mirror of https://github.com/zcash/zips.git
Cosmetics.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent dcc5532d61
commit 6c32c7c7ea
@ -5978,6 +5978,7 @@ $\MerkleNode{\MerkleDepth{}}{i}$ is in a tree with a given \merkleRoot $\rt{} =
|
|||
} %sapling
|
||||
|
||||
|
||||
\introsection
|
||||
\lsubsection{SIGHASH Transaction Hashing}{sighash}
|
||||
|
||||
\Bitcoin and \Zcash use signatures and/or non-interactive proofs associated
|
||||
|
@ -6063,6 +6064,7 @@ undefined bits of a \sighashType encoding were ignored.)}
|
|||
} %nufive
|
||||
|
||||
|
||||
\introsection
|
||||
\lsubsection{Non-malleability (\SproutText)}{sproutnonmalleability}
|
||||
|
||||
Let $\dataToBeSigned$ be the hash of the \transaction{}, not associated with an input,
|
||||
|
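Review bot: the gap before `\introsection` is two blank lines in both this hunk (after `} %nufive`) and the one at 5978 (after `} %sapling`), while a single blank line separates `\lsubsection{...}` from its first paragraph in each; that is a consistent convention within these two hunks, but since this is a cosmetic pass it is worth confirming the two-line gap before `\introsection` is what the rest of the file uses, so that the pass does not leave one more spacing variant behind.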
@ -14108,6 +14110,7 @@ A side benefit is that this reduces the cost of computing the
|
|||
evaluations needed to compute each \noteCommitment from three to two,
|
||||
saving a total of four \shaCompress evaluations in the \joinSplitStatement.
|
||||
|
||||
\vspace{-1ex}
|
||||
\sproutspecificpnote{
|
||||
The full \shaHash algorithm is used for $\NoteCommitAlg{Sprout}$, with randomness
|
||||
appended after the commitment input. The commitment input can be split into two
|
||||
|
@ -14128,6 +14131,7 @@ about the Merkle--Damgård structure \cite{Damgard1989} of \shaHash causing any
|
|||
security problem for $\NoteCommitAlg{Sprout}$.
|
||||
} %sproutspecificpnote
|
||||
|
||||
\vspace{-1ex}
|
||||
\sproutspecificpnote{
|
||||
\Sprout \noteCommitments are not statistically \hiding, so for \Sprout notes,
|
||||
\Zcash does not support the ``everlasting anonymity'' property described in
|
||||
|
@ -14136,8 +14140,9 @@ While it is possible to define a statistically \hiding, computationally \binding
|
|||
\commitmentScheme for this use at a 128-bit security level, the overhead of
|
||||
doing so within the \joinSplitStatement was not considered to justify the
|
||||
benefits.
|
||||
}
|
||||
} %sproutspecificpnote
|
||||
|
||||
\vspace{1ex}
|
||||
\saplingonward{
|
||||
In \Sapling, \xPedersenOrSinsemillaCommitments are used instead of \shaCompress.
|
||||
These commitments are statistically \hiding, and so ``everlasting anonymity''
|
||||
|
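Review bot: the spacing adjustments are hand-placed at each call site (`\vspace{-1ex}` before `\sproutspecificpnote{` in the hunks at 14108 and 14128, `\vspace{1ex}` before `\saplingonward{` here); if the note macros are always meant to sit tighter or looser than the surrounding text, moving the adjustment into the macro definitions would keep every call site consistent and avoid the next cosmetic pass having to fix stragglers. Also worth a quick check that the opposite signs (negative before the Sprout notes, positive before the Sapling block) are intentional rather than a copy of the earlier lines.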
@ -14145,7 +14150,7 @@ is supported for \SaplingAndOrchard notes under the same conditions as in \Zeroc
|
|||
(by the protocol, not necessarily by \zcashd). Note that
|
||||
\diversifiedPaymentAddresses can be linked if the \xDecisionalDiffieHellmanProblem
|
||||
on the \jubjubCurve\nufive{ or the \pallasCurve} can be broken.
|
||||
}
|
||||
} %saplingonward
|
||||
|
||||
\lsubsection{Changes to PRF inputs and truncation}{truncation}
|
||||
|
||||
|
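Review bot: the end-of-group comment `} %saplingonward` is the only visible change in this hunk, and the matching `\saplingonward{` sits in the previous hunk (at 14136), so the pairing cannot be verified from this hunk alone; the only brace group between them that is visible, `\nufive{ or the \pallasCurve}`, opens and closes on one line, so the label does look right, but with a single unchanged line between the two hunks it would be easier to review if they were shown merged.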