mirror of https://github.com/zcash/zips.git
Fix an off-by-one error in the specification of the Equihash algorithm binding condition.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent 215aca1c15
commit c4d9a90ea9
@ -3298,6 +3298,7 @@ A \block satisfies the Proof of Work if and only if:
\end{itemize}
\introsection
\nsubsubsection{Equihash} \label{equihash}
An instance of the Equihash algorithm is parameterized by positive integers $n$ and $k$,
@ -3346,16 +3347,21 @@ $\vxor{j=1}{2^k} X_{i_j} = 0$.
\subparagraph{Algorithm Binding conditions}
\introlist
For all $r \in \range{1}{k\!-\!1}$, for all $w \in \range{0}{2^{k-r}\!-\!1}$:
\begin{itemize}
\item $\vxor{j=1}{2^r} X_{i_{w \mult 2^r + j}}$ has $\frac{n \mult r}{k+1}$ leading zeroes; and
\item $i_{w \mult 2^r + 1 .. w \mult 2^r + 2^{r-1}} < i_{w \mult 2^r + 2^{r-1} + 1 .. w \mult 2^r + 2^r}$ lexicographically.
\item For all $r \in \range{1}{k\!-\!1}$, for all $w \in \range{0}{2^{k-r}\!-\!1}:
\vxor{j=1}{2^r} X_{i_{w \mult 2^r + j}}$ has $\frac{n \mult r}{k+1}$ leading zeroes; and
\item For all $r \in \range{1}{k}$, for all $w \in \range{0}{2^{k-r}\!-\!1}:
i_{w \mult 2^r + 1 .. w \mult 2^r + 2^{r-1}} <
i_{w \mult 2^r + 2^{r-1} + 1 .. w \mult 2^r + 2^r}$ lexicographically.
\end{itemize}
\pnote{
This does not include a difficulty condition, because here we are defining validity
of an Equihash solution independent of difficulty.
}
\begin{pnotes}
\item This does not include a difficulty condition, because here we are
defining validity of an Equihash solution independent of difficulty.
\item Previous versions of this specification incorrectly specified the
range of $r$ to be $\range{1}{k\!-\!1}$ for both parts of the algorithm
binding condition. The implementation in \zcashd was as intended.
\end{pnotes}
\introlist
An Equihash solution with $n = 200$ and $k = 9$ is encoded in the $\solution$
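Review bot: the substantive change is the range on the second item, which now runs over $r \in \range{1}{k}$ while the leading-zeroes item keeps $r \in \range{1}{k\!-\!1}$. At $r = k$ the only $w$ is $0$, so the added case is `i_{1 .. 2^{k-1}} < i_{2^{k-1} + 1 .. 2^k}`, the ordering of the two halves of the whole solution. Under the old text that top-level ordering was not required, so a verifier written from the old specification accepts both orderings of the halves of a solution while \zcashd (which the new note says was as intended) accepts only one; that is a consensus-relevant divergence between spec and implementation, and the fix is correct. Keeping $\range{1}{k\!-\!1}$ on the first item is also right, since its $r = k$ instance is implied by the full collision condition $\vxor{j=1}{2^k} X_{i_j} = 0$ in this hunk's context. Two typesetting points: in each new item the `$` opened before `w` is closed only on the following line, so the trailing `:` is set in math mode with relation spacing; close the `$` before the colon or use `\colon`. And the second \pnotes item says "Previous versions of this specification" without naming the last affected version, which would make the note easier to act on.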
@ -3944,9 +3950,10 @@ to 254 bits in the input to $\PRFsn{}$ (which corresponds to $\PRFnf{}$ in \Zcas
Also, $\hSig$ is truncated from 256 to 253 bits in the input to $\PRFpk{}$.
These truncations are not taken into account in the security proofs.
\introlist
Both truncations affect the validity of the proof sketch for Lemma D.2 in
the proof of Ledger Indistinguishability in \cite[Appendix D]{BCG+2014}.
\introlist
In more detail:
\begin{itemize}
@ -4186,6 +4193,8 @@ The errors in the proof of Ledger Indistinguishability mentioned in
\subparagraph{2017.0-beta-2.7}
\begin{itemize}
\item Fix an off-by-one error in the specification of the Equihash algorithm
binding condition. (The implementation in \zcashd was as intended.)
\item Correct the types and consensus rules for \transactionVersionNumbers
and \blockVersionNumbers. (Again, the implementation in \zcashd was as
intended.)
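Review bot: the new change-log item is too vague for implementers to act on: it records that an off-by-one error was fixed but not where, so a reader of the change log cannot tell whether their verifier is affected without diffing the two versions. State the concrete change (the ordering part of the algorithm binding condition now ranges over $r \in \range{1}{k}$ rather than $\range{1}{k\!-\!1}$, i.e. the two halves of the whole solution must also be ordered) and point at the Equihash section (\label{equihash}) where the note lives. The parenthetical about \zcashd is worth keeping, since it tells readers which behaviour is consensus.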