mirror of https://github.com/zcash/zips.git
Allow the Merkle path validity check in the Action circuit to pass if any output of
MerkleCRH^Orchard is 0, and add a note in \crossref{merklepath} arguing that this is safe.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent 0b7aeae33e
commit 1ed8e47d56
@ -5927,22 +5927,31 @@ Given such a \merklePath, it is possible to verify that \merkleLeafNode
$\MerkleNode{\MerkleDepth{}}{i}$ is in a tree with a given \merkleRoot $\rt{} = \MerkleNode{0}{0}$.
\sapling{
\pnote{
For \Sapling, Merkle \merkleHashes are specified to be encoded as bit sequences, but the
\begin{pnotes}
\item For \Sapling, Merkle \merkleHashes are specified to be encoded as bit sequences, but the
\merkleRoot $\rt{Sapling}$ is encoded for the \primaryInput of a \spendProof as an element
of $\GF{\ParamJ{q}}$, as specified in \crossref{cctsaplingspend}. The \spendCircuit allows
inputs to $\MerkleCRH{Sapling}$ at each \merkleNode to be \nonCanonicallyFieldElement encoded,
as specified in \crossref{cctmerklepath}.
} %pnote
} %sapling
\nufive{
\pnote{
For \Orchard, Merkle \merkleHashes have type $\MerkleHashOrchard$ as defined in
\crossref{concreteextractorpallas}. Similarly to \Sapling, the \actionCircuit allows inputs
to $\MerkleCRH{Orchard}$ at each \merkleNode to be \nonCanonicallyFieldElement encoded.
} %pnote
\item For \Orchard, Merkle \merkleHashes have type $\MerkleHashOrchard$ as defined in
\crossref{concreteextractorpallas}. Similarly to \Sapling, the \actionCircuit allows
inputs to $\MerkleCRH{Orchard}$ at each \merkleNode to be \nonCanonicallyFieldElement
encoded.
\item The \actionCircuit is permitted to be implemented in such a way that the \merklePath
validity check can pass if any \merkleHash on the path, including the \merkleRoot, is
$0$. This can only happen if $\SinsemillaHash$ returned $\bot$ for that hash, because
$0$ is not the $x$-coordinate of any point on the \pallasCurve (as shown in a note at
\crossref{concreteextractorpallas}), and $\SinsemillaHashToPoint$ cannot return
$\ZeroP$. Allowing the validity check to pass in that case models the fact that
incomplete addition is used to implement Sinsemilla in the circuit. As proven in
\theoremref{thmsinsemillaex}, a $\bot$ output from $\SinsemillaHash$ yields a
nontrivial discrete logarithm relation. Since we assume finding such a relation to be
infeasible, we can argue that it is safe to allow an adversary to create a proof that
passes the Merkle validity check in such a case.
} %nufive
\end{pnotes}
} %sapling
\lsubsection{SIGHASH Transaction Hashing}{sighash}
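Review bot: the scope of the relaxation described in this hunk is wider than the way the same change is described elsewhere in the patch. The new item says the validity check may pass if "any \merkleHash on the path, including the \merkleRoot, is $0$", which on its face also covers the leaf, whereas the \actionCircuit item and the changelog entry later in this patch say "any $\MerkleCRH{Orchard}$ hash on the \merklePath outputs $0$" and "any output of $\MerkleCRH{Orchard}$ is $0$". The justification given here ("This can only happen if $\SinsemillaHash$ returned $\bot$ for that hash") is an argument about outputs of $\MerkleCRH{Orchard}$, so suggest aligning the wording, e.g. "if any output of $\MerkleCRH{Orchard}$ on the path, including the \merkleRoot, is $0$", or else stating explicitly whether a $0$ leaf is intended to be covered and why that is safe.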
@ -7074,6 +7083,9 @@ For details of the form and encoding of \actionStatement proofs, see \crossref{h
\item In the Merkle path validity check, each \merkleLayer does \emph{not} check that its
input bit sequence is a canonical encoding (in $\range{0}{\ParamP{q}-1}$) of the integer
from the previous \merkleLayer.
\item As specified in \crossref{merklepath}, the validity check is permitted to be implemented in
such a way that it can pass if any $\MerkleCRH{Orchard}$ hash on the \merklePath outputs $0$.
This allows nondeterministic, incomplete addition to be used in the circuit for $\SinsemillaHash$.
\item It is \emph{not} checked that $\ValueCommitRand{} < \ParamP{r}$ or that $\NoteCommitRandOld{} < \ParamP{r}$
or that $\NoteCommitRandNew{} < \ParamP{r}$.
\item $\SpendAuthSigRandomizePublic{Orchard}(\AuthSignRandomizer, \AuthSignPublicPoint) =
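Review bot: the new item in this hunk states the relaxation ("can pass if any $\MerkleCRH{Orchard}$ hash on the \merklePath outputs $0$") but not the precondition that the safety argument in \crossref{merklepath} rests on, namely that a $0$ output can only arise when $\SinsemillaHash$ returns $\bot$, because $0$ is not the $x$-coordinate of any point on the \pallasCurve. As written, the item could be read as permitting an implementation to accept an arbitrary witness of $0$ at a \merkleLayer. Suggest adding a clause such as "where a $0$ output corresponds to $\SinsemillaHash$ returning $\bot$" so that this list and the note in \crossref{merklepath} describe the same condition, and so the sentence "This allows nondeterministic, incomplete addition to be used in the circuit for $\SinsemillaHash$" is tied to that condition rather than standing alone.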
@ -14435,6 +14447,9 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
disruptive to change them at this point in the Network Upgrade Process, and
because it is necessary to track $\bot$ outputs in order to correctly model
non-determinism in the \actionCircuit.)
\item Allow the Merkle path validity check in the \actionCircuit to pass if any
output of $\MerkleCRH{Orchard}$ is $0$, and add a note in \crossref{merklepath}
arguing that this is safe.
} % nufive
\item No changes before \NUFive.
\end{itemize}
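Review bot: the changelog entry added in this hunk records the note in \crossref{merklepath} but not the matching change to the list of what the \actionCircuit does not check (the new item stating that the validity check is permitted to pass when any $\MerkleCRH{Orchard}$ hash on the \merklePath outputs $0$). Since the preceding entry already explains why $\bot$ outputs must be tracked to model non-determinism in the \actionCircuit, suggest extending this entry with a second clause, e.g. "..., arguing that this is safe, and update the description of the \actionCircuit accordingly" with the corresponding cross-reference, so that a reader of the changelog can find both edits.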