zec
/
zips
mirror of https://github.com/zcash/zips.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Cosmetics: use 'Of' macros. 

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2018-03-11 12:45:51 +00:00
parent 03918a759c
commit 96cfbe9232
1 changed files with 17 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
protocol/protocol.tex
View File

@ -1241,6 +1241,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ItoBEBSP}[1]{\mathsf{I2BEBSP}_{#1}}
\newcommand{\ItoLEOSPvar}{\mathsf{I2LEOSP_{var}}}
\newcommand{\LEOStoIP}[1]{\mathsf{LEOS2IP}_{#1}}
\newcommand{\LEOStoIPOf}[2]{\LEOStoIP{#1}\!\left({#2}\right)}
\newcommand{\LEBStoOSP}[1]{\mathsf{LEBS2OSP}_{#1}}
\newcommand{\LEBStoOSPOf}[2]{\LEBStoOSP{#1}\!\left({#2}\right)}
@ -3810,7 +3811,7 @@ BLAKE2 is defined by \cite{ANWW2013}.
\sapling{\Zcash uses both the $\BlakeTwobGeneric$ and $\BlakeTwosGeneric$
variants.}
$\BlakeTwob{\ell}(p, x)$ refers to unkeyed $\BlakeTwob{\ell}$
$\BlakeTwobOf{\ell}{p, x}$ refers to unkeyed $\BlakeTwob{\ell}$
in sequential mode, with an output digest length of $\ell/8$ bytes,
$16$-byte personalization string $p$, and input $x$.
@ -3834,7 +3835,7 @@ block.
\sapling{
\vspace{3ex}
$\BlakeTwos{\ell}(p, x)$ refers to unkeyed $\BlakeTwos{\ell}$
$\BlakeTwosOf{\ell}{p, x}$ refers to unkeyed $\BlakeTwos{\ell}$
in sequential mode, with an output digest length of $\ell/8$ bytes,
$8$-byte personalization string $p$, and input $x$.
@ -3943,7 +3944,7 @@ $\hSigCRH$ is used to compute the value $\hSig$ in \crossref{joinsplitdesc}.
\changed{
\begin{formulae}
\item $\hSigCRH(\RandomSeed, \nfOld{\allOld}, \joinSplitPubKey) := \BlakeTwob{256}(\ascii{ZcashComputehSig},\; \hSigInput)$
\item $\hSigCRH(\RandomSeed, \nfOld{\allOld}, \joinSplitPubKey) := \BlakeTwobOf{256}{\ascii{ZcashComputehSig},\; \hSigInput}$
\end{formulae}
where
@ -3952,10 +3953,10 @@ where
\end{formulae}
}
$\BlakeTwob{256}(p, x)$ is defined in \crossref{concreteblake2}.
$\BlakeTwobOf{256}{p, x}$ is defined in \crossref{concreteblake2}.
\securityrequirement{
$\BlakeTwob{256}(\ascii{ZcashComputehSig}, x)$ must be collision-resistant.
$\BlakeTwobOf{256}{\ascii{ZcashComputehSig}, x}$ must be collision-resistant on $x$.
}
@ -3982,7 +3983,7 @@ It is defined as follows:
\begin{formulae}
\item $\CRHivk(\AuthSignPublic, \AuthProvePublic) :=
\LEOStoIP{256}(\BlakeTwos{256}(\ascii{Zcashivk},\; \crhInput)) \bmod 2^{251}$
\LEOStoIPOf{256}{\BlakeTwosOf{256}{\ascii{Zcashivk},\; \crhInput}} \bmod 2^{251}$
\end{formulae}
where
@ -3991,12 +3992,12 @@ where
\end{formulae}
\vspace{2ex}
$\BlakeTwos{256}(p, x)$ refers to unkeyed $\BlakeTwos{256}$
$\BlakeTwosOf{256}{p, x}$ refers to unkeyed $\BlakeTwos{256}$
\cite{ANWW2013} in sequential mode, with an output digest length of
$32$ bytes, $8$-byte personalization string $p$, and input $x$.
\securityrequirement{
$\LEOStoIP{256}(\BlakeTwos{256}(\ascii{Zcashivk}, x)) \bmod 2^{251}$
$\LEOStoIPOf{256}{\BlakeTwosOf{256}{\ascii{Zcashivk}, x}} \bmod 2^{251}$
must be collision-resistant on a $512$-bit input $x$. Note that this
does not follow from collision-resistance of $\BlakeTwos{256}$
(and the best possible concrete security is that of a $251$-bit hash
@ -4206,15 +4207,15 @@ Let $\EquihashGen{n, k}(S, i) := T_\barerange{h+1}{h+n}$, where
\begin{formulae}
\item $m := \floor{\frac{512}{n}}$;
\item $h := (i-1 \bmod m) \mult n$;
\item $T := \BlakeTwob{(\mathnormal{n \mult m})}(\powtag,\, S \bconcat \powcount(\floor{\frac{i-1}{m}}))$.
\item $T := \BlakeTwobOf{(\mathnormal{n \mult m})}{\powtag,\, S \bconcat \powcount(\floor{\frac{i-1}{m}})}$.
\end{formulae}
Indices of bits in $T$ are 1-based.
$\BlakeTwob{\ell}(p, x)$ is defined in \crossref{concreteblake2}.
$\BlakeTwobOf{\ell}{p, x}$ is defined in \crossref{concreteblake2}.
\securityrequirement{
$\BlakeTwob{\ell}(\powtag, x)$ must generate output that is sufficiently
$\BlakeTwobOf{\ell}{\powtag, x}$ must generate output that is sufficiently
unpredictable to avoid short-cuts to the Equihash solution process.
It would suffice to model it as a random oracle.
}
@ -4508,7 +4509,7 @@ using $\BlakeTwob{256}$ as follows:
\begin{formulae}
\item $\KDFSprout(i, \hSig, \DHSecret{i}, \EphemeralPublic, \TransmitPublicNew{i}) :=
\BlakeTwob{256}(\kdftag, \kdfinput)$
\BlakeTwobOf{256}{\kdftag, \kdfinput}$
\end{formulae}
\introlist
where:
@ -4518,7 +4519,7 @@ where:
\end{formulae}
}
$\BlakeTwob{256}(p, x)$ is defined in \crossref{concreteblake2}.
$\BlakeTwobOf{256}{p, x}$ is defined in \crossref{concreteblake2}.
\sapling{
@ -4552,7 +4553,7 @@ is instantiated using $\BlakeTwob{256}$ as follows:
\begin{formulae}
\item $\KDFSapling(\OutputIndex, \DHSecret{}, \EphemeralPublic) :=
\BlakeTwob{256}(\ascii{Zcash\_SaplingKDF}, \kdfinput)$.
\BlakeTwobOf{256}{\ascii{Zcash\_SaplingKDF}, \kdfinput}$.
\end{formulae}
\introlist
where:
@ -4560,7 +4561,7 @@ where:
\item $\kdfinput := \Justthebox{\kdfsaplinginputbox}$.
\end{formulae}
$\BlakeTwob{256}(p, x)$ is defined in \crossref{concreteblake2}.
$\BlakeTwobOf{256}{p, x}$ is defined in \crossref{concreteblake2}.
} %sapling
@ -5148,7 +5149,7 @@ The hash $\GroupJHash{\CRS}(D, M)$ is calculated as follows:
\end{lrbox}
\begin{formulae}
\item $\Justthebox{\ghintbox} := \BlakeTwos{256}(D,\, \CRS \bconcat\, M)$
\item $\Justthebox{\ghintbox} := \BlakeTwosOf{256}{D,\, \CRS \bconcat\, M}$
\item $P := \abstJOf{p}$
\item If $P = \bot$ then return $\bot$.
\item $Q := \scalarmult{8}{P}$