zec
/
zips
mirror of https://github.com/zcash/zips.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Clarify why BLAKE2b-l is different from truncated BLAKE2b-512. 

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2016-09-26 17:05:28 +01:00
parent 7e9e88b5e5
commit 979d10a4c7
1 changed files with 14 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
protocol/protocol.tex
View File

@ -1987,10 +1987,11 @@ where
}
$\Blake{256}(p, x)$ refers to unkeyed $\Blake{256}$
\cite{ANWW2013}\cite{RFC-7693} in sequential mode, with an output
\cite{ANWW2013} in sequential mode, with an output
digest length of $32$ bytes, 16-byte personalization string $p$,
and input $x$. This is not the same as $\Blake{512}$ truncated to
$256$ bits.
$256$ bits, because the digest length is encoded in the parameter
block.
\securityrequirement{
$\Blake{256}(\ascii{ZcashComputehSig}, x)$ must be collision-resistant.
@ -2033,10 +2034,11 @@ Let $\EquihashGen{n, k}(S, i) := T_{h+1\hairspace..\hairspace h+n}$, where
Indices of bits in $T$ are 1-based.
$\Blake{\ell}(p, x)$ refers to unkeyed $\Blake{\ell}$
\cite{ANWW2013}\cite{RFC-7693} in sequential mode, with an output
\cite{ANWW2013} in sequential mode, with an output
digest length of $\ell/8$ bytes, 16-byte personalization string $p$,
and input $x$. This is not the same as $\Blake{512}$ truncated to
$\ell$ bits.
$\ell$ bits, because the digest length is encoded in the parameter
block.
\securityrequirement{
$\Blake{\ell}(\powtag, x)$ must generate output that is sufficiently
@ -2231,6 +2233,13 @@ where:
\hskip 1.5em $\kdfinput := \Justthebox{\kdfinputbox}$.
}
$\Blake{256}(p, x)$ refers to unkeyed $\Blake{256}$
\cite{ANWW2013} in sequential mode, with an output
digest length of $32$ bytes, 16-byte personalization string $p$,
and input $x$. This is not the same as $\Blake{512}$ truncated to
$256$ bits, because the digest length is encoded in the parameter
block.
\nsubsubsection{Signatures} \label{concretesig}
$\JoinSplitSig$ is specified in \crossref{abstractsig}.
@ -3547,6 +3556,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in
\item Correct the number of bytes in the encoding of $\solutionSize$.
\item Update the section on encoding of \transparent addresses.
(The precise prefixes are not decided yet.)
\item Clarify why $\Blake{\ell}$ is different from truncated $\Blake{512}$.
\item Add a paragraph about key length in \crossref{inbandrationale}.
\end{itemize}