From cb1e6638362c464f6ad8c202cc9ab26db9976ad1 Mon Sep 17 00:00:00 2001 From: Ariel Date: Thu, 20 Sep 2018 12:11:13 +0300 Subject: [PATCH] Improve explanation of diversifier sequence choice --- zip-0032.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/zip-0032.rst b/zip-0032.rst index 1c860ceb..272742f0 100644 --- a/zip-0032.rst +++ b/zip-0032.rst @@ -228,8 +228,8 @@ CDKfvk((*ak*\ :sub:`par`\ , *nk*\ :sub:`par`\ , *ovk*\ :sub:`par`\ , *dk*\ :sub: Diversifier derivation ---------------------- -The 88-bit diversifiers for a Sapling extended key are derived from its diversifier key *dk*. -In order to reach the maximum possible diversifier range without running into the birthday bound, we use +The 88-bit diversifiers for a Sapling extended key are derived from its diversifier key *dk*. To prevent the diversifier leaking how many diversified addresses have already been generated for an account; we make the sequence of diversifiers pseudorandom and uncorrelated to that of any other account. +In order to reach the maximum possible diversifier range without running into repetitions due to the birthday bound, we use FF1-AES256 as a Pseudo-Random Permutation as follows: - Let *j* be the index of the desired diversifier, in the range 0 .. 2\ :sup:`88`\ -1.
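Review bot: The added sentence in the first `+` line has a stray semicolon where the subordinate clause ends; "for an account; we make the sequence" should read "for an account, we make the sequence". The same line also grows to well over the width of the surrounding reStructuredText, so consider breaking it after "diversifier key *dk*." so the new motivation sentence sits on its own line. On substance, the rationale is a good addition, but it would be worth stating explicitly that the pseudorandomness and unlinkability of the sequence rest on *dk* staying confidential, since the diversifiers are a keyed permutation (FF1-AES256 under *dk*) of the index *j*; a reader who learns *dk* can recover *j* from any diversifier. The rewording "repetitions due to the birthday bound" in the second `+` line is clearer than the original and reads fine.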