Simplify FindGroupHash to use a single-byte index.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
b44beb7141
commit
877ce30283
|
@ -1241,7 +1241,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\FEtoIPP}{\mathsf{FE2IPP}}
|
||||
\newcommand{\ItoLEBSP}[1]{\mathsf{I2LEBSP}_{#1}}
|
||||
\newcommand{\ItoBEBSP}[1]{\mathsf{I2BEBSP}_{#1}}
|
||||
\newcommand{\ItoLEOSPvar}{\mathsf{I2LEOSP_{var}}}
|
||||
\newcommand{\LEOStoIP}[1]{\mathsf{LEOS2IP}_{#1}}
|
||||
\newcommand{\LEOStoIPOf}[2]{\LEOStoIP{#1}\!\left({#2}\right)}
|
||||
\newcommand{\LEBStoOSP}[1]{\mathsf{LEBS2OSP}_{#1}}
|
||||
|
@ -3697,10 +3696,6 @@ and integers:
|
|||
\item $\ItoBEBSP{} \typecolon (\ell \typecolon \Nat) \times \range{0}{2^\ell\!-\!1} \rightarrow \bitseq{\ell}$
|
||||
such that $\ItoBEBSP{u}(\ell)$ is the sequence of $\ell$ bits representing $x$ in
|
||||
big-endian order.
|
||||
\item $\ItoLEOSPvar \typecolon \Nat \rightarrow \byteseqs$,
|
||||
such that $\ItoLEOSPvar(i)$ is the shortest little-endian encoding of $i$
|
||||
as a byte sequence, i.e. so that the encoding does not end in a zero
|
||||
byte. ($\ItoLEOSPvar(0) = []$.)
|
||||
\item $\LEOStoIP{} \typecolon (k \typecolon \Nat) \times \byteseq{k} \rightarrow \range{0}{256^k\!-\!1}$
|
||||
such that $\LEOStoIP{k}(S)$ is the integer represented in little-endian order by the
|
||||
byte sequence $S$ of length $k$.
|
||||
|
@ -5177,22 +5172,17 @@ The hash $\GroupJHash{\CRS}(D, M)$ is calculated as follows:
|
|||
\item If $Q = \ZeroJ$ then return $\bot$, else return $Q$.
|
||||
\end{formulae}
|
||||
|
||||
Define $\ItoLEOSPvar \typecolon \Nat \rightarrow \byteseqs$ as in \crossref{endian}.
|
||||
|
||||
Define $\first \typecolon (\Nat \rightarrow T \union \setof{\bot}) \rightarrow T$
|
||||
so that $\first(f) = f(i)$ where $i$ is the least nonnegative integer
|
||||
such that $f(i) \neq \bot$. (For our use of $\first$, such an $i$ always
|
||||
exists.)
|
||||
Define $\first \typecolon (\Nat \rightarrow T \union \setof{\bot}) \rightarrow T \union \setof{\bot}$
|
||||
so that $\first(f) = f(i)$ where $i$ is the least integer in $\range{0}{255}$
|
||||
such that $f(i) \neq \bot$, or $\bot$ if no such $i$ exists.
|
||||
|
||||
Let $\FindGroupJHashOf{D, M} =
|
||||
\first(\fun{i \typecolon \Nat}{\GroupJHash{\CRS}(D, M \bconcat \ItoLEOSPvar(i)) \typecolon \GroupJ})$.
|
||||
\first(\fun{i \typecolon \Nat}{\GroupJHash{\CRS}(D, M \bconcat [i]) \typecolon \GroupJ})$.
|
||||
|
||||
\begin{pnotes}
|
||||
\item The $\BlakeTwos{256}$ chaining variable after processing $\CRS$
|
||||
may be precomputed.
|
||||
\item $\FindGroupJHash$ is designed for use with fixed-length $M$.
|
||||
If it is reused in a context where $M$ may be variable-length,
|
||||
then an encoding of the length of $M$ should be prepended.
|
||||
\item The $\BlakeTwos{256}$ chaining variable after processing $\CRS$ may be precomputed.
|
||||
\item For random input, $\FindGroupJHash$ returns $\bot$ with probability approximately $2^{-256}$.
|
||||
The uses of $\FindGroupJHash$ in the \Zcash protocol never return $\bot$.
|
||||
\end{pnotes}
|
||||
}
|
||||
|
||||
|
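Review bot: The new definition line still binds the index as `\fun{i \typecolon \Nat}` while the revised `\first` only consults `\range{0}{255}` and the appended `[i]` is a single byte, so the same paragraph states the index domain three different ways. Tightening the binder to `\fun{i \typecolon \range{0}{255}}` and the signature to `\first \typecolon (\range{0}{255} \rightarrow T \union \setof{\bot}) \rightarrow T \union \setof{\bot}` keeps the types consistent and makes it explicit that `[i]` is a well-formed byte sequence. The new note gives a failure probability of $2^{-256}$ without saying where it comes from; it presumably assumes each of the 256 candidate indices fails independently with probability about $\frac{1}{2}$, and a short parenthetical stating that assumption would let a reader check the figure against the definition of $\GroupJHash$. The enclosing definition of $\FindGroupJHash$ starts outside the hunk.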
|