From 8c80decd3bccdd270877b695e5a1638dc8403ed6 Mon Sep 17 00:00:00 2001
From: Daira Hopwood
Date: Fri, 22 Jun 2018 22:11:30 +0100
Subject: [PATCH] Group Hash and DiversifyHash refactoring. Also fix an error in the definition of set difference.
Signed-off-by: Daira Hopwood
---
 protocol/protocol.tex | 238 ++++++++++++++++++++++++++++--------------
 1 file changed, 158 insertions(+), 80 deletions(-)
diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index 1bbc54f9..721922c6 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -530,7 +530,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\HashExtractor}{\titleterm{Hash Extractor}}
 \newcommand{\groupHash}{\term{group hash}}
 \newcommand{\groupHashes}{\term{group hashes}}
-\newcommand{\GroupHash}{\titleterm{Group Hash}}
 \newcommand{\representedPairing}{\term{represented pairing}}
 \newcommand{\RepresentedPairing}{\titleterm{Represented Pairing}}
 \newcommand{\RepresentedGroupsAndPairings}{\titleterm{Represented Groups and Pairings}}
@@ -545,7 +544,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\JubjubCurve}{\mathsf{Jubjub}}
 \newcommand{\jubjubCurve}{\term{Jubjub curve}}
 \newcommand{\Jubjub}{\titleterm{Jubjub}}
-\newcommand{\commonRandomString}{\term{Common Random String}}
+\newcommand{\uniformRandomString}{\term{Uniform Random String}}
+\newcommand{\uniformRandomStrings}{\term{Uniform Random Strings}}
 \newcommand{\BNRepresentedPairing}{\titleterm{BN-254}}
 \newcommand{\BLSRepresentedPairing}{\titleterm{BLS12-381}}
 \newcommand{\ppzkSNARK}{\term{preprocessing zk-SNARK}}
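Review bot: Removing the text-mode `\GroupHash` titleterm here while the -1478 hunk redefines `\GroupHash` as `\mathsf{GroupHash}` turns the macro into a math-only name, so any surviving text-mode use such as a `\subsubsection{\GroupHash}` heading would now fail outside math mode. The two headings visible in this patch (the -3311 and -6877 hunks) are rewritten to the literal words "Group Hash", but I cannot see whether other text-mode uses of `\GroupHash{}` remain elsewhere in protocol.tex, so a search for them before merging would confirm the rename is complete. If a text form is still wanted, a distinct name such as `\newcommand{\GroupHashTerm}{\titleterm{Group Hash}}` avoids overloading the math macro.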
@@ -782,6 +782,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\bconcat}{\mathop{\kern 0.05em||}} \newcommand{\listcomp}[1]{\overlap{0.06em}{\ensuremath{[}}~{#1}~\overlap{0.06em}{\ensuremath{]}}} \newcommand{\fun}[2]{{#1} \mapsto {#2}} +\newcommand{\exclusivefun}[3]{{#1} \mapsto_{\neq\kern 0.05em{#3}\!} {#2}} \newcommand{\first}{\mathsf{first}} \newcommand{\for}{\text{ for }} \newcommand{\from}{\text{ from }} @@ -1478,6 +1479,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\Selectv}{\scalebox{1.53}{$\varv$}} \newcommand{\SelectvOf}[1]{\Selectv\!\left({#1}\right)\!} \newcommand{\subgroupr}{(\kern-0.075emr\kern-0.075em)} +\newcommand{\Extract}{\mathsf{Extract}} +\newcommand{\GroupHash}{\mathsf{GroupHash}} +\newcommand{\FindGroupHash}{\mathsf{FindGroupHash}} \newcommand{\ParamP}[1]{{{#1}_\mathbb{P}}} \newcommand{\ParamPexp}[2]{{{#1}_\mathbb{P}\!}^{#2}} @@ -1497,7 +1501,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\GroupGstar}[1]{\mathbb{G}^\ast_{#1}} \newcommand{\SubgroupG}{\mathbb{G}_{\subgroupr}} \newcommand{\SubgroupReprG}{\SubgroupG^{\ReprNoKern}} -\newcommand{\GroupGHash}[1]{\mathsf{GroupHash}^{\SubgroupG}_{#1}} \newcommand{\CurveG}[1]{\Curve_{\GroupG{#1}}} \newcommand{\ZeroG}[1]{\Zero_{\GroupG{#1}}} \newcommand{\GenG}[1]{\Generator_{\GroupG{#1}}} 
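Review bot: The new `\exclusivefun` macro takes three arguments whose roles (domain binder, codomain expression, excluded value) are only explained in the notation section introduced by the -1942 hunk, and the subscript `\mapsto_{\neq\kern 0.05em{#3}\!}` is hard to read back from the definition alone. A one-line comment at the definition would help later editors, e.g. `% \exclusivefun{x : T}{e_x : U}{y}: the map x |-> e_x restricted to those x with e_x != y; see the Notation section.` The -1478 hunk's `\Extract`, `\GroupHash` and `\FindGroupHash` are plain `\mathsf` names and need no such note.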
@@ -1508,7 +1511,12 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\abstG}[1]{\abst_{\GroupG{#1}}} \newcommand{\abstGOf}[2]{\abstG{#1}\!\left({#2}\right)\!} \newcommand{\PairingG}{\ParamG{\hat{e}}} -\newcommand{\ExtractG}{\mathsf{Extract}_{\SubgroupG}} + +\newcommand{\ExtractG}{\Extract_{\SubgroupG}} +\newcommand{\GroupGHash}[1]{\GroupHash^{\SubgroupG}_{#1}} +\newcommand{\GroupGHashURSType}{\GroupHash\mathsf{.URSType}} +\newcommand{\GroupGHashInput}{\GroupHash\mathsf{.Input}} +\newcommand{\URS}{\mathsf{URS}} \newcommand{\ParamS}[1]{{{#1}_\mathbb{\hskip 0.03em S}}} \newcommand{\ParamSexp}[2]{{{#1}_\mathbb{\hskip 0.03em S}\!}^{#2}} @@ -1530,7 +1538,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\SubgroupJ}{\mathbb{J}_{\subgroupr}} \newcommand{\SubgroupReprJ}{\SubgroupJ^{\ReprNoKern}} \newcommand{\PrimeOrderJ}{\SubgroupJ \difference \ZeroJ} -\newcommand{\GroupJHash}[1]{\mathsf{GroupHash}^{\SubgroupJ}_{#1}} \newcommand{\CurveJ}{\Curve_{\GroupJ}} \newcommand{\ZeroJ}{\Zero_{\GroupJ}} \newcommand{\GenJ}{\Generator_{\GroupJ}} 
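Review bot: `\GroupGHashURSType` and `\GroupGHashInput` expand to `\GroupHash\mathsf{.URSType}` and `\GroupHash\mathsf{.Input}` with no `^{\SubgroupG}` superscript, whereas their Jubjub counterparts added in the -1540 hunk are built on `\GroupJHash{}` and so carry the `^{\SubgroupJ}` superscript. That asymmetry makes the abstract definition in the -3311 hunk read as attributes of a generic GroupHash while the concrete family's attributes are qualified, which may be intended but is not obviously so. If it is not, `\newcommand{\GroupGHashURSType}{\GroupGHash{}\mathsf{.URSType}}` and `\newcommand{\GroupGHashInput}{\GroupGHash{}\mathsf{.Input}}` restore the parallel; if it is, a short `%` comment saying the generic form is deliberate would settle it for the next reader.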
@@ -1540,11 +1547,16 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\reprJOf}[1]{\reprJ\!\left({#1}\right)\!} \newcommand{\abstJ}{\abst_{\GroupJ}} \newcommand{\abstJOf}[1]{\abstJ\!\left({#1}\right)\!} -\newcommand{\ExtractJ}{\mathsf{Extract}_{\SubgroupJ}} -\newcommand{\FindGroupJHash}{\mathsf{FindGroupHash}^{\SubgroupJ}} -\newcommand{\FindGroupJHashOf}[1]{\FindGroupJHash\!\left({#1}\right)\!} \newcommand{\SignedScalarLimitJ}{\frac{\ParamJ{r}-1}{2}} +\newcommand{\ExtractJ}{\Extract_{\SubgroupJ}} +\newcommand{\GroupJHash}[1]{\GroupHash^{\SubgroupJ}_{#1}} +\newcommand{\GroupJHashURSType}{\GroupJHash{}\mathsf{.URSType}} +\newcommand{\GroupJHashInput}{\GroupJHash{}\mathsf{.Input}} +\newcommand{\HashOutput}{\bytes{H}} +\newcommand{\FindGroupJHash}{\FindGroupHash^{\SubgroupJ}} +\newcommand{\FindGroupJHashOf}[1]{\FindGroupJHash\!\left({#1}\right)\!} + \newcommand{\ParamM}[1]{{{#1}_\mathbb{\hskip 0.03em M}}} \newcommand{\ParamMexp}[2]{{{#1}_\mathbb{\hskip 0.03em M}\!}^{#2}} @@ -1562,9 +1574,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\xP}{{x_{\hspace{-0.12em}P}}} \newcommand{\yP}{{y_{\hspace{-0.03em}P}}} -\newcommand{\CRS}{\mathsf{CRS}} -\newcommand{\CRSType}{\mathsf{CRSType}} - % Conversions \newcommand{\ECtoOSP}{\mathsf{EC2OSP}} 
@@ -1942,11 +1951,27 @@ written as subscripts, e.g.\ if $x \typecolon X$, $y \typecolon Y$, and $f \typecolon X \times Y \rightarrow Z$, then an invocation of $f(x, y)$ can also be written $f_x(y)$. +$\setof{x \typecolon T \suchthat p_x}$ means the subset of $x$ from $T$ +for which $p_x$ (a boolean expression depending on $x$) holds. + +$T \subseteq U$ indicates that $T$ is an inclusive subset or subtype of $U$. +$S \union T$ means the set union of $S$ and $T$. + +$S \intersection T$ means the set intersection of $S$ and $T$, +i.e.\ $\setof{x \typecolon S \suchthat x \in T}$. + \notsprout{ +$S \difference T$ means the set difference obtained by removing elements +in $T$ from $S$, i.e. $\setof{x \typecolon S \suchthat x \notin T}$. + $\fun{x \typecolon T}{e_x \typecolon U}$ means the function of type $T \rightarrow U$ mapping formal parameter $x$ to $e_x$ (an expression depending on~$x$). The types $T$ and $U$ are always explicit. +$\exclusivefun{x \typecolon T}{e_x \typecolon U}{y}$ means +$\fun{x \typecolon T}{e_x \typecolon U \union \setof{y}}$ restricted to the domain +$\setof{x \typecolon T \suchthat e_x \neq y}$ and range $U$. + $\powerset{T}$ means the powerset of $T$. } 
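Review bot: The corrected set-difference sentence writes `i.e. $\setof{x \typecolon S \suchthat x \notin T}$` with a plain space after the abbreviation, while the intersection sentence two lines above uses `i.e.\ $\setof{…}$`; the unescaped period after `i.e.` is treated as a sentence end and gets the wider inter-sentence space. Change it to `in $T$ from $S$, i.e.\ $\setof{x \typecolon S \suchthat x \notin T}$.` to match. The `\notin` itself is the right replacement for the previous `x \neq T`, which compared an element with a set.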
@@ -1963,23 +1988,6 @@ $\length(S)$ means the length of (number of elements in) $S$. $\truncate{k}(S)$ means the sequence formed from the first $k$ elements of $S$. } -$T \subseteq U$ indicates that $T$ is an inclusive subset or subtype of $U$. - -\notsprout{ -$\setof{x \typecolon T \suchthat p(x)}$ means the subset of $x$ from $T$ -for which $p(x)$ holds. -} - -$S \union T$ means the set union of $S$ and $T$, or the type corresponding -to it. - -$S \intersection T$ means the set intersection of $S$ and $T$. - -\notsprout{ -$S \difference T$ means the set difference obtained by removing elements -in $T$ from $S$, i.e. $\setof{x \typecolon S \suchthat x \neq T}$. -} - $\hexint{}$ followed by a string of $\mathtt{monospace}$ hexadecimal digits means the corresponding integer converted from hexadecimal. @@ -2693,9 +2701,8 @@ to derive the unique $\NoteAddressRand$ value for a \Sapling \note. It is also u in the \spendStatement to confirm use of the correct $\NoteAddressRand$ value as an input to \nullifier derivation. It is instantiated in \crossref{concretemixinghash}. -$\DiversifyHash \typecolon \DiversifierType \rightarrow \SubgroupJ$ is a \hashFunction -satisfying the Discrete Logarithm Independence property (which implies \collisionResistance\!\!) -described in \crossref{abstractgrouphash}. +$\DiversifyHash \typecolon \DiversifierType \rightarrow \PrimeOrderJ$ is a \hashFunction +satisfying the Unlinkability security property described in \crossref{concretediversifyhash}. It is used to derive a \diversifiedBase from a \diversifier in \crossref{saplingkeycomponents}. It is instantiated in \crossref{concretediversifyhash}. } %sapling 
@@ -3311,43 +3318,60 @@ efficiently computable left inverse. \sapling{ \introlist -\subsubsection{\GroupHash} \label{abstractgrouphash} +\subsubsection{Group Hash} \label{abstractgrouphash} Given a represented group $\GroupG{}$ with prime-order subgroup $\SubgroupG$, -and a type $\CRSType$, we define a \term{family of group hashes into\, $\SubgroupG$} -as a function +a \term{family of group hashes into\, $\SubgroupG$}, $\GroupGHash{}$, consists of: -\begin{formulae} - \item $\GroupGHash{} \typecolon \CRSType \times (\byteseq{8} \times \byteseqs) \rightarrow \SubgroupG$ -\end{formulae} +\begin{itemize} + \item a type $\GroupGHashURSType$ of \uniformRandomStrings; + \item a type $\GroupGHashInput$ of inputs; + \item a function $\GroupGHash{} \typecolon \GroupGHashURSType \times \GroupGHashInput \rightarrow \SubgroupG$. +\end{itemize} + +In \crossref{concretegrouphashjubjub}, we instantiate a family of group hashes into +the \jubjubCurve defined by \crossref{jubjub}. \vspace{-2ex} -\securityrequirement{\textbf{Discrete Logarithm Independence} - -For a randomly selected member $\GroupGHash{\CRS}$ of the family, it is infeasible to find -a sequence of \emph{distinct} inputs $m_{\alln} \typecolon \typeexp{(\byteseq{8} \times \byteseqs)}{n}$ -and a sequence of nonzero $x_{\alln} \typecolon \typeexp{\GFstar{\ParamG{r}}}{n}$ -such that $\ssum{i = 1}{n}\!\left(\scalarmult{x_i}{\GroupGHash{\CRS}(m_i)}\right) = \ZeroG{}$. -} +\securityrequirement{ +For a randomly selected $\URS \typecolon \GroupGHashURSType$, +it must be reasonble to model $\GroupGHash{\URS}$ (restricted to inputs for which it does +not return $\bot$) as a random oracle. +} %securityrequirement \vspace{-1ex} \begin{nnotes} - \item This property implies (and is stronger than) collision-resistance, - since a collision $(m_1, m_2)$ for $\GroupGHash{\CRS}$ trivially gives a - discrete logarithm relation with $x_1 = 1$ and $x_2 = -1$. 
- \item An alternative approach is to model $\GroupGHash{\CRS}$ as a random - oracle, and assume that the Discrete Logarithm Problem is hard in - the group. We prefer to avoid the Random Oracle Model and instead make - a more specific standard-model assumption, which is effectively no - stronger than the assumptions made in the random oracle approach. - \item $\CRS$ is a \commonRandomString; we choose it verifiably at random +\vspace{-0.5ex} + \item $\GroupJHash{}$ is used to obtain generators of the \jubjubCurve for various purposes: + the bases $\AuthSignBase$ and $\AuthProveBase$ used in \Sapling key generation, + the \xPedersenHash defined in \crossref{concretepedersenhash}, and + the commitment schemes defined in \crossref{concretewindowedcommit} and + in \crossref{concretehomomorphiccommit}. + + The security property needed for these uses can alternatively be defined in the + standard model as follows: + + \textbf{Discrete Logarithm Independence}: + For a randomly selected member $\GroupGHash{\URS}$ of the family, it is infeasible to find + a sequence of \emph{distinct} inputs $m_{\alln} \typecolon \typeexp{\GroupGHashInput}{n}$ + and a sequence of nonzero $x_{\alln} \typecolon \typeexp{\GFstar{\ParamG{r}}}{n}$ + such that $\ssum{i = 1}{n}\!\left(\scalarmult{x_i}{\GroupGHash{\URS}(m_i)}\right) = \ZeroG{}$. + \item Under the Discrete Logarithm assumption on $\GroupG{}$, a random oracle almost surely satisfies + Discrete Logarithm Independence. + \item Discrete Logarithm Independence implies \collisionResistance\!, + since a collision $(m_1, m_2)$ for $\GroupGHash{\URS}$ trivially gives a + discrete logarithm relation with $x_1 = 1$ and $x_2 = -1$. It is in fact + stronger than \collisionResistance\!. + \item $\GroupJHash{}$ is also used to instantiate $\DiversifyHash$ in \crossref{concretediversifyhash}. 
+ We do not know how to prove the Unlinkability property defined in that section + in the standard model, but in a model where $\GroupJHash{}$ (restricted to + inputs for which it does not return $\bot$) is taken as a random oracle, + it is implied by the Decisional Diffie-Hellman assumption on $\SubgroupJ$. + \item $\URS$ is a \uniformRandomString; we choose it verifiably at random (see \crossref{beacon}), \emph{after} fixing the concrete group hash algorithm to be used. This mitigates the possibility that the group hash algorithm could have been backdoored. - \item The input element with type $\byteseq{8}$ is intended to act as a - ``personalization'' parameter to distinguish uses of the \groupHash for - different purposes. \end{nnotes} } %sapling @@ -3540,9 +3564,8 @@ Let $\DiversifyHash$ be a \hashFunction, instantiated in \crossref{concretediver Let $\SpendAuthSig$, instantiated in \crossref{concretespendauthsig}, be a \rerandomizableSignatureScheme. -Let $\reprJ$, $\SubgroupJ$, and $\SubgroupReprJ$ be as defined in \crossref{jubjub}. - -Let $\FindGroupJHash$ be as defined in \crossref{concretegrouphashjubjub}. +Let $\reprJ$, $\SubgroupJ$, and $\SubgroupReprJ$ be as defined in \crossref{jubjub}, and +let $\FindGroupJHash$ be as defined in \crossref{concretegrouphashjubjub}. Let $\LEBStoOSP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$ and $\LEOStoIP{} \typecolon (\ell \typecolon \Nat \suchthat \ell \bmod 8 = 0) \times \byteseq{\ell/8} \rightarrow \binaryrange{\ell}$ 
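Review bot: The new security requirement contains a typo, `it must be reasonble to model` → `it must be reasonable to model`, which is worth fixing because this sentence is now the normative statement for the group hash family. In the same hunk the Discrete Logarithm Independence note labels the property as `\textbf{Discrete Logarithm Independence}:` (colon outside the bold), whereas the Unlinkability requirement in the -5547 hunk uses `\textbf{Unlinkability:}`; picking one form keeps the two named properties consistent. The nnotes environment opened in this hunk is closed within it, so no further context is needed.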
@@ -3617,7 +3640,7 @@ be as defined in \crossref{concretegrouphashjubjub}. Define: \end{cases}$ \item $\DefaultDiversifier(\sk \typecolon \SpendingKeyType) := \first\big(\fun{i \typecolon \byte}{\CheckDiversifier(\truncate{(\DiversifierLength/8)}(\PRFexpand{\sk}([3, i]))) - \typecolon \maybe{\SubgroupJ}}\big)$. + \typecolon \maybe{(\PrimeOrderJ)}}\big)$. \end{formulae} For a random \spendingKey, $\DefaultDiversifier$ returns $\bot$ with probability approximately $2^{-256}$; @@ -5547,9 +5570,24 @@ Define \vspace{-3ex} \securityrequirement{ -$\DiversifyHash$ must satisfy the Discrete Logarithm Independence property -described in \crossref{abstractgrouphash}. -} +\textbf{Unlinkability:} Given two randomly selected +\paymentAddresses from different spend authorities, and a third \paymentAddress +which could be derived from either of those authorities, it is not possible to +tell which authority the third address was derived from.} + +\begin{nnotes} + \item Suppose that $\GroupJHash{}$ (restricted to inputs for which it does not + return $\bot$) is modelled as a random oracle from \diversifiers to points + of order $\ParamJ{r}$ on the \jubjubCurve. In this model, Unlinkability + of $\DiversifyHash$ holds under the Decisional Diffie-Hellman assumption on the + \jubjubCurve. + \item Informally, the random self-reducibility property of DDH implies that an + adversary would gain no advantage from being able to query an oracle for + additional $(\DiversifiedTransmitBase, \DiversifiedTransmitPublic)$ pairs + with the same spend authority as an existing \paymentAddress, since they + could also create such pairs on their own. This justifies only considering + two \paymentAddresses in the security definition. +\end{nnotes} } %sapling 
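Review bot: The first nnote of the -5547 hunk says Unlinkability holds `under the Decisional Diffie-Hellman assumption on the \jubjubCurve`, while the corresponding note in the -3311 hunk says `the Decisional Diffie-Hellman assumption on $\SubgroupJ$`; since the oracle in this model maps to points of order $\ParamJ{r}$, the subgroup form is the one the argument actually uses, and DDH on the full curve is a different statement (the small-order components of a full-group tuple can be separated, so it is not the form one would want to assume). Suggest `holds under the Decisional Diffie-Hellman assumption on $\SubgroupJ$.` here so the two passages make the same claim. The second nnote's random self-reducibility remark is a sketch rather than a proof; saying so explicitly, as the -3311 hunk does with "we do not know how to prove", would keep the two notes at the same level of confidence.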
@@ -6799,6 +6837,7 @@ be the left inverse of $\reprJ$ such that if $S$ is not in the range of $\reprJ$, then $\abstJOf{S} = \bot$. Define $\SubgroupJ$ as the order-$\ParamJ{r}$ subgroup of $\GroupJ$. Note that this includes $\ZeroJ$. +For the set of prime-order points we write $\PrimeOrderJ$. Define $\SubgroupReprJ := \setof{\reprJ(P) \typecolon \ReprJ \suchthat P \in \SubgroupJ}$. @@ -6877,9 +6916,17 @@ $\Selectu$ is injective on points in $\SubgroupJ$. \sapling{ \introsection -\subsubsubsection{\GroupHash{} into \Jubjub} \label{concretegrouphashjubjub} +\subsubsubsection{Group Hash into \Jubjub} \label{concretegrouphashjubjub} -Let $\CRS$ be the MPC randomness beacon defined in \crossref{beacon}. +\vspace{-2ex} +Let $\GroupGHashInput := \byteseq{8} \times \byteseqs$, and +let $\GroupGHashURSType := \byteseq{64}$. + +(The input element with type $\byteseq{8}$ is intended to act as a +``personalization'' parameter to distinguish uses of the \groupHash for +different purposes.) + +Let $\URS$ be the MPC randomness beacon defined in \crossref{beacon}. Let $\BlakeTwos{256}$ be as defined in \crossref{concreteblake2}. 
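Review bot: The Jubjub instantiation in the -6877 hunk assigns `\GroupGHashInput := \byteseq{8} \times \byteseqs` and `\GroupGHashURSType := \byteseq{64}` using the generic macros, so it renders as defining GroupHash.Input and GroupHash.URSType rather than the Jubjub-specific forms for which the -1540 hunk adds `\GroupJHashInput` and `\GroupJHashURSType` (which, as far as this patch shows, are otherwise unused). `Let $\GroupJHashInput := \byteseq{8} \times \byteseqs$, and` / `let $\GroupJHashURSType := \byteseq{64}$.` would tie the instantiation to the family being defined. If sharing the generic types across all instantiations is deliberate, one sentence saying so would avoid the question.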
@@ -6892,15 +6939,38 @@ Let $D \typecolon \byteseq{8}$ be an $8$-byte domain separator, and let $M \typecolon \byteseqs$ be the hash input. \introlist -The hash $\GroupJHash{\CRS}(D, M) \typecolon \PrimeOrderJ$ is calculated as follows: +The hash $\GroupJHash{\URS}(D, M) \typecolon \PrimeOrderJ$ is calculated as follows: \begin{algorithm} - \item $P := \abstJOf{\LEOStoBSPOf{256}{\BlakeTwosOf{256}{D,\, \CRS \bconcat\, M}}}$ - \item If $P = \bot$ then return $\bot$. - \item $Q := \scalarmult{\ParamJ{h}}{P}$ - \item If $Q = \ZeroJ$ then return $\bot$, else return $Q$. + \item let $\HashOutput = \BlakeTwos{256}(D,\, \URS \bconcat\, M)$ + \item let $P = \abstJOf{\LEOStoBSP{256}(\HashOutput)\kern-0.12em}$ + \item if $P = \bot$ then return $\bot$ + \item let $Q = \scalarmult{\ParamJ{h}}{P}$ + \item if $Q = \ZeroJ$ then return $\bot$, else return $Q$. \end{algorithm} +\vspace{-3ex} +\begin{pnotes} +\vspace{-1ex} + \item The $\BlakeTwos{256}$ chaining variable after processing $\URS$ may be precomputed. + \item The use of $\GroupJHash{\URS}$ for $\DiversifyHash$ and to generate independent bases + needs a random oracle (for inputs on which $\GroupJHash{\URS}$ does not return $\bot$); + here we show that it is sufficient to employ a simpler random oracle instantiated by + $\vphantom{a^b}\BlakeTwos{256}$ in the security analysis. + + $\exclusivefun{\HashOutput \typecolon \byteseq{32}} + {\abstJOf{\LEOStoBSP{256}(\HashOutput)\kern-0.12em} \typecolon \GroupJ}{\bot}$ + is injective, and both it and its inverse are efficiently computable. + + $\exclusivefun{P \typecolon \GroupJ} + {\scalarmult{\ParamJ{h}}{P} \typecolon \PrimeOrderJ}{\ZeroJ}$ + is exactly $\ParamJ{h}$-to-$1$, and both it and its inverse relation are efficiently computable. 
+ + It follows that when $\fun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)} + {\BlakeTwosOf{256}{D,\, \URS \bconcat\, M} \typecolon \byteseq{32}}$ + is modelled as a random oracle, $\exclusivefun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)} + {\GroupJHash{\URS}(D, M) \typecolon \PrimeOrderJ}{\bot}$ also acts as a random oracle. +\end{pnotes} \vspace{0.5ex} Define $\first \typecolon (\byte \rightarrow \maybe{T}) \rightarrow \maybe{T}$ @@ -6908,15 +6978,14 @@ so that $\first(f) = f(i)$ where $i$ is the least integer in $\byte$ such that $f(i) \neq \bot$, or $\bot$ if no such $i$ exists. Define $\FindGroupJHashOf{D, M} := -\first(\fun{i \typecolon \byte}{\GroupJHash{\CRS}(D, M \bconcat\, [i]) \typecolon \maybe{(\PrimeOrderJ)}})$. +\first(\fun{i \typecolon \byte}{\GroupJHash{\URS}(D, M \bconcat\, [i]) \typecolon \maybe{(\PrimeOrderJ)}})$. -\begin{pnotes} - \item The $\BlakeTwos{256}$ chaining variable after processing $\CRS$ may be precomputed. - \item For random input, $\FindGroupJHash$ returns $\bot$ with probability approximately $2^{-256}$. - In the \Zcash protocol, most uses of $\FindGroupJHash$ are for constants and do not - return $\bot$; the only use that could potentially return $\bot$ is in the - computation of a \defaultDiversifiedPaymentAddress in \crossref{saplingkeycomponents}. -\end{pnotes} +\vspace{-3ex} +\pnote{For random input, $\FindGroupJHash$ returns $\bot$ with probability approximately $2^{-256}$. +In the \Zcash protocol, most uses of $\FindGroupJHash$ are for constants and do not +return $\bot$; the only use that could potentially return $\bot$ is in the +computation of a \defaultDiversifiedPaymentAddress in \crossref{saplingkeycomponents}. +} %pnote } %sapling 
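Review bot: The pnote asserts that `\exclusivefun{\HashOutput \typecolon \byteseq{32}}{\abstJOf{…} \typecolon \GroupJ}{\bot}` is injective with an efficiently computable inverse but does not say why; the justification is that `\abstJ` is defined (context of the -6799 hunk) as a left inverse of `\reprJ` that returns $\bot$ off the range of `\reprJ`, so on non-$\bot$ inputs the inverse is `\reprJ` itself. A clause such as `is injective (since $\abstJ$ is a left inverse of $\reprJ$ and returns $\bot$ outside the range of $\reprJ$), and both it and its inverse $\reprJ$ are efficiently computable.` makes the random-oracle transfer argument checkable from the text. The "exactly $\ParamJ{h}$-to-$1$" step similarly depends on the group order fixed in \crossref{jubjub}; a pointer there would let readers verify that step as well.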
@@ -7560,7 +7629,7 @@ These parameters were obtained by a multi-party computation described in \todo{} \introsection \subsection{Randomness Beacon} \label{beacon} -Let $\CRS := \ascii{096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b42df0}$. +Let $\URS := \ascii{096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b42df0}$. This value is used in the definition of $\GroupJHash{}$ in \crossref{concretegrouphashjubjub}, and in the multi-party computation to obtain the \Sapling parameters given in @@ -7576,7 +7645,7 @@ It is derived as described in \cite{Bowe2018}: \end{itemize} \vspace{-4ex} -\pnote{$\CRS$ is a $64$-byte US-ASCII string, i.e.\ the first byte is \hexint{30}, not \hexint{09}.} +\pnote{$\URS$ is a $64$-byte US-ASCII string, i.e.\ the first byte is \hexint{30}, not \hexint{09}.} } %sapling 
@@ -9160,12 +9229,21 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \item Remove the consensus rule ``If $\nJoinSplit > 0$, the \transaction{} \MUSTNOT use \sighashTypes other than $\SIGHASHALL$.'', which was never implemented. + \item Correct the definition of set difference ($S \setminus T$). \sapling{ \item Use the more precise subgroup types $\SubgroupG$ and $\SubgroupJ$ in preference to $\GroupG{}$ and $\GroupJ$ where applicable. \item Correct or improve the types of $\GroupJHash{}$, $\FindGroupJHash$, $\ExtractJ$, $\PRFexpand{}$, and $\CRHivk$. \item Ensure that \Sprout functions and values are given \Sprout-specific types where appropriate. \item Improve cross-referencing. + \item Model the group hash as a random oracle. This appears to be unavoidable in order to allow + proving unlinkability of $\DiversifyHash$. Explain how this relates to the Discrete Logarithm + Independence assumption used previously, and justify this modelling by showing that it + follows from treating $\BlakeTwos{256}$ as a random oracle in the instantiation of + $\GroupJHash{}$. + \item Rename $\mathsf{CRS}$ (Common Random String) to $\URS$ (\uniformRandomString), to + match the terminology adopted at the first zkproof workshop held in Boston, Massachusetts + on May~10--11, 2018. \item Generalize $\PRFexpand{}$ to accept an arbitrary-length input. (This specification does not use that generalization, but \cite{ZIP-32} does.) \item Change the notation for a multiplication constraint in \crossref{circuitdesign} to avoid
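Review bot: The changelog entry writes set difference as `$S \setminus T$`, whereas the notation section in the -1942 hunk defines it with the document's `\difference` macro (`$S \difference T$`); if `\difference` is not simply `\setminus`, the changelog shows a symbol the body never uses. `\item Correct the definition of set difference ($S \difference T$).` keeps the entry in the document's own notation, as the neighbouring `\GroupJHash{}` and `\FindGroupJHash` entries already do.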