Proposed fix for domain separation and truncation.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
8 years ago · ce18d51650
2 changed files with 59 additions and 44 deletions
--- a/protocol/protocol.pdf
+++ b/protocol/protocol.pdf
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@ -87,6 +87,7 @@
 \newcommand{\PrivateAddress}{\mathsf{addr_{sk}}}
 \newcommand{\PublicAddressLeadByte}{\mathbf{0x92}}
 \newcommand{\PrivateAddressLeadByte}{\mathbf{0x93}}
+\newcommand{\CoinCommitmentLeadByte}{\mathbf{0xF0}}
 \newcommand{\SpendAuthorityPublic}{\mathsf{a_{pk}}}
 \newcommand{\SpendAuthorityPrivate}{\mathsf{a_{sk}}}
 \newcommand{\SpendAuthorityPublicOld}[1]{\mathsf{a^{old}_{pk,\mathnormal{#1}}}}
@ -112,7 +113,7 @@
 \newcommand{\CoinAddressPreRand}{\mathsf{\upvarphi}}
 \newcommand{\CoinCommitS}{\mathsf{s}}
 \newcommand{\TransmitPlaintextVersionByte}{\mathbf{0x00}}
-\newcommand{\hSigInputVersionByte}{\mathbf{0x00}}
+\newcommand{\hSigInputVersionByte}{\mathbf{0xF1}}
 \newcommand{\Memo}{\mathsf{memo}}
 \newcommand{\CryptoBox}{\mathsf{crypto\_box}}
 \newcommand{\CryptoBoxOpen}{\mathsf{crypto\_box\_open}}
@ -243,55 +244,63 @@ $(x, y) \neq (x', y')$ such that $\PRFsn{x}(y) = \PRFsn{x'}(y')$\changed{, and s
 for $\PRFrho{}$}.

 In \Zcash, the $\SHAName$ function is used to construct all four of these
-functions. The bits $\mathtt{00}$, $\mathtt{01}$, $\mathtt{10}$\changed{, and
-$\mathtt{11}$} are included (respectively) within the blocks that are hashed,
+functions. The bits \changed{$\mathtt{000}$, $\mathtt{001}$, $\mathtt{01x}$, and
+$\mathtt{10x}$} are included (respectively) within the blocks that are hashed,
 ensuring that the functions are independent.

+\newcommand{\iminusone}{\hspace{0.3pt}\scriptsize{$i$\hspace{0.6pt}-1}}
+
 \newsavebox{\addrbox}
 \begin{lrbox}{\addrbox}
-\begin{bytefield}[bitwidth=0.065em]{512}
-        \bitbox{242}{256 bit $\SpendAuthorityPrivate$} &
-        \bitbox{14}{0} &
-        \bitbox{14}{0} &
-        \bitbox{242}{$0^{254}$} &
+\begin{bytefield}[bitwidth=0.06em]{512}
+        \bitbox{18}{0} &
+        \bitbox{18}{0} &
+        \bitbox{18}{0} &
+        \bitbox{18}{0} &
+        \bitbox{224}{252 bit $\SpendAuthorityPrivate$} &
+        \bitbox{256}{$0^{256}$} &
 \end{bytefield}
 \end{lrbox}

 \newsavebox{\snbox}
 \begin{lrbox}{\snbox}
-\begin{bytefield}[bitwidth=0.065em]{512}
-        \bitbox{242}{256 bit $\SpendAuthorityPrivate$} &
-        \bitbox{14}{0} &
-        \bitbox{14}{1} &
-        \bitbox{242}{$\Leading{254}(\CoinAddressRand)$} &
+\begin{bytefield}[bitwidth=0.06em]{512}
+        \bitbox{18}{0} &
+        \bitbox{18}{0} &
+        \bitbox{18}{0} &
+        \bitbox{18}{1} &
+        \bitbox{224}{252 bit $\SpendAuthorityPrivate$} &
+        \bitbox{256}{256 bit $\CoinAddressRand$} &
 \end{bytefield}
 \end{lrbox}

 \newsavebox{\pkbox}
 \begin{lrbox}{\pkbox}
-\begin{bytefield}[bitwidth=0.065em]{512}
-        \bitbox{242}{256 bit $\SpendAuthorityPrivate$} &
-        \bitbox{14}{1} &
-        \bitbox{14}{0} &
-        \bitbox{14}{$i$} &
-        \bitbox{228}{$\Leading{253}(\hSig)$}
+\begin{bytefield}[bitwidth=0.06em]{512}
+        \bitbox{18}{0} &
+        \bitbox{18}{0} &
+        \bitbox{18}{1} &
+        \bitbox{18}{\iminusone} &
+        \bitbox{224}{252 bit $\SpendAuthorityPrivate$} &
+        \bitbox{256}{256 bit $\hSig$}
 \end{bytefield}
 \end{lrbox}

 \newsavebox{\rhobox}
 \begin{lrbox}{\rhobox}
 \setchanged
-\begin{bytefield}[bitwidth=0.065em]{512}
-        \bitbox{242}{256 bit $\CoinAddressPreRand$} &
-        \bitbox{14}{1} &
-        \bitbox{14}{1} &
-        \bitbox{14}{$i$} &
-        \bitbox{228}{$\Leading{253}(\hSig)$}
+\begin{bytefield}[bitwidth=0.06em]{512}
+        \bitbox{18}{0} &
+        \bitbox{18}{1} &
+        \bitbox{18}{0} &
+        \bitbox{18}{\iminusone} &
+        \bitbox{224}{252 bit $\CoinAddressPreRand$} &
+        \bitbox{256}{256 bit $\hSig$}
 \end{bytefield}
 \end{lrbox}

-\nathan{Note: If we change input arity (i.e. $\NOld$), we need to be aware of how it
-is associated with this bit-packing.}
+\nathan{Note: If we change input or output arity (i.e. $\NOld$ or $\NNew$), we
+need to be aware of how it is associated with this bit-packing.}

 \begin{equation*}
 \begin{aligned}
@ -303,9 +312,6 @@ is associated with this bit-packing.}
 \end{aligned}
 \end{equation*}

-\daira{Should we instead define $\CoinAddressRand$ to be 254 bits and $\hSig$ to be
-253 bits?}
-
 \subsection{Confidential Addresses and Private Keys}

 \nathan{This term, \publicAddress, may be confusing by comparison to
@ -441,20 +447,24 @@ break of the IK-CCA (key privacy) property.
 \subsubsection{Coin Commitments}

 The underlying $\Value$ and $\SpendAuthorityPublic$ are blinded with $\CoinAddressRand$
-and $\CoinCommitRand$ using the collision-resistant hash function $\FullHash$.
+and $\CoinCommitRand$ using the collision-resistant hash function \changed{$\FullHash$}.
 The resulting hash $\cm = \CoinCommitment{\Coin}$.

 \newsavebox{\cmbox}
 \begin{lrbox}{\cmbox}
-\begin{bytefield}[bitwidth=0.045em]{832}
+\setchanged
+\begin{bytefield}[bitwidth=0.040em]{840}
+        \bitbox{80}{$\CoinCommitmentLeadByte$} &
 	\bitbox{256}{256 bit $\SpendAuthorityPublic$} &
-	\bitbox{96}{64 bit $\Value$} &
+	\bitbox{128}{64 bit $\Value$} &
 	\bitbox{256}{256 bit $\CoinAddressRand$}
 	\bitbox{256}{256 bit $\CoinCommitRand$} &
 \end{bytefield}
 \end{lrbox}

-$\cm := \FullHashbox{\cmbox}$
+\changed{
+\hskip 2em $\cm := \FullHashbox{\cmbox}$
+}

 \subsubsection{Serial numbers}

@ -751,8 +761,8 @@ The raw encoding of a confidential address consists of:
 \begin{equation*}
 \begin{bytefield}[bitwidth=0.07em]{520}
    \bitbox{48}{\changed{$\PublicAddressLeadByte$}} &
-    \bitbox{256}{$\SpendAuthorityPublic$ (32 bytes)} &
-    \bitbox{256}{A \changed{32-byte} encoding of $\TransmitPublic$}
+    \bitbox{256}{256 bit $\SpendAuthorityPublic$} &
+    \bitbox{256}{\changed{256 bit} $\TransmitPublic$}
 \end{bytefield}
 \end{equation*}

@ -761,8 +771,8 @@ The raw encoding of a confidential address consists of:
    \item A byte, $\PublicAddressLeadByte$, indicating this version of the
        raw encoding of a \Zcash public address.
 }
-    \item 32 bytes specifying $\SpendAuthorityPublic$.
-    \item \changed{32 bytes} specifying $\TransmitPublic$, \changed{using the
+    \item 256 bits specifying $\SpendAuthorityPublic$.
+    \item \changed{256 bits} specifying $\TransmitPublic$, \changed{using the
        normal encoding of a Curve25519 public key \cite{Curve25519}}.
 \end{itemize}

@ -784,21 +794,26 @@ The raw encoding of a confidential address secret consists of, in order:

 \begin{equation*}
 \begin{bytefield}[bitwidth=0.07em]{520}
-    \bitbox{48}{\changed{$\PrivateAddressLeadByte$}} &
-    \bitbox{256}{$\SpendAuthorityPrivate$ (32 bytes)} &
-    \bitbox{256}{$\TransmitPrivate$ (32 bytes)}
+    \bitbox{48}{$\PrivateAddressLeadByte$} &
+    \bitbox{24}{$0^4$} &
+    \bitbox{232}{252 bit $\SpendAuthorityPrivate$} &
+    \bitbox{256}{256 bit $\TransmitPrivate$}
 \end{bytefield}
 \end{equation*}

 \begin{itemize}
 \changed{
    \item A byte $\PrivateAddressLeadByte$ indicating this version of the
-        raw encoding of a \Zcash private key.
+          raw encoding of a \Zcash private key.
+    \item 4 zero padding bits.
 }
-    \item 32 bytes specifying $\SpendAuthorityPrivate$.
-    \item 32 bytes specifying $\TransmitPrivate$.
+    \item \changed{252} bits specifying $\SpendAuthorityPrivate$.
+    \item 256 bits specifying $\TransmitPrivate$.
 \end{itemize}

+Note that, consistent with big-endian encoding, the zero padding occupies
+the high-order 4 bits of the second byte.
+
 \daira{check that this lead byte is distinct from other Bitcoin stuff,
 and produces `z' as the Base58Check leading character.}