Add instantiation of CRHivk.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
a91c06aa7f
commit
8f647e0f08
|
@ -546,6 +546,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\bitseq}[1]{\typeexp{\bit}{#1}}
|
\newcommand{\bitseq}[1]{\typeexp{\bit}{#1}}
|
||||||
\newcommand{\byteseqs}{\typeexp{\bit}{8 \mult \Nat}}
|
\newcommand{\byteseqs}{\typeexp{\bit}{8 \mult \Nat}}
|
||||||
\newcommand{\concatbits}{\mathsf{concat}_\bit}
|
\newcommand{\concatbits}{\mathsf{concat}_\bit}
|
||||||
|
\newcommand{\drop}[1]{\mathsf{drop}_{#1}}
|
||||||
\newcommand{\listcomp}[1]{[~{#1}~]}
|
\newcommand{\listcomp}[1]{[~{#1}~]}
|
||||||
\newcommand{\for}{\text{ for }}
|
\newcommand{\for}{\text{ for }}
|
||||||
\newcommand{\from}{\text{ from }}
|
\newcommand{\from}{\text{ from }}
|
||||||
|
@ -581,6 +582,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\FullHash}{\mathtt{SHA256}}
|
\newcommand{\FullHash}{\mathtt{SHA256}}
|
||||||
\newcommand{\FullHashName}{\mathsf{SHA\mhyphen256}}
|
\newcommand{\FullHashName}{\mathsf{SHA\mhyphen256}}
|
||||||
\newcommand{\BlakeTwob}[1]{\mathsf{BLAKE2b\kern 0.05em\mhyphen{#1}}}
|
\newcommand{\BlakeTwob}[1]{\mathsf{BLAKE2b\kern 0.05em\mhyphen{#1}}}
|
||||||
|
\newcommand{\BlakeTwos}[1]{\mathsf{BLAKE2s\kern 0.05em\mhyphen{#1}}}
|
||||||
\newcommand{\BlakeTwobGeneric}{\mathsf{BLAKE2b}}
|
\newcommand{\BlakeTwobGeneric}{\mathsf{BLAKE2b}}
|
||||||
\newcommand{\BlakeTwosGeneric}{\mathsf{BLAKE2s}}
|
\newcommand{\BlakeTwosGeneric}{\mathsf{BLAKE2s}}
|
||||||
\newcommand{\FullHashbox}[1]{\FullHash\left(\Justthebox{#1}\right)}
|
\newcommand{\FullHashbox}[1]{\FullHash\left(\Justthebox{#1}\right)}
|
||||||
|
@ -931,6 +933,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\pksig}{\mathsf{pk_{sig}}}
|
\newcommand{\pksig}{\mathsf{pk_{sig}}}
|
||||||
\newcommand{\sk}{\mathsf{sk}}
|
\newcommand{\sk}{\mathsf{sk}}
|
||||||
\newcommand{\hSigInput}{\mathsf{hSigInput}}
|
\newcommand{\hSigInput}{\mathsf{hSigInput}}
|
||||||
|
\newcommand{\crhInput}{\mathsf{crhInput}}
|
||||||
\newcommand{\dataToBeSigned}{\mathsf{dataToBeSigned}}
|
\newcommand{\dataToBeSigned}{\mathsf{dataToBeSigned}}
|
||||||
|
|
||||||
% Merkle tree
|
% Merkle tree
|
||||||
|
@ -1136,6 +1139,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\ItoLEBSP}[1]{\mathsf{I2LEBSP}_{#1}}
|
\newcommand{\ItoLEBSP}[1]{\mathsf{I2LEBSP}_{#1}}
|
||||||
\newcommand{\FEtoIP}{\mathsf{FE2IP}}
|
\newcommand{\FEtoIP}{\mathsf{FE2IP}}
|
||||||
\newcommand{\FEtoIPP}{\mathsf{FE2IPP}}
|
\newcommand{\FEtoIPP}{\mathsf{FE2IPP}}
|
||||||
|
\newcommand{\BStoIP}[1]{\mathsf{BS2IP}_{#1}}
|
||||||
\newcommand{\BNImpl}{\mathtt{ALT\_BN128}}
|
\newcommand{\BNImpl}{\mathtt{ALT\_BN128}}
|
||||||
\newcommand{\vpubOld}{\mathsf{v_{pub}^{old}}}
|
\newcommand{\vpubOld}{\mathsf{v_{pub}^{old}}}
|
||||||
\newcommand{\vpubNew}{\mathsf{v_{pub}^{new}}}
|
\newcommand{\vpubNew}{\mathsf{v_{pub}^{new}}}
|
||||||
|
@ -1510,6 +1514,13 @@ concatenating the elements of $S$ viewed as bit sequences. If the
|
||||||
elements of $S$ are byte sequences, they are converted to bit sequences
|
elements of $S$ are byte sequences, they are converted to bit sequences
|
||||||
with the \emph{most significant} bit of each byte first.
|
with the \emph{most significant} bit of each byte first.
|
||||||
|
|
||||||
|
\notsprout{
|
||||||
|
$\drop{\ell}(S)$ means the sequence of bits obtained by
|
||||||
|
discarding the first $\ell$ bits of $S$ and taking the remaining bits
|
||||||
|
in the original order. If $S$ is a byte sequence, it is converted to
|
||||||
|
a bit sequence with the \emph{most significant} bit of each byte first.
|
||||||
|
}
|
||||||
|
|
||||||
$\sorted(S)$ means the sequence formed by sorting the elements
|
$\sorted(S)$ means the sequence formed by sorting the elements
|
||||||
of $S$.
|
of $S$.
|
||||||
|
|
||||||
|
@ -2614,6 +2625,10 @@ let $\AuthProveBase = \GroupJHash{U}(\ascii{Zcash\_H\_}, \ascii{})$.
|
||||||
Let $\reprJ$ be the representation function for the $\JubjubCurve$ \representedGroup,
|
Let $\reprJ$ be the representation function for the $\JubjubCurve$ \representedGroup,
|
||||||
instantiated in \crossref{jubjub}.
|
instantiated in \crossref{jubjub}.
|
||||||
|
|
||||||
|
Define $\BStoIP{} \typecolon (u \typecolon \Nat) \times \bitseq{u} \rightarrow \range{0}{2^u\!-\!1}$
|
||||||
|
such that $\BStoIP{u}(S)$ is the integer represented in big-endian order by the
|
||||||
|
bit sequence $S$ of length $u$.
|
||||||
|
|
||||||
\vspace{2ex}
|
\vspace{2ex}
|
||||||
A new \Sapling \spendingKey $\AuthPrivateSeed$ is generated by choosing a bit string
|
A new \Sapling \spendingKey $\AuthPrivateSeed$ is generated by choosing a bit string
|
||||||
uniformly at random from $\bitseq{\AuthPrivateSeedLength}$.
|
uniformly at random from $\bitseq{\AuthPrivateSeedLength}$.
|
||||||
|
@ -2659,7 +2674,7 @@ and $\InViewingKey$ are then derived as follows:
|
||||||
$\AuthProvePrivate$ &$:= \PreAuthProvePrivate \bmod \JubjubScalarThreshold$ \\
|
$\AuthProvePrivate$ &$:= \PreAuthProvePrivate \bmod \JubjubScalarThreshold$ \\
|
||||||
$\AuthSignPublic$ &$:= \scalarmult{\AuthSignPrivate}{\AuthSignBase}$ \\
|
$\AuthSignPublic$ &$:= \scalarmult{\AuthSignPrivate}{\AuthSignBase}$ \\
|
||||||
$\AuthProvePublic$ &$:= \scalarmult{\AuthProvePrivate}{\AuthProveBase}$ \\
|
$\AuthProvePublic$ &$:= \scalarmult{\AuthProvePrivate}{\AuthProveBase}$ \\
|
||||||
$\InViewingKey$ &$:= \CRHivkHashbox{\crhivkinputbox}$.
|
$\InViewingKey$ &$:= \BStoIP{251}(\CRHivkHashbox{\crhivkinputbox})$.
|
||||||
\end{tabular}
|
\end{tabular}
|
||||||
|
|
||||||
\vspace{2ex}
|
\vspace{2ex}
|
||||||
|
@ -3503,6 +3518,68 @@ block.
|
||||||
$\BlakeTwob{256}(\ascii{ZcashComputehSig}, x)$ must be collision-resistant.
|
$\BlakeTwob{256}(\ascii{ZcashComputehSig}, x)$ must be collision-resistant.
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
\sapling{
|
||||||
|
\introlist
|
||||||
|
\nsubsubsubsection{CRHivk \HashFunction} \label{concretecrhivk}
|
||||||
|
|
||||||
|
\newsavebox{\crhivkbox}
|
||||||
|
\begin{lrbox}{\crhivkbox}
|
||||||
|
\begin{bytefield}[bitwidth=0.05em]{512}
|
||||||
|
\bitbox{256}{$256$-bit $\reprJ(\AuthSignPublic)$}
|
||||||
|
\bitbox{256}{$256$-bit $\reprJ(\AuthProvePublic)$}
|
||||||
|
\end{bytefield}
|
||||||
|
\end{lrbox}
|
||||||
|
|
||||||
|
$\CRHivk$ is used to derive the \incomingViewingKey $\InViewingKey$
|
||||||
|
for a \Sapling \paymentAddress.
|
||||||
|
For its use when generating an address see \crossref{saplingkeycomponents},
|
||||||
|
and for its use in the \spendStatement see \crossref{spendstatement}.
|
||||||
|
|
||||||
|
\introlist
|
||||||
|
It is defined as follows:
|
||||||
|
|
||||||
|
\begin{formulae}
|
||||||
|
\item $\CRHivk(\AuthSignPublic, \AuthProvePublic) := \drop{5}(\BlakeTwos{256}(\ascii{Zcashivk},\; \crhInput))$
|
||||||
|
\end{formulae}
|
||||||
|
|
||||||
|
where
|
||||||
|
\begin{formulae}
|
||||||
|
\item $\crhInput := \Justthebox{\crhivkbox}$
|
||||||
|
\end{formulae}
|
||||||
|
|
||||||
|
\vspace{2ex}
|
||||||
|
$\BlakeTwos{256}(p, x)$ refers to unkeyed $\BlakeTwos{256}$
|
||||||
|
\cite{ANWW2013} in sequential mode, with an output digest length of
|
||||||
|
$32$ bytes, $8$-byte personalization string $p$, and input $x$.
|
||||||
|
|
||||||
|
The output of $\BlakeTwos{256}$ is treated as a bit string with the
|
||||||
|
most-significant bit first in each byte. $\drop{5}$ discards the first
|
||||||
|
$5$ bits and returns the remaining $251$ bits as the hash result.
|
||||||
|
|
||||||
|
When the output of $\CRHivk$ is used to obtain $\InViewingKey$,
|
||||||
|
the $251$-bit string will be converted to an integer according to
|
||||||
|
big-endian bit order as specified in \crossref{saplingkeycomponents}.
|
||||||
|
|
||||||
|
\securityrequirement{
|
||||||
|
$\drop{5}(\BlakeTwos{256}(\ascii{Zcashivk}, x))$ must be
|
||||||
|
collision-resistant on a $512$-bit input $x$. Note that this
|
||||||
|
does not follow from collision-resistance of $\BlakeTwos{256}$
|
||||||
|
(and the best possible concrete security is that of a $251$-bit hash
|
||||||
|
rather than a $256$-bit hash), but it is a reasonable assumption
|
||||||
|
given the design and structure of $\BlakeTwosGeneric$.
|
||||||
|
}
|
||||||
|
|
||||||
|
\pnote{
|
||||||
|
The variable output digest length feature of $\BlakeTwosGeneric$ does
|
||||||
|
not support arbitrary bit lengths, otherwise that would have been
|
||||||
|
used rather than external truncation. However, the protocol-specific
|
||||||
|
personalization string together with truncation achieve essentially
|
||||||
|
the same effect as using that feature.
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
\introlist
|
\introlist
|
||||||
\nsubsubsubsection{Equihash Generator} \label{equihashgen}
|
\nsubsubsubsection{Equihash Generator} \label{equihashgen}
|
||||||
|
|
||||||
|
@ -6203,6 +6280,16 @@ Daira Hopwood, Sean Bowe, and Jack Grigg.
|
||||||
\introsection
|
\introsection
|
||||||
\nsection{Change History}
|
\nsection{Change History}
|
||||||
|
|
||||||
|
\subparagraph{2018.0-beta-8}
|
||||||
|
|
||||||
|
\begin{itemize}
|
||||||
|
\item No changes to \Sprout.
|
||||||
|
\sapling{
|
||||||
|
\item Add instantiation of $\CRHivk$.
|
||||||
|
}
|
||||||
|
\end{itemize}
|
||||||
|
|
||||||
|
\introlist
|
||||||
\subparagraph{2018.0-beta-7}
|
\subparagraph{2018.0-beta-7}
|
||||||
|
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
|
|