F_{\mathsf{nk}}(\rho, \psi)] \mathcal{G} + \mathsf{cm} & (addr, v, \rho, \psi, \mathsf{rcm}) & DL_E & \mathit{HashDH}^{KDF}_E & DDH_E^\dagger & DDH_E^\dagger \vee PRF_F & DL_E & \text{NP(OOB) not perfect} \\\hline
[F_{\mathsf{nk}}(\rho)] \mathcal{G} + \mathsf{cm} & (addr, v, \rho, \mathsf{rcm}) & DL_E & \mathit{HashDH}^{KDF}_E & DDH_E^\dagger & DDH_E^\dagger \vee PRF_F & DL_E & \text{NP(OOB) not perfect} \\\hline
[F_{\mathsf{nk}}(\rho, \psi)] \mathcal{G_v} + [\mathsf{rnf}] \mathcal{I} & (addr, v, \rho, \mathsf{rnf}, \psi, \mathsf{rcm}) & DL_E & \mathit{HashDH}^{KDF}_E & \text{Perfect} & DDH_E^\dagger \vee PRF_F & Coll_F \wedge DL_E & Coll_F \text{ for FR} \\\hline
[F_{\mathsf{nk}}(\rho)] \mathcal{G_v} + [\mathsf{rnf}] \mathcal{I} & (addr, v, \rho, \mathsf{rnf}, \mathsf{rcm}) & DL_E & \mathit{HashDH}^{KDF}_E & \text{Perfect} & DDH_E^\dagger \vee PRF_F & Coll_F \wedge DL_E & Coll_F \text{ for FR} \\\hline
[F_{\mathsf{nk}}(\rho) + \psi \pmod{p}] \mathcal{G_v} & (addr, v, \rho, \psi, \mathsf{rcm}) & DL_E & \mathit{HashDH}^{KDF}_E & \text{Near perfect} \ddagger & DDH_E^\dagger \vee PRF_F & \color{red}{\text{broken}} & \text{broken for FR} \\\hline
[F_{\mathsf{nk}}(\rho, \psi)] \mathcal{G} + \mathit{Commit}^{\mathsf{nf}}_{\mathsf{rnf}}(v, \rho) & (addr, v, \rho, \mathsf{rnf}, \psi, \mathsf{rcm}) & DL_E & \mathit{HashDH}^{KDF}_E & \text{Perfect} & DDH_E^\dagger \vee PRF_F & DL_E & \text{Performance (2 fixed-base)} \\\hline
[F_{\mathsf{nk}}(\rho)] \mathcal{G} + \mathit{Commit}^{\mathsf{nf}}_{\mathsf{rnf}}(v, \rho) & (addr, v, \rho, \mathsf{rnf}, \mathsf{rcm}) & DL_E & \mathit{HashDH}^{KDF}_E & \text{Perfect} & DDH_E^\dagger \vee PRF_F & DL_E & \text{Performance (2 fixed-base)} \\\hline
\end{array}
$$
In the above alternatives:
- $Hash$ is a keyed circuit-efficient hash (such as Rescue).
- $\mathit{Hash}$ is a keyed circuit-efficient hash (such as Rescue).
- $\mathcal{I}$ is an fixed independent base, independent of $\mathcal{G}$ and any others
returned by $GH$.
- $\mathcal{G_v}$ is a pair of fixed independent bases (independent of all others), where
the specific choice of base depends on whether the note has zero value.
- $H$ is a base unique to this output.
- For non-zero-valued notes, $H = GH(\rho)$. As with $\mathsf{h_{Sig}}$ in Sprout,
$\rho$ includes the nullifiers of any Orchard notes being spent in the same action.
- For zero-valued notes, $H$ is constrained by the circuit to a fixed base independent
@ -153,9 +162,11 @@ requirements:
- Publish a unique value $\rho$ at note creation time, and blind that value within the
nullifier computation.
- This is similar to the approach taken in Sprout and Sapling, which both implemented
nullifiers as PRF outputs; Sprout uses the compression function from SHA-256, while
Sapling uses BLAKE2s.
- Derive a unique base $H$ from some unique value, publish that unique base at note
creation time, and then blind the base (either additively or multiplicatively) during
nullifier computation.
@ -168,6 +179,7 @@ directly to the note (to avoid a DL-breaking adversary from immediately breaking
We were considering using a design involving $H$ with the goal of eliminating all usages
of a PRF inside the circuit, for two reasons:
- Instantiating $PRF_F$ with a traditional hash function is expensive in the circuit.
- We didn't want to solely rely on an algebraic hash function satisfying $PRF_F$ to
achieve **Spend Unlinkability**.
@ -196,6 +208,7 @@ is that it does not require an additional scalar multiplication, making it more
inside the circuit.
$\psi$'s derivation has two motivations:
- Deriving from a random value $\mathsf{rseed}$ enables multiple derived values to be
conveyed to the recipient within an action (such as the ephemeral secret $\mathsf{esk}$,
per [ZIP 212](https://zips.z.cash/zip-0212)), while keeping the note plaintext short.
@ -213,15 +226,16 @@ and reject it (as in Sapling).
### Use of $\mathsf{cm}$
The nullifier commits to the note value via $\mathsf{cm}$ for two reasons:
- It domain-separates nullifiers for zero-valued notes from other notes. This is necessary
because we do not require zero-valued notes to exist in the commitment tree.
- Designs that bind the nullifier to $F_{\mathsf{nk}}(\rho)$ require $Coll_F$ to achieve
**Faerie Resistance** (and similarly where $Hash$ is applied to a value derived from
**Faerie Resistance** (and similarly where $\mathit{Hash}$ is applied to a value derived from
$H$). Adding $\mathsf{cm}$ to the nullifier avoids this assumption: all of the bases
used to derive $\mathsf{cm}$ are fixed and independent of $\mathcal{G}$, and so the
nullifier can be viewed as a Pedersen hash where the input includes $\rho$ directly.
The $Commit^{\mathsf{nf}}$ variants were considered to avoid directly depending on
The $\mathit{Commit}^{\mathsf{nf}}$ variants were considered to avoid directly depending on
$\mathsf{cm}$ (which in its native type is a base field element, not a group element). We
decided instead to follow Sapling by defining an intermediate representation of
$\mathsf{cm}$ as a group element, that is only used in nullifier computation. The circuit