@ -3298,6 +3298,7 @@ A \block satisfies the Proof of Work if and only if: |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
|
|
|
|
\introsection |
|
|
|
\nsubsubsection{Equihash} \label{equihash} |
|
|
|
|
|
|
|
An instance of the Equihash algorithm is parameterized by positive integers $n$ and $k$, |
|
|
@ -3346,16 +3347,21 @@ $\vxor{j=1}{2^k} X_{i_j} = 0$. |
|
|
|
\subparagraph{Algorithm Binding conditions} |
|
|
|
|
|
|
|
\introlist |
|
|
|
For all $r \in \range{1}{k\!-\!1}$, for all $w \in \range{0}{2^{k-r}\!-\!1}$: |
|
|
|
\begin{itemize} |
|
|
|
\item $\vxor{j=1}{2^r} X_{i_{w \mult 2^r + j}}$ has $\frac{n \mult r}{k+1}$ leading zeroes; and |
|
|
|
\item $i_{w \mult 2^r + 1 .. w \mult 2^r + 2^{r-1}} < i_{w \mult 2^r + 2^{r-1} + 1 .. w \mult 2^r + 2^r}$ lexicographically. |
|
|
|
\item For all $r \in \range{1}{k\!-\!1}$, for all $w \in \range{0}{2^{k-r}\!-\!1}: |
|
|
|
\vxor{j=1}{2^r} X_{i_{w \mult 2^r + j}}$ has $\frac{n \mult r}{k+1}$ leading zeroes; and |
|
|
|
\item For all $r \in \range{1}{k}$, for all $w \in \range{0}{2^{k-r}\!-\!1}: |
|
|
|
i_{w \mult 2^r + 1 .. w \mult 2^r + 2^{r-1}} < |
|
|
|
i_{w \mult 2^r + 2^{r-1} + 1 .. w \mult 2^r + 2^r}$ lexicographically. |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
\pnote{ |
|
|
|
This does not include a difficulty condition, because here we are defining validity |
|
|
|
of an Equihash solution independent of difficulty. |
|
|
|
} |
|
|
|
\begin{pnotes} |
|
|
|
\item This does not include a difficulty condition, because here we are |
|
|
|
defining validity of an Equihash solution independent of difficulty. |
|
|
|
\item Previous versions of this specification incorrectly specified the |
|
|
|
range of $r$ to be $\range{1}{k\!-\!1}$ for both parts of the algorithm |
|
|
|
binding condition. The implementation in \zcashd was as intended. |
|
|
|
\end{pnotes} |
|
|
|
|
|
|
|
\introlist |
|
|
|
An Equihash solution with $n = 200$ and $k = 9$ is encoded in the $\solution$ |
|
|
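Review bot: in the two new `\item` lines the math mode opened at `for all $w \in \range{0}{2^{k-r}\!-\!1}:` is not closed until after the formula on the following line, so the colon and the line break sit inside math mode and the colon is typeset as a relation with spacing on both sides; the removed form closed math before the colon (`\range{0}{2^{k-r}\!-\!1}$:`), and the new items should do the same, e.g. `for all $w \in \range{0}{2^{k-r}\!-\!1}$: $\vxor{j=1}{2^r} X_{i_{w \mult 2^r + j}}$ has` and likewise before `i_{w \mult 2^r + 1 .. w \mult 2^r + 2^{r-1}} <`. The range change itself checks out: at $r = k$ the only value of $w$ is $0$, so the second item reduces to the lexicographic ordering of the two halves $i_{1 .. 2^{k-1}} < i_{2^{k-1}+1 .. 2^k}$ of the whole solution, while the leading-zeroes item correctly stops at $k-1$ because the $r = k$ case is the full-XOR condition $\vxor{j=1}{2^k} X_{i_j} = 0$ already stated in the hunk's header context, and the new pnotes item documents exactly this correction.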
@ -3944,9 +3950,10 @@ to 254 bits in the input to $\PRFsn{}$ (which corresponds to $\PRFnf{}$ in \Zcas |
|
|
|
Also, $\hSig$ is truncated from 256 to 253 bits in the input to $\PRFpk{}$. |
|
|
|
These truncations are not taken into account in the security proofs. |
|
|
|
|
|
|
|
\introlist |
|
|
|
Both truncations affect the validity of the proof sketch for Lemma D.2 in |
|
|
|
the proof of Ledger Indistinguishability in \cite[Appendix D]{BCG+2014}. |
|
|
|
|
|
|
|
\introlist |
|
|
|
In more detail: |
|
|
|
|
|
|
|
\begin{itemize} |
|
|
@ -4186,6 +4193,8 @@ The errors in the proof of Ledger Indistinguishability mentioned in |
|
|
|
\subparagraph{2017.0-beta-2.7} |
|
|
|
|
|
|
|
\begin{itemize} |
|
|
|
\item Fix an off-by-one error in the specification of the Equihash algorithm |
|
|
|
binding condition. (The implementation in \zcashd was as intended.) |
|
|
|
\item Correct the types and consensus rules for \transactionVersionNumbers |
|
|
|
and \blockVersionNumbers. (Again, the implementation in \zcashd was as |
|
|
|
intended.) |
|
|
|
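Review bot: the second changelog item, `Correct the types and consensus rules for \transactionVersionNumbers and \blockVersionNumbers`, has no corresponding hunk in this diff (the other hunks touch only the Equihash binding condition, the truncation notes and this changelog), so either that change should be included in the same commit or the entry should move to the commit that actually makes it. For the first item, state what the off-by-one was so the entry can be checked against the spec text, e.g. `Fix an off-by-one error in the specification of the Equihash algorithm binding condition (the range of $r$ for the lexicographic-ordering part is $\range{1}{k}$, not $\range{1}{k\!-\!1}$). (The implementation in \zcashd was as intended.)`.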