mirror of https://github.com/zcash/zips.git
Updates to JoinSplit signatures.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
15c838b510
commit
4fc9bc21aa
@ -165,6 +165,8 @@
|
|||
\newcommand{\JoinSplitTransfer}{\titleterm{JoinSplit Transfer}}
|
||||
\newcommand{\JoinSplitTransfers}{\titleterm{JoinSplit Transfers}}
|
||||
\newcommand{\joinSplitSignature}{\term{JoinSplit signature}}
|
||||
\newcommand{\joinSplitSigningKey}{\term{JoinSplit signing key}}
|
||||
\newcommand{\joinSplitVerifyingKey}{\term{JoinSplit verifying key}}
|
||||
\newcommand{\joinSplitStatement}{\term{JoinSplit statement}}
|
||||
\newcommand{\joinSplitStatements}{\term{JoinSplit statements}}
|
||||
\newcommand{\JoinSplitStatement}{\titleterm{JoinSplit Statement}}
|
||||
|
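Review bot: `\joinSplitSigningKey` and `\joinSplitVerifyingKey` are introduced here, but the prose this commit touches still says "the private signing key of this key pair" and "The corresponding public verification key" in plain words (the context lines at the top of the 1449 hunk); use the new macros there so the defined terms and the prose stay in sync, or drop the macros until something uses them.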
@ -419,6 +421,10 @@
|
|||
|
||||
% Signatures
|
||||
\newcommand{\JoinSplitSigAlg}{\mathsf{JoinSplitSigAlg}}
|
||||
\newcommand{\JoinSplitSigPublic}{\mathsf{JoinSplitSig.Public}}
|
||||
\newcommand{\JoinSplitSigPrivate}{\mathsf{JoinSplitSig.Private}}
|
||||
\newcommand{\JoinSplitSigSign}{\mathsf{JoinSplitSig.Sign}}
|
||||
\newcommand{\JoinSplitSigVerify}{\mathsf{JoinSplitSig.Verify}}
|
||||
\newcommand{\JoinSplitSigSpecific}{\mathsf{Ed25519}}
|
||||
\newcommand{\JoinSplitSigHashName}{\mathsf{SHA\mhyphen512}}
|
||||
\newcommand{\cm}{\mathsf{cm}}
|
||||
|
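Review bot: `\JoinSplitSigPublic`, `\JoinSplitSigPrivate`, `\JoinSplitSigSign` and `\JoinSplitSigVerify` are defined but nothing in this commit's text refers to them; the correctness condition in the 1449 hunk ("can be verified as an encoding of a signature on $\dataToBeSigned$") is the natural place to state it as $\JoinSplitSigVerify$, which would also let the abstract scheme be used before its instantiation. Separately, `\mhyphen` in `\JoinSplitSigHashName` has to exist in the preamble; confirm it is defined rather than relying on a package macro.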
@ -1427,9 +1433,8 @@ $\MerkleNode{\MerkleDepth}{i}$ is in a tree with a given \merkleRoot $\rt = \Mer
|
|||
|
||||
\nsubsection{Non-malleability} \label{nonmalleability}
|
||||
|
||||
\changed{
|
||||
\Bitcoin defines several \sighashTypes that cover various parts of a transaction.
|
||||
In \Zcash, all of these \sighashTypes are extended to cover the \Zcash-specific
|
||||
\changed{In \Zcash, all of these \sighashTypes are extended to cover the \Zcash-specific
|
||||
fields $\nJoinSplit$, $\vJoinSplit$, and (if present) $\joinSplitPubKey$.
|
||||
They \emph{do not} cover the field $\joinSplitSig$.
|
||||
|
||||
|
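Review bot: the `\changed{` opener now sits mid-paragraph on the "In \Zcash, all of these \sighashTypes…" line, while the following hunk shows two closing `}` lines; check that exactly one opener remains for them, since an unbalanced change-markup brace will swallow the rest of the section when the document is built with change markup enabled. Leaving "\Bitcoin defines several \sighashTypes…" outside the span is right only if that sentence is unchanged from the previous published revision.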
@ -1437,10 +1442,11 @@ They \emph{do not} cover the field $\joinSplitSig$.
|
|||
If $\nJoinSplit > 0$, the \transaction{} \MUSTNOT use \sighashTypes other than
|
||||
$\SIGHASHALL$.
|
||||
}
|
||||
}
|
||||
|
||||
Let $\dataToBeSigned$ be the hash of the \transaction using the $\SIGHASHALL$
|
||||
\sighashType. This \emph{excludes} all of the $\scriptSig$ fields in
|
||||
the non-\Zcash-specific parts of the \transaction.
|
||||
Let $\dataToBeSigned$ be the hash of the \transaction{} \changed{using the $\SIGHASHALL$
|
||||
\sighashType}. \changed{This \emph{excludes} all of the $\scriptSig$ fields in
|
||||
the non-\Zcash-specific parts of the \transaction.}
|
||||
|
||||
In order to ensure that a \joinSplitDescription is cryptographically bound to the
|
||||
\transparent inputs and outputs corresponding to $\vpubNew$ and $\vpubOld$, and
|
||||
|
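Review bot: the two `\changed{…}` spans on the "Let $\dataToBeSigned$…" lines are separated only by a full stop; merging them into one span reads better and avoids a lone unmarked period between two highlighted runs. The added `{}` after `\transaction` is a good fix, since without it the macro would gobble the following space.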
@ -1449,40 +1455,13 @@ key pair is generated for each \transaction, and the $\dataToBeSigned$ is
|
|||
signed with the private signing key of this key pair. The corresponding public
|
||||
verification key is included in the \transaction encoding as $\joinSplitPubKey$.
|
||||
|
||||
$\JoinSplitSigAlg$ is instantiated as $\JoinSplitSigSpecific$ \cite{BDL+2012},
|
||||
with the additional requirement that $\EdDSAs$ (the integer represented
|
||||
by $\EdDSAS$) must be less than the prime
|
||||
$\ell = 2^{252} + 27742317777372353535851937790883648493$,
|
||||
otherwise the signature is considered invalid.
|
||||
$\JoinSplitSigSpecific$ is defined as using $\JoinSplitSigHashName$ internally.
|
||||
$\JoinSplitSigAlg$ is instantiated in \crossref{concretesig}.
|
||||
|
||||
\changed{
|
||||
If $\nJoinSplit$ is zero, the $\joinSplitPubKey$ and $\joinSplitSig$ fields are
|
||||
omitted. Otherwise, a \transaction has a correct \joinSplitSignature if
|
||||
$\joinSplitSig$ can be verified as an encoding of a signature on $\dataToBeSigned$
|
||||
as specified above, using the $\JoinSplitSigSpecific$ public key encoded as
|
||||
$\joinSplitPubKey$.
|
||||
}
|
||||
|
||||
\newsavebox{\sigbox}
|
||||
\begin{lrbox}{\sigbox}
|
||||
\setchanged
|
||||
\begin{bytefield}[bitwidth=0.075em]{512}
|
||||
\bitbox{256}{$256$-bit $\EdDSAR$}
|
||||
\bitbox{256}{$256$-bit $\EdDSAS$}
|
||||
\end{bytefield}
|
||||
\end{lrbox}
|
||||
|
||||
\changed{
|
||||
The encoding of a signature is:
|
||||
}
|
||||
\begin{itemize}
|
||||
\item[] $\Justthebox{\sigbox}$
|
||||
\end{itemize}
|
||||
|
||||
\changed{
|
||||
where $\EdDSAR$ and $\EdDSAS$ are as defined in \cite{BDL+2012}.
|
||||
|
||||
The encoding of a public key is as defined in \cite{BDL+2012}.
|
||||
as specified above, using $\joinSplitPubKey$.
|
||||
}
|
||||
|
||||
The condition enforced by the \joinSplitStatement specified in \crossref{nonmalleablepour}
|
||||
|
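Review bot: the correctness condition still names the concrete scheme ("using the $\JoinSplitSigSpecific$ public key encoded as $\joinSplitPubKey$") while the sentence before it now defers instantiation to \crossref{concretesig}; state the condition in terms of $\JoinSplitSigAlg$ so this section does not depend on Ed25519. Moving the $\EdDSAs < \ell$ requirement out of this Non-malleability section also removes the one place that explained why the bound exists; keep a sentence here noting that the bound in \crossref{concretesig} is what rules out a second valid encoding of the same signature being accepted. The dangling fragment "as specified above, using $\joinSplitPubKey$." is rightly gone.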
@ -2086,7 +2065,36 @@ where:
|
|||
|
||||
\nsubsubsection{Signatures} \label{concretesig}
|
||||
|
||||
\todo{}
|
||||
\changed{
|
||||
$\JoinSplitSigAlg$ is instantiated as $\JoinSplitSigSpecific$ \cite{BDL+2012},
|
||||
with the additional requirement that $\EdDSAs$ (the integer represented
|
||||
by $\EdDSAS$) must be less than the prime
|
||||
$\ell = 2^{252} + 27742317777372353535851937790883648493$,
|
||||
otherwise the signature is considered invalid.
|
||||
$\JoinSplitSigSpecific$ is defined as using $\JoinSplitSigHashName$ internally.
|
||||
}
|
||||
|
||||
\newsavebox{\sigbox}
|
||||
\begin{lrbox}{\sigbox}
|
||||
\setchanged
|
||||
\begin{bytefield}[bitwidth=0.075em]{512}
|
||||
\bitbox{256}{$256$-bit $\EdDSAR$}
|
||||
\bitbox{256}{$256$-bit $\EdDSAS$}
|
||||
\end{bytefield}
|
||||
\end{lrbox}
|
||||
|
||||
\changed{
|
||||
The encoding of a signature is:
|
||||
}
|
||||
\begin{itemize}
|
||||
\item[] $\Justthebox{\sigbox}$
|
||||
\end{itemize}
|
||||
|
||||
\changed{
|
||||
where $\EdDSAR$ and $\EdDSAS$ are as defined in \cite{BDL+2012}.
|
||||
|
||||
The encoding of a public key is as defined in \cite{BDL+2012}.
|
||||
}
|
||||
|
||||
\nsubsection{Note Components}
|
||||
|
||||
|
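Review bot: the only explicit rejection condition in this section is $\EdDSAs \ge \ell$; it should also state that a signature whose $\EdDSAR$ does not decode to a valid point, or a $\joinSplitPubKey$ that does not decode as a public key under \cite{BDL+2012}, makes the \joinSplitSignature invalid, so that all validators reject malformed inputs identically rather than each relying on library behaviour. If the `\todo{}` placeholder is not among the removed lines, drop it now that the section has content, and check that `\newsavebox{\sigbox}` appears only once in the document after the move, since a second `\newsavebox` of the same name is a compile error.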