mirror of https://github.com/zcash/zips.git
Add notes in \crossref{spenddesc}, \crossref{outputdesc}, and
\crossref{concretehomomorphiccommit} saying that an implementation of HomomorphicPedersenCommit^Sapling MAY resample the commitment trapdoor until the resulting commitment is not the zero point, in order to avoid it being rejected as the cv field of a Spend description or Output description.

Signed-off-by: Daira Emma Hopwood <daira@jacaranda.org>
This commit is contained in:
parent cd9371b0ee
commit e1ae36d208
@ -5348,6 +5348,7 @@ where
|
|||
as specified in \crossref{spendauthsig}.
|
||||
\end{itemize}
|
||||
|
||||
\vspace{-1ex}
|
||||
\begin{consensusrules}
|
||||
\item Elements of a \spendDescription \MUST be valid encodings of the types given above.
|
||||
\item $\cv$ and $\AuthSignRandomizedPublic$ \MUSTNOT be of small order, i.e.\ $\scalarmult{\ParamJ{h}}{\cv}$
|
||||
|
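Review bot: The only change in this hunk is the \vspace{-1ex} inserted before \begin{consensusrules}; that is fine, but the Output Descriptions hunk in this same commit also adjusts spacing ahead of its rules, so check that the two sections still render with matching spacing between the itemize and the consensus rules.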
@ -5368,6 +5369,9 @@ where
|
|||
|
||||
\vspace{-1.5ex}
|
||||
\begin{nnotes}
|
||||
\item As stated in \crossref{concretehomomorphiccommit}, an implementation of $\HomomorphicPedersenCommit{Sapling}{}$
|
||||
\MAY resample the \commitmentTrapdoor until the resulting commitment is not $\ZeroJ$.
|
||||
\vspace{-0.25ex}
|
||||
\item The rule that $\cv$ and $\AuthSignRandomizedPublic$ \MUST not be small-order has the effect
|
||||
of also preventing \nonCanonicalFieldElement encodings of these fields\nufive{, as required by \cite{ZIP-216}}.
|
||||
That is, it is necessarily the case that $\reprJ\Of{\abstJ\Of{\cv}\kern0.05em} = \cv$ and
|
||||
|
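Review bot: Inconsistent macro use in the new notes block: the second item writes `\MUST not be small-order`, while the consensus rule it refers to (previous hunk) uses the `\MUSTNOT` macro and the wording "of small order". Since the note is quoting that rule, use `\MUSTNOT` and the same phrasing in both places. The first new item states that an implementation MAY resample the trapdoor but gives no reason at this point; a short clause such as "since $\ZeroJ$ would be rejected by the rule above" ties it to the consensus rule that motivates it.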
@ -5377,7 +5381,7 @@ where
|
|||
|
||||
|
||||
\sapling{
|
||||
\vspace{-3ex}
|
||||
\vspace{-2ex}
|
||||
\lsubsection{Output Descriptions}{outputdesc}
|
||||
|
||||
\vspace{-1ex}
|
||||
|
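Review bot: Both `\vspace{-3ex}` and `\vspace{-2ex}` appear immediately before `\lsubsection{Output Descriptions}{outputdesc}`; only one of them should survive this change. If -2ex is the new value, make sure the old -3ex line is actually removed rather than left in place, otherwise the two commands stack and the heading is pulled up by 5ex.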
@ -5438,11 +5442,16 @@ where
|
|||
i.e.\ $\OutputVerify\big(\kern-0.1em(\cv, \cmU, \EphemeralPublic), \Proof{\Output}\big) = 1$.
|
||||
\end{consensusrules}
|
||||
|
||||
\vspace{-2ex}
|
||||
\nnote{The rule that $\cv$ and $\EphemeralPublic$ \MUST not be small-order, has the effect
|
||||
of also preventing \nonCanonicalFieldElement encodings of these fields\nufive{, as required by \cite{ZIP-216}}.
|
||||
That is, it is necessarily the case that $\reprJ\Of{\abstJ\Of{\cv}\kern0.05em} = \cv$ and
|
||||
$\reprJ\Of{\abstJ\Of{\EphemeralPublic}\kern0.05em} = \EphemeralPublic$.}
|
||||
\vspace{-1.5ex}
|
||||
\begin{nnotes}
|
||||
\item As stated in \crossref{concretehomomorphiccommit}, an implementation of $\HomomorphicPedersenCommit{Sapling}{}$
|
||||
\MAY resample the \commitmentTrapdoor until the resulting commitment is not $\ZeroJ$.
|
||||
\vspace{-0.25ex}
|
||||
\item The rule that $\cv$ and $\EphemeralPublic$ \MUST not be small-order has the effect
|
||||
of also preventing \nonCanonicalFieldElement encodings of these fields\nufive{, as required by \cite{ZIP-216}}.
|
||||
That is, it is necessarily the case that $\reprJ\Of{\abstJ\Of{\cv}\kern0.05em} = \cv$ and
|
||||
$\reprJ\Of{\abstJ\Of{\EphemeralPublic}\kern0.05em} = \AuthSignRandomizedPublic$.
|
||||
\end{nnotes}
|
||||
} %sapling
|
||||
|
||||
|
||||
|
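Review bot: Copy-paste error in the new Output Descriptions note: the final equation reads `$\reprJ\Of{\abstJ\Of{\EphemeralPublic}\kern0.05em} = \AuthSignRandomizedPublic$`, but $\AuthSignRandomizedPublic$ is a Spend description field and does not appear in an Output description. The `\nnote` this block replaces has the correct form `$\reprJ\Of{\abstJ\Of{\EphemeralPublic}\kern0.05em} = \EphemeralPublic$`, and the sentence earlier in the same item talks about $\cv$ and $\EphemeralPublic$; change the right-hand side back to `\EphemeralPublic`. The same `\MUST not` versus `\MUSTNOT` consistency point raised on the Spend description note applies here as well.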
@ -10177,6 +10186,7 @@ so there are no solutions for $\varv$ (contradiction).
|
|||
\sapling{
|
||||
\extralabel{concretevaluecommit}{\lsubsubsubsection{Homomorphic Pedersen commitments (\SaplingAndOrchardText)}{concretehomomorphiccommit}}
|
||||
|
||||
\vspace{-1ex}
|
||||
The windowed Pedersen commitments defined in the preceding section are
|
||||
highly efficient, but they do not support the homomorphic property we
|
||||
need when instantiating $\ValueCommitAlg{}$.
|
||||
|
@ -10194,10 +10204,12 @@ Useful background is given in \crossref{spendsandoutputs}\nufive{ and \crossref{
|
|||
\item $\ValueCommitGenTrapdoor{Sapling}()$ generates the uniform distribution on $\GF{\ParamJ{r}}$.
|
||||
\end{formulae}
|
||||
|
||||
\vspace{-1ex}
|
||||
See \crossref{ccthomomorphiccommit} for rationale and efficient circuit implementation
|
||||
of this function.
|
||||
|
||||
\nufive{
|
||||
\vspace{0.5ex}
|
||||
\introlist
|
||||
We also define \homomorphicPedersenCommitments for \Orchard:
|
||||
|
||||
|
@ -10209,7 +10221,6 @@ We also define \homomorphicPedersenCommitments for \Orchard:
|
|||
} %nufive
|
||||
|
||||
\introlist
|
||||
\vspace{1ex}
|
||||
Define:
|
||||
|
||||
\begin{tabular}{@{\hskip 1.5em}r@{\;}l}
|
||||
|
@ -10259,6 +10270,13 @@ which is equivalent to:
|
|||
\end{securityrequirements}
|
||||
|
||||
(They are in fact unconditionally \hiding \commitmentSchemes.)
|
||||
|
||||
\vspace{-1ex}
|
||||
\nnote{The output of $\HomomorphicPedersenCommit{Sapling}{}$ may (with negligible probability for a randomly
|
||||
chosen \commitmentTrapdoor) be the zero point $\ZeroJ$. This would be rejected by consensus if it appeared as
|
||||
the $\cv$ field of a \spendDescription (\crossref{spenddesc}) or \outputDescription (\crossref{outputdesc}).
|
||||
An implementation of $\HomomorphicPedersenCommit{Sapling}{}$ \MAY resample the \commitmentTrapdoor
|
||||
until the resulting commitment is not $\ZeroJ$.}
|
||||
} %sapling
|
||||
|
||||
|
||||
|
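Review bot: The new \nnote permits resampling the trapdoor without saying what that does to the distribution the definition above promises: $\ValueCommitGenTrapdoor{Sapling}()$ is specified as generating the uniform distribution on $\GF{\ParamJ{r}}$, and rejecting the trapdoor that yields $\ZeroJ$ makes the distribution actually used differ from uniform. A clause stating that the difference is negligible and does not affect the unconditional hiding property claimed just above would close that gap. It is also worth saying explicitly that the trapdoor value retained after resampling is the one that must be used everywhere else the trapdoor for this commitment is consumed, since a commitment computed with one trapdoor and other data derived from another will not verify.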
@ -14693,6 +14711,11 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
is not of small order is technically redundant with a check in the \spendCircuit ...''.
|
||||
The small-order check excludes the zero point $\ZeroJ$, which the \snarkref{Spend authority}{spendauthority}
|
||||
check that this claim was intending to reference does not.
|
||||
\item An implementation of $\HomomorphicPedersenCommit{Sapling}{}$ \MAY resample the
|
||||
\commitmentTrapdoor until the resulting commitment is not $\ZeroJ$, in order to avoid
|
||||
it being rejected as the $\cv$ field of a \spendDescription or \outputDescription.
|
||||
Add notes in \crossref{spenddesc}, \crossref{outputdesc}, and \crossref{concretehomomorphiccommit}
|
||||
to that effect.
|
||||
} %sapling
|
||||
\item Rename the section ``Note Commitments and Nullifiers'' to \crossref{rhoandnullifiers},
|
||||
to more accurately reflect its contents.
|
||||
|
|
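Review bot: The changelog entry restates the MAY-resample rule in full but omits the justification given in the note it describes, namely that $\ZeroJ$ arises only with negligible probability for a randomly chosen \commitmentTrapdoor. Adding that clause, or a cross-reference to the consensus rules that would reject such a $\cv$, makes the entry self-explanatory to a reader who skips to the changelog.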