|
|
|
@ -108,7 +108,7 @@ |
|
|
|
\newcommand{\TransmitDecrypt}[1]{\mathsf{Decrypt}_{#1}} |
|
|
|
\newcommand{\CRH}{\mathsf{CRH}} |
|
|
|
\newcommand{\CRHbox}[1]{\CRH\left(\;\raisebox{-1.3ex}{\usebox{#1}}\;\right)} |
|
|
|
\newcommand{\CryptoBoxSealHash}{\mathsf{blake2b}} |
|
|
|
\newcommand{\CryptoBoxSealHash}{\mathtt{SHA256}} |
|
|
|
\newcommand{\CryptoBoxSealHashbox}[1]{\CryptoBoxSealHash\left(\;\raisebox{-1.3ex}{\usebox{#1}}\;\right)} |
|
|
|
\newcommand{\PRF}[2]{\mathsf{{PRF}^{#2}_\mathnormal{#1}}} |
|
|
|
\newcommand{\PRFaddr}[1]{\PRF{#1}{addr}} |
|
|
|
@ -216,6 +216,7 @@ the leading (initial) $k$ bits of its input. |
|
|
|
$\CRH$ is a collision-resistant hash function. In \Zcash, the $\SHAName$ function |
|
|
|
is used which takes a 512-bit block and produces a 256-bit hash. This is |
|
|
|
different from the $\SHAOrig$ function, which hashes arbitrary-length strings. |
|
|
|
\cite{sha256} |
|
|
|
|
|
|
|
$\PRF{x}{}$ is a pseudo-random function seeded by $x$. Three \emph{independent} |
|
|
|
$\PRF{x}{}$ are needed in our scheme: $\PRFaddr{x}$, $\PRFsn{x}$, and $\PRFpk{x}$. |
|
|
|
@ -369,10 +370,11 @@ ciphertext component as follows: |
|
|
|
Any ciphertext components that fail to decrypt with a given recipient's private key |
|
|
|
will be ignored. |
|
|
|
|
|
|
|
(This is a variation on the $\CryptoBoxSeal$ algorithm defined in libsodium |
|
|
|
This is a variation on the $\CryptoBoxSeal$ algorithm defined in libsodium |
|
|
|
\cite{cryptoboxseal}, but with a single ephemeral key used for all encryptions in a |
|
|
|
given \PourDescription, and with the nonce for each ciphertext component depending |
|
|
|
on the index $i$.) |
|
|
|
on the index $i$. Also, $\CryptoBoxSealHash$ (the full hash, not the compression |
|
|
|
function) is used instead of $\mathsf{blake2b}$. |
|
|
|
|
|
|
|
\subparagraph{Coin Commitments} |
|
|
|
|
|
|
|
|
Daira Hopwood
8 years ago