The arguments to Curve25519 multiplication were consistently the wrong way round.
Also, add the base point argument to the computation of pk_enc from sk_enc. Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
c6ec1e0e07
commit
9611e0b35b
|
@ -139,6 +139,7 @@
|
|||
\newcommand{\hSigInputVersionByte}{\mathbf{0xF1}}
|
||||
\newcommand{\Memo}{\mathsf{memo}}
|
||||
\newcommand{\CurveMultiply}{\mathsf{Curve25519}}
|
||||
\newcommand{\CurveBase}{\underline{9}}
|
||||
\newcommand{\DecryptCoin}{\mathtt{DecryptCoin}}
|
||||
\newcommand{\Plaintext}{\mathbf{P}}
|
||||
\newcommand{\Ciphertext}{\mathbf{C}}
|
||||
|
@ -449,12 +450,13 @@ derived as follows:
|
|||
\DiscloseKey &:= \Trailing{252}(\PRFaddr{\AuthPrivate}(0)) & \hspace{30em} \\
|
||||
\AuthPublic &:= \PRFaddr{\DiscloseKey}(1) & \\
|
||||
\TransmitPrivate &:= \Clamp(\PRFaddr{\AuthPrivate}(2)) & \\
|
||||
\TransmitPublic &:= \CurveMultiply(\TransmitPrivate)
|
||||
\TransmitPublic &:= \CurveMultiply(\TransmitPrivate, \CurveBase)
|
||||
\end{aligned}
|
||||
\end{equation*}
|
||||
|
||||
where $\Clamp$ performs the clamping of Curve25519 private key bits, and
|
||||
$\CurveMultiply$ performs point multiplication, both as defined in \cite{Curve25519}.
|
||||
where $\Clamp$ performs the clamping of Curve25519 private key bits,
|
||||
$\CurveMultiply$ performs point multiplication, and $\CurveBase$ is the
|
||||
public string representing a base point, all as defined in \cite{Curve25519}.
|
||||
}
|
||||
|
||||
Users can accept payment from multiple parties with a single
|
||||
|
@ -928,8 +930,8 @@ Then to encrypt:
|
|||
$(\EphemeralPublic, \EphemeralPrivate)$, and a new $\SymSpecific$ key $\SharedKey{}$.
|
||||
\item For $i$ in $\{1..\NNew\}$,
|
||||
\begin{itemize}
|
||||
\item Let $\DHSecret{i} := \CurveMultiply(\TransmitPublicNew{i},
|
||||
\EphemeralPrivate)$.
|
||||
\item Let $\DHSecret{i} := \CurveMultiply(\EphemeralPrivate,
|
||||
\TransmitPublicNew{i})$.
|
||||
\item Let $\TransmitKey{i} := \KDF(\DHSecret{i}, \EphemeralPublic,
|
||||
\TransmitPublicNew{i}, i)$.
|
||||
\item Let $\TransmitCiphertext{i} :=
|
||||
|
@ -957,7 +959,7 @@ will attempt to decrypt that ciphertext component as follows:
|
|||
|
||||
\changed{
|
||||
\begin{itemize}
|
||||
\item Let $\DHSecret{i} := \CurveMultiply(\EphemeralPublic, \TransmitPrivate)$.
|
||||
\item Let $\DHSecret{i} := \CurveMultiply(\TransmitPrivate, \EphemeralPublic)$.
|
||||
\item Let $\TransmitKey{i} := \KDF(\DHSecret{i}, \EphemeralPublic,
|
||||
\TransmitPublicNew{i}, i)$.
|
||||
\item Return $\DecryptCoin(\TransmitKey{i}, \TransmitCiphertext{i}, \cmNew{i}).$
|
||||
|
@ -1017,7 +1019,7 @@ and $\EphemeralPrivate$ from $\SharedPlaintext{}$.
|
|||
\begin{itemize}
|
||||
\item Let $\CoinPlaintext{i} :=
|
||||
\DecryptCoin(\TransmitKey{i}, \TransmitCiphertext{i}, \cmNew{i})$.
|
||||
\item Let $\DHSecret{i} := \CurveMultiply(\TransmitPublicNew{i}, \EphemeralPrivate)$.
|
||||
\item Let $\DHSecret{i} := \CurveMultiply(\EphemeralPrivate, \TransmitPublicNew{i})$.
|
||||
\item Let $\TransmitKeyCompare{i} := \KDF(\DHSecret{i}, \EphemeralPublic,
|
||||
\TransmitPublicNew{i}, i)$.
|
||||
\item If $\CoinPlaintext{i} \neq \bot$ and
|
||||
|
|
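Review bot: The definition text in the hunk at line 449 ("$\CurveMultiply$ performs point multiplication") still does not say which argument is the scalar, so the argument order this commit fixes at the four call sites is only implied by those call sites. A sentence after the reference to \cite{Curve25519}, e.g. `$\CurveMultiply(n, q)$ takes the secret scalar $n$ first and the point $q$ (as a 32-byte string) second, following the argument order of \cite{Curve25519},` would pin the convention in one place. The decryption step in the hunk at line 957 computes $\DHSecret{i}$ from a sender-supplied $\EphemeralPublic$, and the text does not say whether an all-zero result (which Curve25519 can yield for low-order inputs) is rejected or passed on to $\KDF$; it seems worth stating either way. The `\changed{` block and the itemize environments in that hunk continue outside the hunk.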