Mainly fixes to the Action statement.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent
d79de34b4a
commit
37d8221c4d
@ -1606,13 +1606,15 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\NoteCommitRandOrSeedBytes}{\notcanopy{\NoteCommitRand}\canopy{\NoteSeedBytes}}
|
\newcommand{\NoteCommitRandOrSeedBytes}{\notcanopy{\NoteCommitRand}\canopy{\NoteSeedBytes}}
|
||||||
\newcommand{\NoteCommitRandBytesOrSeedBytes}{\notcanopy{\NoteCommitRandBytes}\canopy{\NoteSeedBytes}}
|
\newcommand{\NoteCommitRandBytesOrSeedBytes}{\notcanopy{\NoteCommitRandBytes}\canopy{\NoteSeedBytes}}
|
||||||
\newcommand{\NoteUniqueRand}{\mathsf{\uprho}}
|
\newcommand{\NoteUniqueRand}{\mathsf{\uprho}}
|
||||||
\newcommand{\NoteUniqueRandTypeOrchard}{\GF{\ParamP{q}}}
|
|
||||||
\newcommand{\NoteUniqueRandRepr}{{\NoteUniqueRand\Repr}}
|
\newcommand{\NoteUniqueRandRepr}{{\NoteUniqueRand\Repr}}
|
||||||
\newcommand{\NoteUniqueRandOld}[1]{\NoteUniqueRand^\mathsf{old}_{#1}}
|
\newcommand{\NoteUniqueRandOld}[1]{\NoteUniqueRand^\mathsf{old}_{#1}}
|
||||||
\newcommand{\NoteUniqueRandNew}[1]{\NoteUniqueRand^\mathsf{new}_{#1}}
|
\newcommand{\NoteUniqueRandNew}[1]{\NoteUniqueRand^\mathsf{new}_{#1}}
|
||||||
|
\newcommand{\NoteUniqueRandTypeOrchard}{\GF{\ParamP{q}}}
|
||||||
\newcommand{\NoteUniquePreRand}{\mathsf{\upvarphi}}
|
\newcommand{\NoteUniquePreRand}{\mathsf{\upvarphi}}
|
||||||
\newcommand{\NoteUniquePreRandLength}{\mathsf{\ell^{Sprout}_{\NoteUniquePreRand}}}
|
\newcommand{\NoteUniquePreRandLength}{\mathsf{\ell^{Sprout}_{\NoteUniquePreRand}}}
|
||||||
\newcommand{\NoteNullifierRand}{\mathsf{\uppsi}}
|
\newcommand{\NoteNullifierRand}{\mathsf{\uppsi}}
|
||||||
|
\newcommand{\NoteNullifierRandOld}{\mathsf{\uppsi^{old}}}
|
||||||
|
\newcommand{\NoteNullifierRandNew}{\mathsf{\uppsi^{new}}}
|
||||||
\newcommand{\NoteNullifierRandType}{\GF{\ParamP{q}}}
|
\newcommand{\NoteNullifierRandType}{\GF{\ParamP{q}}}
|
||||||
\newcommand{\NoteCommitS}{\mathsf{s}}
|
\newcommand{\NoteCommitS}{\mathsf{s}}
|
||||||
\newcommand{\CommitIvkRand}{\mathsf{rivk}}
|
\newcommand{\CommitIvkRand}{\mathsf{rivk}}
|
||||||
|
@ -3730,8 +3732,8 @@ to derive the unique $\NoteUniqueRand$ value for a \Sapling \note. It is also us
|
||||||
in the \spendStatement to confirm use of the correct $\NoteUniqueRand$ value as an
|
in the \spendStatement to confirm use of the correct $\NoteUniqueRand$ value as an
|
||||||
input to \nullifier derivation. It is instantiated in \crossref{concretemixinghash}.
|
input to \nullifier derivation. It is instantiated in \crossref{concretemixinghash}.
|
||||||
|
|
||||||
$\DiversifyHash{Sapling} \typecolon \DiversifierType \rightarrow \SubgroupJstar$\nufive{ and
|
$\DiversifyHash{Sapling} \typecolon \DiversifierType \rightarrow \maybe{\SubgroupJstar}$\nufive{ and
|
||||||
$\DiversifyHash{Orchard} \typecolon \DiversifierType \rightarrow \GroupP$}\notnufive{ is a
|
$\DiversifyHash{Orchard} \typecolon \DiversifierType \rightarrow \maybe{\GroupPstar}$}\notnufive{ is a
|
||||||
\hashFunction}\nufive{ are \hashFunctions} instantiated in \crossref{concretediversifyhash},
|
\hashFunction}\nufive{ are \hashFunctions} instantiated in \crossref{concretediversifyhash},
|
||||||
satisfying the Unlinkability security property described in that section. \notnufive{It is}\nufive{They are}
|
satisfying the Unlinkability security property described in that section. \notnufive{It is}\nufive{They are}
|
||||||
used to derive a \diversifiedBase from a \diversifier, which is specified in
|
used to derive a \diversifiedBase from a \diversifier, which is specified in
|
||||||
|
@ -3804,8 +3806,15 @@ $\PRFexpand{}$ is used in the following places:
|
||||||
\item \crossref{saplingkeycomponents}, with inputs $[0]$, $[1]$, $[2]$, and $[3, i \typecolon \byte]$;
|
\item \crossref{saplingkeycomponents}, with inputs $[0]$, $[1]$, $[2]$, and $[3, i \typecolon \byte]$;
|
||||||
\nufiveonwarditem{in \crossref{orchardkeycomponents}, with inputs $[6]$, $[7]$, $[8]$, and $[\hexint{81}]$
|
\nufiveonwarditem{in \crossref{orchardkeycomponents}, with inputs $[6]$, $[7]$, $[8]$, and $[\hexint{81}]$
|
||||||
(the last of these is also specified in \cite{ZIP-32});}
|
(the last of these is also specified in \cite{ZIP-32});}
|
||||||
\item in the processes of sending (\crossref{saplingandorchardsend}) and of receiving (\crossref{saplingandorchardinband})
|
\notnufive{
|
||||||
\notes, with inputs $[4]$ and $[5]$ for \Sapling \notes, or $[9]$, $[10]$, $[11]$, and $[12]$ for \Orchard \notes;
|
\item sending (\crossref{saplingsend}) and receiving (\crossref{saplingandorchardinband}) \Sapling \notes,
|
||||||
|
with inputs $[4]$ and $[5]$;
|
||||||
|
} %notnufive
|
||||||
|
\notbeforenufive{
|
||||||
|
\item in the processes of sending (\crossref{saplingsend}\nufive{ and \crossref{orchardsend}}) and of receiving
|
||||||
|
(\crossref{saplingandorchardinband}) \notes, with inputs $[4]$ and $[5]$ for \Sapling \notes\nufive{, or
|
||||||
|
$[9]$, $[10]$, $[11]$, and $[12]$ for \Orchard \notes};
|
||||||
|
} %notbeforenufive
|
||||||
\item in \cite{ZIP-32}, with inputs $[0]$, $[1]$, $[2]$ (intentionally matching \shortcrossref{saplingkeycomponents}),
|
\item in \cite{ZIP-32}, with inputs $[0]$, $[1]$, $[2]$ (intentionally matching \shortcrossref{saplingkeycomponents}),
|
||||||
$[t \typecolon \range{16}{22}]$, and $[\hexint{80}]$.
|
$[t \typecolon \range{16}{22}]$, and $[\hexint{80}]$.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
@ -4399,7 +4408,7 @@ Define:
|
||||||
\item $\ValueCommitTrapdoor{Orchard} := \binaryrange{\ScalarLength{Orchard}}$ and
|
\item $\ValueCommitTrapdoor{Orchard} := \binaryrange{\ScalarLength{Orchard}}$ and
|
||||||
$\ValueCommitOutput{Orchard} := \GroupP$.
|
$\ValueCommitOutput{Orchard} := \GroupP$.
|
||||||
\item $\CommitIvkTrapdoor := \binaryrange{\ScalarLength{Orchard}}$ and
|
\item $\CommitIvkTrapdoor := \binaryrange{\ScalarLength{Orchard}}$ and
|
||||||
$\CommitIvkOutput := \GF{\ParamP{r}}$.
|
$\CommitIvkOutput := \InViewingKeyTypeOrchard$.
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
\introlist
|
\introlist
|
||||||
|
@ -4889,13 +4898,13 @@ if this happens, discard the key and repeat with a different $\SpendingKey$.
|
||||||
i.e.\ $\PRFexpand{\SpendingKey}([0]) : \SpendingKey \leftarrowR \SpendingKeyType$,
|
i.e.\ $\PRFexpand{\SpendingKey}([0]) : \SpendingKey \leftarrowR \SpendingKeyType$,
|
||||||
is computationally indistinguishable from $\SpendAuthSigGenPrivate{Sapling}()$ defined
|
is computationally indistinguishable from $\SpendAuthSigGenPrivate{Sapling}()$ defined
|
||||||
in \crossref{concretespendauthsig}.
|
in \crossref{concretespendauthsig}.
|
||||||
\item Similarly, the distribution of $\AuthProvePrivate$, i.e.\
|
\item The distribution of $\AuthProvePrivate$, i.e.\
|
||||||
$\ToScalar{Sapling}(\PRFexpand{\SpendingKey}([1])) : \SpendingKey \leftarrowR \SpendingKeyType$,
|
$\ToScalar{Sapling}(\PRFexpand{\SpendingKey}([1])) : \SpendingKey \leftarrowR \SpendingKeyType$,
|
||||||
is computationally indistinguishable from the uniform distribution on $\GF{\ParamJ{r}}$.
|
is computationally indistinguishable from the uniform distribution on $\GF{\ParamJ{r}}$.
|
||||||
Since $\fun{\AuthProvePrivate \typecolon \GF{\ParamJ{r}}^{\vphantom{X}}}
|
Since $\fun{\AuthProvePrivate \typecolon \GF{\ParamJ{r}}^{\vphantom{X}}}
|
||||||
{\reprJ\big(\scalarmult{\AuthProvePrivate}{\AuthProveBaseSapling}} \typecolon \SubgroupReprJ\big)$
|
{\reprJ\big(\scalarmult{\AuthProvePrivate}{\AuthProveBaseSapling}} \typecolon \SubgroupReprJ\big)$
|
||||||
is bijective, the distribution of $\reprJ\Of{\NullifierKey}$ will be computationally
|
is bijective, the distribution of $\reprJ\Of{\NullifierKey}$ will be computationally
|
||||||
indistinguishable from uniform on $\SubgroupReprJ$ (which is the keyspace of $\PRFnf{Sapling}{}$).
|
indistinguishable from uniform on $\SubgroupReprJ$ (the keyspace of $\PRFnf{Sapling}{}$).
|
||||||
\item The \zcashd wallet picks \diversifiers as in \cite{ZIP-32}, rather than using the default
|
\item The \zcashd wallet picks \diversifiers as in \cite{ZIP-32}, rather than using the default
|
||||||
\diversifier specified above.
|
\diversifier specified above.
|
||||||
\end{nnotes}
|
\end{nnotes}
|
||||||
|
@ -5290,7 +5299,7 @@ where
|
||||||
\item $\enableOutput \typecolon \bit$ is a flag that is set in order to enable non-zero-valued
|
\item $\enableOutput \typecolon \bit$ is a flag that is set in order to enable non-zero-valued
|
||||||
outputs in this action;
|
outputs in this action;
|
||||||
\item $\ProofAction \typecolon \ActionProof$ is a \zkSNARKProof with \primaryInput
|
\item $\ProofAction \typecolon \ActionProof$ is a \zkSNARKProof with \primaryInput
|
||||||
$(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic, \enableSpend,$ $\enableOutput)$
|
$(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \enableSpend,$ $\enableOutput)$
|
||||||
for the \actionStatement defined in \crossref{actionstatement}.
|
for the \actionStatement defined in \crossref{actionstatement}.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
|
@ -5311,8 +5320,8 @@ $\ProofAction$ is aggregated with other Action proofs and encoded in the $\proof
|
||||||
As specified in \crossref{concretereddsa}, validation of the $\RedDSAReprR{}$ component
|
As specified in \crossref{concretereddsa}, validation of the $\RedDSAReprR{}$ component
|
||||||
of the signature prohibits \nonCanonicalPoint encodings.
|
of the signature prohibits \nonCanonicalPoint encodings.
|
||||||
\item The proof $\Proof{\Action}$ \MUST be valid given a \primaryInput
|
\item The proof $\Proof{\Action}$ \MUST be valid given a \primaryInput
|
||||||
$(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic, \enableSpend, \enableOutput)$ ---
|
$(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \enableSpend, \enableOutput)$ ---
|
||||||
i.e.\ $\ActionVerify\big(\kern-0.1em(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic, \enableSpend, \enableOutput), \Proof{\Action}\big) = 1$.
|
i.e.\ $\ActionVerify\big(\kern-0.1em(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \enableSpend, \enableOutput), \Proof{\Action}\big) = 1$.
|
||||||
\end{consensusrules}
|
\end{consensusrules}
|
||||||
|
|
||||||
\vspace{-3ex}
|
\vspace{-3ex}
|
||||||
|
@ -5415,6 +5424,7 @@ Let $\reprJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}.
|
||||||
Let $\ItoLEOSP{}$ be as defined in \crossref{endian}.
|
Let $\ItoLEOSP{}$ be as defined in \crossref{endian}.
|
||||||
|
|
||||||
\vspace{1ex}
|
\vspace{1ex}
|
||||||
|
\introlist
|
||||||
Let $\OutViewingKey$ be a \Sapling \outgoingViewingKey that is intended to be able to decrypt
|
Let $\OutViewingKey$ be a \Sapling \outgoingViewingKey that is intended to be able to decrypt
|
||||||
this payment. This may be one of:
|
this payment. This may be one of:
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
|
@ -5541,7 +5551,7 @@ and then performs the following steps:
|
||||||
\reprP\Of{\DiversifiedTransmitPublic},
|
\reprP\Of{\DiversifiedTransmitPublic},
|
||||||
\Value, \NoteUniqueRand, \NoteNullifierRand)$.
|
\Value, \NoteUniqueRand, \NoteNullifierRand)$.
|
||||||
\vspace{0.5ex}
|
\vspace{0.5ex}
|
||||||
\item Let $\NotePlaintext{} = (\NotePlaintextLeadByte, \Diversifier, \Value, \NoteCommitRandBytesOrSeedBytes, \Memo)$.
|
\item Let $\NotePlaintext{} = (\NotePlaintextLeadByte, \Diversifier, \Value, \NoteSeedBytes, \Memo)$.
|
||||||
\vspace{0.5ex}
|
\vspace{0.5ex}
|
||||||
\item Encrypt $\NotePlaintext{}$ to the recipient
|
\item Encrypt $\NotePlaintext{}$ to the recipient
|
||||||
\diversifiedTransmissionKey $\DiversifiedTransmitPublic$ with
|
\diversifiedTransmissionKey $\DiversifiedTransmitPublic$ with
|
||||||
|
@ -5919,11 +5929,11 @@ treated like an \emph{output} value, whereas} $\vpubNew$ is treated like an
|
||||||
\blockChain is the sum of all $\vpubOld$ field values for \transactions in the \blockChain,
|
\blockChain is the sum of all $\vpubOld$ field values for \transactions in the \blockChain,
|
||||||
minus the sum of all $\vpubNew$ fields values for transactions in the \blockChain.}
|
minus the sum of all $\vpubNew$ fields values for transactions in the \blockChain.}
|
||||||
|
|
||||||
\vspace{-1ex}
|
\vspace{-1.5ex}
|
||||||
\consensusrule{If the \SproutChainValuePoolBalance would become negative in the \blockChain
|
\consensusrule{If the \SproutChainValuePoolBalance would become negative in the \blockChain
|
||||||
created as a result of accepting a \block, then all nodes \MUST reject the block as invalid.}
|
created as a result of accepting a \block, then all nodes \MUST reject the block as invalid.}
|
||||||
|
|
||||||
\vspace{2ex}
|
\vspace{1.5ex}
|
||||||
Unlike original \Zerocash \cite{BCGGMTV2014}, \Zcash does not have
|
Unlike original \Zerocash \cite{BCGGMTV2014}, \Zcash does not have
|
||||||
a distinction between Mint and Pour operations. The addition of $\vpubOld$ to a
|
a distinction between Mint and Pour operations. The addition of $\vpubOld$ to a
|
||||||
\joinSplitDescription subsumes the functionality of both Mint and Pour.
|
\joinSplitDescription subsumes the functionality of both Mint and Pour.
|
||||||
|
@ -5968,12 +5978,12 @@ from that pool.
|
||||||
\blockChain is the negation of the sum of all $\valueBalance{Sapling}$ field values for
|
\blockChain is the negation of the sum of all $\valueBalance{Sapling}$ field values for
|
||||||
\transactions in the \blockChain.}
|
\transactions in the \blockChain.}
|
||||||
|
|
||||||
\vspace{-1ex}
|
\vspace{-1.5ex}
|
||||||
\consensusrule{If the \SaplingChainValuePoolBalance would become negative in the \blockChain
|
\consensusrule{If the \SaplingChainValuePoolBalance would become negative in the \blockChain
|
||||||
created as a result of accepting a \block, then all nodes \MUST reject the block as invalid.}
|
created as a result of accepting a \block, then all nodes \MUST reject the block as invalid.}
|
||||||
|
|
||||||
|
\vspace{1.5ex}
|
||||||
\introlist
|
\introlist
|
||||||
\vspace{2ex}
|
|
||||||
Consistency of $\vBalance{Sapling}$ with the \valueCommitments in \spendDescriptions
|
Consistency of $\vBalance{Sapling}$ with the \valueCommitments in \spendDescriptions
|
||||||
and \outputDescriptions is enforced by the \defining{\saplingBindingSignature}.
|
and \outputDescriptions is enforced by the \defining{\saplingBindingSignature}.
|
||||||
This signature has a dual rôle in the \Sapling protocol:
|
This signature has a dual rôle in the \Sapling protocol:
|
||||||
|
@ -6447,7 +6457,7 @@ $\NoteUniqueRandRepr = \reprJ(\NoteUniqueRand)$.
|
||||||
\nufive{
|
\nufive{
|
||||||
The derivation of \nullifiers for \Orchard \notes is a little more complicated.
|
The derivation of \nullifiers for \Orchard \notes is a little more complicated.
|
||||||
To avoid repetition, we define a function $\DeriveNullifierAlg \typecolon
|
To avoid repetition, we define a function $\DeriveNullifierAlg \typecolon
|
||||||
\GF{\ParamP{q}} \times \GF{\ParamP{q}} \times \GF{\ParamP{q}} \times \GroupP$
|
\NullifierKeyTypeOrchard \times \NoteUniqueRandTypeOrchard \times \NoteNullifierRandType \times \GroupP$
|
||||||
as follows:
|
as follows:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
|
@ -6750,7 +6760,6 @@ For details of the form and encoding of \outputStatement proofs, see \crossref{g
|
||||||
\item Public and \auxiliaryInputs \MUST be constrained to have the types specified. In particular,
|
\item Public and \auxiliaryInputs \MUST be constrained to have the types specified. In particular,
|
||||||
see \crossref{ccteddecompressvalidate}, for required validity checks on compressed
|
see \crossref{ccteddecompressvalidate}, for required validity checks on compressed
|
||||||
representations of \jubjubCurve points.
|
representations of \jubjubCurve points.
|
||||||
|
|
||||||
The $\ValueCommitOutput{Sapling}$ type also represents points, i.e. $\GroupJ$.
|
The $\ValueCommitOutput{Sapling}$ type also represents points, i.e. $\GroupJ$.
|
||||||
\item The validity of $\DiversifiedTransmitPublicRepr$ is \emph{not} checked in this circuit.
|
\item The validity of $\DiversifiedTransmitPublicRepr$ is \emph{not} checked in this circuit.
|
||||||
\item It is \emph{not} checked that $\ValueCommitRandOld{} < \ParamJ{r}$ or that $\NoteCommitRandOld{} < \ParamJ{r}$.
|
\item It is \emph{not} checked that $\ValueCommitRandOld{} < \ParamJ{r}$ or that $\NoteCommitRandOld{} < \ParamJ{r}$.
|
||||||
|
@ -6759,6 +6768,7 @@ For details of the form and encoding of \outputStatement proofs, see \crossref{g
|
||||||
|
|
||||||
|
|
||||||
\nufive{
|
\nufive{
|
||||||
|
\vspace{-3ex}
|
||||||
\lsubsubsection{Action Statement (\OrchardText)}{actionstatement}
|
\lsubsubsection{Action Statement (\OrchardText)}{actionstatement}
|
||||||
|
|
||||||
\vspace{-1ex}
|
\vspace{-1ex}
|
||||||
|
@ -6771,8 +6781,9 @@ Let $\ValueCommitAlg{Orchard}$ and $\NoteCommitAlg{Orchard}$ be as specified in
|
||||||
Let $\SpendAuthSig{Orchard}$ be as defined in \crossref{concretespendauthsig}.
|
Let $\SpendAuthSig{Orchard}$ be as defined in \crossref{concretespendauthsig}.
|
||||||
|
|
||||||
\vspace{-0.5ex}
|
\vspace{-0.5ex}
|
||||||
Let $\GroupP$, $\GroupPstar$, $\reprP$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}.
|
Let $\GroupP$, $\GroupPstar$, $\GroupPx$, $\reprP$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}.
|
||||||
|
|
||||||
|
\vspace{-0.5ex}
|
||||||
Let $\DeriveNullifierAlg$ be as defined in \crossref{commitmentsandnullifiers}.
|
Let $\DeriveNullifierAlg$ be as defined in \crossref{commitmentsandnullifiers}.
|
||||||
|
|
||||||
\intropart
|
\intropart
|
||||||
|
@ -6785,9 +6796,8 @@ A valid instance of a \defining{\actionStatement}, $\ProofAction$, assures that
|
||||||
\hparen\cvNet{} \typecolon \ValueCommitOutput{Orchard},\\
|
\hparen\cvNet{} \typecolon \ValueCommitOutput{Orchard},\\
|
||||||
\hparen\nfOld{} \typecolon \PRFOutputNfOrchard,\\
|
\hparen\nfOld{} \typecolon \PRFOutputNfOrchard,\\
|
||||||
\hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic{Orchard},\\
|
\hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic{Orchard},\\
|
||||||
\hparen\cmX \typecolon \MerkleHash{Orchard},\\
|
\hparen\cmX \typecolon \GroupPx,\vspace{0.2ex}\\
|
||||||
\hparen\EphemeralPublic \typecolon \KAPublic{Orchard},\\
|
\hparen\enableSpend \typecolon \bit,\vspace{0.4ex}\\
|
||||||
\hparen\enableSpend \typecolon \bit,\\
|
|
||||||
\hparen\enableOutput \typecolon \bit\cparen$,
|
\hparen\enableOutput \typecolon \bit\cparen$,
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
|
@ -6797,20 +6807,25 @@ the prover knows an \auxiliaryInput:
|
||||||
|
|
||||||
\vspace{-1ex}
|
\vspace{-1ex}
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\oparen\TreePath{} \typecolon \typeexp{\MerkleHash{Orchard}}{\MerkleDepth{Orchard}},\\
|
\item $\oparen\TreePath{} \typecolon \typeexp{\MerkleHash{Orchard}}{\MerkleDepth{Orchard}},\vspace{-0.6ex}\\
|
||||||
\hparen\NotePosition \typecolon \NotePositionType{Orchard},\vspace{0.4ex}\\
|
\hparen\NotePosition \typecolon \NotePositionType{Orchard},\vspace{0.4ex}\\
|
||||||
\hparen\DiversifiedTransmitBaseOld \typecolon \GroupPstar,\\
|
\hparen\DiversifiedTransmitBaseOld \typecolon \GroupPstar,\\
|
||||||
\hparen\DiversifiedTransmitPublicOld \typecolon \GroupPstar,\vspace{0.6ex}\\
|
\hparen\DiversifiedTransmitPublicOld \typecolon \GroupP,\vspace{0.6ex}\\
|
||||||
\hparen\vOld{} \typecolon \ValueType,\\
|
\hparen\vOld{} \typecolon \ValueType,\\
|
||||||
\hparen\cmOld{} \typecolon \GroupP,\\
|
\hparen\NoteUniqueRandOld{} \typecolon \NoteUniqueRandTypeOrchard,\\
|
||||||
|
\hparen\NoteNullifierRandOld \typecolon \NoteNullifierRandType,\vspace{-0.2ex}\\
|
||||||
\hparen\NoteCommitRandOld{} \typecolon \binaryrange{\ScalarLength{Orchard}},\\
|
\hparen\NoteCommitRandOld{} \typecolon \binaryrange{\ScalarLength{Orchard}},\\
|
||||||
\hparen\AuthSignRandomizer \typecolon \binaryrange{\ScalarLength{Orchard}},\\
|
\hparen\cmOld{} \typecolon \GroupP,\vspace{-0.6ex}\\
|
||||||
\hparen\AuthSignPublic \typecolon \GroupPstarx,\\
|
\hparen\AuthSignRandomizer \typecolon \binaryrange{\ScalarLength{Orchard}},\vspace{0.2ex}\\
|
||||||
\hparen\DiversifiedTransmitBaseNew \typecolon \GroupPstar,\\[0.5ex]
|
\hparen\AuthSignPublicPoint \typecolon \GroupP,\\
|
||||||
\hparen\DiversifiedTransmitPublicNewRepr \typecolon \ReprP,\\
|
\hparen\NullifierKey \typecolon \NullifierKeyTypeOrchard,\\
|
||||||
|
\hparen\CommitIvkRand \typecolon \CommitIvkTrapdoor,\\
|
||||||
|
\hparen\DiversifiedTransmitBaseNewRepr \typecolon \ReprP,\\
|
||||||
|
\hparen\DiversifiedTransmitPublicNewRepr \typecolon \ReprP,\vspace{0.2ex}\\
|
||||||
\hparen\vNew{} \typecolon \ValueType,\\
|
\hparen\vNew{} \typecolon \ValueType,\\
|
||||||
|
\hparen\NoteUniqueRandNew{} \typecolon \NoteUniqueRandTypeOrchard,\vspace{0.2ex}\\
|
||||||
|
\hparen\NoteNullifierRandNew \typecolon \NoteNullifierRandType,\vspace{-0.2ex}\\
|
||||||
\hparen\NoteCommitRandNew{} \typecolon \binaryrange{\ScalarLength{Orchard}},\\
|
\hparen\NoteCommitRandNew{} \typecolon \binaryrange{\ScalarLength{Orchard}},\\
|
||||||
\hparen\EphemeralPrivate \typecolon \binaryrange{\ScalarLength{Orchard}},\\
|
|
||||||
\hparen\ValueCommitRand{} \typecolon \binaryrange{\ScalarLength{Orchard}}\cparen$
|
\hparen\ValueCommitRand{} \typecolon \binaryrange{\ScalarLength{Orchard}}\cparen$
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
\vspace{-1.5ex}
|
\vspace{-1.5ex}
|
||||||
|
@ -6820,68 +6835,61 @@ such that the following conditions hold:
|
||||||
\snarkcondition{Old note commitment integrity}{actionoldnotecommitmentintegrity}
|
\snarkcondition{Old note commitment integrity}{actionoldnotecommitmentintegrity}
|
||||||
$\cmOld{} = \NoteCommit{Orchard}{\NoteCommitRandOld{}}(\reprP\big(\DiversifiedTransmitBaseOld\big),
|
$\cmOld{} = \NoteCommit{Orchard}{\NoteCommitRandOld{}}(\reprP\big(\DiversifiedTransmitBaseOld\big),
|
||||||
\reprP\big(\DiversifiedTransmitPublicOld),
|
\reprP\big(\DiversifiedTransmitPublicOld),
|
||||||
\vOld{}, \NoteUniqueRand, \NoteNullifierRand)$.
|
\vOld{},
|
||||||
|
\NoteUniqueRandOld{},
|
||||||
|
\NoteNullifierRandOld)$.
|
||||||
|
|
||||||
|
\vspace{-0.5ex}
|
||||||
\snarkcondition{Merkle path validity}{actionmerklepathvalidity}
|
\snarkcondition{Merkle path validity}{actionmerklepathvalidity}
|
||||||
Either $\vOld{} = 0$; or $(\TreePath{}, \NotePosition)$ is a valid \merklePath of depth $\MerkleDepth{Orchard}$,
|
Either $\vOld{} = 0$; or $(\TreePath{}, \NotePosition)$ is a valid \merklePath of depth $\MerkleDepth{Orchard}$,
|
||||||
as defined in \crossref{merklepath}, from $\cmOld{}$ to the \anchor $\rt{Orchard}$.
|
as defined in \crossref{merklepath}, from $\cmOld{}$ to the \anchor $\rt{Orchard}$.
|
||||||
|
|
||||||
\snarkcondition{Value commitment integrity}{actionvaluecommitmentintegrity}
|
\snarkcondition{Value commitment integrity}{actionvaluecommitmentintegrity}
|
||||||
$\cvNet{} = \ValueCommit{\ValueCommitRandOld{}}(\vOld{} - \vNew{})$.
|
$\cvNet{} = \ValueCommit{Orchard}{\ValueCommitRandOld{}}(\vOld{} - \vNew{})$.
|
||||||
|
|
||||||
|
\vspace{-0.5ex}
|
||||||
\snarkcondition{Nullifier integrity}{actionnullifierintegrity}
|
\snarkcondition{Nullifier integrity}{actionnullifierintegrity}
|
||||||
$\nfOld{} = \DeriveNullifier{\NullifierKeyRepr}(\NoteUniqueRand, \NoteNullifierRand, \cmOld{})$.
|
$\nfOld{} = \DeriveNullifier{\NullifierKey}(\NoteUniqueRandOld{}, \NoteNullifierRandOld, \cmOld{})$.
|
||||||
|
|
||||||
\snarkcondition{Spend authority}{actionspendauthority}
|
\snarkcondition{Spend authority}{actionspendauthority}
|
||||||
$\AuthSignRandomizedPublic = \SpendAuthSigRandomizePublic(\AuthSignRandomizer, \AuthSignPublic)$.
|
$\AuthSignRandomizedPublic = \SpendAuthSigRandomizePublic{Orchard}(\AuthSignRandomizer, \AuthSignPublic)$.
|
||||||
|
|
||||||
\snarkcondition{Diversified address integrity}{actionaddressintegrity}
|
\snarkcondition{Diversified address integrity}{actionaddressintegrity}
|
||||||
$\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$ where
|
$\DiversifiedTransmitPublicOld = \scalarmult{\InViewingKey}{\DiversifiedTransmitBaseOld}$ where
|
||||||
\vspace{-1ex}
|
$\InViewingKey = \CommitIvk{\CommitIvkRandom}\big(\ExtractP(\AuthSignPublicPoint), \NullifierKey\big)$.
|
||||||
\begin{formulae}
|
|
||||||
\item $\InViewingKey = \CommitIvk{\CommitIvkRandom}(\AuthSignPublicRepr, \NullifierKeyRepr)$
|
|
||||||
\vspace{-1ex}
|
|
||||||
\item $\AuthSignPublicRepr = \reprJ\Of{\AuthSignPublic}$\,.
|
|
||||||
\end{formulae}
|
|
||||||
|
|
||||||
\vspace{1ex}
|
|
||||||
\snarkcondition{New note commitment integrity}{actionnewnotecommitmentintegrity}
|
\snarkcondition{New note commitment integrity}{actionnewnotecommitmentintegrity}
|
||||||
$\cmX = \ExtractP\big(\NoteCommit{Orchard}{\NoteCommitRandNew{}}(\DiversifiedTransmitBaseNewRepr,
|
$\cmX = \ExtractP\big(\NoteCommit{Orchard}{\NoteCommitRandNew{}}(\DiversifiedTransmitBaseNewRepr,
|
||||||
\DiversifiedTransmitPublicNewRepr,
|
\DiversifiedTransmitPublicNewRepr,
|
||||||
\vNew{}, \NoteUniqueRand, \NoteNullifierRand)\kern-0.12em\big)$,
|
\vNew{},
|
||||||
|
\NoteUniqueRandNew{},
|
||||||
where $\DiversifiedTransmitBaseNewRepr = \reprJ\Of{\DiversifiedTransmitBaseNew}$\,.
|
\NoteNullifierRandNew)\kern-0.12em\big)$,
|
||||||
|
|
||||||
\vspace{0.5ex}
|
|
||||||
\snarkcondition{Ephemeral public key integrity}{actionepkintegrity}
|
|
||||||
$\EphemeralPublic = \scalarmult{\EphemeralPrivate}{\DiversifiedTransmitBaseNew}$.
|
|
||||||
|
|
||||||
|
\vspace{-0.5ex}
|
||||||
\snarkcondition{Enable spend flag}{actionenablespend}
|
\snarkcondition{Enable spend flag}{actionenablespend}
|
||||||
$\vOld{} = 0$ or $\enableSpend = 1$.
|
$\vOld{} = 0$ or $\enableSpend = 1$.
|
||||||
|
|
||||||
\snarkcondition{Enable output flag}{actionenableoutput}
|
\snarkcondition{Enable output flag}{actionenableoutput}
|
||||||
$\vNew{} = 0$ or $\enableOutput = 1$.
|
$\vNew{} = 0$ or $\enableOutput = 1$.
|
||||||
|
|
||||||
|
\vspace{2ex}
|
||||||
For details of the form and encoding of \actionStatement proofs, see \crossref{halo2}.
|
For details of the form and encoding of \actionStatement proofs, see \crossref{halo2}.
|
||||||
|
|
||||||
\begin{pnotes}
|
\begin{pnotes}
|
||||||
\item Public and \auxiliaryInputs \MUST be constrained to have the types specified. In particular,
|
\item Public and \auxiliaryInputs \MUST be constrained to have the types specified.
|
||||||
see \crossref{cctswdecompressvalidate}, for required validity checks on compressed
|
In particular, $\DiversifiedTransmitBaseOld$ cannot be $\ZeroP$.
|
||||||
representations of \pallasCurve points.
|
The $\ValueCommitOutput{Orchard}$ and $\SpendAuthSigPublic{Orchard}$ types represent
|
||||||
|
\pallasCurve points, i.e.\ $\GroupP$.
|
||||||
The $\ValueCommitOutput{Orchard}$ and $\SpendAuthSigPublic{Orchard}$ types also represent points,
|
|
||||||
i.e.\ $\GroupP$.
|
|
||||||
\item In the Merkle path validity check, each \merkleLayer does \emph{not} check that its
|
\item In the Merkle path validity check, each \merkleLayer does \emph{not} check that its
|
||||||
input bit sequence is a canonical encoding (in $\range{0}{\ParamP{r}-1}$) of the integer
|
input bit sequence is a canonical encoding (in $\range{0}{\ParamP{r}-1}$) of the integer
|
||||||
from the previous \merkleLayer.
|
from the previous \merkleLayer.
|
||||||
\item Unlike \Sapling, it \emph{is} checked in the \actionStatement that $\AuthSignRandomizedPublic$
|
|
||||||
is not the zero point. Similarly, $\DiversifiedTransmitBaseOld$, $\DiversifiedTransmitBaseNew$,
|
|
||||||
and $\AuthSignPublic$ cannot be the zero point.
|
|
||||||
\item It is \emph{not} checked that $\ValueCommitRand{} < \ParamP{r}$ or that $\NoteCommitRandOld{} < \ParamP{r}$
|
\item It is \emph{not} checked that $\ValueCommitRand{} < \ParamP{r}$ or that $\NoteCommitRandOld{} < \ParamP{r}$
|
||||||
or that $\NoteCommitRandNew{} < \ParamP{r}$.
|
or that $\NoteCommitRandNew{} < \ParamP{r}$.
|
||||||
\item $\SpendAuthSigRandomizePublic(\AuthSignRandomizer, \AuthSignPublic) = \AuthSignPublic + \scalarmult{\AuthSignRandomizer}{\AuthSignBase{Orchard}}$.
|
\item $\SpendAuthSigRandomizePublic{Orchard}(\AuthSignRandomizer, \AuthSignPublic) = \AuthSignPublic + \scalarmult{\AuthSignRandomizer}{\AuthSignBase{Orchard}}$.
|
||||||
|
|
||||||
($\AuthSignBase{Orchard}$ is as defined in \crossref{concretespendauthsig}.)
|
($\AuthSignBase{Orchard}$ is as defined in \crossref{concretespendauthsig}.)
|
||||||
\item The validity of $\DiversifiedTransmitPublicRepr$ is \emph{not} checked in this circuit.
|
\item The validity of $\DiversifiedTransmitBaseRepr$ and $\DiversifiedTransmitPublicRepr$ are
|
||||||
|
\emph{not} checked in this circuit.
|
||||||
\end{pnotes}
|
\end{pnotes}
|
||||||
} %nufive
|
} %nufive
|
||||||
|
|
||||||
|
@ -7920,8 +7928,8 @@ the same effect as using that feature.
|
||||||
\introlist
|
\introlist
|
||||||
\lsubsubsubsection{\DiversifyHashText{Sapling}\notbeforenufive{ and \DiversifyHashText{Orchard}} Hash Function\notbeforenufive{s}}{concretediversifyhash}
|
\lsubsubsubsection{\DiversifyHashText{Sapling}\notbeforenufive{ and \DiversifyHashText{Orchard}} Hash Function\notbeforenufive{s}}{concretediversifyhash}
|
||||||
|
|
||||||
$\DiversifyHash{Sapling}$ is used to derive a \diversifiedBase from a \diversifier in
|
$\DiversifyHash{Sapling} \typecolon \DiversifierType \rightarrow \maybe{\SubgroupJstar}$
|
||||||
\crossref{saplingkeycomponents}.
|
is used to derive a \diversifiedBase in \crossref{saplingkeycomponents}.
|
||||||
|
|
||||||
Let $\GroupJHash{}$ and $U$ be as defined in \crossref{concretegrouphashjubjub}.
|
Let $\GroupJHash{}$ and $U$ be as defined in \crossref{concretegrouphashjubjub}.
|
||||||
|
|
||||||
|
@ -7930,12 +7938,12 @@ Define
|
||||||
\vspace{-1ex}
|
\vspace{-1ex}
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\DiversifyHash{Sapling}(\Diversifier) :=
|
\item $\DiversifyHash{Sapling}(\Diversifier) :=
|
||||||
\GroupJHash{\NotUpMySleeve}\Of{\ascii{Zcash\_gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier}\kern-0.1em}$
|
\GroupJHash{\NotUpMySleeve}\Of{\ascii{Zcash\_gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier}\kern-0.1em}$.
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
\nufive{
|
\nufive{
|
||||||
$\DiversifyHash{Orchard}$ is used to derive a \diversifiedBase from a \diversifier in
|
$\DiversifyHash{Orchard} \typecolon \DiversifierType \rightarrow \maybe{\GroupPstar}$
|
||||||
\crossref{orchardkeycomponents}.
|
is used to derive a \diversifiedBase in \crossref{orchardkeycomponents}.
|
||||||
|
|
||||||
Let $\GroupPHash{}$ be as defined in \crossref{concretegrouphashpallasandvesta}.
|
Let $\GroupPHash{}$ be as defined in \crossref{concretegrouphashpallasandvesta}.
|
||||||
|
|
||||||
|
@ -7943,10 +7951,15 @@ Define
|
||||||
|
|
||||||
\vspace{-1ex}
|
\vspace{-1ex}
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\DiversifyHash{Orchard}(\Diversifier) :=
|
\item $\DiversifyHash{Orchard}(\Diversifier) := \begin{cases}
|
||||||
\GroupPHash\Of{\ascii{z.cash:Orchard-gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier}\kern-0.1em}$
|
\bot, &\caseif P = \ZeroP \\
|
||||||
|
P, &\caseotherwise
|
||||||
|
\end{cases}$
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
\vspace{-2ex}
|
||||||
|
where $P = \GroupPHash\Of{\ascii{z.cash:Orchard-gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier}\kern-0.1em}$.
|
||||||
|
|
||||||
|
\vspace{1ex}
|
||||||
The following security property and notes apply to both \Sapling and \Orchard.
|
The following security property and notes apply to both \Sapling and \Orchard.
|
||||||
} %nufive
|
} %nufive
|
||||||
|
|
||||||
|
@ -8365,7 +8378,7 @@ is specified as:
|
||||||
\item $\PoseidonHash(x, y) = f([x, y, 2^{65}])_1$ (using $1$-based indexing).
|
\item $\PoseidonHash(x, y) = f([x, y, 2^{65}])_1$ (using $1$-based indexing).
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
\todo{Specify the MDS matrix and number of rounds.}
|
\todo{Specify the MDS matrix.}
|
||||||
|
|
||||||
\begin{nnotes}
|
\begin{nnotes}
|
||||||
\item The choice of MDS matrix and the number of rounds take into account cryptanalytic
|
\item The choice of MDS matrix and the number of rounds take into account cryptanalytic
|
||||||
|
@ -8681,13 +8694,13 @@ to $\OutViewingKey$, with input in the bits corresponding to $\cvField$, $\cmxFi
|
||||||
\introlist
|
\introlist
|
||||||
Let $\ParamP{q}$ be as defined in \crossref{pallasandvesta}.
|
Let $\ParamP{q}$ be as defined in \crossref{pallasandvesta}.
|
||||||
|
|
||||||
$\PRFnf{Orchard}{} \typecolon \GF{\ParamP{q}} \times \GF{\ParamP{q}} \rightarrow \GF{\ParamP{q}}$ is used as
|
$\PRFnf{Orchard}{} \typecolon \NullifierKeyTypeOrchard \times \NoteUniqueRandTypeOrchard \rightarrow \GF{\ParamP{q}}$ is used as
|
||||||
part of deriving the \nullifier for an \Orchard \note.
|
part of deriving the \nullifier for an \Orchard \note.
|
||||||
|
|
||||||
It is instantiated using the $\PoseidonHash$ \hashFunction \cite{GKRRS2019} defined in \crossref{poseidonhash}:
|
It is instantiated using the $\PoseidonHash$ \hashFunction \cite{GKRRS2019} defined in \crossref{poseidonhash}:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\PRFnf{Orchard}{\NullifierKeyRepr}(\NoteUniqueRandRepr) := \Poseidon(\NullifierKeyRepr, \NoteUniqueRandRepr)$.
|
\item $\PRFnf{Orchard}{\NullifierKey}(\NoteUniqueRand) := \Poseidon(\NullifierKey, \NoteUniqueRand)$.
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
\vspace{-2ex}
|
\vspace{-2ex}
|
||||||
|
@ -9106,11 +9119,7 @@ The \bindingSignatureScheme $\BindingSig{Orchard}$ is instantiated by $\RedPalla
|
||||||
key re-randomization, using parameters defined in \crossref{concretebindingsig}.
|
key re-randomization, using parameters defined in \crossref{concretebindingsig}.
|
||||||
} %nufive
|
} %nufive
|
||||||
|
|
||||||
Let $\ItoLEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow \bitseq{\ell}$
|
Let $\ItoLEBSP{}$, $\ItoLEOSP{}$, $\LEOStoIP{}$, and $\LEBStoOSP{}$ be as defined in \crossref{endian}.
|
||||||
and $\ItoLEOSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$
|
|
||||||
and $\LEOStoIP{} \typecolon (\ell \typecolon \Nat \suchthat \ell \bmod 8 = 0) \times \byteseq{\ell/8} \rightarrow \binaryrange{\ell}$
|
|
||||||
and $\LEBStoOSP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$
|
|
||||||
be as defined in \crossref{endian}.
|
|
||||||
|
|
||||||
\introlist
|
\introlist
|
||||||
\vspace{1ex}
|
\vspace{1ex}
|
||||||
|
@ -11282,7 +11291,7 @@ An \Orchard{} \defining{\fullViewingKey} consists of $\AuthSignPublic \typecolon
|
||||||
$\NullifierKey \typecolon \NullifierKeyTypeOrchard$, and $\CommitIvkRandom \typecolon \GF{\ParamP{r}}$.
|
$\NullifierKey \typecolon \NullifierKeyTypeOrchard$, and $\CommitIvkRandom \typecolon \GF{\ParamP{r}}$.
|
||||||
|
|
||||||
$\AuthSignPublic$ is the \authValidatingKey, a point on the \pallasCurve (see \crossref{pallasandvesta}).
|
$\AuthSignPublic$ is the \authValidatingKey, a point on the \pallasCurve (see \crossref{pallasandvesta}).
|
||||||
$\NullifierKey$ is the \nullifierDerivingKey, a field element in $\GF{\ParamP{q}}$.
|
$\NullifierKey$ is the \nullifierDerivingKey, a field element in $\NullifierKeyTypeOrchard$.
|
||||||
$\CommitIvkRandom$ is the \commitIvkRandomness, a field element in $\GF{\ParamP{r}}$.
|
$\CommitIvkRandom$ is the \commitIvkRandomness, a field element in $\GF{\ParamP{r}}$.
|
||||||
They are derived as described in \crossref{orchardkeycomponents}.
|
They are derived as described in \crossref{orchardkeycomponents}.
|
||||||
|
|
||||||
|
|
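Review bot: The new Value commitment integrity condition, `$\cvNet{} = \ValueCommit{Orchard}{\ValueCommitRandOld{}}(\vOld{} - \vNew{})$`, refers to `\ValueCommitRandOld{}`, but the rewritten auxiliary-input list of the Action statement declares `\ValueCommitRand{}` (and the pnote on `\ValueCommitRand{} < \ParamP{r}` uses that name too), so the condition constrains a value that is not among the declared witnesses. The same mismatch appears twice more in this section: Spend authority still passes `\AuthSignPublic` although the witness was changed to `\AuthSignPublicPoint \typecolon \GroupP`, and Diversified address integrity uses `\CommitIvkRandom` where the witness is declared as `\CommitIvkRand \typecolon \CommitIvkTrapdoor`. Unless those names are aliases defined outside this diff, the statement should use one name per witness, e.g. `\ValueCommit{Orchard}{\ValueCommitRand{}}(\vOld{} - \vNew{})`, `\SpendAuthSigRandomizePublic{Orchard}(\AuthSignRandomizer, \AuthSignPublicPoint)` and `\CommitIvk{\CommitIvkRand}\big(\ExtractP(\AuthSignPublicPoint), \NullifierKey\big)`. In the closing pnotes, `\DiversifiedTransmitBaseRepr` and `\DiversifiedTransmitPublicRepr` likewise do not match the `\DiversifiedTransmitBaseNewRepr` / `\DiversifiedTransmitPublicNewRepr` witnesses, and that sentence's verb should be `is` rather than `are`.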