Make the public key prefix part of the input to the hash function in RedDSA, not part of the message.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
0517e2dc3a
commit
df02fcf9ac
|
@ -1394,6 +1394,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\ZKVerifyingKey}{\mathsf{ZK.VerifyingKey}}
|
||||
\newcommand{\pk}{\mathsf{pk}}
|
||||
\newcommand{\vk}{\mathsf{vk}}
|
||||
\newcommand{\vkBytes}{\bytes{\vk}}
|
||||
\newcommand{\ZKGen}{\mathsf{ZK.Gen}}
|
||||
\newcommand{\ZKProof}{\mathsf{ZK.Proof}}
|
||||
\newcommand{\ZKPrimary}{\mathsf{ZK.PrimaryInput}}
|
||||
|
@ -3736,9 +3737,9 @@ where
|
|||
\item The proof $\Proof{\Spend}$ \MUST be valid given a \primaryInput formed
|
||||
from the other fields except $\spendAuthSig$.
|
||||
I.e.\ it must be the case that $\SpendVerify{}((\cv, \rt, \nf, \AuthSignRandomizedPublic), \Proof{\Spend}) = 1$.
|
||||
\item The \spendAuthSignature{} \MUST be a valid $\SpendAuthSig$ signature over $\dataToBeSigned$
|
||||
\item The \spendAuthSignature{} \MUST be a valid $\SpendAuthSig$ signature over $\SigHash$
|
||||
using $\AuthSignRandomizedPublic$ as the public key.
|
||||
I.e.\ it must be the case that $\SpendAuthSigVerify{\AuthSignRandomizedPublic}(\spendAuthSig) = 1$.
|
||||
I.e.\ it must be the case that $\SpendAuthSigVerify{\AuthSignRandomizedPublic}(\SigHash, \spendAuthSig) = 1$.
|
||||
\end{consensusrules}
|
||||
} %sapling
|
||||
|
||||
|
@ -4111,15 +4112,6 @@ according to client implementation.
|
|||
}
|
||||
|
||||
|
||||
\newsavebox{\bindingsigmsgbox}
|
||||
\begin{lrbox}{\bindingsigmsgbox}
|
||||
\setsapling
|
||||
\begin{bytefield}[bitwidth=0.05em]{512}
|
||||
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJOf{\BindingPublic}\kern 0.05em}$}
|
||||
\sbitbox{256}{$\LEBStoOSPOf{256}{\SigHash}$} &
|
||||
\end{bytefield}
|
||||
\end{lrbox}
|
||||
|
||||
\sapling{
|
||||
\introsection
|
||||
\subsection{Balance and \BindingSignature{} (\Sapling)} \label{saplingbalance} \label{bindingsig}
|
||||
|
@ -4212,9 +4204,7 @@ In order to check for implementation faults, the signer \SHOULD also check that
|
|||
\vspace{1ex}
|
||||
Let $\SigHash$ be the \sighashTxHash as defined in \cite{ZIP-243}, using $\SIGHASHALL$.
|
||||
|
||||
Let $\dataToBeSigned := \Justthebox{\bindingsigmsgbox}$.
|
||||
|
||||
A validator checks balance by verifying that $\BindingSigVerify{\BindingPublic}(\dataToBeSigned) = 1$.
|
||||
A validator checks balance by verifying that $\BindingSigVerify{\BindingPublic}(\SigHash, \bindingSig) = 1$.
|
||||
|
||||
We now explain why this works.
|
||||
|
||||
|
@ -4269,7 +4259,7 @@ Thus checking the \bindingSignature ensures that the \transaction balances, with
|
|||
the individual values of the \spendDescriptions and \outputDescriptions being revealed.
|
||||
|
||||
In addition this proves that the signer, knowing the $\biggrpplus$\kern-0.015em-sum of the \valueCommitment
|
||||
randomnesses, authorized a \transaction with the given \sighashTxHash by signing $\dataToBeSigned$.
|
||||
randomnesses, authorized a \transaction with the given \sighashTxHash by signing $\SigHash$.
|
||||
|
||||
\vspace{-1ex}
|
||||
\pnote{
|
||||
|
@ -4287,15 +4277,6 @@ The technique of checking signatures using a public key derived from a sum of
|
|||
} %sapling
|
||||
|
||||
|
||||
\newsavebox{\spendauthsigmsgbox}
|
||||
\begin{lrbox}{\spendauthsigmsgbox}
|
||||
\setsapling
|
||||
\begin{bytefield}[bitwidth=0.05em]{512}
|
||||
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJOf{\AuthSignRandomizedPublic}\kern 0.05em}$}
|
||||
\sbitbox{256}{$\LEBStoOSPOf{256}{\SigHash}$} &
|
||||
\end{bytefield}
|
||||
\end{lrbox}
|
||||
|
||||
\sapling{
|
||||
\subsection{\SpendAuthSignature} \label{spendauthsig}
|
||||
|
||||
|
@ -4333,8 +4314,7 @@ For each \spendDescription, the signer uses a fresh \spendAuthRandomizer $\AuthS
|
|||
\item Generate a proof $\ProofSpend$ of the \spendStatement (\crossref{spendstatement}),
|
||||
with $\AuthSignRandomizer$ in the \auxiliaryInput and $\AuthSignRandomizedPublic$
|
||||
in the \primaryInput.
|
||||
\item Let $\dataToBeSigned = \Justthebox{\spendauthsigmsgbox}$.
|
||||
\item Let $\spendAuthSig = \SpendAuthSigSign{\AuthSignRandomizedPrivate}(\dataToBeSigned)$.
|
||||
\item Let $\spendAuthSig = \SpendAuthSigSign{\AuthSignRandomizedPrivate}(\SigHash)$.
|
||||
\end{enumerate}
|
||||
|
||||
The $\spendAuthSig$ and $\ProofSpend$ are included in the \spendDescription.
|
||||
|
@ -6124,7 +6104,8 @@ Define $\RedDSASign{} \typecolon (\sk \typecolon \RedDSAPrivate) \times (M \type
|
|||
\item Let $r = \RedDSAHashToScalar(T \bconcat M)$.
|
||||
\item Let $\RedDSASigR = \scalarmult{r}{\GenG{}}$.
|
||||
\item Let $\RedDSAReprR = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\RedDSASigR}\hairspace}$.
|
||||
\item Let $\RedDSASigS = (r + \RedDSAHashToScalar(\RedDSAReprR \bconcat M) \mult \sk) \bmod \ParamG{r}$.
|
||||
\item Let $\vkBytes = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\RedDSADerivePublic(\sk)}}$.
|
||||
\item Let $\RedDSASigS = (r + \RedDSAHashToScalar(\RedDSAReprR \bconcat \vkBytes \bconcat M) \mult \sk) \bmod \ParamG{r}$.
|
||||
\item Let $\RedDSAReprS = \LEBStoOSPOf{\bitlength(\ParamG{r})}{\ItoLEBSPOf{\bitlength(\ParamG{r})}{\RedDSASigS}}$.
|
||||
\item Return $\RedDSAReprR \bconcat \RedDSAReprS$.
|
||||
\end{formulae}
|
||||
|
@ -6137,7 +6118,8 @@ Define $\RedDSAVerify{} \typecolon (\vk \typecolon \RedDSAPublic) \times (M \typ
|
|||
let $\RedDSAReprS$ be the remaining $\ceiling{\bitlength(\ParamG{r})/8}$ bytes.
|
||||
\item Let $\RedDSASigR = \abstG{}\big(\LEOStoBSPOf{\ellG{}}{\RedDSAReprR}\!\big)$, and
|
||||
let $\RedDSASigS = \LEOStoIPOf{\bitlength(\ParamG{r})}{\RedDSAReprS}$.
|
||||
\item Let $\RedDSASigc = \RedDSAHashToScalar(\RedDSAReprR \bconcat M)$.
|
||||
\item Let $\vkBytes = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\RedDSADerivePublic(\sk)}}$.
|
||||
\item Let $\RedDSASigc = \RedDSAHashToScalar(\RedDSAReprR \bconcat \vkBytes \bconcat M)$.
|
||||
\item Return $1$ if $\RedDSASigR \neq \bot$ and $\RedDSASigS < \ParamG{r}$ and
|
||||
$\scalarmult{\RedDSASigS}{\GenG{}} = \RedDSASigR + \scalarmult{\RedDSASigc}{\vk}$, otherwise $0$.
|
||||
\end{formulae}
|
||||
|
@ -6172,7 +6154,7 @@ As required, $\RedDSADerivePublic$ is a group homomorphism:
|
|||
|
||||
\vspace{1ex}
|
||||
A $\RedDSA$ public key $\vk$ can be encoded as a bit sequence $\reprGOf{}{\vk}$\, of
|
||||
length $\ellG{}$ bits (or as a corresponding byte sequence by then applying $\LEBStoOSP{\ellG{}}$).
|
||||
length $\ellG{}$ bits (or as a corresponding byte sequence $\vkBytes$ by then applying $\LEBStoOSP{\ellG{}}$).
|
||||
|
||||
\vspace{2ex}
|
||||
\introlist
|
||||
|
@ -9010,6 +8992,8 @@ found by Brian Warner.
|
|||
\item Fix the description of the \balancingValue in \crossref{saplingbalance}.
|
||||
\item Correct a type error in \crossref{concretegrouphashjubjub}.
|
||||
\item Correct a type error in $\RedDSASign{}$ in \crossref{concreteredjubjub}.
|
||||
\item Make the public key prefix part of the input to the \hashFunction in $\RedDSA$,
|
||||
not part of the message.
|
||||
\item Change terminology describing constraint systems.
|
||||
} %sapling
|
||||
\end{itemize}
|
||||
|
|
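Review bot: In the RedDSAVerify hunk (`@ -6137,7 +6118,8 @@`), the new line `\item Let $\vkBytes = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\RedDSADerivePublic(\sk)}}$.` computes the prefix from $\sk$, but the verifier's stated inputs are $(\vk, M)$ and a signature — $\sk$ is not available to it, so the algorithm as written is not computable from its inputs. The line appears to have been copied from RedDSASign; in Verify it should read `\item Let $\vkBytes = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\vk}}$.`, which yields the same bytes when $\vk = \RedDSADerivePublic(\sk)$ and keeps the hash inputs of Sign and Verify byte-identical. Since the binding- and spend-authorization signatures both rely on exactly this Verify definition, a reader implementing from the spec would otherwise have to guess the intended prefix. The enclosing `formulae` environment and the `Define $\RedDSAVerify{}$` signature begin above the hunk, so only the item lines are visible here.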