diff --git a/protocol/protocol.tex b/protocol/protocol.tex index d469d5a2..39cc4300 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -7366,11 +7366,11 @@ As required, $\RedDSADerivePublic$ is a group monomorphism, since it is injectiv &$= \RedDSADerivePublic(\sk_1)\, \combplus \RedDSADerivePublic(\sk_2)$. \end{tabular} -\vspace{1ex} +\vspace{0.5ex} A $\RedDSA$ \validatingKey $\vk$ can be encoded as a bit sequence $\reprG{}\Of{\vk}$\, of length $\ellG{}$ bits (or as a corresponding byte sequence $\vkBytes{}$ by then applying $\LEBStoOSP{\ellG{}}$). -\vspace{1ex} +\vspace{0.5ex} \introlist The scheme $\RedJubjub$ specializes $\RedDSA$ with: \begin{itemize} @@ -7379,14 +7379,17 @@ The scheme $\RedJubjub$ specializes $\RedDSA$ with: \item $\RedDSAHash(x) := \BlakeTwobOf{512}{\ascii{Zcash\_RedJubjubH}, x}$ as defined in \crossref{concreteblake2}. \end{itemize} -The generator $\GenG{} \typecolon \SubgroupG{}$ is left as an unspecified parameter, which is different between +\vspace{-1ex} +The generator $\GenG{} \typecolon \SubgroupG{}$ is left as an unspecified parameter, different between $\BindingSig$ and $\SpendAuthSig$. } %sapling \sapling{ +\vspace{-1ex} \lsubsubsubsection{Spend Authorization Signature}{concretespendauthsig} +\vspace{-1ex} Let $\RedJubjub$ be as defined in \crossref{concreteredjubjub}. Define $\AuthSignBase := \FindGroupJHash\Of{\ascii{Zcash\_G\_}, \ascii{}}$. @@ -7394,9 +7397,10 @@ Define $\AuthSignBase := \FindGroupJHash\Of{\ascii{Zcash\_G\_}, \ascii{}}$. The \defining{\spendAuthSignatureScheme}, $\SpendAuthSig$, is instantiated as $\RedJubjub$ with key re-randomization, and with generator $\GenG{} = \AuthSignBase$. -\vspace{1ex} +\vspace{0.5ex} See \crossref{spendauthsig} for details on the use of this \signatureScheme. +\vspace{-1ex} \securityrequirement{ $\SpendAuthSig$ must be a SURK-CMA secure \rerandomizableSignatureScheme as defined in \crossref{abstractsigrerand}. 
@@ -7405,8 +7409,10 @@ in \crossref{abstractsigrerand}. \sapling{ +\vspace{-1ex} \lsubsubsubsection{Binding Signature}{concretebindingsig} +\vspace{-1ex} Let $\RedJubjub$ be as defined in \crossref{concreteredjubjub}. Let $\ValueCommitRandBase$ be the randomness base defined in \crossref{concretevaluecommit}. @@ -7414,9 +7420,10 @@ Let $\ValueCommitRandBase$ be the randomness base defined in \crossref{concretev The \defining{\bindingSignatureScheme}, $\BindingSig$, is instantiated as $\RedJubjub$ without use of key re-randomization, and with generator $\GenG{} = \ValueCommitRandBase$. -\vspace{1ex} +\vspace{0.5ex} See \crossref{bindingsig} for details on the use of this \signatureScheme. +\vspace{-1ex} \securityrequirement{ $\BindingSig$ must be a SUF-CMA secure \keyMonomorphicSignatureScheme as defined in \crossref{abstractsigmono}. A signature must prove knowledge of the discrete logarithm of @@ -7426,8 +7433,10 @@ the \validatingKey with respect to the base $\ValueCommitRandBase$. \introlist +\vspace{-1ex} \lsubsubsection{Commitment schemes}{concretecommit} +\vspace{-1ex} \lsubsubsubsection{\SproutOrNothingText{} Note Commitments}{concretesproutnotecommit} \newsavebox{\cmbox} @@ -7449,6 +7458,7 @@ the \validatingKey with respect to the base $\ValueCommitRandBase$. \end{bytefield} \end{lrbox} +\vspace{-1ex} The commitment scheme $\NoteCommitSprout{}$ specified in \crossref{abstractcommit} is instantiated using \shaHash as follows: @@ -7457,6 +7467,7 @@ instantiated using \shaHash as follows: \item $\NoteCommitSproutGenTrapdoor()$ generates the uniform distribution on $\NoteCommitSproutTrapdoor$. \end{formulae} +\vspace{-1ex} \changed{\pnote{ The leading byte of the \shaHash input is $\hexint{B0}$. }} 
@@ -10656,7 +10667,6 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \historyentry{2020.1.6}{2020-06-17} \begin{itemize} - \item No changes to \Sprout. \canopy{ \item Incorporate changes to \Sapling{} \note encryption from \cite{ZIP-212}. } %canopy @@ -13002,7 +13012,7 @@ The \windowedPedersenCommitments defined in the preceding section are highly efficient, but they do not support the homomorphic property we need when instantiating $\ValueCommit{}$. -\introlist +\introsection In order to support this property, we also define \homomorphicPedersenCommitments as follows:
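Review bot: In the hunk at @@ -7379,14 +7379,17 @@ the heading spacing is being hand-tuned with a `\vspace{-1ex}` both before and after `\lsubsubsubsection{Spend Authorization Signature}{concretespendauthsig}`, and the same pair reappears in the later hunks around the Binding Signature and Commitment schemes headings. If the spacing produced by `\lsubsubsection`/`\lsubsubsubsection` is too loose, it would be more robust to adjust it once in the macro definition than to sprinkle negative space around individual uses, which will drift out of step as sections are added or moved. The rewording from "which is different between" to "different between" in the same hunk is fine.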
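Review bot: In the hunk at @@ -7426,8 +7433,10 @@ the added `\vspace{-1ex}` now sits between `\introlist` and the `\lsubsubsection{Commitment schemes}{concretecommit}` heading it was immediately preceding. If `\introlist` is meant to keep the following heading together with what comes after it (as its use elsewhere in this file suggests), please confirm that inserting vertical glue between the two does not change that grouping; otherwise move the `\vspace` above `\introlist`.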
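Review bot: The hunk at @@ -10656,7 +10667,6 @@ is the one non-layout change in an otherwise spacing-only patch: it deletes `\item No changes to \Sprout.` from the 2020.1.6 history entry, and the commit message does not say why. Two points. First, this alters the recorded change history for that version, so it should either be justified in the message or split into its own commit. Second, the remaining content of that `itemize` is entirely inside `\canopy{ ... }`; if that macro expands to nothing in a build where Canopy is disabled, the environment is left with no `\item`, which LaTeX rejects with "Something's wrong--perhaps a missing \item". Please check the non-Canopy build, or keep an unconditional item.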
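Review bot: In the hunk at @@ -13002,7 +13012,7 @@ `\introlist` is replaced by `\introsection` in front of the homomorphic Pedersen commitments paragraph, while every other hunk in this patch only adjusts `\vspace` amounts. Since the two macros presumably differ in how they handle page breaks around what follows, please confirm this substitution is intentional and that `\introsection` is the right choice for a paragraph rather than a heading, and say so in the commit message.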