Improve macros for list comprehensions, case expressions, and formula blocks.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2017-01-19 22:46:40 +00:00
parent 90563ab376
commit 1982700426
1 changed files with 122 additions and 89 deletions


@ -64,6 +64,9 @@
\setlist[itemize]{itemsep=0.5ex,topsep=0.2ex,after=\vspace{1.5ex}} \setlist[itemize]{itemsep=0.5ex,topsep=0.2ex,after=\vspace{1.5ex}}
\newlist{formulae}{itemize}{3}
\setlist[formulae]{itemsep=0.2ex,topsep=0ex,leftmargin=1.5em,label=,before=\vspace{-1ex},after=\vspace{1.5ex}}
\newcommand{\docversion}{Version unavailable (check protocol.ver)} \newcommand{\docversion}{Version unavailable (check protocol.ver)}
\InputIfFileExists{protocol.ver}{}{} \InputIfFileExists{protocol.ver}{}{}
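Review bot: the new `formulae` list is defined without any comment on what it is for or why it needs `before=\vspace{-1ex}` next to `topsep=0ex`. A one-line comment above `\newlist{formulae}{itemize}{3}` saying that it replaces the ad-hoc `\hskip ... $...$` and `\item[]` display formulae, and that the negative `before` skip compensates for the paragraph break in front of each block, would make the spacing values easier to adjust later. It would also help to note there that callers may override `leftmargin` per use, since two later hunks do exactly that.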
@ -299,6 +302,14 @@
\newcommand{\bitseq}[1]{\typeexp{\bit}{#1}} \newcommand{\bitseq}[1]{\typeexp{\bit}{#1}}
\newcommand{\byteseqs}{\typeexp{\bit}{8\mult\Nat}} \newcommand{\byteseqs}{\typeexp{\bit}{8\mult\Nat}}
\newcommand{\concatbits}{\mathsf{concat}_\bit} \newcommand{\concatbits}{\mathsf{concat}_\bit}
\newcommand{\listcomp}[1]{[~{#1}~]}
\newcommand{\for}{\text{ for }}
\newcommand{\from}{\text{ from }}
\newcommand{\upto}{\text{ up to }}
\newcommand{\downto}{\text{ down to }}
\newcommand{\squash}{\!\!\!}
\newcommand{\caseif}{\squash\text{if }}
\newcommand{\caseotherwise}{\squash\text{otherwise}}
\newcommand{\hexint}[1]{\mathbf{0x{#1}}} \newcommand{\hexint}[1]{\mathbf{0x{#1}}}
\newcommand{\dontcare}{\kern -0.06em\raisebox{0.1ex}{\footnotesize{$\times$}}} \newcommand{\dontcare}{\kern -0.06em\raisebox{0.1ex}{\footnotesize{$\times$}}}
\newcommand{\ascii}[1]{\textbf{``\texttt{#1}"}} \newcommand{\ascii}[1]{\textbf{``\texttt{#1}"}}
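Review bot: `\listcomp` pads the brackets with `~`, a full interword space, whereas the hand-written comprehensions it replaces used `\hairspace` inside the brackets (Merkle path) or `\,` before the closing bracket (notation section), so the rendered spacing changes rather than just the source. If the tighter look was intentional, define it as `[\hairspace{#1}\hairspace]`. Separately, `\for`, `\from`, `\upto` and `\downto` are very generic names for document-level macros; because they are created with `\newcommand`, any package that later defines one of them will break the build, so a short prefix would be safer. `\squash` would also benefit from a comment saying it exists to pull the `if`/`otherwise` text back toward the `&` column in `cases`.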
@ -832,9 +843,9 @@ notwithstanding the compelling arguments to the contrary made in
The notation $\range{a}{b}$ means the set or type of integers from $a$ through The notation $\range{a}{b}$ means the set or type of integers from $a$ through
$b$ inclusive. $b$ inclusive.
The notation $[f(x)$ for $x$ from $a$ up to $b\,]$ means the sequence The notation $\listcomp{f(x) \for x \from a \upto b}$ means the sequence
formed by evaluating $f$ on each integer from $a$ to $b$ inclusive, in formed by evaluating $f$ on each integer from $a$ to $b$ inclusive, in
ascending order. Similarly, $[f(x)$ for $x$ from $a$ down to $b\,]$ means ascending order. Similarly, $\listcomp{f(x) \for x \from a \downto b}$ means
the sequence formed by evaluating $f$ on each integer from $a$ to $b$ the sequence formed by evaluating $f$ on each integer from $a$ to $b$
inclusive, in descending order. inclusive, in descending order.
@ -1464,9 +1475,9 @@ The $\ephemeralKey$ and $\encCiphertexts$ fields together form the \notesCiphert
The value $\hSig$ is also computed from \changed{$\RandomSeed$, $\nfOld{\allOld}$, and} the The value $\hSig$ is also computed from \changed{$\RandomSeed$, $\nfOld{\allOld}$, and} the
$\joinSplitPubKey$ of the containing \transaction: $\joinSplitPubKey$ of the containing \transaction:
\begin{itemize} \begin{formulae}
\item[] $\hSig := \hSigCRH(\changed{\RandomSeed, \nfOld{\allOld},\,} \joinSplitPubKey)$. \item $\hSig := \hSigCRH(\changed{\RandomSeed, \nfOld{\allOld},\,} \joinSplitPubKey)$.
\end{itemize} \end{formulae}
$\hSigCRH$ is instantiated in \crossref{hsigcrh}. $\hSigCRH$ is instantiated in \crossref{hsigcrh}.
@ -1486,7 +1497,9 @@ In order to send \shielded value, the sender constructs a \transaction
containing one or more \joinSplitDescriptions. This involves first generating containing one or more \joinSplitDescriptions. This involves first generating
a new $\JoinSplitSig$ key pair: a new $\JoinSplitSig$ key pair:
\hskip 1.5em $(\joinSplitPrivKey, \joinSplitPubKey) \leftarrowR \JoinSplitSigGen()$. \begin{formulae}
\item $(\joinSplitPrivKey, \joinSplitPubKey) \leftarrowR \JoinSplitSigGen()$.
\end{formulae}
For each \joinSplitDescription, the sender chooses $\RandomSeed$ uniformly at For each \joinSplitDescription, the sender chooses $\RandomSeed$ uniformly at
random on $\bitseq{\RandomSeedLength}$, and selects random on $\bitseq{\RandomSeedLength}$, and selects
@ -1513,7 +1526,9 @@ After generating all of the \joinSplitDescriptions, the sender obtains the
$\dataToBeSigned$ (\crossref{nonmalleability}), and signs it with $\dataToBeSigned$ (\crossref{nonmalleability}), and signs it with
the private \joinSplitSigningKey: the private \joinSplitSigningKey:
\hskip 1.5em $\joinSplitSig \leftarrowR \JoinSplitSigSign{\text{\small\joinSplitPrivKey}}(\dataToBeSigned)$ \begin{formulae}
\item $\joinSplitSig \leftarrowR \JoinSplitSigSign{\text{\small\joinSplitPrivKey}}(\dataToBeSigned)$
\end{formulae}
Then the encoded \transaction including $\joinSplitSig$ is submitted to the network. Then the encoded \transaction including $\joinSplitSig$ is submitted to the network.
@ -1568,17 +1583,22 @@ The \merkleNodes at \merkleLayers $0$ to $\MerkleDepth-1$ inclusive are called
\MerkleInternalNodes are computed from their children in the next \merkleLayer \MerkleInternalNodes are computed from their children in the next \merkleLayer
as follows: for $0 \leq h < \MerkleDepth$ and $0 \leq i < 2^h$, as follows: for $0 \leq h < \MerkleDepth$ and $0 \leq i < 2^h$,
\hskip 2em $\MerkleNode{h}{i} := \MerkleCRH(\MerkleNode{h+1}{2i}, \MerkleNode{h+1}{2i+1})$. \begin{formulae}
\item $\MerkleNode{h}{i} := \MerkleCRH(\MerkleNode{h+1}{2i}, \MerkleNode{h+1}{2i+1})$.
\end{formulae}
A \merklePath from \merkleLeafNode $\MerkleNode{\MerkleDepth}{i}$ in the A \merklePath from \merkleLeafNode $\MerkleNode{\MerkleDepth}{i}$ in the
\incrementalMerkleTree is the sequence \incrementalMerkleTree is the sequence
\hskip 2em $[\hairspace\MerkleNode{h}{\MerkleSibling(h, i)} \text{ for } \begin{formulae}
h \text{ from } \MerkleDepth \text{ down to } 1\hairspace]$, \item $\listcomp{\MerkleNode{h}{\MerkleSibling(h, i)} \for
h \from \MerkleDepth \downto 1}$,
\end{formulae}
where where
\begin{formulae}
\hskip 2em $\MerkleSibling(h, i) = \floor{\frac{i}{2^{\MerkleDepth-h}}} \xor 1$ \item $\MerkleSibling(h, i) := \floor{\frac{i}{2^{\MerkleDepth-h}}} \xor 1$
\end{formulae}
Given such a \merklePath, it is possible to verify that \merkleLeafNode Given such a \merklePath, it is possible to verify that \merkleLeafNode
$\MerkleNode{\MerkleDepth}{i}$ is in a tree with a given \merkleRoot $\rt = \MerkleNode{0}{0}$. $\MerkleNode{\MerkleDepth}{i}$ is in a tree with a given \merkleRoot $\rt = \MerkleNode{0}{0}$.
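Review bot: in the `\MerkleSibling(h, i)` line the relation changes from `=` to `:=`, which is a notation change to the specification text and not part of the macro clean-up the commit message describes. It reads as correct (this is the defining occurrence), but it should be mentioned in the commit message or split out so it is not lost among the layout changes. The sentence also now ends without punctuation: the comprehension item ends with a comma, then "where", then the `\MerkleSibling` item with no closing period, unlike the `\MerkleNode{h}{i}` item above it.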
@ -1661,8 +1681,8 @@ exists in the set.
A valid instance of $\JoinSplitProof$ assures that given a \term{primary input}: A valid instance of $\JoinSplitProof$ assures that given a \term{primary input}:
\begin{itemize} \begin{formulae}
\item[] $(\rt \typecolon \MerkleHash, \item $(\rt \typecolon \MerkleHash,
\nfOld{\allOld} \typecolon \typeexp{\PRFOutput}{\NOld}, \nfOld{\allOld} \typecolon \typeexp{\PRFOutput}{\NOld},
\cmNew{\allNew} \typecolon \typeexp{\CommitOutput}{\NNew}, \cmNew{\allNew} \typecolon \typeexp{\CommitOutput}{\NNew},
\changed{\vpubOld \typecolon \range{0}{2^{64}-1},}\, \changed{\vpubOld \typecolon \range{0}{2^{64}-1},}\,
@ -1670,28 +1690,28 @@ A valid instance of $\JoinSplitProof$ assures that given a \term{primary input}:
\hphantom{(} \hphantom{(}
\hSig \typecolon \hSigType, \hSig \typecolon \hSigType,
\h{\allOld} \typecolon \typeexp{\PRFOutput}{\NOld})$, \h{\allOld} \typecolon \typeexp{\PRFOutput}{\NOld})$,
\end{itemize} \end{formulae}
the prover knows an \term{auxiliary input}: the prover knows an \term{auxiliary input}:
\begin{itemize} \begin{formulae}
\item[] $(\treepath{\allOld} \typecolon \typeexp{\typeexp{\MerkleHash}{\MerkleDepth}}{\NOld}, \item $(\treepath{\allOld} \typecolon \typeexp{\typeexp{\MerkleHash}{\MerkleDepth}}{\NOld},
\nOld{\allOld} \typecolon \typeexp{\NoteType}{\NOld}, \nOld{\allOld} \typecolon \typeexp{\NoteType}{\NOld},
\AuthPrivateOld{\allOld} \typecolon \typeexp{\bitseq{\AuthPrivateLength}}{\NOld}, \AuthPrivateOld{\allOld} \typecolon \typeexp{\bitseq{\AuthPrivateLength}}{\NOld},
\nNew{\allNew} \typecolon \typeexp{\NoteType}{\NOld}\changed{,}\\ \nNew{\allNew} \typecolon \typeexp{\NoteType}{\NOld}\changed{,}\\
\hphantom{(} \hphantom{(}
\changed{\NoteAddressPreRand \typecolon \bitseq{\NoteAddressPreRandLength}, \changed{\NoteAddressPreRand \typecolon \bitseq{\NoteAddressPreRandLength},
\EnforceCommit{\allOld} \typecolon \bitseq{\NOld}})$, \EnforceCommit{\allOld} \typecolon \bitseq{\NOld}})$,
\end{itemize} \end{formulae}
where: where:
\begin{itemize} \begin{formulae}
\item[] for each $i \in \setofOld$: $\nOld{i} = (\AuthPublicOld{i}, \item for each $i \in \setofOld$: $\nOld{i} = (\AuthPublicOld{i},
\vOld{i}, \NoteAddressRandOld{i}, \NoteCommitRandOld{i})$; \vOld{i}, \NoteAddressRandOld{i}, \NoteCommitRandOld{i})$;
\item[] for each $i \in \setofNew$: $\nNew{i} = (\AuthPublicNew{i}, \item for each $i \in \setofNew$: $\nNew{i} = (\AuthPublicNew{i},
\vNew{i}, \NoteAddressRandNew{i}, \NoteCommitRandNew{i})$ \vNew{i}, \NoteAddressRandNew{i}, \NoteCommitRandNew{i})$
\end{itemize} \end{formulae}
such that the following conditions hold: such that the following conditions hold:
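Review bot: the unchanged context line in the auxiliary input types `\nNew{\allNew}` as `\typeexp{\NoteType}{\NOld}`, while the primary input just above indexes the other new-side value, `\cmNew{\allNew}`, by `\NNew`. Since these lines are being touched anyway, please confirm whether `\NOld` is intended there or should be `\NNew`. With `\NOld` and `\NNew` both defined as 2 in the constants hunk the two are numerically the same today, so this affects only the consistency of the stated types. Also note that the last "for each $i \in \setofNew$" item still has no terminating punctuation before "such that the following conditions hold".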
@ -1922,11 +1942,11 @@ clarify their position in each case.
\end{lrbox} \end{lrbox}
For example, the following diagrams are all equivalent: For example, the following diagrams are all equivalent:
\begin{itemize} \begin{formulae}
\item[] $\Justthebox{\exampleabox}$ \item $\Justthebox{\exampleabox}$
\item[] $\Justthebox{\examplebbox}$ \item $\Justthebox{\examplebbox}$
\item[] $\Justthebox{\examplecbox}$ \item $\Justthebox{\examplecbox}$
\end{itemize} \end{formulae}
and represent the byte sequence $[\hexint{D2}, \hexint{BC}, \hexint{3A}, \hexint{12}]$. and represent the byte sequence $[\hexint{D2}, \hexint{BC}, \hexint{3A}, \hexint{12}]$.
\end{comment} \end{comment}
@ -1935,25 +1955,25 @@ and represent the byte sequence $[\hexint{D2}, \hexint{BC}, \hexint{3A}, \hexint
Define: Define:
\begin{itemize} \begin{formulae}
\item[] $\MerkleDepth \typecolon \Nat := \changed{29}$ \item $\MerkleDepth \typecolon \Nat := \changed{29}$
\item[] $\NOld \typecolon \Nat := 2$ \item $\NOld \typecolon \Nat := 2$
\item[] $\NNew \typecolon \Nat := 2$ \item $\NNew \typecolon \Nat := 2$
\item[] $\MerkleHashLength \typecolon \Nat := 256$ \item $\MerkleHashLength \typecolon \Nat := 256$
\item[] $\hSigLength \typecolon \Nat := 256$ \item $\hSigLength \typecolon \Nat := 256$
\item[] $\PRFOutputLength \typecolon \Nat := 256$ \item $\PRFOutputLength \typecolon \Nat := 256$
\item[] $\NoteCommitRandLength \typecolon \Nat := \changed{256}$ \item $\NoteCommitRandLength \typecolon \Nat := \changed{256}$
\item[] $\changed{\RandomSeedLength \typecolon \Nat := 256}$ \item $\changed{\RandomSeedLength \typecolon \Nat := 256}$
\item[] $\AuthPrivateLength \typecolon \Nat := \changed{252}$ \item $\AuthPrivateLength \typecolon \Nat := \changed{252}$
\item[] $\changed{\NoteAddressPreRandLength \typecolon \Nat := 252}$ \item $\changed{\NoteAddressPreRandLength \typecolon \Nat := 252}$
\item[] $\Uncommitted \typecolon \bitseq{\MerkleHashLength} := \zeros{\MerkleHashLength}$ \item $\Uncommitted \typecolon \bitseq{\MerkleHashLength} := \zeros{\MerkleHashLength}$
\item[] $\MAXMONEY \typecolon \Nat := \changed{2.1 \mult 10^{15}}$ (\zatoshi) \item $\MAXMONEY \typecolon \Nat := \changed{2.1 \mult 10^{15}}$ (\zatoshi)
\item[] $\SlowStartInterval \typecolon \Nat := 20000$ \item $\SlowStartInterval \typecolon \Nat := 20000$
\item[] $\HalvingInterval \typecolon \Nat := 840000$ \item $\HalvingInterval \typecolon \Nat := 840000$
\item[] $\MaxBlockSubsidy \typecolon \Nat := 1.25 \mult 10^9$ (\zatoshi) \item $\MaxBlockSubsidy \typecolon \Nat := 1.25 \mult 10^9$ (\zatoshi)
\item[] $\NumFounderAddresses \typecolon \Nat := 48$ \item $\NumFounderAddresses \typecolon \Nat := 48$
\item[] $\FoundersFraction \typecolon \Rat := \frac{1}{5}$. \item $\FoundersFraction \typecolon \Rat := \frac{1}{5}$
\end{itemize} \end{formulae}
\nsubsection{Concrete Cryptographic Functions} \nsubsection{Concrete Cryptographic Functions}
@ -1972,7 +1992,9 @@ and produces a 256-bit hash. \cite{NIST2015}
\end{bytefield} \end{bytefield}
\end{lrbox} \end{lrbox}
\hskip 2em $\MerkleCRH(\mathsf{left}, \mathsf{right}) := \CRHbox{\merklebox}$. \begin{formulae}
\item $\MerkleCRH(\mathsf{left}, \mathsf{right}) := \CRHbox{\merklebox}$.
\end{formulae}
\pnote{ \pnote{
$\SHA$ is not the same as the $\FullHashName$ function, which hashes arbitrary-length $\SHA$ is not the same as the $\FullHashName$ function, which hashes arbitrary-length
@ -2000,11 +2022,14 @@ such that $\SHA(x) = \zeros{256}$.
$\hSigCRH$ is used to compute the value $\hSig$ in \crossref{joinsplitdesc}. $\hSigCRH$ is used to compute the value $\hSig$ in \crossref{joinsplitdesc}.
\changed{ \changed{
\hskip 1.5em $\hSigCRH(\RandomSeed, \nfOld{\allOld}, \joinSplitPubKey) := \Blake{256}(\ascii{ZcashComputehSig},\; \hSigInput)$ \begin{formulae}
\item $\hSigCRH(\RandomSeed, \nfOld{\allOld}, \joinSplitPubKey) := \Blake{256}(\ascii{ZcashComputehSig},\; \hSigInput)$
\end{formulae}
where where
\begin{formulae}
\hskip 1.5em $\hSigInput := \Justthebox{\hsigbox}$. \item $\hSigInput := \Justthebox{\hsigbox}$.
\end{formulae}
} }
$\Blake{256}(p, x)$ refers to unkeyed $\Blake{256}$ $\Blake{256}(p, x)$ refers to unkeyed $\Blake{256}$
@ -2046,11 +2071,11 @@ Let $\powcount(g) := \Justthebox{\powcountbox}$.
\vspace{2ex} \vspace{2ex}
% Blech. Dijkstra was right \cite{EWD831}. % Blech. Dijkstra was right \cite{EWD831}.
Let $\EquihashGen{n, k}(S, i) := T_{h+1\hairspace..\hairspace h+n}$, where Let $\EquihashGen{n, k}(S, i) := T_{h+1\hairspace..\hairspace h+n}$, where
\begin{itemize} \begin{formulae}
\item $m := \floor{\frac{512}{n}}$; \item $m := \floor{\frac{512}{n}}$;
\item $h := (i-1 \bmod m) \mult n$; \item $h := (i-1 \bmod m) \mult n$;
\item $T := \Blake{(\mathnormal{n \mult m})}(\powtag,\, S \,||\, \powcount(\floor{\frac{i-1}{m}}))$. \item $T := \Blake{(\mathnormal{n \mult m})}(\powtag,\, S \,||\, \powcount(\floor{\frac{i-1}{m}}))$.
\end{itemize} \end{formulae}
Indices of bits in $T$ are 1-based. Indices of bits in $T$ are 1-based.
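Review bot: the three definitions of $m$, $h$ and $T$ were previously plain `\item` entries in `itemize`, so they rendered with bullets; moving them to `formulae` (which sets `label=`) removes the bullets and changes the indent. Every other conversion in this patch starts from `\item[]` or `\hskip`, where nothing visible changes apart from spacing, so please confirm the unbulleted rendering is wanted here and was checked in the PDF.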
@ -2244,14 +2269,16 @@ Define $\KAAgree(n, q) := \CurveMultiply(n, q)$.
The \keyDerivationFunction specified in \crossref{abstractkdf} is instantiated The \keyDerivationFunction specified in \crossref{abstractkdf} is instantiated
using $\Blake{256}$ as follows: using $\Blake{256}$ as follows:
\hskip 1.5em $\KDF(i, \hSig, \DHSecret{i}, \EphemeralPublic, \TransmitPublicNew{i}) := \begin{formulae}
\item $\KDF(i, \hSig, \DHSecret{i}, \EphemeralPublic, \TransmitPublicNew{i}) :=
\Blake{256}(\kdftag, \kdfinput)$ \Blake{256}(\kdftag, \kdfinput)$
\end{formulae}
where: where:
\begin{formulae}
\hskip 1.5em $\kdftag := \Justthebox{\kdftagbox}$ \item $\kdftag := \Justthebox{\kdftagbox}$
\item $\kdfinput := \Justthebox{\kdfinputbox}$.
\hskip 1.5em $\kdfinput := \Justthebox{\kdfinputbox}$. \end{formulae}
} }
$\Blake{256}(p, x)$ refers to unkeyed $\Blake{256}$ $\Blake{256}(p, x)$ refers to unkeyed $\Blake{256}$
@ -2285,9 +2312,9 @@ $\JoinSplitSigSpecific$ is defined as using $\JoinSplitSigHashName$ internally.
\changed{ \changed{
The encoding of a signature is: The encoding of a signature is:
} }
\begin{itemize} \begin{formulae}
\item[] $\Justthebox{\sigbox}$ \item $\Justthebox{\sigbox}$
\end{itemize} \end{formulae}
\changed{ \changed{
where $\EdDSAR$ and $\EdDSAS$ are as defined in \cite{BDL+2012}. where $\EdDSAR$ and $\EdDSAS$ are as defined in \cite{BDL+2012}.
@ -2319,7 +2346,9 @@ The encoding of a public key is as defined in \cite{BDL+2012}.
The commitment scheme $\Commit{}$ specified in \crossref{abstractcomm} is The commitment scheme $\Commit{}$ specified in \crossref{abstractcomm} is
instantiated using $\FullHashName$ as follows: instantiated using $\FullHashName$ as follows:
\hskip 1em $\Commit{\NoteCommitRand}(\Value, \AuthPublic, \NoteAddressRand) := \FullHashbox{\cmbox}$. \begin{formulae}[leftmargin=1em]
\item $\Commit{\NoteCommitRand}(\Value, \AuthPublic, \NoteAddressRand) := \FullHashbox{\cmbox}$.
\end{formulae}
\pnote{ \pnote{
The leading byte of the $\FullHash$ input is $\hexint{B0}$. The leading byte of the $\FullHash$ input is $\hexint{B0}$.
@ -2667,7 +2696,10 @@ For a point $P \typecolon \GroupG{2} = (x_P, y_P)$:
Define $\FEtoIP \typecolon \GF{q^2} \rightarrow \range{0}{q^2\!-\!1}$ such that Define $\FEtoIP \typecolon \GF{q^2} \rightarrow \range{0}{q^2\!-\!1}$ such that
$\FEtoIP(w) = a_{w,1} \mult q + a_{w,0}$. $\FEtoIP(w) = a_{w,1} \mult q + a_{w,0}$.
\item Let $x = \FEtoIP(x_P)$, $y = \FEtoIP(y_P)$, and $y' = \FEtoIP(-y_P)$. \item Let $x = \FEtoIP(x_P)$, $y = \FEtoIP(y_P)$, and $y' = \FEtoIP(-y_P)$.
\item Let $\tilde{y} = \begin{cases} 1, &\text{if } y > y' \\0, &\text{otherwise.} \end{cases}$ \item Let $\tilde{y} = \begin{cases}
1, &\caseif y > y' \\
0, &\caseotherwise.
\end{cases}$
\item $P$ is encoded as $\Justthebox{\gtwobox}$. \item $P$ is encoded as $\Justthebox{\gtwobox}$.
\end{itemize} \end{itemize}
@ -2709,9 +2741,9 @@ exists, or that the encoding represents a point on the curve.
A proof is encoded by concatenating the encodings of its elements: A proof is encoded by concatenating the encodings of its elements:
\vspace{1.5ex} \begin{formulae}[leftmargin=0.2em]
\hskip 0.2em $\Justthebox{\proofbox}$ \item $\Justthebox{\proofbox}$
\vspace{1ex} \end{formulae}
The resulting proof size is 296 bytes. The resulting proof size is 296 bytes.
@ -3031,7 +3063,9 @@ field of a \blockHeader as follows:
\end{bytefield} \end{bytefield}
\end{lrbox} \end{lrbox}
\hskip 1.5em $\Justthebox{\solutionbox}$ \begin{formulae}
\item $\Justthebox{\solutionbox}$
\end{formulae}
\vspace{1ex} \vspace{1ex}
Recall from \crossref{boxnotation} that bits in the above diagram are Recall from \crossref{boxnotation} that bits in the above diagram are
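Review bot: the `\vspace{1ex}` context line directly after the new `\end{formulae}` is left in place, so it now stacks on top of the `after=\vspace{1.5ex}` that the `formulae` list already adds. The proof-encoding hunk earlier removed its surrounding `\vspace{1.5ex}` and `\vspace{1ex}` when it made the same conversion; for consistency the `\vspace{1ex}` here should be dropped as well, unless the extra gap before "Recall from" is deliberate.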
@ -3039,7 +3073,9 @@ ordered from most to least significant in each byte.
For example, if the first 3 elements of $i$ are $[69, 42, 2^{21}]$, For example, if the first 3 elements of $i$ are $[69, 42, 2^{21}]$,
then the corresponding bit array is: then the corresponding bit array is:
\hskip 1.5em $\Justthebox{\eqexamplebox}$ \begin{formulae}
\item $\Justthebox{\eqexamplebox}$
\end{formulae}
and so the first 7 bytes of $\solution$ would be and so the first 7 bytes of $\solution$ would be
$[0, 2, 32, 0, 10, 127, 255]$. $[0, 2, 32, 0, 10, 127, 255]$.
@ -3075,26 +3111,23 @@ Their amounts in \zatoshi are calculated from the \blockHeight using
the formulae below. The constants $\SlowStartInterval$, $\HalvingInterval$, the formulae below. The constants $\SlowStartInterval$, $\HalvingInterval$,
$\MaxBlockSubsidy$, and $\FoundersFraction$ are instantiated in \crossref{constants}. $\MaxBlockSubsidy$, and $\FoundersFraction$ are instantiated in \crossref{constants}.
\vspace{2ex} \begin{formulae}
\hskip 1em $\SlowStartShift \typecolon \Nat := \hfrac{\SlowStartInterval}{2}$ \item $\SlowStartShift \typecolon \Nat := \hfrac{\SlowStartInterval}{2}$
\item $\SlowStartRate \typecolon \Nat := \hfrac{\MaxBlockSubsidy}{\SlowStartInterval}$
\item $\Halving(\BlockHeight) := \floor{\hfrac{\BlockHeight - \SlowStartShift}{\HalvingInterval}}$
\item $\BlockSubsidy(\BlockHeight) := \begin{cases}
\SlowStartRate \mult \BlockHeight,&\!\!\text{if } \BlockHeight < \hfrac{\SlowStartInterval}{2} \\[1.4ex]
\SlowStartRate \mult (\BlockHeight + 1),&\!\!\text{if } \hfrac{\SlowStartInterval}{2} \leq \BlockHeight < \SlowStartInterval \\[1.4ex]
\floor{\hfrac{\MaxBlockSubsidy}{2^{\Halving(\BlockHeight)}}},&\!\!\text{otherwise}
\end{cases}$
\hskip 1em $\SlowStartRate \typecolon \Nat := \hfrac{\MaxBlockSubsidy}{\SlowStartInterval}$ \item $\FoundersReward(\BlockHeight) := \begin{cases}
\BlockSubsidy(\BlockHeight) \mult \FoundersFraction,&\caseif \BlockHeight < \SlowStartShift + \HalvingInterval \\
\hskip 1em $\Halving(\BlockHeight) := \floor{\hfrac{\BlockHeight - \SlowStartShift}{\HalvingInterval}}$ 0,&\caseotherwise
\end{cases}$
\hskip 1em $\BlockSubsidy(\BlockHeight) := \begin{cases}
\SlowStartRate \mult \BlockHeight,&\!\!\text{if } \BlockHeight < \hfrac{\SlowStartInterval}{2} \\[1.4ex]
\SlowStartRate \mult (\BlockHeight + 1),&\!\!\text{if } \hfrac{\SlowStartInterval}{2} \leq \BlockHeight < \SlowStartInterval \\[1.4ex]
\floor{\hfrac{\MaxBlockSubsidy}{2^{\Halving(\BlockHeight)}}},&\!\!\text{otherwise}
\end{cases}$
\hskip 1em $\FoundersReward(\BlockHeight) := \begin{cases}
\BlockSubsidy(\BlockHeight) \mult \FoundersFraction,&\!\!\!\text{if } \BlockHeight < \SlowStartShift + \HalvingInterval \\
0,&\!\!\!\text{otherwise}
\end{cases}$
\hskip 1em $\MinerSubsidy(\BlockHeight) := \BlockSubsidy(\BlockHeight) - \FoundersReward(\BlockHeight)$.
\item $\MinerSubsidy(\BlockHeight) := \BlockSubsidy(\BlockHeight) - \FoundersReward(\BlockHeight)$.
\end{formulae}
\nsubsection{Coinbase outputs} \label{coinbases} \nsubsection{Coinbase outputs} \label{coinbases}
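Review bot: the `\BlockSubsidy` cases still spell out `&\!\!\text{if }` and `&\!\!\text{otherwise}`, while `\FoundersReward` immediately below was converted to `\caseif` and `\caseotherwise`. Either convert all three `\BlockSubsidy` branches as well or note why they are excluded. Be aware that `\squash` is three `\!` and these branches use two, so converting them shifts the text slightly; if the two-`\!` spacing is needed because of the `\hfrac` conditions, a comment to that effect would prevent a later well-meaning clean-up from changing the layout. The removed leading `\vspace{2ex}` is also not replaced by anything, since `formulae` applies `before=\vspace{-1ex}`, so the gap above `\SlowStartShift` shrinks by about 3ex and is worth checking in the rendered output.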
@ -3170,10 +3203,10 @@ Let $\SlowStartShift$ be defined as in the previous section.
Define: Define:
\begin{itemize} \begin{formulae}
\item[] $\FounderAddressChangeInterval := \ceiling{\hfrac{\SlowStartShift + \HalvingInterval}{\NumFounderAddresses}}$ \item $\FounderAddressChangeInterval := \ceiling{\hfrac{\SlowStartShift + \HalvingInterval}{\NumFounderAddresses}}$
\item[] $\FounderAddressIndex(\BlockHeight) := 1 + \floor{\hfrac{\BlockHeight}{\FounderAddressChangeInterval}}$. \item $\FounderAddressIndex(\BlockHeight) := 1 + \floor{\hfrac{\BlockHeight}{\FounderAddressChangeInterval}}$.
\end{itemize} \end{formulae}
Let $\RedeemScriptHash(\BlockHeight)$ be the standard redeem script hash, as defined in Let $\RedeemScriptHash(\BlockHeight)$ be the standard redeem script hash, as defined in
\cite{Bitcoin-Multisig}, for the P2SH multisig address with Base58Check representation \cite{Bitcoin-Multisig}, for the P2SH multisig address with Base58Check representation