Define how to derive diversifiers from Sapling extended keys

2018-06-08 14:42:49 +12:00 · 2018-06-08 14:42:49 +12:00 · f07b6d2613
parent efd68a4474
commit f07b6d2613
1 changed files with 13 additions and 0 deletions
--- a/zip-0032.rst
+++ b/zip-0032.rst
@ -177,6 +177,18 @@ CDKfvk((*ak*\ :sub:`par`\ , *nk*\ :sub:`par`\ , *ovk*\ :sub:`par`\ , *dk*\ :sub:
  - *dk*\ :sub:`i` = truncate\ :sub:`32`\ (PRF\ :sup:`expand`\ (*I*\ :sub:`L`\ , [0x16] || *dk*\ :sub:`par`\ ))
  - *c*\ :sub:`i` = *I*\ :sub:`R`

+Diversifier derivation
+----------------------
+
+The 88-bit diversifiers for a Sapling extended key are derived from its diversifier key *dk*\ :sub:`i`\ . In
+order to reach the maximum possible diversifier range without running into the birthday bound, we use the PRP
+defined in [#diversifier-prp]_ as follows:
+
+- Let *j* be the index of the desired diversifier.
+- *d*\ :sub:`i,j` = PRP(*dk*\ :sub:`i`\ , I2LEOSP\ :sub:`88`\ (*j*))
+
+The default diversifier for a Sapling extended key is defined to be *d*\ :sub:`i,0`\ .
+

 Specification: Sprout key derivation
 ====================================
@ -301,5 +313,6 @@ References
 .. [#bip-0043] `BIP 43: Purpose Field for Deterministic Wallets <https://github.com/bitcoin/bips/blob/master/bip-0043.mediawiki>`_
 .. [#bip-0044] `BIP 44: Multi-Account Hierarchy for Deterministic Wallets <https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki>`_
 .. [#slip-0044] `SLIP 44: Registered coin types for BIP-0044 <https://github.com/satoshilabs/slips/blob/master/slip-0044.md>`_
+.. [#diversifier-prp] `TODO`_
 .. [#sapling-spec] `Zcash Protocol Specification, Version 2018.0-beta-20 [Overwinter+Sapling] <https://github.com/zcash/zips/blob/master/protocol/sapling.pdf>`_
 .. [#sapling-key-components] `Section 4.2.2: Sapling Key Components. Zcash Protocol Specification, Version 2018.0-beta-20 [Overwinter+Sapling] <https://github.com/zcash/zips/blob/master/protocol/sapling.pdf>`_