In \crossref{internalh}, add a security argument for why the SHA-256-based commitment scheme

NoteCommit^Sprout is binding and hiding, under reasonable assumptions about SHA256Compress.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2022-01-19 17:58:40 +00:00
parent 0cdab5071b
commit 4ef578706b
2 changed files with 46 additions and 0 deletions


@ -237,6 +237,7 @@
\def\tempstring{#1}% \def\tempstring{#1}%
\xStrSubstitute{\tempstring}{MAEA2010}{MÁEÁ2010}[\tempstring]% \xStrSubstitute{\tempstring}{MAEA2010}{MÁEÁ2010}[\tempstring]%
\xStrSubstitute{\tempstring}{Hisil2010}{Hı\cedilla{s}ıl2010}[\tempstring]% \xStrSubstitute{\tempstring}{Hisil2010}{Hı\cedilla{s}ıl2010}[\tempstring]%
\xStrSubstitute{\tempstring}{Damgard1989}{Damgård1989}[\tempstring]%
\tempstring \tempstring
\restoreexpandmode \restoreexpandmode
} }
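Review bot: The substitution target `Damgård1989` in the new `\xStrSubstitute` line has to agree byte-for-byte with the `shorthand={Damgård1989}` field of the bib entry this commit adds, or the rendered citation will fall back to the unsubstituted key; it follows the same pattern as the neighbouring `MÁEÁ2010` and `Hı\cedilla{s}ıl2010` lines, so this looks right, but a build check that the citation actually renders with the `å` is worthwhile given the non-ASCII character.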
@ -1543,6 +1544,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\NoteCommitGenTrapdoor}[1]{\NoteCommitAlg{#1}\mathsf{.GenTrapdoor}} \newcommand{\NoteCommitGenTrapdoor}[1]{\NoteCommitAlg{#1}\mathsf{.GenTrapdoor}}
\newcommand{\NoteCommitInput}[1]{\NoteCommitAlg{#1}\mathsf{.Input}} \newcommand{\NoteCommitInput}[1]{\NoteCommitAlg{#1}\mathsf{.Input}}
\newcommand{\NoteCommitOutput}[1]{\NoteCommitAlg{#1}\mathsf{.Output}} \newcommand{\NoteCommitOutput}[1]{\NoteCommitAlg{#1}\mathsf{.Output}}
\newcommand{\CommitPrimeAlg}{\mathsf{COMM}'}
\newcommand{\CommitPrime}[1]{\CommitPrimeAlg_{#1}}
\newcommand{\ValueCommitAlg}[1]{\mathsf{ValueCommit}^\mathsf{#1\kern-0.1em}} \newcommand{\ValueCommitAlg}[1]{\mathsf{ValueCommit}^\mathsf{#1\kern-0.1em}}
\newcommand{\ValueCommit}[2]{\ValueCommitAlg{#1}_{#2}} \newcommand{\ValueCommit}[2]{\ValueCommitAlg{#1}_{#2}}
\newcommand{\ValueCommitTrapdoor}[1]{\ValueCommitAlg{#1}\mathsf{.Trapdoor}} \newcommand{\ValueCommitTrapdoor}[1]{\ValueCommitAlg{#1}\mathsf{.Trapdoor}}
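Review bot: `\CommitPrimeAlg` and `\CommitPrime` carry no comment saying what $\mathsf{COMM}'$ is, unlike the surrounding `\NoteCommit*` and `\ValueCommit*` families whose names are self-describing; suggest a short `%` comment on `\newcommand{\CommitPrimeAlg}{\mathsf{COMM}'}` noting that it is the helper commitment scheme used only in the `internalh` security argument, so that a reader of the macro block does not have to search the body to find out.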
@ -14096,6 +14099,26 @@ A side benefit is that this reduces the cost of computing the
evaluations needed to compute each \noteCommitment from three to two, evaluations needed to compute each \noteCommitment from three to two,
saving a total of four \shaCompress evaluations in the \joinSplitStatement. saving a total of four \shaCompress evaluations in the \joinSplitStatement.
\sproutspecificpnote{
The full \shaHash algorithm is used for $\NoteCommitAlg{Sprout}$, with randomness
appended after the commitment input. The commitment input can be split into two
blocks, call them $x$ of length $64$ bytes, and $y$ of the remaining length ($9$ bytes).
Let $\CommitPrime{r}(z \typecolon \byteseq{41})$ be the \commitmentScheme that applies
$\SHACompress$ with the first $32$ bytes of $z$ in the IV, and the rest of $z$
($9$ bytes), the randomness $r$ ($32$ bytes), and padding up to $64$ bytes in the
$\SHACompress$ input block. Then we have
$\NoteCommit{Sprout}{r}(x \bconcat y) = \CommitPrime{r}(\SHACompress(x) \bconcat y)$.
Suppose we make the reasonable assumption that $\CommitPrimeAlg$ is a computationally
\binding and \hiding \commitmentScheme. If $\SHACompress$ is \collisionResistant with
the standard IV\footnote{If $\SHACompress$ is not \collisionResistant with the
standard IV, then \shaHash is not \collisionResistant for a $2$-block input.}, then
$\NoteCommitAlg{Sprout}$ is as secure for \binding as $\CommitPrimeAlg$. Also
$\NoteCommitAlg{Sprout}$ is as secure for \hiding as $\CommitPrimeAlg$ (without
any assumption on $\SHACompress$). This effectively rules out potential concerns
about the Merkle--Damgård structure \cite{Damgard1989} of \shaHash causing any
security problem for $\NoteCommitAlg{Sprout}$.
} %sproutspecificpnote
\sproutspecificpnote{ \sproutspecificpnote{
\Sprout \noteCommitments are not statistically \hiding, so for \Sprout notes, \Sprout \noteCommitments are not statistically \hiding, so for \Sprout notes,
\Zcash does not support the ``everlasting anonymity'' property described in \Zcash does not support the ``everlasting anonymity'' property described in
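Review bot: The binding reduction in the new `\sproutspecificpnote` states its conclusion without the case split that makes the footnote's collision-resistance assumption visibly necessary; suggest adding one sentence after "Then we have ...": a binding break for $\NoteCommitAlg{Sprout}$ gives $(x, y, r) \neq (x', y', r')$ with equal outputs, and either $\SHACompress(x) \bconcat y \neq \SHACompress(x') \bconcat y'$ (a binding break for $\CommitPrimeAlg$) or $y = y'$ and $\SHACompress(x) = \SHACompress(x')$ with $x \neq x'$ (a collision for $\SHACompress$ with the standard IV). The byte accounting would also be easier to verify if the text said explicitly that the commitment input is $64 + 9 = 73$ bytes, so that with the $32$-byte $r$ the second $\SHACompress$ block holds $9 + 32 = 41$ bytes plus padding, which fits in $64$ bytes since SHA-256 padding needs at least $9$ bytes; the identity $\NoteCommit{Sprout}{r}(x \bconcat y) = \CommitPrime{r}(\SHACompress(x) \bconcat y)$ depends on the input occupying exactly two blocks.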
@ -14524,6 +14547,9 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\begin{itemize} \begin{itemize}
\item In \crossref{joinsplit}, clarify that balance for \joinSplitTransfers is enforced \item In \crossref{joinsplit}, clarify that balance for \joinSplitTransfers is enforced
by the \joinSplitStatement, and that there is no consensus rule to check it directly. by the \joinSplitStatement, and that there is no consensus rule to check it directly.
\item In \crossref{internalh}, add a security argument for why the \shaHash-based
\commitmentScheme $\NoteCommitAlg{Sprout}$ is \binding and \hiding, under reasonable
assumptions about $\SHACompress$.
\end{itemize} \end{itemize}


@ -473,6 +473,26 @@ Received March~20, 2012.}
urldate={2021-03-08} urldate={2021-03-08}
} }
@inproceedings{Damgard1989,
presort={Damgard1989},
shorthand={Damgård1989},
author={Ivan Damgård},
title={A Design Principle for Hash Functions},
date={1990}, % publication year
booktitle={Advances in Cryptology - CRYPTO~'89.
Proceedings of the 9th Annual International Cryptology Conference
(Santa Barbara, California, USA, August~20--24, 1989)},
volume={435},
series={Lecture Notes in Computer Science},
editor={Giles Brassard},
pages={416--427},
publisher={Springer},
isbn={978-0-387-34805-6},
doi={10.1007/0-387-34805-0_39},
url={https://link.springer.com/chapter/10.1007/0-387-34805-0_39},
urldate={2022-01-19}
}
@misc{NIST2016, @misc{NIST2016,
presort={NIST2016}, presort={NIST2016},
author={NIST}, author={NIST},
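Review bot: `editor={Giles Brassard}` misspells the editor's given name; the CRYPTO '89 proceedings (LNCS 435) were edited by Gilles Brassard, so change it to `editor={Gilles Brassard}`. The `date={1990}` with the `% publication year` comment is correct for the LNCS volume even though the conference was held in 1989, and keeping that comment avoids a later "fix" back to 1989; the `urldate` format matches the `NIST2016` entry below, so no change needed there.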