From 8f647e0f0821a62398e1aaaaa4af7c8998fd4b6f Mon Sep 17 00:00:00 2001
From: Daira Hopwood
Date: Wed, 7 Feb 2018 15:41:46 +0000
Subject: [PATCH] Add instantiation of CRHivk.
Signed-off-by: Daira Hopwood
---
 protocol/protocol.tex | 89 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 88 insertions(+), 1 deletion(-)
diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index 49096268..3f9d1138 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -546,6 +546,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\bitseq}[1]{\typeexp{\bit}{#1}}
 \newcommand{\byteseqs}{\typeexp{\bit}{8 \mult \Nat}}
 \newcommand{\concatbits}{\mathsf{concat}_\bit}
+\newcommand{\drop}[1]{\mathsf{drop}_{#1}}
 \newcommand{\listcomp}[1]{[~{#1}~]}
 \newcommand{\for}{\text{ for }}
 \newcommand{\from}{\text{ from }}
@@ -581,6 +582,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\FullHash}{\mathtt{SHA256}}
 \newcommand{\FullHashName}{\mathsf{SHA\mhyphen256}}
 \newcommand{\BlakeTwob}[1]{\mathsf{BLAKE2b\kern 0.05em\mhyphen{#1}}}
+\newcommand{\BlakeTwos}[1]{\mathsf{BLAKE2s\kern 0.05em\mhyphen{#1}}}
 \newcommand{\BlakeTwobGeneric}{\mathsf{BLAKE2b}}
 \newcommand{\BlakeTwosGeneric}{\mathsf{BLAKE2s}}
 \newcommand{\FullHashbox}[1]{\FullHash\left(\Justthebox{#1}\right)}
@@ -931,6 +933,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\pksig}{\mathsf{pk_{sig}}}
 \newcommand{\sk}{\mathsf{sk}}
 \newcommand{\hSigInput}{\mathsf{hSigInput}}
+\newcommand{\crhInput}{\mathsf{crhInput}}
 \newcommand{\dataToBeSigned}{\mathsf{dataToBeSigned}}
 
 % Merkle tree
@@ -1136,6 +1139,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\ItoLEBSP}[1]{\mathsf{I2LEBSP}_{#1}}
 \newcommand{\FEtoIP}{\mathsf{FE2IP}}
 \newcommand{\FEtoIPP}{\mathsf{FE2IPP}}
+\newcommand{\BStoIP}[1]{\mathsf{BS2IP}_{#1}}
 \newcommand{\BNImpl}{\mathtt{ALT\_BN128}}
 \newcommand{\vpubOld}{\mathsf{v_{pub}^{old}}}
 \newcommand{\vpubNew}{\mathsf{v_{pub}^{new}}}
@@ -1510,6 +1514,13 @@ concatenating the elements of $S$ viewed as bit sequences.
 If the elements of $S$ are byte sequences, they are converted to bit sequences with the \emph{most significant} bit of each byte first.
+\notsprout{
+$\drop{\ell}(S)$ means the sequence of bits obtained by
+discarding the first $\ell$ bits of $S$ and taking the remaining bits
+in the original order. If $S$ is a byte sequence, it is converted to
+a bit sequence with the \emph{most significant} bit of each byte first.
+}
+
 $\sorted(S)$ means the sequence formed by sorting the elements of $S$.
@@ -2614,6 +2625,10 @@ let $\AuthProveBase = \GroupJHash{U}(\ascii{Zcash\_H\_}, \ascii{})$.
 Let $\reprJ$ be the representation function for the $\JubjubCurve$ \representedGroup, instantiated in \crossref{jubjub}.
+Define $\BStoIP{} \typecolon (u \typecolon \Nat) \times \bitseq{u} \rightarrow \range{0}{2^u\!-\!1}$
+such that $\BStoIP{u}(S)$ is the integer represented in big-endian order by the
+bit sequence $S$ of length $u$.
+
 \vspace{2ex}
 A new \Sapling \spendingKey $\AuthPrivateSeed$ is generated by choosing a bit string uniformly at random from $\bitseq{\AuthPrivateSeedLength}$.
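Review bot: The new `\drop{\ell}(S)` definition in the hunk at `-1510` does not state its domain or the length of its result, which matters because the only use added by this patch feeds a fixed 32-byte digest into it and silently relies on $\ell \le$ the length of $S$. I would append `The result has $\ell$ fewer bits than $S$; $\drop{\ell}(S)$ is only defined when $S$ consists of at least $\ell$ bits.` Separately, the `\BStoIP` definition in the hunk at `-2614` introduces a big-endian conversion in the middle of the Sapling key-derivation text, while the existing conversion functions whose macros appear in the hunk at `-1136` (I2LEBSP, FE2IP) are presumably defined together elsewhere; consider placing BS2IP alongside them so an implementer comparing endianness conventions finds them in one place.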
@@ -2659,7 +2674,7 @@ and $\InViewingKey$ are then derived as follows:
 $\AuthProvePrivate$ &$:= \PreAuthProvePrivate \bmod \JubjubScalarThreshold$ \\
 $\AuthSignPublic$ &$:= \scalarmult{\AuthSignPrivate}{\AuthSignBase}$ \\
 $\AuthProvePublic$ &$:= \scalarmult{\AuthProvePrivate}{\AuthProveBase}$ \\
- $\InViewingKey$ &$:= \CRHivkHashbox{\crhivkinputbox}$.
+ $\InViewingKey$ &$:= \BStoIP{251}(\CRHivkHashbox{\crhivkinputbox})$.
 \end{tabular}
 
 \vspace{2ex}
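Review bot: The new `\InViewingKey` line assigns a 251-bit integer to a key that is subsequently used as a Jubjub scalar, but nothing here says why 251 bits: presumably it is chosen so that $\InViewingKey < 2^{251} < r_\mathbb{J}$ (the Jubjub subgroup order is about $2^{251.85}$, if I recall the parameters correctly) and no reduction is needed, and an implementer who instead reduces a 256-bit digest modulo $r_\mathbb{J}$ would derive different keys. A one-line comment on the row, `% 251 bits so that ivk is always below r_J and needs no reduction`, or a sentence after the table, would close that gap. Also note this row hashes `\crhivkinputbox`, while the new CRHivk section defines its input as `\crhInput := \Justthebox{\crhivkbox}`; if these are two separately defined saveboxes for the same 512-bit input, the derivation table and the concrete instantiation can drift apart in field order or width without anyone noticing, so one shared box is safer. The enclosing tabular begins outside the hunk.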
@@ -3503,6 +3518,68 @@ block.
 $\BlakeTwob{256}(\ascii{ZcashComputehSig}, x)$ must be collision-resistant.
 }
+
+\sapling{
+\introlist
+\nsubsubsubsection{CRHivk \HashFunction} \label{concretecrhivk}
+
+\newsavebox{\crhivkbox}
+\begin{lrbox}{\crhivkbox}
+\begin{bytefield}[bitwidth=0.05em]{512}
+ \bitbox{256}{$256$-bit $\reprJ(\AuthSignPublic)$}
+ \bitbox{256}{$256$-bit $\reprJ(\AuthProvePublic)$}
+\end{bytefield}
+\end{lrbox}
+
+$\CRHivk$ is used to derive the \incomingViewingKey $\InViewingKey$
+for a \Sapling \paymentAddress.
+For its use when generating an address see \crossref{saplingkeycomponents},
+and for its use in the \spendStatement see \crossref{spendstatement}.
+
+\introlist
+It is defined as follows:
+
+\begin{formulae}
+ \item $\CRHivk(\AuthSignPublic, \AuthProvePublic) := \drop{5}(\BlakeTwos{256}(\ascii{Zcashivk},\; \crhInput))$
+\end{formulae}
+
+where
+\begin{formulae}
+ \item $\crhInput := \Justthebox{\crhivkbox}$
+\end{formulae}
+
+\vspace{2ex}
+$\BlakeTwos{256}(p, x)$ refers to unkeyed $\BlakeTwos{256}$
+\cite{ANWW2013} in sequential mode, with an output digest length of
+$32$ bytes, $8$-byte personalization string $p$, and input $x$.
+
+The output of $\BlakeTwos{256}$ is treated as a bit string with the
+most-significant bit first in each byte. $\drop{5}$ discards the first
+$5$ bits and returns the remaining $251$ bits as the hash result.
+
+When the output of $\CRHivk$ is used to obtain $\InViewingKey$,
+the $251$-bit string will be converted to an integer according to
+big-endian bit order as specified in \crossref{saplingkeycomponents}.
+
+\securityrequirement{
+$\drop{5}(\BlakeTwos{256}(\ascii{Zcashivk}, x))$ must be
+collision-resistant on a $512$-bit input $x$. Note that this
+does not follow from collision-resistance of $\BlakeTwos{256}$
+(and the best possible concrete security is that of a $251$-bit hash
+rather than a $256$-bit hash), but it is a reasonable assumption
+given the design and structure of $\BlakeTwosGeneric$.
+}
+
+\pnote{
+The variable output digest length feature of $\BlakeTwosGeneric$ does
+not support arbitrary bit lengths, otherwise that would have been
+used rather than external truncation. However, the protocol-specific
+personalization string together with truncation achieve essentially
+the same effect as using that feature.
+}
+}
+
+
 \introlist
+\nsubsubsubsection{Equihash Generator} \label{equihashgen}
@@ -6203,6 +6280,16 @@ Daira Hopwood, Sean Bowe, and Jack Grigg.
 \introsection
 \nsection{Change History}
 
+\subparagraph{2018.0-beta-8}
+
+\begin{itemize}
+ \item No changes to \Sprout.
+\sapling{
+ \item Add instantiation of $\CRHivk$.
+}
+\end{itemize}
+
+\introlist
 \subparagraph{2018.0-beta-7}
 
 \begin{itemize}
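Review bot: The `\securityrequirement` states collision resistance over the 512-bit string $x$, but what the spend statement needs is that two distinct $(\AuthSignPublic, \AuthProvePublic)$ pairs never yield the same $\InViewingKey$, and that only follows if `\reprJ` is injective on the points in question; the requirement should say so, e.g. by adding `This relies on $\reprJ$ being injective, so that distinct $(\AuthSignPublic, \AuthProvePublic)$ give distinct $\crhInput$; see \crossref{jubjub}.` or by citing wherever canonicity of the encoding is established. The `\drop{5}` plus MSB-first convention is also easy to get wrong against this document's otherwise little-endian scalar conversions (e.g. `\ItoLEBSP`), so I would add the byte-level form right after the "$\drop{5}$ discards the first $5$ bits" sentence: `Equivalently, the $5$ most significant bits of the first output byte are cleared and the $32$ bytes are then read as a big-endian integer.` The personalization `Zcashivk` is exactly 8 bytes, matching the stated BLAKE2s limit, and the bytefield order ($\AuthSignPublic$ then $\AuthProvePublic$) matches the 512-bit input in the requirement. I cannot tell from this hunk whether `\notsprout` (under which `\drop` is defined) encloses the `\sapling` builds that use it; worth confirming the macro is visible there.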