ZIP 31: child ask_i and nsk_i keys are intended to be taken modulo r_J.

Technically the ZIP was already correct because I_{ask}, I_{nsk}, ask_{par}, and nsk_{par} are all F_{r_J} elements, but that assumes a lot of familiarity with the spec notation. Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-01-21 13:32:30 +00:00 · 2020-01-21 13:32:30 +00:00 · feca6f4b26
parent c01c5defb1
commit feca6f4b26
2 changed files with 9 additions and 7 deletions
--- a/zip-0032.html
+++ b/zip-0032.html
@ -53,7 +53,8 @@ License: MIT</pre>
                <li>BLAKE2b-256(<em>p</em>, <em>x</em>) refers to unkeyed BLAKE2b-256 in sequential mode, with an output digest length of 32 bytes, 16-byte personalization string <em>p</em>, and input <em>x</em>.</li>
                <li>BLAKE2b-512(<em>p</em>, <em>x</em>) refers to unkeyed BLAKE2b-512 in sequential mode, with an output digest length of 64 bytes, 16-byte personalization string <em>p</em>, and input <em>x</em>.</li>
                <li>PRF<sup>expand</sup>(<em>sk</em>, <em>t</em>) := BLAKE2b-512("Zcash_ExpandSeed", <em>sk</em> || <em>t</em>)</li>
-                <li>ToScalar(<em>x</em>) := LEOS2IP<sub>512</sub>(<em>x</em>) (mod <em>r</em><sub>𝕁</sub>), where <em>r</em><sub>𝕁</sub> is the order of the Jubjub large prime subgroup.</li>
+                <li><em>r</em><sub>𝕁</sub> is the order of the Jubjub large prime subgroup.</li>
+                <li>ToScalar(<em>x</em>) := LEOS2IP<sub>512</sub>(<em>x</em>) (mod <em>r</em><sub>𝕁</sub>).</li>
                <li>DiversifyHash(<em>d</em>) maps a diversifier <em>d</em> to a base point on the Jubjub elliptic curve, or to ⊥ if the diversifier is invalid. It is instantiated in <a href="#sapling-diversifyhash" id="id10" class="footnote_reference">10</a>.</li>
            </ul>
            <p>The following algorithm standardized in <a href="#nist-sp-800-38g" id="id11" class="footnote_reference">16</a> is used:</p>
@ -128,8 +129,8 @@ License: MIT</pre>
                        <li>Let <em>I</em><sub>nsk</sub> = ToScalar(PRF<sup>expand</sup>(<em>I</em><sub>L</sub>, [0x14]))</li>
                        <li>Return:
                            <ul>
-                                <li><em>ask</em><sub>i</sub> = <em>I</em><sub>ask</sub> + <em>ask</em><sub>par</sub></li>
-                                <li><em>nsk</em><sub>i</sub> = <em>I</em><sub>nsk</sub> + <em>nsk</em><sub>par</sub></li>
+                                <li><em>ask</em><sub>i</sub> = (<em>I</em><sub>ask</sub> + <em>ask</em><sub>par</sub>) (mod <em>r</em><sub>𝕁</sub>)</li>
+                                <li><em>nsk</em><sub>i</sub> = (<em>I</em><sub>nsk</sub> + <em>nsk</em><sub>par</sub>) (mod <em>r</em><sub>𝕁</sub>)</li>
                                <li><em>ovk</em><sub>i</sub> = truncate<sub>32</sub>(PRF<sup>expand</sup>(<em>I</em><sub>L</sub>, [0x15] || <em>ovk</em><sub>par</sub>))</li>
                                <li><em>dk</em><sub>i</sub> = truncate<sub>32</sub>(PRF<sup>expand</sup>(<em>I</em><sub>L</sub>, [0x16] || <em>dk</em><sub>par</sub>))</li>
                                <li><em>c</em><sub>i</sub> = <em>I</em><sub>R</sub></li>
--- a/zip-0032.rst
+++ b/zip-0032.rst
@ -91,8 +91,9 @@ Most of the notation and functions used in this ZIP are defined in the Sapling p

 - PRF\ :sup:`expand`\ (*sk*, *t*) := BLAKE2b-512("Zcash_ExpandSeed", *sk* || *t*)

- ToScalar(*x*) := LEOS2IP\ :sub:`512`\ (*x*) (mod *r*\ :sub:`𝕁`\ ), where *r*\ :sub:`𝕁` \ is the order
-  of the Jubjub large prime subgroup.
+- *r*\ :sub:`𝕁` \ is the order of the Jubjub large prime subgroup.
+
+- ToScalar(*x*) := LEOS2IP\ :sub:`512`\ (*x*) (mod *r*\ :sub:`𝕁`\ ).

 - DiversifyHash(*d*) maps a diversifier *d* to a base point on the Jubjub elliptic curve, or to ⊥ if the
  diversifier is invalid. It is instantiated in [#sapling-diversifyhash]_.
@ -197,8 +198,8 @@ CDKsk((*ask*\ :sub:`par`\ , *nsk*\ :sub:`par`\ , *ovk*\ :sub:`par`\ , *dk*\ :sub
 - Let *I*\ :sub:`nsk` = ToScalar(PRF\ :sup:`expand`\ (*I*\ :sub:`L`\ , [0x14]))
 - Return:

-  - *ask*\ :sub:`i` = *I*\ :sub:`ask` + *ask*\ :sub:`par`
-  - *nsk*\ :sub:`i` = *I*\ :sub:`nsk` + *nsk*\ :sub:`par`
+  - *ask*\ :sub:`i` = (*I*\ :sub:`ask` + *ask*\ :sub:`par`) (mod *r*\ :sub:`𝕁`\ )
+  - *nsk*\ :sub:`i` = (*I*\ :sub:`nsk` + *nsk*\ :sub:`par`) (mod *r*\ :sub:`𝕁`\ )
  - *ovk*\ :sub:`i` = truncate\ :sub:`32`\ (PRF\ :sup:`expand`\ (*I*\ :sub:`L`\ , [0x15] || *ovk*\ :sub:`par`\ ))
  - *dk*\ :sub:`i` = truncate\ :sub:`32`\ (PRF\ :sup:`expand`\ (*I*\ :sub:`L`\ , [0x16] || *dk*\ :sub:`par`\ ))
  - *c*\ :sub:`i` = *I*\ :sub:`R`