|
|
|
@ -228,17 +228,17 @@ CDKfvk((*ak*\ :sub:`par`\ , *nk*\ :sub:`par`\ , *ovk*\ :sub:`par`\ , *dk*\ :sub: |
|
|
|
Diversifier derivation |
|
|
|
---------------------- |
|
|
|
|
|
|
|
The 88-bit diversifiers for a Sapling extended key are derived from its diversifier key *dk*\ :sub:`i`\ . |
|
|
|
The 88-bit diversifiers for a Sapling extended key are derived from its diversifier key *dk*. |
|
|
|
In order to reach the maximum possible diversifier range without running into the birthday bound, we use |
|
|
|
FF1-AES256 as a Pseudo-Random Permutation as follows: |
|
|
|
|
|
|
|
- Let *j* be the index of the desired diversifier, in the range 0 .. 2\ :sup:`88`\ -1. |
|
|
|
- *d*\ :sub:`i,j` = FF1-AES256.Encrypt(*dk*\ :sub:`i`\ , "", I2LEBSP\ :sub:`88`\ (*j*)). |
|
|
|
- *d*\ :sub:`j` = FF1-AES256.Encrypt(*dk*, "", I2LEBSP\ :sub:`88`\ (*j*)). |
|
|
|
|
|
|
|
A valid diversifier *d*\ :sub:`i,j` is one for which DiversifyHash(*d*\ :sub:`i,j`) ≠ ⊥. |
|
|
|
For a given *dk*\ :sub:`i`\ , approximately half of the possible values of *j* yield valid diversifiers. |
|
|
|
A valid diversifier *d*\ :sub:`j` is one for which DiversifyHash(*d*\ :sub:`j`) ≠ ⊥. |
|
|
|
For a given *dk*, approximately half of the possible values of *j* yield valid diversifiers. |
|
|
|
|
|
|
|
The default diversifier for a Sapling extended key is defined to be *d*\ :sub:`i,j`\ , where *j* is the |
|
|
|
The default diversifier for a Sapling extended key is defined to be *d*\ :sub:`j`\ , where *j* is the |
|
|
|
least nonnegative integer yielding a valid diversifier. |
|
|
|
|
|
|
|
|
|
|
|
|
Jack Grigg
6 years ago