WIP: encryption and key derivation changes for viewing keys.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
d33c441c91
commit
3576398cfb
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -112,8 +112,9 @@
|
||||||
\newcommand{\AuthPrivateNew}[1]{\mathsf{a^{new}_{sk,\mathnormal{#1}}}}
|
\newcommand{\AuthPrivateNew}[1]{\mathsf{a^{new}_{sk,\mathnormal{#1}}}}
|
||||||
\newcommand{\AddressPublicNew}[1]{\mathsf{addr^{new}_{pk,\mathnormal{#1}}}}
|
\newcommand{\AddressPublicNew}[1]{\mathsf{addr^{new}_{pk,\mathnormal{#1}}}}
|
||||||
\newcommand{\enc}{\mathsf{enc}}
|
\newcommand{\enc}{\mathsf{enc}}
|
||||||
\newcommand{\alleged}{\mathsf{alleged}}
|
|
||||||
\newcommand{\disclose}{\mathsf{disclose}}
|
\newcommand{\disclose}{\mathsf{disclose}}
|
||||||
|
\newcommand{\shared}{\mathsf{shared}}
|
||||||
|
\newcommand{\DHSecret}[1]{\mathsf{dhsecret}_{#1}}
|
||||||
\newcommand{\EphemeralPublic}{\mathsf{epk}}
|
\newcommand{\EphemeralPublic}{\mathsf{epk}}
|
||||||
\newcommand{\EphemeralPrivate}{\mathsf{esk}}
|
\newcommand{\EphemeralPrivate}{\mathsf{esk}}
|
||||||
\newcommand{\TransmitPublic}{\mathsf{pk_{enc}}}
|
\newcommand{\TransmitPublic}{\mathsf{pk_{enc}}}
|
||||||
|
@ -122,7 +123,7 @@
|
||||||
\newcommand{\Value}{\mathsf{v}}
|
\newcommand{\Value}{\mathsf{v}}
|
||||||
|
|
||||||
% Coins
|
% Coins
|
||||||
\newcommand{\Coin}{\mathbf{c}}
|
\newcommand{\Coin}[1]{\mathbf{c}_{#1}}
|
||||||
\newcommand{\CoinCommitRand}{\mathsf{r}}
|
\newcommand{\CoinCommitRand}{\mathsf{r}}
|
||||||
\newcommand{\CoinCommitRandOld}[1]{\mathsf{r^{old}_\mathnormal{#1}}}
|
\newcommand{\CoinCommitRandOld}[1]{\mathsf{r^{old}_\mathnormal{#1}}}
|
||||||
\newcommand{\CoinCommitRandNew}[1]{\mathsf{r^{new}_\mathnormal{#1}}}
|
\newcommand{\CoinCommitRandNew}[1]{\mathsf{r^{new}_\mathnormal{#1}}}
|
||||||
|
@ -134,19 +135,30 @@
|
||||||
\newcommand{\TransmitPlaintextVersionByte}{\mathbf{0x00}}
|
\newcommand{\TransmitPlaintextVersionByte}{\mathbf{0x00}}
|
||||||
\newcommand{\hSigInputVersionByte}{\mathbf{0x00}}
|
\newcommand{\hSigInputVersionByte}{\mathbf{0x00}}
|
||||||
\newcommand{\Memo}{\mathsf{memo}}
|
\newcommand{\Memo}{\mathsf{memo}}
|
||||||
|
\newcommand{\CurveMultiply}{\mathsf{Curve25519}}
|
||||||
\newcommand{\CryptoBox}{\mathsf{crypto\_box}}
|
\newcommand{\CryptoBox}{\mathsf{crypto\_box}}
|
||||||
\newcommand{\CryptoBoxOpen}{\mathsf{crypto\_box\_open}}
|
\newcommand{\CryptoBoxOpen}{\mathsf{crypto\_box\_open}}
|
||||||
\newcommand{\CryptoBoxSeal}{\mathsf{crypto\_box\_seal}}
|
\newcommand{\CryptoBoxSeal}{\mathsf{crypto\_box\_seal}}
|
||||||
\newcommand{\CryptoBoxSpecific}{\mathsf{crypto\_box\_curve25519xsalsa20poly1305}}
|
\newcommand{\CryptoBoxSpecific}{\mathsf{crypto\_box\_curve25519xsalsa20poly1305}}
|
||||||
\newcommand{\Plaintext}[1]{\mathbf{P}^\enc_{#1}}
|
\newcommand{\DecryptCoin}{\mathtt{DecryptCoin}}
|
||||||
\newcommand{\AllegedPlaintext}[1]{\mathbf{P}^\alleged_{#1}}
|
\newcommand{\Plaintext}{\mathbf{P}}
|
||||||
\newcommand{\DisclosePlaintext}{\mathbf{P}^\disclose}
|
\newcommand{\Ciphertext}{\mathbf{C}}
|
||||||
\newcommand{\TransmitCiphertext}[1]{\mathbf{C}^\enc_{#1}}
|
\newcommand{\Key}{\mathsf{K}}
|
||||||
\newcommand{\DiscloseCiphertext}{\mathbf{C}^\disclose}
|
\newcommand{\TransmitPlaintext}[1]{\Plaintext^\enc_{#1}}
|
||||||
|
\newcommand{\TransmitCiphertext}[1]{\Ciphertext^\enc_{#1}}
|
||||||
|
\newcommand{\TransmitKey}[1]{\Key^\enc_{#1}}
|
||||||
|
\newcommand{\DiscloseCiphertext}[1]{\Ciphertext^\disclose_{#1}}
|
||||||
|
\newcommand{\SharedPlaintext}[1]{\Plaintext^\shared_{#1}}
|
||||||
|
\newcommand{\SharedCiphertext}{\Ciphertext^\shared}
|
||||||
|
\newcommand{\SharedKey}[1]{\Key^\shared_{#1}}
|
||||||
\newcommand{\Tag}[1]{\mathsf{tag}_{#1}}
|
\newcommand{\Tag}[1]{\mathsf{tag}_{#1}}
|
||||||
\newcommand{\Nonce}{\mathsf{nonce}}
|
\newcommand{\KDF}{\mathsf{KDF}}
|
||||||
\newcommand{\Prenonce}{\mathsf{prenonce}}
|
\newcommand{\Prenonce}{\mathsf{prenonce}}
|
||||||
\newcommand{\Encrypt}[1]{\mathsf{Encrypt}_{#1}}
|
\newcommand{\PkEncrypt}[1]{\mathsf{PkEncrypt}_{#1}}
|
||||||
|
\newcommand{\SymEncrypt}[1]{\mathsf{SymEncrypt}_{#1}}
|
||||||
|
\newcommand{\SymDecrypt}[1]{\mathsf{SymDecrypt}_{#1}}
|
||||||
|
\newcommand{\SymSpecific}{\mathsf{AEAD\_CHACHA20\_POLY1305}}
|
||||||
|
\newcommand{\Clamp}{\mathsf{clamp_{Curve25519}}}
|
||||||
\newcommand{\CRH}{\mathsf{CRH}}
|
\newcommand{\CRH}{\mathsf{CRH}}
|
||||||
\newcommand{\CRHbox}[1]{\CRH\left(\;\raisebox{-1.3ex}{\usebox{#1}}\;\right)}
|
\newcommand{\CRHbox}[1]{\CRH\left(\;\raisebox{-1.3ex}{\usebox{#1}}\;\right)}
|
||||||
\newcommand{\FullHash}{\mathtt{SHA256}}
|
\newcommand{\FullHash}{\mathtt{SHA256}}
|
||||||
|
@ -186,7 +198,8 @@
|
||||||
\newcommand{\commitments}{\mathtt{commitments}}
|
\newcommand{\commitments}{\mathtt{commitments}}
|
||||||
\newcommand{\ephemeralKey}{\mathtt{ephemeralKey}}
|
\newcommand{\ephemeralKey}{\mathtt{ephemeralKey}}
|
||||||
\newcommand{\encCiphertexts}{\mathtt{encCiphertexts}}
|
\newcommand{\encCiphertexts}{\mathtt{encCiphertexts}}
|
||||||
\newcommand{\discloseCiphertext}{\mathtt{discloseCiphertext}}
|
\newcommand{\discloseCiphertexts}{\mathtt{discloseCiphertexts}}
|
||||||
|
\newcommand{\sharedCiphertext}{\mathtt{sharedCiphertext}}
|
||||||
\newcommand{\rt}{\mathsf{rt}}
|
\newcommand{\rt}{\mathsf{rt}}
|
||||||
|
|
||||||
% pour
|
% pour
|
||||||
|
@ -210,6 +223,7 @@
|
||||||
\newcommand{\COMM}[1]{\mathsf{COMM}_{#1}}
|
\newcommand{\COMM}[1]{\mathsf{COMM}_{#1}}
|
||||||
\newcommand{\COMMtrapdoor}{\term{\textsf{COMM} trapdoor}}
|
\newcommand{\COMMtrapdoor}{\term{\textsf{COMM} trapdoor}}
|
||||||
\newcommand{\CoinCommitment}[1]{\mathtt{CoinCommitment}(#1)}
|
\newcommand{\CoinCommitment}[1]{\mathtt{CoinCommitment}(#1)}
|
||||||
|
\newcommand{\Receive}{\mathsf{Receive}}
|
||||||
|
|
||||||
|
|
||||||
\begin{document}
|
\begin{document}
|
||||||
|
@ -252,12 +266,14 @@ please contact \todo{address}. While the production \Zcash network has yet
|
||||||
to be launched, please feel free to do so in public even if you believe the
|
to be launched, please feel free to do so in public even if you believe the
|
||||||
mistake may indicate a security weakness.
|
mistake may indicate a security weakness.
|
||||||
|
|
||||||
\section{Concepts}
|
\section{Conventions}
|
||||||
|
|
||||||
\subsection{Integers, Bit Sequences, and Endianness}
|
\subsection{Integers, Bit Sequences, and Endianness}
|
||||||
|
|
||||||
All integers visible in \Zcash-specific encodings are unsigned, have a fixed
|
All integers visible in \Zcash-specific encodings are unsigned, have a fixed
|
||||||
bit length, and are encoded as big-endian.
|
bit length, and are encoded as big-endian (except in the definition of
|
||||||
|
$\SymSpecific$ \cite{rfc7539} which internally uses length fields encoded as
|
||||||
|
little-endian).
|
||||||
|
|
||||||
In bit layout diagrams, each box of the diagram represents a sequence of bits.
|
In bit layout diagrams, each box of the diagram represents a sequence of bits.
|
||||||
If the content of the box is a byte sequence, it is implicitly converted to
|
If the content of the box is a byte sequence, it is implicitly converted to
|
||||||
|
@ -297,13 +313,42 @@ ensuring that the functions are independent.
|
||||||
|
|
||||||
\newcommand{\iminusone}{\hspace{0.3pt}\scriptsize{$i$\hspace{0.6pt}-1}}
|
\newcommand{\iminusone}{\hspace{0.3pt}\scriptsize{$i$\hspace{0.6pt}-1}}
|
||||||
|
|
||||||
\newsavebox{\addrbox}
|
\newsavebox{\addrboxa}
|
||||||
\begin{lrbox}{\addrbox}
|
\begin{lrbox}{\addrboxa}
|
||||||
|
\setchanged
|
||||||
\begin{bytefield}[bitwidth=0.065em]{512}
|
\begin{bytefield}[bitwidth=0.065em]{512}
|
||||||
\bitbox{242}{256 bit $\AuthPrivate$} &
|
\bitbox{242}{256 bit $\AuthPrivate$} &
|
||||||
\bitbox{18}{0} &
|
\bitbox{18}{0} &
|
||||||
\bitbox{18}{0} &
|
\bitbox{18}{0} &
|
||||||
\bitbox{222}{$0^{254}$} &
|
\bitbox{186}{$0^{252}$} &
|
||||||
|
\bitbox{18}{0} &
|
||||||
|
\bitbox{18}{0} &
|
||||||
|
\end{bytefield}
|
||||||
|
\end{lrbox}
|
||||||
|
|
||||||
|
\newsavebox{\addrboxb}
|
||||||
|
\begin{lrbox}{\addrboxb}
|
||||||
|
\setchanged
|
||||||
|
\begin{bytefield}[bitwidth=0.065em]{512}
|
||||||
|
\bitbox{242}{256 bit $\DiscloseKey$} &
|
||||||
|
\bitbox{18}{0} &
|
||||||
|
\bitbox{18}{0} &
|
||||||
|
\bitbox{186}{$0^{252}$} &
|
||||||
|
\bitbox{18}{0} &
|
||||||
|
\bitbox{18}{1} &
|
||||||
|
\end{bytefield}
|
||||||
|
\end{lrbox}
|
||||||
|
|
||||||
|
\newsavebox{\addrboxc}
|
||||||
|
\begin{lrbox}{\addrboxc}
|
||||||
|
\setchanged
|
||||||
|
\begin{bytefield}[bitwidth=0.065em]{512}
|
||||||
|
\bitbox{242}{256 bit $\AuthPrivate$} &
|
||||||
|
\bitbox{18}{0} &
|
||||||
|
\bitbox{18}{0} &
|
||||||
|
\bitbox{186}{$0^{252}$} &
|
||||||
|
\bitbox{18}{1} &
|
||||||
|
\bitbox{18}{0} &
|
||||||
\end{bytefield}
|
\end{bytefield}
|
||||||
\end{lrbox}
|
\end{lrbox}
|
||||||
|
|
||||||
|
@ -345,7 +390,13 @@ need to be aware of how it is associated with this bit-packing.}
|
||||||
|
|
||||||
\begin{equation*}
|
\begin{equation*}
|
||||||
\begin{aligned}
|
\begin{aligned}
|
||||||
\AuthPublic &:= \PRFaddr{\AuthPrivate}(0) &= \CRHbox{\addrbox} \\
|
\setchanged \DiscloseKey &\setchanged := \PRFaddr{\AuthPrivate}(0)
|
||||||
|
&\setchanged = \CRHbox{\addrboxa} \\
|
||||||
|
\setchanged \AuthPublic &\setchanged := \PRFaddr{\DiscloseKey}(1)
|
||||||
|
&\setchanged = \CRHbox{\addrboxb} \\
|
||||||
|
\setchanged \TransmitPrivate' &\setchanged := \PRFaddr{\AuthPrivate}(2)
|
||||||
|
&\setchanged = \CRHbox{\addrboxc} \\
|
||||||
|
\setchanged \TransmitPrivate &\setchanged := \Clamp(\TransmitPrivate') & \\
|
||||||
\sn &:= \PRFsn{\AuthPrivate}(\CoinAddressRand) &= \CRHbox{\snbox} \\
|
\sn &:= \PRFsn{\AuthPrivate}(\CoinAddressRand) &= \CRHbox{\snbox} \\
|
||||||
\h{i} &:= \PRFpk{\AuthPrivate}(i, \hSig) &= \CRHbox{\pkbox} \\
|
\h{i} &:= \PRFpk{\AuthPrivate}(i, \hSig) &= \CRHbox{\pkbox} \\
|
||||||
\setchanged \CoinAddressRandNew{i} &\setchanged := \PRFrho{\CoinAddressPreRand}(i, \hSig)
|
\setchanged \CoinAddressRandNew{i} &\setchanged := \PRFrho{\CoinAddressPreRand}(i, \hSig)
|
||||||
|
@ -358,7 +409,7 @@ need to be aware of how it is associated with this bit-packing.}
|
||||||
|
|
||||||
\subsection{Payment Addresses, Viewing Keys, and Spending Keys}
|
\subsection{Payment Addresses, Viewing Keys, and Spending Keys}
|
||||||
|
|
||||||
A \keyTuple $(\SpendingKey, \changed{\ViewingKey, }\PaymentAddress)$ is
|
A \keyTuple $(\SpendingKey, \changed{\ViewingKey,\;} \PaymentAddress)$ is
|
||||||
generated by users who wish to receive payments under this scheme.
|
generated by users who wish to receive payments under this scheme.
|
||||||
\changed{The \viewingKey $\ViewingKey$ is derived from the \spendingKey
|
\changed{The \viewingKey $\ViewingKey$ is derived from the \spendingKey
|
||||||
$\SpendingKey$, and the \paymentAddress $\PaymentAddress$ is derived from
|
$\SpendingKey$, and the \paymentAddress $\PaymentAddress$ is derived from
|
||||||
|
@ -390,7 +441,26 @@ to:
|
||||||
\item obtain a \paymentAddress\changed{ or \viewingKey} from a \spendingKey.
|
\item obtain a \paymentAddress\changed{ or \viewingKey} from a \spendingKey.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
\todo{Describe derivations.}
|
Each key component, i.e. each of $\AuthPublic$, $\TransmitPublic$,
|
||||||
|
\changed{$\DiscloseKey$, }$\TransmitPrivate$, and $\AuthPrivate$, is a sequence of
|
||||||
|
32 bytes. \changed{$\AuthPublic$, $\DiscloseKey$, and $\TransmitPrivate$ are derived
|
||||||
|
as follows:}
|
||||||
|
|
||||||
|
\begin{equation*}
|
||||||
|
\begin{aligned}
|
||||||
|
\setchanged \DiscloseKey &\setchanged := \PRFaddr{\AuthPrivate}(0) & \hspace{30em} \\
|
||||||
|
\setchanged \AuthPublic &\setchanged := \PRFaddr{\DiscloseKey}(1) & \\
|
||||||
|
\setchanged \TransmitPrivate &\setchanged := \Clamp(\PRFaddr{\AuthPrivate}(2)) &
|
||||||
|
\end{aligned}
|
||||||
|
\end{equation*}
|
||||||
|
|
||||||
|
\changed{
|
||||||
|
$\Clamp$ performs the clamping of Curve25519 private key bits, and
|
||||||
|
$\CurveMultiply$ performs point multiplication, both as defined in \cite{Curve25519}.
|
||||||
|
|
||||||
|
Let $\TransmitPublic := \CurveMultiply(\TransmitPrivate)$, i.e. the public key
|
||||||
|
corresponding to the private key $\TransmitPrivate$.
|
||||||
|
}
|
||||||
|
|
||||||
Users can accept payment from multiple parties with a single
|
Users can accept payment from multiple parties with a single
|
||||||
$\PaymentAddress$ and the fact that these payments are destined to
|
$\PaymentAddress$ and the fact that these payments are destined to
|
||||||
|
@ -402,7 +472,7 @@ case that a payee wishes to prevent this they should create a distinct
|
||||||
|
|
||||||
\subsection{Coins}
|
\subsection{Coins}
|
||||||
|
|
||||||
A \coin (denoted $\Coin$) is a tuple $\changed{(\AuthPublic, \Value,
|
A \coin (denoted $\Coin{}$) is a tuple $\changed{(\AuthPublic, \Value,
|
||||||
\CoinAddressRand, \CoinCommitRand)}$ which represents that a value $\Value$ is
|
\CoinAddressRand, \CoinCommitRand)}$ which represents that a value $\Value$ is
|
||||||
spendable by the recipient who holds the $\authKeypair$ key pair
|
spendable by the recipient who holds the $\authKeypair$ key pair
|
||||||
$(\AuthPublic, \AuthPrivate)$ such that
|
$(\AuthPublic, \AuthPrivate)$ such that
|
||||||
|
@ -430,45 +500,30 @@ keys (to allow the \viewingKey holder to check whether the other encryptions
|
||||||
are valid).} All of these encryptions are combined to form a \coinsCiphertext.
|
are valid).} All of these encryptions are combined to form a \coinsCiphertext.
|
||||||
|
|
||||||
\changed{
|
\changed{
|
||||||
The encryption algorithm is defined in terms of $\CryptoBox$ (specifically,
|
Let $\SymEncrypt{\Key}(\Plaintext)$ be the $\SymSpecific$ encryption
|
||||||
$\CryptoBoxSpecific$) \cite{cryptobox} as follows.
|
\cite{rfc7539} of plaintext $\Plaintext$ with empty ``additional data",
|
||||||
|
empty nonce, and key $\Key$.
|
||||||
}
|
}
|
||||||
|
|
||||||
\newsavebox{\prenoncebox}
|
\newsavebox{\kdfbox}
|
||||||
\begin{lrbox}{\prenoncebox}
|
\begin{lrbox}{\kdfbox}
|
||||||
\setchanged
|
\setchanged
|
||||||
\begin{bytefield}[bitwidth=0.05em]{520}
|
\begin{bytefield}[bitwidth=0.032em]{832}
|
||||||
\bitbox{120}{64 bit $\Tag{i}$} &
|
\bitbox{256}{256 bit $\DHSecret{i}$} &
|
||||||
\bitbox{256}{256 bit $\EphemeralPublic$}
|
\bitbox{256}{256 bit $\EphemeralPublic$} &
|
||||||
\bitbox{256}{256 bit $\TransmitPublicNew{i}$}
|
\bitbox{256}{256 bit $\TransmitPublicNew{i}$} &
|
||||||
|
\bitbox{160}{8 bit $i-1$}
|
||||||
\end{bytefield}
|
\end{bytefield}
|
||||||
\end{lrbox}
|
\end{lrbox}
|
||||||
|
|
||||||
\newsavebox{\noncebox}
|
\newsavebox{\sharedbox}
|
||||||
\begin{lrbox}{\noncebox}
|
\begin{lrbox}{\sharedbox}
|
||||||
\setchanged
|
\setchanged
|
||||||
\begin{bytefield}[bitwidth=0.085em]{192}
|
\begin{bytefield}[bitwidth=0.045em]{768}
|
||||||
\bitbox{128}{$\Leading{128}(\Prenonce)$} &
|
\bitbox{256}{256 bit $\TransmitPublicNew{\mathrm{1}}$}
|
||||||
\bitbox{64}{64 bit $\Tag{i}$}
|
\bitbox{40}{...}
|
||||||
\end{bytefield}
|
\bitbox{256}{256 bit $\TransmitPublicNew{\NNew}$}
|
||||||
\end{lrbox}
|
\bitbox{256}{256 bit $\EphemeralPrivate$}
|
||||||
|
|
||||||
\newsavebox{\tagibox}
|
|
||||||
\begin{lrbox}{\tagibox}
|
|
||||||
\setchanged
|
|
||||||
\begin{bytefield}[bitwidth=0.09em]{64}
|
|
||||||
\bitbox{64}{64 bit $i-1$}
|
|
||||||
\end{bytefield}
|
|
||||||
\end{lrbox}
|
|
||||||
|
|
||||||
\newsavebox{\disclosebox}
|
|
||||||
\begin{lrbox}{\disclosebox}
|
|
||||||
\setchanged
|
|
||||||
\begin{bytefield}[bitwidth=0.05em]{768}
|
|
||||||
\bitbox{256}{256 bit $\EphemeralPrivate$}
|
|
||||||
\bitbox{256}{256 bit $\TransmitPublicNew{\mathrm{1}}$}
|
|
||||||
\bitbox{40}{...}
|
|
||||||
\bitbox{256}{256 bit $\TransmitPublicNew{\NNew}$}
|
|
||||||
\end{bytefield}
|
\end{bytefield}
|
||||||
\end{lrbox}
|
\end{lrbox}
|
||||||
|
|
||||||
|
@ -481,10 +536,8 @@ and let $\Plaintext{1..\NNew}$ be the \coinPlaintexts.
|
||||||
Define:
|
Define:
|
||||||
\begin{equation*}
|
\begin{equation*}
|
||||||
\begin{aligned}
|
\begin{aligned}
|
||||||
\Prenonce(\Tag{i}, \EphemeralPublic, \TransmitPublicNew{i}) &:= \FullHashbox{\prenoncebox} \\
|
\KDF(\DHSecret{i}, \EphemeralPublic, \TransmitPublicNew{i}, i) &:= \FullHashbox{\kdfbox} \\
|
||||||
\Nonce(\Tag{i}, \EphemeralPublic, \TransmitPublicNew{i}) &:= \Justthebox{\noncebox} \\
|
\SharedPlaintext{} &:= \Justthebox{\sharedbox}
|
||||||
\Tag{i} &:= \Justthebox{\tagibox} \\
|
|
||||||
\DisclosePlaintext &:= \Justthebox{\disclosebox}
|
|
||||||
\end{aligned}
|
\end{aligned}
|
||||||
\end{equation*}
|
\end{equation*}
|
||||||
}
|
}
|
||||||
|
@ -495,28 +548,57 @@ Then to encrypt:
|
||||||
\changed{
|
\changed{
|
||||||
\item Generate a new Curve25519 (public, private) key pair:
|
\item Generate a new Curve25519 (public, private) key pair:
|
||||||
$(\EphemeralPublic, \EphemeralPrivate)$.
|
$(\EphemeralPublic, \EphemeralPrivate)$.
|
||||||
\item For $i$ in $\{1..\NNew\}$, let $\TransmitCiphertext{i} =
|
\item For $i$ in $\{1..\NNew\}$,
|
||||||
\CryptoBox(\Plaintext{i}, \TransmitPublicNew{i}, \EphemeralPrivate,
|
\begin{itemize}
|
||||||
\Nonce(\Tag{i}, \EphemeralPublic, \TransmitPublicNew{i}))$
|
\item Let $\DHSecret{i} := \CurveMultiply(\TransmitPublicNew{i},
|
||||||
\item Let $\DiscloseCiphertext = ???_{\DiscloseKey}(\DisclosePlaintext)$
|
\EphemeralPrivate)$.
|
||||||
|
\item Let $\TransmitKey{i} := \KDF(\DHSecret{i}, \EphemeralPublic,
|
||||||
|
\TransmitPublicNew{i}, i)$.
|
||||||
|
\item Let $\TransmitCiphertext{i} := \SymEncrypt{\TransmitKey{i}}(\TransmitPlaintext{i})$.
|
||||||
|
\end{itemize}
|
||||||
|
\item Let $\SharedKey{} := ...$.
|
||||||
|
\item Let $\SharedCiphertext := \SymEncrypt{\SharedKey{}}(\SharedPlaintext{})$.
|
||||||
|
\item For $i$ in $\{1..\NOld\}$,
|
||||||
|
\begin{itemize}
|
||||||
|
\item Let $\DiscloseCiphertext{i} := \SymEncrypt{\DiscloseKey{i}}(\SharedKey{})$.
|
||||||
|
\end{itemize}
|
||||||
}
|
}
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
The resulting \coinsCiphertext is $\changed{(\TransmitPublic,}\;
|
The resulting \coinsCiphertext is $\changed{(\EphemeralPublic,
|
||||||
\TransmitCiphertext{\mathrm{1}..\NNew}\changed{, \DiscloseCiphertext)}$.
|
\TransmitCiphertext{\mathrm{1}..\NNew}, \DiscloseCiphertext{\mathrm{1}..\NOld},
|
||||||
|
\SharedCiphertext)}$.
|
||||||
|
|
||||||
Let $(\TransmitPublic, \TransmitPrivate)$ be the recipient's \changed{Curve25519}
|
Let $(\TransmitPublic, \TransmitPrivate)$ be the recipient's \changed{Curve25519}
|
||||||
(public, private) key pair. Then for each $i$ in $\{1..\NNew\}$, the recipient
|
(public, private) key pair, and let $\cmNew{\mathrm{1}..\NNew}$ be the coin
|
||||||
|
commitments of each output coin. Then for each $i$ in $\{1..\NNew\}$, the recipient
|
||||||
will attempt to decrypt that ciphertext component as follows:
|
will attempt to decrypt that ciphertext component as follows:
|
||||||
|
|
||||||
\begin{itemize}
|
|
||||||
\changed{
|
\changed{
|
||||||
\item $\AllegedPlaintext{i} := \CryptoBoxOpen(\TransmitCiphertext{i},
|
\begin{itemize}
|
||||||
\EphemeralPublic, \TransmitPrivate, \Nonce(\Tag{i}, \EphemeralPublic, \TransmitPublic))$
|
\item Let $\DHSecret{i} := \CurveMultiply(\EphemeralPublic, \TransmitPrivate)$.
|
||||||
\item \todo{validation}
|
\item Return $\DecryptCoin(\DHSecret{i}, \EphemeralPublic, \TransmitPublicNew{i}, i,
|
||||||
}
|
\TransmitCiphertext{i}, \cmNew{i}).$
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
|
$\DecryptCoin(\DHSecret{i}, \EphemeralPublic, \TransmitPublicNew{i}, i,
|
||||||
|
\TransmitCiphertext{i}, \cmNew{i})$ is defined as follows:
|
||||||
|
|
||||||
|
\begin{itemize}
|
||||||
|
\item Let $\TransmitKey{i} := \KDF(\DHSecret{i}, \EphemeralPublic,
|
||||||
|
\TransmitPublicNew{i}, i)$.
|
||||||
|
\item Let $\TransmitPlaintext{i} := \SymDecrypt{\TransmitKey{i}}(\TransmitCiphertext{i})$.
|
||||||
|
\item If $\TransmitPlaintext{i} = \bot$, return $\bot$.
|
||||||
|
\item Extract $\Coin{i} := (\AuthPublic, \Value, \CoinAddressRand, \CoinCommitRand)$
|
||||||
|
and $\Memo_{i}$ from $\TransmitPlaintext{i}$.
|
||||||
|
\item If $\CoinCommitment{\Coin{i}} \neq \cmNew{i}$, return $\bot$, else
|
||||||
|
return ($\Coin{i}, \Memo_{i})$.
|
||||||
|
\end{itemize}
|
||||||
|
}
|
||||||
|
|
||||||
|
Note that this corresponds to step 3 (b) i. and ii. (first bullet point) of the
|
||||||
|
$\Receive$ algorithm shown in Figure 2 of \cite{ZerocashOakland}.
|
||||||
|
|
||||||
To test whether a \coin is unspent in a particular \blockchainview also requires
|
To test whether a \coin is unspent in a particular \blockchainview also requires
|
||||||
the \authKeypair private key $\AuthPrivate$; the coin is unspent if and only if
|
the \authKeypair private key $\AuthPrivate$; the coin is unspent if and only if
|
||||||
$\sn = \PRFsn{\AuthPrivate}(\CoinAddressRand)$ is not in the \spentSerials
|
$\sn = \PRFsn{\AuthPrivate}(\CoinAddressRand)$ is not in the \spentSerials
|
||||||
|
@ -528,32 +610,47 @@ the transaction in which a coin was output to no longer be on the consensus
|
||||||
blockchain.
|
blockchain.
|
||||||
|
|
||||||
\changed{
|
\changed{
|
||||||
Similarly, let $\DiscloseKey$ be a \viewingKey holder's \discloseKey.
|
Let $\DiscloseKey{}$ be a \viewingKey holder's \discloseKey.
|
||||||
Then for each \PourDescription in its \blockchainview, the \viewingKey holder
|
Then for each \PourDescription in its \blockchainview, the \viewingKey holder
|
||||||
will attempt to decrypt the corresponding \coinsCiphertext as follows:
|
will attempt to decrypt the corresponding \coinsCiphertext as follows:
|
||||||
}
|
}
|
||||||
|
|
||||||
\begin{itemize}
|
|
||||||
\changed{
|
\changed{
|
||||||
\item Let $\DisclosePlaintext := ???_{\DiscloseKey}(\DiscloseCiphertext)$
|
\begin{enumerate}
|
||||||
\item Extract $\EphemeralPrivate$ and $\TransmitPublicNew{\mathrm{1}..\NNew}$
|
\item Set $\SharedPlaintext{} := \bot$.
|
||||||
from $\DisclosePlaintext$.
|
|
||||||
\item For $i$ in $\{1..\NNew\}$,
|
\item For $i$ in $\{1..\NNew\}$,
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item let $\AllegedPlaintext{i} :=
|
\item Let $\SharedKey{i} := \SymDecrypt{\DiscloseKey{}}(\DiscloseCiphertext{i}, \Tag{i})$.
|
||||||
\CryptoBoxOpen(\TransmitCiphertext{i}, \EphemeralPrivate,
|
\item If $\SharedKey{i} = \bot$ then continue with the next $i$.
|
||||||
\TransmitPublicNew{i}, \Nonce(\Tag{i}, \EphemeralPublic, \TransmitPublicNew{i}))$
|
\item Let $\SharedPlaintext{i} := \SymDecrypt{\SharedKey{i}}(\SharedCiphertext)$.
|
||||||
\item \todo{validation}
|
\item If $\SharedPlaintext{i} = \bot$ then continue with the next $i$.
|
||||||
|
\item Set $\SharedPlaintext{} := \SharedPlaintext{i}$ and exit the loop.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
\item If $\SharedPlaintext{} = \bot$ (i.e. it was not set in the loop), then this
|
||||||
|
transaction does not contain any information decryptable by the \viewingKey; return $\bot$.
|
||||||
|
\item Extract $\TransmitPublicNew{\mathrm{1}..\NNew}$ and $\EphemeralPrivate$
|
||||||
|
from $\SharedPlaintext{}$.
|
||||||
|
\item For $i$ in $\{1..\NNew\}$,
|
||||||
|
\begin{itemize}
|
||||||
|
\item Let $\DHSecret{i} := \CurveMultiply(\TransmitPublicNew{i}, \EphemeralPrivate)$.
|
||||||
|
\item Let $\Coin{i} := \DecryptCoin(\DHSecret{i}, \EphemeralPublic,
|
||||||
|
\TransmitPublicNew{i}, i, \TransmitCiphertext{i}, \cmNew{i}).$
|
||||||
|
\end{itemize}
|
||||||
|
\item Return ($\Coin{\mathrm{1}..\NNew}, \Memo_{\mathrm{1}..\NNew})$.
|
||||||
|
\end{enumerate}
|
||||||
}
|
}
|
||||||
\end{itemize}
|
|
||||||
|
|
||||||
Any ciphertext components that fail to decrypt \MUST be ignored. Once a component
|
If a party holds more than one \viewingKey, it may optimize the above
|
||||||
has been decrypted, it \MUST be validated as described in section ``Coin Commitments''.
|
procedure by performing the loop in step 2 for the $\DiscloseKey{}$ of each
|
||||||
|
\viewingKey. It may be assumed that the first $\SharedPlaintext{i}$ that
|
||||||
|
decrypts correctly is the one that should be used in step 4 onward.
|
||||||
|
(However, additional information is provided by which \viewingKey was able
|
||||||
|
to decrypt each $\DiscloseCiphertext{i}$.)
|
||||||
|
|
||||||
\changed{
|
\changed{
|
||||||
This is based loosely on the $\CryptoBoxSeal$ algorithm defined in libsodium
|
The public key encryption used in this part of the protocol is based loosely on
|
||||||
\cite{cryptoboxseal}, but with the following differences:
|
the $\CryptoBoxSeal$ algorithm defined in libsodium \cite{cryptoboxseal}, but
|
||||||
|
with the following differences:
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item The same ephemeral key is used for all encryptions to the recipient keys
|
\item The same ephemeral key is used for all encryptions to the recipient keys
|
||||||
in a given \PourDescription.
|
in a given \PourDescription.
|
||||||
|
@ -565,12 +662,13 @@ This is based loosely on the $\CryptoBoxSeal$ algorithm defined in libsodium
|
||||||
of $\mathsf{blake2b}$.
|
of $\mathsf{blake2b}$.
|
||||||
\item The ephemeral secret $\EphemeralPrivate$ is included together with
|
\item The ephemeral secret $\EphemeralPrivate$ is included together with
|
||||||
the \transmitKeypair public keys of the recipients, encrypted to the
|
the \transmitKeypair public keys of the recipients, encrypted to the
|
||||||
\discloseKey. This allows a \viewingKey holder to decrypt
|
\discloseKey. This allows a \viewingKey holder to check whether the
|
||||||
and validate these ciphertexts (if the sender constructs the \PourDescription
|
indicated recipients would be able to decrypt a given component, and
|
||||||
honestly). It also ensures (without assuming honesty of the sender) that if
|
if so to decrypt the memo field. (We do not rely on this to ensure
|
||||||
the \viewingKey holder can decrypt a given component, then the indicated
|
that a \viewingKey holder can decrypt the other components of the
|
||||||
recipient also has enough information to decrypt it and will receive the
|
output coins; instead, those are symmetrically encrypted to the
|
||||||
same \coinPlaintext.
|
\viewingKey and the correctness of this encryption is checked by the
|
||||||
|
\PourCircuit.)
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -746,10 +844,13 @@ $\cmNew{\mathrm{1}..\NNew}$.
|
||||||
\item $\encCiphertexts$ which is a $\NNew$ size sequence of ciphertext
|
\item $\encCiphertexts$ which is a $\NNew$ size sequence of ciphertext
|
||||||
components, $\TransmitCiphertext{\mathrm{1}..\NNew}$.
|
components, $\TransmitCiphertext{\mathrm{1}..\NNew}$.
|
||||||
|
|
||||||
\item $\discloseCiphertext$ which is the ciphertext component
|
\item $\discloseCiphertexts$ which is a $\NOld$ size sequence of ciphertext
|
||||||
$\DiscloseCiphertext$.
|
components, $\DiscloseCiphertext{\mathrm{1}..\NOld}$.
|
||||||
|
|
||||||
(The preceding three fields together form the \coinsCiphertext.)
|
\item $\sharedCiphertext$ which is the ciphertext component
|
||||||
|
$\SharedCiphertext$.
|
||||||
|
|
||||||
|
(The preceding four fields together form the \coinsCiphertext.)
|
||||||
}
|
}
|
||||||
|
|
||||||
\item $\vmacs$ which is a $\NOld$ size sequence of message authentication tags
|
\item $\vmacs$ which is a $\NOld$ size sequence of message authentication tags
|
||||||
|
|
|
@ -54,3 +54,11 @@
|
||||||
note={DOI: 10.6028/NIST.FIPS.180-4},
|
note={DOI: 10.6028/NIST.FIPS.180-4},
|
||||||
howpublished={\url{http://csrc.nist.gov/publications/PubsFIPS.html#180-4}}
|
howpublished={\url{http://csrc.nist.gov/publications/PubsFIPS.html#180-4}}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@misc{rfc7539,
|
||||||
|
author={Yoav Nir and Adam Langley},
|
||||||
|
title={Request for {C}omments 7539: Cha{C}ha20 and {P}oly1305 for {IETF} {P}rotocols},
|
||||||
|
howpublished={Internet Research Task Force (IRTF).
|
||||||
|
\url{https://tools.ietf.org/html/rfc7539}. As modified by verified
|
||||||
|
errata at \url{https://www.rfc-editor.org/errata_search.php?rfc=7539}}
|
||||||
|
}
|
||||||
|
|