ZIP 32: disambiguate ToScalar and DiversifyHash for Sapling vs Orchard.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-12-31 15:25:04 +00:00 · 2021-12-31 15:25:04 +00:00 · d2b0f2d861
parent 82c59282fe
commit d2b0f2d861
1 changed files with 17 additions and 13 deletions
--- a/zip-0032.rst
+++ b/zip-0032.rst
@ -106,9 +106,13 @@ Most of the notation and functions used in this ZIP are defined in the Zcash pro

 - :math:`r_\mathbb{J}` is the order of the Jubjub large prime subgroup.

- :math:`\mathsf{ToScalar}(x) :=`:math:`\mathsf{LEOS2IP}_{512}(x) \pmod{r_\mathbb{J}}`.
+- :math:`r_\mathbb{P}` is the order of the Pallas curve.

- :math:`\mathsf{DiversifyHash}(d)` maps a diversifier :math:`d` to a base point on the Jubjub elliptic
+- :math:`\mathsf{ToScalar^{Sapling}}(x) :=`:math:`\mathsf{LEOS2IP}_{512}(x) \pmod{r_\mathbb{J}}`.
+
+- :math:`\mathsf{ToScalar^{Orchard}}(x) :=`:math:`\mathsf{LEOS2IP}_{512}(x) \pmod{r_\mathbb{P}}`.
+
+- :math:`\mathsf{DiversifyHash^{Sapling}}(d)` maps a diversifier :math:`d` to a base point on the Jubjub elliptic
  curve, or to :math:`\bot` if the diversifier is invalid. It is instantiated in [#protocol-concretediversifyhash]_.

 The following algorithm standardized in [#NIST-SP-800-38G]_ is used:
@ -182,8 +186,8 @@ Let :math:`S` be a seed byte sequence of a chosen length, which MUST be at least
 - Calculate :math:`\mathsf{ask}_m`, :math:`\mathsf{nsk}_m`, and :math:`\mathsf{ovk}_m` via the standard
  Sapling derivation [#protocol-saplingkeycomponents]_:

-  - :math:`\mathsf{ask}_m = \mathsf{ToScalar}(\mathsf{PRF^{expand}}(\mathsf{sk}_m, [\texttt{0x00}]))`
-  - :math:`\mathsf{nsk}_m = \mathsf{ToScalar}(\mathsf{PRF^{expand}}(\mathsf{sk}_m, [\texttt{0x01}]))`
+  - :math:`\mathsf{ask}_m = \mathsf{ToScalar^{Sapling}}(\mathsf{PRF^{expand}}(\mathsf{sk}_m, [\texttt{0x00}]))`
+  - :math:`\mathsf{nsk}_m = \mathsf{ToScalar^{Sapling}}(\mathsf{PRF^{expand}}(\mathsf{sk}_m, [\texttt{0x01}]))`
  - :math:`\mathsf{ovk}_m = \mathsf{truncate}_{32}(\mathsf{PRF^{expand}}(\mathsf{sk}_m, [\texttt{0x02}]))`.

 - Calculate :math:`\mathsf{dk}_m` similarly:
@ -214,8 +218,8 @@ Deriving a child extended spending key
    :math:`(\mathsf{ask}_{par}, \mathsf{nsk}_{par}, \mathsf{ovk}_{par})` as described in [#protocol-saplingkeycomponents]_.

 - Split :math:`I` into two 32-byte sequences, :math:`I_L` and :math:`I_R`.
- Let :math:`I_\mathsf{ask} = \mathsf{ToScalar}(\mathsf{PRF^{expand}}(I_L, [\texttt{0x13}]))`.
- Let :math:`I_\mathsf{nsk} = \mathsf{ToScalar}(\mathsf{PRF^{expand}}(I_L, [\texttt{0x14}]))`.
+- Let :math:`I_\mathsf{ask} = \mathsf{ToScalar^{Sapling}}(\mathsf{PRF^{expand}}(I_L, [\texttt{0x13}]))`.
+- Let :math:`I_\mathsf{nsk} = \mathsf{ToScalar^{Sapling}}(\mathsf{PRF^{expand}}(I_L, [\texttt{0x14}]))`.
 - Return:

  - :math:`\mathsf{ask}_i = (I_\mathsf{ask} + \mathsf{ask}_{par}) \pmod{r_\mathbb{J}}`
@ -227,8 +231,8 @@ Deriving a child extended spending key
 Deriving a child extended full viewing key
 ``````````````````````````````````````````

-Let :math:`\mathcal{G}` be as defined in [#protocol-concretespendauthsig]_ and let :math:`\mathcal{H}` be as defined
-in [#protocol-saplingkeycomponents]_.
+Let :math:`\mathcal{G}^\mathsf{Sapling}` be as defined in [#protocol-concretespendauthsig]_ and
+let :math:`\mathcal{H}^\mathsf{Sapling}` be as defined in [#protocol-saplingkeycomponents]_.

 :math:`\mathsf{CDKfvk}((\mathsf{ak}_{par}, \mathsf{nk}_{par}, \mathsf{ovk}_{par}, \mathsf{dk}_{par}, \mathsf{c}_{par}), i)`:math:`\rightarrow (\mathsf{ak}_{i}, \mathsf{nk}_{i}, \mathsf{ovk}_{i}, \mathsf{dk}_{i}, \mathsf{c}_{i})`

@ -239,12 +243,12 @@ in [#protocol-saplingkeycomponents]_.
    :math:`I = \mathsf{PRF^{expand}}(\mathsf{c}_{par}, [\texttt{0x12}]`:math:`||\,\mathsf{EncodeExtFVKParts}(\mathsf{ak}_{par}, \mathsf{nk}_{par}, \mathsf{ovk}_{par}, \mathsf{dk}_{par})`:math:`||\,\mathsf{I2LEOSP}_{32}(i))`.

 - Split :math:`I` into two 32-byte sequences, :math:`I_L` and :math:`I_R`.
- Let :math:`I_\mathsf{ask} = \mathsf{ToScalar}(\mathsf{PRF^{expand}}(I_L, [\texttt{0x13}]))`.
- Let :math:`I_\mathsf{nsk} = \mathsf{ToScalar}(\mathsf{PRF^{expand}}(I_L, [\texttt{0x14}]))`.
+- Let :math:`I_\mathsf{ask} = \mathsf{ToScalar^{Sapling}}(\mathsf{PRF^{expand}}(I_L, [\texttt{0x13}]))`.
+- Let :math:`I_\mathsf{nsk} = \mathsf{ToScalar^{Sapling}}(\mathsf{PRF^{expand}}(I_L, [\texttt{0x14}]))`.
 - Return:

-  - :math:`\mathsf{ak}_i  = [I_\mathsf{ask}]\,\mathcal{G} + \mathsf{ak}_{par}`
-  - :math:`\mathsf{nk}_i  = [I_\mathsf{nsk}]\,\mathcal{H} + \mathsf{nk}_{par}`
+  - :math:`\mathsf{ak}_i  = [I_\mathsf{ask}]\,\mathcal{G}^\mathsf{Sapling} + \mathsf{ak}_{par}`
+  - :math:`\mathsf{nk}_i  = [I_\mathsf{nsk}]\,\mathcal{H}^\mathsf{Sapling} + \mathsf{nk}_{par}`
  - :math:`\mathsf{ovk}_i = \mathsf{truncate}_{32}(\mathsf{PRF^{expand}}(I_L, [\texttt{0x15}]`:math:`||\,\mathsf{ovk}_{par}))`
  - :math:`\mathsf{dk}_i  = \mathsf{truncate}_{32}(\mathsf{PRF^{expand}}(I_L, [\texttt{0x16}]`:math:`||\,\mathsf{dk}_{par}))`
  - :math:`\mathsf{c}_i   = I_R`.
@ -261,7 +265,7 @@ use FF1-AES256 as a Pseudo-Random Permutation as follows:
 - Let :math:`j` be the index of the desired diversifier, in the range :math:`0\,.\!. 2^{88} - 1`.
 - :math:`d_j = \mathsf{FF1}\text{-}\mathsf{AES256.Encrypt}(\mathsf{dk}, \texttt{“”}, \mathsf{I2LEBSP}_{88}(j))`.

-A valid diversifier :math:`d_j` is one for which :math:`\mathsf{DiversifyHash}(d_j) \neq \bot`.
+A valid diversifier :math:`d_j` is one for which :math:`\mathsf{DiversifyHash^{Sapling}}(d_j) \neq \bot`.
 For a given :math:`\mathsf{dk}`, approximately half of the possible values of :math:`j` yield valid
 diversifiers.