\documentclass[8pt]{article}
\RequirePackage{amsmath}
\RequirePackage{bytefield}
\RequirePackage{graphicx}
\RequirePackage{newtxmath}
\RequirePackage{mathtools}
\RequirePackage{xspace}
\RequirePackage{url}
\setlength{\oddsidemargin}{-0.25in} % Left margin of 1 in - 0.25 in = 0.75 in
\setlength{\textwidth}{7in} % Right margin of 8.5 in - 0.75 in - 7 in = 0.75 in
\setlength{\topmargin}{-.75in} % Top margin of 2 in -0.75 in = 1 in
\setlength{\textheight}{9.2in} % Lower margin of 11 in - 9 in - 1 in = 1 in
\setlength{\parskip}{1.5ex}
\setlength{\parindent}{0ex}
\mathchardef\mhyphen="2D
% terminology
\newcommand{\term}[1]{\textsl{#1}\xspace}
\newcommand{\termbf}[1]{\textbf{#1}\xspace}
\newcommand{\Zcash}{\termbf{Zcash}}
\newcommand{\Zerocash}{\termbf{Zerocash}}
\newcommand{\Bitcoin}{\termbf{Bitcoin}}
\newcommand{\ZEC}{\termbf{ZEC}}
\newcommand{\zatoshi}{\term{zatoshi}}
\newcommand{\coin}{\term{coin}}
\newcommand{\coins}{\term{coins}}
\newcommand{\coinCommitment}{\term{coin commitment}}
\newcommand{\coinCommitments}{\term{coin commitments}}
\newcommand{\coinCommitmentTree}{\term{coin commitment tree}}
\newcommand{\PourDescription}{\term{Pour description}}
\newcommand{\PourDescriptions}{\term{Pour descriptions}}
\newcommand{\PourTransfer}{\term{Pour transfer}}
\newcommand{\PourTransfers}{\term{Pour transfers}}
\newcommand{\fullnode}{\term{full node}}
\newcommand{\fullnodes}{\term{full nodes}}
\newcommand{\anchor}{\term{anchor}}
\newcommand{\anchors}{\term{anchors}}
\newcommand{\block}{\term{block}}
\newcommand{\blocks}{\term{blocks}}
\newcommand{\transaction}{\term{transaction}}
\newcommand{\transactions}{\term{transactions}}
\newcommand{\blockchainview}{\term{blockchain view}}
\newcommand{\mempool}{\term{mempool}}
\newcommand{\treestate}{\term{treestate}}
\newcommand{\treestates}{\term{treestates}}
\newcommand{\script}{\term{script}}
\newcommand{\serialNumber}{\term{serial number}}
\newcommand{\serialNumbers}{\term{serial numbers}}
\newcommand{\publicAddress}{\term{confidential address}}
\newcommand{\privateAddress}{\term{confidential private key}}
\newcommand{\transmittedPlaintext}{\term{transmitted coin plaintext}}
\newcommand{\transmittedCiphertext}{\term{transmitted coin ciphertext}}
\newcommand{\transmitPublicAlgorithm}{\term{key-private encryption}}
\newcommand{\transmitPrivateAlgorithm}{\term{key-private decryption}}
\newcommand{\spendAuthority}{\term{spend authority}}
\newcommand{\incrementalMerkleTree}{\term{incremental merkle tree}}
\newcommand{\spentSerialsMap}{\term{spent serial numbers map}}
\newcommand{\zkSNARK}{\term{zk-SNARK}}
\newcommand{\zkSNARKs}{\term{zk-SNARKs}}
% key pairs:
\newcommand{\PublicAddress}{\mathsf{addr_{pk}}}
\newcommand{\PrivateAddress}{\mathsf{addr_{sk}}}
\newcommand{\PublicAddressLeadByte}{\mathbf{0x92}}
\newcommand{\PrivateAddressLeadByte}{\mathbf{0x93}}
\newcommand{\SpendAuthorityPublic}{\mathsf{a_{pk}}}
\newcommand{\SpendAuthorityPrivate}{\mathsf{a_{sk}}}
\newcommand{\SpendAuthorityPublicOld}[1]{\mathsf{a^{old}_{pk,\mathnormal{#1}}}}
\newcommand{\SpendAuthorityPrivateOld}[1]{\mathsf{a^{old}_{sk,\mathnormal{#1}}}}
\newcommand{\SpendAuthorityPublicNew}[1]{\mathsf{a^{new}_{pk,\mathnormal{#1}}}}
\newcommand{\SpendAuthorityPrivateNew}[1]{\mathsf{a^{new}_{sk,\mathnormal{#1}}}}
\newcommand{\TransmitPublic}{\mathsf{pk_{enc}}}
\newcommand{\TransmitPrivate}{\mathsf{sk_{enc}}}
\newcommand{\Value}{\mathsf{v}}
% Coins
\newcommand{\Coin}{\mathbf{c}}
\newcommand{\CoinCommitRand}{\mathsf{r}}
\newcommand{\CoinCommitRandOld}[1]{\mathsf{r^{old}_\mathnormal{#1}}}
\newcommand{\CoinCommitRandNew}[1]{\mathsf{r^{new}_\mathnormal{#1}}}
\newcommand{\CoinAddressRand}{\mathsf{\uprho}}
\newcommand{\CoinAddressRandOld}[1]{\mathsf{\uprho^{old}_\mathnormal{#1}}}
\newcommand{\CoinAddressRandNew}[1]{\mathsf{\uprho^{new}_\mathnormal{#1}}}
\newcommand{\TransmitPlaintextVersionByte}{\mathbf{0x00}}
\newcommand{\CRH}{\mathsf{CRH}}
\newcommand{\CRHbox}[1]{\CRH\left(\;\raisebox{-1.3ex}{\usebox{#1}}\;\right)}
\newcommand{\PRF}[2]{\mathsf{{PRF}^{#2}_\mathnormal{#1}}}
\newcommand{\PRFaddr}[1]{\PRF{#1}{addr}}
\newcommand{\PRFsn}[1]{\PRF{#1}{sn}}
\newcommand{\PRFpk}[1]{\PRF{#1}{pk}}
\newcommand{\SHA}{\mathtt{SHA256Compress}}
\newcommand{\SHAName}{\term{SHA-256 compression}}
\newcommand{\SHAOrig}{\term{SHA-256}}
\newcommand{\cm}{\mathsf{cm}}
\newcommand{\cmNew}[1]{\mathsf{{cm}^{new}_\mathnormal{#1}}}
\newcommand{\InternalHashK}{\mathsf{k}}
\newcommand{\InternalHash}{\mathsf{InternalH}}
\newcommand{\Leading}[1]{\mathtt{Leading}_{#1}}
\newcommand{\Trailing}[1]{\mathtt{Trailing}_{#1}}
% merkle tree
\newcommand{\MerkleDepth}{\mathsf{d}}
\newcommand{\sn}{\mathsf{sn}}
\newcommand{\snOld}[1]{\mathsf{{sn}^{old}_\mathnormal{#1}}}
% bitcoin
\newcommand{\vin}{\mathtt{vin}}
\newcommand{\vout}{\mathtt{vout}}
\newcommand{\vpour}{\mathtt{vpour}}
\newcommand{\vpubOldField}{\mathtt{vpub\_old}}
\newcommand{\vpubNewField}{\mathtt{vpub\_new}}
\newcommand{\vsum}[2]{\smashoperator[r]{\sum_{#1}^{#2}}}
\newcommand{\anchorField}{\mathtt{anchor}}
\newcommand{\scriptSig}{\mathtt{scriptSig}}
\newcommand{\scriptPubKey}{\mathtt{scriptPubKey}}
\newcommand{\serials}{\mathtt{serials}}
\newcommand{\commitments}{\mathtt{commitments}}
\newcommand{\TransmitCiphertexts}{\mathtt{ciphertexts}}
\newcommand{\rt}{\mathsf{rt}}
% pour
\newcommand{\hSig}{\mathsf{h_{Sig}}}
\newcommand{\h}[1]{\mathsf{h_{\mathnormal{#1}}}}
\newcommand{\NOld}{\mathrm{N}^\mathsf{old}}
\newcommand{\NNew}{\mathrm{N}^\mathsf{new}}
\newcommand{\vmacs}{\mathtt{vmacs}}
\newcommand{\zkproof}{\mathtt{zkproof}}
\newcommand{\PourCircuit}{\term{\texttt{POUR} circuit}}
\newcommand{\PourStatement}{\texttt{POUR}}
\newcommand{\PourProof}{\pi_{\PourStatement}}
\newcommand{\vpubOld}{\mathsf{v_{pub}^{old}}}
\newcommand{\vpubNew}{\mathsf{v_{pub}^{new}}}
\newcommand{\cOld}[1]{\mathbf{c}_{#1}^\mathsf{old}}
\newcommand{\cNew}[1]{\mathbf{c}_{#1}^\mathsf{new}}
\newcommand{\vOld}[1]{\mathsf{v}_{#1}^\mathsf{old}}
\newcommand{\vNew}[1]{\mathsf{v}_{#1}^\mathsf{new}}
\newcommand{\NP}{\mathsf{NP}}
\newcommand{\treepath}[1]{\mathsf{path}_{#1}}
\newcommand{\COMM}[1]{\mathsf{COMM}_{#1}}
\newcommand{\COMMtrapdoor}{\term{\textsf{COMM} trapdoor}}
\newcommand{\CoinCommitment}[1]{\mathtt{CoinCommitment}(#1)}
\RequirePackage[usenames,dvipsnames]{xcolor}
% https://en.wikibooks.org/wiki/LaTeX/Colors#The_68_standard_colors_known_to_dvips
\newcommand{\eli}[1]{{\color{magenta}\sf{Eli: #1}}}
\newcommand{\sean}[1]{{\color{blue}\sf{Sean: #1}}}
\newcommand{\taylor}[1]{{\color{red}\sf{Taylor: #1}}}
\newcommand{\daira}[1]{{\color{RedOrange}\sf{Daira: #1}}}
\newcommand{\nathan}[1]{{\color{ForestGreen}\sf{Nathan: #1}}}
\begin{document}
\title{Zcash Protocol Specification}
\author{Sean Bowe | Daira Hopwood | Taylor Hornby}
\date{\today}
\maketitle
\section{Introduction}
\Zcash is an implementation of the \term{Decentralized Anonymous Payment}
scheme \Zerocash \cite{ZerocashOakland} with some adjustments to terminology,
functionality and performance. It bridges the existing \emph{transparent}
payment scheme used by \Bitcoin with a \emph{confidential} payment scheme
protected by zero-knowledge succinct non-interactive arguments of knowledge
(\zkSNARKs).
\section{Concepts}
\subsection{Integers and Endianness}
All integers visible in \Zcash-specific encodings are unsigned, have a fixed
bit length, and are encoded as big-endian.
In bit layout diagrams, each box of the diagram represents a sequence of bits.
If the content of the box is a byte sequence, it is implicitly converted to
a sequence of bits using big-endian order. The bit sequences are then
concatenated in the order shown from left to right, and the result is converted
to a sequence of bytes, again using big-endian order.
$\Leading{k}(x)$, where $k$ is an integer and $x$ is a bit sequence, returns
the leading (initial) $k$ bits of its input.
$\Trailing{k}(x)$, where $k$ is an integer and $x$ is a bit sequence, returns
the trailing (final) $k$ bits of its input.
\subsection{Cryptographic Functions}
$\CRH$ is a collision-resistant hash function. In \Zcash, the $\SHAName$ function
is used which takes a 512-bit block and produces a 256-bit hash. This is
different from the $\SHAOrig$ function, which hashes arbitrary-length strings.
$\PRF{x}{}$ is a pseudo-random function seeded by $x$. Three \emph{independent}
$\PRF{x}{}$ are needed in our scheme: $\PRFaddr{x}$, $\PRFsn{x}$, and $\PRFpk{x}$.
It is required that $\PRFsn{x}$ be collision-resistant across all $x$ --- i.e.\ it
should not be feasible to find $(x, y) \neq (x', y')$ such that
$\PRFsn{x}(y) = \PRFsn{x'}(y')$.
In \Zcash, the $\SHAName$ function is used to construct all three of these
functions. The bits $\mathtt{00}$, $\mathtt{01}$ and $\mathtt{10}$ are included
(respectively) within the blocks that are hashed, ensuring that the functions are
independent.
\newsavebox{\addrbox}
\begin{lrbox}{\addrbox}
\begin{bytefield}[bitwidth=0.065em]{512}
\bitbox{242}{256 bit $\SpendAuthorityPrivate$} &
\bitbox{14}{0} &
\bitbox{14}{0} &
\bitbox{242}{$0^{254}$} &
\end{bytefield}
\end{lrbox}
\newsavebox{\snbox}
\begin{lrbox}{\snbox}
\begin{bytefield}[bitwidth=0.065em]{512}
\bitbox{242}{256 bit $\SpendAuthorityPrivate$} &
\bitbox{14}{0} &
\bitbox{14}{1} &
\bitbox{242}{$\Trailing{254}(\CoinAddressRand)$} &
\end{bytefield}
\end{lrbox}
\newsavebox{\pkbox}
\begin{lrbox}{\pkbox}
\begin{bytefield}[bitwidth=0.065em]{512}
\bitbox{242}{256 bit $\SpendAuthorityPrivate$} &
\bitbox{14}{1} &
\bitbox{14}{0} &
\bitbox{14}{$i$} &
\bitbox{228}{$\Trailing{253}(\hSig)$}
\end{bytefield}
\end{lrbox}
\begin{equation*}
\begin{aligned}
\SpendAuthorityPublic &:= \PRFaddr{\SpendAuthorityPrivate}(0) &= \CRHbox{\addrbox} \\
\sn &:= \PRFsn{\SpendAuthorityPrivate}(\CoinAddressRand) &= \CRHbox{\snbox} \\
\h{i} &:= \PRFpk{\SpendAuthorityPrivate}(i, \hSig) &= \CRHbox{\pkbox}
\end{aligned}
\end{equation*}
\daira{Should we instead define $\CoinAddressRand$ to be 254 bits and $\hSig$ to be
253 bits?}
\subsection{Confidential Addresses and Private Keys}
A key pair $(\PublicAddress, \PrivateAddress)$ is generated by users who wish to
receive coins under this scheme. The public $\PublicAddress$ is called a
$\publicAddress$ and is a tuple $(\SpendAuthorityPublic, \TransmitPublic)$
consisting of the public components of a $\spendAuthority$ key pair
$(\SpendAuthorityPublic, \SpendAuthorityPrivate)$ and a $\transmitPublicAlgorithm$ key
pair $(\TransmitPublic, \TransmitPrivate)$. The private $\PrivateAddress$ is called
a $\privateAddress$ and is a tuple $(\SpendAuthorityPrivate, \TransmitPrivate)$
consisting of the respective \emph{private} components of the aforementioned
$\spendAuthority$ and $\transmitPublicAlgorithm$ key pairs.
Although users can accept payment from multiple parties with a single
$\PublicAddress$ without those parties being aware of one another, it is still recommended to
generate a new address for each expected transaction to maximize privacy in the
event that multiple sending parties are compromised or collude.
\subsection{Coins}
A \coin (denoted $\Coin$) is a tuple $(\SpendAuthorityPublic, \Value,
\CoinAddressRand, \CoinCommitRand)$ which represents that a value $\Value$ is
spendable by the recipient who holds the $\spendAuthority$ key pair
$(\SpendAuthorityPublic, \SpendAuthorityPrivate)$ such that
$\SpendAuthorityPublic = \PRFaddr{\SpendAuthorityPrivate}(0)$. $\CoinAddressRand$ and
$\CoinCommitRand$ are tokens randomly generated by the sender. Only a hash of
these values is disclosed publicly, which allows these random tokens to blind the
value and recipient \emph{except} to those who possess these tokens.
\subparagraph{In-band secret distribution}
In order to transmit the secret $\Value$, $\CoinAddressRand$ and $\CoinCommitRand$
to the recipient (necessary for the recipient to later spend) \emph{without}
requiring an out-of-band communication channel, the $\transmitPublicAlgorithm$
public key $\TransmitPublic$ is used to encrypt these secrets to form a
\transmittedCiphertext. The recipient's possession of the associated
$(\PublicAddress, \PrivateAddress)$ (which contains both $\SpendAuthorityPublic$ and
$\TransmitPrivate$) is used to reconstruct the original \coin.
\subparagraph{Coin Commitments}
The underlying $\Value$ and $\SpendAuthorityPublic$ are blinded with $\CoinAddressRand$
and $\CoinCommitRand$ using the collision-resistant hash function $\CRH$ in a
multi-layered process. The resulting hash is $\cm = \CoinCommitment{\Coin}$.
\newsavebox{\ihbox}
\begin{lrbox}{\ihbox}
\begin{bytefield}[bitwidth=0.08em]{512}
\bitbox{256}{256 bit $\SpendAuthorityPublic$} &
\bitbox{256}{256 bit $\CoinAddressRand$}
\end{bytefield}
\end{lrbox}
\newsavebox{\ihkbox}
\begin{lrbox}{\ihkbox}
\begin{bytefield}[bitwidth=0.08em]{512}
\bitbox{384}{384 bit $\CoinCommitRand$} &
\bitbox{128}{$\Leading{128}(\InternalHash)$}
\end{bytefield}
\end{lrbox}
\newsavebox{\cmbox}
\begin{lrbox}{\cmbox}
\begin{bytefield}[bitwidth=0.08em]{512}
\bitbox{64}{64 bit $\Value$} &
\bitbox{192}{192 bit padding} &
\bitbox{256}{256 bit $\InternalHashK$}
\end{bytefield}
\end{lrbox}
\begin{equation*}
\begin{aligned}
\InternalHash &:= \CRHbox{\ihbox} \\
\InternalHashK &:= \CRHbox{\ihkbox} \\
\cm &:= \CRHbox{\cmbox}
\end{aligned}
\end{equation*}
\subparagraph{Serials}
A \serialNumber (denoted $\sn$) equals
$\PRFsn{\SpendAuthorityPrivate}(\CoinAddressRand)$. A \coin is spent by proving
knowledge of $\CoinAddressRand$ and $\SpendAuthorityPrivate$ in zero knowledge while
disclosing $\sn$, allowing $\sn$ to be used to prevent double-spending.
\subsection{Coin Commitment Tree}
\begin{center}
\includegraphics[scale=.4]{incremental_merkle}
\end{center}
The \coinCommitmentTree is an \incrementalMerkleTree of depth $\MerkleDepth$ used to
store \coinCommitments that \PourTransfers produce. Like the \term{unspent
transaction output set} (UTXO) used in \Bitcoin, it is used to express the existence
of value and the capability to spend it. However, unlike the UTXO, it is \emph{not}
the job of this tree to protect against double-spending, as it is append-only.
Blocks in the blockchain are associated (by all nodes) with the root of this tree
after all of its constituent \PourDescriptions' \coinCommitments have been
entered into the tree associated with the previous block.
\subsection{Spent Serials Map}
Transactions insert \serialNumbers into a \spentSerialsMap which is maintained
alongside the UTXO by all nodes.
\eli{a tx is just a string, so it doesn't insert anything. Rather, nodes process
tx's and the ``good'' ones lead to the addition of serials to the spent serials
map.}
Transactions that attempt to insert a \serialNumber into this map that already
exists within it are invalid as they are attempting to double-spend.
\eli{After defining \term{transaction}, one should define what a \term{legal tx} is
(this definition depends on a particular blockchain [view]) and only then can one
talk about ``attempts'' of transactions, and insertions of serial numbers into the
spent serials map.}
\subsection{The Blockchain}
At a given point in time, the \blockchainview of each \fullnode consists of a
sequence of one or more valid \blocks. Each \block consists of a sequence of one or
more \transactions. In a given node's \blockchainview, \treestates are chained in an
obvious way:
\begin{itemize}
\item The input \treestate of the first \block is the empty \treestate.
\item The input \treestate of the first \transaction of a \block is the final
\treestate of the immediately preceding \block.
\item The input \treestate of each subsequent \transaction in a \block is the
output \treestate of the immediately preceding \transaction.
\item The final \treestate of a \block is the output \treestate of its last
\transaction.
\end{itemize}
An \anchor is a Merkle tree root of a \treestate, and uniquely identifies that
\treestate given the assumed security properties of the Merkle tree's hash function.
Each \transaction is associated with a sequence of \PourDescriptions. TODO They also have
a transparent value flow that interacts with the Pour $\vpubOld$ and $\vpubNew$.
Inputs and outputs are associated with a value.
The total value of the outputs must not exceed the total value of the inputs.
The \anchor of the first \PourDescription in a \transaction must refer to some
earlier \block's final \treestate.
The \anchor of each subsequent \PourDescription may refer either to some earlier
\block's final \treestate, or to the output \treestate of the immediately preceding
\PourDescription.
These conditions act as constraints on the blocks that a \fullnode will
accept into its \blockchainview.
We rely on Bitcoin-style consensus for \fullnodes to eventually converge on their
views of valid \blocks, and therefore of the sequence of \treestates in those
\blocks.
\subparagraph{Value pool}
Transaction inputs insert value into a \term{value pool}, and transaction outputs
remove value from this pool. The remaining value in the pool is available to miners
as a fee.
\section{Pour Transfers and Descriptions}
A \PourDescription is data included in a \block that describes a \PourTransfer,
i.e.\ a confidential value transfer. This kind of value transfer is the primary
\Zerocash-specific operation performed by transactions; it uses, but should not be
confused with, the \PourCircuit used for the \zkSNARK proof and verification.
A \PourTransfer spends $\NOld$ \coins $\cOld{1..\NOld}$ and creates $\NNew$ \coins
$\cNew{1..\NNew}$. \Zcash transactions have an additional field $\vpour$, which is a
sequence of \PourDescriptions.
Each \PourDescription consists of:
\begin{list}{}{}
\item $\vpubOldField$ which is a value $\vpubOld$ that the \PourTransfer removes
from the value pool.
\item $\vpubNewField$ which is a value $\vpubNew$ that the \PourTransfer inserts
into the value pool.
\item $\anchorField$ which is a merkle root $\rt$ of the \coinCommitmentTree at
some block height in the past, or the merkle root produced by a previous pour in
this transaction. \sean{We need to be more specific here.}
\item $\scriptSig$ which is a \script that creates conditions for acceptance of a
\PourDescription in a transaction. The $\SHA$ hash of this value is $\hSig$.
\daira{Why $\SHA$ and not $\SHAOrig$? The script is variable-length.}
\item $\scriptPubKey$ which is a \script used to satisfy the conditions of the
$\scriptSig$.
\item $\serials$ which is an $\NOld$ size sequence of serials $\snOld{1..\NOld}$.
\item $\commitments$ which is a $\NNew$ size sequence of \coinCommitments
$\cmNew{1..\NNew}$.
\item $\TransmitCiphertexts$ which is a $\NNew$ size sequence each element of which
is a \transmittedCiphertext.
\item $\vmacs$ which is a $\NOld$ size sequence of message authentication tags
$\h{1..\NOld}$ that bind $\hSig$ to each $\SpendAuthorityPrivate$ of the
\PourDescription.
\item $\zkproof$ which is the zero-knowledge proof $\PourProof$.
\end{list}
\subparagraph{Merkle root validity}
A \PourDescription is valid only if $\rt$ is either a \coinCommitmentTree root found in
the blockchain, or the merkle root produced by inserting the \coinCommitments
of a previous \PourDescription in the transaction into the \coinCommitmentTree
identified by that previous \PourDescription's \anchor.
\subparagraph{Non-malleability}
A \PourDescription is valid only if the script formed by appending $\scriptPubKey$ to
$\scriptSig$ returns $\mathit{true}$. The $\scriptSig$ is cryptographically bound to
$\PourProof$.
\subparagraph{Balance}
A \PourTransfer can be seen, from the perspective of the transaction, as an
input and an output simultaneously. $\vpubOld$ takes value from the value pool and
$\vpubNew$ adds value to the value pool. As a result, $\vpubOld$ is treated like an
\emph{output} value, whereas $\vpubNew$ is treated like an \emph{input} value.
\subparagraph{Commitments and Serials}
A \transaction that contains one or more \PourDescriptions, when entered into the
blockchain, appends to the \coinCommitmentTree with all constituent
\coinCommitments. All of the constituent \serialNumbers are also entered into the
\spentSerialsMap of the \blockchainview \emph{and} \mempool. A \transaction is not
valid if it attempts to add a \serialNumber to the \spentSerialsMap that already
exists in the map.
\subsection{Pour Circuit and Proofs}
In \Zcash, $\NOld$ and $\NNew$ are both $2$.
A valid instance of $\PourProof$ assures that given a \term{primary input}
$(\rt, \snOld{1..\NOld}, \cmNew{1..\NNew}, \vpubOld, \vpubNew, \hSig, \h{1..\NOld})$,
a witness of \term{auxiliary input}
$(\treepath{1..\NOld}, \cOld{1..\NOld}, \SpendAuthorityPrivateOld{1..\NOld}, \cNew{1..\NNew})$
exists, where:
\begin{list}{}{}
\item for each $i \in \{1..\NOld\}$: $\cOld{i} = (\SpendAuthorityPublicOld{i},
\vOld{i}, \CoinAddressRandOld{i}, \CoinCommitRandOld{i})$
\item for each $i \in \{1..\NNew\}$: $\cNew{i} = (\SpendAuthorityPublicNew{i},
\vNew{i}, \CoinAddressRandNew{i}, \CoinCommitRandNew{i})$
\item The following conditions hold:
\end{list}
\subparagraph{Merkle path validity}
for each $i \in \{1..\NOld\}$ such that $\vOld{i} \neq 0$: $\treepath{i}$ must be a valid path
of depth $\MerkleDepth$ from $\CoinCommitment{\cOld{i}}$ to the \coinCommitmentTree
root $\rt$.
\subparagraph{Balance}
$\vpubOld + \vsum{i=1}{\NOld} \vOld{i} = \vpubNew + \vsum{i=1}{\NNew} \vNew{i}$.
\subparagraph{Serial integrity}
for each $i \in \{1..\NOld\}$:
$\snOld{i} = \PRFsn{\SpendAuthorityPrivateOld{i}}(\CoinAddressRandOld{i})$.
\subparagraph{Spend authority}
for each $i \in \{1..\NOld\}$:
$\SpendAuthorityPublicOld{i} = \PRFaddr{\SpendAuthorityPrivateOld{i}}(0)$.
\subparagraph{Non-malleability}
for each $i \in \{1..\NOld\}$: $\h{i} = \PRFpk{\SpendAuthorityPrivateOld{i}}(i, \hSig)$.
\subparagraph{Commitment integrity}
for each $i \in \{1..\NNew\}$: $\cmNew{i} = \CoinCommitment{\cNew{i}}$.
\section{Encoding Addresses, Private keys, Coins, and Pour descriptions}
This section describes how \Zcash encodes public addresses, private keys,
coins, and \PourDescriptions.
Addresses, keys, and coins can be encoded as a byte string; this is called
the \term{raw encoding}. This byte string can then be further encoded using
|
2016-01-26 15:36:29 -08:00
|
|
|
Base58Check. The Base58Check layer is the same as for upstream \Bitcoin
|
|
|
|
addresses \cite{Base58Check}.
SHA-256 compression function outputs are always represented as strings of 32
bytes.
The language consisting of the following encoding possibilities is prefix-free.
\subsection{Transparent Public Addresses}
These are encoded in the same way as in \Bitcoin~\cite{Base58Check}.
\subsection{Transparent Private Keys}
These are encoded in the same way as in \Bitcoin~\cite{Base58Check}.
\subsection{Confidential Public Addresses}
A confidential address consists of $\SpendAuthorityPublic$ and $\TransmitPublic$.
$\SpendAuthorityPublic$ is a SHA-256 compression function output.
$\TransmitPublic$ is an encryption public key (currently ECIES, but this may
change to Curve25519/crypto\_box\_seal), which represents an equivalence class
of two points sharing an $x$ coordinate on an elliptic curve.
\subsubsection{Raw Encoding}
The raw encoding of a confidential address consists of:
\begin{equation*}
\begin{bytefield}[bitwidth=0.07em]{520}
\bitbox{80}{$\PublicAddressLeadByte$} &
\bitbox{256}{$\SpendAuthorityPublic$ (32 bytes)} &
\bitbox{256}{A 33-byte encoding of $\TransmitPublic$}
\end{bytefield}
\end{equation*}
\begin{itemize}
\item A byte, $\PublicAddressLeadByte$, indicating this version of the
raw encoding of a \Zcash public address.
\item 32 bytes specifying $\SpendAuthorityPublic$.
\item An encoding of $\TransmitPublic$: The byte $\mathbf{0x01}$, followed by 32 bytes
representing the $x$ coordinate of an elliptic curve point according to
the $\mathsf{FE2OSP}$ primitive specified in section 5.5.4 of IEEE Std 1363-2000.
[Non-normative note: Since the curve is over a prime field, this is just
the 32-byte big-endian representation of the $x$ coordinate. The
overall encoding matches the $\mathsf{EC2OSP{\mhyphen}X}$ primitive
specified in section 5.5.6.3 of IEEE Std 1363a-2004. It does not
matter which of the two points with the same $x$ coordinate is used.]
\end{itemize}
\daira{check that this lead byte is distinct from other Bitcoin stuff,
and produces `z' as the Base58Check leading character.}
\nathan{what about the network version byte?}
\daira{add bibliographic references for the IEEE standards.}
\subsection{Confidential Address Secrets}
A confidential address secret consists of $\SpendAuthorityPrivate$ and
$\TransmitPrivate$. $\SpendAuthorityPrivate$ is a SHA-256 compression function
output. $\TransmitPrivate$ is an encryption private key (currently ECIES), which
is an integer.
\subsubsection{Raw Encoding}
The raw encoding of a confidential address secret consists of, in order:
\begin{equation*}
\begin{bytefield}[bitwidth=0.07em]{520}
\bitbox{80}{$\PrivateAddressLeadByte$} &
\bitbox{256}{$\SpendAuthorityPrivate$ (32 bytes)} &
\bitbox{256}{$\TransmitPrivate$ (32 bytes)}
\end{bytefield}
\end{equation*}
\begin{itemize}
\item A byte $\PrivateAddressLeadByte$ indicating this version of the
raw encoding of a \Zcash private key.
\item 32 bytes specifying $\SpendAuthorityPrivate$.
\item 32 bytes specifying a big-endian encoding of $\TransmitPrivate$.
\end{itemize}
\daira{check that this lead byte is distinct from other Bitcoin stuff,
and produces `z' as the Base58Check leading character.}
\nathan{what about the network version byte?}
\subsection{Coins}
Transmitted coins are stored on the blockchain in encrypted form, together with
a \coinCommitment $\cm$.
A \transmittedCiphertext is an ECIES encryption of a \transmittedPlaintext to a
\transmitPublicAlgorithm key $\TransmitPublic$.
A \transmittedPlaintext consists of $(\Value, \CoinAddressRand, \CoinCommitRand)$,
where:
\begin{itemize}
\item $\Value$ is a 64-bit unsigned integer representing the value of the
\coin in \zatoshi (1 \ZEC = $10^8$ \zatoshi).
\item $\CoinAddressRand$ is a 32-byte $\PRFsn{\SpendAuthorityPrivate}$ seed.
\item $\CoinCommitRand$ is a 32-byte \COMMtrapdoor.
\end{itemize}
Note that the value $\mathsf{s}$ described as being part of a coin in the \Zerocash
paper is not encoded because it is fixed to zero.
\subsubsection{Raw Encoding}
The raw encoding of a \transmittedPlaintext consists of, in order:
\begin{equation*}
\begin{bytefield}[bitwidth=0.05em]{200}
\bitbox{80}{$\TransmitPlaintextVersionByte$} &
\bitbox{230}{$\Value$ (8 bytes, big-endian)} &
\bitbox{230}{$\CoinAddressRand$ (32 bytes)} &
\bitbox{230}{$\CoinCommitRand$ (32 bytes)}
\end{bytefield}
\end{equation*}
\begin{itemize}
\item A byte $\TransmitPlaintextVersionByte$ indicating this version of the raw
encoding of a \transmittedPlaintext.
\item 8 bytes specifying a big-endian encoding of $\Value$.
\item 32 bytes specifying $\CoinAddressRand$.
\item 32 bytes specifying $\CoinCommitRand$.
\end{itemize}
\section{Pours (within a transaction on the blockchain)}
TBD.
\section{Transactions}
TBD.
\section{References}
\begingroup
\renewcommand{\section}[2]{}
\bibliographystyle{plain}
\bibliography{zcash}
\endgroup
\end{document}