mirror of https://github.com/zcash/zips.git
Fix PRFpk notation, clarify truncation, and answer a question about PRFsn.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood
parent
aa0087f501
commit
592c06c263
Binary file not shown.
|
|
@ -89,7 +89,7 @@
|
|||
\newcommand{\PRF}[2]{\mathsf{{PRF}^{#2}_\mathnormal{#1}}}
|
||||
\newcommand{\PRFaddr}[1]{\PRF{#1}{addr}}
|
||||
\newcommand{\PRFsn}[1]{\PRF{#1}{sn}}
|
||||
\newcommand{\PRFpk}[2]{\PRF{#1}{pk,{\mathnormal{#2}}}}
|
||||
\newcommand{\PRFpk}[1]{\PRF{#1}{pk}}
|
||||
\newcommand{\SHA}{\mathtt{SHA256Compress}}
|
||||
\newcommand{\SHAName}{\term{SHA-256 compression}}
|
||||
\newcommand{\SHAOrig}{\term{SHA-256}}
|
||||
|
|
@ -171,6 +171,9 @@ protected by zero-knowledge succinct non-interactive arguments of knowledge
|
|||
All integers visible in \Zcash-specific encodings are unsigned, have a fixed
|
||||
bit length, and are encoded as big-endian.
|
||||
|
||||
In bit layout diagrams, bits are ordered from left to right with the most
|
||||
significant bits in each byte first.
|
||||
|
||||
\subsection{Cryptographic Functions}
|
||||
|
||||
\subparagraph{}
|
||||
|
|
@ -183,8 +186,7 @@ different from the $\SHAOrig$ function, which hashes arbitrary-length strings.
|
|||
|
||||
$\PRF{x}{}$ is a pseudo-random function seeded by $x$. Three \emph{independent}
|
||||
$\PRF{x}{}$ are needed in our scheme: $\PRFaddr{x}$, $\PRFsn{x}$, and
|
||||
$\PRFpk{x}{i}$. It is required that $\PRFsn{x}$ be collision-resistant.
|
||||
\daira{For any given $x$, or across all $x$?}
|
||||
$\PRFpk{x}$. It is required that $\PRFsn{x}$ be collision-resistant across all $x$.
|
||||
|
||||
In \Zcash, the $\SHAName$ function is used to construct all three of these
|
||||
functions. The bits $\mathtt{00}$, $\mathtt{01}$ and $\mathtt{10}$ are included
|
||||
|
|
@ -211,7 +213,7 @@ independent.
|
|||
\bitbox{242}{256 bit $\SpendAuthorityPrivate$} &
|
||||
\bitbox{14}{0} &
|
||||
\bitbox{14}{1} &
|
||||
\bitbox{242}{254 bit truncated $\CoinAddressRand$} &
|
||||
\bitbox{242}{254 bit left-truncated $\CoinAddressRand$} &
|
||||
\end{bytefield}
|
||||
\enspace
|
||||
\right)
|
||||
|
|
@ -219,19 +221,23 @@ independent.
|
|||
|
||||
|
||||
\begin{equation*}
|
||||
\h{i} = \PRFpk{\SpendAuthorityPrivate}{i}(\hSig) = \CRH\left(
|
||||
\h{i} = \PRFpk{\SpendAuthorityPrivate}(i, \hSig) = \CRH\left(
|
||||
\;
|
||||
\begin{bytefield}[bitwidth=0.07em]{512}
|
||||
\bitbox{242}{256 bit $\SpendAuthorityPrivate$} &
|
||||
\bitbox{14}{1} &
|
||||
\bitbox{14}{0} &
|
||||
\bitbox{14}{i} &
|
||||
\bitbox{241}{253 bit truncated $\hSig$}
|
||||
\bitbox{241}{253 bit left-truncated $\hSig$}
|
||||
\end{bytefield}
|
||||
\enspace
|
||||
\right)
|
||||
\end{equation*}
|
||||
|
||||
\term{Left-truncated} means that the most significant bits of the first byte of
|
||||
$\CoinAddressRand$ and $\hSig$ respectively are dropped. \daira{Should we instead
|
||||
define $\CoinAddressRand$ to be 254 bits and $\hSig$ to be 253 bits?}
|
||||
|
||||
\subsection{Confidential Addresses and Private Keys}
|
||||
|
||||
\subparagraph{}
|
||||
|
|
@ -540,9 +546,7 @@ $\SpendAuthorityPublicOld{i} = \PRFaddr{\SpendAuthorityPrivateOld{i}}(0)$.
|
|||
|
||||
\subparagraph{Non-malleability}
|
||||
|
||||
% TODO: protocol is really gross here, let's clarify the
|
||||
% indices and use of PRFpk independence from other h sdfhjgahsdjkgfas
|
||||
for each $i \in \{1..\NOld\}$: $\h{i}$ = $\PRFpk{\SpendAuthorityPrivateOld{i}}{i}(\hSig)$
|
||||
for each $i \in \{1..\NOld\}$: $\h{i}$ = $\PRFpk{\SpendAuthorityPrivateOld{i}}(i, \hSig)$
|
||||
|
||||
\subparagraph{Commitment integrity}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue