Consistently use "signing key" and "validating key" for signatures.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent
1f0052d62e
commit
1a24d6232c
|
@ -708,7 +708,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\joinSplitSignature}{\term{JoinSplit signature}}
|
||||
\newcommand{\joinSplitSignatures}{\terms{JoinSplit signature}}
|
||||
\newcommand{\joinSplitSigningKey}{\term{JoinSplit signing key}}
|
||||
\newcommand{\joinSplitVerifyingKey}{\term{JoinSplit verifying key}}
|
||||
\newcommand{\joinSplitValidatingKey}{\term{JoinSplit validating key}}
|
||||
\newcommand{\joinSplitCircuit}{\term{JoinSplit circuit}}
|
||||
\newcommand{\joinSplitStatement}{\term{JoinSplit statement}}
|
||||
\newcommand{\joinSplitStatements}{\terms{JoinSplit statement}}
|
||||
|
@ -747,7 +747,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\bindingSignature}{\term{binding signature}}
|
||||
\newcommand{\bindingSignatures}{\terms{binding signature}}
|
||||
\newcommand{\bindingSignatureScheme}{\term{binding signature scheme}}
|
||||
\newcommand{\txBindingVerificationKey}{\term{transaction binding verification key}}
|
||||
\newcommand{\txBindingValidatingKey}{\term{transaction binding validating key}}
|
||||
\newcommand{\balancingValue}{\term{balancing value}}
|
||||
\newcommand{\shieldedOutput}{\term{shielded output}}
|
||||
\newcommand{\shieldedOutputs}{\terms{shielded output}}
|
||||
|
@ -915,8 +915,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\diversifiedTransmissionKeys}{\terms{diversified transmission key}}
|
||||
\newcommand{\authSigningKey}{\term{Spend authorizing key}}
|
||||
\newcommand{\authSigningKeys}{\terms{Spend authorizing key}}
|
||||
\newcommand{\authRandomizedVerifyingKey}{\term{randomized Spend verifying key}}
|
||||
\newcommand{\authRandomizedVerifyingKeys}{\terms{randomized Spend verifying key}}
|
||||
\newcommand{\authRandomizedValidatingKey}{\term{randomized Spend validating key}}
|
||||
\newcommand{\authRandomizedValidatingKeys}{\terms{randomized Spend validating key}}
|
||||
\newcommand{\authProvingKey}{\term{proof authorizing key}}
|
||||
\newcommand{\authProvingKeys}{\terms{proof authorizing key}}
|
||||
\newcommand{\authNullifierKey}{\term{nullifier private key}}
|
||||
|
@ -978,6 +978,12 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\monomorphism}{\term{monomorphism}}
|
||||
\newcommand{\sigNonmalleable}{\termandindex{nonmalleable}{nonmalleability (of signatures)}}
|
||||
\newcommand{\sigBatchEntries}{\termandindex{signature batch entries}{signature batch entry}}
|
||||
\newcommand{\signingKey}{\term{signing key}}
|
||||
\newcommand{\signingKeys}{\terms{signing key}}
|
||||
\newcommand{\validatingKey}{\termandindex{validating key}{validating key (for a signature scheme)}}
|
||||
\newcommand{\validatingKeys}{\termandindex{validating keys}{validating key (for a signature scheme)}}
|
||||
\newcommand{\randomizer}{\term{randomizer}}
|
||||
\newcommand{\randomizers}{\terms{randomizer}}
|
||||
\newcommand{\xPRF}{\termandindex{PRF}{Pseudo Random Function}}
|
||||
\newcommand{\xPRFs}{\termandindex{PRFs}{Pseudo Random Function}}
|
||||
\newcommand{\pseudoRandomFunction}{\term{Pseudo Random Function}}
|
||||
|
@ -1504,7 +1510,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\SigGen}{\Sig\mathsf{.Gen}}
|
||||
\newcommand{\SigDerivePublic}{\Sig\mathsf{.DerivePublic}}
|
||||
\newcommand{\SigSign}[1]{\Sig\mathsf{.Sign}_{#1}}
|
||||
\newcommand{\SigVerify}[1]{\Sig\mathsf{.Verify}_{#1}}
|
||||
\newcommand{\SigValidate}[1]{\Sig\mathsf{.Validate}_{#1}}
|
||||
\newcommand{\SigRandom}{\Sig\mathsf{.Random}}
|
||||
\newcommand{\SigGenRandom}{\Sig\mathsf{.GenRandom}}
|
||||
\newcommand{\SigRandomizePublic}{\Sig\mathsf{.RandomizePublic}}
|
||||
|
@ -1524,8 +1530,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\RedDSAGenPrivate}{\RedDSA\mathsf{.GenPrivate}}
|
||||
\newcommand{\RedDSADerivePublic}{\RedDSA\mathsf{.DerivePublic}}
|
||||
\newcommand{\RedDSASign}[1]{\RedDSA\mathsf{.Sign}_{#1}}
|
||||
\newcommand{\RedDSAVerify}[1]{\RedDSA\mathsf{.Verify}_{#1}}
|
||||
\newcommand{\RedDSABatchVerify}{\RedDSA\mathsf{.BatchVerify}}
|
||||
\newcommand{\RedDSAValidate}[1]{\RedDSA\mathsf{.Validate}_{#1}}
|
||||
\newcommand{\RedDSABatchValidate}{\RedDSA\mathsf{.BatchValidate}}
|
||||
\newcommand{\RedDSABatchEntry}{\RedDSA\mathsf{.BatchEntry}}
|
||||
\newcommand{\RedDSARandom}{\RedDSA\mathsf{.Random}}
|
||||
\newcommand{\RedDSAGenRandom}{\RedDSA\mathsf{.GenRandom}}
|
||||
|
@ -1556,7 +1562,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\JoinSplitSigGenPrivate}{\JoinSplitSig\mathsf{.GenPrivate}}
|
||||
\newcommand{\JoinSplitSigDerivePublic}{\JoinSplitSig\mathsf{.DerivePublic}}
|
||||
\newcommand{\JoinSplitSigSign}[1]{\JoinSplitSig\mathsf{.Sign}_{#1}}
|
||||
\newcommand{\JoinSplitSigVerify}[1]{\JoinSplitSig\mathsf{.Verify}_{#1}}
|
||||
\newcommand{\JoinSplitSigValidate}[1]{\JoinSplitSig\mathsf{.Validate}_{#1}}
|
||||
\newcommand{\JoinSplitSigSpecific}{\mathsf{Ed25519}}
|
||||
\newcommand{\JoinSplitSigHashName}{\mathsf{SHA\mhyphen512}}
|
||||
\newcommand{\ExcludedPointEncodings}{\mathsf{ExcludedPointEncodings}}
|
||||
|
@ -1569,7 +1575,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\SpendAuthSigGenPrivate}{\SpendAuthSig\mathsf{.GenPrivate}}
|
||||
\newcommand{\SpendAuthSigDerivePublic}{\SpendAuthSig\mathsf{.DerivePublic}}
|
||||
\newcommand{\SpendAuthSigSign}[1]{\SpendAuthSig\mathsf{.Sign}_{#1}}
|
||||
\newcommand{\SpendAuthSigVerify}[1]{\SpendAuthSig\mathsf{.Verify}_{#1}}
|
||||
\newcommand{\SpendAuthSigValidate}[1]{\SpendAuthSig\mathsf{.Validate}_{#1}}
|
||||
\newcommand{\SpendAuthSigRandom}{\SpendAuthSig\mathsf{.Random}}
|
||||
\newcommand{\SpendAuthSigGenRandom}{\SpendAuthSig\mathsf{.GenRandom}}
|
||||
\newcommand{\SpendAuthSigRandomizePublic}{\SpendAuthSig\mathsf{.RandomizePublic}}
|
||||
|
@ -1586,7 +1592,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\BindingSigGenPrivate}{\BindingSig\mathsf{.GenPrivate}}
|
||||
\newcommand{\BindingSigDerivePublic}{\BindingSig\mathsf{.DerivePublic}}
|
||||
\newcommand{\BindingSigSign}[1]{\BindingSig\mathsf{.Sign}_{#1}}
|
||||
\newcommand{\BindingSigVerify}[1]{\BindingSig\mathsf{.Verify}_{#1}}
|
||||
\newcommand{\BindingSigValidate}[1]{\BindingSig\mathsf{.Validate}_{#1}}
|
||||
\newcommand{\BindingSigSpecific}{\mathsf{RedJubjub}}
|
||||
\newcommand{\BindingPublic}{\mathsf{bvk}}
|
||||
\newcommand{\BindingPrivate}{\mathsf{bsk}}
|
||||
|
@ -2142,7 +2148,7 @@ This specification is structured as follows:
|
|||
\item Appendix: Circuit Design — details of how the \Sapling circuit is defined
|
||||
as a \quadraticConstraintProgram.
|
||||
\item Appendix: Batching Optimizations — improvements to the efficiency of
|
||||
verifying multiple signatures and proofs.
|
||||
validating multiple signatures and verifying multiple proofs.
|
||||
}
|
||||
\end{itemize}
|
||||
|
||||
|
@ -3352,27 +3358,27 @@ with $\KASapling$ and derives keys for $\SymEncrypt{}$.
|
|||
A \defining{\signatureScheme} $\Sig$ defines:
|
||||
|
||||
\begin{itemize}
|
||||
\item a type of signing keys $\SigPrivate$;
|
||||
\item a type of verifying keys $\SigPublic$;
|
||||
\item a type of \defining{\signingKeys} $\SigPrivate$;
|
||||
\item a type of \defining{\validatingKeys} $\SigPublic$;
|
||||
\item a type of messages $\SigMessage$;
|
||||
\item a type of signatures $\SigSignature$;
|
||||
\item a randomized signing key generation algorithm $\SigGenPrivate \typecolon () \rightarrowR \SigPrivate$;
|
||||
\item an injective verifying key derivation algorithm $\SigDerivePublic \typecolon \SigPrivate \rightarrow \SigPublic$;
|
||||
\item a randomized \signingKey generation algorithm $\SigGenPrivate \typecolon () \rightarrowR \SigPrivate$;
|
||||
\item an injective \validatingKey derivation algorithm $\SigDerivePublic \typecolon \SigPrivate \rightarrow \SigPublic$;
|
||||
\item a randomized signing algorithm $\SigSign{} \typecolon \SigPrivate \times \SigMessage \rightarrowR \SigSignature$;
|
||||
\item a verifying algorithm $\SigVerify{} \typecolon \SigPublic \times \SigMessage \times \SigSignature \rightarrow \bit$;
|
||||
\item a validating algorithm $\SigValidate{} \typecolon \SigPublic \times \SigMessage \times \SigSignature \rightarrow \bit$;
|
||||
\end{itemize}
|
||||
|
||||
\vspace{-2ex}
|
||||
such that for any signing key $\sk \leftarrowR \SigGenPrivate()$ and corresponding
|
||||
verifying key $\vk = \SigDerivePublic(\sk)$, and
|
||||
such that for any \signingKey $\sk \leftarrowR \SigGenPrivate()$ and corresponding
|
||||
\validatingKey $\vk = \SigDerivePublic(\sk)$, and
|
||||
any $m \typecolon \SigMessage$ and $s \typecolon \SigSignature \leftarrowR \SigSign{\sk}(m)$,
|
||||
$\SigVerify{\vk}(m, s) = 1$.
|
||||
$\SigValidate{\vk}(m, s) = 1$.
|
||||
|
||||
\vspace{1ex}\sprout{\vspace{2ex}}
|
||||
\introlist
|
||||
\Zcash uses \sprout{two}\sapling{four} signature schemes:
|
||||
\Zcash uses \sprout{two}\sapling{four} \signatureSchemes:
|
||||
\begin{itemize}
|
||||
\item one used for signatures that can be verified by script operations such as
|
||||
\item one used for signatures that can be validated by script operations such as
|
||||
\ScriptOP{CHECKSIG} and \ScriptOP{CHECKMULTISIG} as in \Bitcoin;
|
||||
\item one called $\JoinSplitSig$ (instantiated in \crossref{concretejssig}),
|
||||
which is used to sign \transactions that contain at least one
|
||||
|
@ -3401,14 +3407,14 @@ Chosen Message Attack (SU-CMA), as defined for example in
|
|||
but this has no impact on the applicability of the definition.}
|
||||
This allows an adversary to obtain signatures on chosen messages, and then requires it to be
|
||||
infeasible for the adversary to forge a previously unseen valid \mbox{(message, signature)}
|
||||
pair without access to the signing key.
|
||||
pair without access to the \signingKey.
|
||||
}
|
||||
|
||||
\vspace{1ex}
|
||||
\begin{nnotes}
|
||||
\notsprout{
|
||||
% Sprout *doesn't* need this, so it wouldn't make sense to include this explanation in the Sprout-only spec.
|
||||
\item We need separate signing key generation and verifying key derivation algorithms,
|
||||
\item We need separate \signingKey generation and \validatingKey derivation algorithms,
|
||||
rather than the more conventional combined key pair generation algorithm
|
||||
$\SigGen \typecolon () \rightarrowR \SigPrivate \times \SigPublic$, to support
|
||||
the key derivation in \crossref{saplingkeycomponents}. This also simplifies some
|
||||
|
@ -3431,6 +3437,8 @@ pair without access to the signing key.
|
|||
knowing the \defining{\privateKey}, to forge a distinct signature on a previously
|
||||
seen message. That is, \joinSplitSignatures\sapling{ and \bindingSignatures}
|
||||
are intended to be \defining{\sigNonmalleable} in the sense of \cite{BIP-62}.
|
||||
\item The terminology used in this specification is that we ``validate'' signatures, and
|
||||
``verify'' \zkSNARKProofs.
|
||||
\end{nnotes}
|
||||
|
||||
|
||||
|
@ -3442,11 +3450,11 @@ A \defining{\rerandomizableSignatureScheme} $\Sig$ is a \signatureScheme that
|
|||
additionally defines:
|
||||
|
||||
\begin{itemize}
|
||||
\item a type of randomizers $\SigRandom$;
|
||||
\item a randomizer generator $\SigGenRandom \typecolon () \rightarrowR \SigRandom$;
|
||||
\item a \privateKey randomization algorithm $\SigRandomizePrivate \typecolon \SigRandom \times \SigPrivate \rightarrow \SigPrivate$;
|
||||
\item a \publicKey randomization algorithm $\SigRandomizePublic \typecolon \SigRandom \times \SigPublic \rightarrow \SigPublic$;
|
||||
\item a distinguished ``identity'' randomizer $\SigRandomizerId \typecolon \SigRandom$
|
||||
\item a type of \defining{\randomizers} $\SigRandom$;
|
||||
\item a \randomizer generator $\SigGenRandom \typecolon () \rightarrowR \SigRandom$;
|
||||
\item a \signingKey randomization algorithm $\SigRandomizePrivate \typecolon \SigRandom \times \SigPrivate \rightarrow \SigPrivate$;
|
||||
\item a \validatingKey randomization algorithm $\SigRandomizePublic \typecolon \SigRandom \times \SigPublic \rightarrow \SigPublic$;
|
||||
\item a distinguished ``identity'' \randomizer $\SigRandomizerId \typecolon \SigRandom$
|
||||
\end{itemize}
|
||||
|
||||
\vspace{-1.2ex}
|
||||
|
@ -3503,21 +3511,21 @@ that records queried messages and corresponding signatures.
|
|||
For random $\sk \leftarrowR \SigGenPrivate()$ and $\vk = \SigDerivePublic(\sk)$, it must be
|
||||
infeasible for an adversary given $\vk$ and a new instance of $\Oracle_{\sk}$ to find
|
||||
$(m', \sigma', \SigRandomizer')$ such that
|
||||
$\SigVerify{\SigRandomizePublic(\SigRandomizer', \vk)}(m', \sigma') = 1$ and
|
||||
$\SigValidate{\SigRandomizePublic(\SigRandomizer', \vk)}(m', \sigma') = 1$ and
|
||||
$(m', \sigma') \not\in \Oracle_{\sk}\mathsf{.}Q$.
|
||||
}
|
||||
|
||||
\begin{nnotes}
|
||||
\item The randomizer and key arguments to $\SigRandomizePrivate$ and $\SigRandomizePublic$
|
||||
\item The \randomizer and key arguments to $\SigRandomizePrivate$ and $\SigRandomizePublic$
|
||||
are swapped relative to \cite[section 3]{FKMSSS2016}.
|
||||
\item The requirement for the identity randomizer $\SigRandomizerId$ simplifies the
|
||||
\item The requirement for the identity \randomizer $\SigRandomizerId$ simplifies the
|
||||
definition of SURK-CMA by removing the need for two oracles (because the oracle for
|
||||
original keys, called $\Oracle_1$ in \cite{FKMSSS2016}, is a special case of the
|
||||
oracle for randomized keys).
|
||||
\item Since $\SigRandomizePrivate(\SigRandomizer, \sk) :
|
||||
\SigRandomizer \leftarrowR \SigRandom$ has an identical distribution to $\SigGenPrivate()$,
|
||||
and since $\SigDerivePublic$ is a deterministic function, the combination of a re-randomized
|
||||
\publicKey and signature(s) under that key do not reveal the key from which it was
|
||||
\validatingKey and signature(s) under that key do not reveal the key from which it was
|
||||
re-randomized.
|
||||
\item Since $\SigRandomizePrivate_{\SigRandomizer}$ is injective and
|
||||
easily invertible, knowledge of $\SigRandomizePrivate(\SigRandomizer, \sk)$
|
||||
|
@ -3528,16 +3536,16 @@ $(m', \sigma') \not\in \Oracle_{\sk}\mathsf{.}Q$.
|
|||
|
||||
\sapling{
|
||||
\introlist
|
||||
\lsubsubsubsection{Signature with Private Key to Public Key Monomorphism}{abstractsigmono}
|
||||
\lsubsubsubsection{Signature with Signing Key to Validating Key Monomorphism}{abstractsigmono}
|
||||
|
||||
A \defining{\keyMonomorphicSignatureScheme} $\Sig$ is a \signatureScheme that
|
||||
additionally defines:
|
||||
|
||||
\begin{itemize}
|
||||
\item an abelian group on \privateKeys, with operation
|
||||
\item an abelian group on \signingKeys, with operation
|
||||
$\grpplus\!\! \typecolon \SigPrivate \times \SigPrivate \rightarrow \SigPrivate$ and
|
||||
identity $\grpzero$;
|
||||
\item an abelian group on \publicKeys, with operation
|
||||
\item an abelian group on \validatingKeys, with operation
|
||||
$\combplus\!\! \typecolon \SigPublic \times \SigPublic \rightarrow \SigPublic$ and
|
||||
identity $\combzero$.
|
||||
\end{itemize}
|
||||
|
@ -3547,7 +3555,7 @@ such that for any $\sk_{\oneto{2}} \typecolon \SigPrivate$,
|
|||
$\SigDerivePublic(\sk_1 \grpplus \sk_2) = \SigDerivePublic(\sk_1)\, \combplus \SigDerivePublic(\sk_2)$.
|
||||
|
||||
In other words, $\SigDerivePublic$ is a \defining{\monomorphism (that is, an injective homomorphism)} from the
|
||||
\privateKey group to the \publicKey group.
|
||||
\signingKey group to the \validatingKey group.
|
||||
|
||||
\vspace{1ex}
|
||||
\introlist
|
||||
|
@ -3560,10 +3568,10 @@ For $\rmN \typecolon \PosInt$,
|
|||
When $\rmN = 0$ these yield the appropriate group identity, i.e. $\sgrpsum{i=1}{0} \sk_i = \grpzero$
|
||||
and $\scombsum{i=1}{0} \vk_i = \combzero$.
|
||||
|
||||
$\grpneg \sk$ means the \privateKey such that $(\grpneg \sk) \grpplus \sk = \grpzero$,
|
||||
$\grpneg \sk$ means the \signingKey such that $(\grpneg \sk) \grpplus \sk = \grpzero$,
|
||||
and $\sk_1 \grpminus \sk_2$ means $\sk_1 \grpplus\, (\grpneg \sk_2)$.
|
||||
|
||||
$\combneg \vk$ means the \publicKey such that $(\combneg \vk) \combplus \vk = \combzero$,
|
||||
$\combneg \vk$ means the \validatingKey such that $(\combneg \vk) \combplus \vk = \combzero$,
|
||||
and $\vk_1 \combminus \vk_2$ means $\vk_1 \combplus\, (\combneg \vk_2)$.
|
||||
|
||||
\vspace{2ex}
|
||||
|
@ -3910,10 +3918,13 @@ Note that Knowledge Soundness implies Soundness --- i.e.\ the property that it i
|
|||
infeasible to find a new proof $\Proof{}$ where $\ZKVerify{\vk}(x, \Proof{}) = 1$ without
|
||||
\emph{there existing} an \auxiliaryInput $w$ such that $(x, w) \in \ZKSatisfying$.
|
||||
|
||||
\nnote{The above properties do not include \defining{\proofNonmalleability} \cite{DSDCOPS2001},
|
||||
and the design of the protocol using the \zeroKnowledgeProvingSystem must take this
|
||||
into account.}
|
||||
\vspace{2ex}
|
||||
\begin{nnotes}
|
||||
\item The above properties do not include \defining{\proofNonmalleability} \cite{DSDCOPS2001},
|
||||
and the design of the protocol using the \zeroKnowledgeProvingSystem must take this
|
||||
into account.
|
||||
\item The terminology used in this specification is that we ``validate'' signatures, and
|
||||
``verify'' \zkSNARKProofs.
|
||||
\end{nnotes}
|
||||
|
||||
\sprout{
|
||||
The \provingSystem is instantiated in \crossref{bctv}.
|
||||
|
@ -4142,7 +4153,7 @@ A \joinSplitTransfer, as specified in \crossref{joinsplit}, is encoded in
|
|||
|
||||
Each \transaction includes a sequence of zero or more \joinSplitDescriptions.
|
||||
When this sequence is non-empty, the \transaction also includes encodings of a
|
||||
$\JoinSplitSig$ public verification key and signature.
|
||||
$\JoinSplitSig$ public \validatingKey and signature.
|
||||
|
||||
Let $\MerkleHashLengthSprout$, $\PRFOutputLengthSprout$, $\RandomSeedLength$,
|
||||
$\NOld$, $\NNew$, and $\MAXMONEY$ be as defined in \crossref{constants}.
|
||||
|
@ -4243,8 +4254,8 @@ where
|
|||
\item $\rt \typecolon \MerkleHashSapling$ is an \anchor, as defined in
|
||||
\crossref{blockchain}, for the output \treestate of a previous \block;
|
||||
\item $\nf \typecolon \PRFOutputNfSapling$ is the \nullifier for the input \note;
|
||||
\item $\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic$ is a randomized \publicKey
|
||||
that should be used to verify $\spendAuthSig$;
|
||||
\item $\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic$ is a randomized \validatingKey
|
||||
that should be used to validate $\spendAuthSig$;
|
||||
\item $\ProofSpend \typecolon \SpendProof$ is a \zkSNARKProof with \primaryInput
|
||||
$(\cv, \rt, \nf, \AuthSignRandomizedPublic)$ for the \spendStatement defined in
|
||||
\crossref{spendstatement};
|
||||
|
@ -4263,8 +4274,8 @@ where
|
|||
as defined in \crossref{sighash} using $\SIGHASHALL$.
|
||||
|
||||
The \spendAuthSignature{} \MUST be a valid $\SpendAuthSig$ signature over $\SigHash$
|
||||
using $\AuthSignRandomizedPublic$ as the \publicKey ---
|
||||
i.e.\ $\SpendAuthSigVerify{\AuthSignRandomizedPublic}(\SigHash, \spendAuthSig) = 1$.
|
||||
using $\AuthSignRandomizedPublic$ as the \validatingKey ---
|
||||
i.e.\ $\SpendAuthSigValidate{\AuthSignRandomizedPublic}(\SigHash, \spendAuthSig) = 1$.
|
||||
\end{consensusrules}
|
||||
|
||||
\vspace{-1ex}
|
||||
|
@ -4688,15 +4699,15 @@ In order to ensure that a \joinSplitDescription is cryptographically bound to th
|
|||
\transparent inputs and outputs corresponding to $\vpubNew$ and $\vpubOld$, and
|
||||
to the other \joinSplitDescriptions in the same \transaction, an ephemeral $\JoinSplitSig$
|
||||
key pair is generated for each \transaction, and the $\dataToBeSigned$ is
|
||||
signed with the private signing key of this key pair. The corresponding public
|
||||
verification key is included in the \transaction encoding as $\joinSplitPubKey$.
|
||||
signed with the private \signingKey of this key pair. The corresponding public
|
||||
\validatingKey is included in the \transaction encoding as $\joinSplitPubKey$.
|
||||
|
||||
$\JoinSplitSig$ is instantiated in \crossref{concretejssig}.
|
||||
|
||||
\changed{
|
||||
If $\nJoinSplit$ is zero, the $\joinSplitPubKey$ and $\joinSplitSig$ fields are
|
||||
omitted. Otherwise, a \transaction has a correct \defining{\joinSplitSignature} if and only if
|
||||
$\JoinSplitSigVerify{\text{\small\joinSplitPubKey}}(\dataToBeSigned, \joinSplitSig) = 1$.
|
||||
$\JoinSplitSigValidate{\text{\small\joinSplitPubKey}}(\dataToBeSigned, \joinSplitSig) = 1$.
|
||||
% FIXME: distinguish pubkey and signature from their encodings.
|
||||
}
|
||||
|
||||
|
@ -4711,7 +4722,7 @@ $\h{i} = \PRFpk{\AuthPrivateOld{i}}(i, \hSig)$.
|
|||
The correctness of $\h{\allOld}$ is enforced by the \joinSplitStatement
|
||||
given in \crossref{sproutnonmalleablejs}. This ensures that a holder of
|
||||
all of the $\AuthPrivateOld{\allOld}$ for every \joinSplitDescription in the
|
||||
\transaction has authorized the use of the private signing key corresponding
|
||||
\transaction has authorized the use of the private \signingKey corresponding
|
||||
to $\joinSplitPubKey$ to sign this \transaction.
|
||||
|
||||
|
||||
|
@ -4820,7 +4831,7 @@ In a correctly constructed \transaction, $\vBalance = \ssum{i=1}{n} \vOld{i} - \
|
|||
but validators cannot check this directly because the values are hidden by the commitments.
|
||||
|
||||
\introlist
|
||||
Instead, validators calculate the \defining{\txBindingVerificationKey} as:
|
||||
Instead, validators calculate the \defining{\txBindingValidatingKey} as:
|
||||
\begin{formulae}
|
||||
% <https://twitter.com/hdevalence/status/984145085674676224> ¯\_(ツ)_/¯
|
||||
\item $\BindingPublic := \Bigg(\!\vcombsum{i=1}{n}\kern 0.2em \cvOld{i}\kern 0.05em\Bigg) \combminus\!
|
||||
|
@ -4833,7 +4844,7 @@ Instead, validators calculate the \defining{\txBindingVerificationKey} as:
|
|||
\introlist
|
||||
\vspace{1ex}
|
||||
The signer knows $\ValueCommitRandOld{\alln}$ and $\ValueCommitRandNew{\allm}$, and so can
|
||||
calculate the corresponding signing key as:
|
||||
calculate the corresponding \signingKey as:
|
||||
\begin{formulae}
|
||||
\item $\BindingPrivate := \Bigg(\!\vgrpsum{i=1}{n} \ValueCommitRandOld{i}\Bigg) \grpminus\!
|
||||
\Bigg(\!\vgrpsum{j=1}{m} \ValueCommitRandNew{j}\Bigg)$.
|
||||
|
@ -4850,7 +4861,7 @@ In order to check for implementation faults, the signer \SHOULD also check that
|
|||
Let $\SigHash$ be the \sighashTxHash as defined in \cite{ZIP-243}, not associated with an input,
|
||||
using the \sighashType $\SIGHASHALL$.
|
||||
|
||||
A validator checks balance by verifying that $\BindingSigVerify{\BindingPublic}(\SigHash, \bindingSig) = 1$.
|
||||
A validator checks balance by validating that $\BindingSigValidate{\BindingPublic}(\SigHash, \bindingSig) = 1$.
|
||||
|
||||
\vspace{1ex}
|
||||
We now explain why this works.
|
||||
|
@ -4925,7 +4936,7 @@ other parties that are cooperating to create the \transaction. If all of the
|
|||
} %pnote
|
||||
|
||||
\nnote{
|
||||
The technique of checking signatures using a \publicKey derived from a sum of
|
||||
The technique of checking signatures using a \validatingKey derived from a sum of
|
||||
\xPedersenCommitments is also used in the \Mimblewimble protocol \cite{Jedusor2016}.
|
||||
The \privateKey $\BindingPrivate$ acts as a \definingquotedterm{synthetic blinding factor},
|
||||
in the sense that it is synthesized from the other blinding factors (\trapdoors)
|
||||
|
@ -4949,11 +4960,11 @@ Typically such devices cannot create, and may not be able to verify, \zkSNARKPro
|
|||
a \statement of the size needed using the \BCTV or \Groth proving systems.
|
||||
|
||||
\vspace{1ex}
|
||||
The verifying key of the signature must be revealed in the \spendDescription so that
|
||||
the signature can be checked by validators. To ensure that the verifying key cannot
|
||||
The \validatingKey of the signature must be revealed in the \spendDescription so that
|
||||
the signature can be checked by validators. To ensure that the \validatingKey cannot
|
||||
be linked to the \paymentAddress or \spendingKey from which the \note was spent, we
|
||||
use a \rerandomizableSignatureScheme. The \spendStatement proves that this verifying
|
||||
key is a re-randomization of the \defining{\spendAuthAddressKey} $\AuthSignPublic$ with a randomizer
|
||||
use a \rerandomizableSignatureScheme. The \spendStatement proves that this \validatingKey
|
||||
is a re-randomization of the \defining{\spendAuthAddressKey} $\AuthSignPublic$ with a \randomizer
|
||||
known to the signer. The \defining{\spendAuthSignature} is over the \sighashTxHash, so that it cannot be
|
||||
replayed in other \transactions.
|
||||
|
||||
|
@ -5294,7 +5305,7 @@ $\DiversifiedTransmitBase$ is not of small order,
|
|||
i.e.\ $\scalarmult{\ParamJ{h}}{\DiversifiedTransmitBase} \neq \ZeroJ$.
|
||||
|
||||
\vspace{0.5ex}
|
||||
\snarkcondition{Ephemeral \publicKey integrity}{outputepkintegrity}
|
||||
\snarkcondition{Ephemeral public key integrity}{outputepkintegrity}
|
||||
$\EphemeralPublic = \scalarmult{\EphemeralPrivate}{\DiversifiedTransmitBase}$.
|
||||
|
||||
\vspace{2ex}
|
||||
|
@ -7078,7 +7089,7 @@ Define $\RedDSASign{} \typecolon (\sk \typecolon \RedDSAPrivate) \times (M \type
|
|||
\end{algorithm}
|
||||
|
||||
\introlist
|
||||
Define $\RedDSAVerify{} \typecolon (\vk \typecolon \RedDSAPublic) \times (M \typecolon \RedDSAMessage) \times
|
||||
Define $\RedDSAValidate{} \typecolon (\vk \typecolon \RedDSAPublic) \times (M \typecolon \RedDSAMessage) \times
|
||||
(\sigma \typecolon \RedDSASignature) \rightarrow \bit$ as:
|
||||
\begin{algorithm}
|
||||
\item Let $\RedDSAReprR{}$ be the first $\ceiling{\ellG{}/8}$ bytes of $\sigma$, and
|
||||
|
@ -7095,12 +7106,12 @@ Define $\RedDSAVerify{} \typecolon (\vk \typecolon \RedDSAPublic) \times (M \typ
|
|||
|
||||
\vspace{-2ex}
|
||||
\begin{pnotes}
|
||||
\item The verification algorithm \emph{does not} check that $\RedDSASigR{}$ is a point of order
|
||||
\item The validation algorithm \emph{does not} check that $\RedDSASigR{}$ is a point of order
|
||||
at least $\ParamG{r}$. It \emph{does} check that $\RedDSAReprR{}$ is the canonical representation
|
||||
(as output by $\reprG{}$) of a point on the curve. This is different to $\JoinSplitSigSpecific$ as specified in
|
||||
\crossref{concretejssig}.
|
||||
\item Appendix \crossref{reddsabatchverify} describes an optimization that \MAY be used to speed up
|
||||
verification of batches of $\RedDSA$ signatures.
|
||||
\item Appendix \crossref{reddsabatchvalidate} describes an optimization that \MAY be used to speed up
|
||||
validation of batches of $\RedDSA$ signatures.
|
||||
\end{pnotes}
|
||||
|
||||
\vspace{-2ex}
|
||||
|
@ -7134,7 +7145,7 @@ As required, $\RedDSADerivePublic$ is a group monomorphism, since it is injectiv
|
|||
\end{tabular}
|
||||
|
||||
\vspace{1ex}
|
||||
A $\RedDSA$ \publicKey $\vk$ can be encoded as a bit sequence $\reprG{}\Of{\vk}$\, of
|
||||
A $\RedDSA$ \validatingKey $\vk$ can be encoded as a bit sequence $\reprG{}\Of{\vk}$\, of
|
||||
length $\ellG{}$ bits (or as a corresponding byte sequence $\vkBytes{}$ by then applying $\LEBStoOSP{\ellG{}}$).
|
||||
|
||||
\vspace{1ex}
|
||||
|
@ -7187,7 +7198,7 @@ See \crossref{bindingsig} for details on the use of this \signatureScheme.
|
|||
\securityrequirement{
|
||||
$\BindingSig$ must be a SUF-CMA secure \keyMonomorphicSignatureScheme as defined in
|
||||
\crossref{abstractsigmono}. A signature must prove knowledge of the discrete logarithm of
|
||||
the \publicKey with respect to the base $\ValueCommitRandBase$.
|
||||
the \validatingKey with respect to the base $\ValueCommitRandBase$.
|
||||
} %securityrequirement
|
||||
} %sapling
|
||||
|
||||
|
@ -7704,7 +7715,7 @@ Define $\SubgroupReprJ := \setof{\reprJ(P) \typecolon \ReprJ \suchthat P \in \Su
|
|||
|
||||
\begin{nnotes}
|
||||
\item The \defining{\ctEdwardsCompressedEncoding} used here is
|
||||
consistent with that used in EdDSA \cite{BJLSY2015} for \publicKeys and
|
||||
consistent with that used in EdDSA \cite{BJLSY2015} for \validatingKeys and
|
||||
the $R$ element of a signature.
|
||||
\item \cite[``Encoding and parsing curve points'']{BJLSY2015} gives algorithms
|
||||
for decompressing points from the encoding of $\GroupJ$.
|
||||
|
@ -7886,7 +7897,7 @@ the bug found by Bryan Parno was fixed in \libsnark in 2015, but that fix was
|
|||
incompletely described in the May 2015 update \cite[Theorem 2.4]{BCTV2014a-old}.
|
||||
It is described completely in \cite[Theorem 2.4]{BCTV2014a} and in
|
||||
\cite{Gabizon2019}.} \cite{WCBTV2015} \cite{Parno2015} \cite[Remark 2.5]{BCTV2014a}.
|
||||
In practice it will be necessary to use the specific proving and verification keys
|
||||
In practice it will be necessary to use the specific proving and verifying keys
|
||||
that were generated for the \Zcash production \blockChain, given in
|
||||
\crossref{bctvparameters}, together with a \provingSystem implementation that is
|
||||
interoperable with the \Zcash fork of \defining{\libsnark}, to ensure compatibility.
|
||||
|
@ -7988,7 +7999,7 @@ The \quadraticConstraintPrograms verifying the \spendStatement and
|
|||
other details of the \provingSystem are beyond the scope of this protocol
|
||||
document. For example, certain details of the translations of the \spendStatement and
|
||||
\outputStatement to \quadraticArithmeticPrograms are not specified in this document.
|
||||
In practice it will be necessary to use the specific proving and verification keys
|
||||
In practice it will be necessary to use the specific proving and verifying keys
|
||||
generated for the \Zcash production \blockChain\notsprout{ (see \crossref{grothparameters})},
|
||||
and a \provingSystem implementation that is interoperable with the \bellman
|
||||
library used by \Zcash, to ensure compatibility.
|
||||
|
@ -8183,7 +8194,7 @@ The \rawEncoding of a P2PKH address consists of:
|
|||
\begin{bytefield}[bitwidth=0.1em]{176}
|
||||
\sbitbox{80}{$8$-bit $\PtoPKHAddressLeadByte$}
|
||||
\sbitbox{80}{$8$-bit $\PtoPKHAddressSecondByte$}
|
||||
\sbitbox{160}{$160$-bit \publicKey hash}
|
||||
\sbitbox{160}{$160$-bit \validatingKey hash}
|
||||
\end{bytefield}
|
||||
\end{equation*}
|
||||
|
||||
|
@ -8193,7 +8204,7 @@ The \rawEncoding of a P2PKH address consists of:
|
|||
on the production network. (Addresses on the test network use
|
||||
$[\PtoPKHAddressTestnetLeadByte, \PtoPKHAddressTestnetSecondByte]$
|
||||
instead.)
|
||||
\item $20$ bytes specifying a \publicKey hash, which is a RIPEMD-160
|
||||
\item $20$ bytes specifying a \validatingKey hash, which is a RIPEMD-160
|
||||
hash \cite{RIPEMD160} of a SHA-256 hash \cite{NIST2015}
|
||||
of a compressed ECDSA key encoding.
|
||||
\end{itemize}
|
||||
|
@ -8714,7 +8725,7 @@ A \sequenceOfJoinSplitDescriptions{} using \BCTV proofs, each encoded as in \cro
|
|||
} %notsprout
|
||||
|
||||
$\geq 2\;\dagger$ & $32$ & $\joinSplitPubKey\!$ & \type{char[32]} & An encoding of a $\JoinSplitSig$
|
||||
public verification key. \\ \hline
|
||||
public \validatingKey. \\ \hline
|
||||
|
||||
$\geq 2\;\dagger$ & $64$ & $\joinSplitSig$ & \type{char[64]} & A signature on a prefix of the \transaction encoding,
|
||||
to be verified using $\joinSplitPubKey$. \\ \hline
|
||||
|
@ -8756,7 +8767,7 @@ $\versionField \geq 4$ and $\nShieldedSpend + \nShieldedOutput > 0$.
|
|||
\coinbaseTransactions include \foundersReward outputs.
|
||||
\item If $\versionField \geq 2$ and $\nJoinSplit > 0$, then:
|
||||
\begin{itemize}
|
||||
\item \joinSplitPubKey{} \MUST represent a valid $\JoinSplitSigSpecific$ \publicKey
|
||||
\item \joinSplitPubKey{} \MUST represent a valid $\JoinSplitSigSpecific$ \validatingKey
|
||||
encoding (\crossref{concretejssig}).
|
||||
\item \joinSplitSig{} \MUST represent a valid signature under \joinSplitPubKey{} of
|
||||
$\dataToBeSigned$, as defined in \crossref{sproutnonmalleability}.
|
||||
|
@ -8765,9 +8776,9 @@ $\versionField \geq 4$ and $\nShieldedSpend + \nShieldedOutput > 0$.
|
|||
then:
|
||||
\begin{itemize}
|
||||
\item let $\BindingPublic$ and $\SigHash$ be as defined in \crossref{bindingsig};
|
||||
\item \bindingSig{} \MUST represent a valid signature under the \txBindingVerificationKey
|
||||
\item \bindingSig{} \MUST represent a valid signature under the \txBindingValidatingKey
|
||||
$\BindingPublic$ of $\SigHash$ ---
|
||||
i.e.\ $\BindingSigVerify{\BindingPublic}(\SigHash, \bindingSig) = 1$.
|
||||
i.e.\ $\BindingSigValidate{\BindingPublic}(\SigHash, \bindingSig) = 1$.
|
||||
\end{itemize}}
|
||||
\saplingonwarditem{If $\versionField \geq 4$ and $\nShieldedSpend + \nShieldedOutput = 0$,
|
||||
then $\valueBalance$ \MUST be $0$.}
|
||||
|
@ -8966,7 +8977,7 @@ at some \blockHeight in the past, $\LEBStoOSPOf{256}{\rt}$. \\ \hline
|
|||
$32$ & $\nullifierField$ & \type{char[32]} & The \nullifier of the input \note,
|
||||
$\LEBStoOSPOf{256}{\nf}$. \\ \hline
|
||||
|
||||
$32$ & $\rkField$ & \type{char[32]} & The randomized \publicKey for $\spendAuthSig$,
|
||||
$32$ & $\rkField$ & \type{char[32]} & The randomized \validatingKey for $\spendAuthSig$,
|
||||
$\LEBStoOSPOf{256}{\reprJ\Of{\AuthSignRandomizedPublic}\kern 0.05em}$. \\ \hline
|
||||
|
||||
$192$ & $\zkproof$ & \type{char[192]} & An encoding of the \zkSNARKProof
|
||||
|
@ -10339,6 +10350,13 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\intropart
|
||||
\lsection{Change History}{changehistory}
|
||||
|
||||
\historyentry{2020.1.6}{2020-06-15}
|
||||
|
||||
\begin{itemize}
|
||||
\item Consistently use ``validating'' for signatures and ``verifying'' for proofs.
|
||||
\end{itemize}
|
||||
|
||||
|
||||
\historyentry{2020.1.5}{2020-06-02}
|
||||
|
||||
\begin{itemize}
|
||||
|
@ -10378,7 +10396,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\historyentry{2020.1.2}{2020-03-20}
|
||||
|
||||
\begin{itemize}
|
||||
\item The implementation of \Sprout $\JoinSplitSigSpecific$ signature verification
|
||||
\item The implementation of \Sprout $\JoinSplitSigSpecific$ signature validation
|
||||
in \zcashd differed from what was specified in \crossref{concretejssig}.
|
||||
The specification has been changed to match the implementation.
|
||||
\heartwood{
|
||||
|
@ -10677,7 +10695,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\item No changes to \Sprout.
|
||||
\sapling{
|
||||
\item Correct some uses of $\ParamJ{r}$ that should have been $\ParamS{r}$ or $q$.
|
||||
\item Correct uses of $\LEOStoIP{\ell}$ in $\RedDSAVerify{}$ and $\RedDSABatchVerify{}$
|
||||
\item Correct uses of $\LEOStoIP{\ell}$ in $\RedDSAValidate{}$ and $\RedDSABatchValidate{}$
|
||||
to ensure that $\ell$ is a multiple of $8$ as required.
|
||||
\item Minor changes to avoid clashing notation for
|
||||
Edwards curves $\Edwards{a,d}$, \MontgomeryCurves $\Montgomery{A,B}$, and
|
||||
|
@ -10789,7 +10807,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\item No changes to \Sprout.
|
||||
\sapling{
|
||||
\item Add the hashes of parameter files for \Sapling.
|
||||
\item Add cross references for parameters and functions used in $\RedDSA$ batch verification.
|
||||
\item Add cross references for parameters and functions used in $\RedDSA$ batch validation.
|
||||
} %sapling
|
||||
\item \Makefile changes: name the PDF file for the \Sprout version of the specification as \texttt{sprout.pdf},
|
||||
and make \texttt{protocol.pdf} link to the \Sapling version.
|
||||
|
@ -10810,10 +10828,10 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\begin{itemize}
|
||||
\item No changes to \Sprout.
|
||||
\sapling{
|
||||
\item Update $\RedDSA$ verification to use cofactor multiplication.
|
||||
This is necessary in order for the output of batch verification to match
|
||||
that of unbatched verification in all cases.
|
||||
\item Add \crossref{reddsabatchverify}.
|
||||
\item Update $\RedDSA$ validation to use cofactor multiplication.
|
||||
This is necessary in order for the output of batch validation to match
|
||||
that of unbatched validation in all cases.
|
||||
\item Add \crossref{reddsabatchvalidate}.
|
||||
} %sapling
|
||||
\end{itemize}
|
||||
|
||||
|
@ -10884,8 +10902,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\item Correct the conformance rule for \fOverwintered{} (it must not be set before \Overwinter has
|
||||
activated, not before \Sapling has activated).
|
||||
\item Correct the argument that $\vSum$ is in range in \crossref{saplingbalance}.
|
||||
\item Correct an error in the algorithm for $\RedDSAVerify{}$: the \publicKey $\vk$ is given directly
|
||||
to this algorithm and should not be computed from the unknown \privateKey $\sk$.
|
||||
\item Correct an error in the algorithm for $\RedDSAValidate{}$: the \validatingKey $\vk$ is given directly
|
||||
to this algorithm and should not be computed from the unknown \signingKey $\sk$.
|
||||
\item Correct or improve the types of $\GroupJHash{}$, $\FindGroupJHash$, $\ExtractJ$, $\PRFexpand{}$,
|
||||
$\PRFock{}$, and $\CRHivk$.
|
||||
\item Instantiate $\PRFock{}$ using $\BlakeTwob{256}$.
|
||||
|
@ -10936,7 +10954,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\item Correct a type error in \crossref{concretegrouphashjubjub}.
|
||||
\item Correct a type error in $\RedDSASign{}$ in \crossref{concreteredjubjub}.
|
||||
\item Ensure $\AuthSignBase$ is defined in \crossref{concretespendauthsig}.
|
||||
\item Make the \publicKey prefix part of the input to the \hashFunction in $\RedDSA$,
|
||||
\item Make the \validatingKey prefix part of the input to the \hashFunction in $\RedDSA$,
|
||||
not part of the message.
|
||||
\item Correct the statement about $\FindGroupJHash$ never returning $\bot$.
|
||||
\item Correct an error in the computation of generators for \xPedersenHashes.
|
||||
|
@ -11005,10 +11023,10 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\item Do not require a generator as part of the specification of a \representedGroup;
|
||||
instead, define it in the \representedPairing or scheme using the group.
|
||||
\item Refactor the abstract definition of a \signatureScheme to allow derivation
|
||||
of verifying keys independent of key pair generation.
|
||||
of \validatingKeys independent of key pair generation.
|
||||
\sapling{
|
||||
\item Correct the explanation in \crossref{overview} to apply to \Sapling.
|
||||
\item Add the definition of a \privateKey to \publicKey homomorphism for \signatureSchemes.
|
||||
\item Add the definition of a \signingKey to \validatingKey homomorphism for \signatureSchemes.
|
||||
\item Remove the output index as an input to $\KDFSapling$.
|
||||
\item Allow dummy \Sapling input \notes.
|
||||
\item Specify $\RedDSA$ and $\RedJubjub$.
|
||||
|
@ -11039,7 +11057,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\item Add specification of the \outputStatement.
|
||||
\item Change $\MerkleDepthSapling$ from $29$ to $32$.
|
||||
\item Updates to \Sapling construction, changing how the \nullifier is
|
||||
computed and separating it from the \authRandomizedVerifyingKey
|
||||
computed and separating it from the \authRandomizedValidatingKey
|
||||
($\AuthSignRandomizedPublic$).
|
||||
\item Clarify conversions between bit and byte sequences for
|
||||
$\SpendingKey$, $\reprJ\Of{\AuthSignPublic}$, and $\reprJ\Of{\AuthProvePublic}$.
|
||||
|
@ -11202,7 +11220,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
|
||||
\begin{itemize}
|
||||
\item Specify more precisely the requirements on $\JoinSplitSigSpecific$
|
||||
\publicKeys and signatures.
|
||||
\validatingKeys and signatures.
|
||||
\sapling{
|
||||
\item \Sapling work in progress.
|
||||
}
|
||||
|
@ -11563,7 +11581,7 @@ At the next lower level, each circuit is defined in terms of a
|
|||
as detailed in this section. In the \BCTV or \Groth proving systems, this program is
|
||||
translated to a \defining{\quadraticArithmeticProgram} \cite[section 2.3]{BCTV2014a}
|
||||
\cite{WCBTV2015}. The circuit descriptions given here are necessary to compute
|
||||
witness elements for each circuit, as well as the proving and verification keys.
|
||||
witness elements for each circuit, as well as the proving and verifying keys.
|
||||
|
||||
\vspace{1.5ex}
|
||||
Let $\GF{\ParamS{r}}$ be the finite field over which \Jubjub is defined, as
|
||||
|
@ -13102,7 +13120,7 @@ Check & Implements & \heading{Cost} & Reference \\
|
|||
& $\EphemeralPrivate \typecolon \binaryrange{\ScalarLength}$
|
||||
& 252 & \shortcrossref{cctboolean} \\ \hline
|
||||
$\EphemeralPublic = \scalarmult{\EphemeralPrivateRepr}{\DiversifiedTransmitBase}$
|
||||
& \snarkref{Ephemeral \publicKey integrity}{outputepkintegrity}
|
||||
& \snarkref{Ephemeral public key integrity}{outputepkintegrity}
|
||||
& 3252 & \shortcrossref{cctvarscalarmult} \\ \hline
|
||||
inputize $\EphemeralPublic$
|
||||
&
|
||||
|
@ -13130,9 +13148,9 @@ $\NoteCommitRandRepr$, $\ValueCommitRandRepr$, and $\vOldRepr$ as bit sequences
|
|||
\notsprout{
|
||||
\lsection{Batching Optimizations}{batching}
|
||||
|
||||
\lsubsection{\RedDSAText{} batch verification}{reddsabatchverify}
|
||||
\lsubsection{\RedDSAText{} batch validation}{reddsabatchvalidate} \label{reddsabatchverify}
|
||||
|
||||
The reference verification algorithm for $\RedDSA$ signatures is defined in \crossref{concretereddsa}.
|
||||
The reference validation algorithm for $\RedDSA$ signatures is defined in \crossref{concretereddsa}.
|
||||
|
||||
Let the $\RedDSA$ parameters $\GroupG{}$ (defining a subgroup $\SubgroupG{}$ of order $\ParamG{r}$,
|
||||
a cofactor $\ParamG{h}$, a group operation $+$, an additive identity $\ZeroG{}$, a bit-length $\ellG{}$,
|
||||
|
@ -13143,9 +13161,9 @@ be as defined in that section.
|
|||
|
||||
\vspace{2ex}
|
||||
Implementations \MAY alternatively use the optimized procedure described in this section to perform
|
||||
faster verification of a batch of signatures, i.e.\ to determine whether all signatures in a batch are valid.
|
||||
faster validation of a batch of signatures, i.e.\ to determine whether all signatures in a batch are valid.
|
||||
Its input is a sequence of $N$ \defining{\sigBatchEntries}, each of which is a
|
||||
(\publicKey, message, signature) triple.
|
||||
(\validatingKey, message, signature) triple.
|
||||
|
||||
\vspace{2ex}
|
||||
Let $\LEOStoBSP{}$, $\LEOStoIP{}$, and $\LEBStoOSP{}$ be as defined in \crossref{endian}.
|
||||
|
@ -13153,8 +13171,8 @@ Let $\LEOStoBSP{}$, $\LEOStoIP{}$, and $\LEBStoOSP{}$ be as defined in \crossref
|
|||
Define $\RedDSABatchEntry := \RedDSAPublic \times \RedDSAMessage \times \RedDSASignature$.
|
||||
|
||||
\introsection
|
||||
Define $\RedDSABatchVerify \typecolon (\Entry{\barerange{0}{N-1}} \typecolon \typeexp{\RedDSABatchEntry}{N})
|
||||
\rightarrow \bit$ as:
|
||||
Define $\RedDSABatchValidate \typecolon (\Entry{\barerange{0}{N-1}} \typecolon \typeexp{\RedDSABatchEntry}{N})
|
||||
\rightarrow \bit$ as:
|
||||
\begin{algorithm}
|
||||
\item For each $j \in \range{0}{N-1}$:
|
||||
\item \tab Let $(\vk_j, M_j, \sigma_j) = \Entry{j}$.
|
||||
|
|
|
@ -833,14 +833,14 @@ Last revised February~5, 2018.}
|
|||
@misc{ZIP-76,
|
||||
presort={ZIP-0076},
|
||||
author={Jack Grigg and Daira Hopwood},
|
||||
title={Transaction Signature Verification before Overwinter},
|
||||
title={Transaction Signature Validation before {O}verwinter},
|
||||
howpublished={Zcash Improvement Proposal 76 (in progress).},
|
||||
}
|
||||
|
||||
@misc{ZIP-143,
|
||||
presort={ZIP-0143},
|
||||
author={Jack Grigg and Daira Hopwood},
|
||||
title={Transaction Signature Verification for Overwinter},
|
||||
title={Transaction Signature Validation for {O}verwinter},
|
||||
howpublished={Zcash Improvement Proposal 143. Created December~27, 2017.},
|
||||
url={https://zips.z.cash/zip-0143},
|
||||
urldate={2019-08-28}
|
||||
|
@ -966,7 +966,7 @@ Last revised February~5, 2018.}
|
|||
@misc{ZIP-215,
|
||||
presort={ZIP-0215},
|
||||
author={Henry de Valance},
|
||||
title={Modifying Ed25519 validation rules to allow batch verification},
|
||||
title={Explicitly Defining and Modifying {Ed25519} Validation Rules},
|
||||
howpublished={Draft Zcash Improvement Proposal 215. Created April~27, 2020.},
|
||||
url={https://github.com/zcash/zips/pull/355},
|
||||
urldate={2020-05-27}
|
||||
|
@ -984,7 +984,7 @@ Last revised February~5, 2018.}
|
|||
@misc{ZIP-243,
|
||||
presort={ZIP-0243},
|
||||
author={Jack Grigg and Daira Hopwood},
|
||||
title={Transaction Signature Verification for Sapling},
|
||||
title={Transaction Signature Validation for {S}apling},
|
||||
howpublished={Zcash Improvement Proposal 243. Created April~10, 2018.},
|
||||
url={https://zips.z.cash/zip-0243},
|
||||
urldate={2019-08-28}
|
||||
|
|