Change Uncommitted^Sapling to be a u-coordinate for which there is no point on the curve.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent
f55ad120ff
commit
618e6ebf37
|
@ -3487,7 +3487,7 @@ such that the following conditions hold:
|
||||||
|
|
||||||
\subparagraph{Note commitment integrity} \label{saplingnotecommitmentintegrity}
|
\subparagraph{Note commitment integrity} \label{saplingnotecommitmentintegrity}
|
||||||
|
|
||||||
$\cmOld{} \neq \UncommittedSapling$, and $\pack(\cmOld{}) = \NoteCommitmentSapling(\nOld{})$.
|
$\pack(\cmOld{}) = \NoteCommitmentSapling(\nOld{})$.
|
||||||
|
|
||||||
\subparagraph{Merkle path validity} \label{saplingmerklepathvalidity}
|
\subparagraph{Merkle path validity} \label{saplingmerklepathvalidity}
|
||||||
|
|
||||||
|
@ -3751,7 +3751,7 @@ Define:
|
||||||
\item $\changed{\NoteAddressPreRandLength \typecolon \Nat := 252}$
|
\item $\changed{\NoteAddressPreRandLength \typecolon \Nat := 252}$
|
||||||
\item $\UncommittedSprout \typecolon \bitseq{\MerkleHashLengthSprout} := \zeros{\MerkleHashLengthSprout}$
|
\item $\UncommittedSprout \typecolon \bitseq{\MerkleHashLengthSprout} := \zeros{\MerkleHashLengthSprout}$
|
||||||
\sapling{
|
\sapling{
|
||||||
\item $\UncommittedSapling \typecolon \bitseq{\MerkleHashLengthSapling} := \ones{\MerkleHashLengthSapling}$
|
\item $\UncommittedSapling \typecolon \bitseq{\MerkleHashLengthSapling} := \ItoLEBSP{\MerkleHashLengthSapling}(1)$
|
||||||
} %sapling
|
} %sapling
|
||||||
\item $\MAXMONEY \typecolon \Nat := \changed{2.1 \smult 10^{15}}$ (\zatoshi)
|
\item $\MAXMONEY \typecolon \Nat := \changed{2.1 \smult 10^{15}}$ (\zatoshi)
|
||||||
\item $\SlowStartInterval \typecolon \Nat := 20000$
|
\item $\SlowStartInterval \typecolon \Nat := 20000$
|
||||||
|
@ -4143,6 +4143,25 @@ zero, the proof can be adapted straightforwardly to show that $\PedersenHashToPo
|
||||||
is collision-resistant under the same assumptions and security bounds.
|
is collision-resistant under the same assumptions and security bounds.
|
||||||
Because $\ItoLEBSP{\MerkleHashLengthSapling}$ and $\ExtractJ$ are injective,
|
Because $\ItoLEBSP{\MerkleHashLengthSapling}$ and $\ExtractJ$ are injective,
|
||||||
it follows that $\PedersenHash$ is equally collision-resistant.
|
it follows that $\PedersenHash$ is equally collision-resistant.
|
||||||
|
|
||||||
|
\vspace{2ex}
|
||||||
|
\begin{theorem} \label{thmnohashtouncommittedsapling}
|
||||||
|
$\UncommittedSapling = \ItoLEBSP{\MerkleHashLengthSapling}(1)$ is not in the range of $\PedersenHash$.
|
||||||
|
\end{theorem}
|
||||||
|
|
||||||
|
\begin{proof}
|
||||||
|
By the definition of $\PedersenHash$, $\ItoLEBSP{\MerkleHashLengthSapling}(1)$ can be in the
|
||||||
|
range of $\PedersenHash$ only if there exist $D \typecolon \byteseq{8}$ and $M \typecolon \bitseq{\PosInt}$
|
||||||
|
such that $\ExtractJ(\PedersenHashToPoint(D, M)) = 1$.
|
||||||
|
The latter can only be the affine-Edwards $u$-coordinate of a point in $\GroupJ$.
|
||||||
|
We show that there are no points in $\GroupJ$ with affine-Edwards $u$-coordinate $1$.
|
||||||
|
Suppose for a contradiction that $(u, \varv) \in \GroupJ$ for $u = 1$ and some
|
||||||
|
$\varv \typecolon \GF{\ParamJ{r}}$. By writing the curve equation as
|
||||||
|
$\varv^2 = (1 - \ParamJ{a} \smult u^2) / (1 - \ParamJ{d} \smult u^2)$, and noting that
|
||||||
|
$1 - \ParamJ{d} \smult u^2 \neq 0$, we have $\varv^2 = (1 - \ParamJ{a}) / (1 - \ParamJ{d})$.
|
||||||
|
The right-hand-side is a nonsquare in $\GF{\ParamJ{r}}$, so there are no solutions for $\varv$
|
||||||
|
(contradiction).
|
||||||
|
\end{proof}
|
||||||
} %sapling
|
} %sapling
|
||||||
|
|
||||||
|
|
||||||
|
@ -7271,6 +7290,7 @@ Daira Hopwood, Sean Bowe, and Jack Grigg.
|
||||||
$\SpendingKey$ to ensure they are on the full range of $\GF{\ParamJ{r}}$.
|
$\SpendingKey$ to ensure they are on the full range of $\GF{\ParamJ{r}}$.
|
||||||
\item Change $\PRFnr{}$ to produce output computationally indistinguishable from uniform on
|
\item Change $\PRFnr{}$ to produce output computationally indistinguishable from uniform on
|
||||||
$\GF{\ParamJ{r}}$.
|
$\GF{\ParamJ{r}}$.
|
||||||
|
\item Change $\UncommittedSapling$ to be a $u$-coordinate for which there is no point on the curve.
|
||||||
}
|
}
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
|
|