mirror of https://github.com/zcash/zips.git
Correct the range of input to ValueCommit^Orchard in the action statement, and the corresponding security argument in \crossref{orchardbalance}.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood
parent
e31f33c678
commit
0b8a4b3d90
|
|
@ -1592,7 +1592,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\ValueNet}[1]{\Value^\mathsf{net}_{#1}}
|
||||
\newcommand{\ValueLength}{\ell_{\mathsf{value}}}
|
||||
\newcommand{\ValueType}{\binaryrange{\ValueLength}}
|
||||
\newcommand{\SignedValueType}{\range{-2^{63}}{2^{63}-1}}
|
||||
\newcommand{\SignedValueFieldType}{\range{-2^{63}}{2^{63}-1}}
|
||||
\newcommand{\SignedValueDifferenceType}{\range{-2^{64}+1}{2^{64}-1}}
|
||||
\newcommand{\ValueCommitTypeSapling}{\bigrange{-\SignedScalarLimitJ}{\SignedScalarLimitJ}}
|
||||
\newcommand{\ValueCommitTypeOrchard}{\bigrange{-\SignedScalarLimitP}{\SignedScalarLimitP}}
|
||||
\newcommand{\ValueCommitRand}{\mathsf{rcv}}
|
||||
|
|
@ -6134,10 +6135,11 @@ values, breaking the binding property of the \valueCommitmentScheme.
|
|||
The above argument shows only that $\Value^* = 0 \pmod{\ParamJ{r}}$; in order to show that
|
||||
$\vSum = 0$, we will also demonstrate that it does not overflow $\ValueCommitTypeSapling$.
|
||||
|
||||
The $\spendStatements$ prove that all of $\vOld{\alln}$ are in $\ValueType$.
|
||||
Similarly the $\outputStatements$ prove that all of $\vNew{\allm}$ are in $\ValueType$.
|
||||
The $\spendStatements$ (\crossref{spendstatement}) prove that all of $\vOld{\alln}$
|
||||
are in $\ValueType$. Similarly the $\outputStatements$ (\crossref{outputstatement})
|
||||
prove that all of $\vNew{\allm}$ are in $\ValueType$.
|
||||
$\vBalance{Sapling}$ is encoded in the \transaction as a signed two's complement $64$-bit integer
|
||||
in the range $\SignedValueType$. $\ValueLength$ is defined as 64, so $\vSum$
|
||||
in the range $\SignedValueFieldType$. $\ValueLength$ is defined as 64, so $\vSum$
|
||||
is in the range $\range{-m \mult (2^{64}-1) - 2^{63} + 1}{n \mult (2^{64}-1) + 2^{63}}$.
|
||||
The maximum \transaction size is $2$ MB, and the minimum contributions of a \spendDescription
|
||||
and an \outputDescription to \transaction size
|
||||
|
|
@ -6331,13 +6333,14 @@ values, breaking the binding property of the \valueCommitmentScheme.
|
|||
The above argument shows only that $\Value^* = 0 \pmod{\ParamP{r}}$; in order to show that
|
||||
$\vSum = 0$, we will also demonstrate that it does not overflow $\ValueCommitTypeOrchard$.
|
||||
|
||||
The $\actionStatements$ prove that all of $\vNet{\alln}$ are in $\SignedValueType$. Similarly,
|
||||
$\vBalance{Orchard}$ is encoded in the \transaction as a signed two's complement $64$-bit integer
|
||||
in the range $\SignedValueType$. Therefore, $\vSum$ is in the range $\range{-n \mult 2^{63}}{n \mult (2^{63}-1)}$.
|
||||
$n$ and $m$ are limited by consensus rule to at most $2^{16}-1$ (this rule is technically redundant due
|
||||
The $\actionStatements$ (\crossref{actionstatement}) prove that all $\vNet{\alln}$
|
||||
are in $\SignedValueDifferenceType$. $\vBalance{Orchard}$ is encoded in the \transaction as a
|
||||
signed two's complement $64$-bit integer in the range $\SignedValueFieldType$. Therefore, $\vSum$ is
|
||||
is in the range $\range{-n \mult (2^{64}-1) - 2^{63} + 1}{n \mult (2^{64}-1) + 2^{63}}$.
|
||||
$n$ is limited by consensus rule to at most $2^{16}-1$ (this rule is technically redundant due
|
||||
to the $2$ MB \transaction size limit, but it suffices here).
|
||||
|
||||
This ensures that $\vSum \in \range{-604453686435277732577280}{604453686435277732511745}$,
|
||||
This ensures that $\vSum \in \range{-1208916596242592319864832}{1208916596242592319864833}$,
|
||||
a subrange of $\ValueCommitTypeOrchard$.
|
||||
|
||||
Thus checking the \orchardBindingSignature ensures that the \actionTransfers in the \transaction
|
||||
|
|
@ -6909,6 +6912,9 @@ For details of the form and encoding of \actionStatement proofs, see \crossref{h
|
|||
In particular, $\DiversifiedTransmitBaseOld$ cannot be $\ZeroP$.
|
||||
The $\ValueCommitOutput{Orchard}$ and $\SpendAuthSigPublic{Orchard}$ types represent
|
||||
\pallasCurve points, i.e.\ $\GroupP$.
|
||||
\item The scalar multiplication used in $\ValueCommitAlg{Orchard}$ must operate correctly on the
|
||||
range $\SignedValueDifferenceType$, which is different to the range $\SignedValueFieldType$
|
||||
of $\vBalance{Orchard}$.
|
||||
\item In the Merkle path validity check, each \merkleLayer does \emph{not} check that its
|
||||
input bit sequence is a canonical encoding (in $\range{0}{\ParamP{q}-1}$) of the integer
|
||||
from the previous \merkleLayer.
|
||||
|
|
@ -13848,6 +13854,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\historyentry{2021.1.19}{}
|
||||
\begin{itemize}
|
||||
\nufive{
|
||||
\item Correct the range of input to $\ValueCommitAlg{Orchard}$ in the \actionStatement, and
|
||||
the corresponding security argument in \crossref{orchardbalance}.
|
||||
\item Update the consensus rules that prevent trivial transactions (with no inputs or outputs)
|
||||
to take into account \actionTransfers in the v5 \transaction format.
|
||||
\item Make $\DiversifyHash{Orchard}$ total, by replacing an output of $\ZeroP$ with another base.
|
||||
|
|
|
|||
Loading…
Reference in New Issue