From 15d59f11c4b74ed10b2693151a4aa921044aa41d Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Mon, 19 Apr 2021 00:06:37 +0100 Subject: [PATCH] Add note about non-uniformity of Orchard ivk. Signed-off-by: Daira Hopwood --- protocol/protocol.tex | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/protocol/protocol.tex b/protocol/protocol.tex index b74ddb38..91837a43 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -4943,11 +4943,16 @@ The \diversifiedPaymentAddress with \diversifierIndex $0$ is called the \definin \end{pnotes} \vspace{-2ex} -\nnote{ -The uses of $\ToScalar{Orchard}$ and $\ToBase{Orchard}$ produce output that is -uniform on $\GF{\ParamP{r}}$ and $\GF{\ParamP{q}}$ respectively when applied to random -input, by a similar argument to that used in \crossref{saplingkeycomponents}. -} %nnote +\begin{nnotes} + \item The uses of $\ToScalar{Orchard}$ and $\ToBase{Orchard}$ produce output that is + uniform on $\GF{\ParamP{r}}$ and $\GF{\ParamP{q}}$ respectively when applied to + random input, by a similar argument to that used in \crossref{saplingkeycomponents}. + \item The output of $\CommitIvk{}$ is the $x$-coordinate of a \pallasCurve point, which + we then use as a $\KA{Orchard}$ private key $\InViewingKey$ for \note encryption. + The fact that $\InViewingKey$ is non-uniform on $\GF{\ParamP{r}}$ (since it can + only take on roughly half of the possible values) is not expected to cause any + security issue. +\end{nnotes} } %nufive @@ -14220,6 +14225,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \nufive{ \item Correct errors in the definitions of $\ExtractP$ and $\ExtractPbot$ in \crossref{concreteextractorpallas}: $\ExtractP(\ZeroP)$ should be $0$, and $\ExtractPbot(\bot)$ should be $\bot$. + \item Add a note in \crossref{orchardkeycomponents} about non-uniformity of $\InViewingKey$. } \item Fix some URLs in references. \end{itemize}
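Review bot: in the first hunk, the new second item states that the non-uniformity of $\InViewingKey$ "is not expected to cause any security issue" without giving the reason, which is the one thing a reader of a security note will want; consider adding the one-sentence justification implied by the surrounding text (taking on roughly half of the possible values loses about one bit of entropy relative to a uniform $\GF{\ParamP{r}}$ element) or a cross-reference to where that argument is made. It would also help to say explicitly that the $x$-coordinate is an element of $\GF{\ParamP{q}}$ that is reinterpreted as a $\GF{\ParamP{r}}$ scalar, since that reinterpretation is why the first item's uniformity argument does not carry over.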
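Review bot: in the second hunk, the changelog entry "Add a note in \crossref{orchardkeycomponents} about non-uniformity of $\InViewingKey$" matches the change, but the same hunk in \crossref{orchardkeycomponents} also converts the existing single \nnote into an nnotes list; that is purely structural, so no separate entry is needed, though the entry could read "about non-uniformity of $\InViewingKey$ derived from $\CommitIvk{}$" so that it names the source of the non-uniformity the note actually discusses.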