Clean up diversification.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
de01f6ed18
commit
cd930a18be
@ -3348,7 +3348,7 @@ is computed from its \noteCommitment $\cm$ and \notePosition $\NotePosition$
|
||||||
as follows:
|
as follows:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\NoteAddressRand := \MixingPedersenHash(\ascii{Zcashrho}, \cm, \NotePosition)$.
|
\item $\NoteAddressRand := \MixingPedersenHash(\cm, \NotePosition)$.
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
$\MixingPedersenHash$ is defined in \crossref{concretemixinghash}.
|
$\MixingPedersenHash$ is defined in \crossref{concretemixinghash}.
|
||||||
|
@ -3923,6 +3923,12 @@ $\MerkleCRHSapling \typecolon \MerkleLayerSapling \times \MerkleHashSapling \tim
|
||||||
\securityrequirement{
|
\securityrequirement{
|
||||||
$\PedersenHash$ must be collision-resistant.
|
$\PedersenHash$ must be collision-resistant.
|
||||||
}
|
}
|
||||||
|
|
||||||
|
\pnote{
|
||||||
|
The prefix $l$ provides domain separation between inputs at different layers of the
|
||||||
|
\noteCommitmentTree. It is distinct from the prefix used in $\NoteCommitSaplingAlg$
|
||||||
|
as noted in \crossref{concretewindowedcommit}.
|
||||||
|
}
|
||||||
} %sapling
|
} %sapling
|
||||||
|
|
||||||
|
|
||||||
|
@ -4172,20 +4178,20 @@ A mixing \xPedersenHash is used to compute $\NoteAddressRand$ from
|
||||||
$\cm$ and $\NotePosition$ in \crossref{commitmentsandnullifiers}. It takes as
|
$\cm$ and $\NotePosition$ in \crossref{commitmentsandnullifiers}. It takes as
|
||||||
input a \xPedersenCommitment $P$, and hashes it with another input $x$.
|
input a \xPedersenCommitment $P$, and hashes it with another input $x$.
|
||||||
|
|
||||||
We define $\MixingPedersenHash \typecolon \byteseq{8} \times \GroupJ \times \range{0}{\ParamJ{r}-1}
|
We define $\MixingPedersenHash \typecolon \GroupJ \times \range{0}{\ParamJ{r}-1}
|
||||||
\rightarrow \GroupJ$ by:
|
\rightarrow \GroupJ$ by:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\MixingPedersenHash(D, P, x) := P + \scalarmult{x}{\FindGroupJHashOf{D, \ascii{}}}$.
|
\item $\MixingPedersenHash(P, x) := P + \scalarmult{x}{\FindGroupJHashOf{\ascii{Zcashrho}, \ascii{x}}}$.
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
\securityrequirement{
|
\securityrequirement{
|
||||||
Fix $D_1, D_2 \typecolon \byteseq{8}$ with $D_1 \neq D_2$, and consider the function
|
The function
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\fun{(r, M, x) \typecolon \range{0}{\ParamJ{r}-1} \times \bitseq{\PosInt} \times
|
\item $\fun{(r, M, x) \typecolon \range{0}{\ParamJ{r}-1} \times \bitseq{\PosInt} \times
|
||||||
\range{0}{\ParamJ{r}-1}}{\MixingPedersenHash(D_2, x, \WindowedPedersenCommit{r}(D_1, M)) \typecolon \GroupJ}$.
|
\range{0}{\ParamJ{r}-1}}{\MixingPedersenHash(\WindowedPedersenCommit{r}(M), x) \typecolon \GroupJ}$.
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
This function must be collision-resistant on $(r, M, x)$.
|
must be collision-resistant on $(r, M, x)$.
|
||||||
}
|
}
|
||||||
|
|
||||||
See \crossref{cctmixinghash} for efficient circuit implementation of this function.
|
See \crossref{cctmixinghash} for efficient circuit implementation of this function.
|
||||||
|
@ -4695,8 +4701,8 @@ construction from \crossref{concretepedersenhash}, and adding a randomized point
|
||||||
on the \jubjubCurve (see \crossref{jubjub}):
|
on the \jubjubCurve (see \crossref{jubjub}):
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\WindowedPedersenCommit{r}(D, s) :=
|
\item $\WindowedPedersenCommit{r}(s) :=
|
||||||
\PedersenHashToPoint(D, s) + \scalarmult{r}{\FindGroupJHashOf{D, \ascii{}}}$.
|
\PedersenHashToPoint(\ascii{Zcash\_PH}, s) + \scalarmult{r}{\FindGroupJHashOf{\ascii{Zcash\_PH}, \ascii{r}}}$
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
See \crossref{cctwindowedcommit} for rationale and efficient circuit implementation
|
See \crossref{cctwindowedcommit} for rationale and efficient circuit implementation
|
||||||
|
@ -4707,18 +4713,26 @@ instantiated using $\WindowedPedersenCommitAlg$ as follows:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\NoteCommitSapling{\NoteCommitRand}(\Diversifier, \DiversifiedTransmitPublic, \Value) :=
|
\item $\NoteCommitSapling{\NoteCommitRand}(\Diversifier, \DiversifiedTransmitPublic, \Value) :=
|
||||||
\WindowedPedersenCommit{\NoteCommitRand}(\ascii{Zcash\_cm},
|
\WindowedPedersenCommit{\NoteCommitRand}(\ones{6} \bconcat \Diversifier \bconcat
|
||||||
\Diversifier \bconcat \DiversifiedTransmitPublic \bconcat \ItoLEBSP{64}(\Value))$.
|
\DiversifiedTransmitPublic \bconcat \ItoLEBSP{64}(\Value))$.
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
\begin{securityrequirements}
|
\begin{securityrequirements}
|
||||||
\item $\WindowedPedersenCommitAlg$ must be a computationally binding and at least
|
\item $\WindowedPedersenCommitAlg$ must be a computationally binding and at least
|
||||||
computationally hiding \commitmentScheme, for a given personalization input $D$.
|
computationally hiding \commitmentScheme.
|
||||||
\item $\NoteCommitSaplingAlg$ must be a computationally binding and at least
|
\item $\NoteCommitSaplingAlg$ must be a computationally binding and at least
|
||||||
computationally hiding \commitmentScheme.
|
computationally hiding \commitmentScheme.
|
||||||
\end{securityrequirements}
|
\end{securityrequirements}
|
||||||
|
|
||||||
(They are in fact unconditionally hiding \commitmentSchemes.)
|
(They are in fact unconditionally hiding \commitmentSchemes.)
|
||||||
|
|
||||||
|
\pnote{
|
||||||
|
The prefix $\ones{6}$ distinguishes the use of $\WindowedPedersenCommitAlg$ in
|
||||||
|
$\NoteCommitSaplingAlg$ from the layer prefix used in $\MerkleCRHSapling$ (see
|
||||||
|
\crossref{merklecrh}). The latter is a $6$-bit little-endian encoding of an integer
|
||||||
|
in $\range{0}{\MerkleDepthSapling-1}$, and so cannot collide with $\ones{6}$ because
|
||||||
|
$\MerkleDepthSapling < 64$.
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -4735,7 +4749,7 @@ In order to support this property, we also define \quotedterm{homomorphic}
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\HomomorphicPedersenCommit{\ValueCommitRand}(D, \Value) :=
|
\item $\HomomorphicPedersenCommit{\ValueCommitRand}(D, \Value) :=
|
||||||
\scalarmult{\Value}{\FindGroupJHashOf{D}, \ascii{v}} + \scalarmult{\ValueCommitRand}{\FindGroupJHashOf{D, \ascii{}}}$
|
\scalarmult{\Value}{\FindGroupJHashOf{D}, \ascii{v}} + \scalarmult{\ValueCommitRand}{\FindGroupJHashOf{D, \ascii{r}}}$
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
|
|
||||||
|
@ -8607,11 +8621,11 @@ $\cm$ and $\NotePosition$ in \crossref{commitmentsandnullifiers}. It takes as
|
||||||
input a \xPedersenCommitment $P$, and hashes it with another input $x$.
|
input a \xPedersenCommitment $P$, and hashes it with another input $x$.
|
||||||
|
|
||||||
\introlist
|
\introlist
|
||||||
We define $\MixingPedersenHash \typecolon \byteseq{8} \times \range{0}{\ParamJ{r}-1}
|
We define $\MixingPedersenHash \typecolon \range{0}{\ParamJ{r}-1}
|
||||||
\times \GroupJ \rightarrow \GroupJ$ by:
|
\times \GroupJ \rightarrow \GroupJ$ by:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\MixingPedersenHash(D, P, x) := P + \scalarmult{x}{\FindGroupJHashOf{D, \ascii{}}}$.
|
\item $\MixingPedersenHash(P, x) := P + \scalarmult{x}{\FindGroupJHashOf{\ascii{Zcashrho}, \ascii{x}}}$.
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
This costs \todo{...} for the scalar multiplication, and $6$ constraints for the
|
This costs \todo{...} for the scalar multiplication, and $6$ constraints for the
|
||||||
|
@ -8662,8 +8676,8 @@ We construct \windowedPedersenCommitments by reusing the Pedersen hash
|
||||||
implementation, and adding a randomized point:
|
implementation, and adding a randomized point:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\WindowedPedersenCommit{r}(D, s) =
|
\item $\WindowedPedersenCommit{r}(s) =
|
||||||
\PedersenHashToPoint(D, s) + \scalarmult{r}{\FindGroupJHashOf{D, \ascii{}}}$
|
\PedersenHashToPoint(\ascii{Zcash\_PH}, s) + \scalarmult{r}{\FindGroupJHashOf{\ascii{Zcash\_PH}, \ascii{r}}}$
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
\introlist
|
\introlist
|
||||||
|
@ -8690,7 +8704,7 @@ as follows:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\HomomorphicPedersenCommit{\ValueCommitRand}(D, \Value) =
|
\item $\HomomorphicPedersenCommit{\ValueCommitRand}(D, \Value) =
|
||||||
\scalarmult{\Value}{\FindGroupJHashOf{D, \ascii{v}}} + \scalarmult{\ValueCommitRand}{\FindGroupJHashOf{D, \ascii{}}}$
|
\scalarmult{\Value}{\FindGroupJHashOf{D, \ascii{v}}} + \scalarmult{\ValueCommitRand}{\FindGroupJHashOf{D, \ascii{r}}}$
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
In the case that we need for $\ValueCommit{}$, $\Value$ has $64$ bits
|
In the case that we need for $\ValueCommit{}$, $\Value$ has $64$ bits
|
||||||
|
|
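Review bot: The changed line at 4749 keeps the misplaced brace `\scalarmult{\Value}{\FindGroupJHashOf{D}, \ascii{v}}`, which leaves `\ascii{v}` outside the hash argument, whereas the circuit-section definition at 8704 reads `\FindGroupJHashOf{D, \ascii{v}}`; the normative definition should match it, `\scalarmult{\Value}{\FindGroupJHashOf{D, \ascii{v}}} + \scalarmult{\ValueCommitRand}{\FindGroupJHashOf{D, \ascii{r}}}$`. The updated signature at 8621, `\range{0}{\ParamJ{r}-1} \times \GroupJ \rightarrow \GroupJ`, is in the opposite argument order to both `\MixingPedersenHash(P, x)` on the formula line that follows it and the `\GroupJ \times \range{0}{\ParamJ{r}-1} \rightarrow \GroupJ` signature at 4178, so one of the two should be reordered. Now that the security requirement at 4178 no longer states the $D_1 \neq D_2$ condition the old text fixed explicitly, it would help to record in that \securityrequirement (or an adjacent \pnote) that collision resistance of $(r, M, x) \mapsto \MixingPedersenHash(\WindowedPedersenCommit{r}(M), x)$ presumably depends on the personalizations $(\ascii{Zcashrho}, \ascii{x})$ and $(\ascii{Zcash\_PH}, \ascii{r})$ being distinct from each other and from those used for the $\PedersenHash$ generators, since the distinctness is now implicit in the constants rather than a stated hypothesis. The rewritten formula at 4701 also drops the terminating period that the old line had, while the parallel formula at 8676 never had one; the two should be made consistent.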