mirror of https://github.com/zcash/zips.git
ZIP 311: Use DiversifyHash from the spec in place of GH
This commit is contained in:
Jack Grigg
parent
ff6a98ff65
commit
aa83efbbd1
|
|
@ -140,15 +140,18 @@ Discussions-To: <<a href="https://github.com/zcash/zips/issues/387">https://g
|
||||||
<section id="conventions"><h2><span class="section-heading">Conventions</span><span class="section-anchor"> <a rel="bookmark" href="#conventions"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
|
<section id="conventions"><h2><span class="section-heading">Conventions</span><span class="section-anchor"> <a rel="bookmark" href="#conventions"><img width="24" height="24" src="assets/images/section-anchor.png" alt=""></a></span></h2>
|
||||||
<p>The following functions used in this ZIP are defined in the Zcash protocol specification: <a id="id1" class="footnote_reference" href="#protocol">3</a></p>
|
<p>The following functions used in this ZIP are defined in the Zcash protocol specification: <a id="id1" class="footnote_reference" href="#protocol">3</a></p>
|
||||||
<ul>
|
<ul>
|
||||||
|
<li>
|
||||||
|
<span class="math">\(\mathsf{DiversifyHash}(\mathsf{d})\)</span>
|
||||||
|
<a id="id2" class="footnote_reference" href="#protocol-concretediversifyhash">7</a></li>
|
||||||
<li>
|
<li>
|
||||||
<span class="math">\(\mathsf{SpendAuthSig.RandomizePrivate}(α, \mathsf{sk})\)</span>
|
<span class="math">\(\mathsf{SpendAuthSig.RandomizePrivate}(α, \mathsf{sk})\)</span>
|
||||||
,
|
,
|
||||||
<span class="math">\(\mathsf{SpendAuthSig.Sign}(\mathsf{sk}, m)\)</span>
|
<span class="math">\(\mathsf{SpendAuthSig.Sign}(\mathsf{sk}, m)\)</span>
|
||||||
, and
|
, and
|
||||||
<span class="math">\(\mathsf{SpendAuthSig.Verify}(\mathsf{vk}, m, σ)\)</span>
|
<span class="math">\(\mathsf{SpendAuthSig.Verify}(\mathsf{vk}, m, σ)\)</span>
|
||||||
<a id="id2" class="footnote_reference" href="#protocol-concretespendauthsig">7</a></li>
|
<a id="id3" class="footnote_reference" href="#protocol-concretespendauthsig">8</a></li>
|
||||||
</ul>
|
</ul>
|
||||||
<p>We reproduce some notation and functions from <a id="id3" class="footnote_reference" href="#protocol">3</a> here for convenience:</p>
|
<p>We reproduce some notation and functions from <a id="id4" class="footnote_reference" href="#protocol">3</a> here for convenience:</p>
|
||||||
<ul>
|
<ul>
|
||||||
<li>
|
<li>
|
||||||
<span class="math">\([k] P\)</span>
|
<span class="math">\([k] P\)</span>
|
||||||
|
|
@ -199,7 +202,7 @@ Discussions-To: <<a href="https://github.com/zcash/zips/issues/387">https://g
|
||||||
.</li>
|
.</li>
|
||||||
<li>
|
<li>
|
||||||
<span class="math">\(\mathsf{ock}\)</span>
|
<span class="math">\(\mathsf{ock}\)</span>
|
||||||
: The outgoing cipher key that allows this output to be recovered. <a id="id4" class="footnote_reference" href="#protocol-saplingencrypt">5</a></li>
|
: The outgoing cipher key that allows this output to be recovered. <a id="id5" class="footnote_reference" href="#protocol-saplingencrypt">5</a></li>
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
|
|
@ -226,11 +229,11 @@ Discussions-To: <<a href="https://github.com/zcash/zips/issues/387">https://g
|
||||||
<li>Any
|
<li>Any
|
||||||
<span class="math">\((\mathsf{d, pk_d})\)</span>
|
<span class="math">\((\mathsf{d, pk_d})\)</span>
|
||||||
such that
|
such that
|
||||||
<span class="math">\(\mathsf{pk_d} = [\mathsf{ivk}] GH(\mathsf{d})\)</span>
|
<span class="math">\(\mathsf{pk_d} = [\mathsf{ivk}] \mathsf{DiversifyHash}(\mathsf{d})\)</span>
|
||||||
</li>
|
</li>
|
||||||
<li>
|
<li>
|
||||||
<span class="math">\(\mathsf{nullifier_{addr}}\)</span>
|
<span class="math">\(\mathsf{nullifier_{addr}}\)</span>
|
||||||
: A nullifier for a ZIP 304 fake note. <a id="id5" class="footnote_reference" href="#zip-0304">10</a></li>
|
: A nullifier for a ZIP 304 fake note. <a id="id6" class="footnote_reference" href="#zip-0304">11</a></li>
|
||||||
<li>
|
<li>
|
||||||
<span class="math">\(\mathsf{zkproof_{addr}}\)</span>
|
<span class="math">\(\mathsf{zkproof_{addr}}\)</span>
|
||||||
: A Sapling spend proof.</li>
|
: A Sapling spend proof.</li>
|
||||||
|
|
@ -253,7 +256,7 @@ Discussions-To: <<a href="https://github.com/zcash/zips/issues/387">https://g
|
||||||
.</li>
|
.</li>
|
||||||
<li>
|
<li>
|
||||||
<span class="math">\(\mathsf{sig}\)</span>
|
<span class="math">\(\mathsf{sig}\)</span>
|
||||||
: A BIP 322 signature. <a id="id6" class="footnote_reference" href="#bip-0322">8</a>
|
: A BIP 322 signature. <a id="id7" class="footnote_reference" href="#bip-0322">9</a>
|
||||||
<ul>
|
<ul>
|
||||||
<li>TODO: <cite>zcashd</cite> currently only supports the legacy format defined in BIP 322. We may want to backport full BIP 322 support before having transparent input support in this ZIP, to ensure it does what we need.</li>
|
<li>TODO: <cite>zcashd</cite> currently only supports the legacy format defined in BIP 322. We may want to backport full BIP 322 support before having transparent input support in this ZIP, to ensure it does what we need.</li>
|
||||||
<li>TODO: BIP 322 specifies consensus rule checks as part of the signature verification process. We will likely need to migrate it over to an equivalent ZIP that specifies these for Zcash (which has a different set of script validation consensus rules).</li>
|
<li>TODO: BIP 322 specifies consensus rule checks as part of the signature verification process. We will likely need to migrate it over to an equivalent ZIP that specifies these for Zcash (which has a different set of script validation consensus rules).</li>
|
||||||
|
|
@ -269,7 +272,7 @@ Discussions-To: <<a href="https://github.com/zcash/zips/issues/387">https://g
|
||||||
<p>The inputs to a payment disclosure are:</p>
|
<p>The inputs to a payment disclosure are:</p>
|
||||||
<ul>
|
<ul>
|
||||||
<li>The transaction.</li>
|
<li>The transaction.</li>
|
||||||
<li>The SLIP-44 <a id="id7" class="footnote_reference" href="#slip-0044">9</a> coin type.</li>
|
<li>The SLIP-44 <a id="id8" class="footnote_reference" href="#slip-0044">10</a> coin type.</li>
|
||||||
<li>The message
|
<li>The message
|
||||||
<span class="math">\(msg\)</span>
|
<span class="math">\(msg\)</span>
|
||||||
to be included (which may be empty).</li>
|
to be included (which may be empty).</li>
|
||||||
|
|
@ -310,7 +313,7 @@ Discussions-To: <<a href="https://github.com/zcash/zips/issues/387">https://g
|
||||||
as well as the random
|
as well as the random
|
||||||
<span class="math">\(\alpha\)</span>
|
<span class="math">\(\alpha\)</span>
|
||||||
that was generated internally.</li>
|
that was generated internally.</li>
|
||||||
<li>[Optional] If an associated payment address was provided for this spend index, create a ZIP 304 signature proof for that payment address, <a id="id8" class="footnote_reference" href="#zip-0304">10</a> using
|
<li>[Optional] If an associated payment address was provided for this spend index, create a ZIP 304 signature proof for that payment address, <a id="id9" class="footnote_reference" href="#zip-0304">11</a> using
|
||||||
<span class="math">\(\alpha\)</span>
|
<span class="math">\(\alpha\)</span>
|
||||||
and
|
and
|
||||||
<span class="math">\(\mathsf{rk}\)</span>
|
<span class="math">\(\mathsf{rk}\)</span>
|
||||||
|
|
@ -459,10 +462,10 @@ Discussions-To: <<a href="https://github.com/zcash/zips/issues/387">https://g
|
||||||
<span class="math">\((\mathsf{addrProof.nullifier_{addr}}, \mathsf{spend.rk}, \mathsf{addrProof.zkproof_{addr}})\)</span>
|
<span class="math">\((\mathsf{addrProof.nullifier_{addr}}, \mathsf{spend.rk}, \mathsf{addrProof.zkproof_{addr}})\)</span>
|
||||||
as a ZIP 304 proof for
|
as a ZIP 304 proof for
|
||||||
<span class="math">\((\mathsf{addrProof.d}, \mathsf{addrProof.pk_d})\)</span>
|
<span class="math">\((\mathsf{addrProof.d}, \mathsf{addrProof.pk_d})\)</span>
|
||||||
<a id="id9" class="footnote_reference" href="#zip-0304">10</a>. If verification fails, return false.</li>
|
<a id="id10" class="footnote_reference" href="#zip-0304">11</a>. If verification fails, return false.</li>
|
||||||
<li>Decode and verify
|
<li>Decode and verify
|
||||||
<span class="math">\(\mathsf{zkproof_{spend}}\)</span>
|
<span class="math">\(\mathsf{zkproof_{spend}}\)</span>
|
||||||
as a Sapling spend proof <a id="id10" class="footnote_reference" href="#protocol-spendstatement">4</a> with primary input:
|
as a Sapling spend proof <a id="id11" class="footnote_reference" href="#protocol-spendstatement">4</a> with primary input:
|
||||||
<ul>
|
<ul>
|
||||||
<li>
|
<li>
|
||||||
<span class="math">\(\mathsf{tx.shieldedSpends[spend.index].rt}\)</span>
|
<span class="math">\(\mathsf{tx.shieldedSpends[spend.index].rt}\)</span>
|
||||||
|
|
@ -498,7 +501,7 @@ Discussions-To: <<a href="https://github.com/zcash/zips/issues/387">https://g
|
||||||
<ul>
|
<ul>
|
||||||
<li>Recover the Sapling note in
|
<li>Recover the Sapling note in
|
||||||
<span class="math">\(\mathsf{tx.shieldedOutputs}[\mathsf{output.index}]\)</span>
|
<span class="math">\(\mathsf{tx.shieldedOutputs}[\mathsf{output.index}]\)</span>
|
||||||
via the process specified in <a id="id11" class="footnote_reference" href="#protocol-saplingdecryptovk">6</a> with inputs
|
via the process specified in <a id="id12" class="footnote_reference" href="#protocol-saplingdecryptovk">6</a> with inputs
|
||||||
<span class="math">\((height, \mathsf{output.ock})\)</span>
|
<span class="math">\((height, \mathsf{output.ock})\)</span>
|
||||||
. If recovery returns
|
. If recovery returns
|
||||||
<span class="math">\(\bot\)</span>
|
<span class="math">\(\bot\)</span>
|
||||||
|
|
@ -589,10 +592,18 @@ Discussions-To: <<a href="https://github.com/zcash/zips/issues/387">https://g
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
<table id="protocol-concretespendauthsig" class="footnote">
|
<table id="protocol-concretediversifyhash" class="footnote">
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr>
|
<tr>
|
||||||
<th>7</th>
|
<th>7</th>
|
||||||
|
<td><a href="protocol/protocol.pdf#concretediversifyhash">Zcash Protocol Specification, Version 2020.1.15. Section 5.4.1.6: DiversifyHash Hash Function</a></td>
|
||||||
|
</tr>
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
<table id="protocol-concretespendauthsig" class="footnote">
|
||||||
|
<tbody>
|
||||||
|
<tr>
|
||||||
|
<th>8</th>
|
||||||
<td><a href="protocol/protocol.pdf#concretespendauthsig">Zcash Protocol Specification, Version 2020.1.15. Section 5.4.6.1: Spend Authorization Signature</a></td>
|
<td><a href="protocol/protocol.pdf#concretespendauthsig">Zcash Protocol Specification, Version 2020.1.15. Section 5.4.6.1: Spend Authorization Signature</a></td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
|
|
@ -600,7 +611,7 @@ Discussions-To: <<a href="https://github.com/zcash/zips/issues/387">https://g
|
||||||
<table id="bip-0322" class="footnote">
|
<table id="bip-0322" class="footnote">
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr>
|
<tr>
|
||||||
<th>8</th>
|
<th>9</th>
|
||||||
<td><a href="https://github.com/bitcoin/bips/blob/master/bip-0322.mediawiki">BIP 322: Generic Signed Message Format</a></td>
|
<td><a href="https://github.com/bitcoin/bips/blob/master/bip-0322.mediawiki">BIP 322: Generic Signed Message Format</a></td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
|
|
@ -608,7 +619,7 @@ Discussions-To: <<a href="https://github.com/zcash/zips/issues/387">https://g
|
||||||
<table id="slip-0044" class="footnote">
|
<table id="slip-0044" class="footnote">
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr>
|
<tr>
|
||||||
<th>9</th>
|
<th>10</th>
|
||||||
<td><a href="https://github.com/satoshilabs/slips/blob/master/slip-0044.md">SLIP-0044 : Registered coin types for BIP-0044</a></td>
|
<td><a href="https://github.com/satoshilabs/slips/blob/master/slip-0044.md">SLIP-0044 : Registered coin types for BIP-0044</a></td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
|
|
@ -616,7 +627,7 @@ Discussions-To: <<a href="https://github.com/zcash/zips/issues/387">https://g
|
||||||
<table id="zip-0304" class="footnote">
|
<table id="zip-0304" class="footnote">
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr>
|
<tr>
|
||||||
<th>10</th>
|
<th>11</th>
|
||||||
<td><a href="zip-0304">ZIP 304: Sapling Address Signatures</a></td>
|
<td><a href="zip-0304">ZIP 304: Sapling Address Signatures</a></td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
|
|
|
||||||
|
|
@ -142,6 +142,8 @@ Conventions
|
||||||
The following functions used in this ZIP are defined in the Zcash protocol specification:
|
The following functions used in this ZIP are defined in the Zcash protocol specification:
|
||||||
[#protocol]_
|
[#protocol]_
|
||||||
|
|
||||||
|
- :math:`\mathsf{DiversifyHash}(\mathsf{d})` [#protocol-concretediversifyhash]_
|
||||||
|
|
||||||
- :math:`\mathsf{SpendAuthSig.RandomizePrivate}(α, \mathsf{sk})`,
|
- :math:`\mathsf{SpendAuthSig.RandomizePrivate}(α, \mathsf{sk})`,
|
||||||
:math:`\mathsf{SpendAuthSig.Sign}(\mathsf{sk}, m)`, and
|
:math:`\mathsf{SpendAuthSig.Sign}(\mathsf{sk}, m)`, and
|
||||||
:math:`\mathsf{SpendAuthSig.Verify}(\mathsf{vk}, m, σ)` [#protocol-concretespendauthsig]_
|
:math:`\mathsf{SpendAuthSig.Verify}(\mathsf{vk}, m, σ)` [#protocol-concretespendauthsig]_
|
||||||
|
|
@ -192,7 +194,8 @@ A payment disclosure has the following fields:
|
||||||
- :math:`\mathsf{zkproof_{spend}}`: A Sapling spend proof.
|
- :math:`\mathsf{zkproof_{spend}}`: A Sapling spend proof.
|
||||||
- [Optional] A payment address proof `addr_proof`:
|
- [Optional] A payment address proof `addr_proof`:
|
||||||
|
|
||||||
- Any :math:`(\mathsf{d, pk_d})` such that :math:`\mathsf{pk_d} = [\mathsf{ivk}] GH(\mathsf{d})`
|
- Any :math:`(\mathsf{d, pk_d})` such that
|
||||||
|
:math:`\mathsf{pk_d} = [\mathsf{ivk}] \mathsf{DiversifyHash}(\mathsf{d})`
|
||||||
- :math:`\mathsf{nullifier_{addr}}`: A nullifier for a ZIP 304 fake note. [#zip-0304]_
|
- :math:`\mathsf{nullifier_{addr}}`: A nullifier for a ZIP 304 fake note. [#zip-0304]_
|
||||||
- :math:`\mathsf{zkproof_{addr}}`: A Sapling spend proof.
|
- :math:`\mathsf{zkproof_{addr}}`: A Sapling spend proof.
|
||||||
|
|
||||||
|
|
@ -431,6 +434,7 @@ References
|
||||||
.. [#protocol-spendstatement] `Zcash Protocol Specification, Version 2020.1.15. Section 4.15.2: Spend Statement (Sapling) <protocol/protocol.pdf#spendstatement>`_
|
.. [#protocol-spendstatement] `Zcash Protocol Specification, Version 2020.1.15. Section 4.15.2: Spend Statement (Sapling) <protocol/protocol.pdf#spendstatement>`_
|
||||||
.. [#protocol-saplingencrypt] `Zcash Protocol Specification, Version 2020.1.15. 4.17.1: Encryption (Sapling) <protocol/protocol.pdf#saplingencrypt>`_
|
.. [#protocol-saplingencrypt] `Zcash Protocol Specification, Version 2020.1.15. 4.17.1: Encryption (Sapling) <protocol/protocol.pdf#saplingencrypt>`_
|
||||||
.. [#protocol-saplingdecryptovk] `Zcash Protocol Specification, Version 2020.1.15. 4.17.3: Decryption using a Full Viewing Key (Sapling) <protocol/protocol.pdf#saplingdecryptovk>`_
|
.. [#protocol-saplingdecryptovk] `Zcash Protocol Specification, Version 2020.1.15. 4.17.3: Decryption using a Full Viewing Key (Sapling) <protocol/protocol.pdf#saplingdecryptovk>`_
|
||||||
|
.. [#protocol-concretediversifyhash] `Zcash Protocol Specification, Version 2020.1.15. Section 5.4.1.6: DiversifyHash Hash Function <protocol/protocol.pdf#concretediversifyhash>`_
|
||||||
.. [#protocol-concretespendauthsig] `Zcash Protocol Specification, Version 2020.1.15. Section 5.4.6.1: Spend Authorization Signature <protocol/protocol.pdf#concretespendauthsig>`_
|
.. [#protocol-concretespendauthsig] `Zcash Protocol Specification, Version 2020.1.15. Section 5.4.6.1: Spend Authorization Signature <protocol/protocol.pdf#concretespendauthsig>`_
|
||||||
.. [#bip-0322] `BIP 322: Generic Signed Message Format <https://github.com/bitcoin/bips/blob/master/bip-0322.mediawiki>`_
|
.. [#bip-0322] `BIP 322: Generic Signed Message Format <https://github.com/bitcoin/bips/blob/master/bip-0322.mediawiki>`_
|
||||||
.. [#slip-0044] `SLIP-0044 : Registered coin types for BIP-0044 <https://github.com/satoshilabs/slips/blob/master/slip-0044.md>`_
|
.. [#slip-0044] `SLIP-0044 : Registered coin types for BIP-0044 <https://github.com/satoshilabs/slips/blob/master/slip-0044.md>`_
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue