Correct a misstatement in the security argument for balance / binding signatures.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2019-06-18 23:20:29 +01:00
parent 8fddbe438c
commit ecc92df195
1 changed files with 12 additions and 4 deletions


@ -2872,6 +2872,7 @@ $\MerkleCRHSapling \typecolon \MerkleLayerSapling \times \MerkleHashSapling \tim
are \hashFunctions used in \crossref{merklepath}.
\sapling{$\MerkleCRHSapling$ is \collisionResistant on all its arguments, and}
$\MerkleCRHSprout$ is \collisionResistant except on its first argument.
Both of these functions are instantiated in \crossref{merklecrh}.
} %notsprout
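Review bot: the one-line addition in this hunk lands in the $\MerkleCRH$ paragraph (around line 2872), which has nothing to do with the balance / binding-signature argument the commit message describes; either mention it in the commit message or move it to its own commit so the changelog entry in \crossref{bindingsig} stays accurate about what changed.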
@ -4639,10 +4640,12 @@ By the binding property of the \xPedersenCommitment, it is infeasible to find an
opening of this commitment to a different value.
Similarly, the binding property of the \valueCommitments in the \spendDescriptions and
\outputDescriptions ensures that an adversary cannot find more than one opening for any of
those commitments, i.e.\ we may assume that
$\vOld{\alln}$ and $\ValueCommitRandOld{\alln}$ are determined by $\cvOld{\alln}$, and that
$\vNew{\allm}$ and $\ValueCommitRandNew{\allm}$ are determined by $\cvNew{\allm}$.
\outputDescriptions ensures that an adversary cannot find an opening to more than one value
for any of those commitments, i.e.\ we may assume that $\vOld{\alln}$ are determined by
$\cvOld{\alln}$, and that $\vNew{\allm}$ are determined by $\cvNew{\allm}$. We may also
assume, from Knowledge Soundness of $\Groth$, that the Spend proofs could not have been
generated without knowing $\ValueCommitRandOld{\alln} \pmod{\ParamJ{r}}$, and the Output
proofs could not have been generated without knowing $\ValueCommitRandNew{\allm} \pmod{\ParamJ{r}}$.
\introlist
Using the fact that $\ValueCommit{\ValueCommitRand}(\Value) = \scalarmult{\Value}{\ValueCommitValueBase}\,
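Review bot: the rewritten argument now rests on "Knowledge Soundness of $\Groth$" without a \crossref to where that property of the proving system is defined, whereas the binding property it replaces is introduced with the \xPedersenCommitment just above; add the cross-reference so the reader can check that the extracted witness actually includes $\ValueCommitRandOld{\alln}$ and $\ValueCommitRandNew{\allm}$. The "$\pmod{\ParamJ{r}}$" qualifier is the right one, since the witness only fixes the randomness as a scalar modulo the Jubjub subgroup order, and the line that follows ("Using the fact that $\ValueCommit{\ValueCommitRand}(\Value) = \scalarmult{\Value}{\ValueCommitValueBase}\, \ldots$") should be read in the same modular sense.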
@ -10000,6 +10003,11 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\begin{itemize}
\sapling{
\item Correct a misstatement in the security argument in \crossref{bindingsig}:
binding for a commitment scheme does not imply that the commitment
determines its randomness. The rest of the security argument did not
depend on this; it is simpler to rely of knowledge soundness of the
Spend and Output proofs.
\item Give a definition for \completeTwistedEdwardsEllipticCurves in \crossref{jubjub}.
\item Clarify that \theoremref{thmnohashtouncommittedsapling} depends on the
parameters of the \jubjubCurve.
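Review bot: typo in the new changelog item, "it is simpler to rely of knowledge soundness of the" should read "rely on knowledge soundness of the"; the preceding sentence would also be easier to follow with the same capitalisation as the body text ("Knowledge Soundness of $\Groth$") so the changelog and \crossref{bindingsig} use one term for the same property.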