Clarify the computation of h_i in a JoinSplit statement.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2017-07-09 22:13:20 +01:00
parent 93a8881f9b
commit a197958131
1 changed files with 23 additions and 5 deletions


@ -1862,9 +1862,16 @@ $\JoinSplitSigVerify{\text{\small\joinSplitPubKey}}(\dataToBeSigned, \joinSplitS
% FIXME: distinguish pubkey and signature from their encodings. % FIXME: distinguish pubkey and signature from their encodings.
} }
The condition enforced by the \joinSplitStatement specified in \crossref{nonmalleablepour} Let $\hSig$ be computed as specified in \crossref{joinsplitdesc}, and let
ensures that a holder of all of $\AuthPrivateOld{\allOld}$ for each $\PRFpk{}$ be as defined in \crossref{abstractprfs}.
\joinSplitDescription has authorized the use of the private signing key corresponding
For each $i \in \setofOld$, the creator of a \joinSplitDescription calculates
$\h{i} = \PRFpk{\AuthPrivateOld{i}}(i, \hSig)$.
The correctness of $\h{\allOld}$ is enforced by the \joinSplitStatement
specified in \crossref{nonmalleablejs}. This ensures that a holder of all of
the $\AuthPrivateOld{\allOld}$ for every \joinSplitDescription in the
\transaction has authorized the use of the private signing key corresponding
to $\joinSplitPubKey$ to sign this \transaction. to $\joinSplitPubKey$ to sign this \transaction.
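Review bot: the added paragraph defines $\h{i} = \PRFpk{\AuthPrivateOld{i}}(i, \hSig)$ and states that the \joinSplitStatement enforces its correctness, but it does not say where $\h{\allOld}$ is made public for a verifier to check against that statement; the hunk at line 3155 adds the mirror sentence that the $\vmacs$ field encodes $\h{\allOld}$, so a \crossref from here to that encoding section would close the loop for the reader. Note also that \crossref{nonmalleablejs} only resolves because the hunk at line 1978 renames the label in the same commit; keep the two together if this is ever split.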
@ -1971,7 +1978,7 @@ $\nfOld{i} = \PRFnf{\AuthPrivateOld{i}}(\NoteAddressRandOld{i})$.
for each $i \in \setofOld$: for each $i \in \setofOld$:
$\AuthPublicOld{i} = \changed{\PRFaddr{\AuthPrivateOld{i}}(0)}$. $\AuthPublicOld{i} = \changed{\PRFaddr{\AuthPrivateOld{i}}(0)}$.
\subparagraph{Non-malleability} \label{nonmalleablepour} \subparagraph{Non-malleability} \label{nonmalleablejs}
for each $i \in \setofOld$: for each $i \in \setofOld$:
$\h{i} = \PRFpk{\AuthPrivateOld{i}}(i, \hSig)$. $\h{i} = \PRFpk{\AuthPrivateOld{i}}(i, \hSig)$.
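Review bot: renaming the label from nonmalleablepour to nonmalleablejs leaves a dangling reference anywhere a \crossref{nonmalleablepour} survives; this diff updates the one at line 1862, but the hunk at line 3155 introduces \crossref{nonmalleability}, which matches neither the old nor the new key. Suggest grepping the document for both nonmalleablepour and nonmalleability before merging.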
@ -3148,7 +3155,11 @@ components for the encrypted output \notes, $\TransmitCiphertext{\allNew}$. \\ \
\end{tabularx} \end{tabularx}
\end{center} \end{center}
The $\ephemeralKey$ and $\encCiphertexts$ fields together form the \notesCiphertext. The $\vmacs$ field encodes $\h{\allOld}$ which are computed as described in
\crossref{nonmalleability}.
The $\ephemeralKey$ and $\encCiphertexts$ fields together form the \notesCiphertext,
which is computed as described in \crossref{inband}.
Consensus rules applying to a \joinSplitDescription are given in \crossref{joinsplitdesc}. Consensus rules applying to a \joinSplitDescription are given in \crossref{joinsplitdesc}.
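Review bot: \crossref{nonmalleability} in the new sentence does not match the label this commit introduces (nonmalleablejs) or the one it removes (nonmalleablepour); unless a separate nonmalleability label exists elsewhere, this is a broken cross-reference and should read \crossref{nonmalleablejs}. Minor wording: "encodes $\h{\allOld}$ which are computed as described in" reads better as "encodes $\h{\allOld}$, computed as described in".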
@ -4143,6 +4154,13 @@ The errors in the proof of Ledger Indistinguishability mentioned in
\introlist \introlist
\nsection{Change history} \nsection{Change history}
\subparagraph{2017.0-beta-2.7}
\begin{itemize}
\item Clarify the computation of $\h{i}$ in a \joinSplitStatement.
\end{itemize}
\introlist
\subparagraph{2017.0-beta-2.6} \subparagraph{2017.0-beta-2.6}
\begin{itemize} \begin{itemize}
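Review bot: the new change-history entry records only the $\h{i}$ clarification, while the commit also documents the $\vmacs$ field in the \joinSplitDescription encoding (hunk at line 3155) and renames the non-malleability label; consider adding a second \item so the history matches the full diff.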