Comments (8)
Thanks for the quick response:)
You say earlier you will only apply sha-256 on 512 bit blocks,
The PRF uses the SHA256 compression function over 512-bit blocks, but for the commitments, we use the full SHA256 hash.
In that case, you may want to clarify in sec 3.2 or 4.2.1, that when you use the name SHA256 rather than CRH you mean the full SHA256 hash
Great and helpful review!
So, for example, last bit of pk_{enc} is always 0?
I believe to avoid the point at infinity, yes.
Thanks for your review!
@arielgabizon wrote:
I would mention that notation and names of objects are different from zerocash paper. [...] In that context, it might even be good to have a `dictionary' of names here to names in zerocash paper.
+1, I will add that near the start.
sec 3.2 : I would mention that the `i-1' is mod 2
It isn't mod 2; i is always either 1 or 2.
You say pk_enc is 256 bytes[bits] long, but by looking at Daniel [Bernstein]'s paper on curve25519, it outputs an integer in range {0,..,2^255-19-1}. So, for example, last bit of pk_enc is always 0?
Yes. As the paper says in section 2, "Note that Curve25519 is not surjective: in particular, its final [i.e. most significant] output bit is always 0 and need not be transmitted." It is transmitted in this protocol. (This isn't anything to do with the point at infinity; it's just that a point is encoded as its x coordinate, and the size of that is not a multiple of 8 bits. The point at infinity is encoded as zero: X0(∞) = 0.)
Keys need not be validated; Curve25519 is well-defined on all inputs, and the ability to publish addresses with pk_enc not in the range of its output is not a security problem. I intend to add a Security Considerations section that will deal with issues like that.
Sec 5 - You haven't defined transaction.
Agreed, there's a forward reference problem here.
Page 10-11: It's hard to understand without context what v^old_pub and v^new_pub are. I am guessing v^new_pub is coins from the non-private part of the chain that are used in the transaction?
v^new_pub is transparent value output by the JoinSplit operation.
This should be explained. I did not see any place where it is explained that we are talking about a chain with public and anonymous coins at the same time
Agreed.
Page 14: `value stored' -> `a value stored' or `values stored'
"Value" is being used as a mass noun here.
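To make the pk_enc encoding point above concrete, here is an added example (it is not code from the zips thread, the Zcash spec, or either participant): a pure-Python X25519 following the RFC 7748 Montgomery ladder. It derives a public key from a private key, checks that bit 255 of the 32-byte little-endian encoding is 0 (because the x coordinate is an integer below 2^255-19), and shows that a 32-byte string with that bit set is still accepted and processed identically, which is the sense in which "keys need not be validated". The helper names (public_key, msb, is_canonical_pk_enc) are my own; the test vectors are the Alice/Bob pair from RFC 7748 section 6.1. The swap uses a plain branch rather than a constant-time cswap, so it is for illustration only, not for real key agreement.

```python
# Added example (not from the zips issue thread or the Zcash spec):
# X25519 per RFC 7748, used to show the top-bit property of Curve25519
# public-key encodings and that non-canonical encodings are still well-defined.

P = 2**255 - 19      # field prime
A24 = 121665         # (486662 - 2) / 4, the Montgomery ladder constant
BASE_POINT_U = 9     # Curve25519 base point u-coordinate


def decode_scalar(k: bytes) -> int:
    """Clamp a 32-byte private key as RFC 7748 section 5 requires."""
    assert len(k) == 32
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def decode_u(u: bytes) -> int:
    """Decode a 32-byte u-coordinate. The top bit is masked off, so any
    32-byte string is accepted: the function is defined on all inputs."""
    assert len(u) == 32
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little") % P


def encode_u(u: int) -> bytes:
    """Canonical little-endian encoding of a field element."""
    return (u % P).to_bytes(32, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication k*u on Curve25519 (Montgomery ladder, RFC 7748)."""
    k_int = decode_scalar(k)
    x1 = decode_u(u)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:  # educational branch; real code uses a constant-time cswap
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    # Projective -> affine: x2 / z2 via Fermat inversion.
    return encode_u(x2 * pow(z2, P - 2, P))


def public_key(sk: bytes) -> bytes:
    """pk = sk * base point; the result is an x coordinate in [0, p)."""
    return x25519(sk, encode_u(BASE_POINT_U))


def msb(encoded: bytes) -> int:
    """Bit 255 of the encoding, i.e. the top bit of the last byte."""
    return encoded[31] >> 7


def is_canonical_pk_enc(encoded: bytes) -> bool:
    """True iff the 32 bytes are the unique encoding of some x in [0, p).
    A non-canonical value is still usable as an X25519 input (decode_u masks
    the top bit); this check only tells you whether it came from the curve's
    output range."""
    return len(encoded) == 32 and int.from_bytes(encoded, "little") < P


if __name__ == "__main__":
    # RFC 7748 section 6.1 test vector (Alice's private key).
    sk = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    pk = public_key(sk)
    print("pk_enc       :", pk.hex())
    print("bit 255      :", msb(pk))                   # always 0
    noncanonical = pk[:31] + bytes([pk[31] | 0x80])    # constructed: top bit forced to 1
    print("canonical?   :", is_canonical_pk_enc(noncanonical))
    print("same result? :", x25519(sk, noncanonical) == x25519(sk, pk))
```

Running the script prints the RFC 7748 public key for Alice, bit 255 equal to 0, the constructed top-bit-set copy reported as non-canonical, and the same shared secret for both encodings.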
Another small comment:
In sec 4.5,
when you start discussing treestates it's not completely clear what you mean,
and how they relate to blocks.
Do you mean the treestate of the note commitment tree?
Is the note commitment tree stored in the blocks somehow?
I will clarify this. A treestate refers to the state of the note commitment tree and nullifier set.
Thanks. Is the treestate specifically the merkle root of the updated note commitment tree?
If so might be good to say this explicitly.
Is the updated treestate contained in the block together with the new transactions?
Or do you think of having two separate chains, one for transactions, and one for treestates?
(perhaps not a very important distinction - but just the way it is phrased now saying `treestates are chained' leaves the reader a little unclear about how to think of it, and might help to address this)
No, the root of that tree is called an anchor. Treestates are not explicitly contained in blocks. (The new anchor could be explicitly included in the block, and that might have some advantages, but it isn't in the current spec.)
@arielgabizon I think these are mostly addressed; please open a new issue if anything is still unclear in 2016.0-beta-1.