Clarify the notes concerning domain separation of prefixes for MerkleCRH^Sapling and NoteCommit^Sapling.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2018-10-01 11:00:45 +01:00
parent 2a7002a010
commit 25b64382e4
1 changed files with 11 additions and 7 deletions

@ -5747,8 +5747,8 @@ $\MerkleCRHSapling \typecolon \MerkleLayerSapling \times \MerkleHashSapling \tim
\vspace{1ex}
\textbf{Note:}\;\; The prefix $l$ provides domain separation between inputs at different layers of the
\noteCommitmentTree. It is distinct from the $\NoteCommitSaplingAlg$ prefix
as noted in \crossref{concretewindowedcommit}.} %sapling
\noteCommitmentTree. $\NoteCommitSaplingAlg$, like $\PedersenHash$, is defined in terms of $\PedersenHashToPoint$,
but using a prefix that cannot collide with a layer prefix, as noted in \crossref{concretewindowedcommit}.} %sapling
\subsubsubsection{\hSigText{} \HashFunction} \label{hsigcrh}
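Review bot: The replacement sentence defers the non-collision argument entirely to \crossref{concretewindowedcommit}, but the hunk at line 6913 places the actual argument (6-bit little-endian layer encoding, $\MerkleDepthSapling < 64$, hence no collision with $\ones{6}$) in the $\NoteCommitSaplingAlg$ note, which the changelog hunk labels \crossref{concretesaplingnotecommit}. Check that \crossref{concretewindowedcommit} is the section that actually carries that note; if not, point this cross-reference at the same label the changelog uses so the reader lands on the justification rather than on the generic windowed-commitment definition.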
@ -6913,11 +6913,13 @@ instantiated as follows using $\WindowedPedersenCommitAlg$:
\vspace{-2ex}
\begin{pnotes}
\item The prefix $\ones{6}$ distinguishes the use of $\WindowedPedersenCommitAlg$ in
$\NoteCommitSaplingAlg$ from the layer prefix used in $\MerkleCRHSapling$ (see
\crossref{merklecrh}). The latter is a $6$-bit little-endian encoding of an integer
in $\range{0}{\MerkleDepthSapling-1}$; because $\MerkleDepthSapling < 64$, this
cannot collide with $\ones{6}$.
\item $\MerkleCRHSapling$ is also defined in terms of $\PedersenHashToPoint$
(see \crossref{merklecrh}). The prefix $\ones{6}$ distinguishes the use of
$\WindowedPedersenCommitAlg$ in
$\NoteCommitSaplingAlg$ from the layer prefix used in $\MerkleCRHSapling$.
That layer prefix is a $6$-bit little-endian encoding of an integer
in the range $\range{0}{\MerkleDepthSapling-1}$; because $\MerkleDepthSapling < 64$,
it cannot collide with $\ones{6}$.
\item The arguments to $\NoteCommitSapling{}$ are in a different order to their encodings
in $\WindowedPedersenCommit{}$. There is no particularly good reason for this.
\end{pnotes}
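Review bot: The new first note says both $\MerkleCRHSapling$ and $\NoteCommitSaplingAlg$ are defined in terms of $\PedersenHashToPoint$, but the collision argument is only sound if $\ones{6}$ and the 6-bit layer encoding occupy the same position (the leading 6 bits) of the $\PedersenHashToPoint$ input in both uses; stating that explicitly would close the gap between "defined in terms of" and "cannot collide". Also, the numeric step is worth one more clause: a 6-bit encoding equals $\ones{6}$ only for the integer $63$, and the layer index is at most $\MerkleDepthSapling-1 \leq 62$. Minor style: "$\WindowedPedersenCommitAlg$ in" now sits alone on a line; reflow it with the following line.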
@ -9787,6 +9789,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\item Address some of the findings of the QED-it report:
\begin{itemize}
\item Improved cross-referencing in \crossref{concretepedersenhash}.
\item Clarify the notes concerning domain separation of prefixes in
\crossref{saplingmerklecrh} and \crossref{concretesaplingnotecommit}.
\end{itemize}
} %sapling
\item Add the QED-it report to the acknowledgements.
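Review bot: The changelog entry references \crossref{saplingmerklecrh} and \crossref{concretesaplingnotecommit}, while the notes edited in this same commit reference \crossref{merklecrh} and \crossref{concretewindowedcommit} for what appear to be the same two sections. Confirm that all four labels are defined, or use one label per section consistently, since a mismatched label renders as an unresolved reference.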