mirror of https://github.com/zcash/zips.git
Merge branch '738.fix-internalh-collision.0' into 406.viewing-keys.1
Includes other fixes. Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood
commit
a2d625f1b2
Binary file not shown.
|
|
@ -102,6 +102,7 @@
|
|||
\newcommand{\PaymentAddressLeadByte}{\mathbf{0x92}}
|
||||
\newcommand{\ViewingKeyLeadByte}{\mathbf{0x??}}
|
||||
\newcommand{\SpendingKeyLeadByte}{\mathbf{0x??}}
|
||||
\newcommand{\CoinCommitmentLeadByte}{\mathbf{0xF0}}
|
||||
\newcommand{\AuthPublic}{\mathsf{a_{pk}}}
|
||||
\newcommand{\DiscloseKey}{\mathsf{a_{vk}}}
|
||||
\newcommand{\AuthPrivate}{\mathsf{a_{sk}}}
|
||||
|
|
@ -135,7 +136,7 @@
|
|||
\newcommand{\CoinAddressPreRand}{\mathsf{\upvarphi}}
|
||||
\newcommand{\CoinCommitS}{\mathsf{s}}
|
||||
\newcommand{\TransmitPlaintextVersionByte}{\mathbf{0x00}}
|
||||
\newcommand{\hSigInputVersionByte}{\mathbf{0x00}}
|
||||
\newcommand{\hSigInputVersionByte}{\mathbf{0xF1}}
|
||||
\newcommand{\Memo}{\mathsf{memo}}
|
||||
\newcommand{\CurveMultiply}{\mathsf{Curve25519}}
|
||||
\newcommand{\DecryptCoin}{\mathtt{DecryptCoin}}
|
||||
|
|
@ -173,7 +174,7 @@
|
|||
\newcommand{\SHAOrig}{\term{SHA-256}}
|
||||
\newcommand{\cm}{\mathsf{cm}}
|
||||
\newcommand{\cmNew}[1]{\mathsf{{cm}^{new}_\mathnormal{#1}}}
|
||||
\newcommand{\Leading}[1]{\mathtt{Leading}_{#1}}
|
||||
\newcommand{\Trailing}[1]{\mathtt{Trailing}_{#1}}
|
||||
\newcommand{\ReplacementCharacter}{\textsf{U+FFFD}}
|
||||
\newcommand{\CryptoBoxSeal}{\mathsf{crypto\_box\_seal}}
|
||||
|
||||
|
|
@ -286,8 +287,8 @@ to a sequence of bytes, again using big-endian order.
|
|||
\nathan{An example would help here. It would be illustrative if it had
|
||||
a few differently-sized fields.}
|
||||
|
||||
$\Leading{k}(x)$, where $k$ is an integer and $x$ is a bit sequence, returns
|
||||
the leading (initial) $k$ bits of its input.
|
||||
$\Trailing{k}(x)$, where $k$ is an integer and $x$ is a bit sequence, returns
|
||||
the trailing (final) $k$ bits of its input.
|
||||
|
||||
The notation $1..\mathrm{N}$, used as a subscript, means the sequence of values
|
||||
with indices $1$ through $\mathrm{N}$ inclusive. For example,
|
||||
|
|
@ -309,69 +310,76 @@ It is required that $\PRFsn{x}$ \changed{and $\PRFrho{x}$} be collision-resistan
|
|||
across all $x$ --- i.e. it should not be feasible to find $(x, y) \neq (x', y')$
|
||||
such that $\PRFsn{x}(y) = \PRFsn{x'}(y')$\changed{, and similarly for $\PRFrho{}$}.
|
||||
|
||||
In \Zcash, the $\SHAName$ function is used to construct all four of these
|
||||
functions. The bits $\mathtt{00}$, $\mathtt{01}$, $\mathtt{10}$\changed{, and
|
||||
$\mathtt{11}$} are included (respectively) within the blocks that are hashed,
|
||||
ensuring that the functions are independent.
|
||||
|
||||
\todo{Fix domain separation for $\PRFdk{x}$.}
|
||||
In \Zcash, the $\SHAName$ function is used to construct all \changed{five} of these
|
||||
functions. The bits \changed{$\mathtt{0000}$, $\mathtt{0001}$, $\mathtt{001x}$,
|
||||
$\mathtt{010x}$, and $\mathtt{011x}$} are included (respectively) within the blocks
|
||||
that are hashed, ensuring that the functions are independent.
|
||||
|
||||
\newcommand{\iminusone}{\hspace{0.3pt}\scriptsize{$i$\hspace{0.6pt}-1}}
|
||||
|
||||
\newsavebox{\addrbox}
|
||||
\begin{lrbox}{\addrbox}
|
||||
\setchanged
|
||||
\begin{bytefield}[bitwidth=0.065em]{512}
|
||||
\bitbox{242}{256 bit $x$} &
|
||||
\begin{bytefield}[bitwidth=0.06em]{512}
|
||||
\bitbox{18}{0} &
|
||||
\bitbox{18}{0} &
|
||||
\bitbox{174}{$0^{252}$} &
|
||||
\bitbox{48}{2 bit $t$} &
|
||||
\bitbox{18}{0} &
|
||||
\bitbox{18}{0} &
|
||||
\bitbox{224}{252 bit $x$} &
|
||||
\bitbox{200}{$0^{254}$} &
|
||||
\bitbox{56}{2 bit $t$} &
|
||||
\end{bytefield}
|
||||
\end{lrbox}
|
||||
|
||||
\newsavebox{\snbox}
|
||||
\begin{lrbox}{\snbox}
|
||||
\begin{bytefield}[bitwidth=0.065em]{512}
|
||||
\bitbox{242}{256 bit $\AuthPrivate$} &
|
||||
\setchanged
|
||||
\begin{bytefield}[bitwidth=0.06em]{512}
|
||||
\bitbox{18}{0} &
|
||||
\bitbox{18}{0} &
|
||||
\bitbox{18}{0} &
|
||||
\bitbox{18}{1} &
|
||||
\bitbox{222}{$\Leading{254}(\CoinAddressRand)$} &
|
||||
\bitbox{224}{252 bit $\AuthPrivate$} &
|
||||
\bitbox{256}{256 bit $\CoinAddressRand$} &
|
||||
\end{bytefield}
|
||||
\end{lrbox}
|
||||
|
||||
\newsavebox{\pkbox}
|
||||
\begin{lrbox}{\pkbox}
|
||||
\begin{bytefield}[bitwidth=0.065em]{512}
|
||||
\bitbox{242}{256 bit $\AuthPrivate$} &
|
||||
\bitbox{18}{1} &
|
||||
\setchanged
|
||||
\begin{bytefield}[bitwidth=0.06em]{512}
|
||||
\bitbox{18}{0} &
|
||||
\bitbox{18}{0} &
|
||||
\bitbox{18}{1} &
|
||||
\bitbox{18}{\iminusone} &
|
||||
\bitbox{204}{$\Leading{253}(\hSig)$}
|
||||
\bitbox{224}{252 bit $\AuthPrivate$} &
|
||||
\bitbox{256}{256 bit $\hSig$}
|
||||
\end{bytefield}
|
||||
\end{lrbox}
|
||||
|
||||
\newsavebox{\rhobox}
|
||||
\begin{lrbox}{\rhobox}
|
||||
\setchanged
|
||||
\begin{bytefield}[bitwidth=0.065em]{512}
|
||||
\bitbox{242}{256 bit $\CoinAddressPreRand$} &
|
||||
\bitbox{18}{1} &
|
||||
\begin{bytefield}[bitwidth=0.06em]{512}
|
||||
\bitbox{18}{0} &
|
||||
\bitbox{18}{1} &
|
||||
\bitbox{18}{0} &
|
||||
\bitbox{18}{\iminusone} &
|
||||
\bitbox{204}{$\Leading{253}(\hSig)$}
|
||||
\bitbox{224}{252 bit $\CoinAddressPreRand$} &
|
||||
\bitbox{256}{256 bit $\hSig$}
|
||||
\end{bytefield}
|
||||
\end{lrbox}
|
||||
|
||||
\newsavebox{\dkbox}
|
||||
\begin{lrbox}{\dkbox}
|
||||
\setchanged
|
||||
\begin{bytefield}[bitwidth=0.065em]{512}
|
||||
\bitbox{242}{256 bit $\DiscloseKey$} &
|
||||
\bitbox{18}{?} &
|
||||
\bitbox{18}{?} &
|
||||
\begin{bytefield}[bitwidth=0.06em]{512}
|
||||
\bitbox{18}{0} &
|
||||
\bitbox{18}{1} &
|
||||
\bitbox{18}{1} &
|
||||
\bitbox{18}{\iminusone} &
|
||||
\bitbox{204}{$\Leading{253}(\hSig)$}
|
||||
\bitbox{224}{252 bit $\DiscloseKey$} &
|
||||
\bitbox{256}{256 bit $\hSig$}
|
||||
\end{bytefield}
|
||||
\end{lrbox}
|
||||
|
||||
|
|
@ -390,8 +398,6 @@ need to be aware of how it is associated with this bit-packing.}
|
|||
\end{aligned}
|
||||
\end{equation*}
|
||||
|
||||
\daira{Truncate the left-hand sides rather than the right-hand sides.}
|
||||
|
||||
|
||||
\section{Concepts}
|
||||
|
||||
|
|
@ -429,9 +435,8 @@ to:
|
|||
\item obtain a \paymentAddress\changed{ or \viewingKey} from a \spendingKey.
|
||||
\end{itemize}
|
||||
|
||||
Each key component, i.e. each of $\AuthPrivate$, \changed{$\DiscloseKey$,
|
||||
}$\AuthPublic$, $\TransmitPrivate$, and $\TransmitPublic$, is a sequence of
|
||||
32 bytes.
|
||||
\changed{$\AuthPrivate$ and $\DiscloseKey$ are each 252 bits.}
|
||||
$\AuthPublic$, $\TransmitPrivate$, and $\TransmitPublic$, are each 256 bits.
|
||||
|
||||
\changed{
|
||||
$\DiscloseKey$, $\AuthPublic$, $\TransmitPrivate$, and $\TransmitPublic$ are
|
||||
|
|
@ -439,7 +444,7 @@ derived as follows:
|
|||
|
||||
\begin{equation*}
|
||||
\begin{aligned}
|
||||
\DiscloseKey &:= \PRFaddr{\AuthPrivate}(0) & \hspace{30em} \\
|
||||
\DiscloseKey &:= \Trailing{252}(\PRFaddr{\AuthPrivate}(0)) & \hspace{30em} \\
|
||||
\AuthPublic &:= \PRFaddr{\DiscloseKey}(1) & \\
|
||||
\TransmitPrivate &:= \Clamp(\PRFaddr{\AuthPrivate}(2)) & \\
|
||||
\TransmitPublic &:= \CurveMultiply(\TransmitPrivate)
|
||||
|
|
@ -487,20 +492,24 @@ of $\COMM{\CoinCommitS}$ does not use it.
|
|||
\subsubsection{Coin Commitments}
|
||||
|
||||
The underlying $\Value$ and $\AuthPublic$ are blinded with $\CoinAddressRand$
|
||||
and $\CoinCommitRand$ using the collision-resistant hash function $\FullHash$.
|
||||
and $\CoinCommitRand$ using the collision-resistant hash function \changed{$\FullHash$}.
|
||||
The resulting hash $\cm = \CoinCommitment(\Coin{})$.
|
||||
|
||||
\newsavebox{\cmbox}
|
||||
\begin{lrbox}{\cmbox}
|
||||
\begin{bytefield}[bitwidth=0.045em]{832}
|
||||
\setchanged
|
||||
\begin{bytefield}[bitwidth=0.040em]{840}
|
||||
\bitbox{80}{$\CoinCommitmentLeadByte$} &
|
||||
\bitbox{256}{256 bit $\AuthPublic$} &
|
||||
\bitbox{96}{64 bit $\Value$} &
|
||||
\bitbox{128}{64 bit $\Value$} &
|
||||
\bitbox{256}{256 bit $\CoinAddressRand$}
|
||||
\bitbox{256}{256 bit $\CoinCommitRand$} &
|
||||
\end{bytefield}
|
||||
\end{lrbox}
|
||||
|
||||
$\cm := \FullHashbox{\cmbox}$
|
||||
\changed{
|
||||
\hskip 2em $\cm := \FullHashbox{\cmbox}$
|
||||
}
|
||||
|
||||
\subsubsection{Serial numbers}
|
||||
|
||||
|
|
@ -1071,9 +1080,9 @@ The raw encoding of a \paymentAddress consists of:
|
|||
\begin{equation*}
|
||||
\begin{bytefield}[bitwidth=0.07em]{520}
|
||||
\changed{
|
||||
\bitbox{48}{$\PaymentAddressLeadByte$}
|
||||
&}\bitbox{256}{$\AuthPublic$ (32 bytes)} &
|
||||
\bitbox{256}{A \changed{32-byte} encoding of $\TransmitPublic$}
|
||||
\bitbox{48}{$\SpendingKeyLeadByte$}
|
||||
&}\bitbox{256}{256 bit $\AuthPublic$} &
|
||||
\bitbox{256}{\changed{256 bit} $\TransmitPublic$}
|
||||
\end{bytefield}
|
||||
\end{equation*}
|
||||
|
||||
|
|
@ -1082,8 +1091,8 @@ The raw encoding of a \paymentAddress consists of:
|
|||
\item A byte, $\PaymentAddressLeadByte$, indicating this version of the
|
||||
raw encoding of a \Zcash public address.
|
||||
}
|
||||
\item 32 bytes specifying $\AuthPublic$.
|
||||
\item \changed{32 bytes} specifying $\TransmitPublic$, \changed{using the
|
||||
\item 256 bits specifying $\AuthPublic$.
|
||||
\item \changed{256 bits} specifying $\TransmitPublic$, \changed{using the
|
||||
normal encoding of a Curve25519 public key \cite{Curve25519}}.
|
||||
\end{itemize}
|
||||
|
||||
|
|
@ -1104,7 +1113,8 @@ The raw encoding of a \spendingKey consists of, in order:
|
|||
\begin{bytefield}[bitwidth=0.07em]{264}
|
||||
\changed{
|
||||
\bitbox{48}{$\SpendingKeyLeadByte$}
|
||||
&}\bitbox{256}{$\AuthPrivate$ (32 bytes)}
|
||||
\bitbox{24}{$0^4$} &
|
||||
&}\bitbox{252}{\changed{252} bit $\AuthPrivate$}
|
||||
\end{bytefield}
|
||||
\end{equation*}
|
||||
|
||||
|
|
@ -1112,15 +1122,20 @@ The raw encoding of a \spendingKey consists of, in order:
|
|||
\changed{
|
||||
\item A byte $\SpendingKeyLeadByte$ indicating this version of the
|
||||
raw encoding of a \Zcash \spendingKey.
|
||||
\item 4 zero padding bits.
|
||||
}
|
||||
\item 32 bytes specifying $\AuthPrivate$.
|
||||
\item \changed{252} bits specifying $\AuthPrivate$.
|
||||
\end{itemize}
|
||||
|
||||
Note that, consistent with big-endian encoding, the zero padding occupies
|
||||
the high-order 4 bits of the second byte.
|
||||
|
||||
\daira{check that this lead byte is distinct from other Bitcoin stuff,
|
||||
and produces a suitable Base58Check leading character.}
|
||||
|
||||
\nathan{what about the network version byte?}
|
||||
|
||||
\changed{
|
||||
\subsection{Viewing Keys}
|
||||
|
||||
A \viewingKey consists of a \discloseKey $\DiscloseKey$, and a
|
||||
|
|
@ -1129,12 +1144,15 @@ A \viewingKey consists of a \discloseKey $\DiscloseKey$, and a
|
|||
\subsubsection{Raw Encoding}
|
||||
|
||||
The raw encoding of a \viewingKey consists of, in order:
|
||||
}
|
||||
|
||||
\begin{equation*}
|
||||
\begin{bytefield}[bitwidth=0.07em]{520}
|
||||
\setchanged
|
||||
\bitbox{48}{$\ViewingKeyLeadByte$} &
|
||||
\bitbox{256}{$\DiscloseKey$ (32 bytes)}
|
||||
\bitbox{256}{$\TransmitPrivate$ (32 bytes)}
|
||||
\bitbox{24}{$0^4$} &
|
||||
\bitbox{252}{252 bit $\DiscloseKey$}
|
||||
\bitbox{256}{256 bit $\TransmitPrivate$}
|
||||
\end{bytefield}
|
||||
\end{equation*}
|
||||
|
||||
|
|
@ -1142,15 +1160,19 @@ The raw encoding of a \viewingKey consists of, in order:
|
|||
\begin{itemize}
|
||||
\item A byte $\ViewingKeyLeadByte$ indicating this version of the
|
||||
raw encoding of a \Zcash \viewingKey.
|
||||
\item 32 bytes specifying $\DiscloseKey$.
|
||||
\item 32 bytes specifying $\TransmitPrivate$.
|
||||
\item 4 zero padding bits.
|
||||
\item 252 bits specifying $\DiscloseKey$.
|
||||
\item 256 bits specifying $\TransmitPrivate$.
|
||||
\end{itemize}
|
||||
}
|
||||
|
||||
Note that, consistent with big-endian encoding, the zero padding occupies
|
||||
the high-order 4 bits of the second byte.
|
||||
|
||||
\daira{check that this lead byte is distinct from other Bitcoin stuff,
|
||||
and produces a suitable Base58Check leading character.}
|
||||
|
||||
\nathan{what about the network version byte?}
|
||||
}
|
||||
|
||||
\subsection{Coin Plaintexts}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue