The arguments to Curve25519 multiplication were consistently the wrong way round.

Also, add the base point argument to the computation of pk_enc from sk_enc.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2016-02-27 21:12:50 +00:00
parent c6ec1e0e07
commit 9611e0b35b
1 changed files with 9 additions and 7 deletions

@ -139,6 +139,7 @@
\newcommand{\hSigInputVersionByte}{\mathbf{0xF1}}
\newcommand{\Memo}{\mathsf{memo}}
\newcommand{\CurveMultiply}{\mathsf{Curve25519}}
\newcommand{\CurveBase}{\underline{9}}
\newcommand{\DecryptCoin}{\mathtt{DecryptCoin}}
\newcommand{\Plaintext}{\mathbf{P}}
\newcommand{\Ciphertext}{\mathbf{C}}
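Review bot: the new macro `\CurveBase` is defined as the bare notation `\underline{9}`, which is opaque to a reader of the preamble; only the later "where" sentence explains that it denotes the public base-point string from \cite{Curve25519}. Suggest a one-line LaTeX comment beside the definition, e.g. `\newcommand{\CurveBase}{\underline{9}} % base point string, see \cite{Curve25519}`, so the macro is self-describing where it is defined.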
@ -449,12 +450,13 @@ derived as follows:
\DiscloseKey &:= \Trailing{252}(\PRFaddr{\AuthPrivate}(0)) & \hspace{30em} \\
\AuthPublic &:= \PRFaddr{\DiscloseKey}(1) & \\
\TransmitPrivate &:= \Clamp(\PRFaddr{\AuthPrivate}(2)) & \\
\TransmitPublic &:= \CurveMultiply(\TransmitPrivate)
\TransmitPublic &:= \CurveMultiply(\TransmitPrivate, \CurveBase)
\end{aligned}
\end{equation*}
where $\Clamp$ performs the clamping of Curve25519 private key bits, and
$\CurveMultiply$ performs point multiplication, both as defined in \cite{Curve25519}.
where $\Clamp$ performs the clamping of Curve25519 private key bits,
$\CurveMultiply$ performs point multiplication, and $\CurveBase$ is the
public string representing a base point, all as defined in \cite{Curve25519}.
}
Users can accept payment from multiple parties with a single
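Review bot: the replacement line `\TransmitPublic &:= \CurveMultiply(\TransmitPrivate, \CurveBase)` now puts the secret scalar first and the point second, which is the order the Curve25519 function is defined with in \cite{Curve25519}, and the rewritten "where" sentence correctly introduces the new `\CurveBase` symbol alongside `\Clamp` and `\CurveMultiply`. One style nit: the three rows above it in the `aligned` environment end with `&` (the first with `& \hspace{30em}`), while this last row has no trailing `&`; appending `&` keeps the column structure uniform even though the final row renders either way.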
@ -928,8 +930,8 @@ Then to encrypt:
$(\EphemeralPublic, \EphemeralPrivate)$, and a new $\SymSpecific$ key $\SharedKey{}$.
\item For $i$ in $\{1..\NNew\}$,
\begin{itemize}
\item Let $\DHSecret{i} := \CurveMultiply(\TransmitPublicNew{i},
\EphemeralPrivate)$.
\item Let $\DHSecret{i} := \CurveMultiply(\EphemeralPrivate,
\TransmitPublicNew{i})$.
\item Let $\TransmitKey{i} := \KDF(\DHSecret{i}, \EphemeralPublic,
\TransmitPublicNew{i}, i)$.
\item Let $\TransmitCiphertext{i} :=
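Review bot: `\DHSecret{i} := \CurveMultiply(\EphemeralPrivate, \TransmitPublicNew{i})` now uses the same scalar-first order as the key-derivation hunk above, so the encryption step reads as "ephemeral secret scalar times recipient public point", which is what the subsequent `\KDF(\DHSecret{i}, \EphemeralPublic, \TransmitPublicNew{i}, i)` call expects as its first input. No further change needed here.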
@ -957,7 +959,7 @@ will attempt to decrypt that ciphertext component as follows:
\changed{
\begin{itemize}
\item Let $\DHSecret{i} := \CurveMultiply(\EphemeralPublic, \TransmitPrivate)$.
\item Let $\DHSecret{i} := \CurveMultiply(\TransmitPrivate, \EphemeralPublic)$.
\item Let $\TransmitKey{i} := \KDF(\DHSecret{i}, \EphemeralPublic,
\TransmitPublicNew{i}, i)$.
\item Return $\DecryptCoin(\TransmitKey{i}, \TransmitCiphertext{i}, \cmNew{i}).$
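Review bot: on the decryption side `\DHSecret{i} := \CurveMultiply(\TransmitPrivate, \EphemeralPublic)` is the mirror image of the encryption computation (recipient's secret scalar times the sender's ephemeral public point), and both orderings are now scalar-then-point, so the two sides derive the same Diffie-Hellman secret and the same `\TransmitKey{i}` from the unchanged `\KDF` inputs. Good that this block sits inside `\changed{...}` so the spec diff is visible to readers.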
@ -1017,7 +1019,7 @@ and $\EphemeralPrivate$ from $\SharedPlaintext{}$.
\begin{itemize}
\item Let $\CoinPlaintext{i} :=
\DecryptCoin(\TransmitKey{i}, \TransmitCiphertext{i}, \cmNew{i})$.
\item Let $\DHSecret{i} := \CurveMultiply(\TransmitPublicNew{i}, \EphemeralPrivate)$.
\item Let $\DHSecret{i} := \CurveMultiply(\EphemeralPrivate, \TransmitPublicNew{i})$.
\item Let $\TransmitKeyCompare{i} := \KDF(\DHSecret{i}, \EphemeralPublic,
\TransmitPublicNew{i}, i)$.
\item If $\CoinPlaintext{i} \neq \bot$ and
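Review bot: the recomputation `\DHSecret{i} := \CurveMultiply(\EphemeralPrivate, \TransmitPublicNew{i})` matches the encryption hunk exactly, so `\TransmitKeyCompare{i}` is derived from the same inputs as the original `\TransmitKey{i}` and the comparison that follows is meaningful; with this hunk all four call sites of `\CurveMultiply` in the patch agree on the scalar-first convention stated in the commit message.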