ZIP 32: correction for seeds longer than 32 bytes. refs https://github.com/zcash/zcash/issues/4641

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-07-29 20:02:01 +01:00 · 2020-07-29 20:02:01 +01:00 · 9a6aa31d93
parent 60db5fe85d
commit 9a6aa31d93
2 changed files with 8 additions and 10 deletions
--- a/zip-0032.html
+++ b/zip-0032.html
@ -229,7 +229,7 @@ License: MIT</pre>
            <section id="sapling-master-key-generation"><h3><span class="section-heading">Sapling master key generation</span><span class="section-anchor"> <a rel="bookmark" href="#sapling-master-key-generation"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
                <p>Let
                    <span class="math">\(S\)</span>
-                 be a seed byte sequence of a chosen length, which MUST be at least 32 bytes.</p>
+                 be a seed byte sequence of a chosen length, which MUST be at least 32 and at most 253 bytes.</p>
                <ul>
                    <li>Calculate
                        <span class="math">\(I = \mathsf{BLAKE2b}\text{-}\mathsf{512}(\texttt{“ZcashIP32Sapling”}, S)\)</span>
@ -470,7 +470,7 @@ License: MIT</pre>
            <section id="sprout-master-key-generation"><h3><span class="section-heading">Sprout master key generation</span><span class="section-anchor"> <a rel="bookmark" href="#sprout-master-key-generation"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h3>
                <p>Let
                    <span class="math">\(S\)</span>
-                 be a seed byte sequence of a chosen length, which MUST be at least 32 bytes.</p>
+                 be a seed byte sequence of a chosen length, which MUST be at least 32 and at most 253 bytes.</p>
                <ul>
                    <li>Calculate
                        <span class="math">\(I = \mathsf{BLAKE2b}\text{-}\mathsf{512}(\texttt{“ZcashIP32_Sprout”}, S)\)</span>
@ -625,14 +625,12 @@ License: MIT</pre>
                <ul>
                    <li>
                        <span class="math">\(\mathsf{BLAKE2b}\text{-}\mathsf{256}(\texttt{“Zcash_HD_Seed_FP”},\)</span>
-                        <span class="math">\([\texttt{0x20}]\,||\,S)\)</span>
+                        <span class="math">\([\mathsf{length}(S)]\,||\,S)\)</span>
                    .</li>
                </ul>
                <p>It MAY be used to uniquely identify a particular hierarchical deterministic wallet.</p>
                <p>No corresponding short tag is defined.</p>
-                <p>Note: a previous version of this specification did not have the
-                    <span class="math">\(\texttt{0x20}\)</span>
-                 byte prefixing the seed. The current specification reflects the implementation in <cite>zcashd</cite>.</p>
+                <p>Note: a previous version of this specification did not have the length byte prefixing the seed. The current specification reflects the implementation in <cite>zcashd</cite>.</p>
            </section>
        </section>
        <section id="specification-key-encodings"><h2><span class="section-heading">Specification: Key Encodings</span><span class="section-anchor"> <a rel="bookmark" href="#specification-key-encodings"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
--- a/zip-0032.rst
+++ b/zip-0032.rst
@ -162,7 +162,7 @@ Define
 Sapling master key generation
 -----------------------------

-Let :math:`S` be a seed byte sequence of a chosen length, which MUST be at least 32 bytes.
+Let :math:`S` be a seed byte sequence of a chosen length, which MUST be at least 32 and at most 253 bytes.

 - Calculate :math:`I = \mathsf{BLAKE2b}\text{-}\mathsf{512}(\texttt{“ZcashIP32Sapling”}, S)`.
 - Split :math:`I` into two 32-byte sequences, :math:`I_L` and :math:`I_R`.
@ -286,7 +286,7 @@ of :math:`ASK`, and decoding the 32-byte result according to the inverse of :mat
 Sprout master key generation
 ----------------------------

-Let :math:`S` be a seed byte sequence of a chosen length, which MUST be at least 32 bytes.
+Let :math:`S` be a seed byte sequence of a chosen length, which MUST be at least 32 and at most 253 bytes.

 - Calculate :math:`I = \mathsf{BLAKE2b}\text{-}\mathsf{512}(\texttt{“ZcashIP32_Sprout”}, S)`.
 - Split :math:`I` into two 32-byte sequences, :math:`I_L` and :math:`I_R`.
@ -410,13 +410,13 @@ Seed Fingerprints

 A "seed fingerprint" for the master seed :math:`S` of a hierarchical deterministic wallet is given by:

-* :math:`\mathsf{BLAKE2b}\text{-}\mathsf{256}(\texttt{“Zcash_HD_Seed_FP”},`:math:`[\texttt{0x20}]\,||\,S)`.
+* :math:`\mathsf{BLAKE2b}\text{-}\mathsf{256}(\texttt{“Zcash_HD_Seed_FP”},`:math:`[\mathsf{length}(S)]\,||\,S)`.

 It MAY be used to uniquely identify a particular hierarchical deterministic wallet.

 No corresponding short tag is defined.

-Note: a previous version of this specification did not have the :math:`\texttt{0x20}` byte prefixing the seed.
+Note: a previous version of this specification did not have the length byte prefixing the seed.
 The current specification reflects the implementation in `zcashd`.