Specify more precisely the requirements on Ed25519 public keys and signatures.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
488195b804
commit
8356e7b3b0
@ -3099,10 +3099,18 @@ block.
|
||||||
$\JoinSplitSig$ is specified in \crossref{abstractsig}.
|
$\JoinSplitSig$ is specified in \crossref{abstractsig}.
|
||||||
|
|
||||||
\changed{It is instantiated as $\JoinSplitSigSpecific$ \cite{BDL+2012},
|
\changed{It is instantiated as $\JoinSplitSigSpecific$ \cite{BDL+2012},
|
||||||
with the additional requirement that $\EdDSAs$ (the integer represented
|
with the additional requirements that:
|
||||||
by $\EdDSAS$) must be less than the prime
|
|
||||||
$\ell = 2^{252} + 27742317777372353535851937790883648493$,
|
\begin{itemize}
|
||||||
otherwise the signature is considered invalid.
|
\item $\EdDSAS$ \MUST represent an integer less than
|
||||||
|
the prime $\ell = 2^{252} + 27742317777372353535851937790883648493$;
|
||||||
|
\item $\EdDSAR$ \MUST represent a point of order $\ell$ on the Ed25519 curve;
|
||||||
|
\end{itemize}
|
||||||
|
|
||||||
|
If these requirements are not met then the signature is considered invalid.
|
||||||
|
Note that it is \emph{not} required that the encoding of the y-coordinate
|
||||||
|
in $\EdDSAR$ is less than $2^{255}-19$.
|
||||||
|
|
||||||
$\JoinSplitSigSpecific$ is defined as using $\JoinSplitSigHashName$ internally.
|
$\JoinSplitSigSpecific$ is defined as using $\JoinSplitSigHashName$ internally.
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -5282,6 +5290,8 @@ The errors in the proof of Ledger Indistinguishability mentioned in
|
||||||
\subparagraph{2018.0-beta-5}
|
\subparagraph{2018.0-beta-5}
|
||||||
|
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
|
\item Specify more precisely the requirements on $\JoinSplitSigSpecific$
|
||||||
|
public keys and signatures.
|
||||||
\sapling{
|
\sapling{
|
||||||
\item{\Sapling work in progress.}
|
\item{\Sapling work in progress.}
|
||||||
}
|
}
|
||||||
|
@ -5647,7 +5657,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in
|
||||||
\printbibliography
|
\printbibliography
|
||||||
\endgroup
|
\endgroup
|
||||||
|
|
||||||
%\notsprout{
|
\notsprout{
|
||||||
|
|
||||||
\introsection
|
\introsection
|
||||||
\vspace{20ex}
|
\vspace{20ex}
|
||||||
|
@ -6102,6 +6112,6 @@ cryptanalytic attention to confidently use them for \Sapling.
|
||||||
|
|
||||||
\nsubsection{The SaplingOutput circuit} \label{cctsaplingoutput}
|
\nsubsection{The SaplingOutput circuit} \label{cctsaplingoutput}
|
||||||
|
|
||||||
%} %notsprout
|
} %notsprout
|
||||||
|
|
||||||
\end{document}
|
\end{document}
|
||||||
|
|
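Review bot: The new itemize in the first hunk constrains only $\EdDSAS$ (integer less than $\ell$) and $\EdDSAR$ (point of order $\ell$), yet the commit title and the new 2018.0-beta-5 changelog item in the second hunk both say the requirements cover "public keys and signatures"; no requirement on the public-key encoding appears in the hunk, so either a third item for the public key (a point-of-order-$\ell$ condition parallel to the $\EdDSAR$ one, using whatever macro the document already defines for it) is missing, or the title and changelog overstate the change. The note "it is \emph{not} required that the encoding of the y-coordinate in $\EdDSAR$ is less than $2^{255}-19$" presumably would then need the same clarification for the public key, since a verifier that checks one but not the other would accept a different set of signatures than one that checks both. Separately, the third and fourth hunks turn `%\notsprout{` into `\notsprout{` and `%} %notsprout` into `} %notsprout`, which enables the Sapling sections of the document; that is unrelated to the stated subject of the commit and is not mentioned in the changelog item.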