\Zcash is an implementation of the \emph{decentralized anonymous payment} (DAP) scheme \Zerocash with minor adjustments to terminology, functionality and performance. It bridges the existing value transfer scheme used by Bitcoin with an anonymous payment scheme protected by zero-knowledge succinct non-interactive arguments of knowledge (\textbf{zk-SNARK}s).
$\CRH$ is a collision-resistant hash function. In \Zcash, the $\SHAName$ function is used which takes a 512-bit block and produces a 256-bit hash. This is different from the $\SHAOrig$ function, which hashes arbitrary-length strings.
$\PRF{x}{}$ is a pseudo-random function seeded by $x$. Three \textit{independent}$\PRF{x}{}$ are needed in our scheme: $\PRFaddr{x}$, $\PRFsn{x}$, and $\PRFpk{x}{i}$. It is required that $\PRFsn{x}$ be collision-resistant in order to prevent a double-spending attack \eli{I don't see how to use a collision to double spend. If anything, a collision in $\PRFpk{x}{i}$ seems more usable to double spend}. In \Zcash, the $\SHAName$ function is used to seed all three of these functions. The bits $\mathtt{00}$, $\mathtt{01}$ and $\mathtt{10}$ are included (respectively) within the blocks that are hashed, ensuring that the functions are independent.
A keypair $(\PublicAddress, \PrivateAddress)$ is generated by a user any time they wish to receive value from another in the system \eli{The previous sentence seems to imply that a fresh pair is needed for each new receive, but this isn't the case. Perhaps change to ``To receive/pay values in the system, a user must set-up a key pair \ldots; differing from Bitcoin, replacing keys is not needed to protect privacy.''}. The public $\PublicAddress$ is called a $\PublicAddressName$ and is a tuple $(\SpendAuthorityPublic, \TransmitPublic)$ which are the public components of a $\SpendAuthorityName$ keypair $(\SpendAuthorityPublic, \SpendAuthorityPrivate)$ and a $\TransmitName$ keypair $(\TransmitPublic, \TransmitPrivate)$. The private $\PrivateAddress$ is called a $\PrivateAddressName$ and is a tuple $(\SpendAuthorityPrivate, \TransmitPrivate)$ which are the respective \textit{private} components of the aforementioned $\SpendAuthorityName$ and $\TransmitName$ keypairs.
A bucket (denoted $\Bucket$) is a tuple $(\Value, \SpendAuthorityPublic_{i}, \BucketRand, \BucketAddressRand)$\eli{subscript $i$ should be removed from bucket} which represents that a value $\Value$ is spendable by the recipient who holds the $\SpendAuthorityName$ keypair $(\SpendAuthorityPublic, \SpendAuthorityPrivate)$\eli{more precise: any user that knows $\SpendAuthorityPrivate$ such that $\SpendAuthorityPublic=\PRFaddr{\SpendAuthorityPrivate}(0)$}. $\BucketRand$ and $\BucketAddressRand$ are randomly generated tokens which are used to blind the value and recipient \textit{except} to those who possess these tokens. \eli{last sentence unclear. Zcash transactions contain only hashes of financial information
(like $\Value$ and $\SpendAuthorityPublic$) and $\BucketRand$ and $\BucketAddressRand$ are used to hide this data.}
In order to send the secret $\Value$, $\BucketRand$ and $\BucketAddressRand$ to the recipient (necessary for the recipient to later spend) \textit{without} requiring an out-of-band communication channel, the $\TransmitName$ public key $\TransmitPublic$ is used to encrypt these secrets to form an \textit{encrypted bucket}. The recipient's possession of the associated $(\PublicAddress, \PrivateAddress)$ (which contains both $\SpendAuthorityPublic$ and $\TransmitPrivate$) is used to reconstruct the original bucket.
\subparagraph{Bucket commitments}
The underlying $\Value$ and $\SpendAuthorityPublic$ are blinded with $\BucketRand$ and $\BucketAddressRand$ using the collision-resistant hash function $\CRH$ in a multi-layered process. The resulting hash $\bm$ is called a \textit{bucket commitment}.
A serial $\sn$\eli{serial serial number?} is produced by \eli{equals?}$\PRFsn{\SpendAuthorityPrivate}(\BucketAddressRand)$. Part of the process of spending a bucket is disclosing this serial without disclosing either $\BucketAddressRand$ or $\SpendAuthorityPrivate$. This allows it to be used to prevent double-spending. \eli{More precise: \emph{Knowledge} of $\BucketAddressRand$ and $\SpendAuthorityPrivate$ is required to spend a bucket. Knowledge of $\BucketAddressRand$ and $\SpendAuthorityPrivate$ is proved without revealing it explicitly via a
The bucket commitment tree is an \textit{incremental merkle tree} of depth $\MerkleDepth$ used to store bucket commitments that transactions produce. Just as the \textit{unspent transaction output set} (UTXO) used in Bitcoin proper, it is used to express the existence of value and the capability to spend it. However, unlike the UTXO, it is \textit{not} the job of this tree to protect against double-spending, as it is append-only.
\subparagraph{}
Blocks in the blockchain are associated (by all nodes) with the root of this tree after all of its constituent transactions' bucket commitments have been entered into the tree associated with the previous block.
\eli{Would be good to formally define the structure of a transaction, similar to the way a bucket is defined (as a quadruple).}
Transactions insert \eli{a tx is just a string, so it doesn't insert anything. Rather, nodes process tx's and the ``good'' ones lead to the addition of serials to the spent serials map.} serials into a \textit{spent serials map} which is maintained alongside the UTXO by all nodes. Transactions that attempt to insert a serial into this map that already exists within it are invalid as they are attempting to double-spend. \eli{After defining \emph{transaction}, one should define what a \emph{legal tx} is (this definition depends on a particular blockchain) and only then can one talk about ``attempts'' of transactions, and insertions of serial numbers into the spent serials map.}
\eli{Please formally define what a tx is. I don't think it's merely a sequence of inputs and outputs. The outputs are probably buckets (as defined above) and maybe the inputs are, too. Perhaps one should talk about a tx-bucket (which is unhidden) and a tx which is mostly hashed-stuff + a SNARK)}
Bitcoin transactions consist of a vector \eli{sequence? vector implies ``vector space'' which doens't exist here} of inputs ($\mathtt{vin}$) and a vector of outputs ($\mathtt{vout}$). Inputs and outputs are associated with a value \eli{assuing a tx-bucket is a pair of sequences --- an input-sequence and an output-sequence, and each sequence is a sequence of buckets, one should define the in-value of the tx-bucket as the sum of values in the in-buckets (ditto for out-value) and the remaining value is their difference}. The total value of the outputs must not exceed the total value of the inputs.
Transaction inputs insert value into a \textit{value pool}, and transaction outputs remove value from this pool. The remaining value in the pool is available to miners as a fee.
\eli{Hmm, I think things are starting to get confused here, let's try to clarify the theory/crypto. Informally, buckets and transactions are \emph{data}, whereas Pour is best thought of as a \emph{circuit} that outputs either $1$ (``true'') or $0$ (``false''). The theory of SNARKs (as supported by libsnark) is such that if the circuit outputs ``true'' then you can generate a SNARK for that set of inputs, and otherwise you can't (its cryptographically infeasible to do so). So we should describe formally what the \emph{inputs} to the Pour circuit are, and then define the \emph{computation preformed} by the Pour circuit, i.e., describe how it decides whether to output $0$ or $1$. More below}
$\Pour$s are the primary operations \eli{In the academic paper, a Pour is a circuit (that defines an NP-language), and that circuit is the most crucial part of the construction. So if you want to use ``Pour'' to describe the algorithm that generates a tx, you'll be (i) deviating from the academic paper in a rather confusing way and (ii) you still need to define the ``Pour-circuit'' which is at the heart of the construction} performed by transactions that interact with our scheme. In principle, it is the action of spending $\Nold$ buckets $\bOld{}$ and creating $\Nnew$ buckets $\bNew{}$. \Zcash transactions have an additional field $\vpour$, which is a vector of $\Pour$s. Each $\Pour$ consists of:
\item$\vpubOld$ which is a value $\vpubold$ that the pour removes from the value pool.
\item$\vpubNew$ which is a value $\vpubnew$ that the pour inserts into the value pool.
\item$\anchor$ which is a merkle root $\rt$ of the bucket commitment tree at some block height in the past, or the merkle root produced by a previous pour in this transaction. \textbf{(TODO: clarify this)}
\item$\scriptSig$ which is a Bitcoin script which creates conditions for acceptance of a $\Pour$ in a transaction. The $\SHA$ hash of this value is $\hSig$.
\item$\scriptPubKey$ which is a Bitcoin script used to satisfy the conditions of the $\scriptSig$.
\item$\serials$ which is an $\Nold$ size vector of serials $\sn^{old}_{1}, \sn^{old}_{2}, ..., \sn^{old}_{\Nold}$.
\item$\commitments$ which is a $\Nnew$ size vector of bucket commitments $\bm^{new}_{1}, \bm^{new}_{2}, ..., \bm^{new}_{\Nnew}$.
\item$\encryptedBuckets$ which is a $\Nnew$ size vector of encrypted buckets.
\item$\vmacs$ which is a $\Nold$ size vector of message authentication codes $h$ which bind $\hSig$ to each $\SpendAuthorityPrivate$ of the $\Pour$.
\item$\zkproof$ which is the zero-knowledge proof $\PourProof$.
\end{list}
\subparagraph{Merkle root validity}
A $\Pour$ is valid if $\rt$ is a bucket commitment tree root found in either the blockchain or a merkle root produced by inserting the bucket commitments of a previous $\Pour$ in the transaction to the bucket commitment tree identified by that previous $\Pour$'s $\anchor$.
\subparagraph{Non-malleability}
A $\Pour$ is valid if the script formed by appending $\scriptPubKey$ to $\scriptSig$ returns $true$. The $\scriptSig$ is cryptographically bound to $\PourProof$.
\subparagraph{Balance}
A $\Pour$ can be seen, from the perspective of the transaction, as an input and an output simultaneously. $\vpubOld$ takes value from the value pool and $\vpubNew$ adds value to the value pool. As a result, $\vpubOld$ is treated like an \textit{output} value, whereas $\vpubNew$ is treated like an \textit{input} value.
\subparagraph{Commitments and Serials}
Transactions which contain $\Pour$s, when entered into the blockchain, append to the bucket commitment tree with all constituent bucket commitments. All of the constituent serials are also entered into the spent serials map of the blockchain \textit{and} mempool. Transactions are not valid if they attempt to add a serial to the spent serials map that already exists.
\subsection{$\PourProof$}
\subparagraph{}
In \Zcash, $\Nold$ and $\Nnew$ are both $2$.
\subparagraph{}
A valid instance of $\PourProof$ assures that given a \textit{primary input} ($\rt$, $\sn^{old}_{1}$, $\sn^{old}_{2}$, $\bm^{new}_{1}$, $\bm^{new}_{2}$, $\vpubold$, $\vpubnew$, $\hSig$, $h_1$, $h_2$), a witness of \textit{auxiliary input} ($\path{1}$, $\path{2}$, $\bOld{1}$, $\bOld{2}$, $\SpendAuthorityPrivate^{old}_1$, $\SpendAuthorityPrivate^{old}_2$, $\bNew{1}$, $\bNew{2}$) exists, where:
\begin{list}{}{}
\item for each $i \in\{1, 2\}$: $\bOld{i}$ = $(\vOld{i}, \SpendAuthorityPublic^{old}_i, \BucketRand^{old}_i, \BucketAddressRand^{old}_i)$
\item for each $i \in\{1, 2\}$: $\bNew{i}$ = $(\vNew{i}, \SpendAuthorityPublic^{new}_i, \BucketRand^{new}_i, \BucketAddressRand^{new}_i)$.
\item The following conditions hold:
\end{list}
\subparagraph{Merkle path validity}
for each $i \in\{1, 2\}$$\mid$$\vOld{i}\neq0$: $\path{i}$ must be a valid path of depth $\MerkleDepth$ from \linebreak$\BucketCommitment{\bOld{i}}$ to bucket commitment merkle tree root $\rt$.