Allow the Merkle path validity check in the Action circuit to pass if any output of
MerkleCRH^Orchard is 0, and add a note in \crossref{merklepath} arguing that this is safe.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2021-06-30 14:36:43 +01:00
parent 0b7aeae33e
commit 1ed8e47d56
1 changed files with 29 additions and 14 deletions

@ -5927,22 +5927,31 @@ Given such a \merklePath, it is possible to verify that \merkleLeafNode
$\MerkleNode{\MerkleDepth{}}{i}$ is in a tree with a given \merkleRoot $\rt{} = \MerkleNode{0}{0}$. $\MerkleNode{\MerkleDepth{}}{i}$ is in a tree with a given \merkleRoot $\rt{} = \MerkleNode{0}{0}$.
\sapling{ \sapling{
\pnote{ \begin{pnotes}
For \Sapling, Merkle \merkleHashes are specified to be encoded as bit sequences, but the \item For \Sapling, Merkle \merkleHashes are specified to be encoded as bit sequences, but the
\merkleRoot $\rt{Sapling}$ is encoded for the \primaryInput of a \spendProof as an element \merkleRoot $\rt{Sapling}$ is encoded for the \primaryInput of a \spendProof as an element
of $\GF{\ParamJ{q}}$, as specified in \crossref{cctsaplingspend}. The \spendCircuit allows of $\GF{\ParamJ{q}}$, as specified in \crossref{cctsaplingspend}. The \spendCircuit allows
inputs to $\MerkleCRH{Sapling}$ at each \merkleNode to be \nonCanonicallyFieldElement encoded, inputs to $\MerkleCRH{Sapling}$ at each \merkleNode to be \nonCanonicallyFieldElement encoded,
as specified in \crossref{cctmerklepath}. as specified in \crossref{cctmerklepath}.
} %pnote
} %sapling
\nufive{ \nufive{
\pnote{ \item For \Orchard, Merkle \merkleHashes have type $\MerkleHashOrchard$ as defined in
For \Orchard, Merkle \merkleHashes have type $\MerkleHashOrchard$ as defined in \crossref{concreteextractorpallas}. Similarly to \Sapling, the \actionCircuit allows
\crossref{concreteextractorpallas}. Similarly to \Sapling, the \actionCircuit allows inputs inputs to $\MerkleCRH{Orchard}$ at each \merkleNode to be \nonCanonicallyFieldElement
to $\MerkleCRH{Orchard}$ at each \merkleNode to be \nonCanonicallyFieldElement encoded. encoded.
} %pnote \item The \actionCircuit is permitted to be implemented in such a way that the \merklePath
validity check can pass if any \merkleHash on the path, including the \merkleRoot, is
$0$. This can only happen if $\SinsemillaHash$ returned $\bot$ for that hash, because
$0$ is not the $x$-coordinate of any point on the \pallasCurve (as shown in a note at
\crossref{concreteextractorpallas}), and $\SinsemillaHashToPoint$ cannot return
$\ZeroP$. Allowing the validity check to pass in that case models the fact that
incomplete addition is used to implement Sinsemilla in the circuit. As proven in
\theoremref{thmsinsemillaex}, a $\bot$ output from $\SinsemillaHash$ yields a
nontrivial discrete logarithm relation. Since we assume finding such a relation to be
infeasible, we can argue that it is safe to allow an adversary to create a proof that
passes the Merkle validity check in such a case.
} %nufive } %nufive
\end{pnotes}
} %sapling
\lsubsection{SIGHASH Transaction Hashing}{sighash} \lsubsection{SIGHASH Transaction Hashing}{sighash}
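Review bot: the new Orchard item in the pnotes list asserts that $\SinsemillaHashToPoint$ cannot return $\ZeroP$ and that $0$ is not the $x$-coordinate of any Pallas point, but only the second claim is given a cross-reference; the first is what actually rules out a $0$ output from a non-$\bot$ hash, so it deserves the same treatment (a pointer to where $\SinsemillaHashToPoint$ is defined, or to the lemma that excludes $\ZeroP$). The security argument would also read more precisely if "we can argue that it is safe to allow an adversary to create a proof that passes the Merkle validity check" stated what is being conceded: an adversary who produces such a proof has, by \theoremref{thmsinsemillaex}, found a nontrivial discrete logarithm relation, which is exactly the assumption the rest of Sinsemilla's collision resistance already rests on, so no new assumption is introduced. Finally, the Sapling item keeps its "as specified in \crossref{cctmerklepath}" pointer to the circuit section while the Orchard items have none; since the corresponding Action circuit bullet refers back to \crossref{merklepath}, a reciprocal cross-reference here would let a reader auditing the circuit find the conformance requirement without searching.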
@ -7074,6 +7083,9 @@ For details of the form and encoding of \actionStatement proofs, see \crossref{h
\item In the Merkle path validity check, each \merkleLayer does \emph{not} check that its \item In the Merkle path validity check, each \merkleLayer does \emph{not} check that its
input bit sequence is a canonical encoding (in $\range{0}{\ParamP{q}-1}$) of the integer input bit sequence is a canonical encoding (in $\range{0}{\ParamP{q}-1}$) of the integer
from the previous \merkleLayer. from the previous \merkleLayer.
\item As specified in \crossref{merklepath}, the validity check is permitted to be implemented in
such a way that it can pass if any $\MerkleCRH{Orchard}$ hash on the \merklePath outputs $0$.
This allows nondeterministic, incomplete addition to be used in the circuit for $\SinsemillaHash$.
\item It is \emph{not} checked that $\ValueCommitRand{} < \ParamP{r}$ or that $\NoteCommitRandOld{} < \ParamP{r}$ \item It is \emph{not} checked that $\ValueCommitRand{} < \ParamP{r}$ or that $\NoteCommitRandOld{} < \ParamP{r}$
or that $\NoteCommitRandNew{} < \ParamP{r}$. or that $\NoteCommitRandNew{} < \ParamP{r}$.
\item $\SpendAuthSigRandomizePublic{Orchard}(\AuthSignRandomizer, \AuthSignPublicPoint) = \item $\SpendAuthSigRandomizePublic{Orchard}(\AuthSignRandomizer, \AuthSignPublicPoint) =
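Review bot: "the validity check is permitted to be implemented in such a way that it can pass" describes an allowed deviation rather than required behaviour, and the bullet should say so explicitly so that implementers and test-vector authors do not treat either outcome as mandatory: a circuit using complete addition that rejects a $0$ hash is equally conformant, and a conformance test must not depend on the check passing or failing on such inputs. It would also help to state in this bullet why the deviation is harmless, or at least to point at \theoremref{thmsinsemillaex} as the note in \crossref{merklepath} does, since a reader of the Action statement section may not follow the cross-reference and would otherwise see an unexplained relaxation of a membership check. Consider also clarifying "any $\MerkleCRH{Orchard}$ hash on the \merklePath outputs $0$" to match the wording of the note, which covers the \merkleRoot as well as intermediate hashes.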
@ -14435,6 +14447,9 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
disruptive to change them at this point in the Network Upgrade Process, and disruptive to change them at this point in the Network Upgrade Process, and
because it is necessary to track $\bot$ outputs in order to correctly model because it is necessary to track $\bot$ outputs in order to correctly model
non-determinism in the \actionCircuit.) non-determinism in the \actionCircuit.)
\item Allow the Merkle path validity check in the \actionCircuit to pass if any
output of $\MerkleCRH{Orchard}$ is $0$, and add a note in \crossref{merklepath}
arguing that this is safe.
} % nufive } % nufive
\item No changes before \NUFive. \item No changes before \NUFive.
\end{itemize} \end{itemize}
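Review bot: this changelog entry mentions only the note added in \crossref{merklepath}, but the patch also amends the Action statement's list of checks that the circuit does not perform (the preceding hunk), and that is the normative change an implementer needs to find from the changelog; suggest listing both places, for example "... and add corresponding notes in \crossref{merklepath} and the \actionStatement section". The entry also reads as a consequence of the item directly above it (tracking $\bot$ outputs to model non-determinism in the \actionCircuit), so a brief link between the two, such as "As a consequence of the above, allow ...", would make the relationship clear to readers skimming the change list.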