From 8356e7b3b07dedb7866e60435236067b0695e99f Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Tue, 30 Jan 2018 00:42:35 +0000 Subject: [PATCH] Specify more precisely the requirements on Ed25519 public keys and signatures. Signed-off-by: Daira Hopwood --- protocol/protocol.tex | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 5f7cec40..8af7a0c9 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -3099,10 +3099,18 @@ block. $\JoinSplitSig$ is specified in \crossref{abstractsig}. \changed{It is instantiated as $\JoinSplitSigSpecific$ \cite{BDL+2012}, -with the additional requirement that $\EdDSAs$ (the integer represented -by $\EdDSAS$) must be less than the prime -$\ell = 2^{252} + 27742317777372353535851937790883648493$, -otherwise the signature is considered invalid. +with the additional requirements that: + +\begin{itemize} + \item $\EdDSAS$ \MUST represent an integer less than + the prime $\ell = 2^{252} + 27742317777372353535851937790883648493$; + \item $\EdDSAR$ \MUST represent a point of order $\ell$ on the Ed25519 curve; +\end{itemize} + +If these requirements are not met then the signature is considered invalid. +Note that it is \emph{not} required that the encoding of the y-coordinate +in $\EdDSAR$ is less than $2^{255}-19$. + $\JoinSplitSigSpecific$ is defined as using $\JoinSplitSigHashName$ internally. } @@ -5282,6 +5290,8 @@ The errors in the proof of Ledger Indistinguishability mentioned in \subparagraph{2018.0-beta-5} \begin{itemize} + \item Specify more precisely the requirements on $\JoinSplitSigSpecific$ + public keys and signatures. \sapling{ \item{\Sapling work in progress.} } @@ -5647,7 +5657,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in \printbibliography \endgroup -%\notsprout{ +\notsprout{ \introsection \vspace{20ex} 
@@ -6102,6 +6112,6 @@ cryptanalytic attention to confidently use them for \Sapling. \nsubsection{The SaplingOutput circuit} \label{cctsaplingoutput} -%} %notsprout +} %notsprout \end{document}
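Review bot: in the protocol.tex hunk at 3099, the requirement that $\EdDSAR$ "represent a point of order $\ell$" is stricter than a plain non-small-order check, and the text should say whether that is intended. A point of order exactly $\ell$ excludes not only the identity and the other small-order points but also points whose order is a multiple of $\ell$ larger than $\ell$ (a prime-order point plus a small-order component); a verifier that only rejects small-order $R$ would accept those and diverge from this text, while a verifier that follows the text as written has to establish $\ell \cdot \EdDSAR = \mathcal{O}$ (an extra scalar multiplication per signature) or an equivalent check. Consensus-critical text needs to pick one explicitly, e.g. "\item $\EdDSAR$ \MUST represent a point of order $\ell$ on the Ed25519 curve (i.e. $\ell \cdot \EdDSAR$ is the identity and $\EdDSAR$ is not the identity);". Two smaller points on the same hunk: the sentence "Note that it is \emph{not} required that the encoding of the y-coordinate in $\EdDSAR$ is less than $2^{255}-19$" admits non-canonical encodings but does not say how such an encoding is decoded (whether the y value is reduced modulo $2^{255}-19$ before use), and since a decoding rule is exactly what implementations will disagree on, it should be stated here rather than left implicit; and the removed text was the only visible definition of $\EdDSAs$ (the integer represented by $\EdDSAS$), so confirm no remaining use of $\EdDSAs$ elsewhere in protocol.tex before dropping it. Minor style: the last \item ends with a semicolon immediately before \end{itemize} and a fresh sentence; a full stop reads better there.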
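Review bot: the changelog entry added at 5290 ("Specify more precisely the requirements on $\JoinSplitSigSpecific$ public keys and signatures") promises more than the spec text delivers: the hunk at 3099 only constrains the signature components $\EdDSAS$ and $\EdDSAR$ and adds no requirement on the public key (for example whether it must be a point of order $\ell$, or whether its encoding must be canonical, the same questions the hunk answers for $\EdDSAR$). Either add the corresponding public-key item to the itemize at 3099 or narrow this entry (and the commit subject, which makes the same claim) to "signatures".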
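Review bot: the hunks at 5657 and 6112 uncomment \notsprout{ and its matching } %notsprout, which puts the material wrapped between them (including \nsubsection{The SaplingOutput circuit}) back into the built document. That is unrelated to the Ed25519 requirement change in the commit subject and is not mentioned in the changelog entry added at 5290, so it is easy to miss when the commit is later bisected or cherry-picked. Either split it into its own commit or add a line to the commit message saying the \notsprout section is now enabled. The open and close are at least both toggled in the same patch, so the braces stay balanced.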