mirror of https://github.com/zcash/zips.git
In \crossref{internalh}, add a security argument for why the SHA-256-based commitment scheme
NoteCommit^Sprout is binding and hiding, under reasonable assumptions about SHACompress.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent 0cdab5071b
commit 4ef578706b
|
@ -237,6 +237,7 @@
|
||||||
\def\tempstring{#1}%
|
\def\tempstring{#1}%
|
||||||
\xStrSubstitute{\tempstring}{MAEA2010}{MÁEÁ2010}[\tempstring]%
|
\xStrSubstitute{\tempstring}{MAEA2010}{MÁEÁ2010}[\tempstring]%
|
||||||
\xStrSubstitute{\tempstring}{Hisil2010}{Hı\cedilla{s}ıl2010}[\tempstring]%
|
\xStrSubstitute{\tempstring}{Hisil2010}{Hı\cedilla{s}ıl2010}[\tempstring]%
|
||||||
|
\xStrSubstitute{\tempstring}{Damgard1989}{Damgård1989}[\tempstring]%
|
||||||
\tempstring
|
\tempstring
|
||||||
\restoreexpandmode
|
\restoreexpandmode
|
||||||
}
|
}
|
||||||
|
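Review bot: The new substitution line `\xStrSubstitute{\tempstring}{Damgard1989}{Damgård1989}[\tempstring]%` duplicates information that the bib entry's `shorthand={Damgård1989}` field (added in the same commit) already carries, so the ASCII citation key and its displayed form now live in two places that must be kept in sync by hand. A one-line comment above the substitution list saying why it exists (the \cite keys have to stay ASCII, so diacritics are restored here for display) would help whoever adds the next reference with a non-ASCII author name; otherwise the change is consistent with the existing MAEA2010 and Hisil2010 entries.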
@ -1543,6 +1544,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\NoteCommitGenTrapdoor}[1]{\NoteCommitAlg{#1}\mathsf{.GenTrapdoor}}
|
\newcommand{\NoteCommitGenTrapdoor}[1]{\NoteCommitAlg{#1}\mathsf{.GenTrapdoor}}
|
||||||
\newcommand{\NoteCommitInput}[1]{\NoteCommitAlg{#1}\mathsf{.Input}}
|
\newcommand{\NoteCommitInput}[1]{\NoteCommitAlg{#1}\mathsf{.Input}}
|
||||||
\newcommand{\NoteCommitOutput}[1]{\NoteCommitAlg{#1}\mathsf{.Output}}
|
\newcommand{\NoteCommitOutput}[1]{\NoteCommitAlg{#1}\mathsf{.Output}}
|
||||||
|
\newcommand{\CommitPrimeAlg}{\mathsf{COMM}'}
|
||||||
|
\newcommand{\CommitPrime}[1]{\CommitPrimeAlg_{#1}}
|
||||||
\newcommand{\ValueCommitAlg}[1]{\mathsf{ValueCommit}^\mathsf{#1\kern-0.1em}}
|
\newcommand{\ValueCommitAlg}[1]{\mathsf{ValueCommit}^\mathsf{#1\kern-0.1em}}
|
||||||
\newcommand{\ValueCommit}[2]{\ValueCommitAlg{#1}_{#2}}
|
\newcommand{\ValueCommit}[2]{\ValueCommitAlg{#1}_{#2}}
|
||||||
\newcommand{\ValueCommitTrapdoor}[1]{\ValueCommitAlg{#1}\mathsf{.Trapdoor}}
|
\newcommand{\ValueCommitTrapdoor}[1]{\ValueCommitAlg{#1}\mathsf{.Trapdoor}}
|
||||||
|
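Review bot: `\newcommand{\CommitPrimeAlg}{\mathsf{COMM}'}` and `\CommitPrime` are the only macros in this block whose purpose is not evident from the name; the surrounding NoteCommit and ValueCommit macros are self-describing, but nothing here says that COMM' stands for the second SHACompress application in the NoteCommit^Sprout security argument and is used nowhere else. Suggest either a trailing comment on the first line (e.g. `% COMM' is used only in the NoteCommit^Sprout security argument in internalh`) or a more specific name, so the generic-looking COMM' is not picked up later for an unrelated scheme.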
@ -14096,6 +14099,26 @@ A side benefit is that this reduces the cost of computing the
|
||||||
evaluations needed to compute each \noteCommitment from three to two,
|
evaluations needed to compute each \noteCommitment from three to two,
|
||||||
saving a total of four \shaCompress evaluations in the \joinSplitStatement.
|
saving a total of four \shaCompress evaluations in the \joinSplitStatement.
|
||||||
|
|
||||||
|
\sproutspecificpnote{
|
||||||
|
The full \shaHash algorithm is used for $\NoteCommitAlg{Sprout}$, with randomness
|
||||||
|
appended after the commitment input. The commitment input can be split into two
|
||||||
|
blocks, call them $x$ of length $64$ bytes, and $y$ of the remaining length ($9$ bytes).
|
||||||
|
Let $\CommitPrime{r}(z \typecolon \byteseq{41})$ be the \commitmentScheme that applies
|
||||||
|
$\SHACompress$ with the first $32$ bytes of $z$ in the IV, and the rest of $z$
|
||||||
|
($9$ bytes), the randomness $r$ ($32$ bytes), and padding up to $64$ bytes in the
|
||||||
|
$\SHACompress$ input block. Then we have
|
||||||
|
$\NoteCommit{Sprout}{r}(x \bconcat y) = \CommitPrime{r}(\SHACompress(x) \bconcat y)$.
|
||||||
|
Suppose we make the reasonable assumption that $\CommitPrimeAlg$ is a computationally
|
||||||
|
\binding and \hiding \commitmentScheme. If $\SHACompress$ is \collisionResistant with
|
||||||
|
the standard IV\footnote{If $\SHACompress$ is not \collisionResistant with the
|
||||||
|
standard IV, then \shaHash is not \collisionResistant for a $2$-block input.}, then
|
||||||
|
$\NoteCommitAlg{Sprout}$ is as secure for \binding as $\CommitPrimeAlg$. Also
|
||||||
|
$\NoteCommitAlg{Sprout}$ is as secure for \hiding as $\CommitPrimeAlg$ (without
|
||||||
|
any assumption on $\SHACompress$). This effectively rules out potential concerns
|
||||||
|
about the Merkle--Damgård structure \cite{Damgard1989} of \shaHash causing any
|
||||||
|
security problem for $\NoteCommitAlg{Sprout}$.
|
||||||
|
} %sproutspecificpnote
|
||||||
|
|
||||||
\sproutspecificpnote{
|
\sproutspecificpnote{
|
||||||
\Sprout \noteCommitments are not statistically \hiding, so for \Sprout notes,
|
\Sprout \noteCommitments are not statistically \hiding, so for \Sprout notes,
|
||||||
\Zcash does not support the ``everlasting anonymity'' property described in
|
\Zcash does not support the ``everlasting anonymity'' property described in
|
||||||
|
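Review bot: The identity on the line `$\NoteCommit{Sprout}{r}(x \bconcat y) = \CommitPrime{r}(\SHACompress(x) \bconcat y)$.` only holds when $\SHACompress(x)$ is evaluated with the standard IV, but the equation does not say so, and $\CommitPrimeAlg$, defined two sentences earlier, applies $\SHACompress$ with a non-standard IV (the first $32$ bytes of $z$), so the reader currently has to infer which IV is meant from the footnote; suggest adding "with the standard IV" to that line. The binding step would also be easier to check with its reduction spelled out in one sentence: two distinct inputs $x \bconcat y \neq x' \bconcat y'$ with equal commitments either give $\SHACompress(x) \bconcat y \neq \SHACompress(x') \bconcat y'$, which is a binding break for $\CommitPrimeAlg$, or give $y = y'$ and $\SHACompress(x) = \SHACompress(x')$ with $x \neq x'$, which is a collision in $\SHACompress$ under the standard IV. As written, "is as secure for \binding as $\CommitPrimeAlg$" asks the reader to reconstruct this case split.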
@ -14524,6 +14547,9 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item In \crossref{joinsplit}, clarify that balance for \joinSplitTransfers is enforced
|
\item In \crossref{joinsplit}, clarify that balance for \joinSplitTransfers is enforced
|
||||||
by the \joinSplitStatement, and that there is no consensus rule to check it directly.
|
by the \joinSplitStatement, and that there is no consensus rule to check it directly.
|
||||||
|
\item In \crossref{internalh}, add a security argument for why the \shaHash-based
|
||||||
|
\commitmentScheme $\NoteCommitAlg{Sprout}$ is \binding and \hiding, under reasonable
|
||||||
|
assumptions about $\SHACompress$.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -473,6 +473,26 @@ Received March~20, 2012.}
|
||||||
urldate={2021-03-08}
|
urldate={2021-03-08}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@inproceedings{Damgard1989,
|
||||||
|
presort={Damgard1989},
|
||||||
|
shorthand={Damgård1989},
|
||||||
|
author={Ivan Damgård},
|
||||||
|
title={A Design Principle for Hash Functions},
|
||||||
|
date={1990}, % publication year
|
||||||
|
booktitle={Advances in Cryptology - CRYPTO~'89.
|
||||||
|
Proceedings of the 9th Annual International Cryptology Conference
|
||||||
|
(Santa Barbara, California, USA, August~20--24, 1989)},
|
||||||
|
volume={435},
|
||||||
|
series={Lecture Notes in Computer Science},
|
||||||
|
editor={Giles Brassard},
|
||||||
|
pages={416--427},
|
||||||
|
publisher={Springer},
|
||||||
|
isbn={978-0-387-34805-6},
|
||||||
|
doi={10.1007/0-387-34805-0_39},
|
||||||
|
url={https://link.springer.com/chapter/10.1007/0-387-34805-0_39},
|
||||||
|
urldate={2022-01-19}
|
||||||
|
}
|
||||||
|
|
||||||
@misc{NIST2016,
|
@misc{NIST2016,
|
||||||
presort={NIST2016},
|
presort={NIST2016},
|
||||||
author={NIST},
|
author={NIST},
|
||||||
|
|
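Review bot: `editor={Giles Brassard},` misspells the editor's name; the CRYPTO '89 proceedings (LNCS volume 435, matching the `volume` and `series` fields here) were edited by Gilles Brassard, so this should read `editor={Gilles Brassard},`. The `presort={Damgard1989}` / `shorthand={Damgård1989}` pair is consistent with the display substitution added in the first hunk.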