mirror of https://github.com/zcash/zips.git
WIP toward changing the disclosure ciphertext to symmetric encryption.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
0e43170229
commit
6a2713ec02
Binary file not shown.
|
@ -87,7 +87,7 @@
|
|||
\newcommand{\coinsCiphertext}{\term{transmitted coins ciphertext}}
|
||||
\newcommand{\authKeypair}{\term{authorization}}
|
||||
\newcommand{\transmitKeypair}{\term{transmission}}
|
||||
\newcommand{\discloseKeypair}{\term{disclosure}}
|
||||
\newcommand{\discloseKey}{\term{disclosure key}}
|
||||
\newcommand{\keyPrivateAlgorithm}{\term{key-private encryption scheme}}
|
||||
\newcommand{\incrementalMerkleTree}{\term{incremental merkle tree}}
|
||||
\newcommand{\spentSerialsMap}{\term{spent serial numbers map}}
|
||||
|
@ -104,6 +104,7 @@
|
|||
\newcommand{\SpendingKeyLeadByte}{\mathbf{0x93}}
|
||||
\newcommand{\AuthPublic}{\mathsf{a_{pk}}}
|
||||
\newcommand{\AuthPrivate}{\mathsf{a_{sk}}}
|
||||
\newcommand{\DiscloseKey}{\mathsf{a_{vk}}}
|
||||
\newcommand{\AuthPublicOld}[1]{\mathsf{a^{old}_{pk,\mathnormal{#1}}}}
|
||||
\newcommand{\AuthPrivateOld}[1]{\mathsf{a^{old}_{sk,\mathnormal{#1}}}}
|
||||
\newcommand{\AuthPublicNew}[1]{\mathsf{a^{new}_{pk,\mathnormal{#1}}}}
|
||||
|
@ -112,19 +113,11 @@
|
|||
\newcommand{\enc}{\mathsf{enc}}
|
||||
\newcommand{\alleged}{\mathsf{alleged}}
|
||||
\newcommand{\disclose}{\mathsf{disclose}}
|
||||
\newcommand{\PublicKey}[1]{\mathsf{pk_\mathnormal{#1}}}
|
||||
\newcommand{\PrivateKey}[1]{\mathsf{sk_\mathnormal{#1}}}
|
||||
\newcommand{\EphemeralPublic}[1]{\mathsf{epk_\mathnormal{#1}}}
|
||||
\newcommand{\EphemeralPrivate}[1]{\mathsf{esk_\mathnormal{#1}}}
|
||||
\newcommand{\TransmitPublic}{\PublicKey{\enc}}
|
||||
\newcommand{\EphemeralPublic}{\mathsf{epk}}
|
||||
\newcommand{\EphemeralPrivate}{\mathsf{esk}}
|
||||
\newcommand{\TransmitPublic}{\mathsf{pk_{enc}}}
|
||||
\newcommand{\TransmitPublicNew}[1]{\mathsf{pk^{new}_{\enc,\mathnormal{#1}}}}
|
||||
\newcommand{\TransmitPrivate}{\PrivateKey{\enc}}
|
||||
\newcommand{\DisclosePublic}{\PublicKey{\disclose}}
|
||||
\newcommand{\DisclosePrivate}{\PrivateKey{\disclose}}
|
||||
\newcommand{\TransmitEphemeralPublic}{\EphemeralPublic{\enc}}
|
||||
\newcommand{\TransmitEphemeralPrivate}{\EphemeralPrivate{\enc}}
|
||||
\newcommand{\DiscloseEphemeralPublic}{\EphemeralPublic{\disclose}}
|
||||
\newcommand{\DiscloseEphemeralPrivate}{\EphemeralPrivate{\disclose}}
|
||||
\newcommand{\TransmitPrivate}{\mathsf{sk_{enc}}}
|
||||
\newcommand{\Value}{\mathsf{v}}
|
||||
|
||||
% Coins
|
||||
|
@ -190,9 +183,8 @@
|
|||
\newcommand{\scriptPubKey}{\mathtt{scriptPubKey}}
|
||||
\newcommand{\serials}{\mathtt{serials}}
|
||||
\newcommand{\commitments}{\mathtt{commitments}}
|
||||
\newcommand{\encEphemeral}{\mathtt{encEphemeral}}
|
||||
\newcommand{\ephemeralKey}{\mathtt{ephemeralKey}}
|
||||
\newcommand{\encCiphertexts}{\mathtt{encCiphertexts}}
|
||||
\newcommand{\discloseEphemeral}{\mathtt{discloseEphemeral}}
|
||||
\newcommand{\discloseCiphertext}{\mathtt{discloseCiphertext}}
|
||||
\newcommand{\rt}{\mathsf{rt}}
|
||||
|
||||
|
@ -342,8 +334,8 @@ ensuring that the functions are independent.
|
|||
\end{bytefield}
|
||||
\end{lrbox}
|
||||
|
||||
\nathan{Note: If we change input arity (i.e. $\NOld$), we need to be aware of how it
|
||||
is associated with this bit-packing.}
|
||||
\nathan{Note: If we change input or output arity (i.e. $\NOld$ or $\NNew$), we
|
||||
need to be aware of how it is associated with this bit-packing.}
|
||||
|
||||
\begin{equation*}
|
||||
\begin{aligned}
|
||||
|
@ -358,44 +350,27 @@ is associated with this bit-packing.}
|
|||
\daira{Should we instead define $\CoinAddressRand$ to be 254 bits and $\hSig$ to be
|
||||
253 bits?}
|
||||
|
||||
\subsection{Payment Addresses\changed{, Viewing Keys,} and Spending Keys}
|
||||
\subsection{Payment Addresses, Viewing Keys, and Spending Keys}
|
||||
|
||||
A \keyTuple $(\PaymentAddress, \changed{\ViewingKey,\;} \SpendingKey)$ is generated
|
||||
by users who wish to receive payments under this scheme. The parts of
|
||||
the \keyTuple are composed from \changed{three} distinct keypairs, called the
|
||||
\authKeypair, \transmitKeypair \changed{, and \discloseKeypair} keypairs.
|
||||
|
||||
\begin{itemize}
|
||||
\item The \paymentAddress $\PaymentAddress$ is a pair
|
||||
$(\AuthPublic, \TransmitPublic)$, containing the \emph{public}
|
||||
components of the \authKeypair and \transmitKeypair keypairs
|
||||
respectively.
|
||||
\changed{
|
||||
\item The \viewingKey $\ViewingKey$ is a pair
|
||||
$(\TransmitPrivate, \DisclosePrivate)$, containing the \emph{private}
|
||||
components of the \transmitKeypair and \discloseKeypair keypairs
|
||||
respectively.
|
||||
}
|
||||
\item The \spendingKey $\SpendingKey$ is a \changed{triple}
|
||||
$(\AuthPrivate, \TransmitPrivate\changed{, \DisclosePrivate})$,
|
||||
containing the \emph{private} components of the \authKeypair,
|
||||
\transmitKeypair\changed{, and \discloseKeypair} keypairs respectively.
|
||||
\end{itemize}
|
||||
A \keyTuple $(\SpendingKey, \changed{\ViewingKey, }\PaymentAddress)$ is
|
||||
generated by users who wish to receive payments under this scheme.
|
||||
\changed{The \viewingKey $\ViewingKey$ is derived from the \spendingKey
|
||||
$\SpendingKey$, and the \paymentAddress $\PaymentAddress$ is derived from
|
||||
the \viewingKey.}
|
||||
|
||||
The following diagram depicts the relations between key components.
|
||||
Arrows point from a private component to the corresponding public
|
||||
component derived from it.
|
||||
Arrows point from a component to any other component(s) that can be derived
|
||||
from it.
|
||||
|
||||
\begin{center}
|
||||
\includegraphics[scale=.5]{key_components}
|
||||
\includegraphics[scale=.8]{key_components}
|
||||
\end{center}
|
||||
|
||||
Note that a \spendingKey holder can derive
|
||||
$(\AuthPublic, \TransmitPublic\changed{, \DisclosePublic})$,
|
||||
\changed{and a \viewingKey holder can derive $(\TransmitPublic, \DisclosePublic)$,}
|
||||
Note that a \spendingKey holder can derive the other components\changed{,
|
||||
and a \viewingKey holder can derive $(\AuthPublic, \TransmitPublic)$,}
|
||||
even though these components are not formally part of the respective keys.
|
||||
Implementations \MAY cache these derived public components, provided that
|
||||
they are deleted if the corresponding private component is deleted.
|
||||
Implementations \MAY cache these derived components, provided that
|
||||
they are deleted if the corresponding source component is deleted.
|
||||
|
||||
The composition of \paymentAddresses\changed{, \viewingKeys,} and \spendingKeys
|
||||
is a cryptographic protocol detail that should not normally be
|
||||
|
@ -404,11 +379,13 @@ to:
|
|||
|
||||
\begin{itemize}
|
||||
\changed{
|
||||
\item obtain a \viewingKey from a \spendingKey; and
|
||||
\item obtain a \paymentAddress from a \viewingKey; and
|
||||
}
|
||||
\item obtain a \paymentAddress from a \spendingKey.
|
||||
\item obtain a \paymentAddress\changed{ or \viewingKey} from a \spendingKey.
|
||||
\end{itemize}
|
||||
|
||||
\todo{Describe derivations.}
|
||||
|
||||
Users can accept payment from multiple parties with a single
|
||||
$\PaymentAddress$ and the fact that these payments are destined to
|
||||
the same payee is not revealed on the blockchain, even to the
|
||||
|
@ -441,9 +418,10 @@ secrets. The recipient's possession of the associated
|
|||
$(\PaymentAddress, \SpendingKey)$ (which contains both $\AuthPublic$ and
|
||||
$\TransmitPrivate$) is used to reconstruct the original \coin \changed{ and \memo}.
|
||||
\changed{To also transmit these values to a \viewingKey holder for outgoing
|
||||
\PourTransfers, the \discloseKeypair public key $\DisclosePublic$ is used to
|
||||
encrypt the ephemeral secret and address public keys from the preceding
|
||||
encryptions.} The encryptions are combined to form a \coinsCiphertext.
|
||||
\PourTransfers, the \discloseKey $\DiscloseKey$ is used to symmetrically
|
||||
encrypt them, and also to encrypt the ephemeral secret and address public
|
||||
keys (to allow the \viewingKey holder to check whether the other encryptions
|
||||
are valid).} All of these encryptions are combined to form a \coinsCiphertext.
|
||||
|
||||
\changed{
|
||||
The encryption algorithm is defined in terms of $\CryptoBox$ (specifically,
|
||||
|
@ -455,8 +433,8 @@ $\CryptoBoxSpecific$) \cite{cryptobox} as follows.
|
|||
\setchanged
|
||||
\begin{bytefield}[bitwidth=0.05em]{520}
|
||||
\bitbox{120}{64 bit $\Tag{i}$} &
|
||||
\bitbox{256}{256 bit $\EphemeralPublic{}$}
|
||||
\bitbox{256}{256 bit $\PublicKey{i}$}
|
||||
\bitbox{256}{256 bit $\EphemeralPublic$}
|
||||
\bitbox{256}{256 bit $\TransmitPublic{i}$}
|
||||
\end{bytefield}
|
||||
\end{lrbox}
|
||||
|
||||
|
@ -477,19 +455,11 @@ $\CryptoBoxSpecific$) \cite{cryptobox} as follows.
|
|||
\end{bytefield}
|
||||
\end{lrbox}
|
||||
|
||||
\newsavebox{\tagdbox}
|
||||
\begin{lrbox}{\tagdbox}
|
||||
\setchanged
|
||||
\begin{bytefield}[bitwidth=0.09em]{64}
|
||||
\bitbox{64}{$1^{64}$}
|
||||
\end{bytefield}
|
||||
\end{lrbox}
|
||||
|
||||
\newsavebox{\disclosebox}
|
||||
\begin{lrbox}{\disclosebox}
|
||||
\setchanged
|
||||
\begin{bytefield}[bitwidth=0.04em]{1536}
|
||||
\bitbox{256}{256 bit $\TransmitEphemeralPrivate$}
|
||||
\begin{bytefield}[bitwidth=0.05em]{768}
|
||||
\bitbox{256}{256 bit $\EphemeralPrivate$}
|
||||
\bitbox{256}{256 bit $\TransmitPublicNew{\mathrm{1}}$}
|
||||
\bitbox{40}{...}
|
||||
\bitbox{256}{256 bit $\TransmitPublicNew{\NNew}$}
|
||||
|
@ -498,17 +468,16 @@ $\CryptoBoxSpecific$) \cite{cryptobox} as follows.
|
|||
|
||||
Let $\TransmitPublicNew{\mathrm{1}..\NNew}$ be the \changed{Curve25519} public keys
|
||||
for the intended recipient addresses of each new \coin,
|
||||
\changed{let $\PublicKey{\disclose}$ be the sender's \discloseKeypair public key,}
|
||||
\changed{let $\DiscloseKey$ be the sender's \discloseKey,}
|
||||
and let $\Plaintext{1..\NNew}$ be the \coinPlaintexts.
|
||||
|
||||
\changed{
|
||||
Define:
|
||||
\begin{equation*}
|
||||
\begin{aligned}
|
||||
\Prenonce(\Tag{i}, \EphemeralPublic, \PublicKey{i}) &:= \FullHashbox{\prenoncebox} \\
|
||||
\Nonce(\Tag{i}, \EphemeralPublic, \PublicKey{i}) &:= \Justthebox{\noncebox} \\
|
||||
\Prenonce(\Tag{i}, \EphemeralPublic, \TransmitPublic{i}) &:= \FullHashbox{\prenoncebox} \\
|
||||
\Nonce(\Tag{i}, \EphemeralPublic, \TransmitPublic{i}) &:= \Justthebox{\noncebox} \\
|
||||
\Tag{i} &:= \Justthebox{\tagibox} \\
|
||||
\Tag{\disclose} &:= \Justthebox{\tagdbox} \\
|
||||
\DisclosePlaintext &:= \Justthebox{\disclosebox}
|
||||
\end{aligned}
|
||||
\end{equation*}
|
||||
|
@ -518,21 +487,17 @@ Then to encrypt:
|
|||
|
||||
\begin{itemize}
|
||||
\changed{
|
||||
\item Generate two new independent Curve25519 (public, private) key pairs:
|
||||
$(\TransmitEphemeralPublic, \TransmitEphemeralPrivate)$ and
|
||||
$(\DiscloseEphemeralPublic, \DiscloseEphemeralPrivate)$.
|
||||
\item Generate a new Curve25519 (public, private) key pair:
|
||||
$(\EphemeralPublic, \EphemeralPrivate)$.
|
||||
\item For $i$ in $\{1..\NNew\}$, let $\TransmitCiphertext{i} =
|
||||
\CryptoBox(\Plaintext{i}, \PublicKey{i}, \EphemeralPrivate,
|
||||
\Nonce(\Tag{i}, \TransmitEphemeralPublic, \TransmitPublicNew{i}))$
|
||||
\item Let $\DiscloseCiphertext = \CryptoBox(\DisclosePlaintext,
|
||||
\DisclosePublic, \DiscloseEphemeralPrivate,
|
||||
\Nonce(\Tag{\disclose}, \DiscloseEphemeralPublic, \DisclosePublic))$
|
||||
\CryptoBox(\Plaintext{i}, \TransmitPublic{i}, \EphemeralPrivate,
|
||||
\Nonce(\Tag{i}, \EphemeralPublic, \TransmitPublicNew{i}))$
|
||||
\item Let $\DiscloseCiphertext = ???_{\DiscloseKey}(\DisclosePlaintext)$
|
||||
}
|
||||
\end{itemize}
|
||||
|
||||
The resulting \coinsCiphertext is $\changed{(\TransmitEphemeralPublic,}\;
|
||||
\TransmitCiphertext{\mathrm{1}..\NNew}\changed{, \DiscloseEphemeralPublic,
|
||||
\DiscloseCiphertext)}$.
|
||||
The resulting \coinsCiphertext is $\changed{(\TransmitPublic,}\;
|
||||
\TransmitCiphertext{\mathrm{1}..\NNew}\changed{, \DiscloseCiphertext)}$.
|
||||
|
||||
Let $(\TransmitPublic, \TransmitPrivate)$ be the recipient's \changed{Curve25519}
|
||||
(public, private) key pair. Then for each $i$ in $\{1..\NNew\}$, the recipient
|
||||
|
@ -541,31 +506,27 @@ will attempt to decrypt that ciphertext component as follows:
|
|||
\begin{itemize}
|
||||
\changed{
|
||||
\item $\AllegedPlaintext{i} := \CryptoBoxOpen(\TransmitCiphertext{i},
|
||||
\TransmitEphemeralPublic, \TransmitPrivate,
|
||||
\Nonce(\Tag{i}, \TransmitEphemeralPublic, \TransmitPublic))$
|
||||
\EphemeralPublic, \TransmitPrivate, \Nonce(\Tag{i}, \EphemeralPublic, \TransmitPublic))$
|
||||
\item \todo{validation}
|
||||
}
|
||||
\end{itemize}
|
||||
|
||||
\changed{
|
||||
Similarly, let $(\DisclosePublic, \DisclosePrivate)$ be a \viewingKey holder's
|
||||
Curve25519 (public, private) key pair. Then for each \PourDescription in its
|
||||
\blockchainview, the \viewingKey holder will attempt to decrypt the corresponding
|
||||
\coinsCiphertext as follows:
|
||||
Similarly, let $\DiscloseKey$ be a \viewingKey holder's \discloseKey.
|
||||
Then for each \PourDescription in its \blockchainview, the \viewingKey holder
|
||||
will attempt to decrypt the corresponding \coinsCiphertext as follows:
|
||||
}
|
||||
|
||||
\begin{itemize}
|
||||
\changed{
|
||||
\item Let $\DisclosePlaintext :=
|
||||
\CryptoBoxOpen(\DiscloseCiphertext, \DiscloseEphemeralPublic,
|
||||
\DisclosePrivate, \Nonce(\Tag{i}, \DiscloseEphemeralPublic, \DisclosePublic))$
|
||||
\item Extract $\TransmitEphemeralPrivate$ and $\TransmitPublicNew{\mathrm{1}..\NNew}$
|
||||
\item Let $\DisclosePlaintext := ???_{\DiscloseKey}(\DiscloseCiphertext)$
|
||||
\item Extract $\EphemeralPrivate$ and $\TransmitPublicNew{\mathrm{1}..\NNew}$
|
||||
from $\DisclosePlaintext$.
|
||||
\item For $i$ in $\{1..\NNew\}$,
|
||||
\begin{itemize}
|
||||
\item let $\AllegedPlaintext{i} :=
|
||||
\CryptoBoxOpen(\TransmitCiphertext{i}, \TransmitEphemeralPrivate,
|
||||
\TransmitPublicNew{i}, \Nonce(\Tag{i}, \TransmitEphemeralPublic, \TransmitPublicNew{i}))$
|
||||
\CryptoBoxOpen(\TransmitCiphertext{i}, \EphemeralPrivate,
|
||||
\TransmitPublicNew{i}, \Nonce(\Tag{i}, \EphemeralPublic, \TransmitPublicNew{i}))$
|
||||
\item \todo{validation}
|
||||
\end{itemize}
|
||||
}
|
||||
|
@ -586,9 +547,9 @@ This is based loosely on the $\CryptoBoxSeal$ algorithm defined in libsodium
|
|||
of the IK-CCA (key privacy) property.
|
||||
\item $\FullHash$ (the full hash, not the compression function) is used instead
|
||||
of $\mathsf{blake2b}$.
|
||||
\item The ephemeral secret $\TransmitEphemeralPrivate$ is included together with
|
||||
\item The ephemeral secret $\EphemeralPrivate$ is included together with
|
||||
the \transmitKeypair public keys of the recipients, encrypted to the
|
||||
\discloseKeypair public key. This allows a \viewingKey holder to decrypt
|
||||
\discloseKey. This allows a \viewingKey holder to decrypt
|
||||
and validate these ciphertexts (if the sender constructs the \PourDescription
|
||||
honestly). It also ensures (without assuming honesty of the sender) that if
|
||||
the \viewingKey holder can decrypt a given component, then the indicated
|
||||
|
@ -764,17 +725,15 @@ $\scriptSig$.
|
|||
$\cmNew{\mathrm{1}..\NNew}$.
|
||||
|
||||
\changed{
|
||||
\item $\encEphemeral$ which is a Curve25519 public key $\TransmitEphemeralPublic$.
|
||||
\item $\ephemeralKey$ which is a Curve25519 public key $\EphemeralPublic$.
|
||||
|
||||
\item $\encCiphertexts$ which is a $\NNew$ size sequence of ciphertext
|
||||
components, $\TransmitCiphertext{\mathrm{1}..\NNew}$.
|
||||
|
||||
\item $\discloseEphemeral$ which is a Curve25519 public key $\DiscloseEphemeralPublic$.
|
||||
|
||||
\item $\discloseCiphertext$ which is the ciphertext component
|
||||
$\DiscloseCiphertext$.
|
||||
|
||||
(The preceding four fields together form the \coinsCiphertext.)
|
||||
(The preceding three fields together form the \coinsCiphertext.)
|
||||
}
|
||||
|
||||
\item $\vmacs$ which is a $\NOld$ size sequence of message authentication tags
|
||||
|
@ -999,7 +958,7 @@ Transmitted coins are stored on the blockchain in encrypted form, together with
|
|||
a \coinCommitment $\cm$.
|
||||
|
||||
The \coinPlaintexts associated with a \PourDescription are encrypted to the
|
||||
respective \transmitKeypair keys $\PublicKey{\mathrm{1}..\NNew}$,
|
||||
respective \transmitKeypair keys $\TransmitPublicNew{\mathrm{1}..\NNew}$,
|
||||
and the result forms a \coinsCiphertext.
|
||||
|
||||
Each \coinPlaintext consists of $(\changed{\AuthPublic, }\Value, \CoinAddressRand,
|
||||
|
|
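Review bot: The new step `\item Let $\DiscloseCiphertext = ???_{\DiscloseKey}(\DisclosePlaintext)$` in the hunk at `@ -518,21 +487,17` (and its inverse `\DisclosePlaintext := ???_{\DiscloseKey}(\DiscloseCiphertext)` in the following hunk) replaces a $\CryptoBox$ whose opening fails on a ciphertext not made for that key, but the placeholder carries neither a nonce nor an authentication requirement, and the step after it is still `\todo{validation}`. Because $\DiscloseKey$ is a long-lived key and the \viewingKey holder trial-decrypts every \PourDescription in its \blockchainview, the replacement needs a nonce that is unique per encryption under that reused key and must be authenticated, so that a ciphertext not produced under $\DiscloseKey$ is rejected rather than yielding an arbitrary $\EphemeralPrivate$ that is then passed to $\CryptoBoxOpen$. Until a scheme is chosen, recording the requirement beside the placeholder, e.g. `\daira{The symmetric scheme must be authenticated and use a nonce unique per \PourDescription; a \viewingKey holder must reject on authentication failure before using $\EphemeralPrivate$.}`, would keep the WIP from being read as complete. The prose added in the hunk at `@ -441,9 +418,10` (`the \discloseKey $\DiscloseKey$ is used to symmetrically encrypt them`) also disagrees with the algorithm, where the \coinPlaintexts are still encrypted with $\CryptoBox$ under $\EphemeralPrivate$ and only $\DisclosePlaintext$ is encrypted symmetrically.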