mirror of https://github.com/zcash/zips.git
Change Uncommitted^Sapling to be a u-coordinate for which there is no point on the curve.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
f55ad120ff
commit
618e6ebf37
|
@ -3487,7 +3487,7 @@ such that the following conditions hold:
|
|||
|
||||
\subparagraph{Note commitment integrity} \label{saplingnotecommitmentintegrity}
|
||||
|
||||
$\cmOld{} \neq \UncommittedSapling$, and $\pack(\cmOld{}) = \NoteCommitmentSapling(\nOld{})$.
|
||||
$\pack(\cmOld{}) = \NoteCommitmentSapling(\nOld{})$.
|
||||
|
||||
\subparagraph{Merkle path validity} \label{saplingmerklepathvalidity}
|
||||
|
||||
|
@ -3751,7 +3751,7 @@ Define:
|
|||
\item $\changed{\NoteAddressPreRandLength \typecolon \Nat := 252}$
|
||||
\item $\UncommittedSprout \typecolon \bitseq{\MerkleHashLengthSprout} := \zeros{\MerkleHashLengthSprout}$
|
||||
\sapling{
|
||||
\item $\UncommittedSapling \typecolon \bitseq{\MerkleHashLengthSapling} := \ones{\MerkleHashLengthSapling}$
|
||||
\item $\UncommittedSapling \typecolon \bitseq{\MerkleHashLengthSapling} := \ItoLEBSP{\MerkleHashLengthSapling}(1)$
|
||||
} %sapling
|
||||
\item $\MAXMONEY \typecolon \Nat := \changed{2.1 \smult 10^{15}}$ (\zatoshi)
|
||||
\item $\SlowStartInterval \typecolon \Nat := 20000$
|
||||
|
@ -4143,6 +4143,25 @@ zero, the proof can be adapted straightforwardly to show that $\PedersenHashToPo
|
|||
is collision-resistant under the same assumptions and security bounds.
|
||||
Because $\ItoLEBSP{\MerkleHashLengthSapling}$ and $\ExtractJ$ are injective,
|
||||
it follows that $\PedersenHash$ is equally collision-resistant.
|
||||
|
||||
\vspace{2ex}
|
||||
\begin{theorem} \label{thmnohashtouncommittedsapling}
|
||||
$\UncommittedSapling = \ItoLEBSP{\MerkleHashLengthSapling}(1)$ is not in the range of $\PedersenHash$.
|
||||
\end{theorem}
|
||||
|
||||
\begin{proof}
|
||||
By the definition of $\PedersenHash$, $\ItoLEBSP{\MerkleHashLengthSapling}(1)$ can be in the
|
||||
range of $\PedersenHash$ only if there exist $D \typecolon \byteseq{8}$ and $M \typecolon \bitseq{\PosInt}$
|
||||
such that $\ExtractJ(\PedersenHashToPoint(D, M)) = 1$.
|
||||
The latter can only be the affine-Edwards $u$-coordinate of a point in $\GroupJ$.
|
||||
We show that there are no points in $\GroupJ$ with affine-Edwards $u$-coordinate $1$.
|
||||
Suppose for a contradiction that $(u, \varv) \in \GroupJ$ for $u = 1$ and some
|
||||
$\varv \typecolon \GF{\ParamJ{r}}$. By writing the curve equation as
|
||||
$\varv^2 = (1 - \ParamJ{a} \smult u^2) / (1 - \ParamJ{d} \smult u^2)$, and noting that
|
||||
$1 - \ParamJ{d} \smult u^2 \neq 0$, we have $\varv^2 = (1 - \ParamJ{a}) / (1 - \ParamJ{d})$.
|
||||
The right-hand-side is a nonsquare in $\GF{\ParamJ{r}}$, so there are no solutions for $\varv$
|
||||
(contradiction).
|
||||
\end{proof}
|
||||
} %sapling
|
||||
|
||||
|
||||
|
@ -7271,6 +7290,7 @@ Daira Hopwood, Sean Bowe, and Jack Grigg.
|
|||
$\SpendingKey$ to ensure they are on the full range of $\GF{\ParamJ{r}}$.
|
||||
\item Change $\PRFnr{}$ to produce output computationally indistinguishable from uniform on
|
||||
$\GF{\ParamJ{r}}$.
|
||||
\item Change $\UncommittedSapling$ to be a $u$-coordinate for which there is no point on the curve.
|
||||
}
|
||||
\end{itemize}
|
||||
|
||||
|
|
Loading…
Reference in New Issue