mirror of https://github.com/zcash/zips.git
ZIP 316: Define a named constant \ell^MAX_M to replace the magic number 4194368.
Also define \ell_H = 64. Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent
067befbb08
commit
17229163f9
23
zip-0316.rst
@ -579,9 +579,13 @@ Let :math:`H_i` be a hash personalized by :math:`i,` with maximum output
|
|||
length :math:`\ell_H` bytes. Let :math:`G_i` be a XOF (a hash function with
|
||||
extendable output length) based on :math:`H,` personalized by :math:`i.`
|
||||
|
||||
Define :math:`\ell^\mathsf{MAX}_M = (2^{16} + 1) \cdot \ell_H.`
|
||||
For the instantiation using BLAKE2b defined below,
|
||||
:math:`\ell^\mathsf{MAX}_M = 4194368.`
|
||||
|
||||
Given input :math:`M` of length :math:`\ell_M` bytes such that
|
||||
:math:`48 \leq \ell_M \leq 4194368,` define :math:`\mathsf{F4Jumble}(M)`
|
||||
by:
|
||||
:math:`48 \leq \ell_M \leq \ell^\mathsf{MAX}_M,` define
|
||||
:math:`\mathsf{F4Jumble}(M)` by:
|
||||
|
||||
* let :math:`\ell_L = \mathsf{min}(\ell_H, \mathsf{floor}(\ell_M/2))`
|
||||
* let :math:`\ell_R = \ell_M - \ell_L`
|
||||
|
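Review bot: the new definition of \ell^\mathsf{MAX}_M = (2^{16} + 1) \cdot \ell_H gives no reason for the factor 2^{16} + 1, and at this point in the text \ell_H is only "maximum output length" with no value. A reader cannot check the stated 4194368 without jumping ahead to the instantiation. Suggest one sentence saying what in the construction limits the length to 2^{16} + 1 hash-output blocks, and a pointer to where \ell_H is fixed. The arithmetic itself is consistent with \ell_H = 64: 65537 \cdot 64 = 4194368. Minor style point: the lower bound in "48 \leq \ell_M \leq \ell^\mathsf{MAX}_M" is still a bare literal, so the range now mixes a named constant with a magic number.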
@ -599,7 +603,7 @@ The first argument to BLAKE2b below is the personalization.
|
|||
|
||||
We instantiate :math:`H_i(u)` by
|
||||
:math:`\mathsf{BLAKE2b‐}(8\ell_L)(\texttt{“UA_F4Jumble_H”} \,||\,`
|
||||
:math:`[i, 0, 0], u).`
|
||||
:math:`[i, 0, 0], u),` with :math:`\ell_H = 64.`
|
||||
|
||||
We instantiate :math:`G_i(u)` as the first :math:`\ell_R` bytes of the
|
||||
concatenation of
|
||||
|
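Review bot: "with \ell_H = 64" is appended to the end of the H_i formula, where it reads as a side remark on an expression that uses \ell_L, not \ell_H. Since the earlier hunk introduces \ell_H as the maximum output length of H_i and uses it to derive \ell^\mathsf{MAX}_M, the value deserves its own sentence here, stated as that maximum for this instantiation and given in bytes, so the link between the 64 and the 4194368 quoted earlier is explicit.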
@ -627,14 +631,15 @@ zero bytes, to the raw encoding, then applies :math:`\mathsf{F4Jumble}`
|
|||
before encoding the result with Bech32m.
|
||||
|
||||
The Consumer rejects any Bech32m-decoded byte sequence that is less than
|
||||
48 bytes or greater than 4194368 bytes; otherwise it applies
|
||||
:math:`\mathsf{F4Jumble}^{-1}.` It rejects any result that does not end
|
||||
in the expected padding, before stripping these 16 bytes and parsing the
|
||||
result.
|
||||
48 bytes or greater than :math:`\ell^\mathsf{MAX}_M` bytes; otherwise it
|
||||
applies :math:`\mathsf{F4Jumble}^{-1}.` It rejects any result that does
|
||||
not end in the expected padding, before stripping these 16 bytes and
|
||||
parsing the result.
|
||||
|
||||
(48 bytes is the minimum size of a valid UA, UFVK, or UIVK raw encoding
|
||||
plus 16 zero bytes, corresponding to a single Sapling Incoming Viewing Key.
|
||||
4194368 bytes is the largest input/output size supported by :math:`\mathsf{F4Jumble}.`)
|
||||
:math:`\ell^\mathsf{MAX}_M` bytes is the largest input/output size
|
||||
supported by :math:`\mathsf{F4Jumble}.`)
|
||||
|
||||
Heuristic analysis
|
||||
''''''''''''''''''
|
||||
|
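Review bot: after this change the Consumer's rejection rule no longer shows the numeric upper bound anywhere in this section, only \ell^\mathsf{MAX}_M. This is the paragraph implementers will read when writing the length check that runs before \mathsf{F4Jumble}^{-1}, so consider keeping the concrete value alongside the symbol in the parenthetical, for example "\ell^\mathsf{MAX}_M bytes (4194368 for the BLAKE2b instantiation) is the largest input/output size". The 48-byte minimum and the 16-byte padding length remain literals in the same sentence, which is fine if intended, but it is inconsistent with the motivation given for naming the maximum.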
@ -701,7 +706,7 @@ For longer UAs (when other Typecodes are added), the cost increases to 6
|
|||
BLAKE2b compressions for :math:`128 < \ell_M \leq 192,` and 10 BLAKE2b
|
||||
compressions for :math:`192 < \ell_M \leq 256,` for example. The maximum
|
||||
cost for which the algorithm is defined would be 196608 BLAKE2b compressions
|
||||
at :math:`\ell_M = 4194368` bytes.
|
||||
at :math:`\ell_M = \ell^\mathsf{MAX}_M` bytes.
|
||||
|
||||
A naïve implementation of the :math:`\mathsf{F4Jumble}^{-1}` function would
|
||||
require roughly :math:`\ell_M` bytes plus the size of a BLAKE2b hash state.
|
||||
|
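Review bot: the line above the change still hardcodes "196608 BLAKE2b compressions" while the length it corresponds to is now symbolic. That count is tied to the same parameters as \ell^\mathsf{MAX}_M and will silently go stale if \ell_H or the bound is ever changed. Either say that the figure applies to the BLAKE2b instantiation with \ell^\mathsf{MAX}_M = 4194368, or express it in terms of the constants the patch introduces.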