Clarify the description of the Merkle path check in Appendix A.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2018-10-24 16:11:40 +01:00
parent 066d424d3a
commit e24f7cede5
1 changed file with 6 additions and 8 deletions


@ -9784,6 +9784,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
$\RedDSASign{}$, from $T \bconcat M$ to $T \bconcat \vkBytes{} \bconcat M$.
This matches the sapling-crypto implementation; the specification of this
input was unintentionally changed in version 2018.0-beta-20.
\item Clarify the description of the Merkle path check in \crossref{cctmerklepath}.
} %sapling
\end{itemize}
@ -11712,7 +11713,7 @@ Edwards addition, for a total of \todo{...} constraints.
\introsection
\subsubsection{Merkle path check} \label{cctmerklepath}
Checking a Merkle authentication path, as described in \crossref{merklepath},
Checking each layer of a Merkle authentication path, as described in \crossref{merklepath},
requires to:
\begin{itemize}
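Review bot: "requires to:" on the line introducing the list is ungrammatical, and the change leaves it untouched even though it rewrites the sentence it belongs to; since every item that follows is an imperative phrase ("determine ...", "conditionally swap ...", "unpack ...", "compute ..."), suggest "Checking each layer of a Merkle authentication path, as described in \crossref{merklepath}, requires the circuit to:" so the list reads as a sequence of per-layer steps, matching the new "for this node" wording in the last item.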
@ -11720,22 +11721,19 @@ requires to:
is a left or right child;
\item conditionally swap the previous-layer and sibling hashes
(as $\GF{r}$ elements) depending on the path bit;
\item unpack the previous-layer and sibling hashes to $255$-bit sequences;
\item compute the Merkle hash.
\item unpack the left and right hash inputs to two sequences of $255$ bits;
\item compute the Merkle hash for this node.
\end{itemize}
The unpacking need not be canonical in the sense discussed in \crossref{cctmodpack};
that is, it is \emph{not} necessary to ensure that the previous-layer or sibling
bit-sequence inputs represent integers in the range $\range{0}{\ParamS{r}-1}$.
that is, it is \emph{not} necessary to ensure that the left or right inputs to the
hash represent integers in the range $\range{0}{\ParamS{r}-1}$.
Since the root of the Merkle tree is calculated outside the circuit using the
canonical representations, and since the \xPedersenHashes are \collisionResistant
on arbitrary bit-sequence inputs, an attempt by an adversarial prover to use a
non-canonical input would result in the wrong root being calculated, and the
overall path check would fail.
Note that the leaf node input of the authentication path is given as a bit sequence,
not as a field element.
For each layer, the cost is $1 + 2 \smult 255$ boolean constraints,
$2$ constraints for the conditional swap (implemented as two selection
constraints), and todo{...} for the Merkle hash, for a total of \todo{...}
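Review bot: the third cost placeholder in the final paragraph, "and todo{...} for the Merkle hash", is missing its backslash and will be typeset literally rather than as a \todo marker; it should read "and \todo{...} for the Merkle hash" like the other two occurrences. On the security argument, "would result in the wrong root being calculated" overstates what collision resistance gives: a non-canonical input yields a different root unless the prover has found a collision for the Pedersen hash on bit-sequence inputs, so suggest wording along the lines of "would result in the wrong root being calculated (unless the prover could find a collision in the Pedersen hash on bit-sequence inputs, which is assumed infeasible)". It is also worth stating in this paragraph that the argument relies on the path bit being constrained to be boolean, since the conditional swap in the second item only selects correctly for a boolean bit; the per-layer cost summary already counts that constraint, but the soundness argument does not mention it.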