Correct an error in the computation of generators for Pedersen hashes.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2018-05-22 21:59:13 +01:00
parent 62f0c6a49b
commit 30f4dfc545
1 changed files with 11 additions and 4 deletions


@ -3546,6 +3546,8 @@ $\AuthSignPublic$, $\AuthProvePublic$, and $\InViewingKey$ are then derived as:
$\InViewingKey$ &$:= \CRHivkBox{\crhivkinputbox}$.
\end{tabular}
If $\InViewingKey = 0$, discard this key and repeat with a new $\SpendingKey$.
\vspace{2ex}
As explained in \crossref{addressesandkeys}, \Sapling allows the efficient
creation of multiple \diversifiedPaymentAddresses with the same spending
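Review bot: the sentence added after the $\InViewingKey$ derivation tells the reader to discard the key when $\InViewingKey = 0$ but gives neither a reason nor the probability of this happening, whereas the parallel rejection case for $\DefaultDiversifier$ in the hunk at line 3590 states its probability ($2^{-256}$). Suggest a short parenthetical here, e.g. `(This has negligible probability.)` as the changelog item in the hunk at line 9002 phrases it, or one sentence stating why a zero $\InViewingKey$ is rejected, so the two key-generation failure cases read consistently.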
@ -3588,7 +3590,8 @@ Define:
\first\big(\fun{i \typecolon \byte}{\CheckDiversifier(\truncate{(\DiversifierLength/8)}(\PRFexpand{\sk}([3, i]))) \typecolon \GroupJ}\big)$.
\end{formulae}
For a random \spendingKey, $\DefaultDiversifier$ returns $\bot$ with probability approximately $2^{-256}$.
For a random \spendingKey, $\DefaultDiversifier$ returns $\bot$ with probability approximately $2^{-256}$;
if this happens, discard the key and repeat with a different $\SpendingKey$.
\vspace{-2ex}
\begin{pnotes}
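Review bot: the new sentence says "repeat with a different $\SpendingKey$" while the equivalent sentence added in the hunk at line 3546 says "repeat with a new $\SpendingKey$"; pick one phrasing for both rejection cases. Also, the changelog hunk at line 9002 records the $\InViewingKey = 0$ failure but not this $\DefaultDiversifier$ returning $\bot$ case, and since both are now explicit key-generation failure conditions a matching changelog item would help implementers find it.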
@ -5442,7 +5445,7 @@ Let $c := 63$.
\newsavebox{\gencountbox}
\begin{lrbox}{\gencountbox}
\begin{bytefield}[bitwidth=0.28em]{32}
\sbitbox{32}{$32$-bit $\floor{\frac{i-1}{c}}$}
\sbitbox{32}{$32$-bit $i-1$}
\end{bytefield}
\end{lrbox}
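Review bot: the second box of \gencountbox now encodes $i-1$ instead of $\floor{\frac{i-1}{c}}$, but this hunk changes only the diagram; please confirm that the textual definition of the generator input which this box illustrates uses the same quantity, since a mismatch between picture and definition is exactly the kind of error this commit is meant to remove. Note also that `Let $c := 63$` in the context line was referenced by the removed box; check whether $c$ is still used elsewhere or is now a dead definition.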
@ -6276,8 +6279,8 @@ instantiated as follows using $\WindowedPedersenCommitAlg$:
\begin{formulae}
\item $\NoteCommitSapling{\NoteCommitRand}(\DiversifiedTransmitBaseRepr, \DiversifiedTransmitPublicRepr, \Value) :=
\WindowedPedersenCommit{\NoteCommitRand}\left(\ones{6} \bconcat \DiversifiedTransmitBaseRepr \bconcat
\DiversifiedTransmitPublicRepr \bconcat \ItoLEBSPOf{64}{\Value}\right)$.
\WindowedPedersenCommit{\NoteCommitRand}\left(\ones{6} \bconcat \ItoLEBSPOf{64}{\Value} \bconcat
\DiversifiedTransmitBaseRepr \bconcat \DiversifiedTransmitPublicRepr\right)$.
\end{formulae}
\vspace{-2ex}
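Review bot: moving $\ItoLEBSPOf{64}{\Value}$ ahead of $\DiversifiedTransmitBaseRepr$ and $\DiversifiedTransmitPublicRepr$ changes the bit string that $\NoteCommitSapling{}$ commits to, so every other place in the document that spells out the layout of this input (not just this definition) must be updated to the same order, and the surrounding text could state explicitly that the $\ones{6}$ prefix is unchanged and only the three fields after it were reordered. Since the changelog gives "to match the sapling-crypto implementation" as the reason, a one-line remark here that the previous order was never implemented would save readers from wondering whether two incompatible encodings exist.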
@ -8999,6 +9002,10 @@ found by Brian Warner.
\item Make the public key prefix part of the input to the \hashFunction in $\RedDSA$,
not part of the message.
\item Correct the statement about $\FindGroupJHash$ never returning $\bot$.
\item Correct an error in the computation of generators for \xPedersenHashes.
\item Change the order in which $\NoteCommitSapling{}$ commits to its inputs, to match the
sapling-crypto implementation.
\item Fail \Sapling key generation if $\InViewingKey = 0$. (This has negligible probability.)
\item Change terminology describing constraint systems.
} %sapling
\end{itemize}
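Review bot: the item "Correct an error in the computation of generators for \xPedersenHashes" does not say what the error was; since the fix in the hunk at line 5448 replaces $\floor{\frac{i-1}{c}}$ by $i-1$ in the generator input, stating that here lets implementers check whether they were affected. Likewise the $\NoteCommitSapling{}$ item could spell out the new order ($\ones{6}$, $\ItoLEBSPOf{64}{\Value}$, $\DiversifiedTransmitBaseRepr$, $\DiversifiedTransmitPublicRepr$) rather than only pointing to sapling-crypto.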