ZIP 316: Reduce the minimum `F4Jumble^{-1}` input length to 38 bytes,

allowing a bare Transparent P2PKH Receiver to be encoded as a Revision 1 UA. Signed-off-by: Daira-Emma Hopwood <daira@jacaranda.org>
2024-06-04 19:11:50 +01:00 · 2024-06-04 19:11:50 +01:00 · 3e2df48f80
parent dfd3ddde28
commit 3e2df48f80
1 changed files with 24 additions and 17 deletions
--- a/zip-0316.rst
+++ b/zip-0316.rst
@ -1108,7 +1108,7 @@ zero bytes, to the raw encoding, then applies :math:`\mathsf{F4Jumble}`
 before encoding the result with Bech32m.

 The Consumer rejects any Bech32m-decoded byte sequence that is less than
-40 bytes or greater than :math:`\ell^\mathsf{MAX}_M` bytes; otherwise it
+38 bytes or greater than :math:`\ell^\mathsf{MAX}_M` bytes; otherwise it
 applies :math:`\mathsf{F4Jumble}^{-1}.` It rejects any result that does
 not end in the expected 16-byte padding, before stripping these 16 bytes
 and parsing the result.
@ -1116,11 +1116,15 @@ and parsing the result.
 Rationale for length restrictions
 '''''''''''''''''''''''''''''''''

-A minimum input length to :math:`\mathsf{F4Jumble}^{-1}` of 40 bytes
-allows for the minimum size of a UA/UVK Item encoding to be 24 bytes
+.. raw:: html
+
+   <details>
+   <summary>Click to show/hide</summary>
+
+A minimum input length to :math:`\mathsf{F4Jumble}^{-1}` of 38 bytes
+allows for the minimum size of a UA/UVK Item encoding to be 22 bytes
 including the typecode and length, taking into account 16 bytes of padding.
-This allows for a UA containing only a Transparent P2PKH Receiver and any
-Metadata Item:
+This allows for a UA containing only a Transparent P2PKH Receiver:

 * Transparent P2PKH Receiver Item:

@ -1128,23 +1132,26 @@ Metadata Item:
  * 1-byte encoding of length
  * 20-byte transparent address hash

-* Metadata Item:
-
-  * 1-byte typecode
-  * 1-byte encoding of length
-  * metadata encoding, potentially 0-length for future Metadata Items
-
 :math:`\ell^\mathsf{MAX}_M` bytes is the largest input/output size
 supported by :math:`\mathsf{F4Jumble}.`

+Allowing only a Transparent P2PKH Receiver is consistent with dropping
+the requirement to have at least one shielded Item in Revision 1 UA/UVKs
+(`see rationale <#rationale-for-dropping-the-at-least-one-shielded-item-restriction>`_).
+
 Note that Revision 0 of this ZIP specified a minimum input length to
 :math:`\mathsf{F4Jumble}^{-1}` of 48 bytes. Since there were no sets
 of UA/UVK Item Encodings valid in Revision 0 to which a byte sequence
-of length between 40 and 47 bytes inclusive could be parsed, the
-difference between the 40 and 48-byte restrictions is not observable,
-other than potentially affecting which error is reported. A Consumer
-supporting Revision 1 of this specification MAY therefore apply either
-the 48-byte or 40-byte minimum to Revision 0 UA/UVKs.
+(after removal of the 16-byte padding) of length between 22 and 31 bytes
+inclusive could be parsed, the difference between the 38 and 48-byte
+restrictions is not observable, other than potentially affecting which
+error is reported. A Consumer supporting Revision 1 of this specification
+MAY therefore apply either the 48-byte or 38-byte minimum to Revision 0
+UA/UVKs.
+
+.. raw:: html
+
+   </details>

 Heuristic analysis
 ''''''''''''''''''
@ -1186,7 +1193,7 @@ A 4-round Feistel thwarts this and similar attacks. Defining :math:`x` and
 * if :math:`x' \neq x` and :math:`y' \neq y,` all four pieces are
  randomized.

-Note that the size of each piece is at least 20 bytes.
+Note that the size of each piece is at least 19 bytes.

 It would be possible to make an attack more expensive by making the work
 done by a Producer more expensive. (This wouldn't necessarily have to