PR intention
This PR makes some careful changes intended to make it easier to support offloaded signing, where a computationally-limited signer device wants to work with a (possibly malicious) helper device to authorize a transaction. Overall, the goal is to ensure that if the resulting transaction verifies, its generated coin destinations, amounts, and fee are precisely those provided to the signer. Further, all such generated coins must be spendable by their intended recipients. The helper can always provide malicious auxiliary data to the signer, but this should only result in a transaction that does not verify, which is not considered a successful attack.
Code changes brief
All cryptographic hash functions in Spark that previously used Blake2b512 now use SHA512 for broader library support. The binding hash included with Chaum-Pedersen authorizing proofs now pre-hashes auxiliary data, and then adds in generated coin data. This is intended to allow the signing device to confirm that generated coins have been produced by the helper honestly.
Note in particular that the values S1 and T have been removed from the binding hash entirely. These values are included in the Chaum-Pedersen proof's Fiat-Shamir transcript, so it was redundant to include them again.
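The following is an added illustration in Python, not Spark's or Firo's code, of the construction the PR describes: a Chaum-Pedersen (discrete-log equality) proof whose Fiat-Shamir transcript already includes S1 and T, tied to a binding hash that pre-hashes the auxiliary data with SHA512 and then adds the generated coin data. The group (a small prime-order subgroup of Z_P^*), the byte encodings, the statement proved and every function name are assumptions made for the illustration; Spark's real statement, curve and serialization differ. It shows the signer producing a proof from nothing more than the aux pre-hash and the coins and fee it approved, and a helper that redirects a coin or lied about the auxiliary data ending up with a transaction that fails to verify.

```python
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin, good enough to pick toy parameters."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


# ASSUMPTION: toy group, not Spark's curve. Q = 2^127 - 1 is a Mersenne prime; we
# search for a prime P = k*Q + 1 and work in the order-Q subgroup of Z_P^*. Too
# small for real use; it just makes accidental challenge collisions negligible.
Q = 2**127 - 1


def _toy_group():
    k = 2
    while not is_probable_prime(k * Q + 1):
        k += 2  # P must be odd, so k stays even
    P = k * Q + 1
    G = pow(2, k, P)  # raising to k projects into the order-Q subgroup
    seed = int.from_bytes(hashlib.sha512(b"second generator").digest(), "big") % P
    H = pow(seed, k, P)
    assert G != 1 and H != 1
    return P, G, H


P, G, H = _toy_group()


def sha512(*parts: bytes) -> bytes:
    h = hashlib.sha512()
    for part in parts:
        h.update(part)
    return h.digest()


def coin_bytes(coins, fee: int) -> bytes:
    # Length-prefixed destinations so (dest, amount) pairs cannot be re-split.
    out = b"".join(len(d).to_bytes(2, "little") + d + a.to_bytes(8, "little") for d, a in coins)
    return out + fee.to_bytes(8, "little")


def binding_hash(aux_hash: bytes, coins, fee: int) -> bytes:
    # The signer never sees raw auxiliary data: it takes its SHA512 pre-hash from
    # the helper and adds the coin data it was shown itself. S1 and T are NOT
    # included here; they are already in the Fiat-Shamir transcript below.
    return sha512(b"binding", aux_hash, coin_bytes(coins, fee))


def challenge(S1: int, T: int, A: int, B: int, binding: bytes) -> int:
    transcript = b"".join(v.to_bytes(32, "big") for v in (S1, T, A, B))
    return int.from_bytes(sha512(b"chaum-pedersen", transcript, binding), "big") % Q


def prove(x: int, S1: int, T: int, binding: bytes):
    # Chaum-Pedersen: prove log_G(S1) == log_H(T) == x without revealing x.
    r = secrets.randbelow(Q - 1) + 1
    A, B = pow(G, r, P), pow(H, r, P)
    c = challenge(S1, T, A, B, binding)
    return A, B, (r + c * x) % Q


def verify(S1: int, T: int, proof, binding: bytes) -> bool:
    A, B, z = proof
    c = challenge(S1, T, A, B, binding)
    return pow(G, z, P) == A * pow(S1, c, P) % P and pow(H, z, P) == B * pow(T, c, P) % P


def signer_authorize(x: int, aux_hash: bytes, coins, fee: int):
    # Limited signer: only needs the aux pre-hash plus the coins/fee it approves.
    S1, T = pow(G, x, P), pow(H, x, P)
    return S1, T, prove(x, S1, T, binding_hash(aux_hash, coins, fee))


def verify_transaction(tx: dict) -> bool:
    # Verifier recomputes the binding hash from the transaction's own contents.
    binding = binding_hash(hashlib.sha512(tx["aux"]).digest(), tx["coins"], tx["fee"])
    return verify(tx["S1"], tx["T"], tx["proof"], binding)


def demo():
    x = secrets.randbelow(Q - 1) + 1
    aux = b"constructed auxiliary data stand-in"  # constructed sample input
    coins, fee = [(b"alice", 40), (b"bob", 55)], 5
    S1, T, proof = signer_authorize(x, hashlib.sha512(aux).digest(), coins, fee)
    honest = {"aux": aux, "coins": coins, "fee": fee, "S1": S1, "T": T, "proof": proof}
    # Malicious helper 1: swaps a destination after the signer authorized.
    redirected = dict(honest, coins=[(b"alice", 40), (b"mallory", 55)])
    # Malicious helper 2: fed the signer a pre-hash of different aux data.
    swapped_aux = dict(honest, aux=b"other auxiliary data")
    return verify_transaction(honest), verify_transaction(redirected), verify_transaction(swapped_aux)


if __name__ == "__main__":
    print(demo())  # expected (True, False, False)
```

Two points the toy makes concrete: the verifier never trusts the helper's pre-hash but recomputes it from the transaction's own auxiliary data, so a lie to the signer surfaces as a failed proof rather than a misdirected coin; and because S1 and T feed the challenge directly, repeating them inside the binding hash would add nothing to what the proof already commits to.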