Fix for InternalH collision attack.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
b3b34c21f0
commit
e20d0dd437
|
@ -139,8 +139,6 @@
|
|||
\newcommand{\SHAOrig}{\term{SHA-256}}
|
||||
\newcommand{\cm}{\mathsf{cm}}
|
||||
\newcommand{\cmNew}[1]{\mathsf{{cm}^{new}_\mathnormal{#1}}}
|
||||
\newcommand{\InternalHashK}{\mathsf{k}}
|
||||
\newcommand{\InternalHash}{\mathsf{InternalH}}
|
||||
\newcommand{\Leading}[1]{\mathtt{Leading}_{#1}}
|
||||
\newcommand{\ReplacementCharacter}{\textsf{U+FFFD}}
|
||||
|
||||
|
@ -443,41 +441,20 @@ break of the IK-CCA (key privacy) property.
|
|||
\subsubsection{Coin Commitments}
|
||||
|
||||
The underlying $\Value$ and $\SpendAuthorityPublic$ are blinded with $\CoinAddressRand$
|
||||
and $\CoinCommitRand$ using the collision-resistant hash function $\CRH$ in a
|
||||
multi-layered process. The resulting hash $\cm = \CoinCommitment{\Coin}$.
|
||||
|
||||
\newsavebox{\ihbox}
|
||||
\begin{lrbox}{\ihbox}
|
||||
\begin{bytefield}[bitwidth=0.08em]{512}
|
||||
\bitbox{256}{256 bit $\SpendAuthorityPublic$} &
|
||||
\bitbox{256}{256 bit $\CoinAddressRand$}
|
||||
\end{bytefield}
|
||||
\end{lrbox}
|
||||
|
||||
\newsavebox{\ihkbox}
|
||||
\begin{lrbox}{\ihkbox}
|
||||
\begin{bytefield}[bitwidth=0.08em]{512}
|
||||
\bitbox{384}{384 bit $\CoinCommitRand$} &
|
||||
\bitbox{128}{$\Leading{128}(\InternalHash)$}
|
||||
\end{bytefield}
|
||||
\end{lrbox}
|
||||
and $\CoinCommitRand$ using the collision-resistant hash function $\FullHash$.
|
||||
The resulting hash $\cm = \CoinCommitment{\Coin}$.
|
||||
|
||||
\newsavebox{\cmbox}
|
||||
\begin{lrbox}{\cmbox}
|
||||
\begin{bytefield}[bitwidth=0.08em]{512}
|
||||
\bitbox{64}{64 bit $\Value$} &
|
||||
\bitbox{192}{192 bit padding} &
|
||||
\bitbox{256}{256 bit $\InternalHashK$}
|
||||
\begin{bytefield}[bitwidth=0.045em]{832}
|
||||
\bitbox{256}{256 bit $\SpendAuthorityPublic$} &
|
||||
\bitbox{96}{64 bit $\Value$} &
|
||||
\bitbox{256}{256 bit $\CoinAddressRand$}
|
||||
\bitbox{256}{256 bit $\CoinCommitRand$} &
|
||||
\end{bytefield}
|
||||
\end{lrbox}
|
||||
|
||||
\begin{equation*}
|
||||
\begin{aligned}
|
||||
\InternalHash &:= \CRHbox{\ihbox} \\
|
||||
\InternalHashK &:= \CRHbox{\ihkbox} \\
|
||||
\cm &:= \CRHbox{\cmbox}
|
||||
\end{aligned}
|
||||
\end{equation*}
|
||||
$\cm := \FullHashbox{\cmbox}$
|
||||
|
||||
\subsubsection{Serial numbers}
|
||||
|
||||
|
@ -843,7 +820,7 @@ where:
|
|||
\item $\Value$ is a 64-bit unsigned integer representing the value of the
|
||||
\coin in \zatoshi (1 \ZEC = $10^8$ \zatoshi).
|
||||
\item $\CoinAddressRand$ is a 32-byte $\PRFsn{\SpendAuthorityPrivate}$ preimage.
|
||||
\item $\CoinCommitRand$ is a 48-byte \COMMtrapdoor.
|
||||
\item $\CoinCommitRand$ is a 32-byte \COMMtrapdoor.
|
||||
\changed{
|
||||
\item $\Memo$ is a 64-byte \memo associated with this \coin.
|
||||
}
|
||||
|
@ -868,11 +845,11 @@ does not use it.
|
|||
The raw encoding of a \coinPlaintext consists of, in order:
|
||||
|
||||
\begin{equation*}
|
||||
\begin{bytefield}[bitwidth=0.035em]{1224}
|
||||
\begin{bytefield}[bitwidth=0.04em]{1096}
|
||||
\bitbox{80}{\changed{$\TransmitPlaintextVersionByte$}} &
|
||||
\bitbox{144}{$\Value$ (8 bytes)} &
|
||||
\bitbox{256}{$\CoinAddressRand$ (32 bytes)} &
|
||||
\bitbox{384}{$\CoinCommitRand$ (48 bytes)} &
|
||||
\bitbox{256}{$\CoinCommitRand$ (32 bytes)} &
|
||||
\changed{\bitbox{512}{$\Memo$ (64 bytes)}}
|
||||
\end{bytefield}
|
||||
\end{equation*}
|
||||
|
@ -884,7 +861,7 @@ encoding of a \coinPlaintext.
|
|||
}
|
||||
\item 8 bytes specifying a big-endian encoding of $\Value$.
|
||||
\item 32 bytes specifying $\CoinAddressRand$.
|
||||
\item 48 bytes specifying $\CoinCommitRand$.
|
||||
\item 32 bytes specifying $\CoinCommitRand$.
|
||||
\changed{
|
||||
\item 64 bytes specifying $\Memo$.
|
||||
}
|
||||
|
|
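Review bot: In the rebuilt `\cmbox` bytefield the column separator is on the wrong line: `\bitbox{256}{256 bit $\CoinAddressRand$}` has no trailing `&` while the last box `\bitbox{256}{256 bit $\CoinCommitRand$} &` ends with one, so the final two fields are not separated and bytefield is left with a dangling `&`; the fix is to end the `\CoinAddressRand` line with ` &` and drop the `&` from the `\CoinCommitRand` line. The declared field width `{832}` also no longer matches the boxes, which sum to 256+96+256+256 = 864 — if the 96-bit box is deliberately widened so the `64 bit $\Value$` label fits, the width argument should presumably be 864 (or the box 64) so the row scales consistently. Since the commit title attributes the change to an InternalH collision attack and the old side shows `\Leading{128}(\InternalHash)` feeding into the commitment, it would help readers to state the new binding assumption next to `$\cm := \FullHashbox{\cmbox}$`, e.g. `% Binding now rests on collision resistance of \FullHash over the whole (a_pk, v, rho, r) input; the 128-bit truncation of \InternalHash was the weak point.` — I am inferring the weak point from the title and the removed lines, so confirm the wording against the attack write-up before adding it.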