From 300df42bf33182eba901f64b1d7ac8f610bec8e7 Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Mon, 15 Mar 2021 16:14:19 +0000 Subject: [PATCH] More WIP for Orchard Signed-off-by: Daira Hopwood --- protocol/protocol.tex | 2073 ++++++++++++++++++++++++----------------- 1 file changed, 1209 insertions(+), 864 deletions(-) diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 9ddd2e31..300686d8 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -614,7 +614,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\sapling}[1]{\texorpdfstring{{\setsapling{#1}}}{#1}} \newcommand{\setoverwinter}{\color{\overwintercolor}} \newcommand{\overwinter}[1]{\texorpdfstring{{\setoverwinter{#1}}}{#1}} - \newcommand{\optSprout}[1]{{#1}^\mathsf{Sprout}} } { \providecommand{\baseurl}{https://zips.z.cash/protocol/sprout.pdf} \newcommand{\sprout}[1]{#1} @@ -623,7 +622,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\sapling}[1]{} \newcommand{\setoverwinter}{} \newcommand{\overwinter}[1]{} - \newcommand{\optSprout}[1]{#1} } 
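Review bot: Dropping `\optSprout` from both branches of the conditional removes the only mechanism that let the Sprout-only build typeset protocol-specific symbols without a `Sprout` superscript, and the replacements in the later hunks (`\Uncommitted{Sprout}`, `\NoteCommitAlg{Sprout}`, `\KA{Sprout}`, `\KDF{Sprout}`, `\MerkleDepth{Sprout}`) always emit `\mathsf{…^{Sprout}}`. The `\sprout{COMM}\notsprout{NoteCommit}` and `\sprout{Merkle}\notsprout{MerkleSprout}` distinctions disappear in the same way in the hunks at 1452 and 1820. If that change to the Sprout-only output is intended, a one-line comment next to the `\sprout` branch would save the next reader from looking for the missing macro, e.g. `% \optSprout removed: Sprout symbols now carry the ^{Sprout} superscript in every build`; if it is not, the parameterised macros could wrap the superscript in `\notsprout{…}`.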
@@ -819,17 +817,22 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\outputProof}{\term{Output proof}} \newcommand{\actionDescription}{\term{Action description}} \newcommand{\actionDescriptions}{\terms{Action description}} -\newcommand{\action}{\term{Action}} -\newcommand{\actions}{\terms{Actions}} +\newcommand{\actionTransfer}{\term{Action transfer}} +\newcommand{\actionTransfers}{\terms{Action transfers}} \newcommand{\actionCircuit}{\term{Action circuit}} \newcommand{\actionStatement}{\term{Action statement}} \newcommand{\actionStatements}{\terms{Action statement}} \newcommand{\actionProof}{\term{Action proof}} +\newcommand{\saplingBindingSignature}{\termandindex{Sapling binding signature}{binding signature (Sapling)}} +\newcommand{\saplingBindingSignatures}{\termandindex{Sapling binding signatures}{binding signature (Sapling)}} +\newcommand{\orchardBindingSignature}{\termandindex{Orchard binding signature}{binding signature (Orchard)}} +\newcommand{\orchardBindingSignatures}{\termandindex{Orchard binding signatures}{binding signature (Orchard)}} \newcommand{\bindingSignature}{\term{binding signature}} \newcommand{\bindingSignatures}{\terms{binding signature}} \newcommand{\bindingSignatureScheme}{\term{binding signature scheme}} \newcommand{\txBindingValidatingKey}{\term{transaction binding validating key}} -\newcommand{\balancingValue}{\term{balancing value}} +\newcommand{\saplingBalancingValue}{\term{Sapling balancing value}} +\newcommand{\orchardBalancingValue}{\term{Orchard balancing value}} \newcommand{\shieldedOutput}{\term{shielded output}} \newcommand{\shieldedOutputs}{\terms{shielded output}} \newcommand{\statement}{\term{statement}} 
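Review bot: `\actionTransfers` is defined as `\terms{Action transfers}` with the plural already inside the argument, while every neighbouring plural macro in this hunk passes the singular (`\actionDescriptions` is `\terms{Action description}`, `\actionStatements` is `\terms{Action statement}`, `\bindingSignatures` is `\terms{binding signature}`). If `\terms` appends the plural suffix and indexes the singular, as that pattern suggests, the new macro renders a doubled plural and indexes under the wrong headword; the removed `\actions` had the same shape, so the rename carried the oddity forward. Suggest `\newcommand{\actionTransfers}{\terms{Action transfer}}`.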
@@ -878,6 +881,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\VestaText}{\texorpdfstring{$\mathsf{Vesta}$}{Vesta}} \newcommand{\IsoVesta}{\termandindexx{$\mathsf{iso}\kern0.05em\mhyphen\kern-0.05em\mathsf{Vesta}$}{iso-Vesta}} \newcommand{\PallasAndVestaText}{\texorpdfstring{$\mathsf{Pallas}$ and $\mathsf{Vesta}$}{Pallas and Vesta}} +\newcommand{\secpCurve}{\indexlink{secp256k1 curve}{secp256k1}{$\mathsf{secp256k1}$}} \newcommand{\completeTwistedEdwardsEllipticCurve}{\term{complete twisted Edwards elliptic curve}} \newcommand{\completeTwistedEdwardsEllipticCurves}{\terms{complete twisted Edwards elliptic curve}} \newcommand{\xCtEdwards}{\term{ctEdwards}} @@ -1178,7 +1182,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\mantissa}{\mathsf{mantissa}} \newcommand{\ToCompact}{\mathsf{ToCompact}} \newcommand{\ToTarget}{\mathsf{ToTarget}} -\newcommand{\ToScalar}{\mathsf{ToScalar}} +\newcommand{\ToScalar}[1]{\mathsf{ToScalar^{#1}}} \newcommand{\hexint}[1]{\mathtt{0x{#1}}} \newcommand{\dontcare}{\kern -0.06em\raisebox{0.1ex}{\footnotesize{$\times$}}} \newcommand{\ascii}[1]{\textbf{``\texttt{#1}''}} 
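Review bot: `\ToScalar` changes from a zero-argument macro to `[1]`, so an existing unbraced use such as `$\ToScalar(x)$` outside this patch would silently take `(` as its argument rather than fail to compile; the same arity change happens to `\DiversifyHash`, `\KA`, `\KDF`, `\MerkleDepth`, `\MerkleCRH`, `\vBalance`, `\valueBalance` and `\bindingSig` in later hunks. The call sites are not visible here, so a search for unbraced uses of each changed macro is worth doing before this WIP lands. A short comment at the head of the parameterised group, e.g. `% Protocol-parameterised macros: the argument is Sprout, Sapling or Orchard`, would also record the new convention.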
@@ -1286,12 +1290,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\CRHivkText}{\texorpdfstring{$\CRHivk$}{CRHivk}} \newcommand{\CRHivkOutput}{\CRHivk\mathsf{.Output}} \newcommand{\CRHivkBox}[1]{\CRHivk\!\left(\Justthebox{#1}\right)} -\newcommand{\CommitIvk}[1]{\mathsf{Commit}^{\InViewingKey}_{#1}} -\newcommand{\DiversifyHash}{\mathsf{DiversifyHash}} -\newcommand{\DiversifyHashSapling}{\DiversifyHash^\mathsf{Sapling}} -\newcommand{\DiversifyHashSaplingText}{\texorpdfstring{$\DiversifyHashSapling$}{DiversifyHashSapling}} -\newcommand{\DiversifyHashOrchard}{\DiversifyHash^\mathsf{Orchard}} -\newcommand{\DiversifyHashOrchardText}{\texorpdfstring{$\DiversifyHashOrchard$}{DiversifyHashOrchard}} +\newcommand{\DiversifyHash}[1]{\mathsf{DiversifyHash^{#1}}} +\newcommand{\DiversifyHashText}[1]{\texorpdfstring{$\DiversifyHash{#1}$}{DiversifyHash\^{#1}}} \newcommand{\DefaultDiversifier}{\mathsf{DefaultDiversifier}} \newcommand{\CheckDiversifier}{\mathsf{CheckDiversifier}} \newcommand{\NotUpMySleeve}{U} @@ -1309,10 +1309,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\PaymentAddressSecondByte}{\hexint{9A}} \newcommand{\InViewingKey}{\mathsf{ivk}} \newcommand{\InViewingKeyRandom}{\mathsf{rivk}} -\newcommand{\InViewingKeyLengthSapling}{\ell^\mathsf{Sapling}_{\InViewingKey}\!} -\newcommand{\InViewingKeyTypeSapling}{\binaryrange{\InViewingKeyLengthSapling}} -\newcommand{\InViewingKeyLengthOrchard}{\ell^\mathsf{Orchard}_{\InViewingKey}\!} -\newcommand{\InViewingKeyTypeOrchard}{\binaryrange{\InViewingKeyLengthOrchard}} +\newcommand{\InViewingKeyLength}[1]{\ell^\mathsf{#1}_{\InViewingKey}\!} +\newcommand{\InViewingKeyType}[1]{\binaryrange{\InViewingKeyLength{#1}}} \newcommand{\InViewingKeyRepr}{{\InViewingKey\Repr}} \newcommand{\InViewingKeyLeadByte}{\hexint{A8}} \newcommand{\InViewingKeySecondByte}{\hexint{AB}} 
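Review bot: The plain-text fallback of `\DiversifyHashText` is `{DiversifyHash\^{#1}}`, where `\^` is the circumflex accent command, so the PDF bookmark text would come out as an accented first letter (or a hyperref "token not allowed" warning) rather than a literal caret. The removed `\DiversifyHashSaplingText` avoided this by spelling out `DiversifyHashSapling` in the fallback. Suggest `\newcommand{\DiversifyHashText}[1]{\texorpdfstring{$\DiversifyHash{#1}$}{DiversifyHash#1}}`, matching the previous bookmark form, or `\textasciicircum` if a caret is wanted.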
@@ -1348,8 +1346,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\AuthPublicNew}[1]{\mathsf{a^{new}_{pk,\mathnormal{#1}}}} \newcommand{\AuthPrivateNew}[1]{\mathsf{a^{new}_{sk,\mathnormal{#1}}}} \newcommand{\AddressPublicNew}[1]{\mathsf{addr^{new}_{pk,\mathnormal{#1}}}} -\newcommand{\ScalarLengthSapling}{\ell^{\mathsf{Sapling}}_{\mathsf{scalar}}} -\newcommand{\ScalarLengthOrchard}{\ell^{\mathsf{Orchard}}_{\mathsf{scalar}}} +\newcommand{\ScalarLength}[1]{\ell^{\mathsf{#1}\vphantom{p}}_{\mathsf{scalar}}} \newcommand{\enc}{\mathsf{enc}} \newcommand{\DHSecret}[1]{\mathsf{sharedSecret}_{#1}} \newcommand{\EphemeralPublic}{\mathsf{epk}} @@ -1374,10 +1371,11 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\SpendingKeyLength}{\mathsf{\ell_{\SpendingKey}}} \newcommand{\SpendingKeyType}{\bitseq{\SpendingKeyLength}} \newcommand{\AuthSignPrivate}{\mathsf{ask}} -\newcommand{\AuthSignBaseSapling}{\mathcal{G}^\GroupJ} -\newcommand{\AuthSignBaseOrchard}{\mathcal{G}^\GroupP} +\newcommand{\AuthSignBase}[1]{\mathcal{G}^{#1}} \newcommand{\AuthSignPublic}{\mathsf{ak}} +\newcommand{\AuthSignPublicX}{\mathsf{ak}_x} \newcommand{\AuthSignPublicRepr}{{\AuthSignPublic\Repr}} +\newcommand{\AuthSignPublicXRepr}{\mathsf{ak}_x\Repr} \newcommand{\AuthSignRandomizedPublic}{\mathsf{rk}} \newcommand{\AuthSignRandomizedPublicRepr}{{\AuthSignRandomizedPublic\Repr}} \newcommand{\AuthSignRandomizedPrivate}{\mathsf{rsk}} 
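Review bot: `\AuthSignBase` is now `\mathcal{G}^{#1}` with the argument bare in the superscript, whereas the parallel base-point macros in the next hunk (`\AuthProveBaseSapling` is `\mathcal{H}^\mathsf{Sapling}`, `\NullifierBaseOrchard` is `\mathcal{K}^\mathsf{Orchard}`, `\NotePositionBaseSapling` is `\mathcal{J}^\mathsf{Sapling}`) and `\ScalarLength` in this hunk put the protocol name in `\mathsf`; `\ValueCommitValueBase` and `\ValueCommitRandBase` in the hunk at 1452 have the same bare `^{#1}`. If callers now pass `Sapling`/`Orchard` rather than a group symbol, the name will be set in math italic; `\newcommand{\AuthSignBase}[1]{\mathcal{G}^{\mathsf{#1}}}` would align them, and the two value-commitment bases can be changed the same way. Separately, `\AuthSignPublicXRepr` repeats `\mathsf{ak}_x` instead of reusing the macro defined two lines above and lacks the outer braces its sibling `\AuthSignPublicRepr` has: `\newcommand{\AuthSignPublicXRepr}{{\AuthSignPublicX\Repr}}`.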
@@ -1385,20 +1383,18 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\AuthSignRandomizerRepr}{{\AuthSignRandomizer\Repr}} \newcommand{\AuthProvePrivate}{\mathsf{nsk}} \newcommand{\AuthProvePrivateRepr}{{\AuthProvePrivate\Repr}} -\newcommand{\AuthProveBase}{\mathcal{H}^\GroupJ} +\newcommand{\AuthProveBaseSapling}{\mathcal{H}^\mathsf{Sapling}} \newcommand{\NullifierKey}{\mathsf{nk}} \newcommand{\NullifierKeyRepr}{{\NullifierKey\Repr}} -\newcommand{\NullifierBaseOrchard}{\mathcal{K}^\GroupP} +\newcommand{\NullifierBaseOrchard}{\mathcal{K}^\mathsf{Orchard}} \newcommand{\OutViewingKey}{\mathsf{ovk}} \newcommand{\OutViewingKeyLength}{\mathsf{\ell_{\OutViewingKey}}} \newcommand{\OutViewingKeyType}{\byteseq{\OutViewingKeyLength/8}} \newcommand{\OutCipherKey}{\mathsf{ock}} \newcommand{\NotePosition}{\mathsf{pos}} \newcommand{\NotePositionRepr}{{\NotePosition\Repr}} -\newcommand{\NotePositionBase}{\mathcal{J}^\GroupJ} -\newcommand{\NotePositionTypeSprout}{\binaryrange{\MerkleDepthSprout}} -\newcommand{\NotePositionTypeSapling}{\binaryrange{\MerkleDepthSapling}} -\newcommand{\NotePositionTypeOrchard}{\binaryrange{\MerkleDepthOrchard}} +\newcommand{\NotePositionBaseSapling}{\mathcal{J}^\mathsf{Sapling}} +\newcommand{\NotePositionType}[1]{\binaryrange{\MerkleDepth{#1}}} \newcommand{\Diversifier}{\mathsf{d}} \newcommand{\DiversifierLength}{\mathsf{\ell_{\Diversifier}}} \newcommand{\DiversifierType}{\bitseq{\DiversifierLength}} 
@@ -1439,12 +1435,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg % Commitments -\newcommand{\UncommittedSprout}{\optSprout{\mathsf{Uncommitted}}} -\newcommand{\UncommittedSapling}{\mathsf{Uncommitted^{Sapling}}} -\newcommand{\UncommittedOrchard}{\mathsf{Uncommitted^{Orchard}}} -\newcommand{\NoteCommitmentSprout}{\optSprout{\mathsf{NoteCommitment}}} -\newcommand{\NoteCommitmentSapling}{\mathsf{NoteCommitment^{Sapling}}} -\newcommand{\NoteCommitmentOrchard}{\mathsf{NoteCommitment^{Orchard}}} +\newcommand{\Uncommitted}[1]{\mathsf{Uncommitted^{#1}}} +\newcommand{\NoteCommitment}[1]{\mathsf{NoteCommitment^{#1}}} \newcommand{\CommitAlg}{\mathsf{COMM}} \newcommand{\Commit}[1]{\CommitAlg_{#1}} 
@@ -1452,34 +1444,27 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\CommitGenTrapdoor}{\CommitAlg\mathsf{.GenTrapdoor}} \newcommand{\CommitInput}{\CommitAlg\mathsf{.Input}} \newcommand{\CommitOutput}{\CommitAlg\mathsf{.Output}} -\newcommand{\NoteCommitSproutAlg}{\mathsf{\sprout{COMM}\notsprout{NoteCommit}}^{\mathsf{Sprout}}} -\newcommand{\NoteCommitSprout}[1]{\NoteCommitSproutAlg_{\vphantom{l}#1}} -\newcommand{\NoteCommitSproutTrapdoor}{\NoteCommitSproutAlg\mathsf{.Trapdoor}} -\newcommand{\NoteCommitSproutGenTrapdoor}{\NoteCommitSproutAlg\mathsf{.GenTrapdoor}} -\newcommand{\NoteCommitSproutInput}{\NoteCommitSproutAlg\mathsf{.Input}} -\newcommand{\NoteCommitSproutOutput}{\NoteCommitSproutAlg\mathsf{.Output}} -\newcommand{\NoteCommitSaplingAlg}{\mathsf{NoteCommit}^{\mathsf{Sapling}}} -\newcommand{\NoteCommitSapling}[1]{\NoteCommitSaplingAlg_{\vphantom{l}#1}} -\newcommand{\NoteCommitSaplingTrapdoor}{\NoteCommitSaplingAlg\mathsf{.Trapdoor}} -\newcommand{\NoteCommitSaplingTrapdoorBytes}{\byteseq{32}} -\newcommand{\NoteCommitSaplingGenTrapdoor}{\NoteCommitSaplingAlg\mathsf{.GenTrapdoor}} -\newcommand{\NoteCommitSaplingInput}{\NoteCommitSaplingAlg\mathsf{.Input}} -\newcommand{\NoteCommitSaplingOutput}{\NoteCommitSaplingAlg\mathsf{.Output}} -\newcommand{\NoteCommitOrchardAlg}{\mathsf{NoteCommit}^{\mathsf{Orchard}}} -\newcommand{\NoteCommitOrchard}[1]{\NoteCommitOrchardAlg_{\vphantom{l}#1}} -\newcommand{\NoteCommitOrchardTrapdoor}{\NoteCommitOrchardAlg\mathsf{.Trapdoor}} -\newcommand{\NoteCommitOrchardTrapdoorBytes}{\byteseq{32}} -\newcommand{\NoteCommitOrchardGenTrapdoor}{\NoteCommitOrchardAlg\mathsf{.GenTrapdoor}} -\newcommand{\NoteCommitOrchardInput}{\NoteCommitOrchardAlg\mathsf{.Input}} -\newcommand{\NoteCommitOrchardOutput}{\NoteCommitOrchardAlg\mathsf{.Output}} -\newcommand{\ValueCommitAlg}{\mathsf{ValueCommit}} -\newcommand{\ValueCommit}[1]{\ValueCommitAlg_{#1}} 
-\newcommand{\ValueCommitTrapdoor}{\ValueCommitAlg\mathsf{.Trapdoor}} -\newcommand{\ValueCommitGenTrapdoor}{\ValueCommitAlg\mathsf{.GenTrapdoor}} -\newcommand{\ValueCommitInput}{\ValueCommitAlg\mathsf{.Input}} -\newcommand{\ValueCommitOutput}{\ValueCommitAlg\mathsf{.Output}} -\newcommand{\ValueCommitValueBase}{\mathcal{V}} -\newcommand{\ValueCommitRandBase}{\mathcal{R}} +\newcommand{\NoteCommitAlg}[1]{\mathsf{NoteCommit^{#1}}} +\newcommand{\NoteCommit}[2]{\NoteCommitAlg{#1}_{\vphantom{l}#2}} +\newcommand{\NoteCommitTrapdoor}[1]{\NoteCommitAlg{#1}\mathsf{.Trapdoor}} +\newcommand{\NoteCommitTrapdoorBytes}{\byteseq{32}} +\newcommand{\NoteCommitGenTrapdoor}[1]{\NoteCommitAlg{#1}\mathsf{.GenTrapdoor}} +\newcommand{\NoteCommitInput}[1]{\NoteCommitAlg{#1}\mathsf{.Input}} +\newcommand{\NoteCommitOutput}[1]{\NoteCommitAlg{#1}\mathsf{.Output}} +\newcommand{\ValueCommitAlg}[1]{\mathsf{ValueCommit^{#1}}} +\newcommand{\ValueCommit}[2]{\ValueCommitAlg{#1}_{#2}} +\newcommand{\ValueCommitTrapdoor}[1]{\ValueCommitAlg{#1}\mathsf{.Trapdoor}} +\newcommand{\ValueCommitGenTrapdoor}[1]{\ValueCommitAlg{#1}\mathsf{.GenTrapdoor}} +\newcommand{\ValueCommitInput}[1]{\ValueCommitAlg{#1}\mathsf{.Input}} +\newcommand{\ValueCommitOutput}[1]{\ValueCommitAlg{#1}\mathsf{.Output}} +\newcommand{\ValueCommitValueBase}[1]{\mathcal{V}^{#1}} +\newcommand{\ValueCommitRandBase}[1]{\mathcal{R}^{#1}} +\newcommand{\CommitIvkAlg}{\mathsf{Commit}^{\InViewingKey}} +\newcommand{\CommitIvk}[1]{\CommitIvkAlg_{#1}} +\newcommand{\CommitIvkTrapdoor}{\CommitIvkAlg\mathsf{.Trapdoor}} +\newcommand{\CommitIvkGenTrapdoor}{\CommitIvkAlg\mathsf{.GenTrapdoor}} +\newcommand{\CommitIvkInput}{\CommitIvkAlg\mathsf{.Input}} +\newcommand{\CommitIvkOutput}{\CommitIvkAlg\mathsf{.Output}} % Symmetric encryption 
@@ -1506,51 +1491,24 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg % Key agreement -\newcommand{\KA}{\mathsf{KA}} -\newcommand{\KAPublic}{\KA\mathsf{.Public}} -\newcommand{\KAPublicPrimeSubgroup}{\KA\mathsf{.PublicPrimeSubgroup}} -\newcommand{\KAPrivate}{\KA\mathsf{.Private}} -\newcommand{\KASharedSecret}{\KA\mathsf{.SharedSecret}} -\newcommand{\KAFormatPrivate}{\KA\mathsf{.FormatPrivate}} -\newcommand{\KADerivePublic}{\KA\mathsf{.DerivePublic}} -\newcommand{\KAAgree}{\KA\mathsf{.Agree}} -\newcommand{\KABase}{\KA\mathsf{.Base}} - -\newcommand{\KASprout}{\mathsf{\optSprout{KA}}} -\newcommand{\KASproutPublic}{\KASprout\mathsf{.Public}} -\newcommand{\KASproutPrivate}{\KASprout\mathsf{.Private}} -\newcommand{\KASproutSharedSecret}{\KASprout\mathsf{.SharedSecret}} -\newcommand{\KASproutFormatPrivate}{\KASprout\mathsf{.FormatPrivate}} -\newcommand{\KASproutDerivePublic}{\KASprout\mathsf{.DerivePublic}} -\newcommand{\KASproutAgree}{\KASprout\mathsf{.Agree}} -\newcommand{\KASproutBase}{\KASprout\mathsf{.Base}} +\newcommand{\KA}[1]{\mathsf{KA^{#1}}} +\newcommand{\KAPublic}[1]{\KA{#1}\mathsf{.Public}} +\newcommand{\KAPublicPrimeSubgroup}[1]{\KA{#1}\mathsf{.PublicPrimeSubgroup}} +\newcommand{\KAPrivate}[1]{\KA{#1}\mathsf{.Private}} +\newcommand{\KASharedSecret}[1]{\KA{#1}\mathsf{.SharedSecret}} +\newcommand{\KAFormatPrivate}[1]{\KA{#1}\mathsf{.FormatPrivate}} +\newcommand{\KADerivePublic}[1]{\KA{#1}\mathsf{.DerivePublic}} +\newcommand{\KAAgree}[1]{\KA{#1}\mathsf{.Agree}} +\newcommand{\KABase}[1]{\KA{#1}\mathsf{.Base}} \newcommand{\KASproutCurve}{\mathsf{Curve25519}} \newcommand{\KASproutCurveMultiply}{\mathsf{Curve25519}} \newcommand{\KASproutCurveBase}{\bytes{9}} \newcommand{\KASproutCurveClamp}{\mathsf{clamp_{Curve25519}}} -\newcommand{\KASapling}{\mathsf{KA^{Sapling}}} -\newcommand{\KASaplingPublic}{\KASapling\mathsf{.Public}} -\newcommand{\KASaplingPublicPrimeSubgroup}{\KASapling\mathsf{.PublicPrimeSubgroup}} 
-\newcommand{\KASaplingPrivate}{\KASapling\mathsf{.Private}} -\newcommand{\KASaplingSharedSecret}{\KASapling\mathsf{.SharedSecret}} -\newcommand{\KASaplingDerivePublic}{\KASapling\mathsf{.DerivePublic}} -\newcommand{\KASaplingAgree}{\KASapling\mathsf{.Agree}} - -\newcommand{\KAOrchard}{\mathsf{KA^{Orchard}}} -\newcommand{\KAOrchardPublic}{\KAOrchard\mathsf{.Public}} -\newcommand{\KAOrchardPrivate}{\KAOrchard\mathsf{.Private}} -\newcommand{\KAOrchardSharedSecret}{\KAOrchard\mathsf{.SharedSecret}} -\newcommand{\KAOrchardDerivePublic}{\KAOrchard\mathsf{.DerivePublic}} -\newcommand{\KAOrchardAgree}{\KAOrchard\mathsf{.Agree}} - % KDF -\newcommand{\KDF}{\mathsf{KDF}} -\newcommand{\KDFSprout}{\optSprout{\KDF}} -\newcommand{\KDFSapling}{\mathsf{KDF^{Sapling}}} -\newcommand{\KDFOrchard}{\mathsf{KDF^{Orchard}}} +\newcommand{\KDF}[1]{\mathsf{KDF^{#1}}} \newcommand{\kdftag}{\mathsf{kdftag}} \newcommand{\kdfinput}{\mathsf{kdfinput}} 
@@ -1559,18 +1517,19 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\Value}{\mathsf{v}} \newcommand{\ValueNew}[1]{\Value^\mathsf{new}_{#1}} \newcommand{\ValueOld}[1]{\Value^\mathsf{old}_{#1}} +\newcommand{\ValueNet}[1]{\Value^\mathsf{net}_{#1}} \newcommand{\ValueLength}{\ell_{\mathsf{value}}} \newcommand{\ValueType}{\binaryrange{\ValueLength}} +\newcommand{\SignedValueType}{\range{-2^{63}}{2^{63}-1}} \newcommand{\ValueCommitType}{\bigrange{-\SignedScalarLimitJ}{\SignedScalarLimitJ}} \newcommand{\ValueCommitRand}{\mathsf{rcv}} \newcommand{\ValueCommitRandRepr}{{\ValueCommitRand\Repr}} \newcommand{\ValueCommitRandLength}{\mathsf{\ell_{\ValueCommitRand}}} \newcommand{\ValueCommitRandOld}[1]{\ValueCommitRand^\mathsf{old}_{#1}} \newcommand{\ValueCommitRandNew}[1]{\ValueCommitRand^\mathsf{new}_{#1}} +\newcommand{\ValueCommitRandNet}[1]{\ValueCommitRand^\mathsf{net}_{#1}} \newcommand{\NoteTuple}[1]{\mathbf{n}_{#1}} -\newcommand{\NoteTypeSprout}{\optSprout{\mathsf{Note}}} -\newcommand{\NoteTypeSapling}{\mathsf{Note^{Sapling}}} -\newcommand{\NoteTypeOrchard}{\mathsf{Note^{Orchard}}} +\newcommand{\NoteType}[1]{\mathsf{Note^{#1}}} \newcommand{\NotePlaintext}[1]{\mathbf{np}_{#1}} \newcommand{\OutPlaintext}{\mathbf{op}} \newcommand{\NoteSeedBytes}{\mathsf{rseed}} @@ -1590,10 +1549,11 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\NoteAddressPreRand}{\mathsf{\upvarphi}} \newcommand{\NoteAddressPreRandLength}{\mathsf{\ell_{\NoteAddressPreRand}}} \newcommand{\NoteCommitS}{\mathsf{s}} +\newcommand{\CommitIvkRand}{\mathsf{rivk}} \newcommand{\cv}{\mathsf{cv}} \newcommand{\cvOld}[1]{\cv^\mathsf{old}_{#1}} \newcommand{\cvNew}[1]{\cv^\mathsf{new}_{#1}} -\newcommand{\cvBalance}[1]{\cv^\mathsf{balance}_{#1}} +\newcommand{\cvNet}[1]{\cv^\mathsf{net}_{#1}} \newcommand{\cm}{\mathsf{cm}} \newcommand{\cmU}{\cm_{\kern -0.06em u}} \newcommand{\cmX}{\cm_{\kern -0.06em x}} 
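Review bot: `\ValueCommitType` is left as `\bigrange{-\SignedScalarLimitJ}{\SignedScalarLimitJ}`, bound to the Jubjub scalar limit, while `\ValueCommitAlg`, `\ValueCommitValueBase` and `\ValueCommitRandBase` in the hunk at 1452 now take a protocol argument; an Orchard use of this type would still show the Jubjub bound. Parameterising it like its neighbours (`\newcommand{\ValueCommitType}[1]{…}` selecting the per-protocol scalar limit) looks like the consistent fix, though the Pallas counterpart of `\SignedScalarLimitJ` is not visible in this patch. Also, the added `\CommitIvkRand` expands to `\mathsf{rivk}`, identical to `\InViewingKeyRandom` in the hunk at 1309; one should be defined in terms of the other, or a comment should say which is canonical.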
@@ -1740,6 +1700,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\RedJubjub}{\mathsf{RedJubjub}} \newcommand{\RedJubjubText}{\texorpdfstring{$\RedJubjub$}{RedJubjub}} \newcommand{\RedJubjubHashName}{\BlakeTwob{512}} +\newcommand{\RedPallas}{\mathsf{RedPallas}} +\newcommand{\RedPallasText}{\texorpdfstring{$\RedPallas$}{RedPallas}} +\newcommand{\RedPallasHashName}{\BlakeTwob{512}} \newcommand{\EdSpecific}{\termsf{Ed25519}} \newcommand{\EdSpecificAlg}{\mathsf{Ed25519}} @@ -1764,6 +1727,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\abstBytesEdSpecific}{\abstBytes_{\GroupEdSpecific}} \newcommand{\ReprEdSpecificBytes}{\byteseq{32}} +\newcommand{\ECDSA}{\termsf{ECDSA}} + \newcommand{\JoinSplitSig}{\mathsf{JoinSplitSig}} \newcommand{\JoinSplitSigPublic}{\JoinSplitSig\mathsf{.Public}} \newcommand{\JoinSplitSigPrivate}{\JoinSplitSig\mathsf{.Private}} 
@@ -1774,33 +1739,31 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\JoinSplitSigSign}[1]{\JoinSplitSig\mathsf{.Sign}_{#1}} \newcommand{\JoinSplitSigValidate}[1]{\JoinSplitSig\mathsf{.Validate}_{#1}} -\newcommand{\SpendAuthSig}{\mathsf{SpendAuthSig}} -\newcommand{\SpendAuthSigPublic}{\SpendAuthSig\mathsf{.Public}} -\newcommand{\SpendAuthSigPrivate}{\SpendAuthSig\mathsf{.Private}} -\newcommand{\SpendAuthSigMessage}{\SpendAuthSig\mathsf{.Message}} -\newcommand{\SpendAuthSigSignature}{\SpendAuthSig\mathsf{.Signature}} -\newcommand{\SpendAuthSigGenPrivate}{\SpendAuthSig\mathsf{.GenPrivate}} -\newcommand{\SpendAuthSigDerivePublic}{\SpendAuthSig\mathsf{.DerivePublic}} -\newcommand{\SpendAuthSigSign}[1]{\SpendAuthSig\mathsf{.Sign}_{#1}} -\newcommand{\SpendAuthSigValidate}[1]{\SpendAuthSig\mathsf{.Validate}_{#1}} -\newcommand{\SpendAuthSigRandom}{\SpendAuthSig\mathsf{.Random}} -\newcommand{\SpendAuthSigGenRandom}{\SpendAuthSig\mathsf{.GenRandom}} -\newcommand{\SpendAuthSigRandomizePublic}{\SpendAuthSig\mathsf{.RandomizePublic}} -\newcommand{\SpendAuthSigRandomizePrivate}{\SpendAuthSig\mathsf{.RandomizePrivate}} -\newcommand{\SpendAuthSigRandomizerId}{\SpendAuthSig\mathsf{.Id}} +\newcommand{\SpendAuthSig}[1]{\mathsf{SpendAuthSig^{#1}}} +\newcommand{\SpendAuthSigPublic}[1]{\SpendAuthSig{#1}\mathsf{.Public}} +\newcommand{\SpendAuthSigPrivate}[1]{\SpendAuthSig{#1}\mathsf{.Private}} +\newcommand{\SpendAuthSigMessage}[1]{\SpendAuthSig{#1}\mathsf{.Message}} +\newcommand{\SpendAuthSigSignature}[1]{\SpendAuthSig{#1}\mathsf{.Signature}} +\newcommand{\SpendAuthSigGenPrivate}[1]{\SpendAuthSig{#1}\mathsf{.GenPrivate}} +\newcommand{\SpendAuthSigDerivePublic}[1]{\SpendAuthSig{#1}\mathsf{.DerivePublic}} +\newcommand{\SpendAuthSigSign}[2]{\SpendAuthSig{#1}\mathsf{.Sign}_{#2}} +\newcommand{\SpendAuthSigValidate}[2]{\SpendAuthSig{#1}\mathsf{.Validate}_{#2}} +\newcommand{\SpendAuthSigRandom}[1]{\SpendAuthSig{#1}\mathsf{.Random}} 
+\newcommand{\SpendAuthSigGenRandom}[1]{\SpendAuthSig{#1}\mathsf{.GenRandom}} +\newcommand{\SpendAuthSigRandomizePublic}[1]{\SpendAuthSig{#1}\mathsf{.RandomizePublic}} +\newcommand{\SpendAuthSigRandomizePrivate}[1]{\SpendAuthSig{#1}\mathsf{.RandomizePrivate}} +\newcommand{\SpendAuthSigRandomizerId}[1]{\SpendAuthSig{#1}\mathsf{.Id}} \newcommand{\SpendAuthSigRandomizer}{\alpha} -\newcommand{\SpendAuthSigSpecific}{\mathsf{RedJubjub}} -\newcommand{\BindingSig}{\mathsf{BindingSig}} -\newcommand{\BindingSigPublic}{\BindingSig\mathsf{.Public}} -\newcommand{\BindingSigPrivate}{\BindingSig\mathsf{.Private}} -\newcommand{\BindingSigMessage}{\BindingSig\mathsf{.Message}} -\newcommand{\BindingSigSignature}{\BindingSig\mathsf{.Signature}} -\newcommand{\BindingSigGenPrivate}{\BindingSig\mathsf{.GenPrivate}} -\newcommand{\BindingSigDerivePublic}{\BindingSig\mathsf{.DerivePublic}} -\newcommand{\BindingSigSign}[1]{\BindingSig\mathsf{.Sign}_{#1}} -\newcommand{\BindingSigValidate}[1]{\BindingSig\mathsf{.Validate}_{#1}} -\newcommand{\BindingSigSpecific}{\mathsf{RedJubjub}} +\newcommand{\BindingSig}[1]{\mathsf{BindingSig^{#1}}} +\newcommand{\BindingSigPublic}[1]{\BindingSig{#1}\mathsf{.Public}} +\newcommand{\BindingSigPrivate}[1]{\BindingSig{#1}\mathsf{.Private}} +\newcommand{\BindingSigMessage}[1]{\BindingSig{#1}\mathsf{.Message}} +\newcommand{\BindingSigSignature}[1]{\BindingSig{#1}\mathsf{.Signature}} +\newcommand{\BindingSigGenPrivate}[1]{\BindingSig{#1}\mathsf{.GenPrivate}} +\newcommand{\BindingSigDerivePublic}[1]{\BindingSig{#1}\mathsf{.DerivePublic}} +\newcommand{\BindingSigSign}[2]{\BindingSig{#1}\mathsf{.Sign}_{#2}} +\newcommand{\BindingSigValidate}[2]{\BindingSig{#1}\mathsf{.Validate}_{#2}} \newcommand{\BindingPublic}{\mathsf{bvk}} \newcommand{\BindingPrivate}{\mathsf{bsk}} 
@@ -1812,7 +1775,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\crhInput}{\mathsf{crhInput}} \newcommand{\ockInput}{\mathsf{ockInput}} \newcommand{\dataToBeSigned}{\mathsf{dataToBeSigned}} -\newcommand{\vBalance}{\mathsf{v^{balance}}} +\newcommand{\vBalance}[1]{\mathsf{v^{balance#1}}} \newcommand{\vBad}{\mathsf{v^{bad}}} \newcommand{\vSum}{\mathsf{v^{*}}} \newcommand{\OracleNewAddress}{\Oracle^{\mathsf{NewAddress}}} 
@@ -1820,29 +1783,13 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg % Merkle tree -\newcommand{\MerkleDepth}{\mathsf{MerkleDepth}} -\newcommand{\MerkleDepthSprout}{\optSprout{\MerkleDepth}} -\newcommand{\MerkleDepthSapling}{\MerkleDepth^\mathsf{Sapling}} -\newcommand{\MerkleDepthOrchard}{\MerkleDepth^\mathsf{Orchard}} -\newcommand{\MerkleDepthSproutOrSapling}{\MerkleDepth^\mathsf{Sprout\sapling{,Sapling}}} +\newcommand{\MerkleDepth}[1]{\mathsf{MerkleDepth^{#1}}} \newcommand{\MerkleNode}[2]{\mathsf{M}^{#1}_{#2}} \newcommand{\MerkleSibling}{\mathsf{sibling}} -\newcommand{\MerkleCRH}{\mathsf{MerkleCRH}} -\newcommand{\MerkleCRHSprout}{\optSprout{\MerkleCRH}} -\newcommand{\MerkleCRHSapling}{\MerkleCRH^\mathsf{Sapling}} -\newcommand{\MerkleCRHOrchard}{\MerkleCRH^\mathsf{Orchard}} -\newcommand{\MerkleHashLength}{\mathsf{\ell_{Merkle}}} -\newcommand{\MerkleHashLengthSprout}{\mathsf{\ell_{\sprout{Merkle}\notsprout{MerkleSprout}}}} -\newcommand{\MerkleHashLengthSapling}{\mathsf{\ell_{MerkleSapling}}} -\newcommand{\MerkleHashLengthOrchard}{\mathsf{\ell_{MerkleOrchard}}} -\newcommand{\MerkleHash}{\bitseq{\MerkleHashLength}} -\newcommand{\MerkleHashSprout}{\bitseq{\MerkleHashLengthSprout}} -\newcommand{\MerkleHashSapling}{\bitseq{\MerkleHashLengthSapling}} -\newcommand{\MerkleHashOrchard}{\bitseq{\MerkleHashLengthOrchard}} -\newcommand{\MerkleLayer}{\range{0}{\MerkleDepth-1}} -\newcommand{\MerkleLayerSprout}{\range{0}{\MerkleDepthSprout-1}} -\newcommand{\MerkleLayerSapling}{\range{0}{\MerkleDepthSapling-1}} -\newcommand{\MerkleLayerOrchard}{\range{0}{\MerkleDepthOrchard-1}} +\newcommand{\MerkleCRH}[1]{\mathsf{MerkleCRH^{#1}}} +\newcommand{\MerkleHashLength}[1]{\mathsf{\ell^{#1}_{Merkle}}} +\newcommand{\MerkleHash}[1]{\bitseq{\MerkleHashLength{#1}}} +\newcommand{\MerkleLayer}[1]{\range{0}{\MerkleDepth{#1}-1}} % Transactions 
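Review bot: `\MerkleDepthSproutOrSapling` is removed without a replacement, while every other removed name in this hunk maps one-to-one onto the new `[1]` macros. The new `\MerkleDepth` accepts arbitrary content, so `\MerkleDepth{Sprout\sapling{,Sapling}}` reproduces the old output at its call sites, but those are outside the patch and this is WIP, so it is worth confirming none remain. Note also that `\MerkleHashLength{Sapling}` now typesets as `\ell^{Sapling}_{Merkle}` where the old macro gave `\ell_{MerkleSapling}`; a comment like `% Merkle macros: the argument is the protocol name, rendered as a superscript` would record the new convention.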
@@ -1856,11 +1803,13 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\txOut}{\mathtt{tx\_out}} \newcommand{\lockTime}{\mathtt{lock\_time}} \newcommand{\nExpiryHeight}{\mathtt{nExpiryHeight}} -\newcommand{\valueBalance}{\mathtt{valueBalance}} +\newcommand{\valueBalance}[1]{\mathtt{valueBalance#1}} \newcommand{\nShieldedSpend}{\mathtt{nShieldedSpend}} \newcommand{\vShieldedSpend}{\mathtt{vShieldedSpend}} \newcommand{\nShieldedOutput}{\mathtt{nShieldedOutput}} \newcommand{\vShieldedOutput}{\mathtt{vShieldedOutput}} +\newcommand{\nShieldedAction}{\mathtt{nShieldedAction}} +\newcommand{\vShieldedAction}{\mathtt{vShieldedAction}} \newcommand{\nJoinSplit}{\mathtt{nJoinSplit}} \newcommand{\vJoinSplit}{\mathtt{vJoinSplit}} \newcommand{\vpubOldField}{\mathtt{vpub\_old}} @@ -1869,12 +1818,13 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\joinSplitSig}{\mathtt{joinSplitSig}} \newcommand{\joinSplitPrivKey}{\mathtt{joinSplitPrivKey}} \newcommand{\joinSplitPubKey}{\mathtt{joinSplitPubKey}} -\newcommand{\bindingSig}{\mathtt{bindingSig}} +\newcommand{\bindingSig}[1]{\mathtt{bindingSig#1}} \newcommand{\nullifierField}{\mathtt{nullifier}} \newcommand{\nullifiersField}{\mathtt{nullifiers}} \newcommand{\rkField}{\mathtt{rk}} \newcommand{\cvField}{\mathtt{cv}} \newcommand{\cmuField}{\mathtt{cmu}} +\newcommand{\cmxField}{\mathtt{cmx}} \newcommand{\commitmentsField}{\mathtt{commitments}} \newcommand{\ephemeralKey}{\mathtt{ephemeralKey}} \newcommand{\encCiphertext}{\mathtt{encCiphertext}} 
@@ -1988,6 +1938,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\nNew}[1]{\NoteTuple{#1}^\mathsf{new}} \newcommand{\vOld}[1]{\mathsf{v}_{#1}^\mathsf{old}} \newcommand{\vNew}[1]{\mathsf{v}_{#1}^\mathsf{new}} +\newcommand{\vNet}[1]{\mathsf{v}_{#1}^\mathsf{net}} \newcommand{\RandomSeed}{\mathsf{randomSeed}} \newcommand{\rt}{\mathsf{rt}} \newcommand{\TreePath}[1]{\mathsf{path}_{#1}} @@ -2085,7 +2036,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\ReprJ}{\bitseq{\ellJ}} \newcommand{\ReprJBytes}{\byteseq{\ellJ/8}} \newcommand{\reprJ}{\repr_{\GroupJ}} +\newcommand{\reprMaybeJ}{\notorchard{\repr_{\GroupJ}}\orchard{\repr}} \newcommand{\abstJ}{\abst_{\GroupJ}} +\newcommand{\abstMaybeJ}{\notorchard{\abst_{\GroupJ}}\orchard{\abst}} \newcommand{\SignedScalarLimitJ}{\frac{\ParamJ{r}-1}{2}} \newcommand{\ExtractJ}{\Extract_{\SubgroupJ}} @@ -2151,6 +2104,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\ExtractV}{\Extract_{\GroupVstar}} \newcommand{\GroupVHash}[1]{\GroupHash^{\GroupVstar}_{#1}} \newcommand{\GroupVHashInput}{\GroupVHash{}\mathsf{.Input}} +\newcommand{\GroupVHashURSType}{\GroupVHash{}\mathsf{.URSType}} \newcommand{\ctEdwards}[1]{E_{\kern 0.03em\mathsf{ctEdwards}({#1})}} \newcommand{\Edwards}[1]{E_{\kern 0.03em\mathsf{Edwards}({#1})}} % only in history 
@@ -2206,8 +2160,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\AffineSWVesta}{\mathsf{AffineSWVesta}} \newcommand{\CompressedSWVesta}{\mathsf{CompressedSWVesta}} \newcommand{\PedersenHash}{\mathsf{PedersenHash}} -\newcommand{\PedersenGenAlg}{\mathcal{I}} -\newcommand{\PedersenGen}[2]{\PedersenGenAlg^{\kern -0.05em{#1}}_{\kern 0.1em {#2}}} +\newcommand{\PedersenGenAlg}[1]{\mathcal{I}^{\kern -0.05em\mathsf{#1}}} +\newcommand{\PedersenGen}[2]{\PedersenGenAlg{#1}_{\kern 0.1em {#2}}} \newcommand{\PedersenEncode}[1]{\langle{#1}\rangle} \newcommand{\PedersenEncodeSub}[2]{\langle{#2}\rangle_{\kern -0.1em {#1}\vphantom{S'}}} \newcommand{\PedersenEncodeNonneg}[1]{\langle{#1}\rangle^{\kern -0.1em\PedersenRangeOffset}} 
@@ -2821,13 +2775,13 @@ decryption or validity check. The following integer constants will be instantiated in \crossref{constants}: \begin{formulae} \item \begin{flushleft} - $\MerkleDepthSprout$,\sapling{ $\MerkleDepthSapling$,}\orchard{ $\MerkleDepthOrchard$,} $\NOld$, $\NNew$, - $\ValueLength$, $\MerkleHashLengthSprout$,\sapling{ $\MerkleHashLengthSapling$,}\orchard{ $\MerkleHashLengthOrchard$,} + $\MerkleDepth{Sprout}$,\sapling{ $\MerkleDepth{Sapling}$,}\orchard{ $\MerkleDepth{Orchard}$,} $\NOld$, $\NNew$, + $\ValueLength$, $\MerkleHashLength{Sprout}$,\sapling{ $\MerkleHashLength{Sapling}$,}\orchard{ $\MerkleHashLength{Orchard}$,} $\hSigLength$, $\PRFOutputLengthSprout$,\sapling{ $\PRFOutputLengthExpand$, $\PRFOutputLengthNfSapling$,} $\NoteCommitRandLength$, \changed{$\RandomSeedLength$,} $\AuthPrivateLength$, \changed{$\NoteAddressPreRandLength$,}\sapling{ $\SpendingKeyLength$, $\DiversifierLength$, - $\InViewingKeyLengthSapling$,\orchard{ $\InViewingKeyLengthOrchard$,} $\OutViewingKeyLength$, - $\ScalarLengthSapling$,\orchard{ $\ScalarLengthOrchard$,}} + $\InViewingKeyLength{Sapling}$,\orchard{ $\InViewingKeyLength{Orchard}$,} $\OutViewingKeyLength$, + $\ScalarLength{Sapling}$,\orchard{ $\ScalarLength{Orchard}$,}} $\MAXMONEY$,\blossom{ $\BlossomActivationHeight$,}\canopy{ $\CanopyActivationHeight$, $\ZIPTwoOneTwoGracePeriod$} $\SlowStartInterval$, $\PreBlossomHalvingInterval$, $\MaxBlockSubsidy$, $\NumFounderAddresses$, $\PoWLimit$, $\PoWAveragingWindow$, $\PoWMedianBlockSpan$, $\PoWDampingFactor$, 
@@ -2835,10 +2789,10 @@ The following integer constants will be instantiated in \crossref{constants}: \end{flushleft} \end{formulae} -\sprout{The bit sequence constant $\UncommittedSprout \typecolon \bitseq{\MerkleHashLengthSprout}$,} -\notsprout{The bit sequence constants $\UncommittedSprout \typecolon \bitseq{\MerkleHashLengthSprout}$, -\sapling{$\UncommittedSapling \typecolon \bitseq{\MerkleHashLengthSapling}$,} -\orchard{and $\UncommittedOrchard \typecolon$ $\bitseq{\MerkleHashLengthOrchard}$,} +\sprout{The bit sequence constant $\Uncommitted{Sprout} \typecolon \bitseq{\MerkleHashLength{Sprout}}$,} +\notsprout{The bit sequence constants $\Uncommitted{Sprout} \typecolon \bitseq{\MerkleHashLength{Sprout}}$, +\sapling{$\Uncommitted{Sapling} \typecolon \bitseq{\MerkleHashLength{Sapling}}$,} +\orchard{and $\Uncommitted{Orchard} \typecolon$ $\bitseq{\MerkleHashLength{Orchard}}$,} and the rational constants $\FoundersFraction$, $\PoWMaxAdjustDown$, and $\PoWMaxAdjustUp$ will also be defined in that section. 
@@ -2961,18 +2915,18 @@ Let \sprout{$\MAXMONEY$ and $\PRFOutputLengthSprout$} \notsprout{$\MAXMONEY$, $\PRFOutputLengthSprout$\sapling{, $\PRFOutputLengthNfSapling$, and $\DiversifierLength$}} be as defined in \crossref{constants}. -Let $\NoteCommitSproutAlg$ be as defined in \crossref{concretesproutnotecommit}. +Let $\NoteCommitAlg{Sprout}$ be as defined in \crossref{concretesproutnotecommit}. \sapling{ -Let $\NoteCommitSaplingAlg$ be as defined in \crossref{concretesaplingnotecommit}. +Let $\NoteCommitAlg{Sapling}$ be as defined in \crossref{concretesaplingnotecommit}. -Let $\KASapling$ be as defined in \crossref{concretesaplingkeyagreement}. +Let $\KA{Sapling}$ be as defined in \crossref{concretesaplingkeyagreement}. } %sapling \orchard{ -Let $\NoteCommitOrchardAlg$ be as defined in \crossref{concreteorchardnotecommit}. +Let $\NoteCommitAlg{Orchard}$ be as defined in \crossref{concreteorchardnotecommit}. -Let $\KAOrchard$ be as defined in \crossref{concreteorchardkeyagreement}. +Let $\KA{Orchard}$ be as defined in \crossref{concreteorchardkeyagreement}. } %orchard \vspace{2ex} 
@@ -2988,15 +2942,15 @@ A \SproutOrNothing{} \note is a tuple $\changed{(\AuthPublic, \item $\NoteAddressRand \typecolon \PRFOutputSprout$ is used as input to $\PRFnf{\AuthPrivate}$ to derive the \nullifier of the \note; - \item $\NoteCommitRand \typecolon \NoteCommitSproutTrapdoor$ + \item $\NoteCommitRand \typecolon \NoteCommitTrapdoor{Sprout}$ is a random \commitmentTrapdoor as defined in \crossref{abstractcommit}. \end{itemize} \introlist -Let $\NoteTypeSprout$ be the type of a \SproutOrNothing{} \note, i.e. +Let $\NoteType{Sprout}$ be the type of a \SproutOrNothing{} \note, i.e. \begin{formulae} - \item $\NoteTypeSprout := \changed{\PRFOutputSprout \times \range{0}{\MAXMONEY} \times \PRFOutputSprout - \times \NoteCommitSproutTrapdoor}$. + \item $\NoteType{Sprout} := \changed{\PRFOutputSprout \times \range{0}{\MAXMONEY} \times \PRFOutputSprout + \times \NoteCommitTrapdoor{Sprout}}$. \end{formulae} \sapling{ 
@@ -3007,19 +2961,19 @@ A \Sapling{} \note is a tuple $(\Diversifier, \DiversifiedTransmitPublic, \begin{itemize} \item $\Diversifier \typecolon \DiversifierType$ is the \diversifier of the recipient's \paymentAddress; - \item $\DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeSubgroup$ + \item $\DiversifiedTransmitPublic \typecolon \KAPublicPrimeSubgroup{Sapling}$ is the \diversifiedTransmissionKey of the recipient's \paymentAddress; \item $\Value \typecolon \range{0}{\MAXMONEY}$ is an integer representing the value of the \note in \zatoshi; - \item $\NoteCommitRand \typecolon \NoteCommitSaplingTrapdoor$ + \item $\NoteCommitRand \typecolon \NoteCommitTrapdoor{Sapling}$ is a random \commitmentTrapdoor as defined in \crossref{abstractcommit}. \end{itemize} \introlist -Let $\NoteTypeSapling$ be the type of a \Sapling{} \note, i.e. +Let $\NoteType{Sapling}$ be the type of a \Sapling{} \note, i.e. \begin{formulae} - \item $\NoteTypeSapling := \DiversifierType \times \KASaplingPublicPrimeSubgroup \times \range{0}{\MAXMONEY} - \times \NoteCommitSaplingTrapdoor$. + \item $\NoteType{Sapling} := \DiversifierType \times \KAPublicPrimeSubgroup{Sapling} \times \range{0}{\MAXMONEY} + \times \NoteCommitTrapdoor{Sapling}$. \end{formulae} } %sapling 
@@ -3031,20 +2985,20 @@ An \Orchard{} \note is a tuple $(\Diversifier, \DiversifiedTransmitPublic, \begin{itemize} \item $\Diversifier \typecolon \DiversifierType$ is the \diversifier of the recipient's \paymentAddress; - \item $\DiversifiedTransmitPublic \typecolon \KAOrchardPublic$ + \item $\DiversifiedTransmitPublic \typecolon \KAPublic{Orchard}$ is the \diversifiedTransmissionKey of the recipient's \paymentAddress; \item $\Value \typecolon \range{0}{\MAXMONEY}$ is an integer representing the value of the \note in \zatoshi; - \item $\NoteCommitRand \typecolon \NoteCommitOrchardTrapdoor$ + \item $\NoteCommitRand \typecolon \NoteCommitTrapdoor{Orchard}$ is a random \commitmentTrapdoor as defined in \crossref{abstractcommit}. \item \todo{other fields} \end{itemize} \introlist -Let $\NoteTypeOrchard$ be the type of an \Orchard{} \note, i.e. +Let $\NoteType{Orchard}$ be the type of an \Orchard{} \note, i.e. \begin{formulae} - \item $\NoteTypeOrchard := \DiversifierType \times \KAOrchardPublic \times \range{0}{\MAXMONEY} - \times \NoteCommitOrchardTrapdoor \times \todo{...}$. + \item $\NoteType{Orchard} := \DiversifierType \times \KAPublic{Orchard} \times \range{0}{\MAXMONEY} + \times \NoteCommitTrapdoor{Orchard} \times \todo{...}$. \end{formulae} } %orchard 
@@ -3061,32 +3015,32 @@ A \SproutOrNothing{} \defining{\noteCommitment} on a \note $\NoteTuple{} = \changed{(\AuthPublic, \Value, \NoteAddressRand, \NoteCommitRand)}$ is computed as \begin{formulae} - \item $\NoteCommitmentSprout(\NoteTuple{}) = - \NoteCommitSprout{\NoteCommitRand}(\AuthPublic, \Value, \NoteAddressRand)$, + \item $\NoteCommitment{Sprout}(\NoteTuple{}) = + \NoteCommit{Sprout}{\NoteCommitRand}(\AuthPublic, \Value, \NoteAddressRand)$, \end{formulae} \vspace{-1.5ex} -where $\NoteCommitSprout{}$ is instantiated in \crossref{concretesproutnotecommit}. +where $\NoteCommit{Sprout}{}$ is instantiated in \crossref{concretesproutnotecommit}. \sapling{ \vspace{2ex} \introlist -Let $\DiversifyHashSapling$ be as defined in \crossref{concretediversifyhash}. +Let $\DiversifyHash{Sapling}$ be as defined in \crossref{concretediversifyhash}. A \Sapling{} \defining{\noteCommitment} on a \note $\NoteTuple{} = (\Diversifier, \DiversifiedTransmitPublic, \Value, \NoteCommitRand)$ is computed as \begin{formulae} - \item $\DiversifiedTransmitBase := \DiversifyHashSapling(\Diversifier)$ + \item $\DiversifiedTransmitBase := \DiversifyHash{Sapling}(\Diversifier)$ \vspace{-1ex} - \item $\NoteCommitmentSapling(\NoteTuple{}) := \begin{cases} + \item $\NoteCommitment{Sapling}(\NoteTuple{}) := \begin{cases} \bot, &\caseif \DiversifiedTransmitBase = \bot \\ - \NoteCommitSapling{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase}, - \reprJ\Of{\DiversifiedTransmitPublic}, - \Value), &\caseotherwise. + \NoteCommit{Sapling}{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase}, + \reprJ\Of{\DiversifiedTransmitPublic}, + \Value), &\caseotherwise. \end{cases}$ \end{formulae} \vspace{-1.5ex} -where $\NoteCommitSapling{}$ is instantiated in \crossref{concretewindowedcommit}. +where $\NoteCommitAlg{Sapling}$ is instantiated in \crossref{concretewindowedcommit}. Notice that the above definition of a \Sapling{} \note does not have a $\NoteAddressRand$ field. 
There is in fact a $\NoteAddressRand$ value associated @@ -3102,24 +3056,24 @@ $\NoteAddressRand$ as described in \crossref{commitmentsandnullifiers}. \orchard{ \vspace{2ex} \introlist -Let $\DiversifyHashOrchard$ be as defined in \crossref{concretediversifyhash}. +Let $\DiversifyHash{Orchard}$ be as defined in \crossref{concretediversifyhash}. An \Orchard{} \defining{\noteCommitment} on a \note $\NoteTuple{} = (\Diversifier, \DiversifiedTransmitPublic, \Value, \NoteCommitRand, \todo{...})$ is computed as \begin{formulae} - \item $\DiversifiedTransmitBase := \DiversifyHashOrchard(\Diversifier)$ + \item $\DiversifiedTransmitBase := \DiversifyHash{Orchard}(\Diversifier)$ \vspace{-1ex} - \item $\NoteCommitmentOrchard(\NoteTuple{}) := \begin{cases} + \item $\NoteCommitment{Orchard}(\NoteTuple{}) := \begin{cases} \bot, &\caseif \DiversifiedTransmitBase = \bot \\ - \NoteCommitOrchard{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase}, + \NoteCommit{Orchard}{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase}, \reprJ\Of{\DiversifiedTransmitPublic}, \Value), &\caseotherwise. \end{cases}$ \end{formulae} \vspace{-1.5ex} -where $\NoteCommitOrchard{}$ is instantiated in \crossref{concretesinsemillacommit}. +where $\NoteCommitAlg{Orchard}$ is instantiated in \crossref{concretesinsemillacommit}. Unlike in \Sapling, the definition of an \Orchard{} \note includes the $\NoteAddressRand$ field; the \note's position in the \noteCommitmentTree does @@ -3169,7 +3123,7 @@ Each \SproutOrNothing{} \defining{\notePlaintext} (denoted $\NotePlaintext{}$) c \begin{formulae} \item $(\changed{\NotePlaintextLeadByte \typecolon \byte,\ } \Value \typecolon \ValueType, \NoteAddressRand \typecolon \PRFOutputSprout, - \NoteCommitRand \typecolon \NoteCommitSproutTrapdoor\changed{, \Memo \typecolon \MemoType})$. + \NoteCommitRand \typecolon \NoteCommitTrapdoor{Sprout}\changed{, \Memo \typecolon \MemoType})$. \end{formulae} \saplingonward{ 
@@ -3344,7 +3298,7 @@ it is not known where it will eventually appear in a mined \block. Therefore the separate \spendTransfer for each \shieldedInput, and a separate \outputTransfer for each \shieldedOutput.} -\defining{\spendDescriptions and \outputDescriptions} are data included in a transaction +\defining{\spendDescriptions and \outputDescriptions} are data included in a \transaction that describe \spendTransfers and \outputTransfers, respectively. A \spendTransfer spends a \note $\nOld{}$. Its \spendDescription includes a @@ -3368,7 +3322,7 @@ Subtraction works similarly. Therefore, balance can be enforced by adding all of the \defining{\valueCommitments} for \shieldedInputs, subtracting all of the \valueCommitments for \shieldedOutputs, -and proving by use of a \bindingSignature (as described in \crossref{bindingsig}) +and proving by use of a \saplingBindingSignature (as described in \crossref{saplingbalance}) that the result commits to a value consistent with the net \transparent value change. This approach allows all of the \zkSNARK \statements to be independent of each other, potentially increasing opportunities for precomputation. 
@@ -3387,13 +3341,59 @@ for the whole \transaction to balance. } \begin{consensusrules} - \item The \transaction{} \MUST balance as specified in \crossref{saplingbalance}. + \item The \spendTransfers and \outputTransfers of the \transaction{} \MUST balance as + specified in \crossref{saplingbalance}. \item The \anchor of each \spendDescription{} \MUST refer to some earlier \block's final \Sapling{} \treestate. \end{consensusrules} } %sapling +\orchard{ +\lsubsection{Action Transfers and their Descriptions}{actions} + +\Orchard introduces \defining{\actionTransfers}, each of which can optionally perform +a spend, and optionally perform an output. + +\defining{\actionDescriptions} are data included in a \transaction that describe +\actionTransfers. + +An \actionTransfer spends a \note $\nOld{}$, and creates a \note $\nNew{}$. Its +\actionDescription includes a \defining{\xPedersenValueCommitment} to the net value, +i.e.\ the value of the spent \note minus the value of the created \note. +It is associated with an instance of an \actionStatement (\crossref{actionstatement}) +for which it provides a \zkSNARKProof. + +Each version 5 \transaction has a sequence of \actionDescriptions. Version 4 \transactions +cannot contain \actionDescriptions. + +As in \Sapling, we use the homomorphic property of \xPedersenCommitments to enforce +balance: we add all of the \defining{\valueCommitments} and prove by use of an +\orchardBindingSignature (as described in \crossref{orchardbalance}) +that the result commits to a value consistent with the net \transparent value change. +This approach allows all of the \zkSNARK \statements to be independent of +each other, potentially increasing opportunities for precomputation. + +The fields of an \actionDescription are essentially a merger of the fields of a +\spendDescription and an \outputDescription, but with only a single \valueCommitment +and a signle \zkSNARKProof. 
+ +\vspace{-1ex} +\nnote{ +As with \Sapling, interstitial \treestates are not necessary for \Orchard, because an +\actionTransfer in a given \transaction cannot spend any of the \shieldedOutputs of +the same \transaction. +} + +\begin{consensusrules} + \item The \actionTransfers of the \transaction{} \MUST balance as specified in + \crossref{orchardbalance}. + \item The \anchor of each \actionDescription{} \MUST refer to some earlier \block's + final \Orchard{} \treestate. +\end{consensusrules} +} %orchard + + \lsubsection{Note Commitment Trees}{merkletree} \vspace{-2ex} 
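Review bot: `and a signle \zkSNARKProof.` in the last paragraph of the new Action Transfers subsection misspells "single"; it should read `and a single \zkSNARKProof.` The subsection also opens by saying an \actionTransfer "can optionally perform a spend, and optionally perform an output", yet two paragraphs later states unconditionally that it "spends a \note $\nOld{}$, and creates a \note $\nNew{}$"; the two statements should be reconciled, for example by saying how an absent spend or output is represented in the \actionDescription. The `\nnote{}` and consensus rules at the end of the hunk read consistently with the Sapling text they mirror.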
@@ -3413,28 +3413,29 @@ A \defining{\merkleRoot} of a \noteCommitmentTree is associated with each \trees (\crossref{transactions}). Each \defining{\merkleNode} in the \incrementalMerkleTree is associated with a -\defining{\merkleHash} of size $\MerkleHashLengthSprout$ \sapling{ or $\MerkleHashLengthSapling$} bits. +\defining{\merkleHash} of size $\MerkleHashLength{Sprout}$ \sapling{ or $\MerkleHashLength{Sapling}$} bits. The \defining{\merkleLayer} numbered $h$, counting from \merkleLayer $0$ at the \merkleRoot, has $2^h$ \merkleNodes with \defining{\merkleIndices} $0$ to $2^h-1$ inclusive. The \defining{\merkleHash} associated with the \merkleNode at \merkleIndex $i$ in \merkleLayer $h$ is denoted $\MerkleNode{h}{i}$. The \merkleIndex of a \notesCommitment at the leafmost layer -($\MerkleDepthSproutOrSapling$) is called its \defining{\notePosition}. +($\MerkleDepth{Sprout}OrSapling$) is called its \defining{\notePosition}. \lsubsection{Nullifier Sets}{nullifierset} -Each \fullValidator maintains a \defining{\nullifierSet} logically associated with each \treestate. -As valid \transactions containing \joinSplitTransfers \sapling{ or \spendTransfers} are -processed, the \defining{\nullifiers} revealed in \joinSplitDescriptions \sapling{ and \spendDescriptions} -are inserted into the \nullifierSet associated with the new \treestate. -\xNullifiers are enforced to be unique within a \validBlockChain, in order to -prevent double-spends. +Each \fullValidator maintains a \defining{\nullifierSet} logically associated with +each \treestate. As valid \transactions containing \joinSplitTransfers\sapling{ or +\spendTransfers}\orchard{ or \actionTransfers} are processed, the \defining{\nullifiers} +revealed in \joinSplitDescriptions\sapling{ and \spendDescriptions}\orchard{ and +\actionDescriptions} are inserted into the \nullifierSet associated with the new \treestate. +\xNullifiers are enforced to be unique within a \validBlockChain, in order to prevent +double-spends. 
\consensusrule{ -A \nullifier{} \MUSTNOT repeat either within a \transaction, or across -\transactions in a \validBlockChain. \sapling{\Sprout and \Sapling{} \nullifiers are +A \nullifier{} \MUSTNOT repeat either within a \transaction, or across \transactions +in a \validBlockChain. \sapling{\Sprout and \SaplingAndOrchard{} \nullifiers are considered disjoint, even if they have the same bit pattern.} } @@ -3507,8 +3508,8 @@ Other networks using variants of the \Zcash protocol may exist, but are not desc \lsubsubsection{Hash Functions}{abstracthashes} -Let $\MerkleDepthSprout$, $\MerkleHashLengthSprout$, -\sapling{$\MerkleDepthSapling$, $\MerkleHashLengthSapling$, $\InViewingKeyLengthSapling$, $\DiversifierLength$,} +Let $\MerkleDepth{Sprout}$, $\MerkleHashLength{Sprout}$, +\sapling{$\MerkleDepth{Sapling}$, $\MerkleHashLength{Sapling}$, $\InViewingKeyLength{Sapling}$, $\DiversifierLength$,} $\RandomSeedLength$, $\PRFOutputLengthSprout$, $\hSigLength$, and $\NOld$ be as defined in \crossref{constants}. \sapling{ 
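Review bot: `($\MerkleDepth{Sprout}OrSapling$)` in the \notePosition sentence is a broken rename: the old macro `\MerkleDepthSproutOrSapling` was replaced by `\MerkleDepth{Sprout}` with the literal suffix `OrSapling` left behind in math mode, which will typeset as a run of italic letters (or fail if `\MerkleDepth` does not accept that argument). It should use whatever the parameterised form of the Sprout-or-Sapling depth is meant to be, or keep the original macro until one exists. Separately, the \merkleHash sentence in the same hunk still lists only the Sprout and Sapling hash lengths while the rewritten \nullifierSet paragraph now covers \actionTransfers; an `\orchard{ or $\MerkleHashLength{Orchard}$}` clause would keep the two in step, since that constant is declared in the constants hunk earlier in this patch.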
@@ -3516,20 +3517,20 @@ Let $\GroupJ$, $\SubgroupJ$, $\SubgroupJstar$, $\ParamJ{r}$, and $\ellJ$ be as d } %sapling \sprout{ -$\MerkleCRH \typecolon \MerkleHashSprout \times \MerkleHashSprout \rightarrow \MerkleHashSprout$ +$\MerkleCRH \typecolon \MerkleHash{Sprout} \times \MerkleHash{Sprout} \rightarrow \MerkleHash{Sprout}$ is a \collisionResistant \hashFunction used in \crossref{merklepath}. It is instantiated in \crossref{merklecrh}. } %sprout \notsprout{ -The functions $\MerkleCRHSprout \typecolon \MerkleLayerSprout \times \MerkleHashSprout \times \MerkleHashSprout -\rightarrow \MerkleHashSprout$ +The functions $\MerkleCRH{Sprout} \typecolon \MerkleLayer{Sprout} \times \MerkleHash{Sprout} \times \MerkleHash{Sprout} +\rightarrow \MerkleHash{Sprout}$ \sapling{and (for \Sapling), -$\MerkleCRHSapling \typecolon \MerkleLayerSapling \times \MerkleHashSapling \times \MerkleHashSapling -\rightarrow \MerkleHashSapling$ +$\MerkleCRH{Sapling} \typecolon \MerkleLayer{Sapling} \times \MerkleHash{Sapling} \times \MerkleHash{Sapling} +\rightarrow \MerkleHash{Sapling}$ } are \hashFunctions used in \crossref{merklepath}. -\sapling{$\MerkleCRHSapling$ is \collisionResistant on all its arguments, and} -$\MerkleCRHSprout$ is \collisionResistant except on its first argument. +\sapling{$\MerkleCRH{Sapling}$ is \collisionResistant on all its arguments, and} +$\MerkleCRH{Sprout}$ is \collisionResistant except on its first argument. Both of these functions are instantiated in \crossref{merklecrh}. } %notsprout @@ -3547,7 +3548,7 @@ It is instantiated in \crossref{equihashgen}. } \sapling{ -$\CRHivk \typecolon \ReprJ \times \ReprJ \rightarrow \InViewingKeyTypeSapling$ +$\CRHivk \typecolon \ReprJ \times \ReprJ \rightarrow \InViewingKeyType{Sapling}$ is a \collisionResistant \hashFunction used in \crossref{saplingkeycomponents} to derive an \incomingViewingKey for a \Sapling{} \paymentAddress. It is also used in the \spendStatement (\crossref{spendstatement}) to confirm use of the correct 
@@ -3559,14 +3560,14 @@ to derive the unique $\NoteAddressRand$ value for a \Sapling{} \note. It is also in the \spendStatement to confirm use of the correct $\NoteAddressRand$ value as an input to \nullifier derivation. It is instantiated in \crossref{concretemixinghash}. -$\DiversifyHashSapling \typecolon \DiversifierType \rightarrow \SubgroupJstar$ is a \hashFunction +$\DiversifyHash{Sapling} \typecolon \DiversifierType \rightarrow \SubgroupJstar$ is a \hashFunction instantiated in \crossref{concretediversifyhash}, and satisfying the Unlinkability security property described in that section. It is used to derive a \diversifiedBase from a \diversifier in \crossref{saplingkeycomponents}. } %sapling \orchard{ -$\DiversifyHashOrchard \typecolon \DiversifierType \rightarrow \GroupPstar$ is a \hashFunction +$\DiversifyHash{Orchard} \typecolon \DiversifierType \rightarrow \GroupPstar$ is a \hashFunction instantiated in \crossref{concretediversifyhash}, and satisfying the Unlinkability security property described in that section. It is used to derive a \diversifiedBase from a \diversifier in \crossref{orchardkeycomponents}. 
@@ -3669,27 +3670,27 @@ may make many adaptive chosen ciphertext queries for a given key. A \defining{\keyAgreementScheme} is a cryptographic protocol in which two parties agree a shared secret, each using their \defining{\privateKey} and the other party's \publicKey. -A \keyAgreementScheme $\KA$ defines a type of \publicKeys $\KAPublic$, a type -of \privateKeys $\KAPrivate$, and a type of shared secrets $\KASharedSecret$. -\sapling{Optionally, it also defines a type $\KAPublicPrimeSubgroup \subseteq \KAPublic$.} +A \keyAgreementScheme $\KA{}$ defines a type of \publicKeys $\KAPublic{}$, a type +of \privateKeys $\KAPrivate{}$, and a type of shared secrets $\KASharedSecret{}$. +\sapling{Optionally, it also defines a type $\KAPublicPrimeSubgroup{} \subseteq \KAPublic{}$.} -\sapling{Optional:} Let $\KAFormatPrivate \typecolon \PRFOutputSprout \rightarrow \KAPrivate$ -be a function to convert a bit string of length $\PRFOutputLengthSprout$ to a $\KA$ \privateKey. +\sapling{Optional:} Let $\KAFormatPrivate{} \typecolon \PRFOutputSprout \rightarrow \KAPrivate{}$ +be a function to convert a bit string of length $\PRFOutputLengthSprout$ to a $\KA{}$ \privateKey. -Let $\KADerivePublic \typecolon \KAPrivate \times \KAPublic \rightarrow \KAPublic$ -be a function that derives the $\KA$ \publicKey corresponding to a given $\KA$ +Let $\KADerivePublic{} \typecolon \KAPrivate{} \times \KAPublic{} \rightarrow \KAPublic{}$ +be a function that derives the $\KA{}$ \publicKey corresponding to a given $\KA{}$ \privateKey and base point. -Let $\KAAgree \typecolon \KAPrivate \times \KAPublic \rightarrow \KASharedSecret$ +Let $\KAAgree{} \typecolon \KAPrivate{} \times \KAPublic{} \rightarrow \KASharedSecret{}$ be the agreement function. -\sapling{Optional:} Let $\KABase \typecolon \KAPublic$ be a public base point. +\sapling{Optional:} Let $\KABase{} \typecolon \KAPublic{}$ be a public base point. 
-\pnote{The range of $\KADerivePublic$ may be a strict subset of $\KAPublic$.} +\pnote{The range of $\KADerivePublic{}$ may be a strict subset of $\KAPublic{}$.} \begin{securityrequirements} - \item $\KAFormatPrivate$ must preserve sufficient entropy from its input to be used - as a secure $\KA$ \privateKey. + \item $\KAFormatPrivate{}$ must preserve sufficient entropy from its input to be used + as a secure $\KA{}$ \privateKey. \item The key agreement and the KDF defined in the next section must together satisfy a suitable adaptive security assumption along the lines of \cite[section 3]{Bernstein2006} or \cite[Definition 3]{ABR1999}. 
@@ -3707,31 +3708,31 @@ agreement and additional arguments, and derives a key suitable for the encryptio scheme. \sprout{ -Let $\KDFSprout \typecolon \setofNew \times \hSigType \times \KASharedSecret -\times \KAPublic \times \KAPublic \rightarrow \Keyspace$ be a -\keyDerivationFunction suitable for use with $\KASprout$, deriving keys +Let $\KDF{Sprout} \typecolon \setofNew \times \hSigType \times \KASharedSecret{Sprout} +\times \KAPublic{Sprout} \times \KAPublic{Sprout} \rightarrow \Keyspace$ be a +\keyDerivationFunction suitable for use with $\KA{Sprout}$, deriving keys for $\SymEncrypt{}$. \securityrequirement{ In addition to adaptive security of the key agreement and KDF, the following security property is required: -Let $\TransmitBase := \KABase$. +Let $\TransmitBase{Sprout} := \KABase{Sprout}$. Let $\TransmitPrivateSup{1}$ and $\TransmitPrivateSup{2}$ each be chosen uniformly and -independently at random from $\KASproutPrivate$. +independently at random from $\KAPrivate{Sprout}$. -Let $\TransmitPublicSup{j} := \KADerivePublic(\TransmitPrivateSup{j}, \TransmitBase)$. +Let $\TransmitPublicSup{j} := \KADerivePublic{Sprout}(\TransmitPrivateSup{j}, \TransmitBase{Sprout})$. \introlist An adversary can adaptively query a function $Q \typecolon \range{1}{2} \times \hSigType \rightarrow -\KAPublic \times \Keyspace_{\allNew}$ where $Q_j(\hSig)$ is defined as follows: +\KAPublic{Sprout} \times \Keyspace_{\allNew}$ where $Q_j(\hSig)$ is defined as follows: \begin{enumerate} - \item Choose $\EphemeralPrivate$ uniformly at random from $\KAPrivate$. - \item Let $\EphemeralPublic := \KADerivePublic(\EphemeralPrivate, \TransmitBase)$. + \item Choose $\EphemeralPrivate$ uniformly at random from $\KAPrivate{Sprout}$. + \item Let $\EphemeralPublic := \KADerivePublic{Sprout}(\EphemeralPrivate, \TransmitBase{Sprout})$. \item For $i \in \setofNew$, let $\Key_i := - \KDF(i, \hSig, \KAAgree(\EphemeralPrivate, \TransmitPublicSup{j}), \EphemeralPublic, \TransmitPublicSup{j}))$. 
+ \KDF{}(i, \hSig, \KAAgree{Sprout}(\EphemeralPrivate, \TransmitPublicSup{j}), \EphemeralPublic, \TransmitPublicSup{j}))$. \item Return $(\EphemeralPublic, \Key_{\allNew})$. \end{enumerate} @@ -3740,7 +3741,7 @@ $j \in \range{1}{2}$, and guess $j$ with probability greater than chance. } %securityrequirement \pnote{The given definition only requires ciphertexts to be indistinguishable -between \transmissionKeys that are outputs of $\KASproutDerivePublic$ (which +between \transmissionKeys that are outputs of $\KADerivePublic{Sprout}$ (which includes all keys generated as in \crossref{sproutkeycomponents}). If a \transmissionKey not in that range is used, it may be distinguishable. This is not considered to be a significant security weakness.} 
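Review bot: The adversary's query in the Sprout KDF security requirement now calls `\KDF{}(i, \hSig, \KAAgree{Sprout}(...), ...)` with an empty argument, while every other occurrence in this hunk was renamed to `\KDF{Sprout}`; for consistency, and so the subscript is actually rendered, it should read `\KDF{Sprout}(i, \hSig, \KAAgree{Sprout}(\EphemeralPrivate, \TransmitPublicSup{j}), \EphemeralPublic, \TransmitPublicSup{j})`. That line also closes one more parenthesis than it opens (`\TransmitPublicSup{j}))`), which predates this change but is worth fixing while the line is being touched.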
@@ -3751,36 +3752,36 @@ This is not considered to be a significant security weakness.} The inputs to the \keyDerivationFunction differ between the \Sprout and \Sapling KDFs: -$\KDFSprout$ takes as input an output index in $\setofNew$, the +$\KDF{Sprout}$ takes as input an output index in $\setofNew$, the value $\hSig$, the shared Diffie-Hellman secret $\DHSecret{}$, the \ephemeralPublicKey $\EphemeralPublic$, and the recipient's public \transmissionKey $\TransmitPublic$. It is suitable for use -with $\KASprout$ and derives keys for $\SymEncrypt{}$. +with $\KA{Sprout}$ and derives keys for $\SymEncrypt{}$. \begin{formulae} - \item $\KDFSprout \typecolon \setofNew \times \hSigType \times \KASproutSharedSecret - \times \KASproutPublic \times \KASproutPublic \rightarrow \Keyspace$ + \item $\KDF{Sprout} \typecolon \setofNew \times \hSigType \times \KASharedSecret{Sprout} + \times \KAPublic{Sprout} \times \KAPublic{Sprout} \rightarrow \Keyspace$ \end{formulae} \sapling{ -$\KDFSapling$ takes as input the shared Diffie-Hellman secret $\DHSecret{}$ and +$\KDF{Sapling}$ takes as input the shared Diffie-Hellman secret $\DHSecret{}$ and the \ephemeralPublicKey $\EphemeralPublic$. (It does not have inputs taking the place of the output index, $\hSig$, or $\TransmitPublic$.) It is suitable for use -with $\KASapling$ and derives keys for $\SymEncrypt{}$. +with $\KA{Sapling}$ and derives keys for $\SymEncrypt{}$. \begin{formulae} - \item $\KDFSapling \typecolon \KASaplingSharedSecret \times \byteseq{\ellJ/8} \rightarrow \Keyspace$ + \item $\KDF{Sapling} \typecolon \KASharedSecret{Sapling} \times \byteseq{\ellJ/8} \rightarrow \Keyspace$ \end{formulae} } %sapling \begin{securityrequirements} \item The asymmetric encryption scheme in \crossref{sproutinband}, constructed - from $\KASprout$, $\KDFSprout$ and $\Sym$, is required to be IND-CCA2-secure + from $\KA{Sprout}$, $\KDF{Sprout}$ and $\Sym$, is required to be IND-CCA2-secure and \keyPrivate. 
\item \sapling{ - The asymmetric encryption scheme in \crossref{saplinginband}, constructed - from $\KASapling$, $\KDFSapling$ and $\Sym$, is required to be IND-CCA2-secure - and \keyPrivate. + The asymmetric encryption scheme in \crossref{saplingandorchardinband}, constructed + from $\KA{Sapling}$, $\KDF{Sapling}$ and $\Sym$\orchard{or from $\KA{Orchard}$, + $\KDF{Orchard}$ and $\Sym$}, is required to be IND-CCA2-secure and \keyPrivate. } %sapling \end{securityrequirements} 
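Review bot: `$\Sym$\orchard{or from $\KA{Orchard}$,` in the Sapling security requirement lacks a space before "or", so when the Orchard text is enabled it typesets as "Symor from"; it should be `$\Sym$\orchard{ or from $\KA{Orchard}$,` (the sibling `\orchard{ or \actionTransfers}` in the nullifier-set hunk carries the leading space). The same sentence now refers to $\KDF{Orchard}$, but the paragraphs above give inputs and a signature only for $\KDF{Sprout}$ and $\KDF{Sapling}$ and the intro still says the inputs "differ between the \Sprout and \Sapling KDFs"; if Orchard's KDF differs from Sapling's it needs its own `\orchard{...}` paragraph with a signature, otherwise a sentence saying it is the same would close the gap.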
@@ -3819,26 +3820,31 @@ $\SigValidate{\vk}(m, s) = 1$. \item one called $\JoinSplitSig$ (instantiated in \crossref{concretejssig}), which is used to sign \transactions that contain at least one \joinSplitDescription\sprout{.}\notsprout{;} - \saplingonwarditem{one called $\SpendAuthSig$ (instantiated in + \saplingonwarditem{one called $\SpendAuthSig{}$ (instantiated in \crossref{concretespendauthsig}) which is used to sign authorizations of \spendTransfers;} - \saplingonwarditem{one called $\BindingSig$ (instantiated in + \saplingonwarditem{one called $\BindingSig{}$ (instantiated in \crossref{concretebindingsig}), which is used to enforce balance of \spendTransfers and \outputTransfers, and to prevent their replay across \transactions.} \end{itemize} +The signature scheme used in script operations is instantiated by \ECDSA on the \secpCurve. +\changed{$\JoinSplitSig$ is instantiated by \EdSpecific.} +\sapling{$\SpendAuthSig{}$ and $\BindingSig{}$ are instantiated by $\RedDSA$; on the +\jubjubCurve in \Sapling\orchard{, and on the \pallasCurve in \Orchard}.} + \notsprout{ -The following security property is needed for $\JoinSplitSig$\sapling{ and $\BindingSig$}. -\sapling{Security requirements for $\SpendAuthSig$ are defined in the next section, -\crossref{abstractsigrerand}. An additional requirement for $\BindingSig$ is defined +The following security property is needed for $\JoinSplitSig$\sapling{ and $\BindingSig{}$}. +\sapling{Security requirements for $\SpendAuthSig{}$ are defined in the next section, +\crossref{abstractsigrerand}. 
An additional requirement for $\BindingSig{}$ is defined in \crossref{abstractsigmono}.} } %notsprout \vspace{-1ex} \securityrequirement{ -$\JoinSplitSig$\sapling{ and $\BindingSig$} must be Strongly Unforgeable under (non-adaptive) -Chosen Message Attack (SU-CMA), as defined for example in +$\JoinSplitSig$\sapling{ and\orchard{ each instantiation of} $\BindingSig{}$} must be +Strongly Unforgeable under (non-adaptive) Chosen Message Attack (SU-CMA), as defined for example in \cite[Definition 6]{BDEHR2011}.\footnote{The scheme defined in that paper was attacked in \cite{LM2017}, but this has no impact on the applicability of the definition.} This allows an adversary to obtain signatures on chosen messages, and then requires it to be 
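Review bot: `are instantiated by $\RedDSA$; on the \jubjubCurve in \Sapling\orchard{, and on the \pallasCurve in \Orchard}.` uses a semicolon where the clause is a plain continuation, so the sentence reads oddly; dropping it gives `are instantiated by $\RedDSA$ on the \jubjubCurve in \Sapling\orchard{, and on the \pallasCurve in \Orchard}.` The list item for $\BindingSig{}$ just above still says it enforces balance of \spendTransfers and \outputTransfers only, while the security requirement in this hunk now speaks of "each instantiation of $\BindingSig{}$"; an `\orchard{ and \actionTransfers}` mention in that item would match.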
@@ -3865,13 +3871,15 @@ pair without access to the \signingKey. chosen message attack is needed. In fact the instantiation of $\JoinSplitSig$ uses a scheme designed for security under adaptive attack even when multiple signatures are signed under the same key. - \saplingonwarditem{The same remarks as above apply to $\BindingSig$, except that + \saplingonwarditem{The same remarks as above apply to $\BindingSig{}$, except that the key is derived from the randomness of \valueCommitments. This results in the same distribution as of freshly generated key pairs, for each - \transaction containing \spendDescriptions or \outputDescriptions{}.} + \transaction containing \spendDescriptions or \outputDescriptions\orchard{ or + \actionDescriptions}.} \item SU-CMA security requires it to be infeasible for the adversary, not - knowing the \defining{\privateKey}, to forge a distinct signature on a previously - seen message. That is, \joinSplitSignatures\sapling{ and \bindingSignatures} + knowing the \defining{\privateKey}, to forge a distinct signature on a + previously seen message. That is, \joinSplitSignatures\sapling{ and + \saplingBindingSignatures}\orchard{ and \orchardBindingSignatures} are intended to be \defining{\sigNonmalleable} in the sense of \cite{BIP-62}. \item The terminology used in this specification is that we ``validate'' signatures, and ``verify'' \zkSNARKProofs. 
@@ -4076,64 +4084,93 @@ the computational binding security requirement.} $r, r' \typecolon \CommitTrapdoor$ such that $r \neq r'$ and $\Commit{r}(x) = \Commit{r'}(x)$, this would not contradict the computational binding security requirement. - \sapling{(In fact, this is feasible for $\NoteCommitSaplingAlg$ and $\ValueCommitAlg$ + \sapling{(In fact, this is feasible for $\NoteCommitAlg{Sapling}$ and $\ValueCommitAlg{Sapling}$ because \trapdoors are equivalent modulo $\ParamJ{r}$, and the range of a \trapdoor - for those algorithms is $\binaryrange{\ScalarLengthSapling}$ where - $2^{\ScalarLengthSapling} > \ParamJ{r}$.)} + for those algorithms is $\binaryrange{\ScalarLength{Sapling}}$ where + $2^{\ScalarLength{Sapling}} > \ParamJ{r}$.)} \end{pnotes} } %notsprout \vspace{1ex} -Let $\NoteCommitRandLength$, $\MerkleHashLengthSprout$, $\PRFOutputLengthSprout$, +Let $\NoteCommitRandLength$, $\MerkleHashLength{Sprout}$, $\PRFOutputLengthSprout$, and $\ValueLength$ be as defined in \crossref{constants}. -Define $\NoteCommitSproutTrapdoor := \bitseq{\NoteCommitRandLength}$ and -$\NoteCommitSproutOutput := \bitseq{\MerkleHashLengthSprout}$. +Define $\NoteCommitTrapdoor{Sprout} := \bitseq{\NoteCommitRandLength}$ and +$\NoteCommitOutput{Sprout} := \bitseq{\MerkleHashLength{Sprout}}$. \SproutOrZcash uses a \note{} \commitmentScheme \begin{tabular}{@{\hskip 1.5em}r@{\;}l} - $\NoteCommitSprout{} $&$\typecolon\; \NoteCommitSproutTrapdoor \times \PRFOutputSprout + $\NoteCommit{Sprout}{} $&$\typecolon\; \NoteCommitTrapdoor{Sprout} \times \PRFOutputSprout \times \ValueType \times \PRFOutputSprout$ - \notsprout{\\[-1ex]\hphantom{$\NoteCommitSapling{}$} &\hspace{26.7em}}$\rightarrow \NoteCommitSproutOutput$, + \notsprout{\\[-1ex]\hphantom{$\NoteCommitAlg{Sapling}$} &\hspace{26.7em}}$\rightarrow \NoteCommitOutput{Sprout}$, \end{tabular} instantiated in \crossref{concretesproutnotecommit}. \sapling{ \vspace{2ex} -Let $\ScalarLengthSapling$ be as defined in \crossref{constants}. 
+Let $\ScalarLength{Sapling}$ be as defined in \crossref{constants}. Let $\SubgroupJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}. \introlist Define: \begin{formulae} - \item $\NoteCommitSaplingTrapdoor := \binaryrange{\ScalarLengthSapling}$ and - $\NoteCommitSaplingOutput := \GroupJ$; - \item $\ValueCommitTrapdoor := \binaryrange{\ScalarLengthSapling}$ and - $\ValueCommitOutput := \GroupJ$. + \item $\NoteCommitTrapdoor{Sapling} := \binaryrange{\ScalarLength{Sapling}}$ and + $\NoteCommitOutput{Sapling} := \GroupJ$; + \item $\ValueCommitTrapdoor{Sapling} := \binaryrange{\ScalarLength{Sapling}}$ and + $\ValueCommitOutput{Sapling} := \GroupJ$. \end{formulae} \introlist \Sapling uses two additional commitment schemes: \begin{tabular}{@{\hskip 1.5em}r@{\;}l@{\;}l} - $\NoteCommitSapling{} $&$\typecolon\; \NoteCommitSaplingTrapdoor \times \ReprJ \times \ReprJ \times \ValueType - $&$\rightarrow \NoteCommitSaplingOutput$ \\ - $\ValueCommit{} $&$\typecolon\; \ValueCommitTrapdoor \times \ValueCommitType $&$\rightarrow \ValueCommitOutput$ + $\NoteCommitAlg{Sapling} $&$\typecolon\; \NoteCommitTrapdoor{Sapling} \times \ReprJ \times \ReprJ \times \ValueType + $&$\rightarrow \NoteCommitOutput{Sapling}$ \\ + $\ValueCommitAlg{Sapling} $&$\typecolon\; \ValueCommitTrapdoor{Sapling} \times \ValueCommitType{Sapling} $&$\rightarrow \ValueCommitOutput{Sapling}$ \end{tabular} -$\NoteCommitSapling{}$ is instantiated in \crossref{concretesaplingnotecommit}, and -$\ValueCommit{}$ is instantiated in \crossref{concretevaluecommit}. +$\NoteCommitAlg{Sapling}$ is instantiated in \crossref{concretesaplingnotecommit}, and +$\ValueCommitAlg{Sapling}$ is instantiated in \crossref{concretevaluecommit}. -\nnote{$\NoteCommitSapling{}$ and $\ValueCommit{}$ always return points in the subgroup $\SubgroupJ$. +\nnote{$\NoteCommitAlg{Sapling}$ and $\ValueCommitAlg{Sapling}$ always return points in the subgroup $\SubgroupJ$. 
However, we declare the type of these commitment outputs to be $\GroupJ$ because they are not -directly checked to be in the subgroup when $\ValueCommit{}$ outputs appear in \spendDescriptions -and \outputDescriptions, or when the $\cmuField$ field derived from a $\NoteCommitSapling{}$ appears +directly checked to be in the subgroup when $\ValueCommitAlg{Sapling}$ outputs appear in \spendDescriptions +and \outputDescriptions, or when the $\cmuField$ field derived from a $\NoteCommitAlg{Sapling}$ appears in an \outputDescription.} } %sapling +\orchard{ +\vspace{2ex} +Let $\ScalarLength{Orchard}$ be as defined in \crossref{constants}. + +Let $\GroupP$, $\GroupPstar$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}. + +\introlist +Define: +\begin{formulae} + \item $\NoteCommitTrapdoor{Orchard} := \binaryrange{\ScalarLength{Orchard}}$ and + $\NoteCommitOutput{Orchard} := \GroupP$; + \item $\ValueCommitTrapdoor{Orchard} := \binaryrange{\ScalarLength{Orchard}}$ and + $\ValueCommitOutput{Orchard} := \GroupP$. +\end{formulae} + +\introlist +\Orchard uses three additional commitment schemes: + +\begin{tabular}{@{\hskip 1.5em}r@{\;}l@{\;}l} + $\NoteCommitAlg{Orchard} $&$\typecolon\; \NoteCommitTrapdoor{Orchard} \times \ReprJ \times \ReprJ \times \ValueType + $&$\rightarrow \NoteCommitOutput{Orchard}$ \\ + $\ValueCommitAlg{Orchard} $&$\typecolon\; \ValueCommitTrapdoor{Orchard} \times \ValueCommitType{Orchard} $&$\rightarrow \ValueCommitOutput{Orchard}$ \\ + $\CommitIvkAlg $&$\typecolon\; \CommitIvkTrapdoor \times \GF{\ParamP{r}} \times \GF{\ParamP{r}} $&$\rightarrow \CommitIvkOutput$ +\end{tabular} + +$\NoteCommitAlg{Orchard}$ is instantiated in \crossref{concretesaplingnotecommit}; +$\ValueCommitAlg{Orchard}$ is instantiated in \crossref{concretevaluecommit}; and +$\CommitIvkAlg$ is instantiated in \crossref{concretecommitivk}. +} %orchard \introsection \lsubsubsection{Represented Group}{abstractgroup} 
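Review bot: `$\NoteCommitAlg{Orchard}$ is instantiated in \crossref{concretesaplingnotecommit};` in the new Orchard commitment paragraph points at the Sapling note commitment section, while the note-commitment hunk earlier in this patch says `\NoteCommitAlg{Orchard}$ is instantiated in \crossref{concretesinsemillacommit}`; one of the two references is wrong, and the Sinsemilla one looks like the intended target. In the same table the Orchard scheme is typed `\NoteCommitTrapdoor{Orchard} \times \ReprJ \times \ReprJ \times \ValueType`, i.e. with Jubjub representations, although this paragraph defines Orchard's outputs over $\GroupP$ from \crossref{pallasandvesta}; this appears to be copied from the Sapling table and should presumably use the Pallas representation type. Finally, `\CommitIvkTrapdoor` and `\CommitIvkOutput` are used in the $\CommitIvkAlg$ row but, unlike the note and value commitment types, are not given in the preceding `Define:` list.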
@@ -4224,7 +4261,7 @@ not return $\bot$) as a random oracle. \begin{nnotes} \item $\GroupJHash{}$ is used to obtain generators of the \jubjubCurve for various purposes: - the bases $\AuthSignBaseSapling$ and $\AuthProveBase$ used in \Sapling key generation, + the bases $\AuthSignBase{Sapling}$ and $\AuthProveBaseSapling$ used in \Sapling key generation, the \xPedersenHash defined in \crossref{concretepedersenhash}, and the commitment schemes defined in \crossref{concretewindowedcommit} and in \crossref{concretehomomorphiccommit}. @@ -4241,7 +4278,7 @@ not return $\bot$) as a random oracle. Discrete Logarithm Independence. Discrete Logarithm Independence implies \collisionResistance\!, since a collision $(m_1, m_2)$ for $\GroupGHash{\URS}$ trivially gives a discrete logarithm relation with $x_1 = 1$ and $x_2 = -1$. - \item $\GroupJHash{}$ is also used to instantiate $\DiversifyHashSapling$ in \crossref{concretediversifyhash}. + \item $\GroupJHash{}$ is also used to instantiate $\DiversifyHash{Sapling}$ in \crossref{concretediversifyhash}. We do not know how to prove the Unlinkability property defined in that section in the standard model, but in a model where $\GroupJHash{}$ (restricted to inputs for which it does not return $\bot$) is taken as a random oracle, @@ -4418,7 +4455,7 @@ Let $\AuthPrivateLength$ be as defined in \crossref{constants}. Let $\PRFaddr{}$ be a \pseudoRandomFunction, instantiated in \crossref{concreteprfs}. -Let $\KASprout$ be a \keyAgreementScheme, instantiated in \crossref{concretesproutkeyagreement}. +Let $\KA{Sprout}$ be a \keyAgreementScheme, instantiated in \crossref{concretesproutkeyagreement}. \vspace{0.5ex} A new \SproutOrNothing{} \spendingKey $\AuthPrivate$ is generated by choosing a bit sequence 
@@ -4433,8 +4470,8 @@ as follows:} \vspace{-0.5ex} \begin{tabular}{@{\hskip 2em}r@{\;}l} $\AuthPublic$ &$:= \changed{\PRFaddr{\AuthPrivate}(0)}$ \\ - $\TransmitPrivate$ &$:= \changed{\KASproutFormatPrivate(\PRFaddr{\AuthPrivate}(1))}$ \\ - $\TransmitPublic$ &$:= \changed{\KASproutDerivePublic(\TransmitPrivate, \KASproutBase)}$. + $\TransmitPrivate$ &$:= \changed{\KAFormatPrivate{Sprout}(\PRFaddr{\AuthPrivate}(1))}$ \\ + $\TransmitPublic$ &$:= \changed{\KADerivePublic{Sprout}(\TransmitPrivate, \KABase{Sprout})}$. \end{tabular} \sapling{ @@ -4445,13 +4482,13 @@ be as defined in \crossref{constants}. Let $\PRFexpand{}$ and $\PRFock{}$ be \pseudoRandomFunctions instantiated in \crossref{concreteprfs}. -Let $\KASapling$ be a \keyAgreementScheme, instantiated in \crossref{concretesaplingkeyagreement}. +Let $\KA{Sapling}$ be a \keyAgreementScheme, instantiated in \crossref{concretesaplingkeyagreement}. Let $\CRHivk$ be a \hashFunction, instantiated in \crossref{concretecrhivk}. -Let $\DiversifyHashSapling$ be a \hashFunction, instantiated in \crossref{concretediversifyhash}. +Let $\DiversifyHash{Sapling}$ be a \hashFunction, instantiated in \crossref{concretediversifyhash}. -Let $\SpendAuthSig$, instantiated in \crossref{concretespendauthsig}, +Let $\SpendAuthSig{Sapling}$, instantiated in \crossref{concretespendauthsig}, be a \rerandomizableSignatureScheme. Let $\reprJ$, $\SubgroupJ$, $\SubgroupJstar$, and $\SubgroupReprJ$ be as defined in \crossref{jubjub}, and 
@@ -4461,9 +4498,9 @@ Let $\LEBStoOSP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \righta and $\LEOStoIP{} \typecolon (\ell \typecolon \Nat \suchthat \ell \bmod 8 = 0) \times \byteseq{\ell/8} \rightarrow \binaryrange{\ell}$ be as defined in \crossref{endian}. -Define $\AuthProveBase := \FindGroupJHash\Of{\ascii{Zcash\_H\_}, \ascii{}}$. +Define $\AuthProveBaseSapling := \FindGroupJHash\Of{\ascii{Zcash\_H\_}, \ascii{}}$. -Define $\ToScalar(x \typecolon \PRFOutputExpand) := \LEOStoIPOf{\PRFOutputLengthExpand}{x} \pmod{\ParamJ{r}}$. +Define $\ToScalar{Sapling}(x \typecolon \PRFOutputExpand) := \LEOStoIPOf{\PRFOutputLengthExpand}{x} \pmod{\ParamJ{r}}$. \introlist A new \Sapling{} \spendingKey $\SpendingKey$ is generated by choosing a bit sequence @@ -4475,8 +4512,8 @@ the \authProvingKey $\AuthProvePrivate \typecolon \GF{\ParamJ{r}}$, and the \vspace{-0.5ex} \begin{tabular}{@{\hskip 1.7em}r@{\;}l} - $\AuthSignPrivate$ &$:= \ToScalar(\PRFexpand{\SpendingKey}([0]))$ \\ - $\AuthProvePrivate$ &$:= \ToScalar(\PRFexpand{\SpendingKey}([1]))$ \\ + $\AuthSignPrivate$ &$:= \ToScalar{Sapling}(\PRFexpand{\SpendingKey}([0]))$ \\ + $\AuthProvePrivate$ &$:= \ToScalar{Sapling}(\PRFexpand{\SpendingKey}([1]))$ \\ $\OutViewingKey$ &$:= \truncate{(\OutViewingKeyLength/8)}(\PRFexpand{\SpendingKey}([2]))$ \end{tabular} 
@@ -4484,12 +4521,12 @@ If $\AuthSignPrivate = 0$, discard this key and repeat with a new $\SpendingKey$ \vspace{1ex} $\AuthSignPublic \typecolon \SubgroupJstar$, $\NullifierKey \typecolon \SubgroupJ$, and -the \incomingViewingKey $\InViewingKey \typecolon \InViewingKeyTypeSapling$ are then derived as: +the \incomingViewingKey $\InViewingKey \typecolon \InViewingKeyType{Sapling}$ are then derived as: \vspace{-0.5ex} \begin{tabular}{@{\hskip 1.7em}r@{\;}l} - $\AuthSignPublic$ &$:= \SpendAuthSigDerivePublic(\AuthSignPrivate)$ \\ - $\NullifierKey$ &$:= \scalarmult{\AuthProvePrivate}{\AuthProveBase}$ \\ + $\AuthSignPublic$ &$:= \SpendAuthSigDerivePublic{Sapling}(\AuthSignPrivate)$ \\ + $\NullifierKey$ &$:= \scalarmult{\AuthProvePrivate}{\AuthProveBaseSapling}$ \\ \plap{$\InViewingKey$}{$\OutViewingKey$} &$:= \CRHivk\big(\reprJ\Of{\AuthSignPublic}, \reprJ\Of{\NullifierKey}\kern-0.08em\big)$. \end{tabular} 
@@ -4504,16 +4541,16 @@ authority. A group of such addresses shares the same \fullViewingKey and To create a new \diversifiedPaymentAddress given an \incomingViewingKey $\InViewingKey$, repeatedly pick a \defining{\diversifier} $\Diversifier$ uniformly at random from $\DiversifierType$ until the \defining{\diversifiedBase} -$\DiversifiedTransmitBase = \DiversifyHashSapling(\Diversifier)$ is not $\bot$. +$\DiversifiedTransmitBase = \DiversifyHash{Sapling}(\Diversifier)$ is not $\bot$. Then calculate the \defining{\diversifiedTransmissionKey} $\DiversifiedTransmitPublic$: \begin{formulae} - \item $\DiversifiedTransmitPublic := \KASaplingDerivePublic(\InViewingKey, \DiversifiedTransmitBase)$. + \item $\DiversifiedTransmitPublic := \KADerivePublic{Sapling}(\InViewingKey, \DiversifiedTransmitBase)$. \end{formulae} \vspace{-1ex} The resulting \diversifiedPaymentAddress is -$(\Diversifier \typecolon \DiversifierType, \DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeSubgroup)$. +$(\Diversifier \typecolon \DiversifierType, \DiversifiedTransmitPublic \typecolon \KAPublicPrimeSubgroup{Sapling})$. \vspace{1ex} For each \spendingKey, there is also a \defining{\defaultDiversifiedPaymentAddress} @@ -4528,7 +4565,7 @@ be as defined in \crossref{concretegrouphashjubjub}. Define: \vspace{-0.5ex} \begin{formulae} \item $\CheckDiversifier(\Diversifier \typecolon \DiversifierType) := \begin{cases} - \bot, &\caseif \DiversifyHashSapling(\Diversifier) = \bot \\ + \bot, &\caseif \DiversifyHash{Sapling}(\Diversifier) = \bot \\ \Diversifier, &\caseotherwise \end{cases}$ \item $\DefaultDiversifier(\sk \typecolon \SpendingKeyType) := 
@@ -4560,7 +4597,7 @@ if this happens, discard the key and repeat with a different $\SpendingKey$. $2^{\PRFOutputLengthExpand}$ is large compared to $\ParamJ{r}$. Define $f \typecolon \SpendingKeyType \times \PRFInputExpand \rightarrow \GF{\ParamJ{r}}$ by - $f_{\sk}(t) := \ToScalar(\PRFexpand{\SpendingKey}(t))$. + $f_{\sk}(t) := \ToScalar{Sapling}(\PRFexpand{\SpendingKey}(t))$. Then $f$ is also a \xPRF, since $\LEOStoIP{\PRFOutputLengthExpand} \typecolon \PRFOutputExpand \rightarrow \binaryrange{\PRFOutputLengthExpand}$ @@ -4568,13 +4605,13 @@ if this happens, discard the key and repeat with a different $\SpendingKey$. because \crossref{constants} defines $\PRFOutputLengthExpand$ as $512$, while $\ParamJ{r}$ has length $252$ bits. It follows that the distribution of $\AuthSignPrivate$, i.e.\ $\PRFexpand{\SpendingKey}([0]) : \SpendingKey \leftarrowR \SpendingKeyType$, - is computationally indistinguishable from that of $\SpendAuthSigGenPrivate()$ defined + is computationally indistinguishable from that of $\SpendAuthSigGenPrivate{Sapling}()$ defined in \crossref{concretespendauthsig}. \item Similarly, the distribution of $\AuthProvePrivate$, i.e.\ - $\ToScalar(\PRFexpand{\SpendingKey}([1])) : \SpendingKey \leftarrowR \SpendingKeyType$, + $\ToScalar{Sapling}(\PRFexpand{\SpendingKey}([1])) : \SpendingKey \leftarrowR \SpendingKeyType$, is computationally indistinguishable from the uniform distribution on $\GF{\ParamJ{r}}$. Since $\fun{\AuthProvePrivate \typecolon \GF{\ParamJ{r}}^{\vphantom{X}}} - {\reprJ\Of{\scalarmult{\AuthProvePrivate}{\AuthProveBase}} \typecolon \SubgroupReprJ}$ + {\reprJ\Of{\scalarmult{\AuthProvePrivate}{\AuthProveBaseSapling}} \typecolon \SubgroupReprJ}$ is bijective, the distribution of $\reprJ\Of{\NullifierKey}$ will be computationally indistinguishable from uniform on $\SubgroupReprJ$ (which is the keyspace of $\PRFnfSapling{}$). \item The \zcashd wallet picks \diversifiers as in \cite{ZIP-32}, rather than using the default 
@@ -4584,6 +4621,13 @@ if this happens, discard the key and repeat with a different $\SpendingKey$. } %sapling +\orchard{ +\lsubsubsection{\OrchardText{} Key Components}{orchardkeycomponents} + +\todo{...} +} %orchard + + \lsubsection{JoinSplit Descriptions}{joinsplitdesc} A \joinSplitTransfer, as specified in \crossref{joinsplit}, is encoded in @@ -4593,14 +4637,14 @@ Each \transaction includes a sequence of zero or more \joinSplitDescriptions. When this sequence is non-empty, the \transaction also includes encodings of a $\JoinSplitSig$ public \validatingKey and signature. -Let $\MerkleHashLengthSprout$, $\PRFOutputLengthSprout$, $\RandomSeedLength$, +Let $\MerkleHashLength{Sprout}$, $\PRFOutputLengthSprout$, $\RandomSeedLength$, $\NOld$, $\NNew$, and $\MAXMONEY$ be as defined in \crossref{constants}. Let $\hSigCRH$ be as defined in \crossref{abstracthashes}. -Let $\NoteCommitSprout{}$ be as defined in \crossref{abstractcommit}. +Let $\NoteCommit{Sprout}{}$ be as defined in \crossref{abstractcommit}. -Let $\KASprout$ be as defined in \crossref{abstractkeyagreement}. +Let $\KA{Sprout}$ be as defined in \crossref{abstractkeyagreement}. Let $\Sym$ be as defined in \crossref{abstractsym}. 
@@ -4617,15 +4661,15 @@ where the value that the \joinSplitTransfer removes from the \transparentTxValuePool}; \item $\vpubNew \typecolon \range{0}{\MAXMONEY}$ is the value that the \joinSplitTransfer inserts into the \transparentTxValuePool; - \item $\rt \typecolon \MerkleHashSprout$ is an \anchor, as defined in + \item $\rt \typecolon \MerkleHash{Sprout}$ is an \anchor, as defined in \crossref{blockchain}, for the output \treestate of either a previous \block, or a previous \joinSplitTransfer in this \transaction. \item $\nfOld{\allOld} \typecolon \typeexp{\PRFOutputSprout}{\NOld}$ is the sequence of \nullifiers for the input \notes; - \item $\cmNew{\allNew} \typecolon \typeexp{\NoteCommitSproutOutput}{\NNew}$ is + \item $\cmNew{\allNew} \typecolon \typeexp{\NoteCommitOutput{Sprout}}{\NNew}$ is the sequence of \noteCommitments for the output \notes; - \item \changed{$\EphemeralPublic \typecolon \KASproutPublic$ is + \item \changed{$\EphemeralPublic \typecolon \KAPublic{Sprout}$ is a key agreement \publicKey, used to derive the key for encryption of the \notesCiphertextSprout (\crossref{sproutinband})}; \item \changed{$\RandomSeed \typecolon \RandomSeedType$ is @@ -4675,11 +4719,11 @@ Each \transaction includes a sequence of zero or more \defining{\spendDescriptio Each \spendDescription is authorized by a signature, called the \defining{\spendAuthSignature}. -Let $\MerkleHashLengthSapling$ and $\PRFOutputLengthNfSapling$ be as defined in \crossref{constants}. +Let $\MerkleHashLength{Sapling}$ and $\PRFOutputLengthNfSapling$ be as defined in \crossref{constants}. -Let $\ValueCommitOutput$ be as defined in \crossref{abstractcommit}. +Let $\ValueCommitOutput{Sapling}$ be as defined in \crossref{abstractcommit}. -Let $\SpendAuthSig$ be as defined in \crossref{spendauthsig}. +Let $\SpendAuthSig{Sapling}$ be as defined in \crossref{spendauthsig}. Let $\Spend$ be as defined in \crossref{abstractzk}. 
@@ -4689,16 +4733,16 @@ A \spendDescription consists of $(\cv, \rt, \nf, \AuthSignRandomizedPublic, \Pro where \vspace{1ex} \begin{itemize} - \item $\cv \typecolon \ValueCommitOutput$ is the \valueCommitment to the value of the input \note; - \item $\rt \typecolon \MerkleHashSapling$ is an \anchor, as defined in + \item $\cv \typecolon \ValueCommitOutput{Sapling}$ is the \valueCommitment to the value of the input \note; + \item $\rt \typecolon \MerkleHash{Sapling}$ is an \anchor, as defined in \crossref{blockchain}, for the output \treestate of a previous \block; \item $\nf \typecolon \PRFOutputNfSapling$ is the \nullifier for the input \note; - \item $\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic$ is a randomized \validatingKey + \item $\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic{Sapling}$ is a randomized \validatingKey that should be used to validate $\spendAuthSig$; \item $\ProofSpend \typecolon \SpendProof$ is a \zkSNARKProof with \primaryInput $(\cv, \rt, \nf, \AuthSignRandomizedPublic)$ for the \spendStatement defined in \crossref{spendstatement}; - \item $\spendAuthSig \typecolon \SpendAuthSigSignature$ is + \item $\spendAuthSig \typecolon \SpendAuthSigSignature{Sapling}$ is as specified in \crossref{spendauthsig}. \end{itemize} @@ -4712,7 +4756,7 @@ where \item Let $\SigHash$ be the \sighashTxHash of this \transaction, not associated with an input, as defined in \crossref{sighash} using $\SIGHASHALL$. - The \spendAuthSignature{} \MUST be a valid $\SpendAuthSig$ signature over $\SigHash$ + The \spendAuthSignature{} \MUST be a valid $\SpendAuthSig{Sapling}$ signature over $\SigHash$ using $\AuthSignRandomizedPublic$ as the \validatingKey --- i.e.\ $\SpendAuthSigValidate{\AuthSignRandomizedPublic}(\SigHash, \spendAuthSig) = 1$. \end{consensusrules} 
@@ -4732,11 +4776,11 @@ An \outputTransfer, as specified in \crossref{spendsandoutputs}, is encoded in Each \transaction includes a sequence of zero or more \outputDescriptions. There are no signatures associated with \outputDescriptions. -Let $\ValueCommitOutput$ be as defined in \crossref{abstractcommit}. +Let $\ValueCommitOutput{Sapling}$ be as defined in \crossref{abstractcommit}. -Let $\MerkleHashLengthSapling$ be as defined in \crossref{constants}. +Let $\MerkleHashLength{Sapling}$ be as defined in \crossref{constants}. -Let $\KASapling$ be as defined in \crossref{abstractkeyagreement}. +Let $\KA{Sapling}$ be as defined in \crossref{abstractkeyagreement}. Let $\Sym$ be as defined in \crossref{abstractsym}. @@ -4748,10 +4792,10 @@ An \outputDescription consists of $(\cv, \cmU, \EphemeralPublic, \TransmitCipher where \begin{itemize} \vspace{1ex} - \item $\cv \typecolon \ValueCommitOutput$ is the \valueCommitment to the value of the output \note; - \item $\cmU \typecolon \MerkleHashSapling$ is the result of applying $\ExtractJ$ (defined + \item $\cv \typecolon \ValueCommitOutput{Sapling}$ is the \valueCommitment to the value of the output \note; + \item $\cmU \typecolon \MerkleHash{Sapling}$ is the result of applying $\ExtractJ$ (defined in \crossref{concreteextractorjubjub}) to the \noteCommitment for the output \note; - \item $\EphemeralPublic \typecolon \KASaplingPublic$ is + \item $\EphemeralPublic \typecolon \KAPublic{Sapling}$ is a key agreement \publicKey, used to derive the key for encryption of the \noteCiphertextSapling (\crossref{saplinginband}); \item $\TransmitCiphertext{} \typecolon \Ciphertext$ is 
@@ -4777,20 +4821,21 @@ where \orchard{ \lsubsection{Action Descriptions}{actiondesc} -An \action, as specified in \crossref{actions}, is encoded in \transactions as an \defining{\actionDescription}. +An \actionTransfer, as specified in \crossref{actions}, is encoded in \transactions as an +\defining{\actionDescription}. Each version 5 \transaction includes a sequence of zero or more \defining{\actionDescriptions}. (Version 4 \transactions cannot contain \actionDescriptions.) Each \actionDescription is authorized by a signature, called the \defining{\spendAuthSignature}. -Let $\MerkleHashLengthOrchard$ be as defined in \crossref{constants}. +Let $\MerkleHashLength{Orchard}$ be as defined in \crossref{constants}. -Let $\ValueCommitOutput$ be as defined in \crossref{abstractcommit}. +Let $\ValueCommitOutput{Orchard}$ be as defined in \crossref{abstractcommit}. -Let $\SpendAuthSig$ be as defined in \crossref{spendauthsig}. +Let $\SpendAuthSig{Orchard}$ be as defined in \crossref{spendauthsig}. -Let $\KASapling$ be as defined in \crossref{abstractkeyagreement}. +Let $\KA{Orchard}$ be as defined in \crossref{abstractkeyagreement}. Let $\Sym$ be as defined in \crossref{abstractsym}. 
@@ -4798,23 +4843,23 @@ Let $\Action$ be as defined in \crossref{abstractzk}. \vspace{1ex} \introlist -An \actionDescription consists of $(\cv, \rt, \nf, \AuthSignRandomizedPublic, \spendAuthSig, +An \actionDescription consists of $(\cvNet, \rt, \nf, \AuthSignRandomizedPublic, \spendAuthSig, \cmX, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \ProofAction)$ where \vspace{1ex} \begin{itemize} - \item $\cv \typecolon \ValueCommitOutput$ is the \valueCommitment to the value of the input \note - minus the value of the output \note \todo{check consistency with \valueBalance}; - \item $\rt \typecolon \MerkleHashOrchard$ is an \anchor, as defined in + \item $\cvNet \typecolon \ValueCommitOutput{Orchard}$ is the \valueCommitment to the value of the + input \note minus the value of the output \note; + \item $\rt \typecolon \MerkleHash{Orchard}$ is an \anchor, as defined in \crossref{blockchain}, for the output \treestate of a previous \block; \item $\nf \typecolon \PRFOutputNfOrchard$ is the \nullifier for the input \note; - \item $\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic$ is a randomized \validatingKey + \item $\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic{Orchard}$ is a randomized \validatingKey that should be used to validate $\spendAuthSig$; - \item $\spendAuthSig \typecolon \SpendAuthSigSignature$ is + \item $\spendAuthSig \typecolon \SpendAuthSigSignature{Orchard}$ is as specified in \crossref{spendauthsig}. 
- \item $\cmX \typecolon \MerkleHashOrchard$ is the result of applying $\ExtractP$ (defined + \item $\cmX \typecolon \MerkleHash{Orchard}$ is the result of applying $\ExtractP$ (defined in \crossref{concreteextractorpallas}) to the \noteCommitment for the output \note; - \item $\EphemeralPublic \typecolon \KAOrchardPublic$ is + \item $\EphemeralPublic \typecolon \KAPublic{Orchard}$ is a key agreement \publicKey, used to derive the key for encryption of the \noteCiphertextOrchard (\crossref{saplinginband}); \item $\TransmitCiphertext{} \typecolon \Ciphertext$ is @@ -4829,18 +4874,19 @@ where \begin{consensusrules} \item Elements of an \actionDescription{} \MUST be canonical encodings of the types given above. - \item $\cv$, $\AuthSignRandomizedPublic$, and $\EphemeralPublic$ \MUSTNOT be $\ZeroP$. - \todo{is it even possible to represent $\ZeroP$ as a compressed point encoding?} \item Let $\SigHash$ be the \sighashTxHash of this \transaction, not associated with an input, as defined in \crossref{sighash} using $\SIGHASHALL$. - The \spendAuthSignature{} \MUST be a valid $\SpendAuthSig$ signature over $\SigHash$ + The \spendAuthSignature{} \MUST be a valid $\SpendAuthSig{Orchard}$ signature over $\SigHash$ using $\AuthSignRandomizedPublic$ as the \validatingKey --- i.e.\ $\SpendAuthSigValidate{\AuthSignRandomizedPublic}(\SigHash, \spendAuthSig) = 1$. \item The proof $\Proof{\Action}$ \MUST be valid given a \primaryInput formed from $(\cv, \rt, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic)$ --- i.e.\ $\ActionVerify{}((\cv, \rt, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic), \Proof{\Action}) = 1$. \end{consensusrules} + +\nnote{$\cv$, $\AuthSignRandomizedPublic$, and $\EphemeralPublic$ have type $\GroupPstar$, +and their \swCompressedEncodings in a \transaction cannot represent the zero point $\ZeroP$.} } %orchard 
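Review bot: The tuple and item list are renamed to `\cvNet`, but the unchanged consensus rule for the proof (`\primaryInput formed from $(\cv, \rt, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic)$`) and the new note in the next hunk still refer to `$\cv$`, so the net value commitment now has two names within one section. Change the primary input to `$(\cvNet, \rt, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic)$` (both in the prose and in the `\ActionVerify{}` call) and the note to `$\cvNet$`. The unchanged context line for `\EphemeralPublic` also points `\noteCiphertextOrchard` at `\crossref{saplinginband}`; if Orchard in-band encryption gets its own section, that reference should follow.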
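Review bot: The new note asserts that `$\cv$`, `$\AuthSignRandomizedPublic$`, and `$\EphemeralPublic$` have type `$\GroupPstar$`, but the item list declares `\cvNet \typecolon \ValueCommitOutput{Orchard}`, and the hunk at L47 defines `\ValueCommitOutput{Orchard} := \GroupP`, which includes `\ZeroP`. Because this hunk deletes the explicit `\MUSTNOT be $\ZeroP$` consensus rule and relies on "canonical encodings of the types given above" to exclude the identity, the exclusion only holds if the declared types really are the non-zero ones; as written, the rule is silently lost for `\cvNet`. Either declare the fields with a zero-free type (e.g. `$\GroupPstar$`, or redefine `\ValueCommitOutput{Orchard}`), or keep the MUSTNOT rule until the types are settled. The claim that `\swCompressedEncodings` cannot represent `\ZeroP` should also cite the encoding section rather than stand alone, since it is what the consensus rule now depends on.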
@@ -4850,7 +4896,15 @@ where \notsprout{\lsubsubsection{Sending Notes (\SproutText)}{sproutsend}} In order to send \SproutOrNothing{} \shielded value, the sender constructs a -\transaction containing one or more \joinSplitDescriptions. This involves first +\transaction containing one or more \joinSplitDescriptions. + +Let $\JoinSplitSig$ be as specified in \crossref{abstractsig}. + +Let $\NoteCommitAlg{Sprout}$ be as specified in \crossref{abstractcommit}. + +Let $\RandomSeedLength and \NoteAddressPreRandLength$ be as specified in \crossref{constants}. + +Sending a \transaction containing \joinSplitDescriptions involves first generating a new $\JoinSplitSig$ key pair: \begin{formulae} @@ -4867,12 +4921,12 @@ uniformly at random on $\bitseq{\NoteAddressPreRandLength}$.} Then it creates each output \note with index $i \typecolon \setofNew$: \begin{itemize} - \item Choose uniformly random $\NoteCommitRand_i \leftarrowR \NoteCommitSproutGenTrapdoor()$. + \item Choose uniformly random $\NoteCommitRand_i \leftarrowR \NoteCommitGenTrapdoor{Sprout}()$. \changed{ \item Compute $\NoteAddressRand_i = \PRFrho{\NoteAddressPreRand}(i, \hSig)$. } \item Compute $\cm_i = - \NoteCommitSprout{\NoteCommitRand_i}(\AuthPublicSub{i}, \Value_i, \NoteAddressRand_i)$. + \NoteCommit{Sprout}{\NoteCommitRand_i}(\AuthPublicSub{i}, \Value_i, \NoteAddressRand_i)$. \item Let $\NotePlaintext{i} = (\changed{\hexint{00},\ } \Value_i, \NoteAddressRand_i, \NoteCommitRand_i\changed{, \Memo_i})$. \end{itemize} 
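Review bot: `Let $\RandomSeedLength and \NoteAddressPreRandLength$ be as specified in \crossref{constants}.` places the word `and` inside a single math span, so it will typeset as math (italic `and` with no spacing) rather than prose. It should read `Let $\RandomSeedLength$ and $\NoteAddressPreRandLength$ be as specified in \crossref{constants}.`, matching the `Let ... be as specified in` sentences above it.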
@@ -4909,26 +4963,30 @@ node or wallet implementation. In order to send \SaplingOrOrchard{} \shielded value, the sender constructs a \transaction containing one or more \outputDescriptions. -Let $\ValueCommitAlg$, $\NoteCommitSaplingAlg$\orchard{, and $\NoteCommitOrchardAlg$} be as -specified in \crossref{abstractcommit}. +Let $\ValueCommitAlg{Sapling}$, $\NoteCommitAlg{Sapling}$\orchard{, +$\ValueCommitAlg{Orchard}$, and $\NoteCommitAlg{Orchard}$} be as specified in +\crossref{abstractcommit}. + +Let $\KA{Sapling}$\orchard{ and $\KA{Orchard}$} be as specified in \crossref{abstractkeyagreement}. + +Let $\DiversifyHash{Sapling}$\orchard{ and $\DiversifyHash{Orchard}$} be as specified in +\crossref{abstracthashes}. + +Let $\ToScalar{Sapling}$ be as specified in \crossref{saplingkeycomponents}\orchard{ and +let $\ToScalar{Orchard}$ be as specified in \crossref{orchardkeycomponents}}. \orchard{ -Let $\KASapling$\orchard{ and $\KAOrchard$} be as defined in \crossref{abstractkeyagreement}. -} %orchard - -\notbeforeorchard{ -Let $\DiversifyHash$ be $\DiversifyHashSapling$ for a \Sapling{} \note, or -$\DiversifyHashOrchard$ for an \Orchard{} \note. These functions are defined in -\crossref{abstracthashes}. -} %notbeforeorchard -\notorchard{ -Let $\DiversifyHash$ be $\DiversifyHashSapling$ as defined in \crossref{abstracthashes}. -} %notorchard +When we use $\ValueCommitAlg{}$, $\NoteCommitAlg{}$, $\KA{}$, $\DiversifyHash{}$, or $\ToScalar{}$ +without the \textsf{Sapling} or \textsf{Orchard} suffix, we mean the corresponding \Sapling or \Orchard +instantiation according to the type of \note being sent. +} Let $\reprJ$, $\ParamJ{r}$, and $\ParamJ{h}$ be as defined in \crossref{jubjub}. \orchard{ Let $\reprPstar$ and $\ParamP{r}$ be as defined in \crossref{pallas}. + +Let $\repr$ be $\reprJ$ for a \Sapling{} \note, or $\reprPstar$ for an \Orchard{} \note. } %orchard \vspace{1ex} 
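Review bot: `\ToScalar{Orchard}` is introduced here via `\crossref{orchardkeycomponents}`, but in this patch that section (the hunk at L54) is only a `\todo{...}` stub, so the `\ToScalar{}` derivation used in the Canopy branch later in this section is undefined for Orchard notes; add a `\todo` next to the reference or define it here (presumably `\LEOStoIPOf{\PRFOutputLengthExpand}{x} \pmod{\ParamP{r}}` by analogy with the Sapling definition at L50 — confirm). This hunk also defines `\repr` as `\reprJ` or `\reprPstar` by note type, but the `\cm` computation further down the section uses `\reprMaybeJ`, so one of the two names should be dropped. Finally, the paragraph explaining the suffix-less `\ValueCommitAlg{}`, `\KA{}`, `\DiversifyHash{}` and `\ToScalar{}` forms is wrapped in `\orchard{...}`, so non-Orchard builds use those forms without any explanation; confirm the macros default to the Sapling instantiation there, or move the sentence outside the conditional.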
@@ -4950,8 +5008,8 @@ forward secrecy of the payment information with respect to compromise of its own \vspace{2ex} Let $\CanopyActivationHeight$ be as defined in \crossref{constants}. -Let $\NotePlaintextLeadByte$ be the \notePlaintextLeadByte\notcanopy{, i.e.\ \hexint{01}}. -This \MUST be $\hexint{01}$ if for the next \block, $\BlockHeight < \CanopyActivationHeight$, or $\hexint{02}$ +Let $\NotePlaintextLeadByte$ be the \notePlaintextLeadByte. This \MUST be $\hexint{01}$ +if for the next \block, $\BlockHeight < \CanopyActivationHeight$, or $\hexint{02}$ if $\BlockHeight \geq \CanopyActivationHeight$. } 
@@ -4964,37 +5022,37 @@ and then performs the following steps: \vspace{0.5ex} \begin{algorithm} \item Check that $\DiversifiedTransmitPublic$ is of the correct type. For $\Sapling$ this type - is $\KASaplingPublicPrimeSubgroup$, i.e.\ $\DiversifiedTransmitPublic$ MUST be a valid + is $\KAPublicPrimeSubgroup{Sapling}$, i.e.\ $\DiversifiedTransmitPublic$ MUST be a valid \ctEdwardsCurve point on the \jubjubCurve (as defined in \crossref{jubjub}), and $\scalarmult{\ParamJ{r}}{\DiversifiedTransmitPublic} = \ZeroJ$. \orchard{For \Orchard - this type is $\KAOrchardPublic$, i.e.\ $\DiversifiedTransmitPublic$ MUST be a valid - \swCurve point on the \pallasCurve (as defined in \crossref{pallas}).} + this type is $\KAPublic{Orchard}$, i.e.\ $\DiversifiedTransmitPublic$ MUST be a valid + \swCurve point other than $\ZeroP$ on the \pallasCurve (as defined in \crossref{pallas}).} - \item Calculate $\DiversifiedTransmitBase = \DiversifyHashSapling(\Diversifier)$ + \item Calculate $\DiversifiedTransmitBase = \DiversifyHash{}(\Diversifier)$ and check that $\DiversifiedTransmitBase \neq \bot$. - \item Choose a uniformly random \commitmentTrapdoor $\ValueCommitRand \leftarrowR \ValueCommitGenTrapdoor()$. + \item Choose a uniformly random \commitmentTrapdoor $\ValueCommitRand \leftarrowR \ValueCommitGenTrapdoor{}()$. \canopy{ \item If $\NotePlaintextLeadByte = \hexint{01}$: } - \item \canopy{\tab} Choose a uniformly random \ephemeralPrivateKey $\EphemeralPrivate \leftarrowR \KASaplingPrivate \setminus \setof{0}$. - \item \canopy{\tab} Choose a uniformly random \commitmentTrapdoor $\NoteCommitRand \leftarrowR \NoteCommitSaplingGenTrapdoor()$. + \item \canopy{\tab} Choose a uniformly random \ephemeralPrivateKey $\EphemeralPrivate \leftarrowR \KAPrivate{Sapling} \setminus \setof{0}$. + \item \canopy{\tab} Choose a uniformly random \commitmentTrapdoor $\NoteCommitRand \leftarrowR \NoteCommitGenTrapdoor{}()$. 
\item \canopy{\tab} Set $\canopy{\NoteSeedBytes :=\ } \NoteCommitRandBytes := \LEBStoOSPOf{256}{\ItoLEBSP{256}(\NoteCommitRand)\kern-0.12em}$. \canopy{ \item else: \item \tab Choose uniformly random $\NoteSeedBytes \leftarrowR \NoteSeedBytesType$. - \item \tab Derive $\EphemeralPrivate = \ToScalar\big(\PRFexpand{\NoteSeedBytes}([4])\kern-0.1em\big)$. - \item \tab Derive $\NoteCommitRandBytes = \ToScalar\big(\PRFexpand{\NoteSeedBytes}([5])\kern-0.11em\big)$. + \item \tab Derive $\EphemeralPrivate = \ToScalar{}\big(\PRFexpand{\NoteSeedBytes}([4])\kern-0.1em\big)$. + \item \tab Derive $\NoteCommitRandBytes = \ToScalar{}\big(\PRFexpand{\NoteSeedBytes}([5])\kern-0.11em\big)$. \item \blank } \item Calculate \begin{tabular}{@{\hskip 2em}r@{\;}l} - $\cv$ &$:= \ValueCommit{\ValueCommitRand}(\Value)$ \\[1ex] - $\cm$ &$:= \NoteCommitSapling{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase}, - \reprJ\Of{\DiversifiedTransmitPublic}, - \Value)$ + $\cv$ &$:= \ValueCommit{}{\ValueCommitRand}(\Value)$ \\[1ex] + $\cm$ &$:= \NoteCommit{}{\NoteCommitRand}(\reprMaybeJ\Of{\DiversifiedTransmitBase}, + \reprMaybeJ\Of{\DiversifiedTransmitPublic}, + \Value)$ \end{tabular} \item Let $\NotePlaintext{} = (\NotePlaintextLeadByte, \Diversifier, \Value, \NoteCommitRandBytesOrSeedBytes, \Memo)$. 
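Review bot: The ephemeral-key step still samples `$\EphemeralPrivate \leftarrowR \KAPrivate{Sapling} \setminus \setof{0}$` while the neighbouring steps were generalised to the suffix-less `\DiversifyHash{}`, `\ValueCommitGenTrapdoor{}` and `\NoteCommitGenTrapdoor{}`; for an Orchard note this should be `\KAPrivate{} \setminus \setof{0}` so the key is drawn from the Pallas scalar field rather than Jubjub's. The `\NotePlaintextLeadByte = \hexint{01}` branch now also applies to Orchard notes as written; if Orchard notes can only be created with the `\hexint{02}` format (their plaintext format suggests so, but this hunk does not say), state that explicitly so a reader does not take a lead-byte-01 Orchard note as valid. The `\reprMaybeJ` in the `\cm` computation also does not match the `\repr` macro introduced at the start of this section. The enclosing algorithm environment starts outside this hunk.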
@@ -5008,14 +5066,15 @@ and then performs the following steps: $\cv$ and $\cm$ to derive the \outgoingCipherKey, and takes $\EphemeralPrivate$ as an input. - \item Generate a proof $\ProofOutput$ for the \outputStatement in \crossref{outputstatement}. + \item For a \Sapling{} \note, generate a proof $\ProofOutput$ for the \outputStatement in \crossref{outputstatement}. + \orchard{For an \Orchard{} \note, generate a proof $\ProofAction$ for the \actionStatement in \crossref{actionstatement}.} - \item Return $(\cv, \cm, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \ProofOutput)$. + \item Return $(\cv, \cm, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \ProofOutput\orchard{\text{ or }\ProofOutput})$. \end{algorithm} In order to minimize information leakage, the sender \SHOULD randomize the order -of \outputDescriptions in a \transaction. Other considerations relating to -information leakage from the structure of \transactions are beyond the +of \outputDescriptions\orchard{ or \actionDescriptions} in a \transaction. Other considerations +relating to information leakage from the structure of \transactions are beyond the scope of this specification. The encoded \transaction is submitted to the network. } %sapling @@ -5034,7 +5093,7 @@ Let $\AuthPrivateLength$ and $\PRFOutputLengthSprout$ be as defined in \crossref Let $\PRFnf{}$ be as defined in \crossref{abstractprfs}. -Let $\NoteCommitSproutAlg$ be as defined in \crossref{abstractcommit}. +Let $\NoteCommitAlg{Sprout}$ be as defined in \crossref{abstractcommit}. \introlist \vspace{0.5ex} 
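Review bot: The return line reads `\ProofOutput\orchard{\text{ or }\ProofOutput}`, so the Orchard alternative repeats `\ProofOutput` instead of the `\ProofAction` generated in the step immediately above; it should be `\ProofOutput\orchard{\text{ or }\ProofAction}`. The returned tuple `$(\cv, \cm, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \ProofOutput)$` also only matches an Output description, whereas an Action description (hunk at L59) additionally carries `\cvNet`, `\rt`, `\nf`, `\AuthSignRandomizedPublic`, `\spendAuthSig` and `\cmX` rather than `\cm`; either say that for Orchard this is only the output half of an action or leave a `\todo` there. The algorithm environment begins outside this hunk.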
@@ -5047,7 +5106,7 @@ is constructed as follows: and derive its \payingKey $\AuthPublicOld{i}$. \item \vspace{-0.5ex} Set $\vOld{i} = 0$. \item Choose uniformly random $\NoteAddressRandOld{i} \leftarrowR \PRFOutputSprout$ - and $\NoteCommitRandOld{i} \leftarrowR \NoteCommitSproutGenTrapdoor()$. + and $\NoteCommitRandOld{i} \leftarrowR \NoteCommitGenTrapdoor{Sprout}()$. \item Compute $\nfOld{i} = \PRFnf{\AuthPrivateOld{i}}(\NoteAddressRandOld{i})$. \item Let $\TreePath{i}$ be a \dummy \merklePath for the \auxiliaryInput to the \joinSplitStatement (this will not be checked). @@ -5063,21 +5122,23 @@ zero value, and sent to a random \paymentAddress. \introsection \lsubsubsection{Dummy Notes (\SaplingAndOrchardText)}{saplingdummynotes} -In \Sapling there is no need to use \dummyNotes simply in order to fill +In \SaplingAndOrchard there is no need to use \dummyNotes simply in order to fill otherwise unused inputs as in the case of a \joinSplitDescription; nevertheless it may be useful for privacy to obscure the number of real \shieldedInputs from -\Sapling{} \notes{}. +\Sapling{} \notes\orchard{ and from \Orchard{} \notes}. + +\todo{generalize for \Orchard} \vspace{0.5ex} Let $\SpendingKeyLength$ be as defined in \crossref{constants}. Let $\ParamJ{r}$ and $\reprJ$ be as defined in \crossref{jubjub}. -Let $\AuthProveBase$ be as defined in \crossref{saplingkeycomponents}. +Let $\AuthProveBaseSapling$ be as defined in \crossref{saplingkeycomponents}. Let $\PRFnfSapling{}$ be as defined in \crossref{abstractprfs}. -Let $\NoteCommitSaplingAlg$ be as defined in \crossref{abstractcommit}. +Let $\NoteCommitAlg{Sapling}$ be as defined in \crossref{abstractcommit}. \introlist \vspace{0.5ex} 
@@ -5088,12 +5149,12 @@ A \dummy{} \Sapling input \note is constructed as follows: \item Generate a new \diversifiedPaymentAddress $(\Diversifier, \DiversifiedTransmitPublic)$ for $\SpendingKey$ as described in \crossref{saplingkeycomponents}. \item Set $\vOld{} = 0$, and set $\NotePosition = 0$. - \item Choose uniformly random $\NoteCommitRand \leftarrowR \NoteCommitSaplingGenTrapdoor()$. + \item Choose uniformly random $\NoteCommitRand \leftarrowR \NoteCommitGenTrapdoor{Sapling}()$. and $\AuthProvePrivate \leftarrowR \GF{\ParamJ{r}}$. - \item Compute $\NullifierKey = \scalarmult{\AuthProvePrivate}{\AuthProveBase}$ and + \item Compute $\NullifierKey = \scalarmult{\AuthProvePrivate}{\AuthProveBaseSapling}$ and $\NullifierKeyRepr = \reprJ\Of{\NullifierKey}$\,. \item Compute $\NoteAddressRand{} = \cmOld{} - = \NoteCommitSapling{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase}, + = \NoteCommit{Sapling}{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase}, \reprJ\Of{\DiversifiedTransmitPublic}, \vOld{})$. \item Compute $\nfOld{} = \PRFnfSapling{\NullifierKeyRepr}(\reprJ(\NoteAddressRand))$. 
@@ -5110,17 +5171,19 @@ zero value, and sent to a random \paymentAddress. \lsubsection{Merkle Path Validity}{merklepath} \sprout{ -The depth of the \noteCommitmentTree is $\MerkleDepth$ (defined in \crossref{constants}). +The depth of the \noteCommitmentTree is $\MerkleDepth{}$ (defined in \crossref{constants}). } %sprout \notsprout{ -Let $\MerkleDepth$ be $\MerkleDepthSprout$ for the \Sprout{} \noteCommitmentTree\sapling{, -or $\MerkleDepthSapling$ for the \Sapling{} \noteCommitmentTree}. These constants are -defined in \crossref{constants}. +Let $\MerkleDepth{}$ be $\MerkleDepth{Sprout}$ for the \Sprout{} \noteCommitmentTree\sapling{, +or $\MerkleDepth{Sapling}$ for the \Sapling{} \noteCommitmentTree}\orchard{, +or $\MerkleDepth{Orchard}$ for the \Orchard{} \noteCommitmentTree}. +These constants are defined in \crossref{constants}. -Similarly, let $\MerkleCRH$ be $\MerkleCRHSprout$ for \Sprout\sapling{, or $\MerkleCRHSapling$ -for \Sapling}. +Similarly, let $\MerkleCRH{}$ be $\MerkleCRH{Sprout}$ for \Sprout\sapling{, +or $\MerkleCRH{Sapling}$ for \Sapling}\orchard{, or $\MerkleCRH{Orchard}$ for \Orchard}. -The following discussion applies independently to the \Sprout and \Sapling{} \noteCommitmentTrees. +The following discussion applies independently to the \Sprout and \Sapling\orchard{ and \Orchard} +\noteCommitmentTrees. } %notsprout Each \merkleNode in the \incrementalMerkleTree is associated with a \merkleHash, 
@@ -5132,43 +5195,44 @@ has $2^h$ \merkleNodes with \merkleIndices $0$ to $2^h-1$ inclusive. Let $\MerkleNode{h}{i}$ be the \merkleHash associated with the \merkleNode at \merkleIndex $i$ in \merkleLayer $h$. -The \merkleNodes at \merkleLayer $\MerkleDepth$ are called \defining{\merkleLeafNodes}. +The \merkleNodes at \merkleLayer $\MerkleDepth{}$ are called \defining{\merkleLeafNodes}. When a \noteCommitment is added to the tree, it occupies the \merkleLeafNode -\merkleHash $\MerkleNode{\MerkleDepth}{i}$ for the next available $i$. +\merkleHash $\MerkleNode{\MerkleDepth{}}{i}$ for the next available $i$. As-yet unused \merkleLeafNodes are associated with a distinguished \merkleHash -$\UncommittedSprout$ \sapling{ or $\UncommittedSapling$}. +$\Uncommitted{Sprout}$\sapling{ or $\Uncommitted{Sapling}$}\orchard{ or $\Uncommitted{Orchard}$}. It is assumed to be infeasible to find a preimage \note $\NoteTuple{}$ such that -$\NoteCommitmentSprout(\NoteTuple{}) = \UncommittedSprout$. -\sapling{(No similar assumption is needed for \Sapling because we use a representation -for $\UncommittedSapling$ that cannot occur as an output of $\NoteCommitmentSapling$.)} +$\NoteCommitment{Sprout}(\NoteTuple{}) = \Uncommitted{Sprout}$. +\sapling{(No similar assumption is needed for \SaplingOrOrchard because we use a representation +for $\Uncommitted{Sapling}$ that cannot occur as an output of $\NoteCommitment{Sapling}$\orchard{, +and similarly for \Orchard}.)} \introlist -The \merkleNodes at \merkleLayers $0$ to $\MerkleDepth-1$ inclusive are called -\defining{\merkleInternalNodes}, and are associated with $\MerkleCRH$ outputs. +The \merkleNodes at \merkleLayers $0$ to $\MerkleDepth{}-1$ inclusive are called +\defining{\merkleInternalNodes}, and are associated with $\MerkleCRH{}$ outputs. 
\MerkleInternalNodes are computed from their children in the next \merkleLayer -as follows: for $0 \leq h < \MerkleDepth$ and $0 \leq i < 2^h$, +as follows: for $0 \leq h < \MerkleDepth{}$ and $0 \leq i < 2^h$, \begin{formulae} - \item $\MerkleNode{h}{i} := \MerkleCRH(\MerkleNode{h+1}{2i}, \MerkleNode{h+1}{2i+1})$. + \item $\MerkleNode{h}{i} := \MerkleCRH{}(\MerkleNode{h+1}{2i}, \MerkleNode{h+1}{2i+1})$. \end{formulae} \introlist -A \defining{\merklePath} from \merkleLeafNode $\MerkleNode{\MerkleDepth}{i}$ in the +A \defining{\merklePath} from \merkleLeafNode $\MerkleNode{\MerkleDepth{}}{i}$ in the \incrementalMerkleTree is the sequence \begin{formulae} \item $\listcomp{\MerkleNode{h}{\MerkleSibling(h, i)} \for - h \from \MerkleDepth \downto 1}$, + h \from \MerkleDepth{} \downto 1}$, \end{formulae} where \begin{formulae} - \item $\MerkleSibling(h, i) := \floor{\frac{i}{\strut 2^{\MerkleDepth-h}}} \xor 1$ + \item $\MerkleSibling(h, i) := \floor{\frac{i}{\strut 2^{\MerkleDepth{}-h}}} \xor 1$ \end{formulae} Given such a \merklePath, it is possible to verify that \merkleLeafNode -$\MerkleNode{\MerkleDepth}{i}$ is in a tree with a given \merkleRoot $\rt = \MerkleNode{0}{0}$. +$\MerkleNode{\MerkleDepth{}}{i}$ is in a tree with a given \merkleRoot $\rt = \MerkleNode{0}{0}$. \lsubsection{SIGHASH Transaction Hashing}{sighash} 
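Review bot: The parenthetical `\orchard{, and similarly for \Orchard}` asserts that $\Uncommitted{Orchard}$ cannot be an output of the Orchard note commitment without saying why, whereas the Sapling clause names the mechanism (a representation that cannot occur as an output of $\NoteCommitment{Sapling}$). Since this is the assumption the leaf-distinctness argument rests on, the Orchard case should either point to where $\Uncommitted{Orchard}$ is defined with that property, e.g. `\orchard{, and similarly for $\Uncommitted{Orchard}$ and $\NoteCommitment{Orchard}$ (see \crossref{constants})}`, or be stated as an explicit assumption as is done for Sprout. I cannot tell from this hunk whether such a definition exists yet.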
@@ -5181,12 +5245,13 @@ about the \transaction and (where applicable) the specific input, to give a \defining{\sighashTxHash} which is then used for the Spend authorization. The means of authorization differs between \sprout{\transparentInputs and inputs to \Sprout{} \joinSplitTransfers,} -\notsprout{\transparentInputs, inputs to \Sprout{} \joinSplitTransfers,\sapling{ and \Sapling{} \spendTransfers,}} -but (for a given \transactionVersion) the same \sighashTxHash algorithm is used. +\notsprout{\transparentInputs, inputs to \Sprout{} \joinSplitTransfers,\sapling{ and +\Sapling{} \spendTransfers\orchard{ or \Orchard{} \actionTransfers,}}} +but for a given \transactionVersion the same \sighashTxHash algorithm is used. In the case of \Zcash, the \sprout{\BCTV proving system used is}% -\notsprout{\BCTV\sapling{ and \Groth} proving systems used are}% +\notsprout{\BCTV\sapling{ and \Groth}\orchard{ and \HaloTwo} proving systems used are}% \emph{malleable}, meaning that there is the potential for an adversary who does not know all of the \auxiliaryInputs to a proof, to malleate it in order to create a new proof involving related \auxiliaryInputs \cite{DSDCOPS2001}. This can be understood as similar 
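Review bot: In a Sapling-only build the rewritten sentence now lacks the comma before `but`: the comma that used to follow `\spendTransfers` was moved inside `\orchard{...}`, so the text renders as `... and Sapling Spend transfers but for a given transaction version ...`. Moving it outside the conditional, `\sapling{ and \Sapling{} \spendTransfers\orchard{ or \Orchard{} \actionTransfers},}}`, restores the original punctuation in both builds. The proving-system list on the next changed line, `\BCTV\sapling{ and \Groth}\orchard{ and \HaloTwo}`, renders as `BCTV and Groth and Halo 2`; `\BCTV\sapling{\notorchard{ and}\orchard{,} \Groth}\orchard{, and \HaloTwo}` gives a proper serial list.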
@@ -5196,26 +5261,32 @@ original plaintext. \Zcash has been designed to mitigate malleability attacks, a in \crossref{sproutnonmalleability}\sapling{, \crossref{bindingsig}, and \crossref{spendauthsig}}. \introlist -To provide additional flexibility when combining Spend authorizations from different +To provide additional flexibility when combining spend authorizations from different sources, \Bitcoin defines several \defining{\sighashTypes} that cover various parts of a transaction \cite{Bitcoin-SigHash}. One of these types is $\SIGHASHALL$\changed{, which is used for \Zcash-specific signatures, i.e.\ \joinSplitSignatures\sapling{, \spendAuthSignatures, -and \bindingSignatures}}. \changed{In \sprout{this case}\notsprout{these cases} the -\sighashTxHash is not associated with a \transparentInput, and so the input -to hashing excludes \emph{all} of the $\scriptSig$ fields in the non-\Zcash-specific parts -of the \transaction.} +\notorchard{and} \saplingBindingSignatures}\orchard{, and \orchardBindingSignatures}}. +\changed{In \sprout{this case}\notsprout{these cases} the \sighashTxHash is not associated +with a \transparentInput, and so the input to hashing excludes \emph{all} of the $\scriptSig$ +fields in the non-\Zcash-specific parts of the \transaction.} \changed{In \Zcash, all \sighashTypes are extended to cover the \Zcash-specific fields $\nJoinSplit$, $\vJoinSplit$, and if present $\joinSplitPubKey$. These fields are described in \crossref{txnencoding}. The hash \emph{does not} cover the field $\joinSplitSig$.} \overwinter{After \Overwinter activation, all \sighashTypes are also extended to cover \transaction fields -introduced in that upgrade\sapling{, and similarly after \Sapling activation}. +introduced in that upgrade\sapling{, and similarly after \SaplingAndOrchard activation\notbeforeorchard{s}}. 
The original \defining{\sighashAlgorithm} defined by \Bitcoin suffered from some deficiencies as -described in \cite{ZIP-143}; in \Zcash these are to be addressed by changing this algorithm +described in \cite{ZIP-143}; in \Zcash these were addressed by changing this algorithm as part of the \Overwinter upgrade. } %overwinter +\orchard{ +\Orchard introduces \transaction version 5, which \MUST be used if any \actionTransfers +are present. This version also provides nonmalleable \transaction identifiers, and \MAY be +used for that reason whether or not \actionTransfers are present. +} %orchard + \preoverwinter{The \sighashAlgorithm used prior to \Overwinter activation, i.e.\ for version 1 and 2 \transactions, will be defined in \cite{ZIP-76} (to be written).} 
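Review bot: The new `\orchard{...}` paragraph states a normative requirement (`\MUST` use version 5 when Action transfers are present) inside the explanatory SIGHASH discussion without marking it as a consensus rule or pointing to where the version-5 format is specified, whereas the surrounding sections use `\consensusrule{...}` and `\crossref{txnencoding}` for such statements. Either wrap it or make it a pointer: `\Orchard introduces \transaction version 5 (\crossref{txnencoding}), which \MUST be used if any \actionTransfers are present.` The claim that version 5 `provides nonmalleable \transaction identifiers` should also cite the document defining them, presumably `\cite{ZIP-244}`, which the later hunks cite for the version-5 sighash.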
@@ -5327,31 +5398,32 @@ according to client implementation. \Sapling adds \spendTransfers and \outputTransfers to the transparent and \joinSplitTransfers present in \Sprout. The net value of \spendTransfers minus \outputTransfers in a \transaction is -called the \defining{\balancingValue}, measured in \zatoshi as a signed integer $\vBalance$. +called the \defining{\saplingBalancingValue}, measured in \zatoshi as a signed integer +$\vBalance{Sapling}$. -$\vBalance$ is encoded explicitly in a \transaction as the field \valueBalance{}. (Transaction -fields are described in \crossref{txnencoding}.) +$\vBalance{Sapling}$ is encoded explicitly in a \transaction as the field \valueBalance{Sapling}. +(Transaction fields are described in \crossref{txnencoding}.) -A positive $\balancingValue$ takes value from the \defining{\SaplingTxValuePool} -and adds it to the \transparentTxValuePool. A negative $\balancingValue$ does the reverse. -As a result, positive $\vBalance$ is treated like an \emph{input} to the -\transparentTxValuePool, whereas negative $\vBalance$ is treated like an \emph{output} +A positive $\saplingBalancingValue$ takes value from the \defining{\SaplingTxValuePool} +and adds it to the \transparentTxValuePool. A negative $\saplingBalancingValue$ does the +reverse. As a result, positive $\vBalance{Sapling}$ is treated like an \emph{input} to the +\transparentTxValuePool, whereas negative $\vBalance{Sapling}$ is treated like an \emph{output} from that pool. 
\defining{As defined in \cite{ZIP-209}, the \SaplingChainValuePoolBalance for a given -\blockChain is the negation of the sum of all $\valueBalance$ field values for \transactions -in the \blockChain.} +\blockChain is the negation of the sum of all $\valueBalance{Sapling}$ field values for +\transactions in the \blockChain.} \consensusrule{If the \SaplingChainValuePoolBalance would become negative in the \blockChain created as a result of accepting a \block, then all nodes \MUST reject the block as invalid.} -Consistency of $\vBalance$ with the \valueCommitments in \spendDescriptions -and \outputDescriptions is enforced by the \defining{\bindingSignature}. This signature -has a dual rôle in the \Sapling protocol: +Consistency of $\vBalance{Sapling}$ with the \valueCommitments in \spendDescriptions +and \outputDescriptions is enforced by the \defining{\saplingBindingSignature}. +This signature has a dual rôle in the \Sapling protocol: \begin{itemize} - \item To prove that the total value spent by \spendTransfers, minus that - produced by \outputTransfers, is consistent with the $\vBalance$ field + \item To prove that the total value spent by \spendTransfers, minus that produced + by \outputTransfers, is consistent with the $\vBalance{Sapling}$ field of the \transaction; \item To prove that the signer knew the randomness used for the Spend and Output \valueCommitments, in order to prevent \outputDescriptions from being 
@@ -5361,23 +5433,23 @@ has a dual rôle in the \Sapling protocol: Instead of generating a key pair at random, we generate it as a function of the \valueCommitments in the \spendDescriptions and \outputDescriptions of the \transaction, -and the \balancingValue. +and the \saplingBalancingValue. \vspace{2ex} Let $\SubgroupJ$, $\SubgroupJstar$, and $\ParamJ{r}$ be as defined in \crossref{jubjub}. \introlist -Let $\ValueCommit{}$, $\ValueCommitValueBase$, and $\ValueCommitRandBase$ +Let $\ValueCommitAlg{Sapling}$, $\ValueCommitValueBase{Sapling}$, and $\ValueCommitRandBase{Sapling}$ be as defined in \crossref{concretevaluecommit}: \vspace{-0.5ex} \begin{formulae} - \item $\ValueCommit{} \typecolon \ValueCommitTrapdoor \times \ValueCommitType \rightarrow \ValueCommitOutput$; + \item $\ValueCommitAlg{Sapling} \typecolon \ValueCommitTrapdoor{Sapling} \times \ValueCommitType{Sapling} \rightarrow \ValueCommitOutput{Sapling}$; \vspace{-1ex} - \item $\ValueCommitValueBase \typecolon \SubgroupJstar$ is the value base in $\ValueCommit{}$; - \item $\ValueCommitRandBase \typecolon \SubgroupJstar$ is the randomness base in $\ValueCommit{}$. + \item $\ValueCommitValueBase{Sapling} \typecolon \SubgroupJstar$ is the value base in $\ValueCommitAlg{Sapling}$; + \item $\ValueCommitRandBase{Sapling} \typecolon \SubgroupJstar$ is the randomness base in $\ValueCommitAlg{Sapling}$. \end{formulae} -$\BindingSig$, $\combplus$, and $\grpplus$ are instantiated in \crossref{concretebindingsig}. +$\BindingSig{Sapling}$, $\combplus$, and $\grpplus$ are instantiated in \crossref{concretebindingsig}. These and the derived notation $\combminus$, $\scombsum{i=1}{\rmN}$, $\grpminus$, and $\sgrpsum{i=1}{\rmN}$ are specified in \crossref{abstractsigmono}. 
@@ -5389,7 +5461,7 @@ Suppose that the \transaction has: committing to values $\vOld{\alln}$ with randomness $\ValueCommitRandOld{\alln}$; \item $m$ \outputDescriptions with \valueCommitments $\cvNew{\allm}$, committing to values $\vNew{\allm}$ with randomness $\ValueCommitRandNew{\allm}$; - \item \balancingValue $\vBalance$. + \item \saplingBalancingValue $\vBalance{Sapling}$. \end{itemize} \vspace{-0.5ex} @@ -5402,7 +5474,7 @@ Instead, validators calculate the \defining{\txBindingValidatingKey} as: % ¯\_(ツ)_/¯ \item $\BindingPublic := \Bigg(\!\vcombsum{i=1}{n}\kern 0.2em \cvOld{i}\kern 0.05em\Bigg) \combminus\! \Bigg(\kern-0.05em\vcombsum{j=1}{m}\kern 0.2em \cvNew{j}\kern 0.05em\Bigg) \combminus - \ValueCommit{0}\big(\vBalance\big)$. + \ValueCommit{Sapling}{0}\big(\vBalance{Sapling}\big)$. \end{formulae} \vspace{-1ex} (This key is not encoded explicitly in the \transaction and must be recalculated.) 
@@ -5424,18 +5496,20 @@ In order to check for implementation faults, the signer \SHOULD also check that \end{formulae} \vspace{0.5ex} -Let $\SigHash$ be the \sighashTxHash as defined in \cite{ZIP-243}, not associated with an input, -using the \sighashType $\SIGHASHALL$. +Let $\SigHash$ be the \sighashTxHash as defined in \cite{ZIP-243} for a version 4 +\transaction\orchard{ or \cite{ZIP-244} for a version 5 \transaction}, not associated +with an input, using the \sighashType $\SIGHASHALL$. -A validator checks balance by validating that $\BindingSigValidate{\BindingPublic}(\SigHash, \bindingSig) = 1$. +A validator checks balance by validating that +$\BindingSigValidate{Sapling}{\BindingPublic}(\SigHash, \bindingSig{Sapling}) = 1$. \vspace{1ex} We now explain why this works. \vspace{1ex} -A \bindingSignature proves knowledge of the discrete logarithm $\BindingPrivate$ of -$\BindingPublic$ with respect to $\ValueCommitRandBase$. -That is, $\BindingPublic = \scalarmult{\BindingPrivate}{\ValueCommitRandBase}$. +A \saplingBindingSignature proves knowledge of the discrete logarithm $\BindingPrivate$ of +$\BindingPublic$ with respect to $\ValueCommitRandBase{Sapling}$. +That is, $\BindingPublic = \scalarmult{\BindingPrivate}{\ValueCommitRandBase{Sapling}}$. So the value $0$ and randomness $\BindingPrivate$ is an opening of the \xPedersenCommitment $\BindingPublic = \ValueCommit{\BindingPrivate}(0)$. By the binding property of the \xPedersenCommitment, it is infeasible to find another 
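Review bot: The unchanged line `$\BindingPublic = \ValueCommit{\BindingPrivate}(0)$` in this hunk still uses `\ValueCommit` with a single brace argument, while the preceding hunk rewrote the same macro as `\ValueCommit{Sapling}{0}\big(\vBalance{Sapling}\big)`. Both forms also appear side by side on new lines in the next hunk (`\ValueCommit{\ValueCommitRand}(\Value)` against `\ValueCommit{Sapling}{\BindingPrivate}`) and in the Orchard balance section (`\ValueCommit{\ValueCommitRand}(\Value)` against `\ValueCommit{Orchard}{\BindingPrivate}(0)`). Unless `\ValueCommit` is defined to accept either arity, one of the two forms is mis-rendered; the one-argument uses should presumably become `\ValueCommit{Sapling}{\BindingPrivate}(0)`, `\ValueCommit{Sapling}{\ValueCommitRand}(\Value)` and `\ValueCommit{Orchard}{\ValueCommitRand}(\Value)` respectively.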
@@ -5450,53 +5524,54 @@ generated without knowing $\ValueCommitRandOld{\alln} \pmod{\ParamJ{r}}$, and th proofs could not have been generated without knowing $\ValueCommitRandNew{\allm} \pmod{\ParamJ{r}}$. \introlist -Using the fact that $\ValueCommit{\ValueCommitRand}(\Value) = \scalarmult{\Value}{\ValueCommitValueBase}\, -\combplus \scalarmult{\ValueCommitRand}{\ValueCommitRandBase}$, the expression for $\BindingPublic$ above is +Using the fact that $\ValueCommit{\ValueCommitRand}(\Value) = \scalarmult{\Value}{\ValueCommitValueBase{Sapling}}\, +\combplus \scalarmult{\ValueCommitRand}{\ValueCommitRandBase{Sapling}}$, the expression for $\BindingPublic$ above is equivalent to: \vspace{1ex} \begin{tabular}{@{\hskip 2em}r@{\;}l} $\BindingPublic$ &$= \Biggscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \vOld{i}\Bigg) \grpminus\! - \Bigg(\!\vgrpsum{j=1}{m} \vNew{j}\Bigg) \grpminus \vBalance}{\ValueCommitValueBase}\, \combplus + \Bigg(\!\vgrpsum{j=1}{m} \vNew{j}\Bigg) \grpminus \vBalance{Sapling}}{\ValueCommitValueBase{Sapling}}\, \combplus \Biggscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \ValueCommitRandOld{i}\Bigg) \grpminus\! - \Bigg(\!\vgrpsum{j=1}{m} \ValueCommitRandNew{j}\Bigg)}{\ValueCommitRandBase}$ \\[3.5ex] - &$= \ValueCommit{\BindingPrivate}\Bigg(\!\vsum{i=1}{n} \vOld{i} - \vsum{j=1}{m} \vNew{j} - \vBalance\Bigg)$. + \Bigg(\!\vgrpsum{j=1}{m} \ValueCommitRandNew{j}\Bigg)}{\ValueCommitRandBase{Sapling}}$ \\[3.5ex] + &$= \ValueCommit{Sapling}{\BindingPrivate}\Bigg(\!\vsum{i=1}{n} \vOld{i} - \vsum{j=1}{m} \vNew{j} - \vBalance{Sapling}\Bigg)$. \end{tabular} \introlist -Let $\vSum = \vsum{i=1}{n} \vOld{i} - \vsum{j=1}{m} \vNew{j} - \vBalance$. +Let $\vSum = \vsum{i=1}{n} \vOld{i} - \vsum{j=1}{m} \vNew{j} - \vBalance{Sapling}$. Suppose that $\vSum = \vBad \neq 0 \pmod{\ParamJ{r}}$. -Then $\BindingPublic = \ValueCommit{\BindingPrivate}(\vBad)$. 
If the adversary were able to -find the discrete logarithm of this $\BindingPublic$ with respect to $\ValueCommitRandBase$, say -$\BindingPrivate'$ (as needed to create a valid \bindingSignature), then $(\vBad, \BindingPrivate)$ +Then $\BindingPublic = \ValueCommit{Sapling}{\BindingPrivate}(\vBad)$. If the adversary were able to +find the discrete logarithm of this $\BindingPublic$ with respect to $\ValueCommitRandBase{Sapling}$, say +$\BindingPrivate'$ (as needed to create a valid \saplingBindingSignature), then $(\vBad, \BindingPrivate)$ and $(0, \BindingPrivate')$ would be distinct openings of $\BindingPublic$ to different values, breaking the binding property of the \valueCommitmentScheme. \introlist The above argument shows only that $\Value^* = 0 \pmod{\ParamJ{r}}$; in order to show that -$\vSum = 0$, we will also demonstrate that it does not overflow $\ValueCommitType$. +$\vSum = 0$, we will also demonstrate that it does not overflow $\ValueCommitType{Sapling}$. The $\spendStatements$ prove that all of $\vOld{\alln}$ are in $\ValueType$. Similarly the $\outputStatements$ prove that all of $\vNew{\allm}$ are in $\ValueType$. -$\vBalance$ is encoded in the \transaction as a signed two's complement $64$-bit integer -in the range $\range{-2^{63}}{2^{63}-1}$. $\ValueLength$ is defined as 64, so $\vSum$ +$\vBalance{Sapling}$ is encoded in the \transaction as a signed two's complement $64$-bit integer +in the range $\SignedValueType$. $\ValueLength$ is defined as 64, so $\vSum$ is in the range $\range{-m \mult (2^{64}-1) - 2^{63} + 1}{n \mult (2^{64}-1) + 2^{63}}$. The maximum \transaction size of $2$ MB limits $n$ to at most $\floor{\frac{2000000}{384}} = 5208$ and $m$ to at most $\floor{\frac{2000000}{948}} = 2109$, ensuring $\vSum \in \range{-38913406623490299131842}{96079866507916199586728}$ which is a subrange of $\ValueCommitType$. 
-Thus checking the \bindingSignature ensures that the \transaction balances, without -the individual values of the \spendDescriptions and \outputDescriptions being revealed. +Thus checking the \saplingBindingSignature ensures that the \spendTransfers and \outputTransfers +in the \transaction balance, without their individual values being revealed. -In addition this proves that the signer, knowing the $\biggrpplus$\kern-0.015em-sum of the \valueCommitment -randomnesses, authorized a \transaction with the given \sighashTxHash by signing $\SigHash$. +In addition this proves that the signer, knowing the $\biggrpplus$\kern-0.015em-sum of the +\Sapling{} \valueCommitment randomnesses, authorized a \transaction with the given \sighashTxHash +by signing $\SigHash$. \vspace{1ex} \pnote{ -The spender \MAY reveal any strict subset of the \valueCommitment randomnesses to -other parties that are cooperating to create the \transaction. If all of the +The spender \MAY reveal any strict subset of the \Sapling{} \valueCommitment randomnesses +to other parties that are cooperating to create the \transaction. If all of the \valueCommitment randomnesses are revealed, that could allow replaying the \outputDescriptions of the \transaction. } %pnote 
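Review bot: The context line `which is a subrange of $\ValueCommitType$.` still uses the bare macro, while the new line two sentences earlier writes `$\ValueCommitType{Sapling}$`; if `\ValueCommitType` now takes the pool name as its argument, the bare use will consume the closing `$` instead and break the math. It should read `which is a subrange of $\ValueCommitType{Sapling}$.` to match the new definition line. The same pattern is worth checking for the Orchard section, whose new text consistently writes `\ValueCommitType{Orchard}`.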
@@ -5512,16 +5587,192 @@ also used in \Bulletproofs \cite{Dalek-notes}. } %sapling -\sapling{ -\lsubsection{Spend Authorization Signature}{spendauthsig} +\orchard{ +\introsection +\lsubsection{Balance and Binding Signature (\OrchardText)}{orchardbalance} -$\SpendAuthSig$ is used in \Sapling to prove knowledge of the \spendingKey authorizing +\Orchard introduces \actionTransfers, each of which can optionally perform a spend, +and optionally perform an output. Similarly to \Sapling, the net value of \Orchard +spends minus outputs in a \transaction is called the \defining{\orchardBalancingValue}, +measured in \zatoshi as a signed integer $\vBalance{\Orchard}$. + +$\vBalance{Orchard}$ is encoded explicitly in a \transaction as the field \valueBalance{Orchard}. +(Transaction fields are described in \crossref{txnencoding}.) + +A positive $\orchardBalancingValue$ takes value from the \defining{\OrchardTxValuePool} +and adds it to the \transparentTxValuePool. A negative $\orchardBalancingValue$ does the +reverse. As a result, positive $\vBalance{Orchard}$ is treated like an \emph{input} to the +\transparentTxValuePool, whereas negative $\vBalance{Orchard}$ is treated like an \emph{output} +from that pool. + +\defining{Similarly to the \SaplingChainValuePoolBalance defined in \cite{ZIP-209}, the +\OrchardChainValuePoolBalance for a given \blockChain is the negation of the sum of all +$\valueBalance{Orchard}$ field values for \transactions in the \blockChain.} + +\consensusrule{If the \OrchardChainValuePoolBalance would become negative in the \blockChain +created as a result of accepting a \block, then all nodes \MUST reject the block as invalid.} + +Consistency of $\vBalance{Orchard}$ with the \valueCommitments in \actionDescriptions +is enforced by the \defining{\orchardBindingSignature}. 
The rôle of this signature in the +\Orchard protocol is to prove that the net value spent (i.e.\ the total value spent minus +the total value produced) by \actionTransfers is consistent with the $\vBalance{Orchard}$ +field of the \transaction{}. + +\nnote{The second rôle of \saplingBindingSignatures, to prove that the signer knew the +randomness used for commitments in order to prevent them from being replayed, is less +important in \Orchard because all \actionDescriptions have a \spendAuthSignature. Still, +an \orchardBindingSignature does prove that the signer knew this commitment randomness; +this provides defence in depth and reduces the differences of \Orchard from \Sapling, +which may simplify security analysis.} + +Instead of generating a key pair at random, we generate it as a function of the +\valueCommitments in the \actionDescriptions of the \transaction, and the \orchardBalancingValue. + +\vspace{2ex} +Let $\GroupP$, $\GroupPstar$, and $\ParamP{r}$ be as defined in \crossref{pallas}. + +\introlist +Let $\ValueCommitAlg{Orchard}$, $\ValueCommitValueBase{Orchard}$, and $\ValueCommitRandBase{Orchard}$ +be as defined in \crossref{concretevaluecommit}: +\vspace{-0.5ex} +\begin{formulae} + \item $\ValueCommitAlg{Orchard} \typecolon \ValueCommitTrapdoor{Orchard} \times \ValueCommitType{Orchard} \rightarrow \ValueCommitOutput{Orchard}$; + \vspace{-1ex} + \item $\ValueCommitValueBase{Orchard} \typecolon \GroupPstar$ is the value base in $\ValueCommitAlg{Orchard}$; + \item $\ValueCommitRandBase{Orchard} \typecolon \GroupPstar$ is the randomness base in $\ValueCommitAlg{Orchard}$. +\end{formulae} + +$\BindingSig{Orchard}$, $\combplus$, and $\grpplus$ are instantiated in \crossref{concretebindingsig}. +These and the derived notation $\combminus$, $\scombsum{i=1}{\rmN}$, $\grpminus$, and +$\sgrpsum{i=1}{\rmN}$ are specified in \crossref{abstractsigmono}. 
+ +\vspace{1.5ex} +\introlist +Suppose that the \transaction has: +\begin{itemize} + \item $n$ \actionDescriptions with \valueCommitments $\cvNet{\alln}$, + committing to values $\vNet{\alln}$ with randomness $\ValueCommitRandNet{\alln}$; + \item \orchardBalancingValue $\vBalance{Orchard}$. +\end{itemize} + +\vspace{-0.5ex} +In a correctly constructed \transaction, $\vBalance{Orchard} = \ssum{i=1}{n} \vNet{i}$, +but validators cannot check this directly because the values are hidden by the commitments. + +\introlist +Instead, validators calculate the \defining{\txBindingValidatingKey} as: +\begin{formulae} + \item $\BindingPublic := \Bigg(\!\vcombsum{i=1}{n}\kern 0.2em \cvNet{i}\kern 0.05em\Bigg) \combminus + \ValueCommit{Orchard}{0}\big(\vBalance{Orchard}\big)$. +\end{formulae} +\vspace{-1ex} +(This key is not encoded explicitly in the \transaction and must be recalculated.) + +\introlist +\vspace{1ex} +The signer knows $\ValueCommitRandNet{\alln}$, and so can calculate the corresponding \signingKey as: +\begin{formulae} + \item $\BindingPrivate := \vgrpsum{i=1}{n} \ValueCommitRandNet{i}$. +\end{formulae} + +\introlist +\vspace{-1ex} +In order to check for implementation faults, the signer \SHOULD also check that +\begin{formulae} + \item $\BindingPublic = \BindingSigDerivePublic(\BindingPrivate)$. +\end{formulae} + +\vspace{0.5ex} +A \transaction containing \actionDescriptions is necessarily a version 5 \transaction. +Let $\SigHash$ be the \sighashTxHash for a version 5 \transaction as defined in \cite{ZIP-244}, +not associated with an input, using the \sighashType $\SIGHASHALL$. + +A validator checks balance by validating that +$\BindingSigValidate{Orchard}{\BindingPublic}(\SigHash, \bindingSig{Orchard}) = 1$. + +\vspace{1ex} +The security argument is very similar to that for \saplingBindingSignatures, but +for completeness we spell it out, since there are minor differences due to the net +value commitments, and a different bound on the net value sum $\vSum$. 
+ +\vspace{1ex} +An \orchardBindingSignature proves knowledge of the discrete logarithm $\BindingPrivate$ of +$\BindingPublic$ with respect to $\ValueCommitRandBase{Orchard}$. +That is, $\BindingPublic = \scalarmult{\BindingPrivate}{\ValueCommitRandBase{Orchard}}$. +So the value $0$ and randomness $\BindingPrivate$ is an opening of the \xPedersenCommitment +$\BindingPublic = \ValueCommit{Orchard}{\BindingPrivate}(0)$. +By the binding property of the \xPedersenCommitment, it is infeasible to find another +opening of this commitment to a different value. + +Similarly, the binding property of the \valueCommitments in the \actionDescriptions +ensures that an adversary cannot find an opening to more than one value +for any of those commitments, i.e.\ we may assume that $\vNet{\alln}$ are determined by +$\cvNet{\alln}$. We may also assume, from Knowledge Soundness of \HaloTwo, that the Action +proofs could not have been generated without knowing $\ValueCommitRandNet{\alln} \pmod{\ParamP{r}}$. + +\introlist +Using the fact that $\ValueCommit{\ValueCommitRand}(\Value) = \scalarmult{\Value}{\ValueCommitValueBase{Orchard}}\, +\combplus \scalarmult{\ValueCommitRand}{\ValueCommitRandBase{Orchard}}$, the expression for $\BindingPublic$ above is +equivalent to: + +\vspace{1ex} +\begin{tabular}{@{\hskip 2em}r@{\;}l} + $\BindingPublic$ &$= \Biggscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \vNet{i}\Bigg) \grpminus \vBalance{Orchard}}{\ValueCommitValueBase{Orchard}}\, \combplus + \Biggscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \ValueCommitRandNet{i}\Bigg)}{\ValueCommitRandBase{Orchard}}$ \\[3.5ex] + &$= \ValueCommit{Orchard}{\BindingPrivate}\Bigg(\!\vsum{i=1}{n} \vNet{i} - \vBalance{Orchard}\Bigg)$. +\end{tabular} + +\introlist +Let $\vSum = \vsum{i=1}{n} \vNet{i} - \vBalance{Orchard}$. + +Suppose that $\vSum = \vBad \neq 0 \pmod{\ParamJ{r}}$. +Then $\BindingPublic = \ValueCommit{Orchard}{\BindingPrivate}(\vBad)$. 
If the adversary were able to +find the discrete logarithm of this $\BindingPublic$ with respect to $\ValueCommitRandBase{Orchard}$, say +$\BindingPrivate'$ (as needed to create a valid \orchardBindingSignature), then $(\vBad, \BindingPrivate)$ +and $(0, \BindingPrivate')$ would be distinct openings of $\BindingPublic$ to different values, +breaking the binding property of the \valueCommitmentScheme. + +\introlist +The above argument shows only that $\Value^* = 0 \pmod{\ParamP{r}}$; in order to show that +$\vSum = 0$, we will also demonstrate that it does not overflow $\ValueCommitType{Orchard}$. + +The $\actionStatements$ prove that all of $\vNet{\alln}$ are in $\SignedValueType$. Similarly, +$\vBalance{Orchard}$ is encoded in the \transaction as a signed two's complement $64$-bit integer +in the range $\SignedValueType$. Therefore, $\vSum$ is in the range $\range{-n \mult 2^{63}}{n \mult (2^{63}-1)}$. +The maximum \transaction size of $2$ MB limits $n$ to at most \todo{$\floor{\frac{2000000}{?}} = ?$, +ensuring $\vSum \in ?$ which is a subrange of $\ValueCommitType{Orchard}$}. + +Thus checking the \orchardBindingSignature ensures that the \actionTransfers in the \transaction +balance, without their individual net values being revealed. + +In addition this proves that the signer, knowing the $\biggrpplus$\kern-0.015em-sum of the +\Orchard{} \valueCommitment randomnesses, authorized a \transaction with the given \sighashTxHash +by signing $\SigHash$. + +\vspace{1ex} +\pnote{ +The spender \MAY reveal any strict subset of the \Orchard{} \valueCommitment randomnesses to +other parties that are cooperating to create the \transaction. +} %pnote +} %orchard + + +\sapling{ +\lsubsection{Spend Authorization Signature (\SaplingAndOrchardText)}{spendauthsig} + +$\SpendAuthSig{}$ is used in \SaplingAndOrchard to prove knowledge of the \spendingKey authorizing spending of an input \note. It is instantiated in \crossref{concretespendauthsig}. 
-Knowledge of the \spendingKey could have been proven directly in the \spendStatement, -similar to the check in \crossref{sproutspendauthority} that is part of the \joinSplitStatement. -The motivation for a separate signature is to allow devices that are limited in memory -and computational capacity, such as hardware wallets, to authorize a \Sapling shielded Spend. +We use $\SpendAuthSig{Sapling}$ to refer to the \spendAuthSignatureScheme for +\Sapling, which is instantiated on the \jubjubCurve. +\orchard{We use $\SpendAuthSig{Orchard}$ to refer to the \spendAuthSignatureScheme for +\Orchard, which is instantiated on the \pallasCurve. The following discussion applies to +both.} + +Knowledge of the \spendingKey could have been proven directly in the \spendStatement\orchard{ or +\actionStatement}, similar to the check in \crossref{sproutspendauthority} that is part of the +\joinSplitStatement. The motivation for a separate signature is to allow devices that are limited in +memory and computational capacity, such as hardware wallets, to authorize a \Sapling shielded Spend. Typically such devices cannot create, and may not be able to verify, \zkSNARKProofs for a \statement of the size needed using the \BCTV or \Groth proving systems. @@ -5541,6 +5792,8 @@ using the \sighashType $\SIGHASHALL$. Let $\AuthSignPrivate$ be the \defining{\spendAuthPrivateKey} as defined in \crossref{saplingkeycomponents}. +\orchard{Let $\SpendAuthSig{}$ be $\SpendAuthSig{Sapling}$ or $\SpendAuthSig{Orchard}$ as applicable.} + \vspace{2ex} For each \spendDescription, the signer chooses a fresh \defining{\spendAuthRandomizer} $\AuthSignRandomizer$: 
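Review bot: The stated bound `$\vSum$ is in the range $\range{-n \mult 2^{63}}{n \mult (2^{63}-1)}$` omits the contribution of $\vBalance{Orchard}$, which the same paragraph says is itself in $\SignedValueType$; with $\vSum = \vsum{i=1}{n} \vNet{i} - \vBalance{Orchard}$ the range is `$\range{-n \mult 2^{63} - 2^{63} + 1}{n \mult (2^{63}-1) + 2^{63}}$`, mirroring how the Sapling argument accounts for its balancing value. Two lines earlier, `Suppose that $\vSum = \vBad \neq 0 \pmod{\ParamJ{r}}$` uses the Jubjub order inside the Orchard argument, while the following sentence correctly uses `\ParamP{r}`, so this should be `\pmod{\ParamP{r}}` as well. The section's first paragraph writes `$\vBalance{\Orchard}$` (the macro as argument) where every other occurrence is `$\vBalance{Orchard}$`. The `\todo` for the maximum $n$ leaves the overflow step of the security argument open, so the conclusion that checking the \orchardBindingSignature ensures balance is not yet established by this text. The context line `using the \BCTV or \Groth proving systems` at the end of the hunk is also left unextended although the new sentence above says the discussion applies to both Sapling and Orchard.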
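Review bot: `\orchard{Let $\SpendAuthSig{}$ be $\SpendAuthSig{Sapling}$ or $\SpendAuthSig{Orchard}$ as applicable.}` leaves the selection rule implicit; say what decides it, e.g. `Let $\SpendAuthSig{}$ be $\SpendAuthSig{Sapling}$ for a \spendDescription, or $\SpendAuthSig{Orchard}$ for an \actionDescription.` The lead-in on the hunk's last context line, `For each \spendDescription, the signer chooses a fresh ...`, still names only Spend descriptions even though the procedure that follows now covers Action descriptions too; `For each \spendDescription\orchard{ or \actionDescription}` keeps it consistent with the wording used later for the resulting proof. The enumerated procedure itself lies outside this hunk.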
@@ -5548,21 +5801,23 @@ For each \spendDescription, the signer chooses a fresh \defining{\spendAuthRando \item Choose $\AuthSignRandomizer \leftarrowR \SpendAuthSigGenRandom()$. \item Let $\AuthSignRandomizedPrivate = \SpendAuthSigRandomizePrivate(\AuthSignRandomizer, \AuthSignPrivate)$. \item Let $\AuthSignRandomizedPublic = \SpendAuthSigDerivePublic(\AuthSignRandomizedPrivate)$. - \item Generate a proof $\ProofSpend$ of the \spendStatement (\crossref{spendstatement}), - with $\AuthSignRandomizer$ in the \auxiliaryInput and $\AuthSignRandomizedPublic$ - in the \primaryInput. - \item Let $\spendAuthSig = \SpendAuthSigSign{\AuthSignRandomizedPrivate}(\SigHash)$. + \item Generate a proof $\Proof{}$ of the \spendStatement (\crossref{spendstatement})\orchard{ or + \actionStatement (\crossref{actionstatement})}, with $\AuthSignRandomizer$ in the + \auxiliaryInput and $\AuthSignRandomizedPublic$ in the \primaryInput. + \item Let $\spendAuthSig = \SpendAuthSigSign{}{\AuthSignRandomizedPrivate}(\SigHash)$. \end{enumerate} \introlist -The resulting $\spendAuthSig$ and $\ProofSpend$ are included in the \spendDescription. +The resulting $\spendAuthSig$ and $\Proof{}$ are included in the \spendDescription\orchard{ or +\actionDescription}. \vspace{1ex} \pnote{ If the spender is computationally or memory-limited, step 4 (and only step 4) \MAY be delegated to a different party that is capable of performing the \zkSNARKProof. In this case privacy will be lost to that party since it needs $\AuthSignPublic$ and the \authProvingKey $\AuthProvePrivate$; -this allows also deriving the $\NullifierKey$ component of the \fullViewingKey. Together +this allows also deriving the $\NullifierKey$ component of the \fullViewingKey. \orchard{(In +\Orchard, that party needs the $\NullifierKey$ directly to make the \zkSNARKProof.)} Together $\AuthSignPublic$ and $\NullifierKey$ are sufficient to recognize spent \notes and to recognize and decrypt incoming \notes. 
However, the other party will not obtain spending authority for other \transactions, since it is not able to create a \spendAuthSignature by itself. @@ -5623,23 +5878,23 @@ is a representation of the \nullifierDerivingKey associated with the \note and $ \lsubsubsection{JoinSplit Statement\pSproutOrNothingText}{joinsplitstatement} \vspace{-2ex} -Let $\MerkleHashLengthSprout$, $\PRFOutputLengthSprout$, $\MerkleDepthSprout$, $\ValueLength$, +Let $\MerkleHashLength{Sprout}$, $\PRFOutputLengthSprout$, $\MerkleDepth{Sprout}$, $\ValueLength$, $\AuthPrivateLength$, $\NoteAddressPreRandLength$, $\hSigLength$, $\NOld$, $\NNew$ be as defined in \crossref{constants}. \vspace{-1ex} Let $\PRFaddr{}$, $\PRFnf{}$, $\PRFpk{}$, \changed{and $\PRFrho{}$} be as defined in \crossref{abstractprfs}. \vspace{-1ex} -Let $\NoteCommitSprout{}$ be as defined in \crossref{abstractcommit}, and -let $\NoteTypeSprout$ and $\NoteCommitmentSprout$ be as defined in \crossref{notes}. +Let $\NoteCommit{Sprout}{}$ be as defined in \crossref{abstractcommit}, and +let $\NoteType{Sprout}$ and $\NoteCommitment{Sprout}$ be as defined in \crossref{notes}. A valid instance of a \defining{\joinSplitStatement}, $\ProofJoinSplit$, assures that given a \primaryInput: \vspace{-1ex} \begin{formulae} - \item $\oparen\rt \typecolon \MerkleHashSprout,\\ + \item $\oparen\rt \typecolon \MerkleHash{Sprout},\\ \hparen\nfOld{\allOld} \typecolon \typeexp{\PRFOutputSprout}{\NOld},\\ - \hparen\cmNew{\allNew} \typecolon \typeexp{\NoteCommitSproutOutput}{\NNew},\vspace{0.6ex}\\ + \hparen\cmNew{\allNew} \typecolon \typeexp{\NoteCommitOutput{Sprout}}{\NNew},\vspace{0.6ex}\\ \hparen\changed{\vpubOld \typecolon \ValueType,}\vspace{0.6ex}\\ \hparen\vpubNew \typecolon \ValueType,\\ \hparen\hSig \typecolon \hSigType,\\ 
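Review bot: The delegation note's new Orchard parenthetical only says the proving party needs $\NullifierKey$ directly, but it does not mention that delegating step 4 in Orchard leaks strictly more than in Sapling. The Action statement's auxiliary input later in this patch lists $\DiversifiedTransmitBaseNew$, $\DiversifiedTransmitPublicNewRepr$, $\vNew{}$, $\NoteCommitRandNew{}$ and $\EphemeralPrivate$ as witnesses of the same proof, so a delegated Orchard prover apparently also learns the recipient, value and ephemeral private key of the new note created by that Action, which a Sapling Spend-proof delegate does not (the Output proof is separate there). I would extend the parenthetical with a sentence such as: `Also, since the \actionStatement covers both the spent and the new \note, the delegated party learns the contents of the new \note and its $\EphemeralPrivate$.` The wording "step 4 (and only step 4)" is otherwise fine since step 4 is the proof generation in both cases.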
@@ -5649,11 +5904,11 @@ A valid instance of a \defining{\joinSplitStatement}, $\ProofJoinSplit$, assures the prover knows an \auxiliaryInput: \vspace{-0.5ex} \begin{formulae} - \item $\oparen\TreePath{\allOld} \typecolon \typeexp{\typeexp{\MerkleHashSprout}{\MerkleDepthSprout}}{\NOld},\\ - \hparen\NotePosition_{\allOld} \typecolon \typeexp{\NotePositionTypeSprout}{\NOld},\\ - \hparen\nOld{\allOld} \typecolon \typeexp{\NoteTypeSprout}{\NOld},\\ + \item $\oparen\TreePath{\allOld} \typecolon \typeexp{\typeexp{\MerkleHash{Sprout}}{\MerkleDepth{Sprout}}}{\NOld},\\ + \hparen\NotePosition_{\allOld} \typecolon \typeexp{\NotePositionType{Sprout}}{\NOld},\\ + \hparen\nOld{\allOld} \typecolon \typeexp{\NoteType{Sprout}}{\NOld},\\ \hparen\AuthPrivateOld{\allOld} \typecolon \typeexp{\bitseq{\AuthPrivateLength}}{\NOld},\\ - \hparen\nNew{\allNew} \typecolon \typeexp{\NoteTypeSprout}{\NNew}\changed{,}\vspace{0.8ex}\\ + \hparen\nNew{\allNew} \typecolon \typeexp{\NoteType{Sprout}}{\NNew}\changed{,}\vspace{0.8ex}\\ \hparen\changed{\NoteAddressPreRand \typecolon \bitseq{\NoteAddressPreRandLength},}\vspace{-0.5ex}\\ \hparen\changed{\EnforceMerklePath{\allOld} \typecolon \bitseq{\NOld}}\cparen$, \end{formulae} @@ -5672,7 +5927,7 @@ such that the following conditions hold: \snarkcondition{Merkle path validity}{sproutmerklepathvalidity} for each $i \in \setofOld$ \changed{$\mid$ $\EnforceMerklePath{i} = 1$}: $(\TreePath{i}, \NotePosition_i)$ is a valid \merklePath (see \crossref{merklepath}) of depth -$\MerkleDepthSprout$ from $\NoteCommitmentSprout(\nOld{i})$ to the \anchor $\rt$. +$\MerkleDepth{Sprout}$ from $\NoteCommitment{Sprout}(\nOld{i})$ to the \anchor $\rt$. \pnote{Merkle path validity covers conditions 1.\,(a) and 1.\,(d) of the NP \statement in \cite[section 4.2]{BCGGMTV2014}.} 
@@ -5700,7 +5955,7 @@ for each $i \in \setofNew$: $\NoteAddressRandNew{i} = \PRFrho{\NoteAddressPreRand}(i, \hSig)$.} \snarkcondition{Note commitment integrity}{sproutcommitmentintegrity} -for each $i \in \setofNew$: $\cmNew{i} = \NoteCommitmentSprout(\nNew{i})$. +for each $i \in \setofNew$: $\cmNew{i} = \NoteCommitment{Sprout}(\nNew{i})$. \vspace{1ex} For details of the form and encoding of proofs, see \crossref{bctv}. @@ -5710,23 +5965,23 @@ For details of the form and encoding of proofs, see \crossref{bctv}. \lsubsubsection{Spend Statement (\SaplingText)}{spendstatement} \vspace{-1ex} -Let $\MerkleHashLengthSapling$, $\PRFOutputLengthNfSapling$, and $\ScalarLengthSapling$ be +Let $\MerkleHashLength{Sapling}$, $\PRFOutputLengthNfSapling$, and $\ScalarLength{Sapling}$ be as defined in \crossref{constants}. \vspace{-0.5ex} -Let $\ValueCommitAlg$ and $\NoteCommitSaplingAlg$ be as specified in \crossref{abstractcommit}. +Let $\ValueCommitAlg{Sapling}$ and $\NoteCommitAlg{Sapling}$ be as specified in \crossref{abstractcommit}. \vspace{-0.5ex} -Let $\SpendAuthSig$ be as defined in \crossref{concretespendauthsig}. +Let $\SpendAuthSig{Sapling}$ be as defined in \crossref{concretespendauthsig}. \vspace{-0.5ex} Let $\GroupJ$, $\SubgroupJ$, $\reprJ$, $\ParamJ{q}$, $\ParamJ{r}$, and $\ParamJ{h}$ be as defined in \crossref{jubjub}. \vspace{-0.5ex} -Let $\ExtractJ \typecolon \SubgroupJ \rightarrow \MerkleHashSapling$ be as defined in \crossref{concreteextractorjubjub}. +Let $\ExtractJ \typecolon \SubgroupJ \rightarrow \MerkleHash{Sapling}$ be as defined in \crossref{concreteextractorjubjub}. \vspace{-0.5ex} -Let $\AuthProveBase$ be as defined in \crossref{saplingkeycomponents}. +Let $\AuthProveBaseSapling$ be as defined in \crossref{saplingkeycomponents}. \intropart \vspace{0.5ex} 
@@ -5734,10 +5989,10 @@ A valid instance of a \defining{\spendStatement}, $\ProofSpend$, assures that gi \vspace{-1ex} \begin{formulae} - \item $\oparen\rt \typecolon \MerkleHashSapling,\\ - \hparen\cvOld{} \typecolon \ValueCommitOutput,\\ + \item $\oparen\rt \typecolon \MerkleHash{Sapling},\\ + \hparen\cvOld{} \typecolon \ValueCommitOutput{Sapling},\\ \hparen\nfOld{} \typecolon \PRFOutputNfSapling,\\ - \hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic\cparen$, + \hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic{Sapling}\cparen$, \end{formulae} \vspace{-2ex} 
@@ -5746,29 +6001,29 @@ the prover knows an \auxiliaryInput: \vspace{-1ex} \begin{formulae} - \item $\oparen\TreePath{} \typecolon \typeexp{\MerkleHash}{\MerkleDepthSapling},\\ - \hparen\NotePosition \typecolon \NotePositionTypeSapling,\vspace{0.4ex}\\ + \item $\oparen\TreePath{} \typecolon \typeexp{\MerkleHash{Sapling}}{\MerkleDepth{Sapling}},\\ + \hparen\NotePosition \typecolon \NotePositionType{Sapling},\vspace{0.4ex}\\ \hparen\DiversifiedTransmitBase \typecolon \GroupJ,\\ \hparen\DiversifiedTransmitPublic \typecolon \GroupJ,\vspace{0.6ex}\\ \hparen\vOld{} \typecolon \ValueType,\\ - \hparen\ValueCommitRandOld{} \typecolon \binaryrange{\ScalarLengthSapling},\\ + \hparen\ValueCommitRandOld{} \typecolon \binaryrange{\ScalarLength{Sapling}},\\ \hparen\cmOld{} \typecolon \GroupJ,\\ - \hparen\NoteCommitRandOld{} \typecolon \binaryrange{\ScalarLengthSapling},\\ - \hparen\AuthSignRandomizer \typecolon \binaryrange{\ScalarLengthSapling},\\ - \hparen\AuthSignPublic \typecolon \SpendAuthSigPublic,\\ - \hparen\AuthProvePrivate \typecolon \binaryrange{\ScalarLengthSapling}\cparen$ + \hparen\NoteCommitRandOld{} \typecolon \binaryrange{\ScalarLength{Sapling}},\\ + \hparen\AuthSignRandomizer \typecolon \binaryrange{\ScalarLength{Sapling}},\\ + \hparen\AuthSignPublic \typecolon \SpendAuthSigPublic{Sapling},\\ + \hparen\AuthProvePrivate \typecolon \binaryrange{\ScalarLength{Sapling}}\cparen$ \end{formulae} \vspace{-1.5ex} such that the following conditions hold: \vspace{0.5ex} \snarkcondition{Note commitment integrity}{spendnotecommitmentintegrity} -$\cmOld{} = \NoteCommitSapling{\NoteCommitRandOld{}}(\reprJ\Of{\DiversifiedTransmitBase}, +$\cmOld{} = \NoteCommit{Sapling}{\NoteCommitRandOld{}}(\reprJ\Of{\DiversifiedTransmitBase}, \reprJ\Of{\DiversifiedTransmitPublic}, \vOld{})$. 
\snarkcondition{Merkle path validity}{spendmerklepathvalidity} -Either $\vOld{} = 0$; or $(\TreePath{}, \NotePosition)$ is a valid \merklePath of depth $\MerkleDepthSapling$, +Either $\vOld{} = 0$; or $(\TreePath{}, \NotePosition)$ is a valid \merklePath of depth $\MerkleDepth{Sapling}$, as defined in \crossref{merklepath}, from $\cmU = \ExtractJ(\cmOld{})$ to the \anchor $\rt$. \snarkcondition{Value commitment integrity}{spendvaluecommitmentintegrity} @@ -5783,7 +6038,7 @@ and $\scalarmult{\ParamJ{h}}{\AuthSignPublic} \neq \ZeroJ$. $\nfOld{} = \PRFnfSapling{\NullifierKeyRepr}(\NoteAddressRandRepr)$ where \vspace{-1ex} \begin{formulae} - \item $\NullifierKeyRepr = \reprJ\Of{\scalarmult{\AuthProvePrivate}{\AuthProveBase}}$ + \item $\NullifierKeyRepr = \reprJ\Of{\scalarmult{\AuthProvePrivate}{\AuthProveBaseSapling}}$ \vspace{-1ex} \item $\NoteAddressRandRepr = \reprJ\big(\MixingPedersenHash(\cmOld{}, \NotePosition)\kern-0.12em\big)$. \end{formulae} @@ -5807,7 +6062,8 @@ For details of the form and encoding of \spendStatement proofs, see \crossref{gr see \crossref{ccteddecompressvalidate}, for required validity checks on compressed representations of \jubjubCurve points. - The $\ValueCommitOutput$ and $\SpendAuthSigPublic$ types also represent points, i.e. $\GroupJ$. + The $\ValueCommitOutput{Sapling}$ and $\SpendAuthSigPublic{Sapling}$ types also represent points, + i.e.\ $\GroupJ$. \item In the Merkle path validity check, each \merkleLayer does \emph{not} check that its input bit sequence is a canonical encoding (in $\range{0}{\ParamS{r}-1}$) of the integer from the previous \merkleLayer. 
@@ -5815,8 +6071,8 @@ For details of the form and encoding of \spendStatement proofs, see \crossref{gr small order. However, this \emph{is} checked outside the \spendStatement, as specified in \crossref{spenddesc}. \item It is \emph{not} checked that $\ValueCommitRandOld{} < \ParamJ{r}$ or that $\NoteCommitRandOld{} < \ParamJ{r}$. - \item $\SpendAuthSigRandomizePublic(\AuthSignRandomizer, \AuthSignPublic) = \AuthSignPublic + \scalarmult{\AuthSignRandomizer}{\AuthSignBaseSapling}$. - ($\AuthSignBaseSapling$ is as defined in \crossref{concretespendauthsig}.) + \item $\SpendAuthSigRandomizePublic(\AuthSignRandomizer, \AuthSignPublic) = \AuthSignPublic + \scalarmult{\AuthSignRandomizer}{\AuthSignBase{Sapling}}$. + ($\AuthSignBase{Sapling}$ is as defined in \crossref{concretespendauthsig}.) \end{pnotes} } %sapling @@ -5825,10 +6081,10 @@ For details of the form and encoding of \spendStatement proofs, see \crossref{gr \introsection \lsubsubsection{Output Statement (\SaplingText)}{outputstatement} -Let $\MerkleHashLengthSapling$ and $\ScalarLengthSapling$ be +Let $\MerkleHashLength{Sapling}$ and $\ScalarLength{Sapling}$ be as defined in \crossref{constants}. -Let $\ValueCommitAlg$ and $\NoteCommitSaplingAlg$ be as specified in \crossref{abstractcommit}. +Let $\ValueCommitAlg{Sapling}$ and $\NoteCommitAlg{Sapling}$ be as specified in \crossref{abstractcommit}. Let $\GroupJ$, $\reprJ$, and $\ParamJ{h}$ be as defined in \crossref{jubjub}. @@ -5837,7 +6093,7 @@ A valid instance of an \defining{\outputStatement}, $\ProofOutput$, assures that \begin{formulae} \item $\oparen\cvNew{} \typecolon \ValueCommitOutput,\\ - \hparen\cmU \typecolon \MerkleHashSapling,\\ + \hparen\cmU \typecolon \MerkleHash{Sapling},\\ \hparen\EphemeralPublic \typecolon \GroupJ\cparen$, \end{formulae} 
@@ -5849,16 +6105,16 @@ the prover knows an \auxiliaryInput: \item $(\DiversifiedTransmitBase \typecolon \GroupJ,\\[0.5ex] \hparen\DiversifiedTransmitPublicRepr \typecolon \ReprJ,\\ \hparen\vNew{} \typecolon \ValueType,\\ - \hparen\ValueCommitRandNew{} \typecolon \binaryrange{\ScalarLengthSapling},\\ - \hparen\NoteCommitRandNew{} \typecolon \binaryrange{\ScalarLengthSapling},\\ - \hparen\EphemeralPrivate \typecolon \binaryrange{\ScalarLengthSapling})$ + \hparen\ValueCommitRandNew{} \typecolon \binaryrange{\ScalarLength{Sapling}},\\ + \hparen\NoteCommitRandNew{} \typecolon \binaryrange{\ScalarLength{Sapling}},\\ + \hparen\EphemeralPrivate \typecolon \binaryrange{\ScalarLength{Sapling}})$ \end{formulae} \vspace{-1ex} such that the following conditions hold: \vspace{1ex} \snarkcondition{Note commitment integrity}{outputnotecommitmentintegrity} -$\cmU = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRandNew{}}(\DiversifiedTransmitBaseRepr, +$\cmU = \ExtractJ\big(\NoteCommit{Sapling}{\NoteCommitRandNew{}}(\DiversifiedTransmitBaseRepr, \DiversifiedTransmitPublicRepr, \vNew{})\kern-0.12em\big)$, where $\DiversifiedTransmitBaseRepr = \reprJ\Of{\DiversifiedTransmitBase}$\,. @@ -5882,7 +6138,7 @@ For details of the form and encoding of \outputStatement proofs, see \crossref{g see \crossref{ccteddecompressvalidate}, for required validity checks on compressed representations of \jubjubCurve points. - The $\ValueCommitOutput$ type also represents points, i.e. $\GroupJ$. + The $\ValueCommitOutput{Sapling}$ type also represents points, i.e. $\GroupJ$. \item The validity of $\DiversifiedTransmitPublicRepr$ is \emph{not} checked in this circuit. \item It is \emph{not} checked that $\ValueCommitRandOld{} < \ParamJ{r}$ or that $\NoteCommitRandOld{} < \ParamJ{r}$. \end{pnotes} 
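Review bot: In the Output statement's primary input, `\item $\oparen\cvNew{} \typecolon \ValueCommitOutput,\\` is left untouched while the adjacent line is migrated to `\MerkleHash{Sapling}`. Elsewhere in this patch `\ValueCommitOutput` is used with a protocol argument (`\ValueCommitOutput{Sapling}` in the Spend statement and in the pnote of this very section), so if the macro now takes a mandatory argument this bare use will swallow the following `,` and typeset incorrectly. The line should read `\item $\oparen\cvNew{} \typecolon \ValueCommitOutput{Sapling},\\`. The `formulae` environment it sits in is otherwise complete within the hunk.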
@@ -5893,13 +6149,13 @@ For details of the form and encoding of \outputStatement proofs, see \crossref{g \lsubsubsection{Action Statement (\OrchardText)}{actionstatement} \vspace{-1ex} -Let $\MerkleHashLengthOrchard$ and $\ScalarLengthOrchard$ be as defined in \crossref{constants}. +Let $\MerkleHashLength{Orchard}$ and $\ScalarLength{Orchard}$ be as defined in \crossref{constants}. \vspace{-0.5ex} -Let $\ValueCommitAlg$ and $\NoteCommitOrchardAlg$ be as specified in \crossref{abstractcommit}. +Let $\ValueCommitAlg{Orchard}$ and $\NoteCommitAlg{Orchard}$ be as specified in \crossref{abstractcommit}. \vspace{-0.5ex} -Let $\SpendAuthSig$ be as defined in \crossref{concretespendauthsig}. +Let $\SpendAuthSig{Orchard}$ be as defined in \crossref{concretespendauthsig}. \vspace{-0.5ex} Let $\GroupP$, $\GroupPstar$, $\reprPstar$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}. @@ -5910,11 +6166,11 @@ A valid instance of a \defining{\actionStatement}, $\ProofAction$, assures that \vspace{-1ex} \begin{formulae} - \item $\oparen\rt \typecolon \MerkleHashOrchard,\\ - \hparen\cvBalance{} \typecolon \ValueCommitOutput,\\ + \item $\oparen\rt \typecolon \MerkleHash{Orchard},\\ + \hparen\cvNet{} \typecolon \ValueCommitOutput{Orchard},\\ \hparen\nfOld{} \typecolon \PRFOutputNfOrchard,\\ - \hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic,\\ - \hparen\cmX \typecolon \MerkleHashOrchard,\\ + \hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic{Orchard},\\ + \hparen\cmX \typecolon \MerkleHash{Orchard},\\ \hparen\EphemeralPublic \typecolon \GroupPstar\cparen$, \end{formulae} 
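Review bot: The last pnote of the Output statement, `\item It is \emph{not} checked that $\ValueCommitRandOld{} < \ParamJ{r}$ or that $\NoteCommitRandOld{} < \ParamJ{r}$.`, names witnesses this statement does not have; its auxiliary input (previous hunk) declares $\ValueCommitRandNew{}$ and $\NoteCommitRandNew{}$. This is an unchanged context line, but since the commit is reworking exactly this family of pnotes it is the right moment to fix it: `\item It is \emph{not} checked that $\ValueCommitRandNew{} < \ParamJ{r}$ or that $\NoteCommitRandNew{} < \ParamJ{r}$.` The caveat matters for implementers because it identifies which circuit inputs are not range-constrained, so pointing at the wrong variables is actively misleading.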
@@ -5924,44 +6180,44 @@ the prover knows an \auxiliaryInput: \vspace{-1ex} \begin{formulae} - \item $\oparen\TreePath{} \typecolon \typeexp{\MerkleHash}{\MerkleDepthOrchard},\\ - \hparen\NotePosition \typecolon \NotePositionTypeOrchard,\vspace{0.4ex}\\ + \item $\oparen\TreePath{} \typecolon \typeexp{\MerkleHash{Orchard}}{\MerkleDepth{Orchard}},\\ + \hparen\NotePosition \typecolon \NotePositionType{Orchard},\vspace{0.4ex}\\ \hparen\DiversifiedTransmitBaseOld \typecolon \GroupPstar,\\ \hparen\DiversifiedTransmitPublicOld \typecolon \GroupPstar,\vspace{0.6ex}\\ \hparen\vOld{} \typecolon \ValueType,\\ \hparen\cmOld{} \typecolon \GroupPstar,\\ - \hparen\NoteCommitRandOld{} \typecolon \binaryrange{\ScalarLengthOrchard},\\ - \hparen\AuthSignRandomizer \typecolon \binaryrange{\ScalarLengthOrchard},\\ - \hparen\AuthSignPublic \typecolon \SpendAuthSigPublic,\\ + \hparen\NoteCommitRandOld{} \typecolon \binaryrange{\ScalarLength{Orchard}},\\ + \hparen\AuthSignRandomizer \typecolon \binaryrange{\ScalarLength{Orchard}},\\ + \hparen\AuthSignPublic \typecolon \SpendAuthSigPublic{Orchard},\\ \hparen\DiversifiedTransmitBaseNew \typecolon \GroupPstar,\\[0.5ex] \hparen\DiversifiedTransmitPublicNewRepr \typecolon \ReprPstar,\\ \hparen\vNew{} \typecolon \ValueType,\\ - \hparen\NoteCommitRandNew{} \typecolon \binaryrange{\ScalarLengthOrchard},\\ - \hparen\EphemeralPrivate \typecolon \binaryrange{\ScalarLengthOrchard},\\ - \hparen\ValueCommitRand{} \typecolon \binaryrange{\ScalarLengthOrchard}\cparen$ + \hparen\NoteCommitRandNew{} \typecolon \binaryrange{\ScalarLength{Orchard}},\\ + \hparen\EphemeralPrivate \typecolon \binaryrange{\ScalarLength{Orchard}},\\ + \hparen\ValueCommitRand{} \typecolon \binaryrange{\ScalarLength{Orchard}}\cparen$ \end{formulae} \vspace{-1.5ex} such that the following conditions hold: \vspace{0.5ex} \snarkcondition{Old note commitment integrity}{actionoldnotecommitmentintegrity} -$\cmOld{} = 
\NoteCommitOrchard{\NoteCommitRandOld{}}(\reprPstar\Of{\DiversifiedTransmitBaseOld}, +$\cmOld{} = \NoteCommit{Orchard}{\NoteCommitRandOld{}}(\reprPstar\Of{\DiversifiedTransmitBaseOld}, \reprPstar\Of{\DiversifiedTransmitPublicOld}, \vOld{})$. \snarkcondition{Merkle path validity}{actionmerklepathvalidity} -Either $\vOld{} = 0$; or $(\TreePath{}, \NotePosition)$ is a valid \merklePath of depth $\MerkleDepthOrchard$, +Either $\vOld{} = 0$; or $(\TreePath{}, \NotePosition)$ is a valid \merklePath of depth $\MerkleDepth{Orchard}$, as defined in \crossref{merklepath}, from $\cmOld{}$ to the \anchor $\rt$. \snarkcondition{Value commitment integrity}{actionvaluecommitmentintegrity} -$\cvBalance{} = \ValueCommit{\ValueCommitRandOld{}}(\vOld{} - \vNew{})$. +$\cvNet{} = \ValueCommit{\ValueCommitRandOld{}}(\vOld{} - \vNew{})$. \snarkcondition{Non-zero point checks}{actionnonzero} $\DiversifiedTransmitBaseOld$ and $\DiversifiedTransmitBaseNew$ and $\AuthSignPublic$ are not $\ZeroP$. \todo{express this in the type} \snarkcondition{Nullifier integrity}{actionnullifierintegrity} -$\nfOld{} = \scalarmult{(\PRFnfOrchard{\NullifierKeyRepr}(\NoteAddressRandRepr) + \psi) \bmod \ParamP{q}}{\NullifierBaseOrchard} + \cmOld{}$. +$\nfOld{} = \scalarmult{(\PRFnfOrchard{\NullifierKeyRepr}(\NoteAddressRandRepr) + \uppsi) \bmod \ParamP{q}}{\NullifierBaseOrchard} + \cmOld{}$. \snarkcondition{Spend authority}{actionspendauthority} $\AuthSignRandomizedPublic = \SpendAuthSigRandomizePublic(\AuthSignRandomizer, \AuthSignPublic)$. 
@@ -5977,9 +6233,9 @@ $\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBas \vspace{1ex} \snarkcondition{New note commitment integrity}{actionnewnotecommitmentintegrity} -$\cmU = \ExtractP\big(\NoteCommitOrchard{\NoteCommitRandNew{}}(\DiversifiedTransmitBaseNewRepr, - \DiversifiedTransmitPublicNewRepr, - \vNew{})\kern-0.12em\big)$, +$\cmU = \ExtractP\big(\NoteCommit{Orchard}{\NoteCommitRandNew{}}(\DiversifiedTransmitBaseNewRepr, + \DiversifiedTransmitPublicNewRepr, + \vNew{})\kern-0.12em\big)$, where $\DiversifiedTransmitBaseNewRepr = \reprJ\Of{\DiversifiedTransmitBaseNew}$\,. @@ -5994,7 +6250,8 @@ For details of the form and encoding of \actionStatement proofs, see \crossref{h see \crossref{cctswdecompressvalidate}, for required validity checks on compressed representations of \pallasCurve points. - The $\ValueCommitOutput$ and $\SpendAuthSigPublic$ types also represent points, i.e. $\GroupP$. + The $\ValueCommitOutput{Orchard}$ and $\SpendAuthSigPublic{Orchard}$ types also represent points, + i.e.\ $\GroupP$. \item In the Merkle path validity check, each \merkleLayer does \emph{not} check that its input bit sequence is a canonical encoding (in $\range{0}{\ParamP{r}-1}$) of the integer from the previous \merkleLayer. 
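Review bot: The Action statement's conditions reference witnesses that its auxiliary input does not declare. The value commitment condition `$\cvNet{} = \ValueCommit{\ValueCommitRandOld{}}(\vOld{} - \vNew{})$` uses `\ValueCommitRandOld{}` while the auxiliary input lists `\ValueCommitRand{}`, and it omits the protocol argument that `\ValueCommitAlg{Orchard}` now carries, so it should read `$\cvNet{} = \ValueCommit{Orchard}{\ValueCommitRand{}}(\vOld{} - \vNew{})$`. Likewise the nullifier condition uses `\NullifierKeyRepr`, `\NoteAddressRandRepr` and `\uppsi`, but unlike the Sapling Spend statement there is no `\AuthProvePrivate` from which $\NullifierKey$ is derived in-circuit (the delegation note earlier in this patch says the Orchard prover needs $\NullifierKey$ directly), so $\NullifierKey$, $\NoteAddressRand$ and $\uppsi$ need to be added to the auxiliary input with their types and the condition should state how the two `Repr` values are formed from them. Finally, the Merkle path condition takes the leaf as `\cmOld{}` (a point in $\GroupPstar$) whereas the new-note condition produces an extracted $\MerkleHash{Orchard}$ value; if the Orchard tree stores extracted coordinates as Sapling's does with `\cmU = \ExtractJ(\cmOld{})`, the leaf here should presumably be `\ExtractP(\cmOld{})` (that part of the line is unchanged context).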
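Review bot: The rewritten new-note commitment condition assigns `$\cmU = \ExtractP\big(\NoteCommit{Orchard}...$`, but the Action statement's primary input names the output commitment `\cmX \typecolon \MerkleHash{Orchard}`, so the condition constrains a variable that is not in the statement. The `where` clause on the unchanged following line also computes `\DiversifiedTransmitBaseNewRepr = \reprJ\Of{\DiversifiedTransmitBaseNew}` although `\DiversifiedTransmitBaseNew` is declared as a Pallas point in $\GroupPstar$; both look carried over from the Sapling Output statement. I would change the two lines to `$\cmX = \ExtractP\big(\NoteCommit{Orchard}{\NoteCommitRandNew{}}(\DiversifiedTransmitBaseNewRepr, \DiversifiedTransmitPublicNewRepr, \vNew{})\kern-0.12em\big)$,` and `where $\DiversifiedTransmitBaseNewRepr = \reprPstar\Of{\DiversifiedTransmitBaseNew}$\,.`.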
@@ -6002,8 +6259,8 @@ For details of the form and encoding of \actionStatement proofs, see \crossref{h is not the zero point. \item It is \emph{not} checked that $\ValueCommitRand{} < \ParamP{r}$ or that $\NoteCommitRandOld{} < \ParamP{r}$ or that $\NoteCommitRandNew{} < \ParamP{r}$. - \item $\SpendAuthSigRandomizePublic(\AuthSignRandomizer, \AuthSignPublic) = \AuthSignPublic + \scalarmult{\AuthSignRandomizer}{\AuthSignBaseSapling}$. - ($\AuthSignBaseSapling$ is as defined in \crossref{concretespendauthsig}.) + \item $\SpendAuthSigRandomizePublic(\AuthSignRandomizer, \AuthSignPublic) = \AuthSignPublic + \scalarmult{\AuthSignRandomizer}{\AuthSignBase{Orchard}}$. + ($\AuthSignBase{Orchard}$ is as defined in \crossref{concretespendauthsig}.) \item The validity of $\DiversifiedTransmitPublicRepr$ is \emph{not} checked in this circuit. \end{pnotes} } %orchard @@ -6031,8 +6288,8 @@ For both encryption and decryption, \begin{itemize} \item let $\Sym$ be the scheme instantiated in \crossref{concretesym}; - \item let $\KDFSprout$ be the \keyDerivationFunction instantiated in \crossref{concretesproutkdf}; - \item let $\KASprout$ be the \keyAgreementScheme instantiated in \crossref{concretesproutkeyagreement}; + \item let $\KDF{Sprout}$ be the \keyDerivationFunction instantiated in \crossref{concretesproutkdf}; + \item let $\KA{Sprout}$ be the \keyAgreementScheme instantiated in \crossref{concretesproutkeyagreement}; \item let $\hSig$ be the value computed for this \joinSplitDescription in \crossref{joinsplitdesc}. \end{itemize} @@ -6040,7 +6297,7 @@ For both encryption and decryption, \vspace{-2ex} \lsubsubsection{Encryption\pSproutOrNothingText}{sproutencrypt} -Let $\KASprout$ be the \keyAgreementScheme instantiated in \crossref{concretesproutkeyagreement}. +Let $\KA{Sprout}$ be the \keyAgreementScheme instantiated in \crossref{concretesproutkeyagreement}. Let $\TransmitPublicSub{\allNew}$ be the \transmissionKeys for the intended recipient addresses of each new \note. 
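Review bot: The Action statement's pnote `\item The validity of $\DiversifiedTransmitPublicRepr$ is \emph{not} checked in this circuit.` refers to a name that does not appear in this statement; the witness is `\DiversifiedTransmitPublicNewRepr` (auxiliary input in the earlier hunk). Since the line sits between two lines this commit rewrites for Orchard, it should be updated alongside them to `\item The validity of $\DiversifiedTransmitPublicNewRepr$ is \emph{not} checked in this circuit.` This note is the one that tells implementers which encoded input is accepted unvalidated by the circuit, so the name must match the statement.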
@@ -6054,14 +6311,14 @@ Then to encrypt: \begin{itemize} \changed{ - \item Generate a new $\KASprout$ (public, private) key pair + \item Generate a new $\KA{Sprout}$ (public, private) key pair $(\EphemeralPublic, \EphemeralPrivate)$. \item For $i \in \setofNew$, \begin{itemize} \item Let $\TransmitPlaintext{i}$ be the \rawEncoding of $\NotePlaintext{i}$. - \item Let $\DHSecret{i} := \KASproutAgree(\EphemeralPrivate, + \item Let $\DHSecret{i} := \KAAgree{Sprout}(\EphemeralPrivate, \TransmitPublicSub{i})$. - \item Let $\TransmitKey{i} := \KDFSprout(i, \hSig, \DHSecret{i}, \EphemeralPublic, + \item Let $\TransmitKey{i} := \KDF{Sprout}(i, \hSig, \DHSecret{i}, \EphemeralPublic, \TransmitPublicSub{i})$. \item Let $\TransmitCiphertext{i} := \SymEncrypt{\TransmitKey{i}}(\TransmitPlaintext{i})$. @@ -6099,8 +6356,8 @@ component $(\EphemeralPublic, \TransmitCiphertext{i})$ as follows: \changed{ \begin{formulae} \vspace{-0.5ex} - \item let $\DHSecret{i} = \KASproutAgree(\TransmitPrivate, \EphemeralPublic)$ - \item let $\TransmitKey{i} = \KDFSprout(i, \hSig, \DHSecret{i}, \EphemeralPublic, + \item let $\DHSecret{i} = \KAAgree{Sprout}(\TransmitPrivate, \EphemeralPublic)$ + \item let $\TransmitKey{i} = \KDF{Sprout}(i, \hSig, \DHSecret{i}, \EphemeralPublic, \TransmitPublic)$ \item return $\DecryptNoteSprout(\TransmitKey{i}, \TransmitCiphertext{i}, \cm_i, \AuthPublic).$ 
@@ -6117,9 +6374,9 @@ is defined as follows: \item extract $\NotePlaintext{i} = (\NotePlaintextLeadByte_i \typecolon \byte, \Value_i \typecolon \ValueType, \NoteAddressRand_i \typecolon \PRFOutputSprout, -\NoteCommitRand_i \typecolon \NoteCommitSproutTrapdoor, +\NoteCommitRand_i \typecolon \NoteCommitTrapdoor{Sprout}, \Memo_i \typecolon \MemoType)$ from $\TransmitPlaintext{i}$ - \item if $\NotePlaintextLeadByte_i \neq \hexint{00}$ or $\NoteCommitmentSprout((\AuthPublic, \Value_i, \NoteAddressRand_i, + \item if $\NotePlaintextLeadByte_i \neq \hexint{00}$ or $\NoteCommitment{Sprout}((\AuthPublic, \Value_i, \NoteAddressRand_i, \NoteCommitRand_i)) \neq \cm_i$, return $\bot$, else return $\NotePlaintext{i}$. \end{formulae} } @@ -6167,8 +6424,8 @@ For both encryption and decryption, \begin{itemize} \item let $\OutViewingKeyLength$ be as defined in \crossref{constants}; \item let $\Sym$ be the scheme instantiated in \crossref{concretesym}; - \item let $\KDFSapling$ be the \keyDerivationFunction instantiated in \crossref{concretesaplingkdf}; - \item let $\KASapling$ be the \keyAgreementScheme instantiated in \crossref{concretesaplingkeyagreement}; + \item let $\KDF{Sapling}$ be the \keyDerivationFunction instantiated in \crossref{concretesaplingkdf}; + \item let $\KA{Sapling}$ be the \keyAgreementScheme instantiated in \crossref{concretesaplingkeyagreement}; \item let $\ellJ$ and $\reprJ$ be as defined in \crossref{jubjub}; \item let $\ExtractJ$ be as defined in \crossref{concreteextractorjubjub}; \vspace{-0.5ex} 
@@ -6180,10 +6437,10 @@ For both encryption and decryption, \sapling{ \extralabel{saplingencrypt}{\lsubsubsection{Encryption (\SaplingAndOrchardText)}{saplingandorchardencrypt}} -Let $\DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeSubgroup$ be the +Let $\DiversifiedTransmitPublic \typecolon \KAPublicPrimeSubgroup{Sapling}$ be the \diversifiedTransmissionKey for the intended recipient address of a new \Sapling{} \note, -and let $\DiversifiedTransmitBase \typecolon \KASaplingPublicPrimeSubgroup$ be the corresponding -\diversifiedBase computed as $\DiversifyHashSapling(\Diversifier)$. +and let $\DiversifiedTransmitBase \typecolon \KAPublicPrimeSubgroup{Sapling}$ be the corresponding +\diversifiedBase computed as $\DiversifyHash{Sapling}(\Diversifier)$. Since \SaplingAndOrchard{} \note encryption is used only in the context of \crossref{saplingororchardsend}, we may assume that $\DiversifiedTransmitBase$ has already been @@ -6208,12 +6465,12 @@ Then to encrypt: \begin{algorithm} \vspace{-0.5ex} \item let $\TransmitPlaintext{}$ be the \rawEncoding of $\NotePlaintext{}$ - \item let $\EphemeralPublic = \KASaplingDerivePublic(\EphemeralPrivate, \DiversifiedTransmitBase)$ + \item let $\EphemeralPublic = \KADerivePublic{Sapling}(\EphemeralPrivate, \DiversifiedTransmitBase)$ \vspace{0.3ex} \item let $\ephemeralKey = \LEBStoOSPOf{\ellJ}{\reprJ\Of{\EphemeralPublic}\kern 0.03em}$ \vspace{-0.5ex} - \item let $\DHSecret{} = \KASaplingAgree(\EphemeralPrivate, \DiversifiedTransmitPublic)$ - \item let $\TransmitKey{} = \KDFSapling(\DHSecret{}, \ephemeralKey)$ + \item let $\DHSecret{} = \KAAgree{Sapling}(\EphemeralPrivate, \DiversifiedTransmitPublic)$ + \item let $\TransmitKey{} = \KDF{Sapling}(\DHSecret{}, \ephemeralKey)$ \item let $\TransmitCiphertext{} = \SymEncrypt{\TransmitKey{}}(\TransmitPlaintext{})$ \item if $\OutViewingKey = \bot$: \item \tab choose random $\OutCipherKey \leftarrowR \Keyspace$ and $\OutPlaintext \leftarrowR \byteseq{(\ellJ + 256)/8}$ 
@@ -6245,7 +6502,7 @@ received out-of-band, which are not addressed in this document. \sapling{ \lsubsubsection{Decryption using an Incoming Viewing Key (\SaplingAndOrchardText)}{saplingdecryptivk} -Let $\InViewingKey \typecolon \InViewingKeyTypeSapling$ be the recipient's \incomingViewingKey, +Let $\InViewingKey \typecolon \InViewingKeyType{Sapling}$ be the recipient's \incomingViewingKey, as specified in \crossref{saplingkeycomponents}. Let $(\ephemeralKey, \TransmitCiphertext{}, \OutCiphertext)$ be the \noteCiphertextSapling from the @@ -6265,8 +6522,8 @@ components of the \noteCiphertextSapling as follows: \vspace{-0.5ex} \item let $\EphemeralPublic = \abstJ\Of{\ephemeralKey}$ \item if $\EphemeralPublic = \bot$, return $\bot$ - \item let $\DHSecret{} = \KASaplingAgree(\InViewingKey, \EphemeralPublic)$ - \item let $\TransmitKey{} = \KDFSapling(\DHSecret{}, \ephemeralKey)$ + \item let $\DHSecret{} = \KAAgree{Sapling}(\InViewingKey, \EphemeralPublic)$ + \item let $\TransmitKey{} = \KDF{Sapling}(\DHSecret{}, \ephemeralKey)$ \item let $\TransmitPlaintext{} = \SymDecrypt{\TransmitKey{}}(\TransmitCiphertext{})$ \vspace{-0.25ex} \item if $\TransmitPlaintext{} = \bot$, return $\bot$ 
@@ -6280,20 +6537,20 @@ from $\TransmitPlaintext{}$ \vspace{-0.25ex} \canopyonwarditem{let $\NoteCommitRandBytes = \begin{cases} \NoteSeedBytes,&\caseif \NotePlaintextLeadByte = \hexint{01} \\ - \ToScalar\big(\PRFexpand{\NoteSeedBytes}([5])\kern-0.11em\big),&\caseotherwise + \ToScalar{}\big(\PRFexpand{\NoteSeedBytes}([5])\kern-0.11em\big),&\caseotherwise \end{cases}$} \item let $\NoteCommitRand = \LEOStoIPOf{256}{\NoteCommitRandBytes}$ - and $\DiversifiedTransmitBase = \DiversifyHashSapling(\Diversifier)$ + and $\DiversifiedTransmitBase = \DiversifyHash{Sapling}(\Diversifier)$ \item if $\NoteCommitRand \geq \ParamJ{r}$ or $\DiversifiedTransmitBase = \bot$, return $\bot$ \canopyonwarditem{if $\NotePlaintextLeadByte \neq \hexint{01}$:} \canopy{ - \item \tab $\EphemeralPrivate = \ToScalar\big(\PRFexpand{\NoteSeedBytes}([4])\kern-0.11em\big)$ - \item \tab if $\reprJ\big(\KASaplingDerivePublic(\EphemeralPrivate, \DiversifiedTransmitBase)\kern-0.12em\big) \neq \ephemeralKey$, + \item \tab $\EphemeralPrivate = \ToScalar{}\big(\PRFexpand{\NoteSeedBytes}([4])\kern-0.11em\big)$ + \item \tab if $\reprJ\big(\KADerivePublic{Sapling}(\EphemeralPrivate, \DiversifiedTransmitBase)\kern-0.12em\big) \neq \ephemeralKey$, return $\bot$ \item \blank } - \item let $\DiversifiedTransmitPublic = \KASaplingDerivePublic(\InViewingKey, \DiversifiedTransmitBase)$ - \item let $\cmU' = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase}, + \item let $\DiversifiedTransmitPublic = \KADerivePublic{Sapling}(\InViewingKey, \DiversifiedTransmitBase)$ + \item let $\cmU' = \ExtractJ\big(\NoteCommit{Sapling}{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase}, \reprJ\Of{\DiversifiedTransmitPublic}, \Value)\kern-0.12em\big)$. \item if $\LEBStoOSPOf{256}{\cmU'} \neq \cmuField$, return $\bot$ 
@@ -6304,9 +6561,9 @@ from $\TransmitPlaintext{}$ \item As explained in the note in \crossref{jubjub}, $\abstJ$ accepts non-canonical compressed encodings of \jubjubCurve points (specifically, point encodings with $\tilde{u} = 1$ and $v = 0$). Therefore, an implementation \MUST use the original $\ephemeralKey$ field as encoded in the - \transaction as input to $\KDFSapling$\canopy{, and (if \Canopy is active and + \transaction as input to $\KDF{Sapling}$\canopy{, and (if \Canopy is active and $\NotePlaintextLeadByte \neq \hexint{01}$) in the comparison against - $\reprJ\big(\KASaplingDerivePublic(\EphemeralPrivate, \DiversifiedTransmitBase)\kern-0.12em\big)$}. + $\reprJ\big(\KADerivePublic{Sapling}(\EphemeralPrivate, \DiversifiedTransmitBase)\kern-0.12em\big)$}. \item Normally only \noteCiphertextsSapling of \transactions in \blocks need to be decrypted. In that case, any received \Sapling{} \note is necessarily a \positionedNote, and so its $\NoteAddressRand$ value can immediately be calculated as described in \crossref{commitmentsandnullifiers}. @@ -6355,8 +6612,8 @@ The \outgoingViewingKey holder will attempt to decrypt the \noteCiphertextSaplin \item let $\EphemeralPrivate = \LEOStoIPOf{256}{\EphemeralPrivateBytes}$ and $\DiversifiedTransmitPublic = \abstJ\Of{\DiversifiedTransmitPublicRepr}$ \item if $\EphemeralPrivate \geq \ParamJ{r}$, return $\bot$ - \item let $\DHSecret{} = \KASaplingAgree(\EphemeralPrivate, \DiversifiedTransmitPublic)$ - \item let $\TransmitKey{} = \KDFSapling(\DHSecret{}, \ephemeralKey)$ + \item let $\DHSecret{} = \KAAgree{Sapling}(\EphemeralPrivate, \DiversifiedTransmitPublic)$ + \item let $\TransmitKey{} = \KDF{Sapling}(\DHSecret{}, \ephemeralKey)$ \item let $\TransmitPlaintext{} = \SymDecrypt{\TransmitKey{}}(\TransmitCiphertext{})$ \vspace{-0.25ex} \item if $\TransmitPlaintext{} = \bot$, return $\bot$ 
@@ -6368,19 +6625,19 @@ from $\TransmitPlaintext{}$ \canopyonwarditem{if $\BlockHeight < \CanopyActivationHeight + \ZIPTwoOneTwoGracePeriod \text{ and } \NotePlaintextLeadByte \not\in \setof{\hexint{01}, \hexint{02}}$, return $\bot$} \canopyonwarditem{if $\BlockHeight \geq \CanopyActivationHeight + \ZIPTwoOneTwoGracePeriod \text{ and } \NotePlaintextLeadByte \neq \hexint{02}$, return $\bot$} \vspace{-0.25ex} - \canopyonwarditem{if $\NotePlaintextLeadByte \neq \hexint{01}$ and $\ToScalar\big(\PRFexpand{\NoteSeedBytes}([4])\kern-0.11em\big) \neq \EphemeralPrivate$, return $\bot$} + \canopyonwarditem{if $\NotePlaintextLeadByte \neq \hexint{01}$ and $\ToScalar{}\big(\PRFexpand{\NoteSeedBytes}([4])\kern-0.11em\big) \neq \EphemeralPrivate$, return $\bot$} \canopyonwarditem{let $\NoteCommitRandBytes = \begin{cases} \NoteSeedBytes,&\caseif \NotePlaintextLeadByte = \hexint{01} \\ - \ToScalar\big(\PRFexpand{\NoteSeedBytes}([5])\kern-0.11em\big),&\caseotherwise + \ToScalar{}\big(\PRFexpand{\NoteSeedBytes}([5])\kern-0.11em\big),&\caseotherwise \end{cases}$} \item let $\NoteCommitRand = \LEOStoIPOf{256}{\NoteCommitRandBytes}$ - and $\DiversifiedTransmitBase = \DiversifyHashSapling(\Diversifier)$ + and $\DiversifiedTransmitBase = \DiversifyHash{Sapling}(\Diversifier)$ \item if $\NoteCommitRand \geq \ParamJ{r}$ or $\DiversifiedTransmitBase = \bot$, return $\bot$ - \item let $\cmU' = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase}, + \item let $\cmU' = \ExtractJ\big(\NoteCommit{Sapling}{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase}, \reprJ\Of{\DiversifiedTransmitPublic}, \Value)\kern-0.12em\big)$ \item if $\LEBStoOSPOf{256}{\cmU'} \neq \cmuField$, return $\bot$ - \item if $\reprJ\big(\KASaplingDerivePublic(\EphemeralPrivate, \DiversifiedTransmitBase)\kern-0.12em\big) \neq \ephemeralKey$, + \item if $\reprJ\big(\KADerivePublic{Sapling}(\EphemeralPrivate, \DiversifiedTransmitBase)\kern-0.12em\big) \neq \ephemeralKey$, return $\bot$ \item 
return $\NotePlaintext{}$. \end{algorithm} @@ -6389,8 +6646,8 @@ from $\TransmitPlaintext{}$ \item As explained in the note in \crossref{jubjub}, $\abstJ$ accepts non-canonical compressed encodings of \jubjubCurve points (specifically, point encodings with $\tilde{u} = 1$ and $v = 0$). Therefore, an implementation \MUST use the original $\ephemeralKey$ field as encoded in the - \transaction as input to $\PRFock{}$ and $\KDFSapling$, and in the comparison against - $\reprJ\big(\KASaplingDerivePublic(\EphemeralPrivate, \DiversifiedTransmitBase)\kern-0.12em\big)$. + \transaction as input to $\PRFock{}$ and $\KDF{Sapling}$, and in the comparison against + $\reprJ\big(\KADerivePublic{Sapling}(\EphemeralPrivate, \DiversifiedTransmitBase)\kern-0.12em\big)$. \vspace{-0.5ex} \item $\DiversifiedTransmitPublicRepr$ can also be non-canonical. The decoded point $\DiversifiedTransmitPublic$ is \emph{not} checked to be in the subgroup $\SubgroupJ$. @@ -6407,8 +6664,8 @@ and that in \crossref{saplingdecryptivk}. \canopy{In particular: \item in this procedure, the ephemeral \privateKey $\EphemeralPrivate'$ derived from $\NoteSeedBytes$ is checked to be identical to that obtained from $\OutPlaintext$ (when $\NotePlaintextLeadByte \neq \hexint{01}$); \item in this procedure, $\DiversifiedTransmitPublic$ is obtained from $\OutPlaintext$ - rather than being derived as $\KASaplingDerivePublic(\InViewingKey, \DiversifiedTransmitBase)$; - \item in this procedure, the check that $\KASaplingDerivePublic(\EphemeralPrivate, \DiversifiedTransmitBase) = \EphemeralPublic$ + rather than being derived as $\KADerivePublic{Sapling}(\InViewingKey, \DiversifiedTransmitBase)$; + \item in this procedure, the check that $\KADerivePublic{Sapling}(\EphemeralPrivate, \DiversifiedTransmitBase) = \EphemeralPublic$ is unconditional rather than being dependent on $\NotePlaintextLeadByte \neq \hexint{01}$, and it uses the $\EphemeralPrivate$ obtained from $\OutPlaintext$. \end{itemize} 
@@ -6421,9 +6678,9 @@ and that in \crossref{saplingdecryptivk}. \canopy{In particular: Let $\PRFOutputLengthSprout$ be as defined in \crossref{constants}. -Let $\NoteTypeSprout$ be as defined in \crossref{notes}. +Let $\NoteType{Sprout}$ be as defined in \crossref{notes}. -Let $\KASprout$ be as defined in \crossref{concretesproutkeyagreement}. +Let $\KA{Sprout}$ be as defined in \crossref{concretesproutkeyagreement}. \vspace{1ex} \introsection @@ -6433,15 +6690,15 @@ to the corresponding \paymentAddress, its \memo field, and its final status (spent or unspent). \vspace{1ex} -Let $\InViewingKey = (\AuthPublic \typecolon \PRFOutputSprout, \TransmitPrivate \typecolon \KASproutPrivate)$ +Let $\InViewingKey = (\AuthPublic \typecolon \PRFOutputSprout, \TransmitPrivate \typecolon \KAPrivate{Sprout})$ be the \incomingViewingKey corresponding to $\AuthPrivate$, and let $\TransmitPublic$ be the associated \transmissionKey, as specified in \crossref{sproutkeycomponents}. \vspace{1ex} \begin{algorithm} - \item let mutable $\ReceivedSet \typecolon \powerset{\NoteTypeSprout \times \MemoType} := \setof{}$ - \item let mutable $\SpentSet \typecolon \powerset{\NoteTypeSprout} := \setof{}$ - \item let mutable $\NullifierMap \typecolon \PRFOutputSprout \rightarrow \NoteTypeSprout :=$ the empty mapping + \item let mutable $\ReceivedSet \typecolon \powerset{\NoteType{Sprout} \times \MemoType} := \setof{}$ + \item let mutable $\SpentSet \typecolon \powerset{\NoteType{Sprout}} := \setof{}$ + \item let mutable $\NullifierMap \typecolon \PRFOutputSprout \rightarrow \NoteType{Sprout} :=$ the empty mapping \vspace{1ex} \item for each \transaction $\tx$: \item \tab for each \joinSplitDescription in $\tx$: 
@@ -6481,22 +6738,22 @@ Typically, these components are derived from a \fullViewingKey as described in \vspace{1ex} Let $\PRFOutputLengthNfSapling$ be as defined in \crossref{constants}. -Let $\NoteTypeSapling$ be as defined in \crossref{notes}. +Let $\NoteType{Sapling}$ be as defined in \crossref{notes}. -Let $\KASapling$ be as defined in \crossref{concretesaplingkeyagreement}. +Let $\KA{Sapling}$ be as defined in \crossref{concretesaplingkeyagreement}. \introsection \vspace{1ex} The following algorithm can be used, given the \blockChain and -$(\NullifierKey \typecolon \SubgroupJ, \InViewingKey \typecolon \InViewingKeyTypeSapling)$, +$(\NullifierKey \typecolon \SubgroupJ, \InViewingKey \typecolon \InViewingKeyType{Sapling})$, to obtain each \note sent to the corresponding \paymentAddress, its \memo field, and its final status (spent or unspent). \vspace{1ex} \begin{algorithm} - \item let mutable $\ReceivedSet \typecolon \powerset{\NoteTypeSapling \times \MemoType} := \setof{}$ - \item let mutable $\SpentSet \typecolon \powerset{\NoteTypeSapling} := \setof{}$ - \item let mutable $\NullifierMap \typecolon \PRFOutputNfSapling \rightarrow \NoteTypeSapling :=$ the empty mapping + \item let mutable $\ReceivedSet \typecolon \powerset{\NoteType{Sapling} \times \MemoType} := \setof{}$ + \item let mutable $\SpentSet \typecolon \powerset{\NoteType{Sapling}} := \setof{}$ + \item let mutable $\NullifierMap \typecolon \PRFOutputNfSapling \rightarrow \NoteType{Sapling} :=$ the empty mapping \vspace{1ex} \item for each \transaction $\tx$: \item \tab for each \outputDescription in $\tx$ with \notePosition $\NotePosition$: 
@@ -6602,19 +6859,19 @@ used, the text will clarify their position in each case. Define: \begin{formulae}[itemsep=\sprout{1ex}\notsprout{0.2ex}] - \item $\MerkleDepthSprout \typecolon \Nat := \changed{29}$ + \item $\MerkleDepth{Sprout} \typecolon \Nat := \changed{29}$ \sapling{ - \item $\MerkleDepthSapling \typecolon \Nat := 32$ + \item $\MerkleDepth{Sapling} \typecolon \Nat := 32$ } %sapling \item $\NOld \typecolon \Nat := 2$ \item $\NNew \typecolon \Nat := 2$ \item $\ValueLength \typecolon \Nat := 64$ - \item $\MerkleHashLengthSprout \typecolon \Nat := 256$ + \item $\MerkleHashLength{Sprout} \typecolon \Nat := 256$ \sapling{ - \item $\MerkleHashLengthSapling \typecolon \Nat := 255$ + \item $\MerkleHashLength{Sapling} \typecolon \Nat := 255$ } %sapling \orchard{ - \item $\MerkleHashLengthOrchard \typecolon \Nat := 255$ + \item $\MerkleHashLength{Orchard} \typecolon \Nat := 255$ } %orchard \item $\hSigLength \typecolon \Nat := 256$ \item $\PRFOutputLengthSprout \typecolon \Nat := 256$ 
@@ -6629,19 +6886,19 @@ Define: \sapling{ \item $\SpendingKeyLength \typecolon \Nat := 256$ \item $\DiversifierLength \typecolon \Nat := 88$ - \item $\InViewingKeyLengthSapling \typecolon \Nat := 251$ + \item $\InViewingKeyLength{Sapling} \typecolon \Nat := 251$ \item $\OutViewingKeyLength \typecolon \Nat := 256$ - \item $\ScalarLengthSapling \typecolon \Nat := 252$ + \item $\ScalarLength{Sapling} \typecolon \Nat := 252$ } %sapling \orchard{ - \item $\ScalarLengthOrchard \typecolon \Nat := 254$ + \item $\ScalarLength{Orchard} \typecolon \Nat := 254$ } %orchard - \item $\UncommittedSprout \typecolon \bitseq{\MerkleHashLengthSprout} := \zeros{\MerkleHashLengthSprout}$ + \item $\Uncommitted{Sprout} \typecolon \bitseq{\MerkleHashLength{Sprout}} := \zeros{\MerkleHashLength{Sprout}}$ \sapling{ - \item $\UncommittedSapling \typecolon \bitseq{\MerkleHashLengthSapling} := \ItoLEBSPOf{\MerkleHashLengthSapling}{1}$ + \item $\Uncommitted{Sapling} \typecolon \bitseq{\MerkleHashLength{Sapling}} := \ItoLEBSPOf{\MerkleHashLength{Sapling}}{1}$ } %sapling \orchard{ - \item $\UncommittedOrchard \typecolon \bitseq{\MerkleHashLengthOrchard} := \ItoLEBSPOf{\MerkleHashLengthOrchard}{2}$ + \item $\Uncommitted{Orchard} \typecolon \bitseq{\MerkleHashLength{Orchard}} := \ItoLEBSPOf{\MerkleHashLength{Orchard}}{2}$ } %orchard \item $\MAXMONEY \typecolon \Nat := \changed{2.1 \smult 10^{15}}$ (\zatoshi) \blossom{ @@ -6687,7 +6944,7 @@ Define: SHA-256 and SHA-512 are defined by \cite{NIST2015}. -\Zcash uses the full \defining{\shaHash} \hashFunction to instantiate $\NoteCommitmentSprout$. +\Zcash uses the full \defining{\shaHash} \hashFunction to instantiate $\NoteCommitment{Sprout}$. \begin{formulae} \item $\SHAFull \typecolon \byteseqs \rightarrow \byteseq{32}$ 
@@ -6718,7 +6975,7 @@ The Initial Hash Value is the same as for full \shaHash. \introlist \shaCompress is used to instantiate several \pseudoRandomFunctions and -$\MerkleCRHSprout$. +$\MerkleCRH{Sprout}$. \begin{formulae} \item $\SHACompress \typecolon \bitseq{512} \rightarrow \bitseq{256}$ @@ -6754,13 +7011,13 @@ $16$-byte personalization string $p$, and input $x$. \introlist $\BlakeTwobGeneric$ is used to instantiate $\hSigCRH$, $\EquihashGen{}$, -and $\KDFSprout$. +and $\KDF{Sprout}$. \overwinter{From \Overwinter onward, it is used to compute \sighashTxHashes as specified in \cite{ZIP-143}\sapling{, or as in \cite{ZIP-243} after \Sapling activation}.} \sapling{For \Sapling, it is also used to instantiate $\PRFexpand{}$, -$\PRFock{}$, $\KDFSapling$, and in the $\RedJubjub$ \signatureScheme -which instantiates $\SpendAuthSig$ and $\BindingSig$.} +$\PRFock{}$, $\KDF{Sapling}$, and in the $\RedJubjub$ \signatureScheme +which instantiates $\SpendAuthSig{Sapling}$ and $\BindingSig{Sapling}$.} \begin{formulae} \item $\BlakeTwob{\ell} \typecolon \byteseq{16} \times \byteseqs \rightarrow \byteseq{\ell/8}$ 
@@ -6802,28 +7059,28 @@ and $\GroupJHash{}$. \vspace{-2ex} \sprout{ -$\MerkleCRHSprout$ is used to hash \incrementalMerkleTree \merkleHashes. +$\MerkleCRH{Sprout}$ is used to hash \incrementalMerkleTree \merkleHashes. -$\MerkleCRHSprout \typecolon \MerkleHashSprout \times \MerkleHashSprout \rightarrow \MerkleHashSprout$ +$\MerkleCRH{Sprout} \typecolon \MerkleHash{Sprout} \times \MerkleHash{Sprout} \rightarrow \MerkleHash{Sprout}$ is defined as follows: \begin{formulae} - \item $\MerkleCRHSprout(\mathsf{left}, \mathsf{right}) := \SHACompressBox{\merklebox}$. + \item $\MerkleCRH{Sprout}(\mathsf{left}, \mathsf{right}) := \SHACompressBox{\merklebox}$. \end{formulae} } %sprout \notsprout{ -$\MerkleCRHSprout$ and $\MerkleCRHSapling$ are used to hash +$\MerkleCRH{Sprout}$ and $\MerkleCRH{Sapling}$ are used to hash \incrementalMerkleTree \merkleHashes for \Sprout and \Sapling respectively. \vspace{-2ex} -\lsubsubsubsubsection{$\MerkleCRHSprout$ Hash Function}{sproutmerklecrh} +\lsubsubsubsubsection{$\MerkleCRH{Sprout}$ Hash Function}{sproutmerklecrh} -$\MerkleCRHSprout \typecolon \MerkleLayerSprout \times \MerkleHashSprout \times \MerkleHashSprout -\rightarrow \MerkleHashSprout$ is defined as follows: +$\MerkleCRH{Sprout} \typecolon \MerkleLayer{Sprout} \times \MerkleHash{Sprout} \times \MerkleHash{Sprout} +\rightarrow \MerkleHash{Sprout}$ is defined as follows: \begin{formulae} - \item $\MerkleCRHSprout(\mathsf{layer}, \mathsf{left}, \mathsf{right}) := \SHACompressBox{\merklebox}$. + \item $\MerkleCRH{Sprout}(\mathsf{layer}, \mathsf{left}, \mathsf{right}) := \SHACompressBox{\merklebox}$. \end{formulae} } %notsprout 
@@ -6852,18 +7109,18 @@ byte sequences. \sapling{ \vspace{-2ex} -\lsubsubsubsubsection{$\MerkleCRHSapling$ Hash Function}{saplingmerklecrh} +\lsubsubsubsubsection{$\MerkleCRH{Sapling}$ Hash Function}{saplingmerklecrh} \vspace{-2ex} Let $\PedersenHash$ be as specified in \crossref{concretepedersenhash}. -$\MerkleCRHSapling \typecolon \MerkleLayerSapling \times \MerkleHashSapling \times \MerkleHashSapling -\rightarrow \MerkleHashSapling$ is defined as follows: +$\MerkleCRH{Sapling} \typecolon \MerkleLayer{Sapling} \times \MerkleHash{Sapling} \times \MerkleHash{Sapling} +\rightarrow \MerkleHash{Sapling}$ is defined as follows: \begin{formulae} - \item $\MerkleCRHSapling(\mathsf{layer}, \mathsf{left}, \mathsf{right}) := \PedersenHash(\ascii{Zcash\_PH}, + \item $\MerkleCRH{Sapling}(\mathsf{layer}, \mathsf{left}, \mathsf{right}) := \PedersenHash(\ascii{Zcash\_PH}, l \bconcat \mathsf{left} \bconcat \mathsf{right})$ - \item where $l = \ItoLEBSP{6}\big(\MerkleDepthSapling - 1 - \mathsf{layer}\big)$. + \item where $l = \ItoLEBSP{6}\big(\MerkleDepth{Sapling} - 1 - \mathsf{layer}\big)$. \end{formulae} \vspace{-2ex} @@ -6871,7 +7128,7 @@ $\MerkleCRHSapling \typecolon \MerkleLayerSapling \times \MerkleHashSapling \tim \vspace{1ex} \pnote{The prefix $l$ provides domain separation between inputs at different layers of the -\noteCommitmentTree. $\NoteCommitSaplingAlg$, like $\PedersenHash$, is defined in terms of $\PedersenHashToPoint$, +\noteCommitmentTree. $\NoteCommitAlg{Sapling}$, like $\PedersenHash$, is defined in terms of $\PedersenHashToPoint$, but using a prefix that cannot collide with a layer prefix, as noted in \crossref{concretewindowedcommit}.}} %sapling 
@@ -6935,7 +7192,7 @@ It is defined as follows: \begin{formulae} \item $\CRHivk(\AuthSignPublicRepr, \NullifierKeyRepr) := - \LEOStoIPOf{256}{\BlakeTwosOf{256}{\ascii{Zcashivk},\; \crhInput}} \bmod 2^{\InViewingKeyLengthSapling}$ + \LEOStoIPOf{256}{\BlakeTwosOf{256}{\ascii{Zcashivk},\; \crhInput}} \bmod 2^{\InViewingKeyLength{Sapling}}$ \end{formulae} \vspace{-2ex} @@ -6949,7 +7206,7 @@ $\BlakeTwobOf{256}{p, x}$ is defined in \crossref{concreteblake2}. \vspace{-1ex} \securityrequirement{ -$\LEOStoIPOf{256}{\BlakeTwosOf{256}{\ascii{Zcashivk}, x}} \bmod 2^{\InViewingKeyLengthSapling}$ +$\LEOStoIPOf{256}{\BlakeTwosOf{256}{\ascii{Zcashivk}, x}} \bmod 2^{\InViewingKeyLength{Sapling}}$ must be \collisionResistant on a $64$-byte input $x$. Note that this does not follow from \collisionResistance of $\BlakeTwos{256}$ (and the best possible concrete security is that of a $251$-bit hash @@ -6968,11 +7225,11 @@ the same effect as using that feature. } %sapling -%\sapling{ +\sapling{ \introlist -\lsubsubsubsection{\DiversifyHashSaplingText\orchard{ and \DiversifyHashOrchardText} Hash Function\notbeforeorchard{s}}{concretediversifyhash} +\lsubsubsubsection{\DiversifyHashText{Sapling}\orchard{ and \DiversifyHashText{Orchard}} Hash Function\notbeforeorchard{s}}{concretediversifyhash} -$\DiversifyHashSapling$ is used to derive a \diversifiedBase from a \diversifier in +$\DiversifyHash{Sapling}$ is used to derive a \diversifiedBase from a \diversifier in \crossref{saplingkeycomponents}. Let $\GroupJHash{}$ and $U$ be as defined in \crossref{concretegrouphashjubjub}. 
@@ -6981,12 +7238,12 @@ Define \vspace{-1ex} \begin{formulae} - \item $\DiversifyHashSapling(\Diversifier) := + \item $\DiversifyHash{Sapling}(\Diversifier) := \GroupJHash{\NotUpMySleeve}\Of{\ascii{Zcash\_gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier}\kern-0.1em}$ \end{formulae} -%\orchard{ -$\DiversifyHashOrchard$ is used to derive a \diversifiedBase from a \diversifier in +\orchard{ +$\DiversifyHash{Orchard}$ is used to derive a \diversifiedBase from a \diversifier in \crossref{orchardkeycomponents}. Let $\GroupPHash{}$ be as defined in \crossref{concretegrouphashpallasandvesta}. @@ -6995,12 +7252,12 @@ Define \vspace{-1ex} \begin{formulae} - \item $\DiversifyHashOrchard(\Diversifier) :=$ + \item $\DiversifyHash{Orchard}(\Diversifier) :=$ % \GroupPHash\Of{\ascii{z.cash:Orchard-gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier}\kern-0.1em}$ \end{formulae} The following security property and notes apply to both \Sapling and \Orchard. -%} %orchard +} %orchard \vspace{-2ex} \securityrequirement{ 
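Review bot: Activating the `\orchard{` wrapper around the second hunk makes the formula `\item $\DiversifyHash{Orchard}(\Diversifier) :=$` visible with nothing on its right-hand side, because the following `\GroupPHash\Of{...}` line is still commented out with `%`. If the personalization string is final, the commented line should simply be restored as the definition; if it is not yet settled, an explicit placeholder such as `\item $\DiversifyHash{Orchard}(\Diversifier) := \todo{define via \GroupPHash}$` reads better than a dangling `:=`. The sentence that follows ("The following security property and notes apply to both \Sapling and \Orchard") presupposes that the Orchard definition exists, so the gap is now user-visible in the rendered Orchard build.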
@@ -7014,12 +7271,12 @@ the third address was derived from. %Consider the following experiment: %\begin{itemize} % \item Choose two \incomingViewingKeys -% $\InViewingKey_{1,2} \leftarrowR \InViewingKeyTypeSapling$. +% $\InViewingKey_{1,2} \leftarrowR \InViewingKeyType{Sapling}$. % \item An adversary chooses two (not necessarily distinct) \diversifiers % $\Diversifier_{1,2} \typecolon \DiversifierType$. % \item Define $\OracleNewAddress_i(\Diversifier' \typecolon \DiversifierType) := \begin{cases} -% \bot, &\caseif \DiversifyHashSapling(\Diversifier') = \bot \\ -% (\Diversifier', \scalarmult{\InViewingKey_i}{\DiversifyHashSapling(\Diversifier')}), &\caseotherwise +% \bot, &\caseif \DiversifyHash{Sapling}(\Diversifier') = \bot \\ +% (\Diversifier', \scalarmult{\InViewingKey_i}{\DiversifyHash{Sapling}(\Diversifier')}), &\caseotherwise % \end{cases}$. % \item Define $\OracleDH_i(\EphemeralPrivate \typecolon \GF{\ParamJ{r}}, % \DiversifiedTransmitBase \typecolon \GroupJ) := \begin{cases} @@ -7041,7 +7298,7 @@ the third address was derived from. \item Suppose that $\GroupJHash{}$ (restricted to inputs for which it does not return $\bot$) is modelled as a random oracle from \diversifiers to points of order $\ParamJ{r}$ on the \jubjubCurve. In this model, Unlinkability - of $\DiversifyHashSapling$ holds under the Decisional Diffie-Hellman assumption on the + of $\DiversifyHash{Sapling}$ holds under the Decisional Diffie-Hellman assumption on the prime-order subgroup of the \jubjubCurve. To prove this, consider the ElGamal encryption scheme \cite{ElGamal1985} 
@@ -7055,11 +7312,11 @@ the third address was derived from. distribution of ElGamal ciphertexts obtained by encrypting $\ZeroJ$ under $\pk$. \todo{check whether this is justified.} Then, the definition of \keyPrivacy (IK-CPA as defined in \cite[Definition 1]{BBDP2001}) - for ElGamal corresponds to the definition of Unlinkability for $\DiversifyHashSapling$. - (IK-CCA corresponds to the potentially stronger requirement that $\DiversifyHashSapling$ + for ElGamal corresponds to the definition of Unlinkability for $\DiversifyHash{Sapling}$. + (IK-CCA corresponds to the potentially stronger requirement that $\DiversifyHash{Sapling}$ remains Unlinkable when given Diffie-Hellman key agreement oracles for each of the candidate \diversifiedPaymentAddresses.) - So if ElGamal is \keyPrivate, then $\DiversifyHashSapling$ is Unlinkable under the + So if ElGamal is \keyPrivate, then $\DiversifyHash{Sapling}$ is Unlinkable under the same conditions. \cite[Appendix A]{BBDP2001} gives a security proof for \keyPrivacy (both IK-CPA and IK-CCA) of ElGamal under the Decisional Diffie-Hellman @@ -7117,7 +7374,7 @@ the third address was derived from. privacy properties). Implementations \SHOULD avoid providing such a ``chosen \diversifier'' oracle. \end{nnotes} -%} %sapling +} %sapling \sapling{ 
@@ -7140,12 +7397,12 @@ $\PedersenHash$ is used in the definitions of \xPedersenCommitments Let $\GroupJ$, $\SubgroupJ$, $\ZeroJ$, $\ParamJ{q}$, $\ParamJ{r}$, $\ParamJ{a}$, and $\ParamJ{d}$ be as defined in \crossref{jubjub}. -Let $\ExtractJ \typecolon \SubgroupJ \rightarrow \MerkleHashSapling$ be as defined in \crossref{concreteextractorjubjub}. +Let $\ExtractJ \typecolon \SubgroupJ \rightarrow \MerkleHash{Sapling}$ be as defined in \crossref{concreteextractorjubjub}. \vspace{-1ex} Let $\FindGroupJHash$ be as defined in \crossref{concretegrouphashjubjub}. -Let $\UncommittedSapling$ be as defined in \crossref{constants}. +Let $\Uncommitted{Sapling}$ be as defined in \crossref{constants}. Let $c$ be the largest integer such that $4 \mult \hfrac{2^{4 \mult c}-1}{15} \leq \hfrac{\ParamJ{r}-1}{2}$, i.e.\ $c := 63$. @@ -7159,7 +7416,7 @@ i.e.\ $c := 63$. \introlist \vspace{2ex} -Define $\PedersenGenAlg \typecolon \byteseq{8} \times \Nat \rightarrow \SubgroupJstar$ by: +Define $\PedersenGenAlg{Sapling} \typecolon \byteseq{8} \times \Nat \rightarrow \SubgroupJstar$ by: \begin{formulae} \item $\PedersenGen{D}{i} := \FindGroupJHash\Of{D, \Justthebox{\gencountbox}}$. @@ -7196,7 +7453,7 @@ $\PedersenEncode{\paramdot} \typecolon \bitseq{3 \mult \range{1}{c}} \rightarrow \introlist \vspace{-1ex} -Finally, define $\PedersenHash \typecolon \byteseq{8} \times \bitseq{\PosInt} \rightarrow \MerkleHashSapling$ by: +Finally, define $\PedersenHash \typecolon \byteseq{8} \times \bitseq{\PosInt} \rightarrow \MerkleHash{Sapling}$ by: \begin{formulae} \item $\PedersenHash(D, M) := \ExtractJ\big(\PedersenHashToPoint\Of{D, M}\kern-0.1em\big)$. 
@@ -7262,12 +7519,12 @@ Because $\ExtractJ$ is injective, it follows that $\PedersenHash$ is equally \introlist \theoremlabel{thmnohashtouncommittedsapling} -\begin{theorem}[$\UncommittedSapling$ is not in the range of $\PedersenHash$]\end{theorem} +\begin{theorem}[$\Uncommitted{Sapling}$ is not in the range of $\PedersenHash$]\end{theorem} \begin{proof} -$\UncommittedSapling$ is defined as $\ItoLEBSPOf{\MerkleHashLengthSapling}{1}$. -By injectivity of $\ItoLEBSP{\MerkleHashLengthSapling}$ and definitions of -$\PedersenHash$ and $\ExtractJ$, $\ItoLEBSPOf{\MerkleHashLengthSapling}{1}$ +$\Uncommitted{Sapling}$ is defined as $\ItoLEBSPOf{\MerkleHashLength{Sapling}}{1}$. +By injectivity of $\ItoLEBSP{\MerkleHashLength{Sapling}}$ and definitions of +$\PedersenHash$ and $\ExtractJ$, $\ItoLEBSPOf{\MerkleHashLength{Sapling}}{1}$ can be in the range of $\PedersenHash$ only if there exist $D \typecolon \smash{\byteseq{8}}$ and $M \typecolon \smash{\bitseq{\PosInt}}$ such that $\Selectu\Of{\PedersenHashToPoint(D, M)} = 1$. The latter can only be the \affineCtEdwards $u$-coordinate of a point in $\strut\GroupJ$. @@ -7290,14 +7547,14 @@ A mixing \xPedersenHash is used to compute $\NoteAddressRand$ from $\cm$ and $\NotePosition$ in \crossref{commitmentsandnullifiers}. It takes as input a \xPedersenCommitment $P$, and hashes it with another input $x$. -Define $\NotePositionBase := \FindGroupJHash\Of{\ascii{Zcash\_J\_}, \ascii{}}$. +Define $\NotePositionBaseSapling := \FindGroupJHash\Of{\ascii{Zcash\_J\_}, \ascii{}}$. \vspace{1ex} We define $\MixingPedersenHash \typecolon \GroupJ \times \range{0}{\ParamJ{r}-1} \rightarrow \GroupJ$ by: \begin{formulae} - \item $\MixingPedersenHash(P, x) := P + \scalarmult{x}{\NotePositionBase}$. + \item $\MixingPedersenHash(P, x) := P + \scalarmult{x}{\NotePositionBaseSapling}$. \end{formulae} \vspace{-1ex} 
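Review bot: The rename to `\NotePositionBaseSapling` in the `\MixingPedersenHash` definition runs against the convention the rest of this commit adopts, where protocol-suffixed macros become parameterised ones (`\Uncommitted{Sapling}`, `\MerkleHashLength{Sapling}` in the hunk just above, `\AuthSignBase{Sapling}` later in the diff). Unless there is a reason this macro cannot take the same shape, `Define $\NotePositionBase{Sapling} := \FindGroupJHash\Of{\ascii{Zcash\_J\_}, \ascii{}}$.` and `\item $\MixingPedersenHash(P, x) := P + \scalarmult{x}{\NotePositionBase{Sapling}}$.` would keep the notation uniform. The macro definition itself is in the preamble outside this hunk, so it would need the matching change.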
@@ -7334,12 +7591,12 @@ $\SinsemillaHash$ is used in the definition of $\SinsemillaCommit{}$ Let $\GroupP$, $\ZeroP$, $\ParamP{q}$, $\ParamP{r}$, and $\ParamP{b}$ be as defined in \crossref{pallasandvesta}. -Let $\ExtractP \typecolon \GroupP \rightarrow \MerkleHashOrchard$ be as +Let $\ExtractP \typecolon \GroupP \rightarrow \MerkleHash{Orchard}$ be as defined in \crossref{concreteextractorpallas}. Let $\GroupPHash$ be as defined in \crossref{concretegrouphashpallasandvesta}. -Let $\UncommittedOrchard$ be as defined in \crossref{constants}. +Let $\Uncommitted{Orchard}$ be as defined in \crossref{constants}. Let $\LEBStoOSP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$ and $\LEOStoIP{} \typecolon (\ell \typecolon \Nat \suchthat \ell \bmod 8 = 0) \times \byteseq{\ell/8} \rightarrow \binaryrange{\ell}$ @@ -7375,7 +7632,7 @@ Define $\SinsemillaHashToPoint(D \typecolon \byteseqs, M \typecolon \bitseq{\ran \introlist \vspace{-1ex} -Finally, define $\SinsemillaHash \typecolon \byteseqs \times \bitseq{\range{0}{k \mult c}} \rightarrow \MerkleHashOrchard$ by: +Finally, define $\SinsemillaHash \typecolon \byteseqs \times \bitseq{\range{0}{k \mult c}} \rightarrow \MerkleHash{Orchard}$ by: \begin{formulae} \item $\SinsemillaHash(D, M) := \ExtractP\big(\SinsemillaHashToPoint\Of{D, M}\kern-0.1em\big)$. 
@@ -7400,12 +7657,12 @@ No other security properties commonly associated with \hashFunctions are needed. \introlist \theoremlabel{thmnohashtouncommittedorchard} -\begin{theorem}[$\UncommittedOrchard$ is not in the range of $\SinsemillaHash$]\end{theorem} +\begin{theorem}[$\Uncommitted{Orchard}$ is not in the range of $\SinsemillaHash$]\end{theorem} \begin{proof} -$\UncommittedOrchard$ is defined as $\ItoLEBSPOf{\MerkleHashLengthOrchard}{2}$. -By injectivity of $\ItoLEBSP{\MerkleHashLengthOrchard}$ and definitions of -$\SinsemillaHash$ and $\ExtractP$, $\ItoLEBSPOf{\MerkleHashLengthOrchard}{2}$ +$\Uncommitted{Orchard}$ is defined as $\ItoLEBSPOf{\MerkleHashLength{Orchard}}{2}$. +By injectivity of $\ItoLEBSP{\MerkleHashLength{Orchard}}$ and definitions of +$\SinsemillaHash$ and $\ExtractP$, $\ItoLEBSPOf{\MerkleHashLength{Orchard}}{2}$ can be in the range of $\SinsemillaHash$ only if there exist $D \typecolon \byteseqs$ and $M \typecolon \bitseq{\smash{\PosInt}}$ such that $\Selectx\Of{\SinsemillaHashToPoint(D, M)} = 2$. $\Selectx\Of{\SinsemillaHashToPoint(D, M)}$ @@ -7416,7 +7673,7 @@ is not square in $\GF{\ParamP{q}}$. \end{proof} \nnote{There are also no points in $\GroupP$ with \affineSW $x$-coordinate $0 \pmod{\ParamP{q}}$. -We do not choose $\UncommittedOrchard = 0$ because we define $\Selectx\Of{\ZeroP} = 0$, +We do not choose $\Uncommitted{Orchard} = 0$ because we define $\Selectx\Of{\ZeroP} = 0$, and it is technically possible (with negligible probability) that $\SinsemillaHashToPoint$ could return $\ZeroP$.} } %orchard 
@@ -7689,13 +7946,13 @@ block count and $64$-bit nonce as in the original definition of $\SymCipher$. \lsubsubsubsection{\SproutOrNothingText{} Key Agreement}{concretesproutkeyagreement} \changed{ -$\KASprout$ is a \keyAgreementScheme as specified in \crossref{abstractkeyagreement}. +$\KA{Sprout}$ is a \keyAgreementScheme as specified in \crossref{abstractkeyagreement}. It is instantiated as $\KASproutCurve$ key agreement, described in \cite{Bernstein2006}, as follows. -Let $\KASproutPublic$ and $\KASproutSharedSecret$ be the type of $\KASproutCurve$ \publicKeys -(i.e.\ $\byteseq{32}$), and let $\KASproutPrivate$ be the type of $\KASproutCurve$ +Let $\KAPublic{Sprout}$ and $\KASharedSecret{Sprout}$ be the type of $\KASproutCurve$ \publicKeys +(i.e.\ $\byteseq{32}$), and let $\KAPrivate{Sprout}$ be the type of $\KASproutCurve$ secret keys. Let $\KASproutCurveMultiply(\bytes{n}, \bytes{q})$ be the result of point @@ -7703,7 +7960,7 @@ multiplication of the $\KASproutCurve$ \publicKey represented by the byte sequence $\bytes{q}$ by the $\KASproutCurve$ secret key represented by the byte sequence $\bytes{n}$, as defined in \cite[section 2]{Bernstein2006}. -Let $\KASproutBase := \KASproutCurveBase$ be the public byte sequence representing +Let $\KABase{Sprout} := \KASproutCurveBase$ be the public byte sequence representing the $\KASproutCurve$ base point. Let $\KASproutCurveClamp(\bytes{x})$ take a 32-byte sequence $\bytes{x}$ as input 
@@ -7713,11 +7970,11 @@ bits ``clamped'' as described in \cite[section 3]{Bernstein2006}: and set bit $6$ of the last byte.'' Here the bits of a byte are numbered such that bit $b$ has numeric weight $2^b$. -Define $\KASproutFormatPrivate(x) := \KASproutCurveClamp(x)$. +Define $\KAFormatPrivate{Sprout}(x) := \KASproutCurveClamp(x)$. -Define $\KASproutDerivePublic(n, q) := \KASproutCurveMultiply(n, q)$. +Define $\KADerivePublic{Sprout}(n, q) := \KASproutCurveMultiply(n, q)$. -Define $\KASproutAgree(n, q) := \KASproutCurveMultiply(n, q)$. +Define $\KAAgree{Sprout}(n, q) := \KASproutCurveMultiply(n, q)$. } \introsection @@ -7745,12 +8002,12 @@ Define $\KASproutAgree(n, q) := \KASproutCurveMultiply(n, q)$. \end{lrbox} \changed{ -$\KDFSprout$ is a \keyDerivationFunction as specified in \crossref{abstractkdf}. +$\KDF{Sprout}$ is a \keyDerivationFunction as specified in \crossref{abstractkdf}. It is instantiated using $\BlakeTwob{256}$ as follows: \begin{formulae} - \item $\KDFSprout(i, \hSig, \DHSecret{i}, \EphemeralPublic, \TransmitPublicNew{i}) := + \item $\KDF{Sprout}(i, \hSig, \DHSecret{i}, \EphemeralPublic, \TransmitPublicNew{i}) := \BlakeTwobOf{256}{\kdftag, \kdfinput}$ \end{formulae} \introlist 
@@ -7767,24 +8024,24 @@ $\BlakeTwobOf{256}{p, x}$ is defined in \crossref{concreteblake2}. \sapling{ \lsubsubsubsection{\SaplingText{} Key Agreement}{concretesaplingkeyagreement} -$\KASapling$ is a \keyAgreementScheme as specified in \crossref{abstractkeyagreement}. +$\KA{Sapling}$ is a \keyAgreementScheme as specified in \crossref{abstractkeyagreement}. It is instantiated as Diffie-Hellman with cofactor multiplication on \Jubjub as follows: Let $\GroupJ$, $\SubgroupJ$, $\SubgroupJstar$, and the cofactor $\ParamJ{h}$ be as defined in \crossref{jubjub}. -Define $\KASaplingPublic := \GroupJ$. +Define $\KAPublic{Sapling} := \GroupJ$. -Define $\KASaplingPublicPrimeSubgroup := \SubgroupJ$. +Define $\KAPublicPrimeSubgroup{Sapling} := \SubgroupJ$. -Define $\KASaplingSharedSecret := \SubgroupJ$. +Define $\KASharedSecret{Sapling} := \SubgroupJ$. -Define $\KASaplingPrivate := \GF{\ParamJ{r}}$. +Define $\KAPrivate{Sapling} := \GF{\ParamJ{r}}$. -Define $\KASaplingDerivePublic(\sk, B) := \scalarmult{\sk}{B}$. +Define $\KADerivePublic{Sapling}(\sk, B) := \scalarmult{\sk}{B}$. -Define $\KASaplingAgree(\sk, P) := \scalarmult{\ParamJ{h} \mult \sk}{P}$. +Define $\KAAgree{Sapling}(\sk, P) := \scalarmult{\ParamJ{h} \mult \sk}{P}$. } %sapling @@ -7802,13 +8059,13 @@ Define $\KASaplingAgree(\sk, P) := \scalarmult{\ParamJ{h} \mult \sk}{P}$. \lsubsubsubsection{\SaplingText{} Key Derivation}{concretesaplingkdf} \vspace{-1ex} -$\KDFSapling$ is a \keyDerivationFunction as specified in \crossref{abstractkdf}. +$\KDF{Sapling}$ is a \keyDerivationFunction as specified in \crossref{abstractkdf}. It is instantiated using $\BlakeTwob{256}$ as follows: \vspace{-0.5ex} \begin{formulae} - \item $\KDFSapling(\DHSecret{}, \ephemeralKey) := + \item $\KDF{Sapling}(\DHSecret{}, \ephemeralKey) := \BlakeTwobOf{256}{\ascii{Zcash\_SaplingKDF}, \kdfinput}$. \end{formulae} \vspace{-2.5ex} 
@@ -7968,10 +8225,15 @@ EdDSA \cite{BJLSY2015}. $\RedJubjub$ is a specialization of $\RedDSA$ to the \jubjubCurve (\crossref{jubjub}), using the $\BlakeTwob{512}$ hash function. -The \spendAuthSignatureScheme defined in \crossref{concretespendauthsig} is -instantiated by $\RedJubjub$. The \bindingSignatureScheme $\BindingSig$ defined in -\crossref{concretebindingsig} is instantiated by $\RedJubjub$ without use of -key re-randomization. +The \spendAuthSignatureScheme $\SpendAuthSig{Sapling}$ defined in \crossref{concretespendauthsig} +is instantiated by $\RedJubjub$. The \bindingSignatureScheme $\BindingSig{Sapling}$ defined in +\crossref{concretebindingsig} is instantiated by $\RedJubjub$ without use of key re-randomization. + +\orchard{ +The \spendAuthSignatureScheme $\SpendAuthSig{Orchard}$ defined in \crossref{concretespendauthsig} +is instantiated by $\RedPallas$. The \bindingSignatureScheme $\BindingSig{Orchard}$ defined in +\crossref{concretebindingsig} is instantiated by $\RedPallas$ without use of key re-randomization. +} %orchard \introlist \vspace{1ex} 
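Review bot: The new `\orchard{...}` paragraph declaring that `\SpendAuthSig{Orchard}` and `\BindingSig{Orchard}` are instantiated by `\RedPallas` sits directly under the sentence introducing `\RedJubjub` as a specialisation of `\RedDSA` to the Jubjub curve, so a reader of this section meets `\RedPallas` before it has been introduced; moving the paragraph to the RedPallas section, or at least prefixing it with a `\crossref` to where `\RedPallas` is defined, would avoid that. The paragraph also directs readers to `concretebindingsig` for the `\RedPallas` binding-signature instantiation, and the text added there later in this diff cites `\crossref{concreteredjubjub}` for `\RedPallas`, whereas the spend-authorization section added in the same diff cites `\crossref{concreteredpallas}`. The binding-signature one looks like a copy-paste slip and should read `Let $\RedPallas$ be as defined in \crossref{concreteredpallas}.`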
@@ -8127,53 +8389,73 @@ The scheme $\RedJubjub$ specializes $\RedDSA$ with: \vspace{-1ex} The generator $\GenG{} \typecolon \SubgroupG{}$ is left as an unspecified parameter, different between -$\BindingSig$ and $\SpendAuthSig$. +$\BindingSig{Sapling}$\notbeforeorchard{,}\notorchard{ and} $\SpendAuthSig{Sapling}$\orchard{, $\BindingSig{Orchard}$, +and $\SpendAuthSig{Orchard}$}. } %sapling \sapling{ \vspace{-1ex} -\lsubsubsubsection{Spend Authorization Signature}{concretespendauthsig} +\lsubsubsubsection{Spend Authorization Signature (\SaplingAndOrchardText)}{concretespendauthsig} \vspace{-1ex} Let $\RedJubjub$ be as defined in \crossref{concreteredjubjub}. -Define $\AuthSignBaseSapling := \FindGroupJHash\Of{\ascii{Zcash\_G\_}, \ascii{}}$. +Define $\AuthSignBase{Sapling} := \FindGroupJHash\Of{\ascii{Zcash\_G\_}, \ascii{}}$. -The \defining{\spendAuthSignatureScheme}, $\SpendAuthSig$, is instantiated as $\RedJubjub$ -with key re-randomization, and with generator $\GenG{} = \AuthSignBaseSapling$. +The \defining{\spendAuthSignatureScheme}, $\SpendAuthSig{Sapling}$, is instantiated as $\RedJubjub$ +with key re-randomization, and with generator $\GenG{} = \AuthSignBase{Sapling}$. + +\orchard{ +Let $\RedPallas$ be as defined in \crossref{concreteredpallas}. + +Define $\AuthSignBase{Orchard} := \GroupPHash\Of{\ascii{z.cash:Orchard}, \ascii{G}}$. + +The \defining{\spendAuthSignatureScheme}, $\SpendAuthSig{Orchard}$, is instantiated as $\RedPallas$ +with key re-randomization, and with generator $\GenG{} = \AuthSignBase{Orchard}$. +} %orchard \vspace{0.5ex} See \crossref{spendauthsig} for details on the use of this \signatureScheme. \vspace{-1ex} \securityrequirement{ -$\SpendAuthSig$ must be a SURK-CMA secure \rerandomizableSignatureScheme as defined -in \crossref{abstractsigrerand}. +\orchard{Each instantiation of} $\SpendAuthSig{}$ must be a SURK-CMA secure \rerandomizableSignatureScheme +as defined in \crossref{abstractsigrerand}. 
} %securityrequirement } %sapling \sapling{ \vspace{-1ex} -\lsubsubsubsection{Binding Signature}{concretebindingsig} +\lsubsubsubsection{Binding Signature (\SaplingAndOrchardText)}{concretebindingsig} \vspace{-1ex} Let $\RedJubjub$ be as defined in \crossref{concreteredjubjub}. -Let $\ValueCommitRandBase$ be the randomness base defined in \crossref{concretevaluecommit}. +Let $\ValueCommitRandBase{Sapling}$ be the randomness base defined in \crossref{concretevaluecommit}. -The \defining{\bindingSignatureScheme}, $\BindingSig$, is instantiated as $\RedJubjub$ without -use of key re-randomization, and with generator $\GenG{} = \ValueCommitRandBase$. +The \defining{\bindingSignatureScheme}, $\BindingSig{Sapling}$, is instantiated as $\RedJubjub$ without +use of key re-randomization, and with generator $\GenG{} = \ValueCommitRandBase{Sapling}$. + +\orchard{ +Let $\RedPallas$ be as defined in \crossref{concreteredjubjub}. + +Let $\ValueCommitRandBase{Orchard}$ be the randomness base defined in \crossref{concretevaluecommit}. + +The \defining{\bindingSignatureScheme}, $\BindingSig{Orchard}$, is instantiated as $\RedPallas$ without +use of key re-randomization, and with generator $\GenG{} = \ValueCommitRandBase{Orchard}$. +} %orchard \vspace{0.5ex} See \crossref{bindingsig} for details on the use of this \signatureScheme. \vspace{-1ex} \securityrequirement{ -$\BindingSig$ must be a SUF-CMA secure \keyMonomorphicSignatureScheme as defined in -\crossref{abstractsigmono}. A signature must prove knowledge of the discrete logarithm of -the \validatingKey with respect to the base $\ValueCommitRandBase$. +\orchard{Each instantiation of} $\BindingSig{}$ must be a SUF-CMA secure \keyMonomorphicSignatureScheme +as defined in \crossref{abstractsigmono}. A signature must prove knowledge of the discrete logarithm of +the \validatingKey with respect to the base $\ValueCommitRandBase{Sapling}$\orchard{ or +$\ValueCommitRandBase{Orchard}$}. } %securityrequirement } %sapling 
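Review bot: The new Orchard paragraph in the Binding Signature section points `\RedPallas` at the wrong definition: `Let $\RedPallas$ be as defined in \crossref{concreteredjubjub}.` should read `Let $\RedPallas$ be as defined in \crossref{concreteredpallas}.`, matching the corresponding line added to the Spend Authorization Signature section earlier in the same hunk. As written the cross-reference sends the reader to the Jubjub-based scheme although `$\BindingSig{Orchard}$` is instantiated on Pallas, so anyone following the reference for the curve, group order and generator conventions would land on the wrong ones.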
@@ -8205,12 +8487,12 @@ the \validatingKey with respect to the base $\ValueCommitRandBase$. \end{lrbox} \vspace{-1ex} -The commitment scheme $\NoteCommitSprout{}$ specified in \crossref{abstractcommit} is +The commitment scheme $\NoteCommit{Sprout}{}$ specified in \crossref{abstractcommit} is instantiated using \shaHash as follows: \begin{formulae}[leftmargin=1em] - \item $\NoteCommitSprout{\NoteCommitRand}(\AuthPublic, \Value, \NoteAddressRand) := \SHAFullBox{\cmbox}$ - \item $\NoteCommitSproutGenTrapdoor()$ generates the uniform distribution on $\NoteCommitSproutTrapdoor$. + \item $\NoteCommit{Sprout}{\NoteCommitRand}(\AuthPublic, \Value, \NoteAddressRand) := \SHAFullBox{\cmbox}$ + \item $\NoteCommitGenTrapdoor{Sprout}()$ generates the uniform distribution on $\NoteCommitTrapdoor{Sprout}$. \end{formulae} \vspace{-1ex} 
@@ -8243,19 +8525,19 @@ and adding a randomized point on the \jubjubCurve (see \crossref{jubjub}): See \crossref{cctwindowedcommit} for rationale and efficient circuit implementation of this function. -The commitment scheme $\NoteCommitSapling{}$ specified in \crossref{abstractcommit} is +The commitment scheme $\NoteCommitAlg{Sapling}$ specified in \crossref{abstractcommit} is instantiated as follows using $\WindowedPedersenCommitAlg$: \begin{formulae} - \item $\NoteCommitSapling{\NoteCommitRand}(\DiversifiedTransmitBaseRepr, \DiversifiedTransmitPublicRepr, \Value) := + \item $\NoteCommit{Sapling}{\NoteCommitRand}(\DiversifiedTransmitBaseRepr, \DiversifiedTransmitPublicRepr, \Value) := \WindowedPedersenCommit{\NoteCommitRand}\left(\ones{6} \bconcat \ItoLEBSPOf{64}{\Value} \bconcat \DiversifiedTransmitBaseRepr \bconcat \DiversifiedTransmitPublicRepr\right)$ - \item $\NoteCommitSaplingGenTrapdoor()$ generates the uniform distribution on $\GF{\ParamJ{r}}$. + \item $\NoteCommitGenTrapdoor{Sapling}()$ generates the uniform distribution on $\GF{\ParamJ{r}}$. \end{formulae} \vspace{-1ex} \begin{securityrequirements} - \item $\WindowedPedersenCommitAlg$, and hence $\NoteCommitSaplingAlg$, must be + \item $\WindowedPedersenCommitAlg$, and hence $\NoteCommitAlg{Sapling}$, must be computationally binding and at least computationally hiding \commitmentSchemes. \end{securityrequirements} 
@@ -8263,72 +8545,101 @@ instantiated as follows using $\WindowedPedersenCommitAlg$: (They are in fact unconditionally hiding \commitmentSchemes.) \begin{pnotes} - \item $\MerkleCRHSapling$ is also defined in terms of $\PedersenHashToPoint$ + \item $\MerkleCRH{Sapling}$ is also defined in terms of $\PedersenHashToPoint$ (see \crossref{merklecrh}). The prefix $\ones{6}$ distinguishes the use of $\WindowedPedersenCommitAlg$ in - $\NoteCommitSaplingAlg$ from the layer prefix used in $\MerkleCRHSapling$. + $\NoteCommitAlg{Sapling}$ from the layer prefix used in $\MerkleCRH{Sapling}$. That layer prefix is a $6$-bit little-endian encoding of an integer - in the range $\range{0}{\MerkleDepthSapling-1}$; because $\MerkleDepthSapling < 64$, + in the range $\range{0}{\MerkleDepth{Sapling}-1}$; because $\MerkleDepth{Sapling} < 64$, it cannot collide with $\ones{6}$. - \item The arguments to $\NoteCommitSapling{}$ are in a different order to their encodings + \item The arguments to $\NoteCommitAlg{Sapling}$ are in a different order to their encodings in $\WindowedPedersenCommit{}$. There is no particularly good reason for this. \end{pnotes} } %sapling \sapling{ -\extralabel{concretevaluecommit}{\lsubsubsubsection{Homomorphic Pedersen commitments}{concretehomomorphiccommit}} +\extralabel{concretevaluecommit}{\lsubsubsubsection{Homomorphic Pedersen commitments (\SaplingAndOrchardText)}{concretehomomorphiccommit}} The windowed Pedersen commitments defined in the preceding section are highly efficient, but they do not support the homomorphic property we -need when instantiating $\ValueCommit{}$. +need when instantiating $\ValueCommitAlg{}$. -For more details on the use of this property, see \crossref{saplingbalance} and \crossref{spendsandoutputs}. +For more details on the use of this property, see \crossref{saplingbalance}\orchard{, \crossref{orchardbalance},} and \crossref{spendsandoutputs}. 
-\defining{In order to support this property, we also define \homomorphicPedersenCommitments as follows:} +\defining{In order to support this property, we also define \homomorphicPedersenCommitments for \Sapling:} \begin{formulae} - \item $\HomomorphicPedersenCommit{\ValueCommitRand}(D, \Value) := + \item $\HomomorphicPedersenCommit{Sapling}{\ValueCommitRand}(D, \Value) := \scalarmult{\Value}{\FindGroupJHash\Of{D, \ascii{v}}} + \scalarmult{\ValueCommitRand}{\FindGroupJHash\Of{D, \ascii{r}}}$ - \item $\ValueCommitGenTrapdoor()$ generates the uniform distribution on $\GF{\ParamJ{r}}$. + \item $\ValueCommitGenTrapdoor{Sapling}()$ generates the uniform distribution on $\GF{\ParamJ{r}}$. \end{formulae} See \crossref{ccthomomorphiccommit} for rationale and efficient circuit implementation of this function. +\orchard{ +We also define \homomorphicPedersenCommitments for \Orchard: + +\begin{formulae} + \item $\HomomorphicPedersenCommit{Orchard}{\ValueCommitRand}(D, \Value) := + \scalarmult{\Value}{\GroupPHash\Of{D, \ascii{v}}} + \scalarmult{\ValueCommitRand}{\GroupPHash\Of{D, \ascii{r}}}$ + \item $\ValueCommitGenTrapdoor{Orchard}()$ generates the uniform distribution on $\GF{\ParamP{r}}$. +\end{formulae} +} %orchard + \introlist \vspace{1ex} Define: -\begin{formulae} -\vspace{-0.5ex} - \item $\ValueCommitValueBase := \FindGroupJHash\Of{\ascii{Zcash\_cv}, \ascii{v}}$ -\vspace{-0.5ex} - \item $\ValueCommitRandBase := \FindGroupJHash\Of{\ascii{Zcash\_cv}, \ascii{r}}$. 
-\end{formulae} +\begin{tabular}{@{\hskip 1.5em}r@{}l} + $\ValueCommitValueBase{Sapling}$ &$:= \FindGroupJHash\Of{\ascii{Zcash\_cv}, \ascii{v}}$ \\ + $\ValueCommitRandBase{Sapling}$ &$:= \FindGroupJHash\Of{\ascii{Zcash\_cv}, \ascii{r}}$ \\ +%\orchard{ + $\ValueCommitValueBase{Orchard}$ &$:= \GroupPHash\Of{\ascii{z.cash:Orchard-cv}, \ascii{v}}$ \\ + $\ValueCommitRandBase{Orchard}$ &$:= \GroupPHash\Of{\ascii{z.cash:Orchard-cv}, \ascii{r}}$ \\ +%} %orchard +\end{tabular} \introlist -The commitment scheme $\ValueCommit{}$ specified in \crossref{abstractcommit} is -instantiated as follows using $\HomomorphicPedersenCommit{}$: +The commitment scheme $\ValueCommitAlg{Sapling}$ specified in \crossref{abstractcommit} is +instantiated as follows using $\HomomorphicPedersenCommit{}$ on the \jubjubCurve: \begin{formulae} - \item $\ValueCommit{\ValueCommitRand}(\Value) := + \item $\ValueCommitAlg{\ValueCommitRand}(\Value) := \HomomorphicPedersenCommit{\ValueCommitRand}(\ascii{Zcash\_cv}, \Value)$. \end{formulae} \vspace{-1ex} which is equivalent to: \begin{formulae} - \item $\ValueCommit{\ValueCommitRand}(\Value) := \scalarmult{\Value}{\ValueCommitValueBase} - + \scalarmult{\ValueCommitRand}{\ValueCommitRandBase}$. + \item $\ValueCommit{Sapling}{\ValueCommitRand}(\Value) := \scalarmult{\Value}{\ValueCommitValueBase{Sapling}} + + \scalarmult{\ValueCommitRand}{\ValueCommitRandBase{Sapling}}$. \end{formulae} +\orchard{ +\introlist +The commitment scheme $\ValueCommitAlg{Orchard}$ specified in \crossref{abstractcommit} is +instantiated as follows using $\HomomorphicPedersenCommit{}$ on the \pallasCurve: +\begin{formulae} + \item $\ValueCommit{Orchard}{\ValueCommitRand}(\Value) := + \HomomorphicPedersenCommit{\ValueCommitRand}(\ascii{z.cash:Orchard-cv}, \Value)$. 
+\end{formulae} +\vspace{-1ex} +which is equivalent to: +\begin{formulae} + \item $\ValueCommit{Orchard}{\ValueCommitRand}(\Value) := \scalarmult{\Value}{\ValueCommitValueBase{Orchard}} + + \scalarmult{\ValueCommitRand}{\ValueCommitRandBase{Orchard}}$. +\end{formulae} +} %orchard + \begin{securityrequirements} \item $\HomomorphicPedersenCommitAlg$ must be a computationally binding and at least - computationally hiding \commitmentScheme, for a given personalization input $D$. - \item $\ValueCommitAlg$ must be a computationally binding and at least - computationally hiding \commitmentScheme. + computationally hiding \commitmentScheme\orchard{ on both curves}, for a given personalization + input $D$. + \item $\ValueCommitAlg{Sapling}$\orchard{ and $\ValueCommitAlg{Orchard}$} must be\notorchard{ a} computationally + binding and at least computationally hiding \notorchard{\commitmentScheme}\notbeforeorchard{\commitmentSchemes}. \end{securityrequirements} (They are in fact unconditionally hiding \commitmentSchemes.) -} +} %sapling \orchard{ 
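Review bot: The instantiation formulae for the value commitment schemes do not use the two-argument forms that this hunk introduces: the Sapling item reads `\ValueCommitAlg{\ValueCommitRand}(\Value) := \HomomorphicPedersenCommit{\ValueCommitRand}(\ascii{Zcash\_cv}, \Value)` although `\HomomorphicPedersenCommit` is defined a few lines above as `\HomomorphicPedersenCommit{Sapling}{\ValueCommitRand}(D, \Value)` and `\ValueCommitAlg` now takes the scheme name, and the Orchard item has the same shape. I would write `\item $\ValueCommit{Sapling}{\ValueCommitRand}(\Value) := \HomomorphicPedersenCommit{Sapling}{\ValueCommitRand}(\ascii{Zcash\_cv}, \Value)$.` and `\item $\ValueCommit{Orchard}{\ValueCommitRand}(\Value) := \HomomorphicPedersenCommit{Orchard}{\ValueCommitRand}(\ascii{z.cash:Orchard-cv}, \Value)$.`, so the curve each commitment lives on is fixed by the formula itself and not only by the surrounding prose. Separately, the `\orchard{` guard around the two Orchard rows of the bases table is commented out (`%\orchard{`), so those rows appear in every build; if a row-level conditional cannot be used inside `tabular`, a short comment saying so would save the next editor from re-enabling it.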
@@ -8346,19 +8657,29 @@ and adding a randomized point on the \pallasCurve (see \crossref{pallasandvesta} See \todo{...} for rationale and efficient circuit implementation of this function. -The commitment scheme $\NoteCommitOrchard{}$ specified in \crossref{abstractcommit} is +The commitment scheme $\NoteCommitAlg{Orchard}$ specified in \crossref{abstractcommit} is instantiated as follows using $\SinsemillaCommitAlg$: \begin{formulae} - \item $\NoteCommitOrchard{\NoteCommitRand}(\DiversifiedTransmitBaseRepr, \DiversifiedTransmitPublicRepr, \Value) := - \SinsemillaCommit{\NoteCommitRand}\left(\ascii{z.cash:NoteCommitOrchard}, + \item $\NoteCommit{Orchard}{\NoteCommitRand}(\DiversifiedTransmitBaseRepr, \DiversifiedTransmitPublicRepr, \Value) := + \SinsemillaCommit{\NoteCommitRand}\left(\ascii{z.cash:Orchard-NoteCommit}, \DiversifiedTransmitBaseRepr \bconcat \DiversifiedTransmitPublicRepr \bconcat \ItoLEBSPOf{64}{\Value}\right)$ - \item $\NoteCommitOrchardGenTrapdoor()$ generates the uniform distribution on $\GF{\ParamP{r}}$. + \item $\NoteCommitGenTrapdoor{Orchard}()$ generates the uniform distribution on $\GF{\ParamP{r}}$. +\end{formulae} + +The commitment scheme $\CommitIvkAlg$ specified in \crossref{abstractcommit} is +instantiated as follows using $\SinsemillaCommitAlg$: + +\begin{formulae} + \item $\CommitIvk{\CommitIvkRand}(\AuthSignPublicX, \NullifierKey) := + \SinsemillaCommit{\NoteCommitRand}\left(\ascii{z.cash:Orchard-CommitIvk}, + \AuthSignPublicXRepr \bconcat \NullifierKeyRepr\right)$ + \item $\CommitIvkGenTrapdoor()$ generates the uniform distribution on $\GF{\ParamP{r}}$. \end{formulae} \vspace{-1ex} \begin{securityrequirements} - \item $\SinsemillaCommitAlg$, and hence $\NoteCommitOrchardAlg$, must be + \item $\SinsemillaCommitAlg$, and hence $\NoteCommitAlg{Orchard}$ and $\CommitIvkAlg$, must be computationally binding and at least computationally hiding \commitmentSchemes. \end{securityrequirements} 
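Review bot: The new `\CommitIvk` instantiation opens the commitment with a different trapdoor from the one it is parameterised by: the left-hand side is `\CommitIvk{\CommitIvkRand}(\AuthSignPublicX, \NullifierKey)` while the right-hand side is `\SinsemillaCommit{\NoteCommitRand}\left(...\right)`. It should read `\SinsemillaCommit{\CommitIvkRand}\left(\ascii{z.cash:Orchard-CommitIvk}, \AuthSignPublicXRepr \bconcat \NullifierKeyRepr\right)`; otherwise the definition never binds the randomness that `\CommitIvkGenTrapdoor()` samples in the next item, and the hiding property claimed for the committed incoming viewing key in the security requirement rests on a variable that is not an input to the function.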
@@ -8366,10 +8687,10 @@ instantiated as follows using $\SinsemillaCommitAlg$: (They are in fact unconditionally hiding \commitmentSchemes.) \begin{pnotes} - \item $\MerkleCRHOrchard$ is also defined in terms of $\SinsemillaHashToPoint$ + \item $\MerkleCRH{Orchard}$ is also defined in terms of $\SinsemillaHashToPoint$ (see \crossref{merklecrh}). \todo{discuss layer prefix, if needed} - \item The arguments to $\NoteCommitOrchard{}$ are the same order as their encodings in - the input to $\SinsemillaCommit{}$; this is different to $\NoteCommitSapling{}$. + \item The arguments to $\NoteCommitAlg{Orchard}$ are the same order as their encodings in + the input to $\SinsemillaCommit{}$; this is different to $\NoteCommitAlg{Sapling}$. \end{pnotes} } %orchard @@ -8780,9 +9101,9 @@ other conditions on points, for example that they have order at least $\ParamJ{r \vspace{-2ex} Let $\Selectu\Of{(u, \varv)} = u$ and let $\Selectv\Of{(u, \varv)} = \varv$. -Define $\ExtractJ \typecolon \SubgroupJ \rightarrow \MerkleHashSapling$ by +Define $\ExtractJ \typecolon \SubgroupJ \rightarrow \MerkleHash{Sapling}$ by \begin{formulae} - \item $\ExtractJ(P) := \ItoLEBSPOf{\MerkleHashLengthSapling}{\Selectu\Of{P}}$. + \item $\ExtractJ(P) := \ItoLEBSPOf{\MerkleHashLength{Sapling}}{\Selectu\Of{P}}$. \end{formulae} \vspace{-2ex} @@ -8827,7 +9148,7 @@ $\Selectu$ is injective on points in $\SubgroupJ$. \end{proof} \vspace{-1ex} -Since $\ItoLEBSP{\MerkleHashLengthSapling}$ is injective, it follows that +Since $\ItoLEBSP{\MerkleHashLength{Sapling}}$ is injective, it follows that $\ExtractJ$ is injective on $\SubgroupJ$. } 
@@ -8870,7 +9191,7 @@ The hash $\GroupJHash{\URS}(D, M) \typecolon \SubgroupJstar$ is calculated as fo \vspace{-1ex} \begin{pnotes} \vspace{-0.5ex} - \item The use of $\GroupJHash{\URS}$ for $\DiversifyHashSapling$ and to generate independent bases + \item The use of $\GroupJHash{\URS}$ for $\DiversifyHash{Sapling}$ and to generate independent bases needs a random oracle (for inputs on which $\GroupJHash{\URS}$ does not return $\bot$); here we show that it is sufficient to employ a simpler random oracle instantiated by $\vphantom{a^b}\BlakeTwos{256}$ in the security analysis. @@ -8989,9 +9310,9 @@ represents a point on the curve. \vspace{-2ex} Let $\Selectx\Of{(x, y)} = x$ and let $\Selectx\Of{\ZeroP} = 0$. -Define $\ExtractP \typecolon \GroupP \rightarrow \MerkleHashOrchard$ by +Define $\ExtractP \typecolon \GroupP \rightarrow \MerkleHash{Orchard}$ by \begin{formulae} - \item $\ExtractP(P) := \ItoLEBSPOf{\MerkleHashLengthOrchard}{\Selectx\Of{P}}$. + \item $\ExtractP(P) := \ItoLEBSPOf{\MerkleHashLength{Orchard}}{\Selectx\Of{P}}$. \end{formulae} @@ -9100,7 +9421,7 @@ The hash $\GroupPHash(D, M) \typecolon \GroupPstar$ is calculated as follows: \end{algorithm} \pnote{ -The use of $\GroupPHash$ for $\DiversifyHashOrchard$ and to generate independent bases +The use of $\GroupPHash$ for $\DiversifyHash{Orchard}$ and to generate independent bases needs a random oracle, which the \texttt{hash\_to\_curve} algorithm in \cite{ID-hashtocurve} is designed to provide given that the BLAKE2-based XOF satisfies the requirements of \cite[section 5.5.4]{ID-hashtocurve}. The security of the Brier et al.\ construction on 
@@ -9292,7 +9613,7 @@ Each \notsprout{\Sprout} \notePlaintext (denoted $\NotePlaintext{}$) consists of \begin{formulae} \item $(\changed{\NotePlaintextLeadByte \typecolon \byte,\ } \Value \typecolon \ValueType, \NoteAddressRand \typecolon \PRFOutputSprout, -\NoteCommitRand \typecolon \NoteCommitSproutOutput\changed{, \Memo \typecolon \MemoType})$ +\NoteCommitRand \typecolon \NoteCommitOutput{Sprout}\changed{, \Memo \typecolon \MemoType})$ \end{formulae} \saplingonward{ @@ -9451,7 +9772,7 @@ The \rawEncoding of a P2PKH address consists of: instead.) \item $20$ bytes specifying a \validatingKey hash, which is a RIPEMD-160 hash \cite{RIPEMD160} of a SHA-256 hash \cite{NIST2015} - of a compressed ECDSA key encoding. + of a compressed \ECDSA key encoding. \end{itemize} \vspace{-2ex} @@ -9476,13 +9797,13 @@ for both \Mainnet and \Testnet. \lsubsubsection{\SproutOrNothingText{} Payment Addresses}{sproutpaymentaddrencoding} -Let $\KASprout$ be as defined in \crossref{concretesproutkeyagreement}. +Let $\KA{Sprout}$ be as defined in \crossref{concretesproutkeyagreement}. A \SproutOrNothing{} \defining{\paymentAddress} consists of $\AuthPublic \typecolon \PRFOutputSprout$ -and $\TransmitPublic \typecolon \KASproutPublic$. +and $\TransmitPublic \typecolon \KAPublic{Sprout}$. $\AuthPublic$ is a \shaCompress output. -$\TransmitPublic$ is a $\KASproutPublic$ key, for use with the encryption scheme defined in +$\TransmitPublic$ is a $\KAPublic{Sprout}$ key, for use with the encryption scheme defined in \crossref{sproutinband}. These components are derived from a \spendingKey as described in \crossref{sproutkeycomponents}. 
@@ -9523,13 +9844,13 @@ cause the first two characters of the Base58Check encoding to be fixed as \sapling{ \lsubsubsection{\SaplingText{} Payment Addresses}{saplingpaymentaddrencoding} -Let $\KASapling$ be as defined in \crossref{concretesaplingkeyagreement}. +Let $\KA{Sapling}$ be as defined in \crossref{concretesaplingkeyagreement}. A \Sapling{} \defining{\paymentAddress} consists of $\Diversifier \typecolon \DiversifierType$ -and $\DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeSubgroup$. +and $\DiversifiedTransmitPublic \typecolon \KAPublicPrimeSubgroup{Sapling}$. -$\DiversifiedTransmitPublic$ is an encoding of a $\KASapling$ \publicKey of type -$\KASaplingPublicPrimeSubgroup$, for use with the encryption scheme defined in +$\DiversifiedTransmitPublic$ is an encoding of a $\KA{Sapling}$ \publicKey of type +$\KAPublicPrimeSubgroup{Sapling}$, for use with the encryption scheme defined in \crossref{saplinginband}. $\Diversifier$~is a sequence of $11$ bytes. These components are derived as described in \crossref{saplingkeycomponents}. @@ -9566,13 +9887,13 @@ For addresses on \Testnet, the \humanReadablePart is \ascii{ztestsapling}. \lsubsubsection{\SproutOrNothingText{} Incoming Viewing Keys}{sproutinviewingkeyencoding} \changed{ -Let $\KASprout$ be as defined in \crossref{concretesproutkeyagreement}. +Let $\KA{Sprout}$ be as defined in \crossref{concretesproutkeyagreement}. \sprout{An}\notsprout{A \Sprout} \defining{\incomingViewingKey} consists of $\AuthPublic \typecolon \PRFOutputSprout$ and -$\TransmitPrivate \typecolon \KASproutPrivate$. +$\TransmitPrivate \typecolon \KAPrivate{Sprout}$. $\AuthPublic$ is a \shaCompress output. -$\TransmitPrivate$ is a $\KASproutPrivate$ key, for use with the encryption scheme defined in +$\TransmitPrivate$ is a $\KAPrivate{Sprout}$ key, for use with the encryption scheme defined in \crossref{sproutinband}. These components are derived from a \spendingKey as described in \crossref{sproutkeycomponents}. 
@@ -9605,11 +9926,11 @@ The \rawEncoding of \sprout{an}\notsprout{a \Sprout} \incomingViewingKey consist of a $\KASproutCurve$ \privateKey \cite{Bernstein2006}. \end{itemize} -$\TransmitPrivate$ \MUST be ``clamped'' using $\KASproutFormatPrivate$ as specified +$\TransmitPrivate$ \MUST be ``clamped'' using $\KAFormatPrivate{Sprout}$ as specified in \crossref{sproutkeycomponents}. That is, a decoded \incomingViewingKey{} \MUST be -considered invalid if $\TransmitPrivate \neq \KASproutFormatPrivate(\TransmitPrivate)$. +considered invalid if $\TransmitPrivate \neq \KAFormatPrivate{Sprout}(\TransmitPrivate)$. -$\KASproutFormatPrivate$ is defined in \crossref{concretesproutkeyagreement}. +$\KAFormatPrivate{Sprout}$ is defined in \crossref{concretesproutkeyagreement}. \pnote{ For addresses on \Mainnet, the lead bytes and encoded length @@ -9621,13 +9942,13 @@ cause the first four characters of the Base58Check encoding to be fixed as \sapling{ \lsubsubsection{\SaplingText{} Incoming Viewing Keys}{saplinginviewingkeyencoding} -Let $\KASapling$ be as defined in \crossref{concretesaplingkeyagreement}. +Let $\KA{Sapling}$ be as defined in \crossref{concretesaplingkeyagreement}. -Let $\InViewingKeyLengthSapling$ be as defined in \crossref{constants}. +Let $\InViewingKeyLength{Sapling}$ be as defined in \crossref{constants}. -A \Sapling{} \defining{\incomingViewingKey} consists of $\InViewingKey \typecolon \InViewingKeyTypeSapling$. +A \Sapling{} \defining{\incomingViewingKey} consists of $\InViewingKey \typecolon \InViewingKeyType{Sapling}$. -$\InViewingKey$ is a $\KASaplingPrivate$ key (restricted to $\InViewingKeyLengthSapling$ bits), +$\InViewingKey$ is a $\KAPrivate{Sapling}$ key (restricted to $\InViewingKeyLength{Sapling}$ bits), derived as described in \crossref{saplingkeycomponents}. It is used with the encryption scheme defined in \crossref{saplinginband}. 
@@ -9646,7 +9967,7 @@ The \rawEncoding of a \Sapling{} \incomingViewingKey consists of: significant bits. \end{itemize} -$\InViewingKey$ \MUST be in the range $\InViewingKeyTypeSapling$ as specified +$\InViewingKey$ \MUST be in the range $\InViewingKeyType{Sapling}$ as specified in \crossref{saplingkeycomponents}. That is, a decoded \incomingViewingKey{} \MUST be considered invalid if $\InViewingKey$ is not in this range. @@ -9658,7 +9979,7 @@ For \incomingViewingKeys on \Testnet, the \humanReadablePart is \ascii{zivktests \sapling{ \lsubsubsection{\SaplingText{} Full Viewing Keys}{saplingfullviewingkeyencoding} -Let $\KASapling$ be as defined in \crossref{concretesaplingkeyagreement}. +Let $\KA{Sapling}$ be as defined in \crossref{concretesaplingkeyagreement}. A \Sapling{} \defining{\fullViewingKey} consists of $\AuthSignPublic \typecolon \SubgroupJstar$, $\NullifierKey \typecolon \SubgroupJ$, and $\OutViewingKey \typecolon \byteseq{\OutViewingKeyLength/8}$. @@ -9960,7 +10281,7 @@ $\geq 1$ & $4$ & $\lockTime$ & \type{uint32} & A Unix epoch time (UTC) or \block $\geq 3$ & $4$ & $\nExpiryHeight$ & \type{uint32} & A \blockHeight in the range $\range{1}{499999999}$ after which the \transaction will expire, or $0$ to disable expiry (\smash{\cite{ZIP-203}}). \\ \hline -$\geq 4$ & $8$ & $\valueBalance$ & \type{int64} & The net value of \Sapling{} \spendTransfers minus \outputTransfers. \\ \hline +$\geq 4$ & $8$ & $\valueBalance{Sapling}$ & \type{int64} & The net value of \Sapling{} \spendTransfers minus \outputTransfers. \\ \hline $\geq 4$ & \Varies & $\nShieldedSpend$ & \compactSize & The number of \spendDescriptions in $\vShieldedSpend$. \\ \hline 
@@ -9997,7 +10318,7 @@ $\geq 2\;\dagger$ & $64$ & $\joinSplitSig$ & \type{char[64]} & A signature on a to be verified using $\joinSplitPubKey$. \\ \hline \notsprout{ -\setsapling $\geq 4\;\ddagger$ &\setsapling $64$ &\setsapling $\bindingSig$ &\textcolor{\saplingcolor}{\type{char[64]}} &\setsapling A signature on the \sighashTxHash, to be verified +\setsapling $\geq 4\;\ddagger$ &\setsapling $64$ &\setsapling $\bindingSig{Sapling}$ &\textcolor{\saplingcolor}{\type{char[64]}} &\setsapling A signature on the \sighashTxHash, to be verified as specified in \crossref{concretebindingsig}. \\ \hline } %notsprout \end{tabularx} @@ -10010,7 +10331,7 @@ $\versionField \geq 2$ and $\nJoinSplit > 0$. The encoding of $\joinSplitPubKey$ the data to be signed are specified in \crossref{sproutnonmalleability}. \sapling{ -$\ddagger$ The \bindingSig{} field is present if and only if +$\ddagger$ The \bindingSig{Sapling} field is present if and only if $\versionField \geq 4$ and $\nShieldedSpend + \nShieldedOutput > 0$. } %sapling \sprout{\vspace{3ex}} @@ -10024,6 +10345,9 @@ $\versionField \geq 4$ and $\nShieldedSpend + \nShieldedOutput > 0$. be $\hexint{03C48270}$.} \saplingonwarditem{The \transactionVersionNumber{} \MUST be $4$ and the \versionGroupID{} \MUST be $\hexint{892F2085}$.} + \orchardonwarditem{The \transactionVersionNumber{} \MUST be $4$ or $5$. + If the \transactionVersionNumber{} is $4$ then the \versionGroupID{} \MUST be $\hexint{892F2085}$. + If the \transactionVersionNumber{} is $5$ then the \versionGroupID{} \MUST be \todo{}}. \presaplingitem{The encoded size of the \transaction{} \MUST be less than or equal to $100000$ bytes.} \presaplingitem{If $\versionField = 1$ or $\nJoinSplit = 0$, then both \txInCount{} and \txOutCount{} \MUST be nonzero.\!} 
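Review bot: In the `\orchardonwarditem` added to the transaction consensus rules, the closing period falls outside the item's argument: `\MUST be \todo{}}.` should be `\MUST be \todo{}.}`, otherwise the period is typeset after the item and, if `\orchardonwarditem` expands to nothing in non-Orchard builds, is left behind as a stray character. The new item also states that the version number MUST be 4 or 5 while the `\saplingonwarditem` immediately above it continues to state that it MUST be 4; if both items render in the same build they contradict each other, so the earlier item presumably needs a `\notorchard`-style guard or the two should be merged.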
@@ -10031,7 +10355,7 @@ $\versionField \geq 4$ and $\nShieldedSpend + \nShieldedOutput > 0$. \saplingonwarditem{At least one of \txOutCount, \nShieldedOutput, and \nJoinSplit{} \MUST be nonzero.} \item A \transaction with one or more \transparent inputs from \coinbaseTransactions{} \MUST have no \transparent outputs (i.e.\ \txOutCount{} \MUST be $0$). Inputs from - \coinbaseTransactions include \foundersReward outputs. + \coinbaseTransactions include \foundersReward outputs and \fundingStream outputs. \item If $\versionField \geq 2$ and $\nJoinSplit > 0$, then: \begin{itemize} \item \joinSplitPubKey{} \MUST be a valid encoding (see \crossref{concretejssig}) of 
@@ -10043,16 +10367,28 @@ $\versionField \geq 4$ and $\nShieldedSpend + \nShieldedOutput > 0$. \saplingonwarditem{If $\versionField \geq 4$ and $\nShieldedSpend + \nShieldedOutput > 0$, then: \begin{itemize} - \item let $\BindingPublic$ and $\SigHash$ be as defined in \crossref{bindingsig}; - \item \bindingSig{} \MUST represent a valid signature under the \txBindingValidatingKey - $\BindingPublic$ of $\SigHash$ --- - i.e.\ $\BindingSigValidate{\BindingPublic}(\SigHash, \bindingSig) = 1$. + \item let $\BindingPublic$ and $\SigHash$ be as defined in \crossref{saplingbalance}; + \item \bindingSig{Sapling} \MUST represent a valid signature under the \txBindingValidatingKey + $\BindingPublic{Sapling}$ of $\SigHash$ --- + i.e.\ $\BindingSigValidate{Sapling}{\BindingPublic{Sapling}}(\SigHash, \bindingSig{Sapling}) = 1$. \end{itemize}} \vspace{-1ex} \saplingonwarditem{If $\versionField \geq 4$ and $\nShieldedSpend + \nShieldedOutput = 0$, - then $\valueBalance$ \MUST be $0$.} + then $\valueBalance{Sapling}$ \MUST be $0$.} + \orchardonwarditem{If $\versionField \geq 5$ and $\nShieldedAction > 0$, + then: + \begin{itemize} + \item let $\BindingPublic$ and $\SigHash$ be as defined in \crossref{orchardbalance}; + \item \bindingSig{Orchard} \MUST represent a valid signature under the \txBindingValidatingKey + $\BindingPublic{Orchard}$ of $\SigHash$ --- + i.e.\ $\BindingSigValidate{Orchard}{\BindingPublic{Orchard}}(\SigHash, \bindingSig{Orchard}) = 1$. 
+ \end{itemize}} + \vspace{-1ex} + \saplingonwarditem{If $\versionField \geq 5$ and $\nShieldedAction = 0$, + then $\valueBalance{Orchard}$ \MUST be $0$.} \item The total amount of \transparentOutputs from a \coinbaseTransaction,\heartwood{ minus - the amount of the $\valueBalance$ field if present,} \MUSTNOT be greater than the + the amount of the $\valueBalance{Sapling}$ field if present,}\orchard{ minus the amount + of the $\valueBalance{Orchard}$ field if present,} \MUSTNOT be greater than the amount of \minerSubsidy plus the total amount of \transactionFees paid by \transactions in this \block. \notheartwood{ @@ -10061,7 +10397,7 @@ $\versionField \geq 4$ and $\nShieldedSpend + \nShieldedOutput > 0$. } \notbeforeheartwood{ \item A \coinbaseTransaction{} \MUSTNOT have any - \joinSplitDescriptions\sapling{ or \spendDescriptions}. + \joinSplitDescriptions\sapling{ or \spendDescriptions}\orchard{ or \actionDescriptions}. \preheartwooditem{\sapling{A \coinbaseTransaction also \MUSTNOT have any \outputDescriptions.}} } \item A \coinbaseTransaction for a \block at \blockHeight greater than $0$ \MUST have a script 
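Review bot: The second Orchard balance rule is wrapped in the wrong conditional: `\saplingonwarditem{If $\versionField \geq 5$ and $\nShieldedAction = 0$, then $\valueBalance{Orchard}$ \MUST be $0$.}` refers to Orchard-only fields yet would be emitted in a Sapling-only build, unlike the `\orchardonwarditem` directly above it; it should read `\orchardonwarditem{If $\versionField \geq 5$ and $\nShieldedAction = 0$, then $\valueBalance{Orchard}$ \MUST be $0$.}`. The introductory clauses `let $\BindingPublic$ and $\SigHash$ be as defined in ...` in both the Sapling and Orchard items still use the bare `\BindingPublic`, while the rule text uses `\BindingPublic{Sapling}` and `\BindingPublic{Orchard}`; naming the instantiated key in the let-clause as well would keep the two consistent. The enclosing itemize of consensus rules starts before this hunk.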
@@ -10133,10 +10469,12 @@ each \spendDescription (\crossref{spendencoding}), and each \outputDescription ( as specified in \cite{BIP-68}. \Zcash was forked from \Bitcoin v0.11.2 and does not currently support BIP 68. \saplingonwarditem{As a consequence of \coinbaseTransactions having no - \spendDescriptions\notheartwood{ or \outputDescriptions}, the $\valueBalance$ field of a - \coinbaseTransaction must have a\heartwood{ negative or} zero value. + \spendDescriptions\notheartwood{ or \outputDescriptions}, the $\valueBalance{Sapling}$ + field of a \coinbaseTransaction must have a\heartwood{ negative or} zero value. \heartwood{The negative case can only occur after \Heartwood activation, for \transactions with \cite{ZIP-213} \shieldedOutputs.}} + \orchardonwarditem{As a consequence of \todo{} (which has the effect of disabling \Orchard spends), + the $\valueBalance{Orchard}$ field of a \coinbaseTransaction must have a negative or zero value.} \heartwood{ \item Prior to the \Heartwood{} \networkUpgrade, it was not possible for \coinbaseTransactions to have \shielded outputs, and therefore the ``coinbase maturity'' rule and the requirement 
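Review bot: The new `\orchardonwarditem` says the `$\valueBalance{Orchard}$` field of a coinbase transaction must have a negative or zero value, but the rules added in the preceding hunk state that a coinbase transaction MUSTNOT have any `\actionDescriptions` and that `$\valueBalance{Orchard}$` MUST be $0$ when `$\nShieldedAction = 0$`; taken together those force the field to be exactly zero, so "negative or zero" does not follow from them. Either the coinbase rule is meant to forbid only Orchard spends, in which case the `\todo{}` should name that mechanism and the `\actionDescriptions` exclusion in the coinbase rule needs revisiting, or this item should say `must have a zero value`. Because the subsidy check in the preceding hunk subtracts the `$\valueBalance{Orchard}$` amount when present, which of the two is intended determines how much value a coinbase transaction may move into the Orchard pool, so the statements should be reconciled rather than left to a later pass.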
@@ -10161,15 +10499,17 @@ The changes relative to \Bitcoin version $1$ \transactions as described in \cite have been added. \overwinteronwarditem{The $\nVersionGroupId$ field has been added.} \saplingonwarditem{The $\nShieldedSpend$, $\vShieldedSpend$, $\nShieldedOutput$, $\vShieldedOutput$, - and $\bindingSig$ fields have been added.} + and $\bindingSig{Sapling}$ fields have been added.} + \orchardonwarditem{The $\nShieldedAction$, $\vShieldedAction$, and $\bindingSig{Orchard}$ fields + have been added.} \sprout{ \item In \Zcash it is permitted for a \transaction to have no \transparent inputs provided that $\nJoinSplit > 0$. } %sprout \notsprout{ \item In \Zcash it is permitted for a \transaction to have no \transparent inputs, provided - at least one of $\nJoinSplit$\sapling{, $\nShieldedSpend$, and $\nShieldedOutput$} - are nonzero. + at least one of $\nJoinSplit$\sapling{, $\nShieldedSpend$,\notorchard{ and} + $\nShieldedOutput$}\orchard{, and $\nShieldedAction$} are nonzero. } %notsprout \item A consensus rule limiting \transaction size has been added. In \Bitcoin there is a corresponding standard rule but no consensus rule. @@ -11093,7 +11433,7 @@ Stream & Numerator & Denominator & Start height & End height \ \begin{pnotes} \item The \blockHeights of \halvings are different between \Testnet and \Mainnet, as a result of different \activationHeights for the \Blossom \networkUpgrade (which - changed the \blockTargetSpacing). The end height of these funding streams + changed the \blockTargetSpacing). The end height of these \fundingStreams corresponds to the second \halving on each network. \item On \Testnet, the \activationHeight of \Canopy is before the first \halving. Therefore, the consequence of the above rules for \Testnet is that the amount sent 
@@ -11372,9 +11712,9 @@ who does not know these keys. In \Sapling, uniqueness of $\NoteAddressRand$ is ensured by making it dependent on the position of the \noteCommitment in the \Sapling{} \noteCommitmentTree. Specifically, -$\NoteAddressRand = \cm + \scalarmult{\NotePosition}{\NotePositionBase}$, -where $\NotePositionBase$ is a generator independent of the generators -used in $\NoteCommitSaplingAlg$. Therefore, $\NoteAddressRand$ commits uniquely +$\NoteAddressRand = \cm + \scalarmult{\NotePosition}{\NotePositionBaseSapling}$, +where $\NotePositionBaseSapling$ is a generator independent of the generators +used in $\NoteCommitAlg{Sapling}$. Therefore, $\NoteAddressRand$ commits uniquely to the \note and its position, and this commitment is \collisionResistant by the same argument used to prove \collisionResistance of \xPedersenHashes. Note that it is possible for two distinct \Sapling{} \positionedNotes (having @@ -11674,8 +12014,8 @@ distinct openings of the \noteCommitment when Condition I or II is violated. $(\AuthPublic, \Value, \NoteAddressRand, \NoteCommitRand)$. The instantiation of $\Commit{\NoteCommitS}$ in section 5.1 of the paper did not actually use $\NoteCommitS$, and neither does the new - instantiation of $\NoteCommitSprout{}$ in \SproutOrZcash. $\TransmitPublic$ is also - not needed as part of a \note: it is not an input to $\NoteCommitSprout{}$ nor + instantiation of $\NoteCommit{Sprout}{}$ in \SproutOrZcash. $\TransmitPublic$ is also + not needed as part of a \note: it is not an input to $\NoteCommit{Sprout}{}$ nor is it constrained by the \Zerocash \POUR{} \statement or the \Zcash{} \joinSplitStatement. $\cm$ can be computed from the other fields. \sapling{(The definition of \notes for \Sapling is different again.)} 
@@ -11794,7 +12134,12 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \historyentry{2021.1.17}{} \begin{itemize} +\orchard{ \item Work in progress for \Orchard specification. +} %orchard + \item In the consensus rule that a \transaction with one or more \transparent inputs from + \coinbaseTransactions{} \MUST have no \transparent outputs, explicitly say that inputs + from \coinbaseTransactions include \fundingStream outputs. \end{itemize} @@ -11868,12 +12213,12 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \historyentry{2020.1.13}{2020-08-11} \begin{itemize} \sapling{ - \item Rename the type of \Sapling \transmissionKeys from $\KASapling\mathsf{.PublicPrimeOrder}$ - to $\KASaplingPublicPrimeSubgroup$. This type is defined as $\SubgroupJ$, which reflects + \item Rename the type of \Sapling \transmissionKeys from $\KA{Sapling}\mathsf{.PublicPrimeOrder}$ + to $\KAPublicPrimeSubgroup{Sapling}$. This type is defined as $\SubgroupJ$, which reflects the implementation in \zcashd (subject to the next point below); it was never enforced that a \transmissionKey ($\DiversifiedTransmitPublic$) cannot be $\ZeroJ$. \item Add a non-normative note saying that \zcashd does not fully conform to the requirement - to treat \transmissionKeys not in $\KASaplingPublicPrimeSubgroup$ as invalid when importing + to treat \transmissionKeys not in $\KAPublicPrimeSubgroup{Sapling}$ as invalid when importing \paymentAddresses. } %sapling \canopy{ 
@@ -11952,7 +12297,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \item Specify that \shieldedOutputs of \coinbaseTransactions \MUST use v2 \notePlaintexts after \Canopy activation. \item Correct a bug in \crossref{saplingdecryptovk}: $\EphemeralPrivate$ is only to be checked - against $\ToScalar\big(\PRFexpand{\NoteSeedBytes}([4])\kern-0.11em\big)$ + against $\ToScalar{}\big(\PRFexpand{\NoteSeedBytes}([4])\kern-0.11em\big)$ when $\NotePlaintextLeadByte \neq \hexint{01}$. } %canopy \end{itemize} @@ -12374,7 +12719,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. in sapling-crypto. \item Minor correction to the non-normative note in \crossref{cctrange}. \item Clarify the non-normative note in \crossref{abstractcommit} about - the definitions of $\ValueCommitOutput$ and $\NoteCommitSaplingOutput$. + the definitions of $\ValueCommitOutput{Sapling}$ and $\NoteCommitOutput{Sapling}$. \item Clarify that the signer of a \spendAuthSignature is supposed to choose the \spendAuthRandomizer, $\AuthSignRandomizer$, itself. Only step 4 in the procedure in \crossref{spendauthsig} may securely be delegated. @@ -12459,7 +12804,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \item No changes to \Sprout. \sapling{ \item Add a missing consensus rule for version 4 \transactions: if there are - no \Sapling Spends or Outputs, then $\valueBalance$ \MUST be $0$. + no \Sapling Spends or Outputs, then $\valueBalance{Sapling}$ \MUST be $0$. } %sapling \end{itemize} 
@@ -12512,7 +12857,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \item Briefly describe the changes to computation of \sighashTxHashes\notsprout{ in \Sprout}. \item Clarify that interstitial \treestates form a tree for each \transaction containing \joinSplitDescriptions. \item Correct the description of P2PKH addresses in \crossref{transparentaddrencoding} --- they - use a hash of a compressed, not an uncompressed ECDSA key representation. + use a hash of a compressed, not an uncompressed \ECDSA key representation. \item Clarify the wording of the caveat\footnoteref{securitycaveat} about the claimed security of shielded \transactions. \item Correct the definition of set difference ($S \setminus T$). @@ -12536,7 +12881,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \item Add consensus rules that $\cv$ in a \spendDescription, and $\cv$ and $\EphemeralPublic$ in an \outputDescription, are not of small order. Exclude $0$ from the range of $\EphemeralPrivate$ when encrypting \Sapling notes. - \item Add a consensus rule that $\valueBalance$ is in the range $\range{-\MAXMONEY}{\MAXMONEY}$. + \item Add a consensus rule that $\valueBalance{Sapling}$ is in the range $\range{-\MAXMONEY}{\MAXMONEY}$. \item Enforce stronger constraints on the types of key components $\DiversifiedTransmitPublic$, $\AuthSignPublic$, and $\NullifierKey$. \item Correct the conformance rule for \fOverwintered{} (it must not be set before \Overwinter has 
@@ -12558,7 +12903,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \item Clarify that the $\possqrt{a}$ notation refers to the positive square root. (This matters for the conversion in \crossref{cctconversion}.) \item Model the group hash as a random oracle. This appears to be unavoidable in order to allow - proving unlinkability of $\DiversifyHashSapling$. Explain how this relates to the Discrete Logarithm + proving unlinkability of $\DiversifyHash{Sapling}$. Explain how this relates to the Discrete Logarithm Independence assumption used previously, and justify this modelling by showing that it follows from treating $\BlakeTwos{256}$ as a random oracle in the instantiation of $\GroupJHash{}$. 
@@ -12590,15 +12935,15 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \item Correct the order of arguments to $\RedDSARandomizePrivate$ and $\RedDSARandomizePublic$. \item Correct a reference to $\RedDSARandomizePrivate$ that was intended to be $\RedDSARandomizePublic$. - \item Fix the description of the \balancingValue in \crossref{saplingbalance}. + \item Fix the description of the \saplingBalancingValue in \crossref{saplingbalance}. \item Correct a type error in \crossref{concretegrouphashjubjub}. \item Correct a type error in $\RedDSASign{}$ in \crossref{concreteredjubjub}. - \item Ensure $\AuthSignBaseSapling$ is defined in \crossref{concretespendauthsig}. + \item Ensure $\AuthSignBase{Sapling}$ is defined in \crossref{concretespendauthsig}. \item Make the \validatingKey prefix part of the input to the \hashFunction in $\RedDSA$, not part of the message. \item Correct the statement about $\FindGroupJHash$ never returning $\bot$. \item Correct an error in the computation of generators for \xPedersenHashes. - \item Change the order in which $\NoteCommitSapling{}$ commits to its inputs, to match the + \item Change the order in which $\NoteCommitAlg{Sapling}$ commits to its inputs, to match the sapling-crypto implementation. \item Fail \Sapling key generation if $\InViewingKey = 0$. (This has negligible probability.) \item Change the notation $\RedDSAHash^{\star}$ to $\RedDSAHashToScalar$ in \crossref{concreteredjubjub}, 
@@ -12626,9 +12971,9 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \sapling{ \item Clarify the security argument for balance in \Sapling. \item Correct a subtle problem with the type of the value input to - $\ValueCommit{}$: although it is only directly used to commit to + $\ValueCommitAlg{Sapling}$: although it is only directly used to commit to values in $\ValueType$, the security argument depends on a sum - of commitments being binding on $\ValueCommitType$. + of commitments being binding on $\ValueCommitType{Sapling}$. \item Fix the loss of tightness in the use of $\PRFnfSapling{}$ by specifying the keyspace more precisely. \item Correct type ambiguities for $\NoteAddressRand$. @@ -12657,7 +13002,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. in network protocol version $170004$. \item Give references \cite{Vercauter2009} and \cite{AKLGL2010} for the optimal ate pairing. \item Give references for\notsprout{ BLS \cite{BLS2002} and} BN \cite{BN2005} curves. - \item Define $\KASproutDerivePublic$ for $\KASproutCurve$. + \item Define $\KADerivePublic{Sprout}$ for $\KASproutCurve$. \item Caveat the claim about \noteTraceabilitySet in \crossref{overview} and link to \cite{Peterson2017} and \cite{Quesnelle2017}. \item Do not require a generator as part of the specification of a \representedGroup; 
@@ -12667,10 +13012,10 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \sapling{ \item Correct the explanation in \crossref{overview} to apply to \Sapling. \item Add the definition of a \signingKey to \validatingKey homomorphism for \signatureSchemes. - \item Remove the output index as an input to $\KDFSapling$. + \item Remove the output index as an input to $\KDF{Sapling}$. \item Allow dummy \Sapling input \notes. \item Specify $\RedDSA$ and $\RedJubjub$. - \item Specify \bindingSignatures and \spendAuthSignatures. + \item Specify \saplingBindingSignatures and \spendAuthSignatures. \item Specify the randomness beacon. \item Add \outputCiphertexts and $\OutCipherKey$. \item Define $\DefaultDiversifier$. @@ -12695,7 +13040,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. } %overwinter \sapling{ \item Add specification of the \outputStatement. - \item Change $\MerkleDepthSapling$ from $29$ to $32$. + \item Change $\MerkleDepth{Sapling}$ from $29$ to $32$. \item Updates to \Sapling construction, changing how the \nullifier is computed and separating it from the \authRandomizedValidatingKey ($\AuthSignRandomizedPublic$). @@ -12727,7 +13072,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. $\SpendingKey$ to ensure they are on the full range of $\GF{\ParamJ{r}}$. \item Change $\PRF{}{\mathsf{nr}}$ to produce output computationally indistinguishable from uniform on $\GF{\ParamJ{r}}$. - \item Change $\UncommittedSapling$ to be a $u$-coordinate for which there is no point on the curve. + \item Change $\Uncommitted{Sapling}$ to be a $u$-coordinate for which there is no point on the curve. \item Appendix A updates: \begin{itemize} \item categorize components into larger sections 
@@ -12969,7 +13314,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \historyentry{2017.0-beta-2.1}{2017-02-06} \begin{itemize} - \item $\MerkleHashLength$ is a bit length, not a byte length. + \item $\MerkleHashLength{}$ is a bit length, not a byte length. \item Specify the maximum \block size. \end{itemize} @@ -13965,7 +14310,7 @@ a total of $750$ constraints. Fixed-base scalar multiplication is also used in two places with shorter scalars: \begin{itemize} \item \crossref{ccthomomorphiccommit} uses a $64$-bit scalar for the - $\Value$ input to $\ValueCommit{}$, requiring + $\Value$ input to $\ValueCommitAlg{Sapling}$, requiring $22$ windows at a cost of $3 \smult 22 - 1 + 6 \smult 21 = 191$ constraints; \item \crossref{cctmixinghash} uses a $32$-bit scalar for the $\NotePosition$ input to $\MixingPedersenHash$, requiring @@ -14040,10 +14385,10 @@ the Discrete Logarithm Problem was given in \cite{BGG1995}-- but tailored to allow several optimizations in the circuit implementation. \xPedersenHashes are the single most commonly used primitive in the -\Sapling circuits. $\MerkleDepthSapling$ \xPedersenHash instances are used +\Sapling circuits. $\MerkleDepth{Sapling}$ \xPedersenHash instances are used in the \spendCircuit to check a \merklePath to the \noteCommitment of the \note being spent. We also reuse the \xPedersenHash implementation to -construct the \commitmentScheme $\NoteCommitSaplingAlg$. +construct the \commitmentScheme $\NoteCommitAlg{Sapling}$. This motivates considerable attention to optimizing this circuit implementation of this primitive, even at the cost of complexity. 
@@ -14228,7 +14573,7 @@ In particular, \item for the Merkle tree hashes $\ell = 516$, so $c = 172$, $n = 3$, and the cost is $869$ constraints; \item when a Pedersen hash is used to implement part of a Pedersen commitment - for $\NoteCommitSapling{}$ (\crossref{concretesaplingnotecommit}), + for $\NoteCommitAlg{Sapling}$ (\crossref{concretesaplingnotecommit}), $\ell = 6 + \ValueLength + 2 \smult \ellJ = 582$, $c = 194$, and $n = 4$, so the cost of the hash alone is $984$ constraints. \end{itemize} @@ -14241,14 +14586,14 @@ A mixing \xPedersenHash is used to compute $\NoteAddressRand$ from $\cm$ and $\NotePosition$ in \crossref{commitmentsandnullifiers}. It takes as input a \xPedersenCommitment $P$, and hashes it with another input $x$. -Let $\NotePositionBase$ be as defined in \crossref{concretemixinghash}. +Let $\NotePositionBaseSapling$ be as defined in \crossref{concretemixinghash}. \introlist We define $\MixingPedersenHash \typecolon \range{0}{\ParamJ{r}-1} \times \GroupJ \rightarrow \GroupJ$ by: \begin{formulae} - \item $\MixingPedersenHash(P, x) := P + \scalarmult{x}{\NotePositionBase}$. + \item $\MixingPedersenHash(P, x) := P + \scalarmult{x}{\NotePositionBaseSapling}$. \end{formulae} This costs $92$ constraints for a scalar multiplication @@ -14312,7 +14657,7 @@ This can be implemented in: \item $6$ constraints for the final ctEdwards addition. \end{itemize} -When $\WindowedPedersenCommit{}$ is used to instantiate $\NoteCommitSapling{}$, +When $\WindowedPedersenCommit{}$ is used to instantiate $\NoteCommitAlg{Sapling}$, the cost of the Pedersen hash is $984$ constraints as calculated in \crossref{cctpedersenhash}, and so the total cost in that case is $1740$ constraints. This does not include the cost of boolean-constraining the input $s$ or the 
@@ -14323,7 +14668,7 @@ randomness $r$. The \windowedPedersenCommitments defined in the preceding section are highly efficient, but they do not support the homomorphic property we -need when instantiating $\ValueCommit{}$. +need when instantiating $\ValueCommitAlg{}$. \introsection In order to support this property, we also define \homomorphicPedersenCommitments @@ -14334,14 +14679,14 @@ as follows: \scalarmult{\Value}{\FindGroupJHash\Of{D, \ascii{v}}}\, + \scalarmult{\ValueCommitRand}{\FindGroupJHash\Of{D, \ascii{r}}}$ \end{formulae} -In the case that we need for $\ValueCommit{}$, $\Value$ has $64$ +In the case that we need for $\ValueCommitAlg{}$, $\Value$ has $64$ bits\footnote{It would be sufficient to use $51$ bits, which accomodates the range $\range{0}{\MAXMONEY}$, but the \Sapling circuit uses $64$.}. This value is given as a bit representation, which does not need to be constrained equal to an integer. \introlist -$\ValueCommit{}$ can be implemented in: +$\ValueCommitAlg{}$ can be implemented in: \vspace{1ex} \begin{itemize} \item $750$ constraints for the $252$-bit fixed-base multiplication by $\ValueCommitRand$; @@ -14511,7 +14856,7 @@ The \Sapling Spend \statement is defined in \crossref{spendstatement}. The primary input is \vspace{1ex} \begin{formulae} - \item $\oparen\rt \typecolon \MerkleHashSapling,\\ + \item $\oparen\rt \typecolon \MerkleHash{Sapling},\\ \hparen\cvOld{} \typecolon \ValueCommitOutput,\\ \hparen\nfOld{} \typecolon \PRFOutputNfSapling,\\ \hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic\cparen$, 
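Review bot: The rename in this hunk leaves `$\ValueCommitAlg{}$` with an empty argument, and the next hunk (the one at `-14334`) does the same twice, whereas every other new-side use in this commit spells it `\ValueCommitAlg{Sapling}` (including the `\crossref{ccthomomorphiccommit}` pointer that refers to this very section). If the empty argument is meant to denote the generic scheme that is defensible, but the formula two lines later is built from Jubjub generators via `\FindGroupJHash`, so the section is Sapling-specific and the three occurrences should read `$\ValueCommitAlg{Sapling}$` for consistency.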
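Review bot: In the Spend primary-input hunk only `\MerkleHashSapling` was converted, while the adjacent context lines still read `\hparen\cvOld{} \typecolon \ValueCommitOutput,\\` and `\hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic\cparen$,`, although the rest of this commit rewrites both macros as `\ValueCommitOutput{Sapling}` and `\SpendAuthSigPublic{Sapling}` (Spend auxiliary input, Spend table, Output primary input). If those macros now take a mandatory argument, as that pattern suggests, `\ValueCommitOutput` would swallow the `,` and `\SpendAuthSigPublic` would swallow `\cparen`, so the display would not typeset as intended. The two lines should become `\hparen\cvOld{} \typecolon \ValueCommitOutput{Sapling},\\` and `\hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic{Sapling}\cparen$,`.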
@@ -14519,7 +14864,7 @@ The primary input is which is encoded as $8$ $\GF{\ParamS{r}}$ elements (starting with the fixed element $1$ required by \Groth): \begin{formulae} \item $[1, \Selectu(\AuthSignRandomizedPublic), \Selectv(\AuthSignRandomizedPublic), - \Selectu(\cvOld{}), \Selectv(\cvOld{}), \LEBStoIPOf{\MerkleHashLengthSapling}{\rt}, + \Selectu(\cvOld{}), \Selectv(\cvOld{}), \LEBStoIPOf{\MerkleHashLength{Sapling}}{\rt}, \LEBStoIP{254}\big(\nfOldRepr{\!\barerange{0}{253}}\big), \LEBStoIP{2}\big(\nfOldRepr{\!\barerange{254}{255}}\big)]$ \end{formulae} \vspace{-2ex} 
@@ -14530,30 +14875,30 @@ where $\nfOldRepr{} = \LEOStoBSP{\PRFOutputLengthNfSapling}(\nfOld{})$. The auxiliary input is \vspace{1ex} \begin{formulae} - \item $\oparen\TreePath{} \typecolon \typeexp{\MerkleHash}{\MerkleDepthSapling},\\ - \hparen\NotePosition \typecolon \NotePositionTypeSapling,\vspace{0.4ex}\\ + \item $\oparen\TreePath{} \typecolon \typeexp{\MerkleHash{Sapling}}{\MerkleDepth{Sapling}},\\ + \hparen\NotePosition \typecolon \NotePositionType{Sapling},\vspace{0.4ex}\\ \hparen\DiversifiedTransmitBase \typecolon \GroupJ,\\ \hparen\DiversifiedTransmitPublic \typecolon \GroupJ,\vspace{0.6ex}\\ \hparen\vOld{} \typecolon \ValueType,\\ - \hparen\ValueCommitRandOld{} \typecolon \binaryrange{\ScalarLengthSapling},\\ + \hparen\ValueCommitRandOld{} \typecolon \binaryrange{\ScalarLength{Sapling}},\\ \hparen\cmOld{} \typecolon \GroupJ,\\ - \hparen\NoteCommitRandOld{} \typecolon \binaryrange{\ScalarLengthSapling},\\ - \hparen\AuthSignRandomizer \typecolon \binaryrange{\ScalarLengthSapling},\\ - \hparen\AuthSignPublic \typecolon \SpendAuthSigPublic,\\ - \hparen\AuthProvePrivate \typecolon \binaryrange{\ScalarLengthSapling}\cparen$. + \hparen\NoteCommitRandOld{} \typecolon \binaryrange{\ScalarLength{Sapling}},\\ + \hparen\AuthSignRandomizer \typecolon \binaryrange{\ScalarLength{Sapling}},\\ + \hparen\AuthSignPublic \typecolon \SpendAuthSigPublic{Sapling},\\ + \hparen\AuthProvePrivate \typecolon \binaryrange{\ScalarLength{Sapling}}\cparen$. \end{formulae} \introlist -$\ValueCommitOutput$ and $\SpendAuthSigPublic$ are of type $\GroupJ$, so we have -$\cvOld{}$, $\cmOld{}$, $\AuthSignRandomizedPublic$, $\DiversifiedTransmitBase$, -$\DiversifiedTransmitPublic$, and $\AuthSignPublic$ that -represent \jubjubCurve points. 
However, +$\ValueCommitOutput{Sapling}$ and $\SpendAuthSigPublic{Sapling}$ are of type $\GroupJ$, +so we have $\cvOld{}$, $\cmOld{}$, $\AuthSignRandomizedPublic$, $\DiversifiedTransmitBase$, +$\DiversifiedTransmitPublic$, and $\AuthSignPublic$ that represent \jubjubCurve points. +However, \vspace{1ex} \begin{itemize} - \item $\cvOld{}$ will be constrained to an output of $\ValueCommit{}$; - \item $\cmOld{}$ will be constrained to an output of $\NoteCommitSapling{}$; + \item $\cvOld{}$ will be constrained to an output of $\ValueCommitAlg{Sapling}$; + \item $\cmOld{}$ will be constrained to an output of $\NoteCommitAlg{Sapling}$; \item $\AuthSignRandomizedPublic$ will be constrained to - $\scalarmult{\AuthSignRandomizer}{\AuthSignBaseSapling} + \AuthSignPublic$; + $\scalarmult{\AuthSignRandomizer}{\AuthSignBase{Sapling}} + \AuthSignPublic$; \item $\DiversifiedTransmitPublic$ will be constrained to $\scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$ \end{itemize} 
@@ -14583,27 +14928,27 @@ Check & Implements & \heading{Cost} & Reference \\ \hhline{|=|=|=|=|} $\AuthSignPublic$ is on the curve \small\todo{FIXME also decompressed below} - & $\AuthSignPublic \typecolon \SpendAuthSigPublic$ + & $\AuthSignPublic \typecolon \SpendAuthSigPublic{Sapling}$ & 4 & \shortcrossref{cctedvalidate} \\ \hline $\AuthSignPublic$ is not small order & \snarkref{Small order checks}{spendnonsmall} & 16 & \shortcrossref{cctednonsmallorder} \\ \hline - $\AuthSignRandomizerRepr \typecolon \bitseq{\ScalarLengthSapling}$ - & $\AuthSignRandomizer \typecolon \binaryrange{\ScalarLengthSapling}$ + $\AuthSignRandomizerRepr \typecolon \bitseq{\ScalarLength{Sapling}}$ + & $\AuthSignRandomizer \typecolon \binaryrange{\ScalarLength{Sapling}}$ & 252 & \shortcrossref{cctboolean} \\ \hline - $\AuthSignRandomizer' = \scalarmult{\AuthSignRandomizerRepr}{\AuthSignBaseSapling}$ + $\AuthSignRandomizer' = \scalarmult{\AuthSignRandomizerRepr}{\AuthSignBase{Sapling}}$ & \snarkref{Spend authority}{spendauthority} & 750 & \shortcrossref{cctfixedscalarmult} \\ \cline{1-1}\cline{3-4} $\AuthSignRandomizedPublic = \AuthSignRandomizer' + \AuthSignPublic$ & & 6 & \shortcrossref{cctedarithmetic} \\ \hline inputize $\AuthSignRandomizedPublic$ \small\todo{not ccteddecompressvalidate => wrong count} - & $\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic$ + & $\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic{Sapling}$ & 392? 
& \shortcrossref{ccteddecompressvalidate} \\ \hline - $\AuthProvePrivateRepr \typecolon \bitseq{\ScalarLengthSapling}$ - & $\AuthProvePrivate \typecolon \binaryrange{\ScalarLengthSapling}$ + $\AuthProvePrivateRepr \typecolon \bitseq{\ScalarLength{Sapling}}$ + & $\AuthProvePrivate \typecolon \binaryrange{\ScalarLength{Sapling}}$ & 252 & \shortcrossref{cctboolean} \\ \hline - $\NullifierKey = \scalarmult{\AuthProvePrivateRepr}{\AuthProveBase}$ + $\NullifierKey = \scalarmult{\AuthProvePrivateRepr}{\AuthProveBaseSapling}$ & \snarkref{Nullifier integrity}{spendnullifierintegrity} & 750 & \shortcrossref{cctfixedscalarmult} \\ \hline $\AuthSignPublicRepr = \reprJ\Of{\AuthSignPublic \typecolon \GroupJ}$ @@ -14628,8 +14973,8 @@ Check & Implements & \heading{Cost} & Reference \\ $\vOldRepr \typecolon \bitseq{64}$ & $\vOld{} \typecolon \binaryrange{64}$ & 64 & \shortcrossref{cctboolean} \\ \hline - $\ValueCommitRandRepr \typecolon \bitseq{\ScalarLengthSapling}$ - & $\ValueCommitRand \typecolon \binaryrange{\ScalarLengthSapling}$ + $\ValueCommitRandRepr \typecolon \bitseq{\ScalarLength{Sapling}}$ + & $\ValueCommitRand \typecolon \binaryrange{\ScalarLength{Sapling}}$ & 252 & \shortcrossref{cctboolean} \\ \hline $\cv = \ValueCommit{\ValueCommitRand}(\vOld{})$ & \snarkref{Value commitment integrity}{spendvaluecommitmentintegrity} 
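Review bot: The Spend-table row `$\cv = \ValueCommit{\ValueCommitRand}(\vOld{})$` is left as a context line in the hunk at `-14628`, while the identical row in the Output table (hunk at `-14745`) is rewritten to `\ValueCommit{Sapling}{\ValueCommitRand}(\vOld{})`. If `\ValueCommit` now takes the scheme name as its first argument, the old form binds `\ValueCommitRand` as the scheme and `(` as the randomness, so this row would typeset incorrectly. Change it to `$\cv = \ValueCommit{Sapling}{\ValueCommitRand}(\vOld{})$` to match. The table continues past the end of the hunk.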
@@ -14637,10 +14982,10 @@ Check & Implements & \heading{Cost} & Reference \\ inputize $\cv$ & & ? & \\ \hline - $\NoteCommitRandRepr \typecolon \bitseq{\ScalarLengthSapling}$ - & $\NoteCommitRand \typecolon \binaryrange{\ScalarLengthSapling}$ + $\NoteCommitRandRepr \typecolon \bitseq{\ScalarLength{Sapling}}$ + & $\NoteCommitRand \typecolon \binaryrange{\ScalarLength{Sapling}}$ & 252 & \shortcrossref{cctboolean} \\ \hline - $\cm = \NoteCommitSapling{\NoteCommitRand}(\DiversifiedTransmitBase, \DiversifiedTransmitPublic, \vOld{})$ + $\cm = \NoteCommit{Sapling}{\NoteCommitRand}(\DiversifiedTransmitBase, \DiversifiedTransmitPublic, \vOld{})$ % = \WindowedPedersenCommit{\NoteCommitRand}(\vOldRepr \bconcat \DiversifiedTransmitBaseRepr \bconcat \DiversifiedTransmitPublicRepr) & \snarkref{Note commitment integrity}{spendnotecommitmentintegrity} & 1740 & \shortcrossref{cctwindowedcommit} \\ \hline @@ -14650,7 +14995,7 @@ Check & Implements & \heading{Cost} & Reference \\ \raggedright $\rt'$ is the root of a Merkle tree with leaf $\cmU$, and authentication path $(\TreePath{}, \NotePositionRepr)$ & & 32 \mult 1380 & \shortcrossref{cctmerklepath} \\ \cline{1-1}\cline{3-4} - $\NotePositionRepr = \ItoLEBSPOf{\MerkleDepthSapling}{\NotePosition}$ + $\NotePositionRepr = \ItoLEBSPOf{\MerkleDepth{Sapling}}{\NotePosition}$ & & 1 & \shortcrossref{cctmodpack} \\ \cline{1-1}\cline{3-4} if $\vOld{} \neq 0$ then $\rt' = \rt$ 
@@ -14691,15 +15036,15 @@ The \Sapling Output \statement is defined in \crossref{outputstatement}. The primary input is \begin{formulae} - \item $\oparen\cvNew{} \typecolon \ValueCommitOutput,\\ - \hparen\cmU \typecolon \MerkleHashSapling,\\ + \item $\oparen\cvNew{} \typecolon \ValueCommitOutput{Sapling},\\ + \hparen\cmU \typecolon \MerkleHash{Sapling},\\ \hparen\EphemeralPublic \typecolon \GroupJ\cparen$, \end{formulae} which is encoded as $6$ $\GF{\ParamS{r}}$ elements (starting with the fixed element $1$ required by \Groth): \begin{formulae} \item $[1, \Selectu\Of{\cvNew{}}, \Selectv\Of{\cvNew{}}, - \Selectu\Of{\EphemeralPublic}, \Selectv\Of{\EphemeralPublic}, \LEBStoIPOf{\MerkleHashLengthSapling}{\cmU}]$ + \Selectu\Of{\EphemeralPublic}, \Selectv\Of{\EphemeralPublic}, \LEBStoIPOf{\MerkleHashLength{Sapling}}{\cmU}]$ \end{formulae} The auxiliary input is 
@@ -14707,16 +15052,16 @@ The auxiliary input is \item $(\DiversifiedTransmitBase \typecolon \GroupJ,\\[0.5ex] \hparen\DiversifiedTransmitPublicRepr \typecolon \ReprJ,\\ \hparen\vNew{} \typecolon \ValueType,\\ - \hparen\ValueCommitRandNew{} \typecolon \binaryrange{\ScalarLengthSapling},\\ - \hparen\NoteCommitRandNew{} \typecolon \binaryrange{\ScalarLengthSapling},\\ - \hparen\EphemeralPrivate \typecolon \binaryrange{\ScalarLengthSapling})$ + \hparen\ValueCommitRandNew{} \typecolon \binaryrange{\ScalarLength{Sapling}},\\ + \hparen\NoteCommitRandNew{} \typecolon \binaryrange{\ScalarLength{Sapling}},\\ + \hparen\EphemeralPrivate \typecolon \binaryrange{\ScalarLength{Sapling}})$ \end{formulae} -$\ValueCommitOutput$ is of type $\GroupJ$, so we have $\cvNew{}$, $\EphemeralPublic$, +$\ValueCommitOutput{Sapling}$ is of type $\GroupJ$, so we have $\cvNew{}$, $\EphemeralPublic$, and $\DiversifiedTransmitBase$ that represent \jubjubCurve points. However, \vspace{1ex} \begin{itemize} - \item $\cvNew{}$ will be constrained to an output of $\ValueCommit{}$; + \item $\cvNew{}$ will be constrained to an output of $\ValueCommitAlg{Sapling}$; \item $\EphemeralPublic$ will be constrained to $\scalarmult{\EphemeralPrivate}{\DiversifiedTransmitBase}$ \end{itemize} 
@@ -14745,10 +15090,10 @@ Check & Implements & \heading{Cost} & Reference \\ $\vOldRepr \typecolon \bitseq{64}$ & $\vOld{} \typecolon \binaryrange{64}$ & 64 & \shortcrossref{cctboolean} \\ \hline - $\ValueCommitRandRepr \typecolon \bitseq{\ScalarLengthSapling}$ - & $\ValueCommitRand \typecolon \binaryrange{\ScalarLengthSapling}$ + $\ValueCommitRandRepr \typecolon \bitseq{\ScalarLength{Sapling}}$ + & $\ValueCommitRand \typecolon \binaryrange{\ScalarLength{Sapling}}$ & 252 & \shortcrossref{cctboolean} \\ \hline - $\cv = \ValueCommit{\ValueCommitRand}(\vOld{})$ + $\cv = \ValueCommit{Sapling}{\ValueCommitRand}(\vOld{})$ & \snarkref{Value commitment integrity}{outputvaluecommitmentintegrity} & 947 & \shortcrossref{ccthomomorphiccommit} \\ \cline{1-1}\cline{3-4} inputize $\cv$ @@ -14760,8 +15105,8 @@ Check & Implements & \heading{Cost} & Reference \\ $\DiversifiedTransmitBase$ is not small order & \snarkref{Small order checks}{outputnonsmall} & 16 & \shortcrossref{cctednonsmallorder} \\ \hline - $\EphemeralPrivateRepr \typecolon \bitseq{\ScalarLengthSapling}$ - & $\EphemeralPrivate \typecolon \binaryrange{\ScalarLengthSapling}$ + $\EphemeralPrivateRepr \typecolon \bitseq{\ScalarLength{Sapling}}$ + & $\EphemeralPrivate \typecolon \binaryrange{\ScalarLength{Sapling}}$ & 252 & \shortcrossref{cctboolean} \\ \hline $\EphemeralPublic = \scalarmult{\EphemeralPrivateRepr}{\DiversifiedTransmitBase}$ & \snarkref{Ephemeral public key integrity}{outputepkintegrity} 
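Review bot: The rewritten Output-table row `$\cv = \ValueCommit{Sapling}{\ValueCommitRand}(\vOld{})$` here, and `$\cm = \NoteCommit{Sapling}{\NoteCommitRand}(\DiversifiedTransmitBase, \DiversifiedTransmitPublic, \vOld{})$` in the hunk at `-14772`, still use `\vOld{}`, whereas the Output statement's auxiliary input in the preceding hunk names the value `\vNew{}` (and the randomness `\ValueCommitRandNew{}` / `\NoteCommitRandNew{}`). This looks like a carry-over from the Spend table; the unchanged context rows `$\vOldRepr \typecolon \bitseq{64}$` and `$\vOld{} \typecolon \binaryrange{64}$` share it, so presumably the whole Output table should use the New variants — worth confirming against the \outputStatement definition. Since the commit already touches these lines, switching them to `\vNew{}` now avoids a second pass.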
@@ -14772,10 +15117,10 @@ Check & Implements & \heading{Cost} & Reference \\ $\DiversifiedTransmitPublicRepr \typecolon \ReprJ$ & $\DiversifiedTransmitPublicRepr \typecolon \ReprJ$ & 256 & \shortcrossref{cctboolean} \\ \hline - $\NoteCommitRandRepr \typecolon \bitseq{\ScalarLengthSapling}$ - & $\NoteCommitRand \typecolon \binaryrange{\ScalarLengthSapling}$ + $\NoteCommitRandRepr \typecolon \bitseq{\ScalarLength{Sapling}}$ + & $\NoteCommitRand \typecolon \binaryrange{\ScalarLength{Sapling}}$ & 252 & \shortcrossref{cctboolean} \\ \hline - $\cm = \NoteCommitSapling{\NoteCommitRand}(\DiversifiedTransmitBase, \DiversifiedTransmitPublic, \vOld{})$ + $\cm = \NoteCommit{Sapling}{\NoteCommitRand}(\DiversifiedTransmitBase, \DiversifiedTransmitPublic, \vOld{})$ % = \WindowedPedersenCommit{\NoteCommitRand}(\vOldRepr \bconcat \DiversifiedTransmitBaseRepr \bconcat \DiversifiedTransmitPublicRepr) & \snarkref{Note commitment integrity}{outputnotecommitmentintegrity} & 1740 & \shortcrossref{cctwindowedcommit} \\ \hline