diff --git a/zip-0215.html b/zip-0215.html index f8c588eb..68804485 100644 --- a/zip-0215.html +++ b/zip-0215.html @@ -15,7 +15,7 @@ Category: Consensus Created: 2020-04-27 License: BSD-2-Clause

Terminology

-

The key word "MUST" in this document is to be interpreted as described in RFC 2119. 1

+

The key words "MUST" and "MUST NOT" in this document is to be interpreted as described in RFC 2119. 1

Abstract

Zcash uses Ed25519 signatures as part of Sprout transactions. However, Ed25519 does not clearly define criteria for signature validity, and implementations conformant to RFC 8032 2 need not agree on whether signatures are valid. This is unacceptable for a consensus-critical application like Zcash. Currently, Zcash inherits criteria for signature verification from an obsolete version of libsodium. Instead, this ZIP settles the situation by explicitly defining the Ed25519 verification criteria and changing them to be compatible with batch verification.
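Review bot: subject-verb agreement in the added Terminology line: 'The key words "MUST" and "MUST NOT" in this document is to be interpreted' should read 'are to be interpreted', since the subject became plural in this change. The same sentence is added in the .rst hunk below and needs the same correction so the two renderings stay in sync.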

@@ -33,17 +33,25 @@ License: BSD-2-Clause \(\underline{A}\) and \(\underline{R}\) - MUST be encodings of a point on the Edwards form of Curve25519; + MUST be encodings of points + \(A\) + and + \(R\) + respectively on the Edwards form of Curve25519;
  • \(\underline{S}\) - MUST represent an integer less than + MUST represent an integer + \(S\) + less than \(\ell\) ;
  • The group equation - \([8][s]B = [8]R + [8][k]A\) + \([8][S]B = [8]R + [8][k]A\) MUST be satisfied, where \(k\) - is defined as in RFC 8032 §5.1.7. 2
  • + and + \(B\) + are defined as in RFC 8032 sections §5.1.7 and §5.1 respectively. 2

    The language about ExcludedPointEncodings in §5.4.5 of the Zcash specification no longer applies.

    It is not required that @@ -55,6 +63,9 @@ License: BSD-2-Clause -coordinate of the points may be unreduced modulo \(2^{255}-19\) .

    +

    Note: the alternate verification equation + \([S]B = R + [k]A\) + , allowed by RFC 8032, MUST NOT be used.

    Rationale

    This change simplifies the Ed25519 validation logic and reduces future maintenance burden. Because multiplication by the cofactor admits more solutions to the verification equation, not fewer, it is compatible with all existing Ed25519 signatures on the chain.
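Review bot: in the third bullet of the specification hunk, 'RFC 8032 sections §5.1.7 and §5.1 respectively' doubles the section marker; suggest 'are defined as in RFC 8032 §5.1.7 and §5.1 respectively'. Since the hunk now cites RFC 8032 for \(k\) and \(B\), the first bullet would benefit from citing the point-decoding procedure (RFC 8032 §5.1.3) as well, with a pointer to the paragraph below that relaxes its canonical-encoding requirement; otherwise the reader has to guess which decoding rule 'encodings of points \(A\) and \(R\)' refers to. The change from \([s]\) to \([S]\) in the group equation correctly matches the newly named integer \(S\).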
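Review bot: the added paragraph carries a normative 'MUST NOT' but is labelled 'Note:', which readers will take as informative; either make it a fourth bullet in the requirements list above or drop the 'Note:' prefix. It would also help to state the reason, which the Rationale below already implies: the cofactored equation \([8][S]B = [8]R + [8][k]A\) admits more solutions than \([S]B = R + [k]A\), so a verifier using the unmultiplied form would reject some signatures that consensus accepts, and that is a consensus split rather than a stricter check.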

    diff --git a/zip-0215.rst b/zip-0215.rst index 156812e2..fd867117 100644 --- a/zip-0215.rst +++ b/zip-0215.rst @@ -12,8 +12,8 @@ Terminology =========== -The key word "MUST" in this document is to be interpreted as described in -RFC 2119. [#RFC2119]_ +The key words "MUST" and "MUST NOT" in this document is to be interpreted as described +in RFC 2119. [#RFC2119]_ Abstract ======== @@ -56,11 +56,12 @@ Specification After activation of this ZIP, the :math:`\mathsf{JoinSplitSig}` validation rules in §5.4.5 of the protocol specification [#protocol]_ are changed to the following: -- :math:`\underline{A}` and :math:`\underline{R}` MUST be encodings of a point - on the Edwards form of Curve25519; -- :math:`\underline{S}` MUST represent an integer less than :math:`\ell`; -- The group equation :math:`[8][s]B = [8]R + [8][k]A` MUST be satisfied, where - :math:`k` is defined as in RFC 8032 §5.1.7. [#RFC8032]_ +- :math:`\underline{A}` and :math:`\underline{R}` MUST be encodings of points + :math:`A` and :math:`R` respectively on the Edwards form of Curve25519; +- :math:`\underline{S}` MUST represent an integer :math:`S` less than :math:`\ell`; +- The group equation :math:`[8][S]B = [8]R + [8][k]A` MUST be satisfied, where + :math:`k` and :math:`B` are defined as in RFC 8032 sections §5.1.7 and §5.1 + respectively. [#RFC8032]_ The language about `ExcludedPointEncodings` in §5.4.5 of the Zcash specification no longer applies. @@ -69,6 +70,9 @@ It is *not* required that :math:`\underline{A}` and :math:`\underline{R}` are canonical encodings; in other words, the integer encoding the :math:`y`-coordinate of the points may be unreduced modulo :math:`2^{255}-19`. +Note: the alternate verification equation :math:`[S]B = R + [k]A`, allowed +by RFC 8032, MUST NOT be used. + Rationale =========
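Review bot: the .rst hunk reproduces both wording problems from the HTML hunks: 'The key words "MUST" and "MUST NOT" in this document is to be interpreted' (should be 'are'), and the doubled marker in 'RFC 8032 sections §5.1.7 and §5.1'. Fix them here too, and consider whether the new 'Note: the alternate verification equation ... MUST NOT be used' paragraph should instead be a bullet in the requirements list, so that the normative statement is not hidden in a note in either file.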