Updates to JoinSplit signatures.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2016-09-04 04:22:46 +01:00
parent 15c838b510
commit 4fc9bc21aa
1 changed file with 44 additions and 36 deletions


@ -165,6 +165,8 @@
\newcommand{\JoinSplitTransfer}{\titleterm{JoinSplit Transfer}}
\newcommand{\JoinSplitTransfers}{\titleterm{JoinSplit Transfers}}
\newcommand{\joinSplitSignature}{\term{JoinSplit signature}}
\newcommand{\joinSplitSigningKey}{\term{JoinSplit signing key}}
\newcommand{\joinSplitVerifyingKey}{\term{JoinSplit verifying key}}
\newcommand{\joinSplitStatement}{\term{JoinSplit statement}}
\newcommand{\joinSplitStatements}{\term{JoinSplit statements}}
\newcommand{\JoinSplitStatement}{\titleterm{JoinSplit Statement}}
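Review bot: the two macros introduced here, `\joinSplitSigningKey` and `\joinSplitVerifyingKey`, are not used by any of the text this commit changes; the non-malleability paragraph still describes the key pair in plain words (`signed with the private signing key of this key pair. The corresponding public` / `verification key is included in the \transaction encoding as $\joinSplitPubKey$.`). Either use the new terms there so the defined terms and the prose agree, or defer adding the macros until they are referenced.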
@ -419,6 +421,10 @@
% Signatures
\newcommand{\JoinSplitSigAlg}{\mathsf{JoinSplitSigAlg}}
\newcommand{\JoinSplitSigPublic}{\mathsf{JoinSplitSig.Public}}
\newcommand{\JoinSplitSigPrivate}{\mathsf{JoinSplitSig.Private}}
\newcommand{\JoinSplitSigSign}{\mathsf{JoinSplitSig.Sign}}
\newcommand{\JoinSplitSigVerify}{\mathsf{JoinSplitSig.Verify}}
\newcommand{\JoinSplitSigSpecific}{\mathsf{Ed25519}}
\newcommand{\JoinSplitSigHashName}{\mathsf{SHA\mhyphen512}}
\newcommand{\cm}{\mathsf{cm}}
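Review bot: `\JoinSplitSigHashName` depends on a `\mhyphen` macro that is not defined anywhere in this diff; confirm it exists in the preamble, otherwise `\mathsf{SHA\mhyphen512}` will not compile. A one-line comment next to `\JoinSplitSigSpecific` noting that the hash is fixed by Ed25519 itself (it is not a free parameter of the scheme) would also make clear why the two macros are defined together.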
@ -1427,9 +1433,8 @@ $\MerkleNode{\MerkleDepth}{i}$ is in a tree with a given \merkleRoot $\rt = \Mer
\nsubsection{Non-malleability} \label{nonmalleability}
\changed{
\Bitcoin defines several \sighashTypes that cover various parts of a transaction.
In \Zcash, all of these \sighashTypes are extended to cover the \Zcash-specific
\changed{In \Zcash, all of these \sighashTypes are extended to cover the \Zcash-specific
fields $\nJoinSplit$, $\vJoinSplit$, and (if present) $\joinSplitPubKey$.
They \emph{do not} cover the field $\joinSplitSig$.
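Review bot: the `\changed{` wrapper moves from the start of the paragraph (the line before `\Bitcoin defines several \sighashTypes`) to the start of the second sentence (`\changed{In \Zcash, all of these \sighashTypes are extended`), so the first sentence is no longer marked as changed and the brace opened here must now close at a different point. Check that exactly one matching `}` survives in the following hunk, which shows two consecutive `}` lines; an unbalanced `\changed{` either breaks the build or marks the wrong span as changed.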
@ -1437,10 +1442,11 @@ They \emph{do not} cover the field $\joinSplitSig$.
If $\nJoinSplit > 0$, the \transaction{} \MUSTNOT use \sighashTypes other than
$\SIGHASHALL$.
}
}
Let $\dataToBeSigned$ be the hash of the \transaction using the $\SIGHASHALL$
\sighashType. This \emph{excludes} all of the $\scriptSig$ fields in
the non-\Zcash-specific parts of the \transaction.
Let $\dataToBeSigned$ be the hash of the \transaction{} \changed{using the $\SIGHASHALL$
\sighashType}. \changed{This \emph{excludes} all of the $\scriptSig$ fields in
the non-\Zcash-specific parts of the \transaction.}
In order to ensure that a \joinSplitDescription is cryptographically bound to the
\transparent inputs and outputs corresponding to $\vpubNew$ and $\vpubOld$, and
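Review bot: the rewritten definition correctly uses `\transaction{}` before "using", which is needed so the macro does not swallow the following space; the replaced line `Let $\dataToBeSigned$ be the hash of the \transaction using the $\SIGHASHALL$` would have rendered as "transactionusing". The same fix is still missing in nearby unchanged context, for example `\transaction encoding as $\joinSplitPubKey$` in the next hunk, so it is worth sweeping the section for bare `\transaction` followed by a word.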
@ -1449,40 +1455,13 @@ key pair is generated for each \transaction, and the $\dataToBeSigned$ is
signed with the private signing key of this key pair. The corresponding public
verification key is included in the \transaction encoding as $\joinSplitPubKey$.
$\JoinSplitSigAlg$ is instantiated as $\JoinSplitSigSpecific$ \cite{BDL+2012},
with the additional requirement that $\EdDSAs$ (the integer represented
by $\EdDSAS$) must be less than the prime
$\ell = 2^{252} + 27742317777372353535851937790883648493$,
otherwise the signature is considered invalid.
$\JoinSplitSigSpecific$ is defined as using $\JoinSplitSigHashName$ internally.
$\JoinSplitSigAlg$ is instantiated in \crossref{concretesig}.
\changed{
If $\nJoinSplit$ is zero, the $\joinSplitPubKey$ and $\joinSplitSig$ fields are
omitted. Otherwise, a \transaction has a correct \joinSplitSignature if
$\joinSplitSig$ can be verified as an encoding of a signature on $\dataToBeSigned$
as specified above, using the $\JoinSplitSigSpecific$ public key encoded as
$\joinSplitPubKey$.
}
\newsavebox{\sigbox}
\begin{lrbox}{\sigbox}
\setchanged
\begin{bytefield}[bitwidth=0.075em]{512}
\bitbox{256}{$256$-bit $\EdDSAR$}
\bitbox{256}{$256$-bit $\EdDSAS$}
\end{bytefield}
\end{lrbox}
\changed{
The encoding of a signature is:
}
\begin{itemize}
\item[] $\Justthebox{\sigbox}$
\end{itemize}
\changed{
where $\EdDSAR$ and $\EdDSAS$ are as defined in \cite{BDL+2012}.
The encoding of a public key is as defined in \cite{BDL+2012}.
as specified above, using $\joinSplitPubKey$.
}
The condition enforced by the \joinSplitStatement specified in \crossref{nonmalleablepour}
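Review bot: the new correctness condition still names the concrete scheme (`as specified above, using the $\JoinSplitSigSpecific$ public key encoded as` / `$\joinSplitPubKey$.`) even though this section now defers the instantiation to `\crossref{concretesig}` (`$\JoinSplitSigAlg$ is instantiated in \crossref{concretesig}.`). Use `$\JoinSplitSigAlg$` (or the new `\joinSplitVerifyingKey` term) here so the abstract definition does not depend on the choice of Ed25519. Also, "can be verified ... as specified above" no longer has the $\EdDSAs < \ell$ requirement above it, since that text moves to `concretesig`; point the verification wording at `\crossref{concretesig}` explicitly so the rejection of non-canonical $\EdDSAS$ values is unambiguously part of what makes a \joinSplitSignature correct, not an optional sanity check.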
@ -2086,7 +2065,36 @@ where:
\nsubsubsection{Signatures} \label{concretesig}
\todo{}
\changed{
$\JoinSplitSigAlg$ is instantiated as $\JoinSplitSigSpecific$ \cite{BDL+2012},
with the additional requirement that $\EdDSAs$ (the integer represented
by $\EdDSAS$) must be less than the prime
$\ell = 2^{252} + 27742317777372353535851937790883648493$,
otherwise the signature is considered invalid.
$\JoinSplitSigSpecific$ is defined as using $\JoinSplitSigHashName$ internally.
}
\newsavebox{\sigbox}
\begin{lrbox}{\sigbox}
\setchanged
\begin{bytefield}[bitwidth=0.075em]{512}
\bitbox{256}{$256$-bit $\EdDSAR$}
\bitbox{256}{$256$-bit $\EdDSAS$}
\end{bytefield}
\end{lrbox}
\changed{
The encoding of a signature is:
}
\begin{itemize}
\item[] $\Justthebox{\sigbox}$
\end{itemize}
\changed{
where $\EdDSAR$ and $\EdDSAS$ are as defined in \cite{BDL+2012}.
The encoding of a public key is as defined in \cite{BDL+2012}.
}
\nsubsection{Note Components}
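Review bot: the requirement that `$\EdDSAs$ ... must be less than the prime` `$\ell$` is stated without its rationale. Since this text exists to support the Non-malleability section, say why: an Ed25519 verifier that does not enforce it accepts any $\EdDSAs + k\ell$ that still fits in 256 bits as a second valid encoding of the same signature on the same message and key, which would let a third party alter $\joinSplitSig$ (and hence the transaction id) without the signing key. Stating this makes clear to implementers that it is a mandatory consensus check. Minor points: removing `\todo{}` should not leave a blank line between `\nsubsubsection{Signatures} \label{concretesig}` and the `\changed{` block, and `\setchanged` inside the `lrbox` deserves a short comment explaining that the box is typeset outside the `\changed{...}` group and would otherwise lose the change marking.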