mirror of https://github.com/zcash/zips.git
Group Hash and DiversifyHash refactoring. Also fix an error in the definition of set difference.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
f480f351b7
commit
8c80decd3b
|
@ -530,7 +530,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\HashExtractor}{\titleterm{Hash Extractor}}
|
||||
\newcommand{\groupHash}{\term{group hash}}
|
||||
\newcommand{\groupHashes}{\term{group hashes}}
|
||||
\newcommand{\GroupHash}{\titleterm{Group Hash}}
|
||||
\newcommand{\representedPairing}{\term{represented pairing}}
|
||||
\newcommand{\RepresentedPairing}{\titleterm{Represented Pairing}}
|
||||
\newcommand{\RepresentedGroupsAndPairings}{\titleterm{Represented Groups and Pairings}}
|
||||
|
@ -545,7 +544,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\JubjubCurve}{\mathsf{Jubjub}}
|
||||
\newcommand{\jubjubCurve}{\term{Jubjub curve}}
|
||||
\newcommand{\Jubjub}{\titleterm{Jubjub}}
|
||||
\newcommand{\commonRandomString}{\term{Common Random String}}
|
||||
\newcommand{\uniformRandomString}{\term{Uniform Random String}}
|
||||
\newcommand{\uniformRandomStrings}{\term{Uniform Random Strings}}
|
||||
\newcommand{\BNRepresentedPairing}{\titleterm{BN-254}}
|
||||
\newcommand{\BLSRepresentedPairing}{\titleterm{BLS12-381}}
|
||||
\newcommand{\ppzkSNARK}{\term{preprocessing zk-SNARK}}
|
||||
|
@ -782,6 +782,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\bconcat}{\mathop{\kern 0.05em||}}
|
||||
\newcommand{\listcomp}[1]{\overlap{0.06em}{\ensuremath{[}}~{#1}~\overlap{0.06em}{\ensuremath{]}}}
|
||||
\newcommand{\fun}[2]{{#1} \mapsto {#2}}
|
||||
\newcommand{\exclusivefun}[3]{{#1} \mapsto_{\neq\kern 0.05em{#3}\!} {#2}}
|
||||
\newcommand{\first}{\mathsf{first}}
|
||||
\newcommand{\for}{\text{ for }}
|
||||
\newcommand{\from}{\text{ from }}
|
||||
|
@ -1478,6 +1479,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\Selectv}{\scalebox{1.53}{$\varv$}}
|
||||
\newcommand{\SelectvOf}[1]{\Selectv\!\left({#1}\right)\!}
|
||||
\newcommand{\subgroupr}{(\kern-0.075emr\kern-0.075em)}
|
||||
\newcommand{\Extract}{\mathsf{Extract}}
|
||||
\newcommand{\GroupHash}{\mathsf{GroupHash}}
|
||||
\newcommand{\FindGroupHash}{\mathsf{FindGroupHash}}
|
||||
|
||||
\newcommand{\ParamP}[1]{{{#1}_\mathbb{P}}}
|
||||
\newcommand{\ParamPexp}[2]{{{#1}_\mathbb{P}\!}^{#2}}
|
||||
|
@ -1497,7 +1501,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\GroupGstar}[1]{\mathbb{G}^\ast_{#1}}
|
||||
\newcommand{\SubgroupG}{\mathbb{G}_{\subgroupr}}
|
||||
\newcommand{\SubgroupReprG}{\SubgroupG^{\ReprNoKern}}
|
||||
\newcommand{\GroupGHash}[1]{\mathsf{GroupHash}^{\SubgroupG}_{#1}}
|
||||
\newcommand{\CurveG}[1]{\Curve_{\GroupG{#1}}}
|
||||
\newcommand{\ZeroG}[1]{\Zero_{\GroupG{#1}}}
|
||||
\newcommand{\GenG}[1]{\Generator_{\GroupG{#1}}}
|
||||
|
@ -1508,7 +1511,12 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\abstG}[1]{\abst_{\GroupG{#1}}}
|
||||
\newcommand{\abstGOf}[2]{\abstG{#1}\!\left({#2}\right)\!}
|
||||
\newcommand{\PairingG}{\ParamG{\hat{e}}}
|
||||
\newcommand{\ExtractG}{\mathsf{Extract}_{\SubgroupG}}
|
||||
|
||||
\newcommand{\ExtractG}{\Extract_{\SubgroupG}}
|
||||
\newcommand{\GroupGHash}[1]{\GroupHash^{\SubgroupG}_{#1}}
|
||||
\newcommand{\GroupGHashURSType}{\GroupHash\mathsf{.URSType}}
|
||||
\newcommand{\GroupGHashInput}{\GroupHash\mathsf{.Input}}
|
||||
\newcommand{\URS}{\mathsf{URS}}
|
||||
|
||||
\newcommand{\ParamS}[1]{{{#1}_\mathbb{\hskip 0.03em S}}}
|
||||
\newcommand{\ParamSexp}[2]{{{#1}_\mathbb{\hskip 0.03em S}\!}^{#2}}
|
||||
|
@ -1530,7 +1538,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\SubgroupJ}{\mathbb{J}_{\subgroupr}}
|
||||
\newcommand{\SubgroupReprJ}{\SubgroupJ^{\ReprNoKern}}
|
||||
\newcommand{\PrimeOrderJ}{\SubgroupJ \difference \ZeroJ}
|
||||
\newcommand{\GroupJHash}[1]{\mathsf{GroupHash}^{\SubgroupJ}_{#1}}
|
||||
\newcommand{\CurveJ}{\Curve_{\GroupJ}}
|
||||
\newcommand{\ZeroJ}{\Zero_{\GroupJ}}
|
||||
\newcommand{\GenJ}{\Generator_{\GroupJ}}
|
||||
|
@ -1540,11 +1547,16 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\reprJOf}[1]{\reprJ\!\left({#1}\right)\!}
|
||||
\newcommand{\abstJ}{\abst_{\GroupJ}}
|
||||
\newcommand{\abstJOf}[1]{\abstJ\!\left({#1}\right)\!}
|
||||
\newcommand{\ExtractJ}{\mathsf{Extract}_{\SubgroupJ}}
|
||||
\newcommand{\FindGroupJHash}{\mathsf{FindGroupHash}^{\SubgroupJ}}
|
||||
\newcommand{\FindGroupJHashOf}[1]{\FindGroupJHash\!\left({#1}\right)\!}
|
||||
\newcommand{\SignedScalarLimitJ}{\frac{\ParamJ{r}-1}{2}}
|
||||
|
||||
\newcommand{\ExtractJ}{\Extract_{\SubgroupJ}}
|
||||
\newcommand{\GroupJHash}[1]{\GroupHash^{\SubgroupJ}_{#1}}
|
||||
\newcommand{\GroupJHashURSType}{\GroupJHash{}\mathsf{.URSType}}
|
||||
\newcommand{\GroupJHashInput}{\GroupJHash{}\mathsf{.Input}}
|
||||
\newcommand{\HashOutput}{\bytes{H}}
|
||||
\newcommand{\FindGroupJHash}{\FindGroupHash^{\SubgroupJ}}
|
||||
\newcommand{\FindGroupJHashOf}[1]{\FindGroupJHash\!\left({#1}\right)\!}
|
||||
|
||||
\newcommand{\ParamM}[1]{{{#1}_\mathbb{\hskip 0.03em M}}}
|
||||
\newcommand{\ParamMexp}[2]{{{#1}_\mathbb{\hskip 0.03em M}\!}^{#2}}
|
||||
|
||||
|
@ -1562,9 +1574,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\xP}{{x_{\hspace{-0.12em}P}}}
|
||||
\newcommand{\yP}{{y_{\hspace{-0.03em}P}}}
|
||||
|
||||
\newcommand{\CRS}{\mathsf{CRS}}
|
||||
\newcommand{\CRSType}{\mathsf{CRSType}}
|
||||
|
||||
% Conversions
|
||||
|
||||
\newcommand{\ECtoOSP}{\mathsf{EC2OSP}}
|
||||
|
@ -1942,11 +1951,27 @@ written as subscripts, e.g.\ if $x \typecolon X$, $y \typecolon Y$, and
|
|||
$f \typecolon X \times Y \rightarrow Z$, then an invocation of
|
||||
$f(x, y)$ can also be written $f_x(y)$.
|
||||
|
||||
$\setof{x \typecolon T \suchthat p_x}$ means the subset of $x$ from $T$
|
||||
for which $p_x$ (a boolean expression depending on $x$) holds.
|
||||
|
||||
$T \subseteq U$ indicates that $T$ is an inclusive subset or subtype of $U$.
|
||||
$S \union T$ means the set union of $S$ and $T$.
|
||||
|
||||
$S \intersection T$ means the set intersection of $S$ and $T$,
|
||||
i.e.\ $\setof{x \typecolon S \suchthat x \in T}$.
|
||||
|
||||
\notsprout{
|
||||
$S \difference T$ means the set difference obtained by removing elements
|
||||
in $T$ from $S$, i.e. $\setof{x \typecolon S \suchthat x \notin T}$.
|
||||
|
||||
$\fun{x \typecolon T}{e_x \typecolon U}$ means the function of type $T \rightarrow U$
|
||||
mapping formal parameter $x$ to $e_x$ (an expression depending on~$x$).
|
||||
The types $T$ and $U$ are always explicit.
|
||||
|
||||
$\exclusivefun{x \typecolon T}{e_x \typecolon U}{y}$ means
|
||||
$\fun{x \typecolon T}{e_x \typecolon U \union \setof{y}}$ restricted to the domain
|
||||
$\setof{x \typecolon T \suchthat e_x \neq y}$ and range $U$.
|
||||
|
||||
$\powerset{T}$ means the powerset of $T$.
|
||||
}
|
||||
|
||||
|
@ -1963,23 +1988,6 @@ $\length(S)$ means the length of (number of elements in) $S$.
|
|||
$\truncate{k}(S)$ means the sequence formed from the first $k$ elements of $S$.
|
||||
}
|
||||
|
||||
$T \subseteq U$ indicates that $T$ is an inclusive subset or subtype of $U$.
|
||||
|
||||
\notsprout{
|
||||
$\setof{x \typecolon T \suchthat p(x)}$ means the subset of $x$ from $T$
|
||||
for which $p(x)$ holds.
|
||||
}
|
||||
|
||||
$S \union T$ means the set union of $S$ and $T$, or the type corresponding
|
||||
to it.
|
||||
|
||||
$S \intersection T$ means the set intersection of $S$ and $T$.
|
||||
|
||||
\notsprout{
|
||||
$S \difference T$ means the set difference obtained by removing elements
|
||||
in $T$ from $S$, i.e. $\setof{x \typecolon S \suchthat x \neq T}$.
|
||||
}
|
||||
|
||||
$\hexint{}$ followed by a string of $\mathtt{monospace}$ hexadecimal
|
||||
digits means the corresponding integer converted from hexadecimal.
|
||||
|
||||
|
@ -2693,9 +2701,8 @@ to derive the unique $\NoteAddressRand$ value for a \Sapling \note. It is also u
|
|||
in the \spendStatement to confirm use of the correct $\NoteAddressRand$ value as an
|
||||
input to \nullifier derivation. It is instantiated in \crossref{concretemixinghash}.
|
||||
|
||||
$\DiversifyHash \typecolon \DiversifierType \rightarrow \SubgroupJ$ is a \hashFunction
|
||||
satisfying the Discrete Logarithm Independence property (which implies \collisionResistance\!\!)
|
||||
described in \crossref{abstractgrouphash}.
|
||||
$\DiversifyHash \typecolon \DiversifierType \rightarrow \PrimeOrderJ$ is a \hashFunction
|
||||
satisfying the Unlinkability security property described in \crossref{concretediversifyhash}.
|
||||
It is used to derive a \diversifiedBase from a \diversifier in \crossref{saplingkeycomponents}.
|
||||
It is instantiated in \crossref{concretediversifyhash}.
|
||||
} %sapling
|
||||
|
@ -3311,43 +3318,60 @@ efficiently computable left inverse.
|
|||
|
||||
\sapling{
|
||||
\introlist
|
||||
\subsubsection{\GroupHash} \label{abstractgrouphash}
|
||||
\subsubsection{Group Hash} \label{abstractgrouphash}
|
||||
|
||||
Given a represented group $\GroupG{}$ with prime-order subgroup $\SubgroupG$,
|
||||
and a type $\CRSType$, we define a \term{family of group hashes into\, $\SubgroupG$}
|
||||
as a function
|
||||
a \term{family of group hashes into\, $\SubgroupG$}, $\GroupGHash{}$, consists of:
|
||||
|
||||
\begin{formulae}
|
||||
\item $\GroupGHash{} \typecolon \CRSType \times (\byteseq{8} \times \byteseqs) \rightarrow \SubgroupG$
|
||||
\end{formulae}
|
||||
\begin{itemize}
|
||||
\item a type $\GroupGHashURSType$ of \uniformRandomStrings;
|
||||
\item a type $\GroupGHashInput$ of inputs;
|
||||
\item a function $\GroupGHash{} \typecolon \GroupGHashURSType \times \GroupGHashInput \rightarrow \SubgroupG$.
|
||||
\end{itemize}
|
||||
|
||||
In \crossref{concretegrouphashjubjub}, we instantiate a family of group hashes into
|
||||
the \jubjubCurve defined by \crossref{jubjub}.
|
||||
|
||||
\vspace{-2ex}
|
||||
\securityrequirement{\textbf{Discrete Logarithm Independence}
|
||||
|
||||
For a randomly selected member $\GroupGHash{\CRS}$ of the family, it is infeasible to find
|
||||
a sequence of \emph{distinct} inputs $m_{\alln} \typecolon \typeexp{(\byteseq{8} \times \byteseqs)}{n}$
|
||||
and a sequence of nonzero $x_{\alln} \typecolon \typeexp{\GFstar{\ParamG{r}}}{n}$
|
||||
such that $\ssum{i = 1}{n}\!\left(\scalarmult{x_i}{\GroupGHash{\CRS}(m_i)}\right) = \ZeroG{}$.
|
||||
}
|
||||
\securityrequirement{
|
||||
For a randomly selected $\URS \typecolon \GroupGHashURSType$,
|
||||
it must be reasonble to model $\GroupGHash{\URS}$ (restricted to inputs for which it does
|
||||
not return $\bot$) as a random oracle.
|
||||
} %securityrequirement
|
||||
|
||||
\vspace{-1ex}
|
||||
\begin{nnotes}
|
||||
\item This property implies (and is stronger than) collision-resistance,
|
||||
since a collision $(m_1, m_2)$ for $\GroupGHash{\CRS}$ trivially gives a
|
||||
discrete logarithm relation with $x_1 = 1$ and $x_2 = -1$.
|
||||
\item An alternative approach is to model $\GroupGHash{\CRS}$ as a random
|
||||
oracle, and assume that the Discrete Logarithm Problem is hard in
|
||||
the group. We prefer to avoid the Random Oracle Model and instead make
|
||||
a more specific standard-model assumption, which is effectively no
|
||||
stronger than the assumptions made in the random oracle approach.
|
||||
\item $\CRS$ is a \commonRandomString; we choose it verifiably at random
|
||||
\vspace{-0.5ex}
|
||||
\item $\GroupJHash{}$ is used to obtain generators of the \jubjubCurve for various purposes:
|
||||
the bases $\AuthSignBase$ and $\AuthProveBase$ used in \Sapling key generation,
|
||||
the \xPedersenHash defined in \crossref{concretepedersenhash}, and
|
||||
the commitment schemes defined in \crossref{concretewindowedcommit} and
|
||||
in \crossref{concretehomomorphiccommit}.
|
||||
|
||||
The security property needed for these uses can alternatively be defined in the
|
||||
standard model as follows:
|
||||
|
||||
\textbf{Discrete Logarithm Independence}:
|
||||
For a randomly selected member $\GroupGHash{\URS}$ of the family, it is infeasible to find
|
||||
a sequence of \emph{distinct} inputs $m_{\alln} \typecolon \typeexp{\GroupGHashInput}{n}$
|
||||
and a sequence of nonzero $x_{\alln} \typecolon \typeexp{\GFstar{\ParamG{r}}}{n}$
|
||||
such that $\ssum{i = 1}{n}\!\left(\scalarmult{x_i}{\GroupGHash{\URS}(m_i)}\right) = \ZeroG{}$.
|
||||
\item Under the Discrete Logarithm assumption on $\GroupG{}$, a random oracle almost surely satisfies
|
||||
Discrete Logarithm Independence.
|
||||
\item Discrete Logarithm Independence implies \collisionResistance\!,
|
||||
since a collision $(m_1, m_2)$ for $\GroupGHash{\URS}$ trivially gives a
|
||||
discrete logarithm relation with $x_1 = 1$ and $x_2 = -1$. It is in fact
|
||||
stronger than \collisionResistance\!.
|
||||
\item $\GroupJHash{}$ is also used to instantiate $\DiversifyHash$ in \crossref{concretediversifyhash}.
|
||||
We do not know how to prove the Unlinkability property defined in that section
|
||||
in the standard model, but in a model where $\GroupJHash{}$ (restricted to
|
||||
inputs for which it does not return $\bot$) is taken as a random oracle,
|
||||
it is implied by the Decisional Diffie-Hellman assumption on $\SubgroupJ$.
|
||||
\item $\URS$ is a \uniformRandomString; we choose it verifiably at random
|
||||
(see \crossref{beacon}), \emph{after} fixing the concrete
|
||||
group hash algorithm to be used.
|
||||
This mitigates the possibility that the group hash algorithm could have
|
||||
been backdoored.
|
||||
\item The input element with type $\byteseq{8}$ is intended to act as a
|
||||
``personalization'' parameter to distinguish uses of the \groupHash for
|
||||
different purposes.
|
||||
\end{nnotes}
|
||||
} %sapling
|
||||
|
||||
|
@ -3540,9 +3564,8 @@ Let $\DiversifyHash$ be a \hashFunction, instantiated in \crossref{concretediver
|
|||
Let $\SpendAuthSig$, instantiated in \crossref{concretespendauthsig},
|
||||
be a \rerandomizableSignatureScheme.
|
||||
|
||||
Let $\reprJ$, $\SubgroupJ$, and $\SubgroupReprJ$ be as defined in \crossref{jubjub}.
|
||||
|
||||
Let $\FindGroupJHash$ be as defined in \crossref{concretegrouphashjubjub}.
|
||||
Let $\reprJ$, $\SubgroupJ$, and $\SubgroupReprJ$ be as defined in \crossref{jubjub}, and
|
||||
let $\FindGroupJHash$ be as defined in \crossref{concretegrouphashjubjub}.
|
||||
|
||||
Let $\LEBStoOSP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$
|
||||
and $\LEOStoIP{} \typecolon (\ell \typecolon \Nat \suchthat \ell \bmod 8 = 0) \times \byteseq{\ell/8} \rightarrow \binaryrange{\ell}$
|
||||
|
@ -3617,7 +3640,7 @@ be as defined in \crossref{concretegrouphashjubjub}. Define:
|
|||
\end{cases}$
|
||||
\item $\DefaultDiversifier(\sk \typecolon \SpendingKeyType) :=
|
||||
\first\big(\fun{i \typecolon \byte}{\CheckDiversifier(\truncate{(\DiversifierLength/8)}(\PRFexpand{\sk}([3, i])))
|
||||
\typecolon \maybe{\SubgroupJ}}\big)$.
|
||||
\typecolon \maybe{(\PrimeOrderJ)}}\big)$.
|
||||
\end{formulae}
|
||||
|
||||
For a random \spendingKey, $\DefaultDiversifier$ returns $\bot$ with probability approximately $2^{-256}$;
|
||||
|
@ -5547,9 +5570,24 @@ Define
|
|||
|
||||
\vspace{-3ex}
|
||||
\securityrequirement{
|
||||
$\DiversifyHash$ must satisfy the Discrete Logarithm Independence property
|
||||
described in \crossref{abstractgrouphash}.
|
||||
}
|
||||
\textbf{Unlinkability:} Given two randomly selected
|
||||
\paymentAddresses from different spend authorities, and a third \paymentAddress
|
||||
which could be derived from either of those authorities, it is not possible to
|
||||
tell which authority the third address was derived from.}
|
||||
|
||||
\begin{nnotes}
|
||||
\item Suppose that $\GroupJHash{}$ (restricted to inputs for which it does not
|
||||
return $\bot$) is modelled as a random oracle from \diversifiers to points
|
||||
of order $\ParamJ{r}$ on the \jubjubCurve. In this model, Unlinkability
|
||||
of $\DiversifyHash$ holds under the Decisional Diffie-Hellman assumption on the
|
||||
\jubjubCurve.
|
||||
\item Informally, the random self-reducibility property of DDH implies that an
|
||||
adversary would gain no advantage from being able to query an oracle for
|
||||
additional $(\DiversifiedTransmitBase, \DiversifiedTransmitPublic)$ pairs
|
||||
with the same spend authority as an existing \paymentAddress, since they
|
||||
could also create such pairs on their own. This justifies only considering
|
||||
two \paymentAddresses in the security definition.
|
||||
\end{nnotes}
|
||||
} %sapling
|
||||
|
||||
|
||||
|
@ -6799,6 +6837,7 @@ be the left inverse of $\reprJ$ such that if $S$ is not in the range of
|
|||
$\reprJ$, then $\abstJOf{S} = \bot$.
|
||||
|
||||
Define $\SubgroupJ$ as the order-$\ParamJ{r}$ subgroup of $\GroupJ$. Note that this includes $\ZeroJ$.
|
||||
For the set of prime-order points we write $\PrimeOrderJ$.
|
||||
|
||||
Define $\SubgroupReprJ := \setof{\reprJ(P) \typecolon \ReprJ \suchthat P \in \SubgroupJ}$.
|
||||
|
||||
|
@ -6877,9 +6916,17 @@ $\Selectu$ is injective on points in $\SubgroupJ$.
|
|||
|
||||
\sapling{
|
||||
\introsection
|
||||
\subsubsubsection{\GroupHash{} into \Jubjub} \label{concretegrouphashjubjub}
|
||||
\subsubsubsection{Group Hash into \Jubjub} \label{concretegrouphashjubjub}
|
||||
|
||||
Let $\CRS$ be the MPC randomness beacon defined in \crossref{beacon}.
|
||||
\vspace{-2ex}
|
||||
Let $\GroupGHashInput := \byteseq{8} \times \byteseqs$, and
|
||||
let $\GroupGHashURSType := \byteseq{64}$.
|
||||
|
||||
(The input element with type $\byteseq{8}$ is intended to act as a
|
||||
``personalization'' parameter to distinguish uses of the \groupHash for
|
||||
different purposes.)
|
||||
|
||||
Let $\URS$ be the MPC randomness beacon defined in \crossref{beacon}.
|
||||
|
||||
Let $\BlakeTwos{256}$ be as defined in \crossref{concreteblake2}.
|
||||
|
||||
|
@ -6892,15 +6939,38 @@ Let $D \typecolon \byteseq{8}$ be an $8$-byte domain separator, and
|
|||
let $M \typecolon \byteseqs$ be the hash input.
|
||||
|
||||
\introlist
|
||||
The hash $\GroupJHash{\CRS}(D, M) \typecolon \PrimeOrderJ$ is calculated as follows:
|
||||
The hash $\GroupJHash{\URS}(D, M) \typecolon \PrimeOrderJ$ is calculated as follows:
|
||||
|
||||
\begin{algorithm}
|
||||
\item $P := \abstJOf{\LEOStoBSPOf{256}{\BlakeTwosOf{256}{D,\, \CRS \bconcat\, M}}}$
|
||||
\item If $P = \bot$ then return $\bot$.
|
||||
\item $Q := \scalarmult{\ParamJ{h}}{P}$
|
||||
\item If $Q = \ZeroJ$ then return $\bot$, else return $Q$.
|
||||
\item let $\HashOutput = \BlakeTwos{256}(D,\, \URS \bconcat\, M)$
|
||||
\item let $P = \abstJOf{\LEOStoBSP{256}(\HashOutput)\kern-0.12em}$
|
||||
\item if $P = \bot$ then return $\bot$
|
||||
\item let $Q = \scalarmult{\ParamJ{h}}{P}$
|
||||
\item if $Q = \ZeroJ$ then return $\bot$, else return $Q$.
|
||||
\end{algorithm}
|
||||
|
||||
\vspace{-3ex}
|
||||
\begin{pnotes}
|
||||
\vspace{-1ex}
|
||||
\item The $\BlakeTwos{256}$ chaining variable after processing $\URS$ may be precomputed.
|
||||
\item The use of $\GroupJHash{\URS}$ for $\DiversifyHash$ and to generate independent bases
|
||||
needs a random oracle (for inputs on which $\GroupJHash{\URS}$ does not return $\bot$);
|
||||
here we show that it is sufficient to employ a simpler random oracle instantiated by
|
||||
$\vphantom{a^b}\BlakeTwos{256}$ in the security analysis.
|
||||
|
||||
$\exclusivefun{\HashOutput \typecolon \byteseq{32}}
|
||||
{\abstJOf{\LEOStoBSP{256}(\HashOutput)\kern-0.12em} \typecolon \GroupJ}{\bot}$
|
||||
is injective, and both it and its inverse are efficiently computable.
|
||||
|
||||
$\exclusivefun{P \typecolon \GroupJ}
|
||||
{\scalarmult{\ParamJ{h}}{P} \typecolon \PrimeOrderJ}{\ZeroJ}$
|
||||
is exactly $\ParamJ{h}$-to-$1$, and both it and its inverse relation are efficiently computable.
|
||||
|
||||
It follows that when $\fun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)}
|
||||
{\BlakeTwosOf{256}{D,\, \URS \bconcat\, M} \typecolon \byteseq{32}}$
|
||||
is modelled as a random oracle, $\exclusivefun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)}
|
||||
{\GroupJHash{\URS}(D, M) \typecolon \PrimeOrderJ}{\bot}$ also acts as a random oracle.
|
||||
\end{pnotes}
|
||||
|
||||
\vspace{0.5ex}
|
||||
Define $\first \typecolon (\byte \rightarrow \maybe{T}) \rightarrow \maybe{T}$
|
||||
|
@ -6908,15 +6978,14 @@ so that $\first(f) = f(i)$ where $i$ is the least integer in $\byte$
|
|||
such that $f(i) \neq \bot$, or $\bot$ if no such $i$ exists.
|
||||
|
||||
Define $\FindGroupJHashOf{D, M} :=
|
||||
\first(\fun{i \typecolon \byte}{\GroupJHash{\CRS}(D, M \bconcat\, [i]) \typecolon \maybe{(\PrimeOrderJ)}})$.
|
||||
\first(\fun{i \typecolon \byte}{\GroupJHash{\URS}(D, M \bconcat\, [i]) \typecolon \maybe{(\PrimeOrderJ)}})$.
|
||||
|
||||
\begin{pnotes}
|
||||
\item The $\BlakeTwos{256}$ chaining variable after processing $\CRS$ may be precomputed.
|
||||
\item For random input, $\FindGroupJHash$ returns $\bot$ with probability approximately $2^{-256}$.
|
||||
In the \Zcash protocol, most uses of $\FindGroupJHash$ are for constants and do not
|
||||
return $\bot$; the only use that could potentially return $\bot$ is in the
|
||||
computation of a \defaultDiversifiedPaymentAddress in \crossref{saplingkeycomponents}.
|
||||
\end{pnotes}
|
||||
\vspace{-3ex}
|
||||
\pnote{For random input, $\FindGroupJHash$ returns $\bot$ with probability approximately $2^{-256}$.
|
||||
In the \Zcash protocol, most uses of $\FindGroupJHash$ are for constants and do not
|
||||
return $\bot$; the only use that could potentially return $\bot$ is in the
|
||||
computation of a \defaultDiversifiedPaymentAddress in \crossref{saplingkeycomponents}.
|
||||
} %pnote
|
||||
} %sapling
|
||||
|
||||
|
||||
|
@ -7560,7 +7629,7 @@ These parameters were obtained by a multi-party computation described in \todo{}
|
|||
\introsection
|
||||
\subsection{Randomness Beacon} \label{beacon}
|
||||
|
||||
Let $\CRS := \ascii{096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b42df0}$.
|
||||
Let $\URS := \ascii{096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b42df0}$.
|
||||
|
||||
This value is used in the definition of $\GroupJHash{}$ in \crossref{concretegrouphashjubjub},
|
||||
and in the multi-party computation to obtain the \Sapling parameters given in
|
||||
|
@ -7576,7 +7645,7 @@ It is derived as described in \cite{Bowe2018}:
|
|||
\end{itemize}
|
||||
|
||||
\vspace{-4ex}
|
||||
\pnote{$\CRS$ is a $64$-byte US-ASCII string, i.e.\ the first byte is \hexint{30}, not \hexint{09}.}
|
||||
\pnote{$\URS$ is a $64$-byte US-ASCII string, i.e.\ the first byte is \hexint{30}, not \hexint{09}.}
|
||||
} %sapling
|
||||
|
||||
|
||||
|
@ -9160,12 +9229,21 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\item Remove the consensus rule
|
||||
``If $\nJoinSplit > 0$, the \transaction{} \MUSTNOT use \sighashTypes other than $\SIGHASHALL$.'',
|
||||
which was never implemented.
|
||||
\item Correct the definition of set difference ($S \setminus T$).
|
||||
\sapling{
|
||||
\item Use the more precise subgroup types $\SubgroupG$ and $\SubgroupJ$ in preference to
|
||||
$\GroupG{}$ and $\GroupJ$ where applicable.
|
||||
\item Correct or improve the types of $\GroupJHash{}$, $\FindGroupJHash$, $\ExtractJ$, $\PRFexpand{}$, and $\CRHivk$.
|
||||
\item Ensure that \Sprout functions and values are given \Sprout-specific types where appropriate.
|
||||
\item Improve cross-referencing.
|
||||
\item Model the group hash as a random oracle. This appears to be unavoidable in order to allow
|
||||
proving unlinkability of $\DiversifyHash$. Explain how this relates to the Discrete Logarithm
|
||||
Independence assumption used previously, and justify this modelling by showing that it
|
||||
follows from treating $\BlakeTwos{256}$ as a random oracle in the instantiation of
|
||||
$\GroupJHash{}$.
|
||||
\item Rename $\mathsf{CRS}$ (Common Random String) to $\URS$ (\uniformRandomString), to
|
||||
match the terminology adopted at the first zkproof workshop held in Boston, Massachusetts
|
||||
on May~10--11, 2018.
|
||||
\item Generalize $\PRFexpand{}$ to accept an arbitrary-length input. (This specification does not
|
||||
use that generalization, but \cite{ZIP-32} does.)
|
||||
\item Change the notation for a multiplication constraint in \crossref{circuitdesign} to avoid
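Review bot: In the hunk at `@ -3311,43 +3318,60 @@`, the new random-oracle security requirement reads `it must be reasonble to model $\GroupGHash{\URS}$` — "reasonble" should be "reasonable". In the hunk at `@ -6877,9 +6916,17 @@`, the Jubjub instantiation defines `\GroupGHashInput` and `\GroupGHashURSType` (the generic family's names) even though the preamble hunk at `@ -1540,11 +1547,16 @@` adds `\GroupJHashInput` and `\GroupJHashURSType` for this purpose; unless reusing the generic names is deliberate, `Let $\GroupJHashInput := \byteseq{8} \times \byteseqs$, and let $\GroupJHashURSType := \byteseq{64}$.` would match the section's $\GroupJHash{}$ and keep the two name families from diverging. In the set-difference definition at `@ -1942,11 +1951,27 @@` the abbreviation is written `i.e. $\setof{...}$` while the neighbouring intersection line uses `i.e.\ `; the same `i.e.\ ` there avoids the end-of-sentence space. The changelog entry `Correct the definition of set difference ($S \setminus T$).` in the last hunk spells the operator as `\setminus` while the body uses the `\difference` macro; if the two render identically this is only a consistency point, but using `$S \difference T$` keeps the notation in one place.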
|
||||
|
|