From 618e6ebf37ad5cb45ed2ce10b800558c83b0b1c7 Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Sun, 11 Mar 2018 17:09:32 +0000 Subject: [PATCH] Change Uncommitted^Sapling to be a u-coordinate for which there is no point on the curve. Signed-off-by: Daira Hopwood --- protocol/protocol.tex | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 182df294..5de1cbf5 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -3487,7 +3487,7 @@ such that the following conditions hold: \subparagraph{Note commitment integrity} \label{saplingnotecommitmentintegrity} -$\cmOld{} \neq \UncommittedSapling$, and $\pack(\cmOld{}) = \NoteCommitmentSapling(\nOld{})$. +$\pack(\cmOld{}) = \NoteCommitmentSapling(\nOld{})$. \subparagraph{Merkle path validity} \label{saplingmerklepathvalidity} @@ -3751,7 +3751,7 @@ Define: \item $\changed{\NoteAddressPreRandLength \typecolon \Nat := 252}$ \item $\UncommittedSprout \typecolon \bitseq{\MerkleHashLengthSprout} := \zeros{\MerkleHashLengthSprout}$ \sapling{ - \item $\UncommittedSapling \typecolon \bitseq{\MerkleHashLengthSapling} := \ones{\MerkleHashLengthSapling}$ + \item $\UncommittedSapling \typecolon \bitseq{\MerkleHashLengthSapling} := \ItoLEBSP{\MerkleHashLengthSapling}(1)$ } %sapling \item $\MAXMONEY \typecolon \Nat := \changed{2.1 \smult 10^{15}}$ (\zatoshi) \item $\SlowStartInterval \typecolon \Nat := 20000$ 
@@ -4143,6 +4143,25 @@ zero, the proof can be adapted straightforwardly to show that $\PedersenHashToPo is collision-resistant under the same assumptions and security bounds. Because $\ItoLEBSP{\MerkleHashLengthSapling}$ and $\ExtractJ$ are injective, it follows that $\PedersenHash$ is equally collision-resistant. + +\vspace{2ex} +\begin{theorem} \label{thmnohashtouncommittedsapling} +$\UncommittedSapling = \ItoLEBSP{\MerkleHashLengthSapling}(1)$ is not in the range of $\PedersenHash$. +\end{theorem} + +\begin{proof} +By the definition of $\PedersenHash$, $\ItoLEBSP{\MerkleHashLengthSapling}(1)$ can be in the +range of $\PedersenHash$ only if there exist $D \typecolon \byteseq{8}$ and $M \typecolon \bitseq{\PosInt}$ +such that $\ExtractJ(\PedersenHashToPoint(D, M)) = 1$. +The latter can only be the affine-Edwards $u$-coordinate of a point in $\GroupJ$. +We show that there are no points in $\GroupJ$ with affine-Edwards $u$-coordinate $1$. +Suppose for a contradiction that $(u, \varv) \in \GroupJ$ for $u = 1$ and some +$\varv \typecolon \GF{\ParamJ{r}}$. By writing the curve equation as +$\varv^2 = (1 - \ParamJ{a} \smult u^2) / (1 - \ParamJ{d} \smult u^2)$, and noting that +$1 - \ParamJ{d} \smult u^2 \neq 0$, we have $\varv^2 = (1 - \ParamJ{a}) / (1 - \ParamJ{d})$. +The right-hand-side is a nonsquare in $\GF{\ParamJ{r}}$, so there are no solutions for $\varv$ +(contradiction). +\end{proof} } %sapling @@ -7271,6 +7290,7 @@ Daira Hopwood, Sean Bowe, and Jack Grigg. $\SpendingKey$ to ensure they are on the full range of $\GF{\ParamJ{r}}$. \item Change $\PRFnr{}$ to produce output computationally indistinguishable from uniform on $\GF{\ParamJ{r}}$. + \item Change $\UncommittedSapling$ to be a $u$-coordinate for which there is no point on the curve. } \end{itemize}
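Review bot: The first hunk (@@ -3487) removes the consensus condition $\cmOld{} \neq \UncommittedSapling$ from "Note commitment integrity" without saying why it is now redundant; the justification is the theorem labelled thmnohashtouncommittedsapling added further down, so add a short remark at this spot such as "this condition is implied by $\UncommittedSapling$ not being in the range of $\PedersenHash$" with a cross-reference to that theorem, otherwise a reader comparing spec versions sees a consensus rule disappear with no stated reason. The removal is only sound together with the new definition of $\UncommittedSapling$ in the second hunk, so the two changes must not be split across releases.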
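Review bot: In the second hunk (@@ -3751) the new definition $\UncommittedSapling := \ItoLEBSP{\MerkleHashLengthSapling}(1)$ changes a constant that every Sapling Merkle tree implementation hardcodes as the empty-leaf value, but no test vector accompanies it; add the concrete encoded value next to the definition (or in a test-vector section) so implementers cannot confuse "the integer 1 encoded by $\ItoLEBSP{\MerkleHashLengthSapling}$" with the previous all-ones value $\ones{\MerkleHashLengthSapling}$ or with some other encoding of 1.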
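Review bot: In the third hunk (@@ -4143) the proof of the theorem labelled thmnohashtouncommittedsapling asserts two facts without justification that the whole result rests on: that $1 - \ParamJ{d} \smult u^2 \neq 0$ at $u = 1$ (i.e. $\ParamJ{d} \neq 1$), and that $(1 - \ParamJ{a}) / (1 - \ParamJ{d})$ is a nonsquare in $\GF{\ParamJ{r}}$. State why $\ParamJ{d} \neq 1$ (it follows immediately if $\ParamJ{d}$ is a nonsquare, since 1 is a square) and say how the nonsquare claim was checked for the actual curve parameters, for example by computing the Legendre symbol of that value, ideally pointing at a script so the check is re-run if parameters ever change; since this theorem is what justifies removing the $\cmOld{} \neq \UncommittedSapling$ consensus check in the first hunk, an unverified "is a nonsquare" is a single point of failure for that rule. Minor: "right-hand-side" should read "right-hand side".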
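Review bot: The changelog item in the last hunk (@@ -7271) records only the new value of $\UncommittedSapling$ and omits that the consensus condition $\cmOld{} \neq \UncommittedSapling$ was removed from "Note commitment integrity", which is the part implementers of the Spend statement actually have to act on; extend the item to mention the removed condition and the new theorem that makes it redundant.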