Give a definition for SHA-512. Also some refactoring of hash macros.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
6a4b1f5f6c
commit
31b844c37c
|
@ -680,6 +680,15 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\collisionResistance}{\term{collision resistance}}
|
\newcommand{\collisionResistance}{\term{collision resistance}}
|
||||||
\newcommand{\xCollisionResistance}{\termx{collision resistance}}
|
\newcommand{\xCollisionResistance}{\termx{collision resistance}}
|
||||||
|
|
||||||
|
\newcommand{\shaHash}{\termandindexx{$\SHAFull$}{SHA-256}}
|
||||||
|
\newcommand{\shadHash}{\termandindexx{$\SHAFulld$}{SHA-256d}}
|
||||||
|
\newcommand{\shaCompress}{\termandindexx{$\SHACompress$}{SHA256Compress}}
|
||||||
|
\newcommand{\shaHashText}{\texorpdfstring{$\SHAFull$}{SHA-256}}
|
||||||
|
\newcommand{\shadHashText}{\texorpdfstring{$\SHAFulld$}{SHA-256d}}
|
||||||
|
\newcommand{\shaCompressText}{\texorpdfstring{$\SHACompress$}{SHA256Compress}}
|
||||||
|
\newcommand{\bigShaHash}{\termandindexx{$\BigSHAFull$}{SHA-512}}
|
||||||
|
\newcommand{\bigShaHashText}{\texorpdfstring{$\BigSHAFull$}{SHA-512}}
|
||||||
|
|
||||||
\newcommand{\publicKey}{\term{public key}}
|
\newcommand{\publicKey}{\term{public key}}
|
||||||
\newcommand{\publicKeys}{\terms{public key}}
|
\newcommand{\publicKeys}{\terms{public key}}
|
||||||
\newcommand{\privateKey}{\term{private key}}
|
\newcommand{\privateKey}{\term{private key}}
|
||||||
|
@ -1172,6 +1181,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\SHAFull}{\mathsf{SHA\mhyphen256}}
|
\newcommand{\SHAFull}{\mathsf{SHA\mhyphen256}}
|
||||||
\newcommand{\SHAFullBox}[1]{\SHAFull\left(\Justthebox{#1}\right)}
|
\newcommand{\SHAFullBox}[1]{\SHAFull\left(\Justthebox{#1}\right)}
|
||||||
\newcommand{\SHAFulld}{\mathsf{SHA\mhyphen256d}}
|
\newcommand{\SHAFulld}{\mathsf{SHA\mhyphen256d}}
|
||||||
|
\newcommand{\BigSHAFull}{\mathsf{SHA\mhyphen512}}
|
||||||
\newcommand{\BlakeTwoGeneric}{\mathsf{BLAKE2}}
|
\newcommand{\BlakeTwoGeneric}{\mathsf{BLAKE2}}
|
||||||
\newcommand{\BlakeTwobGeneric}{\mathsf{BLAKE2b}}
|
\newcommand{\BlakeTwobGeneric}{\mathsf{BLAKE2b}}
|
||||||
\newcommand{\BlakeTwob}[1]{\mathsf{BLAKE2b\kern 0.05em\mhyphen{#1}}}
|
\newcommand{\BlakeTwob}[1]{\mathsf{BLAKE2b\kern 0.05em\mhyphen{#1}}}
|
||||||
|
@ -1608,7 +1618,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\EdDSAReprA}[1]{\bytes{\EdDSASigA{#1}}}
|
\newcommand{\EdDSAReprA}[1]{\bytes{\EdDSASigA{#1}}}
|
||||||
\newcommand{\EdDSASigc}[1]{c_{#1}}
|
\newcommand{\EdDSASigc}[1]{c_{#1}}
|
||||||
\newcommand{\EdDSABase}{B}
|
\newcommand{\EdDSABase}{B}
|
||||||
\newcommand{\EdSpecificHash}{\mathsf{SHA\mhyphen512}}
|
|
||||||
\newcommand{\EdSpecificPublic}{\EdSpecificAlg\mathsf{.Public}}
|
\newcommand{\EdSpecificPublic}{\EdSpecificAlg\mathsf{.Public}}
|
||||||
\newcommand{\EdSpecificPrivate}{\EdSpecificAlg\mathsf{.Private}}
|
\newcommand{\EdSpecificPrivate}{\EdSpecificAlg\mathsf{.Private}}
|
||||||
\newcommand{\EdSpecificMessage}{\EdSpecificAlg\mathsf{.Message}}
|
\newcommand{\EdSpecificMessage}{\EdSpecificAlg\mathsf{.Message}}
|
||||||
|
@ -1773,12 +1782,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\nNonce}{\mathtt{nNonce}}
|
\newcommand{\nNonce}{\mathtt{nNonce}}
|
||||||
\newcommand{\solutionSize}{\mathtt{solutionSize}}
|
\newcommand{\solutionSize}{\mathtt{solutionSize}}
|
||||||
\newcommand{\solution}{\mathtt{solution}}
|
\newcommand{\solution}{\mathtt{solution}}
|
||||||
\newcommand{\shaHash}{\termandindexx{$\SHAFull$}{SHA-256}}
|
|
||||||
\newcommand{\shadHash}{\termandindexx{$\SHAFulld$}{SHA-256d}}
|
|
||||||
\newcommand{\shaCompress}{\termandindexx{$\SHACompress$}{SHA256Compress}}
|
|
||||||
\newcommand{\shaHashText}{\texorpdfstring{$\SHAFull$}{SHA-256}}
|
|
||||||
\newcommand{\shadHashText}{\texorpdfstring{$\SHAFulld$}{SHA-256d}}
|
|
||||||
\newcommand{\shaCompressText}{\texorpdfstring{$\SHACompress$}{SHA256Compress}}
|
|
||||||
|
|
||||||
% Proving system
|
% Proving system
|
||||||
|
|
||||||
|
@ -6112,9 +6115,9 @@ Define:
|
||||||
|
|
||||||
\lsubsubsection{Hash Functions}{concretehashes}
|
\lsubsubsection{Hash Functions}{concretehashes}
|
||||||
|
|
||||||
\lsubsubsubsection{\shaHashText{}, \shadHashText{}, and \shaCompressText{} Hash Functions}{concretesha256}
|
\extralabel{concretesha256}{\lsubsubsubsection{\shaHashText{}, \shadHashText{}, \shaCompressText{}, and \bigShaHashText{} Hash Functions}{concretesha}}
|
||||||
|
|
||||||
SHA-256 is defined by \cite{NIST2015}.
|
SHA-256 and SHA-512 are defined by \cite{NIST2015}.
|
||||||
|
|
||||||
\Zcash uses the full \defining{\shaHash} \hashFunction to instantiate $\NoteCommitmentSprout$.
|
\Zcash uses the full \defining{\shaHash} \hashFunction to instantiate $\NoteCommitmentSprout$.
|
||||||
|
|
||||||
|
@ -6130,6 +6133,7 @@ byte-sequence interface for messages and outputs, such that the
|
||||||
associated bit sequence. (In the NIST specification ``first'' is conflated with
|
associated bit sequence. (In the NIST specification ``first'' is conflated with
|
||||||
``leftmost''.)
|
``leftmost''.)
|
||||||
|
|
||||||
|
\introlist
|
||||||
\defining{\shadHash}, defined as a double application of \shaHash, is used to hash \blockHeaders:
|
\defining{\shadHash}, defined as a double application of \shaHash, is used to hash \blockHeaders:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
|
@ -6152,9 +6156,22 @@ $\MerkleCRHSprout$.
|
||||||
\item $\SHACompress \typecolon \bitseq{512} \rightarrow \bitseq{256}$
|
\item $\SHACompress \typecolon \bitseq{512} \rightarrow \bitseq{256}$
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
|
\vspace{-2ex}
|
||||||
The ordering of bits within words in the interface to $\SHACompress$ is
|
The ordering of bits within words in the interface to $\SHACompress$ is
|
||||||
consistent with \cite[section 3.1]{NIST2015}, i.e.\ big-endian.
|
consistent with \cite[section 3.1]{NIST2015}, i.e.\ big-endian.
|
||||||
|
|
||||||
|
\changed{
|
||||||
|
\vspace{2ex}
|
||||||
|
\EdSpecific uses \defining{\bigShaHash}:
|
||||||
|
|
||||||
|
\begin{formulae}
|
||||||
|
\item $\BigSHAFull \typecolon \byteseqs \rightarrow \byteseq{64}$
|
||||||
|
\end{formulae}
|
||||||
|
|
||||||
|
\vspace{-2ex}
|
||||||
|
The comment above concerning bit vs byte-sequence interfaces also applies to \bigShaHash.
|
||||||
|
} %changed
|
||||||
|
|
||||||
|
|
||||||
\lsubsubsubsection{\sprout{BLAKE2b Hash Function}\notsprout{BLAKE2 Hash Functions}}{concreteblake2}
|
\lsubsubsubsection{\sprout{BLAKE2b Hash Function}\notsprout{BLAKE2 Hash Functions}}{concreteblake2}
|
||||||
|
|
||||||
|
@ -6220,20 +6237,14 @@ and $\GroupJHash{}$.
|
||||||
\sprout{
|
\sprout{
|
||||||
$\MerkleCRHSprout$ is used to hash \incrementalMerkleTree \merkleHashes.
|
$\MerkleCRHSprout$ is used to hash \incrementalMerkleTree \merkleHashes.
|
||||||
|
|
||||||
Let $\SHACompress$ be as specified in \crossref{concretesha256}.
|
|
||||||
|
|
||||||
$\MerkleCRHSprout \typecolon \MerkleHashSprout \times \MerkleHashSprout \rightarrow \MerkleHashSprout$
|
$\MerkleCRHSprout \typecolon \MerkleHashSprout \times \MerkleHashSprout \rightarrow \MerkleHashSprout$
|
||||||
is defined as follows:
|
is defined as follows:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\MerkleCRHSprout(\mathsf{left}, \mathsf{right}) := \SHACompressBox{\merklebox}$.
|
\item $\MerkleCRHSprout(\mathsf{left}, \mathsf{right}) := \SHACompressBox{\merklebox}$.
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
} %sprout
|
||||||
|
|
||||||
\pnote{
|
|
||||||
\shaCompress is not the same as the \shaHash function, which hashes arbitrary-length
|
|
||||||
byte sequences.
|
|
||||||
}
|
|
||||||
}
|
|
||||||
\notsprout{
|
\notsprout{
|
||||||
$\MerkleCRHSprout$ and $\MerkleCRHSapling$ are used to hash
|
$\MerkleCRHSprout$ and $\MerkleCRHSapling$ are used to hash
|
||||||
\incrementalMerkleTree \merkleHashes for \Sprout and \Sapling respectively.
|
\incrementalMerkleTree \merkleHashes for \Sprout and \Sapling respectively.
|
||||||
|
@ -6241,15 +6252,16 @@ $\MerkleCRHSprout$ and $\MerkleCRHSapling$ are used to hash
|
||||||
\vspace{-2ex}
|
\vspace{-2ex}
|
||||||
\lsubsubsubsubsection{$\MerkleCRHSprout$ Hash Function}{sproutmerklecrh}
|
\lsubsubsubsubsection{$\MerkleCRHSprout$ Hash Function}{sproutmerklecrh}
|
||||||
|
|
||||||
\vspace{-2ex}
|
|
||||||
Let \shaCompress be as specified in \crossref{concretesha256}.
|
|
||||||
|
|
||||||
$\MerkleCRHSprout \typecolon \MerkleLayerSprout \times \MerkleHashSprout \times \MerkleHashSprout
|
$\MerkleCRHSprout \typecolon \MerkleLayerSprout \times \MerkleHashSprout \times \MerkleHashSprout
|
||||||
\rightarrow \MerkleHashSprout$ is defined as follows:
|
\rightarrow \MerkleHashSprout$ is defined as follows:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\MerkleCRHSprout(\mathsf{layer}, \mathsf{left}, \mathsf{right}) := \SHACompressBox{\merklebox}$.
|
\item $\MerkleCRHSprout(\mathsf{layer}, \mathsf{left}, \mathsf{right}) := \SHACompressBox{\merklebox}$.
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
} %notsprout
|
||||||
|
|
||||||
|
\vspace{-1ex}
|
||||||
|
$\SHACompress$ is defined in \crossref{concretesha256}.
|
||||||
|
|
||||||
\vspace{-2ex}
|
\vspace{-2ex}
|
||||||
\securityrequirement{
|
\securityrequirement{
|
||||||
|
@ -6257,12 +6269,19 @@ $\MerkleCRHSprout \typecolon \MerkleLayerSprout \times \MerkleHashSprout \times
|
||||||
such that $\SHACompress(x) = \zeros{256}$.
|
such that $\SHACompress(x) = \zeros{256}$.
|
||||||
}
|
}
|
||||||
|
|
||||||
|
\sprout{
|
||||||
|
\pnote{
|
||||||
|
\shaCompress is not the same as the \shaHash function, which hashes arbitrary-length
|
||||||
|
byte sequences.
|
||||||
|
}
|
||||||
|
} %sprout
|
||||||
|
\notsprout{
|
||||||
\begin{pnotes}
|
\begin{pnotes}
|
||||||
\item The $\mathsf{layer}$ argument does not affect the output.
|
\item The $\mathsf{layer}$ argument does not affect the output.
|
||||||
\item \shaCompress is not the same as the \shaHash function, which hashes arbitrary-length
|
\item \shaCompress is not the same as the \shaHash function, which hashes arbitrary-length
|
||||||
byte sequences.
|
byte sequences.
|
||||||
\end{pnotes}
|
\end{pnotes}
|
||||||
}
|
} %notsprout
|
||||||
|
|
||||||
\sapling{
|
\sapling{
|
||||||
\vspace{-2ex}
|
\vspace{-2ex}
|
||||||
|
@ -6771,7 +6790,7 @@ $n = 200$).
|
||||||
\introsection
|
\introsection
|
||||||
\lsubsubsection{Pseudo Random Functions}{concreteprfs}
|
\lsubsubsection{Pseudo Random Functions}{concreteprfs}
|
||||||
|
|
||||||
Let \shaCompress be as defined in \crossref{concretesha256}.
|
Let \shaCompress be as given in \crossref{concretesha256}.
|
||||||
|
|
||||||
The \pseudoRandomFunctions $\PRFaddr{}$, $\PRFnf{}$, $\PRFpk{}$\changed{, and $\PRFrho{}$},
|
The \pseudoRandomFunctions $\PRFaddr{}$, $\PRFnf{}$, $\PRFpk{}$\changed{, and $\PRFrho{}$},
|
||||||
described in \crossref{abstractprfs}, are all instantiated using \shaCompress:
|
described in \crossref{abstractprfs}, are all instantiated using \shaCompress:
|
||||||
|
@ -7178,7 +7197,7 @@ In this specification, the first two of these are accepted as encodings of $(0,
|
||||||
accepted as an encoding of $(0, -1)$.}
|
accepted as an encoding of $(0, -1)$.}
|
||||||
|
|
||||||
\vspace{2ex}
|
\vspace{2ex}
|
||||||
\EdSpecific is defined as in \cite{BDLSY2012}, using $\EdSpecificHash$ as the internal \hashFunction,
|
\EdSpecific is defined as in \cite{BDLSY2012}, using \bigShaHash as the internal \hashFunction,
|
||||||
with the additional requirements below. A valid \EdSpecific \validatingKey is defined as a sequence of
|
with the additional requirements below. A valid \EdSpecific \validatingKey is defined as a sequence of
|
||||||
$32$ bytes encoding a point on the \EdSpecific curve.
|
$32$ bytes encoding a point on the \EdSpecific curve.
|
||||||
All conversions between \EdSpecific points, byte sequences, and integers used in this section are as
|
All conversions between \EdSpecific points, byte sequences, and integers used in this section are as
|
||||||
|
@ -7198,7 +7217,7 @@ a message $M$ are:
|
||||||
single-signature validation.}
|
single-signature validation.}
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\vspace{-2ex}
|
\vspace{-2ex}
|
||||||
where $\EdDSASigc{}$ is computed as the integer corresponding to $\EdSpecificHash(\EdDSAReprR{} \bconcat \EdDSAReprA{} \bconcat M)$
|
where $\EdDSASigc{}$ is computed as the integer corresponding to $\BigSHAFull(\EdDSAReprR{} \bconcat \EdDSAReprA{} \bconcat M)$
|
||||||
as specified in \cite{BDLSY2012}.
|
as specified in \cite{BDLSY2012}.
|
||||||
|
|
||||||
If these requirements are not met or the validation equation does not hold, then the signature is
|
If these requirements are not met or the validation equation does not hold, then the signature is
|
||||||
|
@ -10770,6 +10789,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
||||||
|
|
||||||
\historyentry{2020.1.12}{2020-08-03}
|
\historyentry{2020.1.12}{2020-08-03}
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
|
\item Include \bigShaHash in \crossref{concretesha}.
|
||||||
\item Add a reference to \cite{BCCGLRT2014} in \crossref{abstractzk}.
|
\item Add a reference to \cite{BCCGLRT2014} in \crossref{abstractzk}.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
|
|
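Review bot: The new cross-references at `$\SHACompress$ is defined in \crossref{concretesha256}.` (hunk @ -6241) and `Let \shaCompress be as given in \crossref{concretesha256}.` (hunk @ -6771) still point at the legacy label, even though this commit renames the section label to `concretesha` via `\extralabel{concretesha256}{...}` and the new history entry already uses `\crossref{concretesha}`; for consistency the two added lines should read `\crossref{concretesha}` and the `\extralabel` alias be kept only for external links into the old anchor. The removal of `\newcommand{\EdSpecificHash}{\mathsf{SHA\mhyphen512}}` (hunk @ -1608) is only safe if the two replacements in the @ -7178 and @ -7198 hunks are the sole uses of `\EdSpecificHash` in the file; any remaining use outside these hunks would fail the build with an undefined control sequence, so a grep over the whole document is worth doing before merging. A short comment next to the `\extralabel` line, e.g. `% concretesha256 kept as an alias for pre-2020.1.12 links`, would tell the next editor why two labels exist for one section.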