From 30f4dfc54525388a8a00f54e73cc062f0f4ecfac Mon Sep 17 00:00:00 2001
From: Daira Hopwood
Date: Tue, 22 May 2018 21:59:13 +0100
Subject: [PATCH] Correct an error in the computation of generators for Pedersen hashes.
Signed-off-by: Daira Hopwood
---
 protocol/protocol.tex | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index eb9247ff..7340595c 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -3546,6 +3546,8 @@ $\AuthSignPublic$, $\AuthProvePublic$, and $\InViewingKey$ are then derived as: $\InViewingKey$ &$:= \CRHivkBox{\crhivkinputbox}$. \end{tabular}
+If $\InViewingKey = 0$, discard this key and repeat with a new $\SpendingKey$.
+
 \vspace{2ex} As explained in \crossref{addressesandkeys}, \Sapling allows the efficient creation of multiple \diversifiedPaymentAddresses with the same spending
@@ -3588,7 +3590,8 @@ Define: \first\big(\fun{i \typecolon \byte}{\CheckDiversifier(\truncate{(\DiversifierLength/8)}(\PRFexpand{\sk}([3, i]))) \typecolon \GroupJ}\big)$. \end{formulae}
-For a random \spendingKey, $\DefaultDiversifier$ returns $\bot$ with probability approximately $2^{-256}$.
+For a random \spendingKey, $\DefaultDiversifier$ returns $\bot$ with probability approximately $2^{-256}$;
+if this happens, discard the key and repeat with a different $\SpendingKey$.
 \vspace{-2ex} \begin{pnotes}
@@ -5442,7 +5445,7 @@ Let $c := 63$. \newsavebox{\gencountbox} \begin{lrbox}{\gencountbox} \begin{bytefield}[bitwidth=0.28em]{32}
- \sbitbox{32}{$32$-bit $\floor{\frac{i-1}{c}}$}
+ \sbitbox{32}{$32$-bit $i-1$}
 \end{bytefield} \end{lrbox}
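Review bot: The added sentence rejects $\InViewingKey = 0$ at generation time only, without saying why the value is unusable or what a consumer of an externally supplied key should do with it. Presumably the concern is that $\InViewingKey$ is later used as a scalar, so a zero value would make the derived public key independent of the diversified base; if so, a one-line pnote stating that would let implementers see the check is security-relevant rather than cosmetic, e.g. `% $\InViewingKey$ is used as a scalar below; $0$ would give a degenerate key.`. The sentence also says "discard this key and repeat with a new $\SpendingKey$" while the changelog entry in the same commit says key generation "fails"; normative wording such as `The key MUST be rejected and generation repeated with a new $\SpendingKey$.` would remove the ambiguity. Whether the same check applies when an $\InViewingKey$ is decoded or imported rather than freshly derived is not addressed and would be worth stating.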
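Review bot: The new clause on $\DefaultDiversifier$ returning $\bot$ says "repeat with a different $\SpendingKey$", whereas the sibling rejection added for $\InViewingKey = 0$ in the same commit says "repeat with a new $\SpendingKey$"; the two rejection paths should use the same phrasing so readers do not infer two different procedures, e.g. `if this happens, discard the key and repeat with a new $\SpendingKey$.`. Since key-generation rejection conditions are now spread over separate paragraphs, a single normative statement in the key-generation procedure that lists every condition under which a $\SpendingKey$ is discarded would be easier to implement and audit. The $2^{-256}$ probability figure is carried over unchanged and is not derived in the hunk.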
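Review bot: The corrected counter input ($i-1$ instead of $\floor{\frac{i-1}{c}}$) is security-critical and the hunk gives the reader no way to see that; if, as the surrounding text suggests, $i$ indexes the segment whose generator is being derived, the old formula would have assigned the same generator to $c$ consecutive segments, which destroys collision resistance of the Pedersen hash (two messages differing only by swapping the contents of two such segments would hash to the same point). A short pnote next to the bytefield would make the invariant explicit, e.g. `% Each segment MUST use a distinct generator; sharing generators across segments breaks collision resistance.`. The changelog entry for this fix says only "Correct an error", unlike the $\NoteCommitSapling{}$ entry which records that the spec was brought in line with sapling-crypto; it should state whether the implementation already used $i-1$ (a spec-only correction) or whether deployed code derived the wrong generators, since the two cases have very different consequences. The definition this box belongs to starts before and ends after the hunk.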
@@ -6276,8 +6279,8 @@ instantiated as follows using $\WindowedPedersenCommitAlg$: \begin{formulae} \item $\NoteCommitSapling{\NoteCommitRand}(\DiversifiedTransmitBaseRepr, \DiversifiedTransmitPublicRepr, \Value) :=
- \WindowedPedersenCommit{\NoteCommitRand}\left(\ones{6} \bconcat \DiversifiedTransmitBaseRepr \bconcat
- \DiversifiedTransmitPublicRepr \bconcat \ItoLEBSPOf{64}{\Value}\right)$.
+ \WindowedPedersenCommit{\NoteCommitRand}\left(\ones{6} \bconcat \ItoLEBSPOf{64}{\Value} \bconcat
+ \DiversifiedTransmitBaseRepr \bconcat \DiversifiedTransmitPublicRepr\right)$.
 \end{formulae} \vspace{-2ex}
@@ -8999,6 +9002,10 @@ found by Brian Warner. \item Make the public key prefix part of the input to the \hashFunction in $\RedDSA$, not part of the message. \item Correct the statement about $\FindGroupJHash$ never returning $\bot$.
+ \item Correct an error in the computation of generators for \xPedersenHashes.
+ \item Change the order in which $\NoteCommitSapling{}$ commits to its inputs, to match the
+ sapling-crypto implementation.
+ \item Fail \Sapling key generation if $\InViewingKey = 0$. (This has negligible probability.)
 \item Change terminology describing constraint systems. } %sapling \end{itemize}
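Review bot: Reordering the preimage of $\NoteCommitSapling{}$ changes the value of every note commitment, but nothing in the hunk tells an implementer that this ordering is normative and that the previous order (base, public key, value) yields incompatible commitments. A pnote below the formula would make that explicit, e.g. `The order of inputs is consensus-critical; $\ItoLEBSPOf{64}{\Value}$ precedes $\DiversifiedTransmitBaseRepr$ and $\DiversifiedTransmitPublicRepr$ to match the sapling-crypto implementation.`. Because the specification and sapling-crypto disagreed here without anything flagging it, a published test vector for $\NoteCommitSapling{}$ (fixed $\NoteCommitRand$, $\DiversifiedTransmitBase$, $\DiversifiedTransmitPublic$ and $\Value$ with the expected output point) would catch any future divergence of this kind. The formulae environment is fully visible, but the section it belongs to continues outside the hunk.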