[ZIP 32] Shielded Hierarchical Deterministic Wallets

[str4d]

No description provided.

[daira]

scalar multiplication of the (elliptic curve) group element P by the scalar k.

[daira]

Nitpick: *sk*, *t* (the comma should not be in italic :-) )

[daira]

With hindsight, it would have been useful to support an "address derivation key" which allows creating (and linking) diversified addresses but without being able to decrypt notes sent to them. I don't see a way to do this with Sapling's current key derivation structure, though. We should consider this issue for the next circuit upgrade — at which time we'll have more experience with diversified addresses.

(Aside: Sapling payment addresses were intentionally made not to be "rediversifiable" –i.e. it is not possible to create one diversified address directly from another– as part of preventing Brian Warner's attack in which a note for one address is encrypted to a different address in order to attempt to link them. But that attack does not preclude support for an address derivation key, because we would not be trying to prevent linking of addresses given this key.)

[daira]

s/key/keys/

[daira]

Add a note that all testnets share coin_type index 1.

[daira]

This only makes sense if you already know that the motivation for using separate change addresses in Bitcoin was to attempt to improve privacy.

[daira]

We need some discussion of diversifier collisions here. If wallet implementors attempt to do this in the most obvious way, they will start to hit collisions after ~2⁴⁴ (or fewer, with lower probability) addresses. Should we define a PRP-based derivation method?

[daira]

Correction: ~2^43.5 (because half of diversifiers are invalid). And the maximum number is 2⁸⁷.

[str4d]

@daira and I had a pairing to figure out how to derive pseudo-random diversifiers without hitting the 2⁴⁴ birthday bound on collisions, by using a PRP. We've decided to use FFX-A2 (as being considered by NIST), with 88-bit messages and the zero-length byte string as tweak. The one additional change we are making is to use 256-bit AES keys (matching the rest of the key material); as the key size is not technically a tunable parameter within the A2 parameter set, we will refer to this as FFX-AES256-A2. EDIT: NIST standardised this in SP 800-38G as FF1-AES256.

[str4d]

Hmm, we need to be clearer here: it's not simply j = 0, but the first j that results in a valid diversifier.

[str4d]

Hmm, does unkeyed BLAKE2b-512 in sequential mode, with an output digest length of 64 bytes (and likewise for BLAKE2b-256) convey the correct meaning? We want to indicate that the only difference between the two is the digest length (so maybe unkeyed BLAKE2b in [...], but that it is not the same thing as truncating (so maybe we need more than output digest length).

[daira]

This is the same wording as in the protocol spec, and I believe it's unambiguous.

[str4d]

Put ASK after c to match the Sapling encodings.

[arielgabizon]

update these links to protocol.pdf

[daira]

The filename changes weren't made until 2018.0-beta-25. But it's correct to update it to protocol.pdf if the version is changed to be later than that.

[arielgabizon]

Change to "Deriving a normal child extended full viewing key from a parent extended full viewing key"?

[daira]

Isn't this implied? The subheading above it doesn't say "Deriving a child extended spending key from a parent extended spending key".

[arielgabizon]

dk seems better than dk_i in this section

[daira]

Only if d_i,j is also changed to d_j.

[arielgabizon]

perhaps add 'as defined above' after 'default diversifier'

[arielgabizon]

In summary to discussions, would change sentence to
"Furthermore, Wallets MUST support generating the default payment address (corresponding to the default diversifier as defined above) for any account they support".

[arielgabizon]

perhaps add 'prime order subgroup' after 'elliptic curve'

[arielgabizon]

add 'for any account' in {0,..,2^31-1}' ?

[arielgabizon]

via -> similarly - cause dk isn't in the Sapling derivation

[arielgabizon]

Could you elaborate about what you mean 'running into the birthday problem'? I think you mean also you want to get some independence of diversifier sequences of different base keys. If I just want no collisions, I could define d_{i,j} = j.

[daira]

Yes, diversifiers should follow an independent random sequence for each ivk. Otherwise, the diversifier leaks information about how many previous diversifiers were obtained from that ivk.

[arielgabizon]

That makes sense, this should be explained though.. added two new comments with suggested phrasings.

[ebfull]

My ACK is to indicate that I approve of the design -- though I would personally have advocated against specifying a Sprout key derivation model. Also, I think it may be worth mentioning the security properties like BIP32 does. (We should indicate that using the same seed byte sequence for master key derivation in BIP32 and ZIP32 is fine, even though it may be obvious to some.)

I'm confused about how this document progresses through the ZIP process, and whether we're supposed to label this as a draft or not. Do we not merge until we have test vectors and the spec is complete?

[arielgabizon]

account -> account'

[str4d]

Account is already defined earlier up as hardened, so the meaning here is clear enough.

[str4d]

(and account is in range 0..2^31-1, while account' is technically in range 2^31..2^32-1 which doesn't read as easily)

[arielgabizon]

right.

[arielgabizon]

"without running into the birthday bound," --> "without running into repetitions due to the birthday bound,".

[arielgabizon]

Add after sentence "To prevent the diversifier leaking how many diversified addresses have already been generated for an account; we make the sequence of diversifiers pseudorandom and uncorrelated to that of any other account."