\Zcash is an implementation of the \emph{decentralized anonymous payment} (DAP) scheme \Zerocash with minor adjustments to terminology, functionality and performance. It bridges the existing value transfer scheme used by Bitcoin with an anonymous payment scheme protected by zero-knowledge succinct non-interactive arguments of knowledge (\textbf{zk-SNARK}s). \sean{I want to make sure we add citations here for the original paper}
$\CRH$ is a collision-resistant hash function. In \Zcash, the $\SHAName$ function is used which takes a 512-bit block and produces a 256-bit hash. This is different from the $\SHAOrig$ function, which hashes arbitrary-length strings.
$\PRF{x}{}$ is a pseudo-random function seeded by $x$. Three \textit{independent}$\PRF{x}{}$ are needed in our scheme: $\PRFaddr{x}$, $\PRFsn{x}$, and $\PRFpk{x}{i}$. It is required that $\PRFsn{x}$ be collision-resistant in order to prevent a double-spending attack \eli{I don't see how to use a collision to double spend. If anything, a collision in $\PRFpk{x}{i}$ seems more usable to double spend}\sean{If you could create two $\BucketAddressRand$ such that there is a collision you could spend the same bucket twice. The original paper makes the claim that this must be collision resistant}. In \Zcash, the $\SHAName$ function is used to seed all three of these functions. The bits $\mathtt{00}$, $\mathtt{01}$ and $\mathtt{10}$ are included (respectively) within the blocks that are hashed, ensuring that the functions are independent.
A key pair $(\PublicAddress, \PrivateAddress)$ is generated by users who wish to receive coins under this scheme. The public $\PublicAddress$ is called a $\PublicAddressName$ and is a tuple $(\SpendAuthorityPublic, \TransmitPublic)$ which are the public components of a $\SpendAuthorityName$ key pair $(\SpendAuthorityPublic, \SpendAuthorityPrivate)$ and a $\TransmitPublicName$ key pair $(\TransmitPublic, \TransmitPrivate)$. The private $\PrivateAddress$ is called a $\PrivateAddressName$ and is a tuple $(\SpendAuthorityPrivate, \TransmitPrivate)$ which are the respective \textit{private} components of the aforementioned $\SpendAuthorityName$ and $\TransmitPublicName$ key pairs.
Although users can accept payment from multiple parties with a single $\PublicAddress$ without either party being aware, it is still recommended to generate a new address for each expected transaction to maximize privacy in the event that multiple sending parties are compromised or collude.
A bucket (denoted $\Bucket$) is a tuple $(\Value, \SpendAuthorityPublic, \BucketRand, \BucketAddressRand)$ which represents that a value $\Value$ is spendable by the recipient who holds the $\SpendAuthorityName$ key pair $(\SpendAuthorityPublic, \SpendAuthorityPrivate)$ such that $\SpendAuthorityPublic=\PRFaddr{\SpendAuthorityPrivate}(0)$. $\BucketRand$ and $\BucketAddressRand$ are randomly generated tokens by the sender. Only a hash of these values is disclosed publicly, which allows these random tokens to blind the value and recipient \textit{except} to those who possess these tokens.
In order to send the secret $\Value$, $\BucketRand$ and $\BucketAddressRand$ to the recipient (necessary for the recipient to later spend) \textit{without} requiring an out-of-band communication channel, the $\TransmitPublicName$ public key $\TransmitPublic$ is used to encrypt these secrets to form an \BucketCiphertextName. The recipient's possession of the associated $(\PublicAddress, \PrivateAddress)$ (which contains both $\SpendAuthorityPublic$ and $\TransmitPrivate$) is used to reconstruct the original bucket.
The underlying $\Value$ and $\SpendAuthorityPublic$ are blinded with $\BucketRand$ and $\BucketAddressRand$ using the collision-resistant hash function $\CRH$ in a multi-layered process. The resulting hash $\bm=\BucketCommitment{\Bucket}$.
A serial number (denoted $\sn$) equals $\PRFsn{\SpendAuthorityPrivate}(\BucketAddressRand)$. Buckets are spent by proving knowledge of $\BucketAddressRand$ and $\SpendAuthorityPrivate$ in zero-knowledge while disclosing $\sn$, allowing $\sn$ to be used to prevent double-spending.
The bucket commitment tree is an \textit{incremental merkle tree} of depth $\MerkleDepth$ used to store bucket commitments that transactions produce. Just as the \textit{unspent transaction output set} (UTXO) used in Bitcoin proper, it is used to express the existence of value and the capability to spend it. However, unlike the UTXO, it is \textit{not} the job of this tree to protect against double-spending, as it is append-only.
\subparagraph{}
Blocks in the blockchain are associated (by all nodes) with the root of this tree after all of its constituent transactions' bucket commitments have been entered into the tree associated with the previous block.
\eli{Would be good to formally define the structure of a transaction, similar to the way a bucket is defined (as a quadruple).}
Transactions insert \eli{a tx is just a string, so it doesn't insert anything. Rather, nodes process tx's and the ``good'' ones lead to the addition of serials to the spent serials map.} serials into a \textit{spent serials map} which is maintained alongside the UTXO by all nodes. Transactions that attempt to insert a serial into this map that already exists within it are invalid as they are attempting to double-spend. \eli{After defining \emph{transaction}, one should define what a \emph{legal tx} is (this definition depends on a particular blockchain) and only then can one talk about ``attempts'' of transactions, and insertions of serial numbers into the spent serials map.}
\eli{Please formally define what a tx is. I don't think it's merely a sequence of inputs and outputs. The outputs are probably buckets (as defined above) and maybe the inputs are, too. Perhaps one should talk about a tx-bucket (which is unhidden) and a tx which is mostly hashed-stuff + a SNARK)}
Bitcoin transactions consist of a vector \eli{sequence? vector implies ``vector space'' which doens't exist here} of inputs ($\mathtt{vin}$) and a vector of outputs ($\mathtt{vout}$). Inputs and outputs are associated with a value \eli{assuing a tx-bucket is a pair of sequences --- an input-sequence and an output-sequence, and each sequence is a sequence of buckets, one should define the in-value of the tx-bucket as the sum of values in the in-buckets (ditto for out-value) and the remaining value is their difference}. The total value of the outputs must not exceed the total value of the inputs.
Transaction inputs insert value into a \textit{value pool}, and transaction outputs remove value from this pool. The remaining value in the pool is available to miners as a fee.
\eli{Hmm, I think things are starting to get confused here, let's try to clarify the theory/crypto. Informally, buckets and transactions are \emph{data}, whereas Pour is best thought of as a \emph{circuit} that outputs either $1$ (``true'') or $0$ (``false''). The theory of SNARKs (as supported by libsnark) is such that if the circuit outputs ``true'' then you can generate a SNARK for that set of inputs, and otherwise you can't (its cryptographically infeasible to do so). So we should describe formally what the \emph{inputs} to the Pour circuit are, and then define the \emph{computation preformed} by the Pour circuit, i.e., describe how it decides whether to output $0$ or $1$. More below}
$\PourTx$s are the primary operations \eli{In the academic paper, a Pour is a circuit (that defines an NP-language), and that circuit is the most crucial part of the construction. So if you want to use ``Pour'' to describe the algorithm that generates a tx, you'll be (i) deviating from the academic paper in a rather confusing way and (ii) you still need to define the ``Pour-circuit'' which is at the heart of the construction} performed by transactions that interact with our scheme. In principle, it is the action of spending $\Nold$ buckets $\bOld{}$ and creating $\Nnew$ buckets $\bNew{}$. \Zcash transactions have an additional field $\vpour$, which is a vector of $\PourTx$s. Each $\PourTx$ consists of:
\item$\anchor$ which is a merkle root $\rt$ of the bucket commitment tree at some block height in the past, or the merkle root produced by a previous pour in this transaction. \sean{We need to be more specific here.}
\item$\scriptSig$ which is a Bitcoin script which creates conditions for acceptance of a $\PourTx$ in a transaction. The $\SHA$ hash of this value is $\hSig$.
A $\PourTx$ is valid if $\rt$ is a bucket commitment tree root found in either the blockchain or a merkle root produced by inserting the bucket commitments of a previous $\PourTx$ in the transaction to the bucket commitment tree identified by that previous $\PourTx$'s $\anchor$.
A $\PourTx$ is valid if the script formed by appending $\scriptPubKey$ to $\scriptSig$ returns $true$. The $\scriptSig$ is cryptographically bound to $\PourProof$.
A $\PourTx$ can be seen, from the perspective of the transaction, as an input and an output simultaneously. $\vpubOld$ takes value from the value pool and $\vpubNew$ adds value to the value pool. As a result, $\vpubOld$ is treated like an \textit{output} value, whereas $\vpubNew$ is treated like an \textit{input} value.
Transactions which contain $\PourTx$s, when entered into the blockchain, append to the bucket commitment tree with all constituent bucket commitments. All of the constituent serials are also entered into the spent serials map of the blockchain \textit{and} mempool. Transactions are not valid if they attempt to add a serial to the spent serials map that already exists.
A valid instance of $\PourProof$ assures that given a \textit{primary input} ($\rt$, $\sn^{old}_{1}$, $\sn^{old}_{2}$, $\bm^{new}_{1}$, $\bm^{new}_{2}$, $\vpubold$, $\vpubnew$, $\hSig$, $h_1$, $h_2$), a witness of \textit{auxiliary input} ($\path{1}$, $\path{2}$, $\bOld{1}$, $\bOld{2}$, $\SpendAuthorityPrivate^{old}_1$, $\SpendAuthorityPrivate^{old}_2$, $\bNew{1}$, $\bNew{2}$) exists, where:
\begin{list}{}{}
\item for each $i \in\{1, 2\}$: $\bOld{i}$ = $(\vOld{i}, \SpendAuthorityPublic^{old}_i, \BucketRand^{old}_i, \BucketAddressRand^{old}_i)$
\item for each $i \in\{1, 2\}$: $\bNew{i}$ = $(\vNew{i}, \SpendAuthorityPublic^{new}_i, \BucketRand^{new}_i, \BucketAddressRand^{new}_i)$.
\item The following conditions hold:
\end{list}
\subparagraph{Merkle path validity}
for each $i \in\{1, 2\}$$\mid$$\vOld{i}\neq0$: $\path{i}$ must be a valid path of depth $\MerkleDepth$ from \linebreak$\BucketCommitment{\bOld{i}}$ to bucket commitment merkle tree root $\rt$.
