Correct type ambiguities for rho in Sapling.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent
df2f80f13b
commit
1ad35c6a59
|
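--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1113,6 +1113,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\NoteCommitRandOld}[1]{\NoteCommitRand^\mathsf{old}_{#1}}
 \newcommand{\NoteCommitRandNew}[1]{\NoteCommitRand^\mathsf{new}_{#1}}
 \newcommand{\NoteAddressRand}{\mathsf{\uprho}}
+\newcommand{\NoteAddressRandRepr}{\NoteAddressRand^{\Repr}}
 \newcommand{\NoteAddressRandOld}[1]{\NoteAddressRand^\mathsf{old}_{#1}}
 \newcommand{\NoteAddressRandNew}[1]{\NoteAddressRand^\mathsf{new}_{#1}}
 \newcommand{\NoteAddressPreRand}{\mathsf{\upvarphi}}
@@ -2288,8 +2289,7 @@ We refer to the combination of a \note and its \notePosition $\NotePosition$, as
 \positionedNote.
 
 For a \positionedNote, we can compute the value
-$\NoteAddressRand \typecolon \bitseq{\PRFOutputLengthNfSapling}$; see
-\crossref{commitmentsandnullifiers}.
+$\NoteAddressRand$ as described in \crossref{commitmentsandnullifiers}.
 } %sapling
 
 \vspace{2ex}
@@ -3926,7 +3926,7 @@ A \dummy{} \Sapling input \note is constructed as follows:
 = \NoteCommitSapling{\NoteCommitRand}(\reprJOf{\DiversifiedTransmitBase},
 \reprJOf{\DiversifiedTransmitPublic},
 \Value)$.
-\item Compute $\nfOld{} = \PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRand)$.
+\item Compute $\nfOld{} = \PRFnfSapling{\AuthProvePublicRepr}(\reprJ(\NoteAddressRand))$.
 \item Construct a \dummy \merklePath $\TreePath{}$ for use in the
 \auxiliaryInput to the \spendStatement (this will not be checked).
 \end{itemize}
@@ -4299,8 +4299,8 @@ is derived as $\PRFnf{\AuthPrivate}(\NoteAddressRand)$, where $\AuthPrivate$ is
 
 \sapling{
 For a \Sapling{} \note, the \nullifier is derived as
-$\PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRand)$, where $\AuthProvePublicRepr$
-is a representation of the \nullifierKey associated with the \note.
+$\PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRandRepr)$, where $\AuthProvePublicRepr$
+is a representation of the \nullifierKey associated with the \note and $\NoteAddressRandRepr = \reprJ(\NoteAddressRand)$.
 } %sapling
 
 
@@ -4467,11 +4467,12 @@ and $\scalarmult{\ParamJ{h}}{\AuthSignPublic} \neq \ZeroJ$.
 
 \snarkcondition{\Nullifier{} integrity} \label{spendnullifierintegrity}
 
-$\nfOld{} = \PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRand)$ where
+$\nfOld{} = \PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRandRepr)$ where
+\vspace{-1ex}
 \begin{formulae}
 \item $\AuthProvePublicRepr = \reprJOf{\scalarmult{\AuthProvePrivate}{\AuthProveBase}}$
 \vspace{-1ex}
-\item $\NoteAddressRand = \MixingPedersenHash(\cmOld{}, \NotePosition)$.
+\item $\NoteAddressRandRepr = \reprJ\big(\MixingPedersenHash(\cmOld{}, \NotePosition)\big)$.
 \end{formulae}
 
 \snarkcondition{Spend authority} \label{spendauthority}
@@ -4808,8 +4809,8 @@ $\NoteAddressRand$ value can immediately be calculated as described in
 
 To test whether a \Sapling{} \note is unspent in a particular \blockchain also requires
 the \nullifierKey $\AuthProvePublicRepr$; the coin is unspent if and only if
-$\nf = \PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRand)$ is not in the \nullifierSet
-for that \blockchain.
+$\nf = \PRFnfSapling{\AuthProvePublicRepr}(\reprJ(\NoteAddressRand))$ is not in the
+\nullifierSet for that \blockchain.
 
 \pnote{
 A \note can change from being unspent to spent as a node's view of the best
@@ -5687,7 +5688,7 @@ be necessary.})
 \setsapling
 \begin{bytefield}[bitwidth=0.046em]{512}
 \sbitbox{256}{$\LEBStoOSPOf{256}{\AuthProvePublicRepr}$} &
-\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJOf{\NoteAddressRand}\hairspace}$}
+\sbitbox{256}{$\LEBStoOSPOf{256}{\NoteAddressRandRepr}$}
 \end{bytefield}
 \end{lrbox}
 
@@ -5718,7 +5719,7 @@ $\PRFnfSapling{}$ is used to derive the \nullifier for a \Sapling{} \note.
 It is instantiated using the $\BlakeTwosGeneric$ \hashFunction defined in \crossref{concreteblake2}:
 
 \begin{formulae}
-\item $\PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRand) := \BlakeTwosOf{256}{\ascii{Zcash\_nf}, \Justthebox{\nfsaplingbox}}$.
+\item $\PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRandRepr) := \BlakeTwosOf{256}{\ascii{Zcash\_nf}, \Justthebox{\nfsaplingbox}}$.
 \end{formulae}
 
 \vspace{-3.5ex}
@@ -8526,9 +8527,11 @@ This is sufficient to prevent the Faerie Gold attack.
 A variation on the attack attempts to cause the \nullifier of a sent
 \note to be repeated, without repeating $\NoteAddressRand$.
 However, since the \nullifier is computed as
-$\PRFnf{\AuthPrivate}(\NoteAddressRand)$, this is only possible if
-the adversary finds a collision (across both inputs) on $\PRFnf{}$,
-which is assumed to be infeasible --- see \crossref{abstractprfs}.
+$\PRFnf{\AuthPrivate}(\NoteAddressRand)$\sapling{ (or
+$\PRFnfSapling{\AuthProvePublic}(\NoteAddressRandRepr)$ for \Sapling)},
+this is only possible if the adversary finds a collision across both
+inputs on $\PRFnf{}$\sapling{ (or $\PRFnfSapling{}$)}, which is assumed
+to be infeasible --- see \crossref{abstractprfs}.
 
 \sproutspecific{
 Crucially, ``\nullifier integrity'' is enforced whether or not the
@@ -8922,6 +8925,7 @@ found by Brian Warner.
 \begin{itemize}
 \item No changes to \Sprout.
 \sapling{
+\item Correct type ambiguities for $\NoteAddressRand$.
 \item Specify the representation of $i$ in group $\GroupG{2}$ of $\BLSCurve$.
 } %sapling
 \end{itemize}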
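Review bot: In the Faerie Gold discussion (the hunk at -8526,9 +8527,11) the new Sapling nullifier expression is keyed as `$\PRFnfSapling{\AuthProvePublic}(\NoteAddressRandRepr)$`, while the definition of $\PRFnfSapling{}$ in the -5718 hunk and every other new-side occurrence key it as $\AuthProvePublicRepr$; since the commit exists to remove type ambiguities for this PRF's inputs, the key should be the representation as well, i.e. `$\PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRandRepr)$ for \Sapling)},`. Relatedly, the -3926 and -4808 hunks spell the second argument inline as `\reprJ(\NoteAddressRand)` whereas the -4299, -4467, -5687 and -5718 hunks use the new `\NoteAddressRandRepr` macro; using the macro throughout keeps the nullifier input typed consistently across the spec. In the -4467 hunk, `\reprJ\big(\MixingPedersenHash(\cmOld{}, \NotePosition)\big)` could use the `\reprJOf{...}` form already used on the adjacent $\AuthProvePublicRepr$ line instead of manual `\big` delimiters.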