diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index f4949dd0..7e6f278a 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -535,6 +535,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\shaHashFunction}{\term{SHA-256 hash function}}
 \newcommand{\shaCompress}{\term{SHA-256 compression}}
 \newcommand{\shaCompressFunction}{\term{SHA-256 compression function}}
+\newcommand{\BlakeTwo}{\titleterm{BLAKE2}}
 \newcommand{\xPedersenHash}{\term{Pedersen hash}}
 \newcommand{\xPedersenHashes}{\term{Pedersen hashes}}
 \newcommand{\PedersenHashFunction}{\titleterm{Pedersen Hash Function}}
@@ -600,6 +601,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\BlakeTwos}[1]{\mathsf{BLAKE2s\kern 0.05em\mhyphen{#1}}}
 \newcommand{\BlakeTwobGeneric}{\mathsf{BLAKE2b}}
 \newcommand{\BlakeTwosGeneric}{\mathsf{BLAKE2s}}
+\newcommand{\BlakeTwoGeneric}{\mathsf{BLAKE2}}
 \newcommand{\SHACompressBox}[1]{\SHACompress\left(\Justthebox{#1}\right)}
 \newcommand{\SHAFullBox}[1]{\SHAFull\left(\Justthebox{#1}\right)}
 \newcommand{\CRHivkBox}[1]{\CRHivk\left(\Justthebox{#1}\right)}
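Review bot: `\BlakeTwoGeneric` is added here but, within the hunks shown, nothing uses it: the new section anchored at `\label{concreteblake2}` opens with the bare word in running text, `BLAKE2 is defined by \cite{ANWW2013}.`, while the same paragraph sets the variant names with the existing `\mathsf` macros ($\BlakeTwobGeneric$, $\BlakeTwosGeneric$). Either that sentence should read `$\BlakeTwoGeneric$ is defined by \cite{ANWW2013}.` so the family name is typeset consistently with its variants, or the macro is dead and can be dropped; if it is used in a part of the commit not shown here, ignore this. The matching `\BlakeTwo` \titleterm from the first hunk is used by the new section heading, so that one is fine.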
@@ -3541,6 +3543,50 @@ $\MerkleCRHSprout$.
 \end{formulae}
 
 
+\nsubsubsubsection{\BlakeTwo{} \HashFunction} \label{concreteblake2}
+
+BLAKE2 is defined by \cite{ANWW2013}.
+\sprout{\Zcash uses only the $\BlakeTwobGeneric$ variant.}
+\sapling{\Zcash uses both the $\BlakeTwobGeneric$ and $\BlakeTwosGeneric$
+variants.}
+
+$\BlakeTwob{\ell}(p, x)$ refers to unkeyed $\BlakeTwob{\ell}$
+in sequential mode, with an output digest length of $\ell/8$ bytes,
+$16$-byte personalization string $p$, and input $x$.
+
+$\BlakeTwobGeneric$ is used to instantiate $\hSigCRH$, $\EquihashGen{}$,
+and $\KDFSprout$.
+\nuzero{From \NUZero onward, it is used to compute \sighashTxHashes.}
+\sapling{For \Sapling, it is also used to instantiate $\KDFSapling$ and
+$\PRGExpandSeed{}$, and in the $\EdJubjub$ \signatureScheme which
+instantiates $\SpendAuthorizationSig$.}
+
+\begin{formulae}
+ \item $\BlakeTwob{\ell} \typecolon \byteseq{16} \times \byteseqs \rightarrow \bitseq{\ell}$
+\end{formulae}
+
+\vspace{-3ex}
+\pnote{
+$\BlakeTwob{\ell}$ is not the same as $\BlakeTwob{512}$ truncated to
+$\ell$ bits, because the digest length is encoded in the parameter
+block.
+}
+
+\sapling{
+\vspace{3ex}
+$\BlakeTwos{\ell}(p, x)$ refers to unkeyed $\BlakeTwos{\ell}$
+in sequential mode, with an output digest length of $\ell/8$ bytes,
+$8$-byte personalization string $p$, and input $x$.
+
+$\BlakeTwosGeneric$ is used to instantiate $\PRFnr{}$, $\CRHivk$, and
+$\GroupJHash{}$.
+
+\begin{formulae}
+ \item $\BlakeTwos{\ell} \typecolon \byteseq{8} \times \byteseqs \rightarrow \bitseq{\ell}$
+\end{formulae}
+}
+
+
 \nsubsubsubsection{\MerkleTree{} \HashFunction} \label{merklecrh}
 
 $\MerkleCRH$ is used to hash \incrementalMerkleTree \merkleHashes.
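Review bot: The new definition of $\BlakeTwob{\ell}(p, x)$ never states which values of $\ell$ are admissible, even though the digest length is written as $\ell/8$ bytes and the signature in the formulae block fixes the output type as $\bitseq{\ell}$. BLAKE2b stores the digest length as a single byte of the parameter block and supports 1 to 64 bytes, BLAKE2s 1 to 32, so a clause such as `where $\ell$ is a multiple of $8$ with $8 \leq \ell \leq 512$` after "and input $x$." (and `$8 \leq \ell \leq 256$` in the \sapling block for $\BlakeTwos{\ell}$) would let a reader check that every instantiation cited below, including the Equihash one, is in range. The \pnote about $\BlakeTwob{\ell}$ not equalling truncated $\BlakeTwob{512}$ rests on that same parameter-block encoding and therefore applies to BLAKE2s as well; the \sapling block could add `The same caveat applies to $\BlakeTwos{\ell}$ and $\BlakeTwos{256}$.` so implementers do not assume truncation is harmless for the smaller variant.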
@@ -3595,12 +3641,7 @@ where
 \end{formulae}
 }
 
-$\BlakeTwob{256}(p, x)$ refers to unkeyed $\BlakeTwob{256}$
-\cite{ANWW2013} in sequential mode, with an output
-digest length of $32$ bytes, $16$-byte personalization string $p$,
-and input $x$. This is not the same as $\BlakeTwob{512}$ truncated to
-$256$ bits, because the digest length is encoded in the parameter
-block.
+$\BlakeTwob{256}(p, x)$ is defined in \crossref{concreteblake2}.
 
 \securityrequirement{
 $\BlakeTwob{256}(\ascii{ZcashComputehSig}, x)$ must be collision-resistant.
@@ -3772,12 +3813,7 @@ Let $\EquihashGen{n, k}(S, i) := T_{\barerange{h+1}{h+n}}$, where
 
 Indices of bits in $T$ are 1-based.
 
-$\BlakeTwob{\ell}(p, x)$ refers to unkeyed $\BlakeTwob{\ell}$
-\cite{ANWW2013} in sequential mode, with an output
-digest length of $\ell/8$ bytes, $16$-byte personalization string $p$,
-and input $x$. This is not the same as $\BlakeTwob{512}$ truncated to
-$\ell$ bits, because the digest length is encoded in the parameter
-block.
+$\BlakeTwob{\ell}(p, x)$ is defined in \crossref{concreteblake2}.
 
 \securityrequirement{
 $\BlakeTwob{\ell}(\powtag, x)$ must generate output that is sufficiently
@@ -4002,12 +4038,8 @@ where:
 \end{formulae}
 }
 
-$\BlakeTwob{256}(p, x)$ refers to unkeyed $\BlakeTwob{256}$
-\cite{ANWW2013} in sequential mode, with an output
-digest length of $32$ bytes, $16$-byte personalization string $p$,
-and input $x$. This is not the same as $\BlakeTwob{512}$ truncated to
-$256$ bits, because the digest length is encoded in the parameter
-block.
+$\BlakeTwob{256}(p, x)$ is defined in \crossref{concreteblake2}.
+
 \sapling{
 \nsubsubsubsection{\Sapling \KeyAgreement} \label{concretesaplingkeyagreement}
 
@@ -4509,6 +4541,8 @@ Let $\CRS$ be the $64$-byte \commonRandomString given by the $\SHAd$ hash of
 the first \block in the eventual consensus \Bitcoin \blockchain having
 timestamp at or after 2018-03-01 00:00:00 UTC.
 
+Let $\BlakeTwos{256}$ be as defined in \crossref{concreteblake2}.
+
 Let $D$ be an $8$-byte domain separator.
 Let $T$ be the hash input.
 