mirror of https://github.com/zcash/zips.git
Cosmetics.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent 8364aff29c
commit 4d1cb63baf
@ -5797,7 +5797,7 @@ $\BlakeTwobOf{256}{p, x}$ is defined in \crossref{concreteblake2}.
\securityrequirement{
$\LEOStoIPOf{256}{\BlakeTwosOf{256}{\ascii{Zcashivk}, x}} \bmod 2^{\InViewingKeyLength}$
must be \collisionResistant on a $64$-byte input $x$. Note that this
does not follow from collision-resistance of $\BlakeTwos{256}$
does not follow from \collisionResistance of $\BlakeTwos{256}$
(and the best possible concrete security is that of a $251$-bit hash
rather than a $256$-bit hash), but it is a reasonable assumption
given the design, structure, and cryptanalysis to date of $\BlakeTwosGeneric$.
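Review bot: in the parenthetical "the best possible concrete security is that of a $251$-bit hash", the literal $251$ evidently mirrors the $\bmod 2^{\InViewingKeyLength}$ reduction stated three lines earlier; writing it as `$\InViewingKeyLength$-bit` would keep the two in sync if the length constant ever changes. The switch to the `\collisionResistance` macro is consistent with `\collisionResistant` already used in the same requirement.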
@ -9593,7 +9593,7 @@ Least Authority, Mary Maller, and Kudelski Security.
The Faerie Gold attack was found by Zooko Wilcox; subsequent analysis
of variations on the attack was performed by Daira Hopwood and Sean Bowe.
The internal hash collision attack was found by Taylor Hornby.
The error in the \Zerocash proof of Balance relating to collision-resistance
The error in the \Zerocash proof of Balance relating to \collisionResistance
of $\PRFaddr{}$ was found by Daira Hopwood.
The errors in the proof of Ledger Indistinguishability mentioned in
\crossref{truncation} were also found by Daira Hopwood.
@ -10783,6 +10783,8 @@ and so it is only necessary to allocate separate variables for the $\Pi_m$
such that $m < n-1$ and $c_m = 1$. Furthermore if $c_{\barerange{n-2}{0}}$ has
$t > 0$ trailing $1$ bits, then we do not need to allocate variables for
$\Pi_{\barerange{0}{t-1}}$ because those variables will not be used below.
\introlist
More explicitly:
Let $\Pi_{n-1} = a_{n-1}$.
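Review bot: "because those variables will not be used below" would be clearer with the reason spelled out. Every index below $t$ has $c_i = 1$, so the product constraints $\constraint{\Pi_{i+1}}{a_i}{\Pi_i}$, which run only down to $i = t$, never produce a $\Pi_i$ with $i < t$, and the $c_i = 0$ constraints that reference $\Pi_{i+1}$ never apply at those indices. Suggest appending that half-sentence after "used below" so the reader does not have to reconstruct it from the two loops.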
@ -10793,9 +10795,9 @@ For $i \from n-2 \downto t$,
\item if $c_i = 1$, then constrain $\constraint{\Pi_{i+1}}{a_i}{\Pi_i}$.
\end{itemize}
\introlist
Then we constrain the $a_i$ as follows:
\introlist
For $i \from n-1 \downto 0$,
\begin{itemize}
\item if $c_i = 0$, constrain $\constraint{1 - \Pi_{i+1} - a_i}{a_i}{0}$;
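Review bot: the second loop starts at $i = n-1$ and its $c_i = 0$ branch references $\Pi_{i+1}$, so at $i = n-1$ it would reference $\Pi_n$, which is never defined (only $\Pi_{n-1} = a_{n-1}$ is). That is harmless if $c_{n-1} = 1$ is assumed, as it is whenever $n$ is the bit length of $c$, but the assumption should be stated next to the definition of $n$; otherwise start this loop at $n-2$ and treat $i = n-1$ separately.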
@ -10865,6 +10867,7 @@ The algorithm in \crossref{ccteddecompressvalidate} uses range checks with
$c = \ParamS{r}-1$ to validate compressed Edwards points. In that case $n = 255$ and
$k = 132$, so the cost of each such range check is $387$ constraints.
\introsection
\nnote{It is possible to optimize the computation of $\Pi_{\barerange{t}{n-2}}$ further.
Notice that $\Pi_m$ is only used when $m$ is the index of the last bit of a
run of $1$ bits in $c$. So for each run of $N$ $1$ bits, it is sufficient to compute
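Review bot: in the new note, "the index of the last bit of a run of $1$ bits" is ambiguous because the loops index bits from $n-1$ down to $0$. The place where $\Pi_m$ must exist as an allocated variable is the $c_i = 0$ constraint at $i = m-1$, which references $\Pi_{i+1}$, so the bit meant is the lowest-index bit of the run, the one immediately followed by a $0$ bit; suggest saying "lowest-index bit" (or "the bit followed by a $0$") rather than "last bit".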