Rename the type of Sapling transmission keys from KA^Sapling.PublicPrimeOrder to KA^Sapling.PublicPrimeSubgroup.

This type is defined as J^(r), which reflects the implementation in zcashd (subject to the point below);
it was never enforced that a transmission key (pk_d) cannot be the zero point.

Add a non-normative note saying that zcashd does not fully conform to the requirement to treat
transmission keys not in KA^Sapling.PublicPrimeSubgroup as invalid when importing payment addresses.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2020-08-11 13:43:00 +01:00
parent e1037ff046
commit 1d71f6cb31
1 changed file with 34 additions and 21 deletions


@ -1389,7 +1389,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\KA}{\mathsf{KA}}
\newcommand{\KAPublic}{\KA\mathsf{.Public}}
\newcommand{\KAPublicPrimeOrder}{\KA\mathsf{.PublicPrimeOrder}}
\newcommand{\KAPublicPrimeSubgroup}{\KA\mathsf{.PublicPrimeSubgroup}}
\newcommand{\KAPrivate}{\KA\mathsf{.Private}}
\newcommand{\KASharedSecret}{\KA\mathsf{.SharedSecret}}
\newcommand{\KAFormatPrivate}{\KA\mathsf{.FormatPrivate}}
@ -1413,7 +1413,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\KASapling}{\mathsf{KA^{Sapling}}}
\newcommand{\KASaplingPublic}{\KASapling\mathsf{.Public}}
\newcommand{\KASaplingPublicPrimeOrder}{\KASapling\mathsf{.PublicPrimeOrder}}
\newcommand{\KASaplingPublicPrimeSubgroup}{\KASapling\mathsf{.PublicPrimeSubgroup}}
\newcommand{\KASaplingPrivate}{\KASapling\mathsf{.Private}}
\newcommand{\KASaplingSharedSecret}{\KASapling\mathsf{.SharedSecret}}
\newcommand{\KASaplingDerivePublic}{\KASapling\mathsf{.DerivePublic}}
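Review bot: removing \KAPublicPrimeOrder (previous hunk) and \KASaplingPublicPrimeOrder here turns any surviving use of either macro into an undefined control sequence at build time. The changelog hunk at the end deliberately spells out $\KASapling\mathsf{.PublicPrimeOrder}$ inline instead of using the deleted macro, which is the right approach; a grep for `PublicPrimeOrder` over the whole file before merging would confirm nothing else still references the old names.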
@ -2768,7 +2768,7 @@ A \Sapling{} \note is a tuple $(\Diversifier, \DiversifiedTransmitPublic,
\begin{itemize}
\item $\Diversifier \typecolon \DiversifierType$
is the \diversifier of the recipient's \paymentAddress;
\item $\DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeOrder$
\item $\DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeSubgroup$
is the \diversifiedTransmissionKey of the recipient's \paymentAddress;
\item $\Value \typecolon \range{0}{\MAXMONEY}$ is an integer
representing the value of the \note in \zatoshi;
@ -2779,7 +2779,7 @@ A \Sapling{} \note is a tuple $(\Diversifier, \DiversifiedTransmitPublic,
\introlist
Let $\NoteTypeSapling$ be the type of a \Sapling{} \note, i.e.
\begin{formulae}
\item $\NoteTypeSapling := \DiversifierType \times \KASaplingPublicPrimeOrder \times \range{0}{\MAXMONEY}
\item $\NoteTypeSapling := \DiversifierType \times \KASaplingPublicPrimeSubgroup \times \range{0}{\MAXMONEY}
\times \NoteCommitSaplingTrapdoor$.
\end{formulae}
} %sapling
@ -3354,7 +3354,7 @@ a shared secret, each using their \defining{\privateKey} and the other party's \
A \keyAgreementScheme $\KA$ defines a type of \publicKeys $\KAPublic$, a type
of \privateKeys $\KAPrivate$, and a type of shared secrets $\KASharedSecret$.
\sapling{Optionally, it also defines a type $\KAPublicPrimeOrder \subseteq \KAPublic$.}
\sapling{Optionally, it also defines a type $\KAPublicPrimeSubgroup \subseteq \KAPublic$.}
\sapling{Optional:} Let $\KAFormatPrivate \typecolon \PRFOutputSprout \rightarrow \KAPrivate$
be a function to convert a bit string of length $\PRFOutputLengthSprout$ to a $\KA$ \privateKey.
@ -4192,7 +4192,7 @@ Then calculate the \defining{\diversifiedTransmissionKey} $\DiversifiedTransmitP
\vspace{-1ex}
The resulting \diversifiedPaymentAddress is
$(\Diversifier \typecolon \DiversifierType, \DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeOrder)$.
$(\Diversifier \typecolon \DiversifierType, \DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeSubgroup)$.
\vspace{1ex}
For each \spendingKey, there is also a \defining{\defaultDiversifiedPaymentAddress}
@ -4554,9 +4554,9 @@ performs the following steps:
\vspace{0.5ex}
\begin{algorithm}
\item Check that $\DiversifiedTransmitPublic$ is of type $\KASaplingPublicPrimeOrder$, i.e.\ it
is a valid \ctEdwardsCurve point on the \jubjubCurve (as defined in \crossref{jubjub})
not equal to $\ZeroJ$, and $\scalarmult{\ParamJ{r}}{\DiversifiedTransmitPublic} = \ZeroJ$.
\item Check that $\DiversifiedTransmitPublic$ is of type $\KASaplingPublicPrimeSubgroup$, i.e.\ it
is a valid \ctEdwardsCurve point on the \jubjubCurve (as defined in \crossref{jubjub}), and
$\scalarmult{\ParamJ{r}}{\DiversifiedTransmitPublic} = \ZeroJ$.
\item Calculate $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$
and check that $\DiversifiedTransmitBase \neq \bot$.
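Review bot: dropping the "not equal to $\ZeroJ$" clause means $\DiversifiedTransmitPublic = \ZeroJ$ now passes this validation step, and nothing in this hunk says why that is acceptable. Because $\KASaplingAgree$ is scalar multiplication in $\SubgroupJ$, $\KASaplingAgree(\EphemeralPrivate, \ZeroJ) = \ZeroJ$ for every ephemeral key, so a note sent to such an address has a shared secret anyone can compute. The changelog entry says this was never enforced by \zcashd, so the relaxation is intentional, but a one-line \nnote here (that $\ZeroJ$ is tolerated for compatibility and that such an address is not useful for receiving funds privately) would stop readers from taking the omission for a mistake.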
@ -5630,9 +5630,9 @@ For both encryption and decryption,
\sapling{
\lsubsubsection{Encryption (\SaplingText)}{saplingencrypt}
Let $\DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeOrder$ be the
Let $\DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeSubgroup$ be the
\diversifiedTransmissionKey for the intended recipient address of a new \Sapling{} \note,
and let $\DiversifiedTransmitBase \typecolon \KASaplingPublicPrimeOrder$ be the corresponding
and let $\DiversifiedTransmitBase \typecolon \KASaplingPublicPrimeSubgroup$ be the corresponding
\diversifiedBase computed as $\DiversifyHash(\Diversifier)$.
Since \Sapling{} \note encryption is used only in the context of \crossref{saplingsend}, we may assume that
@ -5801,7 +5801,7 @@ The \outgoingViewingKey holder will attempt to decrypt the \noteCiphertext as fo
\EphemeralPrivateBytes \typecolon \EphemeralPrivateBytesType)$ from $\OutPlaintext$
\item let $\EphemeralPrivate = \LEOStoIPOf{256}{\EphemeralPrivateBytes}$
and $\DiversifiedTransmitPublic = \abstJ\Of{\DiversifiedTransmitPublicRepr}$
\item if $\EphemeralPrivate \geq \ParamJ{r}$ or $\DiversifiedTransmitPublic \notin \KASaplingPublicPrimeOrder$, return $\bot$
\item if $\EphemeralPrivate \geq \ParamJ{r}$ or $\DiversifiedTransmitPublic \notin \KASaplingPublicPrimeSubgroup$, return $\bot$
\item let $\DHSecret{} = \KASaplingAgree(\EphemeralPrivate, \DiversifiedTransmitPublic)$
\item let $\TransmitKey{} = \KDFSapling(\DHSecret{}, \EphemeralPublic)$
\item let $\TransmitPlaintext{} = \SymDecrypt{\TransmitKey{}}(\TransmitCiphertext{})$
@ -7087,7 +7087,7 @@ Let $\GroupJ$, $\SubgroupJ$, $\SubgroupJstar$, and the cofactor $\ParamJ{h}$ be
Define $\KASaplingPublic := \GroupJ$.
Define $\KASaplingPublicPrimeOrder := \SubgroupJstar$.
Define $\KASaplingPublicPrimeSubgroup := \SubgroupJ$.
Define $\KASaplingSharedSecret := \SubgroupJ$.
@ -8593,12 +8593,11 @@ cause the first two characters of the Base58Check encoding to be fixed as
Let $\KASapling$ be as defined in \crossref{concretesaplingkeyagreement}.
A \Sapling{} \defining{\paymentAddress} consists of $\Diversifier \typecolon \DiversifierType$
and $\DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeOrder$.
and $\DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeSubgroup$.
$\DiversifiedTransmitPublic$ is an encoding of a $\KASapling$ \publicKey of type
$\KASaplingPublicPrimeOrder$ (see \crossref{concretesaplingkeyagreement}),
for use with the encryption scheme defined in \crossref{saplinginband}.
$\Diversifier$~is a sequence of $11$ bytes.
$\KASaplingPublicPrimeSubgroup$, for use with the encryption scheme defined in
\crossref{saplinginband}. $\Diversifier$~is a sequence of $11$ bytes.
These components are derived as described in \crossref{saplingkeycomponents}.
\introlist
@ -8617,10 +8616,15 @@ The \rawEncoding of a \Sapling{} \paymentAddress consists of:
$\DiversifiedTransmitPublic$ (see \crossref{jubjub}).
\end{itemize}
When decoding the representation of $\DiversifiedTransmitPublic$, the address is
not valid if $\abstJ$ returns $\bot$ or if the resulting $\DiversifiedTransmitPublic$
is not of prime order.
When decoding the representation of $\DiversifiedTransmitPublic$, the address \MUST be
considered invalid if $\abstJ$ returns $\bot$ or if the resulting $\DiversifiedTransmitPublic$
is not in the prime-order subgroup $\SubgroupJ$.
\vspace{-2ex}
\nnote{\zcashd currently (as of version 3.1.0) does not fully conform to this requirement on
address validation when importing \paymentAddresses.}
\vspace{1ex}
For addresses on \Mainnet, the \defining{\humanReadablePart} (as defined in \cite{ZIP-173}) is \ascii{zs}.
For addresses on \Testnet, the \humanReadablePart is \ascii{ztestsapling}.
} %sapling
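Review bot: the new \nnote says \zcashd "does not fully conform" without saying which part of the rule it skips, so a reader of this diff cannot tell whether \zcashd accepts points outside $\SubgroupJ$ or merely fails to reject $\ZeroJ$, and an implementer writing a test vector against it has nothing to target. Suggest naming the exact gap, e.g. "\zcashd (as of version 3.1.0) does not check that $\DiversifiedTransmitPublic \in \SubgroupJ$ when importing \paymentAddresses", and, if the missing check is the subgroup test rather than the $\ZeroJ$ case, say so explicitly since the two have very different consequences.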
@ -8748,7 +8752,7 @@ The \rawEncoding of a \Sapling{} \fullViewingKey consists of:
\item $32$ bytes specifying the \outgoingViewingKey $\OutViewingKey$.
\end{itemize}
When decoding this representation, the key is not valid if $\abstJ$ returns $\bot$
When decoding this representation, the key \MUST be considered invalid if $\abstJ$ returns $\bot$
for either $\AuthSignPublic$ or $\AuthProvePublic$, or if $\AuthSignPublic \notin \SubgroupJstar$,
or if $\AuthProvePublic \notin \SubgroupJ$.
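Review bot: this hunk and the \paymentAddress hunk above change "is not valid" to "\MUST be considered invalid", but the diff adds no definition of a \MUST macro; confirm one already exists in the preamble or the build will fail. The conditions themselves look right and are consistent with the rename: $\AuthSignPublic \notin \SubgroupJstar$ keeps the nonzero requirement for $\AuthSignPublic$, while $\AuthProvePublic \notin \SubgroupJ$ and the new $\DiversifiedTransmitPublic$ rule both admit $\ZeroJ$.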
@ -10816,6 +10820,15 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\historyentry{2020.1.13}{2020-08-11}
\begin{itemize}
\sapling{
\item Rename the type of \Sapling \transmissionKeys from $\KASapling\mathsf{.PublicPrimeOrder}$
to $\KASaplingPublicPrimeSubgroup$. This type is defined as $\SubgroupJ$, which reflects
the implementation in \zcashd (subject to the next point below); it was never enforced that a
\transmissionKey ($\DiversifiedTransmitPublic$) cannot be $\ZeroJ$.
\item Add a non-normative note saying that \zcashd does not fully conform to the requirement
to treat \transmissionKeys not in $\KASaplingPublicPrimeSubgroup$ as invalid when importing
\paymentAddresses.
} %sapling
\canopy{
\item Set $\CanopyActivationHeight$ for \Testnet.
\item Modify the tables and notes in \crossref{zip214fundingstreams} to reflect changes in
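Review bot: the changelog entry omits two normative-language changes made in this commit, the strengthening of the \paymentAddress decoding rule to "\MUST be considered invalid ... not in the prime-order subgroup $\SubgroupJ$" and the matching change for \fullViewingKey decoding; both should get a bullet under the \sapling{} block since readers of the history use it to find changes that affect validation behaviour. Minor: "subject to the next point below" can be shortened to "subject to the next point".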