mirror of https://github.com/zcash/zips.git
ZIP 316: Define a named constant \ell^MAX_M to replace the magic number 4194368.
Also define \ell_H = 64.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent
067befbb08
commit
17229163f9
23
zip-0316.rst
|
@ -579,9 +579,13 @@ Let :math:`H_i` be a hash personalized by :math:`i,` with maximum output
|
||||||
length :math:`\ell_H` bytes. Let :math:`G_i` be a XOF (a hash function with
|
length :math:`\ell_H` bytes. Let :math:`G_i` be a XOF (a hash function with
|
||||||
extendable output length) based on :math:`H,` personalized by :math:`i.`
|
extendable output length) based on :math:`H,` personalized by :math:`i.`
|
||||||
|
|
||||||
|
Define :math:`\ell^\mathsf{MAX}_M = (2^{16} + 1) \cdot \ell_H.`
|
||||||
|
For the instantiation using BLAKE2b defined below,
|
||||||
|
:math:`\ell^\mathsf{MAX}_M = 4194368.`
|
||||||
|
|
||||||
Given input :math:`M` of length :math:`\ell_M` bytes such that
|
Given input :math:`M` of length :math:`\ell_M` bytes such that
|
||||||
:math:`48 \leq \ell_M \leq 4194368,` define :math:`\mathsf{F4Jumble}(M)`
|
:math:`48 \leq \ell_M \leq \ell^\mathsf{MAX}_M,` define
|
||||||
by:
|
:math:`\mathsf{F4Jumble}(M)` by:
|
||||||
|
|
||||||
* let :math:`\ell_L = \mathsf{min}(\ell_H, \mathsf{floor}(\ell_M/2))`
|
* let :math:`\ell_L = \mathsf{min}(\ell_H, \mathsf{floor}(\ell_M/2))`
|
||||||
* let :math:`\ell_R = \ell_M - \ell_L`
|
* let :math:`\ell_R = \ell_M - \ell_L`
|
||||||
|
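Review bot: The added sentence giving :math:`\ell^\mathsf{MAX}_M = 4194368` for the BLAKE2b instantiation depends on :math:`\ell_H = 64,` which is not stated anywhere in this hunk; here :math:`\ell_H` is only described as the maximum output length of :math:`H_i`. Suggest stating the value alongside the definition, e.g. "For the instantiation using BLAKE2b defined below, :math:`\ell_H = 64` and so :math:`\ell^\mathsf{MAX}_M = 4194368`", so that a reader can check :math:`(2^{16} + 1) \cdot 64 = 4194368` in place. The factor :math:`2^{16} + 1` is also introduced without a rationale; one sentence saying where it comes from would replace one magic number with an explained one rather than with another unexplained expression.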
@ -599,7 +603,7 @@ The first argument to BLAKE2b below is the personalization.
|
||||||
|
|
||||||
We instantiate :math:`H_i(u)` by
|
We instantiate :math:`H_i(u)` by
|
||||||
:math:`\mathsf{BLAKE2b‐}(8\ell_L)(\texttt{“UA_F4Jumble_H”} \,||\,`
|
:math:`\mathsf{BLAKE2b‐}(8\ell_L)(\texttt{“UA_F4Jumble_H”} \,||\,`
|
||||||
:math:`[i, 0, 0], u).`
|
:math:`[i, 0, 0], u),` with :math:`\ell_H = 64.`
|
||||||
|
|
||||||
We instantiate :math:`G_i(u)` as the first :math:`\ell_R` bytes of the
|
We instantiate :math:`G_i(u)` as the first :math:`\ell_R` bytes of the
|
||||||
concatenation of
|
concatenation of
|
||||||
|
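Review bot: The clause ", with :math:`\ell_H = 64.`" is appended to the end of the :math:`H_i(u)` instantiation sentence, where it is easy to miss and reads as a parameter of that one BLAKE2b call, whose output length is written as :math:`8\ell_L` and not in terms of :math:`\ell_H`. Since :math:`\ell_H` also fixes :math:`\ell^\mathsf{MAX}_M` and the bound in :math:`\ell_L = \mathsf{min}(\ell_H, \ldots)`, suggest giving it its own sentence ahead of the two instantiations, e.g. "For this instantiation, :math:`\ell_H = 64.`", and pointing to it from the definition of :math:`\ell^\mathsf{MAX}_M`.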
@ -627,14 +631,15 @@ zero bytes, to the raw encoding, then applies :math:`\mathsf{F4Jumble}`
|
||||||
before encoding the result with Bech32m.
|
before encoding the result with Bech32m.
|
||||||
|
|
||||||
The Consumer rejects any Bech32m-decoded byte sequence that is less than
|
The Consumer rejects any Bech32m-decoded byte sequence that is less than
|
||||||
48 bytes or greater than 4194368 bytes; otherwise it applies
|
48 bytes or greater than :math:`\ell^\mathsf{MAX}_M` bytes; otherwise it
|
||||||
:math:`\mathsf{F4Jumble}^{-1}.` It rejects any result that does not end
|
applies :math:`\mathsf{F4Jumble}^{-1}.` It rejects any result that does
|
||||||
in the expected padding, before stripping these 16 bytes and parsing the
|
not end in the expected padding, before stripping these 16 bytes and
|
||||||
result.
|
parsing the result.
|
||||||
|
|
||||||
(48 bytes is the minimum size of a valid UA, UFVK, or UIVK raw encoding
|
(48 bytes is the minimum size of a valid UA, UFVK, or UIVK raw encoding
|
||||||
plus 16 zero bytes, corresponding to a single Sapling Incoming Viewing Key.
|
plus 16 zero bytes, corresponding to a single Sapling Incoming Viewing Key.
|
||||||
4194368 bytes is the largest input/output size supported by :math:`\mathsf{F4Jumble}.`)
|
:math:`\ell^\mathsf{MAX}_M` bytes is the largest input/output size
|
||||||
|
supported by :math:`\mathsf{F4Jumble}.`)
|
||||||
|
|
||||||
Heuristic analysis
|
Heuristic analysis
|
||||||
''''''''''''''''''
|
''''''''''''''''''
|
||||||
|
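Review bot: After this change the Consumer's reject rule ("less than 48 bytes or greater than :math:`\ell^\mathsf{MAX}_M` bytes") and the parenthetical below it no longer show the concrete upper bound, so an implementer writing the length check has to go back to the F4Jumble section to find 4194368. Because this is the normative input-validation step that runs before :math:`\mathsf{F4Jumble}^{-1}` is applied, suggest keeping the number next to the symbol in the parenthetical, e.g. ":math:`\ell^\mathsf{MAX}_M` bytes (4194368 for the BLAKE2b instantiation) is the largest input/output size supported by :math:`\mathsf{F4Jumble}.`" The lower bound stays as the literal 48 with its explanation, which leaves the two limits presented inconsistently.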
@ -701,7 +706,7 @@ For longer UAs (when other Typecodes are added), the cost increases to 6
|
||||||
BLAKE2b compressions for :math:`128 < \ell_M \leq 192,` and 10 BLAKE2b
|
BLAKE2b compressions for :math:`128 < \ell_M \leq 192,` and 10 BLAKE2b
|
||||||
compressions for :math:`192 < \ell_M \leq 256,` for example. The maximum
|
compressions for :math:`192 < \ell_M \leq 256,` for example. The maximum
|
||||||
cost for which the algorithm is defined would be 196608 BLAKE2b compressions
|
cost for which the algorithm is defined would be 196608 BLAKE2b compressions
|
||||||
at :math:`\ell_M = 4194368` bytes.
|
at :math:`\ell_M = \ell^\mathsf{MAX}_M` bytes.
|
||||||
|
|
||||||
A naïve implementation of the :math:`\mathsf{F4Jumble}^{-1}` function would
|
A naïve implementation of the :math:`\mathsf{F4Jumble}^{-1}` function would
|
||||||
require roughly :math:`\ell_M` bytes plus the size of a BLAKE2b hash state.
|
require roughly :math:`\ell_M` bytes plus the size of a BLAKE2b hash state.
|
||||||
|
|
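Review bot: In "196608 BLAKE2b compressions at :math:`\ell_M = \ell^\mathsf{MAX}_M` bytes", the length is now symbolic while the cost 196608 remains a literal that only holds for the BLAKE2b instantiation. Suggest either keeping the byte value in parentheses, e.g. ":math:`\ell_M = \ell^\mathsf{MAX}_M` (4194368) bytes", or saying explicitly that the compression count is for the BLAKE2b instantiation, so the worst-case cost figure can still be checked against a concrete input size.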