|
|
@ -3370,6 +3370,16 @@ KDF to a given recipient key and seed. It is necessary to adapt the |
|
|
|
``HDH independence'' assumptions and the proof slightly to take into account |
|
|
|
that the ephemeral key is reused for two encryptions. |
|
|
|
|
|
|
|
Note that the 256-bit key for $\SymSpecific$ maintains a high concrete security |
|
|
|
level even under attacks using parallel hardware \cite{Bern2005} in the multi-user |
|
|
|
setting \cite{Zave2012}. This is especially necessary because the privacy of |
|
|
|
\Zcash transactions may need to be maintained far into the future, and upgrading |
|
|
|
the encryption algorithm would not prevent a future adversary from attempting |
|
|
|
to decrypt ciphertexts encrypted before the upgrade. Other cryptovalues that |
|
|
|
could be attacked to break the privacy of transactions are also sufficiently long |
|
|
|
to resist parallel brute force in the multi-user setting: $\AuthPrivate$ is 252 bits, |
|
|
|
and $\TransmitPrivate$ is no shorter than $\AuthPrivate$. |
|
|
|
|
|
|
|
|
|
|
|
\nsubsection{Omission in \Zerocash security proof} \label{crprf} |
|
|
|
|
|
|
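Review bot: the closing claim that $\TransmitPrivate$ "is no shorter than $\AuthPrivate$" is not checkable from the paragraph as written; state the actual bit length of $\TransmitPrivate$ (or say how it is derived from $\AuthPrivate$ so that the lower bound follows) alongside the explicit "252 bits" given for $\AuthPrivate$, since the point of the paragraph is a concrete multi-user brute-force margin. The same sentence should also say what "attacked to break the privacy of transactions" means for these two keys, as it does for the 256-bit $\SymSpecific$ key (long-lived ciphertexts that survive an algorithm upgrade). Please also confirm that the new citation keys `Bern2005` and `Zave2012` exist in the bibliography; neither is visible in this diff, and an undefined key will only show up as a warning and a "[?]" in the PDF.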
@ -3468,6 +3478,12 @@ The errors in the proof of Ledger Indistinguishability mentioned in |
|
|
|
|
|
|
|
\nsection{Change history} |
|
|
|
|
|
|
|
\subparagraph{2016.0-beta-1.6} |
|
|
|
|
|
|
|
\begin{itemize} |
|
|
|
\item Add a paragraph about key length in \crossref{inbandrationale}. |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
\subparagraph{2016.0-beta-1.5} |
|
|
|
|
|
|
|
\begin{itemize} |
|
|
|
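Review bot: the new change-history item points at `\crossref{inbandrationale}`, but the label of the section receiving the key-length paragraph is not visible in this diff (the only label shown near the inserted text is `crprf`, for the following subsection), so please verify that `inbandrationale` is the label of the in-band secret distribution rationale section and that a `\crossref` to it resolves; a mismatched label would make this entry link to the wrong place or fail silently. It would also help readers if the entry named what the paragraph argues (multi-user, parallel brute-force resistance of the 256-bit symmetric key and the private keys) rather than only "key length", matching the level of detail of the other entries in this list.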