Add specification of signatures.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2016-09-05 21:14:29 +01:00
parent 0d182e6ab8
commit 26c0ad45b6
2 changed files with 116 additions and 25 deletions

View File

@ -165,6 +165,7 @@
\newcommand{\JoinSplitTransfer}{\titleterm{JoinSplit Transfer}}
\newcommand{\JoinSplitTransfers}{\titleterm{JoinSplit Transfers}}
\newcommand{\joinSplitSignature}{\term{JoinSplit signature}}
\newcommand{\joinSplitSignatures}{\term{JoinSplit signatures}}
\newcommand{\joinSplitSigningKey}{\term{JoinSplit signing key}}
\newcommand{\joinSplitVerifyingKey}{\term{JoinSplit verifying key}}
\newcommand{\joinSplitStatement}{\term{JoinSplit statement}}
@ -309,6 +310,7 @@
\newcommand{\vsum}[2]{\smashoperator[r]{\sum_{#1}^{#2}}}
\newcommand{\vxor}[2]{\smashoperator[r]{\bigoplus_{#1}^{#2}}}
\newcommand{\xor}{\oplus}
\newcommand{\rightarrowR}{\buildrel{\scriptstyle\mathrm{R}}\over\rightarrow}
% key pairs:
\newcommand{\PaymentAddress}{\mathsf{addr_{pk}}}
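Review bot: `\rightarrowR` is built from plain-TeX `\buildrel` while the surrounding macro file is LaTeX; since `\smashoperator` (mathtools, which loads amsmath) is already in use, `\newcommand{\rightarrowR}{\overset{\scriptstyle\mathrm{R}}{\rightarrow}}` or `\xrightarrow{\scriptstyle\mathrm{R}}` produces the same symbol with proper superscript spacing and is consistent with the rest of the file.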
@ -426,11 +428,22 @@
\newcommand{\ReplacementCharacter}{\textsf{U+FFFD}}
% Signatures
\newcommand{\JoinSplitSigAlg}{\mathsf{JoinSplitSigAlg}}
\newcommand{\Sig}{\mathsf{Sig}}
\newcommand{\SigPublic}{\mathsf{Sig.Public}}
\newcommand{\SigPrivate}{\mathsf{Sig.Private}}
\newcommand{\SigMessage}{\mathsf{Sig.Message}}
\newcommand{\SigSignature}{\mathsf{Sig.Signature}}
\newcommand{\SigGen}{\mathsf{Sig.Gen}}
\newcommand{\SigSign}[1]{\mathsf{Sig.Sign}_{#1}}
\newcommand{\SigVerify}[1]{\mathsf{Sig.Verify}_{#1}}
\newcommand{\JoinSplitSig}{\mathsf{JoinSplitSig}}
\newcommand{\JoinSplitSigPublic}{\mathsf{JoinSplitSig.Public}}
\newcommand{\JoinSplitSigPrivate}{\mathsf{JoinSplitSig.Private}}
\newcommand{\JoinSplitSigSign}{\mathsf{JoinSplitSig.Sign}}
\newcommand{\JoinSplitSigVerify}{\mathsf{JoinSplitSig.Verify}}
\newcommand{\JoinSplitSigMessage}{\mathsf{JoinSplitSig.Message}}
\newcommand{\JoinSplitSigSignature}{\mathsf{JoinSplitSig.Signature}}
\newcommand{\JoinSplitSigGen}{\mathsf{JoinSplitSig.Gen}}
\newcommand{\JoinSplitSigSign}[1]{\mathsf{JoinSplitSig.Sign}_{#1}}
\newcommand{\JoinSplitSigVerify}[1]{\mathsf{JoinSplitSig.Verify}_{#1}}
\newcommand{\JoinSplitSigSpecific}{\mathsf{Ed25519}}
\newcommand{\JoinSplitSigHashName}{\mathsf{SHA\mhyphen512}}
\newcommand{\EdDSAr}{R}
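Review bot: `\JoinSplitSigSign` and `\JoinSplitSigVerify` change from argumentless macros to macros with a mandatory key-subscript argument, so any remaining use without a brace group will swallow the token that follows it; grep the document for bare `\JoinSplitSigSign` / `\JoinSplitSigVerify` before merging. `\JoinSplitSigAlg` also stays defined even though the rest of this commit replaces every use with `\JoinSplitSig` and drops the `\todo` that mentioned it; removing the stale macro avoids the two names drifting apart again.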
@ -440,6 +453,7 @@
\newcommand{\RandomSeedLength}{\mathsf{\ell_{Seed}}}
\newcommand{\RandomSeedType}{\bitseq{\mathsf{\ell_{Seed}}}}
\newcommand{\pksig}{\mathsf{pk_{sig}}}
\newcommand{\sk}{\mathsf{sk}}
\newcommand{\hSigInput}{\mathsf{hSigInput}}
\newcommand{\dataToBeSigned}{\mathsf{dataToBeSigned}}
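Review bot: only `\sk` is added here, but the abstract signature definition below writes the generated key pair as `(\sk, \vk)`; if `\vk` is not already defined elsewhere in the macro file the build breaks, so either add `\newcommand{\vk}{\mathsf{vk}}` next to `\sk` or name both halves of the pair in one place.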
@ -451,7 +465,7 @@
\newcommand{\MerkleHashLength}{\mathsf{\ell_{Merkle}}}
\newcommand{\MerkleHash}{\bitseq{\MerkleHashLength}}
% Bitcoin
% Transactions
\newcommand{\versionField}{\mathtt{version}}
\newcommand{\txInCount}{\mathtt{tx\_in\_count}}
\newcommand{\txIn}{\mathtt{tx\_in}}
@ -464,6 +478,7 @@
\newcommand{\vpubNewField}{\mathtt{vpub\_new}}
\newcommand{\anchorField}{\mathtt{anchor}}
\newcommand{\joinSplitSig}{\mathtt{joinSplitSig}}
\newcommand{\joinSplitPrivKey}{\mathtt{joinSplitPrivKey}}
\newcommand{\joinSplitPubKey}{\mathtt{joinSplitPubKey}}
\newcommand{\nullifiersField}{\mathtt{nullifiers}}
\newcommand{\commitments}{\mathtt{commitments}}
@ -478,6 +493,7 @@
\newcommand{\sighashTypes}{\term{SIGHASH types}}
\newcommand{\SIGHASHALL}{\mathsf{SIGHASH\_ALL}}
\newcommand{\scriptSig}{\mathtt{scriptSig}}
\newcommand{\ScriptOP}[1]{\texttt{OP\_{#1}}}
% Equihash and block headers
\newcommand{\validEquihashSolution}{\term{valid Equihash solution}}
@ -552,6 +568,7 @@
\newcommand{\Receive}{\mathsf{Receive}}
\newcommand{\EnforceCommit}[1]{\mathsf{enforce}_{#1}}
\newcommand{\consensusrule}[1]{\subparagraph{Consensus rule:}{#1}}
\newenvironment{consensusrules}{\subparagraph{Consensus rules:}\begin{itemize}}{\end{itemize}}
\newcommand{\securityrequirement}[1]{\subparagraph{Security requirement:}{#1}}
@ -767,10 +784,15 @@ The notation $T \subseteq U$ indicates that $T$ is an inclusive subset or subtyp
The notation $x \typecolon T$ is used to specify that $x$ has type $T$.
A cartesian product type is denoted by $S \times T$, and a function type
by $S \rightarrow T$. A subscripted argument of a function is taken to be
its first argument, e.g.\ if $x \typecolon X$, $y \typecolon Y$, and
$\PRF{x}{}(y) \typecolon Z$, then $\PRF{}{} \typecolon X \times Y \rightarrow Z$.
An argument to a function can determine other argument or result types.
by $S \rightarrow T$. The type of a randomized algorithm is denoted by $S \rightarrowR T$.
The domain of a randomized algorithm may be $()$, indicating that it requires
no arguments. An argument to a function can determine other argument or result
types.
Initial arguments to a function or randomized algorithm may be
written as subscripts, e.g.\ if $x \typecolon X$, $y \typecolon Y$, and
$\PRF{}{} \typecolon X \times Y \rightarrow Z$, then an invocation of
$\PRF{}{}(x, y)$ can also be written $\PRF{x}{}(y)$.
The following integer constants will be instantiated in \crossref{constants}:
$\MerkleDepth$, $\NOld$, $\NNew$, $\MerkleHashLength$, $\hSigLength$,
@ -1155,7 +1177,52 @@ This is not considered to be a significant security weakness.
\nsubsubsection{Signatures} \label{abstractsig}
\todo{Define $\JoinSplitSigAlg$.}
A signature scheme $\Sig$ defines:
\begin{itemize}
\item a type of signing keys $\SigPrivate$;
\item a type of verifying keys $\SigPublic$;
\item a type of messages $\SigMessage$;
\item a type of signatures $\SigSignature$;
\item a randomized key pair generation algorithm $\SigGen \typecolon () \rightarrowR \SigPrivate \times \SigPublic$;
\item a randomized signing algorithm $\SigSign{} \typecolon \SigPrivate \times \SigMessage \rightarrowR \SigSignature$;
\item a verifying algorithm $\SigVerify{} \typecolon \SigPublic \times \SigMessage \times \SigSignature \rightarrow \bit$;
\end{itemize}
such that for any key pair $(\sk, \vk) \leftarrow \SigGen()$, and
any $m \typecolon \SigMessage$ and $s \typecolon \SigSignature \leftarrow \SigSign{\sk}(m)$,
$\SigVerify{\vk}(m, s) = 1$.
\Zcash uses two signature schemes, one used for signatures that can be verified
by script operations such as \ScriptOP{CHECKSIG} and \ScriptOP{CHECKMULTISIG} as
in \Bitcoin, and one called $\JoinSplitSig$ which is used to sign \transactions
that contain at least one \joinSplitDescription. The latter is instantiated in
\crossref{concretesig}. The following defines only the security properties needed
for $\JoinSplitSig$.
\securityrequirement{
$\JoinSplitSig$ must be Strongly Unforgeable under (non-adaptive)
Chosen Message Attack (SU-CMA), as defined for example in
\cite[Definition 6]{BDEHR2011}. This allows an adversary to obtain
signatures on chosen messages, and then requires it to be infeasible
for the adversary to forge a previously unseen valid \mbox{(message, signature)}
pair without access to the signing key.
}
\begin{pnotes}
\item Since a fresh key pair is generated for every \transaction containing
a \joinSplitDescription and is only used for one signature (see
\crossref{nonmalleability}), a one-time signature scheme would
suffice for $\JoinSplitSig$. This is also the reason why only
security against \emph{non-adaptive} chosen message attack is needed.
In fact the instantiation of $\JoinSplitSig$ uses a scheme designed
for security under adaptive attack even when multiple signatures are
signed under the same key.
\item SU-CMA security requires it to be infeasible for the adversary to
forge a distinct signature on a previously seen message. That is,
\joinSplitSignatures are intended to be nonmalleable in the sense of
\cite{BIP-62}.
\end{pnotes}
\nsubsubsection{Commitment} \label{abstractcomm}
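Review bot: the security requirement says "non-adaptive" chosen message attack, and the first note justifies this by the key being used for exactly one signature, but the requirement itself never bounds the number of signing queries; state that bound explicitly (the adversary obtains at most one signature per key, i.e. a one-time SU-CMA notion suffices) so the requirement can be checked against the cited definition without reading the notes. Separately, the correctness condition writes `$s \typecolon \SigSignature \leftarrow \SigSign{\sk}(m)$`, mixing a type ascription with a sampling arrow; `$s \leftarrow \SigSign{\sk}(m)$` is enough, since the type of `s` already follows from the signature of `\SigSign{}`.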
@ -1261,7 +1328,7 @@ A \joinSplitTransfer, as specified in \crossref{joinsplit}, is encoded in
Each \transaction includes a sequence of zero or more \joinSplitDescriptions.
When this sequence is non-empty, the \transaction also includes encodings of a
$\JoinSplitSigAlg$ public verification key and signature.
$\JoinSplitSig$ public verification key and signature.
Each \joinSplitDescription consists of $(\vpubOld, \vpubNew, \rt,
\nfOld{\allOld}, \cmNew{\allNew}, \EphemeralPublic, \RandomSeed,
@ -1321,7 +1388,9 @@ $\hSigCRH$ is instantiated in \crossref{hsigcrh}.
In order to send \xprotected value, the sender constructs a \transaction
containing one or more \joinSplitDescriptions. This involves first generating
a new $\JoinSplitSigAlg$ key pair, which includes $\joinSplitPubKey$.
a new $\JoinSplitSig$ key pair:
\hskip 1.5em $(\joinSplitPrivKey, \joinSplitPubKey) \leftarrow \JoinSplitSigGen()$.
For each \joinSplitDescription, the sender chooses $\RandomSeed$ uniformly at
random on $\bitseq{\RandomSeedLength}$, and selects
@ -1342,9 +1411,13 @@ of the input \notes and of the output \notes. Other considerations relating to
information leakage from the structure of \transactions are beyond the
scope of this specification.
After generating all of the \joinSplitDescriptions, the sender constructs the
encoded \transaction as described in \crossref{joinsplitencoding}, signed with the
private \joinSplitSigningKey, and submits it to the network.
After generating all of the \joinSplitDescriptions, the sender obtains the
$\dataToBeSigned$ (\crossref{nonmalleability}), and signs it with
the private \joinSplitSigningKey:
\hskip 1.5em $\joinSplitSig \leftarrow \JoinSplitSigSign{\text{\small\joinSplitPrivKey}}(\dataToBeSigned)$
Then the encoded \transaction including $\joinSplitSig$ is submitted to the network.
\nsubsubsection{\DummyNotes} \label{dummynotes}
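Review bot: `\JoinSplitSigSign{\text{\small\joinSplitPrivKey}}` places `\joinSplitPrivKey`, which expands to `\mathtt{...}`, inside amsmath `\text`, i.e. in text mode, where math alphabet commands normally raise "\mathtt allowed only in math mode"; please confirm this compiles. The `\small` is also redundant because a subscript is already set in script style, so `\JoinSplitSigSign{\joinSplitPrivKey}(\dataToBeSigned)` should suffice. The same construct is used for `\JoinSplitSigVerify` in the non-malleability section.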
@ -1414,8 +1487,8 @@ $\MerkleNode{\MerkleDepth}{i}$ is in a tree with a given \merkleRoot $\rt = \Mer
\Bitcoin defines several \sighashTypes that cover various parts of a transaction.
\changed{In \Zcash, all of these \sighashTypes are extended to cover the \Zcash-specific
fields $\nJoinSplit$, $\vJoinSplit$, and (if present) $\joinSplitPubKey$.
They \emph{do not} cover the field $\joinSplitSig$.
fields $\nJoinSplit$, $\vJoinSplit$, and (if present) $\joinSplitPubKey$, described in
\crossref{txnencoding}. They \emph{do not} cover the field $\joinSplitSig$.
\consensusrule{
If $\nJoinSplit > 0$, the \transaction{} \MUSTNOT use \sighashTypes other than
@ -1429,18 +1502,18 @@ the non-\Zcash-specific parts of the \transaction.}
In order to ensure that a \joinSplitDescription is cryptographically bound to the
\transparent inputs and outputs corresponding to $\vpubNew$ and $\vpubOld$, and
to the other \joinSplitDescriptions in the same \transaction, an ephemeral $\JoinSplitSigAlg$
to the other \joinSplitDescriptions in the same \transaction, an ephemeral $\JoinSplitSig$
key pair is generated for each \transaction, and the $\dataToBeSigned$ is
signed with the private signing key of this key pair. The corresponding public
verification key is included in the \transaction encoding as $\joinSplitPubKey$.
$\JoinSplitSigAlg$ is instantiated in \crossref{concretesig}.
$\JoinSplitSig$ is instantiated in \crossref{concretesig}.
\changed{
If $\nJoinSplit$ is zero, the $\joinSplitPubKey$ and $\joinSplitSig$ fields are
omitted. Otherwise, a \transaction has a correct \joinSplitSignature if
$\joinSplitSig$ can be verified as an encoding of a signature on $\dataToBeSigned$
as specified above, using $\joinSplitPubKey$.
omitted. Otherwise, a \transaction has a correct \joinSplitSignature if and only if
$\JoinSplitSigVerify{\text{\small\joinSplitPubKey}}(\dataToBeSigned, \joinSplitSig) = 1$.
% FIXME: distinguish pubkey and signature from their encodings.
}
The condition enforced by the \joinSplitStatement specified in \crossref{nonmalleablepour}
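Review bot: the new "if and only if" condition passes the transaction fields `\joinSplitPubKey` and `\joinSplitSig` straight to `\JoinSplitSigVerify`, but in the transaction table those fields are the `char[32]` and `char[64]` encodings, which the FIXME below acknowledges; rather than leave the FIXME, state that the two fields must decode to a valid verifying key and signature, and that a transaction whose fields fail to decode does not have a correct JoinSplit signature. This is what carries the BIP-62-style nonmalleability claimed in the abstract section into the consensus rule: if more than one encoding of the same signature were accepted, `\joinSplitSig` could change without the signing key, which is precisely what the `s < \ell` requirement added in the concrete section is meant to rule out.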
@ -2055,8 +2128,9 @@ where:
\nsubsubsection{Signatures} \label{concretesig}
\changed{
$\JoinSplitSigAlg$ is instantiated as $\JoinSplitSigSpecific$ \cite{BDL+2012},
$\JoinSplitSig$ is specified in \crossref{abstractsig}.
\changed{It is instantiated as $\JoinSplitSigSpecific$ \cite{BDL+2012},
with the additional requirement that $\EdDSAs$ (the integer represented
by $\EdDSAS$) must be less than the prime
$\ell = 2^{252} + 27742317777372353535851937790883648493$,
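Review bot: if the `\changed{` on the line before "$\JoinSplitSig$ is specified in \crossref{abstractsig}." is retained, the new `\changed{It is instantiated ...` opens a second, nested `\changed` group around the instantiation text; if the cross-reference sentence is not itself changed text, drop the outer `\changed{` and check that its matching close brace goes with it, otherwise the two groups close in the wrong place.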
@ -2465,7 +2539,7 @@ computation, which has yet to be performed.
\nsection{Consensus Changes from \Bitcoin}
\nsubsection{Encoding of \Transactions}
\nsubsection{Encoding of \Transactions} \label{txnencoding}
The \Zcash \transaction format is as follows:
@ -2494,7 +2568,7 @@ in $\vJoinSplit$. \\ \hline
\Longunderstack{1802 $\times$ \\ $\nJoinSplit\,\dagger$} & $\vJoinSplit$ & \type{JoinSplitDescription} \type{[$\nJoinSplit$]} &
A \sequenceOfJoinSplitDescriptions, each encoded as described in \crossref{joinsplitencoding}. \\ \hline
32 $\ddagger$ & $\joinSplitPubKey$ & \type{char[32]} & An encoding of a $\JoinSplitSigAlg$
32 $\ddagger$ & $\joinSplitPubKey$ & \type{char[32]} & An encoding of a $\JoinSplitSig$
public verification key. \\ \hline
64 $\ddagger$ & $\joinSplitSig$ & \type{char[64]} & A signature on a prefix of the \transaction encoding,

View File

@ -184,6 +184,15 @@ L. Hern{\'a}ndez Encinas and C. S{\'a}nchez {\'A}vila},
howpublished={Cryptology ePrint Archive: Report 2011/708. \mbox{December 28,} 2011.}
}
@misc{BDEHR2011,
author={Johannes Buchmann and Erik Dahmen and Sarah Ereth and Andreas H{\"u}lsing and Markus R{\"u}ckert},
title={On the {S}ecurity of the {W}internitz {O}ne-{T}ime {S}ignature {S}cheme (full version)},
url={https://eprint.iacr.org/2011/191},
urldate={2016-09-05},
howpublished={Cryptology ePrint Archive: Report 2011/191.
Received \mbox{April 13,} 2011.}
}
@misc{vanS2014,
author={Nicolas van Saberhagen},
title={CryptoNote v 2.0},
@ -228,6 +237,14 @@ L. Hern{\'a}ndez Encinas and C. S{\'a}nchez {\'A}vila},
urldate={2016-08-13}
}
@misc{BIP-62,
author={Pieter Wuille},
title={Dealing with malleability},
howpublished={Bitcoin Improvement Proposal 62. Withdrawn Nov\-ember 17, 2015},
url={https://github.com/bitcoin/bips/blob/master/bip-0062.mediawiki},
urldate={2016-09-05}
}
@misc{BIP-68,
author={Mark Friedenbach and BtcDrak and Nicolas Dorier and kinoshitajona},
title={Relative lock-time using con\-sensus-enforced sequence numbers},