Cosmetics and minor corrections.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2018-04-19 18:03:52 +01:00
parent 34181a7701
commit 2bb48c67eb
1 changed files with 127 additions and 98 deletions


@ -87,7 +87,7 @@
\renewcommand{\@pnumwidth}{2em}
\makeatother
\newcommand{\pagenumfont}{\fontfamily{pnc}\selectfont\rule[-.2\baselineskip]{0pt}{1.35\baselineskip}}
\newcommand{\pagenumfont}{\fontfamily{pnc}\selectfont\rule[-.2\baselineskip]{0pt}{1.3\baselineskip}}
\renewcommand{\cftsecpagefont}{\pagenumfont}
\renewcommand{\cftsubsecpagefont}{\pagenumfont}
\renewcommand{\cftsubsubsecpagefont}{\pagenumfont}
@ -154,7 +154,7 @@
\newcommand{\footnotewithlabel}[2]{\hairspace\oldfootnote{\label{#1}{#2}}}
\newcommand{\crossref}[1]{\raisebox{0ex}{\autoref{#1}}\hspace{0.2em}\emph{`\nameref*{#1}\kern -0.05em'} on p.\,\pageref*{#1}}
\newcommand{\theoremref}[1]{\raisebox{0ex}{\autoref{#1}} on p.\,\pageref*{#1}}
\newcommand{\theoremref}[1]{\raisebox{0ex}{\autoref{#1}\vphantom{,}} on p.\,\pageref*{#1}}
\newcommand{\footnoteref}[1]{\hairspace\raisebox{0ex}{\cref{#1}}}
\newcommand{\autorefprefix}{\linkstrut\S\!}
@ -218,10 +218,10 @@
% <https://tex.stackexchange.com/a/269020/78411>, with explicit size parameter
\makeatletter
\newcommand*{\bigboxplus}[1]{\DOTSB\mathop{\mathpalette\big@boxplus{#1}\relax}\slimits@}
\newcommand*{\bigboxminus}[1]{\DOTSB\mathop{\mathpalette\big@boxminus{#1}\relax}\slimits@}
\newcommand*{\bigdiamondplus}[1]{\DOTSB\mathop{\mathpalette\big@diamondplus{#1}\relax}\slimits@}
\newcommand*{\bigdiamondminus}[1]{\DOTSB\mathop{\mathpalette\big@diamondminus{#1}\relax}\slimits@}
\newcommand*{\bigboxplus}[1]{\mathop{\mathpalette\big@boxplus{#1}\relax}\slimits@}
\newcommand*{\bigboxminus}[1]{\mathop{\mathpalette\big@boxminus{#1}\relax}\slimits@}
\newcommand*{\bigdiamondplus}[1]{\mathop{\mathpalette\big@diamondplus{#1}\relax}\slimits@}
\newcommand*{\bigdiamondminus}[1]{\mathop{\mathpalette\big@diamondminus{#1}\relax}\slimits@}
\newcommand{\big@boxplus}[2]{%
\vcenter{\m@th\bigbox@thickness{#1}\hbox{%
@ -294,6 +294,9 @@
\newcommand{\raisedstrut}{\raisebox{0.3ex}{\strut}}
% <https://tex.stackexchange.com/a/415155/78411>
\newcommand{\clasp}[3][0pt]{\stackengine{0pt}{#3}{\kern#1#2}{O}{c}{F}{F}{L}}
\newcommand{\plus}{\hairspace +\hairspace}
\newcommand{\vv}{\hspace{0.071em}\varv\hspace{0.064em}}
\newcommand{\varvv}{\varv\kern 0.02em\varv}
@ -474,7 +477,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\shieldedOutput}{\term{shielded output}}
\newcommand{\shieldedOutputs}{\term{shielded outputs}}
\newcommand{\statement}{\term{statement}}
\newcommand{\ZkSNARKStatements}{\titleterm{Zk-SNARK Statements}}
\newcommand{\ZkSNARKStatements}{\titleterm{Zk-SNARK Statement\notsprout{s}}}
\newcommand{\zkProof}{\term{zk proof}}
\newcommand{\zeroKnowledgeProof}{\term{zero-knowledge proof}}
\newcommand{\zeroKnowledgeProofs}{\term{zero-knowledge proofs}}
@ -576,6 +579,12 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\xTransparentAddresses}{\term{Transparent addresses}}
\newcommand{\TransparentAddresses}{\titleterm{Transparent Addresses}}
\newcommand{\transparentTransfers}{\term{transparent transfers}}
\newcommand{\transparentInput}{\term{transparent input}}
\newcommand{\transparentInputs}{\term{transparent inputs}}
\newcommand{\xTransparentInputs}{\term{Transparent inputs}}
\newcommand{\transparentOutput}{\term{transparent output}}
\newcommand{\transparentOutputs}{\term{transparent outputs}}
\newcommand{\xTransparentOutputs}{\term{Transparent outputs}}
\newcommand{\shielded}{\term{shielded}}
\newcommand{\shieldedNote}{\term{shielded note}}
\newcommand{\shieldedNotes}{\term{shielded notes}}
@ -729,7 +738,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\byteseq}[1]{\typeexp{\byte}{#1}}
\newcommand{\byteseqs}{\byteseq{\Nat}}
\newcommand{\concatbits}{\mathsf{concat}_\bit}
\newcommand{\bconcat}{\,||\,}
\newcommand{\bconcat}{\mathop{\kern 0.05em||}}
\newcommand{\listcomp}[1]{\overlap{0.06em}{\ensuremath{[}}~{#1}~\overlap{0.06em}{\ensuremath{]}}}
\newcommand{\fun}[2]{{#1} \mapsto {#2}}
\newcommand{\first}{\mathsf{first}}
@ -781,17 +790,19 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\sproduct}[2]{\sop{#1}{#2}{\prod}}
\newcommand{\vxor}[2]{\vop{#1}{#2}{\bigoplus}}
\newcommand{\sxor}[2]{\sop{#1}{#2}{\bigoplus}}
\newcommand{\vcombsum}[2]{\vop{#1}{#2}{\bigcombplus}}
\newcommand{\vcombsum}[2]{\vop{#1}{#2}{\biggercombplus}}
\newcommand{\scombsum}[2]{\sop{#1}{#2}{\bigcombplus}}
\newcommand{\vgrpsum}[2]{\vop{#1}{#2}{\biggrpplus}}
\newcommand{\vgrpsum}[2]{\vop{#1}{#2}{\biggergrpplus}}
\newcommand{\sgrpsum}[2]{\sop{#1}{#2}{\biggrpplus}}
\newcommand{\xor}{\oplus}
\newcommand{\biggercombplus}{\bigdiamondplus{4.6ex}}
\newcommand{\bigcombplus}{\bigdiamondplus{3.3ex}}
\newcommand{\combplus}{\bigdiamondplus{1.8ex}\,}
\newcommand{\subcombplus}{\bigdiamondplus{1.4ex}}
\newcommand{\combzero}{\Zero_{\subcombplus}}
\newcommand{\combminus}{\bigdiamondminus{1.8ex}\,}
\newcommand{\combneg}{\bigdiamondminus{1.8ex}}
\newcommand{\biggergrpplus}{\bigboxplus{4.6ex}}
\newcommand{\biggrpplus}{\bigboxplus{3.3ex}}
\newcommand{\grpplus}{\bigboxplus{1.8ex}\,}
\newcommand{\subgrpplus}{\bigboxplus{1.4ex}}
@ -804,8 +815,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\mult}{\cdot}
\newcommand{\smult}{\!\cdot\!}
\newcommand{\scalarmult}[2]{\boldsymbol{[}{#1}\boldsymbol{]}\,{#2}}
\newcommand{\rightarrowR}{\phantom{(}\smash{\buildrel{\scriptstyle\mathrm{R}}\over\rightarrow}\phantom{)}}
\newcommand{\leftarrowR}{\phantom{(}\smash{\buildrel{\scriptstyle\mathrm{R}}\over\leftarrow}\phantom{)}}
\newcommand{\rightarrowR}{\mathop{\clasp[-0.18em]{\raisebox{1.15ex}{\scriptsize R}}{$\,\rightarrow\,$}}}
\newcommand{\leftarrowR}{\mathop{\clasp[0.15em]{\raisebox{1.15ex}{\scriptsize R}}{$\,\leftarrow\,$}}}
\newcommand{\union}{\cup}
\newcommand{\intersection}{\cap}
\newcommand{\difference}{\setminus}
@ -838,6 +849,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\CRHivkBox}[1]{\CRHivk\!\left(\Justthebox{#1}\right)}
\newcommand{\DiversifyHash}{\mathsf{DiversifyHash}}
\newcommand{\DiversifyHashText}{\texorpdfstring{$\DiversifyHash$}{DiversifyHash}}
\newcommand{\NotUpMySleeve}{U}
% Key pairs
@ -933,6 +945,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\PRFnfSapling}[1]{\PRF{#1}{nf\kern-0.01em Sapling}}
\newcommand{\PRFOutputLength}{\mathsf{\ell_{PRF}}}
\newcommand{\PRFOutput}{\bitseq{\PRFOutputLength}}
\newcommand{\PRFOutputLengthSprout}{\mathsf{\ell_{PRF\notsprout{Sprout}}}}
\newcommand{\PRFOutputSprout}{\bitseq{\PRFOutputLengthSprout}}
\newcommand{\PRFOutputLengthSapling}{\mathsf{\ell_{PRFSapling}}}
\newcommand{\PRFOutputSapling}{\bitseq{\PRFOutputLengthSapling}}
@ -1030,7 +1044,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\Value}{\mathsf{v}}
\newcommand{\ValueNew}[1]{\Value^\mathsf{new}_{#1}}
\newcommand{\ValueOld}[1]{\Value^\mathsf{old}_{#1}}
\newcommand{\ValueLength}{\ell_{\Value}}
\newcommand{\ValueLength}{\ell_{\mathsf{value}}}
\newcommand{\ValueType}{\binaryrange{\ValueLength}}
\newcommand{\ValueCommitRand}{\mathsf{rcv}}
\newcommand{\ValueCommitRandLength}{\mathsf{\ell_{\ValueCommitRand}}}
@ -1062,6 +1076,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\nf}{\mathsf{nf}}
\newcommand{\nfOld}[1]{\nf^\mathsf{old}_{#1}}
\newcommand{\Memo}{\mathsf{memo}}
\newcommand{\DecryptNoteSprout}{\mathtt{DecryptNote\notsprout{Sprout}}}
\newcommand{\DecryptNoteSapling}{\mathtt{DecryptNoteSapling}}
\newcommand{\DecryptNote}{\mathtt{DecryptNote}}
\newcommand{\ReplacementCharacter}{\textsf{U+FFFD}}
@ -1509,7 +1525,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\Zcash is an implementation of the \term{Decentralized Anonymous Payment}
scheme \Zerocash, with security fixes and adjustments
to terminology, functionality and performance. It bridges the existing
\emph{transparent} payment scheme used by \Bitcoin with a
transparent payment scheme used by \Bitcoin with a
\emph{shielded} payment scheme secured by zero-knowledge succinct
non-interactive arguments of knowledge (\zkSNARKs). It attempts to
address the problem of mining centralization by use of the Equihash
@ -1665,9 +1681,8 @@ It is also possible for value to be transferred between the \transparent and
The \nullifiers of the input \notes are revealed (preventing them from being
spent again) and the commitments of the output \notes are revealed (allowing
them to be spent in future).
\sprout{
Each \joinSplitDescription also includes a computationally sound \zkSNARK proof,
them to be spent in future).\sprout{ Each
\joinSplitDescription also includes a computationally sound \zkSNARK proof,
which proves that all of the following hold except with insignificant probability:
\begin{itemize}
@ -1683,10 +1698,9 @@ which proves that all of the following hold except with insignificant probabilit
\item Each output \note is generated in such a way that it is infeasible to
cause its \nullifier to collide with the \nullifier of any other \note.
\end{itemize}
} %sprout
\notsprout{
A \transaction also includes computationally sound \zkSNARK proofs, which prove
that all of the following hold except with insignificant probability:
}\notsprout{ A
\transaction also includes computationally sound \zkSNARK proofs and signatures,
which prove that all of the following hold except with insignificant probability:
For each \shieldedInput,
@ -1694,7 +1708,7 @@ For each \shieldedInput,
\item \saplingonward{there is a revealed \valueCommitment to the same value as
the input \note;}
\item some revealed \noteCommitment exists for the input \note;
\item the prover knew the \authProvingKey of the input \note;
\item the prover knew the \authProvingKey of the \note;
\item the \nullifier and \noteCommitment are computed correctly.
\end{itemize}
@ -1704,8 +1718,8 @@ and for each \shieldedOutput,
\item \saplingonward{there is a revealed \valueCommitment to the same value as
the output \note;}
\item the \noteCommitment is computed correctly;
\item the output \note is generated in such a way that it is infeasible to
cause its \nullifier to collide with the \nullifier of any other \note.
\item it is infeasible to cause the \nullifier of the output \note to collide
with the \nullifier of any other \note.
\end{itemize}
For \Sprout, the \joinSplitStatement also includes an explicit balance check.
@ -1980,9 +1994,9 @@ $\AuthPrivate$, as described in \crossref{sproutkeycomponents}.
\saplingonward{
The \authSigningKey $\AuthSignPrivate$,
the \authProvingKey $(\AuthSignPublic, \AuthProvePrivate)$,
\authProvingKey $(\AuthSignPublic, \AuthProvePrivate)$,
the \fullViewingKey $(\AuthSignPublic, \AuthProvePublic)$,
the \incomingViewingKey $\InViewingKey$, and
\incomingViewingKey $\InViewingKey$, and
each \diversifiedPaymentAddress $\DiversifiedPaymentAddress = (\Diversifier, \DiversifiedTransmitPublic)$
are derived from $\SpendingKey$, as described in \crossref{saplingkeycomponents}.
} %saplingonward
@ -2045,12 +2059,12 @@ to a given \paymentAddress.
A \SproutOrNothing \note is a tuple $\changed{(\AuthPublic,
\Value, \NoteAddressRand, \NoteCommitRand)}$, where:
\begin{itemize}
\item $\AuthPublic \typecolon \PRFOutput$ is the \payingKey of the
\item $\AuthPublic \typecolon \PRFOutputSprout$ is the \payingKey of the
recipient's \paymentAddress;
\item $\Value \typecolon \range{0}{\MAXMONEY}$ is an integer
representing the value of the \note in \zatoshi
($1$ \ZEC = $10^8$ \zatoshi);
\item $\NoteAddressRand \typecolon \PRFOutput$
\item $\NoteAddressRand \typecolon \PRFOutputSprout$
is used as input to $\PRFnf{\AuthPrivate}$ to derive the
\nullifier of the \note;
\item $\NoteCommitRand \typecolon \NoteCommitSproutTrapdoor$
@ -2060,7 +2074,7 @@ A \SproutOrNothing \note is a tuple $\changed{(\AuthPublic,
\introlist
Let $\NoteTypeSprout$ be the type of a \SproutOrNothing \note, i.e.
\begin{formulae}
\item $\NoteTypeSprout := \changed{\PRFOutput \times \range{0}{\MAXMONEY} \times \PRFOutput
\item $\NoteTypeSprout := \changed{\PRFOutputSprout \times \range{0}{\MAXMONEY} \times \PRFOutputSprout
\times \NoteCommitSproutTrapdoor}$.
\end{formulae}
@ -2072,7 +2086,7 @@ A \Sapling \note is a tuple $(\Diversifier, \DiversifiedTransmitPublic,
\begin{itemize}
\item $\Diversifier \typecolon \DiversifierType$
is the \diversifier of the recipient's \paymentAddress;
\item $\DiversifiedTransmitPublic \typecolon \GroupJ$
\item $\DiversifiedTransmitPublic \typecolon \KASaplingPublic$
is the \diversifiedTransmissionKey of the recipient's \paymentAddress;
\item $\Value \typecolon \range{0}{\MAXMONEY}$ is an integer
representing the value of the \note in \zatoshi;
@ -2083,7 +2097,7 @@ A \Sapling \note is a tuple $(\Diversifier, \DiversifiedTransmitPublic,
\introlist
Let $\NoteTypeSapling$ be the type of a \Sapling \note, i.e.
\begin{formulae}
\item $\NoteTypeSapling := \DiversifierType \times \GroupJ \times \range{0}{\MAXMONEY}
\item $\NoteTypeSapling := \DiversifierType \times \KASaplingPublic \times \range{0}{\MAXMONEY}
\times \NoteCommitSaplingTrapdoor$.
\end{formulae}
} %sapling
@ -2216,9 +2230,9 @@ up to that height.
Each \block contains one or more \transactions.
Inputs to a \transaction insert value into a \transparentValuePool, and outputs
remove value from this pool. As in \Bitcoin, the remaining value in the pool is
available to miners as a fee.
\xTransparentInputs to a \transaction insert value into a \transparentValuePool,
and \transparentOutputs remove value from this pool. As in \Bitcoin, the remaining
value in the pool is available to miners as a fee.
\vspace{-3ex}
\consensusrule{
@ -2308,7 +2322,7 @@ it is not known where it will eventually appear in a mined \block. Therefore the
\begin{consensusrules}
\item The input and output values of each \joinSplitTransfer{} \MUST balance
exactly.
\item For the first \joinSplitDescription of a \transaction, the \anchor \MUST
\item For the first \joinSplitDescription of a \transaction, the \anchor{} \MUST
be the output \SproutOrNothing \treestate of a previous \block.
\changed{
\item The \anchor of each \joinSplitDescription in a \transaction{} \MUST refer
@ -2359,6 +2373,7 @@ A \spendDescription includes an \anchor, which refers to the output
\Sapling \treestate of a previous \block. It also reveals a \nullifier,
which allows detection of double-spends as described in \crossref{nullifierset}.
\vspace{-2ex}
\pnote{
Interstitial \treestates are not necessary for \Sapling, because a \spendTransfer
in a given \transaction cannot spend any of the \shieldedOutputs of the same
@ -2367,6 +2382,7 @@ each \joinSplitTransfer must balance individually, in \Sapling it is only necess
for the whole \transaction to balance.
}
\vspace{3ex}
\begin{consensusrules}
\item The \transaction{} \MUST balance as specified in \crossref{saplingbalance}.
\item The \anchor of each \spendDescription in a \transaction{} \MUST refer
@ -2383,14 +2399,14 @@ for the whole \transaction to balance.
\sapling{\todo{The commitment indices in the above diagram should be zero-based to reflect the \notePosition{}.}}
The \noteCommitmentTree is an \incrementalMerkleTree of fixed depth used to store
\noteCommitments that \joinSplitTransfers\sapling{ and \spendTransfers} produce.
A \noteCommitmentTree is an \incrementalMerkleTree of fixed depth used to store
\noteCommitments that \joinSplitTransfers\sapling{ or \spendTransfers} produce.
Just as the \term{unspent transaction output set} (UTXO set) used in \Bitcoin,
it is used to express the existence of value and the capability to spend it.
However, unlike the UTXO set, it is \emph{not} the job of this tree to protect
against double-spending, as it is append-only.
A \merkleRoot of this tree is associated with each \treestate, as described in
A \merkleRoot of a \noteCommitmentTree is associated with each \treestate; see
\crossref{transactions}.
Each \merkleNode in the \incrementalMerkleTree is associated with a \merkleHash of
@ -2517,10 +2533,10 @@ be as defined in \crossref{constants}.
\notsprout{For \Sprout, \changed{four} \emph{independent} $\PRF{x}{}$ are needed:}
\begin{tabular}{@{\hskip 2em}l@{\notsprout{\hskip 1.88em}}l@{\;}l@{\;}l@{\;}l}
$\PRFaddr{} $&$\typecolon\; \bitseq{\AuthPrivateLength} $&$\times\; \byte $& &$\rightarrow \PRFOutput $\\
$\PRFnf{} $&$\typecolon\; \bitseq{\AuthPrivateLength} $&$\times\; \PRFOutput $& &$\rightarrow \PRFOutput $\\
$\PRFpk{} $&$\typecolon\; \bitseq{\AuthPrivateLength} $&$\times\; \setofOld $&$\times\; \hSigType $&$\rightarrow \PRFOutput $\\
$\PRFrho{} $&$\typecolon\; \bitseq{\NoteAddressPreRandLength} $&$\times\; \setofNew $&$\times\; \hSigType $&$\rightarrow \PRFOutput $
$\PRFaddr{} $&$\typecolon\; \bitseq{\AuthPrivateLength} $&$\times\; \byte $& &$\rightarrow \PRFOutputSprout $\\
$\PRFnf{} $&$\typecolon\; \bitseq{\AuthPrivateLength} $&$\times\; \PRFOutputSprout $& &$\rightarrow \PRFOutputSprout $\\
$\PRFpk{} $&$\typecolon\; \bitseq{\AuthPrivateLength} $&$\times\; \setofOld $&$\times\; \hSigType $&$\rightarrow \PRFOutputSprout $\\
$\PRFrho{} $&$\typecolon\; \bitseq{\NoteAddressPreRandLength} $&$\times\; \setofNew $&$\times\; \hSigType $&$\rightarrow \PRFOutputSprout $
\end{tabular}
These are used in \crossref{joinsplitstatement}; $\PRFaddr{}$ is also used to
@ -2541,6 +2557,7 @@ $\PRFnfSapling{}$ is used in \crossref{spendstatement}.
\sprout{They}\notsprout{All of these \pseudoRandomFunctions} are instantiated in \crossref{concreteprfs}.
\vspace{-2ex}
\begin{securityrequirements}
\item Security definitions for \pseudoRandomFunctions are given in \cite[section 4]{BDJR2000}.
\item In addition to being \pseudoRandomFunctions, it is required that
@ -2550,6 +2567,7 @@ $\PRFnfSapling{}$ is used in \crossref{spendstatement}.
similarly for $\PRFaddr{}$ and $\PRFrho{}$\sapling{ and $\PRFnfSapling{}$}}.
\end{securityrequirements}
\vspace{-4ex}
\pnote{$\PRFnf{}$ was called $\PRFsn{}$ in \Zerocash \cite{BCG+2014}.}
@ -2563,17 +2581,17 @@ $\SymEncrypt{} \typecolon \Keyspace \times \Plaintext \rightarrow \Ciphertext$
is the encryption algorithm.
$\SymDecrypt{} \typecolon \Keyspace \times \Ciphertext \rightarrow
\Plaintext \union \setof{\bot}$ is the corresponding decryption algorithm, such that
\Plaintext \union \setof{\bot}$ is the decryption algorithm, such that
for any $\Key \in \Keyspace$ and $\Ptext \in \Plaintext$,
$\SymDecrypt{\Key}(\SymEncrypt{\Key}(\Ptext)) = \Ptext$.
$\bot$ is used to represent the decryption of an invalid ciphertext.
\vspace{-3ex}
\securityrequirement{
$\Sym$ must be one-time (INT-CTXT $\wedge$ IND-CPA)-secure. \quotedterm{One-time} here
means that an honest protocol participant will almost surely encrypt only one message
with a given key; however, the attacker may make many adaptive chosen ciphertext
queries for a given key. The security notions INT-CTXT and IND-CPA are as defined in
\cite{BN2007}.
$\Sym$ must be one-time (INT-CTXT $\wedge$ IND-CPA)-secure \cite{BN2007}.
\quotedterm{One-time} here means that an honest protocol participant will almost
surely encrypt only one message with a given key; however, the adversary may make
many adaptive chosen ciphertext queries for a given key.
}
\subsubsection{\KeyAgreement} \label{abstractkeyagreement}
@ -2585,7 +2603,7 @@ A \keyAgreementScheme $\KA$ defines a type of public keys $\KAPublic$, a type
of private keys $\KAPrivate$, and a type of shared secrets $\KASharedSecret$.
Let $\KAFormatPrivate \typecolon \PRFOutput \rightarrow \KAPrivate$ be a function
that converts a bit string of length $\PRFOutputLength$ to a $\KA$ private key.
to convert a bit string of length $\PRFOutputLength$ to a $\KA$ private key.
Let $\KADerivePublic \typecolon \KAPrivate \times \KAPublic \rightarrow \KAPublic$
be a function that derives the $\KA$ public key corresponding to a given $\KA$
@ -2596,10 +2614,10 @@ be the agreement function.
\sapling{Optional:} Let $\KABase \typecolon \KAPublic$ be a public base point.
\pnote{
The range of $\KADerivePublic$ may be a strict subset of $\KAPublic$.
}
\vspace{-2ex}
\pnote{The range of $\KADerivePublic$ may be a strict subset of $\KAPublic$.}
\vspace{-2ex}
\begin{securityrequirements}
\item $\KAFormatPrivate$ must preserve sufficient entropy from its input to be used
as a secure $\KA$ private key.
@ -2619,9 +2637,10 @@ A \keyDerivationFunction is defined for a particular \keyAgreementScheme and
agreement and additional arguments, and derives a key suitable for the encryption
scheme.
Let $\KDF \typecolon \setofNew \times \hSigType \times \KASharedSecret
\sprout{
Let $\KDFSprout \typecolon \setofNew \times \hSigType \times \KASharedSecret
\times \KAPublic \times \KAPublic \rightarrow \Keyspace$ be a
\keyDerivationFunction suitable for use with $\KA$, deriving keys
\keyDerivationFunction suitable for use with $\KASprout$, deriving keys
for $\SymEncrypt{}$.
\securityrequirement{
@ -2636,7 +2655,7 @@ Let $\TransmitBase := \todo{?}$
\sprout{Let $\TransmitBase := \KABase$.}
Let $\TransmitPrivateSup{1}$ and $\TransmitPrivateSup{2}$ each be chosen uniformly and
independently at random from $\KAPrivate$.
independently at random from $\KASproutPrivate$.
Let $\TransmitPublicSup{j} := \KADerivePublic(\TransmitPrivateSup{j}, \TransmitBase)$.
@ -2661,11 +2680,10 @@ constructed from $\KA$, $\KDF$ and $\Sym$ in \crossref{inband} will be key-priva
as defined in \cite{BBDP2001}.
\pnote{The given definition only requires ciphertexts to be indistinguishable
between \transmissionKeys that are outputs of $\KADerivePublic$ (which
between \transmissionKeys that are outputs of $\KASproutDerivePublic$ (which
includes all keys generated as in \crossref{sproutkeycomponents}). If a
\transmissionKey not in that range is used, it may be distinguishable.
This is not considered to be a significant security weakness.
}
This is not considered to be a significant security weakness.}
\introlist
@ -2700,7 +2718,7 @@ aspects of the definitions of \signatureSchemes with additional features in
} %pnote
} %notsprout
\vspace{2ex}
\vspace{3ex}
\introlist
\Zcash uses \sprout{two}\sapling{three} signature schemes:
@ -2711,8 +2729,8 @@ aspects of the definitions of \signatureSchemes with additional features in
which is used to sign \transactions that contain at least one
\joinSplitDescription\sprout{.}\notsprout{;}
\saplingonwarditem{one called $\SpendAuthSig$ (instantiated in
\crossref{concretespendauthsig}), which is used to sign authorizations of
\spendDescriptions.}
\crossref{concretespendauthsig}) which is used to sign authorizations of
\spendTransfers;}
\end{itemize}
The following defines only the security properties needed for $\JoinSplitSig$.
@ -2727,6 +2745,7 @@ for the adversary to forge a previously unseen valid \mbox{(message, signature)}
pair without access to the signing key.
}
\vspace{1ex}
\todo{Reference a different paper for the security definition. \cite{BDEHR2011} has
a flawed security proof; this doesn't affect \Zcash but it would be better to avoid
confusion that it might.}
@ -2736,6 +2755,7 @@ confusion that it might.}
a \joinSplitDescription{}.
Since each key pair is only used for one signature (see \crossref{nonmalleability}),
a one-time signature scheme would suffice for $\JoinSplitSig$.
This is also the reason why only security against \emph{non-adaptive}
chosen message attack is needed. In fact the instantiation of $\JoinSplitSig$
uses a scheme designed for security under adaptive attack even when multiple
@ -2748,7 +2768,7 @@ confusion that it might.}
\sapling{
\introlist
\introsection
\subsubsubsection{Signature with Re-Randomizable Keys} \label{abstractsigrerand}
A \rerandomizableSignatureScheme $\Sig$ is a \signatureScheme that
@ -2802,13 +2822,16 @@ that multiple \transactions spending the same \note are revealed to an adversary
\introsection
\securityrequirement{\textbf{Strong Unforgeability with Re-randomized Keys under adaptive Chosen Message Attack (SURK-CMA)}
Let $\Oracle \typecolon \SigPrivate \times \SigMessage \times \SigRandom \rightarrow \SigSignature$
be a generator of signing oracles.
A signing oracle $\Oracle_{\sk}$ for private key $\sk$ has state
For any $\sk \typecolon \SigPrivate$, let
\begin{formulae}
\item $\Oracle_{\sk} \typecolon \SigMessage \times \SigRandom \rightarrow \SigSignature$
\end{formulae}
\vspace{-1ex}
be a signing oracle with state
$Q \typecolon \powerset{\SigMessage \times \SigSignature}$ initialized to $\setof{}$
that records queried messages and corresponding signatures.
\vspace{1ex}
\begin{formulae}
\item $\Oracle_{\sk} :=$ var $Q \leftarrow \setof{}$ in $\fun{(m \typecolon \SigMessage, \SigRandomizer \typecolon \SigRandom)}{}$
\item \tab let $\sigma = \SigSign{\SigRandomizePrivate(\SigRandomizer, \sk)}(m)$
@ -2824,13 +2847,13 @@ $(m', \sigma') \not\in \Oracle_{\sk}\mathsf{.}Q$.
}
\begin{pnotes}
\item The requirement for $\SigRandomizerId$ simplifies the definition of SURK-CMA
by removing the need for two oracles (since the oracle for original keys,
called $\Oracle_1$ in \cite{FKMSSS2016}, is a special case of the oracle for
randomized keys).
\item The requirement for the identity randomizer $\SigRandomizerId$ simplifies the
definition of SURK-CMA by removing the need for two oracles (because the oracle for
original keys, called $\Oracle_1$ in \cite{FKMSSS2016}, is a special case of the
oracle for randomized keys).
\item Since $\SigRandomizePrivate(\SigRandomizer, \sk) :
\SigRandomizer \leftarrowR \SigRandom$ has an identical distribution to $\SigGenPrivate()$,
and $\SigDerivePublic$ is a deterministic function, the combination of a re-randomized
and since $\SigDerivePublic$ is a deterministic function, the combination of a re-randomized
public key and signature(s) under that key do not reveal the key from which it was
re-randomized.
\item Since $\SigRandomizePrivate_{\SigRandomizer}$ is injective and
@ -2862,11 +2885,13 @@ $\SigDerivePublic(\sk_1 \grpplus \sk_2) = \SigDerivePublic(\sk_1)\, \combplus \S
In other words, $\SigDerivePublic$ is a homomorphism from the private key group to the public key group.
\vspace{1ex}
For $\rmN \typecolon \PosInt$,
\begin{itemize}
\item $\sgrpsum{i=1}{\rmN} \sk_i$ means $\sk_1 \grpplus \sk_2 \grpplus \cdots\, \grpplus \sk_{\rmN}$;
\item $\scombsum{i=1}{\rmN} \vk_i$ means $\vk_1 \combplus \vk_2 \combplus \cdots\, \combplus \vk_{\rmN}$.
\end{itemize}
\vspace{-2ex}
When $\rmN = 0$ these yield the appropriate group identity, i.e. $\sgrpsum{i=1}{0} \sk_i = \grpzero$
and $\scombsum{i=1}{0} \vk_i = \combzero$.
@ -2961,6 +2986,7 @@ $(-G) + G = \ZeroG{}$. We write $G - H$ for $G + (-H)$.
We also extend the $\vsum{}{}$ notation to addition on group elements.
\introlist
For $G \typecolon \GroupG{}$ and $k \typecolon \Int$ we write $\scalarmult{k}{G}$
for scalar multiplication on the group, i.e.
@ -2985,6 +3011,7 @@ $\ExtractG \typecolon \GroupG{} \rightarrow T$ for some type $T$,
such that $\ExtractG$ is injective on the subgroup of $\GroupG{}$ of order
$\ParamG{r}$.
\vspace{-2ex}
\pnote{
Unlike the representation function $\reprG{}$, $\ExtractG$ need not have an
efficiently computable left inverse.
@ -3002,9 +3029,8 @@ Given a represented group $\GroupG{}$ and a type $\CRSType$, we define a
\begin{formulae}
\item $\GroupGHash{} \typecolon \CRSType \times \bitseq{\ell} \rightarrow \GroupG{}$
\end{formulae}
\vspace{-1ex}
with the following security requirement.
\vspace{-2ex}
\securityrequirement{\textbf{Discrete Logarithm Independence}
For a randomly selected member $\GroupGHash{\CRS}$ of the family, it is infeasible to find
@ -3141,6 +3167,7 @@ taking them to be the particular \provingKey and \verifyingKey defined by the
\joinSplitParameters in \crossref{sproutparameters}.
} %sprout
\sapling{
\introlist
\Zcash uses two \provingSystems:
\begin{itemize}
\item $\PHGR$ (\crossref{phgr}) is used with the
@ -3241,7 +3268,7 @@ are derived as follows:
\sapling{
\introlist
$\AuthSignPublic$, $\AuthProvePublic$, and $\InViewingKey$ are then derived as follows:
$\AuthSignPublic$, $\AuthProvePublic$, and $\InViewingKey$ are then derived as:
\begin{tabular}{@{\hskip 1.7em}r@{\;}l}
$\AuthSignPublic$ &$:= \scalarmult{\AuthSignPrivate}{\AuthSignBase}$ \\
@ -3255,6 +3282,7 @@ creation of multiple \diversifiedPaymentAddresses with the same spending
authority. A group of such addresses shares the same \fullViewingKey and
\incomingViewingKey.
\introlist
To create a new \diversifiedPaymentAddress given an \incomingViewingKey
$\InViewingKey$, repeatedly pick a \diversifier $\Diversifier$ uniformly at
random from $\DiversifierType$ until
@ -3369,7 +3397,7 @@ where
\begin{itemize}
\item $\cv \typecolon \ValueCommitOutput$ is the \valueCommitment to the value of the input \note;
\item $\rt \typecolon \MerkleHashSapling$ is an \anchor, as defined in
\crossref{blockchain}, for the output \treestate of a previous \block.
\crossref{blockchain}, for the output \treestate of a previous \block;
\item $\nf \typecolon \bitseq{\PRFOutputLengthSapling}$ is the \nullifier for the input \note;
\item $\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic$ is a randomized public key
that should be used to verify $\spendAuthSig$;
@ -4045,12 +4073,13 @@ Let $\KASprout$\sapling{ and $\KASapling$} be the \keyAgreementSchemes instantia
} %notsprout
\subsubsection{Encryption \pSproutOrNothing}
\subsubsection{Encryption\pSproutOrNothing} \label{sproutencrypt}
Let $\TransmitPublicNew{\allNew}$ be the \transmissionKeys
for the intended recipient addresses of each new \note.
Let $\NotePlaintext{\allNew}$ be the \notePlaintexts as defined in \crossref{notept}.
Let $\NotePlaintext{\allNew}$ be the \SproutOrNothing \notePlaintexts as
defined in \crossref{notept}.
\introlist
Then to encrypt:
@ -4102,12 +4131,12 @@ component as follows:
\item let $\DHSecret{i} = \KASproutAgree(\TransmitPrivate, \EphemeralPublic)$
\item let $\TransmitKey{i} = \KDFSprout(i, \hSig, \DHSecret{i}, \EphemeralPublic,
\TransmitPublic)$
\item return $\DecryptNote(\TransmitKey{i}, \TransmitCiphertext{i}, \cmNew{i},
\item return $\DecryptNoteSprout(\TransmitKey{i}, \TransmitCiphertext{i}, \cmNew{i},
\AuthPublic).$
\end{formulae}
\introlist
$\DecryptNote(\TransmitKey{i}, \TransmitCiphertext{i}, \cmNew{i}, \AuthPublic)$
$\DecryptNoteSprout(\TransmitKey{i}, \TransmitCiphertext{i}, \cmNew{i}, \AuthPublic)$
is defined as follows:
\begin{formulae}
@ -4116,7 +4145,7 @@ is defined as follows:
\item if $\TransmitPlaintext{i} = \bot$, return $\bot$
\item extract $\NotePlaintext{i} = (\ValueNew{i},
\NoteAddressRandNew{i}, \NoteCommitRandNew{i}, \Memo_i)$ from $\TransmitPlaintext{i}$
\item if $\NoteCommitSprout((\AuthPublic, \ValueNew{i}, \NoteAddressRandNew{i},
\item if $\NoteCommitmentSprout((\AuthPublic, \ValueNew{i}, \NoteAddressRandNew{i},
\NoteCommitRandNew{i})) \neq \cmNew{i}$, return $\bot$, else return $\NotePlaintext{i}$.
\end{formulae}
}
@ -4515,12 +4544,12 @@ Let $\GroupJHash{}$ and $U$ be as defined in \crossref{concretegrouphashjubjub}.
Define
\begin{formulae}
\item $\DiversifyHash(\Diversifier) := \GroupJHash{U}(\ascii{Zcash\_gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier})$
\item $\DiversifyHash(\Diversifier) := \GroupJHash{\NotUpMySleeve}(\ascii{Zcash\_gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier})$
\end{formulae}
\securityrequirement{
$\DiversifyHash$ must satisfy the Discrete Logarithm Independence property
described in \crossref{abstractgrouphash}. \todo{make this more precise.}
described in \crossref{abstractgrouphash}.
}
} %sapling
@ -5071,7 +5100,7 @@ $\BlakeTwobOf{256}{p, x}$ is defined in \crossref{concreteblake2}.
\subsubsection{\JoinSplitSignature} \label{concretejssig}
$\JoinSplitSig$ is specified in \crossref{abstractsig}.
$\JoinSplitSig$ is a \signatureScheme as specified in \crossref{abstractsig}.
\changed{It is instantiated as $\JoinSplitSigSpecific$ \cite{BDLSY2012},
with the additional requirements that:
@ -5343,7 +5372,7 @@ $\GenG{1}$ and $\GenG{2}$ are generators of $\GroupG{1}$ and $\GroupG{2}$ respec
\end{bytefield}
\end{lrbox}
Define $\ItoBEBSP{} \typecolon (\ell \typecolon \Nat) \times \range{0}{2^\ell\!-\!1} \rightarrow
Define $\ItoBEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow
\bitseq{\ell}$ as in \crossref{endian}.
\introlist
@ -5475,7 +5504,7 @@ Let $\GenS{2} \typecolon \GroupSstar{2} :=\;$
$\GenS{1}$ and $\GenS{2}$ are generators of $\GroupS{1}$ and $\GroupS{2}$ respectively.
Define $\ItoBEBSP{} \typecolon (\ell \typecolon \Nat) \times \range{0}{2^\ell\!-\!1} \rightarrow
Define $\ItoBEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow
\bitseq{\ell}$ as in \crossref{endian}.
\introlist
@ -5551,14 +5580,14 @@ $\GroupJ$ has order $8 \smult \ParamJ{r}$.
Let $\ellJ := 256$.
Define $\ItoLEBSP{} \typecolon (\ell \typecolon \Nat) \times \range{0}{2^\ell\!-\!1} \rightarrow \bitseq{\ell}$
Define $\ItoLEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow \bitseq{\ell}$
as in \crossref{endian}.
Define $\reprJ \typecolon \GroupJ \rightarrow \bitseq{\ellJ}$ such
Define $\reprJ \typecolon \GroupJ \rightarrow \ReprJ$ such
that $\reprJOf{u, \varv} = \ItoLEBSP{256}(\varv + 2^{255} \smult \tilde{u})$, where
$\tilde{u} = u \bmod 2$.
Let $\abstJ \typecolon \bitseq{\ellJ} \rightarrow \GroupJ \union \setof{\bot}$
Let $\abstJ \typecolon \ReprJ \rightarrow \GroupJ \union \setof{\bot}$
be the left inverse of $\reprJ$ such that if $S$ is not in the range of
$\reprJ$, then $\abstJOf{S} = \bot$.
@ -5569,8 +5598,8 @@ $\reprJ$, then $\abstJOf{S} = \bot$.
\item The encoding of a compressed twisted Edwards point used here is
consistent with that used in EdDSA \cite{BJLSY2015} for public keys and
the $R$ element of a signature.
\item Algorithms for decompressing points from the encoding of
$\GroupJ$ are given in \cite[``Encoding and parsing curve points'']{BJLSY2015}.
\item \cite[``Encoding and parsing curve points'']{BJLSY2015} gives algorithms
for decompressing points from the encoding of $\GroupJ$.
\end{itemize}
When computing square roots in $\GF{\ParamJ{q}}$ in order to decompress a point encoding,
@ -5666,7 +5695,7 @@ The hash $\GroupJHash{\CRS}(D, M)$ is calculated as follows:
\end{formulae}
Define $\first \typecolon (\Nat \rightarrow T \union \setof{\bot}) \rightarrow T \union \setof{\bot}$
so that $\first(f) = f(i)$ where $i$ is the least integer in $\range{0}{255}$
so that $\first(f) = f(i)$ where $i$ is the least integer in $\byte$
such that $f(i) \neq \bot$, or $\bot$ if no such $i$ exists.
Let $\FindGroupJHashOf{D, M} =
@ -6441,11 +6470,13 @@ The encoding of $\joinSplitPubKey$ and the data to be signed are specified in
\sproutonlyitem{The \fOverwintered{} flag \MUSTNOT be set.}
\nuzeroonwarditem{The \fOverwintered{} flag \MUST be set.}
\nuzeroonwarditem{The \versionGroupID{} \MUST be recognized.}
\nuzeroonlyitem{The \transactionVersionNumber{} \MUST be $3$, and the \versionGroupID{} \MUST
\nuzeroonlyitem{The \transactionVersionNumber{} \MUST be $3$ and the \versionGroupID{} \MUST
be $\hexint{03C48270}$.}
\saplingonwarditem{The \transactionVersionNumber{} and \versionGroupID{} \MUST be
either $(3, \hexint{03C48270})$ or $(4, \todo{\Sapling\, \versionGroupID{}})$.}
\sproutonlyitem{If $\versionField = 1$ or $\nJoinSplit = 0$, then \txInCount{} \MUSTNOT be $0$.}
\presaplingitem{The encoded size of the \transaction{} \MUST be less than or equal to
$100000$ bytes.}
\saplingonwarditem{At least one of \txInCount, \nShieldedSpend, and \nJoinSplit{} \MUST be nonzero.}
\item A \transaction with one or more inputs from \coinbaseTransactions{} \MUST have no
\transparent outputs (i.e.\ \txOutCount{} \MUST be $0$).
@ -6453,8 +6484,6 @@ The encoding of $\joinSplitPubKey$ and the data to be signed are specified in
over $\dataToBeSigned$ as defined in \crossref{nonmalleability}.
\item If $\nJoinSplit > 0$, then \joinSplitPubKey{} \MUST represent a valid
$\JoinSplitSigSpecific$ public key encoding as specified in \crossref{concretejssig}.
\sproutonlyitem{The encoded size of the \transaction{} \MUST be less than or equal to
$100000$ bytes.}
\item A \coinbaseTransaction{} \MUSTNOT have any
\joinSplitDescriptions\sapling{, \spendDescriptions, or \outputDescriptions}.
\item A \transaction{} \MUSTNOT spend an output of a \coinbaseTransaction
@ -7751,8 +7780,8 @@ distinct openings of the \noteCommitment when Condition I or II is violated.
is it constrained by the \Zerocash \POUR{} \statement or the
\Zcash \joinSplitStatement. $\cm$ can be computed from the other fields.
\sapling{(The definition of \notes for \Sapling is different again.)}
\item The length of proof encodings given in the paper is $288$ bytes.
\sproutspecific{This differs from the $296$ bytes specified in \crossref{phgr},
\item The length of proof encodings given in the paper is $288$
bytes.\sproutspecific{This differs from the $296$ bytes specified in \crossref{phgr},
because both the $x$-coordinate and compressed $y$-coordinate of each
point need to be represented. Although it is possible to encode a proof
in $288$ bytes by making use of the fact that elements of $\GF{q}$ can
@ -7760,8 +7789,8 @@ distinct openings of the \noteCommitment when Condition I or II is violated.
defined in \cite{IEEE2004}. The fork of \libsnark used by \Zcash uses
this standard encoding rather than the less efficient (uncompressed) one
used by upstream \libsnark.}
\item The range of monetary values differs. In \Zcash, this range is
$\range{0}{\MAXMONEY}$; in \Zerocash it is $\ValueType$.
\item The range of monetary values differs. In \Zcash this range is
$\range{0}{\MAXMONEY}$, while in \Zerocash it is $\ValueType$.
(The \joinSplitStatement still only directly enforces that the sum
of amounts in a given \joinSplitTransfer is in the latter range;
this enforcement is technically redundant given that the Balance