Mainly fixes to the Action statement.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2021-03-15 16:17:51 +00:00
parent d79de34b4a
commit 37d8221c4d
1 changed files with 85 additions and 76 deletions


@ -1606,13 +1606,15 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\NoteCommitRandOrSeedBytes}{\notcanopy{\NoteCommitRand}\canopy{\NoteSeedBytes}} \newcommand{\NoteCommitRandOrSeedBytes}{\notcanopy{\NoteCommitRand}\canopy{\NoteSeedBytes}}
\newcommand{\NoteCommitRandBytesOrSeedBytes}{\notcanopy{\NoteCommitRandBytes}\canopy{\NoteSeedBytes}} \newcommand{\NoteCommitRandBytesOrSeedBytes}{\notcanopy{\NoteCommitRandBytes}\canopy{\NoteSeedBytes}}
\newcommand{\NoteUniqueRand}{\mathsf{\uprho}} \newcommand{\NoteUniqueRand}{\mathsf{\uprho}}
\newcommand{\NoteUniqueRandTypeOrchard}{\GF{\ParamP{q}}}
\newcommand{\NoteUniqueRandRepr}{{\NoteUniqueRand\Repr}} \newcommand{\NoteUniqueRandRepr}{{\NoteUniqueRand\Repr}}
\newcommand{\NoteUniqueRandOld}[1]{\NoteUniqueRand^\mathsf{old}_{#1}} \newcommand{\NoteUniqueRandOld}[1]{\NoteUniqueRand^\mathsf{old}_{#1}}
\newcommand{\NoteUniqueRandNew}[1]{\NoteUniqueRand^\mathsf{new}_{#1}} \newcommand{\NoteUniqueRandNew}[1]{\NoteUniqueRand^\mathsf{new}_{#1}}
\newcommand{\NoteUniqueRandTypeOrchard}{\GF{\ParamP{q}}}
\newcommand{\NoteUniquePreRand}{\mathsf{\upvarphi}} \newcommand{\NoteUniquePreRand}{\mathsf{\upvarphi}}
\newcommand{\NoteUniquePreRandLength}{\mathsf{\ell^{Sprout}_{\NoteUniquePreRand}}} \newcommand{\NoteUniquePreRandLength}{\mathsf{\ell^{Sprout}_{\NoteUniquePreRand}}}
\newcommand{\NoteNullifierRand}{\mathsf{\uppsi}} \newcommand{\NoteNullifierRand}{\mathsf{\uppsi}}
\newcommand{\NoteNullifierRandOld}{\mathsf{\uppsi^{old}}}
\newcommand{\NoteNullifierRandNew}{\mathsf{\uppsi^{new}}}
\newcommand{\NoteNullifierRandType}{\GF{\ParamP{q}}} \newcommand{\NoteNullifierRandType}{\GF{\ParamP{q}}}
\newcommand{\NoteCommitS}{\mathsf{s}} \newcommand{\NoteCommitS}{\mathsf{s}}
\newcommand{\CommitIvkRand}{\mathsf{rivk}} \newcommand{\CommitIvkRand}{\mathsf{rivk}}
@ -3730,8 +3732,8 @@ to derive the unique $\NoteUniqueRand$ value for a \Sapling \note. It is also us
in the \spendStatement to confirm use of the correct $\NoteUniqueRand$ value as an in the \spendStatement to confirm use of the correct $\NoteUniqueRand$ value as an
input to \nullifier derivation. It is instantiated in \crossref{concretemixinghash}. input to \nullifier derivation. It is instantiated in \crossref{concretemixinghash}.
$\DiversifyHash{Sapling} \typecolon \DiversifierType \rightarrow \SubgroupJstar$\nufive{ and $\DiversifyHash{Sapling} \typecolon \DiversifierType \rightarrow \maybe{\SubgroupJstar}$\nufive{ and
$\DiversifyHash{Orchard} \typecolon \DiversifierType \rightarrow \GroupP$}\notnufive{ is a $\DiversifyHash{Orchard} \typecolon \DiversifierType \rightarrow \maybe{\GroupPstar}$}\notnufive{ is a
\hashFunction}\nufive{ are \hashFunctions} instantiated in \crossref{concretediversifyhash}, \hashFunction}\nufive{ are \hashFunctions} instantiated in \crossref{concretediversifyhash},
satisfying the Unlinkability security property described in that section. \notnufive{It is}\nufive{They are} satisfying the Unlinkability security property described in that section. \notnufive{It is}\nufive{They are}
used to derive a \diversifiedBase from a \diversifier, which is specified in used to derive a \diversifiedBase from a \diversifier, which is specified in
@ -3804,8 +3806,15 @@ $\PRFexpand{}$ is used in the following places:
\item \crossref{saplingkeycomponents}, with inputs $[0]$, $[1]$, $[2]$, and $[3, i \typecolon \byte]$; \item \crossref{saplingkeycomponents}, with inputs $[0]$, $[1]$, $[2]$, and $[3, i \typecolon \byte]$;
\nufiveonwarditem{in \crossref{orchardkeycomponents}, with inputs $[6]$, $[7]$, $[8]$, and $[\hexint{81}]$ \nufiveonwarditem{in \crossref{orchardkeycomponents}, with inputs $[6]$, $[7]$, $[8]$, and $[\hexint{81}]$
(the last of these is also specified in \cite{ZIP-32});} (the last of these is also specified in \cite{ZIP-32});}
\item in the processes of sending (\crossref{saplingandorchardsend}) and of receiving (\crossref{saplingandorchardinband}) \notnufive{
\notes, with inputs $[4]$ and $[5]$ for \Sapling \notes, or $[9]$, $[10]$, $[11]$, and $[12]$ for \Orchard \notes; \item sending (\crossref{saplingsend}) and receiving (\crossref{saplingandorchardinband}) \Sapling \notes,
with inputs $[4]$ and $[5]$;
} %notnufive
\notbeforenufive{
\item in the processes of sending (\crossref{saplingsend}\nufive{ and \crossref{orchardsend}}) and of receiving
(\crossref{saplingandorchardinband}) \notes, with inputs $[4]$ and $[5]$ for \Sapling \notes\nufive{, or
$[9]$, $[10]$, $[11]$, and $[12]$ for \Orchard \notes};
} %notbeforenufive
\item in \cite{ZIP-32}, with inputs $[0]$, $[1]$, $[2]$ (intentionally matching \shortcrossref{saplingkeycomponents}), \item in \cite{ZIP-32}, with inputs $[0]$, $[1]$, $[2]$ (intentionally matching \shortcrossref{saplingkeycomponents}),
$[t \typecolon \range{16}{22}]$, and $[\hexint{80}]$. $[t \typecolon \range{16}{22}]$, and $[\hexint{80}]$.
\end{itemize} \end{itemize}
@ -4399,7 +4408,7 @@ Define:
\item $\ValueCommitTrapdoor{Orchard} := \binaryrange{\ScalarLength{Orchard}}$ and \item $\ValueCommitTrapdoor{Orchard} := \binaryrange{\ScalarLength{Orchard}}$ and
$\ValueCommitOutput{Orchard} := \GroupP$. $\ValueCommitOutput{Orchard} := \GroupP$.
\item $\CommitIvkTrapdoor := \binaryrange{\ScalarLength{Orchard}}$ and \item $\CommitIvkTrapdoor := \binaryrange{\ScalarLength{Orchard}}$ and
$\CommitIvkOutput := \GF{\ParamP{r}}$. $\CommitIvkOutput := \InViewingKeyTypeOrchard$.
\end{formulae} \end{formulae}
\introlist \introlist
@ -4889,13 +4898,13 @@ if this happens, discard the key and repeat with a different $\SpendingKey$.
i.e.\ $\PRFexpand{\SpendingKey}([0]) : \SpendingKey \leftarrowR \SpendingKeyType$, i.e.\ $\PRFexpand{\SpendingKey}([0]) : \SpendingKey \leftarrowR \SpendingKeyType$,
is computationally indistinguishable from $\SpendAuthSigGenPrivate{Sapling}()$ defined is computationally indistinguishable from $\SpendAuthSigGenPrivate{Sapling}()$ defined
in \crossref{concretespendauthsig}. in \crossref{concretespendauthsig}.
\item Similarly, the distribution of $\AuthProvePrivate$, i.e.\ \item The distribution of $\AuthProvePrivate$, i.e.\
$\ToScalar{Sapling}(\PRFexpand{\SpendingKey}([1])) : \SpendingKey \leftarrowR \SpendingKeyType$, $\ToScalar{Sapling}(\PRFexpand{\SpendingKey}([1])) : \SpendingKey \leftarrowR \SpendingKeyType$,
is computationally indistinguishable from the uniform distribution on $\GF{\ParamJ{r}}$. is computationally indistinguishable from the uniform distribution on $\GF{\ParamJ{r}}$.
Since $\fun{\AuthProvePrivate \typecolon \GF{\ParamJ{r}}^{\vphantom{X}}} Since $\fun{\AuthProvePrivate \typecolon \GF{\ParamJ{r}}^{\vphantom{X}}}
{\reprJ\big(\scalarmult{\AuthProvePrivate}{\AuthProveBaseSapling}} \typecolon \SubgroupReprJ\big)$ {\reprJ\big(\scalarmult{\AuthProvePrivate}{\AuthProveBaseSapling}} \typecolon \SubgroupReprJ\big)$
is bijective, the distribution of $\reprJ\Of{\NullifierKey}$ will be computationally is bijective, the distribution of $\reprJ\Of{\NullifierKey}$ will be computationally
indistinguishable from uniform on $\SubgroupReprJ$ (which is the keyspace of $\PRFnf{Sapling}{}$). indistinguishable from uniform on $\SubgroupReprJ$ (the keyspace of $\PRFnf{Sapling}{}$).
\item The \zcashd wallet picks \diversifiers as in \cite{ZIP-32}, rather than using the default \item The \zcashd wallet picks \diversifiers as in \cite{ZIP-32}, rather than using the default
\diversifier specified above. \diversifier specified above.
\end{nnotes} \end{nnotes}
@ -5290,7 +5299,7 @@ where
\item $\enableOutput \typecolon \bit$ is a flag that is set in order to enable non-zero-valued \item $\enableOutput \typecolon \bit$ is a flag that is set in order to enable non-zero-valued
outputs in this action; outputs in this action;
\item $\ProofAction \typecolon \ActionProof$ is a \zkSNARKProof with \primaryInput \item $\ProofAction \typecolon \ActionProof$ is a \zkSNARKProof with \primaryInput
$(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic, \enableSpend,$ $\enableOutput)$ $(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \enableSpend,$ $\enableOutput)$
for the \actionStatement defined in \crossref{actionstatement}. for the \actionStatement defined in \crossref{actionstatement}.
\end{itemize} \end{itemize}
@ -5311,8 +5320,8 @@ $\ProofAction$ is aggregated with other Action proofs and encoded in the $\proof
As specified in \crossref{concretereddsa}, validation of the $\RedDSAReprR{}$ component As specified in \crossref{concretereddsa}, validation of the $\RedDSAReprR{}$ component
of the signature prohibits \nonCanonicalPoint encodings. of the signature prohibits \nonCanonicalPoint encodings.
\item The proof $\Proof{\Action}$ \MUST be valid given a \primaryInput \item The proof $\Proof{\Action}$ \MUST be valid given a \primaryInput
$(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic, \enableSpend, \enableOutput)$ --- $(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \enableSpend, \enableOutput)$ ---
i.e.\ $\ActionVerify\big(\kern-0.1em(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic, \enableSpend, \enableOutput), \Proof{\Action}\big) = 1$. i.e.\ $\ActionVerify\big(\kern-0.1em(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \enableSpend, \enableOutput), \Proof{\Action}\big) = 1$.
\end{consensusrules} \end{consensusrules}
\vspace{-3ex} \vspace{-3ex}
@ -5415,6 +5424,7 @@ Let $\reprJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}.
Let $\ItoLEOSP{}$ be as defined in \crossref{endian}. Let $\ItoLEOSP{}$ be as defined in \crossref{endian}.
\vspace{1ex} \vspace{1ex}
\introlist
Let $\OutViewingKey$ be a \Sapling \outgoingViewingKey that is intended to be able to decrypt Let $\OutViewingKey$ be a \Sapling \outgoingViewingKey that is intended to be able to decrypt
this payment. This may be one of: this payment. This may be one of:
\begin{itemize} \begin{itemize}
@ -5541,7 +5551,7 @@ and then performs the following steps:
\reprP\Of{\DiversifiedTransmitPublic}, \reprP\Of{\DiversifiedTransmitPublic},
\Value, \NoteUniqueRand, \NoteNullifierRand)$. \Value, \NoteUniqueRand, \NoteNullifierRand)$.
\vspace{0.5ex} \vspace{0.5ex}
\item Let $\NotePlaintext{} = (\NotePlaintextLeadByte, \Diversifier, \Value, \NoteCommitRandBytesOrSeedBytes, \Memo)$. \item Let $\NotePlaintext{} = (\NotePlaintextLeadByte, \Diversifier, \Value, \NoteSeedBytes, \Memo)$.
\vspace{0.5ex} \vspace{0.5ex}
\item Encrypt $\NotePlaintext{}$ to the recipient \item Encrypt $\NotePlaintext{}$ to the recipient
\diversifiedTransmissionKey $\DiversifiedTransmitPublic$ with \diversifiedTransmissionKey $\DiversifiedTransmitPublic$ with
@ -5919,11 +5929,11 @@ treated like an \emph{output} value, whereas} $\vpubNew$ is treated like an
\blockChain is the sum of all $\vpubOld$ field values for \transactions in the \blockChain, \blockChain is the sum of all $\vpubOld$ field values for \transactions in the \blockChain,
minus the sum of all $\vpubNew$ fields values for transactions in the \blockChain.} minus the sum of all $\vpubNew$ fields values for transactions in the \blockChain.}
\vspace{-1ex} \vspace{-1.5ex}
\consensusrule{If the \SproutChainValuePoolBalance would become negative in the \blockChain \consensusrule{If the \SproutChainValuePoolBalance would become negative in the \blockChain
created as a result of accepting a \block, then all nodes \MUST reject the block as invalid.} created as a result of accepting a \block, then all nodes \MUST reject the block as invalid.}
\vspace{2ex} \vspace{1.5ex}
Unlike original \Zerocash \cite{BCGGMTV2014}, \Zcash does not have Unlike original \Zerocash \cite{BCGGMTV2014}, \Zcash does not have
a distinction between Mint and Pour operations. The addition of $\vpubOld$ to a a distinction between Mint and Pour operations. The addition of $\vpubOld$ to a
\joinSplitDescription subsumes the functionality of both Mint and Pour. \joinSplitDescription subsumes the functionality of both Mint and Pour.
@ -5968,12 +5978,12 @@ from that pool.
\blockChain is the negation of the sum of all $\valueBalance{Sapling}$ field values for \blockChain is the negation of the sum of all $\valueBalance{Sapling}$ field values for
\transactions in the \blockChain.} \transactions in the \blockChain.}
\vspace{-1ex} \vspace{-1.5ex}
\consensusrule{If the \SaplingChainValuePoolBalance would become negative in the \blockChain \consensusrule{If the \SaplingChainValuePoolBalance would become negative in the \blockChain
created as a result of accepting a \block, then all nodes \MUST reject the block as invalid.} created as a result of accepting a \block, then all nodes \MUST reject the block as invalid.}
\vspace{1.5ex}
\introlist \introlist
\vspace{2ex}
Consistency of $\vBalance{Sapling}$ with the \valueCommitments in \spendDescriptions Consistency of $\vBalance{Sapling}$ with the \valueCommitments in \spendDescriptions
and \outputDescriptions is enforced by the \defining{\saplingBindingSignature}. and \outputDescriptions is enforced by the \defining{\saplingBindingSignature}.
This signature has a dual rôle in the \Sapling protocol: This signature has a dual rôle in the \Sapling protocol:
@ -6447,7 +6457,7 @@ $\NoteUniqueRandRepr = \reprJ(\NoteUniqueRand)$.
\nufive{ \nufive{
The derivation of \nullifiers for \Orchard \notes is a little more complicated. The derivation of \nullifiers for \Orchard \notes is a little more complicated.
To avoid repetition, we define a function $\DeriveNullifierAlg \typecolon To avoid repetition, we define a function $\DeriveNullifierAlg \typecolon
\GF{\ParamP{q}} \times \GF{\ParamP{q}} \times \GF{\ParamP{q}} \times \GroupP$ \NullifierKeyTypeOrchard \times \NoteUniqueRandTypeOrchard \times \NoteNullifierRandType \times \GroupP$
as follows: as follows:
\begin{formulae} \begin{formulae}
@ -6750,7 +6760,6 @@ For details of the form and encoding of \outputStatement proofs, see \crossref{g
\item Public and \auxiliaryInputs \MUST be constrained to have the types specified. In particular, \item Public and \auxiliaryInputs \MUST be constrained to have the types specified. In particular,
see \crossref{ccteddecompressvalidate}, for required validity checks on compressed see \crossref{ccteddecompressvalidate}, for required validity checks on compressed
representations of \jubjubCurve points. representations of \jubjubCurve points.
The $\ValueCommitOutput{Sapling}$ type also represents points, i.e. $\GroupJ$. The $\ValueCommitOutput{Sapling}$ type also represents points, i.e. $\GroupJ$.
\item The validity of $\DiversifiedTransmitPublicRepr$ is \emph{not} checked in this circuit. \item The validity of $\DiversifiedTransmitPublicRepr$ is \emph{not} checked in this circuit.
\item It is \emph{not} checked that $\ValueCommitRandOld{} < \ParamJ{r}$ or that $\NoteCommitRandOld{} < \ParamJ{r}$. \item It is \emph{not} checked that $\ValueCommitRandOld{} < \ParamJ{r}$ or that $\NoteCommitRandOld{} < \ParamJ{r}$.
@ -6759,6 +6768,7 @@ For details of the form and encoding of \outputStatement proofs, see \crossref{g
\nufive{ \nufive{
\vspace{-3ex}
\lsubsubsection{Action Statement (\OrchardText)}{actionstatement} \lsubsubsection{Action Statement (\OrchardText)}{actionstatement}
\vspace{-1ex} \vspace{-1ex}
@ -6771,8 +6781,9 @@ Let $\ValueCommitAlg{Orchard}$ and $\NoteCommitAlg{Orchard}$ be as specified in
Let $\SpendAuthSig{Orchard}$ be as defined in \crossref{concretespendauthsig}. Let $\SpendAuthSig{Orchard}$ be as defined in \crossref{concretespendauthsig}.
\vspace{-0.5ex} \vspace{-0.5ex}
Let $\GroupP$, $\GroupPstar$, $\reprP$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}. Let $\GroupP$, $\GroupPstar$, $\GroupPx$, $\reprP$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}.
\vspace{-0.5ex}
Let $\DeriveNullifierAlg$ be as defined in \crossref{commitmentsandnullifiers}. Let $\DeriveNullifierAlg$ be as defined in \crossref{commitmentsandnullifiers}.
\intropart \intropart
@ -6785,9 +6796,8 @@ A valid instance of a \defining{\actionStatement}, $\ProofAction$, assures that
\hparen\cvNet{} \typecolon \ValueCommitOutput{Orchard},\\ \hparen\cvNet{} \typecolon \ValueCommitOutput{Orchard},\\
\hparen\nfOld{} \typecolon \PRFOutputNfOrchard,\\ \hparen\nfOld{} \typecolon \PRFOutputNfOrchard,\\
\hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic{Orchard},\\ \hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic{Orchard},\\
\hparen\cmX \typecolon \MerkleHash{Orchard},\\ \hparen\cmX \typecolon \GroupPx,\vspace{0.2ex}\\
\hparen\EphemeralPublic \typecolon \KAPublic{Orchard},\\ \hparen\enableSpend \typecolon \bit,\vspace{0.4ex}\\
\hparen\enableSpend \typecolon \bit,\\
\hparen\enableOutput \typecolon \bit\cparen$, \hparen\enableOutput \typecolon \bit\cparen$,
\end{formulae} \end{formulae}
@ -6797,20 +6807,25 @@ the prover knows an \auxiliaryInput:
\vspace{-1ex} \vspace{-1ex}
\begin{formulae} \begin{formulae}
\item $\oparen\TreePath{} \typecolon \typeexp{\MerkleHash{Orchard}}{\MerkleDepth{Orchard}},\\ \item $\oparen\TreePath{} \typecolon \typeexp{\MerkleHash{Orchard}}{\MerkleDepth{Orchard}},\vspace{-0.6ex}\\
\hparen\NotePosition \typecolon \NotePositionType{Orchard},\vspace{0.4ex}\\ \hparen\NotePosition \typecolon \NotePositionType{Orchard},\vspace{0.4ex}\\
\hparen\DiversifiedTransmitBaseOld \typecolon \GroupPstar,\\ \hparen\DiversifiedTransmitBaseOld \typecolon \GroupPstar,\\
\hparen\DiversifiedTransmitPublicOld \typecolon \GroupPstar,\vspace{0.6ex}\\ \hparen\DiversifiedTransmitPublicOld \typecolon \GroupP,\vspace{0.6ex}\\
\hparen\vOld{} \typecolon \ValueType,\\ \hparen\vOld{} \typecolon \ValueType,\\
\hparen\cmOld{} \typecolon \GroupP,\\ \hparen\NoteUniqueRandOld{} \typecolon \NoteUniqueRandTypeOrchard,\\
\hparen\NoteNullifierRandOld \typecolon \NoteNullifierRandType,\vspace{-0.2ex}\\
\hparen\NoteCommitRandOld{} \typecolon \binaryrange{\ScalarLength{Orchard}},\\ \hparen\NoteCommitRandOld{} \typecolon \binaryrange{\ScalarLength{Orchard}},\\
\hparen\AuthSignRandomizer \typecolon \binaryrange{\ScalarLength{Orchard}},\\ \hparen\cmOld{} \typecolon \GroupP,\vspace{-0.6ex}\\
\hparen\AuthSignPublic \typecolon \GroupPstarx,\\ \hparen\AuthSignRandomizer \typecolon \binaryrange{\ScalarLength{Orchard}},\vspace{0.2ex}\\
\hparen\DiversifiedTransmitBaseNew \typecolon \GroupPstar,\\[0.5ex] \hparen\AuthSignPublicPoint \typecolon \GroupP,\\
\hparen\DiversifiedTransmitPublicNewRepr \typecolon \ReprP,\\ \hparen\NullifierKey \typecolon \NullifierKeyTypeOrchard,\\
\hparen\CommitIvkRand \typecolon \CommitIvkTrapdoor,\\
\hparen\DiversifiedTransmitBaseNewRepr \typecolon \ReprP,\\
\hparen\DiversifiedTransmitPublicNewRepr \typecolon \ReprP,\vspace{0.2ex}\\
\hparen\vNew{} \typecolon \ValueType,\\ \hparen\vNew{} \typecolon \ValueType,\\
\hparen\NoteUniqueRandNew{} \typecolon \NoteUniqueRandTypeOrchard,\vspace{0.2ex}\\
\hparen\NoteNullifierRandNew \typecolon \NoteNullifierRandType,\vspace{-0.2ex}\\
\hparen\NoteCommitRandNew{} \typecolon \binaryrange{\ScalarLength{Orchard}},\\ \hparen\NoteCommitRandNew{} \typecolon \binaryrange{\ScalarLength{Orchard}},\\
\hparen\EphemeralPrivate \typecolon \binaryrange{\ScalarLength{Orchard}},\\
\hparen\ValueCommitRand{} \typecolon \binaryrange{\ScalarLength{Orchard}}\cparen$ \hparen\ValueCommitRand{} \typecolon \binaryrange{\ScalarLength{Orchard}}\cparen$
\end{formulae} \end{formulae}
\vspace{-1.5ex} \vspace{-1.5ex}
@ -6820,68 +6835,61 @@ such that the following conditions hold:
\snarkcondition{Old note commitment integrity}{actionoldnotecommitmentintegrity} \snarkcondition{Old note commitment integrity}{actionoldnotecommitmentintegrity}
$\cmOld{} = \NoteCommit{Orchard}{\NoteCommitRandOld{}}(\reprP\big(\DiversifiedTransmitBaseOld\big), $\cmOld{} = \NoteCommit{Orchard}{\NoteCommitRandOld{}}(\reprP\big(\DiversifiedTransmitBaseOld\big),
\reprP\big(\DiversifiedTransmitPublicOld), \reprP\big(\DiversifiedTransmitPublicOld),
\vOld{}, \NoteUniqueRand, \NoteNullifierRand)$. \vOld{},
\NoteUniqueRandOld{},
\NoteNullifierRandOld)$.
\vspace{-0.5ex}
\snarkcondition{Merkle path validity}{actionmerklepathvalidity} \snarkcondition{Merkle path validity}{actionmerklepathvalidity}
Either $\vOld{} = 0$; or $(\TreePath{}, \NotePosition)$ is a valid \merklePath of depth $\MerkleDepth{Orchard}$, Either $\vOld{} = 0$; or $(\TreePath{}, \NotePosition)$ is a valid \merklePath of depth $\MerkleDepth{Orchard}$,
as defined in \crossref{merklepath}, from $\cmOld{}$ to the \anchor $\rt{Orchard}$. as defined in \crossref{merklepath}, from $\cmOld{}$ to the \anchor $\rt{Orchard}$.
\snarkcondition{Value commitment integrity}{actionvaluecommitmentintegrity} \snarkcondition{Value commitment integrity}{actionvaluecommitmentintegrity}
$\cvNet{} = \ValueCommit{\ValueCommitRandOld{}}(\vOld{} - \vNew{})$. $\cvNet{} = \ValueCommit{Orchard}{\ValueCommitRandOld{}}(\vOld{} - \vNew{})$.
\vspace{-0.5ex}
\snarkcondition{Nullifier integrity}{actionnullifierintegrity} \snarkcondition{Nullifier integrity}{actionnullifierintegrity}
$\nfOld{} = \DeriveNullifier{\NullifierKeyRepr}(\NoteUniqueRand, \NoteNullifierRand, \cmOld{})$. $\nfOld{} = \DeriveNullifier{\NullifierKey}(\NoteUniqueRandOld{}, \NoteNullifierRandOld, \cmOld{})$.
\snarkcondition{Spend authority}{actionspendauthority} \snarkcondition{Spend authority}{actionspendauthority}
$\AuthSignRandomizedPublic = \SpendAuthSigRandomizePublic(\AuthSignRandomizer, \AuthSignPublic)$. $\AuthSignRandomizedPublic = \SpendAuthSigRandomizePublic{Orchard}(\AuthSignRandomizer, \AuthSignPublic)$.
\snarkcondition{Diversified address integrity}{actionaddressintegrity} \snarkcondition{Diversified address integrity}{actionaddressintegrity}
$\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$ where $\DiversifiedTransmitPublicOld = \scalarmult{\InViewingKey}{\DiversifiedTransmitBaseOld}$ where
\vspace{-1ex} $\InViewingKey = \CommitIvk{\CommitIvkRandom}\big(\ExtractP(\AuthSignPublicPoint), \NullifierKey\big)$.
\begin{formulae}
\item $\InViewingKey = \CommitIvk{\CommitIvkRandom}(\AuthSignPublicRepr, \NullifierKeyRepr)$
\vspace{-1ex}
\item $\AuthSignPublicRepr = \reprJ\Of{\AuthSignPublic}$\,.
\end{formulae}
\vspace{1ex}
\snarkcondition{New note commitment integrity}{actionnewnotecommitmentintegrity} \snarkcondition{New note commitment integrity}{actionnewnotecommitmentintegrity}
$\cmX = \ExtractP\big(\NoteCommit{Orchard}{\NoteCommitRandNew{}}(\DiversifiedTransmitBaseNewRepr, $\cmX = \ExtractP\big(\NoteCommit{Orchard}{\NoteCommitRandNew{}}(\DiversifiedTransmitBaseNewRepr,
\DiversifiedTransmitPublicNewRepr, \DiversifiedTransmitPublicNewRepr,
\vNew{}, \NoteUniqueRand, \NoteNullifierRand)\kern-0.12em\big)$, \vNew{},
\NoteUniqueRandNew{},
where $\DiversifiedTransmitBaseNewRepr = \reprJ\Of{\DiversifiedTransmitBaseNew}$\,. \NoteNullifierRandNew)\kern-0.12em\big)$,
\vspace{0.5ex}
\snarkcondition{Ephemeral public key integrity}{actionepkintegrity}
$\EphemeralPublic = \scalarmult{\EphemeralPrivate}{\DiversifiedTransmitBaseNew}$.
\vspace{-0.5ex}
\snarkcondition{Enable spend flag}{actionenablespend} \snarkcondition{Enable spend flag}{actionenablespend}
$\vOld{} = 0$ or $\enableSpend = 1$. $\vOld{} = 0$ or $\enableSpend = 1$.
\snarkcondition{Enable output flag}{actionenableoutput} \snarkcondition{Enable output flag}{actionenableoutput}
$\vNew{} = 0$ or $\enableOutput = 1$. $\vNew{} = 0$ or $\enableOutput = 1$.
\vspace{2ex}
For details of the form and encoding of \actionStatement proofs, see \crossref{halo2}. For details of the form and encoding of \actionStatement proofs, see \crossref{halo2}.
\begin{pnotes} \begin{pnotes}
\item Public and \auxiliaryInputs \MUST be constrained to have the types specified. In particular, \item Public and \auxiliaryInputs \MUST be constrained to have the types specified.
see \crossref{cctswdecompressvalidate}, for required validity checks on compressed In particular, $\DiversifiedTransmitBaseOld$ cannot be $\ZeroP$.
representations of \pallasCurve points. The $\ValueCommitOutput{Orchard}$ and $\SpendAuthSigPublic{Orchard}$ types represent
\pallasCurve points, i.e.\ $\GroupP$.
The $\ValueCommitOutput{Orchard}$ and $\SpendAuthSigPublic{Orchard}$ types also represent points,
i.e.\ $\GroupP$.
\item In the Merkle path validity check, each \merkleLayer does \emph{not} check that its \item In the Merkle path validity check, each \merkleLayer does \emph{not} check that its
input bit sequence is a canonical encoding (in $\range{0}{\ParamP{r}-1}$) of the integer input bit sequence is a canonical encoding (in $\range{0}{\ParamP{r}-1}$) of the integer
from the previous \merkleLayer. from the previous \merkleLayer.
\item Unlike \Sapling, it \emph{is} checked in the \actionStatement that $\AuthSignRandomizedPublic$
is not the zero point. Similarly, $\DiversifiedTransmitBaseOld$, $\DiversifiedTransmitBaseNew$,
and $\AuthSignPublic$ cannot be the zero point.
\item It is \emph{not} checked that $\ValueCommitRand{} < \ParamP{r}$ or that $\NoteCommitRandOld{} < \ParamP{r}$ \item It is \emph{not} checked that $\ValueCommitRand{} < \ParamP{r}$ or that $\NoteCommitRandOld{} < \ParamP{r}$
or that $\NoteCommitRandNew{} < \ParamP{r}$. or that $\NoteCommitRandNew{} < \ParamP{r}$.
\item $\SpendAuthSigRandomizePublic(\AuthSignRandomizer, \AuthSignPublic) = \AuthSignPublic + \scalarmult{\AuthSignRandomizer}{\AuthSignBase{Orchard}}$. \item $\SpendAuthSigRandomizePublic{Orchard}(\AuthSignRandomizer, \AuthSignPublic) = \AuthSignPublic + \scalarmult{\AuthSignRandomizer}{\AuthSignBase{Orchard}}$.
($\AuthSignBase{Orchard}$ is as defined in \crossref{concretespendauthsig}.) ($\AuthSignBase{Orchard}$ is as defined in \crossref{concretespendauthsig}.)
\item The validity of $\DiversifiedTransmitPublicRepr$ is \emph{not} checked in this circuit. \item The validity of $\DiversifiedTransmitBaseRepr$ and $\DiversifiedTransmitPublicRepr$ are
\emph{not} checked in this circuit.
\end{pnotes} \end{pnotes}
} %nufive } %nufive
@ -7920,8 +7928,8 @@ the same effect as using that feature.
\introlist \introlist
\lsubsubsubsection{\DiversifyHashText{Sapling}\notbeforenufive{ and \DiversifyHashText{Orchard}} Hash Function\notbeforenufive{s}}{concretediversifyhash} \lsubsubsubsection{\DiversifyHashText{Sapling}\notbeforenufive{ and \DiversifyHashText{Orchard}} Hash Function\notbeforenufive{s}}{concretediversifyhash}
$\DiversifyHash{Sapling}$ is used to derive a \diversifiedBase from a \diversifier in $\DiversifyHash{Sapling} \typecolon \DiversifierType \rightarrow \maybe{\SubgroupJstar}$
\crossref{saplingkeycomponents}. is used to derive a \diversifiedBase in \crossref{saplingkeycomponents}.
Let $\GroupJHash{}$ and $U$ be as defined in \crossref{concretegrouphashjubjub}. Let $\GroupJHash{}$ and $U$ be as defined in \crossref{concretegrouphashjubjub}.
@ -7930,12 +7938,12 @@ Define
\vspace{-1ex} \vspace{-1ex}
\begin{formulae} \begin{formulae}
\item $\DiversifyHash{Sapling}(\Diversifier) := \item $\DiversifyHash{Sapling}(\Diversifier) :=
\GroupJHash{\NotUpMySleeve}\Of{\ascii{Zcash\_gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier}\kern-0.1em}$ \GroupJHash{\NotUpMySleeve}\Of{\ascii{Zcash\_gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier}\kern-0.1em}$.
\end{formulae} \end{formulae}
\nufive{ \nufive{
$\DiversifyHash{Orchard}$ is used to derive a \diversifiedBase from a \diversifier in $\DiversifyHash{Orchard} \typecolon \DiversifierType \rightarrow \maybe{\GroupPstar}$
\crossref{orchardkeycomponents}. is used to derive a \diversifiedBase in \crossref{orchardkeycomponents}.
Let $\GroupPHash{}$ be as defined in \crossref{concretegrouphashpallasandvesta}. Let $\GroupPHash{}$ be as defined in \crossref{concretegrouphashpallasandvesta}.
@ -7943,10 +7951,15 @@ Define
\vspace{-1ex} \vspace{-1ex}
\begin{formulae} \begin{formulae}
\item $\DiversifyHash{Orchard}(\Diversifier) := \item $\DiversifyHash{Orchard}(\Diversifier) := \begin{cases}
\GroupPHash\Of{\ascii{z.cash:Orchard-gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier}\kern-0.1em}$ \bot, &\caseif P = \ZeroP \\
P, &\caseotherwise
\end{cases}$
\end{formulae} \end{formulae}
\vspace{-2ex}
where $P = \GroupPHash\Of{\ascii{z.cash:Orchard-gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier}\kern-0.1em}$.
\vspace{1ex}
The following security property and notes apply to both \Sapling and \Orchard. The following security property and notes apply to both \Sapling and \Orchard.
} %nufive } %nufive
@ -8365,7 +8378,7 @@ is specified as:
\item $\PoseidonHash(x, y) = f([x, y, 2^{65}])_1$ (using $1$-based indexing). \item $\PoseidonHash(x, y) = f([x, y, 2^{65}])_1$ (using $1$-based indexing).
\end{formulae} \end{formulae}
\todo{Specify the MDS matrix and number of rounds.} \todo{Specify the MDS matrix.}
\begin{nnotes} \begin{nnotes}
\item The choice of MDS matrix and the number of rounds take into account cryptanalytic \item The choice of MDS matrix and the number of rounds take into account cryptanalytic
@ -8681,13 +8694,13 @@ to $\OutViewingKey$, with input in the bits corresponding to $\cvField$, $\cmxFi
\introlist \introlist
Let $\ParamP{q}$ be as defined in \crossref{pallasandvesta}. Let $\ParamP{q}$ be as defined in \crossref{pallasandvesta}.
$\PRFnf{Orchard}{} \typecolon \GF{\ParamP{q}} \times \GF{\ParamP{q}} \rightarrow \GF{\ParamP{q}}$ is used as $\PRFnf{Orchard}{} \typecolon \NullifierKeyTypeOrchard \times \NoteUniqueRandTypeOrchard \rightarrow \GF{\ParamP{q}}$ is used as
part of deriving the \nullifier for an \Orchard \note. part of deriving the \nullifier for an \Orchard \note.
It is instantiated using the $\PoseidonHash$ \hashFunction \cite{GKRRS2019} defined in \crossref{poseidonhash}: It is instantiated using the $\PoseidonHash$ \hashFunction \cite{GKRRS2019} defined in \crossref{poseidonhash}:
\begin{formulae} \begin{formulae}
\item $\PRFnf{Orchard}{\NullifierKeyRepr}(\NoteUniqueRandRepr) := \Poseidon(\NullifierKeyRepr, \NoteUniqueRandRepr)$. \item $\PRFnf{Orchard}{\NullifierKey}(\NoteUniqueRand) := \Poseidon(\NullifierKey, \NoteUniqueRand)$.
\end{formulae} \end{formulae}
\vspace{-2ex} \vspace{-2ex}
@ -9106,11 +9119,7 @@ The \bindingSignatureScheme $\BindingSig{Orchard}$ is instantiated by $\RedPalla
key re-randomization, using parameters defined in \crossref{concretebindingsig}. key re-randomization, using parameters defined in \crossref{concretebindingsig}.
} %nufive } %nufive
Let $\ItoLEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow \bitseq{\ell}$ Let $\ItoLEBSP{}$, $\ItoLEOSP{}$, $\LEOStoIP{}$, and $\LEBStoOSP{}$ be as defined in \crossref{endian}.
and $\ItoLEOSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$
and $\LEOStoIP{} \typecolon (\ell \typecolon \Nat \suchthat \ell \bmod 8 = 0) \times \byteseq{\ell/8} \rightarrow \binaryrange{\ell}$
and $\LEBStoOSP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$
be as defined in \crossref{endian}.
\introlist \introlist
\vspace{1ex} \vspace{1ex}
@ -11282,7 +11291,7 @@ An \Orchard{} \defining{\fullViewingKey} consists of $\AuthSignPublic \typecolon
$\NullifierKey \typecolon \NullifierKeyTypeOrchard$, and $\CommitIvkRandom \typecolon \GF{\ParamP{r}}$. $\NullifierKey \typecolon \NullifierKeyTypeOrchard$, and $\CommitIvkRandom \typecolon \GF{\ParamP{r}}$.
$\AuthSignPublic$ is the \authValidatingKey, a point on the \pallasCurve (see \crossref{pallasandvesta}). $\AuthSignPublic$ is the \authValidatingKey, a point on the \pallasCurve (see \crossref{pallasandvesta}).
$\NullifierKey$ is the \nullifierDerivingKey, a field element in $\GF{\ParamP{q}}$. $\NullifierKey$ is the \nullifierDerivingKey, a field element in $\NullifierKeyTypeOrchard$.
$\CommitIvkRandom$ is the \commitIvkRandomness, a field element in $\GF{\ParamP{r}}$. $\CommitIvkRandom$ is the \commitIvkRandomness, a field element in $\GF{\ParamP{r}}$.
They are derived as described in \crossref{orchardkeycomponents}. They are derived as described in \crossref{orchardkeycomponents}.