NCC audit: Document that the use of k = 256 in hash_to_field is intentional,

despite the Pallas curve only having 126-bit conjectured security against generic attacks.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2021-03-26 15:40:42 +00:00
parent 9d62142142
commit ab0e248036
1 changed files with 11 additions and 0 deletions


@ -10644,6 +10644,14 @@ Define $\hashtofield_{\XMDBlakeTwob}^{\typeexp{\GF{\ParamG{q}}\!}{2}}(\msg \type
since that is the only case we need. In the event of any discrepancy or change to
the Internet Draft, the definition here takes precedence.
\vspace{-0.25ex}
\item The ``security level'' $k$ in the Internet Draft is taken to be $256$. Although
this is greater than the conjectured $126$-bit security of the \pallasCurve against
generic (e.g.\ Pollard rho) attacks \cite{Hopwood2020}, this design choice is
consistent with other instances of extracting a uniformly distributed field element
from a hash output in the \Orchard protocol, such as $\ToScalar{Orchard}$ and
$\ToBase{Orchard}$ defined in \crossref{orchardkeycomponents}, and
$\RedDSAHashToScalar$ defined in \crossref{concretereddsa}.
\vspace{-0.25ex}
\item Unlike other uses of $\BlakeTwobGeneric$ in \Zcash, zero bytes are used for the
$\BlakeTwobGeneric$ personalization, in order to follow the Internet Draft which
encodes $\DST$ in the hash inputs instead.
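Review bot: the new item (the "security level" bullet) asserts that $k = 256$ is consistent with $\ToScalar{Orchard}$, $\ToBase{Orchard}$ and $\RedDSAHashToScalar$, but never states the direction of the trade-off, so a reader who sees "greater than the conjectured $126$-bit security" may read the mismatch as a weakness rather than a conservative choice. Consider adding one sentence after "generic (e.g.\ Pollard rho) attacks \cite{Hopwood2020}" saying explicitly that choosing $k$ larger than the curve's security level cannot reduce security and is deliberately conservative, so that the "Although" clause resolves itself without the reader having to consult the Internet Draft. Minor style point: the bullet is the only one in this list that opens with a quoted term (``security level''); if the quoting is meant to signal the Internet Draft's own terminology, saying so ("the parameter the Internet Draft calls the security level") reads more clearly than the scare quotes.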
@ -13958,6 +13966,9 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\cite{ID-hashtocurve}: the zero padding in $\expandmessagexmd$ should be
$128$ bytes (matching the input block size of $\BlakeTwobGeneric$), rather
than $64$ bytes.
\item Document that the use of $k = 256$ when extracting field elements
in $\hashtofield$ is intentional, despite the \pallasCurve only having
$126$-bit conjectured security against generic attacks.
\item Make the naming of $\enableSpends$ and $\enableOutputs$ consistent.
\end{itemize}
\item Correct the description of $\lengthField$ in \crossref{unifiedpaymentaddrencoding}.
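Review bot: the new changelog item ("Document that the use of $k = 256$ ...") gives no cross-reference to the section where the rationale now lives, unlike the neighbouring entry "Correct the description of $\lengthField$ in \crossref{unifiedpaymentaddrencoding}". Add the corresponding \crossref{...} for the $\hashtofield$ definition so readers of the changelog can find the new bullet directly. Also, the item reuses the commit subject almost verbatim; since the changelog is the only place a reader will see this without the diff, consider trimming it to the fact recorded ("Document that $k = 256$ in $\hashtofield$ is intentional") and leaving the justification to the referenced section.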