WIP: encryption and key derivation changes for viewing keys.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2016-02-25 17:13:31 +00:00
parent d33c441c91
commit 3576398cfb
5 changed files with 199 additions and 90 deletions





@ -112,8 +112,9 @@
\newcommand{\AuthPrivateNew}[1]{\mathsf{a^{new}_{sk,\mathnormal{#1}}}} \newcommand{\AuthPrivateNew}[1]{\mathsf{a^{new}_{sk,\mathnormal{#1}}}}
\newcommand{\AddressPublicNew}[1]{\mathsf{addr^{new}_{pk,\mathnormal{#1}}}} \newcommand{\AddressPublicNew}[1]{\mathsf{addr^{new}_{pk,\mathnormal{#1}}}}
\newcommand{\enc}{\mathsf{enc}} \newcommand{\enc}{\mathsf{enc}}
\newcommand{\alleged}{\mathsf{alleged}}
\newcommand{\disclose}{\mathsf{disclose}} \newcommand{\disclose}{\mathsf{disclose}}
\newcommand{\shared}{\mathsf{shared}}
\newcommand{\DHSecret}[1]{\mathsf{dhsecret}_{#1}}
\newcommand{\EphemeralPublic}{\mathsf{epk}} \newcommand{\EphemeralPublic}{\mathsf{epk}}
\newcommand{\EphemeralPrivate}{\mathsf{esk}} \newcommand{\EphemeralPrivate}{\mathsf{esk}}
\newcommand{\TransmitPublic}{\mathsf{pk_{enc}}} \newcommand{\TransmitPublic}{\mathsf{pk_{enc}}}
@ -122,7 +123,7 @@
\newcommand{\Value}{\mathsf{v}} \newcommand{\Value}{\mathsf{v}}
% Coins % Coins
\newcommand{\Coin}{\mathbf{c}} \newcommand{\Coin}[1]{\mathbf{c}_{#1}}
\newcommand{\CoinCommitRand}{\mathsf{r}} \newcommand{\CoinCommitRand}{\mathsf{r}}
\newcommand{\CoinCommitRandOld}[1]{\mathsf{r^{old}_\mathnormal{#1}}} \newcommand{\CoinCommitRandOld}[1]{\mathsf{r^{old}_\mathnormal{#1}}}
\newcommand{\CoinCommitRandNew}[1]{\mathsf{r^{new}_\mathnormal{#1}}} \newcommand{\CoinCommitRandNew}[1]{\mathsf{r^{new}_\mathnormal{#1}}}
@ -134,19 +135,30 @@
\newcommand{\TransmitPlaintextVersionByte}{\mathbf{0x00}} \newcommand{\TransmitPlaintextVersionByte}{\mathbf{0x00}}
\newcommand{\hSigInputVersionByte}{\mathbf{0x00}} \newcommand{\hSigInputVersionByte}{\mathbf{0x00}}
\newcommand{\Memo}{\mathsf{memo}} \newcommand{\Memo}{\mathsf{memo}}
\newcommand{\CurveMultiply}{\mathsf{Curve25519}}
\newcommand{\CryptoBox}{\mathsf{crypto\_box}} \newcommand{\CryptoBox}{\mathsf{crypto\_box}}
\newcommand{\CryptoBoxOpen}{\mathsf{crypto\_box\_open}} \newcommand{\CryptoBoxOpen}{\mathsf{crypto\_box\_open}}
\newcommand{\CryptoBoxSeal}{\mathsf{crypto\_box\_seal}} \newcommand{\CryptoBoxSeal}{\mathsf{crypto\_box\_seal}}
\newcommand{\CryptoBoxSpecific}{\mathsf{crypto\_box\_curve25519xsalsa20poly1305}} \newcommand{\CryptoBoxSpecific}{\mathsf{crypto\_box\_curve25519xsalsa20poly1305}}
\newcommand{\Plaintext}[1]{\mathbf{P}^\enc_{#1}} \newcommand{\DecryptCoin}{\mathtt{DecryptCoin}}
\newcommand{\AllegedPlaintext}[1]{\mathbf{P}^\alleged_{#1}} \newcommand{\Plaintext}{\mathbf{P}}
\newcommand{\DisclosePlaintext}{\mathbf{P}^\disclose} \newcommand{\Ciphertext}{\mathbf{C}}
\newcommand{\TransmitCiphertext}[1]{\mathbf{C}^\enc_{#1}} \newcommand{\Key}{\mathsf{K}}
\newcommand{\DiscloseCiphertext}{\mathbf{C}^\disclose} \newcommand{\TransmitPlaintext}[1]{\Plaintext^\enc_{#1}}
\newcommand{\TransmitCiphertext}[1]{\Ciphertext^\enc_{#1}}
\newcommand{\TransmitKey}[1]{\Key^\enc_{#1}}
\newcommand{\DiscloseCiphertext}[1]{\Ciphertext^\disclose_{#1}}
\newcommand{\SharedPlaintext}[1]{\Plaintext^\shared_{#1}}
\newcommand{\SharedCiphertext}{\Ciphertext^\shared}
\newcommand{\SharedKey}[1]{\Key^\shared_{#1}}
\newcommand{\Tag}[1]{\mathsf{tag}_{#1}} \newcommand{\Tag}[1]{\mathsf{tag}_{#1}}
\newcommand{\Nonce}{\mathsf{nonce}} \newcommand{\KDF}{\mathsf{KDF}}
\newcommand{\Prenonce}{\mathsf{prenonce}} \newcommand{\Prenonce}{\mathsf{prenonce}}
\newcommand{\Encrypt}[1]{\mathsf{Encrypt}_{#1}} \newcommand{\PkEncrypt}[1]{\mathsf{PkEncrypt}_{#1}}
\newcommand{\SymEncrypt}[1]{\mathsf{SymEncrypt}_{#1}}
\newcommand{\SymDecrypt}[1]{\mathsf{SymDecrypt}_{#1}}
\newcommand{\SymSpecific}{\mathsf{AEAD\_CHACHA20\_POLY1305}}
\newcommand{\Clamp}{\mathsf{clamp_{Curve25519}}}
\newcommand{\CRH}{\mathsf{CRH}} \newcommand{\CRH}{\mathsf{CRH}}
\newcommand{\CRHbox}[1]{\CRH\left(\;\raisebox{-1.3ex}{\usebox{#1}}\;\right)} \newcommand{\CRHbox}[1]{\CRH\left(\;\raisebox{-1.3ex}{\usebox{#1}}\;\right)}
\newcommand{\FullHash}{\mathtt{SHA256}} \newcommand{\FullHash}{\mathtt{SHA256}}
@ -186,7 +198,8 @@
\newcommand{\commitments}{\mathtt{commitments}} \newcommand{\commitments}{\mathtt{commitments}}
\newcommand{\ephemeralKey}{\mathtt{ephemeralKey}} \newcommand{\ephemeralKey}{\mathtt{ephemeralKey}}
\newcommand{\encCiphertexts}{\mathtt{encCiphertexts}} \newcommand{\encCiphertexts}{\mathtt{encCiphertexts}}
\newcommand{\discloseCiphertext}{\mathtt{discloseCiphertext}} \newcommand{\discloseCiphertexts}{\mathtt{discloseCiphertexts}}
\newcommand{\sharedCiphertext}{\mathtt{sharedCiphertext}}
\newcommand{\rt}{\mathsf{rt}} \newcommand{\rt}{\mathsf{rt}}
% pour % pour
@ -210,6 +223,7 @@
\newcommand{\COMM}[1]{\mathsf{COMM}_{#1}} \newcommand{\COMM}[1]{\mathsf{COMM}_{#1}}
\newcommand{\COMMtrapdoor}{\term{\textsf{COMM} trapdoor}} \newcommand{\COMMtrapdoor}{\term{\textsf{COMM} trapdoor}}
\newcommand{\CoinCommitment}[1]{\mathtt{CoinCommitment}(#1)} \newcommand{\CoinCommitment}[1]{\mathtt{CoinCommitment}(#1)}
\newcommand{\Receive}{\mathsf{Receive}}
\begin{document} \begin{document}
@ -252,12 +266,14 @@ please contact \todo{address}. While the production \Zcash network has yet
to be launched, please feel free to do so in public even if you believe the to be launched, please feel free to do so in public even if you believe the
mistake may indicate a security weakness. mistake may indicate a security weakness.
\section{Concepts} \section{Conventions}
\subsection{Integers, Bit Sequences, and Endianness} \subsection{Integers, Bit Sequences, and Endianness}
All integers visible in \Zcash-specific encodings are unsigned, have a fixed All integers visible in \Zcash-specific encodings are unsigned, have a fixed
bit length, and are encoded as big-endian. bit length, and are encoded as big-endian (except in the definition of
$\SymSpecific$ \cite{rfc7539} which internally uses length fields encoded as
little-endian).
In bit layout diagrams, each box of the diagram represents a sequence of bits. In bit layout diagrams, each box of the diagram represents a sequence of bits.
If the content of the box is a byte sequence, it is implicitly converted to If the content of the box is a byte sequence, it is implicitly converted to
@ -297,13 +313,42 @@ ensuring that the functions are independent.
\newcommand{\iminusone}{\hspace{0.3pt}\scriptsize{$i$\hspace{0.6pt}-1}} \newcommand{\iminusone}{\hspace{0.3pt}\scriptsize{$i$\hspace{0.6pt}-1}}
\newsavebox{\addrbox} \newsavebox{\addrboxa}
\begin{lrbox}{\addrbox} \begin{lrbox}{\addrboxa}
\setchanged
\begin{bytefield}[bitwidth=0.065em]{512} \begin{bytefield}[bitwidth=0.065em]{512}
\bitbox{242}{256 bit $\AuthPrivate$} & \bitbox{242}{256 bit $\AuthPrivate$} &
\bitbox{18}{0} & \bitbox{18}{0} &
\bitbox{18}{0} & \bitbox{18}{0} &
\bitbox{222}{$0^{254}$} & \bitbox{186}{$0^{252}$} &
\bitbox{18}{0} &
\bitbox{18}{0} &
\end{bytefield}
\end{lrbox}
\newsavebox{\addrboxb}
\begin{lrbox}{\addrboxb}
\setchanged
\begin{bytefield}[bitwidth=0.065em]{512}
\bitbox{242}{256 bit $\DiscloseKey$} &
\bitbox{18}{0} &
\bitbox{18}{0} &
\bitbox{186}{$0^{252}$} &
\bitbox{18}{0} &
\bitbox{18}{1} &
\end{bytefield}
\end{lrbox}
\newsavebox{\addrboxc}
\begin{lrbox}{\addrboxc}
\setchanged
\begin{bytefield}[bitwidth=0.065em]{512}
\bitbox{242}{256 bit $\AuthPrivate$} &
\bitbox{18}{0} &
\bitbox{18}{0} &
\bitbox{186}{$0^{252}$} &
\bitbox{18}{1} &
\bitbox{18}{0} &
\end{bytefield} \end{bytefield}
\end{lrbox} \end{lrbox}
@ -345,7 +390,13 @@ need to be aware of how it is associated with this bit-packing.}
\begin{equation*} \begin{equation*}
\begin{aligned} \begin{aligned}
\AuthPublic &:= \PRFaddr{\AuthPrivate}(0) &= \CRHbox{\addrbox} \\ \setchanged \DiscloseKey &\setchanged := \PRFaddr{\AuthPrivate}(0)
&\setchanged = \CRHbox{\addrboxa} \\
\setchanged \AuthPublic &\setchanged := \PRFaddr{\DiscloseKey}(1)
&\setchanged = \CRHbox{\addrboxb} \\
\setchanged \TransmitPrivate' &\setchanged := \PRFaddr{\AuthPrivate}(2)
&\setchanged = \CRHbox{\addrboxc} \\
\setchanged \TransmitPrivate &\setchanged := \Clamp(\TransmitPrivate') & \\
\sn &:= \PRFsn{\AuthPrivate}(\CoinAddressRand) &= \CRHbox{\snbox} \\ \sn &:= \PRFsn{\AuthPrivate}(\CoinAddressRand) &= \CRHbox{\snbox} \\
\h{i} &:= \PRFpk{\AuthPrivate}(i, \hSig) &= \CRHbox{\pkbox} \\ \h{i} &:= \PRFpk{\AuthPrivate}(i, \hSig) &= \CRHbox{\pkbox} \\
\setchanged \CoinAddressRandNew{i} &\setchanged := \PRFrho{\CoinAddressPreRand}(i, \hSig) \setchanged \CoinAddressRandNew{i} &\setchanged := \PRFrho{\CoinAddressPreRand}(i, \hSig)
@ -358,7 +409,7 @@ need to be aware of how it is associated with this bit-packing.}
\subsection{Payment Addresses, Viewing Keys, and Spending Keys} \subsection{Payment Addresses, Viewing Keys, and Spending Keys}
A \keyTuple $(\SpendingKey, \changed{\ViewingKey, }\PaymentAddress)$ is A \keyTuple $(\SpendingKey, \changed{\ViewingKey,\;} \PaymentAddress)$ is
generated by users who wish to receive payments under this scheme. generated by users who wish to receive payments under this scheme.
\changed{The \viewingKey $\ViewingKey$ is derived from the \spendingKey \changed{The \viewingKey $\ViewingKey$ is derived from the \spendingKey
$\SpendingKey$, and the \paymentAddress $\PaymentAddress$ is derived from $\SpendingKey$, and the \paymentAddress $\PaymentAddress$ is derived from
@ -390,7 +441,26 @@ to:
\item obtain a \paymentAddress\changed{ or \viewingKey} from a \spendingKey. \item obtain a \paymentAddress\changed{ or \viewingKey} from a \spendingKey.
\end{itemize} \end{itemize}
\todo{Describe derivations.} Each key component, i.e. each of $\AuthPublic$, $\TransmitPublic$,
\changed{$\DiscloseKey$, }$\TransmitPrivate$, and $\AuthPrivate$, is a sequence of
32 bytes. \changed{$\AuthPublic$, $\DiscloseKey$, and $\TransmitPrivate$ are derived
as follows:}
\begin{equation*}
\begin{aligned}
\setchanged \DiscloseKey &\setchanged := \PRFaddr{\AuthPrivate}(0) & \hspace{30em} \\
\setchanged \AuthPublic &\setchanged := \PRFaddr{\DiscloseKey}(1) & \\
\setchanged \TransmitPrivate &\setchanged := \Clamp(\PRFaddr{\AuthPrivate}(2)) &
\end{aligned}
\end{equation*}
\changed{
$\Clamp$ performs the clamping of Curve25519 private key bits, and
$\CurveMultiply$ performs point multiplication, both as defined in \cite{Curve25519}.
Let $\TransmitPublic := \CurveMultiply(\TransmitPrivate)$, i.e. the public key
corresponding to the private key $\TransmitPrivate$.
}
Users can accept payment from multiple parties with a single Users can accept payment from multiple parties with a single
$\PaymentAddress$ and the fact that these payments are destined to $\PaymentAddress$ and the fact that these payments are destined to
@ -402,7 +472,7 @@ case that a payee wishes to prevent this they should create a distinct
\subsection{Coins} \subsection{Coins}
A \coin (denoted $\Coin$) is a tuple $\changed{(\AuthPublic, \Value, A \coin (denoted $\Coin{}$) is a tuple $\changed{(\AuthPublic, \Value,
\CoinAddressRand, \CoinCommitRand)}$ which represents that a value $\Value$ is \CoinAddressRand, \CoinCommitRand)}$ which represents that a value $\Value$ is
spendable by the recipient who holds the $\authKeypair$ key pair spendable by the recipient who holds the $\authKeypair$ key pair
$(\AuthPublic, \AuthPrivate)$ such that $(\AuthPublic, \AuthPrivate)$ such that
@ -430,45 +500,30 @@ keys (to allow the \viewingKey holder to check whether the other encryptions
are valid).} All of these encryptions are combined to form a \coinsCiphertext. are valid).} All of these encryptions are combined to form a \coinsCiphertext.
\changed{ \changed{
The encryption algorithm is defined in terms of $\CryptoBox$ (specifically, Let $\SymEncrypt{\Key}(\Plaintext)$ be the $\SymSpecific$ encryption
$\CryptoBoxSpecific$) \cite{cryptobox} as follows. \cite{rfc7539} of plaintext $\Plaintext$ with empty ``additional data",
empty nonce, and key $\Key$.
} }
\newsavebox{\prenoncebox} \newsavebox{\kdfbox}
\begin{lrbox}{\prenoncebox} \begin{lrbox}{\kdfbox}
\setchanged \setchanged
\begin{bytefield}[bitwidth=0.05em]{520} \begin{bytefield}[bitwidth=0.032em]{832}
\bitbox{120}{64 bit $\Tag{i}$} & \bitbox{256}{256 bit $\DHSecret{i}$} &
\bitbox{256}{256 bit $\EphemeralPublic$} \bitbox{256}{256 bit $\EphemeralPublic$} &
\bitbox{256}{256 bit $\TransmitPublicNew{i}$} \bitbox{256}{256 bit $\TransmitPublicNew{i}$} &
\bitbox{160}{8 bit $i-1$}
\end{bytefield} \end{bytefield}
\end{lrbox} \end{lrbox}
\newsavebox{\noncebox} \newsavebox{\sharedbox}
\begin{lrbox}{\noncebox} \begin{lrbox}{\sharedbox}
\setchanged \setchanged
\begin{bytefield}[bitwidth=0.085em]{192} \begin{bytefield}[bitwidth=0.045em]{768}
\bitbox{128}{$\Leading{128}(\Prenonce)$} & \bitbox{256}{256 bit $\TransmitPublicNew{\mathrm{1}}$}
\bitbox{64}{64 bit $\Tag{i}$} \bitbox{40}{...}
\end{bytefield} \bitbox{256}{256 bit $\TransmitPublicNew{\NNew}$}
\end{lrbox} \bitbox{256}{256 bit $\EphemeralPrivate$}
\newsavebox{\tagibox}
\begin{lrbox}{\tagibox}
\setchanged
\begin{bytefield}[bitwidth=0.09em]{64}
\bitbox{64}{64 bit $i-1$}
\end{bytefield}
\end{lrbox}
\newsavebox{\disclosebox}
\begin{lrbox}{\disclosebox}
\setchanged
\begin{bytefield}[bitwidth=0.05em]{768}
\bitbox{256}{256 bit $\EphemeralPrivate$}
\bitbox{256}{256 bit $\TransmitPublicNew{\mathrm{1}}$}
\bitbox{40}{...}
\bitbox{256}{256 bit $\TransmitPublicNew{\NNew}$}
\end{bytefield} \end{bytefield}
\end{lrbox} \end{lrbox}
@ -481,10 +536,8 @@ and let $\Plaintext{1..\NNew}$ be the \coinPlaintexts.
Define: Define:
\begin{equation*} \begin{equation*}
\begin{aligned} \begin{aligned}
\Prenonce(\Tag{i}, \EphemeralPublic, \TransmitPublicNew{i}) &:= \FullHashbox{\prenoncebox} \\ \KDF(\DHSecret{i}, \EphemeralPublic, \TransmitPublicNew{i}, i) &:= \FullHashbox{\kdfbox} \\
\Nonce(\Tag{i}, \EphemeralPublic, \TransmitPublicNew{i}) &:= \Justthebox{\noncebox} \\ \SharedPlaintext{} &:= \Justthebox{\sharedbox}
\Tag{i} &:= \Justthebox{\tagibox} \\
\DisclosePlaintext &:= \Justthebox{\disclosebox}
\end{aligned} \end{aligned}
\end{equation*} \end{equation*}
} }
@ -495,28 +548,57 @@ Then to encrypt:
\changed{ \changed{
\item Generate a new Curve25519 (public, private) key pair: \item Generate a new Curve25519 (public, private) key pair:
$(\EphemeralPublic, \EphemeralPrivate)$. $(\EphemeralPublic, \EphemeralPrivate)$.
\item For $i$ in $\{1..\NNew\}$, let $\TransmitCiphertext{i} = \item For $i$ in $\{1..\NNew\}$,
\CryptoBox(\Plaintext{i}, \TransmitPublicNew{i}, \EphemeralPrivate, \begin{itemize}
\Nonce(\Tag{i}, \EphemeralPublic, \TransmitPublicNew{i}))$ \item Let $\DHSecret{i} := \CurveMultiply(\TransmitPublicNew{i},
\item Let $\DiscloseCiphertext = ???_{\DiscloseKey}(\DisclosePlaintext)$ \EphemeralPrivate)$.
\item Let $\TransmitKey{i} := \KDF(\DHSecret{i}, \EphemeralPublic,
\TransmitPublicNew{i}, i)$.
\item Let $\TransmitCiphertext{i} := \SymEncrypt{\TransmitKey{i}}(\TransmitPlaintext{i})$.
\end{itemize}
\item Let $\SharedKey{} := ...$.
\item Let $\SharedCiphertext := \SymEncrypt{\SharedKey{}}(\SharedPlaintext{})$.
\item For $i$ in $\{1..\NOld\}$,
\begin{itemize}
\item Let $\DiscloseCiphertext{i} := \SymEncrypt{\DiscloseKey{i}}(\SharedKey{})$.
\end{itemize}
} }
\end{itemize} \end{itemize}
The resulting \coinsCiphertext is $\changed{(\TransmitPublic,}\; The resulting \coinsCiphertext is $\changed{(\EphemeralPublic,
\TransmitCiphertext{\mathrm{1}..\NNew}\changed{, \DiscloseCiphertext)}$. \TransmitCiphertext{\mathrm{1}..\NNew}, \DiscloseCiphertext{\mathrm{1}..\NOld},
\SharedCiphertext)}$.
Let $(\TransmitPublic, \TransmitPrivate)$ be the recipient's \changed{Curve25519} Let $(\TransmitPublic, \TransmitPrivate)$ be the recipient's \changed{Curve25519}
(public, private) key pair. Then for each $i$ in $\{1..\NNew\}$, the recipient (public, private) key pair, and let $\cmNew{\mathrm{1}..\NNew}$ be the coin
commitments of each output coin. Then for each $i$ in $\{1..\NNew\}$, the recipient
will attempt to decrypt that ciphertext component as follows: will attempt to decrypt that ciphertext component as follows:
\begin{itemize}
\changed{ \changed{
\item $\AllegedPlaintext{i} := \CryptoBoxOpen(\TransmitCiphertext{i}, \begin{itemize}
\EphemeralPublic, \TransmitPrivate, \Nonce(\Tag{i}, \EphemeralPublic, \TransmitPublic))$ \item Let $\DHSecret{i} := \CurveMultiply(\EphemeralPublic, \TransmitPrivate)$.
\item \todo{validation} \item Return $\DecryptCoin(\DHSecret{i}, \EphemeralPublic, \TransmitPublicNew{i}, i,
} \TransmitCiphertext{i}, \cmNew{i}).$
\end{itemize} \end{itemize}
$\DecryptCoin(\DHSecret{i}, \EphemeralPublic, \TransmitPublicNew{i}, i,
\TransmitCiphertext{i}, \cmNew{i})$ is defined as follows:
\begin{itemize}
\item Let $\TransmitKey{i} := \KDF(\DHSecret{i}, \EphemeralPublic,
\TransmitPublicNew{i}, i)$.
\item Let $\TransmitPlaintext{i} := \SymDecrypt{\TransmitKey{i}}(\TransmitCiphertext{i})$.
\item If $\TransmitPlaintext{i} = \bot$, return $\bot$.
\item Extract $\Coin{i} := (\AuthPublic, \Value, \CoinAddressRand, \CoinCommitRand)$
and $\Memo_{i}$ from $\TransmitPlaintext{i}$.
\item If $\CoinCommitment{\Coin{i}} \neq \cmNew{i}$, return $\bot$, else
return ($\Coin{i}, \Memo_{i})$.
\end{itemize}
}
Note that this corresponds to step 3 (b) i. and ii. (first bullet point) of the
$\Receive$ algorithm shown in Figure 2 of \cite{ZerocashOakland}.
To test whether a \coin is unspent in a particular \blockchainview also requires To test whether a \coin is unspent in a particular \blockchainview also requires
the \authKeypair private key $\AuthPrivate$; the coin is unspent if and only if the \authKeypair private key $\AuthPrivate$; the coin is unspent if and only if
$\sn = \PRFsn{\AuthPrivate}(\CoinAddressRand)$ is not in the \spentSerials $\sn = \PRFsn{\AuthPrivate}(\CoinAddressRand)$ is not in the \spentSerials
@ -528,32 +610,47 @@ the transaction in which a coin was output to no longer be on the consensus
blockchain. blockchain.
\changed{ \changed{
Similarly, let $\DiscloseKey$ be a \viewingKey holder's \discloseKey. Let $\DiscloseKey{}$ be a \viewingKey holder's \discloseKey.
Then for each \PourDescription in its \blockchainview, the \viewingKey holder Then for each \PourDescription in its \blockchainview, the \viewingKey holder
will attempt to decrypt the corresponding \coinsCiphertext as follows: will attempt to decrypt the corresponding \coinsCiphertext as follows:
} }
\begin{itemize}
\changed{ \changed{
\item Let $\DisclosePlaintext := ???_{\DiscloseKey}(\DiscloseCiphertext)$ \begin{enumerate}
\item Extract $\EphemeralPrivate$ and $\TransmitPublicNew{\mathrm{1}..\NNew}$ \item Set $\SharedPlaintext{} := \bot$.
from $\DisclosePlaintext$.
\item For $i$ in $\{1..\NNew\}$, \item For $i$ in $\{1..\NNew\}$,
\begin{itemize} \begin{itemize}
\item let $\AllegedPlaintext{i} := \item Let $\SharedKey{i} := \SymDecrypt{\DiscloseKey{}}(\DiscloseCiphertext{i}, \Tag{i})$.
\CryptoBoxOpen(\TransmitCiphertext{i}, \EphemeralPrivate, \item If $\SharedKey{i} = \bot$ then continue with the next $i$.
\TransmitPublicNew{i}, \Nonce(\Tag{i}, \EphemeralPublic, \TransmitPublicNew{i}))$ \item Let $\SharedPlaintext{i} := \SymDecrypt{\SharedKey{i}}(\SharedCiphertext)$.
\item \todo{validation} \item If $\SharedPlaintext{i} = \bot$ then continue with the next $i$.
\item Set $\SharedPlaintext{} := \SharedPlaintext{i}$ and exit the loop.
\end{itemize} \end{itemize}
\item If $\SharedPlaintext{} = \bot$ (i.e. it was not set in the loop), then this
transaction does not contain any information decryptable by the \viewingKey; return $\bot$.
\item Extract $\TransmitPublicNew{\mathrm{1}..\NNew}$ and $\EphemeralPrivate$
from $\SharedPlaintext{}$.
\item For $i$ in $\{1..\NNew\}$,
\begin{itemize}
\item Let $\DHSecret{i} := \CurveMultiply(\TransmitPublicNew{i}, \EphemeralPrivate)$.
\item Let $\Coin{i} := \DecryptCoin(\DHSecret{i}, \EphemeralPublic,
\TransmitPublicNew{i}, i, \TransmitCiphertext{i}, \cmNew{i}).$
\end{itemize}
\item Return ($\Coin{\mathrm{1}..\NNew}, \Memo_{\mathrm{1}..\NNew})$.
\end{enumerate}
} }
\end{itemize}
Any ciphertext components that fail to decrypt \MUST be ignored. Once a component If a party holds more than one \viewingKey, it may optimize the above
has been decrypted, it \MUST be validated as described in section ``Coin Commitments''. procedure by performing the loop in step 2 for the $\DiscloseKey{}$ of each
\viewingKey. It may be assumed that the first $\SharedPlaintext{i}$ that
decrypts correctly is the one that should be used in step 4 onward.
(However, additional information is provided by which \viewingKey was able
to decrypt each $\DiscloseCiphertext{i}$.)
\changed{ \changed{
This is based loosely on the $\CryptoBoxSeal$ algorithm defined in libsodium The public key encryption used in this part of the protocol is based loosely on
\cite{cryptoboxseal}, but with the following differences: the $\CryptoBoxSeal$ algorithm defined in libsodium \cite{cryptoboxseal}, but
with the following differences:
\begin{itemize} \begin{itemize}
\item The same ephemeral key is used for all encryptions to the recipient keys \item The same ephemeral key is used for all encryptions to the recipient keys
in a given \PourDescription. in a given \PourDescription.
@ -565,12 +662,13 @@ This is based loosely on the $\CryptoBoxSeal$ algorithm defined in libsodium
of $\mathsf{blake2b}$. of $\mathsf{blake2b}$.
\item The ephemeral secret $\EphemeralPrivate$ is included together with \item The ephemeral secret $\EphemeralPrivate$ is included together with
the \transmitKeypair public keys of the recipients, encrypted to the the \transmitKeypair public keys of the recipients, encrypted to the
\discloseKey. This allows a \viewingKey holder to decrypt \discloseKey. This allows a \viewingKey holder to check whether the
and validate these ciphertexts (if the sender constructs the \PourDescription indicated recipients would be able to decrypt a given component, and
honestly). It also ensures (without assuming honesty of the sender) that if if so to decrypt the memo field. (We do not rely on this to ensure
the \viewingKey holder can decrypt a given component, then the indicated that a \viewingKey holder can decrypt the other components of the
recipient also has enough information to decrypt it and will receive the output coins; instead, those are symmetrically encrypted to the
same \coinPlaintext. \viewingKey and the correctness of this encryption is checked by the
\PourCircuit.)
\end{itemize} \end{itemize}
} }
@ -746,10 +844,13 @@ $\cmNew{\mathrm{1}..\NNew}$.
\item $\encCiphertexts$ which is a $\NNew$ size sequence of ciphertext \item $\encCiphertexts$ which is a $\NNew$ size sequence of ciphertext
components, $\TransmitCiphertext{\mathrm{1}..\NNew}$. components, $\TransmitCiphertext{\mathrm{1}..\NNew}$.
\item $\discloseCiphertext$ which is the ciphertext component \item $\discloseCiphertexts$ which is a $\NOld$ size sequence of ciphertext
$\DiscloseCiphertext$. components, $\DiscloseCiphertext{\mathrm{1}..\NOld}$.
(The preceding three fields together form the \coinsCiphertext.) \item $\sharedCiphertext$ which is the ciphertext component
$\SharedCiphertext$.
(The preceding four fields together form the \coinsCiphertext.)
} }
\item $\vmacs$ which is a $\NOld$ size sequence of message authentication tags \item $\vmacs$ which is a $\NOld$ size sequence of message authentication tags
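Review bot: The new encryption step `\item Let $\DiscloseCiphertext{i} := \SymEncrypt{\DiscloseKey{i}}(\SharedKey{})$.` encrypts a fresh $\SharedKey{}$ under the long-term \discloseKey using $\SymEncrypt$, which the new definition fixes to $\SymSpecific$ with an empty nonce, so every \PourDescription reuses the same (key, nonce) pair under ChaCha20-Poly1305; with a fixed key and nonce the keystream repeats, leaking the XOR of the shared keys across transactions and voiding Poly1305's forgery resistance, so the key (or nonce) for this component needs a per-transaction input such as $\EphemeralPublic$ fed through $\KDF$, and "empty nonce" should be stated as an explicit 96-bit value since the RFC 7539 construction has no empty-nonce case. The decryption side also disagrees with the encryption side: the viewing-key procedure loops $i$ over $\{1..\NNew\}$ although $\discloseCiphertexts$ is defined as an $\NOld$-size sequence, and `\SymDecrypt{\DiscloseKey{}}(\DiscloseCiphertext{i}, \Tag{i})` passes a $\Tag{i}$ argument that the corresponding $\SymEncrypt$ call never receives. `\item Let $\SharedKey{} := ...$.` is still a placeholder, and $\DiscloseKey{i}$ is written with an index whose definition is not visible in this diff, so it is unclear whether the encryption to the viewing key is per old coin or per key. The `\changed{` group enclosing the encryption steps opens outside the hunk.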


@ -54,3 +54,11 @@
note={DOI: 10.6028/NIST.FIPS.180-4}, note={DOI: 10.6028/NIST.FIPS.180-4},
howpublished={\url{http://csrc.nist.gov/publications/PubsFIPS.html#180-4}} howpublished={\url{http://csrc.nist.gov/publications/PubsFIPS.html#180-4}}
} }
@misc{rfc7539,
author={Yoav Nir and Adam Langley},
title={Request for {C}omments 7539: Cha{C}ha20 and {P}oly1305 for {IETF} {P}rotocols},
howpublished={Internet Research Task Force (IRTF).
\url{https://tools.ietf.org/html/rfc7539}. As modified by verified
errata at \url{https://www.rfc-editor.org/errata_search.php?rfc=7539}}
}