Correct the range of input to ValueCommit^Orchard in the action statement, and the corresponding security argument in \crossref{orchardbalance}.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2021-03-17 19:48:04 +00:00
parent e31f33c678
commit 0b8a4b3d90
1 changed files with 17 additions and 9 deletions


@ -1592,7 +1592,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ValueNet}[1]{\Value^\mathsf{net}_{#1}} \newcommand{\ValueNet}[1]{\Value^\mathsf{net}_{#1}}
\newcommand{\ValueLength}{\ell_{\mathsf{value}}} \newcommand{\ValueLength}{\ell_{\mathsf{value}}}
\newcommand{\ValueType}{\binaryrange{\ValueLength}} \newcommand{\ValueType}{\binaryrange{\ValueLength}}
\newcommand{\SignedValueType}{\range{-2^{63}}{2^{63}-1}} \newcommand{\SignedValueFieldType}{\range{-2^{63}}{2^{63}-1}}
\newcommand{\SignedValueDifferenceType}{\range{-2^{64}+1}{2^{64}-1}}
\newcommand{\ValueCommitTypeSapling}{\bigrange{-\SignedScalarLimitJ}{\SignedScalarLimitJ}} \newcommand{\ValueCommitTypeSapling}{\bigrange{-\SignedScalarLimitJ}{\SignedScalarLimitJ}}
\newcommand{\ValueCommitTypeOrchard}{\bigrange{-\SignedScalarLimitP}{\SignedScalarLimitP}} \newcommand{\ValueCommitTypeOrchard}{\bigrange{-\SignedScalarLimitP}{\SignedScalarLimitP}}
\newcommand{\ValueCommitRand}{\mathsf{rcv}} \newcommand{\ValueCommitRand}{\mathsf{rcv}}
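Review bot: renaming \SignedValueType to \SignedValueFieldType without keeping the old name defined means every remaining use of \SignedValueType outside this diff becomes an undefined control sequence at build time; either grep the whole document for \SignedValueType before merging or keep a one-line alias (\newcommand{\SignedValueType}{\SignedValueFieldType}) until all uses are migrated. The new \SignedValueDifferenceType range \range{-2^{64}+1}{2^{64}-1} is the correct range for the difference of two values in \ValueType, and the name makes the distinction from the 64-bit field range clear.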
@ -6134,10 +6135,11 @@ values, breaking the binding property of the \valueCommitmentScheme.
The above argument shows only that $\Value^* = 0 \pmod{\ParamJ{r}}$; in order to show that The above argument shows only that $\Value^* = 0 \pmod{\ParamJ{r}}$; in order to show that
$\vSum = 0$, we will also demonstrate that it does not overflow $\ValueCommitTypeSapling$. $\vSum = 0$, we will also demonstrate that it does not overflow $\ValueCommitTypeSapling$.
The $\spendStatements$ prove that all of $\vOld{\alln}$ are in $\ValueType$. The $\spendStatements$ (\crossref{spendstatement}) prove that all of $\vOld{\alln}$
Similarly the $\outputStatements$ prove that all of $\vNew{\allm}$ are in $\ValueType$. are in $\ValueType$. Similarly the $\outputStatements$ (\crossref{outputstatement})
prove that all of $\vNew{\allm}$ are in $\ValueType$.
$\vBalance{Sapling}$ is encoded in the \transaction as a signed two's complement $64$-bit integer $\vBalance{Sapling}$ is encoded in the \transaction as a signed two's complement $64$-bit integer
in the range $\SignedValueType$. $\ValueLength$ is defined as 64, so $\vSum$ in the range $\SignedValueFieldType$. $\ValueLength$ is defined as 64, so $\vSum$
is in the range $\range{-m \mult (2^{64}-1) - 2^{63} + 1}{n \mult (2^{64}-1) + 2^{63}}$. is in the range $\range{-m \mult (2^{64}-1) - 2^{63} + 1}{n \mult (2^{64}-1) + 2^{63}}$.
The maximum \transaction size is $2$ MB, and the minimum contributions of a \spendDescription The maximum \transaction size is $2$ MB, and the minimum contributions of a \spendDescription
and an \outputDescription to \transaction size and an \outputDescription to \transaction size
@ -6331,13 +6333,14 @@ values, breaking the binding property of the \valueCommitmentScheme.
The above argument shows only that $\Value^* = 0 \pmod{\ParamP{r}}$; in order to show that The above argument shows only that $\Value^* = 0 \pmod{\ParamP{r}}$; in order to show that
$\vSum = 0$, we will also demonstrate that it does not overflow $\ValueCommitTypeOrchard$. $\vSum = 0$, we will also demonstrate that it does not overflow $\ValueCommitTypeOrchard$.
The $\actionStatements$ prove that all of $\vNet{\alln}$ are in $\SignedValueType$. Similarly, The $\actionStatements$ (\crossref{actionstatement}) prove that all $\vNet{\alln}$
$\vBalance{Orchard}$ is encoded in the \transaction as a signed two's complement $64$-bit integer are in $\SignedValueDifferenceType$. $\vBalance{Orchard}$ is encoded in the \transaction as a
in the range $\SignedValueType$. Therefore, $\vSum$ is in the range $\range{-n \mult 2^{63}}{n \mult (2^{63}-1)}$. signed two's complement $64$-bit integer in the range $\SignedValueFieldType$. Therefore, $\vSum$ is
$n$ and $m$ are limited by consensus rule to at most $2^{16}-1$ (this rule is technically redundant due is in the range $\range{-n \mult (2^{64}-1) - 2^{63} + 1}{n \mult (2^{64}-1) + 2^{63}}$.
$n$ is limited by consensus rule to at most $2^{16}-1$ (this rule is technically redundant due
to the $2$ MB \transaction size limit, but it suffices here). to the $2$ MB \transaction size limit, but it suffices here).
This ensures that $\vSum \in \range{-604453686435277732577280}{604453686435277732511745}$, This ensures that $\vSum \in \range{-1208916596242592319864832}{1208916596242592319864833}$,
a subrange of $\ValueCommitTypeOrchard$. a subrange of $\ValueCommitTypeOrchard$.
Thus checking the \orchardBindingSignature ensures that the \actionTransfers in the \transaction Thus checking the \orchardBindingSignature ensures that the \actionTransfers in the \transaction
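Review bot: the new text has a doubled word where the sentence wraps: "Therefore, $\vSum$ is" is followed by "is in the range ...", so one "is" should be dropped. The corrected bounds themselves check out: with $n = 2^{16}-1$ and $\vNet{\alln}$ in \SignedValueDifferenceType, $-n \mult (2^{64}-1) - 2^{63} + 1 = -1208916596242592319864832$ and $n \mult (2^{64}-1) + 2^{63} = 1208916596242592319864833$, matching the constants on the range line, and the previous constants corresponded to $\vNet$ being assumed in \SignedValueFieldType and to $\vBalance{Orchard}$ not being included at all, so the widening is a real fix rather than a rewording. Dropping "and $m$" is right since Orchard has only $n$ \actionDescriptions. Consider adding a sentence noting that these bounds are roughly $\pm 2^{80}$, well inside $\ValueCommitTypeOrchard$, so that a reader does not have to compare 25-digit constants against $\SignedScalarLimitP$ by hand.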
@ -6909,6 +6912,9 @@ For details of the form and encoding of \actionStatement proofs, see \crossref{h
In particular, $\DiversifiedTransmitBaseOld$ cannot be $\ZeroP$. In particular, $\DiversifiedTransmitBaseOld$ cannot be $\ZeroP$.
The $\ValueCommitOutput{Orchard}$ and $\SpendAuthSigPublic{Orchard}$ types represent The $\ValueCommitOutput{Orchard}$ and $\SpendAuthSigPublic{Orchard}$ types represent
\pallasCurve points, i.e.\ $\GroupP$. \pallasCurve points, i.e.\ $\GroupP$.
\item The scalar multiplication used in $\ValueCommitAlg{Orchard}$ must operate correctly on the
range $\SignedValueDifferenceType$, which is different to the range $\SignedValueFieldType$
of $\vBalance{Orchard}$.
\item In the Merkle path validity check, each \merkleLayer does \emph{not} check that its \item In the Merkle path validity check, each \merkleLayer does \emph{not} check that its
input bit sequence is a canonical encoding (in $\range{0}{\ParamP{q}-1}$) of the integer input bit sequence is a canonical encoding (in $\range{0}{\ParamP{q}-1}$) of the integer
from the previous \merkleLayer. from the previous \merkleLayer.
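Review bot: the new implementer's note would be more actionable if it stated the practical consequence: a value in \SignedValueDifferenceType needs 65 signed bits, so an implementation that represents the scalar input to $\ValueCommitAlg{Orchard}$ as a 64-bit two's complement integer (as is valid for $\vBalance{Orchard}$) will truncate or wrap for legitimate $\vNet$ values near the ends of the range. Suggest also cross-referencing \crossref{orchardbalance} here so the reason for the wider range is visible from the note. Minor style point: "different to" should be "different from" for consistency with the rest of the document.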
@ -13848,6 +13854,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\historyentry{2021.1.19}{} \historyentry{2021.1.19}{}
\begin{itemize} \begin{itemize}
\nufive{ \nufive{
\item Correct the range of input to $\ValueCommitAlg{Orchard}$ in the \actionStatement, and
the corresponding security argument in \crossref{orchardbalance}.
\item Update the consensus rules that prevent trivial transactions (with no inputs or outputs) \item Update the consensus rules that prevent trivial transactions (with no inputs or outputs)
to take into account \actionTransfers in the v5 \transaction format. to take into account \actionTransfers in the v5 \transaction format.
\item Make $\DiversifyHash{Orchard}$ total, by replacing an output of $\ZeroP$ with another base. \item Make $\DiversifyHash{Orchard}$ total, by replacing an output of $\ZeroP$ with another base.