Terminology and notation changes.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2018-02-07 11:05:39 +00:00
parent d4cf9d501e
commit 137121cf30
1 changed files with 49 additions and 33 deletions


@ -384,8 +384,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\primaryInputs}{\term{primary inputs}}
\newcommand{\auxiliaryInput}{\term{auxiliary input}}
\newcommand{\auxiliaryInputs}{\term{auxiliary inputs}}
\newcommand{\fullnode}{\term{full node}}
\newcommand{\fullnodes}{\term{full nodes}}
\newcommand{\fullValidator}{\term{full validator}}
\newcommand{\fullValidators}{\term{full validators}}
\newcommand{\anchor}{\term{anchor}}
\newcommand{\anchors}{\term{anchors}}
\newcommand{\block}{\term{block}}
@ -448,9 +448,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\outputUniqueValues}{\term{$\OutputUnique$-values}}
\newcommand{\outputUniquenessSet}{\term{$\OutputUnique$-uniqueness set}}
\newcommand{\OutputUniquenessSet}{\titleterm{\titlemu-Uniqueness Set}}
% Daira: This doesn't adequately distinguish between zk stuff and transparent stuff
\newcommand{\paymentAddress}{\term{payment address}}
\newcommand{\paymentAddresses}{\term{payment addresses}}
\newcommand{\paymentAddress}{\term{shielded payment address}}
\newcommand{\paymentAddresses}{\term{shielded payment addresses}}
\newcommand{\PaymentAddresses}{\titleterm{Shielded Payment Addresses}}
\newcommand{\diversifiedPaymentAddress}{\term{diversified payment address}}
\newcommand{\diversifiedPaymentAddresses}{\term{diversified payment addresses}}
\newcommand{\diversifier}{\term{diversifier}}
@ -471,8 +471,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\transmissionKeys}{\term{transmission keys}}
\newcommand{\diversifiedTransmissionKey}{\term{diversified transmission key}}
\newcommand{\diversifiedTransmissionKeys}{\term{diversified transmission keys}}
\newcommand{\authSigningKey}{\term{spend authorization key}}
\newcommand{\authSigningKeys}{\term{spend authorization keys}}
\newcommand{\authSigningKey}{\term{spend authorizing key}}
\newcommand{\authSigningKeys}{\term{spend authorizing keys}}
\newcommand{\delegatedProvingKey}{\term{delegated proving key}}
\newcommand{\delegatedProvingKeys}{\term{delegated proving keys}}
\newcommand{\humanReadablePart}{\term{Human-Readable Part}}
@ -558,7 +558,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\length}{\mathsf{length}}
\newcommand{\mean}{\mathsf{mean}}
\newcommand{\median}{\mathsf{median}}
\newcommand{\clamp}[2]{\mathsf{clamp\,}_{#1}^{#2}}
\newcommand{\bound}[2]{\mathsf{bound\,}_{#1}^{#2}}
\newcommand{\Lower}{\mathsf{lower}}
\newcommand{\Upper}{\mathsf{upper}}
\newcommand{\bitlength}{\mathsf{bitlength}}
@ -805,7 +805,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\NoteTuple}[1]{\mathbf{n}_{#1}}
\newcommand{\NoteType}{\mathsf{Note}}
\newcommand{\NotePlaintext}[1]{\mathbf{np}_{#1}}
\newcommand{\NoteCommitRand}{\mathsf{r}}
\newcommand{\NoteCommitRand}{\mathsf{\sprout{r}\notsprout{rcm}}}
\newcommand{\NoteCommitRandLength}{\mathsf{\ell_{\NoteCommitRand}}}
\newcommand{\NoteCommitRandOld}[1]{\NoteCommitRand^\mathsf{old}_{#1}}
\newcommand{\NoteCommitRandNew}[1]{\NoteCommitRand^\mathsf{new}_{#1}}
@ -871,7 +871,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\MaxActualTimespan}{\mathsf{MaxActualTimespan}}
\newcommand{\ActualTimespan}{\mathsf{ActualTimespan}}
\newcommand{\ActualTimespanDamped}{\mathsf{ActualTimespanDamped}}
\newcommand{\ActualTimespanClamped}{\mathsf{ActualTimespanClamped}}
\newcommand{\ActualTimespanBounded}{\mathsf{ActualTimespanBounded}}
\newcommand{\Threshold}{\mathsf{Threshold}}
\newcommand{\ThresholdBits}{\mathsf{ThresholdBits}}
@ -934,7 +934,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\dataToBeSigned}{\mathsf{dataToBeSigned}}
% Merkle tree
\newcommand{\MerkleDepth}{\mathsf{d_{Merkle}}}
\newcommand{\MerkleDepth}{\mathsf{MerkleDepth}}
\newcommand{\MerkleNode}[2]{\mathsf{M}^{#1}_{#2}}
\newcommand{\MerkleSibling}{\mathsf{sibling}}
\newcommand{\MerkleCRH}{\mathsf{MerkleCRH}}
@ -1062,7 +1063,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ParamPexp}[2]{{{#1}_\mathbb{P}\!}^{#2}}
\newcommand{\GroupP}[1]{\mathbb{P}_{#1}}
\newcommand{\GroupPstar}[1]{\mathbb{P}^\ast_{#1}}
\newcommand{\GroupPHash}[1]{\mathsf{GH}^\mathbb{P}_{#1}}
\newcommand{\GroupPHash}[1]{\mathsf{GroupHash}^\GroupP{#1}}
\newcommand{\CurveP}[1]{\Curve_{\GroupP{#1}}}
\newcommand{\ZeroP}[1]{\Zero_{\GroupP{#1}}}
\newcommand{\GenP}[1]{\Generator_{\GroupP{#1}}}
@ -1076,7 +1077,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ParamGexp}[2]{{{#1}_\mathbb{G}\!}^{#2}}
\newcommand{\GroupG}[1]{\mathbb{G}_{#1}}
\newcommand{\GroupGstar}[1]{\mathbb{G}^\ast_{#1}}
\newcommand{\GroupGHash}[1]{\mathsf{GH}^\mathbb{G}_{#1}}
\newcommand{\GroupGHash}[1]{\mathsf{GroupHash}^\GroupG{#1}}
\newcommand{\CurveG}[1]{\Curve_{\GroupG{#1}}}
\newcommand{\ZeroG}[1]{\Zero_{\GroupG{#1}}}
\newcommand{\GenG}[1]{\Generator_{\GroupG{#1}}}
@ -1090,7 +1091,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ParamSexp}[2]{{{#1}_\mathbb{\hskip 0.03em S}\!}^{#2}}
\newcommand{\GroupS}[1]{\mathbb{S}_{#1}}
\newcommand{\GroupSstar}[1]{\mathbb{S}^\ast_{#1}}
\newcommand{\GroupSHash}[1]{\mathsf{GH}^\mathbb{S}_{#1}}
\newcommand{\GroupSHash}[1]{\mathsf{GroupHash}^\mathbb{S}_{#1}}
\newcommand{\CurveS}[1]{\Curve_{\GroupS{#1}}}
\newcommand{\ZeroS}[1]{\Zero_{\GroupS{#1}}}
\newcommand{\GenS}[1]{\Generator_{\GroupS{#1}}}
@ -1103,7 +1104,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ParamJ}[1]{{{#1}_\mathbb{\hskip 0.01em J}}}
\newcommand{\ParamJexp}[2]{{{#1}_\mathbb{\hskip 0.01em J}\!}^{#2}}
\newcommand{\GroupJ}{\mathbb{J}}
\newcommand{\GroupJHash}{\mathsf{GH}^\mathbb{J}}
\newcommand{\GroupJHash}[1]{\mathsf{GroupHash}^\mathbb{J}_{#1}}
\newcommand{\CurveJ}{\Curve_{\GroupJ}}
\newcommand{\ZeroJ}{\Zero_{\GroupJ}}
\newcommand{\GenJ}{\Generator_{\GroupJ}}
@ -1661,7 +1662,7 @@ $\Memo$ represents a \memo associated with this \note. The usage of the
\nsubsection{The Block Chain} \label{blockchain}
At a given point in time, each \fullnode is aware of a set of candidate
At a given point in time, each \fullValidator is aware of a set of candidate
\blocks. These form a tree rooted at the \genesisBlock, where each node
in the tree refers to its parent via the $\hashPrevBlock$ \blockHeader field
(see \crossref{blockheader}).
@ -1812,7 +1813,7 @@ is denoted $\MerkleNode{h}{i}$.
\nsubsection{\NullifierSets} \label{nullifierset}
Each \fullnode maintains a \nullifierSet logically associated with each \treestate.
Each \fullValidator maintains a \nullifierSet logically associated with each \treestate.
As valid \transactions containing \joinSplitTransfers are processed, the \nullifiers
revealed in \joinSplitDescriptions are inserted into this \nullifierSet.
@ -4463,7 +4464,7 @@ be the constant defined in \crossref{constants}.
\item \todo{Other rules inherited from \Bitcoin.}
\end{consensusrules}
In addition, a \fullnode{} \MUSTNOT accept \blocks with $\nTimeField$ more than two hours
In addition, a \fullValidator{} \MUSTNOT accept \blocks with $\nTimeField$ more than two hours
in the future according to its clock. This is not strictly a consensus rule because it is
nondeterministic, and clock time varies between nodes. Also note that a \block that is
rejected by this rule at a given point in time may later be accepted.
@ -4691,7 +4692,7 @@ Define:
\hfuzz=10pt
\item $\mean(S) := \left( \vsum{i=1}{\length(S)} S_i \right) \raisebox{-0.4ex}{\scalebox{1.4}{/\,}} \length(S)$.
\item $\median(S) := \sorted(S)_{\ceiling{\length(S) / 2}}$
\item $\clamp{\Lower}{\Upper}(x) := \maximum(\Lower, \minimum(\Upper, x)))$
\item $\bound{\Lower}{\Upper}(x) := \maximum(\Lower, \minimum(\Upper, x)))$
\item $\trunc{x} := \begin{cases}
\floor{x},&\caseif x \geq 0 \\
-\floor{-x},&\caseotherwise
@ -4704,7 +4705,7 @@ Define:
\maximum(0, \BlockHeight - \PoWMedianBlockSpan) \upto \BlockHeight - 1})$
\item $\ActualTimespan(\BlockHeight) := \MedianTime(\BlockHeight) - \MedianTime(\BlockHeight - \PoWAveragingWindow)$
\item $\ActualTimespanDamped(\BlockHeight) := \AveragingWindowTimespan + \trunc{\scalebox{0.98}{\hfrac{\ActualTimespan(\BlockHeight) - \AveragingWindowTimespan}{\PoWDampingFactor}}}$
\item $\ActualTimespanClamped(\BlockHeight) := \clamp{\MinActualTimespan}{\MaxActualTimespan}(\ActualTimespanDamped(\BlockHeight))$
\item $\ActualTimespanBounded(\BlockHeight) := \bound{\MinActualTimespan}{\MaxActualTimespan}(\ActualTimespanDamped(\BlockHeight))$
\item $\MeanTarget(\BlockHeight) := \begin{cases}
\PoWLimit, \hspace{16em}\text{if } \BlockHeight \leq \PoWAveragingWindow \\
\mean(\listcomp{\ToTarget(\nBits(i)) \for i \from \BlockHeight - \PoWAveragingWindow \upto \BlockHeight - 1}),\\
@ -4720,7 +4721,7 @@ The \targetThreshold for a given \blockHeight $\BlockHeight$ is then calculated
\item $\Threshold(\BlockHeight) \hspace{0.43em} := \hspace{0.43em} \begin{cases}
\PoWLimit, \hspace{16em}\text{if } \BlockHeight = 0 \\
\minimum(\PoWLimit, \floor{\hfrac{\MeanTarget(\BlockHeight)}{\AveragingWindowTimespan}}
\mult \ActualTimespanClamped(\BlockHeight)),\\
\mult \ActualTimespanBounded(\BlockHeight)),\\
\hspace{20.7em}\text{otherwise}
\end{cases}$
\item $\ThresholdBits(\BlockHeight) := \ToCompact(\Threshold(\BlockHeight))$.
@ -4728,7 +4729,7 @@ The \targetThreshold for a given \blockHeight $\BlockHeight$ is then calculated
\pnote{
The convention used for the height parameters to $\MedianTime$, $\ActualTimespan$,
$\ActualTimespanDamped$, $\ActualTimespanClamped$, $\MeanTarget$, $\Threshold$, and
$\ActualTimespanDamped$, $\ActualTimespanBounded$, $\MeanTarget$, $\Threshold$, and
$\ThresholdBits$ is that these functions use only information from \blocks \emph{preceding}
the given \blockHeight.
}
@ -4777,9 +4778,9 @@ $\MaxBlockSubsidy$, and $\FoundersFraction$ are instantiated in \crossref{consta
\item $\SlowStartRate \typecolon \Nat := \hfrac{\MaxBlockSubsidy}{\SlowStartInterval}$
\item $\Halving(\BlockHeight) := \floor{\hfrac{\BlockHeight - \SlowStartShift}{\HalvingInterval}}$
\item $\BlockSubsidy(\BlockHeight) := \begin{cases}
\SlowStartRate \mult \BlockHeight,&\!\!\text{if } \BlockHeight < \hfrac{\SlowStartInterval}{2} \\[1.4ex]
\SlowStartRate \mult (\BlockHeight + 1),&\!\!\text{if } \hfrac{\SlowStartInterval}{2} \leq \BlockHeight < \SlowStartInterval \\[1.4ex]
\floor{\hfrac{\MaxBlockSubsidy}{2^{\Halving(\BlockHeight)}}},&\!\!\text{otherwise}
\SlowStartRate \mult \BlockHeight,&\caseif \BlockHeight < \hfrac{\SlowStartInterval}{2} \\[1.4ex]
\SlowStartRate \mult (\BlockHeight + 1),&\caseif \hfrac{\SlowStartInterval}{2} \leq \BlockHeight < \SlowStartInterval \\[1.4ex]
\floor{\hfrac{\MaxBlockSubsidy}{2^{\Halving(\BlockHeight)}}},&\caseotherwise
\end{cases}$
\item $\FoundersReward(\BlockHeight) := \begin{cases}
@ -5493,6 +5494,21 @@ The errors in the proof of Ledger Indistinguishability mentioned in
\introsection
\nsection{Change History}
\subparagraph{2018.0-beta-7}
\begin{itemize}
\item Rename $\mathsf{clamp}$ to $\mathsf{bound}$ and
$\mathsf{ActualTimespanClamped}$ to $\ActualTimespanBounded$
in the difficulty adjustment algorithm, to avoid a name
collision with Curve25519 scalar ``clamping''.
\item Change uses of the term \term{full node} to \fullValidator.
A \term{full node} by definition participates in the
peer-to-peer network, whereas a \fullValidator just needs a copy
of the \blockchain from somewhere. The latter is what was meant.
\end{itemize}
\introlist
\subparagraph{2018.0-beta-6}
\begin{itemize}
@ -6165,16 +6181,16 @@ If the base point $B$ is fixed for a given scalar multiplication $\scalarmult{k}
we can fully precompute window tables for each window position.
It is most efficient to use $3$-bit fixed windows. Since the length of
$\ParamG{s}$ is $252$ bits, we need $84$ windows.
$\ParamJ{r}$ is $252$ bits, we need $84$ windows.
Let $k = \vsum{i=0}{83} k_i \smult 8^i$.
Express $k$ in base $8$, i.e.\ $k = \vsum{i=0}{83} k_i \smult 8^i$.
Then $\scalarmult{k}{B} = \vsum{i=0}{83} w_{i,\,k_i}$, where
$w_{i,\,k_i} = \scalarmult{k_i \smult 8^i}{B}$.
Then $\scalarmult{k}{B} = \vsum{i=0}{83} w_{(B,\,i,\,k_i)}$, where
$w_{(B,\,i,\,k_i)} = \scalarmult{k_i \smult 8^i}{B}$.
We precompute all of $w_{i,\,s}$ for $i \in \range{0}{83}, s \in \range{0}{7}$.
We precompute all of $w_{(B,\,i,\,s)}$ for $i \in \range{0}{83}, s \in \range{0}{7}$.
To look up a given window entry $w_{i,\,s} = (u_s, \varv_s)$, where
To look up a given window entry $w_{(B,\,i,\,s)} = (u_s, \varv_s)$, where
$s = 4 \smult s_2 + 2 \smult s_1 + s_0$, we use:
\begin{formulae}
@ -6183,13 +6199,13 @@ $s = 4 \smult s_2 + 2 \smult s_1 + s_0$, we use:
- u_1 \smult s_0 \plus u_2 \smult s\suband - u_2 \smult s_1 - u_3 \smult s\suband \\
\mhspace{2.91em} \plus u_4 \smult s\suband - u_4 \smult s_1 - u_4 \smult s_0 \plus u_4 - u_5 \smult s\suband
\plus u_5 \smult s_0 - u_6 \smult s\suband \plus u_6 \smult s_1 \plus u_7 \smult s\suband) = \\
\mhspace{1.52em} \lincomb{u_r - u_0 \smult s\suband \plus u_0 \smult s_1 \plus u_0 \smult s_0 - u_0 \plus u_1 \smult s\suband
\mhspace{1.52em} \lincomb{u_s - u_0 \smult s\suband \plus u_0 \smult s_1 \plus u_0 \smult s_0 - u_0 \plus u_1 \smult s\suband
- u_1 \smult s_0 \plus u_2 \smult s\suband - u_2 \smult s_1 - u_3 \smult s\suband}$
\item $\lincomb{s_2} \times (-\hairspace \vv_0 \smult s\suband \plus \vv_0 \smult s_1 \plus \vv_0 \smult s_0 - \vv_0 \plus \vv_1 \smult s\suband
- \vv_1 \smult s_0 \plus \vv_2 \smult s\suband - \vv_2 \smult s_1 - \vv_3 \smult s\suband \\
\mhspace{2.91em} \plus \vv_4 \smult s\suband - \vv_4 \smult s_1 - \vv_4 \smult s_0 \plus \vv_4 - \vv_5 \smult s\suband
\plus \vv_5 \smult s_0 - \vv_6 \smult s\suband \plus \vv_6 \smult s_1 \plus \vv_7 \smult s\suband) = \\
\mhspace{1.52em} \lincomb{\vv_r - \vv_0 \smult s\suband \plus \vv_0 \smult s_1 \plus \vv_0 \smult s_0 - \vv_0 \plus \vv_1 \smult s\suband
\mhspace{1.52em} \lincomb{\vv_s - \vv_0 \smult s\suband \plus \vv_0 \smult s_1 \plus \vv_0 \smult s_0 - \vv_0 \plus \vv_1 \smult s\suband
- \vv_1 \smult s_0 \plus \vv_2 \smult s\suband - \vv_2 \smult s_1 - \vv_3 \smult s\suband}$
\end{formulae}
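Review bot: The renamed definition `\bound{\Lower}{\Upper}(x) := \maximum(\Lower, \minimum(\Upper, x)))` in the `@ -4691,7 +4692,7 @@` hunk still closes three parentheses against two opened, so the rendered formula carries a stray `)`. The line is already being touched for the clamp-to-bound rename, so the extra one can be dropped here: `\item $\bound{\Lower}{\Upper}(x) := \maximum(\Lower, \minimum(\Upper, x))$`. This definition feeds `\ActualTimespanBounded` and through it `\Threshold` in the difficulty adjustment, which implementers transcribe literally, so the expression should be balanced. The enclosing list begins and ends outside the hunk.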