Give a definition for SHA-512. Also some refactoring of hash macros.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>

protocol/protocol.tex

@@ -680,6 +680,15 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\collisionResistance}{\term{collision resistance}}
 \newcommand{\xCollisionResistance}{\termx{collision resistance}}
 
+\newcommand{\shaHash}{\termandindexx{$\SHAFull$}{SHA-256}}
+\newcommand{\shadHash}{\termandindexx{$\SHAFulld$}{SHA-256d}}
+\newcommand{\shaCompress}{\termandindexx{$\SHACompress$}{SHA256Compress}}
+\newcommand{\shaHashText}{\texorpdfstring{$\SHAFull$}{SHA-256}}
+\newcommand{\shadHashText}{\texorpdfstring{$\SHAFulld$}{SHA-256d}}
+\newcommand{\shaCompressText}{\texorpdfstring{$\SHACompress$}{SHA256Compress}}
+\newcommand{\bigShaHash}{\termandindexx{$\BigSHAFull$}{SHA-512}}
+\newcommand{\bigShaHashText}{\texorpdfstring{$\BigSHAFull$}{SHA-512}}
+
 \newcommand{\publicKey}{\term{public key}}
 \newcommand{\publicKeys}{\terms{public key}}
 \newcommand{\privateKey}{\term{private key}}
@@ -1172,6 +1181,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\SHAFull}{\mathsf{SHA\mhyphen256}}
 \newcommand{\SHAFullBox}[1]{\SHAFull\left(\Justthebox{#1}\right)}
 \newcommand{\SHAFulld}{\mathsf{SHA\mhyphen256d}}
+\newcommand{\BigSHAFull}{\mathsf{SHA\mhyphen512}}
 \newcommand{\BlakeTwoGeneric}{\mathsf{BLAKE2}}
 \newcommand{\BlakeTwobGeneric}{\mathsf{BLAKE2b}}
 \newcommand{\BlakeTwob}[1]{\mathsf{BLAKE2b\kern 0.05em\mhyphen{#1}}}
@@ -1608,7 +1618,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\EdDSAReprA}[1]{\bytes{\EdDSASigA{#1}}}
 \newcommand{\EdDSASigc}[1]{c_{#1}}
 \newcommand{\EdDSABase}{B}
-\newcommand{\EdSpecificHash}{\mathsf{SHA\mhyphen512}}
 \newcommand{\EdSpecificPublic}{\EdSpecificAlg\mathsf{.Public}}
 \newcommand{\EdSpecificPrivate}{\EdSpecificAlg\mathsf{.Private}}
 \newcommand{\EdSpecificMessage}{\EdSpecificAlg\mathsf{.Message}}
@@ -1773,12 +1782,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\nNonce}{\mathtt{nNonce}}
 \newcommand{\solutionSize}{\mathtt{solutionSize}}
 \newcommand{\solution}{\mathtt{solution}}
-\newcommand{\shaHash}{\termandindexx{$\SHAFull$}{SHA-256}}
-\newcommand{\shadHash}{\termandindexx{$\SHAFulld$}{SHA-256d}}
-\newcommand{\shaCompress}{\termandindexx{$\SHACompress$}{SHA256Compress}}
-\newcommand{\shaHashText}{\texorpdfstring{$\SHAFull$}{SHA-256}}
-\newcommand{\shadHashText}{\texorpdfstring{$\SHAFulld$}{SHA-256d}}
-\newcommand{\shaCompressText}{\texorpdfstring{$\SHACompress$}{SHA256Compress}}
 
 % Proving system
 
@@ -6112,9 +6115,9 @@ Define:
 
 \lsubsubsection{Hash Functions}{concretehashes}
 
-\lsubsubsubsection{\shaHashText{}, \shadHashText{}, and \shaCompressText{} Hash Functions}{concretesha256}
+\extralabel{concretesha256}{\lsubsubsubsection{\shaHashText{}, \shadHashText{}, \shaCompressText{}, and \bigShaHashText{} Hash Functions}{concretesha}}
 
-SHA-256 is defined by \cite{NIST2015}.
+SHA-256 and SHA-512 are defined by \cite{NIST2015}.
 
 \Zcash uses the full \defining{\shaHash} \hashFunction to instantiate $\NoteCommitmentSprout$.
 
@@ -6130,6 +6133,7 @@ byte-sequence interface for messages and outputs, such that the
 associated bit sequence. (In the NIST specification ``first'' is conflated with
 ``leftmost''.)
 
+\introlist
 \defining{\shadHash}, defined as a double application of \shaHash, is used to hash \blockHeaders:
 
 \begin{formulae}
@@ -6152,9 +6156,22 @@ $\MerkleCRHSprout$.
   \item $\SHACompress \typecolon \bitseq{512} \rightarrow \bitseq{256}$
 \end{formulae}
 
+\vspace{-2ex}
 The ordering of bits within words in the interface to $\SHACompress$ is
 consistent with \cite[section 3.1]{NIST2015}, i.e.\ big-endian.
 
+\changed{
+\vspace{2ex}
+\EdSpecific uses \defining{\bigShaHash}:
+
+\begin{formulae}
+  \item $\BigSHAFull \typecolon \byteseqs \rightarrow \byteseq{64}$
+\end{formulae}
+
+\vspace{-2ex}
+The comment above concerning bit vs byte-sequence interfaces also applies to \bigShaHash.
+} %changed
+
 
 \lsubsubsubsection{\sprout{BLAKE2b Hash Function}\notsprout{BLAKE2 Hash Functions}}{concreteblake2}
 
@@ -6220,20 +6237,14 @@ and $\GroupJHash{}$.
 \sprout{
 $\MerkleCRHSprout$ is used to hash \incrementalMerkleTree \merkleHashes.
 
-Let $\SHACompress$ be as specified in \crossref{concretesha256}.
-
 $\MerkleCRHSprout \typecolon \MerkleHashSprout \times \MerkleHashSprout \rightarrow \MerkleHashSprout$
 is defined as follows:
 
 \begin{formulae}
   \item $\MerkleCRHSprout(\mathsf{left}, \mathsf{right}) := \SHACompressBox{\merklebox}$.
 \end{formulae}
+} %sprout
 
-\pnote{
-\shaCompress is not the same as the \shaHash function, which hashes arbitrary-length
-byte sequences.
-}
-}
 \notsprout{
 $\MerkleCRHSprout$ and $\MerkleCRHSapling$ are used to hash
 \incrementalMerkleTree \merkleHashes for \Sprout and \Sapling respectively.
@@ -6241,15 +6252,16 @@ $\MerkleCRHSprout$ and $\MerkleCRHSapling$ are used to hash
 \vspace{-2ex}
 \lsubsubsubsubsection{$\MerkleCRHSprout$ Hash Function}{sproutmerklecrh}
 
-\vspace{-2ex}
-Let \shaCompress be as specified in \crossref{concretesha256}.
-
 $\MerkleCRHSprout \typecolon \MerkleLayerSprout \times \MerkleHashSprout \times \MerkleHashSprout
 \rightarrow \MerkleHashSprout$ is defined as follows:
 
 \begin{formulae}
   \item $\MerkleCRHSprout(\mathsf{layer}, \mathsf{left}, \mathsf{right}) := \SHACompressBox{\merklebox}$.
 \end{formulae}
+} %notsprout
+
+\vspace{-1ex}
+$\SHACompress$ is defined in \crossref{concretesha256}.
 
 \vspace{-2ex}
 \securityrequirement{
@@ -6257,12 +6269,19 @@ $\MerkleCRHSprout \typecolon \MerkleLayerSprout \times \MerkleHashSprout \times
 such that $\SHACompress(x) = \zeros{256}$.
 }
 
+\sprout{
+\pnote{
+\shaCompress is not the same as the \shaHash function, which hashes arbitrary-length
+byte sequences.
+}
+} %sprout
+\notsprout{
 \begin{pnotes}
   \item The $\mathsf{layer}$ argument does not affect the output.
   \item \shaCompress is not the same as the \shaHash function, which hashes arbitrary-length
         byte sequences.
 \end{pnotes}
-}
+} %notsprout
 
 \sapling{
 \vspace{-2ex}
@@ -6771,7 +6790,7 @@ $n = 200$).
 \introsection
 \lsubsubsection{Pseudo Random Functions}{concreteprfs}
 
-Let \shaCompress be as defined in \crossref{concretesha256}.
+Let \shaCompress be as given in \crossref{concretesha256}.
 
 The \pseudoRandomFunctions $\PRFaddr{}$, $\PRFnf{}$, $\PRFpk{}$\changed{, and $\PRFrho{}$},
 described in \crossref{abstractprfs}, are all instantiated using \shaCompress:
@@ -7178,7 +7197,7 @@ In this specification, the first two of these are accepted as encodings of $(0,
 accepted as an encoding of $(0, -1)$.}
 
 \vspace{2ex}
-\EdSpecific is defined as in \cite{BDLSY2012}, using $\EdSpecificHash$ as the internal \hashFunction,
+\EdSpecific is defined as in \cite{BDLSY2012}, using \bigShaHash as the internal \hashFunction,
 with the additional requirements below. A valid \EdSpecific \validatingKey is defined as a sequence of
 $32$ bytes encoding a point on the \EdSpecific curve.
 All conversions between \EdSpecific points, byte sequences, and integers used in this section are as
@@ -7198,7 +7217,7 @@ a message $M$ are:
         single-signature validation.}
 \end{itemize}
 \vspace{-2ex}
-where $\EdDSASigc{}$ is computed as the integer corresponding to $\EdSpecificHash(\EdDSAReprR{} \bconcat \EdDSAReprA{} \bconcat M)$
+where $\EdDSASigc{}$ is computed as the integer corresponding to $\BigSHAFull(\EdDSAReprR{} \bconcat \EdDSAReprA{} \bconcat M)$
 as specified in \cite{BDLSY2012}.
 
 If these requirements are not met or the validation equation does not hold, then the signature is
@@ -10770,6 +10789,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
 
 \historyentry{2020.1.12}{2020-08-03}
 \begin{itemize}
+    \item Include \bigShaHash in \crossref{concretesha}.
     \item Add a reference to \cite{BCCGLRT2014} in \crossref{abstractzk}.
 \end{itemize}