More references and corrected description of Groth16.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent
0b626b087a
commit
c57d51d7a0
|
@ -7532,7 +7532,7 @@ the \Zcash protocol \SHOULD discontinue use of $\BCTV$ as soon as possible.
|
|||
The vulnerability does not affect the Zero Knowledge property of the scheme (as
|
||||
described in any version of \cite{BCTV2014a} or as implemented in any version of
|
||||
\libsnark that has been used in \Zcash), even under subversion of the parameter
|
||||
generation \cite[Theorem 4.10]{BGG2016}.
|
||||
generation \cite[Theorem 4.10]{BGG2017}.
|
||||
}
|
||||
|
||||
\introlist
|
||||
|
@ -7592,9 +7592,11 @@ verifier \MUST check, for the encoding of each element, that:
|
|||
\subsubsubsection{\GrothProvingSystem} \label{groth}
|
||||
|
||||
After \Sapling activation, \Zcash uses \zkSNARKs with the \provingSystem described in
|
||||
\cite{Groth2016}. These are used in \transactionVersion 4 and later (\crossref{txnencoding})
|
||||
for proofs both in \Sprout \joinSplitDescriptions, and in \Sapling \spendDescriptions and
|
||||
\outputDescriptions. They are generated by the \bellman library \cite{Bowe-bellman}.
|
||||
\cite{BGM2017}, which is a modification of the system in \cite{Groth2016}. An independent
|
||||
security proof of this system is given in \cite{Maller2018}. These \zkSNARKs are used in
|
||||
\transactionVersion 4 and later (\crossref{txnencoding}) for proofs both in \Sprout
|
||||
\joinSplitDescriptions, and in \Sapling \spendDescriptions and \outputDescriptions.
|
||||
They are generated by the \bellman library \cite{Bowe-bellman}.
|
||||
|
||||
A $\Groth$ proof consists of
|
||||
$(\Proof{A} \typecolon \SubgroupSstar{1},\,
|
||||
|
@ -8133,7 +8135,7 @@ For the \Zcash production \blockchain and testnet, the $\SHAFull$ hashes of the
|
|||
\end{lines}
|
||||
|
||||
These parameters were obtained by a multi-party computation described in
|
||||
\cite{BGG-mpc} and \cite{BGG2016}. \sapling{They are used only before \Sapling
|
||||
\cite{BGG-mpc} and \cite{BGG2017}. \sapling{They are used only before \Sapling
|
||||
activation.} Due to the security vulnerability described in \crossref{bctv}, it is
|
||||
not recommended to use these parameters in new protocols, and it is recommended to
|
||||
stop using them in protocols other than \Zcash where they are currently used.
|
||||
|
@ -8157,7 +8159,7 @@ the \Sprout \joinSplitCircuit used after \Sapling activation, are respectively:
|
|||
\texttt{d5054e371842b3f88fa1b9d7e8e075249b3ebabd167fa8b0f3161292d36c180a sprout-groth16.params}
|
||||
\end{lines}
|
||||
|
||||
These parameters were obtained by a multi-party computation described in \cite{BGM2018}.
|
||||
These parameters were obtained by a multi-party computation described in \cite{BGM2017}.
|
||||
} %sapling
|
||||
|
||||
|
||||
|
@ -9822,6 +9824,20 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\section{Change History}
|
||||
|
||||
|
||||
\subparagraph{2019.0-beta-37}
|
||||
2019-02-10
|
||||
|
||||
\begin{itemize}
|
||||
\item Update reference \cite{BGG2017} (previously [BGG2016]).
|
||||
\sapling{
|
||||
\item Explain the differences between the system in \cite{Groth2016} and what
|
||||
we refer to as $\Groth$.
|
||||
\item Reference Mary Maller's security proof for $\Groth$ \cite{Maller2018}.
|
||||
\item Correct [BGM2018] to \cite{BGM2017}.
|
||||
}
|
||||
\end{itemize}
|
||||
|
||||
\introlist
|
||||
\subparagraph{2019.0-beta-36}
|
||||
2019-02-09
|
||||
|
||||
|
@ -9935,7 +9951,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
based on reduction to \keyPrivacy of ElGamal encryption, for which a security proof
|
||||
is given in \cite{BBDP2001}. (This argument has gaps which will be addressed in a future
|
||||
version.)
|
||||
\item Add a reference to \cite{BGM2018} for the \Sapling \zkSNARK parameters.
|
||||
\item Add a reference to \cite{BGM2017} for the \Sapling \zkSNARK parameters.
|
||||
\item Write \crossref{cctsaplingspend} (draft).
|
||||
\item Add a reference to the ristretto\_bulletproofs design notes
|
||||
\cite{Dalek-notes} for the synthetic blinding factor technique.
|
||||
|
@ -10603,7 +10619,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\item Give definitions of computational binding and computational hiding
|
||||
for commitment schemes.
|
||||
\item Give a definition of statistical zero knowledge.
|
||||
\item Reference the white paper on MPC parameter generation \cite{BGG2016}.
|
||||
\item Reference the white paper on MPC parameter generation \cite{BGG2017}.
|
||||
\end{itemize}
|
||||
|
||||
\introlist
|
||||
|
|
|
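Review bot: The new sentence `An independent security proof of this system is given in \cite{Maller2018}.` in the \GrothProvingSystem hunk does not say under which assumption the proof holds, while the cited title (in the bibliography change of this same commit) states it is in the generic group model; a reader judging the strength of the claim should not have to follow the reference to learn that. Suggest `An independent security proof of this system, in the generic group model, is given in \cite{Maller2018}.` The enclosing \subsubsubsection continues past the end of the hunk.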
@ -147,6 +147,15 @@ Vol.~56, pages 455--461; IEEE, 2009.}
|
|||
Last revised May~31, 2016.}
|
||||
}
|
||||
|
||||
@misc{Maller2018,
|
||||
presort={Maller2018},
|
||||
author={Mary Maller},
|
||||
title={A {P}roof of {S}ecurity for the {S}apling {G}eneration of zk-{SNARK} {P}arameters in the {G}eneric {G}roup {M}odel},
|
||||
date={2018-11-16},
|
||||
url={https://github.com/zcash/sapling-security-analysis/blob/master/MaryMallerUpdated.pdf},
|
||||
urldate={2018-02-10}
|
||||
}
|
||||
|
||||
% Capitalized De/Di is correct <https://www.thoughtco.com/italian-capitalization-rules-2011478>
|
||||
@inproceedings{DSDCOPS2001,
|
||||
presort={DSDCOPS2001},
|
||||
|
@ -175,17 +184,18 @@ Proceedings of the 21st Annual International Cryptology Conference
|
|||
urldate={2017-07-16}
|
||||
}
|
||||
|
||||
@misc{BGG2016,
|
||||
presort={BGG2016},
|
||||
@misc{BGG2017,
|
||||
presort={BGG2017},
|
||||
author={Sean Bowe and Ariel Gabizon and Matthew Green},
|
||||
title={A multi-party protocol for constructing the public parameters of the {P}inocchio zk-{SNARK}},
|
||||
date={2016-11-24},
|
||||
url={https://github.com/zcash/mpc/blob/master/whitepaper.pdf},
|
||||
urldate={2017-02-11}
|
||||
url={https://eprint.iacr.org/2017/602},
|
||||
urldate={2019-02-10},
|
||||
howpublished={Cryptology ePrint Archive: Report 2017/602.
|
||||
Last revised June~25, 2017.}
|
||||
}
|
||||
|
||||
@misc{BGM2018,
|
||||
presort={BGM2018},
|
||||
@misc{BGM2017,
|
||||
presort={BGM2017},
|
||||
author={Sean Bowe and Ariel Gabizon and Ian Miers},
|
||||
title={Scalable {M}ulti-party {C}omputation for zk-{SNARK} {P}arameters in the {R}andom {B}eacon {M}odel},
|
||||
url={https://eprint.iacr.org/2017/1050},
|
||||
|
|
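Review bot: In the new Maller2018 entry, `urldate={2018-02-10}` predates the entry's own `date={2018-11-16}`, so the access date cannot be correct; the BGG2017 entry updated in the same commit uses `urldate={2019-02-10}`, which matches the commit date and is presumably what was intended here too. Separately, the entry's `url` points at `blob/master` of the sapling-security-analysis repository, so the cited security proof can change after this reference is published; linking to a specific revision, e.g. `url={https://github.com/zcash/sapling-security-analysis/blob/<commit-id>/MaryMallerUpdated.pdf}` with a placeholder commit id to be filled in, or to an archived copy, would make the citation reproducible. Both lines are in the first hunk of this file.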