|
|
@ -1151,6 +1151,8 @@ i.e.\ it should not be feasible to find $(x, y) \neq (x', y')$ such that |
|
|
|
$\PRFnf{x}(y) = \PRFnf{x'}(y')$\changed{, and similarly for $\PRFaddr{}$ and $\PRFrho{}$}. |
|
|
|
} |
|
|
|
|
|
|
|
\pnote{$\PRFnf{}$ was called $\PRFsn{}$ in \Zerocash \cite{BCG+2014}.} |
|
|
|
|
|
|
|
\nsubsubsection{\SymmetricEncryption} \label{abstractsym} |
|
|
|
|
|
|
|
Let $\Sym$ be an \symmetricEncryptionScheme with keyspace $\Keyspace$, encrypting |
|
|
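Review bot: the `\pnote` line placed after the closing `}` of the requirement uses `\PRFsn{}`, and no definition of that macro appears in this patch; confirm it is defined in the preamble, otherwise the build stops on an undefined control sequence. Separately, the sentence just above extends the collision-resistance requirement to `\PRFaddr{}` and `\PRFrho{}`, while the note maps only `\PRFnf{}` to its \Zerocash name. Consider stating whether the other two keep the names used in `\cite{BCG+2014}`, so a reader cross-checking the requirement against that paper can match all three functions.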
@ -3559,6 +3561,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in |
|
|
|
(The precise prefixes are not decided yet.) |
|
|
|
\item Clarify why $\Blake{\ell}$ is different from truncated $\Blake{512}$. |
|
|
|
\item Clarify a note about SU-CMA security for signatures. |
|
|
|
\item Add a note about $\PRFnf{}$ corresponding to $\PRFsn{}$ in \Zerocash. |
|
|
|
\item Add a paragraph about key length in \crossref{inbandrationale}. |
|
|
|
\item Add acknowledgements for John Tromp, Paige Peterson, Maureen Walsh, |
|
|
|
Jay Graber, and Jack Gavigan. |
|
|
|
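Review bot: the change-history item "Add a note about `$\PRFnf{}$` corresponding to `$\PRFsn{}$` in \Zerocash" does not say where the note was added, unlike the following item, which points the reader to `\crossref{inbandrationale}`. Add a `\crossref` to the section that carries the new `\pnote` so the entry is traceable from the history list, in the same style as its neighbour.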