librustzcash icon indicating copy to clipboard operation
librustzcash copied to clipboard
verified publisher icon zcash

librustzcash_sapling_generate_r generates alpha from 64 rather than 80 bytes of randomness

Open daira opened this issue 7 years ago • 6 comments

This is mainly a technicality; 64 bytes should be sufficient for security and the resulting alpha will be adequately uniform. However, it was specified as 640 bits, i.e. 80 bytes in the protocol spec (RedDSA.GenRandom in section 5.4.6). Either the spec or the implementation should be changed; I would prefer the implementation.

https://github.com/zcash/librustzcash/blob/041671f6425563bdef43c7c907a8396da76f8f21/librustzcash/src/rustzcash.rs#L392-L408

daira avatar Oct 22 '18 17:10 daira

Note that there's no compatibility issue with making this change.

daira avatar Oct 22 '18 17:10 daira

Here's where librustzcash_sapling_generate_r is used to generate alpha. (Arguably its name should be changed.)

https://github.com/zcash/zcash/blob/625797a0371cac7044a9eb2872ee3820728c1d7d/src/transaction_builder.cpp#L14-L21

daira avatar Oct 22 '18 21:10 daira

We did get this right when generating the randomness for T here. If the justification is the same, then we should refactor this so both sources use the same function (with associated comment).

str4d avatar Oct 22 '18 22:10 str4d

@str4d thanks for making these labels. This seems like a great place for me to start contributing if that is alright!

teh-f00l avatar Jan 16 '19 15:01 teh-f00l

@teh-f00l absolutely! I look forward to seeing your PR :grinning: Feel free to comment here or chat to us in Rocket.Chat if you have any questions.

str4d avatar Jan 16 '19 18:01 str4d

This one could be closed (https://github.com/bitcartel/librustzcash/commit/c65208d9472b41995d6d93e9ca8397bd09d5c7c8)

wowinter13 avatar Mar 01 '25 16:03 wowinter13