ZIP 215: minor clarifications.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2020-06-05 16:10:28 +01:00
parent 0a773f1b50
commit 99a55bf3c9
2 changed files with 27 additions and 12 deletions


@ -15,7 +15,7 @@ Category: Consensus
Created: 2020-04-27
License: BSD-2-Clause</pre>
<section id="terminology"><h2><span class="section-heading">Terminology</span><span class="section-anchor"> <a href="#terminology"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>The key word "MUST" in this document is to be interpreted as described in RFC 2119. <a id="id1" class="footnote_reference" href="#rfc2119">1</a></p>
<p>The key words "MUST" and "MUST NOT" in this document is to be interpreted as described in RFC 2119. <a id="id1" class="footnote_reference" href="#rfc2119">1</a></p>
</section>
<section id="abstract"><h2><span class="section-heading">Abstract</span><span class="section-anchor"> <a href="#abstract"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>Zcash uses Ed25519 signatures as part of Sprout transactions. However, Ed25519 does not clearly define criteria for signature validity, and implementations conformant to RFC 8032 <a id="id2" class="footnote_reference" href="#rfc8032">2</a> need not agree on whether signatures are valid. This is unacceptable for a consensus-critical application like Zcash. Currently, Zcash inherits criteria for signature verification from an obsolete version of <cite>libsodium</cite>. Instead, this ZIP settles the situation by explicitly defining the Ed25519 verification criteria and changing them to be compatible with batch verification.</p>
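Review bot: the rewritten Terminology paragraph in this hunk has a subject-verb disagreement: with the plural subject 'The key words "MUST" and "MUST NOT"', the sentence should read "are to be interpreted as described in RFC 2119", not "is to be interpreted". Since this is the rendered HTML, the fix belongs in the reStructuredText source, with this file regenerated from it.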
@ -33,17 +33,25 @@ License: BSD-2-Clause</pre>
<span class="math">\(\underline{A}\)</span>
and
<span class="math">\(\underline{R}\)</span>
MUST be encodings of a point on the Edwards form of Curve25519;</li>
MUST be encodings of points
<span class="math">\(A\)</span>
and
<span class="math">\(R\)</span>
respectively on the Edwards form of Curve25519;</li>
<li>
<span class="math">\(\underline{S}\)</span>
MUST represent an integer less than
MUST represent an integer
<span class="math">\(S\)</span>
less than
<span class="math">\(\ell\)</span>
;</li>
<li>The group equation
<span class="math">\([8][s]B = [8]R + [8][k]A\)</span>
<span class="math">\([8][S]B = [8]R + [8][k]A\)</span>
MUST be satisfied, where
<span class="math">\(k\)</span>
is defined as in RFC 8032 §5.1.7. <a id="id5" class="footnote_reference" href="#rfc8032">2</a></li>
and
<span class="math">\(B\)</span>
are defined as in RFC 8032 sections §5.1.7 and §5.1 respectively. <a id="id5" class="footnote_reference" href="#rfc8032">2</a></li>
</ul>
<p>The language about <cite>ExcludedPointEncodings</cite> in §5.4.5 of the Zcash specification no longer applies.</p>
<p>It is <em>not</em> required that
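Review bot: in the last bullet of this hunk, "RFC 8032 sections §5.1.7 and §5.1" doubles the section marker; either "RFC 8032 §5.1.7 and §5.1 respectively" or "RFC 8032 sections 5.1.7 and 5.1 respectively" reads cleanly. The rest of the hunk is a clear improvement: naming the decoded values A, R and S makes the group equation unambiguous, and changing [s] to [S] removes a variable the text never defined.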
@ -55,6 +63,9 @@ License: BSD-2-Clause</pre>
-coordinate of the points may be unreduced modulo
<span class="math">\(2^{255}-19\)</span>
.</p>
<p>Note: the alternate verification equation
<span class="math">\([S]B = R + [k]A\)</span>
, allowed by RFC 8032, MUST NOT be used.</p>
</section>
<section id="rationale"><h2><span class="section-heading">Rationale</span><span class="section-anchor"> <a href="#rationale"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
<p>This change simplifies the Ed25519 validation logic and reduces future maintenance burden. Because multiplication by the cofactor admits more solutions to the verification equation, not fewer, it is compatible with all existing Ed25519 signatures on the chain.</p>
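Review bot: the added paragraph labels a normative requirement as a "Note:"; a sentence carrying MUST NOT should be a rule in the preceding list rather than a note, since notes are conventionally informative. Suggest moving it into the bulleted rules, e.g. "The alternate verification equation [S]B = R + [k]A permitted by RFC 8032 MUST NOT be used", so that an implementer checking conformance against the list alone does not miss it.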


@ -12,8 +12,8 @@
Terminology
===========
The key word "MUST" in this document is to be interpreted as described in
RFC 2119. [#RFC2119]_
The key words "MUST" and "MUST NOT" in this document is to be interpreted as described
in RFC 2119. [#RFC2119]_
Abstract
========
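Review bot: the same agreement error as in the rendered HTML hunk above: "The key words ... is to be interpreted" should be "are to be interpreted". While touching these lines, keeping the wrap at the original width would help, since "is to be interpreted as described" now runs past the neighbouring lines.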
@ -56,11 +56,12 @@ Specification
After activation of this ZIP, the :math:`\mathsf{JoinSplitSig}` validation rules
in §5.4.5 of the protocol specification [#protocol]_ are changed to the following:
- :math:`\underline{A}` and :math:`\underline{R}` MUST be encodings of a point
on the Edwards form of Curve25519;
- :math:`\underline{S}` MUST represent an integer less than :math:`\ell`;
- The group equation :math:`[8][s]B = [8]R + [8][k]A` MUST be satisfied, where
:math:`k` is defined as in RFC 8032 §5.1.7. [#RFC8032]_
- :math:`\underline{A}` and :math:`\underline{R}` MUST be encodings of points
:math:`A` and :math:`R` respectively on the Edwards form of Curve25519;
- :math:`\underline{S}` MUST represent an integer :math:`S` less than :math:`\ell`;
- The group equation :math:`[8][S]B = [8]R + [8][k]A` MUST be satisfied, where
:math:`k` and :math:`B` are defined as in RFC 8032 sections §5.1.7 and §5.1
respectively. [#RFC8032]_
The language about `ExcludedPointEncodings` in §5.4.5 of the Zcash
specification no longer applies.
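Review bot: "RFC 8032 sections §5.1.7 and §5.1" in the last bullet repeats the section marker; drop either "sections" or the "§" signs. This reStructuredText is the source the HTML is generated from, so this is the line to fix, and the rendered hunk above will follow on regeneration.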
@ -69,6 +70,9 @@ It is *not* required that :math:`\underline{A}` and :math:`\underline{R}`
are canonical encodings; in other words, the integer encoding the
:math:`y`-coordinate of the points may be unreduced modulo :math:`2^{255}-19`.
Note: the alternate verification equation :math:`[S]B = R + [k]A`, allowed
by RFC 8032, MUST NOT be used.
Rationale
=========
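Review bot: the new note states the prohibition but not its consequence; given the Rationale's point that cofactor multiplication admits more solutions, not fewer, a verifier using [S]B = R + [k]A can reject signatures that the consensus rule [8][S]B = [8]R + [8][k]A accepts, which is exactly the divergence this ZIP sets out to remove. A half-sentence saying so, or a cross-reference to the Rationale, would make the MUST NOT self-explanatory to implementers.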