|
|
@ -5797,7 +5797,7 @@ $\BlakeTwobOf{256}{p, x}$ is defined in \crossref{concreteblake2}. |
|
|
|
\securityrequirement{ |
|
|
|
$\LEOStoIPOf{256}{\BlakeTwosOf{256}{\ascii{Zcashivk}, x}} \bmod 2^{\InViewingKeyLength}$ |
|
|
|
must be \collisionResistant on a $64$-byte input $x$. Note that this |
|
|
|
does not follow from collision-resistance of $\BlakeTwos{256}$ |
|
|
|
does not follow from \collisionResistance of $\BlakeTwos{256}$ |
|
|
|
(and the best possible concrete security is that of a $251$-bit hash |
|
|
|
rather than a $256$-bit hash), but it is a reasonable assumption |
|
|
|
given the design, structure, and cryptanalysis to date of $\BlakeTwosGeneric$. |
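Review bot: the only change in this hunk is the macro swap on the line `does not follow from \collisionResistance of $\BlakeTwos{256}$`, which brings it in line with `\collisionResistant` already used two lines earlier in the same `\securityrequirement`; confirm that `\collisionResistance` is actually defined in the preamble next to `\collisionResistant`, because an undefined control sequence here fails the build. One documentation suggestion for the surrounding sentence: the 251-bit figure is a consequence of reducing the 256-bit BLAKE2s output modulo $2^{\InViewingKeyLength}$, so the reader needs $\InViewingKeyLength = 251$ stated or cross-referenced close by rather than inferred from the number. The reasoning itself is sound as written: truncating the output cannot preserve full 256-bit collision resistance, and collision resistance of the truncation is an additional assumption on the underlying hash, not a corollary.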
|
|
@ -9593,7 +9593,7 @@ Least Authority, Mary Maller, and Kudelski Security. |
|
|
|
The Faerie Gold attack was found by Zooko Wilcox; subsequent analysis |
|
|
|
of variations on the attack was performed by Daira Hopwood and Sean Bowe. |
|
|
|
The internal hash collision attack was found by Taylor Hornby. |
|
|
|
The error in the \Zerocash proof of Balance relating to collision-resistance |
|
|
|
The error in the \Zerocash proof of Balance relating to \collisionResistance |
|
|
|
of $\PRFaddr{}$ was found by Daira Hopwood. |
|
|
|
The errors in the proof of Ledger Indistinguishability mentioned in |
|
|
|
\crossref{truncation} were also found by Daira Hopwood. |
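Review bot: same macro substitution as in the hunk at 5797, this time in the acknowledgements line `of $\PRFaddr{}$ was found by Daira Hopwood`, and nothing else in the paragraph changes; since two occurrences of the plain text `collision-resistance` are being converted in this patch, a search for any remaining plain occurrences would confirm the change is complete rather than partial. No logic concern: this is attribution text only.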
|
|
@ -10783,6 +10783,8 @@ and so it is only necessary to allocate separate variables for the $\Pi_m$ |
|
|
|
such that $m < n-1$ and $c_m = 1$. Furthermore if $c_{\barerange{n-2}{0}}$ has |
|
|
|
$t > 0$ trailing $1$ bits, then we do not need to allocate variables for |
|
|
|
$\Pi_{\barerange{0}{t-1}}$ because those variables will not be used below. |
|
|
|
|
|
|
|
\introlist |
|
|
|
More explicitly: |
|
|
|
|
|
|
|
Let $\Pi_{n-1} = a_{n-1}$. |
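Review bot: the added `\introlist` before `More explicitly:` keeps that lead-in on the same page as the itemized list it introduces, which is the right fix for a dangling one-line heading. The prose above it needs one clarification, though: $t$ is introduced only for the case `$t > 0$ trailing $1$ bits`, yet the loop that follows runs `For $i \from n-2 \downto t$`, so the text should say explicitly that $t = 0$ when $c_{\barerange{n-2}{0}}$ has no trailing $1$ bits, otherwise the lower bound of the loop is undefined in the common case. The allocation rule itself is consistent: for $i < t$ we have $c_i = 1$, and the $c_i = 1$ branch never consults a $\Pi$ variable, so skipping $\Pi_{\barerange{0}{t-1}}$ loses nothing.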
|
|
@ -10793,9 +10795,9 @@ For $i \from n-2 \downto t$, |
|
|
|
\item if $c_i = 1$, then constrain $\constraint{\Pi_{i+1}}{a_i}{\Pi_i}$. |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
\introlist |
|
|
|
Then we constrain the $a_i$ as follows: |
|
|
|
|
|
|
|
\introlist |
|
|
|
For $i \from n-1 \downto 0$, |
|
|
|
\begin{itemize} |
|
|
|
\item if $c_i = 0$, constrain $\constraint{1 - \Pi_{i+1} - a_i}{a_i}{0}$; |
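Review bot: the constraint `$\constraint{1 - \Pi_{i+1} - a_i}{a_i}{0}$` in the $c_i = 0$ branch refers to $\Pi_n$ when $i = n-1$, but the recursion only starts at `Let $\Pi_{n-1} = a_{n-1}$` and never defines $\Pi_n$; either state the assumption that $c_{n-1} = 1$ (so this branch cannot fire at the top bit) or define $\Pi_n = 1$ explicitly so the loop `For $i \from n-1 \downto 0$` is well-defined at its first iteration. Checking the constraint itself against the visible lines: when $\Pi_{i+1} = 1$ it reduces to $-a_i \cdot a_i = 0$, forcing $a_i = 0$ where $c_i = 0$, and when $\Pi_{i+1} = 0$ it reduces to $(1 - a_i) \cdot a_i = 0$, i.e. plain booleanity, which is exactly the behaviour a less-than-or-equal range check wants. The `\introlist` markers added before `Then we constrain the $a_i$ as follows:` and before the second `For` loop match the layout convention used in the previous hunk.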
|
|
@ -10865,6 +10867,7 @@ The algorithm in \crossref{ccteddecompressvalidate} uses range checks with |
|
|
|
$c = \ParamS{r}-1$ to validate compressed Edwards points. In that case $n = 255$ and |
|
|
|
$k = 132$, so the cost of each such range check is $387$ constraints. |
|
|
|
|
|
|
|
\introsection |
|
|
|
\nnote{It is possible to optimize the computation of $\Pi_{\barerange{t}{n-2}}$ further. |
|
|
|
Notice that $\Pi_m$ is only used when $m$ is the index of the last bit of a |
|
|
|
run of $1$ bits in $c$. So for each run of $N$ $1$ bits, it is sufficient to compute |
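Review bot: the `\introsection` added before the `\nnote` keeps the note from being split across a page boundary at its first line, consistent with the `\introlist` markers added in the earlier hunks; a short comment saying that is the intent would help the next editor. On the numbers in the preceding paragraph, $387 = 255 + 132$, i.e. $n + k$, but the cost formula that yields this is not in the hunk, so either give it here or cross-reference the section that defines $k$. The optimisation stated in the note agrees with the constraint structure in the hunk at 10793: $\Pi_{i+1}$ is consulted only in the $c_i = 0$ branch, so only the $\Pi_m$ at the low end of each run of $1$ bits in $c$ is ever read, and a run of trailing $1$ bits (the $t$ case above) needs no $\Pi$ at all because no $c_i = 0$ lies below it.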
|
|
|