mirror of https://github.com/zcash/zips.git
Add BLAKE2 section.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood
parent
9ee098adda
commit
bf9bd313a2
|
|
@ -535,6 +535,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\shaHashFunction}{\term{SHA-256 hash function}}
|
||||
\newcommand{\shaCompress}{\term{SHA-256 compression}}
|
||||
\newcommand{\shaCompressFunction}{\term{SHA-256 compression function}}
|
||||
\newcommand{\BlakeTwo}{\titleterm{BLAKE2}}
|
||||
\newcommand{\xPedersenHash}{\term{Pedersen hash}}
|
||||
\newcommand{\xPedersenHashes}{\term{Pedersen hashes}}
|
||||
\newcommand{\PedersenHashFunction}{\titleterm{Pedersen Hash Function}}
|
||||
|
|
@ -600,6 +601,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\BlakeTwos}[1]{\mathsf{BLAKE2s\kern 0.05em\mhyphen{#1}}}
|
||||
\newcommand{\BlakeTwobGeneric}{\mathsf{BLAKE2b}}
|
||||
\newcommand{\BlakeTwosGeneric}{\mathsf{BLAKE2s}}
|
||||
\newcommand{\BlakeTwoGeneric}{\mathsf{BLAKE2}}
|
||||
\newcommand{\SHACompressBox}[1]{\SHACompress\left(\Justthebox{#1}\right)}
|
||||
\newcommand{\SHAFullBox}[1]{\SHAFull\left(\Justthebox{#1}\right)}
|
||||
\newcommand{\CRHivkBox}[1]{\CRHivk\left(\Justthebox{#1}\right)}
|
||||
|
|
@ -3541,6 +3543,50 @@ $\MerkleCRHSprout$.
|
|||
\end{formulae}
|
||||
|
||||
|
||||
\nsubsubsubsection{\BlakeTwo{} \HashFunction} \label{concreteblake2}
|
||||
|
||||
BLAKE2 is defined by \cite{ANWW2013}.
|
||||
\sprout{\Zcash uses only the $\BlakeTwobGeneric$ variant.}
|
||||
\sapling{\Zcash uses both the $\BlakeTwobGeneric$ and $\BlakeTwosGeneric$
|
||||
variants.}
|
||||
|
||||
$\BlakeTwob{\ell}(p, x)$ refers to unkeyed $\BlakeTwob{\ell}$
|
||||
in sequential mode, with an output digest length of $\ell/8$ bytes,
|
||||
$16$-byte personalization string $p$, and input $x$.
|
||||
|
||||
$\BlakeTwobGeneric$ is used to instantiate $\hSigCRH$, $\EquihashGen{}$,
|
||||
and $\KDFSprout$.
|
||||
\nuzero{From \NUZero onward, it is used to compute \sighashTxHashes.}
|
||||
\sapling{For \Sapling, it is also used to instantiate $\KDFSapling$ and
|
||||
$\PRGExpandSeed{}$, and in the $\EdJubjub$ \signatureScheme which
|
||||
instantiates $\SpendAuthorizationSig$.}
|
||||
|
||||
\begin{formulae}
|
||||
\item $\BlakeTwob{\ell} \typecolon \byteseq{16} \times \byteseqs \rightarrow \bitseq{\ell}$
|
||||
\end{formulae}
|
||||
|
||||
\vspace{-3ex}
|
||||
\pnote{
|
||||
$\BlakeTwob{\ell}$ is not the same as $\BlakeTwob{512}$ truncated to
|
||||
$\ell$ bits, because the digest length is encoded in the parameter
|
||||
block.
|
||||
}
|
||||
|
||||
\sapling{
|
||||
\vspace{3ex}
|
||||
$\BlakeTwos{\ell}(p, x)$ refers to unkeyed $\BlakeTwos{\ell}$
|
||||
in sequential mode, with an output digest length of $\ell/8$ bytes,
|
||||
$8$-byte personalization string $p$, and input $x$.
|
||||
|
||||
$\BlakeTwosGeneric$ is used to instantiate $\PRFnr{}$, $\CRHivk$, and
|
||||
$\GroupJHash{}$.
|
||||
|
||||
\begin{formulae}
|
||||
\item $\BlakeTwos{\ell} \typecolon \byteseq{8} \times \byteseqs \rightarrow \bitseq{\ell}$
|
||||
\end{formulae}
|
||||
}
|
||||
|
||||
|
||||
\nsubsubsubsection{\MerkleTree{} \HashFunction} \label{merklecrh}
|
||||
|
||||
$\MerkleCRH$ is used to hash \incrementalMerkleTree \merkleHashes.
|
||||
|
|
@ -3595,12 +3641,7 @@ where
|
|||
\end{formulae}
|
||||
}
|
||||
|
||||
$\BlakeTwob{256}(p, x)$ refers to unkeyed $\BlakeTwob{256}$
|
||||
\cite{ANWW2013} in sequential mode, with an output
|
||||
digest length of $32$ bytes, $16$-byte personalization string $p$,
|
||||
and input $x$. This is not the same as $\BlakeTwob{512}$ truncated to
|
||||
$256$ bits, because the digest length is encoded in the parameter
|
||||
block.
|
||||
$\BlakeTwob{256}(p, x)$ is defined in \crossref{concreteblake2}.
|
||||
|
||||
\securityrequirement{
|
||||
$\BlakeTwob{256}(\ascii{ZcashComputehSig}, x)$ must be collision-resistant.
|
||||
|
|
@ -3772,12 +3813,7 @@ Let $\EquihashGen{n, k}(S, i) := T_{\barerange{h+1}{h+n}}$, where
|
|||
|
||||
Indices of bits in $T$ are 1-based.
|
||||
|
||||
$\BlakeTwob{\ell}(p, x)$ refers to unkeyed $\BlakeTwob{\ell}$
|
||||
\cite{ANWW2013} in sequential mode, with an output
|
||||
digest length of $\ell/8$ bytes, $16$-byte personalization string $p$,
|
||||
and input $x$. This is not the same as $\BlakeTwob{512}$ truncated to
|
||||
$\ell$ bits, because the digest length is encoded in the parameter
|
||||
block.
|
||||
$\BlakeTwob{\ell}(p, x)$ is defined in \crossref{concreteblake2}.
|
||||
|
||||
\securityrequirement{
|
||||
$\BlakeTwob{\ell}(\powtag, x)$ must generate output that is sufficiently
|
||||
|
|
@ -4002,12 +4038,8 @@ where:
|
|||
\end{formulae}
|
||||
}
|
||||
|
||||
$\BlakeTwob{256}(p, x)$ refers to unkeyed $\BlakeTwob{256}$
|
||||
\cite{ANWW2013} in sequential mode, with an output
|
||||
digest length of $32$ bytes, $16$-byte personalization string $p$,
|
||||
and input $x$. This is not the same as $\BlakeTwob{512}$ truncated to
|
||||
$256$ bits, because the digest length is encoded in the parameter
|
||||
block.
|
||||
$\BlakeTwob{256}(p, x)$ is defined in \crossref{concreteblake2}.
|
||||
|
||||
|
||||
\sapling{
|
||||
\nsubsubsubsection{\Sapling \KeyAgreement} \label{concretesaplingkeyagreement}
|
||||
|
|
@ -4509,6 +4541,8 @@ Let $\CRS$ be the $64$-byte \commonRandomString given by the $\SHAd$ hash
|
|||
of the first \block in the eventual consensus \Bitcoin \blockchain having
|
||||
timestamp at or after 2018-03-01 00:00:00 UTC.
|
||||
|
||||
Let $\BlakeTwos{256}$ be as defined in \crossref{concreteblake2}.
|
||||
|
||||
Let $D$ be an $8$-byte domain separator.
|
||||
|
||||
Let $T$ be the hash input.
|
||||
|
|
|
|||
Loading…
Reference in New Issue