@ -202,6 +202,10 @@ It is required that $\PRFsn{x}$ be collision-resistant across all $x$ --- i.e. i |
|
|
|
should not be feasible to find $(x, y) \neq (x', y')$ such that |
|
|
|
$\PRFsn{x}(y) = \PRFsn{x'}(y')$. |
|
|
|
|
|
|
|
\nathan{Self-Study: Do failure analysis if we \emph{lack} collision |
|
|
|
resistance for $\PRFaddr{x}$ and/or $\PRFpk{x}$. Otherwise we should |
|
|
|
update this last statement to more generally cover all these PRfs.} |
|
|
|
|
|
|
|
In \Zcash, the $\SHAName$ function is used to construct all three of these |
|
|
|
functions. The bits $\mathtt{00}$, $\mathtt{01}$ and $\mathtt{10}$ are included |
|
|
|
(respectively) within the blocks that are hashed, ensuring that the functions are |
|
|
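Review bot: the `\nathan{Self-Study: ...}` note inserted after the "$\PRFsn{x}(y) = \PRFsn{x'}(y')$" line leaves the collision-resistance requirement stated only for $\PRFsn{x}$, although the paragraph that follows builds all three PRFs from $\SHAName$ with the domain-separating bits $\mathtt{00}$, $\mathtt{01}$ and $\mathtt{10}$, so the same cross-$x$ collision resistance is implicitly relied on for $\PRFaddr{x}$ and $\PRFpk{x}$ as well. Rather than leaving an open self-study question in the document body, state the requirement once for all three functions ("It is required that $\PRFsn{x}$, $\PRFaddr{x}$ and $\PRFpk{x}$ each be collision-resistant across all $x$") or record the failure analysis as a tracked issue; also fix the typo "PRfs" to "PRFs" in the note.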
@ -557,6 +561,15 @@ for each $i \in \{1..\NOld\}$: $\h{i}$ = $\PRFpk{\SpendAuthorityPrivateOld{i}}(i |
|
|
|
|
|
|
|
for each $i \in \{1..\NNew\}$: $\cmNew{i}$ = $\CoinCommitment{\cNew{i}}$ |
|
|
|
|
|
|
|
\nathan{Naming these is excellent. It takes a bit of squinting to match |
|
|
|
them to the paper though, so maybe explicitly naming which paper Pour |
|
|
|
substatement they map to would be useful?} |
|
|
|
|
|
|
|
\nathan{I'd prefer to place the Balance property (which is ``global'') |
|
|
|
first, then group the for-each assertions into those for input coins |
|
|
|
and those for output coins. Is there an order in this presentation that |
|
|
|
I'm missing?} |
|
|
|
|
|
|
|
\section{Encoding Addresses, Private keys, Coins, and Pour descriptions} |
|
|
|
|
|
|
|
This section describes how \Zcash encodes public addresses, private keys, |
|
|
|
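Review bot: the two `\nathan{...}` remarks added after the "for each $i \in \{1..\NNew\}$: $\cmNew{i}$ = $\CoinCommitment{\cNew{i}}$" line are review questions rather than specification content, and both are answerable within this change. The first (mapping each named assertion to the corresponding Pour substatement in the paper) can be resolved by labelling each assertion with the substatement it implements, and the second (placing the global Balance property first, then grouping the for-each assertions into input-coin and output-coin checks) is a reordering that should either be applied here or rejected with a one-line reason, so the question does not persist in the text before `\section{Encoding Addresses, Private keys, Coins, and Pour descriptions}`. If inline annotations via `\nathan` are to stay in the source, keep them conditional on a draft build so they cannot leak into a released version of the document.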