mirror of https://github.com/zcash/zips.git
Rename the type of Sapling transmission keys from KA^Sapling.PublicPrimeOrder to KA^Sapling.PublicPrimeSubgroup.
This type is defined as J^(r), which reflects the implementation in zcashd (subject to the point below); it was never enforced that a transmission key (pk_d) cannot be the zero point. Add a non-normative note saying that zcashd does not fully conform to the requirement to treat transmission keys not in KA^Sapling.PublicPrimeSubgroup as invalid when importing payment addresses. Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent e1037ff046
commit 1d71f6cb31
@ -1389,7 +1389,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
|
|
||||||
\newcommand{\KA}{\mathsf{KA}}
|
\newcommand{\KA}{\mathsf{KA}}
|
||||||
\newcommand{\KAPublic}{\KA\mathsf{.Public}}
|
\newcommand{\KAPublic}{\KA\mathsf{.Public}}
|
||||||
\newcommand{\KAPublicPrimeOrder}{\KA\mathsf{.PublicPrimeOrder}}
|
\newcommand{\KAPublicPrimeSubgroup}{\KA\mathsf{.PublicPrimeSubgroup}}
|
||||||
\newcommand{\KAPrivate}{\KA\mathsf{.Private}}
|
\newcommand{\KAPrivate}{\KA\mathsf{.Private}}
|
||||||
\newcommand{\KASharedSecret}{\KA\mathsf{.SharedSecret}}
|
\newcommand{\KASharedSecret}{\KA\mathsf{.SharedSecret}}
|
||||||
\newcommand{\KAFormatPrivate}{\KA\mathsf{.FormatPrivate}}
|
\newcommand{\KAFormatPrivate}{\KA\mathsf{.FormatPrivate}}
|
||||||
|
@ -1413,7 +1413,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
|
|
||||||
\newcommand{\KASapling}{\mathsf{KA^{Sapling}}}
|
\newcommand{\KASapling}{\mathsf{KA^{Sapling}}}
|
||||||
\newcommand{\KASaplingPublic}{\KASapling\mathsf{.Public}}
|
\newcommand{\KASaplingPublic}{\KASapling\mathsf{.Public}}
|
||||||
\newcommand{\KASaplingPublicPrimeOrder}{\KASapling\mathsf{.PublicPrimeOrder}}
|
\newcommand{\KASaplingPublicPrimeSubgroup}{\KASapling\mathsf{.PublicPrimeSubgroup}}
|
||||||
\newcommand{\KASaplingPrivate}{\KASapling\mathsf{.Private}}
|
\newcommand{\KASaplingPrivate}{\KASapling\mathsf{.Private}}
|
||||||
\newcommand{\KASaplingSharedSecret}{\KASapling\mathsf{.SharedSecret}}
|
\newcommand{\KASaplingSharedSecret}{\KASapling\mathsf{.SharedSecret}}
|
||||||
\newcommand{\KASaplingDerivePublic}{\KASapling\mathsf{.DerivePublic}}
|
\newcommand{\KASaplingDerivePublic}{\KASapling\mathsf{.DerivePublic}}
|
||||||
|
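Review bot: the old macros \KAPublicPrimeOrder (previous hunk) and \KASaplingPublicPrimeOrder are deleted outright rather than kept as aliases of the new PrimeSubgroup names, so any occurrence of either outside the hunks in this diff will break the build. A grep of protocol.tex for "PrimeOrder" before merging would confirm the rename is complete; the only intended survivor is the history entry at the end of this diff, which correctly spells the old name out with \mathsf instead of invoking the removed macro.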
@ -2768,7 +2768,7 @@ A \Sapling{} \note is a tuple $(\Diversifier, \DiversifiedTransmitPublic,
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item $\Diversifier \typecolon \DiversifierType$
|
\item $\Diversifier \typecolon \DiversifierType$
|
||||||
is the \diversifier of the recipient's \paymentAddress;
|
is the \diversifier of the recipient's \paymentAddress;
|
||||||
\item $\DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeOrder$
|
\item $\DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeSubgroup$
|
||||||
is the \diversifiedTransmissionKey of the recipient's \paymentAddress;
|
is the \diversifiedTransmissionKey of the recipient's \paymentAddress;
|
||||||
\item $\Value \typecolon \range{0}{\MAXMONEY}$ is an integer
|
\item $\Value \typecolon \range{0}{\MAXMONEY}$ is an integer
|
||||||
representing the value of the \note in \zatoshi;
|
representing the value of the \note in \zatoshi;
|
||||||
|
@ -2779,7 +2779,7 @@ A \Sapling{} \note is a tuple $(\Diversifier, \DiversifiedTransmitPublic,
|
||||||
\introlist
|
\introlist
|
||||||
Let $\NoteTypeSapling$ be the type of a \Sapling{} \note, i.e.
|
Let $\NoteTypeSapling$ be the type of a \Sapling{} \note, i.e.
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\NoteTypeSapling := \DiversifierType \times \KASaplingPublicPrimeOrder \times \range{0}{\MAXMONEY}
|
\item $\NoteTypeSapling := \DiversifierType \times \KASaplingPublicPrimeSubgroup \times \range{0}{\MAXMONEY}
|
||||||
\times \NoteCommitSaplingTrapdoor$.
|
\times \NoteCommitSaplingTrapdoor$.
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
} %sapling
|
} %sapling
|
||||||
|
@ -3354,7 +3354,7 @@ a shared secret, each using their \defining{\privateKey} and the other party's \
|
||||||
|
|
||||||
A \keyAgreementScheme $\KA$ defines a type of \publicKeys $\KAPublic$, a type
|
A \keyAgreementScheme $\KA$ defines a type of \publicKeys $\KAPublic$, a type
|
||||||
of \privateKeys $\KAPrivate$, and a type of shared secrets $\KASharedSecret$.
|
of \privateKeys $\KAPrivate$, and a type of shared secrets $\KASharedSecret$.
|
||||||
\sapling{Optionally, it also defines a type $\KAPublicPrimeOrder \subseteq \KAPublic$.}
|
\sapling{Optionally, it also defines a type $\KAPublicPrimeSubgroup \subseteq \KAPublic$.}
|
||||||
|
|
||||||
\sapling{Optional:} Let $\KAFormatPrivate \typecolon \PRFOutputSprout \rightarrow \KAPrivate$
|
\sapling{Optional:} Let $\KAFormatPrivate \typecolon \PRFOutputSprout \rightarrow \KAPrivate$
|
||||||
be a function to convert a bit string of length $\PRFOutputLengthSprout$ to a $\KA$ \privateKey.
|
be a function to convert a bit string of length $\PRFOutputLengthSprout$ to a $\KA$ \privateKey.
|
||||||
|
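Review bot: the abstract definition on the `+` line still says only that $\KAPublicPrimeSubgroup \subseteq \KAPublic$, so the name now promises more than the text states; a reader learns that this is the prime-order subgroup (identity included) only from \crossref{concretesaplingkeyagreement}. Suggest adding a few words here, e.g. "intended to be the prime-order subgroup of $\KAPublic$", or a \crossref to the concrete instantiation, so the abstract section carries the meaning the name implies.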
@ -4192,7 +4192,7 @@ Then calculate the \defining{\diversifiedTransmissionKey} $\DiversifiedTransmitP
|
||||||
|
|
||||||
\vspace{-1ex}
|
\vspace{-1ex}
|
||||||
The resulting \diversifiedPaymentAddress is
|
The resulting \diversifiedPaymentAddress is
|
||||||
$(\Diversifier \typecolon \DiversifierType, \DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeOrder)$.
|
$(\Diversifier \typecolon \DiversifierType, \DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeSubgroup)$.
|
||||||
|
|
||||||
\vspace{1ex}
|
\vspace{1ex}
|
||||||
For each \spendingKey, there is also a \defining{\defaultDiversifiedPaymentAddress}
|
For each \spendingKey, there is also a \defining{\defaultDiversifiedPaymentAddress}
|
||||||
|
@ -4554,9 +4554,9 @@ performs the following steps:
|
||||||
|
|
||||||
\vspace{0.5ex}
|
\vspace{0.5ex}
|
||||||
\begin{algorithm}
|
\begin{algorithm}
|
||||||
\item Check that $\DiversifiedTransmitPublic$ is of type $\KASaplingPublicPrimeOrder$, i.e.\ it
|
\item Check that $\DiversifiedTransmitPublic$ is of type $\KASaplingPublicPrimeSubgroup$, i.e.\ it
|
||||||
is a valid \ctEdwardsCurve point on the \jubjubCurve (as defined in \crossref{jubjub})
|
is a valid \ctEdwardsCurve point on the \jubjubCurve (as defined in \crossref{jubjub}), and
|
||||||
not equal to $\ZeroJ$, and $\scalarmult{\ParamJ{r}}{\DiversifiedTransmitPublic} = \ZeroJ$.
|
$\scalarmult{\ParamJ{r}}{\DiversifiedTransmitPublic} = \ZeroJ$.
|
||||||
|
|
||||||
\item Calculate $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$
|
\item Calculate $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$
|
||||||
and check that $\DiversifiedTransmitBase \neq \bot$.
|
and check that $\DiversifiedTransmitBase \neq \bot$.
|
||||||
|
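Review bot: dropping "not equal to $\ZeroJ$" on the `+` lines is the substantive security change in this diff, and the algorithm step itself gives no hint why the identity is now admitted as a transmission key. The rationale (matching what \zcashd has always enforced, per the commit message) belongs in a \nnote directly after this algorithm, as this diff already does for address import; otherwise a reader of \crossref{saplingsend} sees an apparent weakening with no explanation. It is also worth stating there that $\scalarmult{\ParamJ{r}}{\ZeroJ} = \ZeroJ$, i.e. the remaining subgroup test is exactly what lets the identity pass.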
@ -5630,9 +5630,9 @@ For both encryption and decryption,
|
||||||
\sapling{
|
\sapling{
|
||||||
\lsubsubsection{Encryption (\SaplingText)}{saplingencrypt}
|
\lsubsubsection{Encryption (\SaplingText)}{saplingencrypt}
|
||||||
|
|
||||||
Let $\DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeOrder$ be the
|
Let $\DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeSubgroup$ be the
|
||||||
\diversifiedTransmissionKey for the intended recipient address of a new \Sapling{} \note,
|
\diversifiedTransmissionKey for the intended recipient address of a new \Sapling{} \note,
|
||||||
and let $\DiversifiedTransmitBase \typecolon \KASaplingPublicPrimeOrder$ be the corresponding
|
and let $\DiversifiedTransmitBase \typecolon \KASaplingPublicPrimeSubgroup$ be the corresponding
|
||||||
\diversifiedBase computed as $\DiversifyHash(\Diversifier)$.
|
\diversifiedBase computed as $\DiversifyHash(\Diversifier)$.
|
||||||
|
|
||||||
Since \Sapling{} \note encryption is used only in the context of \crossref{saplingsend}, we may assume that
|
Since \Sapling{} \note encryption is used only in the context of \crossref{saplingsend}, we may assume that
|
||||||
|
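Review bot: typing $\DiversifiedTransmitBase$ as $\KASaplingPublicPrimeSubgroup$ on the second `+` line is looser than needed. It is computed as $\DiversifyHash(\Diversifier)$, and \crossref{saplingsend} (earlier in this diff) checks that this is not $\bot$; assuming $\DiversifyHash$ still returns $\bot$ rather than the identity, $\SubgroupJstar$ remains the precise type for the base. Only $\DiversifiedTransmitPublic$ needed the wider type; keeping $\SubgroupJstar$ for $\DiversifiedTransmitBase$ preserves the fact that the derivation starts from a non-identity point.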
@ -5801,7 +5801,7 @@ The \outgoingViewingKey holder will attempt to decrypt the \noteCiphertext as fo
|
||||||
\EphemeralPrivateBytes \typecolon \EphemeralPrivateBytesType)$ from $\OutPlaintext$
|
\EphemeralPrivateBytes \typecolon \EphemeralPrivateBytesType)$ from $\OutPlaintext$
|
||||||
\item let $\EphemeralPrivate = \LEOStoIPOf{256}{\EphemeralPrivateBytes}$
|
\item let $\EphemeralPrivate = \LEOStoIPOf{256}{\EphemeralPrivateBytes}$
|
||||||
and $\DiversifiedTransmitPublic = \abstJ\Of{\DiversifiedTransmitPublicRepr}$
|
and $\DiversifiedTransmitPublic = \abstJ\Of{\DiversifiedTransmitPublicRepr}$
|
||||||
\item if $\EphemeralPrivate \geq \ParamJ{r}$ or $\DiversifiedTransmitPublic \notin \KASaplingPublicPrimeOrder$, return $\bot$
|
\item if $\EphemeralPrivate \geq \ParamJ{r}$ or $\DiversifiedTransmitPublic \notin \KASaplingPublicPrimeSubgroup$, return $\bot$
|
||||||
\item let $\DHSecret{} = \KASaplingAgree(\EphemeralPrivate, \DiversifiedTransmitPublic)$
|
\item let $\DHSecret{} = \KASaplingAgree(\EphemeralPrivate, \DiversifiedTransmitPublic)$
|
||||||
\item let $\TransmitKey{} = \KDFSapling(\DHSecret{}, \EphemeralPublic)$
|
\item let $\TransmitKey{} = \KDFSapling(\DHSecret{}, \EphemeralPublic)$
|
||||||
\item let $\TransmitPlaintext{} = \SymDecrypt{\TransmitKey{}}(\TransmitCiphertext{})$
|
\item let $\TransmitPlaintext{} = \SymDecrypt{\TransmitKey{}}(\TransmitCiphertext{})$
|
||||||
|
@ -7087,7 +7087,7 @@ Let $\GroupJ$, $\SubgroupJ$, $\SubgroupJstar$, and the cofactor $\ParamJ{h}$ be
|
||||||
|
|
||||||
Define $\KASaplingPublic := \GroupJ$.
|
Define $\KASaplingPublic := \GroupJ$.
|
||||||
|
|
||||||
Define $\KASaplingPublicPrimeOrder := \SubgroupJstar$.
|
Define $\KASaplingPublicPrimeSubgroup := \SubgroupJ$.
|
||||||
|
|
||||||
Define $\KASaplingSharedSecret := \SubgroupJ$.
|
Define $\KASaplingSharedSecret := \SubgroupJ$.
|
||||||
|
|
||||||
|
@ -8593,12 +8593,11 @@ cause the first two characters of the Base58Check encoding to be fixed as
|
||||||
Let $\KASapling$ be as defined in \crossref{concretesaplingkeyagreement}.
|
Let $\KASapling$ be as defined in \crossref{concretesaplingkeyagreement}.
|
||||||
|
|
||||||
A \Sapling{} \defining{\paymentAddress} consists of $\Diversifier \typecolon \DiversifierType$
|
A \Sapling{} \defining{\paymentAddress} consists of $\Diversifier \typecolon \DiversifierType$
|
||||||
and $\DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeOrder$.
|
and $\DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeSubgroup$.
|
||||||
|
|
||||||
$\DiversifiedTransmitPublic$ is an encoding of a $\KASapling$ \publicKey of type
|
$\DiversifiedTransmitPublic$ is an encoding of a $\KASapling$ \publicKey of type
|
||||||
$\KASaplingPublicPrimeOrder$ (see \crossref{concretesaplingkeyagreement}),
|
$\KASaplingPublicPrimeSubgroup$, for use with the encryption scheme defined in
|
||||||
for use with the encryption scheme defined in \crossref{saplinginband}.
|
\crossref{saplinginband}. $\Diversifier$~is a sequence of $11$ bytes.
|
||||||
$\Diversifier$~is a sequence of $11$ bytes.
|
|
||||||
These components are derived as described in \crossref{saplingkeycomponents}.
|
These components are derived as described in \crossref{saplingkeycomponents}.
|
||||||
|
|
||||||
\introlist
|
\introlist
|
||||||
|
@ -8617,10 +8616,15 @@ The \rawEncoding of a \Sapling{} \paymentAddress consists of:
|
||||||
$\DiversifiedTransmitPublic$ (see \crossref{jubjub}).
|
$\DiversifiedTransmitPublic$ (see \crossref{jubjub}).
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
When decoding the representation of $\DiversifiedTransmitPublic$, the address is
|
When decoding the representation of $\DiversifiedTransmitPublic$, the address \MUST be
|
||||||
not valid if $\abstJ$ returns $\bot$ or if the resulting $\DiversifiedTransmitPublic$
|
considered invalid if $\abstJ$ returns $\bot$ or if the resulting $\DiversifiedTransmitPublic$
|
||||||
is not of prime order.
|
is not in the prime-order subgroup $\SubgroupJ$.
|
||||||
|
|
||||||
|
\vspace{-2ex}
|
||||||
|
\nnote{\zcashd currently (as of version 3.1.0) does not fully conform to this requirement on
|
||||||
|
address validation when importing \paymentAddresses.}
|
||||||
|
|
||||||
|
\vspace{1ex}
|
||||||
For addresses on \Mainnet, the \defining{\humanReadablePart} (as defined in \cite{ZIP-173}) is \ascii{zs}.
|
For addresses on \Mainnet, the \defining{\humanReadablePart} (as defined in \cite{ZIP-173}) is \ascii{zs}.
|
||||||
For addresses on \Testnet, the \humanReadablePart is \ascii{ztestsapling}.
|
For addresses on \Testnet, the \humanReadablePart is \ascii{ztestsapling}.
|
||||||
} %sapling
|
} %sapling
|
||||||
|
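Review bot: the new \nnote says \zcashd "does not fully conform" but not in which respect; from the commit message the omitted part appears to be the subgroup-membership test on the decoded $\DiversifiedTransmitPublic$. Naming the missing check here, not only in the history entry, would make the note actionable for other implementers. Separately, "as of version 3.1.0" will go stale; consider phrasing it as the version at which the behaviour was observed, or pointing at a tracking issue. The rewording on the third `+` line is correct and deliberate: "is not in the prime-order subgroup $\SubgroupJ$" admits $\ZeroJ$, whereas the old "is not of prime order" excluded it, so the two conditions are not equivalent.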
@ -8748,7 +8752,7 @@ The \rawEncoding of a \Sapling{} \fullViewingKey consists of:
|
||||||
\item $32$ bytes specifying the \outgoingViewingKey $\OutViewingKey$.
|
\item $32$ bytes specifying the \outgoingViewingKey $\OutViewingKey$.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
When decoding this representation, the key is not valid if $\abstJ$ returns $\bot$
|
When decoding this representation, the key \MUST be considered invalid if $\abstJ$ returns $\bot$
|
||||||
for either $\AuthSignPublic$ or $\AuthProvePublic$, or if $\AuthSignPublic \notin \SubgroupJstar$,
|
for either $\AuthSignPublic$ or $\AuthProvePublic$, or if $\AuthSignPublic \notin \SubgroupJstar$,
|
||||||
or if $\AuthProvePublic \notin \SubgroupJ$.
|
or if $\AuthProvePublic \notin \SubgroupJ$.
|
||||||
|
|
||||||
|
@ -10816,6 +10820,15 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
||||||
|
|
||||||
\historyentry{2020.1.13}{2020-08-11}
|
\historyentry{2020.1.13}{2020-08-11}
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
|
\sapling{
|
||||||
|
\item Rename the type of \Sapling \transmissionKeys from $\KASapling\mathsf{.PublicPrimeOrder}$
|
||||||
|
to $\KASaplingPublicPrimeSubgroup$. This type is defined as $\SubgroupJ$, which reflects
|
||||||
|
the implementation in \zcashd (subject to the next point below); it was never enforced that a
|
||||||
|
\transmissionKey ($\DiversifiedTransmitPublic$) cannot be $\ZeroJ$.
|
||||||
|
\item Add a non-normative note saying that \zcashd does not fully conform to the requirement
|
||||||
|
to treat \transmissionKeys not in $\KASaplingPublicPrimeSubgroup$ as invalid when importing
|
||||||
|
\paymentAddresses.
|
||||||
|
} %sapling
|
||||||
\canopy{
|
\canopy{
|
||||||
\item Set $\CanopyActivationHeight$ for \Testnet.
|
\item Set $\CanopyActivationHeight$ for \Testnet.
|
||||||
\item Modify the tables and notes in \crossref{zip214fundingstreams} to reflect changes in
|
\item Modify the tables and notes in \crossref{zip214fundingstreams} to reflect changes in
|
||||||
|
|
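Review bot: in the first changelog item, "it was never enforced that a \transmissionKey ($\DiversifiedTransmitPublic$) cannot be $\ZeroJ$" has no explicit subject and reads as if the specification never required it, but the `-` line removed from \crossref{saplingsend} earlier in this diff did require $\DiversifiedTransmitPublic \neq \ZeroJ$. Suggest "it was never enforced by \zcashd that ..." so it is clear the statement is about the implementation, not the previous text of the spec.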