Cosmetics and minor corrections.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
34181a7701
commit
2bb48c67eb
|
@ -87,7 +87,7 @@
|
|||
\renewcommand{\@pnumwidth}{2em}
|
||||
\makeatother
|
||||
|
||||
\newcommand{\pagenumfont}{\fontfamily{pnc}\selectfont\rule[-.2\baselineskip]{0pt}{1.35\baselineskip}}
|
||||
\newcommand{\pagenumfont}{\fontfamily{pnc}\selectfont\rule[-.2\baselineskip]{0pt}{1.3\baselineskip}}
|
||||
\renewcommand{\cftsecpagefont}{\pagenumfont}
|
||||
\renewcommand{\cftsubsecpagefont}{\pagenumfont}
|
||||
\renewcommand{\cftsubsubsecpagefont}{\pagenumfont}
|
||||
|
@ -154,7 +154,7 @@
|
|||
\newcommand{\footnotewithlabel}[2]{\hairspace\oldfootnote{\label{#1}{#2}}}
|
||||
|
||||
\newcommand{\crossref}[1]{\raisebox{0ex}{\autoref{#1}}\hspace{0.2em}\emph{`\nameref*{#1}\kern -0.05em'} on p.\,\pageref*{#1}}
|
||||
\newcommand{\theoremref}[1]{\raisebox{0ex}{\autoref{#1}} on p.\,\pageref*{#1}}
|
||||
\newcommand{\theoremref}[1]{\raisebox{0ex}{\autoref{#1}\vphantom{,}} on p.\,\pageref*{#1}}
|
||||
\newcommand{\footnoteref}[1]{\hairspace\raisebox{0ex}{\cref{#1}}}
|
||||
|
||||
\newcommand{\autorefprefix}{\linkstrut\S\!}
|
||||
|
@ -218,10 +218,10 @@
|
|||
|
||||
% <https://tex.stackexchange.com/a/269020/78411>, with explicit size parameter
|
||||
\makeatletter
|
||||
\newcommand*{\bigboxplus}[1]{\DOTSB\mathop{\mathpalette\big@boxplus{#1}\relax}\slimits@}
|
||||
\newcommand*{\bigboxminus}[1]{\DOTSB\mathop{\mathpalette\big@boxminus{#1}\relax}\slimits@}
|
||||
\newcommand*{\bigdiamondplus}[1]{\DOTSB\mathop{\mathpalette\big@diamondplus{#1}\relax}\slimits@}
|
||||
\newcommand*{\bigdiamondminus}[1]{\DOTSB\mathop{\mathpalette\big@diamondminus{#1}\relax}\slimits@}
|
||||
\newcommand*{\bigboxplus}[1]{\mathop{\mathpalette\big@boxplus{#1}\relax}\slimits@}
|
||||
\newcommand*{\bigboxminus}[1]{\mathop{\mathpalette\big@boxminus{#1}\relax}\slimits@}
|
||||
\newcommand*{\bigdiamondplus}[1]{\mathop{\mathpalette\big@diamondplus{#1}\relax}\slimits@}
|
||||
\newcommand*{\bigdiamondminus}[1]{\mathop{\mathpalette\big@diamondminus{#1}\relax}\slimits@}
|
||||
|
||||
\newcommand{\big@boxplus}[2]{%
|
||||
\vcenter{\m@th\bigbox@thickness{#1}\hbox{%
|
||||
|
@ -294,6 +294,9 @@
|
|||
|
||||
\newcommand{\raisedstrut}{\raisebox{0.3ex}{\strut}}
|
||||
|
||||
% <https://tex.stackexchange.com/a/415155/78411>
|
||||
\newcommand{\clasp}[3][0pt]{\stackengine{0pt}{#3}{\kern#1#2}{O}{c}{F}{F}{L}}
|
||||
|
||||
\newcommand{\plus}{\hairspace +\hairspace}
|
||||
\newcommand{\vv}{\hspace{0.071em}\varv\hspace{0.064em}}
|
||||
\newcommand{\varvv}{\varv\kern 0.02em\varv}
|
||||
|
@ -474,7 +477,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\shieldedOutput}{\term{shielded output}}
|
||||
\newcommand{\shieldedOutputs}{\term{shielded outputs}}
|
||||
\newcommand{\statement}{\term{statement}}
|
||||
\newcommand{\ZkSNARKStatements}{\titleterm{Zk-SNARK Statements}}
|
||||
\newcommand{\ZkSNARKStatements}{\titleterm{Zk-SNARK Statement\notsprout{s}}}
|
||||
\newcommand{\zkProof}{\term{zk proof}}
|
||||
\newcommand{\zeroKnowledgeProof}{\term{zero-knowledge proof}}
|
||||
\newcommand{\zeroKnowledgeProofs}{\term{zero-knowledge proofs}}
|
||||
|
@ -576,6 +579,12 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\xTransparentAddresses}{\term{Transparent addresses}}
|
||||
\newcommand{\TransparentAddresses}{\titleterm{Transparent Addresses}}
|
||||
\newcommand{\transparentTransfers}{\term{transparent transfers}}
|
||||
\newcommand{\transparentInput}{\term{transparent input}}
|
||||
\newcommand{\transparentInputs}{\term{transparent inputs}}
|
||||
\newcommand{\xTransparentInputs}{\term{Transparent inputs}}
|
||||
\newcommand{\transparentOutput}{\term{transparent output}}
|
||||
\newcommand{\transparentOutputs}{\term{transparent outputs}}
|
||||
\newcommand{\xTransparentOutputs}{\term{Transparent outputs}}
|
||||
\newcommand{\shielded}{\term{shielded}}
|
||||
\newcommand{\shieldedNote}{\term{shielded note}}
|
||||
\newcommand{\shieldedNotes}{\term{shielded notes}}
|
||||
|
@ -729,7 +738,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\byteseq}[1]{\typeexp{\byte}{#1}}
|
||||
\newcommand{\byteseqs}{\byteseq{\Nat}}
|
||||
\newcommand{\concatbits}{\mathsf{concat}_\bit}
|
||||
\newcommand{\bconcat}{\,||\,}
|
||||
\newcommand{\bconcat}{\mathop{\kern 0.05em||}}
|
||||
\newcommand{\listcomp}[1]{\overlap{0.06em}{\ensuremath{[}}~{#1}~\overlap{0.06em}{\ensuremath{]}}}
|
||||
\newcommand{\fun}[2]{{#1} \mapsto {#2}}
|
||||
\newcommand{\first}{\mathsf{first}}
|
||||
|
@ -781,17 +790,19 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\sproduct}[2]{\sop{#1}{#2}{\prod}}
|
||||
\newcommand{\vxor}[2]{\vop{#1}{#2}{\bigoplus}}
|
||||
\newcommand{\sxor}[2]{\sop{#1}{#2}{\bigoplus}}
|
||||
\newcommand{\vcombsum}[2]{\vop{#1}{#2}{\bigcombplus}}
|
||||
\newcommand{\vcombsum}[2]{\vop{#1}{#2}{\biggercombplus}}
|
||||
\newcommand{\scombsum}[2]{\sop{#1}{#2}{\bigcombplus}}
|
||||
\newcommand{\vgrpsum}[2]{\vop{#1}{#2}{\biggrpplus}}
|
||||
\newcommand{\vgrpsum}[2]{\vop{#1}{#2}{\biggergrpplus}}
|
||||
\newcommand{\sgrpsum}[2]{\sop{#1}{#2}{\biggrpplus}}
|
||||
\newcommand{\xor}{\oplus}
|
||||
\newcommand{\biggercombplus}{\bigdiamondplus{4.6ex}}
|
||||
\newcommand{\bigcombplus}{\bigdiamondplus{3.3ex}}
|
||||
\newcommand{\combplus}{\bigdiamondplus{1.8ex}\,}
|
||||
\newcommand{\subcombplus}{\bigdiamondplus{1.4ex}}
|
||||
\newcommand{\combzero}{\Zero_{\subcombplus}}
|
||||
\newcommand{\combminus}{\bigdiamondminus{1.8ex}\,}
|
||||
\newcommand{\combneg}{\bigdiamondminus{1.8ex}}
|
||||
\newcommand{\biggergrpplus}{\bigboxplus{4.6ex}}
|
||||
\newcommand{\biggrpplus}{\bigboxplus{3.3ex}}
|
||||
\newcommand{\grpplus}{\bigboxplus{1.8ex}\,}
|
||||
\newcommand{\subgrpplus}{\bigboxplus{1.4ex}}
|
||||
|
@ -804,8 +815,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\mult}{\cdot}
|
||||
\newcommand{\smult}{\!\cdot\!}
|
||||
\newcommand{\scalarmult}[2]{\boldsymbol{[}{#1}\boldsymbol{]}\,{#2}}
|
||||
\newcommand{\rightarrowR}{\phantom{(}\smash{\buildrel{\scriptstyle\mathrm{R}}\over\rightarrow}\phantom{)}}
|
||||
\newcommand{\leftarrowR}{\phantom{(}\smash{\buildrel{\scriptstyle\mathrm{R}}\over\leftarrow}\phantom{)}}
|
||||
\newcommand{\rightarrowR}{\mathop{\clasp[-0.18em]{\raisebox{1.15ex}{\scriptsize R}}{$\,\rightarrow\,$}}}
|
||||
\newcommand{\leftarrowR}{\mathop{\clasp[0.15em]{\raisebox{1.15ex}{\scriptsize R}}{$\,\leftarrow\,$}}}
|
||||
\newcommand{\union}{\cup}
|
||||
\newcommand{\intersection}{\cap}
|
||||
\newcommand{\difference}{\setminus}
|
||||
|
@ -838,6 +849,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\CRHivkBox}[1]{\CRHivk\!\left(\Justthebox{#1}\right)}
|
||||
\newcommand{\DiversifyHash}{\mathsf{DiversifyHash}}
|
||||
\newcommand{\DiversifyHashText}{\texorpdfstring{$\DiversifyHash$}{DiversifyHash}}
|
||||
\newcommand{\NotUpMySleeve}{U}
|
||||
|
||||
% Key pairs
|
||||
|
||||
|
@ -933,6 +945,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\PRFnfSapling}[1]{\PRF{#1}{nf\kern-0.01em Sapling}}
|
||||
\newcommand{\PRFOutputLength}{\mathsf{\ell_{PRF}}}
|
||||
\newcommand{\PRFOutput}{\bitseq{\PRFOutputLength}}
|
||||
\newcommand{\PRFOutputLengthSprout}{\mathsf{\ell_{PRF\notsprout{Sprout}}}}
|
||||
\newcommand{\PRFOutputSprout}{\bitseq{\PRFOutputLengthSprout}}
|
||||
\newcommand{\PRFOutputLengthSapling}{\mathsf{\ell_{PRFSapling}}}
|
||||
\newcommand{\PRFOutputSapling}{\bitseq{\PRFOutputLengthSapling}}
|
||||
|
||||
|
@ -1030,7 +1044,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\Value}{\mathsf{v}}
|
||||
\newcommand{\ValueNew}[1]{\Value^\mathsf{new}_{#1}}
|
||||
\newcommand{\ValueOld}[1]{\Value^\mathsf{old}_{#1}}
|
||||
\newcommand{\ValueLength}{\ell_{\Value}}
|
||||
\newcommand{\ValueLength}{\ell_{\mathsf{value}}}
|
||||
\newcommand{\ValueType}{\binaryrange{\ValueLength}}
|
||||
\newcommand{\ValueCommitRand}{\mathsf{rcv}}
|
||||
\newcommand{\ValueCommitRandLength}{\mathsf{\ell_{\ValueCommitRand}}}
|
||||
|
@ -1062,6 +1076,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\nf}{\mathsf{nf}}
|
||||
\newcommand{\nfOld}[1]{\nf^\mathsf{old}_{#1}}
|
||||
\newcommand{\Memo}{\mathsf{memo}}
|
||||
\newcommand{\DecryptNoteSprout}{\mathtt{DecryptNote\notsprout{Sprout}}}
|
||||
\newcommand{\DecryptNoteSapling}{\mathtt{DecryptNoteSapling}}
|
||||
\newcommand{\DecryptNote}{\mathtt{DecryptNote}}
|
||||
\newcommand{\ReplacementCharacter}{\textsf{U+FFFD}}
|
||||
|
||||
|
@ -1509,7 +1525,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\Zcash is an implementation of the \term{Decentralized Anonymous Payment}
|
||||
scheme \Zerocash, with security fixes and adjustments
|
||||
to terminology, functionality and performance. It bridges the existing
|
||||
\emph{transparent} payment scheme used by \Bitcoin with a
|
||||
transparent payment scheme used by \Bitcoin with a
|
||||
\emph{shielded} payment scheme secured by zero-knowledge succinct
|
||||
non-interactive arguments of knowledge (\zkSNARKs). It attempts to
|
||||
address the problem of mining centralization by use of the Equihash
|
||||
|
@ -1665,9 +1681,8 @@ It is also possible for value to be transferred between the \transparent and
|
|||
|
||||
The \nullifiers of the input \notes are revealed (preventing them from being
|
||||
spent again) and the commitments of the output \notes are revealed (allowing
|
||||
them to be spent in future).
|
||||
\sprout{
|
||||
Each \joinSplitDescription also includes a computationally sound \zkSNARK proof,
|
||||
them to be spent in future).\sprout{ Each
|
||||
\joinSplitDescription also includes a computationally sound \zkSNARK proof,
|
||||
which proves that all of the following hold except with insignificant probability:
|
||||
|
||||
\begin{itemize}
|
||||
|
@ -1683,10 +1698,9 @@ which proves that all of the following hold except with insignificant probabilit
|
|||
\item Each output \note is generated in such a way that it is infeasible to
|
||||
cause its \nullifier to collide with the \nullifier of any other \note.
|
||||
\end{itemize}
|
||||
} %sprout
|
||||
\notsprout{
|
||||
A \transaction also includes computationally sound \zkSNARK proofs, which prove
|
||||
that all of the following hold except with insignificant probability:
|
||||
}\notsprout{ A
|
||||
\transaction also includes computationally sound \zkSNARK proofs and signatures,
|
||||
which prove that all of the following hold except with insignificant probability:
|
||||
|
||||
For each \shieldedInput,
|
||||
|
||||
|
@ -1694,7 +1708,7 @@ For each \shieldedInput,
|
|||
\item \saplingonward{there is a revealed \valueCommitment to the same value as
|
||||
the input \note;}
|
||||
\item some revealed \noteCommitment exists for the input \note;
|
||||
\item the prover knew the \authProvingKey of the input \note;
|
||||
\item the prover knew the \authProvingKey of the \note;
|
||||
\item the \nullifier and \noteCommitment are computed correctly.
|
||||
\end{itemize}
|
||||
|
||||
|
@ -1704,8 +1718,8 @@ and for each \shieldedOutput,
|
|||
\item \saplingonward{there is a revealed \valueCommitment to the same value as
|
||||
the output \note;}
|
||||
\item the \noteCommitment is computed correctly;
|
||||
\item the output \note is generated in such a way that it is infeasible to
|
||||
cause its \nullifier to collide with the \nullifier of any other \note.
|
||||
\item it is infeasible to cause the \nullifier of the output \note to collide
|
||||
with the \nullifier of any other \note.
|
||||
\end{itemize}
|
||||
|
||||
For \Sprout, the \joinSplitStatement also includes an explicit balance check.
|
||||
|
@ -1980,9 +1994,9 @@ $\AuthPrivate$, as described in \crossref{sproutkeycomponents}.
|
|||
|
||||
\saplingonward{
|
||||
The \authSigningKey $\AuthSignPrivate$,
|
||||
the \authProvingKey $(\AuthSignPublic, \AuthProvePrivate)$,
|
||||
\authProvingKey $(\AuthSignPublic, \AuthProvePrivate)$,
|
||||
the \fullViewingKey $(\AuthSignPublic, \AuthProvePublic)$,
|
||||
the \incomingViewingKey $\InViewingKey$, and
|
||||
\incomingViewingKey $\InViewingKey$, and
|
||||
each \diversifiedPaymentAddress $\DiversifiedPaymentAddress = (\Diversifier, \DiversifiedTransmitPublic)$
|
||||
are derived from $\SpendingKey$, as described in \crossref{saplingkeycomponents}.
|
||||
} %saplingonward
|
||||
|
@ -2045,12 +2059,12 @@ to a given \paymentAddress.
|
|||
A \SproutOrNothing \note is a tuple $\changed{(\AuthPublic,
|
||||
\Value, \NoteAddressRand, \NoteCommitRand)}$, where:
|
||||
\begin{itemize}
|
||||
\item $\AuthPublic \typecolon \PRFOutput$ is the \payingKey of the
|
||||
\item $\AuthPublic \typecolon \PRFOutputSprout$ is the \payingKey of the
|
||||
recipient's \paymentAddress;
|
||||
\item $\Value \typecolon \range{0}{\MAXMONEY}$ is an integer
|
||||
representing the value of the \note in \zatoshi
|
||||
($1$ \ZEC = $10^8$ \zatoshi);
|
||||
\item $\NoteAddressRand \typecolon \PRFOutput$
|
||||
\item $\NoteAddressRand \typecolon \PRFOutputSprout$
|
||||
is used as input to $\PRFnf{\AuthPrivate}$ to derive the
|
||||
\nullifier of the \note;
|
||||
\item $\NoteCommitRand \typecolon \NoteCommitSproutTrapdoor$
|
||||
|
@ -2060,7 +2074,7 @@ A \SproutOrNothing \note is a tuple $\changed{(\AuthPublic,
|
|||
\introlist
|
||||
Let $\NoteTypeSprout$ be the type of a \SproutOrNothing \note, i.e.
|
||||
\begin{formulae}
|
||||
\item $\NoteTypeSprout := \changed{\PRFOutput \times \range{0}{\MAXMONEY} \times \PRFOutput
|
||||
\item $\NoteTypeSprout := \changed{\PRFOutputSprout \times \range{0}{\MAXMONEY} \times \PRFOutputSprout
|
||||
\times \NoteCommitSproutTrapdoor}$.
|
||||
\end{formulae}
|
||||
|
||||
|
@ -2072,7 +2086,7 @@ A \Sapling \note is a tuple $(\Diversifier, \DiversifiedTransmitPublic,
|
|||
\begin{itemize}
|
||||
\item $\Diversifier \typecolon \DiversifierType$
|
||||
is the \diversifier of the recipient's \paymentAddress;
|
||||
\item $\DiversifiedTransmitPublic \typecolon \GroupJ$
|
||||
\item $\DiversifiedTransmitPublic \typecolon \KASaplingPublic$
|
||||
is the \diversifiedTransmissionKey of the recipient's \paymentAddress;
|
||||
\item $\Value \typecolon \range{0}{\MAXMONEY}$ is an integer
|
||||
representing the value of the \note in \zatoshi;
|
||||
|
@ -2083,7 +2097,7 @@ A \Sapling \note is a tuple $(\Diversifier, \DiversifiedTransmitPublic,
|
|||
\introlist
|
||||
Let $\NoteTypeSapling$ be the type of a \Sapling \note, i.e.
|
||||
\begin{formulae}
|
||||
\item $\NoteTypeSapling := \DiversifierType \times \GroupJ \times \range{0}{\MAXMONEY}
|
||||
\item $\NoteTypeSapling := \DiversifierType \times \KASaplingPublic \times \range{0}{\MAXMONEY}
|
||||
\times \NoteCommitSaplingTrapdoor$.
|
||||
\end{formulae}
|
||||
} %sapling
|
||||
|
@ -2216,9 +2230,9 @@ up to that height.
|
|||
|
||||
Each \block contains one or more \transactions.
|
||||
|
||||
Inputs to a \transaction insert value into a \transparentValuePool, and outputs
|
||||
remove value from this pool. As in \Bitcoin, the remaining value in the pool is
|
||||
available to miners as a fee.
|
||||
\xTransparentInputs to a \transaction insert value into a \transparentValuePool,
|
||||
and \transparentOutputs remove value from this pool. As in \Bitcoin, the remaining
|
||||
value in the pool is available to miners as a fee.
|
||||
|
||||
\vspace{-3ex}
|
||||
\consensusrule{
|
||||
|
@ -2308,7 +2322,7 @@ it is not known where it will eventually appear in a mined \block. Therefore the
|
|||
\begin{consensusrules}
|
||||
\item The input and output values of each \joinSplitTransfer{} \MUST balance
|
||||
exactly.
|
||||
\item For the first \joinSplitDescription of a \transaction, the \anchor \MUST
|
||||
\item For the first \joinSplitDescription of a \transaction, the \anchor{} \MUST
|
||||
be the output \SproutOrNothing \treestate of a previous \block.
|
||||
\changed{
|
||||
\item The \anchor of each \joinSplitDescription in a \transaction{} \MUST refer
|
||||
|
@ -2359,6 +2373,7 @@ A \spendDescription includes an \anchor, which refers to the output
|
|||
\Sapling \treestate of a previous \block. It also reveals a \nullifier,
|
||||
which allows detection of double-spends as described in \crossref{nullifierset}.
|
||||
|
||||
\vspace{-2ex}
|
||||
\pnote{
|
||||
Interstitial \treestates are not necessary for \Sapling, because a \spendTransfer
|
||||
in a given \transaction cannot spend any of the \shieldedOutputs of the same
|
||||
|
@ -2367,6 +2382,7 @@ each \joinSplitTransfer must balance individually, in \Sapling it is only necess
|
|||
for the whole \transaction to balance.
|
||||
}
|
||||
|
||||
\vspace{3ex}
|
||||
\begin{consensusrules}
|
||||
\item The \transaction{} \MUST balance as specified in \crossref{saplingbalance}.
|
||||
\item The \anchor of each \spendDescription in a \transaction{} \MUST refer
|
||||
|
@ -2383,14 +2399,14 @@ for the whole \transaction to balance.
|
|||
|
||||
\sapling{\todo{The commitment indices in the above diagram should be zero-based to reflect the \notePosition{}.}}
|
||||
|
||||
The \noteCommitmentTree is an \incrementalMerkleTree of fixed depth used to store
|
||||
\noteCommitments that \joinSplitTransfers\sapling{ and \spendTransfers} produce.
|
||||
A \noteCommitmentTree is an \incrementalMerkleTree of fixed depth used to store
|
||||
\noteCommitments that \joinSplitTransfers\sapling{ or \spendTransfers} produce.
|
||||
Just as the \term{unspent transaction output set} (UTXO set) used in \Bitcoin,
|
||||
it is used to express the existence of value and the capability to spend it.
|
||||
However, unlike the UTXO set, it is \emph{not} the job of this tree to protect
|
||||
against double-spending, as it is append-only.
|
||||
|
||||
A \merkleRoot of this tree is associated with each \treestate, as described in
|
||||
A \merkleRoot of a \noteCommitmentTree is associated with each \treestate; see
|
||||
\crossref{transactions}.
|
||||
|
||||
Each \merkleNode in the \incrementalMerkleTree is associated with a \merkleHash of
|
||||
|
@ -2517,10 +2533,10 @@ be as defined in \crossref{constants}.
|
|||
\notsprout{For \Sprout, \changed{four} \emph{independent} $\PRF{x}{}$ are needed:}
|
||||
|
||||
\begin{tabular}{@{\hskip 2em}l@{\notsprout{\hskip 1.88em}}l@{\;}l@{\;}l@{\;}l}
|
||||
$\PRFaddr{} $&$\typecolon\; \bitseq{\AuthPrivateLength} $&$\times\; \byte $& &$\rightarrow \PRFOutput $\\
|
||||
$\PRFnf{} $&$\typecolon\; \bitseq{\AuthPrivateLength} $&$\times\; \PRFOutput $& &$\rightarrow \PRFOutput $\\
|
||||
$\PRFpk{} $&$\typecolon\; \bitseq{\AuthPrivateLength} $&$\times\; \setofOld $&$\times\; \hSigType $&$\rightarrow \PRFOutput $\\
|
||||
$\PRFrho{} $&$\typecolon\; \bitseq{\NoteAddressPreRandLength} $&$\times\; \setofNew $&$\times\; \hSigType $&$\rightarrow \PRFOutput $
|
||||
$\PRFaddr{} $&$\typecolon\; \bitseq{\AuthPrivateLength} $&$\times\; \byte $& &$\rightarrow \PRFOutputSprout $\\
|
||||
$\PRFnf{} $&$\typecolon\; \bitseq{\AuthPrivateLength} $&$\times\; \PRFOutputSprout $& &$\rightarrow \PRFOutputSprout $\\
|
||||
$\PRFpk{} $&$\typecolon\; \bitseq{\AuthPrivateLength} $&$\times\; \setofOld $&$\times\; \hSigType $&$\rightarrow \PRFOutputSprout $\\
|
||||
$\PRFrho{} $&$\typecolon\; \bitseq{\NoteAddressPreRandLength} $&$\times\; \setofNew $&$\times\; \hSigType $&$\rightarrow \PRFOutputSprout $
|
||||
\end{tabular}
|
||||
|
||||
These are used in \crossref{joinsplitstatement}; $\PRFaddr{}$ is also used to
|
||||
|
@ -2541,6 +2557,7 @@ $\PRFnfSapling{}$ is used in \crossref{spendstatement}.
|
|||
|
||||
\sprout{They}\notsprout{All of these \pseudoRandomFunctions} are instantiated in \crossref{concreteprfs}.
|
||||
|
||||
\vspace{-2ex}
|
||||
\begin{securityrequirements}
|
||||
\item Security definitions for \pseudoRandomFunctions are given in \cite[section 4]{BDJR2000}.
|
||||
\item In addition to being \pseudoRandomFunctions, it is required that
|
||||
|
@ -2550,6 +2567,7 @@ $\PRFnfSapling{}$ is used in \crossref{spendstatement}.
|
|||
similarly for $\PRFaddr{}$ and $\PRFrho{}$\sapling{ and $\PRFnfSapling{}$}}.
|
||||
\end{securityrequirements}
|
||||
|
||||
\vspace{-4ex}
|
||||
\pnote{$\PRFnf{}$ was called $\PRFsn{}$ in \Zerocash \cite{BCG+2014}.}
|
||||
|
||||
|
||||
|
@ -2563,17 +2581,17 @@ $\SymEncrypt{} \typecolon \Keyspace \times \Plaintext \rightarrow \Ciphertext$
|
|||
is the encryption algorithm.
|
||||
|
||||
$\SymDecrypt{} \typecolon \Keyspace \times \Ciphertext \rightarrow
|
||||
\Plaintext \union \setof{\bot}$ is the corresponding decryption algorithm, such that
|
||||
\Plaintext \union \setof{\bot}$ is the decryption algorithm, such that
|
||||
for any $\Key \in \Keyspace$ and $\Ptext \in \Plaintext$,
|
||||
$\SymDecrypt{\Key}(\SymEncrypt{\Key}(\Ptext)) = \Ptext$.
|
||||
$\bot$ is used to represent the decryption of an invalid ciphertext.
|
||||
|
||||
\vspace{-3ex}
|
||||
\securityrequirement{
|
||||
$\Sym$ must be one-time (INT-CTXT $\wedge$ IND-CPA)-secure. \quotedterm{One-time} here
|
||||
means that an honest protocol participant will almost surely encrypt only one message
|
||||
with a given key; however, the attacker may make many adaptive chosen ciphertext
|
||||
queries for a given key. The security notions INT-CTXT and IND-CPA are as defined in
|
||||
\cite{BN2007}.
|
||||
$\Sym$ must be one-time (INT-CTXT $\wedge$ IND-CPA)-secure \cite{BN2007}.
|
||||
\quotedterm{One-time} here means that an honest protocol participant will almost
|
||||
surely encrypt only one message with a given key; however, the adversary may make
|
||||
many adaptive chosen ciphertext queries for a given key.
|
||||
}
|
||||
|
||||
\subsubsection{\KeyAgreement} \label{abstractkeyagreement}
|
||||
|
@ -2585,7 +2603,7 @@ A \keyAgreementScheme $\KA$ defines a type of public keys $\KAPublic$, a type
|
|||
of private keys $\KAPrivate$, and a type of shared secrets $\KASharedSecret$.
|
||||
|
||||
Let $\KAFormatPrivate \typecolon \PRFOutput \rightarrow \KAPrivate$ be a function
|
||||
that converts a bit string of length $\PRFOutputLength$ to a $\KA$ private key.
|
||||
to convert a bit string of length $\PRFOutputLength$ to a $\KA$ private key.
|
||||
|
||||
Let $\KADerivePublic \typecolon \KAPrivate \times \KAPublic \rightarrow \KAPublic$
|
||||
be a function that derives the $\KA$ public key corresponding to a given $\KA$
|
||||
|
@ -2596,10 +2614,10 @@ be the agreement function.
|
|||
|
||||
\sapling{Optional:} Let $\KABase \typecolon \KAPublic$ be a public base point.
|
||||
|
||||
\pnote{
|
||||
The range of $\KADerivePublic$ may be a strict subset of $\KAPublic$.
|
||||
}
|
||||
\vspace{-2ex}
|
||||
\pnote{The range of $\KADerivePublic$ may be a strict subset of $\KAPublic$.}
|
||||
|
||||
\vspace{-2ex}
|
||||
\begin{securityrequirements}
|
||||
\item $\KAFormatPrivate$ must preserve sufficient entropy from its input to be used
|
||||
as a secure $\KA$ private key.
|
||||
|
@ -2619,9 +2637,10 @@ A \keyDerivationFunction is defined for a particular \keyAgreementScheme and
|
|||
agreement and additional arguments, and derives a key suitable for the encryption
|
||||
scheme.
|
||||
|
||||
Let $\KDF \typecolon \setofNew \times \hSigType \times \KASharedSecret
|
||||
\sprout{
|
||||
Let $\KDFSprout \typecolon \setofNew \times \hSigType \times \KASharedSecret
|
||||
\times \KAPublic \times \KAPublic \rightarrow \Keyspace$ be a
|
||||
\keyDerivationFunction suitable for use with $\KA$, deriving keys
|
||||
\keyDerivationFunction suitable for use with $\KASprout$, deriving keys
|
||||
for $\SymEncrypt{}$.
|
||||
|
||||
\securityrequirement{
|
||||
|
@ -2636,7 +2655,7 @@ Let $\TransmitBase := \todo{?}$
|
|||
\sprout{Let $\TransmitBase := \KABase$.}
|
||||
|
||||
Let $\TransmitPrivateSup{1}$ and $\TransmitPrivateSup{2}$ each be chosen uniformly and
|
||||
independently at random from $\KAPrivate$.
|
||||
independently at random from $\KASproutPrivate$.
|
||||
|
||||
Let $\TransmitPublicSup{j} := \KADerivePublic(\TransmitPrivateSup{j}, \TransmitBase)$.
|
||||
|
||||
|
@ -2661,11 +2680,10 @@ constructed from $\KA$, $\KDF$ and $\Sym$ in \crossref{inband} will be key-priva
|
|||
as defined in \cite{BBDP2001}.
|
||||
|
||||
\pnote{The given definition only requires ciphertexts to be indistinguishable
|
||||
between \transmissionKeys that are outputs of $\KADerivePublic$ (which
|
||||
between \transmissionKeys that are outputs of $\KASproutDerivePublic$ (which
|
||||
includes all keys generated as in \crossref{sproutkeycomponents}). If a
|
||||
\transmissionKey not in that range is used, it may be distinguishable.
|
||||
This is not considered to be a significant security weakness.
|
||||
}
|
||||
This is not considered to be a significant security weakness.}
|
||||
|
||||
|
||||
\introlist
|
||||
|
@ -2700,7 +2718,7 @@ aspects of the definitions of \signatureSchemes with additional features in
|
|||
} %pnote
|
||||
} %notsprout
|
||||
|
||||
\vspace{2ex}
|
||||
\vspace{3ex}
|
||||
\introlist
|
||||
\Zcash uses \sprout{two}\sapling{three} signature schemes:
|
||||
|
||||
|
@ -2711,8 +2729,8 @@ aspects of the definitions of \signatureSchemes with additional features in
|
|||
which is used to sign \transactions that contain at least one
|
||||
\joinSplitDescription\sprout{.}\notsprout{;}
|
||||
\saplingonwarditem{one called $\SpendAuthSig$ (instantiated in
|
||||
\crossref{concretespendauthsig}), which is used to sign authorizations of
|
||||
\spendDescriptions.}
|
||||
\crossref{concretespendauthsig}) which is used to sign authorizations of
|
||||
\spendTransfers;}
|
||||
\end{itemize}
|
||||
|
||||
The following defines only the security properties needed for $\JoinSplitSig$.
|
||||
|
@ -2727,6 +2745,7 @@ for the adversary to forge a previously unseen valid \mbox{(message, signature)}
|
|||
pair without access to the signing key.
|
||||
}
|
||||
|
||||
\vspace{1ex}
|
||||
\todo{Reference a different paper for the security definition. \cite{BDEHR2011} has
|
||||
a flawed security proof; this doesn't affect \Zcash but it would be better to avoid
|
||||
confusion that it might.}
|
||||
|
@ -2736,6 +2755,7 @@ confusion that it might.}
|
|||
a \joinSplitDescription{}.
|
||||
Since each key pair is only used for one signature (see \crossref{nonmalleability}),
|
||||
a one-time signature scheme would suffice for $\JoinSplitSig$.
|
||||
|
||||
This is also the reason why only security against \emph{non-adaptive}
|
||||
chosen message attack is needed. In fact the instantiation of $\JoinSplitSig$
|
||||
uses a scheme designed for security under adaptive attack even when multiple
|
||||
|
@ -2748,7 +2768,7 @@ confusion that it might.}
|
|||
|
||||
|
||||
\sapling{
|
||||
\introlist
|
||||
\introsection
|
||||
\subsubsubsection{Signature with Re-Randomizable Keys} \label{abstractsigrerand}
|
||||
|
||||
A \rerandomizableSignatureScheme $\Sig$ is a \signatureScheme that
|
||||
|
@ -2802,13 +2822,16 @@ that multiple \transactions spending the same \note are revealed to an adversary
|
|||
\introsection
|
||||
\securityrequirement{\textbf{Strong Unforgeability with Re-randomized Keys under adaptive Chosen Message Attack (SURK-CMA)}
|
||||
|
||||
Let $\Oracle \typecolon \SigPrivate \times \SigMessage \times \SigRandom \rightarrow \SigSignature$
|
||||
be a generator of signing oracles.
|
||||
|
||||
A signing oracle $\Oracle_{\sk}$ for private key $\sk$ has state
|
||||
For any $\sk \typecolon \SigPrivate$, let
|
||||
\begin{formulae}
|
||||
\item $\Oracle_{\sk} \typecolon \SigMessage \times \SigRandom \rightarrow \SigSignature$
|
||||
\end{formulae}
|
||||
\vspace{-1ex}
|
||||
be a signing oracle with state
|
||||
$Q \typecolon \powerset{\SigMessage \times \SigSignature}$ initialized to $\setof{}$
|
||||
that records queried messages and corresponding signatures.
|
||||
|
||||
\vspace{1ex}
|
||||
\begin{formulae}
|
||||
\item $\Oracle_{\sk} :=$ var $Q \leftarrow \setof{}$ in $\fun{(m \typecolon \SigMessage, \SigRandomizer \typecolon \SigRandom)}{}$
|
||||
\item \tab let $\sigma = \SigSign{\SigRandomizePrivate(\SigRandomizer, \sk)}(m)$
|
||||
|
@ -2824,13 +2847,13 @@ $(m', \sigma') \not\in \Oracle_{\sk}\mathsf{.}Q$.
|
|||
}
|
||||
|
||||
\begin{pnotes}
|
||||
\item The requirement for $\SigRandomizerId$ simplifies the definition of SURK-CMA
|
||||
by removing the need for two oracles (since the oracle for original keys,
|
||||
called $\Oracle_1$ in \cite{FKMSSS2016}, is a special case of the oracle for
|
||||
randomized keys).
|
||||
\item The requirement for the identity randomizer $\SigRandomizerId$ simplifies the
|
||||
definition of SURK-CMA by removing the need for two oracles (because the oracle for
|
||||
original keys, called $\Oracle_1$ in \cite{FKMSSS2016}, is a special case of the
|
||||
oracle for randomized keys).
|
||||
\item Since $\SigRandomizePrivate(\SigRandomizer, \sk) :
|
||||
\SigRandomizer \leftarrowR \SigRandom$ has an identical distribution to $\SigGenPrivate()$,
|
||||
and $\SigDerivePublic$ is a deterministic function, the combination of a re-randomized
|
||||
and since $\SigDerivePublic$ is a deterministic function, the combination of a re-randomized
|
||||
public key and signature(s) under that key do not reveal the key from which it was
|
||||
re-randomized.
|
||||
\item Since $\SigRandomizePrivate_{\SigRandomizer}$ is injective and
|
||||
|
@ -2862,11 +2885,13 @@ $\SigDerivePublic(\sk_1 \grpplus \sk_2) = \SigDerivePublic(\sk_1)\, \combplus \S
|
|||
|
||||
In other words, $\SigDerivePublic$ is a homomorphism from the private key group to the public key group.
|
||||
|
||||
\vspace{1ex}
|
||||
For $\rmN \typecolon \PosInt$,
|
||||
\begin{itemize}
|
||||
\item $\sgrpsum{i=1}{\rmN} \sk_i$ means $\sk_1 \grpplus \sk_2 \grpplus \cdots\, \grpplus \sk_{\rmN}$;
|
||||
\item $\scombsum{i=1}{\rmN} \vk_i$ means $\vk_1 \combplus \vk_2 \combplus \cdots\, \combplus \vk_{\rmN}$.
|
||||
\end{itemize}
|
||||
\vspace{-2ex}
|
||||
When $\rmN = 0$ these yield the appropriate group identity, i.e. $\sgrpsum{i=1}{0} \sk_i = \grpzero$
|
||||
and $\scombsum{i=1}{0} \vk_i = \combzero$.
|
||||
|
||||
|
@ -2961,6 +2986,7 @@ $(-G) + G = \ZeroG{}$. We write $G - H$ for $G + (-H)$.
|
|||
|
||||
We also extend the $\vsum{}{}$ notation to addition on group elements.
|
||||
|
||||
\introlist
|
||||
For $G \typecolon \GroupG{}$ and $k \typecolon \Int$ we write $\scalarmult{k}{G}$
|
||||
for scalar multiplication on the group, i.e.
|
||||
|
||||
|
@ -2985,6 +3011,7 @@ $\ExtractG \typecolon \GroupG{} \rightarrow T$ for some type $T$,
|
|||
such that $\ExtractG$ is injective on the subgroup of $\GroupG{}$ of order
|
||||
$\ParamG{r}$.
|
||||
|
||||
\vspace{-2ex}
|
||||
\pnote{
|
||||
Unlike the representation function $\reprG{}$, $\ExtractG$ need not have an
|
||||
efficiently computable left inverse.
|
||||
|
@ -3002,9 +3029,8 @@ Given a represented group $\GroupG{}$ and a type $\CRSType$, we define a
|
|||
\begin{formulae}
|
||||
\item $\GroupGHash{} \typecolon \CRSType \times \bitseq{\ell} \rightarrow \GroupG{}$
|
||||
\end{formulae}
|
||||
\vspace{-1ex}
|
||||
with the following security requirement.
|
||||
|
||||
\vspace{-2ex}
|
||||
\securityrequirement{\textbf{Discrete Logarithm Independence}
|
||||
|
||||
For a randomly selected member $\GroupGHash{\CRS}$ of the family, it is infeasible to find
|
||||
|
@ -3141,6 +3167,7 @@ taking them to be the particular \provingKey and \verifyingKey defined by the
|
|||
\joinSplitParameters in \crossref{sproutparameters}.
|
||||
} %sprout
|
||||
\sapling{
|
||||
\introlist
|
||||
\Zcash uses two \provingSystems:
|
||||
\begin{itemize}
|
||||
\item $\PHGR$ (\crossref{phgr}) is used with the
|
||||
|
@ -3241,7 +3268,7 @@ are derived as follows:
|
|||
|
||||
\sapling{
|
||||
\introlist
|
||||
$\AuthSignPublic$, $\AuthProvePublic$, and $\InViewingKey$ are then derived as follows:
|
||||
$\AuthSignPublic$, $\AuthProvePublic$, and $\InViewingKey$ are then derived as:
|
||||
|
||||
\begin{tabular}{@{\hskip 1.7em}r@{\;}l}
|
||||
$\AuthSignPublic$ &$:= \scalarmult{\AuthSignPrivate}{\AuthSignBase}$ \\
|
||||
|
@ -3255,6 +3282,7 @@ creation of multiple \diversifiedPaymentAddresses with the same spending
|
|||
authority. A group of such addresses shares the same \fullViewingKey and
|
||||
\incomingViewingKey.
|
||||
|
||||
\introlist
|
||||
To create a new \diversifiedPaymentAddress given an \incomingViewingKey
|
||||
$\InViewingKey$, repeatedly pick a \diversifier $\Diversifier$ uniformly at
|
||||
random from $\DiversifierType$ until
|
||||
|
@ -3369,7 +3397,7 @@ where
|
|||
\begin{itemize}
|
||||
\item $\cv \typecolon \ValueCommitOutput$ is the \valueCommitment to the value of the input \note;
|
||||
\item $\rt \typecolon \MerkleHashSapling$ is an \anchor, as defined in
|
||||
\crossref{blockchain}, for the output \treestate of a previous \block.
|
||||
\crossref{blockchain}, for the output \treestate of a previous \block;
|
||||
\item $\nf \typecolon \bitseq{\PRFOutputLengthSapling}$ is the \nullifier for the input \note;
|
||||
\item $\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic$ is a randomized public key
|
||||
that should be used to verify $\spendAuthSig$;
|
||||
|
@ -4045,12 +4073,13 @@ Let $\KASprout$\sapling{ and $\KASapling$} be the \keyAgreementSchemes instantia
|
|||
} %notsprout
|
||||
|
||||
|
||||
\subsubsection{Encryption \pSproutOrNothing}
|
||||
\subsubsection{Encryption\pSproutOrNothing} \label{sproutencrypt}
|
||||
|
||||
Let $\TransmitPublicNew{\allNew}$ be the \transmissionKeys
|
||||
for the intended recipient addresses of each new \note.
|
||||
|
||||
Let $\NotePlaintext{\allNew}$ be the \notePlaintexts as defined in \crossref{notept}.
|
||||
Let $\NotePlaintext{\allNew}$ be the \SproutOrNothing \notePlaintexts as
|
||||
defined in \crossref{notept}.
|
||||
|
||||
\introlist
|
||||
Then to encrypt:
|
||||
|
@ -4102,12 +4131,12 @@ component as follows:
|
|||
\item let $\DHSecret{i} = \KASproutAgree(\TransmitPrivate, \EphemeralPublic)$
|
||||
\item let $\TransmitKey{i} = \KDFSprout(i, \hSig, \DHSecret{i}, \EphemeralPublic,
|
||||
\TransmitPublic)$
|
||||
\item return $\DecryptNote(\TransmitKey{i}, \TransmitCiphertext{i}, \cmNew{i},
|
||||
\item return $\DecryptNoteSprout(\TransmitKey{i}, \TransmitCiphertext{i}, \cmNew{i},
|
||||
\AuthPublic).$
|
||||
\end{formulae}
|
||||
|
||||
\introlist
|
||||
$\DecryptNote(\TransmitKey{i}, \TransmitCiphertext{i}, \cmNew{i}, \AuthPublic)$
|
||||
$\DecryptNoteSprout(\TransmitKey{i}, \TransmitCiphertext{i}, \cmNew{i}, \AuthPublic)$
|
||||
is defined as follows:
|
||||
|
||||
\begin{formulae}
|
||||
|
@ -4116,7 +4145,7 @@ is defined as follows:
|
|||
\item if $\TransmitPlaintext{i} = \bot$, return $\bot$
|
||||
\item extract $\NotePlaintext{i} = (\ValueNew{i},
|
||||
\NoteAddressRandNew{i}, \NoteCommitRandNew{i}, \Memo_i)$ from $\TransmitPlaintext{i}$
|
||||
\item if $\NoteCommitSprout((\AuthPublic, \ValueNew{i}, \NoteAddressRandNew{i},
|
||||
\item if $\NoteCommitmentSprout((\AuthPublic, \ValueNew{i}, \NoteAddressRandNew{i},
|
||||
\NoteCommitRandNew{i})) \neq \cmNew{i}$, return $\bot$, else return $\NotePlaintext{i}$.
|
||||
\end{formulae}
|
||||
}
|
||||
|
@ -4515,12 +4544,12 @@ Let $\GroupJHash{}$ and $U$ be as defined in \crossref{concretegrouphashjubjub}.
|
|||
Define
|
||||
|
||||
\begin{formulae}
|
||||
\item $\DiversifyHash(\Diversifier) := \GroupJHash{U}(\ascii{Zcash\_gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier})$
|
||||
\item $\DiversifyHash(\Diversifier) := \GroupJHash{\NotUpMySleeve}(\ascii{Zcash\_gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier})$
|
||||
\end{formulae}
|
||||
|
||||
\securityrequirement{
|
||||
$\DiversifyHash$ must satisfy the Discrete Logarithm Independence property
|
||||
described in \crossref{abstractgrouphash}. \todo{make this more precise.}
|
||||
described in \crossref{abstractgrouphash}.
|
||||
}
|
||||
} %sapling
|
||||
|
||||
|
@ -5071,7 +5100,7 @@ $\BlakeTwobOf{256}{p, x}$ is defined in \crossref{concreteblake2}.
|
|||
|
||||
\subsubsection{\JoinSplitSignature} \label{concretejssig}
|
||||
|
||||
$\JoinSplitSig$ is specified in \crossref{abstractsig}.
|
||||
$\JoinSplitSig$ is a \signatureScheme as specified in \crossref{abstractsig}.
|
||||
|
||||
\changed{It is instantiated as $\JoinSplitSigSpecific$ \cite{BDLSY2012},
|
||||
with the additional requirements that:
|
||||
|
@ -5343,7 +5372,7 @@ $\GenG{1}$ and $\GenG{2}$ are generators of $\GroupG{1}$ and $\GroupG{2}$ respec
|
|||
\end{bytefield}
|
||||
\end{lrbox}
|
||||
|
||||
Define $\ItoBEBSP{} \typecolon (\ell \typecolon \Nat) \times \range{0}{2^\ell\!-\!1} \rightarrow
|
||||
Define $\ItoBEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow
|
||||
\bitseq{\ell}$ as in \crossref{endian}.
|
||||
|
||||
\introlist
|
||||
|
@ -5475,7 +5504,7 @@ Let $\GenS{2} \typecolon \GroupSstar{2} :=\;$
|
|||
|
||||
$\GenS{1}$ and $\GenS{2}$ are generators of $\GroupS{1}$ and $\GroupS{2}$ respectively.
|
||||
|
||||
Define $\ItoBEBSP{} \typecolon (\ell \typecolon \Nat) \times \range{0}{2^\ell\!-\!1} \rightarrow
|
||||
Define $\ItoBEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow
|
||||
\bitseq{\ell}$ as in \crossref{endian}.
|
||||
|
||||
\introlist
|
||||
|
@ -5551,14 +5580,14 @@ $\GroupJ$ has order $8 \smult \ParamJ{r}$.
|
|||
|
||||
Let $\ellJ := 256$.
|
||||
|
||||
Define $\ItoLEBSP{} \typecolon (\ell \typecolon \Nat) \times \range{0}{2^\ell\!-\!1} \rightarrow \bitseq{\ell}$
|
||||
Define $\ItoLEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow \bitseq{\ell}$
|
||||
as in \crossref{endian}.
|
||||
|
||||
Define $\reprJ \typecolon \GroupJ \rightarrow \bitseq{\ellJ}$ such
|
||||
Define $\reprJ \typecolon \GroupJ \rightarrow \ReprJ$ such
|
||||
that $\reprJOf{u, \varv} = \ItoLEBSP{256}(\varv + 2^{255} \smult \tilde{u})$, where
|
||||
$\tilde{u} = u \bmod 2$.
|
||||
|
||||
Let $\abstJ \typecolon \bitseq{\ellJ} \rightarrow \GroupJ \union \setof{\bot}$
|
||||
Let $\abstJ \typecolon \ReprJ \rightarrow \GroupJ \union \setof{\bot}$
|
||||
be the left inverse of $\reprJ$ such that if $S$ is not in the range of
|
||||
$\reprJ$, then $\abstJOf{S} = \bot$.
|
||||
|
||||
|
@ -5569,8 +5598,8 @@ $\reprJ$, then $\abstJOf{S} = \bot$.
|
|||
\item The encoding of a compressed twisted Edwards point used here is
|
||||
consistent with that used in EdDSA \cite{BJLSY2015} for public keys and
|
||||
the $R$ element of a signature.
|
||||
\item Algorithms for decompressing points from the encoding of
|
||||
$\GroupJ$ are given in \cite[``Encoding and parsing curve points'']{BJLSY2015}.
|
||||
\item \cite[``Encoding and parsing curve points'']{BJLSY2015} gives algorithms
|
||||
for decompressing points from the encoding of $\GroupJ$.
|
||||
\end{itemize}
|
||||
|
||||
When computing square roots in $\GF{\ParamJ{q}}$ in order to decompress a point encoding,
|
||||
|
@ -5666,7 +5695,7 @@ The hash $\GroupJHash{\CRS}(D, M)$ is calculated as follows:
|
|||
\end{formulae}
|
||||
|
||||
Define $\first \typecolon (\Nat \rightarrow T \union \setof{\bot}) \rightarrow T \union \setof{\bot}$
|
||||
so that $\first(f) = f(i)$ where $i$ is the least integer in $\range{0}{255}$
|
||||
so that $\first(f) = f(i)$ where $i$ is the least integer in $\byte$
|
||||
such that $f(i) \neq \bot$, or $\bot$ if no such $i$ exists.
|
||||
|
||||
Let $\FindGroupJHashOf{D, M} =
|
||||
|
@ -6441,11 +6470,13 @@ The encoding of $\joinSplitPubKey$ and the data to be signed are specified in
|
|||
\sproutonlyitem{The \fOverwintered{} flag \MUSTNOT be set.}
|
||||
\nuzeroonwarditem{The \fOverwintered{} flag \MUST be set.}
|
||||
\nuzeroonwarditem{The \versionGroupID{} \MUST be recognized.}
|
||||
\nuzeroonlyitem{The \transactionVersionNumber{} \MUST be $3$, and the \versionGroupID{} \MUST
|
||||
\nuzeroonlyitem{The \transactionVersionNumber{} \MUST be $3$ and the \versionGroupID{} \MUST
|
||||
be $\hexint{03C48270}$.}
|
||||
\saplingonwarditem{The \transactionVersionNumber{} and \versionGroupID{} \MUST be
|
||||
either $(3, \hexint{03C48270})$ or $(4, \todo{\Sapling\, \versionGroupID{}})$.}
|
||||
\sproutonlyitem{If $\versionField = 1$ or $\nJoinSplit = 0$, then \txInCount{} \MUSTNOT be $0$.}
|
||||
\presaplingitem{The encoded size of the \transaction{} \MUST be less than or equal to
|
||||
$100000$ bytes.}
|
||||
\saplingonwarditem{At least one of \txInCount, \nShieldedSpend, and \nJoinSplit{} \MUST be nonzero.}
|
||||
\item A \transaction with one or more inputs from \coinbaseTransactions{} \MUST have no
|
||||
\transparent outputs (i.e.\ \txOutCount{} \MUST be $0$).
|
||||
|
@ -6453,8 +6484,6 @@ The encoding of $\joinSplitPubKey$ and the data to be signed are specified in
|
|||
over $\dataToBeSigned$ as defined in \crossref{nonmalleability}.
|
||||
\item If $\nJoinSplit > 0$, then \joinSplitPubKey{} \MUST represent a valid
|
||||
$\JoinSplitSigSpecific$ public key encoding as specified in \crossref{concretejssig}.
|
||||
\sproutonlyitem{The encoded size of the \transaction{} \MUST be less than or equal to
|
||||
$100000$ bytes.}
|
||||
\item A \coinbaseTransaction{} \MUSTNOT have any
|
||||
\joinSplitDescriptions\sapling{, \spendDescriptions, or \outputDescriptions}.
|
||||
\item A \transaction{} \MUSTNOT spend an output of a \coinbaseTransaction
|
||||
|
@ -7751,8 +7780,8 @@ distinct openings of the \noteCommitment when Condition I or II is violated.
|
|||
is it constrained by the \Zerocash \POUR{} \statement or the
|
||||
\Zcash \joinSplitStatement. $\cm$ can be computed from the other fields.
|
||||
\sapling{(The definition of \notes for \Sapling is different again.)}
|
||||
\item The length of proof encodings given in the paper is $288$ bytes.
|
||||
\sproutspecific{This differs from the $296$ bytes specified in \crossref{phgr},
|
||||
\item The length of proof encodings given in the paper is $288$
|
||||
bytes.\sproutspecific{This differs from the $296$ bytes specified in \crossref{phgr},
|
||||
because both the $x$-coordinate and compressed $y$-coordinate of each
|
||||
point need to be represented. Although it is possible to encode a proof
|
||||
in $288$ bytes by making use of the fact that elements of $\GF{q}$ can
|
||||
|
@ -7760,8 +7789,8 @@ distinct openings of the \noteCommitment when Condition I or II is violated.
|
|||
defined in \cite{IEEE2004}. The fork of \libsnark used by \Zcash uses
|
||||
this standard encoding rather than the less efficient (uncompressed) one
|
||||
used by upstream \libsnark.}
|
||||
\item The range of monetary values differs. In \Zcash, this range is
|
||||
$\range{0}{\MAXMONEY}$; in \Zerocash it is $\ValueType$.
|
||||
\item The range of monetary values differs. In \Zcash this range is
|
||||
$\range{0}{\MAXMONEY}$, while in \Zerocash it is $\ValueType$.
|
||||
(The \joinSplitStatement still only directly enforces that the sum
|
||||
of amounts in a given \joinSplitTransfer is in the latter range;
|
||||
this enforcement is technically redundant given that the Balance
|
||||
|
|
Loading…
Reference in New Issue