mirror of https://github.com/zcash/zips.git
Cosmetics.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
dcc5532d61
commit
6c32c7c7ea
|
@ -5978,6 +5978,7 @@ $\MerkleNode{\MerkleDepth{}}{i}$ is in a tree with a given \merkleRoot $\rt{} =
|
||||||
} %sapling
|
} %sapling
|
||||||
|
|
||||||
|
|
||||||
|
\introsection
|
||||||
\lsubsection{SIGHASH Transaction Hashing}{sighash}
|
\lsubsection{SIGHASH Transaction Hashing}{sighash}
|
||||||
|
|
||||||
\Bitcoin and \Zcash use signatures and/or non-interactive proofs associated
|
\Bitcoin and \Zcash use signatures and/or non-interactive proofs associated
|
||||||
|
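Review bot: the commit message "Cosmetics." does not say why `\introsection` is inserted immediately before `\lsubsection{SIGHASH Transaction Hashing}{sighash}`; a one-line rationale (for example, that the subsection starts a new introductory block that should not be page-broken from its heading) would help future readers of `git blame`. The hunk adds no content lines, only the `\introsection` macro after `} %sapling`, so no normative text of the specification changes here.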
@ -6063,6 +6064,7 @@ undefined bits of a \sighashType encoding were ignored.)}
|
||||||
} %nufive
|
} %nufive
|
||||||
|
|
||||||
|
|
||||||
|
\introsection
|
||||||
\lsubsection{Non-malleability (\SproutText)}{sproutnonmalleability}
|
\lsubsection{Non-malleability (\SproutText)}{sproutnonmalleability}
|
||||||
|
|
||||||
Let $\dataToBeSigned$ be the hash of the \transaction{}, not associated with an input,
|
Let $\dataToBeSigned$ be the hash of the \transaction{}, not associated with an input,
|
||||||
|
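Review bot: same pattern as the sighash hunk: `\introsection` is added between `} %nufive` and `\lsubsection{Non-malleability (\SproutText)}{sproutnonmalleability}`. Since the `} %nufive` context means this heading sits inside a conditionally included NU5 block, please confirm that `\introsection` also renders correctly in builds where the preceding `\nufive{...}` text is omitted, so the heading does not pick up stray vertical space in the non-NU5 versions of the document.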
@ -14108,6 +14110,7 @@ A side benefit is that this reduces the cost of computing the
|
||||||
evaluations needed to compute each \noteCommitment from three to two,
|
evaluations needed to compute each \noteCommitment from three to two,
|
||||||
saving a total of four \shaCompress evaluations in the \joinSplitStatement.
|
saving a total of four \shaCompress evaluations in the \joinSplitStatement.
|
||||||
|
|
||||||
|
\vspace{-1ex}
|
||||||
\sproutspecificpnote{
|
\sproutspecificpnote{
|
||||||
The full \shaHash algorithm is used for $\NoteCommitAlg{Sprout}$, with randomness
|
The full \shaHash algorithm is used for $\NoteCommitAlg{Sprout}$, with randomness
|
||||||
appended after the commitment input. The commitment input can be split into two
|
appended after the commitment input. The commitment input can be split into two
|
||||||
|
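Review bot: the `\vspace{-1ex}` inserted before `\sproutspecificpnote{` is a call-site layout tweak; if the note macro consistently leaves too much space above itself, the adjustment belongs in the definition of `\sproutspecificpnote` rather than in front of individual uses, otherwise every other call site will need the same line and the amount is easy to get out of sync. The surrounding lines (`saving a total of four \shaCompress evaluations in the \joinSplitStatement.` and `The full \shaHash algorithm is used for $\NoteCommitAlg{Sprout}$, with randomness`) are unchanged, so this is purely presentational.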
@ -14128,6 +14131,7 @@ about the Merkle--Damgård structure \cite{Damgard1989} of \shaHash causing any
|
||||||
security problem for $\NoteCommitAlg{Sprout}$.
|
security problem for $\NoteCommitAlg{Sprout}$.
|
||||||
} %sproutspecificpnote
|
} %sproutspecificpnote
|
||||||
|
|
||||||
|
\vspace{-1ex}
|
||||||
\sproutspecificpnote{
|
\sproutspecificpnote{
|
||||||
\Sprout \noteCommitments are not statistically \hiding, so for \Sprout notes,
|
\Sprout \noteCommitments are not statistically \hiding, so for \Sprout notes,
|
||||||
\Zcash does not support the ``everlasting anonymity'' property described in
|
\Zcash does not support the ``everlasting anonymity'' property described in
|
||||||
|
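Review bot: labelling the closing brace as `} %sproutspecificpnote` is a good readability fix for a file of this size; the second `\vspace{-1ex}` before the next `\sproutspecificpnote{` repeats the call-site spacing adjustment from the previous hunk, which again suggests folding that spacing into the macro. The text of the note itself (`\Sprout \noteCommitments are not statistically \hiding, ...`) is untouched.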
@ -14136,8 +14140,9 @@ While it is possible to define a statistically \hiding, computationally \binding
|
||||||
\commitmentScheme for this use at a 128-bit security level, the overhead of
|
\commitmentScheme for this use at a 128-bit security level, the overhead of
|
||||||
doing so within the \joinSplitStatement was not considered to justify the
|
doing so within the \joinSplitStatement was not considered to justify the
|
||||||
benefits.
|
benefits.
|
||||||
}
|
} %sproutspecificpnote
|
||||||
|
|
||||||
|
\vspace{1ex}
|
||||||
\saplingonward{
|
\saplingonward{
|
||||||
In \Sapling, \xPedersenOrSinsemillaCommitments are used instead of \shaCompress.
|
In \Sapling, \xPedersenOrSinsemillaCommitments are used instead of \shaCompress.
|
||||||
These commitments are statistically \hiding, and so ``everlasting anonymity''
|
These commitments are statistically \hiding, and so ``everlasting anonymity''
|
||||||
|
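Review bot: this hunk changes the closer from `}` to `} %sproutspecificpnote` and adds `\vspace{1ex}` before `\saplingonward{`, i.e. a positive adjustment here versus `-1ex` before the two `\sproutspecificpnote{` blocks above; please document (in the commit message or a `%` comment) why the spacing differs between the Sprout-specific notes and the Sapling-onward block, so the next cosmetic pass does not "normalise" them to the same value. The note content from `\commitmentScheme for this use at a 128-bit security level` through `These commitments are statistically \hiding, and so ``everlasting anonymity''` is unchanged.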
@ -14145,7 +14150,7 @@ is supported for \SaplingAndOrchard notes under the same conditions as in \Zeroc
|
||||||
(by the protocol, not necessarily by \zcashd). Note that
|
(by the protocol, not necessarily by \zcashd). Note that
|
||||||
\diversifiedPaymentAddresses can be linked if the \xDecisionalDiffieHellmanProblem
|
\diversifiedPaymentAddresses can be linked if the \xDecisionalDiffieHellmanProblem
|
||||||
on the \jubjubCurve\nufive{ or the \pallasCurve} can be broken.
|
on the \jubjubCurve\nufive{ or the \pallasCurve} can be broken.
|
||||||
}
|
} %saplingonward
|
||||||
|
|
||||||
\lsubsection{Changes to PRF inputs and truncation}{truncation}
|
\lsubsection{Changes to PRF inputs and truncation}{truncation}
|
||||||
|
|
||||||
|
|
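Review bot: the `}` to `} %saplingonward` change correctly pairs the closer with the opening `\saplingonward{` from the previous hunk; since this commit is establishing the labelled-closer convention for these conditional blocks, consider applying it to any remaining unlabelled `}` closers of `\saplingonward{`, `\sproutspecificpnote{` and `\nufive{` in the same section in the same commit, so the convention is uniform before `\lsubsection{Changes to PRF inputs and truncation}{truncation}`. No normative text changes in this hunk.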