mirror of https://github.com/zcash/zips.git
In \crossref{internalh}, add a security argument for why the SHA-256-based commitment scheme
NoteCommit^Sprout is binding and hiding, under reasonable assumptions about SHA256Compress. Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood
parent
0cdab5071b
commit
4ef578706b
|
|
@ -237,6 +237,7 @@
|
|||
\def\tempstring{#1}%
|
||||
\xStrSubstitute{\tempstring}{MAEA2010}{MÁEÁ2010}[\tempstring]%
|
||||
\xStrSubstitute{\tempstring}{Hisil2010}{Hı\cedilla{s}ıl2010}[\tempstring]%
|
||||
\xStrSubstitute{\tempstring}{Damgard1989}{Damgård1989}[\tempstring]%
|
||||
\tempstring
|
||||
\restoreexpandmode
|
||||
}
|
||||
|
|
@ -1543,6 +1544,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\NoteCommitGenTrapdoor}[1]{\NoteCommitAlg{#1}\mathsf{.GenTrapdoor}}
|
||||
\newcommand{\NoteCommitInput}[1]{\NoteCommitAlg{#1}\mathsf{.Input}}
|
||||
\newcommand{\NoteCommitOutput}[1]{\NoteCommitAlg{#1}\mathsf{.Output}}
|
||||
\newcommand{\CommitPrimeAlg}{\mathsf{COMM}'}
|
||||
\newcommand{\CommitPrime}[1]{\CommitPrimeAlg_{#1}}
|
||||
\newcommand{\ValueCommitAlg}[1]{\mathsf{ValueCommit}^\mathsf{#1\kern-0.1em}}
|
||||
\newcommand{\ValueCommit}[2]{\ValueCommitAlg{#1}_{#2}}
|
||||
\newcommand{\ValueCommitTrapdoor}[1]{\ValueCommitAlg{#1}\mathsf{.Trapdoor}}
|
||||
|
|
@ -14096,6 +14099,26 @@ A side benefit is that this reduces the cost of computing the
|
|||
evaluations needed to compute each \noteCommitment from three to two,
|
||||
saving a total of four \shaCompress evaluations in the \joinSplitStatement.
|
||||
|
||||
\sproutspecificpnote{
|
||||
The full \shaHash algorithm is used for $\NoteCommitAlg{Sprout}$, with randomness
|
||||
appended after the commitment input. The commitment input can be split into two
|
||||
blocks, call them $x$ of length $64$ bytes, and $y$ of the remaining length ($9$ bytes).
|
||||
Let $\CommitPrime{r}(z \typecolon \byteseq{41})$ be the \commitmentScheme that applies
|
||||
$\SHACompress$ with the first $32$ bytes of $z$ in the IV, and the rest of $z$
|
||||
($9$ bytes), the randomness $r$ ($32$ bytes), and padding up to $64$ bytes in the
|
||||
$\SHACompress$ input block. Then we have
|
||||
$\NoteCommit{Sprout}{r}(x \bconcat y) = \CommitPrime{r}(\SHACompress(x) \bconcat y)$.
|
||||
Suppose we make the reasonable assumption that $\CommitPrimeAlg$ is a computationally
|
||||
\binding and \hiding \commitmentScheme. If $\SHACompress$ is \collisionResistant with
|
||||
the standard IV\footnote{If $\SHACompress$ is not \collisionResistant with the
|
||||
standard IV, then \shaHash is not \collisionResistant for a $2$-block input.}, then
|
||||
$\NoteCommitAlg{Sprout}$ is as secure for \binding as $\CommitPrimeAlg$. Also
|
||||
$\NoteCommitAlg{Sprout}$ is as secure for \hiding as $\CommitPrimeAlg$ (without
|
||||
any assumption on $\SHACompress$). This effectively rules out potential concerns
|
||||
about the Merkle--Damgård structure \cite{Damgard1989} of \shaHash causing any
|
||||
security problem for $\NoteCommitAlg{Sprout}$.
|
||||
} %sproutspecificpnote
|
||||
|
||||
\sproutspecificpnote{
|
||||
\Sprout \noteCommitments are not statistically \hiding, so for \Sprout notes,
|
||||
\Zcash does not support the ``everlasting anonymity'' property described in
|
||||
|
|
@ -14524,6 +14547,9 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\begin{itemize}
|
||||
\item In \crossref{joinsplit}, clarify that balance for \joinSplitTransfers is enforced
|
||||
by the \joinSplitStatement, and that there is no consensus rule to check it directly.
|
||||
\item In \crossref{internalh}, add a security argument for why the \shaHash-based
|
||||
\commitmentScheme $\NoteCommitAlg{Sprout}$ is \binding and \hiding, under reasonable
|
||||
assumptions about $\SHACompress$.
|
||||
\end{itemize}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -473,6 +473,26 @@ Received March~20, 2012.}
|
|||
urldate={2021-03-08}
|
||||
}
|
||||
|
||||
@inproceedings{Damgard1989,
|
||||
presort={Damgard1989},
|
||||
shorthand={Damgård1989},
|
||||
author={Ivan Damgård},
|
||||
title={A Design Principle for Hash Functions},
|
||||
date={1990}, % publication year
|
||||
booktitle={Advances in Cryptology - CRYPTO~'89.
|
||||
Proceedings of the 9th Annual International Cryptology Conference
|
||||
(Santa Barbara, California, USA, August~20--24, 1989)},
|
||||
volume={435},
|
||||
series={Lecture Notes in Computer Science},
|
||||
editor={Giles Brassard},
|
||||
pages={416--427},
|
||||
publisher={Springer},
|
||||
isbn={978-0-387-34805-6},
|
||||
doi={10.1007/0-387-34805-0_39},
|
||||
url={https://link.springer.com/chapter/10.1007/0-387-34805-0_39},
|
||||
urldate={2022-01-19}
|
||||
}
|
||||
|
||||
@misc{NIST2016,
|
||||
presort={NIST2016},
|
||||
author={NIST},
|
||||
|
|
|
|||
Loading…
Reference in New Issue