Clarify why BLAKE2b-l is different from truncated BLAKE2b-512.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2016-09-26 17:05:28 +01:00
parent 7e9e88b5e5
commit 979d10a4c7
1 changed files with 14 additions and 4 deletions

@ -1987,10 +1987,11 @@ where
} }
$\Blake{256}(p, x)$ refers to unkeyed $\Blake{256}$ $\Blake{256}(p, x)$ refers to unkeyed $\Blake{256}$
\cite{ANWW2013}\cite{RFC-7693} in sequential mode, with an output \cite{ANWW2013} in sequential mode, with an output
digest length of $32$ bytes, 16-byte personalization string $p$, digest length of $32$ bytes, 16-byte personalization string $p$,
and input $x$. This is not the same as $\Blake{512}$ truncated to and input $x$. This is not the same as $\Blake{512}$ truncated to
$256$ bits. $256$ bits, because the digest length is encoded in the parameter
block.
\securityrequirement{ \securityrequirement{
$\Blake{256}(\ascii{ZcashComputehSig}, x)$ must be collision-resistant. $\Blake{256}(\ascii{ZcashComputehSig}, x)$ must be collision-resistant.
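Review bot: The citation line in this hunk goes from "\cite{ANWW2013}\cite{RFC-7693}" to "\cite{ANWW2013}" alone, and neither the commit message nor the change-history item mentions that. If the RFC reference is being dropped on purpose, say so in the commit message. Since \cite{ANWW2013} is then the only reference left for the parameter block that the new clause relies on, it would also help to point at the part of that paper where the parameter block is defined.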
@ -2033,10 +2034,11 @@ Let $\EquihashGen{n, k}(S, i) := T_{h+1\hairspace..\hairspace h+n}$, where
Indices of bits in $T$ are 1-based. Indices of bits in $T$ are 1-based.
$\Blake{\ell}(p, x)$ refers to unkeyed $\Blake{\ell}$ $\Blake{\ell}(p, x)$ refers to unkeyed $\Blake{\ell}$
\cite{ANWW2013}\cite{RFC-7693} in sequential mode, with an output \cite{ANWW2013} in sequential mode, with an output
digest length of $\ell/8$ bytes, 16-byte personalization string $p$, digest length of $\ell/8$ bytes, 16-byte personalization string $p$,
and input $x$. This is not the same as $\Blake{512}$ truncated to and input $x$. This is not the same as $\Blake{512}$ truncated to
$\ell$ bits. $\ell$ bits, because the digest length is encoded in the parameter
block.
\securityrequirement{ \securityrequirement{
$\Blake{\ell}(\powtag, x)$ must generate output that is sufficiently $\Blake{\ell}(\powtag, x)$ must generate output that is sufficiently
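Review bot: The clause added to the "This is not the same as $\Blake{512}$ truncated to $\ell$ bits" sentence stops one step short of the reason. Encoding the digest length in the parameter block matters because the parameter block is XORed into the initial hash state, so $\Blake{\ell}$ and $\Blake{512}$ start from different states and the shorter digest is not a prefix of the longer one. Suggest extending the clause along the lines of "because the digest length is encoded in the parameter block, which determines the initial hash state".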
@ -2231,6 +2233,13 @@ where:
\hskip 1.5em $\kdfinput := \Justthebox{\kdfinputbox}$. \hskip 1.5em $\kdfinput := \Justthebox{\kdfinputbox}$.
} }
$\Blake{256}(p, x)$ refers to unkeyed $\Blake{256}$
\cite{ANWW2013} in sequential mode, with an output
digest length of $32$ bytes, 16-byte personalization string $p$,
and input $x$. This is not the same as $\Blake{512}$ truncated to
$256$ bits, because the digest length is encoded in the parameter
block.
\nsubsubsection{Signatures} \label{concretesig} \nsubsubsection{Signatures} \label{concretesig}
$\JoinSplitSig$ is specified in \crossref{abstractsig}. $\JoinSplitSig$ is specified in \crossref{abstractsig}.
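Review bot: The paragraph added after the $\kdfinput$ definition is a third verbatim copy of the $\Blake{256}(p, x)$ text edited in the first hunk (and of the $\Blake{\ell}(p, x)$ text in the second, apart from the length), so any later correction to the wording or the citation has to be made in three places. Consider defining $\Blake{\ell}(p, x)$ once, or in a macro, and referring to it from here with \crossref.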
@ -3547,6 +3556,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in
\item Correct the number of bytes in the encoding of $\solutionSize$. \item Correct the number of bytes in the encoding of $\solutionSize$.
\item Update the section on encoding of \transparent addresses. \item Update the section on encoding of \transparent addresses.
(The precise prefixes are not decided yet.) (The precise prefixes are not decided yet.)
\item Clarify why $\Blake{\ell}$ is different from truncated $\Blake{512}$.
\item Add a paragraph about key length in \crossref{inbandrationale}. \item Add a paragraph about key length in \crossref{inbandrationale}.
\end{itemize} \end{itemize}