From 553be0f9ebbd4a665f89b3e76b3c04c7e9ac93e1 Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Sat, 4 Jul 2020 03:47:29 +0100 Subject: [PATCH] In RedDSA verification, clarify that \underline{R} used as part of the input to H^\ast must be exactly as encoded in the signature. Signed-off-by: Daira Hopwood --- protocol/protocol.tex | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 2775f247..8e7046d3 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -7246,9 +7246,9 @@ Define $\RedDSAValidate{} \typecolon (\vk \typecolon \RedDSAPublic) \times (M \t \vspace{-2ex} \begin{pnotes} \item The validation algorithm \emph{does not} check that $\RedDSASigR{}$ is a point of order -at least $\ParamG{r}$. It \emph{does} check that $\RedDSAReprR{}$ is the canonical representation -(as output by $\reprG{}$) of a point on the curve. This is different to \EdSpecific as specified in -\crossref{concretejssig}. +at least $\ParamG{r}$. + \item The value $\RedDSAReprR{}$ used as part of the input to $\RedDSAHashToScalar$ \MUST be exactly + as encoded in the signature. \item Appendix \crossref{reddsabatchvalidate} describes an optimization that \MAY be used to speed up validation of batches of $\RedDSA$ signatures. \end{pnotes} @@ -10523,6 +10523,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \item Change the specification of $\abstJ$ in \crossref{jubjub} to match the implementation. \item Repair the argument for $\GroupJHash{\URS}$ being usable as a random oracle, which previously depended on $\abstJ$ being injective. + \item In $\RedDSA$ verification, clarify that $\RedDSAReprR{}$ used as part of the input to + $\RedDSAHashToScalar$ must be exactly as encoded in the signature. } \canopy{ \item Specify that \shieldedOutputs of \coinbaseTransactions \MUST use v2 \notePlaintexts after
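Review bot: In the first hunk (protocol.tex around line 7246), the deleted text did more than the commit subject says: it removed the statement that validation "does check that $\RedDSAReprR{}$ is the canonical representation (as output by $\reprG{}$) of a point on the curve", together with the cross-reference contrasting this with \EdSpecific in \crossref{concretejssig}. If the $\RedDSAValidate{}$ definition above the notes still rejects non-canonical encodings, keep that sentence (and the cross-reference) next to the new "\MUST be exactly as encoded in the signature" note, since the two statements address different things: one is whether a non-canonical $\RedDSAReprR{}$ is rejected, the other is that the bytes hashed by $\RedDSAHashToScalar$ are the signature bytes rather than a re-encoding of the decoded point, which is what prevents two encodings of the same $R$ from verifying against one signature. If the canonicity check is intentionally no longer claimed, say so explicitly in the note, because that is a normative change and implementers reading only this note can no longer tell which behaviour is required.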
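Review bot: The changelog entry added in the second hunk (around line 10523) describes the change only as a clarification of which $\RedDSAReprR{}$ bytes feed $\RedDSAHashToScalar$, but the first hunk also drops the sentence stating that validation checks $\RedDSAReprR{}$ is the canonical $\reprG{}$ output of a curve point. The changelog entry should mention that removal as well (or state that the canonicity requirement is unchanged and merely restated elsewhere), so that implementers auditing spec revisions can see whether the set of accepted signatures changed rather than only the wording.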