NCC audit: Fix a discrepancy between \crossref{concretegrouphashpallasandvesta} and \cite{ID-hashtocurve}.

The zero padding in expand_message_xmd should be 128 bytes (matching the input block size of
BLAKE2b), rather than 64 bytes.

See also https://github.com/zcash/pasta/pull/2 and https://github.com/zcash/pasta_curves/issues/7

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2021-03-26 15:24:04 +00:00
parent 5d15a3d91e
commit 9d62142142
1 changed files with 10 additions and 5 deletions


@ -1342,6 +1342,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\DST}{\mathsf{DST}}
\newcommand{\leninbytes}{\mathsf{len\_in\_bytes}}
\newcommand{\binbytes}{\mathsf{b\_in\_bytes}}
\newcommand{\rinbytes}{\mathsf{r\_in\_bytes}}
\newcommand{\tx}{\mathsf{tx}}
\newcommand{\ReceivedSet}{\mathsf{ReceivedSet}}
@ -10624,7 +10625,7 @@ Define $\hashtofield_{\XMDBlakeTwob}^{\typeexp{\GF{\ParamG{q}}\!}{2}}(\msg \type
\vspace{-1ex}
\begin{algorithm}
\item let $\DST' = \DST \bconcat\, [\,\length(\DST)\,]$
\item let $\msg' = \zerobytes{64} \bconcat \msg \bconcat\, [\,0, 128\,] \bconcat\, [\,0\,] \bconcat \DST'$
\item let $\msg' = \zerobytes{128} \bconcat \msg \bconcat\, [\,0, 128\,] \bconcat\, [\,0\,] \bconcat \DST'$
\item let $b_0 = \BlakeTwob{512}\big(\zerobytes{16}, \msg'\big)$
\item let $b_1 = \BlakeTwob{512}\big(\zerobytes{16}, b_0 \bconcat\, [\,1\,] \bconcat \DST'\big)$
\item let $b_2 = \BlakeTwob{512}\big(\zerobytes{16}, (b_0 \xor b_1) \bconcat\, [\,2\,] \bconcat \DST'\big)$
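Review bot: the change to the $\msg'$ line is the substantive fix and matches the Internet Draft's construction, where $Z_{pad} = \mathsf{I2OSP}(0, \rinbytes)$ and $\rinbytes$ is the input block size of $\mathsf{H}$, which is 128 bytes for BLAKE2b. The remaining components of that line are unaffected and still correct: $[\,0, 128\,]$ is the two-byte encoding of $\leninbytes = 128$, and the single $[\,0\,]$ is the block index for $b_0$; the $b_0$, $b_1$ and $b_2$ lines that consume $\msg'$ need no edit. Because $\msg'$ changes, any existing test vectors for this function that were produced with the 64-byte padding will no longer match and should be regenerated alongside the implementation fix referenced in the commit message.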
@ -10639,9 +10640,9 @@ Define $\hashtofield_{\XMDBlakeTwob}^{\typeexp{\GF{\ParamG{q}}\!}{2}}(\msg \type
the function $\XMDBlakeTwob$ corresponding to $\expandmessagexmd$ defined in
\cite[section 5.4.1]{ID-hashtocurve}, and with domain separation tag $\DST$.
In $\expandmessagexmd$, $\mathsf{H}$ is instantiated as $\BlakeTwob{512}$ with
$\binbytes = 64$, and we specialize to $\leninbytes = 128$ since that is the only
case we need. In the event of any discrepancy or change to the Internet Draft,
the definition here takes precedence.
$\binbytes = 64$ and $\rinbytes = 128$, and we specialize to $\leninbytes = 128$
since that is the only case we need. In the event of any discrepancy or change to
the Internet Draft, the definition here takes precedence.
\vspace{-0.25ex}
\item Unlike other uses of $\BlakeTwobGeneric$ in \Zcash, zero bytes are used for the
$\BlakeTwobGeneric$ personalization, in order to follow the Internet Draft which
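Review bot: the rewritten sentence states $\rinbytes = 128$ without saying what $\rinbytes$ denotes, so a reader of the specification cannot tell from this paragraph that the 128-byte zero padding in the algorithm is tied to $\rinbytes$ rather than to $\leninbytes$, which happens to have the same value. Suggest a short gloss, e.g. "$\binbytes = 64$ and $\rinbytes = 128$ (the output length and input block size of $\BlakeTwob{512}$ respectively)", consistent with the commit message.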
@ -10651,7 +10652,7 @@ Define $\hashtofield_{\XMDBlakeTwob}^{\typeexp{\GF{\ParamG{q}}\!}{2}}(\msg \type
to follow the Internet Draft.\!\!
\vspace{-0.25ex}
\item A minor optimization is to cache the state of the $\BlakeTwob{512}$ instance
used to compute $b_0$ after processing $\zerobytes{64}$, since this state does
used to compute $b_0$ after processing $\zerobytes{128}$, since this state does
not depend on the message.
\end{nnotes}
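Review bot: the updated value is consistent with the algorithm hunk, and the optimization stays valid because the padding does not depend on the message. One implementation caveat is worth a clause here: 128 bytes is exactly one BLAKE2b input block, and BLAKE2b does not compress the most recently received block until it knows whether that block is the last one, so the state after absorbing $\zerobytes{128}$ is the hasher's buffered state rather than a compressed chaining value. An implementation must therefore clone the whole hasher object, not just the internal state words.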
@ -13953,6 +13954,10 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\item Define $\GroupG{}$ in \crossref{concretegrouphashpallasandvesta}.
\item Fix type confusion between integers and field elements (including additional
cases not found in the audit, involving \nullifiers and $\cmX$).
\item Fix a discrepancy between \crossref{concretegrouphashpallasandvesta} and
\cite{ID-hashtocurve}: the zero padding in $\expandmessagexmd$ should be
$128$ bytes (matching the input block size of $\BlakeTwobGeneric$), rather
than $64$ bytes.
\item Make the naming of $\enableSpends$ and $\enableOutputs$ consistent.
\end{itemize}
\item Correct the description of $\lengthField$ in \crossref{unifiedpaymentaddrencoding}.