Add specification of signatures.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent
0d182e6ab8
commit
26c0ad45b6
@ -165,6 +165,7 @@
|
|||
\newcommand{\JoinSplitTransfer}{\titleterm{JoinSplit Transfer}}
|
||||
\newcommand{\JoinSplitTransfers}{\titleterm{JoinSplit Transfers}}
|
||||
\newcommand{\joinSplitSignature}{\term{JoinSplit signature}}
|
||||
\newcommand{\joinSplitSignatures}{\term{JoinSplit signatures}}
|
||||
\newcommand{\joinSplitSigningKey}{\term{JoinSplit signing key}}
|
||||
\newcommand{\joinSplitVerifyingKey}{\term{JoinSplit verifying key}}
|
||||
\newcommand{\joinSplitStatement}{\term{JoinSplit statement}}
|
||||
|
@ -309,6 +310,7 @@
|
|||
\newcommand{\vsum}[2]{\smashoperator[r]{\sum_{#1}^{#2}}}
|
||||
\newcommand{\vxor}[2]{\smashoperator[r]{\bigoplus_{#1}^{#2}}}
|
||||
\newcommand{\xor}{\oplus}
|
||||
\newcommand{\rightarrowR}{\buildrel{\scriptstyle\mathrm{R}}\over\rightarrow}
|
||||
|
||||
% key pairs:
|
||||
\newcommand{\PaymentAddress}{\mathsf{addr_{pk}}}
|
||||
|
@ -426,11 +428,22 @@
|
|||
\newcommand{\ReplacementCharacter}{\textsf{U+FFFD}}
|
||||
|
||||
% Signatures
|
||||
\newcommand{\JoinSplitSigAlg}{\mathsf{JoinSplitSigAlg}}
|
||||
\newcommand{\Sig}{\mathsf{Sig}}
|
||||
\newcommand{\SigPublic}{\mathsf{Sig.Public}}
|
||||
\newcommand{\SigPrivate}{\mathsf{Sig.Private}}
|
||||
\newcommand{\SigMessage}{\mathsf{Sig.Message}}
|
||||
\newcommand{\SigSignature}{\mathsf{Sig.Signature}}
|
||||
\newcommand{\SigGen}{\mathsf{Sig.Gen}}
|
||||
\newcommand{\SigSign}[1]{\mathsf{Sig.Sign}_{#1}}
|
||||
\newcommand{\SigVerify}[1]{\mathsf{Sig.Verify}_{#1}}
|
||||
\newcommand{\JoinSplitSig}{\mathsf{JoinSplitSig}}
|
||||
\newcommand{\JoinSplitSigPublic}{\mathsf{JoinSplitSig.Public}}
|
||||
\newcommand{\JoinSplitSigPrivate}{\mathsf{JoinSplitSig.Private}}
|
||||
\newcommand{\JoinSplitSigSign}{\mathsf{JoinSplitSig.Sign}}
|
||||
\newcommand{\JoinSplitSigVerify}{\mathsf{JoinSplitSig.Verify}}
|
||||
\newcommand{\JoinSplitSigMessage}{\mathsf{JoinSplitSig.Message}}
|
||||
\newcommand{\JoinSplitSigSignature}{\mathsf{JoinSplitSig.Signature}}
|
||||
\newcommand{\JoinSplitSigGen}{\mathsf{JoinSplitSig.Gen}}
|
||||
\newcommand{\JoinSplitSigSign}[1]{\mathsf{JoinSplitSig.Sign}_{#1}}
|
||||
\newcommand{\JoinSplitSigVerify}[1]{\mathsf{JoinSplitSig.Verify}_{#1}}
|
||||
\newcommand{\JoinSplitSigSpecific}{\mathsf{Ed25519}}
|
||||
\newcommand{\JoinSplitSigHashName}{\mathsf{SHA\mhyphen512}}
|
||||
\newcommand{\EdDSAr}{R}
|
||||
|
@ -440,6 +453,7 @@
|
|||
\newcommand{\RandomSeedLength}{\mathsf{\ell_{Seed}}}
|
||||
\newcommand{\RandomSeedType}{\bitseq{\mathsf{\ell_{Seed}}}}
|
||||
\newcommand{\pksig}{\mathsf{pk_{sig}}}
|
||||
\newcommand{\sk}{\mathsf{sk}}
|
||||
\newcommand{\hSigInput}{\mathsf{hSigInput}}
|
||||
\newcommand{\dataToBeSigned}{\mathsf{dataToBeSigned}}
|
||||
|
||||
|
@ -451,7 +465,7 @@
|
|||
\newcommand{\MerkleHashLength}{\mathsf{\ell_{Merkle}}}
|
||||
\newcommand{\MerkleHash}{\bitseq{\MerkleHashLength}}
|
||||
|
||||
% Bitcoin
|
||||
% Transactions
|
||||
\newcommand{\versionField}{\mathtt{version}}
|
||||
\newcommand{\txInCount}{\mathtt{tx\_in\_count}}
|
||||
\newcommand{\txIn}{\mathtt{tx\_in}}
|
||||
|
@ -464,6 +478,7 @@
|
|||
\newcommand{\vpubNewField}{\mathtt{vpub\_new}}
|
||||
\newcommand{\anchorField}{\mathtt{anchor}}
|
||||
\newcommand{\joinSplitSig}{\mathtt{joinSplitSig}}
|
||||
\newcommand{\joinSplitPrivKey}{\mathtt{joinSplitPrivKey}}
|
||||
\newcommand{\joinSplitPubKey}{\mathtt{joinSplitPubKey}}
|
||||
\newcommand{\nullifiersField}{\mathtt{nullifiers}}
|
||||
\newcommand{\commitments}{\mathtt{commitments}}
|
||||
|
@ -478,6 +493,7 @@
|
|||
\newcommand{\sighashTypes}{\term{SIGHASH types}}
|
||||
\newcommand{\SIGHASHALL}{\mathsf{SIGHASH\_ALL}}
|
||||
\newcommand{\scriptSig}{\mathtt{scriptSig}}
|
||||
\newcommand{\ScriptOP}[1]{\texttt{OP\_{#1}}}
|
||||
|
||||
% Equihash and block headers
|
||||
\newcommand{\validEquihashSolution}{\term{valid Equihash solution}}
|
||||
|
@ -552,6 +568,7 @@
|
|||
\newcommand{\Receive}{\mathsf{Receive}}
|
||||
\newcommand{\EnforceCommit}[1]{\mathsf{enforce}_{#1}}
|
||||
|
||||
|
||||
\newcommand{\consensusrule}[1]{\subparagraph{Consensus rule:}{#1}}
|
||||
\newenvironment{consensusrules}{\subparagraph{Consensus rules:}\begin{itemize}}{\end{itemize}}
|
||||
\newcommand{\securityrequirement}[1]{\subparagraph{Security requirement:}{#1}}
|
||||
|
@ -767,10 +784,15 @@ The notation $T \subseteq U$ indicates that $T$ is an inclusive subset or subtyp
|
|||
|
||||
The notation $x \typecolon T$ is used to specify that $x$ has type $T$.
|
||||
A cartesian product type is denoted by $S \times T$, and a function type
|
||||
by $S \rightarrow T$. A subscripted argument of a function is taken to be
|
||||
its first argument, e.g.\ if $x \typecolon X$, $y \typecolon Y$, and
|
||||
$\PRF{x}{}(y) \typecolon Z$, then $\PRF{}{} \typecolon X \times Y \rightarrow Z$.
|
||||
An argument to a function can determine other argument or result types.
|
||||
by $S \rightarrow T$. The type of a randomized algorithm is denoted by $S \rightarrowR T$.
|
||||
The domain of a randomized algorithm may be $()$, indicating that it requires
|
||||
no arguments. An argument to a function can determine other argument or result
|
||||
types.
|
||||
|
||||
Initial arguments to a function or randomized algorithm may be
|
||||
written as subscripts, e.g.\ if $x \typecolon X$, $y \typecolon Y$, and
|
||||
$\PRF{}{} \typecolon X \times Y \rightarrow Z$, then an invocation of
|
||||
$\PRF{}{}(x, y)$ can also be written $\PRF{x}{}(y)$.
|
||||
|
||||
The following integer constants will be instantiated in \crossref{constants}:
|
||||
$\MerkleDepth$, $\NOld$, $\NNew$, $\MerkleHashLength$, $\hSigLength$,
|
||||
|
@ -1155,7 +1177,52 @@ This is not considered to be a significant security weakness.
|
|||
|
||||
\nsubsubsection{Signatures} \label{abstractsig}
|
||||
|
||||
\todo{Define $\JoinSplitSigAlg$.}
|
||||
A signature scheme $\Sig$ defines:
|
||||
|
||||
\begin{itemize}
|
||||
\item a type of signing keys $\SigPrivate$;
|
||||
\item a type of verifying keys $\SigPublic$;
|
||||
\item a type of messages $\SigMessage$;
|
||||
\item a type of signatures $\SigSignature$;
|
||||
\item a randomized key pair generation algorithm $\SigGen \typecolon () \rightarrowR \SigPrivate \times \SigPublic$;
|
||||
\item a randomized signing algorithm $\SigSign{} \typecolon \SigPrivate \times \SigMessage \rightarrowR \SigSignature$;
|
||||
\item a verifying algorithm $\SigVerify{} \typecolon \SigPublic \times \SigMessage \times \SigSignature \rightarrow \bit$;
|
||||
\end{itemize}
|
||||
|
||||
such that for any key pair $(\sk, \vk) \leftarrow \SigGen()$, and
|
||||
any $m \typecolon \SigMessage$ and $s \typecolon \SigSignature \leftarrow \SigSign{\sk}(m)$,
|
||||
$\SigVerify{\vk}(m, s) = 1$.
|
||||
|
||||
\Zcash uses two signature schemes, one used for signatures that can be verified
|
||||
by script operations such as \ScriptOP{CHECKSIG} and \ScriptOP{CHECKMULTISIG} as
|
||||
in \Bitcoin, and one called $\JoinSplitSig$ which is used to sign \transactions
|
||||
that contain at least one \joinSplitDescription. The latter is instantiated in
|
||||
\crossref{concretesig}. The following defines only the security properties needed
|
||||
for $\JoinSplitSig$.
|
||||
|
||||
\securityrequirement{
|
||||
$\JoinSplitSig$ must be Strongly Unforgeable under (non-adaptive)
|
||||
Chosen Message Attack (SU-CMA), as defined for example in
|
||||
\cite[Definition 6]{BDEHR2011}. This allows an adversary to obtain
|
||||
signatures on chosen messages, and then requires it to be infeasible
|
||||
for the adversary to forge a previously unseen valid \mbox{(message, signature)}
|
||||
pair without access to the signing key.
|
||||
}
|
||||
|
||||
\begin{pnotes}
|
||||
\item Since a fresh key pair is generated for every \transaction containing
|
||||
a \joinSplitDescription and is only used for one signature (see
|
||||
\crossref{nonmalleability}), a one-time signature scheme would
|
||||
suffice for $\JoinSplitSig$. This is also the reason why only
|
||||
security against \emph{non-adaptive} chosen message attack is needed.
|
||||
In fact the instantiation of $\JoinSplitSig$ uses a scheme designed
|
||||
for security under adaptive attack even when multiple signatures are
|
||||
signed under the same key.
|
||||
\item SU-CMA security requires it to be infeasible for the adversary to
|
||||
forge a distinct signature on a previously seen message. That is,
|
||||
\joinSplitSignatures are intended to be nonmalleable in the sense of
|
||||
\cite{BIP-62}.
|
||||
\end{pnotes}
|
||||
|
||||
|
||||
\nsubsubsection{Commitment} \label{abstractcomm}
|
||||
|
@ -1261,7 +1328,7 @@ A \joinSplitTransfer, as specified in \crossref{joinsplit}, is encoded in
|
|||
|
||||
Each \transaction includes a sequence of zero or more \joinSplitDescriptions.
|
||||
When this sequence is non-empty, the \transaction also includes encodings of a
|
||||
$\JoinSplitSigAlg$ public verification key and signature.
|
||||
$\JoinSplitSig$ public verification key and signature.
|
||||
|
||||
Each \joinSplitDescription consists of $(\vpubOld, \vpubNew, \rt,
|
||||
\nfOld{\allOld}, \cmNew{\allNew}, \EphemeralPublic, \RandomSeed,
|
||||
|
@ -1321,7 +1388,9 @@ $\hSigCRH$ is instantiated in \crossref{hsigcrh}.
|
|||
|
||||
In order to send \xprotected value, the sender constructs a \transaction
|
||||
containing one or more \joinSplitDescriptions. This involves first generating
|
||||
a new $\JoinSplitSigAlg$ key pair, which includes $\joinSplitPubKey$.
|
||||
a new $\JoinSplitSig$ key pair:
|
||||
|
||||
\hskip 1.5em $(\joinSplitPrivKey, \joinSplitPubKey) \leftarrow \JoinSplitSigGen()$.
|
||||
|
||||
For each \joinSplitDescription, the sender chooses $\RandomSeed$ uniformly at
|
||||
random on $\bitseq{\RandomSeedLength}$, and selects
|
||||
|
@ -1342,9 +1411,13 @@ of the input \notes and of the output \notes. Other considerations relating to
|
|||
information leakage from the structure of \transactions are beyond the
|
||||
scope of this specification.
|
||||
|
||||
After generating all of the \joinSplitDescriptions, the sender constructs the
|
||||
encoded \transaction as described in \crossref{joinsplitencoding}, signed with the
|
||||
private \joinSplitSigningKey, and submits it to the network.
|
||||
After generating all of the \joinSplitDescriptions, the sender obtains the
|
||||
$\dataToBeSigned$ (\crossref{nonmalleability}), and signs it with
|
||||
the private \joinSplitSigningKey:
|
||||
|
||||
\hskip 1.5em $\joinSplitSig \leftarrow \JoinSplitSigSign{\text{\small\joinSplitPrivKey}}(\dataToBeSigned)$
|
||||
|
||||
Then the encoded \transaction including $\joinSplitSig$ is submitted to the network.
|
||||
|
||||
|
||||
\nsubsubsection{\DummyNotes} \label{dummynotes}
|
||||
|
@ -1414,8 +1487,8 @@ $\MerkleNode{\MerkleDepth}{i}$ is in a tree with a given \merkleRoot $\rt = \Mer
|
|||
|
||||
\Bitcoin defines several \sighashTypes that cover various parts of a transaction.
|
||||
\changed{In \Zcash, all of these \sighashTypes are extended to cover the \Zcash-specific
|
||||
fields $\nJoinSplit$, $\vJoinSplit$, and (if present) $\joinSplitPubKey$.
|
||||
They \emph{do not} cover the field $\joinSplitSig$.
|
||||
fields $\nJoinSplit$, $\vJoinSplit$, and (if present) $\joinSplitPubKey$, described in
|
||||
\crossref{txnencoding}. They \emph{do not} cover the field $\joinSplitSig$.
|
||||
|
||||
\consensusrule{
|
||||
If $\nJoinSplit > 0$, the \transaction{} \MUSTNOT use \sighashTypes other than
|
||||
|
@ -1429,18 +1502,18 @@ the non-\Zcash-specific parts of the \transaction.}
|
|||
|
||||
In order to ensure that a \joinSplitDescription is cryptographically bound to the
|
||||
\transparent inputs and outputs corresponding to $\vpubNew$ and $\vpubOld$, and
|
||||
to the other \joinSplitDescriptions in the same \transaction, an ephemeral $\JoinSplitSigAlg$
|
||||
to the other \joinSplitDescriptions in the same \transaction, an ephemeral $\JoinSplitSig$
|
||||
key pair is generated for each \transaction, and the $\dataToBeSigned$ is
|
||||
signed with the private signing key of this key pair. The corresponding public
|
||||
verification key is included in the \transaction encoding as $\joinSplitPubKey$.
|
||||
|
||||
$\JoinSplitSigAlg$ is instantiated in \crossref{concretesig}.
|
||||
$\JoinSplitSig$ is instantiated in \crossref{concretesig}.
|
||||
|
||||
\changed{
|
||||
If $\nJoinSplit$ is zero, the $\joinSplitPubKey$ and $\joinSplitSig$ fields are
|
||||
omitted. Otherwise, a \transaction has a correct \joinSplitSignature if
|
||||
$\joinSplitSig$ can be verified as an encoding of a signature on $\dataToBeSigned$
|
||||
as specified above, using $\joinSplitPubKey$.
|
||||
omitted. Otherwise, a \transaction has a correct \joinSplitSignature if and only if
|
||||
$\JoinSplitSigVerify{\text{\small\joinSplitPubKey}}(\dataToBeSigned, \joinSplitSig) = 1$.
|
||||
% FIXME: distinguish pubkey and signature from their encodings.
|
||||
}
|
||||
|
||||
The condition enforced by the \joinSplitStatement specified in \crossref{nonmalleablepour}
|
||||
|
@ -2055,8 +2128,9 @@ where:
|
|||
|
||||
\nsubsubsection{Signatures} \label{concretesig}
|
||||
|
||||
\changed{
|
||||
$\JoinSplitSigAlg$ is instantiated as $\JoinSplitSigSpecific$ \cite{BDL+2012},
|
||||
$\JoinSplitSig$ is specified in \crossref{abstractsig}.
|
||||
|
||||
\changed{It is instantiated as $\JoinSplitSigSpecific$ \cite{BDL+2012},
|
||||
with the additional requirement that $\EdDSAs$ (the integer represented
|
||||
by $\EdDSAS$) must be less than the prime
|
||||
$\ell = 2^{252} + 27742317777372353535851937790883648493$,
|
||||
|
@ -2465,7 +2539,7 @@ computation, which has yet to be performed.
|
|||
|
||||
\nsection{Consensus Changes from \Bitcoin}
|
||||
|
||||
\nsubsection{Encoding of \Transactions}
|
||||
\nsubsection{Encoding of \Transactions} \label{txnencoding}
|
||||
|
||||
The \Zcash \transaction format is as follows:
|
||||
|
||||
|
@ -2494,7 +2568,7 @@ in $\vJoinSplit$. \\ \hline
|
|||
\Longunderstack{1802 $\times$ \\ $\nJoinSplit\,\dagger$} & $\vJoinSplit$ & \type{JoinSplitDescription} \type{[$\nJoinSplit$]} &
|
||||
A \sequenceOfJoinSplitDescriptions, each encoded as described in \crossref{joinsplitencoding}. \\ \hline
|
||||
|
||||
32 $\ddagger$ & $\joinSplitPubKey$ & \type{char[32]} & An encoding of a $\JoinSplitSigAlg$
|
||||
32 $\ddagger$ & $\joinSplitPubKey$ & \type{char[32]} & An encoding of a $\JoinSplitSig$
|
||||
public verification key. \\ \hline
|
||||
|
||||
64 $\ddagger$ & $\joinSplitSig$ & \type{char[64]} & A signature on a prefix of the \transaction encoding,
|
||||
|
|
|
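Review bot: The consensus rule in the `\changed{` block of the hunk headed `@ -1429,18 +1502,18 @@` applies `\JoinSplitSigVerify` directly to the transaction fields `\joinSplitPubKey` and `\joinSplitSig`, which the encoding table in the hunk headed `@ -2494,7 +2568,7 @@` types as `char[32]` and `char[64]`, whereas the abstract definition in the `\label{abstractsig}` hunk gives the verifier arguments of type `\SigPublic` and `\SigSignature`; the `if and only if` is therefore left undefined for a field that is not a valid encoding of such an element. The `% FIXME` line acknowledges the gap, but since this rule is consensus-critical the outcome should be stated now, e.g. `If $\joinSplitPubKey$ or $\joinSplitSig$ is not the encoding of an element of the corresponding type, the \transaction does not have a correct \joinSplitSignature.` That sentence would also give the additional requirement in the `\label{concretesig}` hunk that `$\EdDSAs$` be less than `$\ell$` a defined place in the rule, as part of decoding the signature rather than a side condition. Separately, `\text{\small\joinSplitPrivKey}` and `\text{\small\joinSplitPubKey}` put font-size styling inline in two math subscripts; one preamble macro for the key subscript would keep both sites consistent.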
@ -184,6 +184,15 @@ L. Hern{\'a}ndez Encinas and C. S{\'a}nchez {\'A}vila},
|
|||
howpublished={Cryptology ePrint Archive: Report 2011/708. \mbox{December 28,} 2011.}
|
||||
}
|
||||
|
||||
@misc{BDEHR2011,
|
||||
author={Johannes Buchmann and Erik Dahmen and Sarah Ereth and Andreas H{\"u}lsing and Markus R{\"u}ckert},
|
||||
title={On the {S}ecurity of the {W}internitz {O}ne-{T}ime {S}ignature {S}cheme (full version)},
|
||||
url={https://eprint.iacr.org/2011/191},
|
||||
urldate={2016-09-05},
|
||||
howpublished={Cryptology ePrint Archive: Report 2011/191.
|
||||
Received \mbox{April 13,} 2011.}
|
||||
}
|
||||
|
||||
@misc{vanS2014,
|
||||
author={Nicolas van Saberhagen},
|
||||
title={CryptoNote v 2.0},
|
||||
|
@ -228,6 +237,14 @@ L. Hern{\'a}ndez Encinas and C. S{\'a}nchez {\'A}vila},
|
|||
urldate={2016-08-13}
|
||||
}
|
||||
|
||||
@misc{BIP-62,
|
||||
author={Pieter Wuille},
|
||||
title={Dealing with malleability},
|
||||
howpublished={Bitcoin Improvement Proposal 62. Withdrawn Nov\-ember 17, 2015},
|
||||
url={https://github.com/bitcoin/bips/blob/master/bip-0062.mediawiki},
|
||||
urldate={2016-09-05}
|
||||
}
|
||||
|
||||
@misc{BIP-68,
|
||||
author={Mark Friedenbach and BtcDrak and Nicolas Dorier and kinoshitajona},
|
||||
title={Relative lock-time using con\-sensus-enforced sequence numbers},
|
||||
|
|