The uses of inputs [4] and [5] to PRF^{expand}_{rseed} (or first bytes
of the input in case of Orchard) were accidentally swapped in the
protocol specification relative to ZIP 212. The implementation in zcashd
correctly followed ZIP 212, using [4] to derive rcm and [5] to derive esk.

[Note added 2023-12-07: This commit, which is between spec versions
2022.3.8 and 2023.4.0, does not accurately reflect what was deployed.
In fact the domain separators for Sapling were implemented according to
ZIP 212, but the ones for Orchard were implemented according to the spec,
i.e. swapped relative to Sapling. This has been documented in spec
version 2023.4.0.]

Signed-off-by: Daira Emma Hopwood <daira@jacaranda.org>
Daira Emma Hopwood 2023-03-02 14:27:40 +00:00
parent 04db180f3c
commit b4e3edbb8c
1 changed files with 19 additions and 12 deletions

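The following is an added worked example of the rseed-derived randomness this commit is about; it is not code from the protocol-spec repository, from zcashd or from librustzcash. It takes the PRF^expand definition (BLAKE2b-512, personalization "Zcash_ExpandSeed", input rseed || t) and the Jubjub and Pallas scalar field orders from the protocol spec, encodes the two candidate separator orderings as dictionaries, and uses the deployed-behaviour assignment described in the 2023-12-07 note above (Sapling per ZIP 212, Orchard per the pre-commit spec text). The names derive_sapling, derive_orchard and recipient_accepts, and the RSEED/RHO inputs, are this example's own. The recipient check compares recomputed esk scalars directly instead of running KA.DerivePublic, which is equivalent for a fixed prime-order g_d.

```python
"""rseed-derived randomness (ZIP 212 / Zcash protocol spec), as an illustration.
Added example, not code from the protocol-spec repository, zcashd or
librustzcash. Field orders and PRF^expand follow the spec; RSEED and RHO are
constructed demo inputs."""
import hashlib

# Scalar field orders for ToScalar^Sapling (Jubjub r_J) and ToScalar^Orchard (Pallas r_P).
R_JUBJUB = 0x0e7db4ea6533afa906673b0101343b00a6682093ccc81082d0970e5ed6f72cb7
R_PALLAS = 0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001

# Which single-byte domain separator feeds which derivation. The dict keys are this
# example's own names for the two outputs.
ZIP212_ORDER = {"rcm": 0x04, "esk": 0x05}    # ZIP 212 text; what Sapling deployed
SWAPPED_ORDER = {"rcm": 0x05, "esk": 0x04}   # pre-commit spec text; what Orchard deployed
# Per the 2023-12-07 note on this page: Sapling followed ZIP 212, Orchard the spec.
DEPLOYED = {"sapling": ZIP212_ORDER, "orchard": SWAPPED_ORDER}

# Constructed demo inputs (rho would really be the nullifier of the spent note).
RSEED = bytes(range(32))
RHO = bytes([0x11]) * 32


def prf_expand(sk: bytes, t: bytes) -> bytes:
    """PRF^expand_sk(t) = BLAKE2b-512 over sk || t, personalization "Zcash_ExpandSeed"."""
    return hashlib.blake2b(sk + t, digest_size=64, person=b"Zcash_ExpandSeed").digest()


def to_scalar(x: bytes, r: int) -> int:
    """ToScalar(x) = LEOS2IP_512(x) mod r."""
    return int.from_bytes(x, "little") % r


def derive_sapling(rseed: bytes, order: dict = ZIP212_ORDER) -> dict:
    """Sapling note randomness: name -> ToScalar^Sapling(PRF^expand_rseed([sep]))."""
    return {name: to_scalar(prf_expand(rseed, bytes([sep])), R_JUBJUB)
            for name, sep in order.items()}


def derive_orchard(rseed: bytes, rho: bytes, order: dict = SWAPPED_ORDER) -> dict:
    """Orchard note randomness: name -> ToScalar^Orchard(PRF^expand_rseed([sep] || rho)).
    The spec rejects esk = 0 mod r_P and restarts with a fresh rseed; here we raise."""
    out = {name: to_scalar(prf_expand(rseed, bytes([sep]) + rho), R_PALLAS)
           for name, sep in order.items()}
    if out["esk"] == 0:
        raise ValueError("esk == 0 mod r_P: choose a different rseed")
    return out


def recipient_accepts(protocol: str, rseed: bytes, sender_esk: int,
                      rho: bytes = b"", order: dict = None) -> bool:
    """Recipient side of the v2 plaintext consistency check: recompute esk from the
    decrypted rseed and compare. The spec compares KA.DerivePublic(esk, g_d) with the
    transmitted ephemeralKey; for a fixed prime-order g_d that is a deterministic
    function of esk, so comparing the scalars gives the same verdict (no curve code)."""
    order = order or DEPLOYED[protocol]
    if protocol == "sapling":
        esk = derive_sapling(rseed, order)["esk"]
    elif protocol == "orchard":
        esk = derive_orchard(rseed, rho, order)["esk"]
    else:
        raise ValueError(protocol)
    return esk == sender_esk


if __name__ == "__main__":
    # Sender and recipient agreeing on the separators: the note decrypts.
    s = derive_sapling(RSEED)
    print("sapling, matching order:", recipient_accepts("sapling", RSEED, s["esk"]))
    # A recipient that implemented the pre-commit spec text for Sapling recomputes esk
    # from [4] instead of [5] and returns bottom for every such note.
    print("sapling, recipient on swapped order:",
          recipient_accepts("sapling", RSEED, s["esk"], order=SWAPPED_ORDER))
    o = derive_orchard(RSEED, RHO)
    print("orchard, recipient on ZIP 212 order:",
          recipient_accepts("orchard", RSEED, o["esk"], RHO, order=ZIP212_ORDER))
```

The practical point the example makes: a separator mismatch between sender and recipient is not a cosmetic relabelling of two random scalars. Because the recipient recomputes esk from rseed and rejects the plaintext when it does not reproduce ephemeralKey, the wrong ordering on either side makes every v2 note plaintext undecryptable, which is why the spec text and the deployed implementations have to agree per protocol.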

@ -5664,9 +5664,9 @@ performs the following steps:
\vspace{-0.25ex}
\item \tab Choose uniformly random $\NoteSeedBytes \leftarrowR \NoteSeedBytesType$.
\vspace{-0.25ex}
\item \tab Derive $\EphemeralPrivate = \ToScalar{Sapling}\big(\PRFexpand{\NoteSeedBytes}([4])\kern-0.1em\big)$.
\item \tab Derive $\NoteCommitRand = \ToScalar{Sapling}\big(\PRFexpand{\NoteSeedBytes}([4])\kern-0.1em\big)$.
\vspace{-0.25ex}
\item \tab Derive $\NoteCommitRand = \ToScalar{Sapling}\big(\PRFexpand{\NoteSeedBytes}([5])\kern-0.11em\big)$.
\item \tab Derive $\EphemeralPrivate = \ToScalar{Sapling}\big(\PRFexpand{\NoteSeedBytes}([5])\kern-0.1em\big)$.
\item \blank
} %canopy
\vspace{-0.25ex}
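Review bot: the new Sapling assignment (esk from [5], rcm from [4]) matches the ZIP 212 ordering the commit message describes, and the 2023-12-07 note at the top of this page confirms that is what Sapling deployed, so this hunk is correct on its own. The thing to verify in review is that the recipient-side derivations in the decryption algorithms move in lockstep: they recompute esk from rseed and return ⊥ when KA.DerivePublic(esk, g_d) ≠ ephemeralKey, so any sender/recipient disagreement on which separator feeds esk makes every v2 note plaintext undecryptable rather than merely relabelling two scalars. The kern tweaks (-0.1em versus -0.11em) travelled with the separators and are cosmetic.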
@ -5752,9 +5752,9 @@ performs the following steps:
\item Choose a uniformly random \commitmentTrapdoor $\ValueCommitRand \leftarrowR \ValueCommitGenTrapdoor{Orchard}()$.
\item Choose uniformly random $\NoteSeedBytes \leftarrowR \NoteSeedBytesType$.
\item Let $\NoteUniqueRand = \nfOld{}$ from the same \actionDescription, and let $\NoteUniqueRandBytes = \ItoLEOSPOf{256}{\NoteUniqueRand}$.
\item Derive $\EphemeralPrivate = \ToScalar{Orchard}\big(\PRFexpand{\NoteSeedBytes}([4] \bconcat \NoteUniqueRandBytes)\kern-0.1em\big)$.
\item Derive $\EphemeralPrivate = \ToScalar{Orchard}\big(\PRFexpand{\NoteSeedBytes}([5] \bconcat \NoteUniqueRandBytes)\kern-0.1em\big)$.
\item If $\EphemeralPrivate = 0 \pmod{\ParamP{r}}$, repeat the above steps using a different $\NoteSeedBytes$.
\item Derive $\NoteCommitRand = \ToScalar{Orchard}\big(\PRFexpand{\NoteSeedBytes}([5] \bconcat \NoteUniqueRandBytes)\kern-0.11em\big)$.
\item Derive $\NoteCommitRand = \ToScalar{Orchard}\big(\PRFexpand{\NoteSeedBytes}([4] \bconcat \NoteUniqueRandBytes)\kern-0.1em\big)$.
\item Derive $\NoteNullifierRand = \ToBase{Orchard}\big(\PRFexpand{\NoteSeedBytes}([9] \bconcat \NoteUniqueRandBytes)\kern-0.09em\big)$.
\item Let $\cvNet{}$ be the \valueCommitment to the value of the input \note minus the value $\Value$
of the output \note for this \actionTransfer, using $\ValueCommitRand$, as described in \crossref{orchardbalance}.
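Review bot: the Orchard swap in this hunk does not reflect deployed behaviour. The note added 2023-12-07 at the top of this page says the Orchard separators were implemented according to the spec, i.e. esk from [4] || ρ and rcm from [5] || ρ, which is exactly the text this hunk removes; applying the Sapling ordering to Orchard on the assumption that both follow ZIP 212 should have been checked against the Orchard implementation's test vectors before landing, and spec version 2023.4.0 later documented the ordering that is swapped relative to Sapling. Whichever ordering is kept, note that the "If esk = 0 (mod r), repeat the above steps" line must stay attached to the esk derivation, since it is the only one of the two values that is rejected at zero.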
@ -5881,7 +5881,7 @@ A \spendDescription for a \dummy \Sapling input \note is constructed as follows:
\vspace{-0.4ex}
\item Choose uniformly random $\NoteSeedBytes \leftarrowR \NoteSeedBytesType$.
\vspace{-0.2ex}
\item Derive $\NoteCommitRand = \ToScalar{Sapling}\big(\PRFexpand{\NoteSeedBytes}([5])\kern-0.11em\big)$.
\item Derive $\NoteCommitRand = \ToScalar{Sapling}\big(\PRFexpand{\NoteSeedBytes}([4])\kern-0.1em\big)$.
\vspace{-0.2ex}
\item Let $\cv = \ValueCommit{Sapling}{\ValueCommitRand}(\Value)$.
\vspace{-0.2ex}
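Review bot: consistent with the Sapling output-description hunk above (rcm from [4]); a dummy spend derives no esk, so this single line is all that is affected here.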
@ -5947,7 +5947,7 @@ constructed as follows:
\item Choose uniformly random $\NoteSeedBytes \leftarrowR \NoteSeedBytesType$.
\item Choose uniformly random $\NoteUniqueRandPoint \leftarrowR \GroupP$.
\item Let $\NoteUniqueRand = \ExtractP(\NoteUniqueRandPoint)$ and $\NoteUniqueRandBytes = \ItoLEOSPOf{256}{\NoteUniqueRand}$.
\item Derive $\NoteCommitRand = \ToScalar{Orchard}\big(\PRFexpand{\NoteSeedBytes}([5] \bconcat \NoteUniqueRandBytes)\kern-0.1em\big)$.
\item Derive $\NoteCommitRand = \ToScalar{Orchard}\big(\PRFexpand{\NoteSeedBytes}([4] \bconcat \NoteUniqueRandBytes)\kern-0.1em\big)$.
\item Derive $\NoteNullifierRand = \ToBase{Orchard}\big(\PRFexpand{\NoteSeedBytes}([9] \bconcat \NoteUniqueRandBytes)\kern-0.1em\big)$.
\item Let $\cm = \NoteCommit{Orchard}{\NoteCommitRand}\big(\reprP\Of{\DiversifiedTransmitBase},
\reprP\Of{\DiversifiedTransmitPublic},
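Review bot: same issue as the Orchard action-description hunk. Per the 2023-12-07 note, deployed Orchard derives rcm from [5] || ρ, so changing the dummy-note derivation to [4] || ρ makes the spec's dummy Orchard spend disagree with the real implementation. It is less consequential than the action-description change, since a dummy note is never decrypted by anyone and nothing can fail on-chain because of it, but it should follow whatever ordering is settled for real Orchard notes.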
@ -7586,7 +7586,7 @@ from $\TransmitPlaintext{}$
} %nufive
\canopyonwarditem{let $\NoteCommitRandBytes = \begin{cases}
\NoteSeedBytes,&\caseif \NotePlaintextLeadByte = \hexint{01} \\
\ToScalar{}\big(\PRFexpand{\NoteSeedBytes}([5]\nufive{\, \bconcat \NoteUniqueRandBytesOpt})\kern-0.11em\big),&\caseotherwise
\ToScalar{}\big(\PRFexpand{\NoteSeedBytes}([4]\nufive{\, \bconcat \NoteUniqueRandBytesOpt})\kern-0.1em\big),&\caseotherwise
\end{cases}$}
\item let $\NoteCommitRand = \LEOStoIPOf{256}{\NoteCommitRandBytes}$
and $\DiversifiedTransmitBase = \DiversifyHash{}(\Diversifier)$
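Review bot: this formula is shared by Sapling and Orchard through the \nufive{\, \bconcat \NoteUniqueRandBytesOpt} conditional, so it can only express one separator ordering for both protocols. Per the 2023-12-07 note, Sapling derives rcm from [4] but Orchard derives it from [5] || ρ; a single [4] here is therefore right for Sapling and wrong for Orchard, and the case needs to split on the protocol, not only on the lead byte.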
@ -7594,7 +7594,7 @@ from $\TransmitPlaintext{}$
\canopyonwarditem{if $\NotePlaintextLeadByte \neq \hexint{01}$:}
\canopy{
\vspace{-0.2ex}
\item \tab $\EphemeralPrivate = \ToScalar{}\big(\PRFexpand{\NoteSeedBytes}([4]\nufive{\, \bconcat \NoteUniqueRandBytesOpt})\kern-0.11em\big)$
\item \tab $\EphemeralPrivate = \ToScalar{}\big(\PRFexpand{\NoteSeedBytes}([5]\nufive{\, \bconcat \NoteUniqueRandBytesOpt})\kern-0.1em\big)$
\vspace{-0.2ex}
\item \tab if $\reprG{}\big(\KADerivePublic{}(\EphemeralPrivate, \DiversifiedTransmitBase)\kern-0.12em\big) \neq \ephemeralKey$,
return $\bot$
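Review bot: same concern as for rcm above: the esk recomputation uses [5] for both protocols via \nufive, whereas deployed Orchard uses [4] || ρ. Because this line feeds the "≠ ephemeralKey, return ⊥" check immediately below it, a wrong separator here is a hard decryption failure for every Orchard note with lead byte ≠ 0x01, not a silent mislabelling; the Sapling half of the formula is fine.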
@ -7726,11 +7726,11 @@ from $\TransmitPlaintext{}$
let $\NoteUniqueRandBytesOpt = \ItoLEOSPOf{256}{\NoteUniqueRand}$;
otherwise let $\NoteUniqueRandBytesOpt = [\hairspace]$\!\!
} %nufive
\canopyonwarditem{if $\NotePlaintextLeadByte \neq \hexint{01}$ and $\ToScalar{}\big(\PRFexpand{\NoteSeedBytes}([4]\nufive{\, \bconcat \NoteUniqueRandBytesOpt})\kern-0.11em\big) \neq \EphemeralPrivate$, return $\bot$}
\canopyonwarditem{if $\NotePlaintextLeadByte \neq \hexint{01}$ and $\ToScalar{}\big(\PRFexpand{\NoteSeedBytes}([5]\nufive{\, \bconcat \NoteUniqueRandBytesOpt})\kern-0.1em\big) \neq \EphemeralPrivate$, return $\bot$}
\vspace{-0.4ex}
\canopyonwarditem{let $\NoteCommitRandBytes = \begin{cases}
\NoteSeedBytes,&\caseif \NotePlaintextLeadByte = \hexint{01} \\
\ToScalar{}\big(\PRFexpand{\NoteSeedBytes}([5]\nufive{\, \bconcat \NoteUniqueRandBytesOpt})\kern-0.11em\big),&\caseotherwise
\ToScalar{}\big(\PRFexpand{\NoteSeedBytes}([4]\nufive{\, \bconcat \NoteUniqueRandBytesOpt})\kern-0.1em\big),&\caseotherwise
\end{cases}$}
\item let $\NoteCommitRand = \LEOStoIPOf{256}{\NoteCommitRandBytes}$
and $\DiversifiedTransmitBase = \DiversifyHash{}(\Diversifier)$
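Review bot: the decryptovk algorithm needs the same per-protocol split as the ivk path: both the esk check ([5]) and the rcm derivation ([4]) are written once for Sapling and Orchard via \nufive, and per the 2023-12-07 note only the Sapling values are right as written. Since the esk line is a "return ⊥" check, the Orchard side of this hunk would reject every outgoing-viewing-key decryption of a real Orchard note.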
@ -14653,6 +14653,12 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\begin{itemize}
\item Change Daira Emma Hopwood's name.
\canopy{
\item The uses of inputs $[4]$ and $[5]$ to $\PRFexpand{\NoteSeedBytes}$\nufive{ (or first bytes of the input
in case of \Orchard),} were accidentally swapped in the protocol specification relative to \cite{ZIP-212}.
The implementation in \zcashd correctly followed \cite{ZIP-212}, using $[4]$ to derive $\NoteCommitRand$
and $[5]$ to derive $\EphemeralPrivate$.
} %canopy
\sapling{
\item The return type of $\GroupJHash{}$ in \crossref{concretegrouphashjubjub} was
incorrectly given as $\SubgroupJstar$, rather than the correct $\maybe{\SubgroupJstar}$.
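Review bot: the new change-log entry asserts that zcashd followed ZIP 212 for both Sapling and Orchard, which the 2023-12-07 note at the top of this page says is wrong for Orchard; the entry should state that the Sapling separators follow ZIP 212 while Orchard's are swapped relative to Sapling, or point at the description in spec 2023.4.0. Minor: the comma after the \nufive{...} parenthetical ("..., were accidentally swapped") separates subject from verb; drop it.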
@ -15606,9 +15612,10 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\canopy{
\item Specify that \shieldedOutputs of \coinbaseTransactions \MUST use v2 \notePlaintexts after
\Canopy activation.
\item Correct a bug in \crossref{decryptovk}: $\EphemeralPrivate$ is only to be checked
against $\ToScalar{}\big(\PRFexpand{\NoteSeedBytes}([4])\kern-0.11em\big)$
\item Correct a bug in \crossref{decryptovk}:\\
$\EphemeralPrivate$ is only to be checked against $\ToScalar{}\big(\PRFexpand{\NoteSeedBytes}([4])\kern-0.1em\big)$
when $\NotePlaintextLeadByte \neq \hexint{01}$.
[Later edit: this should have been $\ToScalar{}\big(\PRFexpand{\NoteSeedBytes}([5])\kern-0.1em\big)$.]
} %canopy
\end{itemize}
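Review bot: the only change to the historical Canopy entry is a line break plus the bracketed "Later edit" pointing at [5], which is the right way to annotate an old entry without rewriting it. The edit should say it applies to Sapling (the entry predates Orchard and has no ρ input), given that the page's later note records a different Orchard ordering.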