mirror of https://github.com/zcash/zips.git
Use the term monomorphism for an injective homomorphism, in the context of a "signature scheme with key monomorphism".
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
0d582758dd
commit
849d9435ae
@ -1028,7 +1028,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\signatureSchemes}{\terms{signature scheme}}
|
||||
\newcommand{\oneTimeSignatureScheme}{\termandindex{one-time signature scheme}{one-time (signature scheme)}}
|
||||
\newcommand{\rerandomizableSignatureScheme}{\termandindex{signature scheme with re\hyp randomizable keys}{signature scheme with re-randomizable keys}}
|
||||
\newcommand{\keyHomomorphicSignatureScheme}{\term{signature scheme with key homomorphism}}
|
||||
\newcommand{\keyMonomorphicSignatureScheme}{\term{signature scheme with key monomorphism}}
|
||||
\newcommand{\sigNonmalleable}{\termandindex{nonmalleable}{nonmalleability (of signatures)}}
|
||||
\newcommand{\sigBatchEntries}{\termandindex{signature batch entries}{signature batch entry}}
|
||||
\newcommand{\xPRF}{\termandindex{PRF}{Pseudo Random Function}}
|
||||
|
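Review bot: The `-1028,7 +1028,7` header shows `\keyHomomorphicSignatureScheme` being replaced rather than kept alongside the new `\keyMonomorphicSignatureScheme`, so any use of the old macro that remains elsewhere in the document will fail to build. The hunk at 7148 updates the one use visible in this diff; before merging, grep the source for both `\keyHomomorphicSignatureScheme` and `\crossref{abstractsighom}`, or keep the old macro as an alias of the new one for a release.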
@ -3396,7 +3396,7 @@ $\SigVerify{\vk}(m, s) = 1$.
|
|||
The following security property is needed for $\JoinSplitSig$\sapling{ and $\BindingSig$}.
|
||||
\sapling{Security requirements for $\SpendAuthSig$ are defined in the next section,
|
||||
\crossref{abstractsigrerand}. An additional requirement for $\BindingSig$ is defined
|
||||
in \crossref{abstractsighom}.}
|
||||
in \crossref{abstractsigmono}.}
|
||||
} %notsprout
|
||||
|
||||
\vspace{-1ex}
|
||||
|
@ -3419,7 +3419,7 @@ pair without access to the signing key.
|
|||
$\SigGen \typecolon () \rightarrowR \SigPrivate \times \SigPublic$, to support
|
||||
the key derivation in \crossref{saplingkeycomponents}. This also simplifies some
|
||||
aspects of the definitions of \signatureSchemes with additional features in
|
||||
\crossref{abstractsigrerand} and \crossref{abstractsighom}.
|
||||
\crossref{abstractsigrerand} and \crossref{abstractsigmono}.
|
||||
} %notsprout
|
||||
\item A fresh signature key pair is generated for each \transaction containing
|
||||
a \joinSplitDescription{}.
|
||||
|
@ -3534,9 +3534,9 @@ $(m', \sigma') \not\in \Oracle_{\sk}\mathsf{.}Q$.
|
|||
|
||||
\sapling{
|
||||
\introlist
|
||||
\lsubsubsubsection{Signature with Private Key to Public Key Homomorphism}{abstractsighom}
|
||||
\lsubsubsubsection{Signature with Private Key to Public Key Monomorphism}{abstractsigmono}
|
||||
|
||||
A \defining{\keyHomomorphicSignatureScheme} $\Sig$ is a \signatureScheme that
|
||||
A \defining{\keyMonomorphicSignatureScheme} $\Sig$ is a \signatureScheme that
|
||||
additionally defines:
|
||||
|
||||
\begin{itemize}
|
||||
|
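Review bot: Renaming the label `abstractsighom` to `abstractsigmono` removes the old anchor from the rendered document, so any existing external link to the Homomorphism section breaks. Consider keeping `abstractsighom` as a secondary label on the renamed `\lsubsubsubsection`, or at least recording the anchor rename in the change history next to the terminology change.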
@ -3552,7 +3552,8 @@ additionally defines:
|
|||
such that for any $\sk_{\oneto{2}} \typecolon \SigPrivate$,
|
||||
$\SigDerivePublic(\sk_1 \grpplus \sk_2) = \SigDerivePublic(\sk_1)\, \combplus \SigDerivePublic(\sk_2)$.
|
||||
|
||||
In other words, $\SigDerivePublic$ is an injective homomorphism from the \privateKey group to the \publicKey group.
|
||||
In other words, $\SigDerivePublic$ is a monomorphism (that is, an injective homomorphism) from the
|
||||
\privateKey group to the \publicKey group.
|
||||
|
||||
\vspace{1ex}
|
||||
\introlist
|
||||
|
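Review bot: The `In other words` sentence presents injectivity as if it followed from the displayed identity `$\SigDerivePublic(\sk_1 \grpplus \sk_2) = \SigDerivePublic(\sk_1)\, \combplus \SigDerivePublic(\sk_2)$`, but that identity only gives a homomorphism; injectivity is a separate requirement on `$\SigDerivePublic$`. Suggest stating it in the definition itself, e.g. `such that $\SigDerivePublic$ is injective and, for any $\sk_{\oneto{2}} \typecolon \SigPrivate$, ...`, and keeping the monomorphism sentence as the summary.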
@ -4801,7 +4802,7 @@ be as defined in \crossref{concretevaluecommit}:
|
|||
|
||||
$\BindingSig$, $\combplus$, and $\grpplus$ are instantiated in \crossref{concretebindingsig}.
|
||||
These and the derived notation $\combminus$, $\scombsum{i=1}{\rmN}$, $\grpminus$, and
|
||||
$\sgrpsum{i=1}{\rmN}$ are specified in \crossref{abstractsighom}.
|
||||
$\sgrpsum{i=1}{\rmN}$ are specified in \crossref{abstractsigmono}.
|
||||
|
||||
\vspace{1.5ex}
|
||||
\introlist
|
||||
|
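Review bot: This paragraph calls the property `Secret Key to Public Key Monomorphism`, while the section it cross-references (hunk at 3534) is titled `Signature with Private Key to Public Key Monomorphism` and its definition uses `\privateKey`. Since the commit is already normalising terminology, align on either `Secret Key` or `Private Key` here.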
@ -6945,7 +6946,7 @@ The encoding of a \publicKey is as defined in \cite{BDLSY2012}.
|
|||
|
||||
$\RedDSA$ is a Schnorr-based \signatureScheme, optionally supporting key re-randomization
|
||||
as described in \crossref{abstractsigrerand}. It also supports a
|
||||
Secret Key to Public Key Homomorphism as described in \crossref{abstractsighom}.
|
||||
Secret Key to Public Key Monomorphism as described in \crossref{abstractsigmono}.
|
||||
It is based on a scheme from \cite[section 3]{FKMSSS2016}, with some ideas from
|
||||
EdDSA \cite{BJLSY2015}.
|
||||
|
||||
|
@ -7077,7 +7078,7 @@ properties, careful analysis of potential interactions is required.}
|
|||
|
||||
\vspace{3ex}
|
||||
\introlist
|
||||
The two abelian groups specified in \crossref{abstractsighom} are instantiated for $\RedDSA$
|
||||
The two abelian groups specified in \crossref{abstractsigmono} are instantiated for $\RedDSA$
|
||||
as follows:
|
||||
\begin{itemize}
|
||||
\item $\grpzero := 0 \pmod{\ParamG{r}}$
|
||||
|
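Review bot: `since it is injective and:` asserts injectivity of `$\RedDSADerivePublic$` without justification, while the tabular that follows only derives the homomorphism identity. A short clause on why the map is injective for the groups instantiated in the preceding hunk (the private key group is taken modulo `$\ParamG{r}$`) would make the "as required" claim checkable rather than asserted.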
@ -7087,7 +7088,7 @@ as follows:
|
|||
\end{itemize}
|
||||
|
||||
\introlist
|
||||
As required, $\RedDSADerivePublic$ is a group homomorphism:
|
||||
As required, $\RedDSADerivePublic$ is a group monomorphism, since it is injective and:
|
||||
|
||||
\begin{tabular}{@{\hskip 1.5em}r@{\;}l}
|
||||
$\RedDSADerivePublic(\sk_1 \grpplus \sk_2)$
|
||||
|
@ -7148,8 +7149,8 @@ use of key re-randomization, and with generator $\GenG{} = \ValueCommitRandBase$
|
|||
See \crossref{bindingsig} for details on the use of this \signatureScheme.
|
||||
|
||||
\securityrequirement{
|
||||
$\BindingSig$ must be a SUF-CMA secure \keyHomomorphicSignatureScheme as defined in
|
||||
\crossref{abstractsighom}. A signature must prove knowledge of the discrete logarithm of
|
||||
$\BindingSig$ must be a SUF-CMA secure \keyMonomorphicSignatureScheme as defined in
|
||||
\crossref{abstractsigmono}. A signature must prove knowledge of the discrete logarithm of
|
||||
the \publicKey with respect to the base $\ValueCommitRandBase$.
|
||||
} %securityrequirement
|
||||
} %sapling
|
||||
|
@ -10272,6 +10273,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
and Zancas Wilcox.
|
||||
\item Add an acknowledgement to Trail of Bits for their security audit.
|
||||
\item Change indices in the \incrementalMerkleTree diagram to be zero-based.
|
||||
\item Use the term \quotedterm{monomorphism} for an injective homomorphism, in
|
||||
the context of a \keyMonomorphicSignatureScheme.
|
||||
\end{itemize}
|
||||
|
||||
\historyentry{2019.0.9}{2019-12-27}
|
||||
|