diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 9812996e..b326b734 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -1606,13 +1606,15 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\NoteCommitRandOrSeedBytes}{\notcanopy{\NoteCommitRand}\canopy{\NoteSeedBytes}} \newcommand{\NoteCommitRandBytesOrSeedBytes}{\notcanopy{\NoteCommitRandBytes}\canopy{\NoteSeedBytes}} \newcommand{\NoteUniqueRand}{\mathsf{\uprho}} -\newcommand{\NoteUniqueRandTypeOrchard}{\GF{\ParamP{q}}} \newcommand{\NoteUniqueRandRepr}{{\NoteUniqueRand\Repr}} \newcommand{\NoteUniqueRandOld}[1]{\NoteUniqueRand^\mathsf{old}_{#1}} \newcommand{\NoteUniqueRandNew}[1]{\NoteUniqueRand^\mathsf{new}_{#1}} +\newcommand{\NoteUniqueRandTypeOrchard}{\GF{\ParamP{q}}} \newcommand{\NoteUniquePreRand}{\mathsf{\upvarphi}} \newcommand{\NoteUniquePreRandLength}{\mathsf{\ell^{Sprout}_{\NoteUniquePreRand}}} \newcommand{\NoteNullifierRand}{\mathsf{\uppsi}} +\newcommand{\NoteNullifierRandOld}{\mathsf{\uppsi^{old}}} +\newcommand{\NoteNullifierRandNew}{\mathsf{\uppsi^{new}}} \newcommand{\NoteNullifierRandType}{\GF{\ParamP{q}}} \newcommand{\NoteCommitS}{\mathsf{s}} \newcommand{\CommitIvkRand}{\mathsf{rivk}} 
@@ -3730,8 +3732,8 @@ to derive the unique $\NoteUniqueRand$ value for a \Sapling \note. It is also us in the \spendStatement to confirm use of the correct $\NoteUniqueRand$ value as an input to \nullifier derivation. It is instantiated in \crossref{concretemixinghash}. -$\DiversifyHash{Sapling} \typecolon \DiversifierType \rightarrow \SubgroupJstar$\nufive{ and -$\DiversifyHash{Orchard} \typecolon \DiversifierType \rightarrow \GroupP$}\notnufive{ is a +$\DiversifyHash{Sapling} \typecolon \DiversifierType \rightarrow \maybe{\SubgroupJstar}$\nufive{ and +$\DiversifyHash{Orchard} \typecolon \DiversifierType \rightarrow \maybe{\GroupPstar}$}\notnufive{ is a \hashFunction}\nufive{ are \hashFunctions} instantiated in \crossref{concretediversifyhash}, satisfying the Unlinkability security property described in that section. \notnufive{It is}\nufive{They are} used to derive a \diversifiedBase from a \diversifier, which is specified in 
@@ -3804,8 +3806,15 @@ $\PRFexpand{}$ is used in the following places: \item \crossref{saplingkeycomponents}, with inputs $[0]$, $[1]$, $[2]$, and $[3, i \typecolon \byte]$; \nufiveonwarditem{in \crossref{orchardkeycomponents}, with inputs $[6]$, $[7]$, $[8]$, and $[\hexint{81}]$ (the last of these is also specified in \cite{ZIP-32});} - \item in the processes of sending (\crossref{saplingandorchardsend}) and of receiving (\crossref{saplingandorchardinband}) - \notes, with inputs $[4]$ and $[5]$ for \Sapling \notes, or $[9]$, $[10]$, $[11]$, and $[12]$ for \Orchard \notes; +\notnufive{ + \item sending (\crossref{saplingsend}) and receiving (\crossref{saplingandorchardinband}) \Sapling \notes, + with inputs $[4]$ and $[5]$; +} %notnufive +\notbeforenufive{ + \item in the processes of sending (\crossref{saplingsend}\nufive{ and \crossref{orchardsend}}) and of receiving + (\crossref{saplingandorchardinband}) \notes, with inputs $[4]$ and $[5]$ for \Sapling \notes\nufive{, or + $[9]$, $[10]$, $[11]$, and $[12]$ for \Orchard \notes}; +} %notbeforenufive \item in \cite{ZIP-32}, with inputs $[0]$, $[1]$, $[2]$ (intentionally matching \shortcrossref{saplingkeycomponents}), $[t \typecolon \range{16}{22}]$, and $[\hexint{80}]$. \end{itemize} @@ -4399,7 +4408,7 @@ Define: \item $\ValueCommitTrapdoor{Orchard} := \binaryrange{\ScalarLength{Orchard}}$ and $\ValueCommitOutput{Orchard} := \GroupP$. \item $\CommitIvkTrapdoor := \binaryrange{\ScalarLength{Orchard}}$ and - $\CommitIvkOutput := \GF{\ParamP{r}}$. + $\CommitIvkOutput := \InViewingKeyTypeOrchard$. \end{formulae} \introlist 
@@ -4889,13 +4898,13 @@ if this happens, discard the key and repeat with a different $\SpendingKey$. i.e.\ $\PRFexpand{\SpendingKey}([0]) : \SpendingKey \leftarrowR \SpendingKeyType$, is computationally indistinguishable from $\SpendAuthSigGenPrivate{Sapling}()$ defined in \crossref{concretespendauthsig}. - \item Similarly, the distribution of $\AuthProvePrivate$, i.e.\ + \item The distribution of $\AuthProvePrivate$, i.e.\ $\ToScalar{Sapling}(\PRFexpand{\SpendingKey}([1])) : \SpendingKey \leftarrowR \SpendingKeyType$, is computationally indistinguishable from the uniform distribution on $\GF{\ParamJ{r}}$. Since $\fun{\AuthProvePrivate \typecolon \GF{\ParamJ{r}}^{\vphantom{X}}} {\reprJ\big(\scalarmult{\AuthProvePrivate}{\AuthProveBaseSapling}} \typecolon \SubgroupReprJ\big)$ is bijective, the distribution of $\reprJ\Of{\NullifierKey}$ will be computationally - indistinguishable from uniform on $\SubgroupReprJ$ (which is the keyspace of $\PRFnf{Sapling}{}$). + indistinguishable from uniform on $\SubgroupReprJ$ (the keyspace of $\PRFnf{Sapling}{}$). \item The \zcashd wallet picks \diversifiers as in \cite{ZIP-32}, rather than using the default \diversifier specified above. \end{nnotes} @@ -5290,7 +5299,7 @@ where \item $\enableOutput \typecolon \bit$ is a flag that is set in order to enable non-zero-valued outputs in this action; \item $\ProofAction \typecolon \ActionProof$ is a \zkSNARKProof with \primaryInput - $(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic, \enableSpend,$ $\enableOutput)$ + $(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \enableSpend,$ $\enableOutput)$ for the \actionStatement defined in \crossref{actionstatement}. \end{itemize} 
@@ -5311,8 +5320,8 @@ $\ProofAction$ is aggregated with other Action proofs and encoded in the $\proof As specified in \crossref{concretereddsa}, validation of the $\RedDSAReprR{}$ component of the signature prohibits \nonCanonicalPoint encodings. \item The proof $\Proof{\Action}$ \MUST be valid given a \primaryInput - $(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic, \enableSpend, \enableOutput)$ --- - i.e.\ $\ActionVerify\big(\kern-0.1em(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic, \enableSpend, \enableOutput), \Proof{\Action}\big) = 1$. + $(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \enableSpend, \enableOutput)$ --- + i.e.\ $\ActionVerify\big(\kern-0.1em(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \enableSpend, \enableOutput), \Proof{\Action}\big) = 1$. \end{consensusrules} \vspace{-3ex} @@ -5415,6 +5424,7 @@ Let $\reprJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}. Let $\ItoLEOSP{}$ be as defined in \crossref{endian}. \vspace{1ex} +\introlist Let $\OutViewingKey$ be a \Sapling \outgoingViewingKey that is intended to be able to decrypt this payment. This may be one of: \begin{itemize} @@ -5541,7 +5551,7 @@ and then performs the following steps: \reprP\Of{\DiversifiedTransmitPublic}, \Value, \NoteUniqueRand, \NoteNullifierRand)$. \vspace{0.5ex} - \item Let $\NotePlaintext{} = (\NotePlaintextLeadByte, \Diversifier, \Value, \NoteCommitRandBytesOrSeedBytes, \Memo)$. + \item Let $\NotePlaintext{} = (\NotePlaintextLeadByte, \Diversifier, \Value, \NoteSeedBytes, \Memo)$. \vspace{0.5ex} \item Encrypt $\NotePlaintext{}$ to the recipient \diversifiedTransmissionKey $\DiversifiedTransmitPublic$ with 
@@ -5919,11 +5929,11 @@ treated like an \emph{output} value, whereas} $\vpubNew$ is treated like an \blockChain is the sum of all $\vpubOld$ field values for \transactions in the \blockChain, minus the sum of all $\vpubNew$ fields values for transactions in the \blockChain.} -\vspace{-1ex} +\vspace{-1.5ex} \consensusrule{If the \SproutChainValuePoolBalance would become negative in the \blockChain created as a result of accepting a \block, then all nodes \MUST reject the block as invalid.} -\vspace{2ex} +\vspace{1.5ex} Unlike original \Zerocash \cite{BCGGMTV2014}, \Zcash does not have a distinction between Mint and Pour operations. The addition of $\vpubOld$ to a \joinSplitDescription subsumes the functionality of both Mint and Pour. @@ -5968,12 +5978,12 @@ from that pool. \blockChain is the negation of the sum of all $\valueBalance{Sapling}$ field values for \transactions in the \blockChain.} -\vspace{-1ex} +\vspace{-1.5ex} \consensusrule{If the \SaplingChainValuePoolBalance would become negative in the \blockChain created as a result of accepting a \block, then all nodes \MUST reject the block as invalid.} +\vspace{1.5ex} \introlist -\vspace{2ex} Consistency of $\vBalance{Sapling}$ with the \valueCommitments in \spendDescriptions and \outputDescriptions is enforced by the \defining{\saplingBindingSignature}. This signature has a dual rĂ´le in the \Sapling protocol: @@ -6447,7 +6457,7 @@ $\NoteUniqueRandRepr = \reprJ(\NoteUniqueRand)$. \nufive{ The derivation of \nullifiers for \Orchard \notes is a little more complicated. To avoid repetition, we define a function $\DeriveNullifierAlg \typecolon -\GF{\ParamP{q}} \times \GF{\ParamP{q}} \times \GF{\ParamP{q}} \times \GroupP$ +\NullifierKeyTypeOrchard \times \NoteUniqueRandTypeOrchard \times \NoteNullifierRandType \times \GroupP$ as follows: \begin{formulae} 
@@ -6750,7 +6760,6 @@ For details of the form and encoding of \outputStatement proofs, see \crossref{g \item Public and \auxiliaryInputs \MUST be constrained to have the types specified. In particular, see \crossref{ccteddecompressvalidate}, for required validity checks on compressed representations of \jubjubCurve points. - The $\ValueCommitOutput{Sapling}$ type also represents points, i.e. $\GroupJ$. \item The validity of $\DiversifiedTransmitPublicRepr$ is \emph{not} checked in this circuit. \item It is \emph{not} checked that $\ValueCommitRandOld{} < \ParamJ{r}$ or that $\NoteCommitRandOld{} < \ParamJ{r}$. @@ -6759,6 +6768,7 @@ For details of the form and encoding of \outputStatement proofs, see \crossref{g \nufive{ +\vspace{-3ex} \lsubsubsection{Action Statement (\OrchardText)}{actionstatement} \vspace{-1ex} @@ -6771,8 +6781,9 @@ Let $\ValueCommitAlg{Orchard}$ and $\NoteCommitAlg{Orchard}$ be as specified in Let $\SpendAuthSig{Orchard}$ be as defined in \crossref{concretespendauthsig}. \vspace{-0.5ex} -Let $\GroupP$, $\GroupPstar$, $\reprP$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}. +Let $\GroupP$, $\GroupPstar$, $\GroupPx$, $\reprP$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}. +\vspace{-0.5ex} Let $\DeriveNullifierAlg$ be as defined in \crossref{commitmentsandnullifiers}. \intropart @@ -6785,9 +6796,8 @@ A valid instance of a \defining{\actionStatement}, $\ProofAction$, assures that \hparen\cvNet{} \typecolon \ValueCommitOutput{Orchard},\\ \hparen\nfOld{} \typecolon \PRFOutputNfOrchard,\\ \hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic{Orchard},\\ - \hparen\cmX \typecolon \MerkleHash{Orchard},\\ - \hparen\EphemeralPublic \typecolon \KAPublic{Orchard},\\ - \hparen\enableSpend \typecolon \bit,\\ + \hparen\cmX \typecolon \GroupPx,\vspace{0.2ex}\\ + \hparen\enableSpend \typecolon \bit,\vspace{0.4ex}\\ \hparen\enableOutput \typecolon \bit\cparen$, \end{formulae} 
@@ -6797,20 +6807,25 @@ the prover knows an \auxiliaryInput: \vspace{-1ex} \begin{formulae} - \item $\oparen\TreePath{} \typecolon \typeexp{\MerkleHash{Orchard}}{\MerkleDepth{Orchard}},\\ + \item $\oparen\TreePath{} \typecolon \typeexp{\MerkleHash{Orchard}}{\MerkleDepth{Orchard}},\vspace{-0.6ex}\\ \hparen\NotePosition \typecolon \NotePositionType{Orchard},\vspace{0.4ex}\\ \hparen\DiversifiedTransmitBaseOld \typecolon \GroupPstar,\\ - \hparen\DiversifiedTransmitPublicOld \typecolon \GroupPstar,\vspace{0.6ex}\\ + \hparen\DiversifiedTransmitPublicOld \typecolon \GroupP,\vspace{0.6ex}\\ \hparen\vOld{} \typecolon \ValueType,\\ - \hparen\cmOld{} \typecolon \GroupP,\\ + \hparen\NoteUniqueRandOld{} \typecolon \NoteUniqueRandTypeOrchard,\\ + \hparen\NoteNullifierRandOld \typecolon \NoteNullifierRandType,\vspace{-0.2ex}\\ \hparen\NoteCommitRandOld{} \typecolon \binaryrange{\ScalarLength{Orchard}},\\ - \hparen\AuthSignRandomizer \typecolon \binaryrange{\ScalarLength{Orchard}},\\ - \hparen\AuthSignPublic \typecolon \GroupPstarx,\\ - \hparen\DiversifiedTransmitBaseNew \typecolon \GroupPstar,\\[0.5ex] - \hparen\DiversifiedTransmitPublicNewRepr \typecolon \ReprP,\\ + \hparen\cmOld{} \typecolon \GroupP,\vspace{-0.6ex}\\ + \hparen\AuthSignRandomizer \typecolon \binaryrange{\ScalarLength{Orchard}},\vspace{0.2ex}\\ + \hparen\AuthSignPublicPoint \typecolon \GroupP,\\ + \hparen\NullifierKey \typecolon \NullifierKeyTypeOrchard,\\ + \hparen\CommitIvkRand \typecolon \CommitIvkTrapdoor,\\ + \hparen\DiversifiedTransmitBaseNewRepr \typecolon \ReprP,\\ + \hparen\DiversifiedTransmitPublicNewRepr \typecolon \ReprP,\vspace{0.2ex}\\ \hparen\vNew{} \typecolon \ValueType,\\ + \hparen\NoteUniqueRandNew{} \typecolon \NoteUniqueRandTypeOrchard,\vspace{0.2ex}\\ + \hparen\NoteNullifierRandNew \typecolon \NoteNullifierRandType,\vspace{-0.2ex}\\ \hparen\NoteCommitRandNew{} \typecolon \binaryrange{\ScalarLength{Orchard}},\\ - \hparen\EphemeralPrivate \typecolon \binaryrange{\ScalarLength{Orchard}},\\ 
\hparen\ValueCommitRand{} \typecolon \binaryrange{\ScalarLength{Orchard}}\cparen$ \end{formulae} \vspace{-1.5ex} 
@@ -6820,68 +6835,61 @@ such that the following conditions hold: \snarkcondition{Old note commitment integrity}{actionoldnotecommitmentintegrity} $\cmOld{} = \NoteCommit{Orchard}{\NoteCommitRandOld{}}(\reprP\big(\DiversifiedTransmitBaseOld\big), \reprP\big(\DiversifiedTransmitPublicOld), - \vOld{}, \NoteUniqueRand, \NoteNullifierRand)$. + \vOld{}, + \NoteUniqueRandOld{}, + \NoteNullifierRandOld)$. +\vspace{-0.5ex} \snarkcondition{Merkle path validity}{actionmerklepathvalidity} Either $\vOld{} = 0$; or $(\TreePath{}, \NotePosition)$ is a valid \merklePath of depth $\MerkleDepth{Orchard}$, as defined in \crossref{merklepath}, from $\cmOld{}$ to the \anchor $\rt{Orchard}$. \snarkcondition{Value commitment integrity}{actionvaluecommitmentintegrity} -$\cvNet{} = \ValueCommit{\ValueCommitRandOld{}}(\vOld{} - \vNew{})$. +$\cvNet{} = \ValueCommit{Orchard}{\ValueCommitRandOld{}}(\vOld{} - \vNew{})$. +\vspace{-0.5ex} \snarkcondition{Nullifier integrity}{actionnullifierintegrity} -$\nfOld{} = \DeriveNullifier{\NullifierKeyRepr}(\NoteUniqueRand, \NoteNullifierRand, \cmOld{})$. +$\nfOld{} = \DeriveNullifier{\NullifierKey}(\NoteUniqueRandOld{}, \NoteNullifierRandOld, \cmOld{})$. \snarkcondition{Spend authority}{actionspendauthority} -$\AuthSignRandomizedPublic = \SpendAuthSigRandomizePublic(\AuthSignRandomizer, \AuthSignPublic)$. +$\AuthSignRandomizedPublic = \SpendAuthSigRandomizePublic{Orchard}(\AuthSignRandomizer, \AuthSignPublic)$. \snarkcondition{Diversified address integrity}{actionaddressintegrity} -$\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$ where -\vspace{-1ex} -\begin{formulae} - \item $\InViewingKey = \CommitIvk{\CommitIvkRandom}(\AuthSignPublicRepr, \NullifierKeyRepr)$ - \vspace{-1ex} - \item $\AuthSignPublicRepr = \reprJ\Of{\AuthSignPublic}$\,. 
-\end{formulae} +$\DiversifiedTransmitPublicOld = \scalarmult{\InViewingKey}{\DiversifiedTransmitBaseOld}$ where +$\InViewingKey = \CommitIvk{\CommitIvkRandom}\big(\ExtractP(\AuthSignPublicPoint), \NullifierKey\big)$. -\vspace{1ex} \snarkcondition{New note commitment integrity}{actionnewnotecommitmentintegrity} $\cmX = \ExtractP\big(\NoteCommit{Orchard}{\NoteCommitRandNew{}}(\DiversifiedTransmitBaseNewRepr, \DiversifiedTransmitPublicNewRepr, - \vNew{}, \NoteUniqueRand, \NoteNullifierRand)\kern-0.12em\big)$, - -where $\DiversifiedTransmitBaseNewRepr = \reprJ\Of{\DiversifiedTransmitBaseNew}$\,. - -\vspace{0.5ex} -\snarkcondition{Ephemeral public key integrity}{actionepkintegrity} -$\EphemeralPublic = \scalarmult{\EphemeralPrivate}{\DiversifiedTransmitBaseNew}$. + \vNew{}, + \NoteUniqueRandNew{}, + \NoteNullifierRandNew)\kern-0.12em\big)$, +\vspace{-0.5ex} \snarkcondition{Enable spend flag}{actionenablespend} $\vOld{} = 0$ or $\enableSpend = 1$. \snarkcondition{Enable output flag}{actionenableoutput} $\vNew{} = 0$ or $\enableOutput = 1$. +\vspace{2ex} For details of the form and encoding of \actionStatement proofs, see \crossref{halo2}. \begin{pnotes} - \item Public and \auxiliaryInputs \MUST be constrained to have the types specified. In particular, - see \crossref{cctswdecompressvalidate}, for required validity checks on compressed - representations of \pallasCurve points. - - The $\ValueCommitOutput{Orchard}$ and $\SpendAuthSigPublic{Orchard}$ types also represent points, - i.e.\ $\GroupP$. + \item Public and \auxiliaryInputs \MUST be constrained to have the types specified. + In particular, $\DiversifiedTransmitBaseOld$ cannot be $\ZeroP$. + The $\ValueCommitOutput{Orchard}$ and $\SpendAuthSigPublic{Orchard}$ types represent + \pallasCurve points, i.e.\ $\GroupP$. 
\item In the Merkle path validity check, each \merkleLayer does \emph{not} check that its input bit sequence is a canonical encoding (in $\range{0}{\ParamP{r}-1}$) of the integer from the previous \merkleLayer. - \item Unlike \Sapling, it \emph{is} checked in the \actionStatement that $\AuthSignRandomizedPublic$ - is not the zero point. Similarly, $\DiversifiedTransmitBaseOld$, $\DiversifiedTransmitBaseNew$, - and $\AuthSignPublic$ cannot be the zero point. \item It is \emph{not} checked that $\ValueCommitRand{} < \ParamP{r}$ or that $\NoteCommitRandOld{} < \ParamP{r}$ or that $\NoteCommitRandNew{} < \ParamP{r}$. - \item $\SpendAuthSigRandomizePublic(\AuthSignRandomizer, \AuthSignPublic) = \AuthSignPublic + \scalarmult{\AuthSignRandomizer}{\AuthSignBase{Orchard}}$. + \item $\SpendAuthSigRandomizePublic{Orchard}(\AuthSignRandomizer, \AuthSignPublic) = \AuthSignPublic + \scalarmult{\AuthSignRandomizer}{\AuthSignBase{Orchard}}$. + ($\AuthSignBase{Orchard}$ is as defined in \crossref{concretespendauthsig}.) - \item The validity of $\DiversifiedTransmitPublicRepr$ is \emph{not} checked in this circuit. + \item The validity of $\DiversifiedTransmitBaseRepr$ and $\DiversifiedTransmitPublicRepr$ are + \emph{not} checked in this circuit. \end{pnotes} } %nufive @@ -7920,8 +7928,8 @@ the same effect as using that feature. \introlist \lsubsubsubsection{\DiversifyHashText{Sapling}\notbeforenufive{ and \DiversifyHashText{Orchard}} Hash Function\notbeforenufive{s}}{concretediversifyhash} -$\DiversifyHash{Sapling}$ is used to derive a \diversifiedBase from a \diversifier in -\crossref{saplingkeycomponents}. +$\DiversifyHash{Sapling} \typecolon \DiversifierType \rightarrow \maybe{\SubgroupJstar}$ +is used to derive a \diversifiedBase in \crossref{saplingkeycomponents}. Let $\GroupJHash{}$ and $U$ be as defined in \crossref{concretegrouphashjubjub}. 
@@ -7930,12 +7938,12 @@ Define \vspace{-1ex} \begin{formulae} \item $\DiversifyHash{Sapling}(\Diversifier) := - \GroupJHash{\NotUpMySleeve}\Of{\ascii{Zcash\_gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier}\kern-0.1em}$ + \GroupJHash{\NotUpMySleeve}\Of{\ascii{Zcash\_gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier}\kern-0.1em}$. \end{formulae} \nufive{ -$\DiversifyHash{Orchard}$ is used to derive a \diversifiedBase from a \diversifier in -\crossref{orchardkeycomponents}. +$\DiversifyHash{Orchard} \typecolon \DiversifierType \rightarrow \maybe{\GroupPstar}$ +is used to derive a \diversifiedBase in \crossref{orchardkeycomponents}. Let $\GroupPHash{}$ be as defined in \crossref{concretegrouphashpallasandvesta}. @@ -7943,10 +7951,15 @@ Define \vspace{-1ex} \begin{formulae} - \item $\DiversifyHash{Orchard}(\Diversifier) := - \GroupPHash\Of{\ascii{z.cash:Orchard-gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier}\kern-0.1em}$ + \item $\DiversifyHash{Orchard}(\Diversifier) := \begin{cases} + \bot, &\caseif P = \ZeroP \\ + P, &\caseotherwise + \end{cases}$ \end{formulae} +\vspace{-2ex} +where $P = \GroupPHash\Of{\ascii{z.cash:Orchard-gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier}\kern-0.1em}$. +\vspace{1ex} The following security property and notes apply to both \Sapling and \Orchard. } %nufive @@ -8365,7 +8378,7 @@ is specified as: \item $\PoseidonHash(x, y) = f([x, y, 2^{65}])_1$ (using $1$-based indexing). \end{formulae} -\todo{Specify the MDS matrix and number of rounds.} +\todo{Specify the MDS matrix.} \begin{nnotes} \item The choice of MDS matrix and the number of rounds take into account cryptanalytic 
@@ -8681,13 +8694,13 @@ to $\OutViewingKey$, with input in the bits corresponding to $\cvField$, $\cmxFi \introlist Let $\ParamP{q}$ be as defined in \crossref{pallasandvesta}. -$\PRFnf{Orchard}{} \typecolon \GF{\ParamP{q}} \times \GF{\ParamP{q}} \rightarrow \GF{\ParamP{q}}$ is used as +$\PRFnf{Orchard}{} \typecolon \NullifierKeyTypeOrchard \times \NoteUniqueRandTypeOrchard \rightarrow \GF{\ParamP{q}}$ is used as part of deriving the \nullifier for an \Orchard \note. It is instantiated using the $\PoseidonHash$ \hashFunction \cite{GKRRS2019} defined in \crossref{poseidonhash}: \begin{formulae} - \item $\PRFnf{Orchard}{\NullifierKeyRepr}(\NoteUniqueRandRepr) := \Poseidon(\NullifierKeyRepr, \NoteUniqueRandRepr)$. + \item $\PRFnf{Orchard}{\NullifierKey}(\NoteUniqueRand) := \Poseidon(\NullifierKey, \NoteUniqueRand)$. \end{formulae} \vspace{-2ex} @@ -9106,11 +9119,7 @@ The \bindingSignatureScheme $\BindingSig{Orchard}$ is instantiated by $\RedPalla key re-randomization, using parameters defined in \crossref{concretebindingsig}. } %nufive -Let $\ItoLEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow \bitseq{\ell}$ -and $\ItoLEOSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$ -and $\LEOStoIP{} \typecolon (\ell \typecolon \Nat \suchthat \ell \bmod 8 = 0) \times \byteseq{\ell/8} \rightarrow \binaryrange{\ell}$ -and $\LEBStoOSP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$ -be as defined in \crossref{endian}. +Let $\ItoLEBSP{}$, $\ItoLEOSP{}$, $\LEOStoIP{}$, and $\LEBStoOSP{}$ be as defined in \crossref{endian}. \introlist \vspace{1ex} 
@@ -11282,7 +11291,7 @@ An \Orchard{} \defining{\fullViewingKey} consists of $\AuthSignPublic \typecolon $\NullifierKey \typecolon \NullifierKeyTypeOrchard$, and $\CommitIvkRandom \typecolon \GF{\ParamP{r}}$. $\AuthSignPublic$ is the \authValidatingKey, a point on the \pallasCurve (see \crossref{pallasandvesta}). -$\NullifierKey$ is the \nullifierDerivingKey, a field element in $\GF{\ParamP{q}}$. +$\NullifierKey$ is the \nullifierDerivingKey, a field element in $\NullifierKeyTypeOrchard$. $\CommitIvkRandom$ is the \commitIvkRandomness, a field element in $\GF{\ParamP{r}}$. They are derived as described in \crossref{orchardkeycomponents}.
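Review bot: In the hunk at protocol.tex @@ -1606, the new `\NoteNullifierRandOld` and `\NoteNullifierRandNew` macros put the superscript inside `\mathsf` (`\mathsf{\uppsi^{old}}`), whereas the adjacent `\NoteUniqueRandOld` is `\NoteUniqueRand^\mathsf{old}_{#1}` and takes an index argument; for matching typesetting, and a matching `{}` calling convention (the action statement later writes `\NoteUniqueRandOld{}` directly beside `\NoteNullifierRandOld`), define them as `\NoteNullifierRand^\mathsf{old}` and `\NoteNullifierRand^\mathsf{new}`.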
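Review bot: In the hunk at @@ -3804, the `\notnufive` item reads "sending (...) and receiving (...) \Sapling \notes, with inputs ..." while every other item in the list begins with "in ..."; suggest "in sending ... and receiving ...". Also, the `\nufive{ and \crossref{orchardsend}}` and `\nufive{, or $[9]$, $[10]$, $[11]$, and $[12]$ ...}` fragments are nested inside `\notbeforenufive{...}`, so they vanish in any later build where `\notbeforenufive` holds but `\nufive` does not; if the Orchard inputs are meant to stay documented after NU5, drop the inner `\nufive` wrappers.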
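Review bot: In the hunk at @@ -5290 (and consistently in @@ -5311, @@ -6785, @@ -6797 and @@ -6820), $\EphemeralPublic$ is removed from the action primary input, $\EphemeralPrivate$ from the auxiliary input, and the "Ephemeral public key integrity" condition is deleted, but nothing in the patch records why; add a pnote (or commit-message text) stating that the circuit no longer binds $\EphemeralPublic$ to $\DiversifiedTransmitBaseNew$ and where that binding is now enforced, since a reader comparing with the Sapling output statement will look for it.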
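Review bot: In the hunk at @@ -5968, the unchanged context line reads "dual rĂ´le", which is a UTF-8 "ô" decoded as Latin-1; if that is in the file rather than only in the diff display, fix the encoding (or write `r\^ole`) while this paragraph is being touched.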
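Review bot: In the hunk at @@ -6447, the signature of $\DeriveNullifierAlg$ still ends at `\times \GroupP$` with no `\rightarrow` codomain; since $\nfOld{}$ is typed $\PRFOutputNfOrchard$ in the action statement, write `... \times \GroupP \rightarrow \PRFOutputNfOrchard$` (compare the hunk at @@ -8681, which does give $\PRFnf{Orchard}{}$ a codomain).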
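Review bot: In the hunk at @@ -6750, the sentence "The $\ValueCommitOutput{Sapling}$ type also represents points, i.e. $\GroupJ$." is deleted from the output statement notes, while the parallel note for $\ValueCommitOutput{Orchard}$ is kept (reworded) in the action statement hunk at @@ -6820; if the Sapling sentence is redundant with the type definition, say so in the commit message, otherwise the two statements should keep matching notes.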
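Review bot: In the hunk at @@ -6785, $\cmX$ changes type from $\MerkleHash{Orchard}$ to $\GroupPx$ while $\TreePath{}$ in the auxiliary input stays $\typeexp{\MerkleHash{Orchard}}{\MerkleDepth{Orchard}}$; the relationship between the two sets (equal, or $\GroupPx$ a subset of $\MerkleHash{Orchard}$) should be stated where $\GroupPx$ is defined in \crossref{pallasandvesta}, otherwise the x-coordinate produced by $\ExtractP$ in the new note commitment condition and the Merkle leaf type do not visibly line up.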
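Review bot: In the hunk at @@ -6797, the auxiliary input now declares $\AuthSignPublicPoint \typecolon \GroupP$ and $\CommitIvkRand \typecolon \CommitIvkTrapdoor$, but the conditions in the next hunk consume $\AuthSignPublic$ (Spend authority, and the pnote expanding $\SpendAuthSigRandomizePublic{Orchard}$) and $\CommitIvkRandom$ (Diversified address integrity); unless these macros are aliases, rename the declarations or add a "where $\AuthSignPublic = \ldots$" clause so every witness a condition uses is listed. Also $\CommitIvkTrapdoor$ is $\binaryrange{\ScalarLength{Orchard}}$ (hunk at @@ -4399) whereas the full viewing key hunk at @@ -11282 types $\CommitIvkRandom$ as $\GF{\ParamP{r}}$; the pnote listing the randomizers for which `< \ParamP{r}` is not checked should then include this one.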
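Review bot: In the hunk at @@ -6820, the Value commitment integrity condition uses $\ValueCommitRandOld{}$ but the auxiliary input declares $\ValueCommitRand{}$ and the pnote also writes $\ValueCommitRand{} < \ParamP{r}$; pick one name. Three smaller points in the same hunk: the New note commitment integrity condition still ends `\kern-0.12em\big)$,` with a comma left over from the deleted "where ..." clause, so it should end with a period; the last pnote should name the witnesses as declared ($\DiversifiedTransmitBaseNewRepr$, $\DiversifiedTransmitPublicNewRepr$) and read "The validity of ... is \emph{not} checked", since "validity" is singular; and the context line `\reprP\big(\DiversifiedTransmitPublicOld)` pairs `\big(` with a plain `)`. Finally, the deleted pnote stated that $\AuthSignRandomizedPublic$, $\DiversifiedTransmitBaseNew$ and $\AuthSignPublic$ are checked to be non-zero, and the replacement only says $\DiversifiedTransmitBaseOld$ cannot be $\ZeroP$ while $\AuthSignPublicPoint$ is typed as $\GroupP$; if those non-zero checks were intentionally dropped, say so, otherwise restore them in the note.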
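Review bot: In the hunks at @@ -7920 and @@ -7943, $\DiversifyHash{Orchard}$ gets an explicit $\bot$ case for $P = \ZeroP$ to match its new codomain $\maybe{\GroupPstar}$, but $\DiversifyHash{Sapling}$ is given the codomain $\maybe{\SubgroupJstar}$ with a definition that is just $\GroupJHash{\NotUpMySleeve}\Of{\ascii{Zcash\_gd}, \ldots}$ and no $\bot$ case; add a sentence saying that $\GroupJHash{}$ itself yields $\bot$ on failure (if that is the intent) so both definitions visibly agree with their declared types.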
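Review bot: In the hunk at @@ -8681, the domain of $\PRFnf{Orchard}{}$ switches to the named types but the codomain stays $\GF{\ParamP{q}}$; for symmetry with $\nfOld{} \typecolon \PRFOutputNfOrchard$ in the action statement, consider `\rightarrow \PRFOutputNfOrchard`. Since the instantiation now takes $\NullifierKey$ and $\NoteUniqueRand$ directly instead of $\NullifierKeyRepr$ and $\NoteUniqueRandRepr$, check whether the $\NoteUniqueRandRepr$ macro kept in the first hunk still has any Orchard use.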