diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 89525049..fc27e549 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -1389,7 +1389,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\KA}{\mathsf{KA}} \newcommand{\KAPublic}{\KA\mathsf{.Public}} -\newcommand{\KAPublicPrimeOrder}{\KA\mathsf{.PublicPrimeOrder}} +\newcommand{\KAPublicPrimeSubgroup}{\KA\mathsf{.PublicPrimeSubgroup}} \newcommand{\KAPrivate}{\KA\mathsf{.Private}} \newcommand{\KASharedSecret}{\KA\mathsf{.SharedSecret}} \newcommand{\KAFormatPrivate}{\KA\mathsf{.FormatPrivate}} @@ -1413,7 +1413,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\KASapling}{\mathsf{KA^{Sapling}}} \newcommand{\KASaplingPublic}{\KASapling\mathsf{.Public}} -\newcommand{\KASaplingPublicPrimeOrder}{\KASapling\mathsf{.PublicPrimeOrder}} +\newcommand{\KASaplingPublicPrimeSubgroup}{\KASapling\mathsf{.PublicPrimeSubgroup}} \newcommand{\KASaplingPrivate}{\KASapling\mathsf{.Private}} \newcommand{\KASaplingSharedSecret}{\KASapling\mathsf{.SharedSecret}} \newcommand{\KASaplingDerivePublic}{\KASapling\mathsf{.DerivePublic}} @@ -2768,7 +2768,7 @@ A \Sapling{} \note is a tuple $(\Diversifier, \DiversifiedTransmitPublic, \begin{itemize} \item $\Diversifier \typecolon \DiversifierType$ is the \diversifier of the recipient's \paymentAddress; - \item $\DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeOrder$ + \item $\DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeSubgroup$ is the \diversifiedTransmissionKey of the recipient's \paymentAddress; \item $\Value \typecolon \range{0}{\MAXMONEY}$ is an integer representing the value of the \note in \zatoshi; 
@@ -2779,7 +2779,7 @@ A \Sapling{} \note is a tuple $(\Diversifier, \DiversifiedTransmitPublic, \introlist Let $\NoteTypeSapling$ be the type of a \Sapling{} \note, i.e. \begin{formulae} - \item $\NoteTypeSapling := \DiversifierType \times \KASaplingPublicPrimeOrder \times \range{0}{\MAXMONEY} + \item $\NoteTypeSapling := \DiversifierType \times \KASaplingPublicPrimeSubgroup \times \range{0}{\MAXMONEY} \times \NoteCommitSaplingTrapdoor$. \end{formulae} } %sapling @@ -3354,7 +3354,7 @@ a shared secret, each using their \defining{\privateKey} and the other party's \ A \keyAgreementScheme $\KA$ defines a type of \publicKeys $\KAPublic$, a type of \privateKeys $\KAPrivate$, and a type of shared secrets $\KASharedSecret$. -\sapling{Optionally, it also defines a type $\KAPublicPrimeOrder \subseteq \KAPublic$.} +\sapling{Optionally, it also defines a type $\KAPublicPrimeSubgroup \subseteq \KAPublic$.} \sapling{Optional:} Let $\KAFormatPrivate \typecolon \PRFOutputSprout \rightarrow \KAPrivate$ be a function to convert a bit string of length $\PRFOutputLengthSprout$ to a $\KA$ \privateKey. @@ -4192,7 +4192,7 @@ Then calculate the \defining{\diversifiedTransmissionKey} $\DiversifiedTransmitP \vspace{-1ex} The resulting \diversifiedPaymentAddress is -$(\Diversifier \typecolon \DiversifierType, \DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeOrder)$. +$(\Diversifier \typecolon \DiversifierType, \DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeSubgroup)$. \vspace{1ex} For each \spendingKey, there is also a \defining{\defaultDiversifiedPaymentAddress} 
@@ -4554,9 +4554,9 @@ performs the following steps: \vspace{0.5ex} \begin{algorithm} - \item Check that $\DiversifiedTransmitPublic$ is of type $\KASaplingPublicPrimeOrder$, i.e.\ it - is a valid \ctEdwardsCurve point on the \jubjubCurve (as defined in \crossref{jubjub}) - not equal to $\ZeroJ$, and $\scalarmult{\ParamJ{r}}{\DiversifiedTransmitPublic} = \ZeroJ$. + \item Check that $\DiversifiedTransmitPublic$ is of type $\KASaplingPublicPrimeSubgroup$, i.e.\ it + is a valid \ctEdwardsCurve point on the \jubjubCurve (as defined in \crossref{jubjub}), and + $\scalarmult{\ParamJ{r}}{\DiversifiedTransmitPublic} = \ZeroJ$. \item Calculate $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$ and check that $\DiversifiedTransmitBase \neq \bot$. @@ -5630,9 +5630,9 @@ For both encryption and decryption, \sapling{ \lsubsubsection{Encryption (\SaplingText)}{saplingencrypt} -Let $\DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeOrder$ be the +Let $\DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeSubgroup$ be the \diversifiedTransmissionKey for the intended recipient address of a new \Sapling{} \note, -and let $\DiversifiedTransmitBase \typecolon \KASaplingPublicPrimeOrder$ be the corresponding +and let $\DiversifiedTransmitBase \typecolon \KASaplingPublicPrimeSubgroup$ be the corresponding \diversifiedBase computed as $\DiversifyHash(\Diversifier)$. Since \Sapling{} \note encryption is used only in the context of \crossref{saplingsend}, we may assume that 
@@ -5801,7 +5801,7 @@ The \outgoingViewingKey holder will attempt to decrypt the \noteCiphertext as fo \EphemeralPrivateBytes \typecolon \EphemeralPrivateBytesType)$ from $\OutPlaintext$ \item let $\EphemeralPrivate = \LEOStoIPOf{256}{\EphemeralPrivateBytes}$ and $\DiversifiedTransmitPublic = \abstJ\Of{\DiversifiedTransmitPublicRepr}$ - \item if $\EphemeralPrivate \geq \ParamJ{r}$ or $\DiversifiedTransmitPublic \notin \KASaplingPublicPrimeOrder$, return $\bot$ + \item if $\EphemeralPrivate \geq \ParamJ{r}$ or $\DiversifiedTransmitPublic \notin \KASaplingPublicPrimeSubgroup$, return $\bot$ \item let $\DHSecret{} = \KASaplingAgree(\EphemeralPrivate, \DiversifiedTransmitPublic)$ \item let $\TransmitKey{} = \KDFSapling(\DHSecret{}, \EphemeralPublic)$ \item let $\TransmitPlaintext{} = \SymDecrypt{\TransmitKey{}}(\TransmitCiphertext{})$ @@ -7087,7 +7087,7 @@ Let $\GroupJ$, $\SubgroupJ$, $\SubgroupJstar$, and the cofactor $\ParamJ{h}$ be Define $\KASaplingPublic := \GroupJ$. -Define $\KASaplingPublicPrimeOrder := \SubgroupJstar$. +Define $\KASaplingPublicPrimeSubgroup := \SubgroupJ$. Define $\KASaplingSharedSecret := \SubgroupJ$. 
@@ -8593,12 +8593,11 @@ cause the first two characters of the Base58Check encoding to be fixed as Let $\KASapling$ be as defined in \crossref{concretesaplingkeyagreement}. A \Sapling{} \defining{\paymentAddress} consists of $\Diversifier \typecolon \DiversifierType$ -and $\DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeOrder$. +and $\DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeSubgroup$. $\DiversifiedTransmitPublic$ is an encoding of a $\KASapling$ \publicKey of type -$\KASaplingPublicPrimeOrder$ (see \crossref{concretesaplingkeyagreement}), -for use with the encryption scheme defined in \crossref{saplinginband}. -$\Diversifier$~is a sequence of $11$ bytes. +$\KASaplingPublicPrimeSubgroup$, for use with the encryption scheme defined in +\crossref{saplinginband}. $\Diversifier$~is a sequence of $11$ bytes. These components are derived as described in \crossref{saplingkeycomponents}. \introlist @@ -8617,10 +8616,15 @@ The \rawEncoding of a \Sapling{} \paymentAddress consists of: $\DiversifiedTransmitPublic$ (see \crossref{jubjub}). \end{itemize} -When decoding the representation of $\DiversifiedTransmitPublic$, the address is -not valid if $\abstJ$ returns $\bot$ or if the resulting $\DiversifiedTransmitPublic$ -is not of prime order. +When decoding the representation of $\DiversifiedTransmitPublic$, the address \MUST be +considered invalid if $\abstJ$ returns $\bot$ or if the resulting $\DiversifiedTransmitPublic$ +is not in the prime-order subgroup $\SubgroupJ$. +\vspace{-2ex} +\nnote{\zcashd currently (as of version 3.1.0) does not fully conform to this requirement on +address validation when importing \paymentAddresses.} + +\vspace{1ex} For addresses on \Mainnet, the \defining{\humanReadablePart} (as defined in \cite{ZIP-173}) is \ascii{zs}. For addresses on \Testnet, the \humanReadablePart is \ascii{ztestsapling}. } %sapling 
@@ -8748,7 +8752,7 @@ The \rawEncoding of a \Sapling{} \fullViewingKey consists of: \item $32$ bytes specifying the \outgoingViewingKey $\OutViewingKey$. \end{itemize} -When decoding this representation, the key is not valid if $\abstJ$ returns $\bot$ +When decoding this representation, the key \MUST be considered invalid if $\abstJ$ returns $\bot$ for either $\AuthSignPublic$ or $\AuthProvePublic$, or if $\AuthSignPublic \notin \SubgroupJstar$, or if $\AuthProvePublic \notin \SubgroupJ$. @@ -10816,6 +10820,15 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \historyentry{2020.1.13}{2020-08-11} \begin{itemize} +\sapling{ + \item Rename the type of \Sapling \transmissionKeys from $\KASapling\mathsf{.PublicPrimeOrder}$ + to $\KASaplingPublicPrimeSubgroup$. This type is defined as $\SubgroupJ$, which reflects + the implementation in \zcashd (subject to the next point below); it was never enforced that a + \transmissionKey ($\DiversifiedTransmitPublic$) cannot be $\ZeroJ$. + \item Add a non-normative note saying that \zcashd does not fully conform to the requirement + to treat \transmissionKeys not in $\KASaplingPublicPrimeSubgroup$ as invalid when importing + \paymentAddresses. +} %sapling \canopy{ \item Set $\CanopyActivationHeight$ for \Testnet. \item Modify the tables and notes in \crossref{zip214fundingstreams} to reflect changes in
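Review bot: The hunks at @@ -1389 and @@ -1413 rename \KAPublicPrimeOrder and \KASaplingPublicPrimeOrder without leaving a compatibility alias, so any use of the old names that this patch does not touch becomes an undefined control sequence at build time. Before merging, search the whole document (and any other .tex files that include these macros) for the old names, or keep them for one release as aliases, e.g. `\newcommand{\KAPublicPrimeOrder}{\KAPublicPrimeSubgroup}`.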
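Review bot: The hunk at @@ -4554 drops the condition "not equal to $\ZeroJ$" from the type check on $\DiversifiedTransmitPublic$, which is a normative relaxation rather than a rename, yet the algorithm text gives no reason for it; the only justification is in the changelog hunk ("it was never enforced that a \transmissionKey ... cannot be $\ZeroJ$"). Add a short non-normative note at this step saying that $\ZeroJ$ is now admitted because the type is defined as $\SubgroupJ$, and state whether the security argument for \Sapling{} \note encryption needs a caveat for a zero \transmissionKey, since the next lines feed $\DiversifiedTransmitPublic$ straight into the key agreement.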
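Review bot: The hunk at @@ -7087 changes the definition from $\SubgroupJstar$ to $\SubgroupJ$, which is the actual semantic change in this patch even though the surrounding hunks read as a pure rename. Note that the @@ -8748 hunk still requires $\AuthSignPublic \notin \SubgroupJstar$ to be rejected for \fullViewingKeys, so after this patch the spec admits $\ZeroJ$ for \transmissionKeys but not for $\AuthSignPublic$. That asymmetry is presumably intended (the changelog entry says the type now matches \zcashd), but a one-line remark next to this definition would stop a future reader from "fixing" it back to $\SubgroupJstar$.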
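Review bot: The replacement text at @@ -8617 phrases the rule as "is not in the prime-order subgroup $\SubgroupJ$", while every other hunk in this patch states the same condition through the type, e.g. the @@ -5801 hunk's "$\DiversifiedTransmitPublic \notin \KASaplingPublicPrimeSubgroup$"; use the type name here too (or both), so the address-decoding rule and the key-agreement definition cannot drift apart if one is edited later. Also, the new \nnote "does not fully conform to this requirement" gives implementers nothing to act on: say which of the two checks (\abstJ returning $\bot$, or membership in $\SubgroupJ$) \zcashd 3.1.0 omits when importing \paymentAddresses, and bear in mind that the hard-coded version number will go stale once it is fixed.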
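Review bot: In the changelog hunk at @@ -10816, `\Sapling \transmissionKeys` lacks the `{}` that the rest of the document puts after `\Sapling` (compare "A \Sapling{} \note" in the @@ -2768 context), so TeX will swallow the following space unless the macro ends in \xspace; write `\Sapling{} \transmissionKeys`. Separately, the first item says the new type "reflects the implementation in \zcashd (subject to the next point below)" while the next point says \zcashd does not conform, which reads as circular; state concretely what \zcashd does and does not check so the two bullets are consistent.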