Change the type of MerkleCRH^Orchard to have MerkleHash^Orchard in place of MerkleHash^Orchard ∪ {⊥}

for the inputs and output, and map a ⊥ output from SinsemillaHash to 0. Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-06-30 14:34:59 +01:00 · 2021-06-30 14:34:59 +01:00 · 0b7aeae33e
parent c33e23e0c2
commit 0b7aeae33e
1 changed files with 34 additions and 28 deletions
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@ -1894,6 +1894,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\MerkleHash}[1]{\bitseq{\MerkleHashLength{#1}}}
 \newcommand{\MerkleHashOrchard}{\GroupPx}
 \newcommand{\MerkleLayer}[1]{\range{0}{\MerkleDepth{#1}-1}}
+\newcommand{\hash}{\mathsf{hash}}
 \newcommand{\layerInput}{\mathsf{layer}}
 \newcommand{\layerRepr}{{l\Repr}}
 \newcommand{\leftInput}{\mathsf{left}}
@ -3388,13 +3389,6 @@ In a given \blockChain, \sapling{for each of \Sprout and \SaplingAndOrchard,}
 \sapling{There is no equivalent of interstitial \treestates for \Sapling\nufive{ or
 for \Orchard}.}

-\nufive{
-\vspace{1ex}
-$\MerkleCRH{Orchard}$ can produce $\bot$ as output (with insignificant probability).
-If either input is $\bot$, this is propagated to the output, and so if any \merkleNode
-of a \noteCommitmentTree is $\bot$, then the \merkleRoot of that tree will be $\bot$.
-} %nufive
-

 \lsubsection{JoinSplit Transfers and Descriptions}{joinsplit}

@ -3763,13 +3757,12 @@ The following \hashFunctions are used in \crossref{merklepath}:
 \begin{tabular}{@{\hskip 2em}l@{\;}l@{\;}l@{\;}l@{\;}l}
 $\MerkleCRH{Sprout}$              &$\typecolon\, \MerkleLayer{Sprout}$ &$\times\; \MerkleHash{Sprout}$ &$\times\; \MerkleHash{Sprout}$ &$\rightarrow \MerkleHash{Sprout}$ \\
 \setsapling $\MerkleCRH{Sapling}$ &\setsapling $\typecolon\, \MerkleLayer{Sapling}$ &\setsapling $\times\; \MerkleHash{Sapling}$ &\setsapling $\times\; \MerkleHash{Sapling}$ &\setsapling $\rightarrow \MerkleHash{Sapling}$\notbeforenufive{ \\
-\setnufive  $\MerkleCRH{Orchard}$ &\setnufive  $\typecolon\, \MerkleLayer{Orchard}$ &\setnufive  $\times\; \maybe{\MerkleHashOrchard}$ &\setnufive  $\times\; \maybe{\MerkleHashOrchard}$ &\setnufive  $\rightarrow \maybe{\MerkleHashOrchard}$}.
+\setnufive  $\MerkleCRH{Orchard}$ &\setnufive  $\typecolon\, \MerkleLayer{Orchard}$ &\setnufive  $\times\; \MerkleHashOrchard$   &\setnufive  $\times\; \MerkleHashOrchard$   &\setnufive  $\rightarrow \MerkleHashOrchard$}.
 \end{tabular}

 $\MerkleCRH{Sprout}$ is \collisionResistant except on its first argument.
 \sapling{$\MerkleCRH{Sapling}$\notnufive{ is}\nufive{ and $\MerkleCRH{Orchard}$ are}
-\collisionResistant on all\notnufive{ its}\nufive{ their} arguments\nufive{ (restricted
-to non-$\bot$ inputs in the case of $\MerkleCRH{Orchard}$)}.}
+\collisionResistant on all\notnufive{ its}\nufive{ their} arguments.}

 These functions are instantiated in \crossref{merklecrh}.

@ -8135,29 +8128,29 @@ but using a prefix that cannot collide with a layer prefix, as noted in \crossre
 \vspace{-2ex}
 Let $\SinsemillaHash$ be as specified in \crossref{concretesinsemillahash}.

-$\MerkleCRH{Orchard} \typecolon \MerkleLayer{Orchard} \times \maybe{\MerkleHashOrchard} \times \maybe{\MerkleHashOrchard}
-\rightarrow \maybe{\MerkleHashOrchard}$ is defined as follows:
+$\MerkleCRH{Orchard} \typecolon \MerkleLayer{Orchard} \times \MerkleHashOrchard \times \MerkleHashOrchard
+\rightarrow \MerkleHashOrchard$ is defined as follows:

 \begin{formulae}
  \item $\MerkleCRH{Orchard}(\layerInput, \leftInput, \rightInput) := \begin{cases}
-           \bot, &\caseif \leftInput = \bot \text{ or } \rightInput = \bot \\
-           \Longunderstack[l]{$\SinsemillaHash(\ascii{z.cash:Orchard-MerkleCRH},$ \\
-                              $\hspace{6.7em} \layerRepr \bconcat \leftRepr \bconcat \rightRepr),$} &\Longunderstack{\\ \squash otherwise}
+           0,     &\caseif \hash = \bot \\
+           \hash, &\caseotherwise
        \end{cases}$
-  \item \begin{tabular}{l@{\;}r@{\;}l}
-          where &$\layerRepr$ &$= \ItoLEBSP{10}\big(\MerkleDepth{Orchard} - 1 - \layerInput\big)$ \\
-                &$\leftRepr$  &$= \ItoLEBSP{\MerkleHashLength{Orchard}}\big(\leftInput\big)$ when $\leftInput \neq \bot$ \\
-                &$\rightRepr$ &$= \ItoLEBSP{\MerkleHashLength{Orchard}}\big(\rightInput\big)$ when $\rightInput \neq \bot$.
+  \item \begin{tabular}{@{}l@{\;}r@{\;}l}
+          where &$\hash$      &$= \SinsemillaHash(\ascii{z.cash:Orchard-MerkleCRH},\, \layerRepr \bconcat \leftRepr \bconcat \rightRepr)$ \\
+                &$\layerRepr$ &$= \ItoLEBSP{10}\big(\MerkleDepth{Orchard} - 1 - \layerInput\big)$ \\
+                &$\leftRepr$  &$= \ItoLEBSP{\MerkleHashLength{Orchard}}\big(\leftInput\big)$ \\
+                &$\rightRepr$ &$= \ItoLEBSP{\MerkleHashLength{Orchard}}\big(\rightInput\big)$.
        \end{tabular}
 \end{formulae}

 \begin{securityrequirements}
-  \item $\SinsemillaHash$ must be \collisionResistant, when restricted to non-$\bot$ inputs.
+  \item $\SinsemillaHash$ must be \collisionResistant.
  \item It must be infeasible to find a input of length $6 + 2 \mult \MerkleHashLength{Orchard}$
        to $\SinsemillaHash$ that yields output $\bot$.
 \end{securityrequirements}

-\pnote{The prefix $l$ provides domain separation between inputs at different layers of the
+\pnote{The prefix $\layerRepr$ provides domain separation between inputs at different layers of the
 \noteCommitmentTree.}
 } %nufive

@ -10179,10 +10172,12 @@ is not square in $\GF{\ParamP{q}}$.
 \end{proof}

 \vspace{-2ex}
-\nnote{There are also no points in $\GroupP$ with \affineSW $x$-coordinate $0 \pmod{\ParamP{q}}$.
-We do not choose $\Uncommitted{Orchard} = 0$ because we define $\ExtractPbot\Of{\ZeroP} = 0$.
-Although $\SinsemillaCommitAlg{}$ cannot return $\ZeroP$ (the incomplete addition would return
-$\bot$ instead), it would arguably be confusing to rely on that.}
+\nnote{There are also no points in $\GroupP$ with \affineSW $x$-coordinate
+$0 \pmod{\ParamP{q}}$, as shown in a note at \crossref{concreteextractorpallas}.
+We do not choose $\Uncommitted{Orchard} = 0$ because $\MerkleCRH{Orchard}$ returns $0$
+in exceptional cases. Although the \merkleHashes of \merkleLeafNodes are separated from
+the \merkleHashes at other \merkleLayers by the $\layerInput$ input to $\MerkleCRH{Orchard}$,
+it would arguably be confusing to rely on that.}
 } %nufive


@ -10864,9 +10859,13 @@ We also define $\ExtractPbot \typecolon \maybe{\GroupP} \rightarrow \maybe{\Grou
  \item $\ExtractPbot\big(P \typecolon \GroupP\big) = \ExtractP(P)$.
 \end{formulae}

-\vspace{-3ex}
-\nnote{$\ExtractP$ returns the type $\GroupPx$ which is precise for its range, unlike $\ExtractJ$
-which returns a bit sequence.}
+\vspace{-2ex}
+\begin{pnotes}
+  \item There is no solution to $y^2 = 0^3 + 5$ in $\GF{\ParamP{q}}$, and so $\ExtractP(P)$
+        can only be $0$ when $P = \ZeroP$.
+  \item $\ExtractP$ returns the type $\GroupPx$ which is precise for its range, unlike $\ExtractJ$
+        which returns a bit sequence.
+\end{pnotes}
 } %nufive

 \nufive{
@ -14429,6 +14428,13 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
          that each intermediate \merkleRoot of the \noteCommitmentTree is not $\bot$.
          Checking this rule would have imposed a significant performance penalty,
          since intermediate roots do not otherwise need to be computed.
+    \item Change the type of $\MerkleCRH{Orchard}$ to have $\MerkleHashOrchard$ in place
+          of $\maybe{\MerkleHashOrchard}$ for the inputs and output, and map a $\bot$
+          output from $\SinsemillaHash$ to $0$. (We retain the original definitions
+          of $\SinsemillaHash$ and $\SinsemillaHashToPoint$ both because it would be
+          disruptive to change them at this point in the Network Upgrade Process, and
+          because it is necessary to track $\bot$ outputs in order to correctly model
+          non-determinism in the \actionCircuit.)
 } % nufive
    \item No changes before \NUFive.
 \end{itemize}