mirror of https://github.com/zcash/zips.git
Correct a misstatement in the security argument for balance / binding signatures.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent 8fddbe438c
commit ecc92df195
@ -2872,6 +2872,7 @@ $\MerkleCRHSapling \typecolon \MerkleLayerSapling \times \MerkleHashSapling \tim
are \hashFunctions used in \crossref{merklepath}.
\sapling{$\MerkleCRHSapling$ is \collisionResistant on all its arguments, and}
$\MerkleCRHSprout$ is \collisionResistant except on its first argument.
Both of these functions are instantiated in \crossref{merklecrh}.
} %notsprout
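Review bot: nothing in this hunk's visible lines changes apart from the single added line counted in the header (`-2872,6 +2872,7`), which appears to be a blank line; this whitespace-only edit to the Merkle hash section is unrelated to the binding-signature fix described in the commit message, so consider splitting it into its own commit or mentioning it in the message so the diff reads as one logical change.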
@ -4639,10 +4640,12 @@ By the binding property of the \xPedersenCommitment, it is infeasible to find an
opening of this commitment to a different value.
Similarly, the binding property of the \valueCommitments in the \spendDescriptions and
\outputDescriptions ensures that an adversary cannot find more than one opening for any of
those commitments, i.e.\ we may assume that
$\vOld{\alln}$ and $\ValueCommitRandOld{\alln}$ are determined by $\cvOld{\alln}$, and that
$\vNew{\allm}$ and $\ValueCommitRandNew{\allm}$ are determined by $\cvNew{\allm}$.
\outputDescriptions ensures that an adversary cannot find an opening to more than one value
for any of those commitments, i.e.\ we may assume that $\vOld{\alln}$ are determined by
$\cvOld{\alln}$, and that $\vNew{\allm}$ are determined by $\cvNew{\allm}$. We may also
assume, from Knowledge Soundness of $\Groth$, that the Spend proofs could not have been
generated without knowing $\ValueCommitRandOld{\alln} \pmod{\ParamJ{r}}$, and the Output
proofs could not have been generated without knowing $\ValueCommitRandNew{\allm} \pmod{\ParamJ{r}}$.
\introlist
Using the fact that $\ValueCommit{\ValueCommitRand}(\Value) = \scalarmult{\Value}{\ValueCommitValueBase}\,
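Review bot: the added sentence "the Spend proofs could not have been generated without knowing $\ValueCommitRandOld{\alln} \pmod{\ParamJ{r}}$" states Knowledge Soundness informally, and the argument silently relies on $\ValueCommitRandOld{\alln}$ and $\ValueCommitRandNew{\allm}$ being components of the witness for the Spend and Output statements; suggest phrasing it in terms of the extractor (for example "by Knowledge Soundness of $\Groth$, a witness including $\ValueCommitRandOld{\alln} \pmod{\ParamJ{r}}$ can be extracted from any valid Spend proof") and adding a \crossref to the statement definitions so a reader can confirm that the commitment randomness is indeed part of the witness. The replacement wording is otherwise consistent with the commit message: the retained "Similarly, the binding property ..." sentence now only claims that the values $\vOld{\alln}$ and $\vNew{\allm}$ are determined by the commitments, no longer the randomness.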
@ -10000,6 +10003,11 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\begin{itemize}
\sapling{
\item Correct a misstatement in the security argument in \crossref{bindingsig}:
binding for a commitment scheme does not imply that the commitment
determines its randomness. The rest of the security argument did not
depend on this; it is simpler to rely of knowledge soundness of the
Spend and Output proofs.
\item Give a definition for \completeTwistedEdwardsEllipticCurves in \crossref{jubjub}.
\item Clarify that \theoremref{thmnohashtouncommittedsapling} depends on the
parameters of the \jubjubCurve.
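Review bot: typo in the added changelog entry, "it is simpler to rely of knowledge soundness of the" should read "rely on knowledge soundness of the". Otherwise the entry accurately describes the change made in \crossref{bindingsig}: binding no longer being used to conclude that the commitment determines its randomness, with knowledge soundness of the Spend and Output proofs used instead.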