mirror of https://github.com/zcash/zips.git
Protocol spec: fix the Ed25519 specification mess.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood
parent
161c9d05f8
commit
a593018417
|
|
@ -1641,6 +1641,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\JoinSplitSigVerify}[1]{\JoinSplitSig\mathsf{.Verify}_{#1}}
|
||||
\newcommand{\JoinSplitSigSpecific}{\mathsf{Ed25519}}
|
||||
\newcommand{\JoinSplitSigHashName}{\mathsf{SHA\mhyphen512}}
|
||||
\newcommand{\ExcludedPointEncodings}{\mathsf{ExcludedPointEncodings}}
|
||||
|
||||
\newcommand{\SpendAuthSig}{\mathsf{SpendAuthSig}}
|
||||
\newcommand{\SpendAuthSigPublic}{\SpendAuthSig\mathsf{.Public}}
|
||||
|
|
@ -6953,28 +6954,48 @@ $\BlakeTwobOf{256}{p, x}$ is defined in \crossref{concreteblake2}.
|
|||
|
||||
$\JoinSplitSig$ is a \signatureScheme as specified in \crossref{abstractsig}.
|
||||
|
||||
\changed{It is instantiated as $\JoinSplitSigSpecific$ \cite{BDLSY2012},
|
||||
with the additional requirements that for a signature $(\EdDSAReprS, \EdDSAReprR)$:
|
||||
\changed{Let $\ExcludedPointEncodings \typecolon \powerset{\byteseq{32}} = \{$ \\
|
||||
\scalebox{0.615}[0.7]{
|
||||
\begin{tabular}{@{\hspace{1.5em}}l@{}}
|
||||
$\hexarray{00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00},$ \\
|
||||
$\hexarray{01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00},$ \\
|
||||
$\hexarray{26,e8,95,8f,c2,b2,27,b0,45,c3,f4,89,f2,ef,98,f0,d5,df,ac,05,d3,c6,33,39,b1,38,02,88,6d,53,fc,05},$ \\
|
||||
$\hexarray{c7,17,6a,70,3d,4d,d8,4f,ba,3c,0b,76,0d,10,67,0f,2a,20,53,fa,2c,39,cc,c6,4e,c7,fd,77,92,ac,03,7a},$ \\
|
||||
$\hexarray{13,e8,95,8f,c2,b2,27,b0,45,c3,f4,89,f2,ef,98,f0,d5,df,ac,05,d3,c6,33,39,b1,38,02,88,6d,53,fc,85},$ \\
|
||||
$\hexarray{b4,17,6a,70,3d,4d,d8,4f,ba,3c,0b,76,0d,10,67,0f,2a,20,53,fa,2c,39,cc,c6,4e,c7,fd,77,92,ac,03,fa},$ \\
|
||||
$\hexarray{ec,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,7f},$ \\
|
||||
$\hexarray{ed,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,7f},$ \\
|
||||
$\hexarray{ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,7f},$ \\
|
||||
$\hexarray{d9,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff},$ \\
|
||||
$\hexarray{da,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff}$
|
||||
\end{tabular}
|
||||
} \\
|
||||
$\}$.
|
||||
|
||||
Let $\ell = 2^{252} + 27742317777372353535851937790883648493$ (the order of the $\JoinSplitSigSpecific$
|
||||
curve's prime-order subgroup).
|
||||
|
||||
$\JoinSplitSig$ is instantiated as the $\JoinSplitSigSpecific$ \signatureScheme \cite{BDLSY2012},
|
||||
with the additional requirements that for a signature $(\EdDSAReprR, \EdDSAReprS)$:
|
||||
\begin{itemize}
|
||||
\item $\EdDSAReprS$ \MUST represent an integer less than
|
||||
the prime $\ell = 2^{252} + 27742317777372353535851937790883648493$;
|
||||
\item $\EdDSAReprR$ \MUST represent a point on the $\JoinSplitSigSpecific$ curve
|
||||
of order at least $\ell$.
|
||||
\item $\EdDSAReprR$ \MUSTNOT be in $\ExcludedPointEncodings$;
|
||||
\item $\EdDSAReprS$ \MUST represent an integer less than $\ell$.
|
||||
\end{itemize}
|
||||
|
||||
\vspace{-1ex}
|
||||
If these requirements are not met then the signature is considered invalid.
|
||||
Note that it is \emph{not} required that the encoding of the $y$-coordinate
|
||||
in $\EdDSAReprR$ is less than $2^{255}-19$; also the order of the point
|
||||
represented by $\EdDSAReprR$ is permitted to be greater than $\ell$.
|
||||
Note that it is \emph{not} required that the integer encoding the
|
||||
$y$-coordinate\notsprout{\footnotewithlabel{coordinatenames}{Here we use the $(x, y)$ naming of coordinates in
|
||||
\cite{BDLSY2012}, which is different from the $(u, \varv)$ naming used for coordinates of \ctEdwardsCurves
|
||||
in \crossref{ecbackground}.}}
|
||||
of the point represented by $\EdDSAReprR$ is less than $2^{255}-19$.
|
||||
|
||||
$\JoinSplitSigSpecific$ is defined as using $\JoinSplitSigHashName$ internally.
|
||||
|
||||
A valid $\JoinSplitSigSpecific$ \publicKey is defined as a point of order $\ell$
|
||||
on the $\JoinSplitSigSpecific$ curve, in the encoding specified by \cite{BDLSY2012}.
|
||||
Again, it is \emph{not} required that the encoding of the $y$-coordinate of the
|
||||
\publicKey is less than $2^{255}-19$.
|
||||
A valid $\JoinSplitSig$ \publicKey is defined as a sequence of $32$ bytes, not in
|
||||
$\ExcludedPointEncodings$, that encodes a $\JoinSplitSigSpecific$ \publicKey as specified
|
||||
in \cite{BDLSY2012}. Again, it is \emph{not} required that the integer encoding the
|
||||
$y$-coordinate\notsprout{\footnoteref{coordinatenames}} of the point represented by the \publicKey is
|
||||
less than $2^{255}-19$.
|
||||
}
|
||||
|
||||
\newsavebox{\sigbox}
|
||||
|
|
@ -6997,7 +7018,14 @@ The encoding of a signature is:
|
|||
\changed{
|
||||
\vspace{-1ex}
|
||||
where $\EdDSAReprR$ and $\EdDSAReprS$ are as defined in \cite{BDLSY2012}.
|
||||
The encoding of a \publicKey is as defined in \cite{BDLSY2012}.
|
||||
|
||||
\nnote{The exclusion of $\ExcludedPointEncodings$ from $\EdDSAReprR$ and public key
|
||||
encodings is due to a quirk of version 1.0.15 of the libsodium library \cite{libsodium}
|
||||
which was initially used to implement $\JoinSplitSig$ signature validation in \zcashd.
|
||||
(The \texttt{ED25519\_COMPAT} compile-time option was not set.) The intent was to
|
||||
exclude points of order less than $\ell$; however, not all such points were covered.
|
||||
It is possible, with due attention to detail, to reproduce this quirk without
|
||||
using libsodium~1.0.15.}
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -10361,6 +10389,9 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\historyentry{2020.1.2}{2020-03-20}
|
||||
|
||||
\begin{itemize}
|
||||
\item The implementation of \Sprout $\JoinSplitSigSpecific$ signature verification
|
||||
in \zcashd differed from what was specified in \crossref{concretejssig}.
|
||||
The specification has been changed to match the implementation.
|
||||
\heartwood{
|
||||
\item Add consensus rules for \Heartwood.
|
||||
}
|
||||
|
|
|
|||
|
|
@ -397,6 +397,13 @@ Received March~20, 2012.}
|
|||
urldate={2016-08-31}
|
||||
}
|
||||
|
||||
@misc{libsodium,
|
||||
presort={libsodium},
|
||||
title={libsodium documentation},
|
||||
url={https://libsodium.org/},
|
||||
urldate={2020-03-02}
|
||||
}
|
||||
|
||||
@misc{libsodium-Seal,
|
||||
presort={libsodium-Seal},
|
||||
title={Sealed boxes \hspace{0.2em}---\hspace{0.2em} libsodium},
|
||||
|
|
|
|||
Loading…
Reference in New Issue