From 02db9650361472c233f43c86e70a3027ebcd5153 Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Fri, 26 Mar 2021 18:22:36 +0000 Subject: [PATCH] Cosmetics and trivial changes. Signed-off-by: Daira Hopwood --- protocol/protocol.tex | 314 ++++++++++++++++++++++++++---------------- 1 file changed, 194 insertions(+), 120 deletions(-) diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 25916ada..863732ed 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -490,7 +490,7 @@ % \newcommand{\clasp}[3][0pt]{\stackengine{0pt}{#3}{\kern#1#2}{O}{c}{F}{F}{L}} -\newcommand{\plus}{\hairspace +\hairspace} +\newcommand{\plus}{\hspace{0.01em}+\hspace{0.01em}} \newcommand{\spv}{\hspace{0.071em}\varv\hspace{0.064em}} \newcommand{\varvv}{\varv\kern 0.02em\varv} \newcommand{\yy}{\hspace{0.022em}y\hspace{0.021em}} @@ -1187,6 +1187,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\concatbits}{\mathsf{concat}_\bit} \newcommand{\bconcat}{\mathop{\kern 0.05em||}} \newcommand{\listcomp}[1]{\overlap{0.06em}{\ensuremath{[}}~{#1}~\overlap{0.06em}{\ensuremath{]}}} +\newcommand{\biglistcomp}[1]{\overlap{0.06em}{\ensuremath{\bigg[}}{#1}\overlap{0.06em}{\ensuremath{\bigg]}}} \newcommand{\fun}[2]{{#1} \mapsto {#2}} \newcommand{\exclusivefun}[3]{{#1} \mapsto_{\not\in\kern 0.05em{#3}\!} {#2}} \newcommand{\first}{\mathsf{first}} @@ -1219,7 +1220,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\ascii}[1]{\textbf{``\texttt{#1}''}} \newcommand{\Justthebox}[2][-1.8ex]{\raisebox{#1}{\;\usebox{#2}\;}} \newcommand{\setof}[1]{\{{#1}\}} -\newcommand{\bigsetof}[1]{\left\{{#1}\right\}} +\newcommand{\bigsetof}[1]{\big\{{#1}\big\}} \newcommand{\powerset}[1]{\raisebox{-0.28ex}{\scalebox{1.25}{$\mathscr{P}$}}\kern -0.2em\big(\strut{#1}\big)} \newcommand{\barerange}[2]{{{#1}\,..\,{#2}}} \newcommand{\range}[2]{\setof{\barerange{#1}{#2}}} 
@@ -1343,6 +1344,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\ReceivedSet}{\mathsf{ReceivedSet}} \newcommand{\SpentSet}{\mathsf{SpentSet}} \newcommand{\NullifierMap}{\mathsf{NullifierMap}} +\newcommand{\NullifierType}{\mathsf{NullifierType}} % Key pairs @@ -1621,7 +1623,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\cv}{\mathsf{cv}} \newcommand{\cvOld}[1]{\cv^\mathsf{old}_{#1}} \newcommand{\cvNew}[1]{\cv^\mathsf{new}_{#1}} -\newcommand{\cvNet}{\cv^\mathsf{net}} +\newcommand{\cvNet}[1]{\cv^\mathsf{net}_{#1}} \newcommand{\cm}{\mathsf{cm}} \newcommand{\cmU}{\cm_{\kern -0.06em u}} \newcommand{\cmX}{\cm_{\kern -0.06em x}} @@ -2278,11 +2280,11 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\AffineSWVesta}{\mathsf{AffineSWVesta}} \newcommand{\CompressedSWVesta}{\mathsf{CompressedSWVesta}} \newcommand{\PedersenHash}{\mathsf{PedersenHash}} -\newcommand{\PedersenGenAlg}[1]{\mathcal{I}^{\kern -0.05em\mathsf{#1}}} -\newcommand{\PedersenGen}[2]{\PedersenGenAlg{#1}_{\kern 0.1em {#2}}} +\newcommand{\PedersenGenAlg}[1]{\mathcal{I}^{\kern-0.05em{#1}}} +\newcommand{\PedersenGen}[2]{\PedersenGenAlg{#1}_{\kern0.1em{#2}}} \newcommand{\PedersenEncode}[1]{\langle{#1}\rangle} -\newcommand{\PedersenEncodeSub}[2]{\langle{#2}\rangle_{\kern -0.1em {#1}\vphantom{S'}}} -\newcommand{\PedersenEncodeNonneg}[1]{\langle{#1}\rangle^{\kern -0.1em\PedersenRangeOffset}} +\newcommand{\PedersenEncodeSub}[2]{\langle{#2}\rangle_{\kern-0.1em{#1}\vphantom{S'}}} +\newcommand{\PedersenEncodeNonneg}[1]{\langle{#1}\rangle^{\kern-0.1em\PedersenRangeOffset}} \newcommand{\PedersenHashToPoint}{\mathsf{PedersenHashToPoint}} \newcommand{\MixingPedersenHash}{\mathsf{MixingPedersenHash}} \newcommand{\WindowedPedersenCommitAlg}{\mathsf{WindowedPedersenCommit}} 
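Review bot: Changing `\cvNet` from a zero-argument macro to `\newcommand{\cvNet}[1]{\cv^\mathsf{net}_{#1}}` in the hunk at -1621 means any bare `\cvNet` left elsewhere in the file will silently take the following token as its subscript (e.g. `\cvNet,` typesets as `\cv^\mathsf{net}_{,}`), and only one call site is updated to `\cvNet{}` in this patch (the Orchard action description). The remaining uses are outside these hunks, so I cannot confirm they were all converted; a `grep -n '\\cvNet[^{]' protocol/protocol.tex` before merging would settle it. If most uses are meant to carry no subscript, keeping the new mandatory argument but noting it in a comment on the definition (`% always call as \cvNet{} or \cvNet{i}; a bare \cvNet swallows the next token`) would make the convention visible to the next editor.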
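Review bot: In the hunk at -2278, `\PedersenGenAlg` no longer wraps its argument in `\mathsf`, so a call site passing a bare identifier (the `\vphantom{S'}` in `\PedersenEncodeSub` suggests letters such as S and S') now renders the superscript in math italic rather than upright sans-serif, unless the callers were changed to pass `\mathsf{...}` themselves. Those call sites are outside this diff, so I cannot tell which is the case. If the intent is to let callers choose the font, a one-line comment on the definition, `% argument is typeset as given; pass \mathsf{...} for an upright label`, would keep the old convention from creeping back.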
@@ -2450,6 +2452,7 @@ transparent payment scheme used by \defining{\Bitcoin \cite{Nakamoto2008}} with \emph{shielded} payment scheme secured by zero-knowledge succinct non-interactive arguments of knowledge (\zkSNARKs). +\vspace{1ex} The most significant changes from the original \Zerocash are explained in \crossref{differences}. Changes specific to the \Overwinter upgrade @@ -2807,7 +2810,7 @@ $\sxor{i=1}{0} a_i = 0$ or the all-zero bit sequence of length given by the type of $a$. $\possqrt{a}$, where $a \typecolon \GF{q}$, means the positive square root -of $a$ in $\GF{q}$, i.e.\ in the range $\bigrange{0}{\hfrac{q-1}{2}}$. +of $a$ in $\GF{q}$, i.e.\ in the range $\bigrange{0}{\frac{q-1}{2}}$. It is only used in cases where the square root must exist. $\optsqrt{a}$, where $a \typecolon \GF{q}$, means an arbitrary @@ -2871,7 +2874,7 @@ We use the abbreviation ``\defining{\xCtEdwards}'' to refer to \completeTwistedE coordinates (see \crossref{jubjub}). -\intropart +\pagebreak \lsection{Concepts}{concepts} \lsubsection{Payment Addresses and Keys}{addressesandkeys} @@ -3262,6 +3265,7 @@ the vast majority of nodes should eventually agree on their \bestValidBlockChain up to that height. +\vspace{-1ex} \lsubsection{Transactions and Treestates}{transactions} Each \block contains one or more \defining{\transactions}. @@ -3274,7 +3278,7 @@ As in \Bitcoin, the remaining value in the pool is available to miners as a fee. \consensusrule{ The remaining value in the \transparentTxValuePool \MUST be nonnegative. } -\vspace{2ex} +\vspace{1ex} \introlist To each \transaction there are associated initial \defining{\treestates} 
@@ -3286,6 +3290,7 @@ for \Sprout\sapling{ and for \Sapling}\nufive{ and for \Orchard}. \sapling{Each} \item a \nullifierSet (\crossref{nullifierset}). \end{itemize} +\vspace{-1ex} Validation state associated with \transparent inputs and outputs, such as the UTXO (Unspent Transaction Output) set, is not described in this document; it is used in essentially the same way as in \Bitcoin. @@ -3311,6 +3316,7 @@ In a given \blockChain, \sapling{for each of \Sprout and \SaplingAndOrchard,} \transaction. \end{itemize} +\vspace{-1ex} \joinSplitDescriptions also have interstitial input and output \treestates for \Sprout, explained in the following section. \sapling{There is no equivalent of interstitial \treestates for \Sapling\nufive{ or @@ -5029,7 +5035,7 @@ where \item The check that $\AuthSignRandomizedPublic$ is not of small order is technically redundant with a check in the \spendCircuit, but it is simple and cheap to also check this outside the circuit. \item The rule that $\cv$ and $\AuthSignRandomizedPublic$ \MUST not be small-order has the effect - of also preventing non-canonical encodings of these fields\nufive{, as required by \cite{ZIP-216}}. + of also preventing \nonCanonicalFieldElement encodings of these fields\nufive{, as required by \cite{ZIP-216}}. That is, it is necessarily the case that $\reprJ\Of{\abstJ\Of{\cv}\kern0.05em} = \cv$ and $\reprJ\Of{\abstJ\Of{\AuthSignRandomizedPublic}\kern0.05em} = \AuthSignRandomizedPublic$. \end{nnotes} @@ -5104,7 +5110,7 @@ where \vspace{-2.5ex} \nnote{The rule that $\cv$ and $\EphemeralPublic$ \MUST not be small-order, has the effect -of also preventing non-canonical encodings of these fields\nufive{, as required by \cite{ZIP-216}}. +of also preventing \nonCanonicalFieldElement encodings of these fields\nufive{, as required by \cite{ZIP-216}}. That is, it is necessarily the case that $\reprJ\Of{\abstJ\Of{\cv}\kern0.05em} = \cv$ and $\reprJ\Of{\abstJ\Of{\EphemeralPublic}\kern0.05em} = \EphemeralPublic$.} } %sapling 
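Review bot: Both hunks on this line (the Spend and Output description notes) switch the link macro to `\nonCanonicalFieldElement`, but the encodings under discussion are compressed Jubjub point encodings of cv, rk and epk, and the rest of this patch uses `\nonCanonicalPoint` for the same ZIP 216 concern (the pk_d* and R-bar notes further down). The reason the small-order rule implies canonicity is that the only non-canonical encodings accepted by abst_J are redundant sign-bit encodings of points with x = 0, which are small-order, as the later remark that 2^255 + 1 is the only accepted non-canonical pk_d* encoding reflects; that is point-encoding non-canonicality, not an out-of-range field element. Unless the two macros resolve to the same definition (their definitions are not in this diff), `of also preventing \nonCanonicalPoint encodings of these fields` looks like the intended text in both places.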
@@ -5147,15 +5153,16 @@ Let $\Action$ be as defined in \crossref{abstractzk}. \vspace{1ex} \introlist -An \actionDescription comprises $(\cvNet, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \spendAuthSig, -\cmX, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \enableSpend, \enableOutput, \Proof{})$ +An \actionDescription comprises $(\cvNet{}, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \spendAuthSig, +\cmX, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \enableSpends, \enableOutputs,$ $\Proof{})$ where \begin{itemize} - \item $\cvNet \typecolon \ValueCommitOutput{Orchard}$ is the \valueCommitment to the value of the + \item $\cvNet{} \typecolon \ValueCommitOutput{Orchard}$ is the \valueCommitment to the value of the input \note minus the value of the output \note; \vspace{-0.5ex} - \item $\rt{Orchard} \typecolon \MerkleHash{Orchard}$ is an \anchor, as defined in - \crossref{blockchain}, for the output \treestate of a previous \block; + \item $\rt{Orchard} \typecolon \MerkleHash{Orchard}$ is an \anchor (\crossref{blockchain}) for the + output \treestate of a previous \block; + \vspace{-0.25ex} \item $\nf \typecolon \PRFOutputNfOrchard$ is the \nullifier for the input \note; \vspace{-0.25ex} \item $\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic{Orchard}$ is a randomized \validatingKey @@ -5189,7 +5196,7 @@ where \vspace{-1ex} \pnote{The $\rt{Orchard}$, $\enableSpend$, and $\enableOutput$ components are the same for all -\actionTransfers in a \transaction. They are encoded once in the \transaction body (specified in +\actionTransfers in a \transaction. They are encoded once in the \transaction body (see \crossref{txnencodingandconsensus}), not in the $\type{ActionDescription}$ structure. $\Proof{}$ is aggregated with other Action proofs and encoded in the $\proofsOrchard$ field of a \transaction.} 
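Review bot: The action description tuple now names the flags `\enableSpends` and `\enableOutputs`, but the pnote in the same hunk (`The $\rt{Orchard}$, $\enableSpend$, and $\enableOutput$ components are the same for all ...`) and the ActionVerify consensus rule in the next hunk still use `\enableSpend` and `\enableOutput`. If both macro pairs exist they will render as differently-named components of the same structure; if only one pair exists the document will not compile. Whichever spelling is canonical should be applied to all three occurrences, and to the item list describing the components, which continues past the end of this hunk. Separately, the tuple calls its first component `\cvNet{}` while ActionVerify's input tuple calls it `\cv`; a short remark that these denote the same field would save the reader inferring it.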
@@ -5213,7 +5220,7 @@ $\Proof{}$ is aggregated with other Action proofs and encoded in the $\proofsOrc i.e.\ $\ActionVerify\big(\kern-0.1em(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \enableSpend, \enableOutput), \Proof{\Action}\big) = 1$. \end{consensusrules} -\vspace{-3ex} +\vspace{-1.5ex} \nnote{$\cv$, $\AuthSignRandomizedPublic$, and $\EphemeralPublic$ can be the zero point $\ZeroP$.} } %nufive @@ -6077,6 +6084,7 @@ is enforced by the \defining{\orchardBindingSignature}. The rôle of this signat the total value produced) by \actionTransfers is consistent with the $\vBalance{Orchard}$ field of the \transaction{}. +\vspace{-1ex} \nnote{The other rôle of \saplingBindingSignatures, to prove that the signer knew the randomness used for commitments in order to prevent them from being replayed, is less important in \Orchard because all \actionDescriptions have a \spendAuthSignature. Still, @@ -6084,10 +6092,11 @@ an \orchardBindingSignature does prove that the signer knew this commitment rand this provides defence in depth and reduces the differences of \Orchard from \Sapling, which may simplify security analysis.} +\vspace{2ex} Instead of generating a key pair at random, we generate it as a function of the \valueCommitments in the \actionDescriptions of the \transaction, and the \orchardBalancingValue. -\vspace{2ex} +\vspace{1ex} Let $\GroupP$, $\GroupPstar$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}. \introlist 
@@ -6199,7 +6208,7 @@ $\vSum = 0$, we will also demonstrate that it does not overflow $\ValueCommitTyp The $\actionStatements$ (\crossref{actionstatement}) prove that all $\vNet{\alln}$ are in $\SignedValueDifferenceType$. $\vBalance{Orchard}$ is encoded in the \transaction as a -signed two's complement $64$-bit integer in the range $\SignedValueFieldType$. Therefore, $\vSum$ is +\strut signed two's complement $64$-bit integer in the range $\SignedValueFieldType$. Therefore, $\vSum$ is in the range $\range{-n \mult (2^{64}-1) - 2^{63} + 1}{n \mult (2^{64}-1) + 2^{63}}$. $n$ is limited by consensus rule to at most $2^{16}-1$ (this rule is technically redundant due to the $2$ MB \transaction size limit, but it suffices here). @@ -6896,7 +6905,7 @@ $\TransmitPrivate$ as specified in \crossref{sproutkeycomponents}. Let $\cm_{\allNew}$ be the \noteCommitments of each output coin. -\introsection +\introlist \vspace{0.5ex} Then for each $i \in \setofNew$, the recipient will attempt to decrypt that ciphertext component $(\EphemeralPublic, \TransmitCiphertext{i})$ as follows: @@ -6915,9 +6924,10 @@ $\DecryptNoteSprout(\TransmitKey{i}, \TransmitCiphertext{i}, \cm_i, \AuthPublic) is defined as follows: \begin{formulae} + \vspace{-0.4ex} \item let $\TransmitPlaintext{i} = \SymDecrypt{\TransmitKey{i}}(\TransmitCiphertext{i})$ - \vspace{-0.5ex} + \vspace{-0.6ex} \item if $\TransmitPlaintext{i} = \bot$, return $\bot$ \vspace{-1.5ex} \item extract $\NotePlaintext{i} = (\NotePlaintextLeadByte_i \typecolon \byte, 
@@ -6925,34 +6935,35 @@ is defined as follows: \NoteUniqueRand_i \typecolon \PRFOutputSprout, \NoteCommitRand_i \typecolon \NoteCommitTrapdoor{Sprout}, \Memo_i \typecolon \MemoType)$ from $\TransmitPlaintext{i}$ - \vspace{-0.2ex} + \vspace{-0.4ex} \item if $\NotePlaintextLeadByte_i \neq \hexint{00}$ or $\NoteCommitment{Sprout}((\AuthPublic, \Value_i, \NoteUniqueRand_i, \NoteCommitRand_i)) \neq \cm_i$, return $\bot$, else return $\NotePlaintext{i}$. \end{formulae} -\vspace{-0.5ex} \introlist -To test whether a \note is unspent in a particular \blockChain also requires -the \spendingKey $\AuthPrivate$; the coin is unspent if and only if -$\nf = \PRFnf{Sprout}{\AuthPrivate}(\NoteUniqueRand)$ is not in the \nullifierSet -for that \blockChain. - -\vspace{0.5ex} +\vspace{-0.5ex} \begin{pnotes} \item The decryption algorithm corresponds to step 3 (b) i. and ii. (first bullet point) of the $\Receive$ algorithm shown in \cite[Figure 2]{BCGGMTV2014}. \vspace{-0.5ex} + \item To test whether a \note is unspent in a particular \blockChain also requires + the \spendingKey $\AuthPrivate$; the coin is unspent if and only if + $\nf = \PRFnf{Sprout}{\AuthPrivate}(\NoteUniqueRand)$ is not in the \nullifierSet + for that \blockChain. + \vspace{-0.5ex} \item A \note can change from being unspent to spent as a node's view of the \bestValidBlockChain is extended by new \transactions. Also, \blockChainReorganizations can cause a node to switch to a different \bestValidBlockChain that does not contain the \transaction in which a \note was output. \end{pnotes} +\vspace{-0.25ex} See \crossref{inbandrationale} for further discussion of the security and engineering rationale behind this encryption scheme. \sapling{ +\vspace{-1ex} \extralabel{saplinginband}{\lsubsection{In-band secret distribution (\SaplingAndOrchardText)}{saplingandorchardinband}} \vspace{-1ex} 
@@ -6972,23 +6983,33 @@ is encrypted by a fresh \ephemeralPublicKey. \vspace{0.5ex} \introlist For both encryption and decryption, -\vspace{0.5ex} +\vspace{0.25ex} \begin{itemize} \item let $\OutViewingKeyLength$ be as defined in \crossref{constants}; + \vspace{-0.25ex} \item let $\Sym$ be the encryption scheme instantiated in \crossref{concretesym}; + \vspace{-0.25ex} \item let $\KA{}$ be the \keyAgreementScheme $\KA{Sapling}$\nufive{ or $\KA{Orchard}$} instantiated in \crossref{concretesaplingkeyagreement}\nufive{ or \crossref{concreteorchardkeyagreement}}; + \vspace{-0.25ex} \item let $\KDF{}$ be the \keyDerivationFunction $\KDF{Sapling}$\nufive{ or $\KDF{Orchard}$} instantiated in \crossref{concretesaplingkdf}\nufive{ or \crossref{concreteorchardkdf}}; + \vspace{-0.25ex} \item let $\GroupG{}, \ellG{}$, and $\reprG{}$ be instantiated as $\GroupJ$, $\ellJ$, and $\reprJ$ defined in \crossref{jubjub}\nufive{, or $\GroupP$, $\ellP$, and $\reprP$ defined in \crossref{pallasandvesta}}; + \vspace{-0.25ex} \item let $\ExtractG$ be $\ExtractJ$ as defined in \crossref{concreteextractorjubjub}\nufive{ or $\ExtractP$ as defined in \crossref{concreteextractorpallas}}; \vspace{-0.5ex} \item let $\PRFock{}{}$ be $\PRFock{Sapling}{}$\nufive{ or $\PRFock{Orchard}{}$} instantiated in \crossref{concreteprfs}; + \vspace{-0.25ex} \item let $\DiversifyHash{}$ be $\DiversifyHash{Sapling}$ in \crossref{concretediversifyhash}\nufive{, or $\DiversifyHash{Orchard}$ in the same section}; + \vspace{-0.25ex} + \item let $\NoteCommitment{}$ be $\NoteCommitment{Sapling}$\nufive{ or $\NoteCommitment{Orchard}$} + instantiated in \crossref{notes}; + \vspace{-0.25ex} \item let $\ToScalar{}$ be $\ToScalar{Sapling}$ defined in \crossref{saplingkeycomponents}\nufive{ or $\ToScalar{Orchard}$ defined in \crossref{orchardkeycomponents}}. \end{itemize} 
@@ -7070,10 +7091,10 @@ received out-of-band, which are not addressed in this document. \sapling{ -\vspace{-2ex} +\vspace{-1.5ex} \extralabel{saplingdecryptivk}{\lsubsubsection{Decryption using an Incoming Viewing Key (\SaplingAndOrchardText)}{decryptivk}} -\vspace{-1ex} +\vspace{-1.5ex} Let $\InViewingKey \typecolon \InViewingKeyTypeSapling$\notbeforenufive{ (in \Sapling)\nufive{ or $\InViewingKeyTypeOrchard$ (in \Orchard)}} be the recipient's \incomingViewingKey, specified in \crossref{saplingkeycomponents}\nufive{ or \crossref{orchardkeycomponents}}. @@ -7097,19 +7118,21 @@ components of the \noteCiphertext: \begin{algorithm} \vspace{-0.5ex} \item let $\EphemeralPublic = \abstG{}\Of{\ephemeralKey}$ - \vspace{-0.2ex} + \vspace{-0.3ex} \item if $\EphemeralPublic = \bot$, return $\bot$ - \vspace{-0.2ex} + \vspace{-0.3ex} \item let $\DHSecret{} = \KAAgree{}(\InViewingKey, \EphemeralPublic)$ \item let $\TransmitKey{} = \KDF{}(\DHSecret{}, \ephemeralKey)$ + \vspace{-0.2ex} \item let $\TransmitPlaintext{} = \SymDecrypt{\TransmitKey{}}(\TransmitCiphertext{})$ \vspace{-0.4ex} \item if $\TransmitPlaintext{} = \bot$, return $\bot$ - \vspace{-0.5ex} + \vspace{-0.6ex} \item extract $\NotePlaintext{} = (\NotePlaintextLeadByte \typecolon \byte, \Diversifier \typecolon \DiversifierType, \Value \typecolon \ValueType, \NoteCommitRandBytesOrSeedBytes \typecolon \NoteSeedBytesType, \Memo \typecolon \MemoType)$ from $\TransmitPlaintext{}$ \precanopyitem{if $\NotePlaintextLeadByte \neq \hexint{01}$, return $\bot$} + \vspace{-0.2ex} \precanopyitem{let $\NoteCommitRandBytes = \NoteSeedBytes$} \canopyonwarditem{if $\BlockHeight < \CanopyActivationHeight + \ZIPTwoOneTwoGracePeriod \text{ and } \NotePlaintextLeadByte \not\in \setof{\hexint{01}, \hexint{02}}$, return $\bot$} \canopyonwarditem{if $\BlockHeight \geq \CanopyActivationHeight + \ZIPTwoOneTwoGracePeriod \text{ and } \NotePlaintextLeadByte \neq \hexint{02}$, return $\bot$} 
@@ -7123,7 +7146,9 @@ from $\TransmitPlaintext{}$ \item if $\NoteCommitRand \geq \ParamG{r}$ or\notbeforenufive{ (for \Sapling)} $\DiversifiedTransmitBase = \bot$, return $\bot$ \canopyonwarditem{if $\NotePlaintextLeadByte \neq \hexint{01}$:} \canopy{ + \vspace{-0.2ex} \item \tab $\EphemeralPrivate = \ToScalar{}\big(\PRFexpand{\NoteSeedBytes}([4])\kern-0.11em\big)$ + \vspace{-0.2ex} \item \tab if $\reprG{}\big(\KADerivePublic{}(\EphemeralPrivate, \DiversifiedTransmitBase)\kern-0.12em\big) \neq \ephemeralKey$, return $\bot$ \item \blank @@ -7135,10 +7160,11 @@ from $\TransmitPlaintext{}$ \Value)\kern-0.1em\big)$. \nufive{ \item for \Orchard: - \vspace{-0.25ex} + \vspace{-0.3ex} \item \tab let $\NoteNullifierRand = \ToBase{Orchard}\big(\PRFexpand{\NoteSeedBytes}([9])\kern-0.1em\big)$ - \vspace{-0.5ex} + \vspace{-0.6ex} \item \tab let $\NoteUniqueRand$ be equal to $\nfOld{}$ from the same \actionDescription. + \vspace{-0.2ex} \item \tab let $\cmstar' = \ExtractP\big(\NoteCommit{Orchard}{\NoteCommitRand}(\reprP\Of{\DiversifiedTransmitBase}, \reprP\Of{\DiversifiedTransmitPublic}, \Value, @@ -7151,7 +7177,7 @@ from $\TransmitPlaintext{}$ \item return $\NotePlaintext{}$. \end{algorithm} -\vspace{-1ex} +\vspace{-1.5ex} \begin{pnotes} \vspace{-0.5ex} \item For \Sapling, as explained in the note in \crossref{jubjub}, $\abstJ$ accepts \nonCanonicalPoint 
@@ -7161,19 +7187,19 @@ from $\TransmitPlaintext{}$ $\reprG{}\big(\KADerivePublic{}(\EphemeralPrivate, \DiversifiedTransmitBase)\kern-0.1em\big)$}. \nufive{For consistency this is also what is specified for \Orchard.} \introlist - \vspace{-0.25ex} + \vspace{-0.5ex} \item Normally only \noteCiphertextsSapling of \transactions in \blocks need to be decrypted. In that case, any received \Sapling \note is necessarily a \positionedNote, so its $\NoteUniqueRand$ - value can immediately be calculated as in \crossref{commitmentsandnullifiers}. + value can immediately be calculated per \crossref{commitmentsandnullifiers}. To test whether a \SaplingOrOrchard \note is unspent in a particular \blockChain also requires the \nullifierDerivingKey $\NullifierKey$; the coin is unspent if and only if the \nullifier - computed as described in \crossref{commitmentsandnullifiers} is not in the \nullifierSet for + computed as in \shortcrossref{commitmentsandnullifiers} is not in the \nullifierSet for that \blockChain. - \vspace{-0.25ex} + \vspace{-0.5ex} \item A \note can change from being unspent to spent as a node's view of the \bestValidBlockChain is extended by new \transactions. Also, \blockChainReorganizations can cause a node to switch to a different \bestValidBlockChain that does not contain the \transaction in which a \note was output. - \vspace{-0.25ex} + \vspace{-0.5ex} \item A client \MAY attempt to decrypt a \noteCiphertextSapling of a \transaction in the \mempool\canopy{, using the next \blockHeight for $\BlockHeight$}. However, in that case it \MUSTNOT assume that the \transaction will be mined and \MUST treat the decrypted information as provisional. It 
@@ -7200,7 +7226,7 @@ For a \Sapling \noteCiphertextSapling, let $\cvField$ and $\cmstarField$ be the fields of the \outputDescription. \nufive{ -\vspace{-0.25ex} +\vspace{-0.5ex} For an \Orchard \noteCiphertextOrchard, let $\cvField$ and $\cmstarField$ be the $\cvField$ and $\cmxField$ fields of the \actionDescription. } %nufive @@ -7213,23 +7239,27 @@ The \outgoingViewingKey holder will attempt to decrypt the \noteCiphertext as fo \vspace{-1.25ex} \begin{algorithm} \item let $\OutCipherKey = \PRFock{}{\OutViewingKey}(\cvField, \cmstarField, \ephemeralKey)$ - \vspace{-0.2ex} + \vspace{-0.4ex} \item let $\OutPlaintext = \SymDecrypt{\OutCipherKey}(\OutCiphertext)$ \vspace{-0.5ex} \item if $\OutPlaintext = \bot$, return $\bot$ - \vspace{-0.5ex} + \vspace{-0.6ex} \item extract $(\DiversifiedTransmitPublicRepr \typecolon \ReprG{}, \EphemeralPrivateBytes \typecolon \EphemeralPrivateBytesType)$ from $\OutPlaintext$ \item let $\EphemeralPrivate = \LEOStoIPOf{256}{\EphemeralPrivateBytes}$ and $\DiversifiedTransmitPublic = \abstG{}\Of{\DiversifiedTransmitPublicRepr}$ + \vspace{-0.3ex} \item if $\EphemeralPrivate \geq \ParamG{r}$ or $\DiversifiedTransmitPublic = \bot$, return $\bot$ \nufiveonwarditem{if $\reprP\big(\DiversifiedTransmitPublic\big) \neq \DiversifiedTransmitPublicRepr$, return $\bot$} + \vspace{-0.3ex} \item let $\DHSecret{} = \KAAgree{}(\EphemeralPrivate, \DiversifiedTransmitPublic)$ + \vspace{-0.3ex} \item let $\TransmitKey{} = \KDF{}(\DHSecret{}, \ephemeralKey)$ + \vspace{-0.3ex} \item let $\TransmitPlaintext{} = \SymDecrypt{\TransmitKey{}}(\TransmitCiphertext{})$ - \vspace{-0.5ex} + \vspace{-0.6ex} \item if $\TransmitPlaintext{} = \bot$, return $\bot$ - \vspace{-0.5ex} + \vspace{-0.6ex} \item extract $\NotePlaintext{} = (\NotePlaintextLeadByte \typecolon \byte, \Diversifier \typecolon \DiversifierType, \Value \typecolon \ValueType, \NoteCommitRandBytesOrSeedBytes \typecolon \NoteSeedBytesType, \Memo \typecolon \MemoType)$ from $\TransmitPlaintext{}$ 
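Review bot: The ZIP 216 canonicity check in the outgoing-viewing-key decryption algorithm, `\nufiveonwarditem{if $\reprP\big(\DiversifiedTransmitPublic\big) \neq \DiversifiedTransmitPublicRepr$, return $\bot$}`, applies the Pallas encoding `\reprP` to pk_d, yet this algorithm is shared by Sapling and Orchard (pk_d is decoded with the generic `\abstG{}` two lines above) and the later note states that a non-canonical pk_d* can only occur for Sapling notes, whose pk_d is a Jubjub point. Applying `\reprP` to a Jubjub point is a type error in the spec's own notation; the check should read `if $\reprG{}\big(\DiversifiedTransmitPublic\big) \neq \DiversifiedTransmitPublicRepr$, return $\bot$`, with `\reprG{}` instantiated per group as listed at the start of the in-band secret distribution section. This line is context rather than part of the patch, and the algorithm continues beyond the end of this hunk.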
@@ -7237,16 +7267,16 @@ from $\TransmitPlaintext{}$ \precanopyitem{let $\NoteCommitRandBytes = \NoteSeedBytes$} \canopyonwarditem{if $\BlockHeight < \CanopyActivationHeight + \ZIPTwoOneTwoGracePeriod \text{ and } \NotePlaintextLeadByte \not\in \setof{\hexint{01}, \hexint{02}}$, return $\bot$} \canopyonwarditem{if $\BlockHeight \geq \CanopyActivationHeight + \ZIPTwoOneTwoGracePeriod \text{ and } \NotePlaintextLeadByte \neq \hexint{02}$, return $\bot$} - \vspace{-0.25ex} + \vspace{-0.4ex} \canopyonwarditem{if $\NotePlaintextLeadByte \neq \hexint{01}$ and $\ToScalar{}\big(\PRFexpand{\NoteSeedBytes}([4])\kern-0.11em\big) \neq \EphemeralPrivate$, return $\bot$} - \vspace{-0.25ex} + \vspace{-0.4ex} \canopyonwarditem{let $\NoteCommitRandBytes = \begin{cases} \NoteSeedBytes,&\caseif \NotePlaintextLeadByte = \hexint{01} \\ \ToScalar{}\big(\PRFexpand{\NoteSeedBytes}([5])\kern-0.11em\big),&\caseotherwise \end{cases}$} \item let $\NoteCommitRand = \LEOStoIPOf{256}{\NoteCommitRandBytes}$ and $\DiversifiedTransmitBase = \DiversifyHash{}(\Diversifier)$ - \vspace{-0.5ex} + \vspace{-0.6ex} \item if $\NoteCommitRand \geq \ParamG{r}$, return $\bot$ \notbeforenufive{ \item for \Sapling: @@ -7257,10 +7287,11 @@ from $\TransmitPlaintext{}$ \Value)\kern-0.1em\big)$. \nufive{ \item for \Orchard: - \vspace{-0.25ex} + \vspace{-0.4ex} \item \tab let $\NoteNullifierRand = \ToBase{Orchard}\big(\PRFexpand{\NoteSeedBytes}([9])\kern-0.1em\big)$ - \vspace{-0.6ex} + \vspace{-0.75ex} \item \tab let $\NoteUniqueRand$ be equal to $\nfOld{}$ from the same \actionDescription. + \vspace{-0.4ex} \item \tab let $\cmstar' = \ExtractP\big(\NoteCommit{Orchard}{\NoteCommitRand}(\reprP\Of{\DiversifiedTransmitBase}, \reprP\Of{\DiversifiedTransmitPublic}, \Value, 
@@ -7269,10 +7300,10 @@ from $\TransmitPlaintext{}$ \item \vspace{-3.5ex} } %nufive \item if $\LEBStoOSPOf{256}{\cmstar'} \neq \cmstarField$, return $\bot$ - \vspace{-0.75ex} + \vspace{-1ex} \item if $\reprG{}\big(\KADerivePublic{}(\EphemeralPrivate, \DiversifiedTransmitBase)\kern-0.12em\big) \neq \ephemeralKey$, return $\bot$ - \vspace{-0.2ex} + \vspace{-0.4ex} \item return $\NotePlaintext{}$. \end{algorithm} @@ -7288,10 +7319,10 @@ from $\TransmitPlaintext{}$ \prenufiveitem{$\DiversifiedTransmitPublicRepr$ can also be \nonCanonicalPoint. Since $\bot$ is returned if $\DiversifiedTransmitBase \not\in \SubgroupJ$, the only accepted \nonCanonicalPoint encoding for $\DiversifiedTransmitPublicRepr$ of a \Sapling \note is $\ItoLEBSP{256}\big(2^{255} + 1\big)$.} - \vspace{-0.25ex} + \vspace{-0.5ex} \nufiveonwarditem{This procedure returns $\bot$ if $\DiversifiedTransmitPublicRepr$ is \nonCanonicalPoint (which can only occur for \Sapling \notes), as specified in \cite{ZIP-216}.} - \vspace{-0.25ex} + \vspace{-0.5ex} \item A previous version of this specification did not have the requirement for the decoded point $\DiversifiedTransmitPublic$ of a \Sapling \note to be in the subgroup $\SubgroupJ$ (i.e.\ the condition ``if ... $\DiversifiedTransmitPublic \not\in \SubgroupJ$, return $\bot$``). That did not match the @@ -7790,10 +7821,8 @@ $\MerkleCRH{Orchard} \typecolon \MerkleLayer{Orchard} \times \MerkleHash{Orchard \item where $l = \ItoLEBSP{10}\big(\MerkleDepth{Orchard} - 1 - \mathsf{layer}\big)$. \end{formulae} -\vspace{-2ex} \securityrequirement{$\SinsemillaHash$ must be \collisionResistant\!.} -\vspace{1ex} \pnote{The prefix $l$ provides domain separation between inputs at different layers of the \noteCommitmentTree.} } %nufive 
@@ -8159,21 +8188,21 @@ Because $\ExtractJ$ is injective, it follows that $\PedersenHash$ is equally \sapling{ \lsubsubsubsection{Mixing Pedersen Hash Function}{concretemixinghash} +\vspace{-1ex} A mixing \xPedersenHash is used to compute $\NoteUniqueRand$ from $\cm$ and $\NotePosition$ in \crossref{commitmentsandnullifiers}. It takes as input a \xPedersenCommitment $P$, and hashes it with another input $x$. Define $\NotePositionBaseSapling := \FindGroupJHash\Of{\ascii{Zcash\_J\_}, \ascii{}}$. -\vspace{1ex} +\vspace{0.5ex} We define $\MixingPedersenHash \typecolon \GroupJ \times \range{0}{\ParamJ{r}-1} \rightarrow \GroupJ$ by: - \begin{formulae} \item $\MixingPedersenHash(P, x) := P + \scalarmult{x}{\NotePositionBaseSapling}$. \end{formulae} -\vspace{-1ex} +\vspace{-3ex} \securityrequirement{ The function \begin{formulae} @@ -8184,15 +8213,17 @@ The function must be \collisionResistant on $(r, M, x)$. } -\vspace{2ex} +\vspace{1.5ex} See \crossref{cctmixinghash} for efficient circuit implementation of this function. } %sapling \nufive{ \introlist +\vspace{-2ex} \lsubsubsubsection{Sinsemilla Hash Function}{concretesinsemillahash} +\vspace{-1ex} \defining{$\SinsemillaHash$} is an algebraic \hashFunction with \collisionResistance (for fixed input length) derived from assumed hardness of the Discrete Logarithm Problem. It is designed by Sean Bowe and Daira Hopwood. 
@@ -8207,20 +8238,25 @@ $\SinsemillaHash$ is used in the definition of $\SinsemillaCommitAlg$ Let $\GroupP$, $\ZeroP$, $\ParamP{q}$, $\ParamP{r}$, and $\ParamP{b}$ be as defined in \crossref{pallasandvesta}. +\vspace{-0.25ex} Let $\ExtractP \typecolon \GroupP \rightarrow \MerkleHash{Orchard}$ be as defined in \crossref{concreteextractorpallas}. +\vspace{-0.25ex} Let $\GroupPHash$ be as defined in \crossref{concretegrouphashpallasandvesta}. +\vspace{-0.25ex} Let $\Uncommitted{Orchard}$ be as defined in \crossref{constants}. +\vspace{-0.25ex} Let $\ItoLEOSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$ and $\LEOStoIP{} \typecolon (\ell \typecolon \Nat \suchthat \ell \bmod 8 = 0) \times \byteseq{\ell/8} \rightarrow \binaryrange{\ell}$ be as defined in \crossref{endian}. -\vspace{1ex} +\vspace{0.5ex} Let $k := 10$. +\vspace{-0.25ex} Let $c$ be the largest integer such that $2^n \leq \hfrac{\ParamP{r}-1}{2}$, i.e.\ $c := 253$. @@ -8229,8 +8265,8 @@ Define $\SinsemillaGenInit \typecolon \byteseqs \rightarrow \GroupPstar$ and $\SinsemillaGenBase \typecolon \binaryrange{k} \rightarrow \GroupPstar$ by: \begin{tabular}{@{\hskip 1.5em}r@{\;}l} - $\SinsemillaGenInit(D)$ &$:= \GroupPHash\!\big(\ascii{z.cash:SinsemillaQ}, D\big)$ \\ - $\SinsemillaGenBase(j)$ &$:= \GroupPHash\!\big(\ascii{z.cash:SinsemillaS}, \ItoLEOSPOf{32}{j}\big)$. + $\SinsemillaGenInit(D)$ &$:= \GroupPHash\!\big(\ascii{z.cash:SinsemillaQ}, D\big)$ \\[-0.25ex] + $\SinsemillaGenBase(j)$ &$:= \GroupPHash\!\big(\ascii{z.cash:SinsemillaS}, \ItoLEOSP{32}(j)\kern-0.1em\big)$. \end{tabular} \vspace{1ex} 
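Review bot: The definition of c at the end of the hunk at -8207 quantifies over the wrong variable: `Let $c$ be the largest integer such that $2^n \leq \hfrac{\ParamP{r}-1}{2}$, i.e.\ $c := 253$` should read `$2^c \leq \hfrac{\ParamP{r}-1}{2}$`, since n is not bound here and is later used for the chunk count in SinsemillaHashToPoint. The stated value agrees with the corrected inequality: r_P is a 255-bit prime just above 2^254, so 2^253 ≤ (r_P−1)/2 < 2^254. The line is unchanged by the patch, but it sits inside the definitions this hunk is reformatting.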
@@ -8239,9 +8275,9 @@ Define $\incompleteadd \typecolon \GroupP \times \GroupP \rightarrow \maybe{\Gro \vspace{-1ex} \begin{tabular}{@{\hskip 1.5em}r@{\;}l@{\;}l@{\;}l} - $\ZeroP$ &$\incompleteadd$ &$\ZeroP$ &$= \bot$ \\[-0.25ex] - $\ZeroP$ &$\incompleteadd$ &$(x', y')$ &$= \bot$ \\[-0.5ex] - $(x, y)$ &$\incompleteadd$ &$\ZeroP$ &$= \bot$ \\[-0.25ex] + $\ZeroP$ &$\incompleteadd$ &$\ZeroP$ &$= \bot$ \\[-0.3ex] + $\ZeroP$ &$\incompleteadd$ &$(x', y')$ &$= \bot$ \\[-0.6ex] + $(x, y)$ &$\incompleteadd$ &$\ZeroP$ &$= \bot$ \\[-0.3ex] $(x, y)$ &$\incompleteadd$ &$(x', y')$ &$= \begin{cases} \bot, &\caseif x = x' \\ (x, y) + (x', y'), &\caseotherwise\text{.} @@ -8259,7 +8295,7 @@ Define $\SinsemillaHashToPoint(D \typecolon \byteseqs, M \typecolon \bitseq{\ran each of length $k$ bits, so that $M' = \concatbits(M_\barerange{1}{n})$. \item let mutable $\Acc \leftarrow \SinsemillaGenInit(D)$ \item for $i$ from $1$ up to $n$: - \vspace{-1ex} + \vspace{-0.5ex} \item \tab set $\Acc \leftarrow \Big(\Acc \incompleteadd \SinsemillaGenBase\big(\LEBStoIP{k}(M_i)\kern-0.1em\big)\kern-0.15em\Big) \incompleteadd \Acc$ \item \blank \item return $\Acc$. @@ -8284,6 +8320,7 @@ No other security properties commonly associated with \hashFunctions are needed. \begin{nnotes} \item These \hashFunctions are \emph{not} \collisionResistant across variable-length inputs for the same $D$ (that is, it is assumed that a single input length will be used for any given $D$). + \vspace{-0.5ex} \item The intermediate value $\scalarmult{2}{\GroupPHash\!\big(\ascii{z.cash:SinsemillaQ}, D\big)}$ for the first iteration of the loop can be precomputed, if $D$ is known in advance. \end{nnotes} 
@@ -8956,7 +8993,7 @@ $\abstBytesEdSpecific\Of{\bytes{P}}$ is computed as follows: \item let ${y\Repr} \typecolon \bitseq{255}$ be the first $255$ bits of $\LEOStoBSPOf{256}{\bytes{P}}$ and let $\tilde{x} \typecolon \bit$ be the last bit. \item let $y \typecolon \GF{p} = \LEBStoIPOf{255}{y\Repr} \pmod{p}$. \item let $x = \optsqrt{\hfrac{1 - y^2}{a - d \smult y^2}}$.\; - (The denominator $a - d \smult y^2$ cannot be zero, since $\hfrac{a}{d}$ is not square in $\GF{p}$.) + (The denominator $a - d \smult y^2$ cannot be zero, since $\hfrac{a}{d}$ is not square in $\GF{p}$.) \item if $x = \bot$, return $\bot$. \item if $x \bmod 2 = \tilde{x}$ then return $(x, y)$ else return $(p - x, y)$. \end{formulae} @@ -9144,11 +9181,11 @@ Define $\RedDSASign{} \typecolon (\sk \typecolon \RedDSAPrivate) \times (M \type \begin{algorithm} \item Choose a byte sequence $T$ uniformly at random on $\byteseq{(\RedDSAHashLength+128)/8}$. \item Let $\vkBytes{} = \LEBStoOSPOf{\ellG{}}{\reprG{}\Of{\RedDSADerivePublic(\sk)}\kern 0.05em}$. - \vspace{-0.5ex} + \vspace{-0.75ex} \item Let $r = \RedDSAHashToScalar(T \bconcat \vkBytes{} \bconcat M)$. \item Let $\RedDSASigR{} = \scalarmult{r}{\GenG{}}$. \item Let $\RedDSAReprR{} = \LEBStoOSPOf{\ellG{}}{\reprG{}\Of{\RedDSASigR{}}\kern 0.05em}$. - \vspace{-0.5ex} + \vspace{-0.75ex} \item Let $\RedDSASigS{} = (r + \RedDSAHashToScalar(\RedDSAReprR{} \bconcat \vkBytes{} \bconcat M) \mult \sk) \bmod \ParamG{r}$. \item Let $\RedDSAReprS{} = \ItoLEOSPOf{\bitlength(\ParamG{r})}{\RedDSASigS{}}$. \item Return $\RedDSAReprR{} \bconcat \RedDSAReprS{}$. 
@@ -9160,33 +9197,40 @@ Define $\RedDSAValidate{} \typecolon (\vk \typecolon \RedDSAPublic) \times (M \t \begin{algorithm} \item Let $\RedDSAReprR{}$ be the first $\ceiling{\ellG{}/8}$ bytes of $\sigma$, and let $\RedDSAReprS{}$ be the remaining $\ceiling{\bitlength(\ParamG{r})/8}$ bytes. + \vspace{-0.25ex} \item Let $\RedDSASigR{} = \abstG{}\big(\LEOStoBSP{\ellG{}}(\RedDSAReprR{})\kern-0.15em\big)$, and let $\RedDSASigS{} = \LEOStoIP{8 \mult \length(\RedDSAReprS{})}(\RedDSAReprS{})$. + \vspace{-1ex} \item Let $\vkBytes{} = \LEBStoOSPOf{\ellG{}}{\reprG{}\Of{\vk}\kern 0.03em}$. - \vspace{-0.5ex} + \vspace{-1ex} \item Let $\RedDSASigc{} = \RedDSAHashToScalar(\RedDSAReprR{} \bconcat \vkBytes{} \bconcat M)$. - \vspace{0.5ex} \nufiveonwarditem{If $\reprG{}\Of{\RedDSASigR{}} \neq \RedDSAReprR{}$, return $0$.} + \vspace{-0.25ex} \item Return $1$ if $\RedDSASigR{} \neq \bot$ and $\RedDSASigS{} < \ParamG{r}$ and $\scalarmult{\ParamG{h}}{\big(\!\!-\!\scalarmult{\RedDSASigS{}}{\GenG{}} + \RedDSASigR{} + \scalarmult{\RedDSASigc{}}{\vk}\big)} = \ZeroG{}$, otherwise $0$. \end{algorithm} \vspace{-2ex} \begin{pnotes} + \vspace{-0.25ex} \item The validation algorithm \emph{does not} check that $\RedDSASigR{}$ is a point of order at least $\ParamG{r}$. \nufive{ + \vspace{-0.5ex} \item After activation of \cite{ZIP-216}, validation returns $0$ if $\RedDSAReprR{}$ is a \nonCanonicalPoint compressed point encoding. } + \vspace{-0.5ex} \item The value $\RedDSAReprR{}$ used as part of the input to $\RedDSAHashToScalar$ \MUST be exactly as encoded in the signature. + \vspace{-0.5ex} \item Appendix \crossref{reddsabatchvalidate} describes an optimization that \MAY be used to speed up validation of batches of $\RedDSA$ signatures. \end{pnotes} \vspace{-2ex} \begin{nnotes} + \vspace{-0.25ex} \item The randomization used in $\RedDSARandomizePrivate$ and $\RedDSARandomizePublic$ may interact with other uses of additive properties of keys for Schnorr-based signature schemes. 
In the \Zcash protocol, such properties are used for \bindingSignatures but not at the same time @@ -9194,6 +9238,7 @@ at least $\ParamG{r}$. but this does not result in any practical security weakness as long as the security recommendations of ZIP-32 are followed. If $\RedDSA$ is reused in other protocols making use of these additive properties, careful analysis of potential interactions is required. + \vspace{-0.25ex} \item It is \RECOMMENDED that, for deployments of $\RedDSA$ in other protocols than \Zcash, the requirement for $\RedDSAReprR{}$ to be canonically encoded is always enforced (which was the original intent of the design). @@ -9204,8 +9249,11 @@ The two abelian groups specified in \crossref{abstractsigmono} are instantiated as follows: \begin{itemize} \item $\grpzero := 0 \pmod{\ParamG{r}}$ + \vspace{-0.5ex} \item $\sk_1 \grpplus \sk_2 := \sk_1 + \sk_2 \pmod{\ParamG{r}}$ + \vspace{-0.5ex} \item $\combzero := \ZeroG{}$ + \vspace{-0.5ex} \item $\vk_1 \combplus \vk_2 := \vk_1 + \vk_2$. \end{itemize} @@ -9227,8 +9275,11 @@ length $\ellG{}$ bits (or as a corresponding byte sequence $\vkBytes{}$ by then \introlist The scheme $\RedJubjub$ specializes $\RedDSA$ with: \begin{itemize} + \vspace{-0.25ex} \item $\GroupG{} := \GroupJ$ as defined in \crossref{jubjub}; + \vspace{-0.75ex} \item $\RedDSAHashLength := 512$; + \vspace{-0.75ex} \item $\RedDSAHash(x) := \BlakeTwobOf{512}{\ascii{Zcash\_RedJubjubH}, x}$ as defined in \crossref{concreteblake2}. \end{itemize} 
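Review bot: In the `\RedDSAValidate{}` algorithm of the `@@ -9160,33 +9197,40 @@` hunk, the ZIP-216 step `\nufiveonwarditem{If $\reprG{}\Of{\RedDSASigR{}} \neq \RedDSAReprR{}$, return $0$.}` is evaluated before the final step's `\RedDSASigR{} \neq \bot` test, yet `\RedDSASigR{}` is the output of `\abstG{}` and may already be $\bot$ at that point, so `\reprG{}` is being applied to a value outside its domain. The commit only moves the `\vspace` around this step and leaves the ordering as is. Since a $\bot$ here is rejected either way (presumably by $\bot$ propagating through the comparison), this is a presentation issue rather than a validation bug, but the spec would read unambiguously if the step were `\nufiveonwarditem{If $\RedDSASigR{} = \bot$ or $\reprG{}\Of{\RedDSASigR{}} \neq \RedDSAReprR{}$, return $0$.}` or if the $\bot$ test were hoisted into its own step immediately after `\RedDSASigR{}` is computed. The enclosing `nnotes` environment continues past the end of this hunk.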
@@ -9236,13 +9287,17 @@ The scheme $\RedJubjub$ specializes $\RedDSA$ with: \introlist The scheme $\RedPallas$ specializes $\RedDSA$ with: \begin{itemize} + \vspace{-0.25ex} \item $\GroupG{} := \GroupP$ as defined in \crossref{pallasandvesta}; + \vspace{-0.75ex} \item $\RedDSAHashLength := 512$; + \vspace{-0.75ex} \item $\RedDSAHash(x) := \BlakeTwobOf{512}{\ascii{Zcash\_RedPallasH}, x}$ as defined in \crossref{concreteblake2}. \end{itemize} } %nufive \vspace{-1ex} +\introlist The generator $\GenG{} \typecolon \SubgroupG{}$ is left as an unspecified parameter, different between $\BindingSig{Sapling}$\notbeforenufive{,}\notnufive{ and} $\SpendAuthSig{Sapling}$\nufive{, $\BindingSig{Orchard}$, and $\SpendAuthSig{Orchard}$}. @@ -9273,7 +9328,7 @@ with key re-randomization and with generator $\GenG{} = \AuthSignBase{Orchard}$. \vspace{0.5ex} See \crossref{spendauthsig} for details on the use of this \signatureScheme. -\vspace{-1ex} +\vspace{-2ex} \securityrequirement{ \nufive{Each instantiation of} $\SpendAuthSig{}$ must be a SURK-CMA secure \rerandomizableSignatureScheme as defined in \crossref{abstractsigrerand}. @@ -9298,6 +9353,7 @@ without key re-randomization, using generator $\GenG{} = \ValueCommitRandBase{Or \crossref{concretevaluecommit}. See \crossref{orchardbalance} for details on the use of this \signatureScheme. } %nufive +\vspace{-2ex} \securityrequirement{ \nufive{Each instantiation of} $\BindingSig{}$ must be a SUF-CMA secure \keyMonomorphicSignatureScheme as defined in \crossref{abstractsigmono}. A signature must prove knowledge of the discrete logarithm of @@ -9308,7 +9364,7 @@ $\ValueCommitRandBase{Orchard}$}. \introlist -\vspace{-1ex} +\vspace{-2ex} \lsubsubsection{Commitment schemes}{concretecommit} \vspace{-1ex} 
@@ -9333,7 +9389,7 @@ $\ValueCommitRandBase{Orchard}$}. \end{lrbox} \vspace{-1ex} -The commitment scheme $\NoteCommit{Sprout}{}$ specified in \crossref{abstractcommit} is +The \commitmentScheme $\NoteCommit{Sprout}{}$ specified in \crossref{abstractcommit} is instantiated using \shaHash as follows: \begin{formulae}[leftmargin=1em] @@ -9469,7 +9525,7 @@ Define: \introlist The commitment scheme $\ValueCommitAlg{Sapling}$ specified in \crossref{abstractcommit} is -instantiated as follows using $\HomomorphicPedersenCommit{Sapling}{}$ on the \jubjubCurve: +instantiated as follows using $\HomomorphicPedersenCommitAlg{Sapling}$ on the \jubjubCurve: \begin{formulae} \item $\ValueCommitAlg{\ValueCommitRand}(\Value) := \HomomorphicPedersenCommit{Sapling}{\ValueCommitRand}(\ascii{Zcash\_cv}, \Value)$. @@ -9484,7 +9540,7 @@ which is equivalent to: \nufive{ \introlist The commitment scheme $\ValueCommitAlg{Orchard}$ specified in \crossref{abstractcommit} is -instantiated as follows using $\HomomorphicPedersenCommit{Orchard}{}$ on the \pallasCurve: +instantiated as follows using $\HomomorphicPedersenCommitAlg{Orchard}$ on the \pallasCurve: \begin{formulae} \item $\ValueCommit{Orchard}{\ValueCommitRand}(\Value) := \HomomorphicPedersenCommit{Orchard}{\ValueCommitRand}(\ascii{z.cash:Orchard-cv}, \Value)$. @@ -9531,6 +9587,7 @@ and adding a randomized point on the \pallasCurve (see \crossref{pallasandvesta} \ExtractP\big(\SinsemillaCommit{r}(D, M)\kern-0.1em\big)$. \end{formulae} +\vspace{-1ex} See \cite[section TODO]{Zcash-Orchard} for rationale and efficient circuit implementation of this function. \vspace{0.5ex} 
@@ -9964,7 +10021,7 @@ $\abstJ\Of{P\Repr}$ is computed as follows: \item if $\LEBStoIPOf{255}{\varv\Repr} \geq \ParamJ{q}$ then return $\bot$, otherwise let $\varv \typecolon \GF{\ParamJ{q}} = \LEBStoIPOf{255}{\varv\Repr} \pmod{\ParamJ{q}}$. \item let $u = \optsqrt{\hfrac{1 - \varv^2}{\ParamJ{a} - \ParamJ{d} \mult \varv^2}}$.\; - (The denominator $\ParamJ{a} - \ParamJ{d} \smult \varv^2$ cannot be zero, since $\hfrac{\ParamJ{a}}{\ParamJ{d}}$ is not square in $\GF{\ParamJ{q}}$.) + (The denominator $\ParamJ{a} - \ParamJ{d} \smult \varv^2$ cannot be zero, since $\hfrac{\ParamJ{a}}{\ParamJ{d}}$ is not square in $\GF{\ParamJ{q}}$.) \item if $u = \bot$, return $\bot$. \item if $u \bmod 2 = \tilde{u}$ then return $(u, \varv)$ else return $(\ParamJ{q} - u, \varv)$. \end{formulae} @@ -10027,6 +10084,7 @@ $\SubgroupJ$ is of odd-prime order.} \theoremlabel{lemmasubgroupnegation} \begin{lemma}[Let $P = (u, \varv) \in \SubgroupJ$. Then $(u, -\varv) \notin \SubgroupJ$]\end{lemma} +\vspace{-1ex} \begin{proof} If $P = \ZeroJ$ then $(u, -\varv) = (0, -1) \notin \SubgroupJ$. Else, $P$ is of odd-prime order. Note that $\varv \neq 0$. @@ -10047,6 +10105,7 @@ since $\SubgroupJ$ is of odd order \cite{KvE2013}). \theoremlabel{thmselectuinjective} \begin{theorem}[$\Selectu$ is injective on $\SubgroupJ$]\end{theorem} +\vspace{-1ex} \begin{proof} By writing the curve equation as $\varv^2 = (1 - a \smult u^2) / (1 - d \smult u^2)$, and noting that the @@ -10066,6 +10125,7 @@ $\ExtractJ$ is injective on $\SubgroupJ$. \sapling{ \introlist +\vspace{-1ex} \lsubsubsubsection{Group Hash into \JubjubText}{concretegrouphashjubjub} \vspace{-1ex} 
@@ -10078,13 +10138,15 @@ different purposes.) Let $\URS$ be the MPC randomness beacon defined in \crossref{beacon}. +\vspace{-0.25ex} Let $\BlakeTwos{256}$ be as defined in \crossref{concreteblake2}. +\vspace{-0.25ex} Let $\LEOStoIP{}$ be as defined in \crossref{endian}. +\vspace{-0.25ex} Let $\SubgroupJ$, $\SubgroupJstar$, and $\abstJ$ be as defined in \crossref{jubjub}. -\vspace{1ex} Let $D \typecolon \byteseq{8}$ be an $8$-byte domain separator, and let $M \typecolon \byteseqs$ be the hash input. @@ -10099,7 +10161,7 @@ The hash $\GroupJHash{\URS}(D, M) \typecolon \SubgroupJstar$ is calculated as fo \item if $Q = \ZeroJ$ then return $\bot$, else return $Q$. \end{algorithm} -\vspace{-2ex} +\vspace{-1ex} \begin{pnotes} \vspace{-0.5ex} \item The use of $\GroupJHash{\URS}$ for $\DiversifyHash{Sapling}$ and to generate independent bases @@ -10123,6 +10185,7 @@ The hash $\GroupJHash{\URS}(D, M) \typecolon \SubgroupJstar$ is calculated as fo \end{pnotes} \vspace{0.5ex} +\introlist Define $\first \typecolon (\byte \rightarrow \maybe{T}) \rightarrow \maybe{T}$ so that $\first(f) = f(i)$ where $i$ is the least integer in $\byte$ such that $f(i) \neq \bot$, or $\bot$ if no such $i$ exists. @@ -10226,6 +10289,7 @@ Let $\GroupP$, $\ZeroP$, $\ParamP{q}$, and $\ParamP{b}$ be as defined in \crossr Define $\GroupPstarx$ be the set of $x$-coordinates of points on the \pallasCurve, i.e.\ $\setof{x \typecolon \GF{\ParamP{q}} \suchthat x^3 + \ParamP{b}\text{ is square in }\GF{\ParamP{q}}}$. +\vspace{-0.5ex} Define $\GroupPx := \GroupPstarx \union \setof{0}$. \vspace{1ex} 
@@ -10418,10 +10482,12 @@ Define $\maptocurvesimpleswuIsoG(u \typecolon \GF{\ParamG{q}}) \rightarrow \Grou \item let $\mathsf{ta} = \mathsf{Zuu}^2 + \mathsf{Zuu}$ \item let $\mathsf{x1}_\num = \ParamIsoG{b} \mult (\mathsf{ta} + 1)$ \item let $\mathsf{x}_\xdiv = \ParamIsoG{a} \mult \big(\kern-0.1em(\mathsf{ta} = 0) \bchoose \ParamIsoG{Z} : -\mathsf{ta}\big)$ + \vspace{-0.25ex} \item compute $\mathsf{x}_\xdiv^2$ and $\mathsf{x}_\xdiv^3$ \item let $\mathsf{U} = (\mathsf{x1}_\num^2 + \ParamIsoG{a} \mult \mathsf{x}_\xdiv^2) \mult \mathsf{x1}_\num + \ParamIsoG{b} \mult \mathsf{x}_\xdiv^3$ \item let $\mathsf{x2}_\num = \mathsf{Zuu} \mult \mathsf{x1}_\num$ \item let $(\mathsf{y1},\, \mathsf{is\_gx1\_square}) = \sqrtratioG(\mathsf{U},\, \mathsf{x}_\xdiv^3)$ + \vspace{-0.5ex} \item let $\mathsf{y2} = \ParamIsoG{\theta} \mult \mathsf{Zuu} \mult u \mult \mathsf{y1}$ \item let $\mathsf{x}_\num = \mathsf{is\_gx1\_square} \bchoose \mathsf{x1}_\num : \mathsf{x2}_\num$ \item let $\mathsf{y}' = \mathsf{is\_gx1\_square} \bchoose \mathsf{y1} : \mathsf{y2}$ @@ -11029,7 +11095,7 @@ considered invalid if $\abstJ$ returns $\bot$. \nufive{\cite{ZIP-216} specifies that the address \MUST also be considered invalid if the resulting $\DiversifiedTransmitPublic$ is not in the prime-order subgroup $\SubgroupJ$, or -if it is a non-canonical encoding as defined in \crossref{abstractgroup}. This \MAY be +if it is a \nonCanonicalPoint encoding as defined in \crossref{abstractgroup}. This \MAY be enforced in advance of activation of \NUFive.} \vspace{1ex} 
@@ -11733,12 +11799,12 @@ An \orchardBindingSignature on the \sighashTxHash, validated per \crossref{concr } %scalebox \vspace{-0.3ex} -\scalebox{0.86}{ -\begin{tabularx}{1.16\textwidth}{@{\!\!}l@{\hskip 1em}X@{}} $\ddagger$ & The fields \valueBalance{Sapling}, \anchorField{Sapling}, \vSpendProofsSapling, \vSpendAuthSigs{Sapling}, \vOutputProofsSapling, and \bindingSig{Sapling} are present if and only if $\nSpendsSapling + \nOutputsSapling > 0$. If \valueBalance{Sapling} is not present, then $\vBalance{Sapling}$ is defined to be $0$. \\[-0.5ex] +\scalebox{0.87}{ +\begin{tabularx}{1.14\textwidth}{@{\!\!}l@{\hskip 1em}X@{}} $\mathsection$ & The fields \flagsOrchard, \valueBalance{Orchard}, \anchorField{Orchard}, \sizeProofsOrchard, \proofsOrchard, \vSpendAuthSigs{Orchard}, and \bindingSig{Orchard} @@ -11748,8 +11814,8 @@ then $\vBalance{Orchard}$ is defined to be $0$. } %scalebox \end{center} \vspace{-2ex} -\scalebox{0.86}{ -\!\!\Transactionversion 5 does not support \joinSplitTransfers. +\scalebox{0.87}{ +\raggedright\!\!\Transactionversion 5 does not support \joinSplitTransfers. Several fields are reordered and/or renamed relative to prior versions. } %scalebox } %nufive @@ -11904,7 +11970,7 @@ each \spendDescription\, (\crossref{spendencodingandconsensus}),\,\notnufive{ an \nufive{ \item The flags in \flagsOrchard{} allow a version 5 \transaction to declare that no funds are spent from \Orchard \notes (by setting \enableSpendsOrchard{} to $0$), or that no new \Orchard \notes - with non-zero values are created (by setting \enableOutputsOrchard{} to $0$). This has two primary + with nonzero values are created (by setting \enableOutputsOrchard{} to $0$). This has two primary purposes. First, the \enableSpendsOrchard{} flag is set to $0$ in version 5 \coinbaseTransactions to ensure that they cannot spend from existing \Orchard outputs. This maintains a restriction present in \coinbaseTransactions for \transparent, \Sprout, or \Sapling funds, which would not otherwise 
@@ -13271,7 +13337,7 @@ amounts of currency for themself \cite{HW2016}. commitment: \shaHash for \Sprout\sapling{, and $\PedersenHash$ for \Sapling}. The motivation for the nested construction in \Zerocash was to allow Mint transactions to be publically verified without requiring -a \zkSNARKProof (\cite[section 1.3, under step 3]{BCGGMTV2014}). +\zkSNARKProofs (\cite[section 1.3, under step 3]{BCGGMTV2014}). Since \Zcash combines ``Mint'' and ``Pour'' transactions into generalized \joinSplitTransfers (for \Sprout), \sapling{or \spendTransfers and \outputTransfers (for \Sapling)}, and each @@ -13314,7 +13380,7 @@ These truncations are not taken into account in the security proofs. Both truncations affect the validity of the proof sketch for Lemma D.2 in the proof of Ledger Indistinguishability in \cite[Appendix D]{BCGGMTV2014}. -\introlist +\introsection In more detail: \begin{itemize} @@ -13522,6 +13588,7 @@ constraint 1(b) of the \joinSplitStatement (see \crossref{sproutspendauthority}) implies distinctness of $\AuthPublicOldX{1}$ and $\AuthPublicOldX{2}$, therefore distinct openings of the \noteCommitment when Condition I or II is violated. +\introlist \lsubsection{Miscellaneous}{miscdiffs} \begin{itemize} @@ -13555,12 +13622,11 @@ distinct openings of the \noteCommitment when Condition I or II is violated. \end{itemize} -\introsection +\introlist \lsection{Acknowledgements}{acknowledgements} The inventors of \Zerocash are Eli Ben-Sasson, Alessandro Chiesa, -Christina Garman, Matthew Green, Ian Miers, Eran Tromer, and Madars -Virza. +Christina Garman, Matthew Green, Ian Miers, Eran Tromer, and Madars Virza. The designers of the \Zcash protocol are the \Zerocash inventors and also Daira Hopwood, Sean Bowe, Jack Grigg, Simon Liu, Taylor Hornby, 
@@ -13604,7 +13670,7 @@ linking \diversifiedPaymentAddresses, avoided in the adopted design, was found by Brian Warner. The design of \Orchard is primarily due to Daira Hopwood, Sean Bowe, Jack Grigg, -Kris Nuttycombe, Ying Tong Lai, and Steven Smith. +Kris Nuttycombe, Ying~Tong Lai, and Steven Smith. The observation in \crossref{concretediversifyhash} that \diversifiedPaymentAddress unlinkability can be proven in the same way @@ -13632,7 +13698,7 @@ to resolve the tension between privacy and auditability, Merkle trees over note commitments (using Pedersen hashes as in \Sapling), and the use of ``serial numbers'' or \nullifiers to detect or prevent double-spends--- were first applied to privacy-preserving digital currencies -by Tomas Sander and Amnon Ta–Shma. To a large extent \Zcash is a refinement +by Tomas Sander and Amnon Ta-Shma. To a large extent \Zcash is a refinement of their ``Auditable, Anonymous Electronic Cash'' proposal in \cite{ST1999}. We thank Alexandra Elbakyan for her tireless work in dismantling barriers @@ -13717,7 +13783,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \item Correct \theoremref{thmuncommittedsapling}, which was proving the wrong thing. It needs to prove that $\NoteCommitAlg{Sapling}$ does not return $\Uncommitted{Sapling}$, but was previously proving that $\PedersenHash$ does not return that value. - \item The note about non-canonical encodings in \crossref{jubjub} gave incorrect values + \item The note about \nonCanonicalPoint encodings in \crossref{jubjub} gave incorrect values for the encodings of the point of order $2$, by omitting a $\ParamJ{q}$ term. \item The specification of decryption in \crossref{decryptovk} differed from its implementation in \zcashd, in two respects: 
@@ -14307,11 +14373,11 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \crossref{cctednonsmallorder} accurately reflect the implementation in sapling-crypto. \item Minor correction to the non-normative note in \crossref{cctrange}. - \item Clarify the non-normative note in \crossref{abstractcommit} about + \item Clarify non-normative note in \crossref{abstractcommit} about the definitions of $\ValueCommitOutput{Sapling}$ and $\NoteCommitOutput{Sapling}$. \item Clarify that the signer of a \spendAuthSignature is supposed to choose - the \spendAuthRandomizer, $\AuthSignRandomizer$, itself. Only step 4 in the - procedure in \crossref{spendauthsig} may securely be delegated. + the \spendAuthRandomizer, $\AuthSignRandomizer$, itself. Only step 4 in + \crossref{spendauthsig} may securely be delegated. \item Add a non-normative note to \crossref{concretereddsa} explaining that $\RedDSA$ key randomization may interact with other uses of additive properties of Schnorr keys. @@ -15437,7 +15503,7 @@ $c_{\barerange{n-2}{0}}$. Assume $c_{\barerange{0}{n-1}} \typecolon \bitseq{n}$ and $c_{n-1} = 1$. Define $A_m := \ssum{i=m}{n-1} a_i \mult 2^i$ and $C_m := \ssum{i=m}{n-1} c_i \mult 2^i$. -For any\, $m \in \range{0}{n-1}$, $A_m \leq C_m$ iff the restriction of the above +For any\, $m \in \range{0}{n-1}$, $A_m \leq C_m$ if and only if the restriction of the above constraint system to $i \in \range{m}{n-1}$ is satisfied. Furthermore the system at least boolean-constrains $a_{\barerange{0}{n-1}}$. \end{theorem} 
@@ -15471,7 +15537,7 @@ Inductive case $m < n-1$: \begin{itemize} \item If $A_{m+1} = C_{m+1}$, then $a_i = c_i$ for all $i \in \range{m+1}{n-1}$ and so $\Pi_{m+1} = 1$. - Also $A_m \leq C_m$ iff $a_m \leq c_m$. \\ + Also $A_m \leq C_m$ if and only if $a_m \leq c_m$. \\ When $c_m = 1$, only a boolean constraint is added for $a_m$ which fulfils the theorem. \\ When $c_m = 0$, $a_m$ is constrained to be $0$ which fulfils the theorem. \item If $A_{m+1} < C_{m+1}$, then it cannot be the case that $a_i \geq c_i$ @@ -15876,10 +15942,11 @@ a total of $750$ constraints. Fixed-base scalar multiplication is also used in two places with shorter scalars: \begin{itemize} - \item \crossref{ccthomomorphiccommit} uses a $64$-bit scalar for the + \item \crossref{ccthomomorphiccommit} uses $64$ bits for the $\Value$ input to $\ValueCommitAlg{Sapling}$, requiring $22$ windows at a cost of $3 \smult 22 - 1 + 6 \smult 21 = 191$ constraints; - \item \crossref{cctmixinghash} uses a $32$-bit scalar for the + \vspace{-0.25ex} + \item \crossref{cctmixinghash} uses $32$ bits for the $\NotePosition$ input to $\MixingPedersenHash$, requiring $11$ windows at a cost of $3 \smult 11 - 1 + 6 \smult 10 = 92$ constraints. \end{itemize} @@ -15894,13 +15961,14 @@ None of these costs include the cost of boolean-constraining the scalar. fixed-base scalar multiplication in the \spendCircuit and two in the \outputCircuit\footnote{A \xPedersenCommitment uses fixed-base scalar multiplication as a subcomponent.}, the additional complexity was not considered justified for \Sapling. + \vspace{-0.25ex} \item For the multiplications with $64$-bit and $32$-bit scalars, the scalar is padded to a multiple of $3$ bits with zeros. This causes the computation of $s\suband$ in the lookup for the most significant window to be optimized out, which is where the ``$-\;1$'' comes from in the above cost calculations. No further optimization is done for this lookup. \end{nnotes} -\vspace{-2ex} +\vspace{-2.5ex} \introsection 
@@ -15920,12 +15988,15 @@ Given $k = \ssum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$ \item let $\Acc^{\spv}_0\hairspace = k_0 \bchoose \Base^{\spv}_0 : 1$ \vspace{1ex} \item for $i$ from $1$ up to $250$: + \vspace{-0.25ex} \item \tab let $\Base_i = \scalarmult{2}{\Base_{i-1}}$ - \vspace{1ex} + \vspace{0.5ex} \item \tab // select $\Base_i$ or $\ZeroJ$ depending on the bit $k_i$ \item \tab let $\Addend^u_i = k_i \bchoose \Base^u_i : 0$ \item \tab let $\Addend^{\spv}_i\hairspace = k_i \bchoose \Base^{\spv}_i : 1$ + \vspace{-0.25ex} \item \tab let $\Acc_i = \Acc_{i-1} + \Addend_i$ + \vspace{1ex} \item let $R = \Acc_{250}$. \end{algorithm} @@ -16003,7 +16074,7 @@ We have to prove that: The proof of \theoremref{thmpedersenencodeinjective} showed that all indices of addition inputs are in the range -$\bigrangenozero{-\hfrac{\ParamJ{r}-1}{2}}{\hfrac{\ParamJ{r}-1}{2}}$. +$\bigrangenozero{-\frac{\ParamJ{r}-1}{2}}{\frac{\ParamJ{r}-1}{2}}$. Because the $\PedersenGen{D}{j}$ (which are outputs of $\GroupJHash{}$) are all of prime order, and $\PedersenEncode{M_j} \neq 0 \pmod{\ParamJ{r}}$, @@ -16016,6 +16087,7 @@ the conversions will not encounter exceptional cases. We also need to show that the indices of addition inputs are all distinct disregarding sign. +\introlist \theoremlabel{thmpedersendistinctabsindices} \begin{theorem}[Concerning addition inputs in the Pedersen circuit] @@ -16242,7 +16314,7 @@ In order to support this property, we also define \homomorphicPedersenCommitment as follows: \begin{formulae} - \item $\HomomorphicPedersenCommit{\ValueCommitRand}(D, \Value) = + \item $\HomomorphicPedersenCommit{Sapling}{\ValueCommitRand}(D, \Value) = \scalarmult{\Value}{\FindGroupJHash\Of{D, \ascii{v}}}\, + \scalarmult{\ValueCommitRand}{\FindGroupJHash\Of{D, \ascii{r}}}$ \end{formulae} 
@@ -16424,18 +16496,18 @@ The primary input is \vspace{1ex} \begin{formulae} \item $\oparen\rt{Sapling} \typecolon \MerkleHash{Sapling},\\ - \hparen\cvOld{} \typecolon \ValueCommitOutput,\\ + \hparen\cvOld{} \typecolon \ValueCommitOutput{Sapling},\\ \hparen\nfOld{} \typecolon \PRFOutputNfSapling,\\ - \hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic\cparen$, + \hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic{Sapling}\cparen$, \end{formulae} which is encoded as $8$ $\GF{\ParamS{r}}$ elements (starting with the fixed element $1$ required by \Groth): \begin{formulae} - \item $[1, \Selectu(\AuthSignRandomizedPublic), \Selectv(\AuthSignRandomizedPublic), - \Selectu(\cvOld{}), \Selectv(\cvOld{}), \LEBStoIPOf{\MerkleHashLength{Sapling}}{\rt{Sapling}}, - \LEBStoIP{254}\big(\nfOldRepr{\!\barerange{0}{253}}\big), \LEBStoIP{2}\big(\nfOldRepr{\!\barerange{254}{255}}\big)]$ + \item $\big[1, \Selectu(\AuthSignRandomizedPublic), \Selectv(\AuthSignRandomizedPublic), + \Selectu(\cvOld{}), \Selectv(\cvOld{}), \LEBStoIP{\MerkleHashLength{Sapling}}\big(\rt{Sapling}\big), + \LEBStoIP{254}\big(\nfOldRepr{\!\barerange{0}{253}}\big), \LEBStoIP{2}\big(\nfOldRepr{\!\barerange{254}{255}}\big)\big]$ \end{formulae} \vspace{-2ex} -where $\nfOldRepr{} = \LEOStoBSP{\PRFOutputLengthNfSapling}(\nfOld{})$. +where $\nfOldRepr{} = \LEOStoBSP{\PRFOutputLengthNfSapling}\big(\nfOld{}\big)$. \introlist \vspace{1ex} @@ -16610,8 +16682,8 @@ The primary input is which is encoded as $6$ $\GF{\ParamS{r}}$ elements (starting with the fixed element $1$ required by \Groth): \begin{formulae} - \item $[1, \Selectu\Of{\cvNew{}}, \Selectv\Of{\cvNew{}}, - \Selectu\Of{\EphemeralPublic}, \Selectv\Of{\EphemeralPublic}, \LEBStoIPOf{\MerkleHashLength{Sapling}}{\cmU}]$ + \item $\big[1, \Selectu\Of{\cvNew{}}, \Selectv\Of{\cvNew{}}, + \Selectu\Of{\EphemeralPublic}, \Selectv\Of{\EphemeralPublic}, \LEBStoIPOf{\MerkleHashLength{Sapling}}{\cmU}\big]$ \end{formulae} The auxiliary input is 
@@ -16735,9 +16807,10 @@ Define $\RedDSABatchValidate \typecolon (\Entry{\barerange{0}{N-1}} \typecolon \ let $\RedDSAReprS{j}$ be the remaining $\ceiling{\bitlength(\ParamG{r})/8}$ bytes. \item \tab Let $\RedDSASigR{j} = \abstG{}\big(\LEOStoBSP{\ellG{}}(\RedDSAReprR{j})\kern-0.12em\big)$, and let $\RedDSASigS{j} = \LEOStoIP{8 \mult \length(\RedDSAReprS{j})}(\RedDSAReprS{j})$. + \vspace{-0.5ex} \item \tab Let $\vkBytes{j} = \LEBStoOSPOf{\ellG{}}{\reprG{}(\vk_j)\kern-0.1em}$. + \vspace{-1ex} \item \tab Let $\RedDSASigc{j} = \RedDSAHashToScalar(\RedDSAReprR{j} \bconcat \vkBytes{j} \bconcat M_j)$. - \vspace{1ex} \item \tab Choose random $z_j \typecolon \GFstar{\ParamG{r}} \leftarrowR \range{1}{2^{128}-1}$. \item \blank \item Return $1$ if @@ -16875,8 +16948,10 @@ the cost of batched verification is therefore \item for each proof: the cost of decoding the proof representation to the form $\GrothSProof$, which requires three point decompressions and three subgroup checks (two for $\SubgroupSstar{1}$ and one for $\SubgroupSstar{2}$); + \vspace{-0.25ex} \item for each successfully decoded proof: a Miller loop; and a $128$-bit scalar multiplication by $z_j$ in $\SubgroupS{1}$; + \vspace{-0.25ex} \item for each verification key: two Miller loops; an exponentiation in $\SubgroupS{T}$; a multiscalar multiplication in $\SubgroupS{1}$ with $N$ $128$-bit scalars to compute $\Accum{\Delta}$; and a multiscalar multiplication in $\SubgroupS{1}$ with $\ell+1$ $255$-bit scalars to compute @@ -16920,7 +16995,6 @@ Define $\EdSpecificBatchValidate \typecolon (\Entry{\barerange{0}{N-1}} \typecol let $\EdDSASigS{j} = \LEOStoIP{256}(\EdDSAReprS{j})$. \item \tab Let $\EdDSAReprA{j} = \reprBytesEdSpecific(\EdDSASigA{j})$. \item \tab Let $\EdDSASigc{j} = \LEOStoIP{512}\big(\BigSHAFull(\EdDSAReprR{j} \bconcat \EdDSAReprA{j} \bconcat M_j)\kern-0.12em\big)$. - \vspace{1ex} \item \tab Choose random $z_j \typecolon \GFstar{\ell} \leftarrowR \range{1}{2^{128}-1}$. \item \blank \item Return $1$ if