Cosmetics.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent
ce35640ec0
commit
11163742b7
@ -396,7 +396,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\ALLCAPS}{\conformance{ALL CAPS}}
|
||||
|
||||
\newcommand{\collisionResistant}{collision\hyp resistant }
|
||||
\newcommand{\collisionResistance}{collision\hyp resistance }
|
||||
\newcommand{\collisionResistance}{collision resistance }
|
||||
|
||||
\newcommand{\note}{\term{note}}
|
||||
\newcommand{\notes}{\term{notes}}
|
||||
|
@ -2874,11 +2874,11 @@ with $\KASapling$ and derives keys for $\SymEncrypt{}$.
|
|||
} %sapling
|
||||
|
||||
\begin{securityrequirements}
|
||||
\item The asymmetric encryption scheme in \crossref{sproutinband} constructed
|
||||
\item The asymmetric encryption scheme in \crossref{sproutinband}, constructed
|
||||
from $\KASprout$, $\KDFSprout$ and $\Sym$, is required to be IND-CCA2-secure
|
||||
and key-private.
|
||||
\item \sapling{
|
||||
The asymmetric encryption scheme in \crossref{saplinginband} constructed
|
||||
The asymmetric encryption scheme in \crossref{saplinginband}, constructed
|
||||
from $\KASapling$, $\KDFSapling$ and $\Sym$, is required to be IND-CCA2-secure
|
||||
and key-private.
|
||||
} %sapling
|
||||
|
@ -3372,6 +3372,7 @@ the \statement;
|
|||
\item a verifying algorithm $\ZKVerify{} \typecolon \ZKVerifyingKey \times \ZKPrimary \times \ZKProof \rightarrow \bit$;
|
||||
\end{itemize}
|
||||
|
||||
\introlist
|
||||
The security requirements below are supposed to hold with overwhelming
|
||||
probability for $(\pk, \vk) \leftarrowR \ZKGen()$.
|
||||
|
||||
|
@ -3471,6 +3472,7 @@ Let $\PRFaddr{}$ be a \pseudoRandomFunction, instantiated in \crossref{concretep
|
|||
|
||||
Let $\KASprout$ be a \keyAgreementScheme, instantiated in \crossref{concretesproutkeyagreement}.
|
||||
|
||||
\vspace{0.5ex}
|
||||
A new \SproutOrNothing \spendingKey $\AuthPrivate$ is generated by choosing a bit sequence
|
||||
uniformly at random from $\bitseq{\AuthPrivateLength}$.
|
||||
|
||||
|
@ -3480,6 +3482,7 @@ $\AuthPublic$, $\TransmitPrivate$ and $\TransmitPublic$ are derived from
|
|||
$\AuthPrivate$
|
||||
as follows:}
|
||||
|
||||
\vspace{-0.5ex}
|
||||
\begin{tabular}{@{\hskip 2em}r@{\;}l}
|
||||
$\AuthPublic$ &$:= \changed{\PRFaddr{\AuthPrivate}(0)}$ \\
|
||||
$\TransmitPrivate$ &$:= \changed{\KASproutFormatPrivate(\PRFaddr{\AuthPrivate}(1))}$ \\
|
||||
|
@ -3538,9 +3541,10 @@ are derived as follows:
|
|||
\end{lrbox}
|
||||
|
||||
\sapling{
|
||||
\introlist
|
||||
\vspace{1ex}
|
||||
$\AuthSignPublic$, $\AuthProvePublic$, and $\InViewingKey$ are then derived as:
|
||||
|
||||
\vspace{-0.5ex}
|
||||
\begin{tabular}{@{\hskip 1.7em}r@{\;}l}
|
||||
$\AuthSignPublic$ &$:= \SpendAuthSigDerivePublic(\AuthSignPrivate)$ \\
|
||||
$\AuthProvePublic$ &$:= \scalarmult{\AuthProvePrivate}{\AuthProveBase}$ \\
|
||||
|
@ -3647,8 +3651,7 @@ $\JoinSplitSig$ public verification key and signature.
|
|||
\introlist
|
||||
A \joinSplitDescription consists of $(\vpubOld, \vpubNew, \rt, \nfOld{\allOld},
|
||||
\cmNew{\allNew}, \EphemeralPublic, \RandomSeed, \h{\allOld}, \ProofJoinSplit,
|
||||
\TransmitCiphertext{\allNew})$
|
||||
|
||||
\TransmitCiphertext{\allNew})$ \\
|
||||
where
|
||||
\begin{itemize}
|
||||
\item \changed{$\vpubOld \typecolon \range{0}{\MAXMONEY}$ is
|
||||
|
@ -3697,8 +3700,7 @@ $\hSigCRH$ is instantiated in \crossref{hsigcrh}.
|
|||
above (for example: $0 \leq \vpubOld \leq \MAXMONEY$ and $0 \leq \vpubNew \leq \MAXMONEY$).
|
||||
\item Either $\vpubOld$ or $\vpubNew$ \MUST be zero.
|
||||
\item The proof $\Proof{\JoinSplit}$ \MUST be valid given a \primaryInput formed
|
||||
from the relevant other fields and $\hSig$.
|
||||
I.e.\ it must be the case that $\JoinSplitVerify{}((\rt, \nfOld{\allOld},
|
||||
from the relevant other fields and $\hSig$ --- i.e.\ $\JoinSplitVerify{}((\rt, \nfOld{\allOld},
|
||||
\cmNew{\allNew},\changed{\vpubOld,} \vpubNew, \hSig, \h{\allOld}), \Proof{\JoinSplit}) = 1$.
|
||||
\end{consensusrules}
|
||||
|
||||
|
@ -3719,8 +3721,8 @@ Let $\ValueCommitOutput$ be as defined in \crossref{abstractcommit}.
|
|||
|
||||
\introlist
|
||||
A \spendDescription consists of $(\cv, \rt, \nf, \AuthSignRandomizedPublic, \ProofSpend, \spendAuthSig)$
|
||||
|
||||
where
|
||||
\vspace{1ex}
|
||||
\begin{itemize}
|
||||
\item $\cv \typecolon \ValueCommitOutput$ is the \valueCommitment to the value of the input \note;
|
||||
\item $\rt \typecolon \MerkleHashSapling$ is an \anchor, as defined in
|
||||
|
@ -3761,8 +3763,8 @@ There are no signatures associated with \outputDescriptions.
|
|||
|
||||
\introlist
|
||||
An \outputDescription consists of $(\cv, \cmU, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \ProofOutput)$
|
||||
|
||||
where
|
||||
\vspace{1ex}
|
||||
\begin{itemize}
|
||||
\item $\cv \typecolon \ValueCommitOutput$ is the \valueCommitment to the value of the output \note;
|
||||
\item $\cmU \typecolon \MerkleHashSapling$ is the result of applying $\ExtractJ$ (defined
|
||||
|
@ -3782,8 +3784,8 @@ where
|
|||
\begin{consensusrules}
|
||||
\item Elements of an \outputDescription{} \MUST have the types given above.
|
||||
\item The proof $\Proof{\Output}$ \MUST be valid given a \primaryInput formed
|
||||
from the other fields except $\TransmitCiphertext{}$ and $\OutCiphertext{}$.
|
||||
I.e.\ it must be the case that $\SpendVerify{}((\cv, \cm, \EphemeralPublic), \Proof{\Output}) = 1$.
|
||||
from the other fields except $\TransmitCiphertext{}$ and $\OutCiphertext{}$ ---
|
||||
i.e.\ $\SpendVerify{}((\cv, \cm, \EphemeralPublic), \Proof{\Output}) = 1$.
|
||||
\end{consensusrules}
|
||||
} %sapling
|
||||
|
||||
|
@ -4081,6 +4083,7 @@ all of the $\AuthPrivateOld{\allOld}$ for every \joinSplitDescription in the
|
|||
to $\joinSplitPubKey$ to sign this \transaction.
|
||||
|
||||
|
||||
\introsection
|
||||
\subsection{Balance\pSproutOrNothing} \label{joinsplitbalance}
|
||||
|
||||
In \Bitcoin, all inputs to and outputs from a \transaction are transparent.
|
||||
|
@ -4191,6 +4194,7 @@ Instead, validators calculate the \txBindingVerificationKey as:
|
|||
(This key is not encoded explicitly in the \transaction and must be recalculated.)
|
||||
|
||||
\introlist
|
||||
\vspace{1ex}
|
||||
The signer knows $\ValueCommitRandOld{\alln}$ and $\ValueCommitRandNew{\allm}$, and so can
|
||||
calculate the corresponding signing key as:
|
||||
\begin{formulae}
|
||||
|
@ -4249,6 +4253,7 @@ $\BindingPrivate'$ (as needed to create a valid \bindingSignature), then $(\vBad
|
|||
and $(0, \BindingPrivate')$ would be distinct openings of $\BindingPublic$ to different values,
|
||||
breaking the binding property of the \valueCommitmentScheme.
|
||||
|
||||
\introlist
|
||||
The above argument shows only that $\Value^* = 0 \pmod{\ParamJ{r}}$; in order to show that
|
||||
$\vSum = 0$, we also need to demonstrate that it does not overflow $\ValueCommitType$.
|
||||
|
||||
|
@ -4264,7 +4269,6 @@ the individual values of the \spendDescriptions and \outputDescriptions being re
|
|||
In addition this proves that the signer, knowing the $\biggrpplus$\kern-0.015em-sum of the \valueCommitment
|
||||
randomnesses, authorized a \transaction with the given \sighashTxHash by signing $\SigHash$.
|
||||
|
||||
\vspace{-1ex}
|
||||
\pnote{
|
||||
The spender \MAY reveal any strict subset of the \valueCommitment randomnesses to
|
||||
other parties that are cooperating to create the \transaction. If all of the
|
||||
|
@ -4272,7 +4276,6 @@ other parties that are cooperating to create the \transaction. If all of the
|
|||
\outputDescriptions of the \transaction.
|
||||
} %pnote
|
||||
|
||||
\vspace{-1ex}
|
||||
\nnote{
|
||||
The technique of checking signatures using a public key derived from a sum of
|
||||
\xPedersenCommitments is also used in the \Mimblewimble protocol \cite{Jedusor2016}.
|
||||
|
@ -4292,6 +4295,7 @@ The motivation for a separate signature is to allow devices that are limited in
|
|||
and computational capacity, such as hardware wallets, to authorize a shielded spend.
|
||||
Typically such devices cannot create, and may not be able to verify, \zkSNARKProofs.
|
||||
|
||||
\vspace{2ex}
|
||||
The verifying key of the signature must be revealed in the \spendDescription so that
|
||||
the signature can be checked by validators. To ensure that the verifying key cannot
|
||||
be linked to the \paymentAddress or \spendingKey from which the \note was spent, we
|
||||
|
@ -4318,6 +4322,7 @@ For each \spendDescription, the signer uses a fresh \spendAuthRandomizer $\AuthS
|
|||
\item Let $\spendAuthSig = \SpendAuthSigSign{\AuthSignRandomizedPrivate}(\SigHash)$.
|
||||
\end{enumerate}
|
||||
|
||||
\introlist
|
||||
The $\spendAuthSig$ and $\ProofSpend$ are included in the \spendDescription.
|
||||
|
||||
\pnote{
|
||||
|
@ -4343,9 +4348,11 @@ All of the constituent \nullifiers are also entered into the
|
|||
would have added a \nullifier to the \nullifierSet that already exists in the set
|
||||
(see \crossref{nullifierset}).
|
||||
|
||||
\vspace{2ex}
|
||||
\sprout{Each}\notsprout{In \Sprout, each} \note has a $\NoteAddressRand$ component.
|
||||
|
||||
\sapling{
|
||||
\vspace{2ex}
|
||||
\introlist
|
||||
In \Sapling, each \positionedNote has an associated $\NoteAddressRand$ value which
|
||||
is computed from its \noteCommitment $\cm$ and \notePosition $\NotePosition$
|
||||
|
@ -4358,8 +4365,10 @@ as follows:
|
|||
$\MixingPedersenHash$ is defined in \crossref{concretemixinghash}.
|
||||
} %sapling
|
||||
|
||||
\vspace{2ex}
|
||||
Let $\PRFnf{}{}$\sapling{ and $\PRFnfSapling{}{}$} be as instantiated in \crossref{concreteprfs}.
|
||||
|
||||
\vspace{2ex}
|
||||
\sprout{The \nullifier of a \note}\notsprout{For a \Sprout{} \note, the \nullifier}
|
||||
is derived as $\PRFnf{\AuthPrivate}(\NoteAddressRand)$, where $\AuthPrivate$ is the
|
||||
\spendingKey associated with the \note.
|
||||
|
@ -4554,7 +4563,7 @@ $\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBas
|
|||
\begin{formulae}
|
||||
\item $\InViewingKey = \CRHivk(\AuthSignPublicRepr, \AuthProvePublicRepr)$
|
||||
\vspace{-1ex}
|
||||
\item $\AuthSignPublicRepr = \reprJOf{\AuthSignPublic}$.
|
||||
\item $\AuthSignPublicRepr = \reprJOf{\AuthSignPublic}$\,.
|
||||
\end{formulae}
|
||||
|
||||
\vspace{1ex}
|
||||
|
@ -5412,6 +5421,7 @@ Define
|
|||
\item $\DiversifyHash(\Diversifier) := \GroupJHash{\NotUpMySleeve}(\ascii{Zcash\_gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier})$
|
||||
\end{formulae}
|
||||
|
||||
\vspace{-2ex}
|
||||
\securityrequirement{
|
||||
$\DiversifyHash$ must satisfy the Discrete Logarithm Independence property
|
||||
described in \crossref{abstractgrouphash}.
|
||||
|
@ -5423,7 +5433,7 @@ described in \crossref{abstractgrouphash}.
|
|||
\introlist
|
||||
\subsubsubsection{\PedersenHashFunction} \label{concretepedersenhash}
|
||||
|
||||
$\PedersenHash$ is an algebraic hash function with collision resistance
|
||||
$\PedersenHash$ is an algebraic \hashFunction with \collisionResistance
|
||||
(for fixed input length) derived from assumed hardness of the
|
||||
Discrete Logarithm Problem on the \jubjubCurve.
|
||||
It is based on the work of David Chaum, Ivan Damgård, Jeroen van de Graaf,
|
||||
|
@ -6181,7 +6191,7 @@ $\BindingSig$ and $\SpendAuthSig$.
|
|||
|
||||
Let $\RedJubjub$ be as defined in \crossref{concreteredjubjub}.
|
||||
|
||||
Let $\AuthSignBase = \FindGroupJHashOf{\ascii{Zcash\_G\_}, \ascii{}}$.
|
||||
Define $\AuthSignBase := \FindGroupJHashOf{\ascii{Zcash\_G\_}, \ascii{}}$.
|
||||
|
||||
$\SpendAuthSig$ is instantiated as $\RedJubjub$ with key re-randomization, and
|
||||
with generator $\GenG{} = \AuthSignBase$.
|
||||
|
@ -6645,6 +6655,7 @@ $\GroupJ$ has order $\ParamJ{h} \smult \ParamJ{r}$.
|
|||
|
||||
Let $\ellJ := 256$.
|
||||
|
||||
\introlist
|
||||
Define $\ItoLEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow \bitseq{\ell}$
|
||||
as in \crossref{endian}.
|
||||
|
||||
|
@ -8359,7 +8370,7 @@ as its $\scriptPubKey$.
|
|||
\subsection{Changes to the Script System} \label{scripts}
|
||||
|
||||
The \ScriptOP{CODESEPARATOR} opcode has been disabled. This opcode also no longer
|
||||
affects the calculation of signature hashes.
|
||||
affects the calculation of \sighashTxHashes.
|
||||
|
||||
|
||||
\subsection{Bitcoin Improvement Proposals} \label{bips}
|
||||
|
@ -9484,7 +9495,7 @@ found by Brian Warner.
|
|||
and reencode the testnet \foundersReward addresses.
|
||||
\item Add a section on which BIPs apply to \Zcash.
|
||||
\item Specify that \ScriptOP{CODESEPARATOR} has been disabled, and
|
||||
no longer affects signature hashes.
|
||||
no longer affects \sighashTxHashes.
|
||||
\item Change the representation type of $\vpubOldField$ and $\vpubNewField$
|
||||
to \type{uint64}. (This is not a consensus change because the type of
|
||||
$\vpubOld$ and $\vpubNew$ was already specified to be $\range{0}{\MAXMONEY}$;
|
||||