From 849d9435ae477404766a64c15598cdc1f70d75f2 Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Thu, 6 Feb 2020 23:02:40 +0000 Subject: [PATCH] Use the term monomorphism for an injective homomorphism, in the context of a "signature scheme with key monomorphism". Signed-off-by: Daira Hopwood --- protocol/protocol.tex | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 8a9f82e0..3e21cc35 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -1028,7 +1028,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\signatureSchemes}{\terms{signature scheme}} \newcommand{\oneTimeSignatureScheme}{\termandindex{one-time signature scheme}{one-time (signature scheme)}} \newcommand{\rerandomizableSignatureScheme}{\termandindex{signature scheme with re\hyp randomizable keys}{signature scheme with re-randomizable keys}} -\newcommand{\keyHomomorphicSignatureScheme}{\term{signature scheme with key homomorphism}} +\newcommand{\keyMonomorphicSignatureScheme}{\term{signature scheme with key monomorphism}} \newcommand{\sigNonmalleable}{\termandindex{nonmalleable}{nonmalleability (of signatures)}} \newcommand{\sigBatchEntries}{\termandindex{signature batch entries}{signature batch entry}} \newcommand{\xPRF}{\termandindex{PRF}{Pseudo Random Function}} @@ -3396,7 +3396,7 @@ $\SigVerify{\vk}(m, s) = 1$. The following security property is needed for $\JoinSplitSig$\sapling{ and $\BindingSig$}. \sapling{Security requirements for $\SpendAuthSig$ are defined in the next section, \crossref{abstractsigrerand}. An additional requirement for $\BindingSig$ is defined -in \crossref{abstractsighom}.} +in \crossref{abstractsigmono}.} } %notsprout \vspace{-1ex} 
@@ -3419,7 +3419,7 @@ pair without access to the signing key. $\SigGen \typecolon () \rightarrowR \SigPrivate \times \SigPublic$, to support the key derivation in \crossref{saplingkeycomponents}. This also simplifies some aspects of the definitions of \signatureSchemes with additional features in - \crossref{abstractsigrerand} and \crossref{abstractsighom}. + \crossref{abstractsigrerand} and \crossref{abstractsigmono}. } %notsprout \item A fresh signature key pair is generated for each \transaction containing a \joinSplitDescription{}. @@ -3534,9 +3534,9 @@ $(m', \sigma') \not\in \Oracle_{\sk}\mathsf{.}Q$. \sapling{ \introlist -\lsubsubsubsection{Signature with Private Key to Public Key Homomorphism}{abstractsighom} +\lsubsubsubsection{Signature with Private Key to Public Key Monomorphism}{abstractsigmono} -A \defining{\keyHomomorphicSignatureScheme} $\Sig$ is a \signatureScheme that +A \defining{\keyMonomorphicSignatureScheme} $\Sig$ is a \signatureScheme that additionally defines: \begin{itemize} @@ -3552,7 +3552,8 @@ additionally defines: such that for any $\sk_{\oneto{2}} \typecolon \SigPrivate$, $\SigDerivePublic(\sk_1 \grpplus \sk_2) = \SigDerivePublic(\sk_1)\, \combplus \SigDerivePublic(\sk_2)$. -In other words, $\SigDerivePublic$ is an injective homomorphism from the \privateKey group to the \publicKey group. +In other words, $\SigDerivePublic$ is a monomorphism (that is, an injective homomorphism) from the +\privateKey group to the \publicKey group. \vspace{1ex} \introlist @@ -4801,7 +4802,7 @@ be as defined in \crossref{concretevaluecommit}: $\BindingSig$, $\combplus$, and $\grpplus$ are instantiated in \crossref{concretebindingsig}. These and the derived notation $\combminus$, $\scombsum{i=1}{\rmN}$, $\grpminus$, and -$\sgrpsum{i=1}{\rmN}$ are specified in \crossref{abstractsighom}. +$\sgrpsum{i=1}{\rmN}$ are specified in \crossref{abstractsigmono}. \vspace{1.5ex} \introlist 
@@ -6945,7 +6946,7 @@ The encoding of a \publicKey is as defined in \cite{BDLSY2012}. $\RedDSA$ is a Schnorr-based \signatureScheme, optionally supporting key re-randomization as described in \crossref{abstractsigrerand}. It also supports a -Secret Key to Public Key Homomorphism as described in \crossref{abstractsighom}. +Secret Key to Public Key Monomorphism as described in \crossref{abstractsigmono}. It is based on a scheme from \cite[section 3]{FKMSSS2016}, with some ideas from EdDSA \cite{BJLSY2015}. @@ -7077,7 +7078,7 @@ properties, careful analysis of potential interactions is required.} \vspace{3ex} \introlist -The two abelian groups specified in \crossref{abstractsighom} are instantiated for $\RedDSA$ +The two abelian groups specified in \crossref{abstractsigmono} are instantiated for $\RedDSA$ as follows: \begin{itemize} \item $\grpzero := 0 \pmod{\ParamG{r}}$ @@ -7087,7 +7088,7 @@ as follows: \end{itemize} \introlist -As required, $\RedDSADerivePublic$ is a group homomorphism: +As required, $\RedDSADerivePublic$ is a group monomorphism, since it is injective and: \begin{tabular}{@{\hskip 1.5em}r@{\;}l} $\RedDSADerivePublic(\sk_1 \grpplus \sk_2)$ @@ -7148,8 +7149,8 @@ use of key re-randomization, and with generator $\GenG{} = \ValueCommitRandBase$ See \crossref{bindingsig} for details on the use of this \signatureScheme. \securityrequirement{ -$\BindingSig$ must be a SUF-CMA secure \keyHomomorphicSignatureScheme as defined in -\crossref{abstractsighom}. A signature must prove knowledge of the discrete logarithm of +$\BindingSig$ must be a SUF-CMA secure \keyMonomorphicSignatureScheme as defined in +\crossref{abstractsigmono}. A signature must prove knowledge of the discrete logarithm of the \publicKey with respect to the base $\ValueCommitRandBase$. } %securityrequirement } %sapling 
@@ -10272,6 +10273,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. and Zancas Wilcox. \item Add an acknowledgement to Trail of Bits for their security audit. \item Change indices in the \incrementalMerkleTree diagram to be zero-based. + \item Use the term \quotedterm{monomorphism} for an injective homomorphism, in + the context of a \keyMonomorphicSignatureScheme. \end{itemize} \historyentry{2019.0.9}{2019-12-27}
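Review bot: the @@ -3396 hunk (and the other `\crossref` sites in this patch) retargets the section label from `abstractsighom` to `abstractsigmono`, whose definition is renamed in the `\lsubsubsubsection` line of the @@ -3534 hunk; since that label presumably also names the hyperref anchor in the built PDF, any external link to the old anchor will stop resolving. If stable anchors matter here, consider keeping the old label as an alias, or at least record the label rename in the changelog item added in the @@ -10272 hunk, which currently mentions only the terminology change.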
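Review bot: in the @@ -3552 hunk, "In other words, $\SigDerivePublic$ is a monomorphism (that is, an injective homomorphism)" presents injectivity as a restatement, but the only defining clause visible above it is the homomorphic property $\SigDerivePublic(\sk_1 \grpplus \sk_2) = \SigDerivePublic(\sk_1)\, \combplus \SigDerivePublic(\sk_2)$. Check that the itemized definition explicitly requires $\SigDerivePublic$ to be injective; if it does not, "in other words" quietly introduces a requirement the definition never states, and the security requirement in the @@ -7148 hunk would rest on it.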
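Review bot: the @@ -6945 hunk writes "Secret Key to Public Key Monomorphism", while the section it cross-references is titled "Signature with Private Key to Public Key Monomorphism" (@@ -3534 hunk) and the @@ -3552 hunk uses the `\privateKey` term. Suggest "Private Key to Public Key Monomorphism" so the phrase matches the section title and the defined term.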
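Review bot: the @@ -7087 hunk now reads "As required, $\RedDSADerivePublic$ is a group monomorphism, since it is injective and:", but the tabular that follows only establishes the homomorphism equalities; injectivity is asserted without justification. A one-line argument would close the gap, for example that the private-key group is scalars modulo $\ParamG{r}$ (per the `\grpzero := 0 \pmod{\ParamG{r}}` line in the @@ -7077 hunk) and that, assuming the base point has order $\ParamG{r}$ as elsewhere in the specification, distinct scalars modulo $\ParamG{r}$ give distinct multiples of it.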