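\documentclass{article}

% Package loading. Order matters: hyperref is loaded after the packages it
% patches, and cleveref after hyperref (its documented requirement).
\usepackage[utf8]{inputenc}
\usepackage[T1]{fontenc}
\usepackage{amsmath}
\usepackage{amsthm}
\usepackage{bytefield}
\usepackage{graphicx}
% NOTE(review): the newtx documentation recommends loading newtxmath after the
% text font packages; the text fonts (lmodern, quattrocento) are loaded further
% down this preamble -- confirm the resulting math/text metrics are as intended.
\usepackage{newtxmath}
\usepackage{mathtools}
\usepackage{xspace}
\usepackage{url}
\usepackage{changepage}
\usepackage{enumitem}
\usepackage{tabularx}
\usepackage{hhline}
\usepackage[usestackEOL]{stackengine}
\usepackage{comment}
\usepackage{needspace}
\usepackage[nobottomtitles]{titlesec}
\usepackage[hang]{footmisc}
\usepackage{xstring}
\usepackage[usenames,dvipsnames]{xcolor}
% The unicode option is what allows raw Unicode characters (used by the
% \texorpdfstring fallbacks later in this preamble) to appear in PDF strings.
\usepackage[unicode,bookmarksnumbered,bookmarksopen,allbordercolors=MidnightBlue,
            citebordercolor=Plum,urlbordercolor=BrickRed]{hyperref}
\usepackage{cleveref}
\usepackage{nameref}
\usepackage{etoolbox}
\usepackage{subdepth}
% NOTE(review): fix-cm is documented to be loaded with \RequirePackage *before*
% \documentclass; here it is loaded late, and with lmodern in use its effect is
% probably minimal -- confirm it is still needed for the custom \fontsize
% sizes defined later in the preamble.
\usepackage{fix-cm}
\usepackage{hyphenat}
\usepackage{tocloft}
\usepackage[style=alphabetic,maxbibnames=99,dateabbrev=false,urldate=iso8601,
            backref=true,backrefstyle=none,backend=biber]{biblatex}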
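\addbibresource{zcash.bib}

% Fonts
\usepackage{lmodern}
\usepackage{quattrocento}
\usepackage[bb=ams]{mathalfa}
\usepackage[scr]{rsfso}
%\usepackage{txfonts}

% Quattrocento is beautiful but doesn't have an italic face. So we scale
% New Century Schoolbook italic to fit in with slanted Quattrocento and
% match its x height.
% (This has the side effect of making all italic text into boxes, so
% it won't linebreak, which has pluses and minuses.)
% Note that this also replaces the standard \emph nesting behaviour
% (italic inside italic becoming upright): the argument is always \textit.
\renewcommand{\emph}[1]{\hspace{0.15em}{\fontfamily{pnc}\selectfont\scalebox{1.02}[0.999]{\textit{#1}}}\hspace{0.02em}}

% While we're at it, let's match the tt x height to Quattrocento as well,
% and compress it a little to save space in tables.
% (Same boxing side effect as \emph above: \scalebox output cannot linebreak.)
\let\oldtexttt\texttt
\let\oldmathtt\mathtt
\renewcommand{\texttt}[1]{\scalebox{0.97}[1.07]{\oldtexttt{#1}}}
\renewcommand{\mathtt}[1]{\scalebox{0.97}[1.07]{$\oldmathtt{#1}$}}

% bold but not extended
\newcommand{\textbnx}[1]{{\fontseries{b}\selectfont #1}}

% cleveref format for references to footnote labels: #1 is the footnote
% number, #2/#3 the hyperlink start and end.
\crefformat{footnote}{#2\footnotemark[#1]#3}

% Alphabetic citation labels are simply the BibTeX citation key.
\DeclareLabelalphaTemplate{
  \labelelement{\field{citekey}}
}
\DefineBibliographyStrings{english}{
  page = {page},
  pages = {pages},
  backrefpage = {\mbox{$\uparrow$p\!}},
  backrefpages = {\mbox{$\uparrow$p\!}}
}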
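% Page layout: wide text block, no paragraph indentation.
\setlength{\oddsidemargin}{-0.25in}
\setlength{\textwidth}{7in}
\setlength{\topmargin}{-0.75in}
\setlength{\textheight}{9.2in}

\setlength{\parindent}{0ex}

% Row spacing for all tabular/array environments; kept in a macro so that
% tables can restore the default after changing it locally.
\newcommand{\defaultarraystretch}{1.4}
\renewcommand{\arraystretch}{\defaultarraystretch}

% Width reserved for page numbers in the table of contents.
% <https://tex.stackexchange.com/a/49898/78411>
\makeatletter
\renewcommand{\@pnumwidth}{2em}
\makeatother

% Page numbers in the ToC are set in New Century Schoolbook with a strut.
\newcommand{\pagenumfont}{\fontfamily{pnc}\selectfont\rule[-.2\baselineskip]{0pt}{1.35\baselineskip}}
\renewcommand{\cftsecpagefont}{\pagenumfont}
\renewcommand{\cftsubsecpagefont}{\pagenumfont}
\renewcommand{\cftsubsubsecpagefont}{\pagenumfont}
\renewcommand{\cftparapagefont}{\pagenumfont}

% Tolerate 1pt of overfull before warning; anything worse is marked in the
% output with a visible 2cm black rule. That rule is a draft-checking aid --
% presumably it is meant to be 0pt for a release build, or the bars end up in
% the published PDF.
\hfuzz=1pt
\overfullrule=2cm

% Footnote spacing.
\setlength{\footnotemargin}{0.6em}
\setlength{\footnotesep}{2ex}
\addtolength{\skip\footins}{3ex}
\renewcommand{\bottomtitlespace}{8ex}
% Use rubber lengths between paragraphs to improve default pagination.
% <https://tex.stackexchange.com/questions/17178/vertical-spacing-pagination-and-ideal-results>
\setlength{\parskip}{1.5ex plus 1pt minus 1pt}
\setlength{\bibitemsep}{1.2ex} % default is too cramped!

% List environments (enumitem). compactitemize, formulae and lines are
% itemize variants with tighter spacing; formulae and lines have no bullet.
\setlist[enumerate]{before=\vspace{-0.8ex}}
\setlist[itemize]{itemsep=0.5ex,topsep=0.2ex,before=\vspace{-0.8ex},after=\vspace{1.5ex}}
\newlist{compactitemize}{itemize}{3}
\setlist[compactitemize]{itemsep=-1ex,topsep=0ex,before=\vspace{-0.2ex},leftmargin=1.2em,label=$\cdot$,after=\vspace{-3.3ex}}

\newlist{formulae}{itemize}{3}
\setlist[formulae]{itemsep=0.2ex,topsep=0ex,leftmargin=1.5em,label=,after=\vspace{1.5ex}}

\newlist{lines}{itemize}{3}
\setlist[lines]{itemsep=-0.5ex,topsep=0ex,before=\vspace{1ex},leftmargin=1.6em,label=,after=\vspace{1ex}}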
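% Document metadata. \docversion and the issapling toggle get fallback values
% here; protocol.ver, if present in the build directory, is read next and is
% expected to override \docversion (the fallback text says so). Presumably it
% also sets the issapling toggle for the Sapling build -- confirm against the
% build scripts. Missing protocol.ver is silently tolerated (both branches of
% \InputIfFileExists are empty), so the fallback text is what a reader sees.
\newcommand{\docversion}{Version unavailable (check protocol.ver)}
\newcommand{\SaplingSpec}{Overwinter+Sapling}
\newtoggle{issapling}
\togglefalse{issapling}
\InputIfFileExists{protocol.ver}{}{}
\newcommand{\doctitle}{Zcash Protocol Specification}
\newcommand{\leadauthor}{Daira Hopwood}
\newcommand{\coauthora}{Sean Bowe}
\newcommand{\coauthorb}{Taylor Hornby}
\newcommand{\coauthorc}{Nathan Wilcox}
\newcommand{\keywords}{anonymity, applications, cryptographic protocols,\
electronic commerce and payment, financial privacy, proof of work, zero knowledge}

\hypersetup{
  pdfborderstyle={/S/U/W 0.7},
  pdfinfo={
    Title={\doctitle, \docversion},
    Author={\leadauthor, \coauthora, \coauthorb, \coauthorc},
    Keywords={\keywords}
  }
}

% Footnote symbols: dagger, double dagger, section, pilcrow (the kernel's
% sequence starts with an asterisk, which is omitted here).
\makeatletter
\renewcommand*{\@fnsymbol}[1]{\ensuremath{\ifcase#1\or\dagger\or\ddagger\or\mathsection\or\mathparagraph\else\@ctrerr\fi}}
\makeatother

% Intermediate font sizes (size and baseline skip are equal) used for the
% sectioning commands below.
\newcommand{\slightlylarge}{\fontsize{10.5}{10.5}\selectfont}
\newcommand{\notsolarge}{\fontsize{11}{11}\selectfont}
\newcommand{\largeish}{\fontsize{12}{12}\selectfont}
\newcommand{\larger}{\fontsize{13}{13}\selectfont}
\newcommand{\Larger}{\fontsize{16}{16}\selectfont}
\titleformat*{\subsection}{\larger\bfseries}
\titleformat*{\subsubsection}{\largeish\bfseries}
\titleformat*{\paragraph}{\notsolarge\bfseries}
\titleformat*{\subparagraph}{\slightlylarge\bfseries}

% Fix the height of citation link underlines.
% Also, biblatex really doesn't want to support Unicode citation labels, but I will not be beaten.
% \linkstrut is an invisible rule as tall as an X in the current font; \smash
% around the label then makes the link box (and its underline) that height.
\newcommand{\linkstrut}{\rule[-0.4ex]{0ex}{\fontcharht\font`X}}
\DeclareFieldFormat{labelalpha}{\linkstrut\smash{\StrSubstitute{#1}{MAEA2010}{MAEÁ2010}}}
\DeclareFieldFormat{postnote}{\linkstrut\smash{#1}}
% \cite wrapper: boxes the citation so it cannot break across lines. It forwards
% a single optional argument (biblatex's postnote); the two-optional-argument
% prenote form of \cite is not available through this wrapper.
\let\oldcite\cite
\renewcommand{\cite}[2][]{\raisebox{0ex}{\oldcite[{#1}]{#2}}}
% \footnote wrapper: adds a hair space before the mark. It takes only the text
% argument, so the kernel's optional [number] argument is not supported.
% \hairspace is defined later in the preamble; that is fine because macro
% bodies are expanded at use time, not at definition time.
\let\oldfootnote\footnote
\renewcommand{\footnote}[1]{\hairspace{\oldfootnote{#1}}}
% Footnote whose label #1 is placed inside the footnote text, so that
% \footnoteref{#1} below refers to the footnote itself.
\newcommand{\footnotewithlabel}[2]{\hairspace\oldfootnote{\label{#1}{#2}}}
% Cross-reference helpers: section number, quoted title and page.
\newcommand{\crossref}[1]{\raisebox{0ex}{\autoref{#1}}\hspace{0.2em}\emph{`\nameref*{#1}\kern -0.05em'} on p.\,\pageref*{#1}}
\newcommand{\theoremref}[1]{\raisebox{0ex}{\autoref{#1}} on p.\,\pageref*{#1}}
\newcommand{\footnoteref}[1]{\hairspace\raisebox{0ex}{\cref{#1}}}
% \autoref to any sectioning level prints just a section sign and the number.
\newcommand{\autorefprefix}{\linkstrut\S\!}
\renewcommand{\sectionautorefname}{\autorefprefix}
\renewcommand{\subsectionautorefname}{\autorefprefix}
\renewcommand{\subsubsectionautorefname}{\autorefprefix}
\renewcommand{\paragraphautorefname}{\autorefprefix}
\renewcommand{\subparagraphautorefname}{\autorefprefix}
%\let\oldhref\href
%\renewcommand{\href}[2]{\raisebox{0ex}{\oldhref{#1}{\linkstrut\smash{#2}}}}
%\let\oldurl\url
%\renewcommand{\url}[1]{\href{#1}{\nolinkurl{#1}}}

% Fourth- and fifth-level headings built on \paragraph/\subparagraph, with a
% forced line break so the heading sits on its own line.
% <https://tex.stackexchange.com/a/60212/78411>
\newcommand{\subsubsubsection}[1]{\paragraph{#1}\mbox{}\\}
\newcommand{\subsubsubsubsection}[1]{\subparagraph{#1}\mbox{}\\}
\setcounter{secnumdepth}{4}
\setcounter{tocdepth}{4}
% Pagination hints: require this much vertical space before starting a list,
% section or part, so headings are not stranded at the bottom of a page.
\newcommand{\introlist}{\needspace{15ex}}
\newcommand{\introsection}{\needspace{35ex}}
\newcommand{\intropart}{\needspace{55ex}}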
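% Math symbols and spacing helpers.

% A hyphen usable inside math-mode identifiers (ASCII 0x2D as a math char).
\mathchardef\mhyphen="2D
% PDF-string fallbacks for bookmarks; the raw ↔ relies on hyperref's unicode option.
\newcommand{\lrarrow}{\texorpdfstring{$\leftrightarrow$}{↔}}
% Using the astral plane character 𝕊 works, but triggers bugs in PDF readers 😛
% (\ParamS is defined elsewhere in the spec sources, not in this preamble.)
\newcommand{\rS}{\texorpdfstring{$\ParamS{r}$}{rS}}

% A small circle from the FdSymbol font, scaled to 40%, used to build the
% hollow colon below.
% <https://tex.stackexchange.com/a/309445/78411>
\DeclareFontFamily{U}{FdSymbolA}{}
\DeclareFontShape{U}{FdSymbolA}{m}{n}{
  <-> s*[.4] FdSymbolA-Regular
}{}
\DeclareSymbolFont{fdsymbol}{U}{FdSymbolA}{m}{n}
\DeclareMathSymbol{\smallcirc}{\mathord}{fdsymbol}{"60}
\makeatletter
% \hollowcolon: two small circles stacked vertically, sized for the current
% math style via \mathpalette (#1 is the style; #2 is always \relax and unused).
\newcommand{\hollowcolon}{\mathpalette\hollow@colon\relax}
\newcommand{\hollow@colon}[2]{%
  \mspace{0.7mu}%
  \vbox{\hbox{$\m@th#1\smallcirc$}\nointerlineskip\kern .45ex\hbox{$\m@th#1\smallcirc$}\kern -.06ex}%
  \mspace{1mu}%
}
\makeatother
% Type-ascription colon with thick spaces either side.
\newcommand{\typecolon}{\;\hollowcolon\;}

% A binary-operator bullet at half size, vertically centred.
% <https://tex.stackexchange.com/a/235120/78411>
\makeatletter
\newcommand*\bigcdot{\mathpalette\bigcdot@{.5}}
\newcommand*\bigcdot@[2]{\mathbin{\vcenter{\hbox{\scalebox{#2}{$\m@th#1\bullet$}}}}}
\makeatother

% We just want one ampersand symbol from boisik.
\DeclareSymbolFont{bskadd}{U}{bskma}{m}{n}
\DeclareFontFamily{U}{bskma}{\skewchar\font 130 }
\DeclareFontShape{U}{bskma}{m}{n}{<->bskma10}{}
\DeclareMathSymbol{\binampersand}{\mathbin}{bskadd}{"EE}

% $v$ is too close to $u$.
% <https://tex.stackexchange.com/questions/130569/sharp-or-angled-v-in-math-mode-varv>
\DeclareSymbolFont{matha}{OML}{txmi}{m}{it}
\DeclareMathSymbol{\varv}{\mathord}{matha}{118}

% Spacing helpers.
\newcommand{\hairspace}{~\!}
\newcommand{\hparen}{\hphantom{(}}
\newcommand{\mhspace}[1]{\mbox{\hspace{#1}}}
\newcommand{\tab}{\hspace{1.5em}}
\newcommand{\raisedstrut}{\raisebox{0.3ex}{\strut}}
\newcommand{\plus}{\hairspace+\hairspace}
% \varv with side bearings adjusted to sit like an ordinary letter; \varvv is
% two of them kerned together.
\newcommand{\vv}{\hspace{0.071em}\varv\hspace{0.064em}}
\newcommand{\varvv}{\varv\kern 0.02em\varv}

% Compact fraction (80% size) with a 0.5pt rule.
\newcommand{\hfrac}[2]{\scalebox{0.8}{$\genfrac{}{}{0.5pt}{0}{#1}{#2}$}}
% Square root with a narrowed radical: the whole thing is squeezed to 64%
% horizontally and the radicand stretched back by 1/0.64 = 1.5625, so only
% the radical sign changes width. The \rlap copy draws the content; the
% second copy (with the radicand phantomed) supplies the width.
\newcommand{\ssqrt}[1]{\rlap{\scalebox{0.64}[1]{$\sqrt{\scalebox{1.5625}[1]{${#1}\strut$}}$}}%
  \hspace{0.005em}\scalebox{0.64}[1]{$\sqrt{\scalebox{1.5625}[1]{$\phantom{#1}\strut$}}$}}
% bytefield \bitbox with a strut so all boxes in a row share a height.
\newcommand{\sbitbox}[2]{\bitbox{#1}{\strut #2}}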
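% <https://en.wikibooks.org/wiki/LaTeX/Colors#The_68_standard_colors_known_to_dvips>

% Inline TODO marker: sans-serif, sepia. (\normalfont\sffamily is what the
% obsolete \sf switch expands to.)
\newcommand{\todo}[1]{{\color{Sepia}\normalfont\sffamily TODO: #1}}
% Redefine xcolor's predefined green to a darker shade; \saplingcolor below
% refers to it.
\definecolor{green}{RGB}{0,100,10}
\newcommand{\changedcolor}{magenta}
\newcommand{\setchanged}{\color{\changedcolor}}
\newcommand{\changed}[1]{\texorpdfstring{{\setchanged{#1}}}{#1}}
\newcommand{\saplingcolor}{green}
\newcommand{\nuzerocolor}{blue}

% Variant-specific markup, selected by the issapling toggle set earlier in the
% preamble. With the toggle on, \sprout text is dropped, \sapling and \nuzero
% text is shown in colour, \optSprout adds a "Sprout" superscript and the page
% gets a faint tint; with it off, \sprout text is shown plainly and the others
% produce nothing.
\iftoggle{issapling}{
  \newcommand{\sprout}[1]{}
  \newcommand{\notsprout}[1]{#1}
  \newcommand{\setsapling}{\color{\saplingcolor}}
  \newcommand{\sapling}[1]{\texorpdfstring{{\setsapling{#1}}}{#1}}
  \newcommand{\setnuzero}{\color{\nuzerocolor}}
  \newcommand{\nuzero}[1]{\texorpdfstring{{\setnuzero{#1}}}{#1}}
  \newcommand{\optSprout}[1]{{#1}^\mathsf{Sprout}}
  \pagecolor{yellow!3}
}{
  \newcommand{\sprout}[1]{#1}
  \newcommand{\notsprout}[1]{}
  \newcommand{\setsapling}{}
  \newcommand{\sapling}[1]{}
  \newcommand{\setnuzero}{}
  \newcommand{\nuzero}[1]{}
  \newcommand{\optSprout}[1]{#1}
}

% Theorem environments: theorems are numbered per subsection; lemmas unnumbered.
\newtheorem{theorem}{Theorem}
\numberwithin{theorem}{subsection}
\newtheorem*{lemma*}{Lemma}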
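% Terminology
%
% Conventions used by the macros in this section:
%   \term{...}        running-text term: slanted, followed by \xspace;
%   \termbf{...}      proper-name term: bold, followed by \xspace;
%   \titleterm{...}   the same term for headings, typeset plainly;
%   \conformance{...} requirement keyword: bold (non-extended), \xspace.
% Lower-case macro names (\nullifier) give the running-text form; capitalised
% names (\Nullifier) give the heading form; an x-prefix (\xNullifier) gives
% the sentence-initial, capitalised running-text form.

\newcommand{\term}[1]{\textsl{#1}\kern 0.05em\xspace}
\newcommand{\titleterm}[1]{#1}
\newcommand{\termbf}[1]{\textbf{#1}\xspace}
\newcommand{\quotedterm}[1]{``~\!\!\term{#1}''}
\newcommand{\conformance}[1]{\textbnx{#1}\xspace}

% Proper names. \SproutOrZcash and friends depend on the \sprout/\notsprout
% variant selectors defined earlier in the preamble.
\newcommand{\Zcash}{\termbf{Zcash}}
\newcommand{\Zerocash}{\termbf{Zerocash}}
\newcommand{\Sprout}{\termbf{Sprout}}
\newcommand{\SproutOrZcash}{\notsprout{\Sprout}\sprout{\Zcash}}
\newcommand{\SproutOrNothing}{\notsprout{\Sprout}}
\newcommand{\pSproutOrNothing}{\notsprout{(\Sprout)}}
\newcommand{\Sapling}{\termbf{Sapling}}
\newcommand{\NUZero}{\termbf{Overwinter}}
\newcommand{\Bitcoin}{\termbf{Bitcoin}}
\newcommand{\CryptoNote}{\termbf{CryptoNote}}
\newcommand{\ZEC}{\termbf{ZEC}}
\newcommand{\zatoshi}{\term{zatoshi}}
\newcommand{\zcashd}{\textsf{zcashd}\,}

% Requirement keywords.
\newcommand{\MUST}{\conformance{MUST}}
\newcommand{\MUSTNOT}{\conformance{MUST NOT}}
\newcommand{\SHOULD}{\conformance{SHOULD}}
\newcommand{\SHOULDNOT}{\conformance{SHOULD NOT}}
\newcommand{\RECOMMENDED}{\conformance{RECOMMENDED}}
\newcommand{\MAY}{\conformance{MAY}}
\newcommand{\ALLCAPS}{\conformance{ALL CAPS}}

% Hyphenated with \hyp (hyphenat) so the word can still break after the hyphen;
% the trailing space inside the braces is deliberate.
\newcommand{\collisionResistant}{collision\hyp resistant }
\newcommand{\collisionResistance}{collision\hyp resistance }

% Notes and commitments.
\newcommand{\note}{\term{note}}
\newcommand{\notes}{\term{notes}}
\newcommand{\Note}{\titleterm{Note}}
\newcommand{\Notes}{\titleterm{Notes}}
\newcommand{\dummy}{\term{dummy}}
\newcommand{\dummyNotes}{\term{dummy notes}}
\newcommand{\DummyNotes}{\titleterm{Dummy Notes}}
\newcommand{\commitmentScheme}{\term{commitment scheme}}
\newcommand{\commitmentSchemes}{\term{commitment schemes}}
\newcommand{\commitmentTrapdoor}{\term{commitment trapdoor}}
\newcommand{\commitmentTrapdoors}{\term{commitment trapdoors}}
\newcommand{\trapdoor}{\term{trapdoor}}
\newcommand{\noteCommitment}{\term{note commitment}}
\newcommand{\noteCommitments}{\term{note commitments}}
\newcommand{\xNoteCommitments}{\term{Note commitments}}
\newcommand{\NoteCommitment}{\titleterm{Note Commitment}}
\newcommand{\NoteCommitments}{\titleterm{Note Commitments}}
\newcommand{\noteCommitmentTree}{\term{note commitment tree}}
\newcommand{\noteCommitmentTrees}{\term{note commitment trees}}
\newcommand{\NoteCommitmentTrees}{\titleterm{Note Commitment Trees}}
\newcommand{\notePosition}{\term{note position}}
\newcommand{\notePositions}{\term{note positions}}
\newcommand{\positionedNote}{\term{positioned note}}
\newcommand{\positionedNotes}{\term{positioned notes}}
\newcommand{\noteTraceabilitySet}{\term{note traceability set}}
\newcommand{\noteTraceabilitySets}{\term{note traceability sets}}
\newcommand{\KeyComponents}{\titleterm{Key Components}}
\newcommand{\valueCommitment}{\term{value commitment}}
\newcommand{\valueCommitments}{\term{value commitments}}

% JoinSplit (Sprout) transfers.
\newcommand{\joinSplitDescription}{\term{JoinSplit description}}
\newcommand{\joinSplitDescriptions}{\term{JoinSplit descriptions}}
\newcommand{\JoinSplitDescriptions}{\titleterm{JoinSplit Descriptions}}
% The "{}" after \joinSplitDescription suppresses its \xspace so the plural
% "s" attaches to the word; the \kern closes the remaining gap.
\newcommand{\sequenceOfJoinSplitDescriptions}{\changed{sequence of} \joinSplitDescription{}\kern -0.05em\changed{\term{s}}}
\newcommand{\joinSplitTransfer}{\term{JoinSplit transfer}}
\newcommand{\joinSplitTransfers}{\term{JoinSplit transfers}}
\newcommand{\JoinSplitTransfer}{\titleterm{JoinSplit Transfer}}
\newcommand{\JoinSplitTransfers}{\titleterm{JoinSplit Transfers}}
\newcommand{\joinSplitSignature}{\term{JoinSplit signature}}
\newcommand{\joinSplitSignatures}{\term{JoinSplit signatures}}
\newcommand{\JoinSplitSignature}{\titleterm{JoinSplit Signature}}
\newcommand{\joinSplitSigningKey}{\term{JoinSplit signing key}}
\newcommand{\joinSplitVerifyingKey}{\term{JoinSplit verifying key}}
\newcommand{\joinSplitStatement}{\term{JoinSplit statement}}
\newcommand{\joinSplitStatements}{\term{JoinSplit statements}}
\newcommand{\JoinSplitStatement}{\titleterm{JoinSplit Statement}}
\newcommand{\joinSplitProof}{\term{JoinSplit proof}}

% Sapling shielded transfers: Spend and Output descriptions.
\newcommand{\shieldedTransfer}{\term{shielded transfer}}
\newcommand{\shieldedTransfers}{\term{shielded transfers}}
\newcommand{\shieldedSpend}{\term{shielded spend}}
\newcommand{\shieldedSpends}{\term{shielded spends}}
\newcommand{\shieldedInput}{\term{shielded input}}
\newcommand{\shieldedInputs}{\term{shielded inputs}}
\newcommand{\spendDescription}{\term{Spend description}}
\newcommand{\spendDescriptions}{\term{Spend descriptions}}
\newcommand{\SpendDescriptions}{\titleterm{Spend Descriptions}}
\newcommand{\spendTransfer}{\term{Spend transfer}}
\newcommand{\spendTransfers}{\term{Spend transfers}}
\newcommand{\SpendTransfers}{\titleterm{Spend Transfers}}
\newcommand{\spendCircuit}{\term{Spend circuit}}
\newcommand{\spendStatement}{\term{Spend statement}}
\newcommand{\spendStatements}{\term{Spend statements}}
\newcommand{\SpendStatement}{\titleterm{Spend Statement}}
\newcommand{\spendProof}{\term{Spend proof}}
\newcommand{\spendAuthSignature}{\term{spend authorization signature}}
\newcommand{\spendAuthSignatures}{\term{spend authorization signatures}}
\newcommand{\SpendAuthSignature}{\titleterm{Spend Authorization Signature}}
\newcommand{\outputDescription}{\term{Output description}}
\newcommand{\outputDescriptions}{\term{Output descriptions}}
\newcommand{\OutputDescriptions}{\titleterm{Output Descriptions}}
\newcommand{\outputTransfer}{\term{Output transfer}}
\newcommand{\outputTransfers}{\term{Output transfers}}
\newcommand{\OutputTransfers}{\titleterm{Output Transfers}}
\newcommand{\outputCircuit}{\term{Output circuit}}
\newcommand{\outputStatement}{\term{Output statement}}
\newcommand{\outputStatements}{\term{Output statements}}
\newcommand{\OutputStatement}{\titleterm{Output Statement}}
\newcommand{\outputProof}{\term{Output proof}}
\newcommand{\shieldedOutput}{\term{shielded output}}
\newcommand{\shieldedOutputs}{\term{shielded outputs}}

% Proving systems, curves and parameters.
\newcommand{\statement}{\term{statement}}
\newcommand{\ZkSNARKStatements}{\titleterm{Zk-SNARK Statements}}
\newcommand{\zeroKnowledgeProof}{\term{zero-knowledge proof}}
\newcommand{\zeroKnowledgeProofs}{\term{zero-knowledge proofs}}
\newcommand{\provingSystem}{\term{proving system}}
\newcommand{\provingSystems}{\term{proving systems}}
\newcommand{\zeroKnowledgeProvingSystem}{\term{zero-knowledge proving system}}
\newcommand{\ZeroKnowledgeProvingSystem}{\titleterm{Zero-Knowledge Proving System}}
\newcommand{\ZeroKnowledgeProvingSystems}{\titleterm{Zero-Knowledge Proving Systems}}
\newcommand{\quadraticArithmeticProgram}{\term{quadratic arithmetic program}}
\newcommand{\quadraticArithmeticPrograms}{\term{quadratic arithmetic programs}}
\newcommand{\QuadraticArithmeticPrograms}{\titleterm{Quadratic Arithmetic Programs}}
\newcommand{\linearCombination}{\term{linear combination}}
\newcommand{\linearCombinations}{\term{linear combinations}}
\newcommand{\representedGroup}{\term{represented group}}
\newcommand{\representedGroups}{\term{represented groups}}
\newcommand{\RepresentedGroup}{\titleterm{Represented Group}}
\newcommand{\hashExtractor}{\term{hash extractor}}
\newcommand{\HashExtractor}{\titleterm{Hash Extractor}}
\newcommand{\groupHash}{\term{group hash}}
\newcommand{\groupHashes}{\term{group hashes}}
\newcommand{\GroupHash}{\titleterm{Group Hash}}
\newcommand{\representedPairing}{\term{represented pairing}}
\newcommand{\RepresentedPairing}{\titleterm{Represented Pairing}}
\newcommand{\RepresentedGroupsAndPairings}{\titleterm{Represented Groups and Pairings}}
% Math-mode names for proving systems and curves (\mhyphen keeps the hyphen
% inside the identifier).
\newcommand{\PHGR}{\mathsf{PHGR13}}
\newcommand{\Groth}{\mathsf{Groth16}}
\newcommand{\EncodingOfPHGRProofs}{\titleterm{Encoding of PHGR13 Proofs}}
\newcommand{\EncodingOfGrothProofs}{\titleterm{Encoding of Groth16 Proofs}}
\newcommand{\PHGRProvingSystem}{\titleterm{PHGR13}}
\newcommand{\GrothProvingSystem}{\titleterm{Groth16}}
\newcommand{\BNCurve}{\mathsf{BN\mhyphen{}254}}
\newcommand{\BLSCurve}{\mathsf{BLS12\mhyphen{}381}}
\newcommand{\JubjubCurve}{\mathsf{Jubjub}}
\newcommand{\jubjubCurve}{\term{Jubjub curve}}
\newcommand{\Jubjub}{\titleterm{Jubjub}}
\newcommand{\EdJubjub}{\mathsf{EdJubjub}}
\newcommand{\commonRandomString}{\term{Common Random String}}
\newcommand{\BNRepresentedPairing}{\titleterm{BN-254}}
\newcommand{\BLSRepresentedPairing}{\titleterm{BLS12-381}}
\newcommand{\ppzkSNARK}{\term{preprocessing zk-SNARK}}
\newcommand{\provingKey}{\term{proving key}}
\newcommand{\provingKeys}{\term{proving keys}}
\newcommand{\zkProvingKeys}{\term{zero-knowledge proving keys}}
\newcommand{\verifyingKey}{\term{verifying key}}
\newcommand{\verifyingKeys}{\term{verifying keys}}
\newcommand{\zkVerifyingKeys}{\term{zero-knowledge verifying keys}}
\newcommand{\joinSplitParameters}{\term{JoinSplit parameters}}
\newcommand{\SproutZKParameters}{\titleterm{\notsprout{\Sprout} zk-SNARK Parameters}}
\newcommand{\SaplingZKParameters}{\titleterm{\Sapling zk-SNARK Parameters}}
\newcommand{\arithmeticCircuit}{\term{arithmetic circuit}}
\newcommand{\rankOneConstraintSystem}{\term{Rank 1 Constraint System}}
\newcommand{\rankOneConstraintSystems}{\term{Rank 1 Constraint Systems}}
\newcommand{\primary}{\term{primary}}
\newcommand{\primaryInput}{\term{primary input}}
\newcommand{\primaryInputs}{\term{primary inputs}}
\newcommand{\auxiliaryInput}{\term{auxiliary input}}
\newcommand{\auxiliaryInputs}{\term{auxiliary inputs}}

% Consensus, blocks and transactions.
\newcommand{\fullValidator}{\term{full validator}}
\newcommand{\fullValidators}{\term{full validators}}
\newcommand{\consensusRuleChange}{\term{consensus rule change}}
\newcommand{\anchor}{\term{anchor}}
\newcommand{\anchors}{\term{anchors}}
\newcommand{\block}{\term{block}}
\newcommand{\blocks}{\term{blocks}}
\newcommand{\header}{\term{header}}
\newcommand{\headers}{\term{headers}}
\newcommand{\blockHeader}{\term{block header}}
\newcommand{\blockHeaders}{\term{block headers}}
\newcommand{\Blockheader}{\term{Block header}}
\newcommand{\BlockHeader}{\titleterm{Block Header}}
\newcommand{\blockVersionNumber}{\term{block version number}}
\newcommand{\blockVersionNumbers}{\term{block version numbers}}
\newcommand{\Blockversions}{\term{Block versions}}
\newcommand{\blockTime}{\term{block time}}
\newcommand{\blockHeight}{\term{block height}}
\newcommand{\blockHeights}{\term{block heights}}
\newcommand{\activationHeight}{\term{activation block height}}
\newcommand{\activationHeights}{\term{activation block heights}}
\newcommand{\genesisBlock}{\term{genesis block}}
\newcommand{\transaction}{\term{transaction}}
\newcommand{\transactions}{\term{transactions}}
\newcommand{\Transactions}{\titleterm{Transactions}}
\newcommand{\transactionFee}{\term{transaction fee}}
\newcommand{\transactionFees}{\term{transaction fees}}
\newcommand{\transactionVersionNumber}{\term{transaction version number}}
\newcommand{\transactionVersionNumbers}{\term{transaction version numbers}}
\newcommand{\Transactionversion}{\term{Transaction version}}
\newcommand{\versionGroupID}{\term{version group ID}}
\newcommand{\coinbaseTransaction}{\term{coinbase transaction}}
\newcommand{\coinbaseTransactions}{\term{coinbase transactions}}
\newcommand{\CoinbaseTransactions}{\titleterm{Coinbase Transactions}}
\newcommand{\transparent}{\term{transparent}}
\newcommand{\xTransparent}{\term{Transparent}}
\newcommand{\Transparent}{\titleterm{Transparent}}
\newcommand{\transparentValuePool}{\term{transparent value pool}}
\newcommand{\transparentAddress}{\term{transparent address}}
\newcommand{\transparentAddresses}{\term{transparent addresses}}
\newcommand{\xTransparentAddresses}{\term{Transparent addresses}}
\newcommand{\TransparentAddresses}{\titleterm{Transparent Addresses}}
\newcommand{\transparentTransfers}{\term{transparent transfers}}
\newcommand{\shielded}{\term{shielded}}
\newcommand{\shieldedNote}{\term{shielded note}}
\newcommand{\shieldedNotes}{\term{shielded notes}}
\newcommand{\xShielded}{\term{Shielded}}
\newcommand{\Shielded}{\titleterm{Shielded}}
\newcommand{\blockchain}{\term{block chain}}
\newcommand{\blockchains}{\term{block chains}}
\newcommand{\validBlockchain}{\term{valid block chain}}
\newcommand{\bestValidBlockchain}{\term{best valid block chain}}
\newcommand{\mempool}{\term{mempool}}
\newcommand{\treestate}{\term{treestate}}
\newcommand{\treestates}{\term{treestates}}
\newcommand{\nullifier}{\term{nullifier}}
\newcommand{\nullifiers}{\term{nullifiers}}
\newcommand{\xNullifier}{\term{Nullifier}}
\newcommand{\xNullifiers}{\term{Nullifiers}}
\newcommand{\Nullifier}{\titleterm{Nullifier}}
\newcommand{\Nullifiers}{\titleterm{Nullifiers}}
\newcommand{\nullifierSet}{\term{nullifier set}}
\newcommand{\nullifierSets}{\term{nullifier sets}}
\newcommand{\NullifierSets}{\titleterm{Nullifier Sets}}

% Addresses and keys.
\newcommand{\paymentAddress}{\term{shielded payment address}}
\newcommand{\paymentAddresses}{\term{shielded payment addresses}}
\newcommand{\PaymentAddresses}{\titleterm{Shielded Payment Addresses}}
\newcommand{\diversifiedPaymentAddress}{\term{diversified payment address}}
\newcommand{\diversifiedPaymentAddresses}{\term{diversified payment addresses}}
\newcommand{\diversifiedBase}{\term{diversified base}}
\newcommand{\diversifiedBases}{\term{diversified bases}}
\newcommand{\diversifier}{\term{diversifier}}
\newcommand{\diversifiers}{\term{diversifiers}}
\newcommand{\incomingViewingKey}{\term{incoming viewing key}}
\newcommand{\incomingViewingKeys}{\term{incoming viewing keys}}
\newcommand{\IncomingViewingKeys}{\titleterm{Incoming Viewing Keys}}
\newcommand{\fullViewingKey}{\term{full viewing key}}
\newcommand{\fullViewingKeys}{\term{full viewing keys}}
\newcommand{\FullViewingKeys}{\titleterm{Full Viewing Keys}}
\newcommand{\receivingKey}{\term{receiving key}}
\newcommand{\receivingKeys}{\term{receiving keys}}
\newcommand{\spendingKey}{\term{spending key}}
\newcommand{\spendingKeys}{\term{spending keys}}
\newcommand{\SpendingKeys}{\titleterm{Spending Keys}}
\newcommand{\payingKey}{\term{paying key}}
\newcommand{\transmissionKey}{\term{transmission key}}
\newcommand{\transmissionKeys}{\term{transmission keys}}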
2018-02-07 02:21:25 -08:00
\newcommand { \diversifiedTransmissionKey } { \term { diversified transmission key} }
\newcommand { \diversifiedTransmissionKeys } { \term { diversified transmission keys} }
2018-02-07 03:05:39 -08:00
\newcommand { \authSigningKey } { \term { spend authorizing key} }
\newcommand { \authSigningKeys } { \term { spend authorizing keys} }
2018-03-18 14:43:57 -07:00
\newcommand { \authRandomizedVerifyingKey } { \term { randomized spend verifying key} }
\newcommand { \authRandomizedVerifyingKeys } { \term { randomized spend verifying keys} }
2018-02-07 03:53:07 -08:00
\newcommand { \authProvingKey } { \term { proof authorizing key} }
\newcommand { \authProvingKeys } { \term { proof authorizing keys} }
2018-03-18 13:57:20 -07:00
\newcommand { \nullifierKey } { \term { nullifier deriving key} }
\newcommand { \nullifierKeys } { \term { nullifier deriving keys} }
2018-02-07 02:21:25 -08:00
\newcommand { \humanReadablePart } { \term { Human-Readable Part} }
2016-03-28 18:28:07 -07:00
\newcommand { \notePlaintext } { \term { note plaintext} }
\newcommand { \notePlaintexts } { \term { note plaintexts} }
\newcommand { \NotePlaintexts } { \titleterm { Note Plaintexts} }
2018-02-26 03:41:15 -08:00
\newcommand { \noteCiphertext } { \term { transmitted note ciphertext} }
2016-03-28 18:28:07 -07:00
\newcommand { \notesCiphertext } { \term { transmitted notes ciphertext} }
2016-04-08 12:45:53 -07:00
\newcommand { \incrementalMerkleTree } { \term { incremental Merkle tree} }
2018-02-07 02:21:25 -08:00
\newcommand { \MerkleTree } { \titleterm { Merkle Tree} }
2016-04-08 12:45:53 -07:00
\newcommand { \merkleRoot } { \term { root} }
\newcommand { \merkleNode } { \term { node} }
\newcommand { \merkleNodes } { \term { nodes} }
2016-06-01 06:58:52 -07:00
\newcommand { \merkleHash } { \term { hash value} }
\newcommand { \merkleHashes } { \term { hash values} }
\newcommand { \merkleLeafNode } { \term { leaf node} }
\newcommand { \merkleLeafNodes } { \term { leaf nodes} }
\newcommand { \merkleInternalNode } { \term { internal node} }
\newcommand { \merkleInternalNodes } { \term { internal nodes} }
\newcommand { \MerkleInternalNodes } { \term { Internal nodes} }
2018-03-16 08:58:23 -07:00
\newcommand { \merklePath } { \term { Merkle tree path} }
2016-04-08 12:45:53 -07:00
\newcommand { \merkleLayer } { \term { layer} }
2016-06-01 06:58:52 -07:00
\newcommand { \merkleLayers } { \term { layers} }
2016-04-08 12:45:53 -07:00
\newcommand { \merkleIndex } { \term { index} }
\newcommand { \merkleIndices } { \term { indices} }
2016-01-26 16:34:42 -08:00
\newcommand { \zkSNARK } { \term { zk-SNARK} }
\newcommand { \zkSNARKs } { \term { zk-SNARKs} }
2018-02-07 02:21:25 -08:00
\newcommand { \zkSNARKProof } { \term { zk-SNARK proof} }
2018-02-10 03:30:37 -08:00
\newcommand { \zkSNARKCircuit } { \term { zk-SNARK circuit} }
\newcommand { \zkSNARKCircuits } { \term { zk-SNARK circuits} }
2016-08-08 09:46:24 -07:00
\newcommand { \libsnark } { \term { libsnark} }
2017-12-01 18:00:10 -08:00
\newcommand { \bellman } { \term { bellman} }
2016-02-01 14:11:36 -08:00
\newcommand { \memo } { \term { memo field} }
2016-08-08 09:21:02 -07:00
\newcommand { \memos } { \term { memo fields} }
2016-03-18 14:09:24 -07:00
\newcommand { \Memos } { \titleterm { Memo Fields} }
2016-06-21 15:58:09 -07:00
\newcommand { \keyAgreementScheme } { \term { key agreement scheme} }
2018-02-07 02:21:25 -08:00
\newcommand { \keyAgreementSchemes } { \term { key agreement schemes} }
2016-06-01 06:58:52 -07:00
\newcommand { \keyDerivationFunction } { \term { Key Derivation Function} }
2018-02-07 02:21:25 -08:00
\newcommand { \keyDerivationFunctions } { \term { Key Derivation Functions} }
2018-02-23 19:15:09 -08:00
\newcommand { \KeyAgreement } { \titleterm { Key Agreement} }
2016-06-30 15:18:43 -07:00
\newcommand { \KeyDerivation } { \titleterm { Key Derivation} }
2018-02-26 01:44:19 -08:00
\newcommand { \KeyAgreementAndDerivation } { \titleterm { Key Agreement and Derivation} }
2018-02-07 02:21:25 -08:00
\newcommand { \hashFunction } { \term { hash function} }
2018-02-10 03:30:37 -08:00
\newcommand { \hashFunctions } { \term { hash functions} }
2018-02-07 02:21:25 -08:00
\newcommand { \HashFunction } { \titleterm { Hash Function} }
\newcommand { \HashFunctions } { \titleterm { Hash Functions} }
2016-09-03 20:17:27 -07:00
\newcommand { \encryptionScheme } { \term { encryption scheme} }
2016-06-30 15:18:43 -07:00
\newcommand { \symmetricEncryptionScheme } { \term { authenticated one-time symmetric encryption scheme} }
\newcommand { \SymmetricEncryption } { \titleterm { Authenticated One-Time Symmetric Encryption} }
\newcommand { \signatureScheme } { \term { signature scheme} }
2016-06-01 06:58:52 -07:00
\newcommand { \pseudoRandomFunction } { \term { Pseudo Random Function} }
\newcommand { \pseudoRandomFunctions } { \term { Pseudo Random Functions} }
\newcommand { \PseudoRandomFunctions } { \titleterm { Pseudo Random Functions} }
2018-02-07 02:21:25 -08:00
\newcommand { \pseudoRandomGenerator } { \term { Pseudo Random Generator} }
\newcommand { \pseudoRandomGenerators } { \term { Pseudo Random Generators} }
\newcommand { \PseudoRandomGenerators } { \titleterm { Pseudo Random Generators} }
\newcommand { \expandedSeed } { \term { expanded seed} }
2018-02-23 17:56:32 -08:00
\newcommand { \shaHashFunction } { \term { SHA-256 hash function} }
\newcommand { \shaCompress } { \term { SHA-256 compression} }
\newcommand { \shaCompressFunction } { \term { SHA-256 compression function} }
2018-02-23 18:05:09 -08:00
\newcommand { \BlakeTwo } { \titleterm { BLAKE2} }
2018-01-22 10:24:16 -08:00
\newcommand { \xPedersenHash } { \term { Pedersen hash} }
\newcommand { \xPedersenHashes } { \term { Pedersen hashes} }
2018-02-10 03:30:37 -08:00
\newcommand { \PedersenHashFunction } { \titleterm { Pedersen Hash Function} }
2018-01-22 10:24:16 -08:00
\newcommand { \xPedersenCommitment } { \term { Pedersen commitment} }
\newcommand { \xPedersenCommitments } { \term { Pedersen commitments} }
\newcommand { \xPedersenValueCommitment } { \term { Pedersen value commitment} }
\newcommand { \xPedersenValueCommitments } { \term { Pedersen value commitments} }
2018-03-06 14:16:55 -08:00
\newcommand { \windowedPedersenCommitment } { \term { windowed Pedersen commitment} }
\newcommand { \windowedPedersenCommitments } { \term { windowed Pedersen commitments} }
\newcommand { \WindowedPedersenCommitment } { \titleterm { Windowed Pedersen Commitment} }
2018-03-06 14:34:18 -08:00
\newcommand { \homomorphicPedersenCommitment } { \term { homomorphic Pedersen commitment} }
\newcommand { \homomorphicPedersenCommitments } { \term { homomorphic Pedersen commitments} }
\newcommand { \HomomorphicPedersenCommitment } { \titleterm { Homomorphic Pedersen Commitment} }
2018-01-29 15:08:08 -08:00
\newcommand { \distinctXCriterion } { \term { distinct-$ x $ criterion} }
2016-01-26 15:15:17 -08:00
2018-02-07 02:02:05 -08:00
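% Conventions
% Notation for bit/byte sequences, number sets, ranges, and the arithmetic and
% set operators used in the formal sections.
\newcommand{\bytes}[1]{\underline{\raisebox{-0.22ex}{}\smash{#1}}}
\newcommand{\zeros}[1]{[0]^{#1}}
\newcommand{\ones}[1]{[1]^{#1}}
\newcommand{\bit}{\mathbb{B}}
% \overlap{d}{x} typesets x over itself shifted horizontally by d.
\newcommand{\overlap}[2]{\rlap{#2}\hspace{#1}{#2}}
\newcommand{\byte}{\mathbb{B}\kern -0.1em\raisebox{0.55ex}{\overlap{0.0001em}{\scalebox{0.7}{$\mathbb{Y}$}}}}
\newcommand{\Nat}{\mathbb{N}}
\newcommand{\PosInt}{\mathbb{N}^+}
\newcommand{\Int}{\mathbb{Z}}
\newcommand{\Rat}{\mathbb{Q}}
\newcommand{\GF}[1]{\mathbb{F}_{\!#1}}
\newcommand{\GFstar}[1]{\mathbb{F}^\ast_{#1}}
% \typeexp{T}{n} typesets the sequence type T^{[n]}; \bitseq / \byteseq
% specialize it to bits and bytes, and the plural forms use \Nat as length.
\newcommand{\typeexp}[2]{{#1}\vphantom{)}^{[{#2}]}}
\newcommand{\bitseq}[1]{\typeexp{\bit}{#1}}
\newcommand{\bitseqs}{\bitseq{\Nat}}
\newcommand{\byteseq}[1]{\typeexp{\byte}{#1}}
\newcommand{\byteseqs}{\byteseq{\Nat}}
\newcommand{\concatbits}{\mathsf{concat}_\bit}
\newcommand{\bconcat}{\,||\,}
\newcommand{\listcomp}[1]{\overlap{0.06em}{\ensuremath{[}}~{#1}~\overlap{0.06em}{\ensuremath{]}}}
\newcommand{\fun}[2]{{#1}\mapsto{#2}}
\newcommand{\first}{\mathsf{first}}
% English words used inside math; the spaces inside \text{...} are deliberate.
\newcommand{\for}{\text{ for }}
\newcommand{\from}{\text{ from }}
\newcommand{\upto}{\text{ up to }}
\newcommand{\downto}{\text{ down to }}
\newcommand{\tand}{\text{\;and\,}}
\newcommand{\tor}{\text{\;or\,}}
\newcommand{\squash}{\!\!\!}
\newcommand{\caseif}{\squash\text{if }}
\newcommand{\caseotherwise}{\squash\text{otherwise}}
\newcommand{\sidecondition}[1]{\hspace{3em}\left[{#1}\right]}
\newcommand{\sorted}{\mathsf{sorted}}
\newcommand{\length}{\mathsf{length}}
\newcommand{\mean}{\mathsf{mean}}
\newcommand{\median}{\mathsf{median}}
\newcommand{\bound}[2]{\mathsf{bound\,}_{#1}^{#2}}
\newcommand{\Lower}{\mathsf{lower}}
\newcommand{\Upper}{\mathsf{upper}}
\newcommand{\bitlength}{\mathsf{bitlength}}
\newcommand{\size}{\mathsf{size}}
\newcommand{\mantissa}{\mathsf{mantissa}}
\newcommand{\ToCompact}{\mathsf{ToCompact}}
\newcommand{\ToTarget}{\mathsf{ToTarget}}
% \hexint{1C} typesets the literal 0x1C in typewriter.
\newcommand{\hexint}[1]{\mathtt{0x{#1}}}
\newcommand{\dontcare}{\kern -0.06em\raisebox{0.1ex}{\footnotesize{$\times$}}}
\newcommand{\ascii}[1]{\textbf{``\texttt{#1}''}}
% \Justthebox[raise]{box}: a saved box in math, with optional vertical offset.
\newcommand{\Justthebox}[2][-1.8ex]{\raisebox{#1}{\;\usebox{#2}\;}}
\newcommand{\setof}[1]{\{{#1}\}}
\newcommand{\powerset}[1]{\raisebox{-0.28ex}{\scalebox{1.25}{$\mathscr{P}$}}\kern -0.35em\left(\strut{#1}\right)}
% \range{a}{b} typesets {a .. b}; \rangenozero removes 0 from it.
\newcommand{\barerange}[2]{{{#1}\,..\,{#2}}}
\newcommand{\range}[2]{\setof{\barerange{#1}{#2}}}
\newcommand{\rangenozero}[2]{\range{#1}{#2}\difference\setof{0}}
\newcommand{\alln}{\barerange{1}{n}}
\newcommand{\minimum}{\mathsf{min}}
\newcommand{\maximum}{\mathsf{max}}
\newcommand{\floor}[1]{\mathsf{floor}\!\left({#1}\right)}
\newcommand{\trunc}[1]{\mathsf{trunc}\!\left({#1}\right)}
\newcommand{\ceiling}[1]{\mathsf{ceiling}\!\left({#1}\right)}
\newcommand{\sceiling}[1]{\mathsf{ceiling}\left({#1}\right)}
% Big operators with limits: \vop uses mathtools' \smashoperator for the
% limits; \sop writes them as plain sub/superscripts on a scaled operator.
\newcommand{\vop}[3]{\,\raisebox{0.29ex}{\scalebox{0.89}{$\smashoperator[r]{#3_{#1}^{#2}}$\,}}}
\newcommand{\sop}[3]{\!\scalebox{0.89}{$\scalebox{1.404}{$\strut#3$}_{#1}^{#2}$}}
\newcommand{\vsum}[2]{\vop{#1}{#2}{\sum}}
\newcommand{\ssum}[2]{\sop{#1}{#2}{\sum}}
\newcommand{\vproduct}[2]{\vop{#1}{#2}{\prod}}
\newcommand{\sproduct}[2]{\sop{#1}{#2}{\prod}}
\newcommand{\vxor}[2]{\vop{#1}{#2}{\bigoplus}}
\newcommand{\sxor}[2]{\sop{#1}{#2}{\bigoplus}}
\newcommand{\xor}{\oplus}
\newcommand{\band}{\binampersand}
\newcommand{\suband}{\raisebox{-0.6ex}{\kern -0.06em\scalebox{0.65}{$\binampersand$}}}
\newcommand{\bchoose}{\;\scalebox{1.2}[1]{\textsf{?}}\;}
\newcommand{\mult}{\cdot}
\newcommand{\smult}{\!\cdot\!}
% \scalarmult{k}{P} typesets [k] P (scalar multiplication of a group element).
\newcommand{\scalarmult}[2]{\boldsymbol{[}{#1}\boldsymbol{]}\,{#2}}
% Arrows with an "R" above them; the phantom parentheses keep their height
% consistent with the surrounding delimiters.
\newcommand{\rightarrowR}{\phantom{(}\smash{\buildrel{\scriptstyle\mathrm{R}}\over\rightarrow}\phantom{)}}
\newcommand{\leftarrowR}{\phantom{(}\smash{\buildrel{\scriptstyle\mathrm{R}}\over\leftarrow}\phantom{)}}
\newcommand{\union}{\cup}
\newcommand{\intersection}{\cap}
\newcommand{\difference}{\setminus}
\newcommand{\suchthat}{\,\vert\;}
\newcommand{\paramdot}{\bigcdot}
% \constraint{A}{B}{C} typesets (A) x (B) = (C).
\newcommand{\lincomb}[1]{\left(\strut\kern -.025em{#1}\kern -0.04em\right)}
\newcommand{\constraint}[3]{\lincomb{#1}\hairspace\times\hairspace\lincomb{#2}\hairspace=\hairspace\lincomb{#3}}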
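% Hashes
% Names of the hash functions used by the protocol.  The *Box variants take a
% saved box (see \Justthebox) as their argument instead of math.
\newcommand{\hSigCRH}{\mathsf{hSigCRH}}
\newcommand{\hSigLength}{\mathsf{\ell_{hSig}}}
\newcommand{\hSigType}{\bitseq{\hSigLength}}
\newcommand{\EquihashGen}[1]{\mathsf{EquihashGen}_{#1}}
\newcommand{\CRH}{\mathsf{CRH}}
\newcommand{\SHACompress}{\mathsf{SHA256Compress}}
\newcommand{\SHACompressBox}[1]{\SHACompress\left(\Justthebox{#1}\right)}
\newcommand{\SHAFull}{\mathsf{SHA\mhyphen 256}}
\newcommand{\SHAFullBox}[1]{\SHAFull\left(\Justthebox{#1}\right)}
\newcommand{\BlakeTwoGeneric}{\mathsf{BLAKE2}}
\newcommand{\BlakeTwobGeneric}{\mathsf{BLAKE2b}}
% \BlakeTwob{n} / \BlakeTwos{n} typeset BLAKE2b-n / BLAKE2s-n; the *Of forms
% apply them to an argument.
\newcommand{\BlakeTwob}[1]{\mathsf{BLAKE2b\kern 0.05em\mhyphen{#1}}}
\newcommand{\BlakeTwobOf}[2]{\BlakeTwob{#1}\!\left({#2}\right)}
\newcommand{\BlakeTwosGeneric}{\mathsf{BLAKE2s}}
\newcommand{\BlakeTwos}[1]{\mathsf{BLAKE2s\kern 0.05em\mhyphen{#1}}}
\newcommand{\BlakeTwosOf}[2]{\BlakeTwos{#1}\!\left({#2}\right)}
% CRH^{ivk}: the hash associated with the incoming viewing key (\InViewingKey).
% \CRHivkText is the bookmark-safe form for section titles.
\newcommand{\CRHivk}{\mathsf{CRH^{\InViewingKey}}}
\newcommand{\CRHivkText}{\texorpdfstring{$\CRHivk$}{CRHivk}}
\newcommand{\CRHivkOutput}{\CRHivk\mathsf{.Output}}
\newcommand{\CRHivkBox}[1]{\CRHivk\!\left(\Justthebox{#1}\right)}
\newcommand{\DiversifyHash}{\mathsf{DiversifyHash}}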
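% Key pairs
\newcommand{\PaymentAddress}{\mathsf{addr_{pk}}}
\newcommand{\DiversifiedPaymentAddress}{\mathsf{addr_{d}}}
% Lead bytes of the encoded address and key formats, mainnet first and then
% testnet.  These are the single source of the values quoted in the encoding
% sections, so a change here propagates to every place the prefix is cited.
\newcommand{\PaymentAddressLeadByte}{\hexint{16}}
\newcommand{\PaymentAddressSecondByte}{\hexint{9A}}
\newcommand{\InViewingKey}{\mathsf{ivk}}
\newcommand{\InViewingKeyLength}{\ell_{\InViewingKey}}
\newcommand{\InViewingKeyLeadByte}{\hexint{A8}}
\newcommand{\InViewingKeySecondByte}{\hexint{AB}}
\newcommand{\InViewingKeyThirdByte}{\hexint{D3}}
\newcommand{\SpendingKeyLeadByte}{\hexint{AB}}
\newcommand{\SpendingKeySecondByte}{\hexint{36}}
\newcommand{\PtoSHAddressLeadByte}{\hexint{1C}}
\newcommand{\PtoSHAddressSecondByte}{\hexint{BD}}
\newcommand{\PtoPKHAddressLeadByte}{\hexint{1C}}
\newcommand{\PtoPKHAddressSecondByte}{\hexint{B8}}
\newcommand{\PaymentAddressTestnetLeadByte}{\hexint{16}}
\newcommand{\PaymentAddressTestnetSecondByte}{\hexint{B6}}
\newcommand{\InViewingKeyTestnetLeadByte}{\hexint{A8}}
\newcommand{\InViewingKeyTestnetSecondByte}{\hexint{AC}}
\newcommand{\InViewingKeyTestnetThirdByte}{\hexint{0C}}
\newcommand{\SpendingKeyTestnetLeadByte}{\hexint{AC}}
\newcommand{\SpendingKeyTestnetSecondByte}{\hexint{08}}
\newcommand{\PtoSHAddressTestnetLeadByte}{\hexint{1C}}
\newcommand{\PtoSHAddressTestnetSecondByte}{\hexint{BA}}
\newcommand{\PtoPKHAddressTestnetLeadByte}{\hexint{1D}}
\newcommand{\PtoPKHAddressTestnetSecondByte}{\hexint{25}}
% Lead byte of a note plaintext, distinguishing the Sprout and Sapling formats.
\newcommand{\NotePlaintextLeadByteSprout}{\hexint{00}}
\newcommand{\NotePlaintextLeadByteSapling}{\hexint{01}}
% Sprout spending-authority key pair a_{sk} / a_{pk}, with old/new variants
% indexed by the JoinSplit input/output number (#1).
\newcommand{\AuthPublic}{\mathsf{a_{pk}}}
\newcommand{\AuthPrivate}{\mathsf{a_{sk}}}
\newcommand{\AuthPrivateSup}[1]{\mathsf{a^\mathrm{#1}_{sk}}}
\newcommand{\AuthPrivateLength}{\mathsf{\ell_{\AuthPrivate}}}
\newcommand{\AuthPublicOld}[1]{\mathsf{a^{old}_{pk,\mathnormal{#1}}}}
\newcommand{\AuthPrivateOld}[1]{\mathsf{a^{old}_{sk,\mathnormal{#1}}}}
\newcommand{\AuthEmphPublicOld}[1]{\mathsf{a^{old}_{\textsf{\textbf{pk}},\mathnormal{#1}}}}
\newcommand{\AuthPublicOldX}[1]{\mathsf{a^{old}_{pk,\mathrm{#1}}}}
\newcommand{\AuthPrivateOldX}[1]{\mathsf{a^{old}_{sk,\mathrm{#1}}}}
\newcommand{\AuthPublicNew}[1]{\mathsf{a^{new}_{pk,\mathnormal{#1}}}}
\newcommand{\AuthPrivateNew}[1]{\mathsf{a^{new}_{sk,\mathnormal{#1}}}}
\newcommand{\AddressPublicNew}[1]{\mathsf{addr^{new}_{pk,\mathnormal{#1}}}}
\newcommand{\enc}{\mathsf{enc}}
% Note encryption keys: ephemeral pair (epk, esk), transmission pair
% (pk_enc, sk_enc) and the key-agreement base g.  \Repr is defined below.
\newcommand{\DHSecret}[1]{\mathsf{sharedSecret}_{#1}}
\newcommand{\EphemeralPublic}{\mathsf{epk}}
\newcommand{\EphemeralPublicRepr}{\Repr{\EphemeralPublic}}
\newcommand{\EphemeralPrivate}{\mathsf{esk}}
\newcommand{\TransmitPublic}{\mathsf{pk_{enc}}}
\newcommand{\TransmitPublicSup}[1]{\mathsf{pk}^{#1}_\mathsf{enc}}
\newcommand{\TransmitPublicNew}[1]{\mathsf{pk^{new}_{\enc,\mathnormal{#1}}}}
\newcommand{\TransmitPrivate}{\mathsf{sk_{enc}}}
\newcommand{\TransmitPrivateSup}[1]{\mathsf{sk}^{#1}_\mathsf{enc}}
\newcommand{\TransmitBase}{\mathsf{g}}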
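% Sapling
% \Repr{P} typesets P^* -- used for the encoded (starred) form of the group
% elements below; the unstarred macro is the abstract element.
\newcommand{\Repr}[1]{{#1}^*}
\newcommand{\SpendingKey}{\mathsf{sk}}
\newcommand{\SpendingKeyLength}{\mathsf{\ell_{\SpendingKey}}}
% Spend authorization: private ask, public ak, base G, randomizer ar and the
% randomized public key rk (with an "old" variant for the spend being proven).
\newcommand{\AuthSignPrivate}{\mathsf{ask}}
\newcommand{\AuthSignBase}{\mathcal{G}}
\newcommand{\AuthSignPublic}{\mathsf{ak}}
\newcommand{\AuthSignPublicRepr}{\Repr{\AuthSignPublic}}
\newcommand{\AuthSignRandomizedPublic}{\mathsf{rk}}
\newcommand{\AuthSignRandomizedPublicRepr}{\Repr{\AuthSignRandomizedPublic}}
\newcommand{\AuthSignRandomizedPublicOld}{\AuthSignRandomizedPublic^{\mathsf{old}}}
\newcommand{\AuthSignRandomizedPublicOldRepr}{\AuthSignRandomizedPublic^{\mathsf{old}*}}
\newcommand{\AuthSignRandomness}{\mathsf{ar}}
% Proof authorization: private nsk, public nk, base H.
\newcommand{\AuthProvePrivate}{\mathsf{nsk}}
\newcommand{\AuthProveBase}{\mathcal{H}}
\newcommand{\AuthProvePublic}{\mathsf{nk}}
\newcommand{\AuthProvePublicRepr}{\Repr{\AuthProvePublic}}
% Note position in the commitment tree; the type is the index range of a tree
% of depth \MerkleDepthSprout / \MerkleDepthSapling (defined elsewhere).
\newcommand{\NotePosition}{\mathsf{pos}}
\newcommand{\NotePositionBase}{\mathcal{J}}
\newcommand{\NotePositionTypeSprout}{\range{0}{2^{\MerkleDepthSprout}-1}}
\newcommand{\NotePositionTypeSapling}{\range{0}{2^{\MerkleDepthSapling}-1}}
% Diversifier d and the diversified base / transmission key derived from it.
\newcommand{\Diversifier}{\mathsf{d}}
\newcommand{\DiversifierLength}{\mathsf{\ell_{\Diversifier}}}
\newcommand{\DiversifierType}{\bitseq{\DiversifierLength}}
\newcommand{\DiversifiedTransmitBase}{\mathsf{g_d}}
\newcommand{\DiversifiedTransmitBaseRepr}{\Repr{\DiversifiedTransmitBase}}
\newcommand{\DiversifiedTransmitPublic}{\mathsf{pk_d}}
\newcommand{\DiversifiedTransmitPublicRepr}{\Repr{\DiversifiedTransmitPublic}}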
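% PRFs
% \PRF{key}{tag} typesets PRF^{tag}_{key}; the named forms fix the tag.
\newcommand{\PRF}[2]{\mathsf{{PRF}^{#2}_\mathnormal{#1}}}
\newcommand{\PRFaddr}[1]{\PRF{#1}{addr}}
\newcommand{\PRFexpand}[1]{\PRF{#1}{expand}}
\newcommand{\PRFnf}[1]{\PRF{#1}{\nf}}
\newcommand{\PRFsn}[1]{\PRF{#1}{sn}}
\newcommand{\PRFpk}[1]{\PRF{#1}{pk}}
\newcommand{\PRFrho}[1]{\PRF{#1}{\NoteAddressRand}}
\newcommand{\PRFnfSapling}[1]{\PRF{#1}{nfSapling}}
% Output lengths/types; Sapling has its own, separate from the Sprout one.
\newcommand{\PRFOutputLength}{\mathsf{\ell_{PRF}}}
\newcommand{\PRFOutput}{\bitseq{\PRFOutputLength}}
\newcommand{\PRFOutputLengthSapling}{\mathsf{\ell_{PRFSapling}}}
\newcommand{\PRFOutputSapling}{\bitseq{\PRFOutputLengthSapling}}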
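% Commitments
% Sprout names go through \optSprout / \sprout / \notsprout (defined elsewhere)
% so the "Sprout" qualifier can be shown or hidden depending on the build.
\newcommand{\UncommittedSprout}{\optSprout{\mathsf{Uncommitted}}}
\newcommand{\UncommittedSapling}{\mathsf{Uncommitted^{Sapling}}}
\newcommand{\NoteCommitmentSprout}{\optSprout{\mathsf{NoteCommitment}}}
\newcommand{\NoteCommitmentSapling}{\mathsf{NoteCommitment^{Sapling}}}
% Generic commitment scheme COMM and its Trapdoor / Input / Output types.
\newcommand{\CommitAlg}{\mathsf{COMM}}
\newcommand{\Commit}[1]{\CommitAlg_{#1}}
\newcommand{\CommitTrapdoor}{\CommitAlg\mathsf{.Trapdoor}}
\newcommand{\CommitInput}{\CommitAlg\mathsf{.Input}}
\newcommand{\CommitOutput}{\CommitAlg\mathsf{.Output}}
% Sprout note commitment (written COMM in Sprout-only mode, NoteCommit otherwise).
\newcommand{\NoteCommitSproutAlg}{\mathsf{\sprout{COMM}\notsprout{NoteCommit}}^{\mathsf{Sprout}}}
\newcommand{\NoteCommitSprout}[1]{\NoteCommitSproutAlg_{#1}}
\newcommand{\NoteCommitSproutTrapdoor}{\NoteCommitSproutAlg\mathsf{.Trapdoor}}
\newcommand{\NoteCommitSproutInput}{\NoteCommitSproutAlg\mathsf{.Input}}
\newcommand{\NoteCommitSproutOutput}{\NoteCommitSproutAlg\mathsf{.Output}}
% Sapling note commitment and value commitment.
\newcommand{\NoteCommitSaplingAlg}{\mathsf{NoteCommit}^{\mathsf{Sapling}}}
\newcommand{\NoteCommitSapling}[1]{\NoteCommitSaplingAlg_{#1}}
\newcommand{\NoteCommitSaplingTrapdoor}{\NoteCommitSaplingAlg\mathsf{.Trapdoor}}
\newcommand{\NoteCommitSaplingInput}{\NoteCommitSaplingAlg\mathsf{.Input}}
\newcommand{\NoteCommitSaplingOutput}{\NoteCommitSaplingAlg\mathsf{.Output}}
\newcommand{\ValueCommitAlg}{\mathsf{ValueCommit}}
\newcommand{\ValueCommit}[1]{\ValueCommitAlg_{#1}}
\newcommand{\ValueCommitTrapdoor}{\ValueCommitAlg\mathsf{.Trapdoor}}
\newcommand{\ValueCommitInput}{\ValueCommitAlg\mathsf{.Input}}
\newcommand{\ValueCommitOutput}{\ValueCommitAlg\mathsf{.Output}}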
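% Symmetric encryption
% Abstract scheme Sym with Encrypt/Decrypt under key #1, and the concrete
% instantiation AEAD_CHACHA20_POLY1305 (ChaCha20 cipher, Poly1305 authenticator).
\newcommand{\Sym}{\mathsf{Sym}}
\newcommand{\SymEncrypt}[1]{\Sym\mathsf{.Encrypt}_{#1}}
\newcommand{\SymDecrypt}[1]{\Sym\mathsf{.Decrypt}_{#1}}
\newcommand{\SymSpecific}{\mathsf{AEAD\_CHACHA20\_POLY1305}}
\newcommand{\SymCipher}{\mathsf{ChaCha20}}
\newcommand{\SymAuth}{\mathsf{Poly1305}}
% Plaintext / ciphertext / key symbols and their spaces (Sym.P, Sym.C, Sym.K).
\newcommand{\Ptext}{\mathsf{P}}
\newcommand{\Plaintext}{\mathsf{Sym.}\mathbf{P}}
\newcommand{\Ctext}{\mathsf{C}}
\newcommand{\Ciphertext}{\mathsf{Sym.}\mathbf{C}}
\newcommand{\Key}{\mathsf{K}}
\newcommand{\Keyspace}{\mathsf{Sym.}\mathbf{K}}
% Per-output note-encryption plaintext, ciphertext and key, indexed by #1.
\newcommand{\TransmitPlaintext}[1]{\Ptext^\enc_{#1}}
\newcommand{\TransmitCiphertext}[1]{\Ctext^\enc_{#1}}
\newcommand{\TransmitKey}[1]{\Key^\enc_{#1}}
% Security-definition symbols: adversary, oracle, and the crypto_box_seal
% construction referred to in the security discussion.
\newcommand{\Adversary}{\mathcal{A}}
\newcommand{\Oracle}{\mathsf{O}}
\newcommand{\CryptoBoxSeal}{\mathsf{crypto\_box\_seal}}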
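% Key agreement
% Abstract scheme KA and its members; Sprout and Sapling each get a qualified
% copy (KA^Sprout via \optSprout, KA^Sapling) with the same member names.
\newcommand{\KA}{\mathsf{KA}}
\newcommand{\KAPublic}{\KA\mathsf{.Public}}
\newcommand{\KAPrivate}{\KA\mathsf{.Private}}
\newcommand{\KASharedSecret}{\KA\mathsf{.SharedSecret}}
\newcommand{\KAFormatPrivate}{\KA\mathsf{.FormatPrivate}}
\newcommand{\KADerivePublic}{\KA\mathsf{.DerivePublic}}
\newcommand{\KAAgree}{\KA\mathsf{.Agree}}
\newcommand{\KABase}{\KA\mathsf{.Base}}
\newcommand{\KASprout}{\mathsf{\optSprout{KA}}}
\newcommand{\KASproutPublic}{\KASprout\mathsf{.Public}}
\newcommand{\KASproutPrivate}{\KASprout\mathsf{.Private}}
\newcommand{\KASproutSharedSecret}{\KASprout\mathsf{.SharedSecret}}
\newcommand{\KASproutFormatPrivate}{\KASprout\mathsf{.FormatPrivate}}
\newcommand{\KASproutDerivePublic}{\KASprout\mathsf{.DerivePublic}}
\newcommand{\KASproutAgree}{\KASprout\mathsf{.Agree}}
\newcommand{\KASproutBase}{\KASprout\mathsf{.Base}}
\newcommand{\KASapling}{\mathsf{KA^{Sapling}}}
\newcommand{\KASaplingPublic}{\KASapling\mathsf{.Public}}
\newcommand{\KASaplingPrivate}{\KASapling\mathsf{.Private}}
\newcommand{\KASaplingSharedSecret}{\KASapling\mathsf{.SharedSecret}}
\newcommand{\KASaplingFormatPrivate}{\KASapling\mathsf{.FormatPrivate}}
\newcommand{\KASaplingDerivePublic}{\KASapling\mathsf{.DerivePublic}}
\newcommand{\KASaplingAgree}{\KASapling\mathsf{.Agree}}
% Curve25519 symbols: the scalar-multiplication function, the base point
% (the byte 9) and the private-key clamping function.
\newcommand{\CurveMultiply}{\mathsf{Curve25519}}
\newcommand{\CurveBase}{\bytes{9}}
\newcommand{\Clamp}{\mathsf{clamp_{Curve25519}}}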
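% KDF
% Key derivation function, with Sprout (via \optSprout) and Sapling variants,
% plus the tag/input symbols used in its definition.
\newcommand{\KDF}{\mathsf{KDF}}
\newcommand{\KDFSprout}{\optSprout{\KDF}}
\newcommand{\KDFSapling}{\mathsf{KDF^{Sapling}}}
\newcommand{\kdftag}{\mathsf{kdftag}}
\newcommand{\kdfinput}{\mathsf{kdfinput}}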
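% Notes
% Note fields.  The *Old / *New forms take the input/output index as #1.
\newcommand{\Value}{\mathsf{v}}
\newcommand{\ValueNew}[1]{\Value^\mathsf{new}_{#1}}
\newcommand{\ValueOld}[1]{\Value^\mathsf{old}_{#1}}
% rcv: value commitment randomness.
\newcommand{\ValueCommitRand}{\mathsf{rcv}}
\newcommand{\ValueCommitRandLength}{\mathsf{\ell_{\ValueCommitRand}}}
\newcommand{\ValueCommitRandOld}[1]{\ValueCommitRand^\mathsf{old}_{#1}}
\newcommand{\ValueCommitRandNew}[1]{\ValueCommitRand^\mathsf{new}_{#1}}
\newcommand{\NoteTuple}[1]{\mathbf{n}_{#1}}
\newcommand{\NoteTypeSprout}{\optSprout{\mathsf{Note}}}
\newcommand{\NoteTypeSapling}{\mathsf{Note^{Sapling}}}
\newcommand{\NotePlaintext}[1]{\mathbf{np}_{#1}}
% Note commitment randomness: printed as r in Sprout-only mode, rcm otherwise.
\newcommand{\NoteCommitRand}{\mathsf{\sprout{r}\notsprout{rcm}}}
\newcommand{\NoteCommitRandLength}{\mathsf{\ell_{\NoteCommitRand}}}
\newcommand{\NoteCommitRandOld}[1]{\NoteCommitRand^\mathsf{old}_{#1}}
\newcommand{\NoteCommitRandNew}[1]{\NoteCommitRand^\mathsf{new}_{#1}}
% rho (upright) and phi (upright): note address randomness and its precursor.
\newcommand{\NoteAddressRand}{\mathsf{\uprho}}
\newcommand{\NoteAddressRandOld}[1]{\NoteAddressRand^\mathsf{old}_{#1}}
\newcommand{\NoteAddressRandNew}[1]{\NoteAddressRand^\mathsf{new}_{#1}}
\newcommand{\NoteAddressPreRand}{\mathsf{\upvarphi}}
\newcommand{\NoteAddressPreRandLength}{\mathsf{\ell_{\NoteAddressPreRand}}}
\newcommand{\OutputIndex}{\mathsf{idx}}
\newcommand{\OutputIndexType}{\mathsf{OutputIndex}}
\newcommand{\NoteCommitS}{\mathsf{s}}
% cv: value commitment; cm: note commitment; sn/nf: serial number / nullifier.
\newcommand{\cv}{\mathsf{cv}}
\newcommand{\cvOld}[1]{\cv^\mathsf{old}_{#1}}
\newcommand{\cvNew}[1]{\cv^\mathsf{new}_{#1}}
\newcommand{\cm}{\mathsf{cm}}
\newcommand{\cmOld}[1]{\cm^\mathsf{old}_{#1}}
\newcommand{\cmNew}[1]{\cm^\mathsf{new}_{#1}}
\newcommand{\snOld}[1]{\mathsf{sn}^\mathsf{old}_{#1}}
\newcommand{\nf}{\mathsf{nf}}
\newcommand{\nfOld}[1]{\nf^\mathsf{old}_{#1}}
\newcommand{\Memo}{\mathsf{memo}}
\newcommand{\DecryptNote}{\mathtt{DecryptNote}}
% Unicode replacement character, named for use in memo-field text handling.
\newcommand{\ReplacementCharacter}{\textsf{U+FFFD}}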
% Money supply
%
% Named constants and functions of the block subsidy / Founders' Reward
% computation, set in sans-serif; the lower-case forms below are the
% corresponding prose terms (set via \term).

\newcommand{\MAXMONEY}{\mathsf{MAX\_MONEY}}
\newcommand{\BlockSubsidy}{\mathsf{BlockSubsidy}}
\newcommand{\MinerSubsidy}{\mathsf{MinerSubsidy}}
\newcommand{\FoundersReward}{\mathsf{FoundersReward}}
\newcommand{\SlowStartInterval}{\mathsf{SlowStartInterval}}
\newcommand{\SlowStartShift}{\mathsf{SlowStartShift}}
\newcommand{\SlowStartRate}{\mathsf{SlowStartRate}}
\newcommand{\HalvingInterval}{\mathsf{HalvingInterval}}
\newcommand{\MaxBlockSubsidy}{\mathsf{MaxBlockSubsidy}}
\newcommand{\NumFounderAddresses}{\mathsf{NumFounderAddresses}}
\newcommand{\FounderAddressChangeInterval}{\mathsf{FounderAddressChangeInterval}}
\newcommand{\FoundersFraction}{\mathsf{FoundersFraction}}
\newcommand{\BlockHeight}{\mathsf{height}}
\newcommand{\Halving}{\mathsf{Halving}}
\newcommand{\FounderAddress}{\mathsf{FounderAddress}}
\newcommand{\FounderAddressList}{\mathsf{FounderAddressList}}
\newcommand{\FounderAddressIndex}{\mathsf{FounderAddressIndex}}
\newcommand{\RedeemScriptHash}{\mathsf{RedeemScriptHash}}

\newcommand{\blockSubsidy}{\term{block subsidy}}
\newcommand{\minerSubsidy}{\term{miner subsidy}}
\newcommand{\foundersReward}{\term{Founders' Reward}}
\newcommand{\slowStartPeriod}{\term{slow-start period}}
\newcommand{\halvingInterval}{\term{halving interval}}

% Proof-of-work target adjustment: parameters and intermediate quantities.
\newcommand{\PoWLimit}{\mathsf{PoWLimit}}
\newcommand{\PoWAveragingWindow}{\mathsf{PoWAveragingWindow}}
\newcommand{\PoWMedianBlockSpan}{\mathsf{PoWMedianBlockSpan}}
\newcommand{\PoWMaxAdjustDown}{\mathsf{PoWMaxAdjustDown}}
\newcommand{\PoWMaxAdjustUp}{\mathsf{PoWMaxAdjustUp}}
\newcommand{\PoWDampingFactor}{\mathsf{PoWDampingFactor}}
\newcommand{\PoWTargetSpacing}{\mathsf{PoWTargetSpacing}}
\newcommand{\MeanTarget}{\mathsf{MeanTarget}}
\newcommand{\MedianTime}{\mathsf{MedianTime}}
\newcommand{\AveragingWindowTimespan}{\mathsf{AveragingWindowTimespan}}
\newcommand{\MinActualTimespan}{\mathsf{MinActualTimespan}}
\newcommand{\MaxActualTimespan}{\mathsf{MaxActualTimespan}}
\newcommand{\ActualTimespan}{\mathsf{ActualTimespan}}
\newcommand{\ActualTimespanDamped}{\mathsf{ActualTimespanDamped}}
\newcommand{\ActualTimespanBounded}{\mathsf{ActualTimespanBounded}}
\newcommand{\Threshold}{\mathsf{Threshold}}
\newcommand{\ThresholdBits}{\mathsf{ThresholdBits}}
\newcommand{\targetThreshold}{\term{target threshold}}
\newcommand{\targetThresholds}{\term{target thresholds}}

% Signatures
%
% \Sig is the abstract signature scheme; the \Sig.X accessors below name
% its key types, message/signature types and algorithms.  The same accessor
% set is repeated for the two named instances, \JoinSplitSig and
% \SpendAuthSig, each with a ...Specific (scheme name) and ...HashName
% (hash function name) macro.

\newcommand{\Sig}{\mathsf{Sig}}
\newcommand{\SigPublic}{\Sig\mathsf{.Public}}
\newcommand{\SigPrivate}{\Sig\mathsf{.Private}}
\newcommand{\SigMessage}{\Sig\mathsf{.Message}}
\newcommand{\SigSignature}{\Sig\mathsf{.Signature}}
\newcommand{\SigGen}{\Sig\mathsf{.Gen}}
\newcommand{\SigSign}[1]{\Sig\mathsf{.Sign}_{#1}}
\newcommand{\SigVerify}[1]{\Sig\mathsf{.Verify}_{#1}}
% Re-randomization interface; only the abstract \Sig carries these.
\newcommand{\SigRandom}{\Sig\mathsf{.Random}}
\newcommand{\SigRandomizePublic}{\Sig\mathsf{.RandomizePublic}}
\newcommand{\SigRandomizePrivate}{\Sig\mathsf{.RandomizePrivate}}
\newcommand{\SigRandomnessId}{\Sig\mathsf{.Id}}
\newcommand{\SigRandomness}{r}

\newcommand{\JoinSplitSig}{\mathsf{JoinSplitSig}}
\newcommand{\JoinSplitSigPublic}{\JoinSplitSig\mathsf{.Public}}
\newcommand{\JoinSplitSigPrivate}{\JoinSplitSig\mathsf{.Private}}
\newcommand{\JoinSplitSigMessage}{\JoinSplitSig\mathsf{.Message}}
\newcommand{\JoinSplitSigSignature}{\JoinSplitSig\mathsf{.Signature}}
\newcommand{\JoinSplitSigGen}{\JoinSplitSig\mathsf{.Gen}}
\newcommand{\JoinSplitSigSign}[1]{\JoinSplitSig\mathsf{.Sign}_{#1}}
\newcommand{\JoinSplitSigVerify}[1]{\JoinSplitSig\mathsf{.Verify}_{#1}}
\newcommand{\JoinSplitSigSpecific}{\mathsf{Ed25519}}
\newcommand{\JoinSplitSigHashName}{\mathsf{SHA\mhyphen 512}}

\newcommand{\SpendAuthSig}{\mathsf{SpendAuthSig}}
\newcommand{\SpendAuthSigPublic}{\SpendAuthSig\mathsf{.Public}}
\newcommand{\SpendAuthSigPrivate}{\SpendAuthSig\mathsf{.Private}}
\newcommand{\SpendAuthSigMessage}{\SpendAuthSig\mathsf{.Message}}
\newcommand{\SpendAuthSigSignature}{\SpendAuthSig\mathsf{.Signature}}
\newcommand{\SpendAuthSigGen}{\SpendAuthSig\mathsf{.Gen}}
\newcommand{\SpendAuthSigSign}[1]{\SpendAuthSig\mathsf{.Sign}_{#1}}
\newcommand{\SpendAuthSigVerify}[1]{\SpendAuthSig\mathsf{.Verify}_{#1}}
\newcommand{\SpendAuthSigSpecific}{\mathsf{EdJubjub}}
% NOTE(review): as written there is no backslash before BlakeTwob, so this
% typesets the literal letters "BlakeTwob512" in \mathsf rather than
% invoking a macro; confirm this is the intended hash-function name.
\newcommand{\SpendAuthSigHashName}{\mathsf{BlakeTwob{512}}}

% EdDSA component names: r/s (scalars) and their byte-encoded forms R/S.
\newcommand{\EdDSA}{\mathsf{EdDSA}}
\newcommand{\EdDSAr}{R}
\newcommand{\EdDSAs}{S}
\newcommand{\EdDSAR}{\bytes{R}}
\newcommand{\EdDSAS}{\bytes{S}}

\newcommand{\RandomSeedLength}{\mathsf{\ell_{Seed}}}
\newcommand{\RandomSeedType}{\bitseq{\mathsf{\ell_{Seed}}}}
\newcommand{\pksig}{\mathsf{pk_{sig}}}
\newcommand{\sk}{\mathsf{sk}}
\newcommand{\hSigInput}{\mathsf{hSigInput}}
\newcommand{\crhInput}{\mathsf{crhInput}}
\newcommand{\dataToBeSigned}{\mathsf{dataToBeSigned}}

% Merkle tree
%
% Depth, node, hash-function, hash-length and layer-range symbols, each in
% a generic form plus explicit Sprout and Sapling variants.

\newcommand{\MerkleDepth}{\mathsf{MerkleDepth}}
\newcommand{\MerkleDepthSprout}{\optSprout{\MerkleDepth}}
\newcommand{\MerkleDepthSapling}{\MerkleDepth^\mathsf{Sapling}}

% \MerkleNode{layer}{index}
\newcommand{\MerkleNode}[2]{\mathsf{M}^{#1}_{#2}}
\newcommand{\MerkleSibling}{\mathsf{sibling}}

\newcommand{\MerkleCRH}{\mathsf{MerkleCRH}}
\newcommand{\MerkleCRHSprout}{\optSprout{\MerkleCRH}}
\newcommand{\MerkleCRHSapling}{\MerkleCRH^\mathsf{Sapling}}

\newcommand{\MerkleHashLength}{\mathsf{\ell_{Merkle}}}
\newcommand{\MerkleHashLengthSprout}{\mathsf{\ell_{\sprout{Merkle}\notsprout{MerkleSprout}}}}
\newcommand{\MerkleHashLengthSapling}{\mathsf{\ell_{MerkleSapling}}}
\newcommand{\MerkleHash}{\bitseq{\MerkleHashLength}}
\newcommand{\MerkleHashSprout}{\bitseq{\MerkleHashLengthSprout}}
\newcommand{\MerkleHashSapling}{\bitseq{\MerkleHashLengthSapling}}

% Layer index ranges 0 .. depth-1.
\newcommand{\MerkleLayer}{\range{0}{\MerkleDepth-1}}
\newcommand{\MerkleLayerSprout}{\range{0}{\MerkleDepthSprout-1}}
\newcommand{\MerkleLayerSapling}{\range{0}{\MerkleDepthSapling-1}}

% Transactions
%
% Transaction and JoinSplit/Spend/Output description field names, set in
% typewriter (\mathtt).  Underscores in the names are escaped.

\newcommand{\headerField}{\mathtt{header}}
\newcommand{\fOverwintered}{\mathtt{fOverwintered}}
\newcommand{\versionField}{\mathtt{version}}
\newcommand{\nVersionGroupId}{\mathtt{nVersionGroupId}}
\newcommand{\txInCount}{\mathtt{tx\_in\_count}}
\newcommand{\txIn}{\mathtt{tx\_in}}
\newcommand{\txOutCount}{\mathtt{tx\_out\_count}}
\newcommand{\txOut}{\mathtt{tx\_out}}
\newcommand{\lockTime}{\mathtt{lock\_time}}
\newcommand{\nExpiryHeight}{\mathtt{nExpiryHeight}}
\newcommand{\nShieldedSpend}{\mathtt{nShieldedSpend}}
\newcommand{\vShieldedSpend}{\mathtt{vShieldedSpend}}
\newcommand{\nShieldedOutput}{\mathtt{nShieldedOutput}}
\newcommand{\vShieldedOutput}{\mathtt{vShieldedOutput}}
\newcommand{\nJoinSplit}{\mathtt{nJoinSplit}}
\newcommand{\vJoinSplit}{\mathtt{vJoinSplit}}
\newcommand{\vpubOldField}{\mathtt{vpub\_old}}
\newcommand{\vpubNewField}{\mathtt{vpub\_new}}
\newcommand{\anchorField}{\mathtt{anchor}}
\newcommand{\joinSplitSig}{\mathtt{joinSplitSig}}
\newcommand{\joinSplitPrivKey}{\mathtt{joinSplitPrivKey}}
\newcommand{\joinSplitPubKey}{\mathtt{joinSplitPubKey}}
\newcommand{\nullifierField}{\mathtt{nullifier}}
\newcommand{\nullifiersField}{\mathtt{nullifiers}}
\newcommand{\rkField}{\mathtt{rk}}
\newcommand{\cvField}{\mathtt{cv}}
\newcommand{\cmField}{\mathtt{cm}}
\newcommand{\commitment}{\mathtt{commitment}}
\newcommand{\commitments}{\mathtt{commitments}}
\newcommand{\ephemeralKey}{\mathtt{ephemeralKey}}
\newcommand{\encCiphertext}{\mathtt{encCiphertext}}
\newcommand{\encCiphertexts}{\mathtt{encCiphertexts}}
\newcommand{\randomSeed}{\mathtt{randomSeed}}
\newcommand{\spendAuthSig}{\mathtt{spendAuthSig}}

% Helpers for the field-layout tables: a "Varies" size cell, a centred
% column heading, and a typewriter type name.
\newcommand{\Varies}{\textit{\!Varies}}
\newcommand{\heading}[1]{\multicolumn{1}{c|}{#1}}
\newcommand{\type}[1]{\texttt{#1}}
\newcommand{\compactSize}{\type{compactSize uint}}

% Signature-hash and script vocabulary.
\newcommand{\sighashTxHashes}{\term{SIGHASH transaction hashes}}
\newcommand{\sighashType}{\term{SIGHASH type}}
\newcommand{\sighashTypes}{\term{SIGHASH types}}
\newcommand{\SIGHASHALL}{\mathsf{SIGHASH\_ALL}}
\newcommand{\scriptSig}{\mathtt{scriptSig}}
\newcommand{\scriptPubKey}{\mathtt{scriptPubKey}}
\newcommand{\ScriptOP}[1]{\texttt{OP\_{#1}}}

% Equihash and block headers

\newcommand{\validEquihashSolution}{\term{valid Equihash solution}}
\newcommand{\powtag}{\mathsf{powtag}}
\newcommand{\powheader}{\mathsf{powheader}}
\newcommand{\powcount}{\mathsf{powcount}}

% Block header field names (\mathtt).  nTime and nBits additionally have
% sans-serif forms for use as symbols rather than field names.
\newcommand{\nVersion}{\mathtt{nVersion}}
\newcommand{\hashPrevBlock}{\mathtt{hashPrevBlock}}
\newcommand{\hashMerkleRoot}{\mathtt{hashMerkleRoot}}
\newcommand{\hashReserved}{\mathtt{hashReserved}}
\newcommand{\hashFinalSaplingRoot}{\mathtt{hashFinalSaplingRoot}}
\newcommand{\nTimeField}{\mathtt{nTime}}
\newcommand{\nTime}{\mathsf{nTime}}
\newcommand{\nBitsField}{\mathtt{nBits}}
\newcommand{\nBits}{\mathsf{nBits}}
\newcommand{\nNonce}{\mathtt{nNonce}}
\newcommand{\solutionSize}{\mathtt{solutionSize}}
\newcommand{\solution}{\mathtt{solution}}

\newcommand{\SHAd}{\term{SHA-256d}}

% Proving system
%
% Abstract proving system \ZK with its key, proof and input type names,
% plus the three named instances (JoinSplit, Spend, Output) and their
% proof symbols.

\newcommand{\ZK}{\mathsf{ZK}}
\newcommand{\ZKProvingKey}{\mathsf{ZK.ProvingKey}}
\newcommand{\ZKVerifyingKey}{\mathsf{ZK.VerifyingKey}}
\newcommand{\pk}{\mathsf{pk}}
\newcommand{\vk}{\mathsf{vk}}
\newcommand{\ZKGen}{\mathsf{ZK.Gen}}
\newcommand{\ZKProof}{\mathsf{ZK.Proof}}
\newcommand{\ZKPrimary}{\mathsf{ZK.PrimaryInput}}
\newcommand{\ZKAuxiliary}{\mathsf{ZK.AuxiliaryInput}}
\newcommand{\ZKSatisfying}{\mathsf{ZK.SatisfyingInputs}}
\newcommand{\ZKProve}[1]{\mathsf{ZK.}\mathtt{Prove}_{#1}}
\newcommand{\ZKVerify}[1]{\mathsf{ZK.}\mathtt{Verify}_{#1}}

\newcommand{\Simulator}{\mathcal{S}}
\newcommand{\Distinguisher}{\mathcal{D}}

\newcommand{\JoinSplit}{\mathsf{ZKJoinSplit}}
\newcommand{\JoinSplitVerify}{\JoinSplit\mathsf{.Verify}}
\newcommand{\JoinSplitProve}{\JoinSplit\mathsf{.Prove}}
\newcommand{\JoinSplitProof}{\JoinSplit\mathsf{.Proof}}
\newcommand{\Spend}{\mathsf{ZKSpend}}
\newcommand{\SpendVerify}{\Spend\mathsf{.Verify}}
\newcommand{\SpendProve}{\Spend\mathsf{.Prove}}
\newcommand{\SpendProof}{\Spend\mathsf{.Proof}}
\newcommand{\Output}{\mathsf{ZKOutput}}
\newcommand{\OutputVerify}{\Output\mathsf{.Verify}}
\newcommand{\OutputProve}{\Output\mathsf{.Prove}}
\newcommand{\OutputProof}{\Output\mathsf{.Proof}}

% Proof symbols: \Proof{X} is pi with X as a tightened subscript.
\newcommand{\Proof}[1]{\pi_{\!{#1}}}
\newcommand{\ProofJoinSplit}{\pi_\JoinSplit}
\newcommand{\ProofSpend}{\pi_\Spend}
\newcommand{\ProofOutput}{\pi_\Output}

\newcommand{\zkproof}{\mathtt{zkproof}}
\newcommand{\POUR}{\texttt{POUR}}

% \Prob{event}{condition}: Pr[ event | condition ], each side set as a
% one-column array (so it may span several lines) and scaled to 88%.
\newcommand{\Prob}[2]{\mathrm{Pr}\scalebox{0.88}{\ensuremath{%
  \left[\!\!\begin{array}{c}#1\end{array}\middle|\begin{array}{l}#2\end{array}\!\!\right]%
}}}

\newcommand{\BNImpl}{\mathtt{ALT\_BN128}}

% JoinSplit

\newcommand{\hSig}{\mathsf{h_{Sig}}}
% Form of \hSig usable in section titles: math in the text, plain "hSig"
% in PDF bookmarks.
\newcommand{\hSigText}{\texorpdfstring{$\hSig$}{hSig}}
\newcommand{\h}[1]{\mathsf{h_{\mathnormal{#1}}}}

% Counts of old/new notes and the index ranges/sets 1..N^old, 1..N^new.
\newcommand{\NOld}{\mathrm{N}^\mathsf{old}}
\newcommand{\NNew}{\mathrm{N}^\mathsf{new}}
\newcommand{\allN}[1]{\mathrm{1}..\mathrm{N}^\mathsf{#1}}
\newcommand{\allOld}{\allN{old}}
\newcommand{\allNew}{\allN{new}}
\newcommand{\setofOld}{\setof{\allOld}}
\newcommand{\setofNew}{\setof{\allNew}}

\newcommand{\vmacs}{\mathtt{vmacs}}
\newcommand{\vpubOld}{\mathsf{v_{pub}^{old}}}
\newcommand{\vpubNew}{\mathsf{v_{pub}^{new}}}
\newcommand{\nOld}[1]{\NoteTuple{#1}^\mathsf{old}}
\newcommand{\nNew}[1]{\NoteTuple{#1}^\mathsf{new}}
\newcommand{\vOld}[1]{\mathsf{v}_{#1}^\mathsf{old}}
\newcommand{\vNew}[1]{\mathsf{v}_{#1}^\mathsf{new}}
\newcommand{\RandomSeed}{\mathsf{randomSeed}}
\newcommand{\rt}{\mathsf{rt}}
\newcommand{\treepath}[1]{\mathsf{path}_{#1}}
\newcommand{\Receive}{\mathsf{Receive}}
\newcommand{\EnforceMerklePath}[1]{\mathsf{enforceMerklePath}_{~\!\!#1}}
% Elliptic curve stuff
%
% Generic curve symbols, then one family of symbols per group letter
% (P here; G, S, J and M follow).  Each family has: \ParamX{p} (p
% subscripted with the blackboard group letter), \GroupX{i} / \GroupXstar{i},
% and \CurveX, \ZeroX, \GenX, \ellX, \reprX, \abstX subscripted with the
% group.

\newcommand{\Curve}{E}
\newcommand{\Zero}{\mathcal{O}}
\newcommand{\Generator}{\mathcal{P}}

% Enlarged u / v coordinate-selector symbols, bare and applied to an
% argument in parentheses.
\newcommand{\Selectu}{\scalebox{1.53}{$u$}}
\newcommand{\SelectuOf}[1]{\Selectu\!\left({#1}\right)\!}
\newcommand{\Selectv}{\scalebox{1.53}{$\varv$}}
\newcommand{\SelectvOf}[1]{\Selectv\!\left({#1}\right)\!}

\newcommand{\ParamP}[1]{{{#1}_\mathbb{P}}}
\newcommand{\ParamPexp}[2]{{{#1}_\mathbb{P}\!}^{#2}}
\newcommand{\GroupP}[1]{\mathbb{P}_{#1}}
\newcommand{\GroupPstar}[1]{\mathbb{P}^\ast_{#1}}
\newcommand{\CurveP}[1]{\Curve_{\GroupP{#1}}}
\newcommand{\ZeroP}[1]{\Zero_{\GroupP{#1}}}
\newcommand{\GenP}[1]{\Generator_{\GroupP{#1}}}
\newcommand{\ellP}[1]{\ell_{\GroupP{#1}}}
\newcommand{\reprP}[1]{\repr_{\GroupP{#1}}}
\newcommand{\abstP}[1]{\abst_{\GroupP{#1}}}
\newcommand{\PairingP}{\ParamP{\hat{e}}}

\newcommand{\ParamG}[1]{{{#1}_\mathbb{G}}}
\newcommand{\ParamGexp}[2]{{{#1}_\mathbb{G}\!}^{#2}}
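\newcommand{\GroupG}[1]{\mathbb{G}_{#1}}
\newcommand{\GroupGstar}[1]{\mathbb{G}^\ast_{#1}}
\newcommand{\GroupGHash}[1]{\mathsf{GroupHash}^\GroupG{#1}}
\newcommand{\CurveG}[1]{\Curve_{\GroupG{#1}}}
\newcommand{\ZeroG}[1]{\Zero_{\GroupG{#1}}}
\newcommand{\GenG}[1]{\Generator_{\GroupG{#1}}}
\newcommand{\ellG}[1]{\ell_{\GroupG{#1}}}
\newcommand{\reprG}[1]{\repr_{\GroupG{#1}}}
\newcommand{\abstG}[1]{\abst_{\GroupG{#1}}}
\newcommand{\PairingG}{\ParamG{\hat{e}}}
\newcommand{\ExtractG}{\ParamG{\mathsf{Extract}}}

% Family S.  The small \hskip nudges the blackboard S subscript.
\newcommand{\ParamS}[1]{{{#1}_\mathbb{\hskip 0.03em S}}}
\newcommand{\ParamSexp}[2]{{{#1}_\mathbb{\hskip 0.03em S}\!}^{#2}}
\newcommand{\GroupS}[1]{\mathbb{S}_{#1}}
\newcommand{\GroupSstar}[1]{\mathbb{S}^\ast_{#1}}
\newcommand{\CurveS}[1]{\Curve_{\GroupS{#1}}}
\newcommand{\ZeroS}[1]{\Zero_{\GroupS{#1}}}
\newcommand{\GenS}[1]{\Generator_{\GroupS{#1}}}
\newcommand{\ellS}[1]{\ell_{\GroupS{#1}}}
% \reprS / \abstS must be subscripted with \GroupS like the rest of this
% family (cf. \CurveS, \ZeroS, \GenS, \ellS).  A \GroupG subscript here
% would typeset the S-group representation/abstraction maps as if they
% were the G-group ones, mislabelling which curve encoding is meant.
\newcommand{\reprS}[1]{\repr_{\GroupS{#1}}}
\newcommand{\abstS}[1]{\abst_{\GroupS{#1}}}
\newcommand{\PairingS}{\ParamS{\hat{e}}}
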
% Family J.  Unlike P/G/S there is a single group, so these macros take no
% index argument; the ...Of forms apply the map to a parenthesised argument.
\newcommand{\ParamJ}[1]{{{#1}_\mathbb{\hskip 0.01em J}}}
\newcommand{\ParamJexp}[2]{{{#1}_\mathbb{\hskip 0.01em J}\!}^{#2}}
\newcommand{\GroupJ}{\mathbb{J}}
\newcommand{\GroupJHash}[1]{\mathsf{GroupHash}^\mathbb{J}_{#1}}
\newcommand{\CurveJ}{\Curve_{\GroupJ}}
\newcommand{\ZeroJ}{\Zero_{\GroupJ}}
\newcommand{\GenJ}{\Generator_{\GroupJ}}
\newcommand{\ellJ}{\ell_{\GroupJ}}
\newcommand{\reprJ}{\repr_{\GroupJ}}
\newcommand{\reprJOf}[1]{\reprJ\!\left({#1}\right)\!}
\newcommand{\abstJ}{\abst_{\GroupJ}}
\newcommand{\abstJOf}[1]{\abstJ\!\left({#1}\right)\!}
\newcommand{\ExtractJ}{\ParamJ{\mathsf{Extract}}}
\newcommand{\FindGroupJHash}{\mathsf{FindGroupHash}^\mathbb{J}}
\newcommand{\FindGroupJHashOf}[1]{\FindGroupJHash\!\left({#1}\right)\!}

% Family M (parameters only).
\newcommand{\ParamM}[1]{{{#1}_\mathbb{\hskip 0.03em M}}}
\newcommand{\ParamMexp}[2]{{{#1}_\mathbb{\hskip 0.03em M}\!}^{#2}}

% Names used in the point-arithmetic descriptions.
\newcommand{\pack}{\mathsf{pack}}
\newcommand{\Acc}{\mathsf{Acc}}
\newcommand{\Base}{\mathsf{Base}}
\newcommand{\Addend}{\mathsf{Addend}}
\newcommand{\Sum}{\mathsf{Sum}}
% \Ainv is the fixed-A case of \Inv{x} (x subscripted "inv").
\newcommand{\Ainv}{A_{\mathsf{inv}}}
\newcommand{\Inv}[1]{{#1}_{\mathsf{inv}}}

% Point representation / abstraction maps (the bare names; the per-group
% subscripted forms are defined above).
\newcommand{\repr}{\mathsf{repr}}
\newcommand{\abst}{\mathsf{abst}}

% Coordinates of a point P, with the subscript pulled in slightly.
\newcommand{\xP}{{x_{\hspace{-0.12em}P}}}
\newcommand{\yP}{{y_{\hspace{-0.03em}P}}}

\newcommand{\CRS}{\mathsf{CRS}}
\newcommand{\CRSType}{\mathsf{CRSType}}
% Conversions
%
% Names of the encoding/decoding primitives between curve points, field
% elements, integers, bit sequences and octet strings.  The subscripted
% forms take the length as #1; the ...Of forms also take the operand.

\newcommand{\ECtoOSP}{\mathsf{EC2OSP}}
\newcommand{\ECtoOSPXL}{\mathsf{EC2OSP\mhyphen{}XL}}
\newcommand{\ECtoOSPXS}{\mathsf{EC2OSP\mhyphen{}XS}}
\newcommand{\FEtoIP}{\mathsf{FE2IP}}
\newcommand{\FEtoIPP}{\mathsf{FE2IPP}}
\newcommand{\ItoLEBSP}[1]{\mathsf{I2LEBSP}_{#1}}
\newcommand{\ItoBEBSP}[1]{\mathsf{I2BEBSP}_{#1}}
\newcommand{\LEOStoIP}[1]{\mathsf{LEOS2IP}_{#1}}
\newcommand{\LEOStoIPOf}[2]{\LEOStoIP{#1}\!\left({#2}\right)}
\newcommand{\LEBStoOSP}[1]{\mathsf{LEBS2OSP}_{#1}}
\newcommand{\LEBStoOSPOf}[2]{\LEBStoOSP{#1}\!\left({#2}\right)}

% Sapling circuits
%
% Gadget and Pedersen hash/commitment names used in the circuit
% descriptions.

\newcommand{\DecompressValidate}{\mathsf{DecompressValidate}}
\newcommand{\FixedScalarMult}{\mathsf{FixedScalarMult}}
\newcommand{\VariableScalarMult}{\mathsf{VariableScalarMult}}
\newcommand{\MontToEdwards}{\mathsf{MontToEdwards}}
\newcommand{\EdwardsToMont}{\mathsf{EdwardsToMont}}
\newcommand{\AffineEdwardsJubjub}{\mathsf{AffineEdwardsJubjub}}
\newcommand{\AffineMontJubjub}{\mathsf{AffineMontJubjub}}
\newcommand{\CompressedEdwardsJubjub}{\mathsf{CompressedEdwardsJubjub}}

\newcommand{\PedersenHash}{\mathsf{PedersenHash}}
% \PedersenGen{sup}{sub}: the generator symbol I with both indices,
% kerned slightly.
\newcommand{\PedersenGenAlg}{\mathcal{I}}
\newcommand{\PedersenGen}[2]{\PedersenGenAlg^{\kern -0.05em{#1}}_{\kern 0.1em{#2}}}
% Angle-bracket encodings; note \PedersenEncodeSub takes the subscript
% as #1 and the encoded value as #2.
\newcommand{\PedersenEncode}[1]{\langle{#1}\rangle}
\newcommand{\PedersenEncodeSub}[2]{\langle{#2}\rangle_{\kern -0.1em{#1}\vphantom{S'}}}
\newcommand{\PedersenEncodeNonneg}[1]{\langle{#1}\rangle^{\PedersenRangeOffset}}
\newcommand{\PedersenHashToPoint}{\mathsf{PedersenHashToPoint}}
\newcommand{\MixingPedersenHash}{\mathsf{MixingPedersenHash}}
\newcommand{\WindowedPedersenCommitAlg}{\mathsf{WindowedPedersenCommit}}
\newcommand{\WindowedPedersenCommit}[1]{\WindowedPedersenCommitAlg_{#1}}
\newcommand{\HomomorphicPedersenCommitAlg}{\mathsf{HomomorphicPedersenCommit}}
\newcommand{\HomomorphicPedersenCommit}[1]{\HomomorphicPedersenCommitAlg_{#1}}

\newcommand{\Digits}{\mathsf{Digits}}
\newcommand{\PedersenRangeOffset}{\Delta}
\newcommand{\Mask}{\mathsf{Mask}}
\newcommand{\abs}{\mathsf{abs}}

% Consensus rules
%
% Labelled sub-paragraphs and itemized environments for normative rules,
% security requirements, notes and facts.  The tagged variants prefix a
% "[Sprout]", "[Pre-NU0]", "[NU0 ...]" or "[Sapling onward]" marker; which
% tag (and, for the \sapling / \nuzero-wrapped ones, whether the content
% appears at all) is controlled by the \sprout / \notsprout / \nuzero /
% \sapling switches defined elsewhere in the preamble.

\newcommand{\consensusrule}[1]{\needspace{3ex}\subparagraph{Consensus rule:}{#1}}
\newenvironment{consensusrules}{\vspace{-4ex}\introlist\subparagraph{Consensus rules:}\begin{itemize}}{\end{itemize}}

% Tagged \item forms for use inside the environments above.
\newcommand{\sproutspecificitem}[1]{\item\sproutspecific{#1}}
\newcommand{\sproutonlyitem}[1]{\item\sproutonly{#1}}
\newcommand{\saplingonwarditem}[1]{\sapling{\item{[\Sapling onward]}\,{#1}}}
\newcommand{\prenuzeroitem}[1]{\item\prenuzero{#1}}
\newcommand{\nuzeroonlyitem}[1]{\nuzero{\item{[\NUZero only, pre-\Sapling\!]}\,{#1}}}
\newcommand{\nuzeroonwarditem}[1]{\nuzero{\item{[\NUZero onward]}\,{#1}}}

% Tagged inline forms.
\newcommand{\sproutspecific}[1]{\notsprout{[\Sprout\!]\,}{#1}}
\newcommand{\sproutonly}[1]{\notsprout{[\Sprout only]\,}{#1}}
\newcommand{\saplingonward}[1]{\sapling{[\Sapling onward]\,{#1}}}
\newcommand{\prenuzero}[1]{\notsprout{[Pre-\NUZero\!]\,}{#1}}
\newcommand{\nuzeroonly}[1]{\nuzero{[\NUZero only, pre-\Sapling\!]\,{#1}}}
\newcommand{\nuzeroonward}[1]{\nuzero{[\NUZero onward]\,{#1}}}

\newcommand{\securityrequirement}[1]{\needspace{3ex}\subparagraph{Security requirement:}{#1}}
\newenvironment{securityrequirements}{\introlist\subparagraph{Security requirements:}\begin{itemize}}{\end{itemize}}

\newcommand{\pnote}[1]{\subparagraph{Note:}{#1}}
\newenvironment{pnotes}{\introlist\subparagraph{Notes:}\begin{itemize}}{\end{itemize}}
% Tagged notes: the tag precedes a bold "Note:" label.
\newcommand{\sproutspecificpnote}[1]{\notsprout{[\Sprout\!]\,\,}\textbf{Note:\,}{#1}}
\newcommand{\sproutonlypnote}[1]{\notsprout{[\Sprout only]\,\,}\textbf{Note:\,}{#1}}
\newcommand{\prenuzeropnote}[1]{\notsprout{[Pre-\NUZero\!]\,\,}\textbf{Note:\,}{#1}}
\newcommand{\nuzeroonlypnote}[1]{\nuzero{[\NUZero only, pre-\Sapling\!]\,\,}\textbf{Note:\,}{#1}}
\newcommand{\nuzeroonwardpnote}[1]{\nuzero{[\NUZero onward]\,\,}\textbf{Note:\,}{#1}}

\newcommand{\fact}[1]{\subparagraph{Fact:}{#1}}
\newcommand{\facts}[1]{\subparagraph{Facts:}{#1}}

% Heading for a circuit condition; #1 is the full heading text.
\newcommand{\snarkcondition}[1]{\vspace{-3.5ex}\introlist\subparagraph{#1}}

% Dagger affiliation marker used on the title page.
\newcommand{\affiliation}{\hairspace$^\dagger$\;}

\begin { document}
\title { \textbf { \doctitle } \\
\Large \docversion }
\author {
\Large \leadauthor \hairspace \thanks { \; Zerocoin Electric Coin Company} \\
\Large \coauthora \affiliation — \coauthorb \affiliation — \coauthorc \affiliation }
\date { \today }
\maketitle
\renewcommand { \abstractname } { }
\vspace { -8ex}
\begin { abstract}
\normalsize\noindent\textbf{Abstract.}
\Zcash is an implementation of the \term{Decentralized Anonymous Payment}
scheme \Zerocash, with security fixes and adjustments
to terminology, functionality and performance. It bridges the existing
\emph{transparent} payment scheme used by \Bitcoin with a
\emph{shielded} payment scheme secured by zero-knowledge succinct
non-interactive arguments of knowledge (\zkSNARKs). It attempts to
address the problem of mining centralization by use of the Equihash
memory-hard proof-of-work algorithm.
\vspace { 1.5ex}
\sprout{\noindent This specification defines the \Zcash consensus protocol and explains
its differences from \Zerocash and \Bitcoin.}
\sapling{\noindent This \emph{draft} specification defines the next
upgrade of the \Zcash consensus protocol, codenamed \NUZero, and the
subsequent upgrade, codenamed \Sapling. It is a work in progress
and should not be used as a reference for the current protocol.}
\vspace { 2.5ex}
\noindent\textbf{Keywords:}~\StrSubstitute[0]{\keywords}{,}{, }.
\end { abstract}
\phantomsection
\addcontentsline { toc} { section} { \larger { Contents} }
\renewcommand { \contentsname } { }
% <https://tex.stackexchange.com/a/182744/78411>
\renewcommand { \baselinestretch } { 0.85} \normalsize
\tableofcontents
\renewcommand { \baselinestretch } { 1.0} \normalsize
\newpage
\section { Introduction}
\Zcash is an implementation of the \term { Decentralized Anonymous Payment}
scheme \Zerocash~\cite{BCG+2014}, with some security fixes and adjustments
to terminology, functionality and performance. It bridges the existing
\emph{transparent} payment scheme used by \Bitcoin~\cite{Naka2008} with a
\emph{shielded} payment scheme secured by zero-knowledge succinct
non-interactive arguments of knowledge (\zkSNARKs).
Changes from the original \Zerocash are explained in \crossref{differences},
and highlighted in \changed{\changedcolor} throughout the document.
\notsprout{Changes specific to the \NUZero upgrade (which are also changes from
\Zerocash) are highlighted in \nuzero{\nuzerocolor}.
Changes specific to the \Sapling upgrade following \NUZero (which are also
changes from \Zerocash) are highlighted in \sapling{\saplingcolor}.
The name \Sprout is used for the \Zcash protocol prior to \Sapling
(both before and after \NUZero).
2018-03-09 20:11:23 -08:00
} %notsprout
2016-02-11 07:04:56 -08:00
2018-02-07 02:55:53 -08:00
Technical terms for concepts that play an important rôle in \Zcash are
2016-08-17 05:27:38 -07:00
written in \term { slanted text} . \emph { Italics} are used for emphasis and
for references between sections of the document.
2018-03-18 13:57:20 -07:00
The key words \MUST , \MUSTNOT , \SHOULD ,
\sprout { and \SHOULDNOT } \notsprout { \SHOULDNOT , \MAY , and \RECOMMENDED } in
this document are to be interpreted as described in \cite { RFC-2119} when
they appear in \ALLCAPS . These words may also appear in this document in
2016-09-16 06:47:44 -07:00
lower case as plain English words, absent their normative meanings.
2017-01-19 18:24:49 -08:00
\vspace { 2ex}
\introlist
2016-05-20 15:52:29 -07:00
This specification is structured as follows:
\begin { itemize}
2017-08-03 07:58:12 -07:00
\item Notation — definitions of notation used throughout the document;
\item Concepts — the principal abstractions needed to understand the protocol;
\item Abstract Protocol — a high-level description of the protocol in terms
2016-05-20 15:52:29 -07:00
of ideal cryptographic components;
2017-08-03 07:58:12 -07:00
\item Concrete Protocol — how the functions and encodings of the abstract
2016-05-20 15:52:29 -07:00
protocol are instantiated;
2017-12-01 18:03:23 -08:00
\notsprout {
2018-03-18 13:57:20 -07:00
\item Network Upgrades — the strategy for upgrading from \Sprout to \NUZero
2017-12-01 18:03:23 -08:00
and then \Sapling ;
}
2017-08-03 07:58:12 -07:00
\item Consensus Changes from \Bitcoin — how \Zcash differs from \Bitcoin at
2016-08-14 16:15:43 -07:00
the consensus layer, including the Proof of Work;
2017-08-03 07:58:12 -07:00
\item Differences from the \Zerocash protocol — a summary of changes from the
2016-08-14 12:42:14 -07:00
protocol in \cite { BCG+2014} .
2018-01-22 10:24:16 -08:00
\notsprout {
\item Appendix: Circuit Design — details of how the \Sapling circuit is defined
as a Quadratic Arithmetic Program.
}
2016-05-20 15:52:29 -07:00
\end { itemize}
2016-02-25 10:32:18 -08:00
2016-05-20 15:52:29 -07:00
2018-03-12 15:51:20 -07:00
\subsection { Caution}
2016-04-03 20:04:07 -07:00
2016-08-14 16:15:43 -07:00
\Zcash security depends on consensus. Should a program interacting with the
\Zcash network diverge from consensus, its security will be weakened or destroyed.
The cause of the divergence doesn't matter: it could be a bug in your program,
it could be an error in this documentation which you implemented as described,
or it could be that you do everything right but other software on the network
behaves unexpectedly. The specific cause will not matter to the users of your
software whose wealth is lost.
2016-02-16 11:49:37 -08:00
Having said that, a specification of \emph { intended} behaviour is essential
for security analysis, understanding of the protocol, and maintenance of
2016-08-14 16:15:43 -07:00
\Zcash and related software. If you find any mistake in this specification,
2018-03-18 13:57:20 -07:00
please file an issue at \url{https://github.com/zcash/zips/issues} or contact
\texttt{<security@z.cash>}. A mistake that could have security consequences
for deployed software should be reported privately to \texttt{<security@z.cash>}
rather than in a public issue, so that a fix can be prepared before disclosure.
2016-02-16 11:49:37 -08:00
2018-03-12 15:51:20 -07:00
\subsection { High-level Overview}
2016-08-17 05:24:09 -07:00
The following overview is intended to give a concise summary of the ideas
behind the protocol, for an audience already familiar with \blockchain -based
cryptocurrencies such as \Bitcoin . It is imprecise in some aspects and is not
2017-12-01 18:04:39 -08:00
part of the normative protocol specification. \notsprout { This overview applies
to both \Sprout and \Sapling , differences in the cryptographic constructions
used notwithstanding.}
2016-08-17 05:24:09 -07:00
2018-02-23 19:15:09 -08:00
\introsection
2016-10-27 20:39:04 -07:00
Value in \Zcash is either \transparent or \shielded . Transfers of \transparent
2016-09-03 20:26:04 -07:00
value work essentially as in \Bitcoin and have the same privacy properties.
2018-03-16 08:58:23 -07:00
\xShielded value is carried by \notes \footnotewithlabel { notesandnullifiers} { In
\Zerocash \cite { BCG+2014} , \notes were called \quotedterm { coins} , and \nullifiers
2018-02-07 02:55:53 -08:00
were called \quotedterm { serial numbers} .} ,
2018-02-07 03:53:07 -08:00
which specify an amount and \sprout { a \payingKey . The \payingKey is part of}
\notsprout { (indirectly)}
2016-08-17 05:24:09 -07:00
a \paymentAddress , which is a destination to which \notes can be sent.
As in \Bitcoin , this is associated with a private key that can be used to
spend \notes sent to the address; in \Zcash this is called a \spendingKey .
To each \note there is cryptographically associated a \noteCommitment , and
2018-03-16 08:58:23 -07:00
a \nullifier \footnoteref { notesandnullifiers} (so that there is a 1:1:1 relation
2016-09-22 09:04:52 -07:00
between \notes , \noteCommitments , and \nullifiers ). Computing the \nullifier
2018-03-18 13:57:20 -07:00
requires the associated private \spendingKey \sapling { (or the \nullifierKey for \Sapling \notes )} .
2018-02-07 03:53:07 -08:00
It is infeasible to correlate the \noteCommitment with the corresponding
\nullifier without knowledge of at least this \sprout { \spendingKey } \notsprout { key} .
An unspent valid \note , at a given point on the \blockchain ,
2016-09-22 09:04:52 -07:00
is one for which the \noteCommitment has been publicly revealed on the
\blockchain prior to that point, but the \nullifier has not.
2018-02-26 01:44:19 -08:00
\notsprout { \todo { The ``1:1:1'' part isn't correct for \Sapling .} }
2016-08-17 05:24:09 -07:00
2017-01-19 18:24:49 -08:00
\introlist
2016-10-02 23:15:19 -07:00
A \transaction can contain \transparent inputs, outputs, and scripts, which all
2018-02-07 03:53:07 -08:00
work as in \Bitcoin \cite { Bitc-Protocol} .
\sprout {
It also contains a sequence of zero or more \joinSplitDescriptions .
2018-03-16 08:58:23 -07:00
Each of these describes a \joinSplitTransfer \footnote {
2018-02-07 02:55:53 -08:00
\joinSplitTransfers in \Zcash generalize \quotedterm { Mint} and \quotedterm { Pour}
\transactions in \Zerocash ; see \crossref { trstructure} for differences.}
2016-09-03 17:08:02 -07:00
which takes in a \transparent value and up to two input \notes , and produces a
2018-02-07 03:53:07 -08:00
\transparent value and up to two output \notes .
}
\notsprout {
It also includes \joinSplitDescriptions , \spendDescriptions , and \outputDescriptions .
Together these describe \shieldedTransfers which take in \shieldedInput \notes ,
and/or produce \shieldedOutput \notes .
(For \Sprout , each \joinSplitDescription handles up to two \shieldedInputs and
up to two \shieldedOutputs . For \Sapling , each \shieldedInput or \shieldedOutput
has its own description.)
It is also possible for value to be transferred between the \transparent and
\shielded domains.
}
The \nullifiers of the input \notes are revealed (preventing them from being
spent again) and the commitments of the output \notes are revealed (allowing
them to be spent in future).
\sprout {
Each \joinSplitDescription also includes a computationally sound \zkSNARK proof,
2018-03-11 05:34:06 -07:00
which proves that all of the following hold except with insignificant probability:
2016-08-17 05:24:09 -07:00
\begin { itemize}
2016-09-22 09:04:52 -07:00
\item The input and output values balance (individually for each \joinSplitTransfer ).
2016-08-17 05:24:09 -07:00
\item For each input \note of non-zero value, some revealed \noteCommitment
exists for that \note .
\item The prover knew the private \spendingKeys of the input \notes .
\item The \nullifiers and \noteCommitments are computed correctly.
\item The private \spendingKeys of the input \notes are cryptographically
linked to a signature over the whole \transaction , in such a way that
the \transaction cannot be modified by a party who did not know these
private keys.
2016-09-22 09:04:52 -07:00
\item Each output \note is generated in such a way that it is infeasible to
cause its \nullifier to collide with the \nullifier of any other \note .
2016-08-17 05:24:09 -07:00
\end { itemize}
2018-03-09 20:11:23 -08:00
} %sprout
2018-02-07 03:53:07 -08:00
\notsprout {
A \transaction also includes computationally sound \zkSNARK proofs, which prove
2018-03-11 05:34:06 -07:00
that all of the following hold except with insignificant probability:
2018-02-07 03:53:07 -08:00
For each \shieldedInput ,
\begin { itemize}
2018-02-26 01:44:19 -08:00
\item \saplingonward { there is a revealed \valueCommitment to the same value as
2018-02-07 03:53:07 -08:00
the input \note ;}
\item some revealed \noteCommitment exists for the input \note ;
\item the prover knew the \authProvingKey of the input \note ;
\item the \nullifier and \noteCommitment are computed correctly.
\end { itemize}
and for each \shieldedOutput ,
\begin { itemize}
2018-02-26 01:44:19 -08:00
\item \saplingonward { there is a revealed \valueCommitment to the same value as
2018-02-07 03:53:07 -08:00
the output \note ;}
\item the \noteCommitment is computed correctly;
\item the output \note is generated in such a way that it is infeasible to
cause its \nullifier to collide with the \nullifier of any other \note .
\end { itemize}
For \Sprout , the \joinSplitStatement also includes an explicit balance check.
For \Sapling , the \valueCommitments corresponding to the inputs and outputs are
checked to balance (together with any net \transparent input or output)
outside the \zkSNARK .
In addition, various measures (differing between \Sprout and \Sapling ) are
used to ensure that the \transaction cannot be modified by a party not authorized
to do so.
2018-03-09 20:11:23 -08:00
} %notsprout
2016-08-17 05:24:09 -07:00
2018-02-07 02:55:53 -08:00
Outside the \zkSNARK , it is \sprout { also} checked that the \nullifiers for the input
2016-08-17 05:24:09 -07:00
\notes had not already been revealed (i.e.\ they had not already been spent).
2018-02-07 03:53:07 -08:00
A \paymentAddress includes
\sprout { two public keys: a \payingKey matching that of \notes sent to the address, and}
a \transmissionKey for a key-private asymmetric encryption
2018-02-07 02:55:53 -08:00
scheme. \quotedterm { Key-private} means that ciphertexts do not reveal information
about which key they were encrypted to, except to a holder of the corresponding
2017-02-23 12:31:13 -08:00
private key, which in this context is called the \receivingKey . This facility is
2016-08-17 05:24:09 -07:00
used to communicate encrypted output \notes on the \blockchain to their
2017-02-23 12:31:13 -08:00
intended recipient, who can use the \receivingKey to scan the \blockchain for
2016-08-17 05:24:09 -07:00
\notes addressed to them and then decrypt those \notes .
The basis of the privacy properties of \Zcash is that when a \note is spent,
the spender only proves that some commitment for it had been revealed, without
revealing which one. This implies that a spent \note cannot be linked to the
2016-09-02 12:03:17 -07:00
\transaction in which it was created. That is, from an adversary's point of
view the set of possibilities for a given \note input to a \transaction
---its \noteTraceabilitySet --- includes \emph { all} previous notes that the
adversary does not control or know to have been spent. This contrasts with
2017-08-03 08:05:29 -07:00
other proposals for private payment systems, such as CoinJoin \cite { Bitc-CoinJoin}
2017-02-11 16:02:23 -08:00
or \CryptoNote \cite { vanS2014} , that are based on mixing of a limited number of
2016-09-02 12:03:17 -07:00
transactions and that therefore have smaller \noteTraceabilitySets .
2016-08-17 05:24:09 -07:00
2016-09-02 14:47:58 -07:00
The \nullifiers are necessary to prevent double-spending: each \note has exactly
one valid \nullifier, and so attempting to spend a \note twice would reveal the
same \nullifier twice, which would cause the second \transaction to be rejected
by the check (described above) that a \nullifier has not previously been revealed
on the \blockchain.
2016-02-25 10:32:18 -08:00
2018-03-16 08:58:23 -07:00
\introsection
2018-03-12 15:51:20 -07:00
\section { Notation}
2015-12-14 09:03:59 -08:00
2017-02-05 17:22:20 -08:00
$ \bit $ means the type of bit values, i.e.\ $ \setof { 0 , 1 } $ .
2016-03-06 19:38:00 -08:00
2018-02-26 01:44:19 -08:00
$ \byte $ means the type of byte values, i.e.\ $ \range { 0 } { 255 } $ .
2018-03-18 13:57:20 -07:00
$ \Nat $ means the type of nonnegative integers. $ \PosInt $ ~means
the type of positive integers. $ \Int $ ~means the type of integers.
$ \Rat $ ~means the type of rationals.
2016-09-18 17:57:28 -07:00
2017-02-05 17:22:20 -08:00
$ x \typecolon T $ is used to specify that $ x $ has type $ T $ .
2016-09-18 17:57:28 -07:00
A cartesian product type is denoted by $ S \times T $ , and a function type
2016-09-26 13:31:38 -07:00
by $ S \rightarrow T $ . An argument to a function can determine other argument
or result types.
The type of a randomized algorithm is denoted by $ S \rightarrowR T $ .
2016-09-18 17:57:28 -07:00
The domain of a randomized algorithm may be $ ( ) $ , indicating that it requires
2016-09-26 13:31:38 -07:00
no arguments. Given $ f \typecolon S \rightarrowR T $ and $ s \typecolon S $ ,
sampling a variable $ x \typecolon T $ from the output of $ f $ applied to $ s $
is denoted by $ x \leftarrowR f ( s ) $ .
2016-09-18 17:57:28 -07:00
Initial arguments to a function or randomized algorithm may be
written as subscripts, e.g.\ if $ x \typecolon X $ , $ y \typecolon Y $ , and
2016-09-22 09:04:52 -07:00
$ f \typecolon X \times Y \rightarrow Z $ , then an invocation of
$ f ( x, y ) $ can also be written $ f _ x ( y ) $ .
2016-09-18 17:57:28 -07:00
2018-02-10 03:30:37 -08:00
\notsprout {
$ \fun { x \typecolon T } { e _ x \typecolon U } $ means the function of type $ T \rightarrow U $
2018-03-16 08:58:23 -07:00
mapping formal parameter $ x $ to $ e _ x $ (an expression depending on~$ x $ ).
2018-02-10 03:30:37 -08:00
The types $ T $ and $ U $ are always explicit.
2018-03-06 14:29:14 -08:00
$ \powerset { T } $ means the powerset of $ T $ .
2018-02-10 03:30:37 -08:00
}
2017-02-05 17:22:20 -08:00
$ \typeexp { T } { \ell } $ , where $ T $ is a type and $ \ell $ is an integer,
2016-09-18 17:57:28 -07:00
means the type of sequences of length $ \ell $ with elements in $ T $ . For example,
2018-02-26 01:44:19 -08:00
$ \bitseq { \ell } $ means the set of sequences of $ \ell $ bits, and
2018-03-10 13:06:47 -08:00
$ \byteseq { k } $ means the set of sequences of $ k $ bytes.
2018-02-26 01:44:19 -08:00
$ \byteseqs $ means the type of byte sequences of arbitrary length.
2016-09-18 17:57:28 -07:00
2017-02-05 17:22:20 -08:00
$ \length ( S ) $ means the length of (number of elements in) $ S $ .
2017-01-19 18:36:58 -08:00
2017-02-05 17:22:20 -08:00
$ T \subseteq U $ indicates that $ T $ is an inclusive subset or subtype of $ U $ .
2016-09-18 17:57:28 -07:00
2018-02-12 05:05:23 -08:00
\notsprout {
$\setof{x \typecolon T \suchthat p(x)}$ means the subset of $T$ consisting of
those $x$ for which $p(x)$ holds.
}
$ S \union T $ means the set union of $ S $ and $ T $ , or the type corresponding
to it.
$ S \intersection T $ means the set intersection of $ S $ and $ T $ .
\notsprout {
$S \difference T$ means the set difference obtained by removing elements
in $T$ from $S$, i.e.\ $\setof{x \typecolon S \suchthat x \notin T}$.
}
2017-12-01 17:03:17 -08:00
2018-02-12 04:54:48 -08:00
$ \hexint { } $ followed by a string of $ \mathtt { monospace } $ hexadecimal
2016-09-18 17:57:28 -07:00
digits means the corresponding integer converted from hexadecimal.
2017-02-05 17:22:20 -08:00
$ \ascii { ... } $ means the given string represented as a
2016-03-29 19:28:01 -07:00
sequence of bytes in US-ASCII. For example, $ \ascii { abc } $ represents the
byte sequence $ [ \hexint { 61 } , \hexint { 62 } , \hexint { 63 } ] $ .
2017-02-05 17:23:09 -08:00
$ \zeros { \ell } $ means the sequence of $ \ell $ zero bits.
2018-02-26 01:44:19 -08:00
\notsprout { $ \ones { \ell } $ means the sequence of $ \ell $ one bits.}
2017-02-05 17:23:09 -08:00
2017-02-05 17:22:20 -08:00
$ a..b $ , used as a subscript, means the sequence of values
2016-08-09 13:54:50 -07:00
with indices $ a $ through $ b $ inclusive. For example,
2018-03-16 08:58:23 -07:00
$ \AuthPublicNew { \allNew } $ means the sequence
$ \vphantom { \mathsf { a _ a } } \smash { [ \AuthPublicNew { \mathrm { 1 } } , \AuthPublicNew { \mathrm { 2 } } , ... \, \AuthPublicNew { \NNew } ] } $ .
2016-08-14 12:42:14 -07:00
(For consistency with the notation in \cite { BCG+2014} and in \cite { BK2016} ,
2016-08-09 13:54:50 -07:00
this specification uses 1-based indexing and inclusive ranges,
2018-03-16 08:58:23 -07:00
\raisedstrut notwithstanding the compelling arguments to the contrary made in
2016-08-14 16:15:43 -07:00
\cite { EWD-831} .)
2016-02-25 09:12:28 -08:00
2017-02-05 17:22:20 -08:00
$ \range { a } { b } $ means the set or type of integers from $ a $ through
2016-09-03 19:46:42 -07:00
$ b $ inclusive.
2016-08-09 13:54:50 -07:00
2017-02-05 17:22:20 -08:00
$ \listcomp { f ( x ) \for x \from a \upto b } $ means the sequence
2016-08-17 05:28:08 -07:00
formed by evaluating $ f $ on each integer from $ a $ to $ b $ inclusive, in
2017-01-19 14:46:40 -08:00
ascending order. Similarly, $ \listcomp { f ( x ) \for x \from a \downto b } $ means
2016-08-17 05:28:08 -07:00
the sequence formed by evaluating $ f $ on each integer from $ a $ to $ b $
inclusive, in descending order.
2016-08-09 13:54:50 -07:00
2018-02-10 03:30:37 -08:00
$ a \bconcat b $ means the concatenation of sequences $ a $ then $ b $ .
2016-09-03 19:46:42 -07:00
2017-02-05 17:22:20 -08:00
$ \concatbits ( S ) $ means the sequence of bits obtained by
2016-08-09 13:54:50 -07:00
concatenating the elements of $ S $ viewed as bit sequences. If the
elements of $ S $ are byte sequences, they are converted to bit sequences
with the \emph { most significant} bit of each byte first.
2017-02-05 17:22:20 -08:00
$ \sorted ( S ) $ means the sequence formed by sorting the elements
2017-01-19 18:36:58 -08:00
of $ S $ .
2017-02-05 17:22:20 -08:00
$ \GF { n } $ means the finite field with $ n $ elements, and
2016-09-02 14:47:05 -07:00
$\GFstar{n}$ means its multiplicative group, i.e.\ the group formed by its
nonzero elements under multiplication.
2018-03-18 13:57:20 -07:00
Where there is a need to make the distinction, we denote the unique
representative of $ a \typecolon \GF { n } $ in the range $ \range { 0 } { n - 1 } $
(or the unique representative of $ a \typecolon \GFstar { n } $ in the range
$ \range { 1 } { n - 1 } $ ) as $ a \bmod n $ . Conversely, we denote the element
of $ \GF { n } $ corresponding to an integer $ k \typecolon \Int $
as $ k \pmod { n } $ . We also use the latter notation in the context of
an equality $ k = k' \pmod { n } $ as shorthand for $ k \bmod n = k' \bmod n $ ,
and similarly $ k \neq k' \pmod { n } $ as shorthand for $ k \bmod n \neq k' \bmod n $ .
(When referring to constants such as $ 0 $ and $ 1 $ it is usually not
necessary to make the distinction between field elements and their
representatives, since the meaning is normally clear from context.)
2016-09-02 14:47:05 -07:00
$\GF{n}[z]$ means the ring of polynomials in the indeterminate $z$ with
coefficients in $\GF{n}$.
2016-08-08 09:46:24 -07:00
2018-03-18 13:57:20 -07:00
$ a + b $ means the sum of $ a $ and $ b $ . This may refer to addition of
integers, rationals, finite field elements, or group elements
(see \crossref { abstractgroup} ) according to context.
$ - a $ means the value of the appropriate integer, rational,
finite field, or group type such that $ ( - a ) + a = 0 $
(or when $ a $ is an element of a group $ \GroupG { } $ , $ ( - a ) + a = \ZeroG { } $ ),
and $ a - b $ means $ a + ( - b ) $ .
2018-02-23 19:15:09 -08:00
$ a \mult b $ means the product of multiplying $ a $ and $ b $ .
2016-09-18 17:57:28 -07:00
This may refer to multiplication of integers, rationals, or
2018-03-18 13:57:20 -07:00
finite field elements according to context (this notation is not
used for group elements).
2016-09-18 17:57:28 -07:00
2018-03-18 13:57:20 -07:00
$a / b$ (also written $\hfrac{a}{b}$) means the value of the
appropriate integer, rational, or finite field type such that
$(a / b) \mult b = a$. This is defined only when such a value exists
and is unique; in particular, $b$ must be nonzero.
2016-09-18 17:57:28 -07:00
2017-02-05 17:22:20 -08:00
$ a \bmod q $ , for $ a \typecolon \Nat $ and $ q \typecolon \PosInt $ ,
2018-03-18 13:57:20 -07:00
means the remainder on dividing $ a $ by $ q $ . (This usage does not
conflict with the notation above for the unique representative of
a field element.)
2016-06-01 06:58:52 -07:00
2017-02-05 17:22:20 -08:00
$ a \xor b $ means the bitwise-exclusive-or of $ a $ and $ b $ ,
2017-01-19 18:36:58 -08:00
and $ a \band b $ means the bitwise-and of $ a $ and $ b $ . These are
2018-03-18 13:57:20 -07:00
defined on integers or (equal-length) bit sequences according to context.
2016-08-09 13:54:50 -07:00
2018-03-16 08:58:23 -07:00
$ \! \vsum { i = 1 } { \mathrm { N } } a _ i $ means the sum of $ a _ { \allN { } } $ .\;
2018-03-18 13:57:20 -07:00
$ \vproduct { i = 1 } { \mathrm { N } } a _ i $ means the product of $ a _ { \allN { } } $ .\;
2016-09-03 17:08:02 -07:00
$ \vxor { i = 1 } { \mathrm { N } } a _ i $ means the bitwise exclusive-or of $ a _ { \allN { } } $ .
2016-08-09 13:54:50 -07:00
2018-03-18 13:57:20 -07:00
When $ N = 0 $ these yield the appropriate neutral element, i.e.
\smash { $ \vsum { i = 1 } { 0 } a _ i = 0 $ , $ \vproduct { i = 1 } { 0 } a _ i = 1 $ , and
$ \vxor { i = 1 } { 0 } a _ i = 0 $ } or the all-zero bit sequence of the
appropriate length given by the type of $ a $ .
2018-01-30 16:52:59 -08:00
\notsprout {
$ b \bchoose x : y $ means $ x $ when $ b = 1 $ , or $ y $ when $ b = 0 $ .
}
2018-03-18 13:57:20 -07:00
$a^b$, for $a$ an integer or finite field element and
$b \typecolon \Int$, means the result of raising $a$ to the exponent $b$.
When $b < 0$ this involves $\hfrac{1}{a}$ and so requires $a \neq 0$
(and, for integer $a$, yields a rational). That is,
\begin { formulae}
\item $ a ^ b : = \begin { cases }
\sproduct { i=1} { b} \kern 0.15em a, & \caseif b \geq 0 \\ [1.5ex]
\sproduct { i=1} { -b} \kern 0.1em \hfrac { 1} { a} , & \caseotherwise .
\end { cases} $
\end { formulae}
The $ \scalarmult { k } { P } $ notation for scalar multiplication in a group is
defined in \crossref { abstractgroup} .
2016-09-26 09:03:42 -07:00
The binary relations $ < $ , $ \leq $ , $ = $ , $ \geq $ , and $ > $ have their conventional
meanings on integers and rationals, and are defined lexicographically on
sequences of integers.
2017-02-05 17:22:20 -08:00
$ \floor { x } $ means the largest integer $ \leq x $ .
2016-08-09 13:54:50 -07:00
$ \ceiling { x } $ means the smallest integer $ \geq x $ .
2017-02-05 17:22:20 -08:00
$ \bitlength ( x ) $ , for $ x \typecolon \Nat $ , means the smallest integer
2017-01-19 18:36:58 -08:00
$ \ell $ such that $ 2 ^ \ell > x $ .
2018-01-30 16:58:58 -08:00
The symbol $ \bot $ is used to indicate unavailable information, or a failed
decryption or validity check.
2016-03-03 06:01:39 -08:00
2016-06-01 06:58:52 -07:00
The following integer constants will be instantiated in \crossref { constants} :
2018-02-26 01:44:19 -08:00
\notsprout { \begin { formulae} \item }
$ \MerkleDepthSprout $ , \sapling { $ \MerkleDepthSapling $ ,}
$ \NOld $ , $ \NNew $ , $ \MerkleHashLengthSprout $ , \sapling { $ \MerkleHashLengthSapling $ ,}
2018-03-11 00:40:49 -08:00
$ \hSigLength $ , $ \PRFOutputLength $ , $ \NoteCommitRandLength $ ,
2018-03-18 14:43:57 -07:00
\changed { $ \RandomSeedLength $ ,} $ \AuthPrivateLength $ , \changed { $ \NoteAddressPreRandLength $ ,}
\sapling { $ \SpendingKeyLength $ , $ \DiversifierLength $ , $ \InViewingKeyLength $ ,}
$ \MAXMONEY $ , $ \SlowStartInterval $ , $ \HalvingInterval $ ,
2018-02-26 01:44:19 -08:00
$ \MaxBlockSubsidy $ , $ \NumFounderAddresses $ , $ \PoWAveragingWindow $ , $ \PoWLimit $ ,
$ \PoWMedianBlockSpan $ , $ \PoWDampingFactor $ , $ \PoWTargetSpacing $ .
\notsprout { \end { formulae} }
2018-02-07 03:53:07 -08:00
\sprout { The bit sequence constant $ \UncommittedSprout \typecolon \bitseq { \MerkleHashLengthSprout } $ ,}
\notsprout { The bit sequence constants $ \UncommittedSprout \typecolon \bitseq { \MerkleHashLengthSprout } $
and $ \UncommittedSapling \typecolon \bitseq { \MerkleHashLengthSapling } $ ,}
and rational constants $ \FoundersFraction $ , $ \PoWMaxAdjustDown $ , and
2017-01-19 18:36:58 -08:00
$ \PoWMaxAdjustUp $ will also be defined in that section.
2016-06-01 06:58:52 -07:00
2016-02-25 10:32:18 -08:00
2018-03-16 08:58:23 -07:00
\intropart
2018-03-12 15:51:20 -07:00
\section { Concepts}
2016-02-25 10:32:18 -08:00
2018-03-12 15:51:20 -07:00
\subsection { Payment Addresses and Keys} \label { addressesandkeys}
2015-12-14 09:03:59 -08:00
2017-02-23 12:05:10 -08:00
Users who wish to receive payments under this scheme first generate a
2018-01-25 03:16:21 -08:00
random \spendingKey \sprout{$\AuthPrivate$}. The \spendingKey must be sampled
uniformly at random using a cryptographically secure source of randomness, and
must be kept secret: anyone who learns it can spend the \notes sent to the
corresponding \paymentAddress.
2018-01-30 16:52:59 -08:00
\notsprout { In \Sprout this is called $ \AuthPrivate $ \sapling { and in \Sapling it is
2018-03-11 00:40:49 -08:00
called $ \SpendingKey $ } .}
2016-01-28 16:10:30 -08:00
2018-02-07 02:55:53 -08:00
\introlist
2018-01-25 03:16:21 -08:00
The following diagram depicts the relations between key
components\notsprout { in \Sprout } \sapling { and \Sapling } .
2016-02-16 17:57:21 -08:00
Arrows point from a component to any other component(s) that can be derived
2016-04-03 20:04:07 -07:00
from it.
2016-02-16 12:07:31 -08:00
\begin { center}
2018-03-16 08:58:23 -07:00
\sprout { \includegraphics [scale=.7,interpolate] { key_ components} }
\sapling { \includegraphics [scale=.5,interpolate] { key_ components_ sapling} }
2016-02-16 12:07:31 -08:00
\end { center}
2018-03-06 14:16:55 -08:00
\sproutspecific {
2018-01-25 03:16:21 -08:00
The \receivingKey $ \TransmitPrivate $ , the \incomingViewingKey
$ \InViewingKey = ( \AuthPublic , \TransmitPrivate ) $ , and the \paymentAddress
$ \PaymentAddress = ( \AuthPublic , \TransmitPublic ) $ are derived from
2018-02-07 03:53:07 -08:00
$ \AuthPrivate $ , as described in \crossref { sproutkeycomponents} .
2018-03-09 20:11:23 -08:00
} %sproutspecific
2017-12-01 18:04:39 -08:00
2018-02-26 01:44:19 -08:00
\saplingonward {
2018-01-25 03:16:21 -08:00
The \authSigningKey $ \AuthSignPrivate $ ,
2018-02-07 03:53:07 -08:00
the \authProvingKey $ ( \AuthSignPublic , \AuthProvePrivate ) $ ,
the \fullViewingKey $ ( \AuthSignPublic , \AuthProvePublic ) $ ,
2018-01-25 03:16:21 -08:00
the \incomingViewingKey $ \InViewingKey $ , and
each \diversifiedPaymentAddress $ \DiversifiedPaymentAddress = ( \Diversifier , \DiversifiedTransmitPublic ) $
2018-03-11 00:40:49 -08:00
are derived from $ \SpendingKey $ , as described in \crossref { saplingkeycomponents} .
2018-03-09 20:11:23 -08:00
} %saplingonward
2017-12-16 16:08:57 -08:00
2018-01-25 03:16:21 -08:00
The composition of \paymentAddresses , \changed { \incomingViewingKeys ,}
\sapling { \fullViewingKeys ,} and \spendingKeys is a cryptographic protocol
detail that should not normally be exposed to users. However, user-visible
2018-02-07 03:53:07 -08:00
operations should be provided to obtain a
\paymentAddress \changed { or \incomingViewingKey } \sapling { or \fullViewingKey }
from a \spendingKey .
2015-12-17 08:34:46 -08:00
2016-04-18 10:31:22 -07:00
Users can accept payment from multiple parties with a single \paymentAddress
2018-01-25 03:16:21 -08:00
and the fact that these payments are destined to
2016-08-08 09:06:52 -07:00
the same payee is not revealed on the \blockchain , even to the
2016-01-28 16:10:30 -08:00
paying parties. \emph{However}, if two parties collude to compare a
2016-04-18 10:31:22 -07:00
\paymentAddress they can trivially determine they are the same. In the
2016-01-28 16:10:30 -08:00
case that a payee wishes to prevent this they should create a distinct
2016-02-16 12:07:31 -08:00
\paymentAddress for each payer.
2018-01-25 03:16:21 -08:00
2018-02-26 01:44:19 -08:00
\saplingonward {
2018-01-25 03:16:21 -08:00
\Sapling provides a mechanism to allow the efficient creation of
\diversifiedPaymentAddresses with the same spending authority. A group of
such addresses shares the same \fullViewingKey and \incomingViewingKey , and
so creating as many unlinkable addresses as needed does not increase the cost
of scanning the \blockchain for relevant \transactions .
2018-03-09 20:11:23 -08:00
} %saplingonward
2015-12-14 09:03:59 -08:00
2016-09-03 19:55:09 -07:00
\pnote {
2016-04-18 10:31:22 -07:00
It is conventional in cryptography to refer to the key used to encrypt
2018-02-07 02:55:53 -08:00
a message in an asymmetric encryption scheme as the \quotedterm { public key} .
2018-01-25 03:16:21 -08:00
However, the public key used as the \transmissionKey component of an address
($\TransmitPublic$ \sapling{or $\DiversifiedTransmitPublic$}) need not be
publicly distributed; it has the same distribution as the \paymentAddress itself.
As mentioned above, limiting the distribution of the \paymentAddress is important
for some use cases. This also helps to reduce reliance of the overall protocol
on the security of the cryptosystem used for \note encryption
(see \crossref{inband}), since an adversary would have to know
2018-01-30 16:58:58 -08:00
$ \TransmitPublic $ \sapling { or some $ \DiversifiedTransmitPublic $ } in order to
2018-01-25 03:16:21 -08:00
exploit a hypothetical weakness in that cryptosystem. This mitigation is only as
strong as the secrecy of the \paymentAddress: since the \transmissionKey has the
same distribution as the address, a widely distributed \paymentAddress exposes
its \transmissionKey equally widely.
2016-09-03 19:55:09 -07:00
}
2016-04-18 10:31:22 -07:00
2017-02-24 22:25:53 -08:00
\introsection
2018-03-12 15:51:20 -07:00
\subsection { \Notes } \label { notes}
2017-12-01 18:04:39 -08:00
2018-02-07 03:53:07 -08:00
\sprout {
2016-03-28 18:28:07 -07:00
A \note (denoted $ \NoteTuple { } $ ) is a tuple $ \changed { ( \AuthPublic , \Value ,
2016-09-02 11:55:51 -07:00
\NoteAddressRand , \NoteCommitRand )} $ . It represents that a value $ \Value $ is
2016-02-27 12:38:58 -08:00
spendable by the recipient who holds the \spendingKey $ \AuthPrivate $ corresponding
to $ \AuthPublic $ , as described in the previous section.
2018-03-09 20:11:23 -08:00
} %sprout
2018-02-07 03:53:07 -08:00
\notsprout {
A \note (denoted $ \NoteTuple { } $ ) can be a \Sprout \note \sapling { or a
\Sapling \note } . In either case it represents that a value $ \Value $ is
spendable by the recipient who holds the \spendingKey corresponding
to a given \paymentAddress .
2018-03-09 20:11:23 -08:00
} %notsprout
2016-05-20 16:06:15 -07:00
2018-03-16 08:58:23 -07:00
\introlist
2018-02-07 04:04:10 -08:00
A \SproutOrNothing \note is a tuple $ \changed { ( \AuthPublic ,
2018-02-07 03:53:07 -08:00
\Value , \NoteAddressRand , \NoteCommitRand )} $ , where:
2016-02-25 11:43:03 -08:00
\begin { itemize}
2018-02-07 02:55:53 -08:00
\item $ \AuthPublic \typecolon \PRFOutput $ is the \payingKey of the
recipient's \paymentAddress ;
2016-09-03 17:08:02 -07:00
\item $ \Value \typecolon \range { 0 } { \MAXMONEY } $ is an integer
representing the value of the \note in \zatoshi
($ 1 $ \ZEC = $ 10 ^ 8 $ \zatoshi );
\item $ \NoteAddressRand \typecolon \PRFOutput $
is used as input to $ \PRFnf { \AuthPrivate } $ to derive the
\nullifier of the \note ;
2018-02-07 03:53:07 -08:00
\item $ \NoteCommitRand \typecolon \NoteCommitSproutTrapdoor $
2018-02-26 01:44:19 -08:00
is a random \commitmentTrapdoor as defined in \crossref { abstractcommit} .
2016-02-25 11:43:03 -08:00
\end { itemize}
2016-02-07 14:37:36 -08:00
2018-03-16 08:58:23 -07:00
\introlist
2018-03-06 14:16:55 -08:00
Let $ \NoteTypeSprout $ be the type of a \SproutOrNothing \note , i.e.
\begin { formulae}
\item $ \NoteTypeSprout : = \changed { \PRFOutput \times \range { 0 } { \MAXMONEY } \times \PRFOutput
\times \NoteCommitSproutTrapdoor } $ .
\end { formulae}
2018-02-07 03:53:07 -08:00
\sapling {
\vspace { 2ex}
2018-03-16 08:58:23 -07:00
\introlist
2018-02-07 03:53:07 -08:00
A \Sapling \note is a tuple $ ( \Diversifier , \DiversifiedTransmitPublic ,
2018-02-26 01:44:19 -08:00
\Value , \NoteCommitRand )$ , where:
2018-02-07 03:53:07 -08:00
\begin { itemize}
2018-02-26 01:44:19 -08:00
\item $ \Diversifier \typecolon \DiversifierType $
2018-02-07 03:53:07 -08:00
is the \diversifier of the recipient's \paymentAddress ;
2018-03-18 14:43:57 -07:00
\item $ \DiversifiedTransmitPublic \typecolon \GroupJ $
2018-02-07 03:53:07 -08:00
is the \diversifiedTransmissionKey of the recipient's \paymentAddress ;
\item $ \Value \typecolon \range { 0 } { \MAXMONEY } $ is an integer
representing the value of the \note in \zatoshi ;
\item $ \NoteCommitRand \typecolon \NoteCommitSaplingTrapdoor $
2018-02-26 01:44:19 -08:00
is a random \commitmentTrapdoor as defined in \crossref { abstractcommit} .
2018-02-07 03:53:07 -08:00
\end { itemize}
2018-03-16 08:58:23 -07:00
\introlist
2018-03-06 14:16:55 -08:00
Let $ \NoteTypeSapling $ be the type of a \Sapling \note , i.e.
\begin { formulae}
2018-03-18 14:43:57 -07:00
\item $ \NoteTypeSapling : = \DiversifierType \times \GroupJ \times \range { 0 } { \MAXMONEY }
\times \NoteCommitSaplingTrapdoor $ .
2018-03-06 14:16:55 -08:00
\end { formulae}
2018-03-09 20:11:23 -08:00
} %sapling
2015-12-14 09:03:59 -08:00
2016-09-03 20:26:04 -07:00
Creation of new \notes is described in \crossref { send} . When \notes are sent,
2018-02-26 01:44:19 -08:00
only a commitment (see \crossref{abstractcommit}) to the above values is disclosed
publicly, and added to a data structure called the \noteCommitmentTree.
This allows the value and recipient to be kept private, while the commitment is
used by the \zeroKnowledgeProof when the \note is spent, to check that it exists
on the \blockchain.
2015-12-14 09:03:59 -08:00
2018-02-07 03:53:07 -08:00
\vspace { 2ex}
2018-03-16 08:58:23 -07:00
\introlist
A \SproutOrNothing { } \noteCommitment on a \note
2018-03-11 14:29:49 -07:00
$ \NoteTuple { } = \changed { ( \AuthPublic , \Value , \NoteAddressRand , \NoteCommitRand ) } $ is computed as
2018-03-16 08:58:23 -07:00
2018-02-07 03:53:07 -08:00
\begin { formulae}
\item $ \NoteCommitmentSprout ( \NoteTuple { } ) =
\NoteCommitSprout { \NoteCommitRand } (\AuthPublic , \Value , \NoteAddressRand )$ ,
\end { formulae}
\vspace { -1.5ex}
2018-02-26 01:44:19 -08:00
where $ \NoteCommitSprout { } $ is instantiated in \crossref { concretesproutcommit} .
2018-02-07 03:53:07 -08:00
2018-03-16 08:58:23 -07:00
2018-02-07 03:53:07 -08:00
\sapling {
\vspace { 2ex}
2018-03-16 08:58:23 -07:00
\introlist
2018-03-18 13:33:07 -07:00
Let $ \DiversifyHash $ be as defined in \crossref { concretediversifyhash} .
2018-02-26 01:44:19 -08:00
2018-03-16 08:58:23 -07:00
A \Sapling { } \noteCommitment on a \note
2018-03-11 14:29:49 -07:00
$ \NoteTuple { } = ( \Diversifier , \DiversifiedTransmitPublic , \Value , \NoteCommitRand ) $ is computed as
2018-03-06 14:16:55 -08:00
\begin { formulae}
2018-03-18 13:33:07 -07:00
\item $ \DiversifiedTransmitBase : = \DiversifyHash ( \Diversifier ) $
2018-03-11 14:29:49 -07:00
\item $ \NoteCommitmentSapling ( \NoteTuple { } ) : = \begin { cases }
\bot , & \caseif \DiversifiedTransmitBase = \bot \\
2018-03-18 13:33:07 -07:00
\NoteCommitSapling { \NoteCommitRand } (\reprJOf { \DiversifiedTransmitBase } ,
\reprJOf { \DiversifiedTransmitPublic } ,
\Value ), & \caseotherwise .
2018-03-11 14:29:49 -07:00
\end { cases} $
2018-03-06 14:16:55 -08:00
\end { formulae}
\vspace { -1.5ex}
2018-02-26 01:44:19 -08:00
where $ \NoteCommitSapling { } $ is instantiated in \crossref { concretewindowedcommit} .
Notice that the above definition of a \Sapling \note does not have a
$\NoteAddressRand$ field. There is in fact a $\NoteAddressRand$ value associated
with each \Sapling \note, but it can only be computed once the \note's position in the
\noteCommitmentTree is known (see \crossref{blockchain} and \crossref{transactions}).
We refer to the combination of a \note and its \notePosition $\NotePosition$ as a
\positionedNote.
For a \positionedNote, we can compute the value
2018-03-18 14:43:57 -07:00
$ \NoteAddressRand \typecolon \bitseq { \PRFOutputLengthSapling } $ ; see
\crossref { commitmentsandnullifiers} .
2018-03-09 20:11:23 -08:00
} %sapling
2015-12-14 09:03:59 -08:00
2018-02-07 03:53:07 -08:00
\vspace { 2ex}
2018-02-26 01:44:19 -08:00
A \nullifier (denoted $ \nf $ ) is derived from the $ \NoteAddressRand $ value
2018-02-07 03:53:07 -08:00
of a \note and the recipient's
2018-03-18 13:57:20 -07:00
\spendingKey $ \AuthPrivate $ \sapling { or \nullifierKey $ \AuthProvePublic $ } .
This computation uses a \pseudoRandomFunction (see \crossref { abstractprfs} ),
as described in \crossref { commitmentsandnullifiers} .
2018-02-07 03:53:07 -08:00
2018-03-18 16:54:36 -07:00
A \note is spent by proving knowledge of
$ ( \NoteAddressRand , \AuthPrivate ) $ \sapling { or $ ( \NoteAddressRand , \AuthSignPublic , \AuthProvePrivate ) $ }
2018-02-07 03:53:07 -08:00
in zero knowledge while publicly disclosing its \nullifier $\nf$,
2018-03-18 13:57:20 -07:00
allowing $ \nf $ to be used to prevent double-spending. \sapling { In the case
of \Sapling , a \spendAuthSignature is also required, in order to demonstrate
knowledge of $ \AuthSignPrivate $ .}
2015-12-14 09:03:59 -08:00
2018-02-23 19:15:09 -08:00
2018-03-12 15:51:20 -07:00
\subsubsection { \NotePlaintexts { } and \Memos } \label { noteptconcept}
2016-02-25 11:43:03 -08:00
2016-08-08 09:06:52 -07:00
Transmitted \notes are stored on the \blockchain in encrypted form, together with
2016-03-28 18:28:07 -07:00
a \noteCommitment $ \cm $ .
2016-02-25 11:43:03 -08:00
2016-05-20 15:29:21 -07:00
The \notePlaintexts in a \joinSplitDescription are encrypted to the
2018-02-07 03:53:07 -08:00
respective \transmissionKeys $ \TransmitPublicNew { \allNew } $ .
Each \notsprout { \Sprout } \notePlaintext (denoted $ \NotePlaintext { } $ ) consists of
$ ( \Value , \NoteAddressRand , \NoteCommitRand \changed { , \Memo } ) $ .
2016-02-25 11:43:03 -08:00
2018-02-26 01:44:19 -08:00
\saplingonward {
2018-02-07 03:53:07 -08:00
The \notePlaintext in each \outputDescription is encrypted to the
\diversifiedTransmissionKey $ \DiversifiedTransmitPublic $ .
Each \Sapling \notePlaintext (denoted $ \NotePlaintext { } $ ) consists of
2018-02-26 01:44:19 -08:00
$ ( \Diversifier , \Value , \NoteCommitRand , \Memo ) $ .
2018-03-09 20:11:23 -08:00
} %saplingonward
2017-12-01 18:04:39 -08:00
2016-03-29 19:47:57 -07:00
\changed {
2016-05-20 16:06:15 -07:00
$ \Memo $ represents a \memo associated with this \note . The usage of the
\memo is by agreement between the sender and recipient of the \note .
2016-03-29 19:47:57 -07:00
}
2016-03-05 10:37:40 -08:00
2018-02-07 03:53:07 -08:00
Other fields are as defined in \crossref { notes} .
2018-03-18 13:57:20 -07:00
Encodings are given in \crossref { notept} .
2018-02-07 03:53:07 -08:00
The result of encryption forms part of a \notesCiphertext (see \crossref { inband}
for further details).
2016-03-05 10:37:40 -08:00
2018-03-12 15:51:20 -07:00
\subsection { The Block Chain} \label { blockchain}
2016-08-08 12:01:34 -07:00
2018-02-07 03:05:39 -08:00
At a given point in time, each \fullValidator is aware of a set of candidate
2017-02-03 20:24:45 -08:00
\blocks . These form a tree rooted at the \genesisBlock , where each node
in the tree refers to its parent via the $ \hashPrevBlock $ \blockHeader field
(see \crossref { blockheader} ).
A path from the root toward the leaves of the tree consisting of a sequence
2018-02-07 02:55:53 -08:00
of one or more valid \blocks consistent with consensus rules, is called a
\validBlockchain.
2016-08-08 12:01:34 -07:00
2017-02-03 20:24:45 -08:00
Each \block in a \blockchain has a \blockHeight . The \blockHeight of the
2018-03-16 08:58:23 -07:00
\genesisBlock is $ 0 $ , and the \blockHeight of each subsequent \block in the
\blockchain increments by $ 1 $ .
2017-01-19 18:35:11 -08:00
2018-02-07 02:55:53 -08:00
In order to choose the \bestValidBlockchain in its view of the
overall \block tree, a node sums the work, as defined in \crossref { workdef} , of
2018-02-26 01:44:19 -08:00
all \blocks in each chain, and considers the \validBlockchain with greatest
total work to be best. To break ties between leaf \blocks , a node will prefer the
2017-02-03 20:27:42 -08:00
\block that it received first.
2017-02-03 20:24:45 -08:00
The consensus protocol is designed to ensure that for any given \blockHeight ,
2018-02-07 02:55:53 -08:00
the vast majority of nodes should eventually agree on their \bestValidBlockchain
up to that height.
2017-02-03 20:24:45 -08:00
2018-03-12 15:51:20 -07:00
\subsection { Transactions and Treestates} \label { transactions}
2017-02-03 20:24:45 -08:00
Each \block contains one or more \transactions .
2016-09-02 14:49:27 -07:00
Inputs to a \transaction insert value into a \transparentValuePool , and outputs
2016-08-08 12:01:34 -07:00
remove value from this pool. As in \Bitcoin , the remaining value in the pool is
available to miners as a fee.
2017-02-03 20:24:45 -08:00
\vspace { -3ex}
\consensusrule {
2017-02-05 17:23:36 -08:00
The remaining value in the \transparentValuePool { } \MUST be nonnegative.
2017-02-03 20:24:45 -08:00
}
\vspace { 2ex}
2018-02-07 03:53:07 -08:00
\sprout { To each \transaction there is associated an initial \treestate .}
\notsprout { To each \transaction there are associated initial \treestates
2018-02-26 01:44:19 -08:00
for \Sprout \sapling { and for \Sapling } .}
2017-12-01 18:04:39 -08:00
2018-03-06 14:16:55 -08:00
\introlist
2018-02-26 01:44:19 -08:00
\sprout { A} \sapling { Each} \treestate consists of:
2018-03-06 14:16:55 -08:00
2017-12-01 18:04:39 -08:00
\begin { itemize}
\item a \noteCommitmentTree (\crossref { merkletree} );
2018-02-07 03:53:07 -08:00
\item a \nullifierSet (\crossref { nullifierset} ).
2017-12-01 18:04:39 -08:00
\end { itemize}
2018-02-07 03:53:07 -08:00
Validation state associated with \transparentTransfers , such as the UTXO
(Unspent Transaction Output) set, is not described in this document; it is
used in essentially the same way as in \Bitcoin .
An \anchor is a Merkle tree root of a \noteCommitmentTree \sapling{(either the
\Sprout tree or the \Sapling tree)}. It uniquely identifies a \noteCommitmentTree
state, assuming the \collisionResistance of the Merkle tree's \hashFunction
(see \crossref{abstracthashes}). Since the \nullifierSet is always updated together with the
\noteCommitmentTree, this also identifies a particular state of the associated
2018-02-26 01:44:19 -08:00
\nullifierSet .
2016-08-08 12:01:34 -07:00
2017-01-19 18:24:49 -08:00
\introlist
2018-02-07 03:53:07 -08:00
In a given \blockchain , \sapling { for each of \Sprout and \Sapling ,}
\treestates are chained as follows:
2016-08-08 12:01:34 -07:00
\begin { itemize}
\item The input \treestate of the first \block is the empty \treestate .
\item The input \treestate of the first \transaction of a \block is the final
\treestate of the immediately preceding \block .
\item The input \treestate of each subsequent \transaction in a \block is the
output \treestate of the immediately preceding \transaction .
\item The final \treestate of a \block is the output \treestate of its last
\transaction .
\end { itemize}
2018-02-07 03:53:07 -08:00
\joinSplitDescriptions also have interstitial input and output
\treestates \notsprout { for \Sprout } , explained in the following section.
\sapling { There is no equivalent of interstitial \treestates for \Sapling .}
2016-08-08 12:01:34 -07:00
2018-03-12 15:51:20 -07:00
\subsection { \JoinSplitTransfers { } and Descriptions} \label { joinsplit}
2016-06-21 16:00:54 -07:00
A \joinSplitDescription is data included in a \transaction that describes a \joinSplitTransfer ,
2018-02-07 03:53:07 -08:00
i.e.\ a \shielded value transfer.
\sprout { This kind of value transfer is}
\notsprout { In \Sprout , this kind of value transfer was}
the primary \Zcash -specific operation performed by \transactions .
2016-06-21 16:00:54 -07:00
2016-09-03 17:08:02 -07:00
A \joinSplitTransfer spends $ \NOld $ \notes $ \nOld { \allOld } $ and \transparent input
$ \vpubOld $ , and creates $ \NNew $ \notes $ \nNew { \allNew } $ and \transparent output
2016-06-21 16:00:54 -07:00
$ \vpubNew $ .
2018-02-07 03:53:07 -08:00
It is associated with an instance of a \joinSplitStatement (\crossref { joinsplitstatement} ),
2018-03-11 10:27:43 -07:00
for which it provides a \zkSNARKProof { } .
2016-06-21 16:00:54 -07:00
2018-03-11 10:27:43 -07:00
Each \transaction has a \sequenceOfJoinSplitDescriptions { } .
2016-08-08 12:01:34 -07:00
The \changed { total $ \vpubNew $ value adds to, and the total} $ \vpubOld $
2016-09-02 14:49:27 -07:00
value subtracts from the \transparentValuePool of the containing \transaction .
2016-08-08 12:01:34 -07:00
2017-02-11 21:52:59 -08:00
The \anchor of each \joinSplitDescription in a \transaction { } refers to a
2018-03-18 13:57:20 -07:00
\SproutOrNothing \treestate .
For each of the $ \NOld $ \shieldedInputs , a \nullifier is revealed. This allows
detection of double-spends as described in \crossref { nullifierset} .
2017-02-11 21:52:59 -08:00
\changed {
For each \joinSplitDescription in a \transaction , an interstitial output \treestate is
constructed which adds the \noteCommitments and \nullifiers specified in that
\joinSplitDescription to the input \treestate referred to by its \anchor .
This interstitial output \treestate is available for use as the \anchor of subsequent
\joinSplitDescriptions in the same \transaction .
Interstitial \treestates are necessary because when a \transaction is constructed,
it is not known where it will eventually appear in a mined \block . Therefore the
\anchors that it uses must be independent of its eventual position.
}
2017-02-03 20:24:45 -08:00
\begin { consensusrules}
\item The input and output values of each \joinSplitTransfer { } \MUST balance
exactly.
2018-03-18 13:57:20 -07:00
\item For the first \joinSplitDescription of a \transaction , the \anchor \MUST
be the output \SproutOrNothing \treestate of a previous \block .
2016-08-08 12:01:34 -07:00
\changed {
2017-02-03 20:24:45 -08:00
\item The \anchor of each \joinSplitDescription in a \transaction { } \MUST refer
2018-02-07 03:53:07 -08:00
to either some earlier \block 's final \SproutOrNothing \treestate , or to
the interstitial output \treestate of any prior \joinSplitDescription in
the same \transaction .
2016-08-08 12:01:34 -07:00
}
2017-02-03 20:24:45 -08:00
\end { consensusrules}
2016-08-08 12:01:34 -07:00
2018-02-07 03:53:07 -08:00
\sapling {
2018-03-12 15:51:20 -07:00
\subsection { \SpendTransfers , \OutputTransfers , and their Descriptions} \label { spendsandoutputs}
2018-02-07 03:53:07 -08:00
\joinSplitTransfers are not used for \Sapling \notes . Instead, there is a
separate \spendTransfer for each \shieldedInput , and a separate \outputTransfer
for each \shieldedOutput .
\spendDescriptions and \outputDescriptions are data included in a \transaction
that describe \spendTransfers and \outputTransfers, respectively.
A \spendTransfer spends a \note $ \nOld { } $ . Its \spendDescription includes a
\xPedersenValueCommitment to the value of the \note .
It is associated with an instance of a \spendStatement (\crossref { spendstatement} )
2018-03-11 10:27:43 -07:00
for which it provides a \zkSNARKProof { } .
2018-02-07 03:53:07 -08:00
An \outputTransfer creates a \note $ \nNew { } $ . Similarly, its \outputDescription
includes a \xPedersenValueCommitment to the \note value.
It is associated with an instance of an \outputStatement (\crossref { outputstatement} )
2018-03-11 10:27:43 -07:00
for which it provides a \zkSNARKProof { } .
2018-02-07 03:53:07 -08:00
Each \transaction has a sequence of \spendDescriptions and a sequence of
\outputDescriptions .
To ensure balance, we use a homomorphic property of \xPedersenCommitments that
2018-03-06 14:16:55 -08:00
allows them to be added and subtracted, as elliptic curve points. The result
2018-02-07 03:53:07 -08:00
of adding two \xPedersenValueCommitments , committing to values $ \Value _ 1 $ and
$ \Value _ 2 $ , is a new \xPedersenValueCommitment that commits to $ \Value _ 1 + \Value _ 2 $ .
Subtraction works similarly.
Therefore, balance can be enforced by adding all of the \valueCommitments for
\shieldedInputs , subtracting all of the \valueCommitments for \shieldedOutputs ,
and checking that the result commits to a value consistent with the net \transparent
value change (see \crossref { saplingbalance} for a full specification).
This approach allows all of the \zkSNARK statements to be independent of
each other, potentially increasing opportunities for precomputation.
2018-03-18 13:57:20 -07:00
A \spendDescription includes an \anchor , which refers to the output
\Sapling \treestate of a previous \block . It also reveals a \nullifier ,
which allows detection of double-spends as described in \crossref { nullifierset} .
2018-02-07 03:53:07 -08:00
\pnote {
Interstitial \treestates are not necessary for \Sapling , because a \spendTransfer
in a given \transaction cannot spend any of the \shieldedOutputs of the same
\transaction . This is not an onerous restriction because, unlike \Sprout where
each \joinSplitTransfer must balance individually, in \Sapling it is only necessary
for the whole \transaction to balance.
}
\begin { consensusrules}
\item The \transaction { } \MUST balance as specified in \crossref { saplingbalance} .
\item The \anchor of each \spendDescription in a \transaction { } \MUST refer
to some earlier \block 's final \Sapling \treestate .
\end { consensusrules}
2018-03-09 20:11:23 -08:00
} %sapling
2018-02-07 03:53:07 -08:00
2018-03-12 15:51:20 -07:00
\subsection { \NoteCommitmentTrees } \label { merkletree}
2015-12-14 09:03:59 -08:00
\begin { center}
2018-03-16 08:58:23 -07:00
\includegraphics [scale=.4,interpolate] { incremental_ merkle}
2015-12-14 09:03:59 -08:00
\end { center}
2018-03-11 14:29:49 -07:00
\sapling { \todo { The commitment indices in the above diagram should be zero-based to reflect the \notePosition { } .} }
2018-02-07 03:53:07 -08:00
The \noteCommitmentTree is an \incrementalMerkleTree of fixed depth used to store
\noteCommitments that \joinSplitTransfers \sapling { and \spendTransfers } produce.
Like the \term{unspent transaction output set} (UTXO set) used in \Bitcoin,
it is used to express the existence of value and the capability to spend it.
However, unlike the UTXO set, it is \emph{not} the job of this tree to protect
against double-spending, as it is append-only; that is the role of the
\nullifierSet (\crossref{nullifierset}).
2015-12-14 09:03:59 -08:00
2017-02-11 21:52:59 -08:00
A \merkleRoot of this tree is associated with each \treestate , as described in
\crossref { transactions} .
2015-12-14 09:03:59 -08:00
2016-06-01 06:58:52 -07:00
Each \merkleNode in the \incrementalMerkleTree is associated with a \merkleHash of
2018-02-07 03:53:07 -08:00
size $ \MerkleHashLengthSprout $ \sapling { or $ \MerkleHashLengthSapling $ } bits.
2016-04-08 12:45:53 -07:00
The \merkleLayer numbered $ h $ , counting from \merkleLayer $ 0 $ at the \merkleRoot , has
2016-08-08 09:06:52 -07:00
$ 2 ^ h $ \merkleNodes with \merkleIndices $ 0 $ to $ 2 ^ h - 1 $ inclusive.
The \merkleHash associated with the \merkleNode at \merkleIndex $ i $ in \merkleLayer $ h $
is denoted $ \MerkleNode { h } { i } $ .
2016-04-08 12:45:53 -07:00
2018-03-12 15:51:20 -07:00
\subsection { \NullifierSets } \label { nullifierset}
2015-12-14 09:03:59 -08:00
2018-02-07 03:05:39 -08:00
Each \fullValidator maintains a \nullifierSet logically associated with each \treestate .
2018-02-07 03:53:07 -08:00
As valid \transactions containing \joinSplitTransfers \sapling { or \spendTransfers } are
processed, the \nullifiers revealed in \joinSplitDescriptions \sapling { and \spendDescriptions }
2018-02-26 01:44:19 -08:00
are inserted into the \nullifierSet associated with the new \treestate .
2015-12-14 09:03:59 -08:00
2018-02-07 02:55:53 -08:00
\xNullifiers are enforced to be unique within a \validBlockchain , in order to
2017-03-04 15:25:28 -08:00
prevent double-spends.
\consensusrule {
A \nullifier { } \MUSTNOT repeat either within a \transaction , or across
2018-02-07 02:55:53 -08:00
\transactions in a \validBlockchain .
2017-03-04 15:25:28 -08:00
}
2015-12-14 09:03:59 -08:00
2017-12-01 18:04:39 -08:00
\sapling { \pnote {
\Sprout and \Sapling \nullifiers are considered disjoint, even if they have
the same bit pattern, because the \Sprout and \Sapling \treestates each have
their own \nullifierSet (\crossref{transactions}).
2017-12-01 18:04:39 -08:00
} }
2016-05-20 15:52:29 -07:00
2018-03-12 15:51:20 -07:00
\subsection { Block Subsidy and Founders' Reward} \label { subsidyconcepts}
2016-06-21 14:46:00 -07:00
2016-09-18 18:46:11 -07:00
Like \Bitcoin , \Zcash creates currency when \blocks are mined. The value created on
mining a \block is called the \blockSubsidy . It is composed of a \minerSubsidy and a
\foundersReward . As in \Bitcoin , the miner of a \block also receives \transactionFees .
2016-06-21 14:46:00 -07:00
2017-01-19 18:35:11 -08:00
The calculations of the \blockSubsidy , \minerSubsidy , and \foundersReward depend on
the \blockHeight , as defined in \crossref { blockchain} .
2016-06-21 14:46:00 -07:00
2017-01-19 18:35:11 -08:00
These calculations are described in \crossref { subsidies} .
2016-06-21 14:46:00 -07:00
2018-03-12 15:51:20 -07:00
\subsection { \CoinbaseTransactions }
2016-09-18 18:46:11 -07:00
The first \transaction in a \block must be a \coinbaseTransaction, which should
collect and spend any \minerSubsidy and \transactionFees paid by \transactions
included in this \block. The \coinbaseTransaction must also pay the \foundersReward
2017-01-19 18:35:11 -08:00
as described in \crossref { foundersreward} .
2016-06-21 14:46:00 -07:00
2018-03-16 08:58:23 -07:00
\intropart
2018-03-12 15:51:20 -07:00
\section { Abstract Protocol}
2016-05-20 15:52:29 -07:00
2018-03-12 15:51:20 -07:00
\subsection { Abstract Cryptographic Schemes}
2016-05-20 16:06:15 -07:00
2018-03-12 15:51:20 -07:00
\subsubsection { \HashFunctions } \label { abstracthashes}
2016-05-20 16:06:15 -07:00
2018-03-18 13:57:20 -07:00
Let $ \MerkleDepthSprout $ , $ \MerkleHashLengthSprout $ ,
\sapling { $ \MerkleDepthSapling $ , $ \MerkleHashLengthSapling $ , $ \InViewingKeyLength $ ,}
$ \RandomSeedLength $ , $ \hSigLength $ , $ \PRFOutputLength $ , and $ \NOld $
be as defined in \crossref { constants} .
2018-03-18 14:43:57 -07:00
\sapling { Let $ \ellJ $ be as defined in \crossref { jubjub} .}
2018-02-26 01:44:19 -08:00
\sprout {
$ \MerkleCRH \typecolon \MerkleHashSprout \times \MerkleHashSprout \rightarrow \MerkleHashSprout $
2018-03-16 08:58:23 -07:00
is a \collisionResistant \hashFunction used in \crossref { merklepath} .
2016-06-01 06:58:52 -07:00
It is instantiated in \crossref { merklecrh} .
2018-03-09 20:11:23 -08:00
} %sprout
2018-02-26 01:44:19 -08:00
\notsprout {
The functions $ \MerkleCRHSprout \typecolon \MerkleLayerSprout \times \MerkleHashSprout \times \MerkleHashSprout
\rightarrow \MerkleHashSprout $
\sapling { and (for \Sapling ),
$ \MerkleCRHSapling \typecolon \MerkleLayerSapling \times \MerkleHashSapling \times \MerkleHashSapling
\rightarrow \MerkleHashSapling $
}
2018-03-06 14:49:54 -08:00
are \hashFunctions used in \crossref { merklepath} .
2018-03-16 08:58:23 -07:00
\sapling { $ \MerkleCRHSapling $ is \collisionResistant on all its arguments, and}
$ \MerkleCRHSprout $ is \collisionResistant except on its first argument.
2018-02-26 01:44:19 -08:00
Both of these functions are instantiated in \crossref { merklecrh} .
2018-03-09 20:11:23 -08:00
} %notsprout
2016-05-20 16:06:15 -07:00
2016-06-01 06:58:52 -07:00
\changed {
2016-09-18 17:57:28 -07:00
$ \hSigCRH { } \typecolon \bitseq { \RandomSeedLength } \times \typeexp { \PRFOutput } { \NOld } \times \JoinSplitSigPublic \rightarrow \hSigType $
2018-03-16 08:58:23 -07:00
is a \collisionResistant \hashFunction used in \crossref { joinsplitdesc} .
2016-09-03 19:46:42 -07:00
It is instantiated in \crossref { hsigcrh} .
$ \EquihashGen { } \typecolon ( n \typecolon \PosInt ) \times \PosInt \times \byteseqs \times \PosInt \rightarrow \bitseq { n } $
2018-02-07 02:55:53 -08:00
is another \hashFunction , used in \crossref { equihash} to generate
2016-09-03 19:46:42 -07:00
input to the Equihash solver. The first two arguments, representing
the Equihash parameters $ n $ and $ k $ , are written subscripted.
It is instantiated in \crossref { equihashgen} .
2016-06-01 06:58:52 -07:00
}
2016-05-20 16:06:15 -07:00
2018-03-18 14:43:57 -07:00
\sapling {
$ \CRHivk \typecolon \bitseq { \ellJ } \times \bitseq { \ellJ } \rightarrow \range { 0 } { 2 ^ { \InViewingKeyLength } \! - \! 1 } $
is a \collisionResistant \hashFunction used in \crossref { saplingkeycomponents}
to derive an \incomingViewingKey for a \Sapling \paymentAddress . It is also used
in the \spendStatement (\crossref { spendstatement} ) to confirm use of the correct
key for the \note being spent. It is instantiated in \crossref { concretecrhivk} .
$ \DiversifyHash \typecolon \DiversifierType \rightarrow \GroupJ $ is a \hashFunction
satisfying the Discrete Logarithm Independence property (which implies \collisionResistance \! \! )
described in \crossref { abstractgrouphash} .
It is used to derive a \diversifiedBase from a \diversifier in \crossref { saplingkeycomponents} .
It is instantiated in \crossref { concretediversifyhash} .
} %sapling
2018-02-07 02:55:53 -08:00
\introsection
2018-03-12 15:51:20 -07:00
\subsubsection { \PseudoRandomFunctions } \label { abstractprfs}
2016-06-01 06:58:52 -07:00
2018-02-07 03:53:07 -08:00
$ \PRF { x } { } $ is a \pseudoRandomFunction keyed by $ x $ .
2018-03-18 14:43:57 -07:00
Let $ \AuthPrivateLength $ , $ \NoteAddressPreRandLength $ , $ \hSigLength $ ,
$ \PRFOutputLength $ , \sapling { $ \PRFOutputLengthSapling $ ,} $ \NOld $ , and $ \NNew $
be as defined in \crossref { constants} .
2018-02-07 03:53:07 -08:00
2018-03-18 14:43:57 -07:00
\sapling { Let $ \ellJ $ and $ \ParamJ { r } $ be as defined in \crossref { jubjub} .}
2018-02-07 03:53:07 -08:00
\sprout { \changed { Four} \emph { independent} $ \PRF { x } { } $ are needed in our protocol:}
\notsprout { For \Sprout , \changed { four} \emph { independent} $ \PRF { x } { } $ are needed:}
2016-08-15 07:25:15 -07:00
2018-03-18 14:43:57 -07:00
\begin { tabular} { @{ \hskip 2em} l@{ \hskip 1.85em} l@{ \; } l@{ \; } l@{ \; } l}
$ \PRFaddr { } $ & $ \typecolon \; \bitseq { \AuthPrivateLength } $ & $ \times \; \range { 0 } { 255 } $ & & $ \rightarrow \PRFOutput $ \\
$ \PRFnf { } $ & $ \typecolon \; \bitseq { \AuthPrivateLength } $ & $ \times \; \PRFOutput $ & & $ \rightarrow \PRFOutput $ \\
$ \PRFpk { } $ & $ \typecolon \; \bitseq { \AuthPrivateLength } $ & $ \times \; \setofOld $ & $ \times \; \hSigType $ & $ \rightarrow \PRFOutput $ \\
$ \PRFrho { } $ & $ \typecolon \; \bitseq { \NoteAddressPreRandLength } $ & $ \times \; \setofNew $ & $ \times \; \hSigType $ & $ \rightarrow \PRFOutput $
2016-08-15 10:05:13 -07:00
\end { tabular}
2018-01-29 15:08:08 -08:00
These are used in \crossref { joinsplitstatement} ; $ \PRFaddr { } $ is also used to
2018-02-07 03:53:07 -08:00
derive a \paymentAddress from a \spendingKey in \crossref { sproutkeycomponents} .
2017-12-01 18:04:39 -08:00
2018-02-07 03:53:07 -08:00
\sapling {
2018-03-11 00:40:49 -08:00
For \Sapling , two additional $ \PRF { x } { } $ are needed:
2018-02-07 03:53:07 -08:00
2018-03-11 00:40:49 -08:00
\begin { tabular} { @{ \hskip 2em} l@{ \; } l@{ \hskip 0.6em} l@{ \; } l@{ \hskip 4.25em} l}
2018-03-18 14:43:57 -07:00
$ \PRFexpand { } $ & $ \typecolon \; \bitseq { \SpendingKeyLength } $ & $ \times \; \range { 0 } { 255 } $ & & $ \rightarrow \GF { \ParamJ { r } } $ \\
$ \PRFnfSapling { } $ & $ \typecolon \; \bitseq { \ellJ } $ & $ \times \; \bitseq { \ellJ } $ & & $ \rightarrow \PRFOutputSapling $
2018-02-07 03:53:07 -08:00
\end { tabular}
2018-03-16 08:58:23 -07:00
$ \PRFexpand { } $ is used in \crossref { saplingkeycomponents} .
2018-03-18 14:43:57 -07:00
$ \PRFnfSapling { } $ is used in \crossref { spendstatement} .
2018-03-11 00:40:49 -08:00
} %sapling
2018-02-07 03:53:07 -08:00
\sprout { They} \notsprout { All of these \pseudoRandomFunctions } are instantiated in \crossref { concreteprfs} .
2016-06-01 06:58:52 -07:00
2018-02-07 03:46:15 -08:00
\begin { securityrequirements}
\item Security definitions for \pseudoRandomFunctions are given in \cite [section 4] { BDJR2000} .
\item In addition to being \pseudoRandomFunctions , it is required that
2018-03-18 14:43:57 -07:00
$ \PRFnf { x } $ ,\changed { $ \PRFaddr { x } $ ,\sprout { and} $ \PRFrho { x } $ } \sapling { , and $ \PRFnfSapling { x } $ }
2018-03-16 08:58:23 -07:00
be \collisionResistant across all $ x $ --- i.e.\ finding $ ( x, y ) \neq ( x', y' ) $
2018-02-12 05:06:12 -08:00
such that $ \PRFnf { x } ( y ) = \PRFnf { x' } ( y' ) $ should not be feasible\changed { , and
2018-03-18 14:43:57 -07:00
similarly for $ \PRFaddr { } $ and $ \PRFrho { } $ \sapling { and $ \PRFnfSapling { } $ } } .
2018-02-07 03:46:15 -08:00
\end { securityrequirements}
\pnote { $ \PRFnf { } $ was called $ \PRFsn { } $ in \Zerocash \cite { BCG+2014} .}
2018-02-26 01:44:19 -08:00
\introsection
2018-03-12 15:51:20 -07:00
\subsubsection { \SymmetricEncryption } \label { abstractsym}
2016-06-30 15:18:43 -07:00
Let $ \Sym $ be a \symmetricEncryptionScheme with keyspace $ \Keyspace $ , encrypting
plaintexts in $ \Plaintext $ to produce ciphertexts in $ \Ciphertext $ .
2016-05-20 16:06:15 -07:00
2016-06-01 06:58:52 -07:00
$ \SymEncrypt { } \typecolon \Keyspace \times \Plaintext \rightarrow \Ciphertext $
2016-06-30 15:18:43 -07:00
is the encryption algorithm.
2016-06-01 06:58:52 -07:00
$ \SymDecrypt { } \typecolon \Keyspace \times \Ciphertext \rightarrow
2017-12-01 18:04:39 -08:00
\Plaintext \union \setof { \bot } $ is the corresponding decryption algorithm, such that
2016-06-30 15:18:43 -07:00
for any $ \Key \in \Keyspace $ and $ \Ptext \in \Plaintext $ ,
$ \SymDecrypt { \Key } ( \SymEncrypt { \Key } ( \Ptext ) ) = \Ptext $ .
2016-06-01 06:58:52 -07:00
$ \bot $ is used to represent the decryption of an invalid ciphertext.
\securityrequirement {
2018-02-07 02:55:53 -08:00
$ \Sym $ must be one-time (INT-CTXT $ \wedge $ IND-CPA)-secure. \quotedterm { One-time} here
means that an honest protocol participant will almost surely encrypt only one message
with a given key; however, the attacker may make many adaptive chosen ciphertext
queries for a given key. The security notions INT-CTXT and IND-CPA are as defined in
2016-06-30 15:18:43 -07:00
\cite { BN2007} .
2016-06-01 06:58:52 -07:00
}
2018-03-12 15:51:20 -07:00
\subsubsection { \KeyAgreement } \label { abstractkeyagreement}
2016-06-01 06:58:52 -07:00
2016-06-21 15:58:09 -07:00
A \keyAgreementScheme is a cryptographic protocol in which two parties agree
a shared secret, each using their private key and the other party's public key.
2016-06-01 06:58:52 -07:00
2016-06-30 15:18:43 -07:00
A \keyAgreementScheme $ \KA $ defines a type of public keys $ \KAPublic $ , a type
of private keys $ \KAPrivate $ , and a type of shared secrets $ \KASharedSecret $ .
Let $ \KAFormatPrivate \typecolon \PRFOutput \rightarrow \KAPrivate $ be a function
that converts a bit string of length $ \PRFOutputLength $ to a $ \KA $ private key.
2016-06-01 06:58:52 -07:00
2018-02-26 01:44:19 -08:00
Let $ \KADerivePublic \typecolon \KAPrivate \times \KAPublic \rightarrow \KAPublic $
be a function that derives the $ \KA $ public key corresponding to a given $ \KA $
private key and base point.
2016-06-30 15:18:43 -07:00
Let $ \KAAgree \typecolon \KAPrivate \times \KAPublic \rightarrow \KASharedSecret $
2016-06-21 15:58:09 -07:00
be the agreement function.
2016-06-01 06:58:52 -07:00
2018-02-26 01:44:19 -08:00
\sapling { Optional:} Let $ \KABase \typecolon \KAPublic $ be a public base point.
2016-09-03 19:55:09 -07:00
\pnote {
2016-09-02 14:36:20 -07:00
The range of $ \KADerivePublic $ may be a strict subset of $ \KAPublic $ .
2016-09-03 19:55:09 -07:00
}
2016-09-02 14:36:20 -07:00
\begin { securityrequirements}
\item $ \KAFormatPrivate $ must preserve sufficient entropy from its input to be used
as a secure $ \KA $ private key.
\item The key agreement and the KDF defined in the next section must together
satisfy a suitable adaptive security assumption along the lines of
\cite [section 3] { Bern2006} or \cite [Definition 3] { ABR1999} .
\end { securityrequirements}
More precise formalization of these requirements is beyond the scope of this
specification.
2016-06-30 15:18:43 -07:00
2016-06-01 06:58:52 -07:00
2018-03-12 15:51:20 -07:00
\subsubsection { \KeyDerivation } \label { abstractkdf}
2016-06-21 16:01:35 -07:00
A \keyDerivationFunction is defined for a particular \keyAgreementScheme and
\symmetricEncryptionScheme ; it takes the shared secret produced by the key
agreement and additional arguments, and derives a key suitable for the encryption
scheme.
2016-09-03 19:46:42 -07:00
Let $ \KDF \typecolon \setofNew \times \hSigType \times \KASharedSecret
2016-06-30 15:18:43 -07:00
\times \KAPublic \times \KAPublic \rightarrow \Keyspace $ be a
\keyDerivationFunction suitable for use with $ \KA $ , deriving keys
2016-06-21 16:01:35 -07:00
for $ \SymEncrypt { } $ .
2016-06-30 15:18:43 -07:00
\securityrequirement {
2016-09-02 14:36:20 -07:00
In addition to adaptive security of the key agreement and KDF,
the following security property is required:
2018-02-26 01:44:19 -08:00
\notsprout {
2018-02-07 03:53:07 -08:00
\todo { adapt this definition to handle \Sapling , or maybe just remove it.}
2018-02-26 01:44:19 -08:00
Let $ \TransmitBase : = \todo { ? } $
2018-02-07 03:53:07 -08:00
}
2018-02-26 01:44:19 -08:00
\sprout { Let $ \TransmitBase : = \KABase $ .}
2018-02-07 03:53:07 -08:00
2016-09-02 14:36:20 -07:00
Let $ \TransmitPrivateSup { 1 } $ and $ \TransmitPrivateSup { 2 } $ each be chosen uniformly and
independently at random from $ \KAPrivate $ .
2018-02-26 01:44:19 -08:00
Let $ \TransmitPublicSup { j } : = \KADerivePublic ( \TransmitPrivateSup { j } , \TransmitBase ) $ .
2016-09-02 14:36:20 -07:00
2017-01-19 18:24:49 -08:00
\introlist
2016-09-02 14:36:20 -07:00
An adversary can adaptively query a function
2016-09-03 19:46:42 -07:00
$ Q \typecolon \range { 1 } { 2 } \times \hSigType \rightarrow
\KAPublic \times \Keyspace _ { \allNew } $ where $ Q_ j(\hSig )$ is defined as follows:
2016-09-02 14:36:20 -07:00
\begin { enumerate}
\item Choose $ \EphemeralPrivate $ uniformly at random from $ \KAPrivate $ .
2018-02-26 01:44:19 -08:00
\item Let $ \EphemeralPublic : = \KADerivePublic ( \EphemeralPrivate , \TransmitBase ) $ .
2016-09-02 14:36:20 -07:00
\item For $ i \in \setofNew $ , let $ \Key _ i : =
\KDF (i, \hSig , \KAAgree (\EphemeralPrivate , \TransmitPublicSup { j} ), \EphemeralPublic , \TransmitPublicSup { j} )$ .
\item Return $ ( \EphemeralPublic , \Key _ { \allNew } ) $ .
\end { enumerate}
2016-09-03 17:08:02 -07:00
Then the adversary must make another query to $ Q _ j $ for a random, unknown
$ j \in \range { 1 } { 2 } $ , and attempt to guess $ j $ with probability greater than chance.
2016-06-30 15:18:43 -07:00
}
2018-03-11 05:34:06 -07:00
If the adversary's advantage is insignificant, then the asymmetric encryption scheme
2016-09-02 14:36:20 -07:00
constructed from $ \KA $ , $ \KDF $ and $ \Sym $ in \crossref { inband} will be key-private
as defined in \cite { BBDP2001} .
2018-03-16 08:58:23 -07:00
\pnote { The given definition only requires ciphertexts to be indistinguishable
2016-09-02 14:36:20 -07:00
between \transmissionKeys that are outputs of $ \KADerivePublic $ (which
2018-02-07 03:53:07 -08:00
includes all keys generated as in \crossref { sproutkeycomponents} ). If a
2016-09-02 14:36:20 -07:00
\transmissionKey not in that range is used, it may be distinguishable.
This is not considered to be a significant security weakness.
2016-09-03 19:55:09 -07:00
}
2016-09-02 14:36:20 -07:00
2017-01-19 18:24:49 -08:00
\introlist
2018-03-12 15:51:20 -07:00
\subsubsection { Signature} \label { abstractsig}
2016-06-30 15:18:43 -07:00
2016-09-05 13:14:29 -07:00
A signature scheme $ \Sig $ defines:
\begin { itemize}
\item a type of signing keys $ \SigPrivate $ ;
\item a type of verifying keys $ \SigPublic $ ;
\item a type of messages $ \SigMessage $ ;
\item a type of signatures $ \SigSignature $ ;
\item a randomized key pair generation algorithm $ \SigGen \typecolon ( ) \rightarrowR \SigPrivate \times \SigPublic $ ;
\item a randomized signing algorithm $ \SigSign { } \typecolon \SigPrivate \times \SigMessage \rightarrowR \SigSignature $ ;
\item a verifying algorithm $ \SigVerify { } \typecolon \SigPublic \times \SigMessage \times \SigSignature \rightarrow \bit $ ;
\end { itemize}
2016-09-26 13:31:38 -07:00
such that for any key pair $ ( \sk , \vk ) \leftarrowR \SigGen ( ) $ , and
any $ m \typecolon \SigMessage $ and $ s \typecolon \SigSignature \leftarrowR \SigSign { \sk } ( m ) $ ,
2016-09-05 13:14:29 -07:00
$ \SigVerify { \vk } ( m, s ) = 1 $ .
2018-03-16 08:58:23 -07:00
\introlist
2018-02-26 01:44:19 -08:00
\Zcash uses \sprout { two} \sapling { three} signature schemes:
2018-02-07 03:53:07 -08:00
\begin { itemize}
\item one used for signatures that can be verified by script operations such as
\ScriptOP { CHECKSIG} and \ScriptOP { CHECKMULTISIG} as in \Bitcoin ;
2018-02-26 01:44:19 -08:00
\item one called $ \JoinSplitSig $ (instantiated in \crossref { concretejssig} ),
2018-02-07 03:53:07 -08:00
which is used to sign \transactions that contain at least one
2018-02-26 01:44:19 -08:00
\joinSplitDescription \sprout { .} \notsprout { ;}
2018-03-11 07:00:00 -07:00
\saplingonwarditem { one called $ \SpendAuthSig $ (instantiated in
\crossref { concretespendauthsig} ), which is used to sign authorizations of
2018-02-26 01:44:19 -08:00
\spendDescriptions .}
2018-02-07 03:53:07 -08:00
\end { itemize}
2018-03-11 07:02:22 -07:00
The following defines only the security properties needed for $ \JoinSplitSig $ .
\sapling { Security properties for $ \SpendAuthSig $ are defined in the next section,
\crossref { abstractsigrerand} .}
2016-09-05 13:14:29 -07:00
\securityrequirement {
2018-03-11 14:31:33 -07:00
$ \JoinSplitSig $ must be Strongly Unforgeable under (non-adaptive) Chosen Message Attack
(SU-CMA), as defined for example in \cite [Definition 6] { BDEHR2011} . This allows an
adversary to obtain signatures on chosen messages, and then requires it to be infeasible
2016-09-05 13:14:29 -07:00
for the adversary to forge a previously unseen valid \mbox { (message, signature)}
pair without access to the signing key.
}
2018-03-11 14:31:33 -07:00
\todo { Reference a different paper for the security definition. \cite { BDEHR2011} has
a flawed security proof; this doesn't affect \Zcash but it would be better to avoid
confusion that it might.}
2016-09-05 13:14:29 -07:00
\begin { pnotes}
2018-02-26 01:44:19 -08:00
\item A fresh signature key pair is generated for each \transaction containing
2018-03-11 14:31:33 -07:00
a \joinSplitDescription { } .
2018-02-26 01:44:19 -08:00
Since each key pair is only used for one signature (see \crossref { nonmalleability} ),
2018-03-11 14:31:33 -07:00
a one-time signature scheme would suffice for $ \JoinSplitSig $ .
2018-02-26 01:44:19 -08:00
This is also the reason why only security against \emph { non-adaptive}
2018-03-11 14:31:33 -07:00
chosen message attack is needed. In fact the instantiation of $ \JoinSplitSig $
uses a scheme designed for security under adaptive attack even when multiple
signatures are signed under the same key.
2016-09-26 09:24:55 -07:00
\item SU-CMA security requires it to be infeasible for the adversary, not
knowing the private key, to forge a distinct signature on a previously
2018-03-11 14:31:33 -07:00
seen message. That is, \joinSplitSignatures are intended to be nonmalleable
in the sense of \cite { BIP-62} .
2016-09-05 13:14:29 -07:00
\end { pnotes}
2016-06-21 16:01:35 -07:00
2016-09-02 20:03:28 -07:00
2018-03-18 13:57:20 -07:00
\sapling {
2018-03-06 14:29:14 -08:00
\introlist
2018-03-12 15:51:20 -07:00
\subsubsubsection { Signature with Re-Randomizable Keys} \label { abstractsigrerand}
2018-03-06 14:29:14 -08:00
A signature scheme with re-randomizable keys $ \Sig $ is a signature scheme that
additionally defines:
\begin { itemize}
\item a type of randomizers $ \SigRandom $ ;
\item a public key randomization algorithm $ \SigRandomizePublic \typecolon \SigPublic \times \SigRandom \rightarrow \SigPublic $ ;
\item a private key randomization algorithm $ \SigRandomizePrivate \typecolon \SigPrivate \times \SigRandom \rightarrow \SigPrivate $ ;
\item a distinguished ``identity'' randomizer $ \SigRandomnessId \typecolon \SigRandom $
\end { itemize}
\vspace { -1ex}
such that if $ ( \pk \typecolon \SigPublic , \sk \typecolon \SigPrivate ) $ is a
valid $ \Sig $ key pair, then:
\vspace { 1ex}
\begin { itemize}
\item $ \left ( \SigRandomizePublic ( \pk , \SigRandomness ) , \SigRandomizePrivate ( \sk , \SigRandomness ) \right ) $
is also a valid $ \Sig $ key pair for any $ \SigRandomness \typecolon \SigRandom $ ;
\item $ \SigRandomizePrivate ( \paramdot , \SigRandomness ) \typecolon \SigPrivate \rightarrow \SigPrivate $
is injective and easily invertible for any $ \SigRandomness \typecolon \SigRandom $ ;
\item For \emph { any} key pair $ ( \pk , \sk ) $ returned by $ \SigGen ( ) $ , the distribution of
\begin { formulae}
\item $ \left ( \SigRandomizePublic ( \pk , \SigRandomness ) , \SigRandomizePrivate ( \sk , \SigRandomness ) \right ) :
\SigRandomness \leftarrowR \SigRandom $
\end { formulae}
2018-03-16 08:58:23 -07:00
\vspace { -0.5ex} is identical to the distribution of $ \SigGen ( ) $ .
2018-03-06 14:29:14 -08:00
\item $ \left ( \SigRandomizePublic ( \pk , \SigRandomnessId ) , \SigRandomizePrivate ( \sk , \SigRandomnessId ) \right ) = ( \pk , \sk ) $ .
\end { itemize}
The following security requirement for such signature schemes is based on that
given in \cite [section 3] { FKMSSS2016} . Note that we require Strong Unforgeability
2018-03-11 14:31:33 -07:00
with Re-randomized Keys, not Existential Unforgeability with Re-randomized Keys
2018-03-16 08:58:23 -07:00
(the latter is called ``Unforgeability under Re-randomized Keys'' in
2018-03-11 14:31:33 -07:00
\cite [Definition 8] { FKMSSS2016} ). Unlike the case for $ \JoinSplitSig $ , we require
security under adaptive chosen message attack with multiple messages signed using
a given key. (Although each \note uses a different re-randomized key pair, the same
original key pair can be re-randomized for multiple \notes , and also it can happen
that multiple \transactions spending the same \note are revealed to an adversary.)
2018-03-06 14:29:14 -08:00
\introsection
2018-03-11 14:31:33 -07:00
\securityrequirement { \textbf { Strong Unforgeability with Re-randomized Keys under adaptive Chosen Message Attack (SURK-CMA)}
2018-03-06 14:29:14 -08:00
Let $ \Oracle \typecolon \SigPrivate \times \SigMessage \times \SigRandom \rightarrow \SigSignature $
be a generator of signing oracles.
A signing oracle $ \Oracle _ { \sk } $ for private key $ \sk $ has state
$ Q \typecolon \powerset { \SigMessage \times \SigSignature } $ initialized to $ \setof { } $
that records queried messages and corresponding signatures.
\begin { formulae}
\item $ \Oracle _ { \sk } : = $ var $ Q \leftarrow \setof { } $ in $ \fun { ( m \typecolon \SigMessage , \SigRandomness \typecolon \SigRandom ) } { } $
\item \tab let $ \sigma = \SigSign { \SigRandomizePrivate ( \sk , \SigRandomness ) } ( m ) $
\item \tab $ Q \leftarrow Q \union \setof { ( m, \sigma ) } $
\item \tab return $ \sigma \typecolon \SigSignature $ .
\end { formulae}
For random $ ( \pk , \sk ) \leftarrowR \SigGen ( ) $ , it must be infeasible for an adversary
given $ \pk $ and a new instance of $ \Oracle _ { \sk } $ to find $ ( m ^ * , \sigma ^ * , \SigRandomness ^ * ) $
such that $ \SigVerify { \SigRandomizePublic ( \pk , \SigRandomness ^ * ) } ( m ^ * , \sigma ^ * ) = 1 $ and
$ ( m ^ * , \sigma ^ * ) \not \in \Oracle _ { \sk } \mathsf { . } Q $ .
}
\begin { pnotes}
2018-03-11 14:31:33 -07:00
\item The requirement for $ \SigRandomnessId $ simplifies the definition of SURK-CMA
2018-03-06 14:29:14 -08:00
by removing the need for two oracles (since the oracle for original keys,
called $ \Oracle _ 1 $ in \cite { FKMSSS2016} , is a special case of the oracle for
randomized keys).
2018-03-18 16:57:09 -07:00
\item Since
2018-03-06 14:29:14 -08:00
$ \left ( \SigRandomizePublic ( \pk , \SigRandomness ) , \SigRandomizePrivate ( \sk , \SigRandomness ) \right ) :
\SigRandomness \leftarrowR \SigRandom $ is identically distributed to $ \SigGen ()$ ,
2018-03-18 16:57:09 -07:00
the combination of a re-randomized public key and signature(s)
2018-03-06 14:29:14 -08:00
under that key does not reveal the key from which it was re-randomized.
\item Since $ \SigRandomizePrivate ( \paramdot , \SigRandomness ) $ is injective and
easily invertible, knowledge of $ \SigRandomizePrivate ( \sk , \SigRandomness ) $
\emph { and} $ \SigRandomness $ implies knowledge of $ \sk $ .
\end { pnotes}
2018-03-18 13:57:20 -07:00
} %sapling
2018-03-06 14:29:14 -08:00
2017-01-19 18:24:49 -08:00
\introlist
2018-03-12 15:51:20 -07:00
\subsubsection { Commitment} \label { abstractcommit}
2016-09-02 20:03:28 -07:00
A \commitmentScheme is a function that, given a random \commitmentTrapdoor
and an input, can be used to commit to the input in such a way that:
2017-01-19 18:24:49 -08:00
2016-09-02 20:03:28 -07:00
\begin { itemize}
2018-02-07 02:55:53 -08:00
\item no information is revealed about the input without the \trapdoor (\quotedterm { hiding} ),
\item given the \trapdoor and input, the commitment can be verified to \quotedterm { open}
to that input and no other (\quotedterm { binding} ).
2016-09-02 20:03:28 -07:00
\end { itemize}
\vspace { -3ex}
2018-02-07 02:55:53 -08:00
A \commitmentScheme $ \CommitAlg $ defines a type of inputs $ \CommitInput $ ,
2016-09-02 20:03:28 -07:00
a type of commitments $ \CommitOutput $ , and a type of \commitmentTrapdoors
$ \CommitTrapdoor $ .
2018-02-07 02:55:53 -08:00
Let $ \CommitAlg \typecolon \CommitTrapdoor \times \CommitInput \rightarrow \CommitOutput $
2017-02-11 15:53:38 -08:00
be a function satisfying the security requirements below.
\begin { securityrequirements}
\item \textbf { Computational hiding:} For all $ x, x' \typecolon \CommitInput $ ,
the distributions $ \{ \; \Commit { r } ( x ) \; | \; r \leftarrowR \CommitTrapdoor \; \} $
and $ \{ \; \Commit { r } ( x' ) \; | \; r \leftarrowR \CommitTrapdoor \; \} $ are
computationally indistinguishable.
\item \textbf { Computational binding:} It is infeasible to find
$ x, x' \typecolon \CommitInput $ and
$ r, r' \typecolon \CommitTrapdoor $
such that $ x \neq x' $ and $ \Commit { r } ( x ) = \Commit { r' } ( x' ) $ .
\end { securityrequirements}
2016-09-02 20:03:28 -07:00
2018-02-26 01:44:19 -08:00
\pnote {
If it were feasible to find $ x \typecolon \CommitInput $ and
$ r, r' \typecolon \CommitTrapdoor $ such that $ r \neq r' $ and
$ \Commit { r } ( x ) = \Commit { r' } ( x ) $ , this would not by itself contradict
the computational binding security requirement.
}
2016-09-02 20:03:28 -07:00
2018-02-07 02:55:53 -08:00
\introsection
2018-03-12 15:51:20 -07:00
\subsubsection { \RepresentedGroup } \label { abstractgroup}
2017-12-01 17:03:17 -08:00
A \representedGroup $ \GroupG { } $ consists of:
\begin { itemize}
\item a subgroup order parameter $ \ParamG { r } \typecolon \PosInt $ , which must be prime;
\item a cofactor parameter $ \ParamG { h } \typecolon \PosInt $ ;
\item a group $ \GroupG { } $ of order $ \ParamG { h } \mult \ParamG { r } $ , written additively
with operation $ + \typecolon \GroupG { } \times \GroupG { } \rightarrow \GroupG { } $ ,
and additive identity $ \ZeroG { } $ ;
\item a generator $ \GenG { } $ of the subgroup of $ \GroupG { } $ of order $ \ParamG { r } $ ;
\item a bit-length parameter $ \ellG { } \typecolon \Nat $ ;
2018-03-16 08:58:23 -07:00
\item a representation function \smash { $ \reprG { } \typecolon \GroupG { } \rightarrow \bitseq { \ellG { } } $ } ;
\item an abstraction function \smash { $ \abstG { } \typecolon \bitseq { \ellG { } } \rightarrow \GroupG { } \union \setof { \bot } $ } ;
2017-12-01 17:03:17 -08:00
\end { itemize}
2018-03-16 08:58:23 -07:00
\vspace { -1.5ex}
2018-02-07 02:55:53 -08:00
such that $ \abstG { } $ is the left inverse of $ \reprG { } $ , i.e.\
for all $ P \in \GroupG { } $ , $ \abstG { } ( \reprG { } ( P ) ) = P $ , and
for all $ S $ not in the image of $ \reprG { } $ , $ \abstG { } ( S ) = \bot $ .
2017-12-01 17:03:17 -08:00
2018-02-07 03:53:07 -08:00
% Do we actually need \GenG? It is natural to include it for some groups
% and not others.
2018-03-18 13:57:20 -07:00
For $ G \typecolon \GroupG { } $ we write $ - G $ for the negation of $ G $ , such that
$ ( - G ) + G = \ZeroG { } $ . We write $ G - H $ for $ G + ( - H ) $ .
2017-12-01 17:03:17 -08:00
2018-03-18 13:57:20 -07:00
We also extend the $ \vsum { } { } $ notation to addition on group elements.
For $ G \typecolon \GroupG { } $ and $ k \typecolon \Int $ we write $ \scalarmult { k } { G } $
for scalar multiplication on the group, i.e.
\begin { formulae}
\item $ \scalarmult { k } { G } : = \begin { cases }
\ssum { i = 1} { k} G, & \caseif k \geq 0 \\ [1.5ex]
\ssum { i = 1} { -k} (-G), & \caseotherwise .
\end { cases} $
\end { formulae}
For $ G \typecolon \GroupG { } $ and $ a \typecolon \GF { \ParamG { r } } $ , we may also write
$ \scalarmult { a } { G } $ meaning $ \scalarmult { a \bmod \ParamG { r } } { G } $ as defined above.
(This variant is not defined for fields other than $ \GF { \ParamG { r } } $ .)
2017-12-01 17:03:17 -08:00
\sapling {
2018-02-07 02:55:53 -08:00
\introsection
2018-03-12 15:51:20 -07:00
\subsubsection { \HashExtractor } \label { abstractextractor}
2017-12-01 17:03:17 -08:00
A \hashExtractor for a \representedGroup $ \GroupG { } $ is a function
2018-02-10 03:30:37 -08:00
$ \ExtractG \typecolon \GroupG { } \rightarrow T $ for some type $ T $ ,
such that $ \ExtractG $ is injective on the subgroup of $ \GroupG { } $ of order
$ \ParamG { r } $ .
2017-12-01 17:03:17 -08:00
\pnote {
2018-02-07 02:55:53 -08:00
Unlike the representation function $ \reprG { } $ , $ \ExtractG $ need not have an
2017-12-01 17:03:17 -08:00
efficiently computable left inverse.
}
2018-03-09 20:11:23 -08:00
} %sapling
2017-12-01 17:03:17 -08:00
2017-12-01 18:04:39 -08:00
\sapling {
2017-12-01 17:03:17 -08:00
\introlist
2018-03-12 15:51:20 -07:00
\subsubsection { \GroupHash } \label { abstractgrouphash}
2017-12-01 17:03:17 -08:00
2018-02-10 03:30:37 -08:00
Given a represented group $ \GroupG { } $ and a type $ \CRSType $ , we define a
\term { family of group hashes into\, $ \GroupG { } $ } as a function
2018-02-26 01:44:19 -08:00
\begin { formulae}
\item $ \GroupGHash { } \typecolon \CRSType \times \bitseq { \ell } \rightarrow \GroupG { } $
\end { formulae}
\vspace { -1ex}
2018-02-10 03:30:37 -08:00
with the following security requirement.
2017-12-01 17:03:17 -08:00
2018-03-06 14:16:55 -08:00
\securityrequirement { \textbf { Discrete Logarithm Independence}
For a randomly selected member $ \GroupGHash { \CRS } $ of the family, it is infeasible to find
2017-12-01 17:03:17 -08:00
a sequence of distinct inputs $ m _ { \alln } \typecolon \typeexp { \bitseq { \ell } } { n } $
and a sequence of nonzero scalars $ x _ { \alln } \typecolon \typeexp { \GFstar { \ParamG { r } } } { n } $
2018-03-16 08:58:23 -07:00
such that $ \ssum { i = 1 } { n } \! \left ( \scalarmult { x _ i } { \GroupGHash { \CRS } ( m _ i ) } \right ) = \ZeroG { } $ .
2018-03-06 14:16:55 -08:00
}
2017-12-01 17:03:17 -08:00
2018-02-07 03:53:07 -08:00
\begin { pnotes}
\item This property implies (and is stronger than) collision-resistance,
2018-02-10 03:30:37 -08:00
since a collision $ ( m _ 1 , m _ 2 ) $ for $ \GroupGHash { \CRS } $ trivially gives a
2018-02-07 03:53:07 -08:00
discrete logarithm relation with $ x _ 1 = 1 $ and $ x _ 2 = - 1 $ .
2018-02-10 03:30:37 -08:00
\item An alternative approach is to model $ \GroupGHash { \CRS } $ as a random
2018-02-07 03:53:07 -08:00
oracle, and assume that the Discrete Logarithm Problem is hard in
the group. We prefer to avoid the Random Oracle Model and instead make
a more specific standard-model assumption, which is effectively no
stronger than the assumptions made in the random oracle approach.
2018-02-10 03:30:37 -08:00
\item $ \CRS $ is a \commonRandomString ; we choose it verifiably at random,
\emph { after} fixing the concrete group hash algorithm to be used.
Publishing the algorithm and the method of choosing the
\commonRandomString before the $ \CRS $ could be known mitigates the
possibility that the group hash algorithm could have been backdoored.
2018-02-07 03:53:07 -08:00
\end { pnotes}
2018-03-09 20:11:23 -08:00
} %sapling
2017-12-01 17:03:17 -08:00
\introlist
2018-03-12 15:51:20 -07:00
\subsubsection { \RepresentedPairing } \label { abstractpairing}
2017-12-01 17:03:17 -08:00
A \representedPairing $ \GroupP { } $ consists of:
\begin { itemize}
\item a group order parameter $ \ParamP { r } \typecolon \PosInt $ , which must be prime;
\item two \representedGroups $ \GroupP { 1 .. 2 } $ , both of order $ \ParamP { r } $ ;
2018-03-16 08:58:23 -07:00
\item a group $ \GroupP { T } $ of order $ \ParamP { r } $ , written multiplicatively with operation\,
2017-12-01 17:03:17 -08:00
$ \mult \typecolon \GroupP { T } \times \GroupP { T } \rightarrow \GroupP { T } $
and multiplicative identity $ \ParamP { \mathbf { 1 } } $ ;
\item a pairing function
$ \PairingP \typecolon \GroupP { 1 } \times \GroupP { 2 } \rightarrow \GroupP { T } $
satisfying:
\begin { itemize}
\item (Bilinearity)\; for all $ a, b \typecolon \GFstar { \ParamP { r } } $ ,
2018-03-16 08:58:23 -07:00
$ P \typecolon \GroupP { 1 } $ , and $ Q \typecolon \GroupP { 2 } $ ,\;
$ \PairingP ( \scalarmult { a } { P } , \scalarmult { b } { Q } ) = \PairingP ( P, Q ) ^ { a \mult b } $ ;\, and
2017-12-01 17:03:17 -08:00
\item (Nondegeneracy)\; there does not exist $ P \typecolon \GroupP { 1 } \setminus \ZeroP { 1 } $
2018-03-16 08:58:23 -07:00
such that for all $ Q \typecolon \GroupP { 2 } , \;
\PairingP (P, Q) = \ParamP { \mathbf { 1} } $ .
2017-12-01 17:03:17 -08:00
\end { itemize}
\end { itemize}
2018-03-12 15:51:20 -07:00
\subsubsection { \ZeroKnowledgeProvingSystem } \label { abstractzk}
2016-09-02 14:47:05 -07:00
A \zeroKnowledgeProvingSystem is a cryptographic protocol that allows
proving a particular \statement , dependent on \primary and \auxiliaryInputs ,
in zero knowledge --- that is, without revealing information about the
\auxiliaryInputs other than that implied by the \statement . The type of
\zeroKnowledgeProvingSystem needed by \Zcash is a \ppzkSNARK .
2017-01-19 18:24:49 -08:00
\introlist
2016-09-02 14:47:05 -07:00
A \ppzkSNARK instance $ \ZK $ defines:
\begin { itemize}
\item a type of \zkProvingKeys , $ \ZKProvingKey $ ;
\item a type of \zkVerifyingKeys , $ \ZKVerifyingKey $ ;
\item a type of \primaryInputs $ \ZKPrimary $ ;
\item a type of \auxiliaryInputs $ \ZKAuxiliary $ ;
2016-09-05 13:15:19 -07:00
\item a type of proofs $ \ZKProof $ ;
2016-09-02 14:47:05 -07:00
\item a type $ \ZKSatisfying \subseteq \ZKPrimary \times \ZKAuxiliary $ of inputs satisfying
the \statement ;
2016-09-05 13:15:19 -07:00
\item a randomized key pair generation algorithm $ \ZKGen \typecolon ( ) \rightarrowR \ZKProvingKey \times \ZKVerifyingKey $ ;
\item a proving algorithm $ \ZKProve { } \typecolon \ZKProvingKey \times \ZKSatisfying \rightarrow \ZKProof $ ;
\item a verifying algorithm $ \ZKVerify { } \typecolon \ZKVerifyingKey \times \ZKPrimary \times \ZKProof \rightarrow \bit $ ;
2016-09-02 14:47:05 -07:00
\end { itemize}
The security requirements below must hold with overwhelming
2016-09-26 13:31:38 -07:00
probability for $ ( \pk , \vk ) \leftarrowR \ZKGen ( ) $ .
2016-09-02 14:47:05 -07:00
\begin { securityrequirements}
\item \textbf { Completeness:} An honestly generated proof will convince a verifier:
2017-12-01 18:00:10 -08:00
for any $ ( x, w ) \in \ZKSatisfying $ , if $ \ZKProve { \pk } ( x, w ) $ outputs $ \Proof { } $ ,
then $ \ZKVerify { \vk } ( x, \Proof { } ) = 1 $ .
\item \textbf { Knowledge Soundness:} For any adversary $ \Adversary $ able to find an
$ x \typecolon \ZKPrimary $ and proof $ \Proof { } \typecolon \ZKProof $ such that $ \ZKVerify { \vk } ( x, \Proof { } ) = 1 $ ,
2016-09-02 14:47:05 -07:00
there is an efficient extractor $ E _ { \Adversary } $ such that if $ E _ { \Adversary } ( \vk , \pk ) $
2018-03-11 05:34:06 -07:00
returns $ w $ , then the probability that $ ( x, w ) \not \in \ZKSatisfying $ is insignificant.
2016-09-02 14:47:05 -07:00
\item \textbf { Statistical Zero Knowledge:} An honestly generated proof is statistical
2017-02-11 15:53:38 -08:00
zero knowledge. That is, there is a feasible stateful simulator $ \Simulator $ such that,
for all stateful distinguishers $ \Distinguisher $ , the following two probabilities are
2018-03-11 05:34:06 -07:00
not significantly different:
2017-02-11 15:53:38 -08:00
\vspace { 0.5ex}
$ \; \; \Prob {
(x, w) \in \ZKSatisfying \\
2017-12-01 18:00:10 -08:00
\Distinguisher (\Proof { } ) = 1
2017-02-11 15:53:38 -08:00
} {
(\pk , \vk ) \leftarrowR \ZKGen () \\
(x, w) \leftarrowR \Distinguisher (\pk , \vk ) \\
2017-12-01 18:00:10 -08:00
\Proof { } \leftarrowR \ZKProve { \pk } (x, w)
2017-02-11 15:53:38 -08:00
}
\text { \; and \; }
\Prob {
(x, w) \in \ZKSatisfying \\
2017-12-01 18:00:10 -08:00
\Distinguisher (\Proof { } ) = 1
2017-02-11 15:53:38 -08:00
} {
(\pk , \vk ) \leftarrowR \Simulator () \\
(x, w) \leftarrowR \Distinguisher (\pk , \vk ) \\
2017-12-01 18:00:10 -08:00
\Proof { } \leftarrowR \Simulator (x)
2017-02-11 15:53:38 -08:00
} $
2016-09-02 14:47:05 -07:00
\end { securityrequirements}
These definitions are derived from those in \cite [Appendix C] { BCTV2014} , adapted to
2017-02-11 15:53:38 -08:00
state concrete security for a fixed circuit, rather than asymptotic security for
arbitrary circuits. ($ \ZKProve { } $ corresponds to $ P $ , $ \ZKVerify { } $ corresponds to $ V $ ,
and $ \ZKSatisfying $ corresponds to $ \mathcal { R } _ C $ in the notation of that appendix.)
2016-09-02 14:47:05 -07:00
2017-12-01 18:00:10 -08:00
The Knowledge Soundness definition is a way to formalize the property that it is
infeasible to find a new proof $ \Proof { } $ where $ \ZKVerify { \vk } ( x, \Proof { } ) = 1 $ without
2016-09-02 14:47:05 -07:00
\emph { knowing} an \auxiliaryInput $ w $ such that $ ( x, w ) \in \ZKSatisfying $ .
2017-12-01 18:00:10 -08:00
Note that Knowledge Soundness implies Soundness --- i.e.\ the property that it is
infeasible to find a new proof $ \Proof { } $ where $ \ZKVerify { \vk } ( x, \Proof { } ) = 1 $ without
2017-02-11 15:53:38 -08:00
\emph { there existing} an \auxiliaryInput $ w $ such that $ ( x, w ) \in \ZKSatisfying $ .
It is possible to replay proofs, but informally, a proof for a given $ ( x, w ) $ gives
no information that helps to find a proof for other $ ( x, w ) $ .
2016-09-02 14:47:05 -07:00
2017-12-01 18:00:10 -08:00
\sprout {
The \provingSystem is instantiated in \crossref { phgr} .
2018-01-29 15:08:08 -08:00
$ \JoinSplit $ refers to this \provingSystem with the $ \BNCurve $ pairing,
specialized to the \joinSplitStatement given in \crossref { joinsplitstatement} .
In this case we omit the key subscripts on $ \JoinSplitProve $ and $ \JoinSplitVerify $ ,
2017-12-01 18:00:10 -08:00
taking them to be the particular \provingKey and \verifyingKey defined by the
\joinSplitParameters in \crossref { sproutparameters} .
2018-03-09 20:11:23 -08:00
} %sprout
2017-12-01 18:00:10 -08:00
\sapling {
\Zcash uses two \provingSystems :
\begin { itemize}
\item $ \PHGR $ (\crossref { phgr} ) is used with the
$ \BNCurve $ pairing (\crossref { bnpairing} ),
to prove and verify the \Sprout \joinSplitStatement
2018-01-29 15:08:08 -08:00
(\crossref { joinsplitstatement} ).
2017-12-01 18:00:10 -08:00
\item $ \Groth $ (\crossref { groth} ) is used with the
$ \BLSCurve $ pairing (\crossref { blspairing} ),
to prove and verify the \Sapling \spendStatement
2018-01-29 15:08:08 -08:00
(\crossref { spendstatement} ) and \outputStatement
(\crossref { outputstatement} ).
2017-12-01 18:00:10 -08:00
\end { itemize}
These specializations are referred to as
2018-01-29 15:08:08 -08:00
$ \JoinSplit $ for the \Sprout \joinSplitStatement ,
$ \Spend $ for the \Sapling \spendStatement , and
$ \Output $ for the \Sapling \outputStatement .
2016-09-02 14:47:05 -07:00
2018-01-29 15:08:08 -08:00
We omit the key subscripts on $ \JoinSplitProve $ and
$ \JoinSplitVerify $ , taking them to be the $ \PHGR $ \provingKey
2017-12-01 18:00:10 -08:00
and \verifyingKey defined in \crossref { sproutparameters} .
2018-01-29 15:08:08 -08:00
Similarly, we omit the key subscripts on $ \SpendProve $ ,
$ \SpendVerify $ , $ \OutputProve $ , and $ \OutputVerify $ , taking
2018-02-07 02:55:53 -08:00
them to be the $ \Groth $ \provingKeys and
2018-01-29 15:08:08 -08:00
\verifyingKeys defined in \crossref { saplingparameters} .
2018-03-09 20:11:23 -08:00
} %sapling
2016-09-02 14:47:05 -07:00
2018-03-12 15:51:20 -07:00
\subsection { \KeyComponents } \label { keycomponents}
2016-08-15 07:24:35 -07:00
2018-03-12 15:51:20 -07:00
\notsprout { \subsubsection { \Sprout { } \KeyComponents } } \label { sproutkeycomponents}
2018-01-29 15:08:08 -08:00
2017-01-09 11:53:02 -08:00
Let $ \PRFaddr { } $ be a \pseudoRandomFunction , instantiated in \crossref { concreteprfs} .
2018-02-07 03:53:07 -08:00
Let $ \KASprout $ be a \keyAgreementScheme , instantiated in \crossref { concretesproutkeyagreement} .
2016-08-15 07:24:35 -07:00
2018-02-26 01:44:19 -08:00
A new \SproutOrNothing \spendingKey $ \AuthPrivate $ is generated by choosing a bit sequence
2016-08-15 07:24:35 -07:00
uniformly at random from $ \bitseq { \AuthPrivateLength } $ .
2017-01-19 18:24:49 -08:00
\introlist
2016-09-02 20:14:42 -07:00
\changed {
2016-08-15 07:24:35 -07:00
$ \AuthPublic $ , $ \TransmitPrivate $ and $ \TransmitPublic $ are derived from
$ \AuthPrivate $
as follows:}
2017-02-03 20:28:08 -08:00
\begin { tabular} { @{ \hskip 2em} r@{ \; } l}
$ \AuthPublic $ & $ : = \changed { \PRFaddr { \AuthPrivate } ( 0 ) } $ \\
2018-02-07 03:53:07 -08:00
$ \TransmitPrivate $ & $ : = \changed { \KASproutFormatPrivate ( \PRFaddr { \AuthPrivate } ( 1 ) ) } $ \\
2018-02-26 01:44:19 -08:00
$ \TransmitPublic $ & $ : = \changed { \KASproutDerivePublic ( \TransmitPrivate , \KASproutBase ) } $ .
2017-02-03 20:28:08 -08:00
\end { tabular}
2016-08-15 07:24:35 -07:00
2018-01-29 15:08:08 -08:00
\sapling {
2018-03-12 15:51:20 -07:00
\subsubsection { \Sapling { } \KeyComponents } \label { saplingkeycomponents}
2018-01-29 15:08:08 -08:00
2018-03-11 00:40:49 -08:00
Let $ \PRFexpand { } $ be a \pseudoRandomFunction , instantiated in \crossref { concreteprfs} .
2018-01-29 15:08:08 -08:00
2018-02-07 03:53:07 -08:00
Let $ \KASapling $ be a \keyAgreementScheme , instantiated in \crossref { concretesaplingkeyagreement} .
2018-01-29 15:08:08 -08:00
2018-02-07 03:53:07 -08:00
Let $ \CRHivk $ be a \hashFunction , instantiated in \crossref { concretecrhivk} .
2018-03-18 13:33:07 -07:00
Let $ \DiversifyHash $ be a \hashFunction , instantiated in \crossref { concretediversifyhash} .
2018-03-11 14:29:49 -07:00
Let $ \FindGroupJHash $ be as defined in \crossref { concretegrouphashjubjub} .
2018-02-07 03:53:07 -08:00
2018-02-26 01:44:19 -08:00
Let $ \AuthSignBase = \FindGroupJHashOf { \ascii { Zcash \_ G \_ } , \ascii { } } $ and
let $ \AuthProveBase = \FindGroupJHashOf { \ascii { Zcash \_ H \_ } , \ascii { } } $ .
2018-02-07 03:53:07 -08:00
Let $ \reprJ $ be the representation function for the $ \JubjubCurve $ \representedGroup ,
instantiated in \crossref { jubjub} .
2018-03-11 10:27:43 -07:00
Let $ \LEBStoOSP { } \typecolon ( \ell \typecolon \Nat ) \times \bitseq { \ell } \rightarrow \byteseq { \sceiling { \ell / 8 } } $
2018-02-26 01:44:19 -08:00
be defined as in \crossref { endian} .
2018-02-07 07:41:46 -08:00
2018-02-07 03:53:07 -08:00
\vspace { 2ex}
2018-03-11 00:40:49 -08:00
A new \Sapling \spendingKey $ \SpendingKey $ is generated by choosing a bit sequence
uniformly at random from $ \bitseq { \SpendingKeyLength } $ .
2018-01-29 15:08:08 -08:00
2018-03-11 00:40:49 -08:00
\introlist
From this \spendingKey , the \authSigningKey $ \AuthSignPrivate $ and \authProvingKey $ \AuthProvePrivate $
are derived as follows:
2018-02-07 03:53:07 -08:00
2018-03-11 00:40:49 -08:00
\begin { formulae}
\item $ \AuthSignPrivate : = \PRFexpand { \SpendingKey } ( 0 ) $
\item $ \AuthProvePrivate : = \PRFexpand { \SpendingKey } ( 1 ) $
\end { formulae}
} %sapling
2018-02-07 03:53:07 -08:00
\newsavebox { \crhivkinputbox }
\begin { lrbox} { \crhivkinputbox }
2018-02-26 01:44:19 -08:00
\begin { bytefield} [bitwidth=0.06em]{ 512}
2018-02-07 03:53:07 -08:00
\sapling {
2018-03-18 14:45:27 -07:00
\sbitbox { 256} { $ 256 $ -bit $ \reprJOf { \AuthSignPublic } $ } &
\sbitbox { 256} { $ 256 $ -bit $ \reprJOf { \AuthProvePublic } $ }
2018-02-07 03:53:07 -08:00
}
\end { bytefield}
\end { lrbox}
\sapling {
2018-01-29 15:08:08 -08:00
\introlist
2018-03-11 00:40:49 -08:00
$ \AuthSignPublic $ , $ \AuthProvePublic $ , and $ \InViewingKey $ are then derived as follows:
2018-01-29 15:08:08 -08:00
2018-03-18 16:57:09 -07:00
\begin { tabular} { @{ \hskip 1.7em} r@{ \; } l}
2018-02-07 03:53:07 -08:00
$ \AuthSignPublic $ & $ : = \scalarmult { \AuthSignPrivate } { \AuthSignBase } $ \\
$ \AuthProvePublic $ & $ : = \scalarmult { \AuthProvePrivate } { \AuthProveBase } $ \\
2018-02-26 01:44:19 -08:00
$ \InViewingKey $ & $ : = \CRHivkBox { \crhivkinputbox } $ .
2018-01-29 15:08:08 -08:00
\end { tabular}
2018-02-07 03:53:07 -08:00
\vspace { 2ex}
As explained in \crossref { addressesandkeys} , \Sapling allows the efficient
creation of multiple \diversifiedPaymentAddresses with the same spending
authority. A group of such addresses shares the same \fullViewingKey and
\incomingViewingKey .
To create a new \diversifiedPaymentAddress given an \incomingViewingKey
2018-03-18 13:33:07 -07:00
$ \InViewingKey $ , repeatedly pick a \diversifier $ \Diversifier $ uniformly at
random from $ \DiversifierType $ until
$ \DiversifiedTransmitBase = \DiversifyHash ( \Diversifier ) $ is not $ \bot $ .
2018-02-07 03:53:07 -08:00
Then calculate:
2018-01-29 15:08:08 -08:00
2018-03-18 13:33:07 -07:00
\begin { formulae}
\item $ \DiversifiedTransmitPublic : = \KASaplingDerivePublic ( \InViewingKey , \DiversifiedTransmitBase ) $ .
\end { formulae}
2018-01-29 15:08:08 -08:00
2018-02-07 03:53:07 -08:00
The resulting \diversifiedPaymentAddress is $ ( \Diversifier , \DiversifiedTransmitPublic ) $ .
\begin { pnotes}
\item The protocol does not prevent using the \diversifier $ \Diversifier $ to produce
\quotedterm { vanity} addresses that start with a meaningful string when
encoded in Bech32 (see \crossref { saplingpaymentaddrencoding} ).
Users and writers of software that generates addresses should be aware that
this provides weaker privacy properties than a randomly chosen \diversifier:
a vanity address is trivially distinguishable from a randomly generated one,
and may leak more information than intended about who created it.
\item Similarly, address generators \MAY encode information in the \diversifier
that can be recovered by the recipient of a payment to determine which
\diversifiedPaymentAddress was used. It is \RECOMMENDED that such \diversifiers
be randomly chosen unique byte sequences used to index into a database, rather
than directly encoding the needed data.
\end { pnotes}
2018-03-09 20:11:23 -08:00
} %sapling
2018-01-29 15:08:08 -08:00
2018-02-26 01:44:19 -08:00
2018-03-12 15:51:20 -07:00
\subsection { \JoinSplitDescriptions } \label { joinsplitdesc}
2015-12-14 09:03:59 -08:00
2016-09-02 20:01:08 -07:00
A \joinSplitTransfer , as specified in \crossref { joinsplit} , is encoded in
\transactions as a \joinSplitDescription .
2016-03-28 17:16:06 -07:00
2016-09-02 20:01:08 -07:00
Each \transaction includes a sequence of zero or more \joinSplitDescriptions .
When this sequence is non-empty, the \transaction also includes encodings of a
2016-09-05 13:14:29 -07:00
$ \JoinSplitSig $ public verification key and signature.
2016-03-30 07:18:50 -07:00
2017-01-19 18:24:49 -08:00
\introlist
2017-12-16 16:10:47 -08:00
A \joinSplitDescription consists of $ ( \vpubOld , \vpubNew , \rt , \nfOld { \allOld } ,
2018-01-29 15:08:08 -08:00
\cmNew { \allNew } , \EphemeralPublic , \RandomSeed , \h { \allOld } , \ProofJoinSplit ,
2017-12-16 16:10:47 -08:00
\TransmitCiphertext { \allNew } )$
2016-03-17 18:20:44 -07:00
2016-09-02 20:01:08 -07:00
where
\begin { itemize}
\item \changed { $ \vpubOld \typecolon \range { 0 } { \MAXMONEY } $ is
the value that the \joinSplitTransfer removes from the \transparentValuePool } ;
\item $ \vpubNew \typecolon \range { 0 } { \MAXMONEY } $ is
the value that the \joinSplitTransfer inserts into the \transparentValuePool ;
\item $ \rt \typecolon \MerkleHash $ is an \anchor , as defined in
\crossref { blockchain} , for the output \treestate of either
a previous \block , or a previous \joinSplitTransfer in this
\transaction .
2016-09-18 17:57:28 -07:00
\item $ \nfOld { \allOld } \typecolon \typeexp { \PRFOutput } { \NOld } $ is
2016-09-02 20:01:08 -07:00
the sequence of \nullifiers for the input \notes ;
2018-02-07 03:53:07 -08:00
\item $ \cmNew { \allNew } \typecolon \typeexp { \NoteCommitSproutOutput } { \NNew } $ is
2016-09-02 20:01:08 -07:00
the sequence of \noteCommitments for the output \notes ;
2018-02-07 03:53:07 -08:00
\item \changed { $ \EphemeralPublic \typecolon \KASproutPublic $ is
2016-09-02 20:01:08 -07:00
a key agreement public key, used to derive the key for encryption
of the \notesCiphertext (\crossref { inband} )} ;
\item \changed{$\RandomSeed \typecolon \RandomSeedType$ is
a seed that must be chosen independently and uniformly at random for each
\joinSplitDescription. It is an input to $\hSig$ (below), and hence, via
$\PRFrho{}$ (\crossref{sproutsend}), to the $\NoteAddressRandNew{\allNew}$
of the output \notes; reusing it would undermine the uniqueness of those values};
2016-09-18 17:57:28 -07:00
\item $ \h { \allOld } \typecolon \typeexp { \PRFOutput } { \NOld } $ is
2016-09-02 20:01:08 -07:00
a sequence of tags that bind $ \hSig $ to each
$ \AuthPrivate $ of the input \notes ;
2018-01-29 15:08:08 -08:00
\item $ \ProofJoinSplit \typecolon \JoinSplitProof $ is
2016-09-02 20:01:08 -07:00
the \zeroKnowledgeProof for the \joinSplitStatement ;
2016-09-18 17:57:28 -07:00
\item $ \TransmitCiphertext { \allNew } \typecolon \typeexp { \Ciphertext } { \NNew } $ is
2016-09-02 20:01:08 -07:00
a sequence of ciphertext components for the encrypted output \notes .
\end { itemize}
2015-12-14 09:03:59 -08:00
2016-03-28 18:28:07 -07:00
The $ \ephemeralKey $ and $ \encCiphertexts $ fields together form the \notesCiphertext .
2015-12-14 09:03:59 -08:00
2017-01-19 18:24:49 -08:00
\introlist
2016-09-26 13:32:08 -07:00
The value $ \hSig $ is also computed from \changed { $ \RandomSeed $ , $ \nfOld { \allOld } $ , and} the
2016-09-03 19:46:42 -07:00
$ \joinSplitPubKey $ of the containing \transaction :
2017-01-19 14:46:40 -08:00
\begin { formulae}
\item $ \hSig : = \hSigCRH ( \changed { \RandomSeed , \nfOld { \allOld } , \, } \joinSplitPubKey ) $ .
\end { formulae}
2016-09-03 19:46:42 -07:00
$ \hSigCRH $ is instantiated in \crossref { hsigcrh} .
2016-02-07 14:37:36 -08:00
2016-09-03 20:28:29 -07:00
\begin { consensusrules}
\item Elements of a \joinSplitDescription { } \MUST have the types given
above (for example: $ 0 \leq \vpubOld \leq \MAXMONEY $ and $ 0 \leq \vpubNew \leq \MAXMONEY $ ).
\item Either $ \vpubOld $ or $ \vpubNew $ \MUST be zero.
2017-12-01 18:00:10 -08:00
\item The proof $ \Proof { \JoinSplit } $ \MUST be valid given a \primaryInput formed
2016-09-03 20:28:29 -07:00
from the other fields and $ \hSig $ .
2018-01-30 16:52:59 -08:00
I.e.\ it must be the case that $ \JoinSplitVerify { } ( ( \rt , \nfOld { \allOld } , \cmNew { \allNew } ,
2017-12-01 18:00:10 -08:00
\vpubOld , \vpubNew , \hSig , \h { \allOld } ), \Proof { \JoinSplit } ) = 1$ .
2016-09-03 20:28:29 -07:00
\end { consensusrules}
2016-02-07 14:37:36 -08:00
2018-02-26 01:44:19 -08:00
\sapling {
2018-03-12 15:51:20 -07:00
\subsection { \SpendDescriptions } \label { spenddesc}
2018-02-26 01:44:19 -08:00
A \spendTransfer , as specified in \crossref { spendsandoutputs} , is encoded in
\transactions as a \spendDescription .
Each \transaction includes a sequence of zero or more \spendDescriptions .
Unlike a \joinSplitSignature, of which there is at most one per \transaction
and which covers all of its \joinSplitDescriptions, \emph{each} \spendDescription
is authorized by its own signature, called the \spendAuthSignature.
\introlist
2018-03-18 14:43:57 -07:00
A \spendDescription consists of $ ( \cv , \rt , \nf , \AuthSignRandomizedPublic , \ProofSpend , \spendAuthSig ) $
2018-02-26 01:44:19 -08:00
where
\begin { itemize}
2018-03-11 07:02:22 -07:00
\item $ \cv \typecolon \ValueCommitOutput $ is the \valueCommitment to the value of the input \note ;
2018-02-26 01:44:19 -08:00
\item $ \rt \typecolon \MerkleHashSapling $ is an \anchor , as defined in
\crossref { blockchain} , for the output \treestate of a previous \block .
2018-03-18 14:43:57 -07:00
\item $ \nf \typecolon \bitseq { \PRFOutputLengthSapling } $ is the \nullifier for the input \note ;
\item $\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic$ is a randomized public key
under which $\spendAuthSig$ \MUST be verified (see the consensus rules below);
2018-03-16 08:58:23 -07:00
\item $ \ProofSpend \typecolon \SpendProof $ is the \zeroKnowledgeProof for the \spendStatement ;
2018-02-26 01:44:19 -08:00
\item $ \spendAuthSig \typecolon \SpendAuthSigSignature $ is a signature authorizing this spend.
\end { itemize}
\begin { consensusrules}
\item Elements of a \spendDescription { } \MUST have the types given above.
\item The proof $ \Proof { \Spend } $ \MUST be valid given a \primaryInput formed
from the other fields except $ \spendAuthSig $ .
2018-02-26 03:41:15 -08:00
I.e.\ it must be the case that $ \SpendVerify { } ( ( \cv , \rt , \nf ) , \Proof { \Spend } ) = 1 $ .
2018-02-26 01:44:19 -08:00
\item The \spendAuthSignature { } \MUST be a valid $ \SpendAuthSig $ signature using
2018-03-18 14:43:57 -07:00
$ \AuthSignRandomizedPublic $ as the public key, over \todo { ...}
2018-02-26 01:44:19 -08:00
\end { consensusrules}
2018-03-09 20:11:23 -08:00
} %sapling
2018-02-26 01:44:19 -08:00
2018-03-09 20:11:23 -08:00
\sapling {
2018-03-12 15:51:20 -07:00
\subsection { \OutputDescriptions } \label { outputdesc}
2018-02-26 01:44:19 -08:00
An \outputTransfer , as specified in \crossref { spendsandoutputs} , is encoded in
\transactions as an \outputDescription .
Each \transaction includes a sequence of zero or more \outputDescriptions .
There are no signatures associated with \outputDescriptions .
\introlist
An \outputDescription consists of $ ( \cv , \cm , \EphemeralPublic , \TransmitCiphertext { } , \ProofOutput ) $
where
\begin { itemize}
2018-03-11 07:02:22 -07:00
\item $ \cv \typecolon \ValueCommitOutput $ is the \valueCommitment to the value of the output \note ;
\item $ \cm \typecolon \NoteCommitSaplingOutput $ is the \noteCommitment for the output \note ;
2018-02-26 01:44:19 -08:00
\item $ \EphemeralPublic \typecolon \KASaplingPublic $ is
a key agreement public key, used to derive the key for encryption
of the \notesCiphertext (\crossref { inband} );
\item $ \TransmitCiphertext { } \typecolon \Ciphertext $ is
a ciphertext component for the encrypted output \note .
\item $ \ProofOutput \typecolon \OutputProof $ is
the \zeroKnowledgeProof for the \outputStatement .
\end { itemize}
\begin { consensusrules}
\item Elements of an \outputDescription { } \MUST have the types given above.
\item The proof $\Proof{\Output}$ \MUST be valid given a \primaryInput formed
from the other fields except $\TransmitCiphertext{}$.
I.e.\ it must be the case that the verification algorithm for the \outputStatement
(the analogue of $\SpendVerify{}$ for \outputDescriptions) accepts
$((\cv, \cm, \EphemeralPublic), \Proof{\Output})$.
% FIXME: an earlier revision wrote this as \SpendVerify{}(...) = 1, i.e.\ using the
% \spendStatement verifier; a distinct verifier for the \outputStatement is needed here.
\end { consensusrules}
2018-03-09 20:11:23 -08:00
} %sapling
2018-02-26 01:44:19 -08:00
2017-01-19 18:24:49 -08:00
\introlist
2018-03-12 15:51:20 -07:00
\subsection { Sending \Notes } \label { send}
2016-02-07 14:37:36 -08:00
2018-03-12 15:51:20 -07:00
\notsprout { \subsubsection { Sending \Notes { } (\Sprout )} } \label { sproutsend}
2018-02-07 03:53:07 -08:00
2016-10-27 20:39:04 -07:00
In order to send \shielded value, the sender constructs a \transaction
2016-09-03 20:13:30 -07:00
containing one or more \joinSplitDescriptions . This involves first generating
2016-09-05 13:14:29 -07:00
a new $ \JoinSplitSig $ key pair:
2017-01-19 14:46:40 -08:00
\begin { formulae}
\item $ ( \joinSplitPrivKey , \joinSplitPubKey ) \leftarrowR \JoinSplitSigGen ( ) $ .
\end { formulae}
2015-12-14 09:03:59 -08:00
2017-01-19 18:24:49 -08:00
\introlist
2016-09-03 20:13:30 -07:00
For each \joinSplitDescription , the sender chooses $ \RandomSeed $ uniformly at
random on $ \bitseq { \RandomSeedLength } $ , and selects
the input \notes . At this point there is sufficient information to compute $ \hSig $ ,
2016-09-26 13:32:08 -07:00
as described in the previous section. \changed { The sender also chooses $ \NoteAddressPreRand $
uniformly at random on $ \bitseq { \NoteAddressPreRandLength } $ .}
2016-09-03 20:13:30 -07:00
Then it creates each output \note with index $ i \typecolon \setofNew $ as follows:
2017-01-19 18:24:49 -08:00
2016-09-03 20:13:30 -07:00
\begin { itemize}
\item Choose $ \NoteCommitRandNew { i } $ uniformly at random on $ \bitseq { \NoteCommitRandLength } $ .
2016-09-26 13:32:08 -07:00
\changed {
2018-03-06 14:16:55 -08:00
\item Compute $ \NoteAddressRandNew { i } = \PRFrho { \NoteAddressPreRand } ( i, \hSig ) $ .
2016-09-26 13:32:08 -07:00
}
2016-09-03 20:13:30 -07:00
\item Encrypt the \note to the recipient \transmissionKey $ \TransmitPublicNew { i } $ ,
as described in \crossref { inband} , giving the ciphertext component
$ \TransmitCiphertext { i } $ .
\end { itemize}
In order to minimize information leakage, the sender \SHOULD randomize the order
of the input \notes and of the output \notes . Other considerations relating to
information leakage from the structure of \transactions are beyond the
scope of this specification.
2017-01-19 18:24:49 -08:00
\introlist
2016-09-05 13:14:29 -07:00
After generating all of the \joinSplitDescriptions , the sender obtains the
$ \dataToBeSigned $ (\crossref { nonmalleability} ), and signs it with
the private \joinSplitSigningKey :
2017-01-19 14:46:40 -08:00
\begin { formulae}
\item $ \joinSplitSig \leftarrowR \JoinSplitSigSign { \text { \small \joinSplitPrivKey } } ( \dataToBeSigned ) $
\end { formulae}
2016-09-05 13:14:29 -07:00
Then the encoded \transaction including $ \joinSplitSig $ is submitted to the network.
2016-09-03 20:13:30 -07:00
2018-03-16 08:58:23 -07:00
\introlist
2018-03-12 15:51:20 -07:00
\subsubsection { \DummyNotes \notsprout { (\Sprout )} } \label { dummynotes}
2016-09-03 20:13:30 -07:00
The fields in a \joinSplitDescription allow for $ \NOld $ input \notes , and
$ \NNew $ output \notes . In practice, we may wish to encode a \joinSplitTransfer
with fewer input or output \notes . This is achieved using \dummyNotes .
2017-01-19 18:24:49 -08:00
\introlist
2016-09-26 13:32:08 -07:00
\changed {
2016-09-03 20:13:30 -07:00
A \dummy input \note , with index $ i $ in the \joinSplitDescription , is constructed
as follows:
2017-01-19 18:24:49 -08:00
2016-09-03 20:13:30 -07:00
\begin { itemize}
\item Generate a new random \spendingKey $ \AuthPrivateOld { i } $ and derive its
\payingKey $ \AuthPublicOld { i } $ .
\item Set $ \vOld { i } : = 0 $ .
\item Choose $ \NoteAddressRandOld { i } $ uniformly at random on $ \PRFOutput $ .
\item Choose $ \NoteCommitRandOld { i } $ uniformly at random on $ \bitseq { \NoteCommitRandLength } $ .
\item Compute $ \nfOld { i } : = \PRFnf { \AuthPrivateOld { i } } ( \NoteAddressRandOld { i } ) $ .
\item Construct a \dummy \merklePath $ \treepath { i } $ for use in the
\auxiliaryInput to the \joinSplitStatement (this will not be checked).
2017-02-24 22:23:37 -08:00
\item When generating the \joinSplitProof \! \! , set $ \EnforceMerklePath { i } $ to $ 0 $ .
2016-09-03 20:13:30 -07:00
\end { itemize}
2016-09-26 13:32:08 -07:00
}
2016-09-03 20:13:30 -07:00
A \dummy output \note is constructed as normal but with zero value, and
sent to a freshly generated random \paymentAddress, so that it is encrypted and
encoded in the same way as a real output \note.
2015-12-14 09:03:59 -08:00
2018-02-07 03:53:07 -08:00
\sapling {
2018-03-16 08:58:23 -07:00
\introlist
2018-03-12 15:51:20 -07:00
\subsubsection { Sending \Notes { } (\Sapling )} \label { saplingsend}
2018-02-07 03:53:07 -08:00
In order to send \shielded value, the sender constructs a \transaction
2018-02-26 01:44:19 -08:00
containing one or more \shieldedOutputs .
2018-02-07 03:53:07 -08:00
Let $ \OutputIndexType $ be the type $ \range { 0 } { 2 ^ { 32 } - 1 } $ .
\introlist
For each \outputDescription with index $ \OutputIndex \typecolon \OutputIndexType $ , the sender
selects a value $ \ValueNew { \OutputIndex } $ and a destination \Sapling \paymentAddress
$ ( \Diversifier , \DiversifiedTransmitPublic ) $ , and then performs the following steps:
\begin { enumerate}
\item Check that $\DiversifiedTransmitPublic$ is a valid compressed representation of
an Edwards point on the \jubjubCurve and this point is not of small order
(i.e.\ $\abstJOf{\DiversifiedTransmitPublic} \neq \bot$ and
$\scalarmult{8}{\abstJOf{\DiversifiedTransmitPublic}} \neq \ZeroJ$).
This check matters because $\DiversifiedTransmitPublic$ is the recipient's key
in the key agreement below: a small-order point would confine $\DHSecret{}$ to a
small set regardless of the choice of $\EphemeralPrivate$.
2018-02-07 03:53:07 -08:00
2018-03-18 13:33:07 -07:00
\item Calculate $ \DiversifiedTransmitBase = \DiversifyHash ( \Diversifier ) $
2018-02-07 03:53:07 -08:00
and check that $ \DiversifiedTransmitBase \neq \bot $ .
\item Choose $ \EphemeralPrivate $ uniformly at random on $ \range { 0 } { \ParamJ { r } - 1 } $ .
\item Choose independent random commitment trapdoors:
\begin { tabular} { @{ \hskip 2em} r@{ \; } l}
2018-02-26 01:44:19 -08:00
$ \ValueCommitRandNew { \OutputIndex } $ & $ \typecolon \ValueCommitTrapdoor $ \\
$ \NoteCommitRandNew { \OutputIndex } $ & $ \typecolon \NoteCommitSaplingTrapdoor $
2018-02-07 03:53:07 -08:00
\end { tabular}
\item Calculate
\begin { tabular} { @{ \hskip 2em} r@{ \; } l}
2018-03-11 14:29:49 -07:00
$ \cvNew { \OutputIndex } $ & $ : = \ValueCommit { \ValueCommitRandNew { \OutputIndex } } ( \ValueNew { \OutputIndex } ) $ \\ [1ex]
2018-02-26 01:44:19 -08:00
$ \cmNew { \OutputIndex } $ & $ : =
2018-03-18 14:43:57 -07:00
\NoteCommitSapling { \NoteCommitRandNew { \OutputIndex } } (\reprJOf { \DiversifiedTransmitBase } ,
\reprJOf { \DiversifiedTransmitPublic } ,
\ValueNew { \OutputIndex } )$ \\ [ 1 ex ]
2018-03-18 16:57:09 -07:00
$ \EphemeralPublic $ & $ : = \KASaplingDerivePublic ( \EphemeralPrivate , \DiversifiedTransmitBase ) $ \\
$ \DHSecret { } $ & $ : = \KASaplingAgree ( \EphemeralPrivate , \DiversifiedTransmitPublic ) $ .
2018-02-07 03:53:07 -08:00
\end { tabular}
2018-02-26 01:44:19 -08:00
\item Let $ \Key : = \KDFSapling ( \OutputIndex , \DHSecret { } , \EphemeralPublic ) $ .
2018-02-07 03:53:07 -08:00
\item Let $ \Ptext $ be the raw encoding of the \notePlaintext
2018-02-26 01:44:19 -08:00
$ ( \Diversifier , \ValueNew { \OutputIndex } , \NoteCommitRandNew { \OutputIndex } , \Memo ) $ .
2018-02-07 03:53:07 -08:00
2018-03-18 16:54:36 -07:00
(See \crossref { notept} .)
2018-02-07 03:53:07 -08:00
\item Encrypt $\Ptext$ using the IETF version of $\SymSpecific$, with empty associated data,
all zero $96$-bit nonce, and $256$-bit key $\Key$, giving $\Ctext$.
(A fixed nonce is acceptable only because $\Key$ is never reused: it is derived
from $\EphemeralPrivate$, which is chosen freshly for each \outputDescription,
together with $\OutputIndex$. Implementations \MUSTNOT reuse $\EphemeralPrivate$
across \outputDescriptions.)
\item Generate a proof $ \ProofOutput $ for the \outputCircuit described below.
2018-02-26 01:44:19 -08:00
\item Return $ ( \cvNew { \OutputIndex } , \cmNew { \OutputIndex } , \EphemeralPublic , \Ctext , \ProofOutput ) $ .
2018-02-07 03:53:07 -08:00
% \item Encrypt the \note to the recipient \transmissionKey $\TransmitPublicNew{i}$,
% as described in \crossref{inbandsapling}, giving the ciphertext component
% $\TransmitCiphertext{i}$.
\end { enumerate}
In order to minimize information leakage, the sender \SHOULD randomize the order
of the \spendDescriptions and of the \outputDescriptions within the \transaction.
Other considerations relating to information leakage from the structure of
\transactions are beyond the scope of this specification.
2018-02-26 01:44:19 -08:00
The encoded \transaction is submitted to the network.
2018-03-18 13:57:20 -07:00
2018-03-18 16:54:36 -07:00
\todo { The actual encryption should be split into a subsection of \crossref { inband}
as it is for \Sprout .}
2018-03-18 13:57:20 -07:00
\todo { Receiving a \Sapling note.}
2018-03-09 20:11:23 -08:00
} %sapling
2016-09-03 17:08:02 -07:00
2018-03-16 08:58:23 -07:00
\introsection
2018-03-12 15:51:20 -07:00
\subsection { Merkle path validity} \label { merklepath}
2016-09-03 17:08:02 -07:00
2018-02-07 03:53:07 -08:00
\sprout {
2016-09-03 17:08:02 -07:00
The depth of the \noteCommitmentTree is $ \MerkleDepth $ (defined in \crossref { constants} ).
2018-03-09 20:11:23 -08:00
} %sprout
2018-02-07 03:53:07 -08:00
\notsprout {
Let $ \MerkleDepth $ be $ \MerkleDepthSprout $ for the \Sprout \noteCommitmentTree \sapling { ,
or $ \MerkleDepthSapling $ for the \Sapling \noteCommitmentTree } . These constants are
defined in \crossref { constants} .
Similarly, let $\MerkleCRH$ be $\MerkleCRHSprout$ for \Sprout\sapling{, or $\MerkleCRHSapling$
for \Sapling}.
The following discussion applies independently to the \Sprout and \Sapling \noteCommitmentTrees .
2018-03-09 20:11:23 -08:00
} %notsprout
2016-06-01 06:58:52 -07:00
Each \merkleNode in the \incrementalMerkleTree is associated with a \merkleHash ,
2018-03-16 08:58:23 -07:00
which is a bit sequence.
The \merkleLayer numbered $ h $ , counting from \merkleLayer $ 0 $ at the \merkleRoot ,
has $ 2 ^ h $ \merkleNodes with \merkleIndices $ 0 $ to $ 2 ^ h - 1 $ inclusive.
2016-06-01 06:58:52 -07:00
Let $ \MerkleNode { h } { i } $ be the \merkleHash associated with the \merkleNode at
\merkleIndex $ i $ in \merkleLayer $ h $ .
The \merkleNodes at \merkleLayer $ \MerkleDepth $ are called \merkleLeafNodes .
When a \noteCommitment is added to the tree, it occupies the \merkleLeafNode
2018-02-26 01:44:19 -08:00
\merkleHash $ \MerkleNode { \MerkleDepth } { i } $ for the next available $ i $ .
As-yet unused \merkleLeafNodes are associated with a distinguished \merkleHash
$ \UncommittedSprout $ \sapling { or $ \UncommittedSapling $ } .
2016-06-01 06:58:52 -07:00
It is assumed to be infeasible to find a preimage \note $ \NoteTuple { } $ such that
2018-02-26 01:44:19 -08:00
$ \NoteCommitmentSprout ( \NoteTuple { } ) = \UncommittedSprout $ .
\sapling { (No similar assumption is needed for \Sapling because we use a representation
2018-03-11 14:29:49 -07:00
for $ \UncommittedSapling $ that cannot occur as an output of $ \NoteCommitmentSapling $ .)}
2016-06-01 06:58:52 -07:00
2017-01-19 18:24:49 -08:00
\introlist
2018-02-26 01:44:19 -08:00
The \merkleNodes at \merkleLayers $ 0 $ to $ \MerkleDepth - 1 $ inclusive are called
2016-06-01 06:58:52 -07:00
\merkleInternalNodes , and are associated with $ \MerkleCRH $ outputs.
\MerkleInternalNodes are computed from their children in the next \merkleLayer
as follows: for $ 0 \leq h < \MerkleDepth $ and $ 0 \leq i < 2 ^ h $ ,
2017-01-19 14:46:40 -08:00
\begin { formulae}
\item $ \MerkleNode { h } { i } : = \MerkleCRH ( \MerkleNode { h + 1 } { 2 i } , \MerkleNode { h + 1 } { 2 i + 1 } ) $ .
\end { formulae}
2016-06-01 06:58:52 -07:00
2017-01-19 18:24:49 -08:00
\introlist
2016-06-01 06:58:52 -07:00
A \merklePath from \merkleLeafNode $ \MerkleNode { \MerkleDepth } { i } $ in the
\incrementalMerkleTree is the sequence
2017-01-19 14:46:40 -08:00
\begin { formulae}
\item $ \listcomp { \MerkleNode { h } { \MerkleSibling ( h, i ) } \for
h \from \MerkleDepth \downto 1} $ ,
\end { formulae}
2016-06-01 06:58:52 -07:00
where
2017-01-19 14:46:40 -08:00
\begin { formulae}
2018-03-11 14:29:49 -07:00
\item $ \MerkleSibling ( h, i ) : = \floor { \frac { i } { \strut 2 ^ { \MerkleDepth - h } } } \xor 1 $
2017-01-19 14:46:40 -08:00
\end { formulae}
2016-06-01 06:58:52 -07:00
2016-08-09 13:54:50 -07:00
Given such a \merklePath , it is possible to verify that \merkleLeafNode
$ \MerkleNode { \MerkleDepth } { i } $ is in a tree with a given \merkleRoot $ \rt = \MerkleNode { 0 } { 0 } $ .
2016-06-01 06:58:52 -07:00
2018-03-12 15:51:20 -07:00
\subsection { Non-malleability} \label { nonmalleability}
2015-12-14 09:03:59 -08:00
2016-03-30 07:18:50 -07:00
\Bitcoin defines several \sighashTypes that cover various parts of a transaction.
2016-09-03 20:22:46 -07:00
\changed { In \Zcash , all of these \sighashTypes are extended to cover the \Zcash -specific
2016-09-05 13:14:29 -07:00
fields $ \nJoinSplit $ , $ \vJoinSplit $ , and (if present) $ \joinSplitPubKey $ , described in
\crossref { txnencoding} . They \emph { do not} cover the field $ \joinSplitSig $ .
2016-03-30 07:18:50 -07:00
2016-06-01 06:58:52 -07:00
\consensusrule {
2016-04-04 09:29:16 -07:00
If $ \nJoinSplit > 0 $ , the \transaction { } \MUSTNOT use \sighashTypes other than
2016-03-30 07:18:50 -07:00
$ \SIGHASHALL $ .
2016-06-01 06:58:52 -07:00
}
2016-09-03 20:22:46 -07:00
}
2016-03-30 07:18:50 -07:00
2018-03-16 08:58:23 -07:00
\vspace { 3ex}
2016-09-03 20:22:46 -07:00
Let $ \dataToBeSigned $ be the hash of the \transaction { } \changed { using the $ \SIGHASHALL $
\sighashType } . \changed { This \emph { excludes} all of the $ \scriptSig $ fields in
the non-\Zcash -specific parts of the \transaction .}
2016-03-15 18:36:37 -07:00
2016-03-28 18:28:50 -07:00
In order to ensure that a \joinSplitDescription is cryptographically bound to the
2016-09-03 17:08:02 -07:00
\transparent inputs and outputs corresponding to $ \vpubNew $ and $ \vpubOld $ , and
2016-09-05 13:14:29 -07:00
to the other \joinSplitDescriptions in the same \transaction , an ephemeral $ \JoinSplitSig $
2016-03-15 18:36:37 -07:00
key pair is generated for each \transaction , and the $ \dataToBeSigned $ is
signed with the private signing key of this key pair. The corresponding public
verification key is included in the \transaction encoding as $ \joinSplitPubKey $ .
$ \JoinSplitSig $ is instantiated in \crossref { concretejssig} .
\changed {
If $ \nJoinSplit $ is zero, the $ \joinSplitPubKey $ and $ \joinSplitSig $ fields are
omitted. Otherwise, a \transaction has a correct \joinSplitSignature if and only if
$ \JoinSplitSigVerify { \text { \small \joinSplitPubKey } } ( \dataToBeSigned , \joinSplitSig ) = 1 $ .
% FIXME: distinguish pubkey and signature from their encodings.
}
\introsection
Let $ \hSig $ be computed as specified in \crossref { joinsplitdesc} .
Let $ \PRFpk { } $ be as defined in \crossref { abstractprfs} .
For each $ i \in \setofOld $ , the creator of a \joinSplitDescription calculates
$ \h { i } = \PRFpk { \AuthPrivateOld { i } } ( i, \hSig ) $ .
The correctness of $ \h { \allOld } $ is enforced by the \joinSplitStatement
given in \crossref { sproutnonmalleablejs} . This ensures that a holder of
all of the $ \AuthPrivateOld { \allOld } $ for every \joinSplitDescription in the
\transaction has authorized the use of the private signing key corresponding
to $ \joinSplitPubKey $ to sign this \transaction .
\saplingonward {
\todo { Specify the \spendAuthSignature .}
}
\subsection { Balance} \label { balance} \label { saplingbalance}
A \joinSplitTransfer can be seen, from the perspective of the \transaction , as
an input \changed { and an output simultaneously} .
\changed { $ \vpubOld $ takes value from the \transparentValuePool and}
$ \vpubNew $ adds value to the \transparentValuePool . As a result, \changed { $ \vpubOld $ is
treated like an \emph { output} value, whereas} $ \vpubNew $ is treated like an
\emph { input} value.
\changed {
Unlike original \Zerocash \cite { BCG+2014} , \Zcash does not have
a distinction between Mint and Pour operations. The addition of $ \vpubOld $ to a
\joinSplitDescription subsumes the functionality of both Mint and Pour.
Also, a difference in the number of real input \notes does not by itself cause two
\joinSplitDescriptions to be distinguishable.
As stated in \crossref { joinsplitdesc} , either $ \vpubOld $ or $ \vpubNew $ \MUST be zero.
No generality is lost because, if a \transaction in which both $ \vpubOld $ and
$ \vpubNew $ were nonzero were allowed, it could be replaced by an equivalent one
in which $ \minimum ( \vpubOld , \vpubNew ) $ is subtracted from both of these values.
This restriction helps to avoid unnecessary distinctions between \transactions
according to client implementation.
}
\sapling { \todo { Add details of balance checking for \Sapling \transactions .} }
\subsection { \NoteCommitments { } and \Nullifiers } \label { commitmentsandnullifiers}
A \transaction that contains one or more
\joinSplitDescriptions \sapling { or \spendDescriptions } , when entered
into the \blockchain , appends to the \noteCommitmentTree with all constituent
\noteCommitments .
All of the constituent \nullifiers are also entered into the
\nullifierSet of the associated \treestate . A \transaction is not valid if it
would have added a \nullifier to the \nullifierSet that already exists in the set
(see \crossref { nullifierset} ).
\sprout { Each} \notsprout { In \Sprout , each} \note has a $ \NoteAddressRand $ component.
\sapling {
In \Sapling , each \positionedNote has an associated $ \NoteAddressRand $ value which
is computed from its \noteCommitment $ \cm $ and \notePosition $ \NotePosition $
as follows:
\begin { formulae}
\item $ \NoteAddressRand : = \MixingPedersenHash ( \cm , \NotePosition ) $ .
\end { formulae}
$ \MixingPedersenHash $ is defined in \crossref { concretemixinghash} .
} %sapling
Let $ \PRFnf { } { } $ \sapling { and $ \PRFnfSapling { } { } $ } be as instantiated in \crossref { concreteprfs} .
\sprout { The \nullifier of a \note } \notsprout { For a \Sprout { } \note , the \nullifier }
is derived as $ \PRFnf { \AuthPrivate } ( \NoteAddressRand ) $ .
\sapling {
For a \Sapling { } \note , the \nullifier is derived as
$ \PRFnfSapling { \AuthProvePublic } ( \NoteAddressRand ) $ .
} %sapling
\intropart
\subsection { \ZkSNARKStatements } \label { snarkstatements}
\subsubsection { \JoinSplitStatement { } \pSproutOrNothing } \label { joinsplitstatement}
A valid instance of $ \ProofJoinSplit $ assures that given a \primaryInput :
\begin { formulae}
\item $ ( \rt \typecolon \MerkleHashSprout , \\
\hparen \nfOld { \allOld } \typecolon \typeexp { \PRFOutput } { \NOld } ,\vspace { 0.4ex} \\
\hparen \cmNew { \allNew } \typecolon \typeexp { \NoteCommitSproutOutput } { \NNew } ,\vspace { 0.8ex} \\
\hparen \changed { \vpubOld \typecolon \range { 0} { 2^ { 64} -1} ,} \vspace { 0.4ex} \\
\hparen \vpubNew \typecolon \range { 0} { 2^ { 64} -1} ,\\
\hparen \hSig \typecolon \hSigType ,\\
\hparen \h { \allOld } \typecolon \smash { \typeexp { \PRFOutput } { \NOld } )} $ ,
\end { formulae}
\vspace { -1ex}
\introlist
the prover knows an \auxiliaryInput :
\begin { formulae}
\item $ ( \treepath { \allOld } \typecolon \typeexp { \typeexp { \MerkleHashSprout } { \MerkleDepthSprout }
\times \NotePositionTypeSprout } { \NOld } ,\\
\hparen \nOld { \allOld } \typecolon \typeexp { \NoteTypeSprout } { \NOld } ,\\
\hparen \AuthPrivateOld { \allOld } \typecolon \typeexp { \bitseq { \AuthPrivateLength } } { \NOld } ,\\
\hparen \nNew { \allNew } \typecolon \typeexp { \NoteTypeSprout } { \NNew } \changed { ,} \vspace { 0.8ex} \\
\hparen \changed { \NoteAddressPreRand \typecolon \bitseq { \NoteAddressPreRandLength } ,} \\
\hparen \changed { \EnforceMerklePath { \allOld } \typecolon \bitseq { \NOld } } )$ ,
\end { formulae}
\vspace { -1ex}
\introlist
where:
\begin { formulae}
\item for each $ i \in \setofOld $ : $ \nOld { i } = ( \AuthPublicOld { i } ,
\vOld { i} , \NoteAddressRandOld { i} , \NoteCommitRandOld { i} )$ ;
\item for each $ i \in \setofNew $ : $ \nNew { i } = ( \AuthPublicNew { i } ,
\vNew { i} , \NoteAddressRandNew { i} , \NoteCommitRandNew { i} )$
\end { formulae}
\introlist
such that the following conditions hold:
\vspace { 2ex}
\snarkcondition { Merkle path validity} \label { sproutmerklepathvalidity}
for each $ i \in \setofOld $ \changed { $ \mid $ $ \EnforceMerklePath { i } = 1 $ } :
$ \treepath { i } $ is a valid \merklePath (see \crossref { merklepath} ) of depth
$ \MerkleDepthSprout $ from $ \NoteCommitmentSprout ( \nOld { i } ) $ to the \anchor $ \rt $ .
\textbf { Note:} Merkle path validity covers both conditions 1. (a) and 1. (d) of the NP statement
in \cite [section 4.2] { BCG+2014} .
\vspace { 2ex}
\changed {
\snarkcondition { Merkle path enforcement} \label { sproutmerklepathenforcement}
for each $ i \in \setofOld $ , if $ \vOld { i } \neq 0 $ then $ \EnforceMerklePath { i } = 1 $ .
}
\snarkcondition { Balance} \label { sproutbalance}
$ \changed { \vpubOld \; + } \ssum { i = 1 } { \NOld } \vOld { i } = \vpubNew + \ssum { i = 1 } { \NNew } \vNew { i } \in \range { 0 } { 2 ^ { 64 } - 1 } $ .
\snarkcondition { \Nullifier { } integrity} \label { sproutnullifierintegrity}
for each $ i \in \setofOld $ :
$ \nfOld { i } = \PRFnf { \AuthPrivateOld { i } } ( \NoteAddressRandOld { i } ) $ .
\snarkcondition { Spend authority} \label { sproutspendauthority}
for each $ i \in \setofOld $ :
$ \AuthPublicOld { i } = \changed { \PRFaddr { \AuthPrivateOld { i } } ( 0 ) } $ .
\snarkcondition { Non-malleability} \label { sproutnonmalleablejs}
for each $ i \in \setofOld $ :
$ \h { i } = \PRFpk { \AuthPrivateOld { i } } ( i, \hSig ) $ .
\changed {
\snarkcondition { Uniqueness of $ \NoteAddressRandNew { i } $ } \label { sproutuniquerho}
for each $ i \in \setofNew $ :
$ \NoteAddressRandNew { i } = \PRFrho { \NoteAddressPreRand } ( i, \hSig ) $ .
}
\snarkcondition { Note commitment integrity} \label { sproutcommitmentintegrity}
for each $ i \in \setofNew $ : $ \cmNew { i } $ = $ \NoteCommitmentSprout ( \nNew { i } ) $ .
\vspace { 2.5ex}
For details of the form and encoding of proofs, see \crossref { phgr} .
\sapling {
\introsection
\subsubsection { \SpendStatement { } (\Sapling )} \label { spendstatement}
Let $ \AuthSignBase $ be as defined in \crossref { saplingkeycomponents} .
A valid instance of $ \ProofSpend $ assures that given a \primaryInput :
\begin { formulae}
\item $ ( \rt \typecolon \MerkleHashSapling , \\
\hparen \cvOld { } \typecolon \ValueCommitOutput ,\\
\hparen \nfOld { } \typecolon \bitseq { \PRFOutputLengthSapling } ,\\
\hparen \AuthSignRandomizedPublicOldRepr \typecolon \bitseq { \ellJ } )$ ,
\end { formulae}
\introlist
the prover knows an \auxiliaryInput :
\begin { formulae}
\item $ ( \treepath { } \typecolon \typeexp { \MerkleHash } { \MerkleDepthSapling } \times \NotePositionTypeSapling , \\
\hparen \DiversifiedTransmitBaseRepr \typecolon \bitseq { \ellJ } ,\\
\hparen \DiversifiedTransmitPublicRepr \typecolon \bitseq { \ellJ } ,\\
\hparen \vOld { } \typecolon \range { 0} { 2^ { 64} -1} ,\\
\hparen \ValueCommitRandOld { } \typecolon \ValueCommitTrapdoor ,\\
\hparen \cmOld { } \typecolon \MerkleHashSapling ,\\
\hparen \NoteCommitRandOld { } \typecolon \NoteCommitSaplingTrapdoor ,\\
\hparen \AuthSignRandomness \typecolon \range { 0} { 2^ { 252} -1} ,\\
\hparen \AuthSignPublicRepr \typecolon \bitseq { \ellJ } ,\\
\hparen \AuthProvePrivate \typecolon \range { 0} { 2^ { 252} -1} )$ % FIXME better type
\end { formulae}
\introlist
such that the following conditions hold:
\snarkcondition { Note commitment integrity} \label { saplingnotecommitmentintegrity}
$ \pack ( \cmOld { } ) = \NoteCommitSapling { \NoteCommitRandOld { } } ( \DiversifiedTransmitBaseRepr ,
\DiversifiedTransmitPublicRepr ,
\vOld { } )$ .
\todo { define $ \pack $ .}
\snarkcondition { Merkle path validity} \label { saplingmerklepathvalidity}
$ \treepath { } $ is a valid \merklePath , as defined in \crossref { merklepath} , of depth
$ \MerkleDepthSapling $ from $ \cmOld { } $ to the \anchor $ \rt $ .
\snarkcondition { Value commitment integrity} \label { saplingvaluecommitmentintegrity}
$ \cvOld { } = \ValueCommit { \ValueCommitRandOld { } } ( \vOld { } ) $ .
\snarkcondition { Point validity checks} \label { saplingpointvalidity}
$ \AuthSignRandomizedPublicOld , \AuthSignPublic , \DiversifiedTransmitBase \in \GroupJ $ and
are not of small order, i.e.\ $ \scalarmult { 8 } { \AuthSignRandomizedPublicOld } \neq \ZeroJ $
and $ \scalarmult { 8 } { \AuthSignPublic } \neq \ZeroJ $
and $ \scalarmult { 8 } { \DiversifiedTransmitBase } \neq \ZeroJ $ .
\snarkcondition { \Nullifier { } integrity} \label { saplingnullifierintegrity}
$ \nfOld { } = \PRFnfSapling { \AuthProvePublic } ( \NoteAddressRand ) $ where
\begin { formulae}
\item $ \AuthProvePublic = \scalarmult { \AuthProvePrivate } { \AuthProveBase } $
\item $ \NoteAddressRand = \MixingPedersenHash ( \cmOld { } , \NotePosition ) $ .
\end { formulae}
\snarkcondition { Spend authority} \label { saplingspendauthority}
$ \AuthSignRandomizedPublicOld = \AuthSignPublic + \scalarmult { \AuthSignRandomness } { \AuthSignBase } $ where
\begin { formulae}
\item $ \AuthSignRandomizedPublicOld \typecolon \GroupJ = \abstJOf { \strut \smash { \AuthSignRandomizedPublicOldRepr } } $
\item $ \AuthSignPublic \typecolon \GroupJ = \abstJOf { \AuthSignPublicRepr } $ .
\end { formulae}
\snarkcondition { Diversified address integrity} \label { saplingaddressintegrity}
$ \DiversifiedTransmitPublic = \scalarmult { \InViewingKey } { \DiversifiedTransmitBase } $ where
\begin { formulae}
\item $ \InViewingKey = \CRHivk ( \AuthSignPublicRepr , \AuthProvePublicRepr ) $
\item $ \DiversifiedTransmitBase = \abstJOf { \DiversifiedTransmitBaseRepr } $ .
\end { formulae}
\vspace { 2.5ex}
For details of the form and encoding of \spendStatement proofs, see \crossref { groth} .
} %sapling
\sapling {
\introsection
\subsubsection { \OutputStatement { } (\Sapling )} \label { outputstatement}
A valid instance of $ \ProofOutput $ assures that given a \primaryInput :
\begin { formulae}
\item $ ( \cvNew { } \typecolon \ValueCommitOutput , \\
\hparen \cmNew { } \typecolon \NoteCommitSaplingOutput ,\\
\hparen \EphemeralPublic \typecolon \GroupJ )$ ,
\end { formulae}
\introlist
the prover knows an \auxiliaryInput :
\begin { formulae}
\item $ ( \DiversifiedTransmitBaseRepr \typecolon \bitseq { \ellJ } , \\
\hparen \DiversifiedTransmitPublicRepr \typecolon \bitseq { \ellJ } ,\\
\hparen \vNew { } \typecolon \range { 0} { 2^ { 64} -1} ,\\
\hparen \ValueCommitRandNew { } \typecolon \ValueCommitTrapdoor ,\\
\hparen \NoteCommitRandNew { } \typecolon \NoteCommitSaplingTrapdoor ,\\
\hparen \EphemeralPrivate \typecolon \range { 0} { 2^ { 252} -1} )$
\end { formulae}
\introlist
such that the following conditions hold:
\snarkcondition { Note commitment integrity} \label { outputnotecommitmentintegrity}
$ \pack ( \cmNew { } ) = \NoteCommitSapling { \NoteCommitRandNew { } } ( \DiversifiedTransmitBaseRepr ,
\DiversifiedTransmitPublicRepr ,
\vNew { } )$ .
\todo { define $ \pack $ .}
\snarkcondition { Value commitment integrity} \label { outputvaluecommitmentintegrity}
$ \cvNew { } = \ValueCommit { \ValueCommitRandNew { } } ( \vNew { } ) $ .
\snarkcondition { Point validity checks} \label { outputpointvalidity}
$ \DiversifiedTransmitBase \in \GroupJ $ and is not of small order,
i.e.\ $ \scalarmult { 8 } { \DiversifiedTransmitBase } \neq \ZeroJ $ , where
\begin { formulae}
\item $ \DiversifiedTransmitBase = \abstJOf { \DiversifiedTransmitBaseRepr } $ .
\end { formulae}
\snarkcondition { Ephemeral public key integrity} \label { outputepkintegrity}
$ \EphemeralPublic = \scalarmult { \EphemeralPrivate } { \DiversifiedTransmitBase } $ where
\begin { formulae}
\item $ \EphemeralPublic = \abstJOf { \EphemeralPublicRepr } $ .
\end { formulae}
\vspace { 2.5ex}
For details of the form and encoding of \outputStatement proofs, see \crossref { groth} .
} %sapling
\subsection { In-band secret distribution} \label { inband}
The secrets that need to be transmitted to a recipient of funds in order for
them to later spend are $ \Value $ , $ \NoteAddressRand $ , $ \NoteCommitRand $ \sapling { ,
and in the case of \Sapling $ \Diversifier $ and $ \DiversifiedTransmitPublic $ } .
\changed { A \memo (\crossref { noteptconcept} ) is also transmitted.}
In order to transmit these secrets securely to a recipient
\emph { without} requiring an out-of-band communication channel, the
\transmissionKey $ \TransmitPublic $ \sapling { or $ \DiversifiedTransmitPublic $ }
is used to encrypt them. The recipient's possession of the associated
\incomingViewingKey $ \InViewingKey $ is used to reconstruct the original
\note \changed { and \memo } .
All of the resulting ciphertexts are combined to form a \notesCiphertext .
\introlist
\sprout {
For both encryption and decryption,
\begin { itemize}
\item let $ \Sym $ be the \encryptionScheme instantiated in \crossref { concretesym} ;
\item let $ \KDFSprout $ be the \keyDerivationFunction instantiated in \crossref { concretesproutkdf} ;
\item let $ \KASprout $ be the \keyAgreementScheme instantiated in \crossref { concretesproutkeyagreement} ;
\item let $ \hSig $ be the value computed for this \joinSplitDescription in \crossref { joinsplitdesc} .
\end { itemize}
} %sprout
\notsprout {
For both encryption and decryption:
Let $ \Sym $ be the \encryptionScheme instantiated in \crossref { concretesym} .
Let $ \KDFSprout $ \sapling { and $ \KDFSapling $ } be the \keyDerivationFunctions instantiated in
\crossref { concretesproutkdf} .
Let $ \KASprout $ \sapling { and $ \KASapling $ } be the \keyAgreementSchemes instantiated in
\crossref { concretekaandkdf} .
\sproutspecific { Let $ \hSig $ be the value computed for this \joinSplitDescription in
\crossref { joinsplitdesc} .}
} %notsprout
\subsubsection { Encryption \pSproutOrNothing }
Let $ \TransmitPublicNew { \allNew } $ be the \transmissionKeys
for the intended recipient addresses of each new \note .
Let $ \NotePlaintext { \allNew } $ be the \notePlaintexts as defined in \crossref { notept} .
\introlist
Then to encrypt:
\begin { itemize}
\changed {
\item Generate a new $ \KASprout $ (public, private) key pair
$ ( \EphemeralPublic , \EphemeralPrivate ) $ .
\item For $ i \in \setofNew $ ,
\begin { itemize}
\item Let $ \TransmitPlaintext { i } $ be the raw encoding of $ \NotePlaintext { i } $ .
\item Let $ \DHSecret { i } : = \KASproutAgree ( \EphemeralPrivate ,
\TransmitPublicNew { i} )$ .
\item Let $ \TransmitKey { i } : = \KDFSprout ( i, \hSig , \DHSecret { i } , \EphemeralPublic ,
\TransmitPublicNew { i} )$ .
\item Let $ \TransmitCiphertext { i } : =
\SymEncrypt { \TransmitKey { i} } (\TransmitPlaintext { i} )$ .
\end { itemize}
}
\end { itemize}
The resulting \notesCiphertext is $ \changed { ( \EphemeralPublic ,
\TransmitCiphertext { \allNew } )} $ .
\pnote {
It is technically possible to replace $ \TransmitCiphertext { i } $ for a given \note
with a random (and undecryptable) dummy ciphertext, relying instead on out-of-band
transmission of the \note to the recipient. In this case the ephemeral key \MUST
still be generated as a random public key (rather than a random bit sequence) to ensure
indistinguishability from other \joinSplitDescriptions . This mode of operation raises
further security considerations, for example of how to validate a \note received
out-of-band, which are not addressed in this document.
}
\subsubsection { Decryption by a Recipient \pSproutOrNothing }
Let $ \InViewingKey = ( \AuthPublic , \TransmitPrivate ) $ be the recipient's \incomingViewingKey ,
and let $ \TransmitPublic $ be the corresponding \transmissionKey derived from
$ \TransmitPrivate $ as specified in \crossref { keycomponents} .
Let $ \cmNew { \allNew } $ be the \noteCommitments of each output \note .
\introlist
Then for each $ i \in \setofNew $ , the recipient will attempt to decrypt the corresponding
ciphertext component as follows:
\changed {
\begin { formulae}
\item let $ \DHSecret { i } = \KASproutAgree ( \TransmitPrivate , \EphemeralPublic ) $
\item let $ \TransmitKey { i } = \KDFSprout ( i, \hSig , \DHSecret { i } , \EphemeralPublic ,
\TransmitPublic )$
\item return $ \DecryptNote ( \TransmitKey { i } , \TransmitCiphertext { i } , \cmNew { i } ,
\AuthPublic ).$
\end { formulae}
\introlist
$ \DecryptNote ( \TransmitKey { i } , \TransmitCiphertext { i } , \cmNew { i } , \AuthPublic ) $
is defined as follows:
\begin { formulae}
\item let $ \TransmitPlaintext { i } =
\SymDecrypt { \TransmitKey { i} } (\TransmitCiphertext { i} )$
\item if $ \TransmitPlaintext { i } = \bot $ , return $ \bot $
\item extract $ \NotePlaintext { i } = ( \ValueNew { i } ,
\NoteAddressRandNew { i} , \NoteCommitRandNew { i} , \Memo _ i)$ from $ \TransmitPlaintext { i} $
\item if $ \NoteCommitSprout ( ( \AuthPublic , \ValueNew { i } , \NoteAddressRandNew { i } ,
\NoteCommitRandNew { i} )) \neq \cmNew { i} $ , return $ \bot $ , else return $ \NotePlaintext { i} $ .
\end { formulae}
}
To test whether a \note is unspent in a particular \blockchain also requires
the \spendingKey $ \AuthPrivate $ ; the \note is unspent if and only if
$ \nf = \PRFnf { \AuthPrivate } ( \NoteAddressRand ) $ is not in the \nullifierSet
for that \blockchain .
\begin { pnotes}
\item The decryption algorithm corresponds to step 3 (b) i. and ii.
(first bullet point) of the $ \Receive $ algorithm shown in \cite [Figure 2] { BCG+2014} .
\item A \note can change from being unspent to spent as a node's view of the best
\blockchain is extended by new \transactions . Also, \blockchain reorganizations
can cause a node to switch to a different best \blockchain that does not
contain the \transaction in which a \note was output.
\end { pnotes}
See \crossref { inbandrationale} for further discussion of the security and
engineering rationale behind this encryption scheme.
\intropart
\section { Concrete Protocol}
\subsection { Caution}
\todo { Explain the kind of things that can go wrong with linkage between
abstract and concrete protocol. E.g. \crossref { internalh} }
\subsection { Integers, Bit Sequences, and Endianness} \label { boxnotation} \label { endian}
All integers in \Zcash -specific encodings are unsigned, have a fixed
bit length, and are encoded in little-endian byte order \emph { unless otherwise
specified} .
\sprout {
Define $ \ItoBEBSP { } \typecolon ( \ell \typecolon \Nat ) \times \range { 0 } { 2 ^ \ell \! - \! 1 } \rightarrow \bitseq { \ell } $
such that $ \ItoBEBSP { \ell } ( x ) $ is the sequence of $ \ell $ bits representing $ x $ in
\emph { big-endian} order.
} %sprout
\notsprout {
The following functions convert between sequences of bits, sequences of bytes,
and integers:
\begin { itemize}
\item $ \ItoLEBSP { } \typecolon ( \ell \typecolon \Nat ) \times \range { 0 } { 2 ^ \ell \! - \! 1 } \rightarrow \bitseq { \ell } $ ,
such that $ \ItoLEBSP { \ell } ( x ) $ is the sequence of $ \ell $ bits representing $ x $ in
little-endian order;
\item $ \ItoBEBSP { } \typecolon ( \ell \typecolon \Nat ) \times \range { 0 } { 2 ^ \ell \! - \! 1 } \rightarrow \bitseq { \ell } $
such that $ \ItoBEBSP { \ell } ( x ) $ is the sequence of $ \ell $ bits representing $ x $ in
big-endian order;
\item $ \LEOStoIP { } \typecolon ( k \typecolon \Nat ) \times \byteseq { k } \rightarrow \range { 0 } { 256 ^ k \! - \! 1 } $
such that $ \LEOStoIP { k } ( S ) $ is the integer represented in little-endian order by the
byte sequence $ S $ of length $ k $ ;
\item $ \LEBStoOSP { } \typecolon ( \ell \typecolon \Nat ) \times \bitseq { \ell } \rightarrow \byteseq { \sceiling { \ell / 8 } } $
defined as follows: pad the input on the right with $ 8 \mult \ceiling { \ell / 8 } - \ell $ zero bits
so that its length is a multiple of 8 bits. Then convert each group of 8 bits to a byte
value with the \emph { least} significant bit first, and concatenate the resulting bytes
in the same order as the groups.
\end { itemize}
} %notsprout
In bit layout diagrams, each box of the diagram represents a sequence of bits.
Diagrams are read from left-to-right, with lines read from top-to-bottom;
the breaking of boxes across lines has no significance.
The bit length $ \ell $ is given explicitly in each box, except when it is obvious
(e.g. for a single bit, or for the notation $ \zeros { \ell } $ representing the sequence
of $ \ell $ zero bits\notsprout { , or for the output of $ \LEBStoOSP { \ell } $ } ).
The entire diagram represents the sequence of \emph { bytes} formed by first
concatenating these bit sequences, and then treating each subsequence of 8 bits
as a byte with the bits ordered from \emph { most significant} to
\emph { least significant} . Thus the \emph { most significant} bit in each byte
is toward the left of a diagram. Where bit fields are used, the text will
clarify their position in each case.
\introsection
\subsection { Constants} \label { constants}
Define:
\begin { formulae} [itemsep=\sprout { 1ex} \notsprout { 0.2ex} ]
\item $ \MerkleDepthSprout \typecolon \Nat : = \changed { 29 } $
\sapling {
\item $ \MerkleDepthSapling \typecolon \Nat : = 32 $
} %sapling
\item $ \NOld \typecolon \Nat : = 2 $
\item $ \NNew \typecolon \Nat : = 2 $
\item $ \MerkleHashLengthSprout \typecolon \Nat : = 256 $
\sapling {
\item $ \MerkleHashLengthSapling \typecolon \Nat : = 255 $
} %sapling
\item $ \hSigLength \typecolon \Nat : = 256 $
\item $ \PRFOutputLength \typecolon \Nat : = 256 $
\item $ \NoteCommitRandLength \typecolon \Nat : = \changed { 256 } $
\item $ \changed { \RandomSeedLength \typecolon \Nat : = 256 } $
\item $ \AuthPrivateLength \typecolon \Nat : = \changed { 252 } $
\item $ \changed { \NoteAddressPreRandLength \typecolon \Nat : = 252 } $
\sapling {
\item $ \SpendingKeyLength \typecolon \Nat : = 256 $
\item $ \DiversifierLength \typecolon \Nat : = 88 $
\item $ \InViewingKeyLength \typecolon \Nat : = 251 $
} %sapling
\item $ \UncommittedSprout \typecolon \bitseq { \MerkleHashLengthSprout } : = \zeros { \MerkleHashLengthSprout } $
\sapling {
\item $ \UncommittedSapling \typecolon \bitseq { \MerkleHashLengthSapling } : = \ItoLEBSP { \MerkleHashLengthSapling } ( 1 ) $
} %sapling
\item $ \MAXMONEY \typecolon \Nat : = \changed { 2 . 1 \smult 10 ^ { 15 } } $ (\zatoshi )
\item $ \SlowStartInterval \typecolon \Nat : = 20000 $
\item $ \HalvingInterval \typecolon \Nat : = 840000 $
\item $ \MaxBlockSubsidy \typecolon \Nat : = 1 . 25 \smult 10 ^ 9 $ (\zatoshi )
\item $ \NumFounderAddresses \typecolon \Nat : = 48 $
\item $ \FoundersFraction \typecolon \Rat : = \frac { 1 } { 5 } $
\item $ \PoWLimit \typecolon \Nat : = \begin { cases }
2^ { 243} - 1,& \squash \text { for the production network} \\
2^ { 251} - 1,& \squash \text { for the test network}
\end { cases} $
\item $ \PoWAveragingWindow \typecolon \Nat : = 17 $
\item $ \PoWMedianBlockSpan \typecolon \Nat : = 11 $
\item $ \PoWMaxAdjustDown \typecolon \Rat : = \frac { 32 } { 100 } $
\item $ \PoWMaxAdjustUp \typecolon \Rat : = \frac { 16 } { 100 } $
\item $ \PoWDampingFactor \typecolon \Nat : = 4 $
\item $ \PoWTargetSpacing \typecolon \Nat : = 150 $ (seconds).
\end { formulae}
\introsection
\subsection { Concrete Cryptographic Schemes}
\subsubsection { \HashFunctions }
\subsubsubsection { SHA-256 and SHA256Compress \HashFunctions } \label { concretesha256}
SHA-256 is defined by \cite { NIST2015} .
\Zcash uses the full \shaHashFunction to instantiate $ \NoteCommitmentSprout $ .
\begin { formulae}
\item $ \SHAFull \typecolon \byteseqs \rightarrow \byteseq { 32 } $
\end { formulae}
\cite { NIST2015} strictly speaking only specifies the application of SHA-256 to
messages that are bit sequences, producing outputs (``message digests'') that
are also bit sequences. In practice, SHA-256 is universally implemented with a
byte-sequence interface for messages and outputs, such that the
\emph { most significant} bit of each byte corresponds to the first bit of the
associated bit sequence. (In the NIST specification ``first'' is conflated with
``leftmost''.)
\Zcash also uses the \shaCompressFunction , $ \SHACompress $ . This operates
on a single $ 512 $ -bit block and \emph { excludes} the padding step specified
in \cite [section 5.1] { NIST2015} .
That is, the input to $ \SHACompress $ is what
\cite [section 5.2] { NIST2015} refers to as ``the message and its padding''.
The Initial Hash Value is the same as for full $ \SHAFull $ .
\introlist
$ \SHACompress $ is used to instantiate several \pseudoRandomFunctions and
$ \MerkleCRHSprout $ .
\begin { formulae}
\item $ \SHACompress \typecolon \bitseq { 512 } \rightarrow \bitseq { 256 } $
\end { formulae}
The ordering of bits within words in the interface to $ \SHACompress $ is
consistent with \cite [section 3.1] { NIST2015} , i.e.\ big-endian.
\subsubsubsection { \BlakeTwo { } \HashFunction } \label { concreteblake2}
BLAKE2 is defined by \cite { ANWW2013} .
\sprout { \Zcash uses only the $ \BlakeTwobGeneric $ variant.}
\sapling { \Zcash uses both the $ \BlakeTwobGeneric $ and $ \BlakeTwosGeneric $
variants.}
$ \BlakeTwobOf { \ell } { p, x } $ refers to unkeyed $ \BlakeTwob { \ell } $
in sequential mode, with an output digest length of $ \ell / 8 $ bytes,
$ 16 $ -byte personalization string $ p $ , and input $ x $ .
\introlist
$ \BlakeTwobGeneric $ is used to instantiate $ \hSigCRH $ , $ \EquihashGen { } $ ,
and $ \KDFSprout $ .
\nuzero { From \NUZero onward, it is used to compute \sighashTxHashes
as specified in \cite { ZIP-143} .}
\sapling { For \Sapling , it is also used to instantiate $ \KDFSapling $ ,
and in the $ \EdJubjub $ \signatureScheme which instantiates $ \SpendAuthSig $ .}
\begin { formulae}
\item $ \BlakeTwob { \ell } \typecolon \byteseq { 16 } \times \byteseqs \rightarrow \byteseq { \ell / 8 } $
\end { formulae}
\vspace { -3ex}
\pnote {
$ \BlakeTwob { \ell } $ is not the same as $ \BlakeTwob { 512 } $ truncated to
$ \ell $ bits, because the digest length is encoded in the parameter
block.
}
\sapling {
\vspace { 3ex}
$ \BlakeTwosOf { \ell } { p, x } $ refers to unkeyed $ \BlakeTwos { \ell } $
in sequential mode, with an output digest length of $ \ell / 8 $ bytes,
$ 8 $ -byte personalization string $ p $ , and input $ x $ .
$ \BlakeTwosGeneric $ is used to instantiate $ \PRFexpand { } $ , $ \PRFnfSapling { } $ ,
$ \CRHivk $ , and $ \GroupJHash { } $ .
\begin { formulae}
\item $ \BlakeTwos { \ell } \typecolon \byteseq { 8 } \times \byteseqs \rightarrow \byteseq { \ell / 8 } $
\end { formulae}
} %sapling
\introsection
\subsubsubsection { \MerkleTree { } \HashFunction } \label { merklecrh}
\newsavebox { \merklebox }
\begin { lrbox} { \merklebox }
\begin { bytefield} [bitwidth=0.04em]{ 512}
\sbitbox { 256} { $ 256 $ -bit $ \mathsf { left } $ } &
\sbitbox { 256} { $ 256 $ -bit $ \mathsf { right } $ }
\end { bytefield}
\end { lrbox}
\sprout {
$ \MerkleCRHSprout $ is used to hash \incrementalMerkleTree \merkleHashes .
Let $ \SHACompress $ be as specified in \crossref { concretesha256} .
$ \MerkleCRHSprout \typecolon \MerkleHashSprout \times \MerkleHashSprout \rightarrow \MerkleHashSprout $
is defined as follows:
\begin { formulae}
\item $ \MerkleCRHSprout ( \mathsf { left } , \mathsf { right } ) : = \SHACompressBox { \merklebox } $ .
\end { formulae}
\pnote {
$ \SHACompress $ is not the same as the $ \SHAFull $ function, which hashes arbitrary-length
byte sequences.
}
}
\notsprout {
$ \MerkleCRHSprout $ and $ \MerkleCRHSapling $ are used to hash
\incrementalMerkleTree \merkleHashes for \Sprout and \Sapling respectively.
\subsubsubsubsection { $ \MerkleCRHSprout $ \HashFunction } \label { merklecrhsprout}
Let $ \SHACompress $ be as specified in \crossref { concretesha256} .
$ \MerkleCRHSprout \typecolon \MerkleLayerSprout \times \MerkleHashSprout \times \MerkleHashSprout
\rightarrow \MerkleHashSprout $ is defined as follows:
\begin { formulae}
\item $ \MerkleCRHSprout ( \mathsf { layer } , \mathsf { left } , \mathsf { right } ) : = \SHACompressBox { \merklebox } $ .
\end { formulae}
\vspace { -4ex}
\begin { pnotes}
\item The $ \mathsf { layer } $ argument does not affect the output.
\item $ \SHACompress $ is not the same as the $ \SHAFull $ function, which hashes arbitrary-length
byte sequences.
\end { pnotes}
}
\vspace { -2ex}
\securityrequirement {
$ \SHACompress $ must be \collisionResistant , and it must be infeasible to find a preimage $ x $
such that $ \SHACompress ( x ) = \zeros { 256 } $ (note that $ \UncommittedSprout = \zeros { \MerkleHashLengthSprout } $ ).
}
\sapling {
\subsubsubsubsection { $ \MerkleCRHSapling $ \HashFunction } \label { merklecrhsapling}
Let $ \PedersenHash $ be as specified in \crossref { concretepedersenhash} .
$ \MerkleCRHSapling \typecolon \MerkleLayerSapling \times \MerkleHashSapling \times \MerkleHashSapling
\rightarrow \MerkleHashSapling $ is defined as follows:
\begin { formulae}
\item $ \MerkleCRHSapling ( \mathsf { layer } , \mathsf { left } , \mathsf { right } ) : = \PedersenHash ( \ascii { Zcash \_ PH } ,
l \bconcat \mathsf { left} \bconcat \mathsf { right} )$
\item \tab where $ l = \ItoLEBSP { 6 } ( \MerkleDepthSapling - 1 - \mathsf { layer } ) $ .
\end { formulae}
\vspace { -2ex}
\securityrequirement {
$ \PedersenHash $ must be \collisionResistant on inputs of the fixed length used here (a $ 6 $ -bit prefix and two \merkleHashes ), under the personalization $ \ascii { Zcash \_ PH } $ ; see \crossref { concretepedersenhash} .
}
\pnote {
The prefix $ l $ provides domain separation between inputs at different layers of the
\noteCommitmentTree . It is distinct from the prefix used in $ \NoteCommitSaplingAlg $
as noted in \crossref { concretewindowedcommit} .
}
} %sapling
\introsection
\subsubsubsection { \hSigText { } \HashFunction } \label { hsigcrh}
\newsavebox { \hsigbox }
\begin { lrbox} { \hsigbox }
\setchanged
\begin { bytefield} [bitwidth=0.04em]{ 1024}
\sbitbox { 256} { $ 256 $ -bit $ \RandomSeed $ } &
\sbitbox { 256} { \hfill $ 256 $ -bit $ \nfOld { \mathrm { 1 } } $ \hfill ...\; } &
\sbitbox { 256} { $ 256 $ -bit $ \nfOld { \NOld } $ } &
\sbitbox { 300} { $ 256 $ -bit $ \joinSplitPubKey $ }
\end { bytefield}
\end { lrbox}
$ \hSigCRH $ is used to compute the value $ \hSig $ in \crossref { joinsplitdesc} .
\changed {
\begin { formulae}
\item $ \hSigCRH ( \RandomSeed , \nfOld { \allOld } , \joinSplitPubKey ) : = \BlakeTwobOf { 256 } { \ascii { ZcashComputehSig } , \; \hSigInput } $
\end { formulae}
where
\begin { formulae}
\item $ \hSigInput : = \Justthebox { \hsigbox } $ .
\end { formulae}
}
$ \BlakeTwobOf { 256 } { p, x } $ is defined in \crossref { concreteblake2} .
\securityrequirement {
$ \BlakeTwobOf { 256 } { \ascii { ZcashComputehSig } , x } $ must be \collisionResistant on $ x $ .
}
\newsavebox { \crhivkbox }
\begin { lrbox} { \crhivkbox }
\setsapling
\begin { bytefield} [bitwidth=0.05em]{ 512}
\sbitbox { 256} { $ 256 $ -bit $ \LEBStoOSPOf { 256 } { \AuthSignPublicRepr } $ } &
\sbitbox { 256} { $ 256 $ -bit $ \LEBStoOSPOf { 256 } { \AuthProvePublicRepr } $ }
\end { bytefield}
\end { lrbox}
\sapling {
\introlist
\subsubsubsection { \CRHivkText { } \HashFunction } \label { concretecrhivk}
$ \CRHivk $ is used to derive the \incomingViewingKey $ \InViewingKey $
for a \Sapling \paymentAddress .
For its use when generating an address see \crossref { saplingkeycomponents} ,
and for its use in the \spendStatement see \crossref { spendstatement} .
\introlist
It is defined as follows:
\begin { formulae}
\item $ \CRHivk ( \AuthSignPublic , \AuthProvePublic ) : =
\LEOStoIPOf { 256} { \BlakeTwosOf { 256} { \ascii { Zcashivk} ,\; \crhInput } } \bmod 2^ { \InViewingKeyLength } $
\end { formulae}
where
\begin { formulae}
\item $ \crhInput : = \Justthebox { \crhivkbox } $
\end { formulae}
\vspace { 2ex}
$ \BlakeTwobOf { 256 } { p, x } $ is defined in \crossref { concreteblake2} .
\securityrequirement {
$ \LEOStoIPOf { 256 } { \BlakeTwosOf { 256 } { \ascii { Zcashivk } , x } } \bmod 2 ^ { \InViewingKeyLength } $
must be \collisionResistant on a $ 64 $ -byte input $ x $ . Note that this
does not follow from collision-resistance of $ \BlakeTwos { 256 } $
(and the best possible concrete security is that of a $ 251 $ -bit hash
rather than a $ 256 $ -bit hash), but it is a reasonable assumption
given the design, structure, and cryptanalysis to date of $ \BlakeTwosGeneric $ .
}
\pnote {
The variable output digest length feature of $ \BlakeTwosGeneric $ does
not support arbitrary bit lengths, otherwise that would have been
used rather than external truncation. However, the protocol-specific
personalization string together with truncation achieve essentially
the same effect as using that feature.
}
} %sapling
\sapling {
\introlist
\subsubsubsection { $ \DiversifyHash $ \HashFunction } \label { concretediversifyhash}
$ \DiversifyHash $ is used to derive a \diversifiedBase from a \diversifier in
\crossref { saplingkeycomponents} .
Let $ \GroupJHash { } $ and $ U $ be as defined in \crossref { concretegrouphashjubjub} .
Define
\begin { formulae}
\item $ \DiversifyHash ( \Diversifier ) : = \GroupJHash { U } ( \ascii { Zcash \_ gd } , \LEBStoOSPOf { \DiversifierLength } { \Diversifier } ) $
\end { formulae}
\securityrequirement {
$ \DiversifyHash $ must satisfy the Discrete Logarithm Independence property
described in \crossref { abstractgrouphash} . \todo { make this more precise.}
}
} %sapling
\sapling {
\introlist
\subsubsubsection { \PedersenHashFunction } \label { concretepedersenhash}
$ \PedersenHash $ is an algebraic hash function with collision resistance
(for fixed input length) derived from assumed hardness of the
Discrete Logarithm Problem on the \jubjubCurve .
It is based on the work of David Chaum, Ivan Damgård, Jeroen van de Graaf,
Jurjen Bos, George Purdy, Eugène van Heijst and Birgit Pfitzmann in
\cite { CDG1987} , \cite { BCP1988} and \cite { CvHP1991} ,
and of Mihir Bellare, Oded Goldreich, and Shafi Goldwasser in \cite { BGG1995} ,
with optimizations for efficient instantiation in \zkSNARKCircuits
by Sean Bowe and Daira Hopwood.
$ \PedersenHash $ is used in the \incrementalMerkleTree over \noteCommitments
(\crossref { merkletree} ) and in the definition of \xPedersenCommitments
(\crossref { concretewindowedcommit} ).
Let $ \GroupJ $ be as defined in \crossref { jubjub} .
Let $ \ExtractJ $ be as defined in \crossref { concreteextractorjubjub} .
Let $ \FindGroupJHash $ be as defined in \crossref { concretegrouphashjubjub} .
Let $ c : = 63 $ .
\newsavebox { \gencountbox }
\begin { lrbox} { \gencountbox }
\begin { bytefield} [bitwidth=0.28em]{ 32}
\sbitbox { 32} { $ 32 $ -bit $ \floor { \frac { i - 1 } { c } } $ }
\end { bytefield}
\end { lrbox}
\introlist
\vspace { 2ex}
Define $ \PedersenGenAlg \typecolon \byteseq { 8 } \times \Nat \rightarrow \GroupJ $ by:
\begin { formulae}
\item $ \PedersenGen { D } { i } : = \FindGroupJHashOf { D, \Justthebox { \gencountbox } } $ .
\end { formulae}
\newcommand { \sj } [1]{ s^ { \kern 0.02em j} _ { #1} }
\vspace { 2ex}
\introsection
Define $ \PedersenHashToPoint ( D \typecolon \byteseq { 8 } , M \typecolon \bitseq { \PosInt } ) $ as follows:
\begin { formulae}
\item Pad $ M $ to a multiple of $ 3 $ bits by appending zero bits, giving $ M' $ . (Inputs that differ only in the number of trailing zero bits within the last $ 3 $ -bit chunk therefore yield the same $ M' $ ; this is why collision resistance is required below only between inputs of fixed length.)
\item Let $ n = \ceiling { \hfrac { \length ( M' ) } { 3 \mult c } } $ .
\item Split $ M' $ into $ n $ \quotedterm { segments} $ M _ \barerange { 1 } { n } $
so that $ M' = \concatbits ( M _ \barerange { 1 } { n } ) $ , and
each of $ M _ \barerange { 1 } { n - 1 } $ is of length $ 3 \smult c $ bits.
($ M _ n $ may be shorter.)
\item Return $ \vsum { i = 1 } { n } \scalarmult { \PedersenEncode { M _ i } } { \PedersenGen { D } { i } } \typecolon \GroupJ $ .
\end { formulae}
where
$ \PedersenEncode { \paramdot } \typecolon \bitseq { 3 \mult \range { 1 } { c } } \rightarrow
\rangenozero { -\hfrac { \ParamJ { r} -1} { 2} } { \hfrac { \ParamJ { r} -1} { 2} } $ is defined as:
\begin { formulae}
\item Let $ k _ i = \length ( M _ i ) / 3 $ .
\item Split $ M _ i $ into $ 3 $ -bit \quotedterm { chunks} $ m _ \barerange { 1 } { k _ i } $
so that $ M _ i = \concatbits ( m _ \barerange { 1 } { k _ i } ) $ .
\item Write each $ m _ j $ as $ [ \sj { 0 } , \sj { 1 } , \sj { 2 } ] $ , and let
$ \enc ( m _ j ) = ( 1 - 2 \smult \sj { 2 } ) \mult ( 1 + \sj { 0 } + 2 \smult \sj { 1 } ) \typecolon \Int $ .
\item Let $ \PedersenEncode { M _ i } = \vsum { j = 1 } { k _ i } \enc ( m _ j ) \mult 2 ^ { 4 \mult ( j - 1 ) } $ .
\end { formulae}
Finally, define $ \PedersenHash \typecolon \byteseq { 8 } \times \bitseq { \PosInt } \rightarrow \MerkleHashSapling $ by:
\begin { formulae}
\item $ \PedersenHash ( D, M ) : = \ItoLEBSP { \MerkleHashLengthSapling } ( \ExtractJ ( \PedersenHashToPoint ( D, M ) ) ) $ .
\end { formulae}
See \crossref { cctpedersenhash} for rationale and efficient circuit implementation
of these functions.
\securityrequirement {
$ \PedersenHash $ and $ \PedersenHashToPoint $ are required to be \collisionResistant
between inputs of fixed length, for a given personalization input $ D $ .
No other security properties commonly associated with \hashFunctions are needed.
}
\vspace { 2ex}
\introsection
\begin { theorem} \label { thmpedersenencodeinjective}
The encoding function $ \PedersenEncode { \paramdot } $ is injective.
\end { theorem}
\begin { proof}
We first check that the range of
$ \vsum { j = 1 } { k _ i } \enc ( m _ j ) \mult 2 ^ { 4 \mult ( j - 1 ) } $ is a subset of
the allowable range $ \rangenozero { - \hfrac { \ParamJ { r } - 1 } { 2 } } { \hfrac { \ParamJ { r } - 1 } { 2 } } $ .
The range of this expression is a subset of
$ \rangenozero { - \PedersenRangeOffset } { \PedersenRangeOffset } $ where
$ \PedersenRangeOffset = 4 \mult \vsum { i = 0 } { c - 1 } 2 ^ { 4 \mult i } = 4 \mult \hfrac { 2 ^ { 4 \mult c } - 1 } { 15 } $ .
\introlist
When $ c = 63 $ , we have
\begin { tabular} { @{ \hskip 2em} r@{ \; } l}
$ 4 \mult \hfrac { 2 ^ { 4 \mult c } - 1 } { 15 } $ & $ = \hexint { 444444444444444444444444444444444444444444444444444444444444444 } $ \\
& \\ [-2ex]
$ \hfrac { \ParamJ { r } - 1 } { 2 } $ & $ = \hexint { 73EDA753299D7D483339D80809A1D8053341049E6640841684B872F6B7B965B } $
\end { tabular}
so the required condition is met. This implies that there is no ``wrap around''
and so $ \ssum { j = 1 } { k _ i } \enc ( m _ j ) \mult 2 ^ { 4 \mult ( j - 1 ) } $ may be treated as an
integer expression.
$ \enc $ is injective. In order to prove that $ \PedersenEncode { \paramdot } $ is injective,
consider $ \PedersenEncodeNonneg { \paramdot } \typecolon \bitseq { 3 \mult \range { 1 } { c } } \rightarrow
\range { 0} { 2 \smult \PedersenRangeOffset } $ such that
$ \PedersenEncodeNonneg { M _ i } = \PedersenEncode { M _ i } + \PedersenRangeOffset $ .
With $ k _ i $ and $ m _ j $ defined as above, we have
$ \PedersenEncodeNonneg { M _ i } = \ssum { j = 1 } { k _ i } \enc ' ( m _ j ) \mult 2 ^ { 4 \mult ( j - 1 ) } $
where $ \enc ' ( m _ j ) = \enc ( m _ j ) + 4 $ is in $ \range { 0 } { 8 } $ and $ \enc ' $ is injective.
Express this sum in hexadecimal; then each $ m _ j $ affects only one hex digit, and
it is easy to see that $ \PedersenEncodeNonneg { \paramdot } $ is injective.
Therefore so is $ \PedersenEncode { \paramdot } $ .
\end { proof}
Since the security proof from \cite [Appendix A] { BGG1995}
depends only on the encoding being injective and its range not including
zero, the proof can be adapted straightforwardly to show that $ \PedersenHashToPoint $
is \collisionResistant under the same assumptions and security bounds.
Because $ \ItoLEBSP { \MerkleHashLengthSapling } $ is injective on its domain, and $ \ExtractJ $ (see \crossref { concreteextractorjubjub} ) is injective on the range of $ \PedersenHashToPoint $ ,
it follows that $ \PedersenHash $ is equally \collisionResistant \! .
\vspace { 2ex}
\begin { theorem} \label { thmnohashtouncommittedsapling}
$ \UncommittedSapling = \ItoLEBSP { \MerkleHashLengthSapling } ( 1 ) $ is not in the range of $ \PedersenHash $ .
\end { theorem}
\begin { proof}
By the definition of $ \PedersenHash $ , $ \ItoLEBSP { \smash { \MerkleHashLengthSapling } } ( 1 ) $
can be in the range of $ \PedersenHash $ only if there exist $ D \typecolon \byteseq { 8 } $ and
$ M \typecolon \bitseq { \PosInt } $ such that $ \ExtractJ ( \PedersenHashToPoint ( D, M ) ) = 1 $ .
The latter can only be the affine-Edwards $ u $ -coordinate of a point in $ \strut \GroupJ $ .
We show that there are no points in $ \GroupJ $ with affine-Edwards $ u $ -coordinate $ 1 $ .
Suppose for a contradiction that $ ( u, \varv ) \in \GroupJ $ for $ u = 1 $ and some
$ \varv \typecolon \GF { \ParamJ { r } } $ . By writing the curve equation as
$ \varv ^ 2 = ( 1 - \ParamJ { a } \smult u ^ 2 ) / ( 1 - \ParamJ { d } \smult u ^ 2 ) $ , and noting that
$ 1 - \ParamJ { d } \smult u ^ 2 \neq 0 $ , we have $ \varv ^ 2 = ( 1 - \ParamJ { a } ) / ( 1 - \ParamJ { d } ) $ .
The right-hand-side is a nonsquare in $ \GF { \ParamJ { r } } $ , so there are no solutions for $ \varv $
(contradiction).
\end { proof}
} %sapling
\sapling {
\subsubsubsection { Mixing Pedersen \HashFunction } \label { concretemixinghash}
A mixing \xPedersenHash is used to compute $ \NoteAddressRand $ from
$ \cm $ and $ \NotePosition $ in \crossref { commitmentsandnullifiers} . It takes as
input a \xPedersenCommitment $ P $ , and hashes it with another input $ x $ .
Let $ \NotePositionBase = \FindGroupJHashOf { \ascii { Zcash \_ J \_ } , \ascii { } } $ .
We define $ \MixingPedersenHash \typecolon \GroupJ \times \range { 0 } { \ParamJ { r } - 1 }
\rightarrow \GroupJ $ by:
\begin { formulae}
\item $ \MixingPedersenHash ( P, x ) : = P + \scalarmult { x } { \NotePositionBase } $ .
\end { formulae}
\vspace { -3ex}
\securityrequirement {
The function
\begin { formulae}
\item $ \fun { ( r, M, x ) \typecolon \range { 0 } { \ParamJ { r } - 1 } \times \bitseq { \PosInt } \times
\range { 0} { \ParamJ { r} -1} } { \MixingPedersenHash (\WindowedPedersenCommit { r} (M), x) \typecolon \GroupJ } $
\end { formulae}
\vspace { -1ex}
must be \collisionResistant on $ ( r, M, x ) $ .
}
\vspace { 2ex}
See \crossref { cctmixinghash} for efficient circuit implementation of this function.
} %sapling
\introlist
\subsubsubsection { Equihash Generator} \label { equihashgen}
$ \EquihashGen { n, k } $ is a specialized \hashFunction that maps an input
and an index to an output of length $ n $ bits. It is used in \crossref { equihash} .
\newsavebox { \powtagbox }
\begin { lrbox} { \powtagbox }
\begin { bytefield} [bitwidth=0.16em]{ 128}
\sbitbox { 64} { 64-bit $ \ascii { ZcashPoW } $ } &
\sbitbox { 32} { 32-bit $ n $ } &
\sbitbox { 32} { 32-bit $ k $ }
\end { bytefield}
\end { lrbox}
\newsavebox { \powcountbox }
\begin { lrbox} { \powcountbox }
\begin { bytefield} [bitwidth=0.16em]{ 32}
\sbitbox { 32} { 32-bit $ g $ }
\end { bytefield}
\end { lrbox}
Let $ \powtag : = \Justthebox { \powtagbox } $ .
Let $ \powcount ( g ) : = \Justthebox { \powcountbox } $ .
\vspace { 2ex}
\introlist
% Blech. Dijkstra was right \cite{EWD-831}.
Let $ \EquihashGen { n, k } ( S, i ) : = T _ \barerange { h + 1 } { h + n } $ , where
\begin { formulae}
\item $ m : = \floor { \frac { 512 } { n } } $ ;
\item $ h : = ( ( i - 1 ) \bmod m ) \mult n $ ;
\item $ T : = \BlakeTwobOf { ( \mathnormal { n \mult m } ) } { \powtag , \, S \bconcat \powcount ( \floor { \frac { i - 1 } { m } } ) } $ .
\end { formulae}
Indices of bits in $ T $ are 1-based.
$ \BlakeTwobOf { \ell } { p, x } $ is defined in \crossref { concreteblake2} .
\securityrequirement {
$ \BlakeTwobOf { \ell } { \powtag , x } $ must generate output that is sufficiently
unpredictable to avoid short-cuts to the Equihash solution process.
It would suffice to model it as a random oracle.
}
\pnote {
When $ \EquihashGen { } $ is evaluated for sequential indices, as
in the Equihash solving process (\crossref { equihash} ),
the number of calls to $ \BlakeTwobGeneric $ can be reduced by a factor of
$ \floor { \frac { 512 } { n } } $ in the best case (which is a factor of 2 for
$ n = 200 $ ).
}
\introsection
\subsubsection { \PseudoRandomFunctions } \label { concreteprfs}
$ \PRFaddr { } $ , $ \PRFnf { } $ , $ \PRFpk { } $ \changed { , and $ \PRFrho { } $ } ,
described in \crossref { abstractprfs} , are all instantiated using the \shaCompressFunction
defined in \crossref { concretesha256} :
\newcommand { \iminusone } { \hspace { 0.3pt} \scriptsize { $ i $ \hspace { 0.6pt} -1} }
\newsavebox { \addrbox }
\begin { lrbox} { \addrbox }
\setchanged
\begin { bytefield} [bitwidth=0.06em]{ 512}
\sbitbox { 18} { $ 1 $ } &
\sbitbox { 18} { $ 1 $ } &
\sbitbox { 18} { $ 0 $ } &
\sbitbox { 18} { $ 0 $ } &
\sbitbox { 224} { $ 252 $ -bit $ x $ } &
\sbitbox { 56} { $ 8 $ -bit $ t $ } &
\sbitbox { 200} { $ \zeros { 248 } $ }
\end { bytefield}
\end { lrbox}
\newsavebox { \nfbox }
\begin { lrbox} { \nfbox }
\setchanged
\begin { bytefield} [bitwidth=0.06em]{ 512}
\sbitbox { 18} { $ 1 $ } &
\sbitbox { 18} { $ 1 $ } &
\sbitbox { 18} { $ 1 $ } &
\sbitbox { 18} { $ 0 $ } &
\sbitbox { 224} { $ 252 $ -bit $ \AuthPrivate $ } &
\sbitbox { 256} { $ 256 $ -bit $ \NoteAddressRand $ }
\end { bytefield}
\end { lrbox}
\newsavebox { \pkbox }
\begin { lrbox} { \pkbox }
\setchanged
\begin { bytefield} [bitwidth=0.06em]{ 512}
\sbitbox { 18} { $ 0 $ } &
\sbitbox { 18} { \iminusone } &
\sbitbox { 18} { $ 0 $ } &
\sbitbox { 18} { $ 0 $ } &
\sbitbox { 224} { $ 252 $ -bit $ \AuthPrivate $ } &
\sbitbox { 256} { $ 256 $ -bit $ \hSig $ }
\end { bytefield}
\end { lrbox}
\newsavebox { \rhobox }
\begin { lrbox} { \rhobox }
\setchanged
\begin { bytefield} [bitwidth=0.06em]{ 512}
\sbitbox { 18} { $ 0 $ } &
\sbitbox { 18} { \iminusone } &
\sbitbox { 18} { $ 1 $ } &
\sbitbox { 18} { $ 0 $ } &
\sbitbox { 224} { $ 252 $ -bit $ \NoteAddressPreRand $ } &
\sbitbox { 256} { $ 256 $ -bit $ \hSig $ }
\end { bytefield}
\end { lrbox}
\vspace { -2ex}
\begin { equation*}
\begin { aligned}
\setchanged \PRFaddr { x} (t) & \setchanged := \SHACompressBox { \addrbox } \\
\PRFnf { \AuthPrivate } (\NoteAddressRand ) & := \SHACompressBox { \nfbox } \\
\PRFpk { \AuthPrivate } (i, \hSig ) & := \SHACompressBox { \pkbox } \\
\setchanged \PRFrho { \NoteAddressPreRand } (i, \hSig ) & \setchanged := \SHACompressBox { \rhobox }
\end { aligned}
\end { equation*}
\begin { securityrequirements}
\item The \shaCompressFunction must be \collisionResistant \! .
\item The \shaCompressFunction must be a PRF when keyed by the bits
corresponding to $ x $ , $ \AuthPrivate $ or $ \NoteAddressPreRand $
in the above diagrams, with input in the remaining bits.
\end { securityrequirements}
\changed {
\pnote {
The first four bits---i.e.\ the most significant four bits of the first byte---
are used to separate distinct uses of $ \SHACompress $ , ensuring that the functions
are independent. As well as the inputs shown here, bits $ \mathtt { 1011 } $
in this position are used to distinguish uses of the full $ \SHAFull $ hash
function; see \crossref { concretesproutcommit} .
(The specific bit patterns chosen here were motivated by the possibility of future
extensions that might have increased $ \NOld $ and/or $ \NNew $ to 3, or added an
additional bit to $ \AuthPrivate $ to encode a new key type, or that would have
required an additional PRF.\sapling { In fact since \Sapling switches to
non-$ \SHACompress $ -based cryptographic primitives, these extensions are unlikely to
be necessary.} )
}
}
\newsavebox { \expandbox }
\begin { lrbox} { \expandbox }
\setsapling
\begin { bytefield} [bitwidth=0.042em]{ 264}
\sbitbox { 256} { $ \LEBStoOSPOf { 256 } { \SpendingKey } $ } &
\sbitbox { 80} { $ 8 $ -bit $ t $ }
\end { bytefield}
\end { lrbox}
\newsavebox { \nfsaplingbox }
\begin { lrbox} { \nfsaplingbox }
\setsapling
\begin { bytefield} [bitwidth=0.046em]{ 512}
\sbitbox { 256} { $ \LEBStoOSPOf { 256 } { \reprJOf { \AuthProvePublic } } $ } &
\sbitbox { 256} { $ \LEBStoOSPOf { 256 } { \reprJOf { \NoteAddressRand } } $ }
\end { bytefield}
\end { lrbox}
\sapling {
\introlist
\vspace { 2ex}
Let $ \LEOStoIP { } $ be as defined in \crossref { endian} .
$ \PRFexpand { } $ is used in \crossref { saplingkeycomponents} to derive the
\authSigningKey $ \AuthSignPrivate $ and the \authProvingKey $ \AuthProvePrivate $ .
It is instantiated using the $ \BlakeTwobGeneric $ \hashFunction defined in
\crossref { concreteblake2} :
\begin { formulae}
\item $ \PRFexpand { \SpendingKey } ( t ) : =
\LEOStoIPOf { 512} { \BlakeTwobOf { 512} { \ascii { Zcash\_ ExpandSeed} , \Justthebox { \expandbox } } } \pmod { \ParamJ { r} } $
\end { formulae}
\securityrequirement {
$ \BlakeTwobOf { 512 } { \ascii { Zcash \_ ExpandSeed } , \Justthebox { \expandbox } } $ must be a PRF for output range
$ \byteseq { 64 } $ when keyed by the bits corresponding to $ \SpendingKey $ , with input in the bits
corresponding to $ t $ . In that case it follows that $ \PRFexpand { } $ is also a PRF for output range
$ \GF { \ParamJ { r } } $ , since $ \LEOStoIP { 512 } \typecolon \byteseq { 64 } \rightarrow \range { 0 } { 2 ^ { 512 } - 1 } $
is injective and $ 2 ^ { 512 } $ is large compared to $ \ParamJ { r } $ .
}
\vspace { 2ex}
\introlist
2018-03-18 14:43:57 -07:00
$ \PRFnfSapling { } $ is used to derive the \nullifier for a \Sapling { } \note .
2018-03-11 00:44:49 -08:00
It is instantiated using the $ \BlakeTwosGeneric $ \hashFunction defined in \crossref { concreteblake2} :
2018-03-06 14:30:15 -08:00
\begin { formulae}
2018-03-18 14:43:57 -07:00
\item $ \PRFnfSapling { \AuthProvePublic } ( \NoteAddressRand ) : = \BlakeTwosOf { 256 } { \ascii { Zcash \_ nf } , \Justthebox { \nfsaplingbox } } $ .
2018-03-06 14:30:15 -08:00
\end { formulae}
2018-03-18 14:43:57 -07:00
\securityrequirement {
$ \BlakeTwosOf { 256 } { \ascii { Zcash \_ nf } , \Justthebox { \nfsaplingbox } } $ must be a
\collisionResistant PRF for output range $ \byteseq { 32 } $ when keyed by the bits
corresponding to $ \AuthProvePublic $ , with input in the bits corresponding to
$ \NoteAddressRand $ .
}
2018-03-11 00:44:49 -08:00
} %sapling
\introsection
2018-03-12 15:51:20 -07:00
\subsubsection { \SymmetricEncryption } \label { concretesym}
\changed {
Let $ \Keyspace : = \bitseq { 256 } $ , $ \Plaintext : = \byteseqs $ , and $ \Ciphertext : = \byteseqs $ .
Let $ \SymEncrypt { \Key } ( \Ptext ) $ be authenticated encryption using
$ \SymSpecific $ \cite { RFC-7539} encryption of plaintext $ \Ptext \in \Plaintext $ ,
with empty ``associated data'', all-zero nonce $\zeros{96}$, and $256$-bit key
$ \Key \in \Keyspace $ .
Similarly, let $ \SymDecrypt { \Key } ( \Ctext ) $ be $ \SymSpecific $
decryption of ciphertext $ \Ctext \in \Ciphertext $ , with empty
``associated data'', all-zero nonce $\zeros{96}$, and $256$-bit key
$ \Key \in \Keyspace $ . The result is either the plaintext byte sequence,
or $ \bot $ indicating failure to decrypt.
}
\pnote {
The ``IETF'' definition of $\SymSpecific$ from \cite{RFC-7539} is
used; this has a 32-bit block count and a 96-bit nonce, rather than a 64-bit
block count and 64-bit nonce as in the original definition of $ \SymCipher $ .
}
\subsubsection { \KeyAgreementAndDerivation } \label { concretekaandkdf}
\subsubsubsection { \SproutOrNothing \KeyAgreement } \label { concretesproutkeyagreement}
\changed {
The \keyAgreementScheme specified in \crossref { abstractkeyagreement} is
instantiated using Curve25519 \cite { Bern2006} as follows.
Let $ \KASproutPublic $ and $ \KASproutSharedSecret $ be the type of Curve25519 public keys
(i.e.\ a sequence of $ 32 $ bytes), and let $ \KASproutPrivate $ be the type of Curve25519
2016-09-03 20:17:27 -07:00
secret keys.
Let $ \CurveMultiply ( \bytes { n } , \bytes { q } ) $ be the result of point
2016-08-15 07:27:10 -07:00
multiplication of the Curve25519 public key represented by the byte
sequence $ \bytes { q } $ by the Curve25519 secret key represented by the
2016-09-03 20:17:27 -07:00
byte sequence $ \bytes { n } $ , as defined in \cite [section 2] { Bern2006} .
2018-02-26 01:44:19 -08:00
Let $ \KASproutBase : = \CurveBase $ be the public byte sequence representing
the Curve25519 base point.
2016-09-03 20:17:27 -07:00
Let $ \Clamp ( \bytes { x } ) $ take a 32-byte sequence $ \bytes { x } $ as input
and return a byte sequence representing a Curve25519 private key, with
2016-08-14 12:42:14 -07:00
bits ``clamped'' as described in \cite [section 3] { Bern2006} :
2016-08-15 07:27:10 -07:00
``clear bits $ 0 , 1 , 2 $ of the first byte, clear bit $ 7 $ of the last byte,
and set bit $ 6 $ of the last byte.'' Here the bits of a byte are numbered
such that bit $ b $ has numeric weight $ 2 ^ b $ .
Define $ \KASproutFormatPrivate ( x ) : = \Clamp ( x ) $ .
Define $ \KASproutAgree ( n, q ) : = \CurveMultiply ( n, q ) $ .
2016-08-15 07:27:10 -07:00
}
2018-02-07 03:53:07 -08:00
\introsection
2018-03-12 15:51:20 -07:00
\subsubsubsection { \SproutOrNothing \KeyDerivation } \label { concretesproutkdf}
2016-06-21 15:59:39 -07:00
\newsavebox { \kdftagbox }
\begin { lrbox} { \kdftagbox }
\setchanged
\begin { bytefield} [bitwidth=0.16em]{ 128}
2018-03-10 13:00:27 -08:00
\sbitbox { 64} { $ 64 $ -bit $ \ascii { ZcashKDF } $ } &
\sbitbox { 32} { $ 8 $ -bit $ i \! - \! 1 $ } &
\sbitbox { 56} { $ \zeros { 56 } $ }
2016-06-21 15:59:39 -07:00
\end { bytefield}
\end { lrbox}
\newsavebox { \kdfinputbox }
\begin { lrbox} { \kdfinputbox }
\setchanged
\begin { bytefield} [bitwidth=0.04em]{ 1024}
2018-03-10 13:00:27 -08:00
\sbitbox { 256} { $ 256 $ -bit $ \hSig $ } &
\sbitbox { 256} { $ 256 $ -bit $ \DHSecret { i } $ } &
\sbitbox { 256} { $ 256 $ -bit $ \EphemeralPublic $ } &
\sbitbox { 256} { $ 256 $ -bit $ \TransmitPublicNew { i } $ }
2016-06-21 15:59:39 -07:00
\end { bytefield}
\end { lrbox}
\changed {
2016-08-08 09:06:52 -07:00
The \keyDerivationFunction specified in \crossref { abstractkdf} is instantiated
2018-01-22 10:24:16 -08:00
using $ \BlakeTwob { 256 } $ as follows:
\begin { formulae}
2018-02-07 03:53:07 -08:00
\item $ \KDFSprout ( i, \hSig , \DHSecret { i } , \EphemeralPublic , \TransmitPublicNew { i } ) : =
2018-03-11 05:45:51 -07:00
\BlakeTwobOf { 256} { \kdftag , \kdfinput } $
2017-01-19 14:46:40 -08:00
\end { formulae}
2018-02-07 03:53:07 -08:00
\introlist
2016-06-21 15:59:39 -07:00
where:
2017-01-19 14:46:40 -08:00
\begin { formulae}
\item $ \kdftag : = \Justthebox { \kdftagbox } $
\item $ \kdfinput : = \Justthebox { \kdfinputbox } $ .
\end { formulae}
2016-06-21 15:59:39 -07:00
}
2018-03-11 05:45:51 -07:00
$ \BlakeTwobOf { 256 } { p, x } $ is defined in \crossref { concreteblake2} .
2018-02-23 18:05:09 -08:00
\sapling {
2018-03-12 15:51:20 -07:00
\subsubsubsection { \Sapling \KeyAgreement } \label { concretesaplingkeyagreement}
The \keyAgreementScheme specified in \crossref { abstractkeyagreement} is
instantiated using Diffie--Hellman with cofactor multiplication on $\JubjubCurve$
as follows.
Let $ \KASaplingPublic $ and $ \KASaplingSharedSecret $ be the type of compressed
$ \JubjubCurve $ points $ \CompressedEdwardsJubjub $ , and let $ \KASaplingPrivate $ be
the type of $ \JubjubCurve $ secret keys. \todo { expand this}
} %sapling
\newsavebox { \kdfsaplinginputbox }
\begin { lrbox} { \kdfsaplinginputbox }
2018-03-10 13:00:27 -08:00
\setsapling
2018-02-26 03:42:52 -08:00
\begin { bytefield} [bitwidth=0.07em]{ 544}
2018-03-10 13:00:27 -08:00
\sbitbox { 80} { $ 32 $ -bit $ \OutputIndex $ } &
2018-03-18 14:45:27 -07:00
\sbitbox { 256} { $ \LEBStoOSPOf { 256 } { \reprJOf { \DHSecret { } } } $ } &
\sbitbox { 256} { $ \LEBStoOSPOf { 256 } { \reprJOf { \EphemeralPublic } } $ }
2018-02-26 01:44:19 -08:00
\end { bytefield}
\end { lrbox}
\sapling {
2018-03-12 15:51:20 -07:00
\subsubsubsection { \Sapling \KeyDerivation } \label { concretesaplingkdf}
The $ \KDFSapling $ \keyDerivationFunction is specified in \crossref { abstractkdf} .
It is instantiated using $ \BlakeTwob { 256 } $ as follows:
2018-02-26 01:44:19 -08:00
\begin { formulae}
\item $ \KDFSapling ( \OutputIndex , \DHSecret { } , \EphemeralPublic ) : =
2018-03-11 05:45:51 -07:00
\BlakeTwobOf { 256} { \ascii { Zcash\_ SaplingKDF} , \kdfinput } $ .
2018-02-26 01:44:19 -08:00
\end { formulae}
\introlist
where:
\begin { formulae}
\item $ \kdfinput : = \Justthebox { \kdfsaplinginputbox } $ .
\end { formulae}
2018-03-11 05:45:51 -07:00
$ \BlakeTwobOf { 256 } { p, x } $ is defined in \crossref { concreteblake2} .
2018-03-09 20:11:23 -08:00
} %sapling
\subsubsection { \JoinSplitSignature } \label { concretejssig}
$ \JoinSplitSig $ is specified in \crossref { abstractsig} .
2018-02-07 02:55:53 -08:00
\changed { It is instantiated as $ \JoinSplitSigSpecific $ \cite { BDLSY2012} ,
2018-01-29 16:42:35 -08:00
with the additional requirements that:
\begin { itemize}
\item $ \EdDSAS $ \MUST represent an integer less than
the prime $ \ell = 2 ^ { 252 } + 27742317777372353535851937790883648493 $ ;
\item $ \EdDSAR $ \MUST represent a point of order $ \ell $ on the Ed25519 curve;
\end { itemize}
If these requirements are not met then the signature is considered invalid.
2018-02-07 02:55:53 -08:00
Note that it is \emph { not} required that the encoding of the $ y $ -coordinate
2018-01-29 16:42:35 -08:00
in $ \EdDSAR $ is less than $ 2 ^ { 255 } - 19 $ .
2016-09-03 20:22:46 -07:00
$ \JoinSplitSigSpecific $ is defined as using $ \JoinSplitSigHashName $ internally.
2018-02-26 01:44:19 -08:00
A valid $ \JoinSplitSigSpecific $ public key is defined as a point of order $ \ell $
on the Ed25519 curve, in the encoding specified by \cite { BDLSY2012} . Again, it is
\emph{not} required that the encoding of the $y$-coordinate of the public key is
less than $ 2 ^ { 255 } - 19 $ .
2016-09-03 20:22:46 -07:00
}
\newsavebox { \sigbox }
\begin { lrbox} { \sigbox }
\setchanged
\begin { bytefield} [bitwidth=0.075em]{ 512}
2018-03-10 13:00:27 -08:00
\sbitbox { 256} { $ 256 $ -bit $ \EdDSAR $ } &
\sbitbox { 256} { $ 256 $ -bit $ \EdDSAS $ }
2016-09-03 20:22:46 -07:00
\end { bytefield}
\end { lrbox}
2017-01-19 18:24:49 -08:00
\introlist
2016-09-03 20:22:46 -07:00
\changed {
The encoding of a signature is:
}
2017-01-19 14:46:40 -08:00
\begin { formulae}
\item $ \Justthebox { \sigbox } $
\end { formulae}
2016-09-03 20:22:46 -07:00
\changed {
2018-02-07 02:55:53 -08:00
where $ \EdDSAR $ and $ \EdDSAS $ are as defined in \cite { BDLSY2012} .
The encoding of a public key is as defined in \cite { BDLSY2012} .
2016-09-03 20:22:46 -07:00
}
\sapling {
2018-03-12 15:51:20 -07:00
\subsubsection { \SpendAuthSignature } \label { concretespendauthsig}
$ \SpendAuthSig $ is a signature scheme with re-randomizable keys specified in
\crossref { abstractsigrerand} .
It is instantiated as EdJubjub, which is defined as $ \EdDSA $ \cite { BJLSY2015} over the
\jubjubCurve with these additional constraints: \todo{...}
\cite { FKMSSS2016}
} %sapling
\introlist
2018-03-12 15:51:20 -07:00
\subsubsection { Commitment schemes} \label { concretecommit}
\subsubsubsection { \SproutOrNothing { } \NoteCommitments } \label { concretesproutcommit}
2016-05-20 16:06:15 -07:00
\newsavebox { \cmbox }
\begin { lrbox} { \cmbox }
\setchanged
2018-03-16 08:58:23 -07:00
\begin { bytefield} [bitwidth=0.027em]{ 840}
\sbitbox { 28} { $ 1 $ } &
\sbitbox { 28} { $ 0 $ } &
\sbitbox { 28} { $ 1 $ } &
\sbitbox { 28} { $ 1 $ } &
\sbitbox { 28} { $ 0 $ } &
\sbitbox { 28} { $ 0 $ } &
\sbitbox { 28} { $ 0 $ } &
\sbitbox { 28} { $ 0 $ } &
2018-03-10 13:00:27 -08:00
\sbitbox { 256} { $ 256 $ -bit $ \AuthPublic $ } &
2018-03-16 08:58:23 -07:00
\sbitbox { 140} { $ 64 $ -bit $ \Value $ } &
2018-03-10 13:00:27 -08:00
\sbitbox { 256} { $ 256 $ -bit $ \NoteAddressRand $ } &
\sbitbox { 256} { $ 256 $ -bit $ \NoteCommitRand $ }
2016-05-20 16:06:15 -07:00
\end { bytefield}
\end { lrbox}
2018-02-26 01:44:19 -08:00
The commitment scheme $ \NoteCommitSprout { } $ specified in \crossref { abstractcommit} is
2018-02-23 17:56:32 -08:00
instantiated using $ \SHAFull $ as follows:
\begin { formulae} [leftmargin=1em]
2018-03-16 08:58:23 -07:00
\item $ \NoteCommitSprout { \NoteCommitRand } ( \AuthPublic , \Value , \NoteAddressRand ) : = \SHAFullBox { \cmbox } $
2017-01-19 14:46:40 -08:00
\end { formulae}
\pnote {
2018-02-23 17:56:32 -08:00
The leading byte of the $ \SHAFull $ input is $ \hexint { B 0 } $ .
2016-05-20 16:06:15 -07:00
}
2017-02-11 21:44:15 -08:00
\begin { securityrequirements}
2018-03-16 08:58:23 -07:00
\item The \shaCompressFunction must be \collisionResistant \! .
2018-02-23 18:08:14 -08:00
\item The \shaCompressFunction must be a PRF when keyed by the bits corresponding
2018-02-23 17:56:32 -08:00
to the position of $ \NoteCommitRand $ in the second block of $ \SHAFull $
2017-02-11 21:44:15 -08:00
input, with input to the PRF in the remaining bits of the block and
the chaining variable.
\end { securityrequirements}
\sapling {
2018-03-12 15:51:20 -07:00
\subsubsubsection { Windowed Pedersen commitments} \label { concretewindowedcommit}
2018-02-26 01:44:19 -08:00
We construct \quotedterm { windowed} \xPedersenCommitments by reusing the \xPedersenHash
construction from \crossref { concretepedersenhash} , and adding a randomized point
2018-03-11 07:00:00 -07:00
on the \jubjubCurve (see \crossref { jubjub} ):
2018-02-26 01:44:19 -08:00
\begin { formulae}
2018-03-11 14:31:18 -07:00
\item $ \WindowedPedersenCommit { r } ( s ) : =
\PedersenHashToPoint (\ascii { Zcash\_ PH} , s) + \scalarmult { r} { \FindGroupJHashOf { \ascii { Zcash\_ PH} , \ascii { r} } } $
2018-02-26 01:44:19 -08:00
\end { formulae}
See \crossref { cctwindowedcommit} for rationale and efficient circuit implementation
of this function.
The commitment scheme $\NoteCommitSapling{}$ specified in \crossref{abstractcommit} is
instantiated using $ \WindowedPedersenCommitAlg $ as follows:
\begin { formulae}
2018-03-18 14:43:57 -07:00
\item $ \NoteCommitSapling { \NoteCommitRand } ( \DiversifiedTransmitBaseRepr , \DiversifiedTransmitPublicRepr , \Value ) : =
\WindowedPedersenCommit { \NoteCommitRand } (\ones { 6} \bconcat \DiversifiedTransmitBaseRepr \bconcat
\DiversifiedTransmitPublicRepr \bconcat \ItoLEBSP { 64} (\Value ))$ .
2018-02-26 01:44:19 -08:00
\end { formulae}
\begin { securityrequirements}
\item $ \WindowedPedersenCommitAlg $ must be a computationally binding and at least
2018-03-11 14:31:18 -07:00
computationally hiding \commitmentScheme .
2018-02-26 01:44:19 -08:00
\item $ \NoteCommitSaplingAlg $ must be a computationally binding and at least
computationally hiding \commitmentScheme .
\end { securityrequirements}
(They are in fact unconditionally hiding \commitmentSchemes .)
2018-03-11 14:31:18 -07:00
\pnote {
The prefix $ \ones { 6 } $ distinguishes the use of $ \WindowedPedersenCommitAlg $ in
$ \NoteCommitSaplingAlg $ from the layer prefix used in $ \MerkleCRHSapling $ (see
\crossref { merklecrh} ). The latter is a $ 6 $ -bit little-endian encoding of an integer
in $ \range { 0 } { \MerkleDepthSapling - 1 } $ , and so cannot collide with $ \ones { 6 } $ because
$ \MerkleDepthSapling < 64 $ .
}
2018-02-26 01:44:19 -08:00
}
\sapling {
2018-03-12 15:51:20 -07:00
\subsubsubsection { Homomorphic Pedersen commitments} \label { concretehomomorphiccommit}
2018-02-26 01:44:19 -08:00
The windowed Pedersen commitments defined in the preceding section are
highly efficient, but they do not support the homomorphic property we
2018-03-16 08:58:23 -07:00
need when instantiating $ \ValueCommit { } $ (see \crossref { saplingbalance} and
\crossref { spendsandoutputs} ).
In order to support this property, we also define \quotedterm { homomorphic}
2018-02-26 01:44:19 -08:00
\xPedersenCommitments as follows:
\begin { formulae}
2018-03-06 14:34:18 -08:00
\item $ \HomomorphicPedersenCommit { \ValueCommitRand } ( D, \Value ) : =
2018-03-16 08:58:23 -07:00
\scalarmult { \Value } { \FindGroupJHashOf { D, \ascii { v} } } + \scalarmult { \ValueCommitRand } { \FindGroupJHashOf { D, \ascii { r} } } $
2018-02-26 01:44:19 -08:00
\end { formulae}
2018-03-06 14:34:18 -08:00
See \crossref { ccthomomorphiccommit} for rationale and efficient circuit implementation
2018-02-26 01:44:19 -08:00
of this function.
The commitment scheme $ \ValueCommit { } $ specified in \crossref { abstractcommit} is
2018-03-06 14:34:18 -08:00
instantiated using $ \HomomorphicPedersenCommit { } $ as follows:
2018-02-26 01:44:19 -08:00
\begin { formulae}
\item $ \ValueCommit { \ValueCommitRand } ( \Value ) : =
2018-03-06 14:34:18 -08:00
\HomomorphicPedersenCommit { \ValueCommitRand } (\ascii { Zcash\_ cv} , \Value )$ .
2018-02-26 01:44:19 -08:00
\end { formulae}
\begin { securityrequirements}
2018-03-06 14:34:18 -08:00
\item $ \HomomorphicPedersenCommitAlg $ must be a computationally binding and at least
2018-02-26 01:44:19 -08:00
computationally hiding \commitmentScheme , for a given personalization input $ D $ .
\item $ \ValueCommitAlg $ must be a computationally binding and at least
computationally hiding \commitmentScheme .
\end { securityrequirements}
(They are in fact unconditionally hiding \commitmentSchemes .)
}
2018-02-07 02:55:53 -08:00
\introsection
2018-03-12 15:51:20 -07:00
\subsubsection { \RepresentedGroupsAndPairings } \label { concretepairing}
\subsubsubsection { \BNRepresentedPairing } \label { bnpairing}
2017-12-01 17:03:17 -08:00
The \representedPairing $ \BNCurve $ is defined in this section.
2018-03-06 14:16:55 -08:00
Let $ \ParamG { q } : = 21888242871839275222246405745257275088696311157297823662689037894645226208583 $ .
Let $ \ParamG { r } : = 21888242871839275222246405745257275088548364400416034343698204186575808495617 $ .
Let $ \ParamG { b } : = 3 $ .
2017-12-01 17:03:17 -08:00
(\hairspace $ \ParamG { q } $ and $ \ParamG { r } $ are prime.)
Let $ \GroupG { 1 } $ be the group of points on a Barreto--Naehrig curve $ \CurveG { 1 } $ over
$ \GF { \ParamG { q } } $ with equation $ y ^ 2 = x ^ 3 + \ParamG { b } $ .
This curve has embedding degree 12 with respect to $ \ParamG { r } $ .
Let $\GroupG{2}$ be the subgroup of order $\ParamG{r}$ in the sextic twist $\CurveG{2}$ of
$ \GroupG { 1 } $ over $ \GF { \ParamGexp { q } { 2 } } $ with equation $ y ^ 2 = x ^ 3 + \frac { \ParamG { b } } { \xi } $ ,
where $ \xi \typecolon \GF { \ParamGexp { q } { 2 } } $ .
We represent elements of $ \GF { \ParamGexp { q } { 2 } } $ as polynomials
$ a _ 1 \mult t + a _ 0 \typecolon \GF { \ParamG { q } } [ t ] $ , modulo the irreducible polynomial
$ t ^ 2 + 1 $ ; in this representation, $ \xi $ is given by $ t + 9 $ .
Let $ \GroupG { T } $ be the subgroup of $ \ParamGexp { r } { \mathrm { th } } $ roots of unity in
$ \GFstar { \ParamGexp { q } { 12 } } $ .
Let $ \PairingG $ be the optimized ate pairing of type
$ \GroupG { 1 } \times \GroupG { 2 } \rightarrow \GroupG { T } $ .
For $ i \typecolon \range { 1 } { 2 } $ , let $ \ZeroG { i } $ be the point at infinity
(which is the additive identity) in $ \GroupG { i } $ , and let
2018-03-06 14:16:55 -08:00
$ \GroupGstar { i } : = \GroupG { i } \setminus \setof { \ZeroG { i } } $ .
Let $ \GenG { 1 } \typecolon \GroupGstar { 1 } : = ( 1 , 2 ) $ .
2017-12-01 17:03:17 -08:00
\begin { tabular} { @{ } l@{ } r@{ } l@{ } }
2018-03-06 14:16:55 -08:00
Let $ \GenG { 2 } \typecolon \GroupGstar { 2 } : = \; $
2017-12-01 17:03:17 -08:00
% are these the right way round?
2018-03-16 08:58:23 -07:00
& $ ( 11559732032986387107991004021392285783925812861821192530917403151452391805634 $ & $ \, \mult \, t \; + $ \\
& $ 10857046999023057135944570762232829481370756359578518086990519993285655852781 $ & $ , $ \\
& $ 4082367875863433681332203403145435568316851327593401208105741076214120093531 $ & $ \, \mult \, t \; + $ \\
& $ 8495653923123431417604973247489272438418190587263600148770280649306958101930 $ & $ ) . $
2017-12-01 17:03:17 -08:00
\end { tabular}
$ \GenG { 1 } $ and $ \GenG { 2 } $ are generators of $ \GroupG { 1 } $ and $ \GroupG { 2 } $ respectively.
\newsavebox { \gonebox }
\begin { lrbox} { \gonebox }
\setchanged
\begin { bytefield} [bitwidth=0.045em]{ 264}
2018-03-10 13:00:27 -08:00
\sbitbox { 20} { $ 0 $ } &
\sbitbox { 20} { $ 0 $ } &
\sbitbox { 20} { $ 0 $ } &
\sbitbox { 20} { $ 0 $ } &
\sbitbox { 20} { $ 0 $ } &
\sbitbox { 20} { $ 0 $ } &
\sbitbox { 20} { $ 1 $ } &
\sbitbox { 80} { $ 1 $ -bit $ \tilde { y } $ } &
\sbitbox { 256} { $ 256 $ -bit $ \ItoBEBSP { 256 } ( x ) $ }
2017-12-01 17:03:17 -08:00
\end { bytefield}
\end { lrbox}
\newsavebox { \gtwobox }
\begin { lrbox} { \gtwobox }
\setchanged
\begin { bytefield} [bitwidth=0.045em]{ 520}
2018-03-10 13:00:27 -08:00
\sbitbox { 20} { $ 0 $ } &
\sbitbox { 20} { $ 0 $ } &
\sbitbox { 20} { $ 0 $ } &
\sbitbox { 20} { $ 0 $ } &
\sbitbox { 20} { $ 1 $ } &
\sbitbox { 20} { $ 0 $ } &
\sbitbox { 20} { $ 1 $ } &
\sbitbox { 80} { $ 1 $ -bit $ \tilde { y } $ } &
\sbitbox { 512} { $ 512 $ -bit $ \ItoBEBSP { 512 } ( x ) $ }
2017-12-01 17:03:17 -08:00
\end { bytefield}
\end { lrbox}
2018-02-26 01:44:19 -08:00
Define $ \ItoBEBSP { } \typecolon ( \ell \typecolon \Nat ) \times \range { 0 } { 2 ^ \ell \! - \! 1 } \rightarrow
\bitseq { \ell } $ as in \crossref { endian } .
2017-12-01 17:03:17 -08:00
\introlist
For a point $ P \typecolon \GroupGstar { 1 } = ( \xP , \yP ) $ :
\begin { itemize}
\item The field elements $\xP$ and $\yP \typecolon \GF{\ParamG{q}}$ are represented as
integers $x$ and $y \typecolon \range{0}{\ParamG{q} \! - \! 1}$.
\item Let $ \tilde { y } = y \bmod 2 $ .
\item $ P $ is encoded as $ \Justthebox { \gonebox } $ .
\end { itemize}
\introlist
For a point $ P \typecolon \GroupGstar { 2 } = ( \xP , \yP ) $ :
\begin { itemize}
\item Define $ \FEtoIP \typecolon \GF { \ParamG { q } } [ t ] / ( t ^ 2 + 1 ) \rightarrow
\range { 0} { \ParamGexp { q} { 2} \! -\! 1} $ such that
$ \FEtoIP ( a _ { w, 1 } \mult t + a _ { w, 0 } ) = a _ { w, 1 } \mult q + a _ { w, 0 } $ .
\item Let $ x = \FEtoIP ( \xP ) $ , $ y = \FEtoIP ( \yP ) $ , and $ y' = \FEtoIP ( - \yP ) $ .
\item Let $ \tilde { y } = \begin { cases }
1, & \caseif y > y' \\
0, & \caseotherwise .
\end { cases} $
\item $ P $ is encoded as $ \Justthebox { \gtwobox } $ .
\end { itemize}
\introlist
\subparagraph { Non-normative notes:}
\begin { itemize}
2018-02-26 01:44:19 -08:00
\item The use of big-endian order by $ \ItoBEBSP { } $ is different from the encoding
2017-12-01 17:03:17 -08:00
of most other integers in this protocol.
The encodings for $ \GroupGstar { 1 , 2 } $ are consistent with the
definition of $ \ECtoOSP { } $ for compressed curve points in
\cite [section 5.5.6.2] { IEEE2004} . The LSB compressed form
(i.e.\ $ \ECtoOSPXL $ ) is used for points in $ \GroupGstar { 1 } $ ,
and the SORT compressed form (i.e.\ $ \ECtoOSPXS $ ) for points in
$ \GroupGstar { 2 } $ .
\item The points at infinity $ \ZeroG { 1 , 2 } $ never occur in proofs and
have no defined encodings in this protocol.
\item Testing $ y > y' $ for the compression of $ \GroupGstar { 2 } $ points is equivalent
to testing whether $ ( a _ { y, 1 } , a _ { y, 0 } ) > ( a _ { - y, 1 } , a _ { - y, 0 } ) $ in lexicographic order.
\item Algorithms for decompressing points from the above encodings are
given in \cite [Appendix A.12.8] { IEEE2000} for $ \GroupGstar { 1 } $ , and
\cite [Appendix A.12.11] { IEEE2004} for $ \GroupGstar { 2 } $ .
\item A rational point $ P \neq \ZeroG { 2 } $ on the curve $ \CurveG { 2 } $ can be
verified to be of order $ \ParamG { r } $ , and therefore in $ \GroupGstar { 2 } $ ,
by checking that $ \ParamG { r } \mult P = \ZeroG { 2 } $ .
\end { itemize}
When computing square roots in $ \GF { \ParamG { q } } $ or $ \GF { \ParamGexp { q } { 2 } } $ in
order to decompress a point encoding, the implementation \MUSTNOT assume that
the square root exists, or that the encoding represents a point on the curve.
\newsavebox { \sonebox }
\begin { lrbox} { \sonebox }
\setsapling
\begin { bytefield} [bitwidth=0.045em]{ 384}
2018-03-10 13:00:27 -08:00
\sbitbox { 20} { $ 1 $ } &
\sbitbox { 20} { $ 0 $ } &
\sbitbox { 80} { $ 1 $ -bit $ \tilde { y } $ } &
\sbitbox { 381} { $ 381 $ -bit $ \ItoBEBSP { 381 } ( x ) $ }
2017-12-01 17:03:17 -08:00
\end { bytefield}
\end { lrbox}
\newsavebox { \stwobox }
\begin { lrbox} { \stwobox }
\setsapling
\begin { bytefield} [bitwidth=0.045em]{ 768}
2018-03-10 13:00:27 -08:00
\sbitbox { 20} { $ 1 $ } &
\sbitbox { 20} { $ 0 $ } &
\sbitbox { 80} { $ 1 $ -bit $ \tilde { y } $ } &
\sbitbox { 381} { $ 381 $ -bit $ \ItoBEBSP { 381 } ( x _ 1 ) $ } &
\sbitbox { 384} { $ 384 $ -bit $ \ItoBEBSP { 384 } ( x _ 2 ) $ }
2017-12-01 17:03:17 -08:00
\end { bytefield}
\end { lrbox}
\sapling {
2018-03-12 15:51:20 -07:00
\subsubsubsection { \BLSRepresentedPairing } \label { blspairing}
2017-12-01 17:03:17 -08:00
The \representedPairing $ \BLSCurve $ is defined in this section. Parameters are taken from
\cite { Bowe2017} .
\introlist
2018-03-16 08:58:23 -07:00
Let $ \ParamS { q } : = \; $ \scalebox { 0.81} [1]{ $ 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559787 $ .}
Let $ \ParamS { r } : = 52435875175126190479447740508185965837690552500527637822603658699938581184513 $ .
Let $ \ParamS { u } : = - 15132376222941642752 $ .
Let $ \ParamS { b } : = 4 $ .
2017-12-01 17:03:17 -08:00
(\hairspace $ \ParamS { q } $ and $ \ParamS { r } $ are prime.)
Let $ \GroupS { 1 } $ be the group of points on a Barreto--Lynn--Scott curve $ \CurveS { 1 } $ over
$ \GF { \ParamS { q } } $ with equation $ y ^ 2 = x ^ 3 + \ParamS { b } $ .
This curve has embedding degree 12 with respect to $ \ParamS { r } $ .
Let $ \GroupS { 2 } $ be the subgroup of order $ \ParamS { r } $ in the sextic twist $ \CurveS { 2 } $ of
$ \GroupS { 1 } $ over $ \GF { \ParamSexp { q } { 2 } } $ with equation $ y ^ 2 = x ^ 3 + 4 ( i + 1 ) $ , where
$ i \typecolon \GF { \ParamSexp { q } { 2 } } $ .
We represent elements of $ \GF { \ParamSexp { q } { 2 } } $ as polynomials
$ a _ 1 \mult t + a _ 0 \typecolon \GF { \ParamS { q } } [ t ] $ , modulo the irreducible polynomial
$ t ^ 2 + 1 $ ; in this representation, $ i $ is given by \todo { $ ? $ } .
Let $ \GroupS { T } $ be the subgroup of $ \ParamSexp { r } { \mathrm { th } } $ roots of unity in
$ \GFstar { \ParamSexp { q } { 12 } } $ .
Let $ \PairingS $ be the optimized ate pairing of type
$ \GroupS { 1 } \times \GroupS { 2 } \rightarrow \GroupS { T } $ .
For $ i \typecolon \range { 1 } { 2 } $ , let $ \ZeroS { i } $ be the point at infinity in $ \GroupS { i } $ ,
2018-03-06 14:16:55 -08:00
and let $ \GroupSstar { i } : = \GroupS { i } \setminus \setof { \ZeroS { i } } $ .
2017-12-01 17:03:17 -08:00
\introlist
2018-03-06 14:16:55 -08:00
Let $ \GenS { 1 } \typecolon \GroupSstar { 1 } : = ( 1 , 2 ) $ .
2017-12-01 17:03:17 -08:00
\begin { tabular} { @{ } l@{ } r@{ } l@{ } }
2018-03-06 14:16:55 -08:00
Let $ \GenS { 2 } \typecolon \GroupSstar { 2 } : = \; $
2017-12-01 17:03:17 -08:00
% are these the right way round?
2018-03-16 08:58:23 -07:00
& $ ( 11559732032986387107991004021392285783925812861821192530917403151452391805634 $ & $ \, \mult \, t \; + $ \\
& $ 10857046999023057135944570762232829481370756359578518086990519993285655852781 $ & $ , $ \\
& $ 4082367875863433681332203403145435568316851327593401208105741076214120093531 $ & $ \, \mult \, t \; + $ \\
& $ 8495653923123431417604973247489272438418190587263600148770280649306958101930 $ & $ ) . $
2017-12-01 17:03:17 -08:00
\end { tabular}
$ \GenS { 1 } $ and $ \GenS { 2 } $ are generators of $ \GroupS { 1 } $ and $ \GroupS { 2 } $ respectively.
2018-02-26 01:44:19 -08:00
Define $ \ItoBEBSP { } \typecolon ( \ell \typecolon \Nat ) \times \range { 0 } { 2 ^ \ell \! - \! 1 } \rightarrow
\bitseq { \ell } $ as in \crossref { endian } .
2017-12-01 17:03:17 -08:00
\introlist
For a point $ P \typecolon \GroupSstar { 1 } = ( \xP , \yP ) $ :
\begin { itemize}
\item The field elements $ \xP $ and $ \yP \typecolon \GF { \ParamS { q } } $ are represented as
integers $ x $ and $ y \typecolon \range { 0 } { \ParamS { q } \! - \! 1 } $ .
\item Let $ \tilde { y } = \begin { cases }
1, & \caseif y > \ParamS { q} -y \\
0, & \caseotherwise .
\end { cases} $
\item $ P $ is encoded as $ \Justthebox { \sonebox } $ .
\end { itemize}
\introlist
For a point $ P \typecolon \GroupSstar { 2 } = ( \xP , \yP ) $ :
\begin { itemize}
\item Define $ \FEtoIPP \typecolon \GF { \ParamS { q } } [ t ] / ( t ^ 2 + 1 ) \rightarrow
\typeexp { \range { 0} { \ParamS { q} \! -\! 1} } { 2} $ such that
$ \FEtoIPP ( a _ { w, 1 } \mult t + a _ { w, 0 } ) = [ a _ { w, 1 } , a _ { w, 0 } ] $ .
\item Let $ x = \FEtoIPP ( \xP ) $ , $ y = \FEtoIPP ( \yP ) $ , and $ y' = \FEtoIPP ( - \yP ) $ .
\item Let $ \tilde { y } = \begin { cases }
1, & \caseif y > y' \text { lexicographically} \\
0, & \caseotherwise .
\end { cases} $
\item $ P $ is encoded as $ \Justthebox { \stwobox } $ .
\end { itemize}
\introlist
\subparagraph { Non-normative notes:}
\begin { itemize}
\item The encodings for $ \GroupSstar { 1 , 2 } $ are specific to \Zcash .
\item The points at infinity $ \ZeroS { 1 , 2 } $ never occur in proofs and
have no defined encodings in this protocol.
\item Algorithms for decompressing points from the encodings of
$ \GroupSstar { 1 , 2 } $ are defined analogously to those for
$ \GroupGstar { 1 , 2 } $ in \crossref { bnpairing} , taking into account that
the SORT compressed form (not the LSB compressed form) is used
for $ \GroupGstar { 1 } $ .
\item A rational point $ P \neq \ZeroS { 2 } $ on the curve $ \CurveS { 2 } $ can be
verified to be of order $ \ParamS { r } $ , and therefore in $ \GroupSstar { 2 } $ ,
by checking that $ \ParamS { r } \mult P = \ZeroS { 2 } $ .
\end { itemize}
When computing square roots in $ \GF { \ParamS { q } } $ or $ \GF { \ParamSexp { q } { 2 } } $
in order to decompress a point encoding, the implementation \MUSTNOT assume
that the square root exists, or that the encoding represents a point on the
curve.
}
\sapling {
\subsubsubsection { \Jubjub } \label { jubjub}
The \representedGroup $ \JubjubCurve $ is defined in this section.
Let $ \ParamJ { q } : = \ParamS { r } $ , as defined in \crossref { blspairing} .
Let $ \ParamJ { r } : = 6554484396890773809930967563523245729705921265872317281365359162392183254199 $ .
(\hairspace $ \ParamJ { q } $ and $ \ParamJ { r } $ are prime.)
Let $ \ParamJ { a } : = - 1 $ .
Let $ \ParamJ { d } : = - 10240 / 10241 \pmod { \ParamJ { q } } $ .
Let $ \GroupJ $ be the group of points $ ( u, \varv ) $ on a twisted Edwards curve $ \CurveJ $
over $ \GF { \ParamJ { q } } $ with equation $ \ParamJ { a } \smult u ^ 2 + \varv ^ 2 = 1 + \ParamJ { d } \smult u ^ 2 \smult \varv ^ 2 $ .
The zero point with coordinates $ ( 0 , 1 ) $ is denoted $ \ZeroJ $ .
$ \GroupJ $ has order $ 8 \smult \ParamJ { r } $ .
Let $ \ellJ : = 256 $ .
Define $ \ItoLEBSP { } \typecolon ( \ell \typecolon \Nat ) \times \range { 0 } { 2 ^ \ell \! - \! 1 } \rightarrow \bitseq { \ell } $
as in \crossref { endian} .
Define $ \reprJ \typecolon \GroupJ \rightarrow \bitseq { \ellJ } $ such
that $ \reprJOf { u, \varv } = \ItoLEBSP { 256 } ( \varv + 2 ^ { 255 } \smult \tilde { u } ) $ , where
$ \tilde { u } = u \bmod 2 $ .
Let $ \abstJ \typecolon \bitseq { \ellJ } \rightarrow \GroupJ \union \setof { \bot } $
be the left inverse of $ \reprJ $ such that if $ S $ is not in the range of
$ \reprJ $ , then $ \abstJOf { S } = \bot $ .
\introlist
\subparagraph { Non-normative notes:}
\begin { itemize}
\item The encoding of a compressed twisted Edwards point used here is
consistent with that used in EdDSA \cite { BJLSY2015} for public keys and
the $ R $ element of a signature.
\item Algorithms for decompressing points from the encoding of
$ \GroupJ $ are given in \cite [``Encoding and parsing curve points''] { BJLSY2015} .
\end { itemize}
When computing square roots in $ \GF { \ParamJ { q } } $ in order to decompress a point encoding,
the implementation \MUSTNOT assume that the square root exists, or that the encoding
represents a point on the curve.
This specification requires ``strict'' parsing as defined in
\cite [``Encoding and parsing integers''] { BJLSY2015} .
Note that algorithms elsewhere in this specification that use $ \JubjubCurve $ may impose
other conditions on points, for example that they are not the zero point, or are in the
large prime-order subgroup.
}
\sapling {
\subsubsubsection { \HashExtractor { } for \Jubjub } \label { concreteextractorjubjub}
Let $ \SelectuOf { ( u, \varv ) } = u $ and let $ \SelectvOf { ( u, \varv ) } = \varv $ .
Let $ \ExtractJ \typecolon \GroupJ \rightarrow \GF { \ParamJ { q } } $ be $ \Selectu $ .
Let $ G $ be the subgroup of $ \GroupJ $ of order $ \ParamJ { r } $ (an odd prime).
\facts { The point $ ( 0 , 1 ) = \ZeroJ $ , and the point $ ( 0 , - 1 ) $ has order $ 2 $ in $ \GroupJ $ .}
% <https://github.com/zcash/zcash/issues/2234#issuecomment-333360977>
\vspace { 2ex}
\begin { lemma*}
Let $ P = ( u, \varv ) \in G $ . Then $ ( u, - \varv ) \notin G $ .
\end { lemma*}
\begin { proof}
If $ P = \ZeroJ $ then $ ( u, - \varv ) = ( 0 , - 1 ) \notin G $ .
Else, $ P $ is of odd-prime order. Note that $ \varv \neq 0 $ .
(If $ \varv = 0 $ then $ a \mult u ^ 2 = 1 $ , and so applying the doubling formula
gives $ \scalarmult { 2 } { P } = ( 0 , - 1 ) $ , then $ \scalarmult { 4 } { P } = ( 0 , 1 ) = \ZeroJ $ ;
contradiction since then $ P $ would not be of odd-prime order.)
Therefore, $ - \varv \neq \varv $ .
Now suppose $ ( u, - \varv ) = Q $ is a point in $ G $ . Then by applying the
doubling formula we have $ \scalarmult { 2 } { Q } = - \scalarmult { 2 } { P } $ .
But also $ \scalarmult { 2 } { ( - P ) } = - \scalarmult { 2 } { P } $ . Therefore either
$ Q = - P $ (then $ \SelectvOf { Q } = \SelectvOf { - P } $ \, ; contradiction since
$ - \varv \neq \varv $ ), or doubling is not injective on $ G $ (contradiction
since $ G $ is of odd order \cite { KvE2013} ).
\end { proof}
\vspace { 0.5ex}
\begin { theorem} \label { thmselectuinjective}
$ \Selectu $ is injective on $ G $ .
\end { theorem}
\begin { proof}
By writing the curve equation as
$ \varv ^ 2 = ( 1 - a \smult u ^ 2 ) / ( 1 - d \smult u ^ 2 ) $ , and noting that the
potentially exceptional case $ 1 - d \smult u ^ 2 = 0 $ does not occur for a
complete twisted Edwards curve, we see that for a given $ u $ there can be at
most two possible solutions for $ \varv $ , and that if there are two solutions
they can be written as $ \varv $ and $ - \varv $ . In that case by the Lemma, at
most one of $ ( u, \varv ) $ and $ ( u, - \varv ) $ is in $ G $ . Therefore, $ \Selectu $
is injective on points in $ G $ .
\end { proof}
}
\sapling {
\introsection
\subsubsubsection { \GroupHash { } into \Jubjub } \label { concretegrouphashjubjub}
%Let $\CRS$ be the $64$-byte \commonRandomString given by the $\SHAd$ hash
%(expressed as an ASCII lowercase hex string in RPC byte order \cite{Bitc-ByteOrder})
%of the first \block in the eventual consensus \Bitcoin \blockchain having
%timestamp at or after 2018-03-01 00:00:00 UTC.
\todo { Define $ \CRS $ using the MPC randomness beacon.}
Let $ \BlakeTwos { 256 } $ be as defined in \crossref { concreteblake2} .
Let $ \LEOStoIP { } $ be as defined in \crossref { endian} .
Let $ \abstJ $ be as defined in \crossref { jubjub} .
Let $ D \typecolon \byteseq { 8 } $ be an $ 8 $ -byte domain separator, and
let $ M \typecolon \byteseqs $ be the hash input.
\introlist
The hash $ \GroupJHash { \CRS } ( D, M ) $ is calculated as follows:
\begin { formulae}
\item $ P : = \abstJOf { \LEOStoIPOf { 256 } { \BlakeTwosOf { 256 } { D, \, \CRS \bconcat \, M } } } $
\item If $ P = \bot $ then return $ \bot $ .
\item $ Q : = \scalarmult { 8 } { P } $
\item If $ Q = \ZeroJ $ then return $ \bot $ , else return $ Q $ .
\end { formulae}
Define $ \first \typecolon ( \Nat \rightarrow T \union \setof { \bot } ) \rightarrow T \union \setof { \bot } $
so that $ \first ( f ) = f ( i ) $ where $ i $ is the least integer in $ \range { 0 } { 255 } $
such that $ f ( i ) \neq \bot $ , or $ \bot $ if no such $ i $ exists.
Let $ \FindGroupJHashOf { D, M } =
\first (\fun { i \typecolon \Nat } { \GroupJHash { \CRS } (D, M \bconcat [i]) \typecolon \GroupJ } )$ .
\begin { pnotes}
\item The $ \BlakeTwos { 256 } $ chaining variable after processing $ \CRS $ may be precomputed.
\item For random input, $ \FindGroupJHash $ returns $ \bot $ with probability approximately $ 2 ^ { - 256 } $ .
In the \Zcash protocol, uses of $ \FindGroupJHash $ never return $ \bot $ .
\end { pnotes}
}
\subsubsection { \ZeroKnowledgeProvingSystems }
\subsubsubsection { \PHGRProvingSystem } \label { phgr}
\Zcash uses \zkSNARKs generated by its fork of \libsnark \cite { libsnark-fork}
with the \provingSystem described in \cite { BCTV2015} , which is a refinement of
the systems in \cite { PHGR2013} and \cite { BCGTV2013} .
A proof consists of a tuple
$ ( \Proof { A } \typecolon \GroupGstar { 1 } , \;
\Proof { A} ' \typecolon \GroupGstar { 1} ,\;
\Proof { B} \typecolon \GroupGstar { 2} ,\;
\Proof { B} ' \typecolon \GroupGstar { 1} ,\;
\Proof { C} \typecolon \GroupGstar { 1} ,\;
\Proof { C} ' \typecolon \GroupGstar { 1} ,\;
\Proof { K} \typecolon \GroupGstar { 1} ,\;
\Proof { H} \typecolon \GroupGstar { 1} )$ .
It is computed using the parameters above as described in \cite [Appendix B] { BCTV2015} .
\pnote {
Many details of the \provingSystem are beyond the scope of this protocol
document. For example, the \quadraticArithmeticProgram verifying the \joinSplitStatement ,
or its expression as a \rankOneConstraintSystem , are not specified in this document.
In practice it will be necessary to use the specific proving and verification keys
generated for the \Zcash production \blockchain (see \crossref { sproutparameters} ),
and a \provingSystem implementation that is interoperable with the \Zcash fork of
\libsnark , to ensure compatibility.
}
\introlist
\subparagraph { \EncodingOfPHGRProofs } \vspace { 1ex} \label { phgrencoding}
\newsavebox { \phgrbox }
\begin { lrbox} { \phgrbox }
\setchanged
\begin { bytefield} [bitwidth=0.021em]{ 2368}
\sbitbox { 264} { 264-bit $ \Proof { A } $ } &
\sbitbox { 264} { 264-bit $ \Proof { A } ' $ } &
\sbitbox { 520} { 520-bit $ \Proof { B } $ } &
\sbitbox { 264} { 264-bit $ \Proof { B } ' $ } &
\sbitbox { 264} { 264-bit $ \Proof { C } $ } &
\sbitbox { 264} { 264-bit $ \Proof { C } ' $ } &
\sbitbox { 264} { 264-bit $ \Proof { K } $ } &
\sbitbox { 264} { 264-bit $ \Proof { H } $ }
\end { bytefield}
\end { lrbox}
A $ \PHGR $ proof is encoded by concatenating the encodings of its elements:
\begin { formulae} [leftmargin=0.2em]
\item $ \Justthebox { \phgrbox } $
\end { formulae}
The resulting proof size is 296 bytes.
\vspace { 0.8ex}
\introlist
In addition to the steps to verify a proof given in \cite [Appendix B] { BCTV2015} , the
verifier \MUST check, for the encoding of each element, that:
\begin { itemize}
\item the lead byte is of the required form;
\item the remaining bytes encode a big-endian representation of an integer in
$ \range { 0 } { \ParamS { q } \! - \! 1 } $ or (in the case of $ \Proof { B } $ )
$ \range { 0 } { \ParamSexp { q } { 2 } \! - \! 1 } $ ;
\item the encoding represents a point in $ \GroupGstar { 1 } $ or (in the case of
$ \Proof { B } $ ) $ \GroupGstar { 2 } $ , including checking that it is of order
$ \ParamG { r } $ in the latter case.
\end { itemize}
\newsavebox { \grothbox }
\begin { lrbox} { \grothbox }
\setsapling
\begin { bytefield} [bitwidth=0.021em]{ 1536}
\sbitbox { 384} { 384-bit $ \Proof { A } $ } &
\sbitbox { 768} { 768-bit $ \Proof { B } $ } &
\sbitbox { 384} { 384-bit $ \Proof { C } $ }
\end { bytefield}
\end { lrbox}
\sapling {
\subsubsubsection { \GrothProvingSystem } \label { groth}
\Sapling uses \zkSNARKs generated by the \bellman library, with the \provingSystem
described in \cite { Grot2016} .
A proof consists of a tuple
$ ( \Proof { A } \typecolon \GroupSstar { 1 } , \;
\Proof { B} \typecolon \GroupSstar { 2} ,\;
\Proof { C} \typecolon \GroupSstar { 1} )$ .
It is computed using the parameters above as described in \cite { Grot2016} .
\pnote {
The \quadraticArithmeticPrograms verifying the \spendStatement and
\outputStatement are described in \crossref { circuitdesign} . However, many
other details of the \provingSystem are beyond the scope of this protocol
document. For example, the expressions of the \spendStatement and \outputStatement
as \rankOneConstraintSystems are not specified in this document.
In practice it will be necessary to use the specific proving and verification keys
generated for the \Zcash production \blockchain (see \crossref { saplingparameters} ),
and a \provingSystem implementation that is interoperable with the \bellman
library used by \Zcash , to ensure compatibility.
}
\introlist
\subparagraph { \EncodingOfGrothProofs } \vspace { 1ex} \label { grothencoding}
A $ \Groth $ proof is encoded by concatenating the encodings of its elements:
\begin { formulae} [leftmargin=0.2em]
\item $ \Justthebox { \grothbox } $
\end { formulae}
The resulting proof size is 192 bytes.
\vspace { 0.8ex}
\introlist
In addition to the steps to verify a proof given in \cite { Grot2016} , the
verifier \MUST check, for the encoding of each element, that:
\begin { itemize}
\item the leading bitfield is of the required form;
\item the remaining bits encode a big-endian representation of an integer
in $ \range { 0 } { \ParamS { q } \! - \! 1 } $ or (in the case of $ \Proof { B } $ ) two integers in
that range;
\item the encoding represents a point in $ \GroupSstar { 1 } $ or (in the case of $ \Proof { B } $ )
$ \GroupSstar { 2 } $ , including checking that it is of order $ \ParamS { r } $
in the latter case.
\end { itemize}
}
\subsection { Encodings of \NotePlaintexts { } and \Memos } \label { notept}
As explained in \crossref { noteptconcept} , transmitted \notes are stored on
the \blockchain in encrypted form.
% FIXME duplication with {noteptconcept}.
The \notePlaintexts in a \joinSplitDescription are encrypted to the
respective \transmissionKeys $ \TransmitPublicNew { \allNew } $ .
Each \notsprout { \Sprout } \notePlaintext (denoted $ \NotePlaintext { } $ ) consists of
$ ( \Value , \NoteAddressRand , \NoteCommitRand \changed { , \Memo } ) $ .
\saplingonward {
The \notePlaintext in each \outputDescription is encrypted to the
\diversifiedTransmissionKey $ \DiversifiedTransmitPublic $ .
Each \Sapling \notePlaintext (denoted $ \NotePlaintext { } $ ) consists of
$ ( \Diversifier , \Value , \NoteCommitRand , \Memo ) $ .
}
\changed { $ \Memo $ is a 512-byte \memo associated with this \note .
\introlist
The usage of the \memo is by agreement between the sender and recipient of the
\note . The \memo { } \SHOULD be encoded either as:
\begin { itemize}
\item a UTF-8 human-readable string \cite { Unicode} , padded by appending zero bytes; or
\item an arbitrary sequence of 512 bytes starting with a byte value of $ \hexint { F 5 } $
or greater, which is therefore not a valid UTF-8 string.
\end { itemize}
In the former case, wallet software is expected to strip any trailing zero bytes
and then display the resulting \mbox { UTF-8} string to the recipient user, where applicable.
Incorrectly encoded UTF-8 byte sequences should be displayed as replacement characters
(\ReplacementCharacter ).
In the latter case, the contents of the \memo { } \SHOULDNOT be displayed. A start byte
of $ \hexint { F 5 } $ is reserved for use by automated software by private agreement.
A start byte of $ \hexint { F 6 } $ followed by $ 511 $ $ \hexint { 00 } $ bytes means ``no memo''.
A start byte of $ \hexint { F 6 } $ followed by anything else, or a start byte of $ \hexint { F 7 } $
or greater, is reserved for use in future \Zcash protocol extensions.
}
Other fields are as defined in \crossref { notes} .
\introlist
The encoding of a \SproutOrNothing \notePlaintext consists of:
\vspace { 2ex}
\begin { equation*}
\begin { bytefield} [bitwidth=0.029em]{ 1672}
\changed {
\sbitbox { 180} { $ 8 $ -bit $ \NotePlaintextLeadByteSprout $ }
& } \sbitbox { 180} { $ 64 $ -bit $ \Value $ } &
\sbitbox { 256} { $ 256 $ -bit $ \NoteAddressRand $ } &
\sbitbox { 256} { \changed { $ 256 $ } -bit $ \NoteCommitRand $ } &
\changed { \sbitbox { 800} { $ \Memo $ ($ 512 $ bytes)} }
\end { bytefield}
\end { equation*}
\begin { itemize}
\changed {
\item A byte, $ \NotePlaintextLeadByteSprout $ , indicating this version of the
encoding of a \SproutOrNothing \notePlaintext .
}
\item $ 8 $ bytes specifying $ \Value $ .
\item $ 32 $ bytes specifying $ \NoteAddressRand $ .
\item \changed { 32} bytes specifying $ \NoteCommitRand $ .
\changed {
\item $ 512 $ bytes specifying $ \Memo $ .
}
\end { itemize}
\sapling {
\introlist
The encoding of a \Sapling \notePlaintext consists of:
\vspace { 2ex}
\begin { equation*}
\begin { bytefield} [bitwidth=0.029em]{ 1672}
\sbitbox { 180} { $ 8 $ -bit $ \NotePlaintextLeadByteSapling $ }
\sbitbox { 240} { $ 88 $ -bit $ \Diversifier $ }
\sbitbox { 180} { $ 64 $ -bit $ \Value $ }
\sbitbox { 256} { $ 256 $ -bit $ \NoteCommitRand $ }
\sbitbox { 800} { $ \Memo $ ($ 512 $ bytes)}
\end { bytefield}
\end { equation*}
\begin { itemize}
\item A byte, $ \NotePlaintextLeadByteSapling $ , indicating this version of the
encoding of a \Sapling \notePlaintext .
\item $ 11 $ bytes specifying $ \Diversifier $ .
\item $ 8 $ bytes specifying $ \Value $ .
\item $ 32 $ bytes specifying $ \NoteCommitRand $ .
\item $ 512 $ bytes specifying $ \Memo $ .
\end { itemize}
} %sapling
\subsection { Encodings of Addresses and Keys} \label { addressandkeyencoding}
This section describes how \Zcash encodes \paymentAddresses \changed { , \incomingViewingKeys ,}
and \spendingKeys .
Addresses and keys can be encoded as a byte sequence; this is called
the \term { raw encoding} . This byte sequence can then be further encoded using
Base58Check. The Base58Check layer is the same as for upstream \Bitcoin
addresses \cite { Bitc-Base58} .
\sapling {
For \Sapling -specific key and address formats, Bech32 \cite { BIP-173} is used
instead of Base58Check.
}
$ \shaCompress $ outputs are always represented as sequences of $ 32 $ bytes.
The language consisting of the following encoding possibilities is prefix-free.
\introsection
\subsubsection { \TransparentAddresses } \label { transparentaddrencoding}
\xTransparentAddresses are either P2SH (Pay to Script Hash) \cite { BIP-13}
or P2PKH (Pay to Public Key Hash) \cite { Bitc-P2PKH} addresses.
\introlist
The raw encoding of a P2SH address consists of:
\vspace { 2ex}
\begin { equation*}
\begin { bytefield} [bitwidth=0.1em]{ 176}
\sbitbox { 80} { $ 8 $ -bit $ \PtoSHAddressLeadByte $ }
\sbitbox { 80} { $ 8 $ -bit $ \PtoSHAddressSecondByte $ }
\sbitbox { 160} { $ 160 $ -bit script hash}
\end { bytefield}
\end { equation*}
\begin { itemize}
\item Two bytes $ [ \PtoSHAddressLeadByte , \PtoSHAddressSecondByte ] $ ,
indicating this version of the raw encoding of a P2SH address
on the production network. (Addresses on the test network use
$ [ \PtoSHAddressTestnetLeadByte , \PtoSHAddressTestnetSecondByte ] $
instead.)
\item $ 20 $ bytes specifying a script hash \cite { Bitc-P2SH} .
\end { itemize}
\introlist
The raw encoding of a P2PKH address consists of:
\vspace { 2ex}
\begin { equation*}
\begin { bytefield} [bitwidth=0.1em]{ 176}
\sbitbox { 80} { $ 8 $ -bit $ \PtoPKHAddressLeadByte $ }
\sbitbox { 80} { $ 8 $ -bit $ \PtoPKHAddressSecondByte $ }
\sbitbox { 160} { $ 160 $ -bit public key hash}
\end { bytefield}
\end { equation*}
\begin { itemize}
\item Two bytes $ [ \PtoPKHAddressLeadByte , \PtoPKHAddressSecondByte ] $ ,
indicating this version of the raw encoding of a P2PKH address
on the production network. (Addresses on the test network use
$ [ \PtoPKHAddressTestnetLeadByte , \PtoPKHAddressTestnetSecondByte ] $
instead.)
\item $ 20 $ bytes specifying a public key hash, which is a RIPEMD-160
hash \cite { RIPEMD160} of a SHA-256 hash \cite { NIST2015}
of an uncompressed ECDSA key encoding.
\end { itemize}
\begin { pnotes}
\item In \Bitcoin a single byte is used for the version field identifying
the address type. In \Zcash two bytes are used. For addresses on
the production network, this and the encoded length cause the first
two characters of the Base58Check encoding to be fixed as \ascii { t3}
for P2SH addresses, and as \ascii { t1} for P2PKH addresses. (This does
\emph { not} imply that a \transparent \Zcash address can be parsed
identically to a \Bitcoin address just by removing the \ascii { t} .)
\item \Zcash does not yet support Hierarchical Deterministic Wallet
addresses \cite { BIP-32} .
\end { pnotes}
\subsubsection { \Transparent { } Private Keys} \label { transparentkeyencoding}
These are encoded in the same way as in \Bitcoin \cite { Bitc-Base58} ,
for both the production and test networks.
\subsubsection { \SproutOrNothing \PaymentAddresses } \label { sproutpaymentaddrencoding}
A \SproutOrNothing \paymentAddress consists of $ \AuthPublic \typecolon \PRFOutput $
and $ \TransmitPublic \typecolon \KASproutPublic $ .
$ \AuthPublic $ is a $ \shaCompress $ output.
$ \TransmitPublic $ is a $ \KASproutPublic $ key (see \crossref { concretesproutkeyagreement} ),
for use with the encryption scheme defined in \crossref { inband} . These
components are derived from a \spendingKey as described in \crossref { sproutkeycomponents} .
\introlist
The raw encoding of a \SproutOrNothing \paymentAddress consists of:
\vspace { 2ex}
\begin { equation*}
\begin { bytefield} [bitwidth=0.07em]{ 520}
\changed {
\sbitbox { 80} { $ 8 $ -bit $ \PaymentAddressLeadByte $ }
\sbitbox { 80} { $ 8 $ -bit $ \PaymentAddressSecondByte $ }
& } \sbitbox { 256} { $ 256 $ -bit $ \AuthPublic $ } &
\sbitbox { 256} { \changed { $ 256 $ } -bit $ \TransmitPublic $ }
\end { bytefield}
\end { equation*}
\begin { itemize}
\changed {
\item Two bytes $ [ \PaymentAddressLeadByte , \PaymentAddressSecondByte ] $ ,
indicating this version of the raw encoding of a \SproutOrZcash \paymentAddress
on the production network. (Addresses on the test network use
$ [ \PaymentAddressTestnetLeadByte , \PaymentAddressTestnetSecondByte ] $
instead.)
}
\item $ 32 $ bytes specifying $ \AuthPublic $ .
\item \changed { $ 32 $ bytes} specifying $ \TransmitPublic $ , \changed { using the
normal encoding of a Curve25519 public key \cite { Bern2006} } .
\end { itemize}
\pnote {
For addresses on the production network, the lead bytes and encoded length
cause the first two characters of the Base58Check encoding to be fixed as
\ascii { zc} . For the test network, the first two characters are fixed as
\ascii { zt} .
}
\sapling {
\subsubsection { \Sapling \PaymentAddresses } \label { saplingpaymentaddrencoding}
A \Sapling \paymentAddress consists of $ \Diversifier \typecolon \DiversifierType $
and $ \DiversifiedTransmitPublic \typecolon \KASaplingPublic $ .
$ \Diversifier $ is a sequence of 11 bytes.
$ \DiversifiedTransmitPublic $ is an encoding of a $ \KASaplingPublic $ key
(see \crossref { concretesaplingkeyagreement} ),
for use with the encryption scheme defined in \crossref { inband} .
These components are derived as described in \crossref { saplingkeycomponents} .
\introlist
The raw encoding of a \Sapling \paymentAddress consists of:
\vspace { 2ex}
\begin { equation*}
\begin { bytefield} [bitwidth=0.07em]{ 344}
\sbitbox { 120} { $ \LEBStoOSPOf { 88 } { \Diversifier } $ }
\sbitbox { 256} { $ \LEBStoOSPOf { 256 } { \reprJOf { \DiversifiedTransmitPublic } } $ }
\end { bytefield}
\end { equation*}
\begin { itemize}
\item $ 11 $ bytes specifying $ \Diversifier $ .
\item $ 32 $ bytes specifying the compressed Edwards encoding of $ \DiversifiedTransmitPublic $
(see \crossref { jubjub} ).
\end { itemize}
When decoding the representation of $ \DiversifiedTransmitPublic $ , the address is
not valid if $ \abstJ $ returns $ \bot $ .
For addresses on the production network, the \humanReadablePart is \ascii { zs} .
For addresses on the test network, the \humanReadablePart is \ascii { ztestsapling} .
}
\subsubsection { \SproutOrNothing \IncomingViewingKeys } \label { sproutinviewingkeyencoding}
\changed {
An \incomingViewingKey consists of $ \AuthPublic \typecolon \PRFOutput $ and
$ \TransmitPrivate \typecolon \KASproutPrivate $ .
$ \AuthPublic $ is a $ \shaCompress $ output.
$ \TransmitPrivate $ is a $ \KASproutPrivate $ key (see \crossref { concretesproutkeyagreement} ),
for use with the encryption scheme defined in \crossref { inband} . These
components are derived from a \spendingKey as described in \crossref { sproutkeycomponents} .
\introlist
The raw encoding of an \incomingViewingKey consists of, in order:
}
\vspace { 2ex}
\begin { equation*}
\begin { bytefield} [bitwidth=0.062em]{ 536}
\changed {
\sbitbox { 88} { $ 8 $ -bit $ \InViewingKeyLeadByte $ }
\sbitbox { 88} { $ 8 $ -bit $ \InViewingKeySecondByte $ }
\sbitbox { 88} { $ 8 $ -bit $ \InViewingKeyThirdByte $ }
\sbitbox { 256} { $ 256 $ -bit $ \AuthPublic $ }
\sbitbox { 256} { $ 256 $ -bit $ \TransmitPrivate $ }
}
\end { bytefield}
\end { equation*}
\changed {
\begin { itemize}
\item Three bytes $ [ \InViewingKeyLeadByte , \InViewingKeySecondByte , \InViewingKeyThirdByte ] $ ,
indicating this version of the raw encoding of a \Zcash \incomingViewingKey
on the production network. (Addresses on the test network use
$ [ \InViewingKeyTestnetLeadByte , \InViewingKeyTestnetSecondByte , \InViewingKeyTestnetThirdByte ] $
instead.)
\item $ 32 $ bytes specifying $ \AuthPublic $ .
\item $ 32 $ bytes specifying $ \TransmitPrivate $ , using the normal encoding
of a Curve25519 private key \cite { Bern2006} .
\end { itemize}
$ \TransmitPrivate $ \MUST be ``clamped'' using $ \KASproutFormatPrivate $ as specified
in \crossref { sproutkeycomponents} . That is, a decoded \incomingViewingKey { } \MUST be
considered invalid if $ \TransmitPrivate \neq \KASproutFormatPrivate ( \TransmitPrivate ) $ .
$ \KASproutFormatPrivate $ is defined in \crossref { concretesproutkeyagreement} .
\pnote {
For addresses on the production network, the lead bytes and encoded length
cause the first four characters of the Base58Check encoding to be fixed as
\ascii { ZiVK} . For the test network, the first four characters are fixed as
\ascii { ZiVt} .
}
}
\sapling {
\subsubsection { \Sapling \IncomingViewingKeys } \label { saplinginviewingkeyencoding}
A \Sapling \incomingViewingKey consists of $ \InViewingKey \typecolon \KASproutPrivate $
(see \crossref { concretesaplingkeyagreement} ).
$ \InViewingKey $ is a $ \KASproutPrivate $ key for use with the encryption scheme
defined in \crossref { inband} . It is derived as described in \crossref { saplingkeycomponents} .
\introlist
The raw encoding of an \incomingViewingKey consists of:
\vspace { 2ex}
\begin { equation*}
\begin { bytefield} [bitwidth=0.07em]{ 256}
\sbitbox { 256} { $ 256 $ -bit $ \InViewingKey $ }
\end { bytefield}
\end { equation*}
\begin { itemize}
\item $ 32 $ bytes (little-endian) specifying $ \InViewingKey $ .
\end { itemize}
$ \InViewingKey $ \MUST be in the range $ \range { 0 } { 2 ^ { \InViewingKeyLength } - 1 } $ as specified
in \crossref { saplingkeycomponents} . That is, a decoded \incomingViewingKey { } \MUST be
considered invalid if $ \InViewingKey $ is not in this range.
For \incomingViewingKeys on the production network, the \humanReadablePart is \ascii { zivks} .
For \incomingViewingKeys on the test network, the \humanReadablePart is \ascii { zivktestsapling} .
}
\sapling {
\subsubsection { \Sapling \FullViewingKeys } \label { saplingfullviewingkeyencoding}
A \Sapling \fullViewingKey consists of $ \AuthSignPublic \typecolon \GroupJ $
and $ \AuthProvePublic \typecolon \GroupJ $ .
$ \AuthSignPublic $ and $ \AuthProvePublic $ are points on the \jubjubCurve
(see \crossref { jubjub} ). They are derived as described in \crossref { saplingkeycomponents} .
\introlist
The raw encoding of a \fullViewingKey consists of:
\vspace { 2ex}
\begin { equation*}
\begin { bytefield} [bitwidth=0.07em]{ 512}
\sbitbox { 256} { $ \LEBStoOSPOf { 256 } { \reprJOf { \AuthSignPublic } } $ }
\sbitbox { 256} { $ \LEBStoOSPOf { 256 } { \reprJOf { \AuthProvePublic } } $ }
\end { bytefield}
\end { equation*}
\begin { itemize}
\item $ 32 $ bytes specifying the compressed Edwards encoding of $ \AuthSignPublic $
(see \crossref { jubjub} ).
\item $ 32 $ bytes specifying the compressed Edwards encoding of $ \AuthProvePublic $ .
\end { itemize}
When decoding this representation, the key \MUST be considered invalid if $\abstJ$ returns $\bot$
for either point.
For a \fullViewingKey on the production network, the \humanReadablePart is \ascii{zviews}.
For a \fullViewingKey on the test network, the \humanReadablePart is \ascii{zviewtestsapling}.
}
\introsection
\subsubsection { \SproutOrNothing \SpendingKeys } \label { sproutspendingkeyencoding}
A \SproutOrNothing \spendingKey consists of $ \AuthPrivate $ , which is a sequence of
\changed { $ 252 $ } bits (see \crossref { sproutkeycomponents} ).
\introlist
The raw encoding of a \SproutOrNothing \spendingKey consists of:
\vspace { 2ex}
\begin { equation*}
\begin { bytefield} [bitwidth=0.07em]{ 264}
\changed {
\sbitbox { 80} { $ 8 $ -bit $ \SpendingKeyLeadByte $ }
\sbitbox { 80} { $ 8 $ -bit $ \SpendingKeySecondByte $ }
\sbitbox { 32} { $ \zeros { 4 } $ } &
& } \sbitbox { 252} { \changed { $ 252 $ } -bit $ \AuthPrivate $ }
\end { bytefield}
\end { equation*}
\begin { itemize}
\changed {
\item Two bytes $ [ \SpendingKeyLeadByte , \SpendingKeySecondByte ] $ ,
indicating this version of the raw encoding of a \Zcash \spendingKey
on the production network. (Addresses on the test network use
$ [ \SpendingKeyTestnetLeadByte , \SpendingKeyTestnetSecondByte ] $
instead.)
}
\item $ 32 $ bytes: \changed { $ 4 $ zero padding bits and $ 252 $ bits} specifying $ \AuthPrivate $ .
\end { itemize}
\changed {
The zero padding occupies the most significant 4 bits of the third byte.
}
\begin { pnotes}
\changed {
\item If an implementation represents $ \AuthPrivate $ internally as a
sequence of $ 32 $ bytes with the $ 4 $ bits of zero padding intact,
it will be in the correct form for use as an input to $ \PRFaddr { } $ ,
$ \PRFnf { } $ , and $ \PRFpk { } $ without need for bit-shifting.
Future key representations may make use of these padding bits.
}
\item For \spendingKeys on the production network, the lead bytes and encoded
length cause the first two characters of the Base58Check encoding to
be fixed as \ascii { SK} . For the test network, the first two characters
are fixed as \ascii { ST} .
\end { pnotes}
\sapling {
\subsubsection { \Sapling \SpendingKeys } \label { saplingspendingkeyencoding}
A \Sapling \spendingKey consists of $ \SpendingKey \typecolon \bitseq { \SpendingKeyLength } $
(see \crossref{saplingkeycomponents}).
\introlist
The raw encoding of a \Sapling \spendingKey consists of:
\vspace { 2ex}
\begin { equation*}
\begin { bytefield} [bitwidth=0.07em]{ 256}
\sbitbox { 256} { $ \LEBStoOSPOf { 256 } { \SpendingKey } $ }
\end { bytefield}
\end { equation*}
\begin { itemize}
\item $ 32 $ bytes specifying $ \SpendingKey $ .
\end { itemize}
For \spendingKeys on the production network, the \humanReadablePart is \ascii { secret-spending-key-main} .
For \spendingKeys on the test network, the \humanReadablePart is \ascii { secret-spending-key-test} .
}
\introlist
\subsection { \SproutZKParameters } \label { sproutparameters}
For the \Zcash production \blockchain and testnet, the $ \SHAFull $ hashes of the
\provingKey and \verifyingKey for the \SproutOrZcash \joinSplitStatement , encoded in
\libsnark format, are:
\begin { lines}
\item [] \texttt { 8bc20a7f013b2b58970cddd2e7ea028975c88ae7ceb9259a5344a16bc2c0eef7 sprout-proving.key}
\item [] \texttt { 4bd498dae0aacfd8e98dc306338d017d9c08dd0918ead18172bd0aec2fc5df82 sprout-verifying.key}
\end { lines}
These parameters were obtained by a multi-party computation described in
\cite { GitHub-mpc} and \cite { BGG2016} .
\sapling {
\introsection
\subsection { \SaplingZKParameters } \label { saplingparameters}
The $ \SHAFull $ hashes of the \provingKey and \verifyingKey for the \Sapling
\spendStatement , encoded in \bellman format, are:
\begin { lines}
\item [] \texttt { xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx sapling-spend-proving.key}
\item [] \texttt { xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx sapling-spend-verifying.key}
\end { lines}
The $ \SHAFull $ hashes of the \provingKey and \verifyingKey for the \Sapling
\outputStatement , encoded in \bellman format, are:
\begin { lines}
\item [] \texttt { xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx sapling-output-proving.key}
\item [] \texttt { xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx sapling-output-verifying.key}
\end { lines}
These parameters were obtained by a multi-party computation described in \todo { } .
}
\sapling {
\introsection
\section { Network Upgrades} \label { networkupgrades}
\Zcash launched with a protocol revision that we call \Sprout .
At the time of writing, two upgrades are planned: \NUZero and \Sapling.
This section summarizes the planned strategy for upgrading
from \Sprout to \NUZero, and then to \Sapling.
The upgrade mechanism is described in \cite { ZIP-200} .
The specifications of the \NUZero upgrade are described in \cite { ZIP-201} ,
\cite { ZIP-202} , \cite { ZIP-203} , and \cite { ZIP-143} .
\NUZero and \Sapling will each be introduced as a
\quotedterm { bilateral consensus rule change} . In this kind of upgrade,
\begin { itemize}
\item there is a \blockHeight at which the \consensusRuleChange
takes effect;
\item \blocks and \transactions that are valid according to
the post-upgrade rules are not valid before the upgrade
\blockHeight ;
\item \blocks and \transactions that are valid according to
the pre-upgrade rules are no longer valid at or after the
upgrade \blockHeight .
\end { itemize}
Full support for each upgrade is indicated by a minimum version
of the peer-to-peer protocol. At the planned upgrade \blockHeight ,
nodes that support a given upgrade will disconnect from (and will not
reconnect to) nodes with a protocol version lower than this
minimum. See \cite { ZIP-201} for how this applies to the \NUZero
upgrade.
This ensures that upgrade-supporting nodes transition cleanly
from the old protocol to the new protocol. Nodes that do not
support the upgrade will find themselves on a network that uses
the old protocol and is fully partitioned from the upgrade-supporting
network.
This allows us to specify arbitrary protocol changes that
take effect at a given \blockHeight . Note, however, that a
\blockchain reorganization across the upgrade \blockHeight is possible.
In the case of such a reorganization, \blocks at a height
before the upgrade \blockHeight will still be created and
validated according to the pre-upgrade rules, and
upgrade-supporting nodes \MUST allow for this.
%\todo{how upgrade-dependent rules are described in this specification.}
%For the \Sapling upgrade, a new \nullifierSet and \noteCommitmentTree
%are created for use by \Sapling \transactions.
}
\intropart
\section { Consensus Changes from \Bitcoin }
\subsection { Encoding of \Transactions } \label { txnencoding}
The \Zcash \transaction format is as follows:
\begin { center}
\scalebox { 0.92} {
\notsprout { \renewcommand { \arraystretch } { 1.2} }
\hbadness =10000
\begin { tabularx} { 1\textwidth } { |c|c|l|p{ 10em} |X|}
\hline
\! \! Version\! \! & \heading { Bytes} & \heading { Name} & \heading { Data Type} & \heading { Description} \\
\hhline { |=|=|=|=|=|}
$ \geq 1 $ & $ 4 $ & $ \headerField $ & \type { uint32} & Contains: \begin { compactitemize}
\item $ \fOverwintered $ flag (bit $ 31 $ )
\item $ \versionField $ (bits $ \barerange { 30 } { 0 } $ ) --
\transactionVersionNumber .
\end { compactitemize} \\ \hline
\notsprout {
$ \geq 3 $ & $ 4 $ & $ \nVersionGroupId \! $ & \type { uint32} & Version group ID (nonzero). \\ \hline
}
$ \geq 1 $ & \Varies & $ \txInCount $ & \compactSize & Number of \transparent inputs in this \transaction . \\ \hline
$ \geq 1 $ & \Varies & $ \txIn $ & $ \txIn $ & \xTransparent inputs, encoded as in \Bitcoin . \\ \hline
$ \geq 1 $ & \Varies & $ \txOutCount $ & \compactSize & Number of \transparent outputs in this \transaction . \\ \hline
$ \geq 1 $ & \Varies & $ \txOut $ & $ \txOut $ & \xTransparent outputs, encoded as in \Bitcoin . \\ \hline
$ \geq 1 $ & $ 4 $ & $ \lockTime $ & \type { uint32} & A Unix epoch time (UTC) or \blockHeight , encoded as in \Bitcoin . \\ \hline
\notsprout {
$ \geq 3 $ & $ 4 $ & $ \nExpiryHeight $ & \type { uint32} & A \blockHeight in the range $ \range { 1 } { 499999999 } $ after which
the \transaction will expire, or $ 0 $ to disable expiry (\smash { \cite { ZIP-203} } ). \\ \hline
$ \geq 4 $ & \Varies & $ \nShieldedSpend $ & \compactSize & The number of \spendDescriptions
in $ \vShieldedSpend $ . \\ \hline
$ \geq 4 $ & \Longunderstack { $ 384 \mult $ \\ $ \! \nShieldedSpend \! $ } & $ \vShieldedSpend $ & \type { SpendDescription} \type { [$ \nShieldedSpend $ ]} &
A sequence of \spendDescriptions { } , each encoded as in \crossref { spendencoding} . \\ \hline
$ \geq 4 $ & \Varies & $ \nShieldedOutput \! $ & \compactSize & The number of \outputDescriptions
in $ \vShieldedOutput $ . \\ \hline
$ \geq 4 $ & \Longunderstack { $ 580 \mult $ \\ $ \! \nShieldedOutput \! $ } & $ \vShieldedOutput \! $ & \type { OutputDescription} \type { [$ \nShieldedOutput $ ]} &
A sequence of \outputDescriptions { } , each encoded as in \crossref { outputencoding} . \\ \hline
} %notsprout
$ \geq 2 $ & \Varies & $ \nJoinSplit $ & \compactSize & The number of \joinSplitDescriptions
in $ \vJoinSplit $ . \\ \hline
$ \geq 2 $ & \Longunderstack { $ 1802 \mult $ \\ $ \nJoinSplit $ } & $ \vJoinSplit $ & \type { JoinSplitDescription} \! \! \type { [$ \nJoinSplit $ ]} &
A \sequenceOfJoinSplitDescriptions { } , each encoded as in \crossref { joinsplitencoding} . \\ \hline
$ \geq 2 \; \dagger $ & $ 32 $ & $ \joinSplitPubKey \! $ & \type { char[32]} & An encoding of a $ \JoinSplitSig $
public verification key. \\ \hline
$ \geq 2 \; \dagger $ & $ 64 $ & $ \joinSplitSig $ & \type { char[64]} & A signature on a prefix of the \transaction encoding,
to be verified using $ \joinSplitPubKey $ . \\ \hline
\end { tabularx}
\renewcommand { \arraystretch } { \defaultarraystretch }
} %scalebox
\end { center}
$ \dagger $ The $ \joinSplitPubKey $ and $ \joinSplitSig $ fields are present if and only if
$ \versionField \geq 2 $ and $ \nJoinSplit > 0 $ .
The encoding of $ \joinSplitPubKey $ and the data to be signed are specified in
\crossref { nonmalleability} .
\begin { consensusrules}
\item The \transactionVersionNumber { } \MUST be greater than or equal to $ 1 $ .
\sproutonlyitem { The \fOverwintered { } flag \MUSTNOT be set.}
\nuzeroonwarditem { The \fOverwintered { } flag \MUST be set.}
\nuzeroonwarditem { The \versionGroupID { } \MUST be recognized.}
\nuzeroonlyitem { The \transactionVersionNumber { } \MUST be $ 3 $ , and the \versionGroupID { } \MUST
be $ \hexint { 03 C 48270 } $ .}
\saplingonwarditem { The \transactionVersionNumber { } and \versionGroupID { } \MUST be
either $ ( 3 , \hexint { 03 C 48270 } ) $ or $ ( 4 , \todo { \Sapling \, \versionGroupID { } } ) $ .}
\sproutonlyitem { If $ \versionField = 1 $ or $ \nJoinSplit = 0 $ , then \txInCount { } \MUSTNOT be $ 0 $ .}
\saplingonwarditem { At least one of \txInCount , \nShieldedSpend , and \nJoinSplit { } \MUST be nonzero.}
\item A \transaction with one or more inputs from \coinbaseTransactions { } \MUST have no
\transparent outputs (i.e.\ \txOutCount { } \MUST be $ 0 $ ).
\item If $ \nJoinSplit > 0 $ , then \joinSplitSig { } \MUST represent a valid signature
over $ \dataToBeSigned $ as defined in \crossref { nonmalleability} .
\item If $ \nJoinSplit > 0 $ , then \joinSplitPubKey { } \MUST represent a valid
$ \JoinSplitSigSpecific $ public key encoding as specified in \crossref { concretejssig} .
\sproutonlyitem { The encoded size of the \transaction { } \MUST be less than or equal to
$ 100000 $ bytes.}
\item A \coinbaseTransaction { } \MUSTNOT have any
\joinSplitDescriptions \sapling { , \spendDescriptions , or \outputDescriptions } .
\item A \transaction { } \MUSTNOT spend an output of a \coinbaseTransaction
(necessarily a \transparent output) from a \block less than 100 \blocks prior
to the spend.
\nuzeroonwarditem{\nExpiryHeight{} \MUST be less than or equal to $499999999$.}
\nuzeroonwarditem { If a \transaction is not a \coinbaseTransaction and its \nExpiryHeight { } field
is nonzero, then it \MUSTNOT be mined at a \blockHeight greater than its \nExpiryHeight .}
\item \todo { Other rules inherited from \Bitcoin .}
\end { consensusrules}
In addition, consensus rules associated with each \joinSplitDescription (\crossref { joinsplitencoding} )\sapling { ,
each \spendDescription (\crossref { spendencoding} ), and each \outputDescription (\crossref { outputencoding} )}
\MUST be followed.
\begin { pnotes}
\item Previous versions of this specification defined what is now the \headerField{} field
as a signed $\type{int32}$ field which was required to be positive. The consensus
rule that the \fOverwintered{} flag \MUSTNOT be set before \NUZero has activated
has the same effect.
\sprout { (\NUZero is an upgrade of the \Zcash protocol, not specified in
this document.)}
\item The semantics of \transactions with \transactionVersionNumber not equal to\sprout {
either $ 1 $ or $ 2 $ is not currently defined. Miners \MUSTNOT create \blocks
containing such \transactions .
} \notsprout {
$ 1 $ , $ 2 $ , \nuzero { $ 3 $ ,} \sapling { or $ 4 $ } is not currently defined.
Miners \MUSTNOT create \blocks before the \NUZero \activationHeight
containing \transactions with version other than $ 1 $ or $ 2 $ .
}
\item The exclusion of \transactions with \transactionVersionNumber
\emph { greater than} $ 2 $ is not a consensus rule\notsprout { before \NUZero activation} .
Such \transactions may exist in the \blockchain and \MUST be treated
identically to version $ 2 $ \transactions .
\nuzeroonwarditem { Once \NUZero has activated, limits on the maximum
\transactionVersionNumber are consensus rules.}
\item Note that a future upgrade might use \emph { any} \transactionVersionNumber .
It is likely that an upgrade that changes the \transactionVersionNumber
will also change the \transaction format, and software that parses
\transactions { } \SHOULD take this into account.
\nuzero {
\item \todo { Describe interpretation of $ \fOverwintered $ and $ \versionField $ .}
}
\item A \transactionVersionNumber of $ 2 $ does not have the same meaning as in
\Bitcoin , where it is associated with support for \ScriptOP { CHECKSEQUENCEVERIFY}
as specified in \cite { BIP-68} . \Zcash was forked from \Bitcoin v0.11.2
and does not currently support BIP 68, or the related BIPs 9, 112 and 113.
\end { pnotes}
\introlist
The changes relative to \Bitcoin version $ 1 $ \transactions as described in \cite { Bitc-Format} are:
\begin { itemize}
\item \Transactionversion $ 0 $ is not supported.
\item A version $ 1 $ \transaction is equivalent to a version $ 2 $ \transaction with
$ \nJoinSplit = 0 $ .
\item The $ \nJoinSplit $ , $ \vJoinSplit $ , $ \joinSplitPubKey $ , and $ \joinSplitSig $ fields
have been added.
\item In \Zcash it is permitted for a \transaction to have no \transparent inputs provided
that $ \nJoinSplit > 0 $ .
\item A consensus rule limiting \transaction size has been added. In \Bitcoin there is
a corresponding standard rule but no consensus rule.
\end { itemize}
\sproutonly {
Software that creates \transactions { } \SHOULD use version $ 1 $ for \transactions with no
\joinSplitDescriptions .
}
\introsection
\subsection { Encoding of \JoinSplitDescriptions } \label { joinsplitencoding}
An abstract \joinSplitDescription , as described in \crossref { joinsplit} , is encoded in
a \transaction as an instance of a \type { JoinSplitDescription} type as follows:
\begin { center}
\hbadness =2000
\begin { tabularx} { 0.92\textwidth } { |c|l|l|X|}
\hline
Bytes & \heading { Name} & \heading { Data Type} & \heading { Description} \\
\hhline { |=|=|=|=|}
\setchanged 8 & \setchanged $ \vpubOldField $ & \setchanged \type { uint64} & \mbox { } \setchanged
A value $ \vpubOld $ that the \joinSplitTransfer removes from the \transparentValuePool . \\ \hline
$ 8 $ & $ \vpubNewField $ & \type { uint64} & A value $ \vpubNew $ that the \joinSplitTransfer inserts
into the \transparentValuePool . \\ \hline
$ 32 $ & $ \anchorField $ & \type { char[32]} & A \merkleRoot $ \rt $ of the \SproutOrNothing
\noteCommitmentTree at some \blockHeight in the past, or the \merkleRoot produced by a previous
\joinSplitTransfer in this \transaction . \\ \hline
$ 64 $ & $ \nullifiersField $ & \type { char[32][$ \NOld $ ]} & A sequence of \nullifiers of the input
\notes $ \nfOld { \allOld } $ . \\ [0.4ex] \hline
$ 64 $ & $ \commitments $ & \type { char[32][$ \NNew $ ]} & A sequence of \noteCommitments for the
output \notes $ \cmNew { \allNew } $ . \\ \hline
\setchanged $ 32 $ & \setchanged $ \ephemeralKey $ & \setchanged \type { char[32]} & \mbox { } \setchanged
A Curve25519 public key $ \EphemeralPublic $ . \\ \hline
\setchanged $ 32 $ & \setchanged $ \randomSeed $ & \setchanged \type { char[32]} & \mbox { } \setchanged
A $ 256 $ -bit seed that must be chosen independently at random for each \joinSplitDescription . \\ \hline
$ 64 $ & $ \vmacs $ & \type { char[32][$ \NOld $ ]} & A sequence of message authentication tags
$ \h { \allOld } $ that bind $ \hSig $ to each $ \AuthPrivate $ of the
$ \joinSplitDescription $ . \\ \hline
$ 296 $ & $ \zkproof $ & \type { char[296]} & An encoding of the \zeroKnowledgeProof
$ \ProofJoinSplit $ (see \crossref { phgr} ). \\ \hline
$ 1202 $ & $ \encCiphertexts $ & \type { char[601][$ \NNew $ ]} & A sequence of ciphertext
components for the encrypted output \notes , $ \TransmitCiphertext { \allNew } $ . \\ \hline
\end { tabularx}
\end { center}
The $ \vmacs $ field encodes $ \h { \allOld } $ which are computed as described in
\crossref { nonmalleability} .
The $ \ephemeralKey $ and $ \encCiphertexts $ fields together form the \notesCiphertext ,
which is computed as described in \crossref { inband} .
Consensus rules applying to a \joinSplitDescription are given in \crossref { joinsplitdesc} .
\sapling {
\introsection
\subsection { Encoding of \SpendDescriptions } \label { spendencoding}
Let $ \LEBStoOSP { } { } $ be as defined in \crossref { endian} .
An abstract \spendDescription , as described in \crossref { spendsandoutputs} , is encoded in
a \transaction as an instance of a \type { SpendDescription} type as follows:
\begin { center}
\hbadness =2000
\begin { tabularx} { 0.92\textwidth } { |c|l|l|X|}
\hline
Bytes & \heading { Name} & \heading { Data Type} & \heading { Description} \\
\hhline { |=|=|=|=|}
$ 32 $ & $ \cvField $ & \type { char[32]} & A \valueCommitment to the value of the input \note ,
$ \LEBStoOSPOf { 256 } { \cv } $ . \\ \hline
$ 32 $ & $ \anchorField $ & \type { char[32]} & A \merkleRoot of the \Sapling \noteCommitmentTree
at some \blockHeight in the past, $ \LEBStoOSPOf { 256 } { \rt } $ . \\ \hline
$ 32 $ & $ \nullifierField $ & \type { char[32]} & The \nullifier of the input \note ,
$ \LEBStoOSPOf { 256 } { \nf } $ . \\ \hline
$ 32 $ & $ \rkField $ & \type { char[32]} & The randomized public key for $ \spendAuthSig $ ,
$ \LEBStoOSPOf { 256 } { \reprJOf { \AuthSignRandomizedPublic } } $ . \\ \hline
$ 192 $ & $ \zkproof $ & \type { char[192]} & An encoding of the \zeroKnowledgeProof
$ \ProofSpend $ (see \crossref { groth} ). \\ \hline
$ 64 $ & $ \spendAuthSig $ & \type { char[64]} & A signature authorizing this spend. \\ \hline
\end { tabularx}
\end { center}
Consensus rules applying to a \spendDescription are given in \crossref { spenddesc} .
\introsection
\subsection { Encoding of \OutputDescriptions } \label { outputencoding}
Let $ \LEBStoOSP { } { } $ be as defined in \crossref { endian} .
An abstract \outputDescription , described in \crossref { spendsandoutputs} , is encoded in
a \transaction as an instance of an \type { OutputDescription} type as follows:
\begin { center}
\hbadness =2000
\begin { tabularx} { 0.92\textwidth } { |c|l|l|X|}
\hline
Bytes & \heading { Name} & \heading { Data Type} & \heading { Description} \\
\hhline { |=|=|=|=|}
$ 32 $ & $ \cvField $ & \type { char[32]} & A \valueCommitment to the value of the output \note ,
$ \LEBStoOSPOf { 256 } { \cv } $ . \\ \hline
$ 32 $ & $ \cmField $ & \type { char[32]} & The \noteCommitment for the output \note ,
$ \LEBStoOSPOf { 256 } { \cm } $ . \\ \hline
$ 32 $ & $ \ephemeralKey $ & \type { char[32]} & An encoding of a $ \JubjubCurve $ public key $ \EphemeralPublic $
(see \crossref { concretesaplingkeyagreement} ). \\ \hline
$ 580 $ & $ \encCiphertext $ & \type { char[580]} & A ciphertext component for the
encrypted output \note , $ \TransmitCiphertext { } $ . \\ \hline
$ 192 $ & $ \zkproof $ & \type { char[192]} & An encoding of the \zeroKnowledgeProof
$ \ProofOutput $ (see \crossref { groth} ). \\ \hline
\end { tabularx}
\end { center}
The $ \ephemeralKey $ and $ \encCiphertext $ fields together form the \noteCiphertext ,
which is computed as described in \crossref { inband} .
Consensus rules applying to an \outputDescription are given in \crossref { outputdesc} .
}
\introsection
\subsection { \BlockHeader } \label { blockheader}
The \Zcash \blockHeader format is as follows:
\begin { center}
\hbadness =2500
\begin { tabularx} { 0.92\textwidth } { |c|l|p{ 8.6em} |X|}
\hline
Bytes & \heading { Name} & \heading { Data Type} & \heading { Description} \\
\hhline { |=|=|=|=|}
$ 4 $ & $ \nVersion $ & \type { int32} & The \blockVersionNumber indicates which set of
\block validation rules to follow. The current and only defined \blockVersionNumber
for \Zcash is $ 4 $ . \\ \hline
$ 32 $ & $ \hashPrevBlock $ & \type { char[32]} & A $ \SHAd $ hash in internal byte order of the
previous \block 's \header . This ensures no previous \block can be changed without also
changing this \block 's \header . \\ \hline
$ 32 $ & $ \hashMerkleRoot $ & \type { char[32]} & A $ \SHAd $ hash in internal byte order. The
merkle root is derived from the hashes of all \transactions included in this \block ,
ensuring that none of those \transactions can be modified without modifying the \header . \\ \hline
$ 32 $ & \sprout { $ \hashReserved $ }
\notsprout { \Longunderstack [l] { $ \hashReserved $ /\\ \sapling { $ \hashFinalSaplingRoot $ } } } &
\type { char[32]} &
\sproutonly { A reserved field which should be ignored.}
\saplingonward { A \merkleRoot (\todo { specify bit sequence to byte sequence conversion} ) of the \Sapling { }
\noteCommitmentTree corresponding to the final \Sapling { } \treestate of this \block .} \\ \hline
$ 4 $ & $ \nTimeField $ & \type { uint32} & The \blockTime is a Unix epoch time (UTC) when the miner
started hashing the \header (according to the miner). \\ \hline
$ 4 $ & $ \nBitsField $ & \type { uint32} & An encoded version of the \targetThreshold this \block 's
\header hash must be less than or equal to, in the same nBits format used by \Bitcoin .
\cite { Bitc-nBits} \\ \hline
$ 32 $ & $ \nNonce $ & \type { char[32]} & An arbitrary field that miners can change to modify the
\header hash in order to produce a hash less than or equal to the \targetThreshold . \\ \hline
$ 3 $ & $ \solutionSize $ & \compactSize & The size of an Equihash solution in bytes (always $ 1344 $ ). \\ \hline
$ 1344 $ & $ \solution $ & \type { char[1344]} & The Equihash solution. \\ \hline
\end { tabularx}
\end { center}
A \block consists of a \blockHeader and a sequence of \transactions . How transactions
are encoded in a \block is part of the Zcash peer-to-peer protocol but not part of
the consensus protocol.
Let $ \ThresholdBits $ be as defined in \crossref { diffadjustment} , and let $ \PoWMedianBlockSpan $
be the constant defined in \crossref { constants} .
\begin { consensusrules}
\item The \blockVersionNumber { } \MUST be greater than or equal to $ 4 $ .
\item For a \block at \blockHeight $ \BlockHeight $ , $ \nBitsField $ \MUST be equal to
$ \ThresholdBits ( \BlockHeight ) $ .
\item The \block { } \MUST pass the difficulty filter defined in \crossref { difficulty} .
\item $ \solution $ \MUST represent a valid Equihash solution as defined in \crossref { equihash} .
\item $ \nTimeField $ \MUST be strictly greater than the median time of the previous
$ \PoWMedianBlockSpan $ \blocks .
\item The size of a \block { } \MUST be less than or equal to $ 2000000 $ bytes.
\saplingonwarditem { $ \hashFinalSaplingRoot $ \MUST be the \merkleRoot of the
\Sapling { } \noteCommitmentTree for the final \Sapling { } \treestate
of this \block .}
\item \todo { Other rules inherited from \Bitcoin .}
\end { consensusrules}
In addition, a \fullValidator { } \MUSTNOT accept \blocks with $ \nTimeField $ more than two hours
in the future according to its clock. This is not strictly a consensus rule because it is
nondeterministic, and clock time varies between nodes. Also note that a \block that is
rejected by this rule at a given point in time may later be accepted.
\begin { pnotes}
\item The semantics of blocks with \blockVersionNumber { } not equal to $ 4 $
are not currently defined. Miners \MUSTNOT create such \blocks , and
\SHOULDNOT mine other blocks that chain to them.
\item The exclusion of \blocks with \blockVersionNumber { } \emph { greater than} $ 4 $
is not a consensus rule; such \blocks may exist in the \blockchain
and \MUST be treated identically to version $ 4 $ \blocks by \fullValidators .
Note that a future upgrade might use \blockVersionNumber { } either
greater than or less than $ 4 $ . It is likely that such an upgrade will
change the \block header and/or \transaction format, and software that
parses \blocks { } \SHOULD take this into account.
\item The $ \nVersion $ field is a signed integer. (It was specified
as unsigned in a previous version of this specification.) A future
upgrade might use negative values for this field, or otherwise change
its interpretation.
\item There is no relation between the values of the $ \versionField $ field of a \transaction ,
and the $ \nVersion $ field of a \blockHeader .
\item Like other serialized fields of type $ \compactSize $ , the $ \solutionSize $ field \MUST
be encoded with the minimum number of bytes ($ 3 $ in this case), and other encodings
\MUST be rejected. This is necessary to avoid a potential attack in which a miner
could test several distinct encodings of each Equihash solution against the difficulty
filter, rather than only the single intended encoding.
\item As in \Bitcoin , the $ \nTimeField $ field \MUST represent a time \emph { strictly greater than}
the median of the timestamps of the past $ \PoWMedianBlockSpan $ \blocks . The
Bitcoin Developer Reference \cite { Bitc-Block} was previously in error on this point,
but has now been corrected.
\nuzero {
\item There are no changes to the \blockVersionNumber or format for \NUZero .
}
\sapling {
\item Although the \blockVersionNumber does not change for \Sapling ,
the previously reserved (and ignored) field $ \hashReserved $ has been
repurposed for $ \hashFinalSaplingRoot $ . There are no other format changes.
}
\end { pnotes}
\introlist
The changes relative to \Bitcoin version $ 4 $ blocks as described in \cite { Bitc-Block} are:
\begin { itemize}
\item \Blockversions less than $ 4 $ are not supported.
\item The $ \hashReserved $ \sapling { (or $ \hashFinalSaplingRoot $ )} , $ \solutionSize $ , and
$ \solution $ fields have been added.
\item The type of the $ \nNonce $ field has changed from \type { uint32} to \type { char[32]} .
\item The maximum \block size has been doubled to $ 2000000 $ bytes.
\end { itemize}
\introsection
\subsection { Proof of Work}
\Zcash uses Equihash \cite { BK2016} as its Proof of Work. Motivations for
changing the Proof of Work from \SHAd used by \Bitcoin are described
in \cite { WG2016} .
\introlist
A \block satisfies the Proof of Work if and only if:
\begin { itemize}
\item The $ \solution $ field encodes a \validEquihashSolution according to \crossref { equihash} .
\item The \blockHeader satisfies the difficulty check according to \crossref { difficulty} .
\end { itemize}
\introsection
\subsubsection { Equihash} \label { equihash}
An instance of the Equihash algorithm is parameterized by positive integers $ n $ and $ k $ ,
such that $ n $ is a multiple of $ k + 1 $ . We assume $ k \geq 3 $ .
The Equihash parameters for the production and test networks are $ n = 200 , k = 9 $ .
The Generalized Birthday Problem is defined as follows: given a sequence
$ X _ \barerange { 1 } { \mathrm { N } } $ of $ n $ -bit strings, find $ 2 ^ k $ distinct $ X _ { i _ j } $ such that
$ \sxor { j = 1 } { 2 ^ k } X _ { i _ j } = 0 $ .
In Equihash, $ \mathrm { N } = 2 ^ { \frac { n } { k + 1 } + 1 } $ , and the sequence $ X _ \barerange { 1 } { \mathrm { N } } $ is
derived from the \blockHeader and a nonce.
\newsavebox { \powheaderbox }
\begin { lrbox} { \powheaderbox }
\begin { bytefield} [bitwidth=0.064em]{ 1152}
\sbitbox { 128} { $ 32 $ -bit $ \nVersion $ } &
\sbitbox { 256} { $ 256 $ -bit $ \hashPrevBlock $ } &
\sbitbox { 256} { $ 256 $ -bit $ \hashMerkleRoot $ } \\
\sbitbox { 256} { $ 256 $ -bit $ \hashReserved $ } &
\sbitbox { 128} { $ 32 $ -bit $ \nTimeField $ } &
\sbitbox { 128} { $ 32 $ -bit $ \nBitsField $ } \\
\sbitbox { 256} { $ 256 $ -bit $ \nNonce $ }
\end { bytefield}
\end { lrbox}
Let $\powheader := \Justthebox[-11.5ex]{\powheaderbox}$
\vspace { 1ex}
For $ i \in \range { 1 } { N } $ , let $ X _ i = \EquihashGen { n, k } ( \powheader , i ) $ .
$ \EquihashGen { } $ is instantiated in \crossref { equihashgen} .
Define $ \ItoBEBSP { } \typecolon ( u \typecolon \Nat ) \times \range { 0 } { 2 ^ u \! - \! 1 } \rightarrow \bitseq { u } $
as in \crossref { endian} .
A \validEquihashSolution is then a sequence $ i \typecolon \range { 1 } { N } ^ { 2 ^ k } $ that
satisfies the following conditions:
\vspace { -4ex}
\subparagraph { Generalized Birthday condition}
$ \vxor { j = 1 } { 2 ^ k } X _ { i _ j } = 0 $ .
\vspace { -2ex}
\subparagraph { Algorithm Binding conditions}
\vspace { -2ex}
\introlist
\begin { itemize}
\item For all $ r \in \range { 1 } { k \! - \! 1 } $ , for all $ w \in \range { 0 } { 2 ^ { k - r } \! - \! 1 } :
\smash { \vxor { j=1} { 2^ r} } X_ { i_ { w \mult 2^ r + j} } $ has $ \frac { n \mult r} { k+1} $ leading zeros; and
\item For all $ r \in \range { 1 } { k } $ , for all $ w \in \range { 0 } { 2 ^ { k - r } \! - \! 1 } :
i_ { w \mult 2^ r + 1 .. w \mult 2^ r + 2^ { r-1} } <
i_ { w \mult 2^ r + 2^ { r-1} + 1 .. w \mult 2^ r + 2^ r} $ lexicographically.
\end { itemize}
\vspace { -2ex}
\begin { pnotes}
\item This does not include a difficulty condition, because here we are
defining validity of an Equihash solution independent of difficulty.
\item Previous versions of this specification incorrectly specified the
range of $ r $ to be $ \range { 1 } { k \! - \! 1 } $ for both parts of the algorithm
binding condition. The implementation in \zcashd was as intended.
\end { pnotes}
\introlist
An Equihash solution with $ n = 200 $ and $ k = 9 $ is encoded in the $ \solution $
field of a \blockHeader as follows:
\newsavebox { \solutionbox }
\begin { lrbox} { \solutionbox }
\begin { bytefield} [bitwidth=0.45em]{ 105}
\sbitbox { 21} { $ \ItoBEBSP { 21 } ( i _ 1 - 1 ) $ } &
\sbitbox { 21} { $ \ItoBEBSP { 21 } ( i _ 2 - 1 ) $ } &
\sbitbox { 42} { $ \cdots $ } &
\sbitbox { 21} { $ \ItoBEBSP { 21 } ( i _ { 512 } - 1 ) $ }
\end { bytefield}
\end { lrbox}
\newcommand { \zb } { \sbitbox { 1} { $ 0 $ } }
\newcommand { \ob } { \sbitbox { 1} { $ 1 $ } }
\newsavebox { \eqexamplebox }
\begin { lrbox} { \eqexamplebox }
\begin { bytefield} [bitwidth=0.75em]{ 63}
\sbitbox { 21} { $ \ItoBEBSP { 21 } ( 68 ) $ } &
\sbitbox { 21} { $ \ItoBEBSP { 21 } ( 41 ) $ } &
\sbitbox { 21} { $ \ItoBEBSP { 21 } ( 2 ^ { 21 } - 1 ) $ } \\
\zb \zb \zb \zb \zb \zb \zb \zb \zb \zb \zb \zb \zb \zb \ob \zb \zb \zb \ob \zb \zb
\zb \zb \zb \zb \zb \zb \zb \zb \zb \zb \zb \zb \zb \zb \zb \ob \zb \ob \zb \zb \ob
\ob \ob \ob \ob \ob \ob \ob \ob \ob \ob \ob \ob \ob \ob \ob \ob \ob \ob \ob \ob \ob \\
\sbitbox { 8} { 8-bit $ 0 $ }
\sbitbox { 8} { 8-bit $ 2 $ }
\sbitbox { 8} { 8-bit $ 32 $ }
\sbitbox { 8} { 8-bit $ 0 $ }
\sbitbox { 8} { 8-bit $ 10 $ }
\sbitbox { 8} { 8-bit $ 127 $ }
\sbitbox { 8} { 8-bit $ 255 $ }
\sbitbox { 7} { $ \cdots $ }
\end { bytefield}
\end { lrbox}
\begin { formulae}
\item $ \Justthebox { \solutionbox } $
\end { formulae}
\introlist
Recall from \crossref { boxnotation} that bits in the above diagram are
ordered from most to least significant in each byte.
For example, if the first $ 3 $ elements of $ i $ are $ [ 69 , 42 , 2 ^ { 21 } ] $ ,
then the corresponding bit array is:
\begin { formulae}
\item $ \Justthebox { \eqexamplebox } $
\end { formulae}
and so the first $ 7 $ bytes of $ \solution $ would be
$ [ 0 , 2 , 32 , 0 , 10 , 127 , 255 ] $ .
\pnote {
$ \ItoBEBSP { } $ is big-endian, while integer field encodings in $ \powheader $
and in the instantiation of $ \EquihashGen { } $ are little-endian.
The rationale for this is that little-endian serialization of
\blockHeaders is consistent with \Bitcoin , but using little-endian
ordering of bits in the solution encoding would require bit-reversal
(as opposed to only shifting).
}
\subsubsection { Difficulty filter} \label { difficulty}
Let $ \ToTarget $ be as defined in \crossref { nbits} .
Difficulty is defined in terms of a \targetThreshold , which is adjusted for each
\block according to the algorithm defined in \crossref { diffadjustment} .
The difficulty filter is unchanged from \Bitcoin , and is calculated using
\SHAd on the whole \blockHeader (including $ \solutionSize $ and $ \solution $ ).
The result is interpreted as a $ 256 $ -bit integer represented in little-endian
byte order, which \MUST be less than or equal to the \targetThreshold given by
$ \ToTarget ( \nBitsField ) $ .
\subsubsection { Difficulty adjustment} \label { diffadjustment}
\Zcash uses a difficulty adjustment algorithm based on DigiShield v3/v4 \cite { DigiByte-PoW} ,
with simplifications and altered parameters, to adjust difficulty to target
the desired 2.5-minute block time.
Unlike \Bitcoin , the difficulty adjustment occurs after every block.
The constants $ \PoWLimit $ , $ \PoWAveragingWindow $ , $ \PoWMaxAdjustDown $ , $ \PoWMaxAdjustUp $ ,
$ \PoWDampingFactor $ , and $ \PoWTargetSpacing $ are instantiated in \crossref { constants} .
Let $ \ToCompact $ and $ \ToTarget $ be as defined in \crossref { nbits} .
Let $ \nTime ( \BlockHeight ) $ be the value of the $ \nTimeField $ field in the \header of the
\block at \blockHeight $ \BlockHeight $ .
Let $ \nBits ( \BlockHeight ) $ be the value of the $ \nBitsField $ field in the \header of the
\block at \blockHeight $ \BlockHeight $ .
\Blockheader fields are specified in \crossref { blockheader} .
\vspace { 1ex}
\introlist
Define:
\begin { formulae}
\hfuzz =10pt
\item $\mean(S) := \left(\vsum{i=1}{\length(S)} S_i\right) \raisebox{-0.4ex}{\scalebox{1.4}{/\,}} \length(S)$.
\item $ \median ( S ) : = \sorted ( S ) _ { \sceiling { \length ( S ) / 2 } } $
\item $ \bound { \Lower } { \Upper } ( x ) : = \maximum ( \Lower , \minimum ( \Upper , x ) ) $
\item $ \trunc { x } : = \begin { cases }
\floor { x} ,& \caseif x \geq 0 \\
-\floor { -x} ,& \caseotherwise
\end { cases} $
\item $ \AveragingWindowTimespan : = \PoWAveragingWindow \mult \PoWTargetSpacing $
\item $ \MinActualTimespan : = \floor { \AveragingWindowTimespan \mult ( 1 - \PoWMaxAdjustUp ) } $
\item $ \MaxActualTimespan : = \floor { \AveragingWindowTimespan \mult ( 1 + \PoWMaxAdjustDown ) } $
\item $ \MedianTime ( \BlockHeight ) : = \median ( \listcomp { \nTime ( i ) \for i \from
\maximum (0, \BlockHeight - \PoWMedianBlockSpan ) \upto \BlockHeight - 1} )$
\item $ \ActualTimespan ( \BlockHeight ) : = \MedianTime ( \BlockHeight ) - \MedianTime ( \BlockHeight - \PoWAveragingWindow ) $
\item $\ActualTimespanDamped(\BlockHeight) := \AveragingWindowTimespan + \trunc{\scalebox{0.98}{\hfrac{\ActualTimespan(\BlockHeight) - \AveragingWindowTimespan}{\PoWDampingFactor}}}$
\item $ \ActualTimespanBounded ( \BlockHeight ) : = \bound { \MinActualTimespan } { \MaxActualTimespan } ( \ActualTimespanDamped ( \BlockHeight ) ) $
\item $ \MeanTarget ( \BlockHeight ) : = \begin { cases }
\PoWLimit , \hspace { 16em} \text { if } \BlockHeight \leq \PoWAveragingWindow \\
\mean (\listcomp { \ToTarget (\nBits (i)) \for i \from \BlockHeight - \PoWAveragingWindow \upto \BlockHeight - 1} ),\\
\hspace { 20.7em} \text { otherwise}
\end { cases} $
\end { formulae}
\vspace { 1ex}
\introlist
The \targetThreshold for a given \blockHeight $ \BlockHeight $ is then calculated as:
\begin { formulae}
\item $\Threshold(\BlockHeight) \hspace{0.43em} := \hspace{0.43em} \begin{cases}
\PoWLimit , \hspace { 16em} \text { if } \BlockHeight = 0 \\
\minimum (\PoWLimit , \floor { \hfrac { \MeanTarget (\BlockHeight )} { \AveragingWindowTimespan } }
\mult \ActualTimespanBounded (\BlockHeight )),\\
\hspace { 20.7em} \text { otherwise}
\end { cases} $
\item $ \ThresholdBits ( \BlockHeight ) : = \ToCompact ( \Threshold ( \BlockHeight ) ) $ .
\end { formulae}
\pnote {
The convention used for the height parameters to $ \MedianTime $ , $ \ActualTimespan $ ,
$ \ActualTimespanDamped $ , $ \ActualTimespanBounded $ , $ \MeanTarget $ , $ \Threshold $ , and
$ \ThresholdBits $ is that these functions use only information from \blocks \emph { preceding}
the given \blockHeight .
}
\introlist
\subsubsection { nBits conversion} \label { nbits}
Deterministic conversions between a \targetThreshold and a ``compact'' nBits value are not
fully defined in the Bitcoin documentation \cite { Bitc-nBits} , and so we define them here:
\begin { formulae} [leftmargin=1.5em,label=]
\item $ \size ( x ) : = \ceiling { \hfrac { \bitlength ( x ) } { 8 } } $
\item $ \mantissa ( x ) : = \floor { x \mult 256 ^ { 3 - \size ( x ) } } $
\item $ \ToCompact ( x ) : = \begin { cases }
\mantissa (x) + 2^ { 24} \smult \size (x),& \caseif \mantissa (x) < 2^ { 23} \\
\floor { \hfrac { \mantissa (x)} { 256} } + 2^ { 24} \smult (\size (x)+1),& \caseotherwise
\end { cases} $
\item $ \ToTarget ( x ) : = \begin { cases }
0,& \caseif x \band 2^ { 23} = 2^ { 23} \\
(x \band (2^ { 23} -1)) \mult 256^ { \floor { x / 2^ { 24} } - 3} ,& \caseotherwise .
\end { cases} $
\end { formulae}
\introlist
\subsubsection { Definition of Work} \label { workdef}
As explained in \crossref { blockchain} , a node chooses the ``best'' \blockchain
visible to it by finding the chain of valid \blocks with the greatest total work.
Let $ \ToTarget $ be as defined in \crossref { nbits} .
The work of a \block with value $ \nBits $ for the $ \nBitsField $ field
in its \blockHeader is defined as $ \floor { \hfrac { 2 ^ { 256 } } { \ToTarget ( \nBits ) + 1 } } $ .
\introlist
\subsection { Calculation of Block Subsidy and Founders' Reward} \label { subsidies}
\crossref { subsidyconcepts} defines the \blockSubsidy , \minerSubsidy , and \foundersReward .
Their amounts in \zatoshi are calculated from the \blockHeight using
the formulae below. The constants $ \SlowStartInterval $ , $ \HalvingInterval $ ,
$ \MaxBlockSubsidy $ , and $ \FoundersFraction $ are instantiated in \crossref { constants} .
\begin { formulae}
\item $ \SlowStartShift \typecolon \Nat : = \hfrac { \SlowStartInterval } { 2 } $
\item $ \SlowStartRate \typecolon \Nat : = \hfrac { \MaxBlockSubsidy } { \SlowStartInterval } $
\item $ \Halving ( \BlockHeight ) : = \floor { \hfrac { \BlockHeight - \SlowStartShift } { \HalvingInterval } } $
\item $ \BlockSubsidy ( \BlockHeight ) : = \begin { cases }
\SlowStartRate \mult \BlockHeight ,& \caseif \BlockHeight < \hfrac { \SlowStartInterval } { 2} \\ [1.4ex]
\SlowStartRate \mult (\BlockHeight + 1),& \caseif \hfrac { \SlowStartInterval } { 2} \leq \BlockHeight < \SlowStartInterval \\ [1.4ex]
\floor { \hfrac { \MaxBlockSubsidy } { 2^ { \Halving (\BlockHeight )} } } ,& \caseotherwise
\end { cases} $
\item $ \FoundersReward ( \BlockHeight ) : = \begin { cases }
\BlockSubsidy (\BlockHeight ) \mult \FoundersFraction ,& \caseif \BlockHeight < \SlowStartShift + \HalvingInterval \\
0,& \caseotherwise
\end { cases} $
\item $ \MinerSubsidy ( \BlockHeight ) : = \BlockSubsidy ( \BlockHeight ) - \FoundersReward ( \BlockHeight ) $ .
\end { formulae}
\introsection
\subsection { Payment of Founders' Reward} \label { foundersreward}
The \foundersReward is paid by a \transparent output in the \coinbaseTransaction , to
one of $ \NumFounderAddresses $ \transparent addresses, depending on the \blockHeight .
\renewcommand { \arraystretch } { 1}
\vspace { 1ex}
For the production network, $ \FounderAddressList _ \barerange { \mathrm { 1 } } { \NumFounderAddresses } $ is:
\scalebox { 0.95} {
\begin { tabular} { @{ \hskip 2.5em} l@{ \; } l}
[& \ascii { t3Vz22vK5z2LcKEdg16Yv4FFneEL1zg9ojd} , \ascii { t3cL9AucCajm3HXDhb5jBnJK2vapVoXsop3} , \\
& \ascii { t3fqvkzrrNaMcamkQMwAyHRjfDdM2xQvDTR} , \ascii { t3TgZ9ZT2CTSK44AnUPi6qeNaHa2eC7pUyF} , \\
& \ascii { t3SpkcPQPfuRYHsP5vz3Pv86PgKo5m9KVmx} , \ascii { t3Xt4oQMRPagwbpQqkgAViQgtST4VoSWR6S} , \\
& \ascii { t3ayBkZ4w6kKXynwoHZFUSSgXRKtogTXNgb} , \ascii { t3adJBQuaa21u7NxbR8YMzp3km3TbSZ4MGB} , \\
& \ascii { t3K4aLYagSSBySdrfAGGeUd5H9z5Qvz88t2} , \ascii { t3RYnsc5nhEvKiva3ZPhfRSk7eyh1CrA6Rk} , \\
& \ascii { t3Ut4KUq2ZSMTPNE67pBU5LqYCi2q36KpXQ} , \ascii { t3ZnCNAvgu6CSyHm1vWtrx3aiN98dSAGpnD} , \\
& \ascii { t3fB9cB3eSYim64BS9xfwAHQUKLgQQroBDG} , \ascii { t3cwZfKNNj2vXMAHBQeewm6pXhKFdhk18kD} , \\
& \ascii { t3YcoujXfspWy7rbNUsGKxFEWZqNstGpeG4} , \ascii { t3bLvCLigc6rbNrUTS5NwkgyVrZcZumTRa4} , \\
& \ascii { t3VvHWa7r3oy67YtU4LZKGCWa2J6eGHvShi} , \ascii { t3eF9X6X2dSo7MCvTjfZEzwWrVzquxRLNeY} , \\
& \ascii { t3esCNwwmcyc8i9qQfyTbYhTqmYXZ9AwK3X} , \ascii { t3M4jN7hYE2e27yLsuQPPjuVek81WV3VbBj} , \\
& \ascii { t3gGWxdC67CYNoBbPjNvrrWLAWxPqZLxrVY} , \ascii { t3LTWeoxeWPbmdkUD3NWBquk4WkazhFBmvU} , \\
& \ascii { t3P5KKX97gXYFSaSjJPiruQEX84yF5z3Tjq} , \ascii { t3f3T3nCWsEpzmD35VK62JgQfFig74dV8C9} , \\
& \ascii { t3Rqonuzz7afkF7156ZA4vi4iimRSEn41hj} , \ascii { t3fJZ5jYsyxDtvNrWBeoMbvJaQCj4JJgbgX} , \\
& \ascii { t3Pnbg7XjP7FGPBUuz75H65aczphHgkpoJW} , \ascii { t3WeKQDxCijL5X7rwFem1MTL9ZwVJkUFhpF} , \\
& \ascii { t3Y9FNi26J7UtAUC4moaETLbMo8KS1Be6ME} , \ascii { t3aNRLLsL2y8xcjPheZZwFy3Pcv7CsTwBec} , \\
& \ascii { t3gQDEavk5VzAAHK8TrQu2BWDLxEiF1unBm} , \ascii { t3Rbykhx1TUFrgXrmBYrAJe2STxRKFL7G9r} , \\
& \ascii { t3aaW4aTdP7a8d1VTE1Bod2yhbeggHgMajR} , \ascii { t3YEiAa6uEjXwFL2v5ztU1fn3yKgzMQqNyo} , \\
& \ascii { t3g1yUUwt2PbmDvMDevTCPWUcbDatL2iQGP} , \ascii { t3dPWnep6YqGPuY1CecgbeZrY9iUwH8Yd4z} , \\
& \ascii { t3QRZXHDPh2hwU46iQs2776kRuuWfwFp4dV} , \ascii { t3enhACRxi1ZD7e8ePomVGKn7wp7N9fFJ3r} , \\
& \ascii { t3PkLgT71TnF112nSwBToXsD77yNbx2gJJY} , \ascii { t3LQtHUDoe7ZhhvddRv4vnaoNAhCr2f4oFN} , \\
& \ascii { t3fNcdBUbycvbCtsD2n9q3LuxG7jVPvFB8L} , \ascii { t3dKojUU2EMjs28nHV84TvkVEUDu1M1FaEx} , \\
& \ascii { t3aKH6NiWN1ofGd8c19rZiqgYpkJ3n679ME} , \ascii { t3MEXDF9Wsi63KwpPuQdD6by32Mw2bNTbEa} , \\
& \ascii { t3WDhPfik343yNmPTqtkZAoQZeqA83K7Y3f} , \ascii { t3PSn5TbMMAEw7Eu36DYctFezRzpX1hzf3M} , \\
& \ascii { t3R3Y5vnBLrEn8L6wFjPjBLnxSUQsKnmFpv} , \ascii { t3Pcm737EsVkGTbhsu2NekKtJeG92mvYyoN} \, ]
\end { tabular}
} %scalebox
\vspace { 1ex}
\introlist
For the test network, $ \FounderAddressList _ \barerange { \mathrm { 1 } } { \NumFounderAddresses } $ is:
\scalebox { 0.96} {
\begin { tabular} { @{ \hskip 2.5em} l@{ \; } l}
[& \ascii { t2UNzUUx8mWBCRYPRezvA363EYXyEpHokyi} , \ascii { t2N9PH9Wk9xjqYg9iin1Ua3aekJqfAtE543} , \\
& \ascii { t2NGQjYMQhFndDHguvUw4wZdNdsssA6K7x2} , \ascii { t2ENg7hHVqqs9JwU5cgjvSbxnT2a9USNfhy} , \\
& \ascii { t2BkYdVCHzvTJJUTx4yZB8qeegD8QsPx8bo} , \ascii { t2J8q1xH1EuigJ52MfExyyjYtN3VgvshKDf} , \\
& \ascii { t2Crq9mydTm37kZokC68HzT6yez3t2FBnFj} , \ascii { t2EaMPUiQ1kthqcP5UEkF42CAFKJqXCkXC9} , \\
& \ascii { t2F9dtQc63JDDyrhnfpzvVYTJcr57MkqA12} , \ascii { t2LPirmnfYSZc481GgZBa6xUGcoovfytBnC} , \\
& \ascii { t26xfxoSw2UV9Pe5o3C8V4YybQD4SESfxtp} , \ascii { t2D3k4fNdErd66YxtvXEdft9xuLoKD7CcVo} , \\
& \ascii { t2DWYBkxKNivdmsMiivNJzutaQGqmoRjRnL} , \ascii { t2C3kFF9iQRxfc4B9zgbWo4dQLLqzqjpuGQ} , \\
& \ascii { t2MnT5tzu9HSKcppRyUNwoTp8MUueuSGNaB} , \ascii { t2AREsWdoW1F8EQYsScsjkgqobmgrkKeUkK} , \\
& \ascii { t2Vf4wKcJ3ZFtLj4jezUUKkwYR92BLHn5UT} , \ascii { t2K3fdViH6R5tRuXLphKyoYXyZhyWGghDNY} , \\
& \ascii { t2VEn3KiKyHSGyzd3nDw6ESWtaCQHwuv9WC} , \ascii { t2F8XouqdNMq6zzEvxQXHV1TjwZRHwRg8gC} , \\
& \ascii { t2BS7Mrbaef3fA4xrmkvDisFVXVrRBnZ6Qj} , \ascii { t2FuSwoLCdBVPwdZuYoHrEzxAb9qy4qjbnL} , \\
& \ascii { t2SX3U8NtrT6gz5Db1AtQCSGjrpptr8JC6h} , \ascii { t2V51gZNSoJ5kRL74bf9YTtbZuv8Fcqx2FH} , \\
& \ascii { t2FyTsLjjdm4jeVwir4xzj7FAkUidbr1b4R} , \ascii { t2EYbGLekmpqHyn8UBF6kqpahrYm7D6N1Le} , \\
& \ascii { t2NQTrStZHtJECNFT3dUBLYA9AErxPCmkka} , \ascii { t2GSWZZJzoesYxfPTWXkFn5UaxjiYxGBU2a} , \\
& \ascii { t2RpffkzyLRevGM3w9aWdqMX6bd8uuAK3vn} , \ascii { t2JzjoQqnuXtTGSN7k7yk5keURBGvYofh1d} , \\
& \ascii { t2AEefc72ieTnsXKmgK2bZNckiwvZe3oPNL} , \ascii { t2NNs3ZGZFsNj2wvmVd8BSwSfvETgiLrD8J} , \\
& \ascii { t2ECCQPVcxUCSSQopdNquguEPE14HsVfcUn} , \ascii { t2JabDUkG8TaqVKYfqDJ3rqkVdHKp6hwXvG} , \\
& \ascii { t2FGzW5Zdc8Cy98ZKmRygsVGi6oKcmYir9n} , \ascii { t2DUD8a21FtEFn42oVLp5NGbogY13uyjy9t} , \\
& \ascii { t2UjVSd3zheHPgAkuX8WQW2CiC9xHQ8EvWp} , \ascii { t2TBUAhELyHUn8i6SXYsXz5Lmy7kDzA1uT5} , \\
& \ascii { t2Tz3uCyhP6eizUWDc3bGH7XUC9GQsEyQNc} , \ascii { t2NysJSZtLwMLWEJ6MH3BsxRh6h27mNcsSy} , \\
& \ascii { t2KXJVVyyrjVxxSeazbY9ksGyft4qsXUNm9} , \ascii { t2J9YYtH31cveiLZzjaE4AcuwVho6qjTNzp} , \\
& \ascii { t2QgvW4sP9zaGpPMH1GRzy7cpydmuRfB4AZ} , \ascii { t2NDTJP9MosKpyFPHJmfjc5pGCvAU58XGa4} , \\
& \ascii { t29pHDBWq7qN4EjwSEHg8wEqYe9pkmVrtRP} , \ascii { t2Ez9KM8VJLuArcxuEkNRAkhNvidKkzXcjJ} , \\
& \ascii { t2D5y7J5fpXajLbGrMBQkFg2mFN8fo3n8cX} , \ascii { t2UV2wr1PTaUiybpkV3FdSdGxUJeZdZztyt} \, ]
\end { tabular}
} %scalebox
\renewcommand { \arraystretch } { \defaultarraystretch }
\pnote { For the test network only, the addresses from index 4 onward have been changed from
what was implemented at launch. This reflects an upgrade on the test network, starting
from \blockHeight 53127. \cite { ZcashIssue-2113} }
Each address representation in $ \FounderAddressList $ denotes a \transparent
P2SH multisig address.
\introlist
Let $ \SlowStartShift $ be defined as in the previous section.
Define:
\begin { formulae}
\item $ \FounderAddressChangeInterval : = \ceiling { \hfrac { \SlowStartShift + \HalvingInterval } { \NumFounderAddresses } } $
\item $ \FounderAddressIndex ( \BlockHeight ) : = 1 + \floor { \hfrac { \BlockHeight } { \FounderAddressChangeInterval } } $ .
\end { formulae}
Let $ \RedeemScriptHash ( \BlockHeight ) $ be the standard redeem script hash, as defined in
\cite { Bitc-Multisig} , for the P2SH multisig address with Base58Check representation
given by $ \FounderAddressList _ { \, \FounderAddressIndex ( \BlockHeight ) } $ .
\consensusrule {
A \coinbaseTransaction for \blockHeight $ \BlockHeight \in \range { 1 } { \SlowStartShift + \HalvingInterval - 1 } $
\MUST include at least one output that pays exactly $ \FoundersReward ( \BlockHeight ) $ \zatoshi
with a standard P2SH script of the form \ScriptOP { HASH160} \; $ \RedeemScriptHash ( \BlockHeight ) $ \; \ScriptOP { EQUAL}
as its $ \scriptPubKey $ .
}
\begin { pnotes}
\item No \foundersReward is required to be paid for $ \BlockHeight \geq \SlowStartShift + \HalvingInterval $
(i.e.\ after the first halving), or for $ \BlockHeight = 0 $ (i.e.\ the \genesisBlock ).
\item The \foundersReward addresses are not treated specially in any other way, and
there can be other outputs to them, in \coinbaseTransactions or otherwise.
In particular, it is valid for a \coinbaseTransaction with
$ \BlockHeight \in \range { 1 } { \SlowStartShift + \HalvingInterval - 1 } $ to have
other outputs, possibly to the same address, that do not meet the criterion
in the above consensus rule, as long as at least one output meets it.
\end { pnotes}
\subsection { Changes to the Script System} \label { scripts}
The \ScriptOP { CODESEPARATOR} opcode has been disabled. This opcode also no longer
affects the calculation of signature hashes.
\subsection { Bitcoin Improvement Proposals} \label { bips}
In general, Bitcoin Improvement Proposals (BIPs) do not apply to \Zcash unless
otherwise specified in this section.
All of the BIPs referenced below should be interpreted by replacing
``BTC'', or ``bitcoin'' used as a currency unit, with ``ZEC''; and
``satoshi'' with ``zatoshi''.
The following BIPs apply, otherwise unchanged, to \Zcash :
\cite { BIP-11} ,
\cite { BIP-14} ,
\cite { BIP-31} ,
\cite { BIP-35} ,
\cite { BIP-37} ,
\cite { BIP-61} .
The following BIPs apply starting from the \Zcash \genesisBlock , i.e.\ any activation
rules or exceptions for particular \blocks in the \Bitcoin \blockchain are to
be ignored:
\cite { BIP-16} ,
\cite { BIP-30} ,
\cite { BIP-65} ,
\cite { BIP-66} .
\cite { BIP-34} applies to all blocks other than the \Zcash \genesisBlock
(for which the ``height in coinbase'' was inadvertently omitted).
\cite { BIP-13} applies with the changes to address version bytes described
in \crossref { transparentaddrencoding} .
\begin { comment}
\cite { BIP-22} and \cite { BIP-23} apply with some protocol changes, which are
to be specified in a Zcash Improvement Proposal.
The following BIPs can be used unchanged, but do not define consensus rules:
\cite { BIP-69} ,
\cite { BIP-126} .
The following BIPs can be used by replacing the URI scheme \ascii { bitcoin:}
with \ascii { zcash:} , and the MIME types starting with \ascii { bitcoin-} with
corresponding types starting with \ascii { zcash-} :
\cite { BIP-21} ,
\cite { BIP-70} ,
\cite { BIP-71} ,
\cite { BIP-72} ,
\cite { BIP-73} .
(Note that this URI scheme and these MIME types are not formally allocated,
and would require an RFC in order to do so.)
\end { comment}
\introsection
\section { Differences from the Zerocash paper} \label { differences}
\subsection { Transaction Structure} \label { trstructure}
\Zerocash introduces two new operations, which are described in
the paper as new transaction types, in addition to the original
transaction type of the cryptocurrency on which it is based
(e.g.\ \Bitcoin ).
In \Zcash , there is only the original \Bitcoin transaction type,
which is extended to contain a sequence of zero or more
\Zcash -specific operations.
This allows for the possibility of chaining transfers of \shielded
value in a single \Zcash \transaction , e.g.\ to spend a \shieldedNote
that has just been created. (In \Zcash , we refer to value stored in
UTXOs as \transparent , and value stored in \joinSplitTransfer output
\notes as \shielded .)
This was not possible in the \Zerocash design without using multiple
transactions. It also allows \transparent and \shielded transfers to
happen atomically --- possibly under the control of nontrivial script
conditions, at some cost in distinguishability.
\todo { Describe changes to signing.}
\subsection { \Memos }
\Zcash adds a \memo sent from the creator of a \joinSplitDescription to
the recipient of each output \note . This feature is described in
more detail in \crossref { notept} .
\introlist
\subsection { Unification of Mints and Pours}
In the original \Zerocash protocol, there were two kinds of transaction
relating to \shieldedNotes :
\begin { itemize}
\item a ``Mint'' transaction takes value from \transparent UTXOs as
input and produces a new \shieldedNote as output.
\item a ``Pour'' transaction takes up to $ \NOld $ \shieldedNotes
as input, and produces up to $ \NNew $ \shieldedNotes and a
\transparent UTXO as output.
\end { itemize}
Only ``Pour'' transactions included a \zkSNARK proof.
\sproutonly {
In \Zcash , the sequence of operations added to a \transaction
(see \crossref { trstructure} ) consists only of \joinSplitTransfers .
A \joinSplitTransfer is a Pour operation generalized to take a \transparent
UTXO as input, allowing \joinSplitTransfers to subsume the functionality of
Mints. An advantage of this is that a \Zcash \transaction that takes
input from a UTXO can produce up to $ \NNew $ output \notes , improving
the indistinguishability properties of the protocol. A related change
conceals the input arity of the \joinSplitTransfer : an unused (zero-value)
input is indistinguishable from an input that takes value from a \note .
}
This unification also simplifies the fix to the Faerie Gold attack
described below, since no special case is needed for Mints.
\saplingonward {
In \Sapling , there are still no ``Mint'' transactions. Instead of
\joinSplitTransfers , there are \spendTransfers and \outputTransfers .
These make use of \xPedersenValueCommitments to represent the shielded
values that are transferred. Because these commitments are additively
homomorphic (using elliptic curve addition), it is possible to check
that all \spendTransfers and \outputTransfers balance; see \crossref { saplingbalance}
for detail. This reduces the granularity of the circuit, allowing
a substantial performance improvement (orthogonal to other \Sapling
circuit improvements) when the numbers of \shielded inputs and outputs
are significantly different. This comes at the cost of revealing the
exact number of \shielded inputs and outputs, but dummy (zero-valued)
outputs are still possible.
}
\subsection { Faerie Gold attack and fix} \label { faeriegold}
When a \shieldedNote is created in \Zerocash , the creator is
supposed to choose a new $ \NoteAddressRand $ value at random.
The \nullifier of the \note is derived from its \spendingKey
($ \AuthPrivate $ ) and $ \NoteAddressRand $ . The \noteCommitment
is derived from the recipient address component $ \AuthPublic $ ,
the value $ \Value $ , and the commitment trapdoor $ \NoteCommitRand $ ,
as well as $ \NoteAddressRand $ . However nothing prevents creating
multiple \notes with different $ \Value $ and $ \NoteCommitRand $
(hence different \noteCommitments ) but the same $ \NoteAddressRand $ .
An adversary can use this to mislead a \note recipient, by sending
two \notes both of which are verified as valid by $ \Receive $ (as
defined in \cite [Figure 2] { BCG+2014} ), but only one of
which can be spent.
We call this a ``Faerie Gold'' attack --- referring to various Celtic
legends in which faeries pay mortals in what appears to be gold,
but which soon after reveals itself to be leaves, gorse blossoms,
gingerbread cakes, or other less valuable things \cite { LG2004} .
\introlist
This attack does not violate the security definitions given in
\cite { BCG+2014} . The issue could be framed as a problem
either with the definition of Completeness, or the definition of
Balance:
\begin { itemize}
\item The Completeness property asserts that a validly received
\note can be spent provided that its \nullifier does not appear
on the ledger. This does not take into account the possibility
that distinct \notes , which are validly received, could have the
same \nullifier . That is, the security definition depends on
a protocol detail --\nullifiers -- that is not part of the
intended abstract security property, and that could be implemented
incorrectly.
\item The Balance property only asserts that an adversary cannot
obtain \emph { more} funds than they have minted or received via
payments. It does not prevent an adversary from causing others'
funds to decrease. In a Faerie Gold attack, an adversary can cause
spending of a \note to reduce (to zero) the effective value of another
\note for which the attacker does not know the \spendingKey , which
violates an intuitive conception of global balance.
\end { itemize}
These problems with the security definitions need to be repaired,
but doing so is outside the scope of this specification. Here we
only describe how \Zcash addresses the immediate attack.
It would be possible to address the attack by requiring that a
recipient remember all of the $ \NoteAddressRand $ values for all
\notes they have ever received, and reject duplicates (as proposed
in \cite { GGM2016} ). However, this requirement would interfere
with the intended \Zcash feature that a holder of a \spendingKey
can recover access to (and be sure that they are able to spend) all
of their funds, even if they have forgotten everything but the
\spendingKey .
\sproutspecific {
Instead, \Zcash enforces that an adversary must choose distinct values
for each $ \NoteAddressRand $ , by making use of the fact that all of the
\nullifiers in \joinSplitDescriptions that appear in a \validBlockchain
must be distinct. This is true regardless of whether the \nullifiers
correspond to real or dummy notes (see \crossref { dummynotes} ).
The \nullifiers are used as input to $ \hSigCRH $ to derive a public value
$ \hSig $ which uniquely identifies the transaction, as described in
\crossref { joinsplitdesc} . ($ \hSig $ was already used in \Zerocash
in a way that requires it to be unique in order to maintain
indistinguishability of \joinSplitDescriptions ; adding the \nullifiers
to the input of the hash used to calculate it has the effect of making
this uniqueness property robust even if the \transaction creator is an
adversary.)
}
\sproutspecific {
The $ \NoteAddressRand $ value for each output \note is then derived from
a random private seed $ \NoteAddressPreRand $ and $ \hSig $ using
$ \PRFrho { \NoteAddressPreRand } $ . The correct construction of
$ \NoteAddressRand $ for each output \note is enforced by
\crossref { sproutuniquerho} in the \joinSplitStatement .
}
\sproutspecific {
Now even if the creator of a \joinSplitDescription does not choose
$ \NoteAddressPreRand $ randomly, uniqueness of \nullifiers and
collision resistance of both $ \hSigCRH $ and $ \PRFrho { } $ will ensure
that the derived $ \NoteAddressRand $ values are unique, at least for
any two \joinSplitDescriptions that get into a \validBlockchain .
This is sufficient to prevent the Faerie Gold attack.
}
A variation on the attack attempts to cause the \nullifier of a sent
\note to be repeated, without repeating $ \NoteAddressRand $ .
However, since the \nullifier is computed as
$ \PRFnf { \AuthPrivate } ( \NoteAddressRand ) $ , this is only possible if
the adversary finds a collision (across both inputs) on $ \PRFnf { } $ ,
which is assumed to be infeasible --- see \crossref { abstractprfs} .
\sproutspecific {
Crucially, ``\nullifier integrity'' (\crossref { sproutnullifierintegrity} )
is enforced whether or not the $ \EnforceMerklePath { i } $ flag is set
for an input \note . If this were not the case then an adversary could
perform the attack by creating a zero-valued \note with a repeated
\nullifier , since the \nullifier would not depend on the value.
}
\sproutspecific {
\xNullifier { } integrity also prevents a ``roadblock attack'' in which the
attacker sees a victim's \transaction , and is able to publish another
\transaction that is mined first and blocks the victim's \transaction .
This attack would be possible if the public value(s) used to
enforce uniqueness of $ \NoteAddressRand $ could be chosen arbitrarily
by the \transaction creator: the victim's \transaction , rather than
the attacker's, would be considered to be repeating these values.
In the chosen solution that uses \nullifiers for these public values,
they are enforced to be dependent on \spendingKeys controlled by the
original \transaction creator (whether or not each input note is a
dummy), and so a roadblock attack cannot be performed by another party
who does not know these keys.
}
\saplingonward {
In \Sapling , uniqueness of $ \NoteAddressRand $ is ensured by making it
dependent on the position of the \noteCommitment in the \Sapling { }
\noteCommitmentTree . Specifically,
$ \NoteAddressRand = \cm + \scalarmult { \NotePosition } { \NotePositionBase } $ ,
where $ \NotePositionBase $ is a generator independent of the generators
used in $ \NoteCommitSaplingAlg $ . Therefore, $ \NoteAddressRand $ commits uniquely
to the \note and its position, and this commitment is \collisionResistant
by the same argument used to prove collision resistance of \xPedersenHashes .
Note that it is possible for two distinct \Sapling \positionedNotes (which have
different \notePositions , and hence different $ \NoteAddressRand $ values and
\nullifiers ) to have the same \noteCommitment , but this causes no security
problem. Roadblock attacks are not possible because a given \notePosition
does not repeat for outputs of different \transactions in the same \blockchain .
}
\subsection { Internal hash collision attack and fix} \label { internalh}
The \Zerocash security proof requires that the composition of
$ \Commit { \NoteCommitRand } $ and $ \Commit { \NoteCommitS } $ is a
computationally binding commitment to its inputs $ \AuthPublic $ ,
$ \Value $ , and $ \NoteAddressRand $ . However, the instantiation of
$ \Commit { \NoteCommitRand } $ and $ \Commit { \NoteCommitS } $ in
section 5.1 of the paper did not meet the definition of a binding
commitment at a $ 128 $ -bit security level. Specifically, the internal
hash of $ \AuthPublic $ and $ \NoteAddressRand $ is truncated to $ 128 $ bits
(motivated by providing statistical hiding security). This allows an
attacker, with a work factor on the order of $ 2 ^ { 64 } $ , to find distinct
pairs $ ( \AuthPublic , \NoteAddressRand ) $ and $ ( \AuthPublic \! ', \NoteAddressRand ' ) $
with colliding outputs of the truncated hash, and therefore the same
\noteCommitment . This would have allowed such an attacker to break the
Balance property by double-spending \notes , potentially creating arbitrary
amounts of currency for themself \cite { HW2016} .
\Zcash uses a simpler construction with a single
\notsprout { hash evaluation for the commitment:
$ \SHAFull $ for \Sprout \sapling { , and $ \PedersenHash $ for \Sapling } .}
\sprout { $ \SHAFull $ evaluation for the commitment.}
The motivation for the nested construction in \Zerocash
was to allow Mint transactions to be publicly verified without requiring
a \zeroKnowledgeProof (as described under step 3 in
\cite [section 1.3] { BCG+2014} ). Since \Zcash combines ``Mint'' and ``Pour''
transactions into generalized \notsprout { \joinSplitTransfers (for \Sprout ),
\sapling { or \spendTransfers and \outputTransfers (for \Sapling )} , and each
transfer always uses a \zeroKnowledgeProof \! \! ,
\Zcash does not require the nesting.} \sprout { \joinSplitTransfers ,
and each transfer always uses a \zeroKnowledgeProof \! \! , it does not require the nesting.}
A side benefit is that this reduces the cost of computing the
\noteCommitments : \notsprout { for \Sprout } it reduces the number of $ \SHACompress $
evaluations needed to compute each \noteCommitment from three to two,
saving a total of four $ \SHACompress $ evaluations in the \joinSplitStatement .
\sproutspecificpnote {
\notsprout { \Sprout \noteCommitments are not statistically hiding, so for \Sprout notes,}
\sprout { \Zcash \noteCommitments are not statistically hiding, so}
\Zcash does not support the ``everlasting anonymity'' property
described in \cite [section 8.1] { BCG+2014} ,
even when used as described in that section. While it is possible to
define a statistically hiding, computationally binding commitment scheme
for this use at a 128-bit security level, the overhead of doing so
within the \joinSplitStatement was not considered to justify the benefits.
}
\saplingonward {
In \Sapling , \xPedersenCommitments are used instead of $ \SHACompress $ .
These commitments are statistically hiding, and so ``everlasting anonymity''
is supported for \Sapling notes under the same conditions as in \Zerocash
(by the protocol, not necessarily by \zcashd ).
}
\subsection { Changes to PRF inputs and truncation} \label { truncation}
The format of inputs to the PRFs instantiated in \crossref { concreteprfs}
has changed relative to \Zerocash . There is also a requirement for another PRF,
$ \PRFrho { } $ , which must be domain-separated from the others.
In the \Zerocash protocol, $ \NoteAddressRandOld { i } $ is truncated from $ 256 $
to $ 254 $ bits in the input to $ \PRFsn { } $ (which corresponds to $ \PRFnf { } $ in \Zcash ).
Also, $ \hSig $ is truncated from $ 256 $ to $ 253 $ bits in the input to $ \PRFpk { } $ .
These truncations are not taken into account in the security proofs.
Both truncations affect the validity of the proof sketch for Lemma D.2 in
the proof of Ledger Indistinguishability in \cite [Appendix D] { BCG+2014} .
\introlist
In more detail:
\begin { itemize}
\item In the argument relating $ \mathbf { H } $ and $ \Game _ 2 $ , it is stated that in $ \Game _ 2 $ ,
``for each $ i \in \setof { 1 , 2 } , \mathsf { sn } _ i : = \PRFsn { \AuthPrivate } ( \NoteAddressRand ) $
for a random (and not previously used) $ \NoteAddressRand $ ''. It is also
argued that ``the calls to $ \PRFsn { \AuthPrivate } $ are each by definition unique''.
The latter assertion depends on the fact that $ \NoteAddressRand $
is ``not previously used''. However, the argument is incorrect
because the truncated input to $ \PRFsn { \AuthPrivate } $ , i.e.\
$ [ \NoteAddressRand ] _ { 254 } $ , may repeat even if $ \NoteAddressRand $ does not.
\item In the same argument, it is stated that ``with overwhelming probability,
$ \hSig $ is unique''. In fact what is required to be unique is the
truncated input to $ \PRFpk { } $ , i.e.\ $ [ \hSig ] _ { 253 } = [ \CRH ( \pksig ) ] _ { 253 } $ .
In practice this value will be unique under a plausible assumption on
$ \CRH $ provided that $ \pksig $ is chosen randomly, but no formal argument
for this is presented.
\end { itemize}
Note that $ \NoteAddressRand $ is truncated in the input to $ \PRFsn { } $
but not in the input to $ \Commit { \NoteCommitRand } $ , which further
complicates the analysis.
As further evidence that it is essential for the proofs to explicitly take any
such truncations into account, consider a slightly modified protocol in which
$ \NoteAddressRand $ is truncated in the input to $ \Commit { \NoteCommitRand } $
but not in the input to $ \PRFsn { } $ . In that case, it would be possible to
violate balance by creating two \notes for which $ \NoteAddressRand $ differs
only in the truncated bits. These \notes would have the same \noteCommitment
but different \nullifiers , so it would be possible to spend the same value
twice.
\sproutspecific {
For resistance to Faerie Gold attacks as described in
\crossref { faeriegold} , \Zcash depends on collision resistance of
$ \hSigCRH $ (instantiated using $ \BlakeTwob { 256 } $ ) and $ \PRFrho { } $
(instantiated using $ \SHACompress $ ). Collision resistance of a truncated hash
does not follow from collision resistance of the original hash, even if the
truncation is only by one bit. This motivated avoiding truncation along any
path from the inputs to the computation of $ \hSig $ to the uses of
$ \NoteAddressRand $ .
}
\sproutspecific {
Since the PRFs are instantiated using $ \SHACompress $ which has an input block
size of $ 512 $ bits (of which $ 256 $ bits are used for the PRF input and $ 4 $ bits
are used for domain separation), it was necessary to reduce the size of the
PRF key to $ 252 $ bits. The key is set to $ \AuthPrivate $ in the case of
$ \PRFaddr { } $ , $ \PRFnf { } $ , and $ \PRFpk { } $ , and to $ \NoteAddressPreRand $ (which
does not exist in \Zerocash ) for $ \PRFrho { } $ , and so those values have been
reduced to $ 252 $ bits. This is preferable to requiring reasoning about truncation,
and $ 252 $ bits is quite sufficient for security of these cryptovalues.
}
\sapling {
\Sapling uses \xPedersenHashes and $ \BlakeTwosGeneric $ where \Sprout used $ \SHACompress $ .
\xPedersenHashes can be efficiently instantiated for arbitrary input lengths.
$ \BlakeTwosGeneric $ has an input block size of $ 512 $ bits, and uses a finalization flag
rather than padding of the last input block; it also supports domain separation
via a personalization parameter distinct from the input. Therefore, there is
no need for truncation in the inputs to any of these hashes.
\todo { check, especially $ \CRHivk $ which has truncated output.}
}
\subsection { In-band secret distribution} \label { inbandrationale}
\Zerocash specified ECIES (referencing Certicom's SEC 1 standard) as the
encryption scheme used for the in-band secret distribution. This has been
changed to a key agreement scheme based on
\sprout { Curve25519,}
\notsprout { Curve25519 (for \Sprout ) \sapling { or $ \JubjubCurve $ (for \Sapling )} }
and the authenticated encryption algorithm $ \SymSpecific $ . This scheme is
still loosely based on ECIES, and on the $ \CryptoBoxSeal $ scheme defined in
libsodium \cite { libsodium-Seal} .
\introlist
The motivations for this change were as follows:
\begin { itemize}
\item The \Zerocash paper did not specify the curve to be used.
We believe that Curve25519 has significant side-channel resistance,
performance, implementation complexity, and robustness advantages
over most other available curve choices, as explained in \cite { Bern2006} .
\sapling { For \Sapling , the \jubjubCurve was designed according to a
similar design process following the ``Safe curves'' criteria
\cite { BL-SafeCurves} \cite { GitHub-jubjub} .
This retains Curve25519's advantages while keeping \paymentAddress sizes
short, because the same public key material supports both encryption and
spend authentication.}
\item ECIES permits many options, which were not specified. There are at least
--counting conservatively-- 576 possible combinations of options and
algorithms over the four standards (ANSI X9.63, IEEE Std 1363a-2004,
ISO/IEC 18033-2, and SEC 1) that define ECIES variants \cite { MAEA2010} .
\item Although the \Zerocash paper states that ECIES satisfies key privacy
(as defined in \cite { BBDP2001} ), it is not clear that this holds for
all curve parameters and key distributions. For example, if a group of
non-prime order is used, the distribution of ciphertexts could be
distinguishable depending on the order of the points representing the
ephemeral and recipient public keys. Public key validity is also a concern.
Curve25519 \sapling { (and $ \JubjubCurve $ )} key agreement is defined in a way that
avoids these concerns due to the curve structure and the ``clamping'' of
private keys\sapling { (or explicit cofactor multiplication and point
validation for \Sapling )} .
\item Unlike the DHAES/DHIES proposal on which it is based \cite { ABR1999} , ECIES
does not require a representation of the sender's ephemeral public key
to be included in the input to the KDF, which may impair the security
properties of the scheme. (The Std 1363a-2004 version of ECIES \cite { IEEE2004}
has a ``DHAES mode'' that allows this, but the representation of the key
input is underspecified, leading to incompatible implementations.)
The scheme we use has both the ephemeral and recipient public key
encodings ---which are unambiguous for Curve25519--- and also $ \hSig $ and
a nonce as described below, as input to the KDF. Note that being able to
break the Elliptic Curve Diffie-Hellman Problem on Curve25519 (without breaking
$ \SymSpecific $ as an authenticated encryption scheme or $ \BlakeTwob { 256 } $ as
a KDF) would not help to decrypt the \notesCiphertext unless
$ \TransmitPublic $ is known or guessed.
\item \sproutspecific { The KDF also takes a public seed $ \hSig $ as input.
This can be modeled as using a different ``randomness extractor'' for each
\joinSplitTransfer , which limits degradation of security with the number of
\joinSplitTransfers .
This facilitates security analysis as explained in \cite { DGKM2011} --- see
section 7 of that paper for a security proof that can be applied to this
construction under the assumption that single-block $ \BlakeTwob { 256 } $ is a
``weak PRF''.
Note that $ \hSig $ is authenticated, by the \zkSNARKProof \! \! , as having been chosen
with knowledge of $ \AuthPrivateOld { \allOld } $ , so an adversary cannot
modify it in a ciphertext from someone else's transaction for use in a
chosen-ciphertext attack without detection.}
\sapling { In \Sapling , there is no equivalent to $ \hSig $ . \todo { Explain why this is ok.} }
\item \sproutspecific { The scheme used by \SproutOrZcash includes an optimization that reuses
the same ephemeral key (with different nonces) for the two ciphertexts
encrypted in each \joinSplitDescription .}
\end { itemize}
The security proofs of \cite { ABR1999} can be adapted straightforwardly to the
resulting scheme. Although DHAES as defined in that paper does not pass the
recipient public key or a public seed to the \hashFunction $ H $ , this does not
impair the proof because we can consider $ H $ to be the specialization of our
KDF to a given recipient key and seed. (Passing the recipient public key to
the KDF could in principle compromise key privacy, but not confidentiality of
encryption.) \sproutspecific { It is necessary to adapt the
``HDH independence'' assumptions and the proof slightly to take into account
that the ephemeral key is reused for two encryptions.}
Note that the $ 256 $ -bit key for $ \SymSpecific $ maintains a high concrete security
level even under attacks using parallel hardware \cite { Bern2005} in the multi-user
setting \cite { Zave2012} . This is especially necessary because the privacy of
\Zcash transactions may need to be maintained far into the future, and upgrading
the encryption algorithm would not prevent a future adversary from attempting
to decrypt ciphertexts encrypted before the upgrade. Other cryptovalues that
could be attacked to break the privacy of transactions are also sufficiently long
to resist parallel brute force in the multi-user setting: \notsprout { for \Sprout ,}
$ \AuthPrivate $ is $ 252 $ bits, and $ \TransmitPrivate $ is no shorter than $ \AuthPrivate $ .
\subsection { Omission in \Zerocash security proof} \label { crprf}
The abstract \Zerocash protocol requires $ \PRFaddr { } $ only to be a PRF;
it is not specified to be \collisionResistant \! . This reveals a flaw in
the proof of the Balance property.
Suppose that an adversary finds a collision on $ \PRFaddr { } $ such that
$ \AuthPrivateSup { 1 } $ and $ \AuthPrivateSup { 2 } $ are distinct \spendingKeys for
the same $ \AuthPublic $ . Because the \noteCommitment is to $ \AuthPublic $ ,
but the \nullifier is computed from $ \AuthPrivate $ (and $ \NoteAddressRand $ ),
the adversary is able to double-spend the note, once with each $ \AuthPrivate $ .
This is not detected because each spend reveals a different \nullifier .
The \joinSplitStatements are still valid because they can only
check that the $ \AuthPrivate $ in the witness is \emph { some} preimage of
the $ \AuthPublic $ used in the \noteCommitment .
\introlist
The error is in the proof of Balance in \cite [Appendix D.3] { BCG+2014} .
For the ``$ \Adversary $ violates Condition I'' case, the proof says:
\begin { itemize}
\item [``(i)] If $ \cmOld { 1 } = \cmOld { 2 } $ , then the fact that
$ \snOld { 1 } \neq \snOld { 2 } $ implies that the witness $ a $ contains
two distinct openings of $ \cmOld { 1 } $ (the first opening contains
$ ( \AuthPrivateOldX { 1 } , \NoteAddressRandOld { 1 } ) $ , while the second
opening contains $ ( \AuthPrivateOldX { 2 } , \NoteAddressRandOld { 2 } ) $ ).
This violates the binding property of the commitment scheme $ \CommitAlg $ .''
\end { itemize}
In fact the openings do not contain $ \AuthPrivateOld { i } $ ; they contain
$ \AuthEmphPublicOld { i } $ . (In \SproutOrZcash $ \cmOld { i } $ opens directly to
$ ( \AuthEmphPublicOld { i } , \ValueOld { i } , \NoteAddressRandOld { i } ) $ , and
in \Zerocash it opens to $ ( \ValueOld { i } ,
\Commit { \NoteCommitS } (\AuthEmphPublicOld { i} , \NoteAddressRandOld { i} ) )$ . )
A similar error occurs in the argument for the ``$ \Adversary $ violates
Condition II'' case.
The flaw is not exploitable for the actual instantiations of $ \PRFaddr { } $
in \Zerocash and \SproutOrZcash , which \emph { are} \collisionResistant assuming
that $ \SHACompress $ is.
The proof can be straightforwardly repaired. The intuition is that we can rely
on collision resistance of $ \PRFaddr { } $ (on both its arguments) to argue that
distinctness of $ \AuthPrivateOldX { 1 } $ and $ \AuthPrivateOldX { 2 } $ , together with
constraint 1(b) of the \joinSplitStatement (see \crossref { sproutspendauthority} ),
implies distinctness of $ \AuthPublicOldX { 1 } $ and $ \AuthPublicOldX { 2 } $ , therefore
distinct openings of the \noteCommitment when Condition I or II is violated.
\subsection { Miscellaneous}
\begin { itemize}
\item The paper defines a \note as $ ( ( \AuthPublic , \TransmitPublic ) , \Value ,
\NoteAddressRand , \NoteCommitRand , \NoteCommitS , \cm )$ , whereas this
specification defines \sprout { it} \notsprout { a \Sprout \note } as
$ ( \AuthPublic , \Value , \NoteAddressRand , \NoteCommitRand ) $ .
The instantiation of $ \Commit { \NoteCommitS } $ in section 5.1 of the paper
did not actually use $ \NoteCommitS $ , and neither does the new
instantiation of $ \NoteCommitSprout { } $ in \SproutOrZcash . $ \TransmitPublic $ is also
not needed as part of a \note : it is not an input to $ \NoteCommitSprout { } $ nor
is it constrained by the \Zerocash \POUR { } \statement or the
\Zcash \joinSplitStatement . $ \cm $ can be computed from the other fields.
\sapling { (The definition of \notes for \Sapling is different again.)}
\item The length of proof encodings given in the paper is $ 288 $ bytes.
\sproutspecific { This differs from the $ 296 $ bytes specified in \crossref { phgr} ,
because both the $ x $ -coordinate and compressed $ y $ -coordinate of each
point need to be represented. Although it is possible to encode a proof
in $ 288 $ bytes by making use of the fact that elements of $ \GF { q } $ can
be represented in $ 254 $ bits, we prefer to use the standard formats for points
defined in \cite { IEEE2004} . The fork of \libsnark used by \Zcash uses
this standard encoding rather than the less efficient (uncompressed) one
used by upstream \libsnark .}
\item The range of monetary values differs. In \Zcash , this range is
$ \range { 0 } { \MAXMONEY } $ ; in \Zerocash it is $ \range { 0 } { 2 ^ { 64 } - 1 } $ .
(The \joinSplitStatement still only directly enforces that the sum
of amounts in a given \joinSplitTransfer is in the latter range;
this enforcement is technically redundant given that the Balance
property holds.)
\end { itemize}
\introsection
\section { Acknowledgements}
The inventors of \Zerocash are Eli Ben-Sasson, Alessandro Chiesa,
Christina Garman, Matthew Green, Ian Miers, Eran Tromer, and Madars
Virza.
The authors would like to thank everyone with whom they have discussed
the \Zerocash protocol design; in addition to the inventors, this includes
Mike Perry, Isis Lovecruft, Leif Ryge, Andrew Miller, Zooko Wilcox,
Samantha Hulsey, Jack Grigg, Simon Liu, Ariel Gabizon, jl777, Ben Blaxill,
Alex Balducci, Jake Tarren, Solar Designer, Ling Ren, Alison Stevenson,
John Tromp, Paige Peterson, Maureen Walsh, Jay Graber, Jack Gavigan,
Filippo Valsorda, Zaki Manian, George Tankersley, Tracy Hu,
and no doubt others.
\Zcash has benefited from security audits performed by NCC Group and
Coinspect.
The Faerie Gold attack was found by Zooko Wilcox; subsequent analysis
of variations on the attack was performed by Daira Hopwood and Sean Bowe.
The internal hash collision attack was found by Taylor Hornby.
The error in the \Zerocash proof of Balance relating to collision-resistance
of $ \PRFaddr { } $ was found by Daira Hopwood.
The errors in the proof of Ledger Indistinguishability mentioned in
\crossref { truncation} were also found by Daira Hopwood.
\sapling {
The design of \Sapling is primarily due to Matthew Green, Ian Miers,
Daira Hopwood, Sean Bowe, and Jack Grigg.
}
\intropart
\section { Change History}
\subparagraph { 2018.0-beta-15}
\begin { itemize}
\item Clarify the bit ordering of SHA-256.
\item Drop $ \type { \_ t } $ from the names of representation types.
\item Remove functions from the \Sprout specification that it does not use.
\nuzero {
\item Updates to transaction format and consensus rules for Overwinter and Sapling.
} %nuzero
\sapling {
\item Add specification of the \outputStatement .
\item Change $ \MerkleDepthSapling $ from $ 29 $ to $ 32 $ .
\item Updates to \Sapling construction, changing how the \nullifier is
computed and separating it from the \authRandomizedVerifyingKey
($ \AuthSignRandomizedPublic $ ).
\item Clarify conversions between bit and byte sequences for
$ \SpendingKey $ , $ \reprJOf { \AuthSignPublic } $ , and $ \reprJOf { \AuthProvePublic } $ .
} %sapling
\item Change the \texttt { Makefile} to avoid multiple reloads in PDF readers while
rebuilding the PDF.
\item Spacing and pagination improvements.
\end { itemize}
\introlist
\subparagraph { 2018.0-beta-14}
\begin { itemize}
\item Only cosmetic changes to \Sprout .
\sapling {
\item Simplify $ \FindGroupJHash $ to use a single-byte index.
\item Changes to diversification for \xPedersenHashes and \xPedersenCommitments { } .
\item Improve security definitions for signatures.
}
\end { itemize}
\introlist
\subparagraph { 2018.0-beta-13}
\begin { itemize}
\item Only cosmetic changes to \Sprout .
\sapling {
\item Change how $ ( \AuthSignPrivate , \AuthProvePrivate ) $ are derived from the \spendingKey
$ \SpendingKey $ to ensure they are on the full range of $ \GF { \ParamJ { r } } $ .
\item Change $ \PRF { } { \mathsf { nr } } $ to produce output computationally indistinguishable from uniform on
$ \GF { \ParamJ { r } } $ .
\item Change $ \UncommittedSapling $ to be a $ u $ -coordinate for which there is no point on the curve.
\item Appendix A updates:
\begin { itemize}
\item categorize components into larger sections
\item fill in the [de]compression and validation algorithm
\item more precisely state the assumptions for inputs and outputs
\item delete not-all-one component which is no longer needed
\item factor out xor into its own component
\item specify [un]packing more precisely; separate it from boolean constraints
\item optimize checking for non-small order
\item notation in variable-base multiplication algorithm.
\end { itemize}
}
\end { itemize}
\introlist
\subparagraph { 2018.0-beta-12}
\begin { itemize}
\item No changes to \Sprout .
\nuzero {
\item Add references to \NUZero ZIPs and update the section on
\NUZero /\Sapling transitions.
}
\sapling {
\item Add a section on re-randomizable signatures.
\item Add definition of $ \PRF { } { \mathsf { nr } } $ .
\item Work-in-progress on \Sapling statements.
\item Rename \quotedterm { raw} to \quotedterm { homomorphic} \xPedersenCommitments .
\item Add packing modulo the field size and range checks to Appendix A.
\item Update the algorithm for variable-base scalar multiplication to
what is implemented by sapling-crypto.
}
\end { itemize}
\introlist
\subparagraph { 2018.0-beta-11}
\begin { itemize}
\item No changes to \Sprout .
\sapling {
\item Add sections on \spendDescriptions and \outputDescriptions .
\item Swap order of $ \cv $ and $ \rt $ in a \spendDescription for consistency.
\item Fix off-by-one error in the range of $ \InViewingKey $ .
}
\end { itemize}
\introlist
\subparagraph { 2018.0-beta-10}
\begin { itemize}
\item Split the descriptions of $ \SHAFull $ and $ \SHACompress $ \sapling { , and of $ \BlakeTwoGeneric $ ,}
into their own sections. Specify $ \SHACompress $ more precisely.
\item Add Tracy Hu to acknowledgements\sapling { (for the idea of explicitly
encoding the root of the \Sapling \noteCommitmentTree in \blockHeaders )} .
\item Move bit/byte/integer conversion primitives into \crossref { endian} .
\sapling {
\item Refer to \NUZero and \Sapling just as ``upgrades'' in the abstract, not as
the next ``minor version'' and ``major version''.
\item $ \PRF { } { \mathsf { nr } } $ must be \collisionResistant \! .
\item Correct an error in the \xPedersenHash specification.
\item Use a named variable, $ c $ , for chunks per segment in the \xPedersenHash
specification, and change its value from $ 61 $ to $ 63 $ . Add a proof
justifying this value of $ c $ .
\item Specify \xPedersenCommitments .
\item Notation changes.
\item Generalize the \distinctXCriterion (\theoremref { thmdistinctxcriterion} )
to allow negative indices.
}
\end { itemize}
\introlist
\subparagraph { 2018.0-beta-9}
\begin { itemize}
\item Specify the coinbase maturity rule, and the rule that \coinbaseTransactions
cannot contain \joinSplitDescriptions \sapling { , \spendDescriptions , or
\outputDescriptions } .
\nuzero {
\item Delay lifting the 100000-byte \transaction size limit from \NUZero to
\Sapling .
}
\sapling {
\item Improve presentation of the proof of injectivity for $ \ExtractJ $ .
\item Specify $ \GroupJHash { } $ .
\item Specify \xPedersenHashes .
}
\end { itemize}
\introlist
\subparagraph { 2018.0-beta-8}
\begin { itemize}
\item No changes to \Sprout .
\sapling {
\item Add instantiation of $ \CRHivk $ .
\item Add instantiation of a hash extractor for \Jubjub .
\item Make the background lighter and the \Sapling green darker, for contrast.
}
\end { itemize}
\introlist
\subparagraph { 2018.0-beta-7}
\begin { itemize}
\item Specify the $ 100000 $ -byte limit on \transaction size.
(The implementation in \zcashd was as intended.)
\item Specify that $ \hexint { F 6 } $ followed by $ 511 $ zero bytes encodes an
empty \memo .
\item Reference security definitions for
\pseudoRandomFunctions \sapling { and \pseudoRandomGenerators } .
\item Rename $ \mathsf { clamp } $ to $ \mathsf { bound } $ and
$ \mathsf { ActualTimespanClamped } $ to $ \ActualTimespanBounded $
in the difficulty adjustment algorithm, to avoid a name
collision with Curve25519 scalar ``clamping''.
\item Change uses of the term \term { full node} to \fullValidator .
A \term { full node} by definition participates in the
peer-to-peer network, whereas a \fullValidator just needs a copy
of the \blockchain from somewhere. The latter is what was meant.
\sapling {
\item Add an explanation of how \Sapling prevents Faerie Gold and
roadblock attacks.
\item \Sapling work in progress.
}
\end { itemize}
\introlist
\subparagraph { 2018.0-beta-6}
\begin { itemize}
\item No changes to \Sprout .
\sapling {
\item \Sapling work in progress, mainly on \crossref { circuitdesign} .
}
\end { itemize}
\introlist
\subparagraph { 2018.0-beta-5}
\begin { itemize}
\item Specify more precisely the requirements on $ \JoinSplitSigSpecific $
public keys and signatures.
\sapling {
\item \Sapling work in progress.
}
\end { itemize}
\introlist
\subparagraph { 2018.0-beta-4}
\begin { itemize}
\item No changes to \Sprout .
\sapling {
\item Update key components diagram for \Sapling .
}
\end { itemize}
\introlist
\subparagraph { 2018.0-beta-3}
\begin { itemize}
\item Explain how the chosen fix to Faerie Gold avoids a potential
``roadblock'' attack.
\sapling {
\item Update some explanations of changes from \Zerocash for \Sapling .
\item Add a description of the \jubjubCurve .
\item Add an acknowledgement to George Tankersley.
\item Add an appendix on the design of the \Sapling circuits at the
\quadraticArithmeticProgram level.
}
\end { itemize}
\introlist
\subparagraph { 2017.0-beta-2.9}
\begin { itemize}
\item Refer to $ \TransmitPrivate $ as a \receivingKey rather than as a
viewing key.
\item Updates for \incomingViewingKey support.
\nuzero {
\item Refer to Network Upgrade 0 as \NUZero .
}
\end { itemize}
\introlist
\subparagraph { 2017.0-beta-2.8}
\begin { itemize}
\item Correct the non-normative note describing how to check the order
of $ \Proof { B } $ .
\sapling {
\item Initial version of draft \Sapling protocol specification.
}
\end { itemize}
\introlist
\subparagraph { 2017.0-beta-2.7}
\begin { itemize}
\item Fix an off-by-one error in the specification of the Equihash algorithm
binding condition. (The implementation in \zcashd was as intended.)
\item Correct the types and consensus rules for \transactionVersionNumbers
and \blockVersionNumbers . (Again, the implementation in \zcashd was as
intended.)
\item Clarify the computation of $ \h { i } $ in a \joinSplitStatement .
\end { itemize}
\introlist
\subparagraph { 2017.0-beta-2.6}
\begin { itemize}
\item Be more precise when talking about curve points and pairing groups.
\end { itemize}
\introlist
\subparagraph { 2017.0-beta-2.5}
\begin { itemize}
\item Clarify the consensus rule preventing double-spends.
\item Clarify what a \noteCommitment opens to in \crossref { crprf} .
\item Correct the order of arguments to $ \CommitAlg $ in \crossref { concretesproutcommit} .
\item Correct a statement about indistinguishability of \joinSplitDescriptions .
\item Change the \foundersReward addresses, for the test network only, to
reflect the hard-fork upgrade described in \cite { ZcashIssue-2113} .
\end { itemize}
\introlist
\subparagraph { 2017.0-beta-2.4}
\begin { itemize}
\item Explain a variation on the Faerie Gold attack and why it is prevented.
\item Generalize the description of the InternalH attack to include finding
collisions on $ ( \AuthPublic , \NoteAddressRand ) $ rather than just on
$ \NoteAddressRand $ .
\item Rename $ \mathsf { enforce } _ i $ to $ \EnforceMerklePath { i } $ .
\end { itemize}
\introlist
\subparagraph { 2017.0-beta-2.3}
\begin { itemize}
\item Specify the security requirements on the $ \shaCompress $ function in order
for the scheme in \crossref { concretesproutcommit} to be a secure commitment.
\item Specify $ \GroupG { 2 } $ more precisely.
\item Explain the use of interstitial \treestates in chained \joinSplitTransfers .
\end { itemize}
\introlist
\subparagraph { 2017.0-beta-2.2}
\begin { itemize}
\item Give definitions of computational binding and computational hiding
for commitment schemes.
\item Give a definition of statistical zero knowledge.
\item Reference the white paper on MPC parameter generation \cite { BGG2016} .
\end { itemize}
\introlist
\subparagraph { 2017.0-beta-2.1}
\begin { itemize}
\item $ \MerkleHashLength $ is a bit length, not a byte length.
\item Specify the maximum \block size.
\end { itemize}
\introlist
\subparagraph { 2017.0-beta-2}
\begin { itemize}
\item Add abstract and keywords.
\item Fix a typo in the definition of \nullifier integrity.
\item Make the description of \blockchains more consistent with
upstream \Bitcoin documentation (referring to ``best'' chains
rather than using the concept of a \term { block chain view} ).
\item Define how nodes select a best chain.
\end { itemize}
\introlist
\subparagraph { 2016.0-beta-1.13}
\begin { itemize}
\item Specify the difficulty adjustment algorithm.
\item Clarify some definitions of fields in a \blockHeader .
\item Define $ \PRFaddr { } $ in \crossref { sproutkeycomponents} .
\end { itemize}
\introlist
\subparagraph { 2016.0-beta-1.12}
\begin { itemize}
\item Update the hashes of proving and verifying keys for the final \Sprout parameters.
\item Add cross references from \paymentAddress and \spendingKey encoding
sections to where the key components are specified.
\item Add acknowledgements for Filippo Valsorda and Zaki Manian.
\end { itemize}
\introlist
\subparagraph { 2016.0-beta-1.11}
\begin { itemize}
\item Specify a check on the order of $ \Proof { B } $ in a \zeroKnowledgeProof .
\item Note that due to an oversight, the \Zcash \genesisBlock does not
follow \cite { BIP-34} .
\end { itemize}
\introlist
\subparagraph { 2016.0-beta-1.10}
\begin { itemize}
\item Update reference to the Equihash paper \cite { BK2016} . (The newer version
has no algorithmic changes, but the section discussing potential ASIC
implementations is substantially expanded.)
\item Clarify the discussion of proof size in ``Differences from the \Zerocash paper''.
\end { itemize}
\introlist
\subparagraph { 2016.0-beta-1.9}
\begin { itemize}
\item Add \foundersReward addresses for the production network.
\item Change \quotedterm { protected} terminology to \quotedterm { shielded} .
\end { itemize}
\introlist
\subparagraph { 2016.0-beta-1.8}
\begin { itemize}
\item Revise the lead bytes for \transparent P2SH and P2PKH addresses,
and reencode the testnet \foundersReward addresses.
\item Add a section on which BIPs apply to \Zcash .
\item Specify that \ScriptOP { CODESEPARATOR} has been disabled, and
no longer affects signature hashes.
\item Change the representation type of $ \vpubOldField $ and $ \vpubNewField $
to \type { uint64} . (This is not a consensus change because the type of
$ \vpubOld $ and $ \vpubNew $ was already specified to be $ \range { 0 } { \MAXMONEY } $ ;
it just better reflects the implementation.)
\item Correct the representation type of the \block $ \nVersion $ field to
\type { uint32} .
\end { itemize}
\introlist
\subparagraph { 2016.0-beta-1.7}
\begin { itemize}
\item Clarify the consensus rule for payment of the \foundersReward , in
response to an issue raised by the NCC audit.
\end { itemize}
\introlist
\subparagraph { 2016.0-beta-1.6}
\begin { itemize}
\item Fix an error in the definition of the sortedness condition for Equihash:
it is the sequences of indices that are sorted, not the sequences of
hashes.
\item Correct the number of bytes in the encoding of $ \solutionSize $ .
\item Update the section on encoding of \transparent addresses.
(The precise prefixes are not decided yet.)
\item Clarify why $ \BlakeTwob { \ell } $ is different from truncated $ \BlakeTwob { 512 } $ .
\item Clarify a note about SU-CMA security for signatures.
\item Add a note about $ \PRFnf { } $ corresponding to $ \PRFsn { } $ in \Zerocash .
\item Add a paragraph about key length in \crossref { inbandrationale} .
\item Add acknowledgements for John Tromp, Paige Peterson, Maureen Walsh,
Jay Graber, and Jack Gavigan.
\end { itemize}
\introlist
\subparagraph { 2016.0-beta-1.5}
\begin { itemize}
\item Update the \foundersReward address list.
\item Add some clarifications based on Eli Ben-Sasson's review.
\end { itemize}
\introlist
\subparagraph { 2016.0-beta-1.4}
\begin { itemize}
\item Specify the \blockSubsidy , \minerSubsidy , and the \foundersReward .
\item Specify \coinbaseTransaction outputs to \foundersReward addresses.
\item Improve notation (for example ``$ \mult $ '' for multiplication and
``$ \typeexp { T } { \ell } $ '' for sequence types) to avoid ambiguity.
\end { itemize}
\introlist
\subparagraph { 2016.0-beta-1.3}
\begin { itemize}
\item Correct the omission of $ \solutionSize $ from the \blockHeader format.
\item Document that \compactSize { } encodings must be canonical.
\item Add a note about conformance language in the introduction.
\item Add acknowledgements for Solar Designer, Ling Ren and Alison Stevenson,
and for the NCC Group and Coinspect security audits.
\end { itemize}
\introlist
\subparagraph { 2016.0-beta-1.2}
\begin { itemize}
\item Remove $ \mathsf { GeneralCRH } $ in favour of specifying $ \hSigCRH $ and
$ \EquihashGen { } $ directly in terms of $ \BlakeTwob { \ell } $ .
\item Correct the security requirement for $ \EquihashGen { } $ .
\end { itemize}
\introlist
\subparagraph { 2016.0-beta-1.1}
\begin { itemize}
\item Add a specification of abstract signatures.
\item Clarify what is signed in the ``Sending Notes'' section.
\item Specify ZK parameter generation as a randomized algorithm, rather
than as a distribution of parameters.
\end { itemize}
\introlist
\subparagraph { 2016.0-beta-1}
\begin { itemize}
\item Major reorganization to separate the abstract cryptographic protocol
from the algorithm instantiations.
\item Add type declarations.
\item Add a ``High-level Overview'' section.
\item Add a section specifying the \zeroKnowledgeProvingSystem and the
encoding of proofs. Change the encoding of points in proofs to follow
IEEE Std 1363[a].
\item Add a section on consensus changes from \Bitcoin , and the specification
of Equihash.
\item Complete the ``Differences from the \Zerocash paper'' section.
\item Correct the Merkle tree depth to 29.
\item Change the length of \memos to 512 bytes.
\item Switch the \joinSplitSignature scheme to Ed25519, with consequent
changes to the computation of $ \hSig $ .
\item Fix the lead bytes in \paymentAddress and \spendingKey encodings to
match the implemented protocol.
\item Add a consensus rule about the ranges of $ \vpubOld $ and $ \vpubNew $ .
\item Clarify cryptographic security requirements and add definitions
relating to the in-band secret distribution.
\item Add various citations: the ``Fixing Vulnerabilities in the Zcash
Protocol'' and ``Why Equihash?'' blog posts, several crypto papers
for security definitions, the \Bitcoin whitepaper, the \CryptoNote
whitepaper, and several references to \Bitcoin documentation.
\item Reference the extended version of the \Zerocash paper rather than the
Oakland proceedings version.
\item Add \joinSplitTransfers to the Concepts section.
\item Add a section on Coinbase Transactions.
\item Add acknowledgements for Jack Grigg, Simon Liu, Ariel Gabizon, jl777,
Ben Blaxill, Alex Balducci, and Jake Tarren.
\item Fix a \texttt { Makefile} compatibility problem with the escaping behaviour
of \texttt { echo} .
\item Switch to \texttt { biber} for the bibliography generation, and add
backreferences.
\item Make the date format in references more consistent.
\item Add visited dates to all URLs in references.
\item Terminology changes.
\end { itemize}
\introlist
\subparagraph { 2016.0-alpha-3.1}
\begin { itemize}
\item Change main font to Quattrocento.
\end { itemize}
\introlist
\subparagraph { 2016.0-alpha-3}
\begin { itemize}
\item Change version numbering convention (no other changes).
\end { itemize}
\introlist
\subparagraph { 2.0-alpha-3}
\begin { itemize}
\item Allow anchoring to any previous output \treestate in the same \transaction ,
rather than just the immediately preceding output \treestate .
\item Add change history.
\end { itemize}
\introlist
\subparagraph { 2.0-alpha-2}
\begin { itemize}
\item Change from truncated $ \BlakeTwob { 512 } $ to $ \BlakeTwob { 256 } $ .
\item Clarify endianness, and that uses of $ \BlakeTwobGeneric $ are unkeyed.
\item Minor correction to what \sighashTypes cover.
\item Add ``as intended for the \Zcash release of summer 2016'' to title page.
\item Require $ \PRFaddr { } $ to be \collisionResistant (see \crossref { crprf} ).
\item Add specification of path computation for the \incrementalMerkleTree .
\item Add a note in \crossref { sproutmerklepathvalidity} about how this condition
corresponds to conditions in the \Zerocash paper.
\item Changes to terminology around keys.
\end { itemize}
\introlist
\subparagraph { 2.0-alpha-1}
\begin { itemize}
\item First version intended for public review.
\end { itemize}
\intropart
\section { References}
\begingroup
\hfuzz =2pt
\renewcommand { \section } [2]{ }
\renewcommand { \emph } [1]{ \textit { #1} }
\printbibliography
\endgroup
\notsprout {
\intropart
\vspace { 20ex}
\appendix
\phantomsection
\addcontentsline { toc} { section} { \larger { Appendices} }
{ \Larger { \textbf { Appendices} } }
\section { Circuit Design} \label { circuitdesign}
\subsection { \QuadraticArithmeticPrograms }
\Sapling defines two circuits, Spend and Output, each implementing an abstract
statement described in \crossref { spendstatement} and \crossref { outputstatement}
respectively.
At the next lower level, each circuit is defined in terms of a
\quadraticArithmeticProgram , detailed in this section. The description
given here is necessary to compute witness elements for the circuit.
\vspace { 1.5ex}
Let $ \GF { \ParamS { r } } $ be the finite field over which $ \JubjubCurve $ is defined, as
given in \crossref { jubjub} .
\introlist
A \quadraticArithmeticProgram consists of a set of constraints over
variables in $ \GF { \ParamS { r } } $ , each of the form:
\begin { formulae}
\item $ \constraint { A } { B } { C } $
\end { formulae}
\vspace { -2ex}
where $ \lincomb { A } $ , $ \lincomb { B } $ , and $ \lincomb { C } $ are \linearCombinations
of variables and constants in $ \GF { \ParamS { r } } $ .
Here $ \times $ and $ \mult $ both represent multiplication in the field $ \GF { \ParamS { r } } $ ,
but we use $ \times $ for multiplications corresponding to gates of the circuit,
and $ \mult $ for multiplications by constants in the terms of a \linearCombination .
\subsection { Elliptic curve background} \label { ecbackground}
The circuit makes use of a twisted Edwards curve, $ \JubjubCurve $ , and also a
Montgomery curve that is birationally equivalent to $ \JubjubCurve $ .
From here on we omit ``twisted'' when referring to the Edwards $ \JubjubCurve $
curve or coordinates. Following the notation in \cite { BL2017} we use
$ ( u, \varv ) $ for affine coordinates on the Edwards curve, and $ ( x, y ) $ for
affine coordinates on the Montgomery curve.
\introlist
The Montgomery curve has parameters $ \ParamM { A } = 40962 $ and $ \ParamM { B } = 1 $ .
We use an affine representation of this curve with the formula:
\begin { formulae}
\item $ \ParamM { B } \smult y ^ 2 = x ^ 3 + \ParamM { A } \smult x ^ 2 + x $
\end { formulae}
Usually, elliptic curve arithmetic over prime fields is implemented using
some form of projective coordinates, in order to reduce the number of expensive
inversions required. In the circuit, it turns out that a division can be
implemented at the same cost as a multiplication, i.e.\ one constraint.
Therefore it is beneficial to use affine coordinates for both curves.
\introlist
We define the following types representing affine Edwards and Montgomery
coordinates respectively:
\begin { tabular} { @{ \hskip 2em} r@{ \; } l@{ \; } l}
$ \AffineEdwardsJubjub $ & $ : = ( u \typecolon \GF { \ParamS { r } } ) \times ( \hspace { 0 . 04 em } \varv \hspace { 0 . 04 em } \typecolon \GF { \ParamS { r } } ) $
& $ : \ParamJ { a } \smult u ^ 2 + \varv ^ 2 = 1 + \ParamJ { d } \smult u ^ 2 \smult \varv ^ 2 $ \\
$ \AffineMontJubjub $ & $ : = ( x \typecolon \GF { \ParamS { r } } ) \times ( y \typecolon \GF { \ParamS { r } } ) $
& $ : \ParamM { B } \smult y ^ 2 = x ^ 3 + \ParamM { A } \smult x ^ 2 + x $
\end { tabular}
\introlist
We also define a type representing compressed, \emph { not necessarily valid} ,
Edwards coordinates:
\begin { formulae}
\item $ \CompressedEdwardsJubjub : = ( \tilde { u } \typecolon \bit ) \times ( \varv \typecolon \GF { \ParamS { r } } ) $
\end { formulae}
\vspace { -1.5ex}
See \crossref { jubjub} for how this type is represented as a byte sequence in
external encodings.
\vspace { 2ex}
We use affine Montgomery arithmetic in parts of the circuit because it is
more efficient, in terms of the number of constraints, than affine Edwards
arithmetic.
An important consideration when using Montgomery arithmetic is that the
addition formula is not complete, that is, there are pairs of input points
for which it produces an incorrect result rather than the sum. We must ensure
that these cases do not arise.
\introlist
We will need the theorem below about $ y $ -coordinates of points on
Montgomery curves.
\fact{$\ParamM{A}^2 - 4$ is a nonsquare in $\GF{\ParamS{r}}$.}
\begin { theorem} \label { thmmontynotzero}
Let $ P = ( x, y ) $ be a point other than $ ( 0 , 0 ) $ on a Montgomery curve
over $ \GF { r } $ with parameter $ A $ , such that $ A ^ 2 - 4 $ is a nonsquare in $ \GF { r } $ .
Then $ y \neq 0 $ .
\end { theorem}
\begin { proof}
Substituting $ y = 0 $ into the Montgomery curve equation gives
$ 0 = x ^ 3 + A \mult x ^ 2 + x = x \mult ( x ^ 2 + A \mult x + 1 ) $ .
So either $ x = 0 $ or $ x ^ 2 + A \mult x + 1 = 0 $ .
Since $ P \neq ( 0 , 0 ) $ , the case $ x = 0 $ is excluded.
In the other case, complete the square for $ x ^ 2 + A \mult x + 1 = 0 $
to give the equivalent $ ( 2 \mult x + A ) ^ 2 = A ^ 2 - 4 $ .
The left-hand side is a square, so if the right-hand side is a nonsquare,
then there are no solutions for $ x $ .
\end { proof}
\introsection
\subsection { Circuit Components}
Each of the following sections describes how to implement a particular
component of the circuit, and counts the number of constraints required.
Some components make use of others; the order of presentation is ``bottom-up''.
It is important for security to ensure that variables intended to be of
boolean type are boolean-constrained (otherwise a prover could assign them
values outside $\bit$); and for efficiency that they are
boolean-constrained only once. We explicitly state for the boolean inputs and
outputs of each component whether they are boolean-constrained by the component,
or are assumed to have been boolean-constrained separately.
Affine coordinates for elliptic curve points are assumed to represent points
on the relevant curve, unless otherwise specified.
In this section, variables have type $ \GF { \ParamS { r } } $ unless otherwise specified.
In contrast to most of this document, we use zero-based indexing in order
to more closely match the implementation.
\introsection
\subsubsection { Operations on individual bits} \label { cctbitops}
\subsubsubsection { Boolean constraints} \label { cctboolean}
A boolean constraint $ b \in \bit $ can be implemented as:
\begin { formulae}
\item $ \constraint { 1 - b } { b } { 0 } $
\end { formulae}
\introlist
\subsubsubsection { Selection constraints} \label { cctselection}
A selection constraint $ b \bchoose x : y = z $ , where $ b \typecolon \bit $ has been
boolean-constrained, can be implemented as:
\begin { formulae}
\item $ \constraint { b } { y - x } { y - z } $
\end { formulae}
\introsection
\subsubsubsection { Nonzero constraints} \label { cctnonzero}
Since only nonzero elements of $ \GF { \ParamS { r } } $ have a multiplicative inverse, the
assertion $ a \neq 0 $ can be implemented by witnessing the inverse,
$ \Inv { a } = a ^ { - 1 } \pmod { \ParamS { r } } $ :
\begin { formulae}
\item $ \constraint { \Inv { a } } { a } { 1 } $
\end { formulae}
A global optimization allows a single inverse computation outside the
circuit to serve any number of nonzero constraints. Suppose that we have
$n$ variables (or \linearCombinations) that are supposed to be nonzero:
$ a _ \barerange { 0 } { n - 1 } $ . Multiply these together (using $ n \! - \! 1 $ constraints)
to give $ a ^ * = \sproduct { i = 0 } { n - 1 } a _ i $ ; then, constrain $ a ^ * $ to be nonzero.
This works because the product $ a ^ * $ is nonzero if and only if all of
$ a _ \barerange { 0 } { n - 1 } $ are nonzero.
\introsection
\subsubsubsection { Exclusive-or constraints} \label { cctxor}
An exclusive-or operation $ a \xor b = c $ , where $ a, b \typecolon \bit $ are
already boolean-constrained, can be implemented in one constraint as:
\begin { formulae}
\item $ \constraint { 2 \smult a } { b } { a + b - c } $
\end { formulae}
This automatically boolean-constrains $ c $ . Its correctness can be seen
by checking the truth table of $ ( a, b ) $ .
\introsection
\subsubsection { Operations on multiple bits} \label { cctmultibitops}
\subsubsubsection { [Un]packing modulo \rS } \label { cctmodpack}
Let $ n \typecolon \PosInt $ be a constant.
The operation of converting a field element, $ a \typecolon \GF { \ParamS { r } } $ ,
to a sequence of boolean variables $ b _ \barerange { 0 } { n - 1 } \typecolon \bitseq { n } $
such that $ a = \ssum { i = 0 } { n - 1 } b _ i \mult 2 ^ i \pmod { \ParamS { r } } $ , is called
\quotedterm { unpacking} . The inverse operation is called \quotedterm { packing} .
In the \quadraticArithmeticProgram these are the same operation (but
see the note about canonical representation below). We assume that
the variables $ b _ \barerange { 0 } { n - 1 } $ are boolean-constrained separately.
We have $ a \bmod \ParamS { r } = \left ( \vsum { i = 0 } { n - 1 } b _ i \mult 2 ^ i \right ) \bmod \ParamS { r }
= \left (\vsum { i=0} { n-1} b_ i \mult (2^ i \bmod \ParamS { r} )\! \right ) \bmod \ParamS { r} $ .
\introlist
This can be implemented in one constraint:
\begin { formulae}
\item $ \constraint { \vsum { i = 0 } { n - 1 } b _ i \mult ( 2 ^ i \bmod \ParamS { r } ) } { 1 } { a } $
\end { formulae}
\begin { pnotes}
\item The bit length $ n $ is not limited by the field element size.
\item Since the constraint has only a trivial multiplication, it is
possible to eliminate it by merging it into the boolean constraint
of one of the output bits, expressing that bit as a linear
combination of the others and $ a $ . However, this optimization
requires substitutions that would interfere with the modularity
of the circuit implementation (for a saving of only one constraint
per unpacking operation), and so we do not use it for the
\Sapling circuit.
\todo { Do we want to use it internally to the BLAKE2s implementation
where modularity is not significantly affected?}
\item In the case $ n = 255 $ , for $ a < 2 ^ { 255 } - \ParamS { r } $ there are two
possible representations of $ a \typecolon \GF { \ParamS { r } } $ as a
sequence of $ 255 $ bits, corresponding to $ \ItoLEBSP { 255 } ( a ) $ and
$\ItoLEBSP{255}(a + \ParamS{r})$. This is a potential hazard (the two bit
sequences are distinct but unpack to the same field element), but whether
it is necessary to force use of the canonical representation
$\ItoLEBSP{255}(a)$ depends on the context in which the [un]packing
operation is used. We therefore do not consider this to be part of the
[un]packing operation itself.
\end { pnotes}
\introsection
\subsubsubsection { Range check} \label { cctrange}
Let $ n \typecolon \PosInt $ be a constant, and let
$ a = \ssum { i = 0 } { n - 1 } a _ i \mult 2 ^ i \typecolon \Nat $ .
Suppose we want to constrain $ a \leq c $ for some \emph { constant}
$ c = \ssum { i = 0 } { n - 1 } c _ i \mult 2 ^ i \typecolon \Nat $ .
Without loss of generality we can assume that $ c _ { n - 1 } = 1 $ , because if it
were not then we would decrease $ n $ accordingly.
Note that since $ a $ and $ c $ are provided in binary representation, their
bit length $ n $ is not limited by the field element size. We \emph { do not} assume
that the bits $ a _ \barerange { 0 } { n - 1 } $ are already boolean-constrained.
Suppose $ c $ has $ k $ bits set to $ 1 $ , and let $ j _ \barerange { 0 } { k - 1 } $ be the
indices of those bits in ascending order. Let $ t $ be the minimum of $ k - 1 $ and
the number of trailing $ 1 $ bits in $ c $ .
\introlist
Let $ \Pi _ { j _ { k - 1 } } = a _ { j _ { k - 1 } } $ . For $ z \in \range { t } { k - 2 } $ , constrain:
\begin { formulae}
\item $ \constraint { \Pi _ { j _ { z + 1 } } } { a _ { j _ z } } { \Pi _ { j _ z } } $
\end { formulae}
\introlist
For $ i \in \range { 0 } { n - 1 } $ :
\begin { itemize}
\item if $ c _ i = 0 $ , constrain $ \constraint { 1 - \Pi _ { j _ z } - a _ i } { a _ i } { 0 } $ where $ j _ z $ is the least element of $ j $ greater than $ i $ ;
\item if $ c _ i = 1 $ , boolean-constrain $ a _ i $ as in \crossref { cctboolean} .
\end { itemize}
Note that the constraints corresponding to zero bits of $c$ are \emph{in place of}
boolean constraints on the corresponding bits $a_i$ of $a$.
This costs $ n + k - 1 - t $ constraints.
\todo { Explain why this works (see \url { https://github.com/zcash/zcash/issues/2234\# issuecomment-338930637} ).}
\introsection
\subsubsection { Elliptic curve operations} \label { cctelliptic}
\subsubsubsection { Checking that affine Edwards coordinates are on the curve} \label { cctedvalidate}
To check that $ ( u, \varv ) $ is a point on the Edwards curve, use:
\begin { formulae}
\item $ \constraint { u } { u } { uu } $
\item $ \constraint { \varv } { \varv } { \varvv } $
\item $ \constraint { \ParamJ { d } \smult uu } { \varvv } { \ParamJ { a } \smult uu + \varvv - 1 } $
\end { formulae}
\introsection
\subsubsubsection { Edwards [de]compression and validation} \label { ccteddecompressvalidate}
Define $ \DecompressValidate \typecolon \CompressedEdwardsJubjub \rightarrow \AffineEdwardsJubjub $
as follows:
\begin { formulae}
\item $ \DecompressValidate ( \tilde { u } , \varv ) : $
\item \tab // Prover supplies the $ u $ -coordinate.
\item \tab Let $ u \typecolon \GF { \ParamS { r } } $ .
\vspace { 1ex}
\item \tab // \crossref { cctedvalidate} .
\item \tab Check that $ ( u, \varv ) $ is a point on the Edwards curve.
\vspace { 1ex}
\item \tab // \crossref { cctmodpack} .
\item \tab Unpack $ u $ to $ \vsum { i = 0 } { 254 } u _ i \mult 2 ^ i $ , equating $ \tilde { u } $ with $ u _ 0 $ .
\vspace { 1ex}
\item \tab // \crossref { cctrange} .
\item \tab Check that $ \vsum { i = 0 } { 254 } u _ i \mult 2 ^ i \leq \ParamS { r } - 1 $ .
\vspace { 1ex}
\item \tab Return $ ( u, \varv ) $ .
\end { formulae}
This costs $ 3 $ constraints for the curve equation check, $ 1 $ constraint for the
unpacking, and $ 255 + 133 - 1 $ constraints for the range check (which includes
boolean-constraining $ u _ \barerange { 0 } { 254 } $ ), for a total of $ 391 $ constraints.
The same \quadraticArithmeticProgram can be used for both compression and decompression.
\pnote {
The point-on-curve check could be omitted if $ ( u, \varv ) $ were already known to be on the curve.
However, the \Sapling circuit never omits it; this provides a redundant consistency check
on the elliptic curve arithmetic in some cases.
}
\introlist
\subsubsubsection { Edwards \lrarrow \ Montgomery conversion} \label { cctconversion}
Define $ \EdwardsToMont \typecolon \AffineEdwardsJubjub \rightarrow \AffineMontJubjub $
as follows:
\begin { formulae}
\item $ \EdwardsToMont ( u, \varv ) = \left ( \hfrac { 1 + \varv } { 1 - \varv } ,
\scalebox { 0.8} { $ \ssqrt { - 40964 } $ } \mult \hfrac { 1 + \varv } { (1 - \varv ) \mult u} \right )
\sidecondition { 1 - \varv \neq 0 \tand u \neq 0} $
\end { formulae}
\introlist
Define $ \MontToEdwards \typecolon \AffineMontJubjub \rightarrow \AffineEdwardsJubjub $
as follows:
\begin { formulae}
\item $ \MontToEdwards ( x, y ) = \left ( \scalebox { 0 . 8 } { $ \ssqrt { -40964} $ } \mult \hfrac { x } { y } ,
\hfrac { x - 1} { x + 1} \right )
\sidecondition { x + 1 \neq 0 \tand y \neq 0} $
\end { formulae}
\introlist
Either of these conversions can be implemented by the same \quadraticArithmeticProgram :
\begin { formulae}
\item $ \constraint { y } { u } { \ssqrt { - 40964 } \mult x } $
\item $ \constraint { x + 1 } { \varv } { x - 1 } $
\end { formulae}
The above conversions should only be used if the input is guaranteed to be
a point on the relevant curve. If that is the case, the theorems below
enumerate all exceptional inputs that may violate the side-conditions.
\vspace { 1ex}
\begin { theorem} \label { thmconversiontomontnoexcept}
Let $ ( u, \varv ) $ be an affine point on a complete twisted Edwards curve.
Then the only points with $u = 0$ or $\varv = 0$
are $ ( 0 , 1 ) = \ZeroJ $ ; $ ( 0 , - 1 ) $ of order $ 2 $ ; and
$ \left ( \pm \, 1 / \! \ssqrt { \ParamJ { a } } , 0 \right ) $ of order $ 4 $ .
\end { theorem}
\begin { proof}
Straightforward from the curve equation. (The fact that the points
$ \left ( \pm \, 1 / \! \ssqrt { \ParamJ { a } } , 0 \right ) $ are of order $ 4 $
can be inferred by applying the doubling formula.)
\end { proof}
\vspace { 0.5ex}
\begin { theorem} \label { thmconversiontoedwardsnoexcept}
Let $ ( x, y ) $ be an affine point on a Montgomery curve over $ \GF { r } $
with parameter $ A $ such that $ A ^ 2 - 4 $ is a nonsquare in $ \GF { r } $ ,
that is birationally equivalent to a complete twisted Edwards curve.
Then $ x + 1 \neq 0 $ , and the only point $ ( x, y ) $ with $ y = 0 $ is
$ ( 0 , 0 ) $ of order 2.
\end { theorem}
\begin { proof}
That the only point with $ y = 0 $ is $ ( 0 , 0 ) $ is proven by \theoremref { thmmontynotzero} .
If $x + 1 = 0$, then substituting $x = -1$ into the Montgomery curve equation gives
$\ParamM{B} \mult y^2 = x^3 + \ParamM{A} \mult x^2 + x = \ParamM{A} - 2$.
So in that case $y^2 = (\ParamM{A} - 2) / \ParamM{B}$. The right-hand side is equal
to the parameter $ d $ of a particular complete twisted Edwards curve birationally
equivalent to the Montgomery curve (see \cite [section 4.3.5] { BL2017} ).
For all complete twisted Edwards curves, $ d $ is nonsquare, so this equation
has no solutions for $ y $ , hence $ x + 1 \neq 0 $ .
\end { proof}
(The complete twisted Edwards curve referred to in the proof is an
isomorphic $ y $ -coordinate rescaling of the \jubjubCurve .)
\introsection
\subsubsubsection { Affine-Montgomery arithmetic} \label { cctmontarithmetic}
The incomplete affine-Montgomery addition formulae given in
\cite [section 4.3.2] { BL2017} are:
\begin { formulae}
\item $ x _ 3 = \ParamM { B } \smult \lambda ^ 2 - \ParamM { A } - x _ 1 - x _ 2 $
\item $y_3 = (x_1 - x_3) \smult \lambda - y_1$
\item where $ \lambda = \begin { cases }
\hfrac { 3 \smult x_ 1^ 2 + 2 \smult \ParamM { A} \smult x_ 1 + 1} { 2 \smult \ParamM { B} \smult y_ 1} ,
& \caseif x_ 1 = x_ 2 \\ [1.4ex]
\hfrac { y_ 2 - y_ 1} { x_ 2 - x_ 1} , & \caseotherwise .
\end { cases} $
\end { formulae}
\introlist
The following theorem helps to determine when these incomplete addition formulae
can be safely used:
\newcommand { \halfs } { \frac { s-1} { 2} }
\begin { theorem} \label { thmdistinctxcriterion}
Let $ Q $ be a point of odd-prime order $ s $ on a Montgomery curve $ E _ { \ParamM { A } , \ParamM { B } } / \GF { \ParamS { r } } $ .
Let $ k _ \barerange { 1 } { 2 } $ be integers in $ \rangenozero { - \halfs } { \halfs } $ .
Let $ P _ i = \scalarmult { k _ i } { Q } = ( x _ i, y _ i ) $ for $ i \in \range { 1 } { 2 } $ , with
$ k _ 1 \neq \pm k _ 2 $ . Then the non-unified addition constraints
\begin { formulae}
\item $ \constraint { x _ 2 - x _ 1 } { \lambda } { y _ 2 - y _ 1 } $
\item $ \constraint { \ParamM { B } \smult \lambda } { \lambda } { \ParamM { A } + x _ 1 + x _ 2 + x _ 3 } $
\item $ \constraint { x _ 1 - x _ 3 } { \lambda } { y _ 3 + y _ 1 } $
\end { formulae}
implement the affine-Montgomery addition $ P _ 1 + P _ 2 = ( x _ 3 , y _ 3 ) $ for all such $ P _ \barerange { 1 } { 2 } $ .
\end { theorem}
\begin { proof}
The given constraints are equivalent to the Montgomery addition formulae
under the side condition $ x _ 1 \neq x _ 2 $ . (Note that neither $ P _ i $ can be
the zero point since $ k _ \barerange { 1 } { 2 } \neq 0 \pmod s $ .)
Assume for a contradiction that $ x _ 1 = x _ 2 $ . For any
$ P _ 1 = \scalarmult { k _ 1 } { Q } $ , there can be only one other point $ - P _ 1 $ with
the same $ x $ -coordinate. (This follows from the fact that the curve equation
determines $ \pm y $ as a function of $ x $ .)
But $ - P _ 1 = \scalarmult { - 1 } { \scalarmult { k _ 1 } { Q } } = \scalarmult { - k _ 1 } { Q } $ .
Since $ \fun { k \typecolon \range { - \halfs } { \halfs } } { \scalarmult { k } { Q } \typecolon \GroupJ } $
is injective and $ k _ \barerange { 1 } { 2 } $ are in $ \range { - \halfs } { \halfs } $ ,
then $ k _ 2 = \pm k _ 1 $ (contradiction).
\end { proof}
The conditions of this theorem are called the \distinctXCriterion .
In particular, if $ k _ \barerange { 1 } { 2 } $ are integers in $ \range { 1 } { \halfs } $
then it is sufficient to require $ k _ 1 \neq k _ 2 $ , since that implies
$ k _ 1 \neq \pm k _ 2 $ .
\vspace { 2ex}
\introlist
Affine-Montgomery doubling can be implemented as:
\begin { formulae}
\item $ \constraint { x } { x } { xx } $
\item $ \constraint { 2 \smult \ParamM { B } \smult y } { \lambda } { 3 \smult xx + 2 \smult \ParamM { A } \smult x + 1 } $
\item $ \constraint { \ParamM { B } \smult \lambda } { \lambda } { \ParamM { A } + 2 \smult x + x _ 3 } $
\item $ \constraint { x - x _ 3 } { \lambda } { y _ 3 + y } $
\end { formulae}
This doubling formula is valid when $ y \neq 0 $ , which is the case when $ ( x, y ) $
is not the point $ ( 0 , 0 ) $ (the only point of order $ 2 $ ), as proven in
\theoremref { thmmontynotzero} .
\introlist
\subsubsubsection { Affine-Edwards arithmetic} \label { cctedarithmetic}
Formulae for affine-Edwards addition are given in \cite [section 6] { BBJLP2008} .
With a change of variable names to match our convention, the formulae for
$ ( u _ 1 , \varv _ 1 ) + ( u _ 2 , \varv _ 2 ) = ( u _ 3 , \varv _ 3 ) $ are:
\begin { formulae}
\item $ u _ 3 = \cfrac { u _ 1 \smult \varv _ 2 + \varv _ 1 \smult u _ 2 } { 1 + \ParamJ { d } \smult u _ 1 \smult u _ 2 \smult \varv _ 1 \smult \varv _ 2 } $
\item $ \varv _ 3 = \cfrac { \varv _ 1 \smult \varv _ 2 - \ParamJ { a } \smult u _ 1 \smult u _ 2 } { 1 - \ParamJ { d } \smult u _ 1 \smult u _ 2 \smult \varv _ 1 \smult \varv _ 2 } $
\end { formulae}
\introlist
We use an optimized implementation found by Daira Hopwood making use of an
observation by Bernstein and Lange in \cite [last paragraph of section 4.5.2] { BL2017} :
\begin { formulae}
\item $ \constraint { u _ 1 + \varv _ 1 } { \varv _ 2 - \ParamJ { a } \smult u _ 2 } { T } $
\item $ \constraint { u _ 1 } { \varv _ 2 } { A } $
\item $ \constraint { \varv _ 1 } { u _ 2 } { B } $
\item $ \constraint { \ParamJ { d } \smult A } { B } { C } $
\item $ \constraint { 1 + C } { u _ 3 } { A + B } $
\item $ \constraint { 1 - C } { \varv _ 3 } { T - A + \ParamJ { a } \smult B } $
\end { formulae}
\introlist
The correctness of this implementation can be seen by expanding $ T - A + \ParamJ { a } \smult B $ :
\begin { tabular} { @{ \hskip 2em} r@{ \; } l}
$ T - A + \ParamJ { a } \smult B $
& $ = ( u _ 1 + \varv _ 1 ) \mult ( \varv _ 2 - \ParamJ { a } \smult u _ 2 ) - u _ 1 \smult \varv _ 2 + \ParamJ { a } \smult \varv _ 1 \smult u _ 2 $ \\
& $ = \varv _ 1 \smult \varv _ 2 - \ParamJ { a } \smult u _ 1 \smult u _ 2 + u _ 1 \smult \varv _ 2 - \ParamJ { a } \smult \varv _ 1 \smult u _ 2
- u_ 1 \smult \varv _ 2 + \ParamJ { a} \smult \varv _ 1 \smult u_ 2$ \\
& $ = \varv _ 1 \smult \varv _ 2 - \ParamJ { a } \smult u _ 1 \smult u _ 2 $
\end { tabular}
\vspace { 2ex}
\introlist
The above addition formulae are ``unified'', that is, they can also be
used for doubling. Affine-Edwards doubling $ \scalarmult { 2 } { ( u, \varv ) } = ( u _ 3 , \varv _ 3 ) $
can also be implemented slightly more efficiently as:
\begin { formulae}
\item $ \constraint { u + \varv } { \varv - \ParamJ { a } \smult u } { T } $
\item $ \constraint { u } { \varv } { A } $
\item $ \constraint { \ParamJ { d } \smult A } { A } { C } $
\item $ \constraint { 1 + C } { u _ 3 } { 2 \smult A } $
\item $ \constraint { 1 - C } { \varv _ 3 } { T + ( \ParamJ { a } - 1 ) \smult A } $
\end { formulae}
This implementation is obtained by specializing the addition formulae to
$ ( u, \varv ) = ( u _ 1 , \varv _ 1 ) = ( u _ 2 , \varv _ 2 ) $ and observing that $ u \mult \varv = A = B $ .
\introsection
\subsubsubsection { Affine-Edwards nonsmall-order check} \label { cctednonsmallorder}
In order to avoid small-subgroup attacks, we check that certain points used in the
circuit are not of small order. In practice the \Sapling circuit uses this
in combination with a check that the coordinates are on the curve (\crossref { cctedvalidate} ),
so we combine the two operations.
The \jubjubCurve has a large prime-order subgroup with a cofactor of $ 8 $ .
To check for a point $ P $ of order $ 8 $ or less, we double twice (as in
\crossref { cctedarithmetic} ) and check that the resulting $ u $ -coordinate
is not $ 0 $ (as in \crossref { cctnonzero} ).
On a twisted Edwards curve, only the zero point $ \ZeroJ $ , and the unique point
of order $ 2 $ at $ ( 0 , - 1 ) $ have zero $ u $ -coordinate. So this $ u $ -coordinate check rejects
both $ \ZeroJ $ and the point of order $ 2 $ , and no other points.
The first doubling can be merged with the curve point check to avoid recomputing $ C $ or $ T $ .
The second doubling does not need to compute $ T $ or the $ \varv $ -coordinate of the result;
also, the $ u $ -coordinate of the result is zero if-and-only-if the intermediate value
$ A $ is zero.
\begin { formulae}
\item // Curve equation check.
\item $ \constraint { u } { u } { uu } $
\item $ \constraint { \varv } { \varv } { \varvv } $
\item $ \constraint { \ParamJ { d } \smult uu } { \varvv } { \ParamJ { a } \smult uu + \varvv - 1 } $
\vspace { 1ex}
\item // First doubling; substitute $C = \ParamJ{d} \smult uu \smult \varvv = \ParamJ{a} \smult uu + \varvv - 1$ and
$T + (\ParamJ{a} - 1) \smult A = \varvv - \ParamJ{a} \smult uu$.
\item $ \constraint { u } { \varv } { A _ 1 } $
\item $ \constraint { \ParamJ { a } \smult uu + \varvv } { u _ 1 } { 2 \smult A _ 1 } $
\item $ \constraint { 2 - \ParamJ { a } \smult uu - \varvv } { \varv _ 1 } { \varvv - \ParamJ { a } \smult uu } $
\vspace { 1ex}
\item // Second doubling and non-zero check.
\item $ \constraint { u _ 1 } { \varv _ 1 } { A _ 2 } $
\item // $ u $ -coordinate is zero if-and-only-if $ A _ 2 $ is zero.
\item $ \constraint { \Ainv } { A _ 2 } { 1 } $
\end { formulae}
The total cost, including the curve check, is $ 3 + 3 + 2 = 8 $ constraints.
\begin { pnotes}
\item This \emph { does not} ensure that the point is in the prime-order subgroup.
\item If the point $ P $ is used as the base of a variable-base scalar
multiplication using the algorithm of \crossref { cctvarscalarmult} , then
$ \scalarmult { 4 } { P } $ will be calculated as $ \Base _ 2 $ . Then $ \SelectuOf { \Base _ 2 } \neq 0 $
can be checked using a single constraint (saving $ 4 $ constraints).
The \Sapling circuit does not use this optimization.
\end { pnotes}
\introsection
\subsubsubsection { Fixed-base affine-Edwards scalar multiplication} \label { cctfixedscalarmult}
If the base point $ B $ is fixed for a given scalar multiplication $ \scalarmult { k } { B } $ ,
we can fully precompute window tables for each window position.
It is most efficient to use $ 3 $ -bit fixed windows. Since the length of
$ \ParamJ { r } $ is $ 252 $ bits, we need $ 84 $ windows.
Express $ k $ in base $ 8 $ , i.e.\ $ k = \vsum { i = 0 } { 83 } k _ i \smult 8 ^ i $ .
Then $ \scalarmult { k } { B } = \vsum { i = 0 } { 83 } w _ { ( B, \, i, \, k _ i ) } $ , where
$ w _ { ( B, \, i, \, k _ i ) } = \scalarmult { k _ i \smult 8 ^ i } { B } $ .
We precompute all of $ w _ { ( B, \, i, \, s ) } $ for $ i \in \range { 0 } { 83 } , s \in \range { 0 } { 7 } $ .
\introlist
To look up a given window entry $ w _ { ( B, \, i, \, s ) } = ( u _ s, \varv _ s ) $ , where
$ s = 4 \smult s _ 2 + 2 \smult s _ 1 + s _ 0 $ , we use:
\begin { formulae}
\item $ \lincomb { s _ 1 } \times \lincomb { s _ 0 } = \lincomb { s \suband } $
\item $ \lincomb { s _ 2 } \times \big ( \! - u _ 0 \smult s \suband \plus u _ 0 \smult s _ 1 \plus u _ 0 \smult s _ 0 - u _ 0 \plus u _ 1 \smult s \suband
- u_ 1 \smult s_ 0 \plus u_ 2 \smult s\suband - u_ 2 \smult s_ 1 - u_ 3 \smult s\suband \\
\mhspace { 3.28em} \plus u_ 4 \smult s\suband - u_ 4 \smult s_ 1 - u_ 4 \smult s_ 0 \plus u_ 4 - u_ 5 \smult s\suband
\plus u_ 5 \smult s_ 0 - u_ 6 \smult s\suband \plus u_ 6 \smult s_ 1 \plus u_ 7 \smult s\suband \big ) = \\
\mhspace { 1.68em} \lincomb { u_ s - u_ 0 \smult s\suband \plus u_ 0 \smult s_ 1 \plus u_ 0 \smult s_ 0 - u_ 0 \plus u_ 1 \smult s\suband
- u_ 1 \smult s_ 0 \plus u_ 2 \smult s\suband - u_ 2 \smult s_ 1 - u_ 3 \smult s\suband } $
\item $ \lincomb { s _ 2 } \times \big ( \! - \vv _ 0 \smult s \suband \plus \vv _ 0 \smult s _ 1 \plus \vv _ 0 \smult s _ 0 - \vv _ 0 \plus \vv _ 1 \smult s \suband
- \vv _ 1 \smult s_ 0 \plus \vv _ 2 \smult s\suband - \vv _ 2 \smult s_ 1 - \vv _ 3 \smult s\suband \\
\mhspace { 3.27em} \plus \vv _ 4 \smult s\suband - \vv _ 4 \smult s_ 1 - \vv _ 4 \smult s_ 0 \plus \vv _ 4 - \vv _ 5 \smult s\suband
\plus \vv _ 5 \smult s_ 0 - \vv _ 6 \smult s\suband \plus \vv _ 6 \smult s_ 1 \plus \vv _ 7 \smult s\suband \big ) = \\
\mhspace { 1.66em} \lincomb { \vv _ s - \vv _ 0 \smult s\suband \plus \vv _ 0 \smult s_ 1 \plus \vv _ 0 \smult s_ 0 - \vv _ 0 \plus \vv _ 1 \smult s\suband
- \vv _ 1 \smult s_ 0 \plus \vv _ 2 \smult s\suband - \vv _ 2 \smult s_ 1 - \vv _ 3 \smult s\suband } $
\end { formulae}
This costs $ 3 $ constraints for each of $ 84 $ window lookups, plus $ 6 $ constraints for
each of $ 83 $ Edwards additions (as in \crossref { cctedarithmetic} ), for a total of
$ 750 $ constraints.
\pnote {
It would be more efficient to use arithmetic on the Montgomery curve, as in
\crossref { cctpedersenhash} . However since there are only three instances of
fixed-base scalar multiplication in the \spendCircuit and two in the
\outputCircuit \footnote { A Pedersen commitment uses fixed-base scalar multiplication as a subcomponent.} ,
the additional complexity was not considered justified for \Sapling .
}
\introsection
\subsubsubsection { Variable-base affine-Edwards scalar multiplication} \label { cctvarscalarmult}
When the base point $ B $ is not fixed, the method in the preceding section
cannot be used. Instead we use a naïve double-and-add method.
\introlist
Given $ k = \vsum { i = 0 } { 250 } k _ i \smult 2 ^ i $ , we calculate $ R = \scalarmult { k } { B } $ using:
\begin { formulae}
\item // $ \Base _ i = \scalarmult { 2 ^ i } { B } $
\item let $ \Base ^ u _ 0 = \SelectuOf { B } $
\item let $ \Base ^ { \vv } _ 0 \hairspace = B _ { \vv } $
\item let $ \Acc ^ u _ 0 = k _ 0 \bchoose B ^ u : 0 $
\item let $ \Acc ^ { \vv } _ 0 \hairspace = k _ 0 \bchoose B ^ { \vv } : 1 $
\vspace { 1ex}
\item for $ i $ from $ 1 $ up to $ 250 $ :
\item \tab let $ \Base _ i = \scalarmult { 2 } { \Base _ { i - 1 } } $
\vspace { 1ex}
\item \tab // select $ \Base _ i $ or $ \ZeroJ $ depending on the bit $ k _ i $
\item \tab let $ \Addend ^ u _ i = k _ i \bchoose \Base ^ u _ i : 0 $
\item \tab let $ \Addend ^ { \vv } _ i \hairspace = k _ i \bchoose \Base ^ { \vv } _ i : 1 $
\item \tab let $ \Acc _ i = \Acc _ { i - 1 } + \Addend ^ i $
\item let $ R = \Acc _ { 250 } $ .
\end { formulae}
This costs $ 5 $ constraints for each of $ 250 $ Edwards doublings, $ 6 $ constraints for each
of $ 250 $ Edwards additions, and $ 2 $ constraints for each of $ 251 $ point selections,
for a total of $ 3252 $ constraints.
\pnote {
It would be more efficient to use $ 2 $ -bit fixed windows, and/or to use arithmetic
on the Montgomery curve in a similar way to \crossref { cctpedersenhash} . However
since there are only two instances of variable-base scalar multiplication in the
\spendCircuit and one in the \outputCircuit , the additional complexity was not
considered justified for \Sapling .
}
\introsection
\subsubsubsection { Pedersen hash} \label { cctpedersenhash}
The specification of the \xPedersenHashes used in \Sapling is given in
\crossref { concretepedersenhash} . It is based on the scheme from
\cite[section 5.2]{CvHP1991}---for which a tighter security reduction to
the Discrete Logarithm Problem was given in \cite{BGG1995}---but tailored
to allow several optimizations in the circuit implementation.
\xPedersenHashes are the single most commonly used primitive in the
\Sapling circuits. $ \MerkleDepthSapling $ \xPedersenHash instances are used
in the \spendCircuit to check a Merkle path to the \noteCommitment of the
\note being spent. We also reuse the \xPedersenHash implementation to
construct the \commitmentScheme $ \NoteCommitSaplingAlg $ .
This motivates considerable attention to optimizing the circuit
implementation of this primitive, even at the cost of complexity.
First, we use a windowed scalar multiplication algorithm with signed digits.
Each $ 3 $ -bit message chunk corresponds to a window; the chunk is encoded
as an integer from the set $ \Digits = \rangenozero { - 4 } { 4 } $ .
This allows a more efficient lookup of the window entry for each chunk than
if the set $ \range { 1 } { 8 } $ had been used, because a point can be conditionally
negated using only a single constraint.
Next, we optimize the cost of point addition by allowing as many additions
as possible to be performed on the Montgomery curve. An incomplete
Montgomery addition costs $ 3 $ constraints, in comparison with an
Edwards addition which costs $ 6 $ constraints.
\introlist
However, we cannot do all additions on the Montgomery curve because the
Montgomery addition is incomplete. In order to be able to prove that
exceptional cases do not occur, we need to ensure that the \distinctXCriterion
from \crossref { cctmontarithmetic} is met. This requires splitting the
input into segments (each using an independent generator), calculating
an intermediate result for each segment, and then converting to the
Edwards curve and summing the intermediate results using Edwards addition.
If the resulting point is $ R $ , then (abstracting away the changes of curve)
this calculation can be written as:
\begin { formulae}
\item $ \PedersenHashToPoint ( D, M ) = \vsum { j = 1 } { N } \scalarmult { \PedersenEncode { M _ j } } { \PedersenGen { D } { j } } $
\end { formulae}
where $ \PedersenEncode { \paramdot } $ and $ \PedersenGen { D } { j } $
are defined as in \crossref { concretepedersenhash} .
\introlist
We have to prove that:
\begin { itemize}
\item the \distinctXCriterion is met for all Montgomery additions within
a segment;
\item the Montgomery-to-Edwards conversions can be implemented without
exceptional cases.
\end { itemize}
The proof of \theoremref { thmpedersenencodeinjective} showed that
all indices of addition inputs are in the range
$ \rangenozero { - \hfrac { \ParamJ { r } - 1 } { 2 } } { \hfrac { \ParamJ { r } - 1 } { 2 } } $ .
Because the $ \PedersenGen { D } { j } $ (which are outputs of $ \GroupJHash { } $ )
are all of prime order, and $ \PedersenEncode { M _ j } \neq 0 \pmod { \ParamJ { r } } $ ,
it is guaranteed that all of the terms
$ \scalarmult { \PedersenEncode { M _ j } } { \PedersenGen { D } { j } } $
to be converted to Edwards form are of prime order.
From \theoremref { thmconversiontoedwardsnoexcept} , we can infer that
the conversions will not encounter exceptional cases.
We also need to show that the indices of addition inputs are
all distinct disregarding sign.
\begin { theorem} \label { thmpedersendistinctabsindices}
For all disjoint nonempty subsets $ S $ and $ S' $ of $ \range { 1 } { c } $ , and for all
$ m \in \typeexp { \bitseq { 3 } } { c } $ ,
\begin { formulae}
\item $ \vsum { j \in S \vphantom { S' } } { } \enc ( m _ j ) \mult 2 ^ { 4 \mult ( j - 1 ) }
\neq \pm \! \! \vsum { j' \in S'} { } \enc (m_ { \kern -0.1em j'} ) \mult 2^ { 4 \mult (j'-1)} $
\end { formulae}
\end { theorem}
\begin { proof}
\todo { ...}
%Since $\PedersenEncode{\paramdot}$ is injective, the given condition is
%equivalent to:
%\begin{formulae}
% \item for all disjoint subsets $S$ and $S'$ of $\range{1}{c}$, and for all
% $M \in \bitseq{3 \mult c},\; \PedersenEncodeSub{S}{M} \neq \pm \PedersenEncodeSub{S'}{M}$
%\end{formulae}
%where $\PedersenEncodeSub{S}{M} = \vsum{j \in S}{} \enc(m_j) \mult 2^{4 \mult (j-1)}$.
%This is in turn equivalent to:
%\begin{formulae}
% \item for all disjoint subsets $S$ and $S'$ of $\range{1}{c}$, and for all
% $M \in \bitseq{3 \mult c},\;
% \PedersenEncodeSub{S}{M \band \Mask} \neq \PedersenEncodeSub{S'}{M \band \Mask}$
%\end{formulae}
%where $\Mask = \vsum{j=1}{c} 3 \mult 2^{4 \mult (j-1)}$.
%(This masks off the bit controlling the sign of each digit, which effectively
%takes the absolute value of each digit.)
%Since $S$ and $S'$ are disjoint and each term of the RHS is separated,
%it follows that $\Mask_S \band \Mask_{S'} = 0$ and so ...
%Suppose this were not
%the case, then there would exist disjoint subsets of windows $S$ and $S'$
%such that ..., the space of indices spanned by ...
%does not overlap the space spanned by $S'$.
%is met because all of the terms in the Montgomery addition, as well as any
%intermediate result formed from adding a subset of terms, have distinct indices
%(this bound makes no assumption about the order of additions; the actual
%maximum will be smaller).
\end { proof}
When these hashes are used in the circuit, the first two windows of the input
are fixed and can be optimized (for example, in the Merkle tree hashes they
represent the layer number).
This is done by precomputing the sum of the relevant two points, and adding them
to the intermediate result for the remainder of the first segment.
This requires 3 constraints for a single Montgomery addition rather than
... constraints for 2 window lookups and 2 additions.
Taking into account this optimization, the cost of a Pedersen hash over
$ \ell $ bits, with the first 6 bits fixed, is ... constraints. In particular,
for the Merkle tree hashes $ \ell = 516 $ , so the cost is ... constraints.
\introlist
\subsubsubsection { Mixing Pedersen hash} \label { cctmixinghash}
A mixing \xPedersenHash is used to compute $ \NoteAddressRand $ from
$ \cm $ and $ \NotePosition $ in \crossref { commitmentsandnullifiers} . It takes as
input a \xPedersenCommitment $ P $ , and hashes it with another input $ x $ .
Let $ \NotePositionBase $ be as defined in \crossref { concretemixinghash} .
\introlist
We define $ \MixingPedersenHash \typecolon \range { 0 } { \ParamJ { r } - 1 }
\times \GroupJ \rightarrow \GroupJ $ by:
\begin { formulae}
\item $ \MixingPedersenHash ( P, x ) : = P + \scalarmult { x } { \NotePositionBase } $ .
\end { formulae}
This costs \todo { ...} for the scalar multiplication, and $ 6 $ constraints for the
Edwards addition, for a total of \todo { ...} constraints.
\introsection
\subsubsection { Merkle path check} \label { cctmerklepath}
Checking a Merkle authentication path, as described in \crossref { merklepath} ,
requires the following:
\begin { itemize}
\item boolean-constrain the path bit specifying whether the previous node
is a left or right child;
\item conditionally swap the previous-layer and sibling hashes
(as $ \GF { r } $ elements) depending on the path bit;
\item unpack the previous-layer and sibling hashes to $ 255 $ -bit sequences;
\item compute the Merkle hash.
\end { itemize}
The unpacking need not be canonical in the sense discussed in \crossref { cctmodpack} ;
that is, it is \emph { not} necessary to ensure that the previous-layer or sibling
bit-sequence inputs represent integers in the range $ \range { 0 } { \ParamS { r } - 1 } $ .
Since the root of the Merkle tree is calculated outside the circuit using the
canonical representations, and since the \xPedersenHashes are \collisionResistant
on arbitrary bit-sequence inputs, an attempt by an adversarial prover to use a
non-canonical input would result in the wrong root being calculated, and the
overall path check would fail.
Note that the leaf node input of the authentication path is given as a bit sequence,
not as a field element.
For each layer, the cost is $ 1 + 2 \smult 255 $ boolean constraints,
$ 2 $ constraints for the conditional swap (implemented as two selection
constraints), and \todo{...} for the Merkle hash, for a total of \todo{...}
constraints.
\pnote { The conditional swap $ ( a _ 0 , a _ 1 ) \mapsto ( c _ 0 , c _ 1 ) $ could be implemented
in only one constraint by substituting $ c _ 1 = a _ 0 + a _ 1 - c _ 0 $ into the
uses of $ c _ 1 $ . The \Sapling circuit does not use this optimization.}
\introsection
\subsubsection { \WindowedPedersenCommitment } \label { cctwindowedcommit}
We construct \windowedPedersenCommitments by reusing the Pedersen hash
implementation, and adding a randomized point:
\begin { formulae}
\item $\WindowedPedersenCommit{r}(s) =
\PedersenHashToPoint(\ascii{Zcash\_PH}, s) + \scalarmult{r}{\FindGroupJHashOf{\ascii{Zcash\_PH}, \ascii{r}}}$
\end { formulae}
\introlist
This can be implemented in:
\begin { itemize}
\item $ ... \smult \ell + ... $ constraints for the Pedersen hash on
$ \ell = \length ( s ) $ bits (again assuming that the first $ 6 $ bits are fixed);
\item $ 750 $ constraints for the fixed-base scalar multiplication;
\item $ 6 $ constraints for the final Edwards addition
\end { itemize}
for a total of $ ... \smult \ell + 756 $ constraints.
\subsubsection { \HomomorphicPedersenCommitment } \label { ccthomomorphiccommit}
The \windowedPedersenCommitments defined in the preceding section are
highly efficient, but they do not support the homomorphic property we
need when instantiating $ \ValueCommit { } $ (see \crossref { saplingbalance}
and \crossref { spendsandoutputs} ).
\introlist
In order to support this property, we also define \homomorphicPedersenCommitments
as follows:
\begin { formulae}
\item $ \HomomorphicPedersenCommit { \ValueCommitRand } ( D, \Value ) =
\scalarmult { \Value } { \FindGroupJHashOf { D, \ascii { v} } } + \scalarmult { \ValueCommitRand } { \FindGroupJHashOf { D, \ascii { r} } } $
\end { formulae}
In the case that we need for $ \ValueCommit { } $ , $ \Value $ has $ 64 $
bits\footnote{It would be sufficient to use $51$ bits, which accommodates the range
$ \range { 0 } { \MAXMONEY } $ , but the \Sapling circuit uses $ 64 $ .} .
This can be straightforwardly implemented in ... constraints.
\introsection
\subsubsection { BLAKE2s hashes} \label { cctblake2s}
$ \BlakeTwosGeneric $ is defined in \cite { ANWW2013} . Its main subcomponent is a
``$ G $ function'', defined as follows:
\begin { formulae}
\item $ G \typecolon ... \rightarrow ... $
\item $ G ( ... ) = ... $
\end { formulae}
A 32-bit exclusive-or can be implemented in $ 32 $ constraints, one for each bit position
$ a \xor b = c $ as in \crossref { cctxor} .
Additions not involving a message word require $ 33 $ constraints:
...
Additions of message words require one extra constraint each, i.e.\ $ a + b + m = c $
is implemented by declaring $ 34 $ boolean variables, and ...
There are $ 10 \smult 4 \smult 2 $ such message word additions.
Each $ G $ evaluation requires 260 constraints. There are $ 10 \smult 8 $ instances
of $ G $ :
$ ... $
There are also 8 output exclusive-ors.
The total cost is 21136 constraints. This includes boolean-constraining the hash
output bits, but not the input bits.
\pnote {
It should be clear that $ \BlakeTwosGeneric $ is very expensive in the circuit compared
to elliptic curve operations. This is primarily because it is inefficient to
use $ \GF { \ParamS { r } } $ elements to represent single bits.
However Pedersen hashes do not have the necessary cryptographic
properties for the two cases where the \spendCircuit uses $ \BlakeTwosGeneric $ .
While it might be possible to use variants of functions with low circuit cost
such as MiMC \cite { AGRRT2017} , it was felt that they had not yet received sufficient
cryptanalytic attention to confidently use them for \Sapling .
}
\introsection
\subsection { The SaplingSpend circuit} \label { cctsaplingspend}
\begin { formulae}
\item ...
\end { formulae}
\introsection
\subsection { The SaplingOutput circuit} \label { cctsaplingoutput}
\begin { formulae}
\item ...
\end { formulae}
} %notsprout
\end { document}