Add DiversifyHash, and change the type of diversifiers to a bit sequence.
Fix the generation of diversified addresses to repeatedly try diversifiers. Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
752156da97
commit
108fa4daa0
@ -529,6 +529,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\PaymentAddresses}{\titleterm{Shielded Payment Addresses}}
|
||||
\newcommand{\diversifiedPaymentAddress}{\term{diversified payment address}}
|
||||
\newcommand{\diversifiedPaymentAddresses}{\term{diversified payment addresses}}
|
||||
\newcommand{\diversifiedBase}{\term{diversified base}}
|
||||
\newcommand{\diversifiedBases}{\term{diversified bases}}
|
||||
\newcommand{\diversifier}{\term{diversifier}}
|
||||
\newcommand{\diversifiers}{\term{diversifiers}}
|
||||
\newcommand{\incomingViewingKey}{\term{incoming viewing key}}
|
||||
|
@ -736,6 +738,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\CRHivkText}{\texorpdfstring{$\CRHivk$}{CRHivk}}
|
||||
\newcommand{\CRHivkOutput}{\CRHivk\mathsf{.Output}}
|
||||
\newcommand{\CRHivkBox}[1]{\CRHivk\!\left(\Justthebox{#1}\right)}
|
||||
\newcommand{\DiversifyHash}{\mathsf{DiversifyHash}}
|
||||
|
||||
% Key pairs
|
||||
|
||||
|
@ -808,7 +811,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\Hashnr}{H^{\NullifierRand}}
|
||||
\newcommand{\Diversifier}{\mathsf{d}}
|
||||
\newcommand{\DiversifierLength}{\mathsf{\ell_{\Diversifier}}}
|
||||
\newcommand{\DiversifierType}{\byteseq{\DiversifierLength/8}}
|
||||
\newcommand{\DiversifierType}{\bitseq{\DiversifierLength}}
|
||||
\newcommand{\DiversifiedTransmitBase}{\mathsf{g_d}}
|
||||
\newcommand{\DiversifiedTransmitPublic}{\mathsf{pk_d}}
|
||||
\newcommand{\Index}{\mathsf{Index}}
|
||||
|
@ -1972,16 +1975,18 @@ where $\NoteCommitSprout{}$ is instantiated in \crossref{concretesproutcommit}.
|
|||
\sapling{
|
||||
\vspace{2ex}
|
||||
\introlist
|
||||
Let $\GroupJHash{}$ and $U$ be as defined in \crossref{concretegrouphashjubjub}.
|
||||
Let $\DiversifyHash$ be as defined in \crossref{concretediversifyhash}.
|
||||
|
||||
A \Sapling{} \noteCommitment on a \note
|
||||
$\NoteTuple{} = (\Diversifier, \DiversifiedTransmitPublic, \Value, \NoteCommitRand)$ is computed as
|
||||
|
||||
\begin{formulae}
|
||||
\item $\DiversifiedTransmitBase := \GroupJHash{U}(\ascii{Zcash\_gd}, \Diversifier)$
|
||||
\item $\DiversifiedTransmitBase := \DiversifyHash(\Diversifier)$
|
||||
\item $\NoteCommitmentSapling(\NoteTuple{}) := \begin{cases}
|
||||
\bot, &\caseif \DiversifiedTransmitBase = \bot \\
|
||||
\NoteCommitSapling{\NoteCommitRand}(\reprJOf{\DiversifiedTransmitBase}, \DiversifiedTransmitPublic, \Value), &\caseotherwise.
|
||||
\NoteCommitSapling{\NoteCommitRand}(\reprJOf{\DiversifiedTransmitBase},
|
||||
\reprJOf{\DiversifiedTransmitPublic},
|
||||
\Value), &\caseotherwise.
|
||||
\end{cases}$
|
||||
\end{formulae}
|
||||
\vspace{-1.5ex}
|
||||
|
@ -2964,6 +2969,8 @@ Let $\KASapling$ be a \keyAgreementScheme, instantiated in \crossref{concretesap
|
|||
|
||||
Let $\CRHivk$ be a \hashFunction, instantiated in \crossref{concretecrhivk}.
|
||||
|
||||
Let $\DiversifyHash$ be a \hashFunction, instantiated in \crossref{concretediversifyhash}.
|
||||
|
||||
Let $\FindGroupJHash$ be as defined in \crossref{concretegrouphashjubjub}.
|
||||
|
||||
Let $\AuthSignBase = \FindGroupJHashOf{\ascii{Zcash\_G\_}, \ascii{}}$ and
|
||||
|
@ -3016,14 +3023,14 @@ authority. A group of such addresses shares the same \fullViewingKey and
|
|||
\incomingViewingKey.
|
||||
|
||||
To create a new \diversifiedPaymentAddress given an \incomingViewingKey
|
||||
$\InViewingKey$, first choose a \diversifier $\Diversifier$ uniformly at
|
||||
random from $\DiversifierType$.
|
||||
$\InViewingKey$, repeatedly pick a \diversifier $\Diversifier$ uniformly at
|
||||
random from $\DiversifierType$ until
|
||||
$\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$ is not $\bot$.
|
||||
Then calculate:
|
||||
|
||||
\begin{tabular}{@{\hskip 2em}r@{\;}l}
|
||||
$\DiversifiedTransmitBase$ &$:= \GroupJHash{U}(\ascii{Zcash\_gd}, \Diversifier)$ \\
|
||||
$\DiversifiedTransmitPublic$ &$:= \reprJOf{\KASaplingDerivePublic(\InViewingKey, \DiversifiedTransmitBase)}$.
|
||||
\end{tabular}
|
||||
\begin{formulae}
|
||||
\item $\DiversifiedTransmitPublic := \KASaplingDerivePublic(\InViewingKey, \DiversifiedTransmitBase)$.
|
||||
\end{formulae}
|
||||
|
||||
The resulting \diversifiedPaymentAddress is $(\Diversifier, \DiversifiedTransmitPublic)$.
|
||||
|
||||
|
@ -3276,7 +3283,7 @@ $(\Diversifier, \DiversifiedTransmitPublic)$, and then performs the following st
|
|||
(i.e. $\abstJOf{\DiversifiedTransmitPublic} \neq \bot$ and
|
||||
$\scalarmult{8}{\abstJOf{\DiversifiedTransmitPublic}} \neq \ZeroJ$).
|
||||
|
||||
\item Calculate $\DiversifiedTransmitBase = \GroupJHash{U}(\ascii{Zcash\_gd}, \Diversifier)$
|
||||
\item Calculate $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$
|
||||
and check that $\DiversifiedTransmitBase \neq \bot$.
|
||||
|
||||
\item Choose $\EphemeralPrivate$ uniformly at random on $\range{0}{\ParamJ{r} - 1}$.
|
||||
|
@ -4183,6 +4190,28 @@ the same effect as using that feature.
|
|||
} %sapling
|
||||
|
||||
|
||||
\sapling{
|
||||
\introlist
|
||||
\subsubsubsection{$\DiversifyHash$ \HashFunction} \label{concretediversifyhash}
|
||||
|
||||
$\DiversifyHash$ is used to derive a \diversifiedBase from a \diversifier in
|
||||
\crossref{saplingkeycomponents}.
|
||||
|
||||
Let $\GroupJHash{}$ and $U$ be as defined in \crossref{concretegrouphashjubjub}.
|
||||
|
||||
Define
|
||||
|
||||
\begin{formulae}
|
||||
\item $\DiversifyHash(\Diversifier) := \GroupJHash{U}(\ascii{Zcash\_gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier})$
|
||||
\end{formulae}
|
||||
|
||||
\securityrequirement{
|
||||
$\DiversifyHash$ must satisfy the Discrete Logarithm Independence property
|
||||
described in \crossref{abstractgrouphash}. \todo{make this more precise.}
|
||||
}
|
||||
} %sapling
|
||||
|
||||
|
||||
\sapling{
|
||||
\introlist
|
||||
\subsubsubsection{\PedersenHashFunction} \label{concretepedersenhash}
|
||||
|
|
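Review bot: The sender-side validity check on $\DiversifiedTransmitPublic$ in the @-3276 hunk (the context lines `$\abstJOf{\DiversifiedTransmitPublic} \neq \bot$` and `$\scalarmult{8}{\abstJOf{\DiversifiedTransmitPublic}} \neq \ZeroJ$`) still treats $\DiversifiedTransmitPublic$ as a byte encoding, whereas the @-3016 hunk now defines it as the bare output of $\KASaplingDerivePublic$ (the surrounding $\reprJOf{\cdot}$ was removed) and the @-1972 hunk now applies $\reprJOf{\cdot}$ to it as a point inside $\NoteCommitSapling$. An implementer cannot tell from these three hunks which representation a payment address $(\Diversifier, \DiversifiedTransmitPublic)$ carries; the check should either be rewritten in point form, e.g. `(i.e. $\DiversifiedTransmitPublic \neq \bot$ and $\scalarmult{8}{\DiversifiedTransmitPublic} \neq \ZeroJ$)`, or the step should say explicitly that the address encoding is decoded with $\abstJ$ first. Whichever form is chosen, the multiplication-by-8 condition should be kept, since it is presumably what rejects a low-order $\DiversifiedTransmitPublic$ chosen by a malicious recipient. The enumerated list of sending steps begins and ends outside this hunk.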