Remove the check that Merkle roots are not ⊥ for Orchard #530
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ecking that each intermediate Merkle root of the note commitment tree is not ⊥. Checking this rule would have imposed a significant performance penalty, since intermediate roots do not otherwise need to be computed. Signed-off-by: Daira Hopwood <daira@jacaranda.org>
…ace of MerkleHash^Orchard ∪ {⊥}
for the inputs and output, and map a ⊥ output from SinsemillaHash to 0.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
… any output of
MerkleCRH^Orchard is 0, and add a note in \crossref{merklepath} arguing that this is safe.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
…h}: the length of the input to SinsemillaHash is 10 + 2·ℓ^Orchard_Merkle bits, not 6 + 2·ℓ^Orchard_Merkle bits. Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
|
I suggest reviewing this commit-by-commit with the rendered PDF open. |
daira
changed the title
daira
commented
Jun 30, 2021
|
|
||
| \vspace{-1ex} | ||
| \consensusrule{The \merkleRoot of the \Orchard \noteCommitmentTree \MUSTNOT be $\bot$ | ||
| in any (intermediate or output) \treestate created by a \block.} |
There was a problem hiding this comment.
Note that after this change, the Orchard Merkle root in a final treestate (not just an intermediate treestate) is allowed to be 0. There's no advantage in making a distinction between intermediate and final roots, even if the latter is cheaper to check.
daira
commented
Jun 30, 2021
Comment on lines
+5931
to
+5935
| \item For \Sapling, Merkle \merkleHashes are specified to be encoded as bit sequences, but the | ||
| \merkleRoot $\rt{Sapling}$ is encoded for the \primaryInput of a \spendProof as an element | ||
| of $\GF{\ParamJ{q}}$, as specified in \crossref{cctsaplingspend}. The \spendCircuit allows | ||
| inputs to $\MerkleCRH{Sapling}$ at each \merkleNode to be \nonCanonicallyFieldElement encoded, | ||
| as specified in \crossref{cctmerklepath}. |
There was a problem hiding this comment.
This is just moving the existing note for formatting reasons.
daira
commented
Jun 30, 2021
Comment on lines
+5937
to
+5940
| \item For \Orchard, Merkle \merkleHashes have type $\MerkleHashOrchard$ as defined in | ||
| \crossref{concreteextractorpallas}. Similarly to \Sapling, the \actionCircuit allows | ||
| inputs to $\MerkleCRH{Orchard}$ at each \merkleNode to be \nonCanonicallyFieldElement | ||
| encoded. |
There was a problem hiding this comment.
Similarly, this is just moving the existing note into a list.
daira
commented
Jun 30, 2021
| \item It must be infeasible to find a input of length $6 + 2 \mult \MerkleHashLength{Orchard}$ | ||
| to $\SinsemillaHash$ that yields output $\bot$. | ||
| \item $\SinsemillaHash$ must be \collisionResistant. | ||
| \item It must be infeasible to find a input of length $10 + 2 \mult \MerkleHashLength{Orchard}$ |
There was a problem hiding this comment.
This was an independent typo.
daira
commented
Jun 30, 2021
| \end{securityrequirements} | ||
|
|
||
| \pnote{The prefix $l$ provides domain separation between inputs at different layers of the | ||
| \pnote{The prefix $\layerRepr$ provides domain separation between inputs at different layers of the |
There was a problem hiding this comment.
Similarly, an independent fix.
daira
commented
Jun 30, 2021
Comment on lines
+10876
to
+10877
| \item There is no solution to $y^2 = 0^3 + 5$ in $\GF{\ParamP{q}}$, and so $\ExtractP(P)$ | ||
| can only be $0$ when $P = \ZeroP$. |
There was a problem hiding this comment.
We need to say this in order to argue that MerkleCRHOrchard only returns 0 for the exceptional case that we proved would yield a discrete log.
nuttycom
added a commit
to nuttycom/orchard
that referenced
this pull request
Jun 30, 2021
nuttycom
added a commit
to nuttycom/orchard
that referenced
this pull request
Jun 30, 2021
nuttycom
approved these changes
Jun 30, 2021
therealyingtong
approved these changes
Jul 1, 2021
|
This was included in v2021.2.9. |
zkbot
added a commit
to zcash/zcash
that referenced
this pull request
Jul 9, 2021
…uttycom Update Orchard commitment tree hashes to use total MerkleCRH^Orchard. See zcash/zips#530
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.