zec
/
orchard
mirror of https://github.com/zcash/orchard.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

deploy: 27b95d3405

This commit is contained in:
str4d 2021-05-03 22:53:22 +00:00
parent d47f0a8f27
commit 1815d914a1
5 changed files with 156 additions and 156 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
design/commitment-tree.html
View File

@ -173,8 +173,8 @@
commitments from a block have been appended, and before any commitments from the next
block have been appended).</li>
</ul>
<p>The only difference is that we instantiate <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.9334479999999998em;vertical-align:0em;"></span><span class="mord"><span class="mord"><span class="mord mathsf">M</span><span class="mord mathsf">e</span><span class="mord mathsf" style="margin-right:0.01389em;">r</span><span class="mord mathsf">k</span><span class="mord mathsf">l</span><span class="mord mathsf">e</span><span class="mord mathsf">C</span><span class="mord mathsf">R</span><span class="mord mathsf">H</span></span><span class="msupsub"><span class="vlist-t"><span class="vlist-r"><span class="vlist" style="height:0.9334479999999998em;"><span style="top:-3.1473400000000002em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathsf mtight">O</span><span class="mord mathsf mtight" style="margin-right:0.01389em;">r</span><span class="mord mathsf mtight">c</span><span class="mord mathsf mtight">h</span><span class="mord mathsf mtight">a</span><span class="mord mathsf mtight" style="margin-right:0.01389em;">r</span><span class="mord mathsf mtight">d</span></span></span></span></span></span></span></span></span></span></span></span> with
Sinsemilla (whereas <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.9334479999999998em;vertical-align:0em;"></span><span class="mord"><span class="mord"><span class="mord mathsf">M</span><span class="mord mathsf">e</span><span class="mord mathsf" style="margin-right:0.01389em;">r</span><span class="mord mathsf">k</span><span class="mord mathsf">l</span><span class="mord mathsf">e</span><span class="mord mathsf">C</span><span class="mord mathsf">R</span><span class="mord mathsf">H</span></span><span class="msupsub"><span class="vlist-t"><span class="vlist-r"><span class="vlist" style="height:0.9334479999999998em;"><span style="top:-3.1473400000000002em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathsf mtight">S</span><span class="mord mathsf mtight">a</span><span class="mord mathsf mtight">p</span><span class="mord mathsf mtight">l</span><span class="mord mathsf mtight">i</span><span class="mord mathsf mtight">n</span><span class="mord mathsf mtight" style="margin-right:0.01389em;">g</span></span></span></span></span></span></span></span></span></span></span></span> used a Bowe--Hopwood Pedersen
<p>The only difference is that we instantiate <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.9334479999999998em;vertical-align:0em;"></span><span class="mord"><span class="mord"><span class="mord mathsf">MerkleCRH</span></span><span class="msupsub"><span class="vlist-t"><span class="vlist-r"><span class="vlist" style="height:0.9334479999999998em;"><span style="top:-3.1473400000000002em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathsf mtight">Orchard</span></span></span></span></span></span></span></span></span></span></span></span> with
Sinsemilla (whereas <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.9334479999999998em;vertical-align:0em;"></span><span class="mord"><span class="mord"><span class="mord mathsf">MerkleCRH</span></span><span class="msupsub"><span class="vlist-t"><span class="vlist-r"><span class="vlist" style="height:0.9334479999999998em;"><span style="top:-3.1473400000000002em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mathsf mtight" style="margin-right:0.01389em;">Sapling</span></span></span></span></span></span></span></span></span></span></span></span> used a Bowe--Hopwood Pedersen
hash).</p>
<h2><a class="header" href="#uncommitted-leaves" id="uncommitted-leaves">Uncommitted leaves</a></h2>
<p>The fixed-depth incremental Merkle trees that we use (in Sprout and Sapling, and again in

18
design/commitments.html
View File

@ -167,25 +167,25 @@
<h1><a class="header" href="#commitments" id="commitments">Commitments</a></h1>
<p>As in Sapling, we require two kinds of commitment schemes in Orchard:</p>
<ul>
<li><span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><span class="mord"><span class="mord mathit">H</span><span class="mord mathit">o</span><span class="mord mathit">m</span><span class="mord mathit">o</span><span class="mord mathit">m</span><span class="mord mathit">o</span><span class="mord mathit">r</span><span class="mord mathit">p</span><span class="mord mathit">h</span><span class="mord mathit">i</span><span class="mord mathit">c</span><span class="mord mathit">C</span><span class="mord mathit">o</span><span class="mord mathit">m</span><span class="mord mathit">m</span><span class="mord mathit">i</span><span class="mord mathit">t</span></span></span></span></span> is a linearly homomorphic commitment scheme with perfect hiding,
<li><span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><span class="mord"><span class="mord mathit">HomomorphicCommit</span></span></span></span></span> is a linearly homomorphic commitment scheme with perfect hiding,
and strong binding reducible to DL.</li>
<li><span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.68333em;vertical-align:0em;"></span><span class="mord"><span class="mord mathit">C</span><span class="mord mathit">o</span><span class="mord mathit">m</span><span class="mord mathit">m</span><span class="mord mathit">i</span><span class="mord mathit">t</span></span></span></span></span> and <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathit">S</span><span class="mord mathit">h</span><span class="mord mathit">o</span><span class="mord mathit">r</span><span class="mord mathit">t</span><span class="mord mathit">C</span><span class="mord mathit">o</span><span class="mord mathit">m</span><span class="mord mathit">m</span><span class="mord mathit">i</span><span class="mord mathit">t</span></span></span></span></span> are commitment schemes with perfect hiding, and
<li><span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.68333em;vertical-align:0em;"></span><span class="mord"><span class="mord mathit">Commit</span></span></span></span></span> and <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathit">ShortCommit</span></span></span></span></span> are commitment schemes with perfect hiding, and
strong binding reducible to DL.</li>
</ul>
<p>By &quot;strong binding&quot; we mean that the scheme is collision resistant on the input and
randomness.</p>
<p>We instantiate <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><span class="mord"><span class="mord mathit">H</span><span class="mord mathit">o</span><span class="mord mathit">m</span><span class="mord mathit">o</span><span class="mord mathit">m</span><span class="mord mathit">o</span><span class="mord mathit">r</span><span class="mord mathit">p</span><span class="mord mathit">h</span><span class="mord mathit">i</span><span class="mord mathit">c</span><span class="mord mathit">C</span><span class="mord mathit">o</span><span class="mord mathit">m</span><span class="mord mathit">m</span><span class="mord mathit">i</span><span class="mord mathit">t</span></span></span></span></span> with a Pedersen commitment, and use it for
<p>We instantiate <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><span class="mord"><span class="mord mathit">HomomorphicCommit</span></span></span></span></span> with a Pedersen commitment, and use it for
value commitments:</p>
<p><span class="katex-display"><span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.44444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf">c</span><span class="mord mathsf" style="margin-right:0.01389em;">v</span></span><span class="mspace" style="margin-right:0.2777777777777778em;"></span><span class="mrel">=</span><span class="mspace" style="margin-right:0.2777777777777778em;"></span></span><span class="base"><span class="strut" style="height:1.008448em;vertical-align:-0.25em;"></span><span class="mord"><span class="mord"><span class="mord mathit">H</span><span class="mord mathit">o</span><span class="mord mathit">m</span><span class="mord mathit">o</span><span class="mord mathit">m</span><span class="mord mathit">o</span><span class="mord mathit">r</span><span class="mord mathit">p</span><span class="mord mathit">h</span><span class="mord mathit">i</span><span class="mord mathit">c</span><span class="mord mathit">C</span><span class="mord mathit">o</span><span class="mord mathit">m</span><span class="mord mathit">m</span><span class="mord mathit">i</span><span class="mord mathit">t</span></span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.758448em;"><span style="top:-2.4530000000000003em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight"><span class="mord mathsf mtight" style="margin-right:0.01389em;">r</span><span class="mord mathsf mtight">c</span><span class="mord mathsf mtight" style="margin-right:0.01389em;">v</span></span></span></span></span><span style="top:-3.1473400000000002em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight"><span class="mord mathsf mtight">c</span><span class="mord mathsf mtight" style="margin-right:0.01389em;">v</span></span></span></span></span></span><span class="vlist-s"></span></span><span class="vlist-r"><span class="vlist" style="height:0.247em;"><span></span></span></span></span></span></span><span class="mopen">(</span><span class="mord mathnormal" style="margin-right:0.03588em;">v</span><span class="mclose">)</span></span></span></span></span></p>
<p>We instantiate <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.68333em;vertical-align:0em;"></span><span class="mord"><span class="mord mathit">C</span><span class="mord mathit">o</span><span class="mord mathit">m</span><span class="mord mathit">m</span><span class="mord mathit">i</span><span class="mord mathit">t</span></span></span></span></span> and <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathit">S</span><span class="mord mathit">h</span><span class="mord mathit">o</span><span class="mord mathit">r</span><span class="mord mathit">t</span><span class="mord mathit">C</span><span class="mord mathit">o</span><span class="mord mathit">m</span><span class="mord mathit">m</span><span class="mord mathit">i</span><span class="mord mathit">t</span></span></span></span></span> with Sinsemilla, and use them
<p><span class="katex-display"><span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.44444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf" style="margin-right:0.01389em;">cv</span></span><span class="mspace" style="margin-right:0.2777777777777778em;"></span><span class="mrel">=</span><span class="mspace" style="margin-right:0.2777777777777778em;"></span></span><span class="base"><span class="strut" style="height:1.008448em;vertical-align:-0.25em;"></span><span class="mord"><span class="mord"><span class="mord mathit">HomomorphicCommit</span></span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.758448em;"><span style="top:-2.4530000000000003em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight"><span class="mord mathsf mtight" style="margin-right:0.01389em;">rcv</span></span></span></span></span><span style="top:-3.1473400000000002em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight"><span class="mord mathsf mtight" style="margin-right:0.01389em;">cv</span></span></span></span></span></span><span class="vlist-s"></span></span><span class="vlist-r"><span class="vlist" style="height:0.247em;"><span></span></span></span></span></span></span><span class="mopen">(</span><span class="mord mathnormal" style="margin-right:0.03588em;">v</span><span class="mclose">)</span></span></span></span></span></p>
<p>We instantiate <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.68333em;vertical-align:0em;"></span><span class="mord"><span class="mord mathit">Commit</span></span></span></span></span> and <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathit">ShortCommit</span></span></span></span></span> with Sinsemilla, and use them
for all other commitments:</p>
<p><span class="katex-display"><span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf">i</span><span class="mord mathsf" style="margin-right:0.01389em;">v</span><span class="mord mathsf">k</span></span><span class="mspace" style="margin-right:0.2777777777777778em;"></span><span class="mrel">=</span><span class="mspace" style="margin-right:0.2777777777777778em;"></span></span><span class="base"><span class="strut" style="height:1.1834479999999998em;vertical-align:-0.25em;"></span><span class="mord"><span class="mord"><span class="mord mathit">S</span><span class="mord mathit">h</span><span class="mord mathit">o</span><span class="mord mathit">r</span><span class="mord mathit">t</span><span class="mord mathit">C</span><span class="mord mathit">o</span><span class="mord mathit">m</span><span class="mord mathit">m</span><span class="mord mathit">i</span><span class="mord mathit">t</span></span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.9334479999999998em;"><span style="top:-2.4530000000000003em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight"><span class="mord mathsf mtight" style="margin-right:0.01389em;">r</span><span class="mord mathsf mtight">i</span><span class="mord mathsf mtight" style="margin-right:0.01389em;">v</span><span class="mord mathsf mtight">k</span></span></span></span></span><span style="top:-3.1473400000000002em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight"><span class="mord mathsf mtight">i</span><span class="mord mathsf mtight" style="margin-right:0.01389em;">v</span><span class="mord mathsf mtight">k</span></span></span></span></span></span><span class="vlist-s"></span></span><span class="vlist-r"><span class="vlist" style="height:0.247em;"><span></span></span></span></span></span></span><span class="mopen">(</span><span class="mord"><span class="mord mathsf">a</span><span class="mord mathsf">k</span></span><span class="mpunct">,</span><span class="mspace" style="margin-right:0.16666666666666666em;"></span><span class="mord"><span class="mord mathsf">n</span><span class="mord mathsf">k</span></span><span class="mclose">)</span></span></span></span></span>
<span class="katex-display"><span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.44444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf">c</span><span class="mord mathsf">m</span></span><span class="mspace" style="margin-right:0.2777777777777778em;"></span><span class="mrel">=</span><span class="mspace" style="margin-right:0.2777777777777778em;"></span></span><span class="base"><span class="strut" style="height:1em;vertical-align:-0.25em;"></span><span class="mord"><span class="mord"><span class="mord mathit">C</span><span class="mord mathit">o</span><span class="mord mathit">m</span><span class="mord mathit">m</span><span class="mord mathit">i</span><span class="mord mathit">t</span></span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.7473380000000001em;"><span style="top:-2.4530000000000003em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight"><span class="mord mathsf mtight" style="margin-right:0.01389em;">r</span><span class="mord mathsf mtight">c</span><span class="mord mathsf mtight">m</span></span></span></span></span><span style="top:-3.1362300000000003em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight"><span class="mord mathsf mtight">c</span><span class="mord mathsf mtight">m</span></span></span></span></span></span><span class="vlist-s"></span></span><span class="vlist-r"><span class="vlist" style="height:0.247em;"><span></span></span></span></span></span></span><span class="mopen">(</span><span class="mord text"><span class="mord">rest of note</span></span><span class="mclose">)</span></span></span></span></span></p>
<p><span class="katex-display"><span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf">ivk</span></span><span class="mspace" style="margin-right:0.2777777777777778em;"></span><span class="mrel">=</span><span class="mspace" style="margin-right:0.2777777777777778em;"></span></span><span class="base"><span class="strut" style="height:1.1834479999999998em;vertical-align:-0.25em;"></span><span class="mord"><span class="mord"><span class="mord mathit">ShortCommit</span></span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.9334479999999998em;"><span style="top:-2.4530000000000003em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight"><span class="mord mathsf mtight">rivk</span></span></span></span></span><span style="top:-3.1473400000000002em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight"><span class="mord mathsf mtight">ivk</span></span></span></span></span></span><span class="vlist-s"></span></span><span class="vlist-r"><span class="vlist" style="height:0.247em;"><span></span></span></span></span></span></span><span class="mopen">(</span><span class="mord"><span class="mord mathsf">ak</span></span><span class="mpunct">,</span><span class="mspace" style="margin-right:0.16666666666666666em;"></span><span class="mord"><span class="mord mathsf">nk</span></span><span class="mclose">)</span></span></span></span></span>
<span class="katex-display"><span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.44444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf">cm</span></span><span class="mspace" style="margin-right:0.2777777777777778em;"></span><span class="mrel">=</span><span class="mspace" style="margin-right:0.2777777777777778em;"></span></span><span class="base"><span class="strut" style="height:1em;vertical-align:-0.25em;"></span><span class="mord"><span class="mord"><span class="mord mathit">Commit</span></span><span class="msupsub"><span class="vlist-t vlist-t2"><span class="vlist-r"><span class="vlist" style="height:0.7473380000000001em;"><span style="top:-2.4530000000000003em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight"><span class="mord mathsf mtight">rcm</span></span></span></span></span><span style="top:-3.1362300000000003em;margin-right:0.05em;"><span class="pstrut" style="height:2.7em;"></span><span class="sizing reset-size6 size3 mtight"><span class="mord mtight"><span class="mord mtight"><span class="mord mathsf mtight">cm</span></span></span></span></span></span><span class="vlist-s"></span></span><span class="vlist-r"><span class="vlist" style="height:0.247em;"><span></span></span></span></span></span></span><span class="mopen">(</span><span class="mord text"><span class="mord">rest of note</span></span><span class="mclose">)</span></span></span></span></span></p>
<p>This is the same split (and rationale) as in Sapling, but using the more PLONK-efficient
Sinsemilla instead of Bowe--Hopwood Pedersen hashes.</p>
<p>Note that we also deviate from Sapling by using <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathit">S</span><span class="mord mathit">h</span><span class="mord mathit">o</span><span class="mord mathit">r</span><span class="mord mathit">t</span><span class="mord mathit">C</span><span class="mord mathit">o</span><span class="mord mathit">m</span><span class="mord mathit">m</span><span class="mord mathit">i</span><span class="mord mathit">t</span></span></span></span></span> to deriving <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf">i</span><span class="mord mathsf" style="margin-right:0.01389em;">v</span><span class="mord mathsf">k</span></span></span></span></span>
<p>Note that we also deviate from Sapling by using <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathit">ShortCommit</span></span></span></span></span> to deriving <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf">ivk</span></span></span></span></span>
instead of a full PRF. This removes an unnecessary (large) PRF primitive from the circuit,
at the cost of requiring <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf" style="margin-right:0.01389em;">r</span><span class="mord mathsf">i</span><span class="mord mathsf" style="margin-right:0.01389em;">v</span><span class="mord mathsf">k</span></span></span></span></span> to be part of the full viewing key.</p>
at the cost of requiring <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf">rivk</span></span></span></span></span> to be part of the full viewing key.</p>
</main>

16
design/keys.html
View File

@ -176,25 +176,25 @@ expensive general-purpose hashes (such as BLAKE2s) from the circuit.</p>
<p>We make several structural changes, building on the lessons learned from Sapling:</p>
<ul>
<li>
<p>The nullifier private key <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf">n</span><span class="mord mathsf">s</span><span class="mord mathsf">k</span></span></span></span></span> is removed. Its purpose in Sapling was as
<p>The nullifier private key <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf">nsk</span></span></span></span></span> is removed. Its purpose in Sapling was as
defense-in-depth, in case RedDSA was found to have weaknesses; an adversary who could
recover <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf">a</span><span class="mord mathsf">s</span><span class="mord mathsf">k</span></span></span></span></span> would not be able to spend funds. In practice it has not been
feasible to manage <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf">n</span><span class="mord mathsf">s</span><span class="mord mathsf">k</span></span></span></span></span> much more securely than a full viewing key, as the
recover <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf">ask</span></span></span></span></span> would not be able to spend funds. In practice it has not been
feasible to manage <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf">nsk</span></span></span></span></span> much more securely than a full viewing key, as the
computational power required to generate Sapling proofs has made it necessary to perform
this step on the same device that is creating the overall transaction (rather than on a
more constrained device like a hardware wallet). We are also more confident in RedDSA
now.</p>
</li>
<li>
<p><span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf">n</span><span class="mord mathsf">k</span></span></span></span></span> is now a field element instead of a curve point, making it more efficient
<p><span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf">nk</span></span></span></span></span> is now a field element instead of a curve point, making it more efficient
to generate nullifiers.</p>
</li>
<li>
<p><span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf">o</span><span class="mord mathsf" style="margin-right:0.01389em;">v</span><span class="mord mathsf">k</span></span></span></span></span> is now derived from <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf" style="margin-right:0.06944em;">f</span><span class="mord mathsf" style="margin-right:0.01389em;">v</span><span class="mord mathsf">k</span></span></span></span></span>, instead of being derived in parallel.
This places it in a similar position within the key structure to <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf">i</span><span class="mord mathsf" style="margin-right:0.01389em;">v</span><span class="mord mathsf">k</span></span></span></span></span>, and
<p><span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf">ovk</span></span></span></span></span> is now derived from <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf">fvk</span></span></span></span></span>, instead of being derived in parallel.
This places it in a similar position within the key structure to <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf">ivk</span></span></span></span></span>, and
also removes an issue where two full viewing keys could be constructed that have the
same <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf">i</span><span class="mord mathsf" style="margin-right:0.01389em;">v</span><span class="mord mathsf">k</span></span></span></span></span> but different <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf">o</span><span class="mord mathsf" style="margin-right:0.01389em;">v</span><span class="mord mathsf">k</span></span></span></span></span>s. Users still have control over whether
<span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf">o</span><span class="mord mathsf" style="margin-right:0.01389em;">v</span><span class="mord mathsf">k</span></span></span></span></span> is used when constructing a transaction.</p>
same <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf">ivk</span></span></span></span></span> but different <span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf">ovk</span></span></span></span></span>s. Users still have control over whether
<span class="katex"><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:0.69444em;vertical-align:0em;"></span><span class="mord"><span class="mord mathsf">ovk</span></span></span></span></span> is used when constructing a transaction.</p>
</li>
<li>
<p>All diversifiers now result in valid payment addresses, due to group hashing into Pallas

118
design/nullifiers.html
View File

File diff suppressed because one or more lines are too long

156
print.html
View File

File diff suppressed because one or more lines are too long