Make the public key prefix part of the input to the hash function in RedDSA, not part of the message.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2018-05-22 21:53:19 +01:00
parent 0517e2dc3a
commit df02fcf9ac
1 changed file with 13 additions and 29 deletions


@ -1394,6 +1394,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ZKVerifyingKey}{\mathsf{ZK.VerifyingKey}} \newcommand{\ZKVerifyingKey}{\mathsf{ZK.VerifyingKey}}
\newcommand{\pk}{\mathsf{pk}} \newcommand{\pk}{\mathsf{pk}}
\newcommand{\vk}{\mathsf{vk}} \newcommand{\vk}{\mathsf{vk}}
\newcommand{\vkBytes}{\bytes{\vk}}
\newcommand{\ZKGen}{\mathsf{ZK.Gen}} \newcommand{\ZKGen}{\mathsf{ZK.Gen}}
\newcommand{\ZKProof}{\mathsf{ZK.Proof}} \newcommand{\ZKProof}{\mathsf{ZK.Proof}}
\newcommand{\ZKPrimary}{\mathsf{ZK.PrimaryInput}} \newcommand{\ZKPrimary}{\mathsf{ZK.PrimaryInput}}
@ -3736,9 +3737,9 @@ where
\item The proof $\Proof{\Spend}$ \MUST be valid given a \primaryInput formed \item The proof $\Proof{\Spend}$ \MUST be valid given a \primaryInput formed
from the other fields except $\spendAuthSig$. from the other fields except $\spendAuthSig$.
I.e.\ it must be the case that $\SpendVerify{}((\cv, \rt, \nf, \AuthSignRandomizedPublic), \Proof{\Spend}) = 1$. I.e.\ it must be the case that $\SpendVerify{}((\cv, \rt, \nf, \AuthSignRandomizedPublic), \Proof{\Spend}) = 1$.
\item The \spendAuthSignature{} \MUST be a valid $\SpendAuthSig$ signature over $\dataToBeSigned$ \item The \spendAuthSignature{} \MUST be a valid $\SpendAuthSig$ signature over $\SigHash$
using $\AuthSignRandomizedPublic$ as the public key. using $\AuthSignRandomizedPublic$ as the public key.
I.e.\ it must be the case that $\SpendAuthSigVerify{\AuthSignRandomizedPublic}(\spendAuthSig) = 1$. I.e.\ it must be the case that $\SpendAuthSigVerify{\AuthSignRandomizedPublic}(\SigHash, \spendAuthSig) = 1$.
\end{consensusrules} \end{consensusrules}
} %sapling } %sapling
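Review bot: with this hunk the spend auth signature is over the bare $\SigHash$, and the hunk at 4212 makes the binding signature over the same $\SigHash$, so the only thing that now separates a spend auth signature from a binding signature, and one spend description's signature from another's in the same transaction, is the verification key that the new $\RedDSA$ hash input commits to. It would help to say that explicitly next to this consensus rule, since the previous text made the key prefix visible in $\dataToBeSigned$ and a reader will otherwise wonder where the domain separation went.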
@ -4111,15 +4112,6 @@ according to client implementation.
} }
\newsavebox{\bindingsigmsgbox}
\begin{lrbox}{\bindingsigmsgbox}
\setsapling
\begin{bytefield}[bitwidth=0.05em]{512}
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJOf{\BindingPublic}\kern 0.05em}$}
\sbitbox{256}{$\LEBStoOSPOf{256}{\SigHash}$} &
\end{bytefield}
\end{lrbox}
\sapling{ \sapling{
\introsection \introsection
\subsection{Balance and \BindingSignature{} (\Sapling)} \label{saplingbalance} \label{bindingsig} \subsection{Balance and \BindingSignature{} (\Sapling)} \label{saplingbalance} \label{bindingsig}
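Review bot: dropping the `\bindingsigmsgbox` savebox is fine only if no other `\Justthebox{\bindingsigmsgbox}` reference survives; the one use visible in this diff is removed at 4212, but a leftover reference elsewhere would break the build, so it is worth a grep before merging.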
@ -4212,9 +4204,7 @@ In order to check for implementation faults, the signer \SHOULD also check that
\vspace{1ex} \vspace{1ex}
Let $\SigHash$ be the \sighashTxHash as defined in \cite{ZIP-243}, using $\SIGHASHALL$. Let $\SigHash$ be the \sighashTxHash as defined in \cite{ZIP-243}, using $\SIGHASHALL$.
Let $\dataToBeSigned := \Justthebox{\bindingsigmsgbox}$. A validator checks balance by verifying that $\BindingSigVerify{\BindingPublic}(\SigHash, \bindingSig) = 1$.
A validator checks balance by verifying that $\BindingSigVerify{\BindingPublic}(\dataToBeSigned) = 1$.
We now explain why this works. We now explain why this works.
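Review bot: the removed box wrapped the hash as $\LEBStoOSPOf{256}{\SigHash}$, i.e. treated $\SigHash$ as a bit sequence, while the new rule passes $\SigHash$ directly as the message argument of $\BindingSigVerify$. Confirm that $\SigHash$ as taken from \cite{ZIP-243} is already a byte sequence of the type $M$ expects in $\RedDSASign{}$ and $\RedDSAVerify{}$; if it is a bit sequence the conversion has to stay, e.g. `$\BindingSigVerify{\BindingPublic}(\LEBStoOSPOf{256}{\SigHash}, \bindingSig) = 1$`.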
@ -4269,7 +4259,7 @@ Thus checking the \bindingSignature ensures that the \transaction balances, with
the individual values of the \spendDescriptions and \outputDescriptions being revealed. the individual values of the \spendDescriptions and \outputDescriptions being revealed.
In addition this proves that the signer, knowing the $\biggrpplus$\kern-0.015em-sum of the \valueCommitment In addition this proves that the signer, knowing the $\biggrpplus$\kern-0.015em-sum of the \valueCommitment
randomnesses, authorized a \transaction with the given \sighashTxHash by signing $\dataToBeSigned$. randomnesses, authorized a \transaction with the given \sighashTxHash by signing $\SigHash$.
\vspace{-1ex} \vspace{-1ex}
\pnote{ \pnote{
@ -4287,15 +4277,6 @@ The technique of checking signatures using a public key derived from a sum of
} %sapling } %sapling
\newsavebox{\spendauthsigmsgbox}
\begin{lrbox}{\spendauthsigmsgbox}
\setsapling
\begin{bytefield}[bitwidth=0.05em]{512}
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJOf{\AuthSignRandomizedPublic}\kern 0.05em}$}
\sbitbox{256}{$\LEBStoOSPOf{256}{\SigHash}$} &
\end{bytefield}
\end{lrbox}
\sapling{ \sapling{
\subsection{\SpendAuthSignature} \label{spendauthsig} \subsection{\SpendAuthSignature} \label{spendauthsig}
@ -4333,8 +4314,7 @@ For each \spendDescription, the signer uses a fresh \spendAuthRandomizer $\AuthS
\item Generate a proof $\ProofSpend$ of the \spendStatement (\crossref{spendstatement}), \item Generate a proof $\ProofSpend$ of the \spendStatement (\crossref{spendstatement}),
with $\AuthSignRandomizer$ in the \auxiliaryInput and $\AuthSignRandomizedPublic$ with $\AuthSignRandomizer$ in the \auxiliaryInput and $\AuthSignRandomizedPublic$
in the \primaryInput. in the \primaryInput.
\item Let $\dataToBeSigned = \Justthebox{\spendauthsigmsgbox}$. \item Let $\spendAuthSig = \SpendAuthSigSign{\AuthSignRandomizedPrivate}(\SigHash)$.
\item Let $\spendAuthSig = \SpendAuthSigSign{\AuthSignRandomizedPrivate}(\dataToBeSigned)$.
\end{enumerate} \end{enumerate}
The $\spendAuthSig$ and $\ProofSpend$ are included in the \spendDescription. The $\spendAuthSig$ and $\ProofSpend$ are included in the \spendDescription.
@ -6124,7 +6104,8 @@ Define $\RedDSASign{} \typecolon (\sk \typecolon \RedDSAPrivate) \times (M \type
\item Let $r = \RedDSAHashToScalar(T \bconcat M)$. \item Let $r = \RedDSAHashToScalar(T \bconcat M)$.
\item Let $\RedDSASigR = \scalarmult{r}{\GenG{}}$. \item Let $\RedDSASigR = \scalarmult{r}{\GenG{}}$.
\item Let $\RedDSAReprR = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\RedDSASigR}\hairspace}$. \item Let $\RedDSAReprR = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\RedDSASigR}\hairspace}$.
\item Let $\RedDSASigS = (r + \RedDSAHashToScalar(\RedDSAReprR \bconcat M) \mult \sk) \bmod \ParamG{r}$. \item Let $\vkBytes = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\RedDSADerivePublic(\sk)}}$.
\item Let $\RedDSASigS = (r + \RedDSAHashToScalar(\RedDSAReprR \bconcat \vkBytes \bconcat M) \mult \sk) \bmod \ParamG{r}$.
\item Let $\RedDSAReprS = \LEBStoOSPOf{\bitlength(\ParamG{r})}{\ItoLEBSPOf{\bitlength(\ParamG{r})}{\RedDSASigS}}$. \item Let $\RedDSAReprS = \LEBStoOSPOf{\bitlength(\ParamG{r})}{\ItoLEBSPOf{\bitlength(\ParamG{r})}{\RedDSASigS}}$.
\item Return $\RedDSAReprR \bconcat \RedDSAReprS$. \item Return $\RedDSAReprR \bconcat \RedDSAReprS$.
\end{formulae} \end{formulae}
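Review bot: the new hash input $\RedDSAReprR \bconcat \vkBytes \bconcat M$ puts the key between $R$ and the message, which is the usual key-prefixed Schnorr layout, and the nonce derivation $r = \RedDSAHashToScalar(T \bconcat M)$ is correctly left without the key. Two points on the new $\vkBytes$ line: the encoding `\LEBStoOSPOf{\ellG{}}{\reprGOf{}{\RedDSADerivePublic(\sk)}}` is exactly what the verifier must reproduce from $\vk$ alone, so the text should state that it equals $\LEBStoOSPOf{\ellG{}}{\reprGOf{}{\vk}}$; and for consistency with the $\RedDSAReprR$ line directly above it is missing the `\hairspace` before the closing braces.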
@ -6137,7 +6118,8 @@ Define $\RedDSAVerify{} \typecolon (\vk \typecolon \RedDSAPublic) \times (M \typ
let $\RedDSAReprS$ be the remaining $\ceiling{\bitlength(\ParamG{r})/8}$ bytes. let $\RedDSAReprS$ be the remaining $\ceiling{\bitlength(\ParamG{r})/8}$ bytes.
\item Let $\RedDSASigR = \abstG{}\big(\LEOStoBSPOf{\ellG{}}{\RedDSAReprR}\!\big)$, and \item Let $\RedDSASigR = \abstG{}\big(\LEOStoBSPOf{\ellG{}}{\RedDSAReprR}\!\big)$, and
let $\RedDSASigS = \LEOStoIPOf{\bitlength(\ParamG{r})}{\RedDSAReprS}$. let $\RedDSASigS = \LEOStoIPOf{\bitlength(\ParamG{r})}{\RedDSAReprS}$.
\item Let $\RedDSASigc = \RedDSAHashToScalar(\RedDSAReprR \bconcat M)$. \item Let $\vkBytes = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\RedDSADerivePublic(\sk)}}$.
\item Let $\RedDSASigc = \RedDSAHashToScalar(\RedDSAReprR \bconcat \vkBytes \bconcat M)$.
\item Return $1$ if $\RedDSASigR \neq \bot$ and $\RedDSASigS < \ParamG{r}$ and \item Return $1$ if $\RedDSASigR \neq \bot$ and $\RedDSASigS < \ParamG{r}$ and
$\scalarmult{\RedDSASigS}{\GenG{}} = \RedDSASigR + \scalarmult{\RedDSASigc}{\vk}$, otherwise $0$. $\scalarmult{\RedDSASigS}{\GenG{}} = \RedDSASigR + \scalarmult{\RedDSASigc}{\vk}$, otherwise $0$.
\end{formulae} \end{formulae}
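Review bot: the new $\vkBytes$ line in $\RedDSAVerify{}$ derives the key bytes from $\sk$, but the verifier only has $\vk$ (the hunk header gives the type as $(\vk \typecolon \RedDSAPublic) \times (M \ldots)$), so this is a copy of the $\RedDSASign{}$ line and $\sk$ is undefined here. It should read `\item Let $\vkBytes = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\vk}}$.` With that fix the bytes hashed by signer and verifier agree whenever $\vk = \RedDSADerivePublic(\sk)$, which is what makes $\scalarmult{\RedDSASigS}{\GenG{}} = \RedDSASigR + \scalarmult{\RedDSASigc}{\vk}$ hold for honest signatures.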
@ -6172,7 +6154,7 @@ As required, $\RedDSADerivePublic$ is a group homomorphism:
\vspace{1ex} \vspace{1ex}
A $\RedDSA$ public key $\vk$ can be encoded as a bit sequence $\reprGOf{}{\vk}$\, of A $\RedDSA$ public key $\vk$ can be encoded as a bit sequence $\reprGOf{}{\vk}$\, of
length $\ellG{}$ bits (or as a corresponding byte sequence by then applying $\LEBStoOSP{\ellG{}}$). length $\ellG{}$ bits (or as a corresponding byte sequence $\vkBytes$ by then applying $\LEBStoOSP{\ellG{}}$).
\vspace{2ex} \vspace{2ex}
\introlist \introlist
@ -9010,6 +8992,8 @@ found by Brian Warner.
\item Fix the description of the \balancingValue in \crossref{saplingbalance}. \item Fix the description of the \balancingValue in \crossref{saplingbalance}.
\item Correct a type error in \crossref{concretegrouphashjubjub}. \item Correct a type error in \crossref{concretegrouphashjubjub}.
\item Correct a type error in $\RedDSASign{}$ in \crossref{concreteredjubjub}. \item Correct a type error in $\RedDSASign{}$ in \crossref{concreteredjubjub}.
\item Make the public key prefix part of the input to the \hashFunction in $\RedDSA$,
not part of the message.
\item Change terminology describing constraint systems. \item Change terminology describing constraint systems.
} %sapling } %sapling
\end{itemize} \end{itemize}
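Review bot: since the hunks at 6124 and 6137 change the bytes that go into the challenge hash, every existing $\RedDSA$ signature and any implementation of the previous $\dataToBeSigned$ layout (key prefix in the message) becomes invalid under the new definition. The changelog entry should say so, and note that the key prefix hashed is now the encoding of the verification key under which the signature is checked (the randomized key for spend auth, $\BindingPublic$ for the binding signature), so implementers know both call sites are affected.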