|
|
|
@ -1113,7 +1113,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg |
|
|
|
\newcommand{\TransmitCiphertext}[1]{\Ctext^\enc_{#1}} |
|
|
|
\newcommand{\TransmitKey}[1]{\Key^\enc_{#1}} |
|
|
|
\newcommand{\OutCiphertext}{\Ctext^\mathsf{out}} |
|
|
|
\newcommand{\Extractor}[1]{\mathcal{E}_{#1}} |
|
|
|
\newcommand{\Extractor}[1]{\mathcal{E}_{\kern-0.05em{#1}}} |
|
|
|
\newcommand{\Adversary}{\mathcal{A}} |
|
|
|
\newcommand{\Oracle}{\mathsf{O}} |
|
|
|
\newcommand{\CryptoBoxSeal}{\mathsf{crypto\_box\_seal}} |
|
|
|
@ -6724,7 +6724,7 @@ Define $\RedDSAVerify{} \typecolon (\vk \typecolon \RedDSAPublic) \times (M \typ |
|
|
|
let $\RedDSAReprS{}$ be the remaining $\ceiling{\bitlength(\ParamG{r})/8}$ bytes. |
|
|
|
\item Let $\RedDSASigR{} = \abstG{}\big(\LEOStoBSP{\ellG{}}(\RedDSAReprR{})\kern-0.15em\big)$, and |
|
|
|
let $\RedDSASigS{} = \LEOStoIP{8 \mult \length(\RedDSAReprS{})}(\RedDSAReprS{})$. |
|
|
|
\item Let $\vkBytes{} = \LEBStoOSPOf{\ellG{}}{\reprG{}\Of{\vk}}$. |
|
|
|
\item Let $\vkBytes{} = \LEBStoOSPOf{\ellG{}}{\reprG{}\Of{\vk}\kern 0.03em}$. |
|
|
|
\vspace{-0.5ex} |
|
|
|
\item Let $\RedDSASigc{} = \RedDSAHashToScalar(\RedDSAReprR{} \bconcat \vkBytes{} \bconcat M)$. |
|
|
|
\vspace{0.5ex} |
|
|
|
@ -9779,9 +9779,9 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. |
|
|
|
\item Correct some uses of $\ParamJ{r}$ that should have been $\ParamS{r}$ or $q$. |
|
|
|
\item Correct uses of $\LEOStoIP{\ell}$ in $\RedDSAVerify{}$ and $\RedDSABatchVerify{}$ |
|
|
|
to ensure that $\ell$ is a multiple of $8$ as required. |
|
|
|
\item Minor changes to avoid clashing notation, affecting extractors |
|
|
|
$\Extractor{\Adversary}$, Edwards curves $\Edwards{a,d}$, and Montgomery curves |
|
|
|
$\Montgomery{A,B}$. |
|
|
|
\item Minor changes to avoid clashing notation for |
|
|
|
Edwards curves $\Edwards{a,d}$, Montgomery curves $\Montgomery{A,B}$, and |
|
|
|
extractors $\Extractor{\Adversary}$. |
|
|
|
} %sapling |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
@ -9793,7 +9793,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. |
|
|
|
\item No changes to \Sprout. |
|
|
|
\sapling{ |
|
|
|
\item Give an informal security argument for Unlinkability of \diversifiedPaymentAddresses |
|
|
|
based on to reduction to \keyPrivacy of ElGamal encryption, for which a security proof |
|
|
|
based on reduction to \keyPrivacy of ElGamal encryption, for which a security proof |
|
|
|
is given in \cite{BBDP2001}. (This argument has gaps which will be addressed in a future |
|
|
|
version.) |
|
|
|
\item Add a reference to \cite{BGM2018} for the \Sapling \zkSNARK parameters. |
|
|
|
@ -11316,7 +11316,7 @@ implement the affine-Montgomery addition $P_1 + P_2 = (x_3, y_3)$ for all such $ |
|
|
|
|
|
|
|
\begin{proof} |
|
|
|
The given constraints are equivalent to the Montgomery addition formulae |
|
|
|
under the side condition $x_1 \neq x_2$. (Note that neither $P_i$ can be |
|
|
|
under the side condition that $x_1 \neq x_2$. (Note that neither $P_i$ can be |
|
|
|
the zero point since $k_\barerange{1}{2} \neq 0 \pmod s$.) |
|
|
|
Assume for a contradiction that $x_1 = x_2$. For any |
|
|
|
$P_1 = \scalarmult{k_1}{Q}$, there can be only one other point $-P_1$ with |
|
|
|
@ -11993,7 +11993,7 @@ Check & Implements & \heading{Cost} & Reference \\ |
|
|
|
& \textbf{Diversified address integrity} & 392 & \shortcrossref{ccteddecompressvalidate} \\ \hline |
|
|
|
$\AuthProvePublicRepr = \reprJ(\AuthProvePublic)$ |
|
|
|
& \textbf{Nullifier integrity} & 392 & \shortcrossref{ccteddecompressvalidate} \\ \hline |
|
|
|
$\InViewingKeyRepr = \ItoLEBSP{251}\big(\CRHivk(\AuthSignPublic, \AuthProvePublic)\big)\;\dagger$ |
|
|
|
$\InViewingKeyRepr = \ItoLEBSP{251}\big(\CRHivk(\AuthSignPublic, \AuthProvePublic)\kern-0.08em\big)\;\dagger$ |
|
|
|
& \textbf{Diversified address integrity} & 21262 & \shortcrossref{cctblake2s} \\ \hline |
|
|
|
$\DiversifiedTransmitBase$ is on the curve |
|
|
|
& $\DiversifiedTransmitBase \typecolon \GroupJ$ & 4 & \shortcrossref{cctedvalidate} \\ \hline |
|
|
|
@ -12014,7 +12014,7 @@ Check & Implements & \heading{Cost} & Reference \\ |
|
|
|
& \textbf{Note commitment integrity} & ? & \shortcrossref{cctwindowedcommit} ($\ell = 576$) \\ \hline |
|
|
|
$\cmURepr = \ExtractJ(\cm)$ |
|
|
|
& \textbf{Merkle path validity} & 0 & \\ \cline{1-1}\cline{3-4} |
|
|
|
$\rt'$ is the root of a Merkle tree with leaf $\cmU$ and authentication path $(\TreePath{}, \NotePositionRepr)$ |
|
|
|
\raggedright $\rt'$ is the root of a Merkle tree with leaf $\cmU$, and authentication path $(\TreePath{}, \NotePositionRepr)$ |
|
|
|
& & 32 \mult 1369 & \shortcrossref{cctmerklepath} \\ \cline{1-1}\cline{3-4} |
|
|
|
$\NotePositionRepr = \ItoLEBSPOf{\MerkleDepthSapling}{\NotePosition}$ |
|
|
|
& & 1 & \shortcrossref{cctmodpack} \\ \cline{1-1}\cline{3-4} |
|
|
|
|
Daira Hopwood
6 years ago