@ -1665,7 +1665,7 @@ for a given key. The security notions INT-CTXT and IND-CPA are as defined in |
|
|
|
\cite{BN2007}. |
|
|
|
} |
|
|
|
|
|
|
|
\nsubsubsection{\KeyAgreement} \label{abstractkeyagreement} |
|
|
|
\nsubsubsection{\KeyAgreement} \label{concretekeyagreement} |
|
|
|
|
|
|
|
A \keyAgreementScheme is a cryptographic protocol in which two parties agree |
|
|
|
a shared secret, each using their private key and the other party's public key. |
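Review bot: renaming the label under the second `\nsubsubsection{\KeyAgreement}` from `abstractkeyagreement` to `concretekeyagreement` will break any existing `\crossref{abstractkeyagreement}` that was meant to reach this concrete section, so grep for the old label and confirm each remaining use really points at the abstract section; if the duplicate label was the reason for the change, check that the build no longer reports multiply-defined labels. Minor wording in the context line: "two parties agree a shared secret" should read "two parties agree on a shared secret".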
|
|
@ -2591,7 +2591,7 @@ The motivations for this change were as follows: |
|
|
|
encrypted in each \joinSplitDescription. |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
\nsubsection{Omission in \Zerocash security proof} |
|
|
|
\nsubsection{Omission in \Zerocash security proof} \label{crprf} |
|
|
|
|
|
|
|
The abstract \Zerocash protocol requires $\PRFaddr{}$ only to be a PRF; |
|
|
|
it is not specified to be collision-resistant. This reveals a flaw in |
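Review bot: the new label `crprf` is opaque next to the descriptive labels used elsewhere in this patch (`concretekeyagreement`, `merklepathvalidity`); a name that says what the subsection is about, such as one mentioning the collision-resistance requirement on $\PRFaddr{}$, would make `\crossref{...}` call sites readable without looking the label up. Also confirm the label is unique in the document, since the same `\nsubsection{Omission in \Zerocash security proof}` heading text now carries it and a clash would silently redirect the cross-reference.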
|
|
@ -2729,7 +2729,7 @@ of $\PRFaddr{}$ was found by Daira Hopwood. |
|
|
|
\item Clarify endianness, and that uses of $\BlakeGeneric$ are unkeyed. |
|
|
|
\item Minor correction to what \sighashTypes cover. |
|
|
|
\item Add ``as intended for the \Zcash release of summer 2016" to title page. |
|
|
|
\item Require $\PRFaddr{}$ to be collision-resistant. \cite{ticket836} |
|
|
|
\item Require $\PRFaddr{}$ to be collision-resistant (see \crossref{crprf}). |
|
|
|
\item Add specification of path computation for the \incrementalMerkleTree. |
|
|
|
\item Add a note in \crossref{merklepathvalidity} about how this condition |
|
|
|
corresponds to conditions in the \Zerocash paper. |
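Review bot: replacing `\cite{ticket836}` with `(see \crossref{crprf})` on the collision-resistance changelog item drops the only pointer to the ticket that motivated the change; the internal cross-reference and the external citation serve different readers, so keep both, e.g. `\item Require $\PRFaddr{}$ to be collision-resistant (see \crossref{crprf}). \cite{ticket836}`. If the citation is intentionally removed, check that `ticket836` is still cited somewhere else or remove the bibliography entry so it does not become an unused reference.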
|
|
|