zec
/
zips
mirror of https://github.com/zcash/zips.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

ZIP 316: Define a named constant \ell^MAX_M to replace the magic number 4194368. 

Also define \ell_H = 64.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2021-09-17 14:22:56 +01:00
parent 067befbb08
commit 17229163f9
1 changed files with 14 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
zip-0316.rst
View File

@ -579,9 +579,13 @@ Let :math:`H_i` be a hash personalized by :math:`i,` with maximum output
length :math:`\ell_H` bytes. Let :math:`G_i` be a XOF (a hash function with length :math:`\ell_H` bytes. Let :math:`G_i` be a XOF (a hash function with
extendable output length) based on :math:`H,` personalized by :math:`i.` extendable output length) based on :math:`H,` personalized by :math:`i.`
Define :math:`\ell^\mathsf{MAX}_M = (2^{16} + 1) \cdot \ell_H.`
For the instantiation using BLAKE2b defined below,
:math:`\ell^\mathsf{MAX}_M = 4194368.`
Given input :math:`M` of length :math:`\ell_M` bytes such that Given input :math:`M` of length :math:`\ell_M` bytes such that
:math:`48 \leq \ell_M \leq 4194368,` define :math:`\mathsf{F4Jumble}(M)` :math:`48 \leq \ell_M \leq \ell^\mathsf{MAX}_M,` define
by: :math:`\mathsf{F4Jumble}(M)` by:
* let :math:`\ell_L = \mathsf{min}(\ell_H, \mathsf{floor}(\ell_M/2))` * let :math:`\ell_L = \mathsf{min}(\ell_H, \mathsf{floor}(\ell_M/2))`
* let :math:`\ell_R = \ell_M - \ell_L` * let :math:`\ell_R = \ell_M - \ell_L`
@ -599,7 +603,7 @@ The first argument to BLAKE2b below is the personalization.
We instantiate :math:`H_i(u)` by We instantiate :math:`H_i(u)` by
:math:`\mathsf{BLAKE2b}(8\ell_L)(\texttt{“UA_F4Jumble_H”} \,||\,` :math:`\mathsf{BLAKE2b}(8\ell_L)(\texttt{“UA_F4Jumble_H”} \,||\,`
:math:`[i, 0, 0], u).` :math:`[i, 0, 0], u),` with :math:`\ell_H = 64.`
We instantiate :math:`G_i(u)` as the first :math:`\ell_R` bytes of the We instantiate :math:`G_i(u)` as the first :math:`\ell_R` bytes of the
concatenation of concatenation of
@ -627,14 +631,15 @@ zero bytes, to the raw encoding, then applies :math:`\mathsf{F4Jumble}`
before encoding the result with Bech32m. before encoding the result with Bech32m.
The Consumer rejects any Bech32m-decoded byte sequence that is less than The Consumer rejects any Bech32m-decoded byte sequence that is less than
48 bytes or greater than 4194368 bytes; otherwise it applies 48 bytes or greater than :math:`\ell^\mathsf{MAX}_M` bytes; otherwise it
:math:`\mathsf{F4Jumble}^{-1}.` It rejects any result that does not end applies :math:`\mathsf{F4Jumble}^{-1}.` It rejects any result that does
in the expected padding, before stripping these 16 bytes and parsing the not end in the expected padding, before stripping these 16 bytes and
result. parsing the result.
(48 bytes is the minimum size of a valid UA, UFVK, or UIVK raw encoding (48 bytes is the minimum size of a valid UA, UFVK, or UIVK raw encoding
plus 16 zero bytes, corresponding to a single Sapling Incoming Viewing Key. plus 16 zero bytes, corresponding to a single Sapling Incoming Viewing Key.
4194368 bytes is the largest input/output size supported by :math:`\mathsf{F4Jumble}.`) :math:`\ell^\mathsf{MAX}_M` bytes is the largest input/output size
supported by :math:`\mathsf{F4Jumble}.`)
Heuristic analysis Heuristic analysis
'''''''''''''''''' ''''''''''''''''''
@ -701,7 +706,7 @@ For longer UAs (when other Typecodes are added), the cost increases to 6
BLAKE2b compressions for :math:`128 < \ell_M \leq 192,` and 10 BLAKE2b BLAKE2b compressions for :math:`128 < \ell_M \leq 192,` and 10 BLAKE2b
compressions for :math:`192 < \ell_M \leq 256,` for example. The maximum compressions for :math:`192 < \ell_M \leq 256,` for example. The maximum
cost for which the algorithm is defined would be 196608 BLAKE2b compressions cost for which the algorithm is defined would be 196608 BLAKE2b compressions
at :math:`\ell_M = 4194368` bytes. at :math:`\ell_M = \ell^\mathsf{MAX}_M` bytes.
A naïve implementation of the :math:`\mathsf{F4Jumble}^{-1}` function would A naïve implementation of the :math:`\mathsf{F4Jumble}^{-1}` function would
require roughly :math:`\ell_M` bytes plus the size of a BLAKE2b hash state. require roughly :math:`\ell_M` bytes plus the size of a BLAKE2b hash state.