8 -> h_J for Jubjub cofactor.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
31578a6f3c
commit
8c0e7b85f4
@ -3818,7 +3818,7 @@ the following steps:
\begin{enumerate}
\begin{enumerate}
\item Check that $\DiversifiedTransmitPublic \typecolon \KASaplingPublic$ is a
\item Check that $\DiversifiedTransmitPublic \typecolon \KASaplingPublic$ is a
valid Edwards point on the \jubjubCurve and that this point is not of
valid Edwards point on the \jubjubCurve and that this point is not of
small order (i.e.\ $\scalarmult{8}{\DiversifiedTransmitPublic} \neq \ZeroJ$).
small order (i.e.\ $\scalarmult{\ParamJ{h}}{\DiversifiedTransmitPublic} \neq \ZeroJ$).
|
|
\item Calculate $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$
\item Calculate $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$
and check that $\DiversifiedTransmitBase \neq \bot$.
and check that $\DiversifiedTransmitBase \neq \bot$.
@ -4447,9 +4447,9 @@ $\cvOld{} = \ValueCommit{\ValueCommitRandOld{}}(\vOld{})$.
\snarkcondition{Small order checks} \label{spendnonsmall}
\snarkcondition{Small order checks} \label{spendnonsmall}
|
|
$\AuthSignRandomizedPublic, \DiversifiedTransmitBase, \AuthSignPublic$
$\AuthSignRandomizedPublic, \DiversifiedTransmitBase, \AuthSignPublic$
are not of small order, i.e.\ $\scalarmult{8}{\AuthSignRandomizedPublic} \neq \ZeroJ$
are not of small order, i.e.\ $\scalarmult{\ParamJ{h}}{\AuthSignRandomizedPublic} \neq \ZeroJ$
and $\scalarmult{8}{\DiversifiedTransmitBase} \neq \ZeroJ$
and $\scalarmult{\ParamJ{h}}{\DiversifiedTransmitBase} \neq \ZeroJ$
and $\scalarmult{8}{\AuthSignPublic} \neq \ZeroJ$.
and $\scalarmult{\ParamJ{h}}{\AuthSignPublic} \neq \ZeroJ$.
|
|
\snarkcondition{\Nullifier{} integrity} \label{spendnullifierintegrity}
\snarkcondition{\Nullifier{} integrity} \label{spendnullifierintegrity}
|
|
@ -6655,7 +6655,7 @@ The hash $\GroupJHash{\CRS}(D, M)$ is calculated as follows:
\begin{formulae}
\begin{formulae}
\item $P := \abstJOf{\LEOStoIPOf{256}{\BlakeTwosOf{256}{D,\, \CRS \bconcat\, M}}}$
\item $P := \abstJOf{\LEOStoIPOf{256}{\BlakeTwosOf{256}{D,\, \CRS \bconcat\, M}}}$
\item If $P = \bot$ then return $\bot$.
\item If $P = \bot$ then return $\bot$.
\item $Q := \scalarmult{8}{P}$
\item $Q := \scalarmult{\ParamJ{h}}{P}$
\item If $Q = \ZeroJ$ then return $\bot$, else return $Q$.
\item If $Q = \ZeroJ$ then return $\bot$, else return $Q$.
\end{formulae}
\end{formulae}
|
|
@ -8923,6 +8923,7 @@ found by Brian Warner.
\item Define $\DefaultDiversifier$.
\item Define $\DefaultDiversifier$.
\item Change the \spendCircuit and \outputCircuit specifications to remove unintended differences
\item Change the \spendCircuit and \outputCircuit specifications to remove unintended differences
from sapling-crypto.
from sapling-crypto.
\item Use $\ParamJ{h}$ to refer to the \jubjubCurve cofactor, rather than $8$.
\item Correct an error in the $y$-coordinate formula for addition
\item Correct an error in the $y$-coordinate formula for addition
in \crossref{cctmontarithmetic} (the constraints were correct).
in \crossref{cctmontarithmetic} (the constraints were correct).
} %sapling
} %sapling
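Review bot: The "i.e." in the first hunk, `small order (i.e.\ $\scalarmult{\ParamJ{h}}{\DiversifiedTransmitPublic} \neq \ZeroJ$)`, and the identical phrasing in the spendnonsmall condition and the GroupJHash step, present cofactor multiplication as equivalent to "not of small order", which is only true when the small-order subgroup of the \jubjubCurve has order exactly $\ParamJ{h}$ (the commit title gives the concrete value 8, and nothing in the diff states that equivalence). Now that the constant is referenced symbolically, a reader comparing the check against a different curve or parameter set, or an implementer who clears the cofactor with a different multiple, could miss that dependency, and in the first hunk the check is applied to a point decoded from untrusted input. I would add a one-sentence note at the first occurrence, e.g. `% Multiplying by $\ParamJ{h}$ detects all small-order points only because the small-order subgroup of the \jubjubCurve has order exactly $\ParamJ{h}$; see the definition of $\ParamJ{h}$.`, with the cross-reference adjusted to wherever $\ParamJ{h}$ is defined, which I cannot see in this diff. Separately, the ordering in the first hunk (validate that the decoded value is a point on the curve, then apply the cofactor check) is the right one and should stay as written.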