Consistently use "signing key" and "validating key" for signatures.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2020-06-15 14:34:44 +01:00
parent 1f0052d62e
commit 1a24d6232c
2 changed files with 120 additions and 102 deletions


@ -708,7 +708,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\joinSplitSignature}{\term{JoinSplit signature}}
\newcommand{\joinSplitSignatures}{\terms{JoinSplit signature}}
\newcommand{\joinSplitSigningKey}{\term{JoinSplit signing key}}
\newcommand{\joinSplitVerifyingKey}{\term{JoinSplit verifying key}}
\newcommand{\joinSplitValidatingKey}{\term{JoinSplit validating key}}
\newcommand{\joinSplitCircuit}{\term{JoinSplit circuit}}
\newcommand{\joinSplitStatement}{\term{JoinSplit statement}}
\newcommand{\joinSplitStatements}{\terms{JoinSplit statement}}
@ -747,7 +747,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\bindingSignature}{\term{binding signature}}
\newcommand{\bindingSignatures}{\terms{binding signature}}
\newcommand{\bindingSignatureScheme}{\term{binding signature scheme}}
\newcommand{\txBindingVerificationKey}{\term{transaction binding verification key}}
\newcommand{\txBindingValidatingKey}{\term{transaction binding validating key}}
\newcommand{\balancingValue}{\term{balancing value}}
\newcommand{\shieldedOutput}{\term{shielded output}}
\newcommand{\shieldedOutputs}{\terms{shielded output}}
@ -915,8 +915,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\diversifiedTransmissionKeys}{\terms{diversified transmission key}}
\newcommand{\authSigningKey}{\term{Spend authorizing key}}
\newcommand{\authSigningKeys}{\terms{Spend authorizing key}}
\newcommand{\authRandomizedVerifyingKey}{\term{randomized Spend verifying key}}
\newcommand{\authRandomizedVerifyingKeys}{\terms{randomized Spend verifying key}}
\newcommand{\authRandomizedValidatingKey}{\term{randomized Spend validating key}}
\newcommand{\authRandomizedValidatingKeys}{\terms{randomized Spend validating key}}
\newcommand{\authProvingKey}{\term{proof authorizing key}}
\newcommand{\authProvingKeys}{\terms{proof authorizing key}}
\newcommand{\authNullifierKey}{\term{nullifier private key}}
@ -978,6 +978,12 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\monomorphism}{\term{monomorphism}}
\newcommand{\sigNonmalleable}{\termandindex{nonmalleable}{nonmalleability (of signatures)}}
\newcommand{\sigBatchEntries}{\termandindex{signature batch entries}{signature batch entry}}
\newcommand{\signingKey}{\term{signing key}}
\newcommand{\signingKeys}{\terms{signing key}}
\newcommand{\validatingKey}{\termandindex{validating key}{validating key (for a signature scheme)}}
\newcommand{\validatingKeys}{\termandindex{validating keys}{validating key (for a signature scheme)}}
\newcommand{\randomizer}{\term{randomizer}}
\newcommand{\randomizers}{\terms{randomizer}}
\newcommand{\xPRF}{\termandindex{PRF}{Pseudo Random Function}}
\newcommand{\xPRFs}{\termandindex{PRFs}{Pseudo Random Function}}
\newcommand{\pseudoRandomFunction}{\term{Pseudo Random Function}}
@ -1504,7 +1510,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\SigGen}{\Sig\mathsf{.Gen}}
\newcommand{\SigDerivePublic}{\Sig\mathsf{.DerivePublic}}
\newcommand{\SigSign}[1]{\Sig\mathsf{.Sign}_{#1}}
\newcommand{\SigVerify}[1]{\Sig\mathsf{.Verify}_{#1}}
\newcommand{\SigValidate}[1]{\Sig\mathsf{.Validate}_{#1}}
\newcommand{\SigRandom}{\Sig\mathsf{.Random}}
\newcommand{\SigGenRandom}{\Sig\mathsf{.GenRandom}}
\newcommand{\SigRandomizePublic}{\Sig\mathsf{.RandomizePublic}}
@ -1524,8 +1530,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\RedDSAGenPrivate}{\RedDSA\mathsf{.GenPrivate}}
\newcommand{\RedDSADerivePublic}{\RedDSA\mathsf{.DerivePublic}}
\newcommand{\RedDSASign}[1]{\RedDSA\mathsf{.Sign}_{#1}}
\newcommand{\RedDSAVerify}[1]{\RedDSA\mathsf{.Verify}_{#1}}
\newcommand{\RedDSABatchVerify}{\RedDSA\mathsf{.BatchVerify}}
\newcommand{\RedDSAValidate}[1]{\RedDSA\mathsf{.Validate}_{#1}}
\newcommand{\RedDSABatchValidate}{\RedDSA\mathsf{.BatchValidate}}
\newcommand{\RedDSABatchEntry}{\RedDSA\mathsf{.BatchEntry}}
\newcommand{\RedDSARandom}{\RedDSA\mathsf{.Random}}
\newcommand{\RedDSAGenRandom}{\RedDSA\mathsf{.GenRandom}}
@ -1556,7 +1562,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\JoinSplitSigGenPrivate}{\JoinSplitSig\mathsf{.GenPrivate}}
\newcommand{\JoinSplitSigDerivePublic}{\JoinSplitSig\mathsf{.DerivePublic}}
\newcommand{\JoinSplitSigSign}[1]{\JoinSplitSig\mathsf{.Sign}_{#1}}
\newcommand{\JoinSplitSigVerify}[1]{\JoinSplitSig\mathsf{.Verify}_{#1}}
\newcommand{\JoinSplitSigValidate}[1]{\JoinSplitSig\mathsf{.Validate}_{#1}}
\newcommand{\JoinSplitSigSpecific}{\mathsf{Ed25519}}
\newcommand{\JoinSplitSigHashName}{\mathsf{SHA\mhyphen512}}
\newcommand{\ExcludedPointEncodings}{\mathsf{ExcludedPointEncodings}}
@ -1569,7 +1575,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\SpendAuthSigGenPrivate}{\SpendAuthSig\mathsf{.GenPrivate}}
\newcommand{\SpendAuthSigDerivePublic}{\SpendAuthSig\mathsf{.DerivePublic}}
\newcommand{\SpendAuthSigSign}[1]{\SpendAuthSig\mathsf{.Sign}_{#1}}
\newcommand{\SpendAuthSigVerify}[1]{\SpendAuthSig\mathsf{.Verify}_{#1}}
\newcommand{\SpendAuthSigValidate}[1]{\SpendAuthSig\mathsf{.Validate}_{#1}}
\newcommand{\SpendAuthSigRandom}{\SpendAuthSig\mathsf{.Random}}
\newcommand{\SpendAuthSigGenRandom}{\SpendAuthSig\mathsf{.GenRandom}}
\newcommand{\SpendAuthSigRandomizePublic}{\SpendAuthSig\mathsf{.RandomizePublic}}
@ -1586,7 +1592,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\BindingSigGenPrivate}{\BindingSig\mathsf{.GenPrivate}}
\newcommand{\BindingSigDerivePublic}{\BindingSig\mathsf{.DerivePublic}}
\newcommand{\BindingSigSign}[1]{\BindingSig\mathsf{.Sign}_{#1}}
\newcommand{\BindingSigVerify}[1]{\BindingSig\mathsf{.Verify}_{#1}}
\newcommand{\BindingSigValidate}[1]{\BindingSig\mathsf{.Validate}_{#1}}
\newcommand{\BindingSigSpecific}{\mathsf{RedJubjub}}
\newcommand{\BindingPublic}{\mathsf{bvk}}
\newcommand{\BindingPrivate}{\mathsf{bsk}}
@ -2142,7 +2148,7 @@ This specification is structured as follows:
\item Appendix: Circuit Design — details of how the \Sapling circuit is defined
as a \quadraticConstraintProgram.
\item Appendix: Batching Optimizations — improvements to the efficiency of
verifying multiple signatures and proofs.
validating multiple signatures and verifying multiple proofs.
}
\end{itemize}
@ -3352,27 +3358,27 @@ with $\KASapling$ and derives keys for $\SymEncrypt{}$.
A \defining{\signatureScheme} $\Sig$ defines:
\begin{itemize}
\item a type of signing keys $\SigPrivate$;
\item a type of verifying keys $\SigPublic$;
\item a type of \defining{\signingKeys} $\SigPrivate$;
\item a type of \defining{\validatingKeys} $\SigPublic$;
\item a type of messages $\SigMessage$;
\item a type of signatures $\SigSignature$;
\item a randomized signing key generation algorithm $\SigGenPrivate \typecolon () \rightarrowR \SigPrivate$;
\item an injective verifying key derivation algorithm $\SigDerivePublic \typecolon \SigPrivate \rightarrow \SigPublic$;
\item a randomized \signingKey generation algorithm $\SigGenPrivate \typecolon () \rightarrowR \SigPrivate$;
\item an injective \validatingKey derivation algorithm $\SigDerivePublic \typecolon \SigPrivate \rightarrow \SigPublic$;
\item a randomized signing algorithm $\SigSign{} \typecolon \SigPrivate \times \SigMessage \rightarrowR \SigSignature$;
\item a verifying algorithm $\SigVerify{} \typecolon \SigPublic \times \SigMessage \times \SigSignature \rightarrow \bit$;
\item a validating algorithm $\SigValidate{} \typecolon \SigPublic \times \SigMessage \times \SigSignature \rightarrow \bit$;
\end{itemize}
\vspace{-2ex}
such that for any signing key $\sk \leftarrowR \SigGenPrivate()$ and corresponding
verifying key $\vk = \SigDerivePublic(\sk)$, and
such that for any \signingKey $\sk \leftarrowR \SigGenPrivate()$ and corresponding
\validatingKey $\vk = \SigDerivePublic(\sk)$, and
any $m \typecolon \SigMessage$ and $s \typecolon \SigSignature \leftarrowR \SigSign{\sk}(m)$,
$\SigVerify{\vk}(m, s) = 1$.
$\SigValidate{\vk}(m, s) = 1$.
\vspace{1ex}\sprout{\vspace{2ex}}
\introlist
\Zcash uses \sprout{two}\sapling{four} signature schemes:
\Zcash uses \sprout{two}\sapling{four} \signatureSchemes:
\begin{itemize}
\item one used for signatures that can be verified by script operations such as
\item one used for signatures that can be validated by script operations such as
\ScriptOP{CHECKSIG} and \ScriptOP{CHECKMULTISIG} as in \Bitcoin;
\item one called $\JoinSplitSig$ (instantiated in \crossref{concretejssig}),
which is used to sign \transactions that contain at least one
@ -3401,14 +3407,14 @@ Chosen Message Attack (SU-CMA), as defined for example in
but this has no impact on the applicability of the definition.}
This allows an adversary to obtain signatures on chosen messages, and then requires it to be
infeasible for the adversary to forge a previously unseen valid \mbox{(message, signature)}
pair without access to the signing key.
pair without access to the \signingKey.
}
\vspace{1ex}
\begin{nnotes}
\notsprout{
% Sprout *doesn't* need this, so it wouldn't make sense to include this explanation in the Sprout-only spec.
\item We need separate signing key generation and verifying key derivation algorithms,
\item We need separate \signingKey generation and \validatingKey derivation algorithms,
rather than the more conventional combined key pair generation algorithm
$\SigGen \typecolon () \rightarrowR \SigPrivate \times \SigPublic$, to support
the key derivation in \crossref{saplingkeycomponents}. This also simplifies some
@ -3431,6 +3437,8 @@ pair without access to the signing key.
knowing the \defining{\privateKey}, to forge a distinct signature on a previously
seen message. That is, \joinSplitSignatures\sapling{ and \bindingSignatures}
are intended to be \defining{\sigNonmalleable} in the sense of \cite{BIP-62}.
\item The terminology used in this specification is that we ``validate'' signatures, and
``verify'' \zkSNARKProofs.
\end{nnotes}
@ -3442,11 +3450,11 @@ A \defining{\rerandomizableSignatureScheme} $\Sig$ is a \signatureScheme that
additionally defines:
\begin{itemize}
\item a type of randomizers $\SigRandom$;
\item a randomizer generator $\SigGenRandom \typecolon () \rightarrowR \SigRandom$;
\item a \privateKey randomization algorithm $\SigRandomizePrivate \typecolon \SigRandom \times \SigPrivate \rightarrow \SigPrivate$;
\item a \publicKey randomization algorithm $\SigRandomizePublic \typecolon \SigRandom \times \SigPublic \rightarrow \SigPublic$;
\item a distinguished ``identity'' randomizer $\SigRandomizerId \typecolon \SigRandom$
\item a type of \defining{\randomizers} $\SigRandom$;
\item a \randomizer generator $\SigGenRandom \typecolon () \rightarrowR \SigRandom$;
\item a \signingKey randomization algorithm $\SigRandomizePrivate \typecolon \SigRandom \times \SigPrivate \rightarrow \SigPrivate$;
\item a \validatingKey randomization algorithm $\SigRandomizePublic \typecolon \SigRandom \times \SigPublic \rightarrow \SigPublic$;
\item a distinguished ``identity'' \randomizer $\SigRandomizerId \typecolon \SigRandom$
\end{itemize}
\vspace{-1.2ex}
@ -3503,21 +3511,21 @@ that records queried messages and corresponding signatures.
For random $\sk \leftarrowR \SigGenPrivate()$ and $\vk = \SigDerivePublic(\sk)$, it must be
infeasible for an adversary given $\vk$ and a new instance of $\Oracle_{\sk}$ to find
$(m', \sigma', \SigRandomizer')$ such that
$\SigVerify{\SigRandomizePublic(\SigRandomizer', \vk)}(m', \sigma') = 1$ and
$\SigValidate{\SigRandomizePublic(\SigRandomizer', \vk)}(m', \sigma') = 1$ and
$(m', \sigma') \not\in \Oracle_{\sk}\mathsf{.}Q$.
}
\begin{nnotes}
\item The randomizer and key arguments to $\SigRandomizePrivate$ and $\SigRandomizePublic$
\item The \randomizer and key arguments to $\SigRandomizePrivate$ and $\SigRandomizePublic$
are swapped relative to \cite[section 3]{FKMSSS2016}.
\item The requirement for the identity randomizer $\SigRandomizerId$ simplifies the
\item The requirement for the identity \randomizer $\SigRandomizerId$ simplifies the
definition of SURK-CMA by removing the need for two oracles (because the oracle for
original keys, called $\Oracle_1$ in \cite{FKMSSS2016}, is a special case of the
oracle for randomized keys).
\item Since $\SigRandomizePrivate(\SigRandomizer, \sk) :
\SigRandomizer \leftarrowR \SigRandom$ has an identical distribution to $\SigGenPrivate()$,
and since $\SigDerivePublic$ is a deterministic function, the combination of a re-randomized
\publicKey and signature(s) under that key do not reveal the key from which it was
\validatingKey and signature(s) under that key do not reveal the key from which it was
re-randomized.
\item Since $\SigRandomizePrivate_{\SigRandomizer}$ is injective and
easily invertible, knowledge of $\SigRandomizePrivate(\SigRandomizer, \sk)$
@ -3528,16 +3536,16 @@ $(m', \sigma') \not\in \Oracle_{\sk}\mathsf{.}Q$.
\sapling{
\introlist
\lsubsubsubsection{Signature with Private Key to Public Key Monomorphism}{abstractsigmono}
\lsubsubsubsection{Signature with Signing Key to Validating Key Monomorphism}{abstractsigmono}
A \defining{\keyMonomorphicSignatureScheme} $\Sig$ is a \signatureScheme that
additionally defines:
\begin{itemize}
\item an abelian group on \privateKeys, with operation
\item an abelian group on \signingKeys, with operation
$\grpplus\!\! \typecolon \SigPrivate \times \SigPrivate \rightarrow \SigPrivate$ and
identity $\grpzero$;
\item an abelian group on \publicKeys, with operation
\item an abelian group on \validatingKeys, with operation
$\combplus\!\! \typecolon \SigPublic \times \SigPublic \rightarrow \SigPublic$ and
identity $\combzero$.
\end{itemize}
@ -3547,7 +3555,7 @@ such that for any $\sk_{\oneto{2}} \typecolon \SigPrivate$,
$\SigDerivePublic(\sk_1 \grpplus \sk_2) = \SigDerivePublic(\sk_1)\, \combplus \SigDerivePublic(\sk_2)$.
In other words, $\SigDerivePublic$ is a \defining{\monomorphism (that is, an injective homomorphism)} from the
\privateKey group to the \publicKey group.
\signingKey group to the \validatingKey group.
\vspace{1ex}
\introlist
@ -3560,10 +3568,10 @@ For $\rmN \typecolon \PosInt$,
When $\rmN = 0$ these yield the appropriate group identity, i.e. $\sgrpsum{i=1}{0} \sk_i = \grpzero$
and $\scombsum{i=1}{0} \vk_i = \combzero$.
$\grpneg \sk$ means the \privateKey such that $(\grpneg \sk) \grpplus \sk = \grpzero$,
$\grpneg \sk$ means the \signingKey such that $(\grpneg \sk) \grpplus \sk = \grpzero$,
and $\sk_1 \grpminus \sk_2$ means $\sk_1 \grpplus\, (\grpneg \sk_2)$.
$\combneg \vk$ means the \publicKey such that $(\combneg \vk) \combplus \vk = \combzero$,
$\combneg \vk$ means the \validatingKey such that $(\combneg \vk) \combplus \vk = \combzero$,
and $\vk_1 \combminus \vk_2$ means $\vk_1 \combplus\, (\combneg \vk_2)$.
\vspace{2ex}
@ -3910,10 +3918,13 @@ Note that Knowledge Soundness implies Soundness --- i.e.\ the property that it i
infeasible to find a new proof $\Proof{}$ where $\ZKVerify{\vk}(x, \Proof{}) = 1$ without
\emph{there existing} an \auxiliaryInput $w$ such that $(x, w) \in \ZKSatisfying$.
\nnote{The above properties do not include \defining{\proofNonmalleability} \cite{DSDCOPS2001},
and the design of the protocol using the \zeroKnowledgeProvingSystem must take this
into account.}
\vspace{2ex}
\begin{nnotes}
\item The above properties do not include \defining{\proofNonmalleability} \cite{DSDCOPS2001},
and the design of the protocol using the \zeroKnowledgeProvingSystem must take this
into account.
\item The terminology used in this specification is that we ``validate'' signatures, and
``verify'' \zkSNARKProofs.
\end{nnotes}
\sprout{
The \provingSystem is instantiated in \crossref{bctv}.
@ -4142,7 +4153,7 @@ A \joinSplitTransfer, as specified in \crossref{joinsplit}, is encoded in
Each \transaction includes a sequence of zero or more \joinSplitDescriptions.
When this sequence is non-empty, the \transaction also includes encodings of a
$\JoinSplitSig$ public verification key and signature.
$\JoinSplitSig$ public \validatingKey and signature.
Let $\MerkleHashLengthSprout$, $\PRFOutputLengthSprout$, $\RandomSeedLength$,
$\NOld$, $\NNew$, and $\MAXMONEY$ be as defined in \crossref{constants}.
@ -4243,8 +4254,8 @@ where
\item $\rt \typecolon \MerkleHashSapling$ is an \anchor, as defined in
\crossref{blockchain}, for the output \treestate of a previous \block;
\item $\nf \typecolon \PRFOutputNfSapling$ is the \nullifier for the input \note;
\item $\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic$ is a randomized \publicKey
that should be used to verify $\spendAuthSig$;
\item $\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic$ is a randomized \validatingKey
that should be used to validate $\spendAuthSig$;
\item $\ProofSpend \typecolon \SpendProof$ is a \zkSNARKProof with \primaryInput
$(\cv, \rt, \nf, \AuthSignRandomizedPublic)$ for the \spendStatement defined in
\crossref{spendstatement};
@ -4263,8 +4274,8 @@ where
as defined in \crossref{sighash} using $\SIGHASHALL$.
The \spendAuthSignature{} \MUST be a valid $\SpendAuthSig$ signature over $\SigHash$
using $\AuthSignRandomizedPublic$ as the \publicKey ---
i.e.\ $\SpendAuthSigVerify{\AuthSignRandomizedPublic}(\SigHash, \spendAuthSig) = 1$.
using $\AuthSignRandomizedPublic$ as the \validatingKey ---
i.e.\ $\SpendAuthSigValidate{\AuthSignRandomizedPublic}(\SigHash, \spendAuthSig) = 1$.
\end{consensusrules}
\vspace{-1ex}
@ -4688,15 +4699,15 @@ In order to ensure that a \joinSplitDescription is cryptographically bound to th
\transparent inputs and outputs corresponding to $\vpubNew$ and $\vpubOld$, and
to the other \joinSplitDescriptions in the same \transaction, an ephemeral $\JoinSplitSig$
key pair is generated for each \transaction, and the $\dataToBeSigned$ is
signed with the private signing key of this key pair. The corresponding public
verification key is included in the \transaction encoding as $\joinSplitPubKey$.
signed with the private \signingKey of this key pair. The corresponding public
\validatingKey is included in the \transaction encoding as $\joinSplitPubKey$.
$\JoinSplitSig$ is instantiated in \crossref{concretejssig}.
\changed{
If $\nJoinSplit$ is zero, the $\joinSplitPubKey$ and $\joinSplitSig$ fields are
omitted. Otherwise, a \transaction has a correct \defining{\joinSplitSignature} if and only if
$\JoinSplitSigVerify{\text{\small\joinSplitPubKey}}(\dataToBeSigned, \joinSplitSig) = 1$.
$\JoinSplitSigValidate{\text{\small\joinSplitPubKey}}(\dataToBeSigned, \joinSplitSig) = 1$.
% FIXME: distinguish pubkey and signature from their encodings.
}
@ -4711,7 +4722,7 @@ $\h{i} = \PRFpk{\AuthPrivateOld{i}}(i, \hSig)$.
The correctness of $\h{\allOld}$ is enforced by the \joinSplitStatement
given in \crossref{sproutnonmalleablejs}. This ensures that a holder of
all of the $\AuthPrivateOld{\allOld}$ for every \joinSplitDescription in the
\transaction has authorized the use of the private signing key corresponding
\transaction has authorized the use of the private \signingKey corresponding
to $\joinSplitPubKey$ to sign this \transaction.
@ -4820,7 +4831,7 @@ In a correctly constructed \transaction, $\vBalance = \ssum{i=1}{n} \vOld{i} - \
but validators cannot check this directly because the values are hidden by the commitments.
\introlist
Instead, validators calculate the \defining{\txBindingVerificationKey} as:
Instead, validators calculate the \defining{\txBindingValidatingKey} as:
\begin{formulae}
% <https://twitter.com/hdevalence/status/984145085674676224> ¯\_(ツ)_
\item $\BindingPublic := \Bigg(\!\vcombsum{i=1}{n}\kern 0.2em \cvOld{i}\kern 0.05em\Bigg) \combminus\!
@ -4833,7 +4844,7 @@ Instead, validators calculate the \defining{\txBindingVerificationKey} as:
\introlist
\vspace{1ex}
The signer knows $\ValueCommitRandOld{\alln}$ and $\ValueCommitRandNew{\allm}$, and so can
calculate the corresponding signing key as:
calculate the corresponding \signingKey as:
\begin{formulae}
\item $\BindingPrivate := \Bigg(\!\vgrpsum{i=1}{n} \ValueCommitRandOld{i}\Bigg) \grpminus\!
\Bigg(\!\vgrpsum{j=1}{m} \ValueCommitRandNew{j}\Bigg)$.
@ -4850,7 +4861,7 @@ In order to check for implementation faults, the signer \SHOULD also check that
Let $\SigHash$ be the \sighashTxHash as defined in \cite{ZIP-243}, not associated with an input,
using the \sighashType $\SIGHASHALL$.
A validator checks balance by verifying that $\BindingSigVerify{\BindingPublic}(\SigHash, \bindingSig) = 1$.
A validator checks balance by validating that $\BindingSigValidate{\BindingPublic}(\SigHash, \bindingSig) = 1$.
\vspace{1ex}
We now explain why this works.
@ -4925,7 +4936,7 @@ other parties that are cooperating to create the \transaction. If all of the
} %pnote
\nnote{
The technique of checking signatures using a \publicKey derived from a sum of
The technique of checking signatures using a \validatingKey derived from a sum of
\xPedersenCommitments is also used in the \Mimblewimble protocol \cite{Jedusor2016}.
The \privateKey $\BindingPrivate$ acts as a \definingquotedterm{synthetic blinding factor},
in the sense that it is synthesized from the other blinding factors (\trapdoors)
@ -4949,11 +4960,11 @@ Typically such devices cannot create, and may not be able to verify, \zkSNARKPro
a \statement of the size needed using the \BCTV or \Groth proving systems.
\vspace{1ex}
The verifying key of the signature must be revealed in the \spendDescription so that
the signature can be checked by validators. To ensure that the verifying key cannot
The \validatingKey of the signature must be revealed in the \spendDescription so that
the signature can be checked by validators. To ensure that the \validatingKey cannot
be linked to the \paymentAddress or \spendingKey from which the \note was spent, we
use a \rerandomizableSignatureScheme. The \spendStatement proves that this verifying
key is a re-randomization of the \defining{\spendAuthAddressKey} $\AuthSignPublic$ with a randomizer
use a \rerandomizableSignatureScheme. The \spendStatement proves that this \validatingKey
is a re-randomization of the \defining{\spendAuthAddressKey} $\AuthSignPublic$ with a \randomizer
known to the signer. The \defining{\spendAuthSignature} is over the \sighashTxHash, so that it cannot be
replayed in other \transactions.
@ -5294,7 +5305,7 @@ $\DiversifiedTransmitBase$ is not of small order,
i.e.\ $\scalarmult{\ParamJ{h}}{\DiversifiedTransmitBase} \neq \ZeroJ$.
\vspace{0.5ex}
\snarkcondition{Ephemeral \publicKey integrity}{outputepkintegrity}
\snarkcondition{Ephemeral public key integrity}{outputepkintegrity}
$\EphemeralPublic = \scalarmult{\EphemeralPrivate}{\DiversifiedTransmitBase}$.
\vspace{2ex}
@ -7078,7 +7089,7 @@ Define $\RedDSASign{} \typecolon (\sk \typecolon \RedDSAPrivate) \times (M \type
\end{algorithm}
\introlist
Define $\RedDSAVerify{} \typecolon (\vk \typecolon \RedDSAPublic) \times (M \typecolon \RedDSAMessage) \times
Define $\RedDSAValidate{} \typecolon (\vk \typecolon \RedDSAPublic) \times (M \typecolon \RedDSAMessage) \times
(\sigma \typecolon \RedDSASignature) \rightarrow \bit$ as:
\begin{algorithm}
\item Let $\RedDSAReprR{}$ be the first $\ceiling{\ellG{}/8}$ bytes of $\sigma$, and
@ -7095,12 +7106,12 @@ Define $\RedDSAVerify{} \typecolon (\vk \typecolon \RedDSAPublic) \times (M \typ
\vspace{-2ex}
\begin{pnotes}
\item The verification algorithm \emph{does not} check that $\RedDSASigR{}$ is a point of order
\item The validation algorithm \emph{does not} check that $\RedDSASigR{}$ is a point of order
at least $\ParamG{r}$. It \emph{does} check that $\RedDSAReprR{}$ is the canonical representation
(as output by $\reprG{}$) of a point on the curve. This is different to $\JoinSplitSigSpecific$ as specified in
\crossref{concretejssig}.
\item Appendix \crossref{reddsabatchverify} describes an optimization that \MAY be used to speed up
verification of batches of $\RedDSA$ signatures.
\item Appendix \crossref{reddsabatchvalidate} describes an optimization that \MAY be used to speed up
validation of batches of $\RedDSA$ signatures.
\end{pnotes}
\vspace{-2ex}
@ -7134,7 +7145,7 @@ As required, $\RedDSADerivePublic$ is a group monomorphism, since it is injectiv
\end{tabular}
\vspace{1ex}
A $\RedDSA$ \publicKey $\vk$ can be encoded as a bit sequence $\reprG{}\Of{\vk}$\, of
A $\RedDSA$ \validatingKey $\vk$ can be encoded as a bit sequence $\reprG{}\Of{\vk}$\, of
length $\ellG{}$ bits (or as a corresponding byte sequence $\vkBytes{}$ by then applying $\LEBStoOSP{\ellG{}}$).
\vspace{1ex}
@ -7187,7 +7198,7 @@ See \crossref{bindingsig} for details on the use of this \signatureScheme.
\securityrequirement{
$\BindingSig$ must be a SUF-CMA secure \keyMonomorphicSignatureScheme as defined in
\crossref{abstractsigmono}. A signature must prove knowledge of the discrete logarithm of
the \publicKey with respect to the base $\ValueCommitRandBase$.
the \validatingKey with respect to the base $\ValueCommitRandBase$.
} %securityrequirement
} %sapling
@ -7704,7 +7715,7 @@ Define $\SubgroupReprJ := \setof{\reprJ(P) \typecolon \ReprJ \suchthat P \in \Su
\begin{nnotes}
\item The \defining{\ctEdwardsCompressedEncoding} used here is
consistent with that used in EdDSA \cite{BJLSY2015} for \publicKeys and
consistent with that used in EdDSA \cite{BJLSY2015} for \validatingKeys and
the $R$ element of a signature.
\item \cite[``Encoding and parsing curve points'']{BJLSY2015} gives algorithms
for decompressing points from the encoding of $\GroupJ$.
@ -7886,7 +7897,7 @@ the bug found by Bryan Parno was fixed in \libsnark in 2015, but that fix was
incompletely described in the May 2015 update \cite[Theorem 2.4]{BCTV2014a-old}.
It is described completely in \cite[Theorem 2.4]{BCTV2014a} and in
\cite{Gabizon2019}.} \cite{WCBTV2015} \cite{Parno2015} \cite[Remark 2.5]{BCTV2014a}.
In practice it will be necessary to use the specific proving and verification keys
In practice it will be necessary to use the specific proving and verifying keys
that were generated for the \Zcash production \blockChain, given in
\crossref{bctvparameters}, together with a \provingSystem implementation that is
interoperable with the \Zcash fork of \defining{\libsnark}, to ensure compatibility.
@ -7988,7 +7999,7 @@ The \quadraticConstraintPrograms verifying the \spendStatement and
other details of the \provingSystem are beyond the scope of this protocol
document. For example, certain details of the translations of the \spendStatement and
\outputStatement to \quadraticArithmeticPrograms are not specified in this document.
In practice it will be necessary to use the specific proving and verification keys
In practice it will be necessary to use the specific proving and verifying keys
generated for the \Zcash production \blockChain\notsprout{ (see \crossref{grothparameters})},
and a \provingSystem implementation that is interoperable with the \bellman
library used by \Zcash, to ensure compatibility.
@ -8183,7 +8194,7 @@ The \rawEncoding of a P2PKH address consists of:
\begin{bytefield}[bitwidth=0.1em]{176}
\sbitbox{80}{$8$-bit $\PtoPKHAddressLeadByte$}
\sbitbox{80}{$8$-bit $\PtoPKHAddressSecondByte$}
\sbitbox{160}{$160$-bit \publicKey hash}
\sbitbox{160}{$160$-bit \validatingKey hash}
\end{bytefield}
\end{equation*}
@ -8193,7 +8204,7 @@ The \rawEncoding of a P2PKH address consists of:
on the production network. (Addresses on the test network use
$[\PtoPKHAddressTestnetLeadByte, \PtoPKHAddressTestnetSecondByte]$
instead.)
\item $20$ bytes specifying a \publicKey hash, which is a RIPEMD-160
\item $20$ bytes specifying a \validatingKey hash, which is a RIPEMD-160
hash \cite{RIPEMD160} of a SHA-256 hash \cite{NIST2015}
of a compressed ECDSA key encoding.
\end{itemize}
@ -8714,7 +8725,7 @@ A \sequenceOfJoinSplitDescriptions{} using \BCTV proofs, each encoded as in \cro
} %notsprout
$\geq 2\;\dagger$ & $32$ & $\joinSplitPubKey\!$ & \type{char[32]} & An encoding of a $\JoinSplitSig$
public verification key. \\ \hline
public \validatingKey. \\ \hline
$\geq 2\;\dagger$ & $64$ & $\joinSplitSig$ & \type{char[64]} & A signature on a prefix of the \transaction encoding,
to be verified using $\joinSplitPubKey$. \\ \hline
@ -8756,7 +8767,7 @@ $\versionField \geq 4$ and $\nShieldedSpend + \nShieldedOutput > 0$.
\coinbaseTransactions include \foundersReward outputs.
\item If $\versionField \geq 2$ and $\nJoinSplit > 0$, then:
\begin{itemize}
\item \joinSplitPubKey{} \MUST represent a valid $\JoinSplitSigSpecific$ \publicKey
\item \joinSplitPubKey{} \MUST represent a valid $\JoinSplitSigSpecific$ \validatingKey
encoding (\crossref{concretejssig}).
\item \joinSplitSig{} \MUST represent a valid signature under \joinSplitPubKey{} of
$\dataToBeSigned$, as defined in \crossref{sproutnonmalleability}.
@ -8765,9 +8776,9 @@ $\versionField \geq 4$ and $\nShieldedSpend + \nShieldedOutput > 0$.
then:
\begin{itemize}
\item let $\BindingPublic$ and $\SigHash$ be as defined in \crossref{bindingsig};
\item \bindingSig{} \MUST represent a valid signature under the \txBindingVerificationKey
\item \bindingSig{} \MUST represent a valid signature under the \txBindingValidatingKey
$\BindingPublic$ of $\SigHash$ ---
i.e.\ $\BindingSigVerify{\BindingPublic}(\SigHash, \bindingSig) = 1$.
i.e.\ $\BindingSigValidate{\BindingPublic}(\SigHash, \bindingSig) = 1$.
\end{itemize}}
\saplingonwarditem{If $\versionField \geq 4$ and $\nShieldedSpend + \nShieldedOutput = 0$,
then $\valueBalance$ \MUST be $0$.}
@ -8966,7 +8977,7 @@ at some \blockHeight in the past, $\LEBStoOSPOf{256}{\rt}$. \\ \hline
$32$ & $\nullifierField$ & \type{char[32]} & The \nullifier of the input \note,
$\LEBStoOSPOf{256}{\nf}$. \\ \hline
$32$ & $\rkField$ & \type{char[32]} & The randomized \publicKey for $\spendAuthSig$,
$32$ & $\rkField$ & \type{char[32]} & The randomized \validatingKey for $\spendAuthSig$,
$\LEBStoOSPOf{256}{\reprJ\Of{\AuthSignRandomizedPublic}\kern 0.05em}$. \\ \hline
$192$ & $\zkproof$ & \type{char[192]} & An encoding of the \zkSNARKProof
@ -10339,6 +10350,13 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\intropart
\lsection{Change History}{changehistory}
\historyentry{2020.1.6}{2020-06-15}
\begin{itemize}
\item Consistently use ``validating'' for signatures and ``verifying'' for proofs.
\end{itemize}
\historyentry{2020.1.5}{2020-06-02}
\begin{itemize}
@ -10378,7 +10396,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\historyentry{2020.1.2}{2020-03-20}
\begin{itemize}
\item The implementation of \Sprout $\JoinSplitSigSpecific$ signature verification
\item The implementation of \Sprout $\JoinSplitSigSpecific$ signature validation
in \zcashd differed from what was specified in \crossref{concretejssig}.
The specification has been changed to match the implementation.
\heartwood{
@ -10677,7 +10695,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\item No changes to \Sprout.
\sapling{
\item Correct some uses of $\ParamJ{r}$ that should have been $\ParamS{r}$ or $q$.
\item Correct uses of $\LEOStoIP{\ell}$ in $\RedDSAVerify{}$ and $\RedDSABatchVerify{}$
\item Correct uses of $\LEOStoIP{\ell}$ in $\RedDSAValidate{}$ and $\RedDSABatchValidate{}$
to ensure that $\ell$ is a multiple of $8$ as required.
\item Minor changes to avoid clashing notation for
Edwards curves $\Edwards{a,d}$, \MontgomeryCurves $\Montgomery{A,B}$, and
@ -10789,7 +10807,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\item No changes to \Sprout.
\sapling{
\item Add the hashes of parameter files for \Sapling.
\item Add cross references for parameters and functions used in $\RedDSA$ batch verification.
\item Add cross references for parameters and functions used in $\RedDSA$ batch validation.
} %sapling
\item \Makefile changes: name the PDF file for the \Sprout version of the specification as \texttt{sprout.pdf},
and make \texttt{protocol.pdf} link to the \Sapling version.
@ -10810,10 +10828,10 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\begin{itemize}
\item No changes to \Sprout.
\sapling{
\item Update $\RedDSA$ verification to use cofactor multiplication.
This is necessary in order for the output of batch verification to match
that of unbatched verification in all cases.
\item Add \crossref{reddsabatchverify}.
\item Update $\RedDSA$ validation to use cofactor multiplication.
This is necessary in order for the output of batch validation to match
that of unbatched validation in all cases.
\item Add \crossref{reddsabatchvalidate}.
} %sapling
\end{itemize}
@ -10884,8 +10902,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\item Correct the conformance rule for \fOverwintered{} (it must not be set before \Overwinter has
activated, not before \Sapling has activated).
\item Correct the argument that $\vSum$ is in range in \crossref{saplingbalance}.
\item Correct an error in the algorithm for $\RedDSAVerify{}$: the \publicKey $\vk$ is given directly
to this algorithm and should not be computed from the unknown \privateKey $\sk$.
\item Correct an error in the algorithm for $\RedDSAValidate{}$: the \validatingKey $\vk$ is given directly
to this algorithm and should not be computed from the unknown \signingKey $\sk$.
\item Correct or improve the types of $\GroupJHash{}$, $\FindGroupJHash$, $\ExtractJ$, $\PRFexpand{}$,
$\PRFock{}$, and $\CRHivk$.
\item Instantiate $\PRFock{}$ using $\BlakeTwob{256}$.
@ -10936,7 +10954,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\item Correct a type error in \crossref{concretegrouphashjubjub}.
\item Correct a type error in $\RedDSASign{}$ in \crossref{concreteredjubjub}.
\item Ensure $\AuthSignBase$ is defined in \crossref{concretespendauthsig}.
\item Make the \publicKey prefix part of the input to the \hashFunction in $\RedDSA$,
\item Make the \validatingKey prefix part of the input to the \hashFunction in $\RedDSA$,
not part of the message.
\item Correct the statement about $\FindGroupJHash$ never returning $\bot$.
\item Correct an error in the computation of generators for \xPedersenHashes.
@ -11005,10 +11023,10 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\item Do not require a generator as part of the specification of a \representedGroup;
instead, define it in the \representedPairing or scheme using the group.
\item Refactor the abstract definition of a \signatureScheme to allow derivation
of verifying keys independent of key pair generation.
of \validatingKeys independent of key pair generation.
\sapling{
\item Correct the explanation in \crossref{overview} to apply to \Sapling.
\item Add the definition of a \privateKey to \publicKey homomorphism for \signatureSchemes.
\item Add the definition of a \signingKey to \validatingKey homomorphism for \signatureSchemes.
\item Remove the output index as an input to $\KDFSapling$.
\item Allow dummy \Sapling input \notes.
\item Specify $\RedDSA$ and $\RedJubjub$.
@ -11039,7 +11057,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\item Add specification of the \outputStatement.
\item Change $\MerkleDepthSapling$ from $29$ to $32$.
\item Updates to \Sapling construction, changing how the \nullifier is
computed and separating it from the \authRandomizedVerifyingKey
computed and separating it from the \authRandomizedValidatingKey
($\AuthSignRandomizedPublic$).
\item Clarify conversions between bit and byte sequences for
$\SpendingKey$, $\reprJ\Of{\AuthSignPublic}$, and $\reprJ\Of{\AuthProvePublic}$.
@ -11202,7 +11220,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\begin{itemize}
\item Specify more precisely the requirements on $\JoinSplitSigSpecific$
\publicKeys and signatures.
\validatingKeys and signatures.
\sapling{
\item \Sapling work in progress.
}
@ -11563,7 +11581,7 @@ At the next lower level, each circuit is defined in terms of a
as detailed in this section. In the \BCTV or \Groth proving systems, this program is
translated to a \defining{\quadraticArithmeticProgram} \cite[section 2.3]{BCTV2014a}
\cite{WCBTV2015}. The circuit descriptions given here are necessary to compute
witness elements for each circuit, as well as the proving and verification keys.
witness elements for each circuit, as well as the proving and verifying keys.
\vspace{1.5ex}
Let $\GF{\ParamS{r}}$ be the finite field over which \Jubjub is defined, as
@ -13102,7 +13120,7 @@ Check & Implements & \heading{Cost} & Reference \\
& $\EphemeralPrivate \typecolon \binaryrange{\ScalarLength}$
& 252 & \shortcrossref{cctboolean} \\ \hline
$\EphemeralPublic = \scalarmult{\EphemeralPrivateRepr}{\DiversifiedTransmitBase}$
& \snarkref{Ephemeral \publicKey integrity}{outputepkintegrity}
& \snarkref{Ephemeral public key integrity}{outputepkintegrity}
& 3252 & \shortcrossref{cctvarscalarmult} \\ \hline
inputize $\EphemeralPublic$
&
@ -13130,9 +13148,9 @@ $\NoteCommitRandRepr$, $\ValueCommitRandRepr$, and $\vOldRepr$ as bit sequences
\notsprout{
\lsection{Batching Optimizations}{batching}
\lsubsection{\RedDSAText{} batch verification}{reddsabatchverify}
\lsubsection{\RedDSAText{} batch validation}{reddsabatchvalidate} \label{reddsabatchverify}
The reference verification algorithm for $\RedDSA$ signatures is defined in \crossref{concretereddsa}.
The reference validation algorithm for $\RedDSA$ signatures is defined in \crossref{concretereddsa}.
Let the $\RedDSA$ parameters $\GroupG{}$ (defining a subgroup $\SubgroupG{}$ of order $\ParamG{r}$,
a cofactor $\ParamG{h}$, a group operation $+$, an additive identity $\ZeroG{}$, a bit-length $\ellG{}$,
@ -13143,9 +13161,9 @@ be as defined in that section.
\vspace{2ex}
Implementations \MAY alternatively use the optimized procedure described in this section to perform
faster verification of a batch of signatures, i.e.\ to determine whether all signatures in a batch are valid.
faster validation of a batch of signatures, i.e.\ to determine whether all signatures in a batch are valid.
Its input is a sequence of $N$ \defining{\sigBatchEntries}, each of which is a
(\publicKey, message, signature) triple.
(\validatingKey, message, signature) triple.
\vspace{2ex}
Let $\LEOStoBSP{}$, $\LEOStoIP{}$, and $\LEBStoOSP{}$ be as defined in \crossref{endian}.
@ -13153,8 +13171,8 @@ Let $\LEOStoBSP{}$, $\LEOStoIP{}$, and $\LEBStoOSP{}$ be as defined in \crossref
Define $\RedDSABatchEntry := \RedDSAPublic \times \RedDSAMessage \times \RedDSASignature$.
\introsection
Define $\RedDSABatchVerify \typecolon (\Entry{\barerange{0}{N-1}} \typecolon \typeexp{\RedDSABatchEntry}{N})
\rightarrow \bit$ as:
Define $\RedDSABatchValidate \typecolon (\Entry{\barerange{0}{N-1}} \typecolon \typeexp{\RedDSABatchEntry}{N})
\rightarrow \bit$ as:
\begin{algorithm}
\item For each $j \in \range{0}{N-1}$:
\item \tab Let $(\vk_j, M_j, \sigma_j) = \Entry{j}$.


@ -833,14 +833,14 @@ Last revised February~5, 2018.}
@misc{ZIP-76,
presort={ZIP-0076},
author={Jack Grigg and Daira Hopwood},
title={Transaction Signature Verification before Overwinter},
title={Transaction Signature Validation before {O}verwinter},
howpublished={Zcash Improvement Proposal 76 (in progress).},
}
@misc{ZIP-143,
presort={ZIP-0143},
author={Jack Grigg and Daira Hopwood},
title={Transaction Signature Verification for Overwinter},
title={Transaction Signature Validation for {O}verwinter},
howpublished={Zcash Improvement Proposal 143. Created December~27, 2017.},
url={https://zips.z.cash/zip-0143},
urldate={2019-08-28}
@ -966,7 +966,7 @@ Last revised February~5, 2018.}
@misc{ZIP-215,
presort={ZIP-0215},
author={Henry de Valance},
title={Modifying Ed25519 validation rules to allow batch verification},
title={Explicitly Defining and Modifying {Ed25519} Validation Rules},
howpublished={Draft Zcash Improvement Proposal 215. Created April~27, 2020.},
url={https://github.com/zcash/zips/pull/355},
urldate={2020-05-27}
@ -984,7 +984,7 @@ Last revised February~5, 2018.}
@misc{ZIP-243,
presort={ZIP-0243},
author={Jack Grigg and Daira Hopwood},
title={Transaction Signature Verification for Sapling},
title={Transaction Signature Validation for {S}apling},
howpublished={Zcash Improvement Proposal 243. Created April~10, 2018.},
url={https://zips.z.cash/zip-0243},
urldate={2019-08-28}