Type corrections and precision improvements. Also add more cross-references.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent
4035e4c5e0
commit
8abebf4296
@ -752,6 +752,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\ones}[1]{[1]^{#1}}
|
||||
\newcommand{\bit}{\mathbb{B}}
|
||||
\newcommand{\overlap}[2]{\rlap{#2}\hspace{#1}{#2}}
|
||||
\newcommand{\plap}[2]{\rlap{\hphantom{#2}}{#1}}
|
||||
\newcommand{\byte}{\mathbb{B}\kern -0.1em\raisebox{0.55ex}{\overlap{0.0001em}{\scalebox{0.7}{$\mathbb{Y}$}}}}
|
||||
\newcommand{\Nat}{\mathbb{N}}
|
||||
\newcommand{\PosInt}{\mathbb{N}^+}
|
||||
|
@ -994,14 +995,12 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\PRFpk}[1]{\PRF{#1}{pk}}
|
||||
\newcommand{\PRFrho}[1]{\PRF{#1}{\NoteAddressRand}}
|
||||
\newcommand{\PRFnfSapling}[1]{\PRF{#1}{nf\kern-0.01em Sapling}}
|
||||
\newcommand{\PRFOutputLength}{\mathsf{\ell_{PRF}}}
|
||||
\newcommand{\PRFOutput}{\bitseq{\PRFOutputLength}}
|
||||
\newcommand{\PRFOutputLengthSprout}{\mathsf{\ell_{PRF\notsprout{Sprout}}}}
|
||||
\newcommand{\PRFOutputSprout}{\bitseq{\PRFOutputLengthSprout}}
|
||||
\newcommand{\PRFOutputLengthNfSapling}{\mathsf{\ell_{PRFnfSapling}}}
|
||||
\newcommand{\PRFOutputNfSapling}{\bitseq{\PRFOutputLengthNfSapling}}
|
||||
\newcommand{\PRFOutputLengthExpand}{\mathsf{\ell_{PRFexpand}}}
|
||||
\newcommand{\PRFOutputExpand}{\bitseq{\PRFOutputLengthExpand}}
|
||||
\newcommand{\PRFOutputExpand}{\byteseq{\PRFOutputLengthExpand/8}}
|
||||
\newcommand{\PRFInputExpand}{\byteseq{\barerange{1}{2}}}
|
||||
|
||||
% Commitments
|
||||
|
@ -1463,6 +1462,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\SelectuOf}[1]{\Selectu\!\left({#1}\right)\!}
|
||||
\newcommand{\Selectv}{\scalebox{1.53}{$\varv$}}
|
||||
\newcommand{\SelectvOf}[1]{\Selectv\!\left({#1}\right)\!}
|
||||
\newcommand{\subgroupr}{(\kern-0.075emr\kern-0.075em)}
|
||||
|
||||
\newcommand{\ParamP}[1]{{{#1}_\mathbb{P}}}
|
||||
\newcommand{\ParamPexp}[2]{{{#1}_\mathbb{P}\!}^{#2}}
|
||||
|
@ -1480,9 +1480,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\ParamGexp}[2]{{{#1}_\mathbb{G}\!}^{#2}}
|
||||
\newcommand{\GroupG}[1]{\mathbb{G}_{#1}}
|
||||
\newcommand{\GroupGstar}[1]{\mathbb{G}^\ast_{#1}}
|
||||
\newcommand{\SubgroupG}{\mathbb{G}_{r}}
|
||||
\newcommand{\SubgroupG}{\mathbb{G}_{\subgroupr}}
|
||||
\newcommand{\SubgroupReprG}{\SubgroupG^{\ReprNoKern}}
|
||||
\newcommand{\GroupGHash}[1]{\mathsf{GroupHash}^\GroupG{#1}}
|
||||
\newcommand{\GroupGHash}[1]{\mathsf{GroupHash}^{\SubgroupG}_{#1}}
|
||||
\newcommand{\CurveG}[1]{\Curve_{\GroupG{#1}}}
|
||||
\newcommand{\ZeroG}[1]{\Zero_{\GroupG{#1}}}
|
||||
\newcommand{\GenG}[1]{\Generator_{\GroupG{#1}}}
|
||||
|
@ -1493,7 +1493,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\abstG}[1]{\abst_{\GroupG{#1}}}
|
||||
\newcommand{\abstGOf}[2]{\abstG{#1}\!\left({#2}\right)\!}
|
||||
\newcommand{\PairingG}{\ParamG{\hat{e}}}
|
||||
\newcommand{\ExtractG}{\ParamG{\mathsf{Extract}}}
|
||||
\newcommand{\ExtractG}{\mathsf{Extract}_{\SubgroupG}}
|
||||
|
||||
\newcommand{\ParamS}[1]{{{#1}_\mathbb{\hskip 0.03em S}}}
|
||||
\newcommand{\ParamSexp}[2]{{{#1}_\mathbb{\hskip 0.03em S}\!}^{#2}}
|
||||
|
@ -1512,9 +1512,10 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\ParamJ}[1]{{{#1}_\mathbb{\hskip 0.01em J}}}
|
||||
\newcommand{\ParamJexp}[2]{{{#1}_\mathbb{\hskip 0.01em J}\!}^{#2}}
|
||||
\newcommand{\GroupJ}{\mathbb{J}}
|
||||
\newcommand{\SubgroupJ}{\mathbb{J}_{r}}
|
||||
\newcommand{\SubgroupJ}{\mathbb{J}_{\subgroupr}}
|
||||
\newcommand{\SubgroupReprJ}{\SubgroupJ^{\ReprNoKern}}
|
||||
\newcommand{\GroupJHash}[1]{\mathsf{GroupHash}^\mathbb{J}_{#1}}
|
||||
\newcommand{\PrimeOrderJ}{\SubgroupJ \difference \ZeroJ}
|
||||
\newcommand{\GroupJHash}[1]{\mathsf{GroupHash}^{\SubgroupJ}_{#1}}
|
||||
\newcommand{\CurveJ}{\Curve_{\GroupJ}}
|
||||
\newcommand{\ZeroJ}{\Zero_{\GroupJ}}
|
||||
\newcommand{\GenJ}{\Generator_{\GroupJ}}
|
||||
|
@ -1524,8 +1525,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\reprJOf}[1]{\reprJ\!\left({#1}\right)\!}
|
||||
\newcommand{\abstJ}{\abst_{\GroupJ}}
|
||||
\newcommand{\abstJOf}[1]{\abstJ\!\left({#1}\right)\!}
|
||||
\newcommand{\ExtractJ}{\ParamJ{\mathsf{Extract}}}
|
||||
\newcommand{\FindGroupJHash}{\mathsf{FindGroupHash}^\mathbb{J}}
|
||||
\newcommand{\ExtractJ}{\mathsf{Extract}_{\SubgroupJ}}
|
||||
\newcommand{\FindGroupJHash}{\mathsf{FindGroupHash}^{\SubgroupJ}}
|
||||
\newcommand{\FindGroupJHashOf}[1]{\FindGroupJHash\!\left({#1}\right)\!}
|
||||
\newcommand{\SignedScalarLimitJ}{\frac{\ParamJ{r}-1}{2}}
|
||||
|
||||
|
@ -2198,8 +2199,8 @@ spendable by the recipient who holds the \spendingKey corresponding
|
|||
to a given \paymentAddress.
|
||||
} %notsprout
|
||||
|
||||
Let \sprout{$\MAXMONEY$ and $\PRFOutputLength$}
|
||||
\notsprout{$\MAXMONEY$, $\PRFOutputLength$\sapling{, and $\DiversifierLength$}}
|
||||
Let \sprout{$\MAXMONEY$ and $\PRFOutputLengthSprout$}
|
||||
\notsprout{$\MAXMONEY$, $\PRFOutputLengthSprout$\sapling{, $\PRFOutputLengthNfSapling$, and $\DiversifierLength$}}
|
||||
be as defined in \crossref{constants}.
|
||||
|
||||
Let $\NoteCommitSproutAlg$ be as defined in \crossref{concretesproutnotecommit}.
|
||||
|
@ -2619,12 +2620,11 @@ as described in \crossref{foundersreward}.
|
|||
\subsubsection{\HashFunctions} \label{abstracthashes}
|
||||
|
||||
Let $\MerkleDepthSprout$, $\MerkleHashLengthSprout$,
|
||||
\sapling{$\MerkleDepthSapling$, $\MerkleHashLengthSapling$, $\InViewingKeyLength$,}
|
||||
\sapling{$\MerkleDepthSapling$, $\MerkleHashLengthSapling$, $\InViewingKeyLength$, $\DiversifierLength$,}
|
||||
$\RandomSeedLength$, $\hSigLength$, and $\NOld$ be as defined in \crossref{constants}.
|
||||
|
||||
\sapling{
|
||||
% \todo{define the abstract protocol over a generic group.}
|
||||
Let $\GroupJ$, $\ParamJ{r}$, and $\ellJ$ be as defined in \crossref{jubjub}.
|
||||
Let $\GroupJ$, $\SubgroupJ$, $\ParamJ{r}$, and $\ellJ$ be as defined in \crossref{jubjub}.
|
||||
} %sapling
|
||||
|
||||
\sprout{
|
||||
|
@ -2646,7 +2646,7 @@ Both of these functions are instantiated in \crossref{merklecrh}.
|
|||
} %notsprout
|
||||
|
||||
\changed{
|
||||
$\hSigCRH{} \typecolon \bitseq{\RandomSeedLength} \times \typeexp{\PRFOutput}{\NOld} \times \JoinSplitSigPublic \rightarrow \hSigType$
|
||||
$\hSigCRH{} \typecolon \bitseq{\RandomSeedLength} \times \typeexp{\PRFOutputSprout}{\NOld} \times \JoinSplitSigPublic \rightarrow \hSigType$
|
||||
is a \collisionResistant \hashFunction used in \crossref{joinsplitdesc}.
|
||||
It is instantiated in \crossref{hsigcrh}.
|
||||
|
||||
|
@ -2670,7 +2670,7 @@ to derive the unique $\NoteAddressRand$ value for a \Sapling \note. It is also u
|
|||
in the \spendStatement to confirm use of the correct $\NoteAddressRand$ value as an
|
||||
input to \nullifier derivation. It is instantiated in \crossref{concretemixinghash}.
|
||||
|
||||
$\DiversifyHash \typecolon \DiversifierType \rightarrow \GroupJ$ is a \hashFunction
|
||||
$\DiversifyHash \typecolon \DiversifierType \rightarrow \SubgroupJ$ is a \hashFunction
|
||||
satisfying the Discrete Logarithm Independence property (which implies \collisionResistance\!\!)
|
||||
described in \crossref{abstractgrouphash}.
|
||||
It is used to derive a \diversifiedBase from a \diversifier in \crossref{saplingkeycomponents}.
|
||||
|
@ -2684,8 +2684,9 @@ It is instantiated in \crossref{concretediversifyhash}.
|
|||
$\PRF{x}{}$ is a \pseudoRandomFunction keyed by $x$.
|
||||
|
||||
Let $\AuthPrivateLength$, $\NoteAddressPreRandLength$, $\hSigLength$,
|
||||
$\PRFOutputLengthSprout$, \sapling{$\PRFOutputLengthNfSapling$,} $\NOld$, and $\NNew$
|
||||
be as defined in \crossref{constants}.
|
||||
$\PRFOutputLengthSprout$, \sapling{$\SpendingKeyLength$, $\OutViewingKeyLength$,
|
||||
$\PRFOutputLengthExpand$, $\PRFOutputLengthNfSapling$,}
|
||||
$\NOld$, and $\NNew$ be as defined in \crossref{constants}.
|
||||
|
||||
\sapling{
|
||||
Let $\ellJ$ and $\SubgroupReprJ$ be as defined in \crossref{jubjub}.
|
||||
|
@ -2771,8 +2772,8 @@ a shared secret, each using their private key and the other party's public key.
|
|||
A \keyAgreementScheme $\KA$ defines a type of public keys $\KAPublic$, a type
|
||||
of private keys $\KAPrivate$, and a type of shared secrets $\KASharedSecret$.
|
||||
|
||||
Let $\KAFormatPrivate \typecolon \PRFOutput \rightarrow \KAPrivate$ be a function
|
||||
to convert a bit string of length $\PRFOutputLength$ to a $\KA$ private key.
|
||||
\sapling{Optional:} Let $\KAFormatPrivate \typecolon \PRFOutputSprout \rightarrow \KAPrivate$
|
||||
be a function to convert a bit string of length $\PRFOutputLengthSprout$ to a $\KA$ private key.
|
||||
|
||||
Let $\KADerivePublic \typecolon \KAPrivate \times \KAPublic \rightarrow \KAPublic$
|
||||
be a function that derives the $\KA$ public key corresponding to a given $\KA$
|
||||
|
@ -3171,7 +3172,7 @@ Let $\NoteCommitRandLength$, $\MerkleHashLengthSprout$, $\PRFOutputLengthSprout$
|
|||
$\ValueLength$ be as defined in \crossref{constants}.
|
||||
|
||||
\sapling{
|
||||
Let $\GroupJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}.
|
||||
Let $\SubgroupJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}.
|
||||
} %sapling
|
||||
|
||||
\sprout{
|
||||
|
@ -3185,9 +3186,9 @@ Define:
|
|||
$\NoteCommitSproutOutput := \bitseq{\MerkleHashLengthSprout}$;
|
||||
\sapling{
|
||||
\item $\NoteCommitSaplingTrapdoor := \GF{\ParamJ{r}}$ and
|
||||
$\NoteCommitSaplingOutput := \GroupJ$;
|
||||
$\NoteCommitSaplingOutput := \SubgroupJ$;
|
||||
\item $\ValueCommitTrapdoor := \GF{\ParamJ{r}}$ and
|
||||
$\ValueCommitOutput := \GroupJ$.
|
||||
$\ValueCommitOutput := \SubgroupJ$.
|
||||
} %sapling
|
||||
\end{formulae}
|
||||
} %notsprout
|
||||
|
@ -3271,9 +3272,9 @@ $\scalarmult{a}{G}$ meaning $\scalarmult{a \bmod \ParamG{r}}{G}$ as defined abov
|
|||
\subsubsection{\HashExtractor} \label{abstractextractor}
|
||||
|
||||
A \hashExtractor for a \representedGroup $\GroupG{}$ is a function
|
||||
$\ExtractG \typecolon \GroupG{} \rightarrow T$ for some type $T$,
|
||||
such that $\ExtractG$ is injective on the subgroup of $\GroupG{}$ of order
|
||||
$\ParamG{r}$.
|
||||
$\ExtractG \typecolon \SubgroupG{} \rightarrow T$ for some type $T$,
|
||||
such that $\ExtractG$ is injective on $\SubgroupG{}$ (the subgroup of $\GroupG{}$
|
||||
of order $\ParamG{r}$).
|
||||
|
||||
\vspace{-2ex}
|
||||
\pnote{
|
||||
|
@ -3287,19 +3288,20 @@ efficiently computable left inverse.
|
|||
\introlist
|
||||
\subsubsection{\GroupHash} \label{abstractgrouphash}
|
||||
|
||||
Given a represented group $\GroupG{}$ and a type $\CRSType$, we define a
|
||||
\term{family of group hashes into\, $\GroupG{}$} as a function
|
||||
Given a represented group $\GroupG{}$ with prime-order subgroup $\SubgroupG$,
|
||||
and a type $\CRSType$, we define a \term{family of group hashes into\, $\SubgroupG$}
|
||||
as a function
|
||||
|
||||
\begin{formulae}
|
||||
\item $\GroupGHash{} \typecolon \CRSType \times \bitseq{\ell} \rightarrow \GroupG{}$
|
||||
\item $\GroupGHash{} \typecolon \CRSType \times (\byteseq{8} \times \byteseqs) \rightarrow \SubgroupG$
|
||||
\end{formulae}
|
||||
|
||||
\vspace{-2ex}
|
||||
\securityrequirement{\textbf{Discrete Logarithm Independence}
|
||||
|
||||
For a randomly selected member $\GroupGHash{\CRS}$ of the family, it is infeasible to find
|
||||
a sequence of distinct inputs $m_{\alln} \typecolon \typeexp{\bitseq{\ell}}{n}$
|
||||
and a sequence of nonzero scalars $x_{\alln} \typecolon \typeexp{\GFstar{\ParamG{r}}}{n}$
|
||||
a sequence of \emph{distinct} inputs $m_{\alln} \typecolon \typeexp{(\byteseq{8} \times \byteseqs)}{n}$
|
||||
and a sequence of nonzero $x_{\alln} \typecolon \typeexp{\GFstar{\ParamG{r}}}{n}$
|
||||
such that $\ssum{i = 1}{n}\!\left(\scalarmult{x_i}{\GroupGHash{\CRS}(m_i)}\right) = \ZeroG{}$.
|
||||
}
|
||||
|
||||
|
@ -3317,6 +3319,9 @@ such that $\ssum{i = 1}{n}\!\left(\scalarmult{x_i}{\GroupGHash{\CRS}(m_i)}\right
|
|||
group hash algorithm to be used.
|
||||
This mitigates the possibility that the group hash algorithm could have
|
||||
been backdoored.
|
||||
\item The input element with type $\byteseq{8}$ is intended to act as a
|
||||
``personalization'' parameter to distinguish uses of the \groupHash for
|
||||
different purposes.
|
||||
\end{nnotes}
|
||||
} %sapling
|
||||
|
||||
|
@ -3468,6 +3473,8 @@ them to be the $\Groth$ \provingKeys and
|
|||
|
||||
\notsprout{\subsubsection{\Sprout{} \KeyComponents}} \label{sproutkeycomponents}
|
||||
|
||||
Let $\AuthPrivateLength$ be as defined in \crossref{constants}.
|
||||
|
||||
Let $\PRFaddr{}$ be a \pseudoRandomFunction, instantiated in \crossref{concreteprfs}.
|
||||
|
||||
Let $\KASprout$ be a \keyAgreementScheme, instantiated in \crossref{concretesproutkeyagreement}.
|
||||
|
@ -3492,7 +3499,10 @@ as follows:}
|
|||
\sapling{
|
||||
\subsubsection{\Sapling{} \KeyComponents} \label{saplingkeycomponents}
|
||||
|
||||
Let $\PRFexpand{}$ and $\PRFock{}$ be \pseudoRandomFunctions, instantiated in \crossref{concreteprfs}.
|
||||
Let $\PRFOutputLengthExpand$, $\SpendingKeyLength$, $\OutViewingKeyLength$, and $\DiversifierLength$
|
||||
be as defined in \crossref{constants}.
|
||||
|
||||
Let $\PRFexpand{}$ and $\PRFock{}$ be \pseudoRandomFunctions instantiated in \crossref{concreteprfs}.
|
||||
|
||||
Let $\KASapling$ be a \keyAgreementScheme, instantiated in \crossref{concretesaplingkeyagreement}.
|
||||
|
||||
|
@ -3503,17 +3513,16 @@ Let $\DiversifyHash$ be a \hashFunction, instantiated in \crossref{concretediver
|
|||
Let $\SpendAuthSig$, instantiated in \crossref{concretespendauthsig},
|
||||
be a \rerandomizableSignatureScheme.
|
||||
|
||||
Let $\reprJ$, $\SubgroupJ$, and $\SubgroupReprJ$ be as defined in \crossref{jubjub}.
|
||||
|
||||
Let $\FindGroupJHash$ be as defined in \crossref{concretegrouphashjubjub}.
|
||||
|
||||
Let $\AuthProveBase = \FindGroupJHashOf{\ascii{Zcash\_H\_}, \ascii{}}$.
|
||||
|
||||
Let $\reprJ$ be the representation function for the $\JubjubCurve$ \representedGroup,
|
||||
instantiated in \crossref{jubjub}.
|
||||
|
||||
Let $\LEBStoOSP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$
|
||||
and $\LEOStoIP{} \typecolon (\ell \typecolon \Nat \suchthat \ell \bmod 8 = 0) \times \byteseq{\ell/8} \rightarrow \binaryrange{\ell}$
|
||||
be as defined in \crossref{endian}.
|
||||
|
||||
Define $\AuthProveBase := \FindGroupJHashOf{\ascii{Zcash\_H\_}, \ascii{}}$.
|
||||
|
||||
Define $\ToScalar(x \typecolon \PRFOutputExpand) := \LEOStoIPOf{\PRFOutputLengthExpand}{x} \pmod{\ParamJ{r}}$.
|
||||
|
||||
A new \Sapling \spendingKey $\SpendingKey$ is generated by choosing a bit sequence
|
||||
|
@ -3523,24 +3532,13 @@ uniformly at random from $\SpendingKeyType$.
|
|||
From this \spendingKey, the \authSigningKey $\AuthSignPrivate$ and \authProvingKey $\AuthProvePrivate$
|
||||
are derived as follows:
|
||||
|
||||
\begin{formulae}
|
||||
\item $\AuthSignPrivate := \ToScalar(\PRFexpand{\SpendingKey}([0]))$
|
||||
\item $\AuthProvePrivate := \ToScalar(\PRFexpand{\SpendingKey}([1]))$
|
||||
\item $\OutViewingKey := \truncate{32}(\PRFexpand{\SpendingKey}([2]))$
|
||||
\end{formulae}
|
||||
} %sapling
|
||||
\vspace{-0.5ex}
|
||||
\begin{tabular}{@{\hskip 1.7em}r@{\;}l}
|
||||
$\AuthSignPrivate$ &$:= \ToScalar(\PRFexpand{\SpendingKey}([0]))$ \\
|
||||
$\AuthProvePrivate$ &$:= \ToScalar(\PRFexpand{\SpendingKey}([1]))$ \\
|
||||
$\OutViewingKey$ &$:= \truncate{(\OutViewingKeyLength/8)}(\PRFexpand{\SpendingKey}([2]))$
|
||||
\end{tabular}
|
||||
|
||||
\newsavebox{\crhivkinputbox}
|
||||
\begin{lrbox}{\crhivkinputbox}
|
||||
\begin{bytefield}[bitwidth=0.06em]{512}
|
||||
\sapling{
|
||||
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJOf{\AuthSignPublic}\kern 0.05em}$} &
|
||||
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJOf{\AuthProvePublic}\kern 0.05em}$}
|
||||
}
|
||||
\end{bytefield}
|
||||
\end{lrbox}
|
||||
|
||||
\sapling{
|
||||
\vspace{1ex}
|
||||
$\AuthSignPublic$, $\AuthProvePublic$, and $\InViewingKey$ are then derived as:
|
||||
|
||||
|
@ -3548,7 +3546,7 @@ $\AuthSignPublic$, $\AuthProvePublic$, and $\InViewingKey$ are then derived as:
|
|||
\begin{tabular}{@{\hskip 1.7em}r@{\;}l}
|
||||
$\AuthSignPublic$ &$:= \SpendAuthSigDerivePublic(\AuthSignPrivate)$ \\
|
||||
$\AuthProvePublic$ &$:= \scalarmult{\AuthProvePrivate}{\AuthProveBase}$ \\
|
||||
$\InViewingKey$ &$:= \CRHivkBox{\crhivkinputbox}$.
|
||||
\plap{$\InViewingKey$}{$\OutViewingKey$} &$:= \CRHivk\big(\reprJOf{\AuthSignPublic}, \reprJOf{\AuthProvePublic}\kern-0.08em\big)$.
|
||||
\end{tabular}
|
||||
|
||||
If $\InViewingKey = 0$, discard this key and repeat with a new $\SpendingKey$.
|
||||
|
@ -3592,7 +3590,8 @@ Define:
|
|||
\Diversifier, &\caseotherwise
|
||||
\end{cases}$
|
||||
\item $\DefaultDiversifier(\sk \typecolon \SpendingKeyType) :=
|
||||
\first\big(\fun{i \typecolon \byte}{\CheckDiversifier(\truncate{(\DiversifierLength/8)}(\PRFexpand{\sk}([3, i]))) \typecolon \GroupJ}\big)$.
|
||||
\first\big(\fun{i \typecolon \byte}{\CheckDiversifier(\truncate{(\DiversifierLength/8)}(\PRFexpand{\sk}([3, i])))
|
||||
\typecolon \maybe{\SubgroupJ}}\big)$.
|
||||
\end{formulae}
|
||||
|
||||
For a random \spendingKey, $\DefaultDiversifier$ returns $\bot$ with probability approximately $2^{-256}$;
|
||||
|
@ -3628,12 +3627,12 @@ if this happens, discard the key and repeat with a different $\SpendingKey$.
|
|||
is computationally indistinguishable from that of $\SpendAuthSigGenPrivate()$ (defined
|
||||
in \crossref{concretespendauthsig}).
|
||||
\item Similarly, the distribution of $\AuthProvePrivate$, i.e.\
|
||||
$\PRFexpand{\SpendingKey}([1]) : \SpendingKey \leftarrowR \SpendingKeyType$,
|
||||
$\ToScalar(\PRFexpand{\SpendingKey}([1])) : \SpendingKey \leftarrowR \SpendingKeyType$,
|
||||
is computationally indistinguishable from the uniform distribution on $\GF{\ParamJ{r}}$.
|
||||
Since $\fun{\AuthProvePrivate \typecolon \GF{\ParamJ{r}}}
|
||||
{\reprJOf{\scalarmult{\AuthProvePrivate}{\AuthProveBase}} \typecolon \GroupJ}$
|
||||
is injective, the distribution of $\reprJOf{\AuthProvePublic}$ will be computationally
|
||||
indistinguishable from the uniform distribution on $\SubgroupReprJ$ (defined in \crossref{jubjub})
|
||||
Since $\fun{\AuthProvePrivate \typecolon \GF{\ParamJ{r}}^{\vphantom{X}}}
|
||||
{\reprJOf{\scalarmult{\AuthProvePrivate}{\AuthProveBase}} \typecolon \SubgroupReprJ}$
|
||||
is bijective, the distribution of $\reprJOf{\AuthProvePublic}$ will be computationally
|
||||
indistinguishable from the uniform distribution on $\SubgroupReprJ$
|
||||
which is the keyspace of $\PRFnfSapling{}$.
|
||||
\end{nnotes}
|
||||
} %sapling
|
||||
|
@ -3648,6 +3647,20 @@ Each \transaction includes a sequence of zero or more \joinSplitDescriptions.
|
|||
When this sequence is non-empty, the \transaction also includes encodings of a
|
||||
$\JoinSplitSig$ public verification key and signature.
|
||||
|
||||
Let $\MerkleHashLengthSprout$, $\PRFOutputLengthSprout$, $\RandomSeedLength$,
|
||||
$\NOld$, $\NNew$, and $\MAXMONEY$ be as defined in \crossref{constants}.
|
||||
|
||||
Let $\hSigCRH$ be as defined in \crossref{abstracthashes}.
|
||||
|
||||
Let $\NoteCommitSprout{}$ be as defined in \crossref{abstractcommit}.
|
||||
|
||||
Let $\KASprout$ be as defined in \crossref{abstractkeyagreement}.
|
||||
|
||||
Let $\Sym$ be as defined in \crossref{abstractsym}.
|
||||
|
||||
Let $\JoinSplit$ be as defined in \crossref{abstractzk}.
|
||||
|
||||
\vspace{1ex}
|
||||
\introlist
|
||||
A \joinSplitDescription consists of $(\vpubOld, \vpubNew, \rt, \nfOld{\allOld},
|
||||
\cmNew{\allNew}, \EphemeralPublic, \RandomSeed, \h{\allOld}, \ProofJoinSplit,
|
||||
|
@ -3658,11 +3671,11 @@ where
|
|||
the value that the \joinSplitTransfer removes from the \transparentValuePool};
|
||||
\item $\vpubNew \typecolon \range{0}{\MAXMONEY}$ is
|
||||
the value that the \joinSplitTransfer inserts into the \transparentValuePool;
|
||||
\item $\rt \typecolon \MerkleHash$ is an \anchor, as defined in
|
||||
\item $\rt \typecolon \MerkleHashSprout$ is an \anchor, as defined in
|
||||
\crossref{blockchain}, for the output \treestate of either
|
||||
a previous \block, or a previous \joinSplitTransfer in this
|
||||
\transaction.
|
||||
\item $\nfOld{\allOld} \typecolon \typeexp{\PRFOutput}{\NOld}$ is
|
||||
\item $\nfOld{\allOld} \typecolon \typeexp{\PRFOutputSprout}{\NOld}$ is
|
||||
the sequence of \nullifiers for the input \notes;
|
||||
\item $\cmNew{\allNew} \typecolon \typeexp{\NoteCommitSproutOutput}{\NNew}$ is
|
||||
the sequence of \noteCommitments for the output \notes;
|
||||
|
@ -3672,7 +3685,7 @@ where
|
|||
\item \changed{$\RandomSeed \typecolon \RandomSeedType$ is
|
||||
a seed that must be chosen independently at random for each
|
||||
\joinSplitDescription};
|
||||
\item $\h{\allOld} \typecolon \typeexp{\PRFOutput}{\NOld}$ is
|
||||
\item $\h{\allOld} \typecolon \typeexp{\PRFOutputSprout}{\NOld}$ is
|
||||
a sequence of tags that bind $\hSig$ to each
|
||||
$\AuthPrivate$ of the input \notes;
|
||||
\item $\ProofJoinSplit \typecolon \JoinSplitProof$ is a \zkProof with
|
||||
|
@ -3692,8 +3705,6 @@ $\joinSplitPubKey$ of the containing \transaction:
|
|||
\item $\hSig := \hSigCRH(\changed{\RandomSeed, \nfOld{\allOld},\,} \joinSplitPubKey)$.
|
||||
\end{formulae}
|
||||
|
||||
$\hSigCRH$ is instantiated in \crossref{hsigcrh}.
|
||||
|
||||
\vspace{2ex}
|
||||
\begin{consensusrules}
|
||||
\item Elements of a \joinSplitDescription{} \MUST have the types given
|
||||
|
@ -3719,6 +3730,11 @@ Let $\MerkleHashLengthSapling$ and $\PRFOutputLengthNfSapling$ be as defined in
|
|||
|
||||
Let $\ValueCommitOutput$ be as defined in \crossref{abstractcommit}.
|
||||
|
||||
Let $\SpendAuthSig$ be as defined in \crossref{spendauthsig}.
|
||||
|
||||
Let $\Spend$ be as defined in \crossref{abstractzk}.
|
||||
|
||||
\vspace{1ex}
|
||||
\introlist
|
||||
A \spendDescription consists of $(\cv, \rt, \nf, \AuthSignRandomizedPublic, \ProofSpend, \spendAuthSig)$
|
||||
where
|
||||
|
@ -3761,6 +3777,13 @@ An \outputTransfer, as specified in \crossref{spendsandoutputs}, is encoded in
|
|||
Each \transaction includes a sequence of zero or more \outputDescriptions.
|
||||
There are no signatures associated with \outputDescriptions.
|
||||
|
||||
Let $\KASapling$ be as defined in \crossref{abstractkeyagreement}.
|
||||
|
||||
Let $\Sym$ be as defined in \crossref{abstractsym}.
|
||||
|
||||
Let $\Spend$ be as defined in \crossref{abstractzk}.
|
||||
|
||||
\vspace{1ex}
|
||||
\introlist
|
||||
An \outputDescription consists of $(\cv, \cmU, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \ProofOutput)$
|
||||
where
|
||||
|
@ -3917,6 +3940,12 @@ The fields in a \joinSplitDescription allow for $\NOld$ input \notes, and
|
|||
$\NNew$ output \notes. In practice, we may wish to encode a \joinSplitTransfer
|
||||
with fewer input or output \notes. This is achieved using \dummyNotes.
|
||||
|
||||
Let $\AuthPrivateLength$ and $\PRFOutputLengthSprout$ be as defined in \crossref{constants}.
|
||||
|
||||
Let $\PRFnf{}$ be as defined in \crossref{abstractprfs}.
|
||||
|
||||
Let $\NoteCommitSproutTrapdoor$ be as defined in \crossref{abstractcommit}.
|
||||
|
||||
\introlist
|
||||
\changed{
|
||||
A \dummy{} \SproutOrNothing input \note, with index $i$ in the \joinSplitDescription,
|
||||
|
@ -3926,7 +3955,7 @@ is constructed as follows:
|
|||
\item Generate a new uniformly random \spendingKey $\AuthPrivateOld{i} \leftarrowR \bitseq{\AuthPrivateLength}$
|
||||
and derive its \payingKey $\AuthPublicOld{i}$.
|
||||
\item \vspace{-0.5ex} Set $\vOld{i} = 0$.
|
||||
\item Choose uniformly random $\NoteAddressRandOld{i} \leftarrowR \PRFOutput$
|
||||
\item Choose uniformly random $\NoteAddressRandOld{i} \leftarrowR \PRFOutputSprout$
|
||||
and $\NoteCommitRandOld{i} \leftarrowR \NoteCommitSproutTrapdoor$.
|
||||
\item Compute $\nfOld{i} = \PRFnf{\AuthPrivateOld{i}}(\NoteAddressRandOld{i})$.
|
||||
\item Construct a \dummy \merklePath $\TreePath{i}$ for use in the
|
||||
|
@ -3948,6 +3977,16 @@ otherwise unused inputs as in the case of a \joinSplitDescription; nevertheless
|
|||
it may be useful for privacy to obscure the number of real \shieldedInputs from
|
||||
\Sapling{} \notes{}.
|
||||
|
||||
Let $\SpendingKeyLength$ be as defined in \crossref{constants}.
|
||||
|
||||
Let $\ParamJ{r}$ and $\reprJ$ be as defined in \crossref{jubjub}.
|
||||
|
||||
Let $\AuthProveBase$ be as defined in \crossref{saplingkeycomponents}.
|
||||
|
||||
Let $\PRFnfSapling{}$ be as defined in \crossref{abstractprfs}.
|
||||
|
||||
Let $\NoteCommitSaplingTrapdoor$ be as defined in \crossref{abstractcommit}.
|
||||
|
||||
\introlist
|
||||
A \dummy{} \Sapling input \note is constructed as follows:
|
||||
|
||||
|
@ -4155,13 +4194,15 @@ Instead of generating a key pair at random, we generate it as a function of the
|
|||
and the \balancingValue.
|
||||
|
||||
\vspace{2ex}
|
||||
Let $\SubgroupJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}.
|
||||
|
||||
\introlist
|
||||
Let $\ValueCommit{}$, $\ValueCommitValueBase$, and $\ValueCommitRandBase$
|
||||
be as defined in \crossref{concretevaluecommit}:
|
||||
\begin{formulae}
|
||||
\item $\ValueCommit{} \typecolon \ValueCommitTrapdoor \times \ValueCommitType \rightarrow \ValueCommitOutput$;
|
||||
\item $\ValueCommitValueBase \typecolon \GroupJ$ is the value base in $\ValueCommit{}$;
|
||||
\item $\ValueCommitRandBase \typecolon \GroupJ$ is the randomness base in $\ValueCommit{}$.
|
||||
\item $\ValueCommitValueBase \typecolon \SubgroupJ$ is the value base in $\ValueCommit{}$;
|
||||
\item $\ValueCommitRandBase \typecolon \SubgroupJ$ is the randomness base in $\ValueCommit{}$.
|
||||
\end{formulae}
|
||||
|
||||
$\BindingSig$, $\combplus$, and $\grpplus$ are instantiated in \crossref{concretebindingsig}.
|
||||
|
@ -4390,12 +4431,12 @@ A valid instance of $\ProofJoinSplit$ assures that given a \primaryInput:
|
|||
\vspace{-1ex}
|
||||
\begin{formulae}
|
||||
\item $\oparen\rt \typecolon \MerkleHashSprout,\\
|
||||
\hparen\nfOld{\allOld} \typecolon \typeexp{\PRFOutput}{\NOld},\\
|
||||
\hparen\nfOld{\allOld} \typecolon \typeexp{\PRFOutputSprout}{\NOld},\\
|
||||
\hparen\cmNew{\allNew} \typecolon \typeexp{\NoteCommitSproutOutput}{\NNew},\vspace{0.6ex}\\
|
||||
\hparen\changed{\vpubOld \typecolon \ValueType,}\vspace{0.6ex}\\
|
||||
\hparen\vpubNew \typecolon \ValueType,\\
|
||||
\hparen\hSig \typecolon \hSigType,\\
|
||||
\hparen\h{\allOld} \typecolon \smash{\typeexp{\PRFOutput}{\NOld}\cparen}$,
|
||||
\hparen\h{\allOld} \typecolon \smash{\typeexp{\PRFOutputSprout}{\NOld}\cparen}$,
|
||||
\end{formulae}
|
||||
\vspace{-1ex}
|
||||
\introlist
|
||||
|
@ -4484,10 +4525,13 @@ Let $\ValueCommitAlg$ and $\NoteCommitSaplingAlg$ be as specified in \crossref{a
|
|||
|
||||
Let $\SpendAuthSig$ be as defined in \crossref{concretespendauthsig}.
|
||||
|
||||
Let $\GroupJ$ and the cofactor $\ParamJ{h}$ be as defined in \crossref{jubjub}.
|
||||
Let $\GroupJ$, $\SubgroupJ$, $\ParamJ{q}$, $\ParamJ{r}$, and $\ParamJ{h}$ be as defined in \crossref{jubjub}.
|
||||
|
||||
Let $\ExtractJ$ be as defined in \crossref{concreteextractorjubjub}.
|
||||
Let $\ExtractJ \typecolon \SubgroupJ \rightarrow \GF{\ParamJ{q}}$ be as defined in \crossref{concreteextractorjubjub}.
|
||||
|
||||
Let $\AuthProveBase$ be as defined in \crossref{saplingkeycomponents}.
|
||||
|
||||
\intropart
|
||||
A valid instance of $\ProofSpend$ assures that given a \primaryInput:
|
||||
|
||||
\begin{formulae}
|
||||
|
@ -5447,9 +5491,9 @@ $\PedersenHash$ is used in the \incrementalMerkleTree over \noteCommitments
|
|||
(\crossref{merkletree}) and in the definition of \xPedersenCommitments
|
||||
(\crossref{concretewindowedcommit}).
|
||||
|
||||
Let $\GroupJ$ be as defined in \crossref{jubjub}.
|
||||
Let $\GroupJ$, $\SubgroupJ$, $\ZeroJ$, $\ParamJ{q}$, $\ParamJ{r}$, $\ParamJ{a}$, and $\ParamJ{d}$ be as defined in \crossref{jubjub}.
|
||||
|
||||
Let $\ExtractJ$ be as defined in \crossref{concreteextractorjubjub}.
|
||||
Let $\ExtractJ \typecolon \SubgroupJ \rightarrow \GF{\ParamJ{q}}$ be as defined in \crossref{concreteextractorjubjub}.
|
||||
|
||||
Let $\FindGroupJHash$ be as defined in \crossref{concretegrouphashjubjub}.
|
||||
|
||||
|
@ -5464,7 +5508,7 @@ Let $c := 63$.
|
|||
|
||||
\introlist
|
||||
\vspace{2ex}
|
||||
Define $\PedersenGenAlg \typecolon \byteseq{8} \times \Nat \rightarrow \GroupJ$ by:
|
||||
Define $\PedersenGenAlg \typecolon \byteseq{8} \times \Nat \rightarrow \PrimeOrderJ$ by:
|
||||
|
||||
\begin{formulae}
|
||||
\item $\PedersenGen{D}{i} := \FindGroupJHashOf{D, \Justthebox{\gencountbox}}$.
|
||||
|
@ -5474,7 +5518,7 @@ Define $\PedersenGenAlg \typecolon \byteseq{8} \times \Nat \rightarrow \GroupJ$
|
|||
|
||||
\vspace{2ex}
|
||||
\introsection
|
||||
Define $\PedersenHashToPoint(D \typecolon \byteseq{8}, M \typecolon \bitseq{\PosInt})$ as follows:
|
||||
Define $\PedersenHashToPoint(D \typecolon \byteseq{8}, M \typecolon \bitseq{\PosInt}) \rightarrow \SubgroupJ$ as follows:
|
||||
|
||||
\begin{formulae}
|
||||
\item Pad $M$ to a multiple of $3$ bits by appending zero bits, giving $M'$.
|
||||
|
@ -5483,7 +5527,7 @@ Define $\PedersenHashToPoint(D \typecolon \byteseq{8}, M \typecolon \bitseq{\Pos
|
|||
so that $M' = \concatbits(M_\barerange{1}{n})$, and
|
||||
each of $M_\barerange{1}{n-1}$ is of length $3 \smult c$ bits.
|
||||
($M_n$ may be shorter.)
|
||||
\item Return $\vsum{i=1}{n} \scalarmult{\PedersenEncode{M_i}}{\PedersenGen{D}{i}} \typecolon \GroupJ$.
|
||||
\item Return $\vsum{i=1}{n} \scalarmult{\PedersenEncode{M_i}}{\PedersenGen{D}{i}} \typecolon \SubgroupJ$.
|
||||
\end{formulae}
|
||||
|
||||
where
|
||||
|
@ -5813,6 +5857,7 @@ corresponding to $\AuthProvePublicRepr$, with input in the bits corresponding to
|
|||
$\NoteAddressRand$. Note that $\AuthProvePublicRepr \typecolon \SubgroupReprJ$
|
||||
is a representation of a point in the $\ParamJ{r}$-order subgroup of the \jubjubCurve,
|
||||
and therefore is not uniformly distributed on $\ReprJ$.
|
||||
$\SubgroupReprJ$ is defined in \crossref{jubjub}.
|
||||
}
|
||||
} %sapling
|
||||
|
||||
|
@ -5930,11 +5975,11 @@ $\KASapling$ is a \keyAgreementScheme as specified in \crossref{abstractkeyagree
|
|||
It is instantiated as Diffie-Hellman with cofactor multiplication on $\JubjubCurve$
|
||||
as follows:
|
||||
|
||||
Let $\GroupJ$ and the cofactor $\ParamJ{h}$ be as defined in \crossref{jubjub}.
|
||||
Let $\GroupJ$, $\SubgroupJ$, and the cofactor $\ParamJ{h}$ be as defined in \crossref{jubjub}.
|
||||
|
||||
Define $\KASaplingPublic := \GroupJ$.
|
||||
|
||||
Define $\KASaplingSharedSecret := \GroupJ$.
|
||||
Define $\KASaplingSharedSecret := \SubgroupJ$.
|
||||
|
||||
Define $\KASaplingPrivate := \GF{\ParamJ{r}}$.
|
||||
|
||||
|
@ -6050,13 +6095,12 @@ We first describe the scheme $\RedDSA$ over a general \representedGroup.
|
|||
Its parameters are:
|
||||
\begin{itemize}
|
||||
\item a \representedGroup $\GroupG{}$, which also defines
|
||||
a subgroup order $\ParamG{r}$, a cofactor $\ParamG{h}$,
|
||||
a subgroup $\SubgroupG$ of order $\ParamG{r}$, a cofactor $\ParamG{h}$,
|
||||
a group operation $+$, an additive identity $\ZeroG{}$,
|
||||
a bit-length $\ellG{}$, a representation function $\reprG{}$,
|
||||
and an abstraction function $\abstG{}$, as specified in
|
||||
\crossref{abstractgroup};
|
||||
\item a generator $\GenG{}$ of the subgroup of $\GroupG{}$ of
|
||||
order $\ParamG{r}$;
|
||||
\item $\GenG{}$, a generator of $\SubgroupG$;
|
||||
\item a bit-length $\RedDSAHashLength \typecolon \Nat$ such that
|
||||
$2^{\RedDSAHashLength-128} \geq \ParamG{r}$ and $\RedDSAHashLength \bmod 8 = 0$;
|
||||
\item a cryptographic \hashFunction $\RedDSAHash \typecolon \byteseqs \rightarrow \byteseq{\RedDSAHashLength/8}$.
|
||||
|
@ -6181,7 +6225,7 @@ The scheme $\RedJubjub$ specializes $\RedDSA$ with:
\item $\RedDSAHash(x) := \BlakeTwobOf{512}{\ascii{Zcash\_RedJubjubH}, x}$ as defined in \crossref{concreteblake2}.
\end{itemize}
The generator $\GenG{}$ is left as an unspecified parameter, which is different between
The generator $\GenG{} \typecolon \SubgroupG$ is left as an unspecified parameter, which is different between
$\BindingSig$ and $\SpendAuthSig$.
} %sapling
@ -6667,6 +6711,10 @@ Let $\abstJ \typecolon \ReprJ \rightarrow \maybe{\GroupJ}$
be the left inverse of $\reprJ$ such that if $S$ is not in the range of
$\reprJ$, then $\abstJOf{S} = \bot$.
Define $\SubgroupJ$ as the order-$\ParamJ{r}$ subgroup of $\GroupJ$. Note that this includes $\ZeroJ$.
Define $\SubgroupReprJ := \setof{\reprJ(P) \typecolon \ReprJ \suchthat P \in \SubgroupJ}$.
\begin{nnotes}
\item The encoding of a compressed twisted Edwards point used here is
consistent with that used in EdDSA \cite{BJLSY2015} for public keys and
@ -6692,36 +6740,35 @@ other conditions on points, for example that they have order at least $\ParamJ{r
Let $\SelectuOf{(u, \varv)} = u$ and let $\SelectvOf{(u, \varv)} = \varv$.
Let $\ExtractJ \typecolon \GroupJ \rightarrow \GF{\ParamJ{q}}$ be $\Selectu$.
Let $\ExtractJ \typecolon \SubgroupJ \rightarrow \GF{\ParamJ{q}}$ be $\Selectu$.
Let $G$ be the subgroup of $\GroupJ$ of order $\ParamJ{r}$ (an odd prime).
\facts{The point $(0, 1) = \ZeroJ$, and the point $(0, -1)$ has order $2$ in $\GroupJ$.}
\facts{The point $(0, 1) = \ZeroJ$, and the point $(0, -1)$ has order $2$ in $\GroupJ$.
$\SubgroupJ$ is of odd-prime order.}
% <https://github.com/zcash/zcash/issues/2234#issuecomment-333360977>
\vspace{2ex}
\begin{lemma*}
Let $P = (u, \varv) \in G$. Then $(u, -\varv) \notin G$.
Let $P = (u, \varv) \in \SubgroupJ$. Then $(u, -\varv) \notin \SubgroupJ$.
\end{lemma*}
\begin{proof}
If $P = \ZeroJ$ then $(u, -\varv) = (0, -1) \notin G$.
If $P = \ZeroJ$ then $(u, -\varv) = (0, -1) \notin \SubgroupJ$.
Else, $P$ is of odd-prime order. Note that $\varv \neq 0$.
(If $\varv = 0$ then $a \mult u^2 = 1$, and so applying the doubling formula
gives $\scalarmult{2}{P} = (0, -1)$, then $\scalarmult{4}{P} = (0, 1) = \ZeroJ$;
contradiction since then $P$ would not be of odd-prime order.)
Therefore, $-\varv \neq \varv$.
Now suppose $(u, -\varv) = Q$ is a point in $G$. Then by applying the
Now suppose $(u, -\varv) = Q$ is a point in $\SubgroupJ$. Then by applying the
doubling formula we have $\scalarmult{2}{Q} = -\scalarmult{2}{P}$.
But also $\scalarmult{2}{(-P)} = -\scalarmult{2}{P}$. Therefore either
$Q = -P$ (then $\SelectvOf{Q} = \SelectvOf{-P}$\,; contradiction since
$-\varv \neq \varv$), or doubling is not injective on $G$ (contradiction
since $G$ is of odd order \cite{KvE2013}).
$-\varv \neq \varv$), or doubling is not injective on $\SubgroupJ$ (contradiction
since $\SubgroupJ$ is of odd order \cite{KvE2013}).
\end{proof}
\vspace{0.5ex}
\begin{theorem} \label{thmselectuinjective}
$\Selectu$ is injective on $G$.
$\Selectu$ is injective on $\SubgroupJ$.
\end{theorem}
\begin{proof}
@ -6731,8 +6778,8 @@ potentially exceptional case $1 - d \smult u^2 = 0$ does not occur for a
complete twisted Edwards curve, we see that for a given $u$ there can be at
most two possible solutions for $\varv$, and that if there are two solutions
they can be written as $\varv$ and $-\varv$. In that case by the Lemma, at
most one of $(u, \varv)$ and $(u, -\varv)$ is in $G$. Therefore, $\Selectu$
is injective on points in $G$.
most one of $(u, \varv)$ and $(u, -\varv)$ is in $\SubgroupJ$. Therefore, $\Selectu$
is injective on points in $\SubgroupJ$.
\end{proof}
}
@ -6754,7 +6801,7 @@ let $M \typecolon \byteseqs$ be the hash input.
\vspace{2ex}
\introlist
The hash $\GroupJHash{\CRS}(D, M)$ is calculated as follows:
The hash $\GroupJHash{\CRS}(D, M) \typecolon \PrimeOrderJ$ is calculated as follows:
\begin{formulae}
\item $P := \abstJOf{\LEOStoBSPOf{256}{\BlakeTwosOf{256}{D,\, \CRS \bconcat\, M}}}$
@ -6767,8 +6814,8 @@ Define $\first \typecolon (\byte \rightarrow \maybe{T}) \rightarrow \maybe{T}$
so that $\first(f) = f(i)$ where $i$ is the least integer in $\byte$
such that $f(i) \neq \bot$, or $\bot$ if no such $i$ exists.
Let $\FindGroupJHashOf{D, M} =
\first(\fun{i \typecolon \byte}{\GroupJHash{\CRS}(D, M \bconcat\, [i]) \typecolon \GroupJ})$.
Define $\FindGroupJHashOf{D, M} :=
\first(\fun{i \typecolon \byte}{\GroupJHash{\CRS}(D, M \bconcat\, [i]) \typecolon \maybe{(\PrimeOrderJ)}})$.
\begin{pnotes}
\item The $\BlakeTwos{256}$ chaining variable after processing $\CRS$ may be precomputed.
@ -9008,6 +9055,13 @@ found by Brian Warner.
\item Remove the consensus rule
``If $\nJoinSplit > 0$, the \transaction{} \MUSTNOT use \sighashTypes other than $\SIGHASHALL$.'',
which was never implemented.
\sapling{
\item Use the more precise subgroup types $\SubgroupG$ and $\SubgroupJ$ in preference to
$\GroupG{}$ and $\GroupJ$ where applicable.
\item Correct or improve the types of $\GroupJHash{}$, $\FindGroupJHash$, $\ExtractJ$, $\PRFexpand{}$, and $\CRHivk$.
\item Ensure that \Sprout functions and values are given \Sprout-specific types where appropriate.
\item Improve cross-referencing.
} %sapling
\end{itemize}
\introlist