Simplify FindGroupHash to use a single-byte index.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2018-03-11 21:22:53 +00:00
parent b44beb7141
commit 877ce30283
1 changed files with 7 additions and 17 deletions


@ -1241,7 +1241,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\FEtoIPP}{\mathsf{FE2IPP}}
\newcommand{\ItoLEBSP}[1]{\mathsf{I2LEBSP}_{#1}}
\newcommand{\ItoBEBSP}[1]{\mathsf{I2BEBSP}_{#1}}
\newcommand{\ItoLEOSPvar}{\mathsf{I2LEOSP_{var}}}
\newcommand{\LEOStoIP}[1]{\mathsf{LEOS2IP}_{#1}}
\newcommand{\LEOStoIPOf}[2]{\LEOStoIP{#1}\!\left({#2}\right)}
\newcommand{\LEBStoOSP}[1]{\mathsf{LEBS2OSP}_{#1}}
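Review bot: deleting `\newcommand{\ItoLEOSPvar}{\mathsf{I2LEOSP_{var}}}` from the macro block means any `\ItoLEOSPvar` left elsewhere in the source becomes an undefined control sequence at build time; the two uses visible in this patch (the definition reference and the `\FindGroupJHashOf` lambda in the last hunk) are both removed, so a search of the full source for `ItoLEOSPvar` before merging would confirm no other use survives.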
@ -3697,10 +3696,6 @@ and integers:
\item $\ItoBEBSP{} \typecolon (\ell \typecolon \Nat) \times \range{0}{2^\ell\!-\!1} \rightarrow \bitseq{\ell}$
such that $\ItoBEBSP{u}(\ell)$ is the sequence of $\ell$ bits representing $x$ in
big-endian order.
\item $\ItoLEOSPvar \typecolon \Nat \rightarrow \byteseqs$,
such that $\ItoLEOSPvar(i)$ is the shortest little-endian encoding of $i$
as a byte sequence, i.e. so that the encoding does not end in a zero
byte. ($\ItoLEOSPvar(0) = []$.)
\item $\LEOStoIP{} \typecolon (k \typecolon \Nat) \times \byteseq{k} \rightarrow \range{0}{256^k\!-\!1}$
such that $\LEOStoIP{k}(S)$ is the integer represented in little-endian order by the
byte sequence $S$ of length $k$.
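Review bot: the unchanged context line `such that $\ItoBEBSP{u}(\ell)$ is the sequence of $\ell$ bits representing $x$` does not match its own signature `(\ell \typecolon \Nat) \times \range{0}{2^\ell\!-\!1}`: the subscript should be the length and the argument the integer, i.e. `$\ItoBEBSP{\ell}(x)$`, mirroring `$\LEOStoIP{k}(S)$` just below. Worth correcting while this list is being edited. Dropping the `\ItoLEOSPvar` item itself is consistent with the new single-byte index, which no longer needs a variable-length integer encoding.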
@ -5177,22 +5172,17 @@ The hash $\GroupJHash{\CRS}(D, M)$ is calculated as follows:
\item If $Q = \ZeroJ$ then return $\bot$, else return $Q$.
\end{formulae}
Define $\ItoLEOSPvar \typecolon \Nat \rightarrow \byteseqs$ as in \crossref{endian}.
Define $\first \typecolon (\Nat \rightarrow T \union \setof{\bot}) \rightarrow T$
so that $\first(f) = f(i)$ where $i$ is the least nonnegative integer
such that $f(i) \neq \bot$. (For our use of $\first$, such an $i$ always
exists.)
Define $\first \typecolon (\Nat \rightarrow T \union \setof{\bot}) \rightarrow T \union \setof{\bot}$
so that $\first(f) = f(i)$ where $i$ is the least integer in $\range{0}{255}$
such that $f(i) \neq \bot$, or $\bot$ if no such $i$ exists.
Let $\FindGroupJHashOf{D, M} =
\first(\fun{i \typecolon \Nat}{\GroupJHash{\CRS}(D, M \bconcat \ItoLEOSPvar(i)) \typecolon \GroupJ})$.
\first(\fun{i \typecolon \Nat}{\GroupJHash{\CRS}(D, M \bconcat [i]) \typecolon \GroupJ})$.
\begin{pnotes}
\item The $\BlakeTwos{256}$ chaining variable after processing $\CRS$
may be precomputed.
\item $\FindGroupJHash$ is designed for use with fixed-length $M$.
If it is reused in a context where $M$ may be variable-length,
then an encoding of the length of $M$ should be prepended.
\item The $\BlakeTwos{256}$ chaining variable after processing $\CRS$ may be precomputed.
\item For random input, $\FindGroupJHash$ returns $\bot$ with probability approximately $2^{-256}$.
The uses of $\FindGroupJHash$ in the \Zcash protocol never return $\bot$.
\end{pnotes}
}
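Review bot: the new `\first` searches only `i \in \range{0}{255}`, but its type still takes `f \typecolon \Nat \rightarrow T \union \setof{\bot}` and the lambda in `\FindGroupJHashOf` still binds `i \typecolon \Nat`; for consistency with the single-byte `[i]` (and so that `[i]` is well-typed as a byte sequence of length 1) both should be narrowed to `\range{0}{255}`. Since `\first` is no longer total, the new pnote carries the correctness burden: the claim that the Zcash uses of `\FindGroupJHash` never return `\bot` now depends on the concrete `(D, M)` inputs rather than holding by construction, and the `2^{-256}` figure would benefit from one clause saying how it follows from the 256 candidate indices, as the hunk gives only the result.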