mirror of https://github.com/zcash/zips.git
Allow the Merkle path validity check in the Action circuit to pass if any output of
MerkleCRH^Orchard is 0, and add a note in \crossref{merklepath} arguing that this is safe.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
0b7aeae33e
commit
1ed8e47d56
|
@ -5927,22 +5927,31 @@ Given such a \merklePath, it is possible to verify that \merkleLeafNode
|
||||||
$\MerkleNode{\MerkleDepth{}}{i}$ is in a tree with a given \merkleRoot $\rt{} = \MerkleNode{0}{0}$.
|
$\MerkleNode{\MerkleDepth{}}{i}$ is in a tree with a given \merkleRoot $\rt{} = \MerkleNode{0}{0}$.
|
||||||
|
|
||||||
\sapling{
|
\sapling{
|
||||||
\pnote{
|
\begin{pnotes}
|
||||||
For \Sapling, Merkle \merkleHashes are specified to be encoded as bit sequences, but the
|
\item For \Sapling, Merkle \merkleHashes are specified to be encoded as bit sequences, but the
|
||||||
\merkleRoot $\rt{Sapling}$ is encoded for the \primaryInput of a \spendProof as an element
|
\merkleRoot $\rt{Sapling}$ is encoded for the \primaryInput of a \spendProof as an element
|
||||||
of $\GF{\ParamJ{q}}$, as specified in \crossref{cctsaplingspend}. The \spendCircuit allows
|
of $\GF{\ParamJ{q}}$, as specified in \crossref{cctsaplingspend}. The \spendCircuit allows
|
||||||
inputs to $\MerkleCRH{Sapling}$ at each \merkleNode to be \nonCanonicallyFieldElement encoded,
|
inputs to $\MerkleCRH{Sapling}$ at each \merkleNode to be \nonCanonicallyFieldElement encoded,
|
||||||
as specified in \crossref{cctmerklepath}.
|
as specified in \crossref{cctmerklepath}.
|
||||||
} %pnote
|
|
||||||
} %sapling
|
|
||||||
|
|
||||||
\nufive{
|
\nufive{
|
||||||
\pnote{
|
\item For \Orchard, Merkle \merkleHashes have type $\MerkleHashOrchard$ as defined in
|
||||||
For \Orchard, Merkle \merkleHashes have type $\MerkleHashOrchard$ as defined in
|
\crossref{concreteextractorpallas}. Similarly to \Sapling, the \actionCircuit allows
|
||||||
\crossref{concreteextractorpallas}. Similarly to \Sapling, the \actionCircuit allows inputs
|
inputs to $\MerkleCRH{Orchard}$ at each \merkleNode to be \nonCanonicallyFieldElement
|
||||||
to $\MerkleCRH{Orchard}$ at each \merkleNode to be \nonCanonicallyFieldElement encoded.
|
encoded.
|
||||||
} %pnote
|
\item The \actionCircuit is permitted to be implemented in such a way that the \merklePath
|
||||||
|
validity check can pass if any \merkleHash on the path, including the \merkleRoot, is
|
||||||
|
$0$. This can only happen if $\SinsemillaHash$ returned $\bot$ for that hash, because
|
||||||
|
$0$ is not the $x$-coordinate of any point on the \pallasCurve (as shown in a note at
|
||||||
|
\crossref{concreteextractorpallas}), and $\SinsemillaHashToPoint$ cannot return
|
||||||
|
$\ZeroP$. Allowing the validity check to pass in that case models the fact that
|
||||||
|
incomplete addition is used to implement Sinsemilla in the circuit. As proven in
|
||||||
|
\theoremref{thmsinsemillaex}, a $\bot$ output from $\SinsemillaHash$ yields a
|
||||||
|
nontrivial discrete logarithm relation. Since we assume finding such a relation to be
|
||||||
|
infeasible, we can argue that it is safe to allow an adversary to create a proof that
|
||||||
|
passes the Merkle validity check in such a case.
|
||||||
} %nufive
|
} %nufive
|
||||||
|
\end{pnotes}
|
||||||
|
} %sapling
|
||||||
|
|
||||||
|
|
||||||
\lsubsection{SIGHASH Transaction Hashing}{sighash}
|
\lsubsection{SIGHASH Transaction Hashing}{sighash}
|
||||||
|
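Review bot: the new `\item The \actionCircuit is permitted ...` says the check may pass if "any \merkleHash on the path, including the \merkleRoot, is $0$", but the justification that follows ("This can only happen if $\SinsemillaHash$ returned $\bot$ for that hash") only applies to node values the circuit itself computes with $\MerkleCRH{Orchard}$; the sibling hashes in a \merklePath are witness values, not hash outputs, so the sentence as written covers a case the argument does not. The commit message and the matching item added to the \actionStatement section both scope the relaxation to outputs of $\MerkleCRH{Orchard}$, so suggest aligning this sentence to that wording, e.g. "validity check can pass if any output of $\MerkleCRH{Orchard}$ computed along the path, including the \merkleRoot, is $0$". Separately, the restructuring moves `\nufive{ ... } %nufive` inside `\sapling{ ... \begin{pnotes} ... \end{pnotes} } %sapling` where the two were previously siblings, so the \Orchard items are now omitted from any build with the \sapling conditional disabled; fine if every \NUFive build also enables \sapling, but worth confirming.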
@ -7074,6 +7083,9 @@ For details of the form and encoding of \actionStatement proofs, see \crossref{h
|
||||||
\item In the Merkle path validity check, each \merkleLayer does \emph{not} check that its
|
\item In the Merkle path validity check, each \merkleLayer does \emph{not} check that its
|
||||||
input bit sequence is a canonical encoding (in $\range{0}{\ParamP{q}-1}$) of the integer
|
input bit sequence is a canonical encoding (in $\range{0}{\ParamP{q}-1}$) of the integer
|
||||||
from the previous \merkleLayer.
|
from the previous \merkleLayer.
|
||||||
|
\item As specified in \crossref{merklepath}, the validity check is permitted to be implemented in
|
||||||
|
such a way that it can pass if any $\MerkleCRH{Orchard}$ hash on the \merklePath outputs $0$.
|
||||||
|
This allows nondeterministic, incomplete addition to be used in the circuit for $\SinsemillaHash$.
|
||||||
\item It is \emph{not} checked that $\ValueCommitRand{} < \ParamP{r}$ or that $\NoteCommitRandOld{} < \ParamP{r}$
|
\item It is \emph{not} checked that $\ValueCommitRand{} < \ParamP{r}$ or that $\NoteCommitRandOld{} < \ParamP{r}$
|
||||||
or that $\NoteCommitRandNew{} < \ParamP{r}$.
|
or that $\NoteCommitRandNew{} < \ParamP{r}$.
|
||||||
\item $\SpendAuthSigRandomizePublic{Orchard}(\AuthSignRandomizer, \AuthSignPublicPoint) =
|
\item $\SpendAuthSigRandomizePublic{Orchard}(\AuthSignRandomizer, \AuthSignPublicPoint) =
|
||||||
|
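Review bot: the added item spells "nondeterministic" without a hyphen while the changelog entry in the same commit writes "non-determinism"; pick one form for the document. The item also only says "any $\MerkleCRH{Orchard}$ hash on the \merklePath outputs $0$", whereas the note in \crossref{merklepath} explicitly says "including the \merkleRoot"; since the root is the last $\MerkleCRH{Orchard}$ output and the one compared against $\rt{}$, suggest stating here too that the relaxation covers the final root comparison, so the two descriptions of the permitted implementation are unambiguously the same.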
@ -14435,6 +14447,9 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
||||||
disruptive to change them at this point in the Network Upgrade Process, and
|
disruptive to change them at this point in the Network Upgrade Process, and
|
||||||
because it is necessary to track $\bot$ outputs in order to correctly model
|
because it is necessary to track $\bot$ outputs in order to correctly model
|
||||||
non-determinism in the \actionCircuit.)
|
non-determinism in the \actionCircuit.)
|
||||||
|
\item Allow the Merkle path validity check in the \actionCircuit to pass if any
|
||||||
|
output of $\MerkleCRH{Orchard}$ is $0$, and add a note in \crossref{merklepath}
|
||||||
|
arguing that this is safe.
|
||||||
} % nufive
|
} % nufive
|
||||||
\item No changes before \NUFive.
|
\item No changes before \NUFive.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
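Review bot: the changelog entry records only the note added in \crossref{merklepath}, but the commit also adds an item to the list of conditions the \actionCircuit does not check in the \actionStatement section (the "As specified in \crossref{merklepath}, the validity check is permitted ..." item). Suggest mentioning both locations so readers of the change list can find the normative statement as well as the safety argument, e.g. "..., add a corresponding item to the list of unchecked conditions for the \actionStatement, and add a note in \crossref{merklepath} arguing that this is safe."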