mirror of https://github.com/zcash/zips.git
Change the type of MerkleCRH^Orchard to have MerkleHash^Orchard in place of MerkleHash^Orchard ∪ {⊥}
for the inputs and output, and map a ⊥ output from SinsemillaHash to 0.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent c33e23e0c2
commit 0b7aeae33e
@ -1894,6 +1894,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\MerkleHash}[1]{\bitseq{\MerkleHashLength{#1}}}
\newcommand{\MerkleHashOrchard}{\GroupPx}
\newcommand{\MerkleLayer}[1]{\range{0}{\MerkleDepth{#1}-1}}
\newcommand{\hash}{\mathsf{hash}}
\newcommand{\layerInput}{\mathsf{layer}}
\newcommand{\layerRepr}{{l\Repr}}
\newcommand{\leftInput}{\mathsf{left}}
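Review bot: `\newcommand{\MerkleHashOrchard}{\GroupPx}` introduces a Merkle hash type that is a field-element type rather than a `\bitseq` like the parameterised `\MerkleHash{#1}` on the line above, and nothing at the definition says why the two differ; add a `%` comment next to it stating that it is the range of `\ExtractP` and that `\MerkleHashLength{Orchard}` still governs the `\ItoLEBSP` encoding inside `\MerkleCRH{Orchard}`, so a later editor does not "fix" it back to `\MerkleHash{Orchard}`. The new `\hash` macro is also a very generic global name for what is a local variable in a single definition; a more specific name (or inline `\mathsf{hash}`) avoids clashing with any later use of `\hash`.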
@ -3388,13 +3389,6 @@ In a given \blockChain, \sapling{for each of \Sprout and \SaplingAndOrchard,}
\sapling{There is no equivalent of interstitial \treestates for \Sapling\nufive{ or
for \Orchard}.}

\nufive{
\vspace{1ex}
$\MerkleCRH{Orchard}$ can produce $\bot$ as output (with insignificant probability).
If either input is $\bot$, this is propagated to the output, and so if any \merkleNode
of a \noteCommitmentTree is $\bot$, then the \merkleRoot of that tree will be $\bot$.
} %nufive


\lsubsection{JoinSplit Transfers and Descriptions}{joinsplit}

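Review bot: deleting the whole `\nufive{ ... } %nufive` paragraph leaves this treestate section with no statement of what happens when $\SinsemillaHash$ fails during a \merkleRoot computation. Since the $\bot$-to-$0$ mapping now lives only in the definition of $\MerkleCRH{Orchard}$, a one-line pointer after the \Sapling sentence, such as "$\MerkleCRH{Orchard}$ never returns $\bot$; see \crossref{merklecrh}", would keep the exceptional case discoverable from the place where readers previously found it.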
@ -3763,13 +3757,12 @@ The following \hashFunctions are used in \crossref{merklepath}:
\begin{tabular}{@{\hskip 2em}l@{\;}l@{\;}l@{\;}l@{\;}l}
$\MerkleCRH{Sprout}$ &$\typecolon\, \MerkleLayer{Sprout}$ &$\times\; \MerkleHash{Sprout}$ &$\times\; \MerkleHash{Sprout}$ &$\rightarrow \MerkleHash{Sprout}$ \\
\setsapling $\MerkleCRH{Sapling}$ &\setsapling $\typecolon\, \MerkleLayer{Sapling}$ &\setsapling $\times\; \MerkleHash{Sapling}$ &\setsapling $\times\; \MerkleHash{Sapling}$ &\setsapling $\rightarrow \MerkleHash{Sapling}$\notbeforenufive{ \\
\setnufive $\MerkleCRH{Orchard}$ &\setnufive $\typecolon\, \MerkleLayer{Orchard}$ &\setnufive $\times\; \maybe{\MerkleHashOrchard}$ &\setnufive $\times\; \maybe{\MerkleHashOrchard}$ &\setnufive $\rightarrow \maybe{\MerkleHashOrchard}$}.
\setnufive $\MerkleCRH{Orchard}$ &\setnufive $\typecolon\, \MerkleLayer{Orchard}$ &\setnufive $\times\; \MerkleHashOrchard$ &\setnufive $\times\; \MerkleHashOrchard$ &\setnufive $\rightarrow \MerkleHashOrchard$}.
\end{tabular}

$\MerkleCRH{Sprout}$ is \collisionResistant except on its first argument.
\sapling{$\MerkleCRH{Sapling}$\notnufive{ is}\nufive{ and $\MerkleCRH{Orchard}$ are}
\collisionResistant on all\notnufive{ its}\nufive{ their} arguments\nufive{ (restricted
to non-$\bot$ inputs in the case of $\MerkleCRH{Orchard}$)}.}
\collisionResistant on all\notnufive{ its}\nufive{ their} arguments.}

These functions are instantiated in \crossref{merklecrh}.

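Review bot: the new sentence "\collisionResistant on all ... their arguments" is now unconditional, but for $\MerkleCRH{Orchard}$ the claim rests on the $\bot$-to-$0$ mapping: a collision between an input whose $\SinsemillaHash$ output is $\bot$ (now reported as $0$) and an input whose genuine output is $0$ is excluded only by the requirement that no input yielding $\bot$ can be found, and that requirement is stated in the security requirements of \crossref{merklecrh}, not here. Either keep a short qualifying clause ("assuming the requirements in \crossref{merklecrh}") or add the crossref at this point so the dependency is visible where the claim is made.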
@ -8135,29 +8128,29 @@ but using a prefix that cannot collide with a layer prefix, as noted in \crossre
\vspace{-2ex}
Let $\SinsemillaHash$ be as specified in \crossref{concretesinsemillahash}.

$\MerkleCRH{Orchard} \typecolon \MerkleLayer{Orchard} \times \maybe{\MerkleHashOrchard} \times \maybe{\MerkleHashOrchard}
\rightarrow \maybe{\MerkleHashOrchard}$ is defined as follows:
$\MerkleCRH{Orchard} \typecolon \MerkleLayer{Orchard} \times \MerkleHashOrchard \times \MerkleHashOrchard
\rightarrow \MerkleHashOrchard$ is defined as follows:

\begin{formulae}
\item $\MerkleCRH{Orchard}(\layerInput, \leftInput, \rightInput) := \begin{cases}
\bot, &\caseif \leftInput = \bot \text{ or } \rightInput = \bot \\
\Longunderstack[l]{$\SinsemillaHash(\ascii{z.cash:Orchard-MerkleCRH},$ \\
$\hspace{6.7em} \layerRepr \bconcat \leftRepr \bconcat \rightRepr),$} &\Longunderstack{\\ \squash otherwise}
0, &\caseif \hash = \bot \\
\hash, &\caseotherwise
\end{cases}$
\item \begin{tabular}{l@{\;}r@{\;}l}
where &$\layerRepr$ &$= \ItoLEBSP{10}\big(\MerkleDepth{Orchard} - 1 - \layerInput\big)$ \\
&$\leftRepr$ &$= \ItoLEBSP{\MerkleHashLength{Orchard}}\big(\leftInput\big)$ when $\leftInput \neq \bot$ \\
&$\rightRepr$ &$= \ItoLEBSP{\MerkleHashLength{Orchard}}\big(\rightInput\big)$ when $\rightInput \neq \bot$.
\item \begin{tabular}{@{}l@{\;}r@{\;}l}
where &$\hash$ &$= \SinsemillaHash(\ascii{z.cash:Orchard-MerkleCRH},\, \layerRepr \bconcat \leftRepr \bconcat \rightRepr)$ \\
&$\layerRepr$ &$= \ItoLEBSP{10}\big(\MerkleDepth{Orchard} - 1 - \layerInput\big)$ \\
&$\leftRepr$ &$= \ItoLEBSP{\MerkleHashLength{Orchard}}\big(\leftInput\big)$ \\
&$\rightRepr$ &$= \ItoLEBSP{\MerkleHashLength{Orchard}}\big(\rightInput\big)$.
\end{tabular}
\end{formulae}

\begin{securityrequirements}
\item $\SinsemillaHash$ must be \collisionResistant, when restricted to non-$\bot$ inputs.
\item $\SinsemillaHash$ must be \collisionResistant.
\item It must be infeasible to find a input of length $6 + 2 \mult \MerkleHashLength{Orchard}$
to $\SinsemillaHash$ that yields output $\bot$.
\end{securityrequirements}

\pnote{The prefix $l$ provides domain separation between inputs at different layers of the
\pnote{The prefix $\layerRepr$ provides domain separation between inputs at different layers of the
\noteCommitmentTree.}
} %nufive

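Review bot: the unchanged security requirement "find a input of length $6 + 2 \mult \MerkleHashLength{Orchard}$" is inconsistent with the definition directly above it, where $\layerRepr = \ItoLEBSP{10}\big(\MerkleDepth{Orchard} - 1 - \layerInput\big)$ contributes 10 bits, so the $\SinsemillaHash$ input has length $10 + 2 \mult \MerkleHashLength{Orchard}$; "a input" should also read "an input". This commit is what makes that requirement load-bearing, because a $\bot$ output is now silently turned into the hash value $0$ rather than invalidating the tree, so the length should be corrected in the same change. Two smaller points: the second `\item \begin{tabular}` now carries the full definition of $\hash$ while the case analysis above only references it, so a reader meets `\hash` before it is introduced; consider moving the "where $\hash = \ldots$" row ahead of the cases or naming it in the lead-in sentence. And the `\pnote` switch from $l$ to $\layerRepr$ is correct, but $\layerRepr$ is a 10-bit encoding of $\MerkleDepth{Orchard} - 1 - \layerInput$, not of $\layerInput$; the note could say so to avoid suggesting that the layer number itself is the prefix.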
@ -10179,10 +10172,12 @@ is not square in $\GF{\ParamP{q}}$.
\end{proof}

\vspace{-2ex}
\nnote{There are also no points in $\GroupP$ with \affineSW $x$-coordinate $0 \pmod{\ParamP{q}}$.
We do not choose $\Uncommitted{Orchard} = 0$ because we define $\ExtractPbot\Of{\ZeroP} = 0$.
Although $\SinsemillaCommitAlg{}$ cannot return $\ZeroP$ (the incomplete addition would return
$\bot$ instead), it would arguably be confusing to rely on that.}
\nnote{There are also no points in $\GroupP$ with \affineSW $x$-coordinate
$0 \pmod{\ParamP{q}}$, as shown in a note at \crossref{concreteextractorpallas}.
We do not choose $\Uncommitted{Orchard} = 0$ because $\MerkleCRH{Orchard}$ returns $0$
in exceptional cases. Although the \merkleHashes of \merkleLeafNodes are separated from
the \merkleHashes at other \merkleLayers by the $\layerInput$ input to $\MerkleCRH{Orchard}$,
it would arguably be confusing to rely on that.}
} %nufive


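Review bot: the rewritten note says the \merkleHashes of \merkleLeafNodes are separated from other layers "by the $\layerInput$ input to $\MerkleCRH{Orchard}$", but leaf values (note commitments and $\Uncommitted{Orchard}$) are not themselves outputs of $\MerkleCRH{Orchard}$; the separation comes from the $\layerInput$ argument of the invocations that consume them as $\leftInput$ or $\rightInput$. Rewording to "by the $\layerInput$ input of the $\MerkleCRH{Orchard}$ invocations that hash them" makes the argument precise. The phrase "as shown in a note at \crossref{concreteextractorpallas}" now relies on the `pnotes` item added later in this commit rather than on the proof that precedes this note, so confirm that the label resolves to the section containing that new item and that the proof above (which ends on "is not square in $\GF{\ParamP{q}}$") is still cited somewhere for the underlying fact.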
@ -10864,9 +10859,13 @@ We also define $\ExtractPbot \typecolon \maybe{\GroupP} \rightarrow \maybe{\Grou
\item $\ExtractPbot\big(P \typecolon \GroupP\big) = \ExtractP(P)$.
\end{formulae}

\vspace{-3ex}
\nnote{$\ExtractP$ returns the type $\GroupPx$ which is precise for its range, unlike $\ExtractJ$
which returns a bit sequence.}
\vspace{-2ex}
\begin{pnotes}
\item There is no solution to $y^2 = 0^3 + 5$ in $\GF{\ParamP{q}}$, and so $\ExtractP(P)$
can only be $0$ when $P = \ZeroP$.
\item $\ExtractP$ returns the type $\GroupPx$ which is precise for its range, unlike $\ExtractJ$
which returns a bit sequence.
\end{pnotes}
} %nufive

\nufive{

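Review bot: the new first `pnotes` item asserts that $y^2 = 0^3 + 5$ has no solution in $\GF{\ParamP{q}}$ with no justification, yet the note in the \Uncommitted{Orchard} section earlier in this commit now points here as the place where the fact is "shown", so this item has become the canonical statement and should carry the reason (that $5$ is not a square in $\GF{\ParamP{q}}$, with a crossref to the proof that establishes it). Writing the equation as $y^2 = 5$, or as "the curve equation $y^2 = x^3 + 5$ with $x = 0$", would also read more naturally than $0^3 + 5$. The conclusion "can only be $0$ when $P = \ZeroP$" is stated for $\ExtractP$, whose domain in the signature just above is $\GroupP$ rather than $\maybe{\GroupP}$; if $\ZeroP$ is meant to be in that domain, say so, otherwise phrase it in terms of $\ExtractPbot$.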
@ -14429,6 +14428,13 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
that each intermediate \merkleRoot of the \noteCommitmentTree is not $\bot$.
Checking this rule would have imposed a significant performance penalty,
since intermediate roots do not otherwise need to be computed.
\item Change the type of $\MerkleCRH{Orchard}$ to have $\MerkleHashOrchard$ in place
of $\maybe{\MerkleHashOrchard}$ for the inputs and output, and map a $\bot$
output from $\SinsemillaHash$ to $0$. (We retain the original definitions
of $\SinsemillaHash$ and $\SinsemillaHashToPoint$ both because it would be
disruptive to change them at this point in the Network Upgrade Process, and
because it is necessary to track $\bot$ outputs in order to correctly model
non-determinism in the \actionCircuit.)
} % nufive
\item No changes before \NUFive.
\end{itemize}

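Review bot: the changelog item explains the type change and the $\bot \mapsto 0$ mapping but not its two consequences that appear elsewhere in this commit: the security requirement that it be infeasible to find a $\SinsemillaHash$ input yielding $\bot$ now bears directly on the collision resistance of $\MerkleCRH{Orchard}$, and $\Uncommitted{Orchard}$ must therefore remain nonzero. One sentence and a \crossref{merklecrh} here would help anyone auditing the upgrade to find the new mapping and its assumptions. Style: the closing comment is written `} % nufive` in this hunk but `} %nufive` in every other hunk of the same commit; pick one spelling.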