mirror of https://github.com/zcash/zips.git
Clarify the computation of h_i in a JoinSplit statement.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
93a8881f9b
commit
a197958131
|
@ -1862,9 +1862,16 @@ $\JoinSplitSigVerify{\text{\small\joinSplitPubKey}}(\dataToBeSigned, \joinSplitS
|
||||||
% FIXME: distinguish pubkey and signature from their encodings.
|
% FIXME: distinguish pubkey and signature from their encodings.
|
||||||
}
|
}
|
||||||
|
|
||||||
The condition enforced by the \joinSplitStatement specified in \crossref{nonmalleablepour}
|
Let $\hSig$ be computed as specified in \crossref{joinsplitdesc}, and let
|
||||||
ensures that a holder of all of $\AuthPrivateOld{\allOld}$ for each
|
$\PRFpk{}$ be as defined in \crossref{abstractprfs}.
|
||||||
\joinSplitDescription has authorized the use of the private signing key corresponding
|
|
||||||
|
For each $i \in \setofOld$, the creator of a \joinSplitDescription calculates
|
||||||
|
$\h{i} = \PRFpk{\AuthPrivateOld{i}}(i, \hSig)$.
|
||||||
|
|
||||||
|
The correctness of $\h{\allOld}$ is enforced by the \joinSplitStatement
|
||||||
|
specified in \crossref{nonmalleablejs}. This ensures that a holder of all of
|
||||||
|
the $\AuthPrivateOld{\allOld}$ for every \joinSplitDescription in the
|
||||||
|
\transaction has authorized the use of the private signing key corresponding
|
||||||
to $\joinSplitPubKey$ to sign this \transaction.
|
to $\joinSplitPubKey$ to sign this \transaction.
|
||||||
|
|
||||||
|
|
||||||
|
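Review bot: the conclusion at the end of this hunk, "This ensures that a holder of all of the $\AuthPrivateOld{\allOld}$ ... has authorized the use of the private signing key corresponding to $\joinSplitPubKey$", only follows if $\hSig$ is bound to $\joinSplitPubKey$, and the new paragraph never says so; it just defers to \crossref{joinsplitdesc} for how $\hSig$ is computed. Consider stating that dependency here in one clause (which inputs to $\hSig$ make the binding hold), since this is the paragraph a reader consults to understand why $\h{i} = \PRFpk{\AuthPrivateOld{i}}(i, \hSig)$ ties spend authority to the transaction signature. Separately, the "% FIXME: distinguish pubkey and signature from their encodings." comment is carried through unchanged; if it is not being addressed in this commit, that is fine, but it sits directly above the rewritten text and may be worth a tracking issue.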
@ -1971,7 +1978,7 @@ $\nfOld{i} = \PRFnf{\AuthPrivateOld{i}}(\NoteAddressRandOld{i})$.
|
||||||
for each $i \in \setofOld$:
|
for each $i \in \setofOld$:
|
||||||
$\AuthPublicOld{i} = \changed{\PRFaddr{\AuthPrivateOld{i}}(0)}$.
|
$\AuthPublicOld{i} = \changed{\PRFaddr{\AuthPrivateOld{i}}(0)}$.
|
||||||
|
|
||||||
\subparagraph{Non-malleability} \label{nonmalleablepour}
|
\subparagraph{Non-malleability} \label{nonmalleablejs}
|
||||||
|
|
||||||
for each $i \in \setofOld$:
|
for each $i \in \setofOld$:
|
||||||
$\h{i} = \PRFpk{\AuthPrivateOld{i}}(i, \hSig)$.
|
$\h{i} = \PRFpk{\AuthPrivateOld{i}}(i, \hSig)$.
|
||||||
|
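Review bot: renaming the label from \label{nonmalleablepour} to \label{nonmalleablejs} requires every existing \crossref{nonmalleablepour} in the document to be updated; the first hunk updates the one it rewrites, but nothing in this diff shows a search for other uses, and a missed reference would only surface as an undefined-reference warning at build time. Please confirm no other \crossref{nonmalleablepour} remains, and note that the later hunk in this commit introduces \crossref{nonmalleability}, which matches neither the old nor the new label of this section.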
@ -3148,7 +3155,11 @@ components for the encrypted output \notes, $\TransmitCiphertext{\allNew}$. \\ \
|
||||||
\end{tabularx}
|
\end{tabularx}
|
||||||
\end{center}
|
\end{center}
|
||||||
|
|
||||||
The $\ephemeralKey$ and $\encCiphertexts$ fields together form the \notesCiphertext.
|
The $\vmacs$ field encodes $\h{\allOld}$ which are computed as described in
|
||||||
|
\crossref{nonmalleability}.
|
||||||
|
|
||||||
|
The $\ephemeralKey$ and $\encCiphertexts$ fields together form the \notesCiphertext,
|
||||||
|
which is computed as described in \crossref{inband}.
|
||||||
|
|
||||||
Consensus rules applying to a \joinSplitDescription are given in \crossref{joinsplitdesc}.
|
Consensus rules applying to a \joinSplitDescription are given in \crossref{joinsplitdesc}.
|
||||||
|
|
||||||
|
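Review bot: the added sentence "The $\vmacs$ field encodes $\h{\allOld}$ which are computed as described in \crossref{nonmalleability}." points at a label that does not appear in this diff; the non-malleability section being edited in this same commit is labelled \label{nonmalleablejs}. Unless a separate \label{nonmalleability} already exists elsewhere, this should be \crossref{nonmalleablejs}, otherwise the reference will not resolve. Minor grammar while you are there: "$\h{\allOld}$ which are computed" reads better as "$\h{\allOld}$, which are computed".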
@ -4143,6 +4154,13 @@ The errors in the proof of Ledger Indistinguishability mentioned in
|
||||||
\introlist
|
\introlist
|
||||||
\nsection{Change history}
|
\nsection{Change history}
|
||||||
|
|
||||||
|
\subparagraph{2017.0-beta-2.7}
|
||||||
|
|
||||||
|
\begin{itemize}
|
||||||
|
\item Clarify the computation of $\h{i}$ in a \joinSplitStatement.
|
||||||
|
\end{itemize}
|
||||||
|
|
||||||
|
\introlist
|
||||||
\subparagraph{2017.0-beta-2.6}
|
\subparagraph{2017.0-beta-2.6}
|
||||||
|
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
|
|
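Review bot: the new change-history entry "Clarify the computation of $\h{i}$ in a \joinSplitStatement." only records part of what this commit does; it also renames the non-malleability label (\label{nonmalleablepour} to \label{nonmalleablejs}) and adds a description of what the $\vmacs$ field encodes. Listing those two points as separate \item entries would let anyone maintaining external cross-references to this section find the rename from the change log rather than from the diff.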