mirror of https://github.com/zcash/zips.git
Type corrections for Orchard.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood
parent
15d59f11c4
commit
3d230f8d26
|
|
@ -1364,7 +1364,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\InViewingKey}{\mathsf{ivk}}
|
||||
\newcommand{\InViewingKeyLength}[1]{\ell^\mathsf{#1\vphantom{p}}_{\InViewingKey}\!}
|
||||
\newcommand{\InViewingKeyTypeSapling}{\binaryrange{\InViewingKeyLength{Sapling}}}
|
||||
\newcommand{\InViewingKeyTypeOrchard}{\range{0}{\ParamP{q}-1}}
|
||||
\newcommand{\InViewingKeyTypeOrchard}{\range{1}{\ParamP{q}-1}}
|
||||
\newcommand{\InViewingKeyRepr}{{\InViewingKey\Repr}}
|
||||
\newcommand{\InViewingKeyLeadByte}{\hexint{A8}}
|
||||
\newcommand{\InViewingKeySecondByte}{\hexint{AB}}
|
||||
|
|
@ -5293,7 +5293,8 @@ $\Proof{}$ is aggregated with other Action proofs and encoded in the $\proofsOrc
|
|||
\vspace{-1.5ex}
|
||||
\begin{nnotes}
|
||||
\vspace{-0.25ex}
|
||||
\item $\cv$, $\AuthSignRandomizedPublic$, and $\EphemeralPublic$ can be the zero point $\ZeroP$.
|
||||
\item $\cv$ and $\AuthSignRandomizedPublic$ can be the zero point $\ZeroP$. $\EphemeralPublic$ cannot
|
||||
be $\ZeroP$.
|
||||
\vspace{-0.25ex}
|
||||
\item Despite the return type of $\ExtractP$ being $\GroupPx$, $\nf$ and $\cmX$ are \emph{not} checked
|
||||
to be in $\GroupPx$; they are only checked to encode integers in $\range{0}{\ParamP{q}-1}$.
|
||||
|
|
@ -5533,8 +5534,7 @@ performs the following steps:
|
|||
|
||||
\begin{algorithm}
|
||||
\vspace{-0.75ex}
|
||||
\item Check that $\DiversifiedTransmitPublic$ is of type $\KAPublic{Orchard}$, i.e.\ it
|
||||
\MUST be a valid \swCurve point on the \pallasCurve.
|
||||
\item Check that $\DiversifiedTransmitPublic$ is of type $\KAPublic{Orchard}$.
|
||||
\item Calculate $\DiversifiedTransmitBase = \DiversifyHash{Orchard}(\Diversifier)$.
|
||||
\vspace{-0.25ex}
|
||||
\item Choose a uniformly random \commitmentTrapdoor $\ValueCommitRand \leftarrowR \ValueCommitGenTrapdoor{Orchard}()$.
|
||||
|
|
@ -6863,14 +6863,14 @@ the prover knows an \auxiliaryInput:
|
|||
\item $\oparen\TreePath{} \typecolon \typeexp{\MerkleHash{Orchard}}{\MerkleDepth{Orchard}},\vspace{-0.6ex}\\
|
||||
\hparen\NotePosition \typecolon \NotePositionType{Orchard},\vspace{0.4ex}\\
|
||||
\hparen\DiversifiedTransmitBaseOld \typecolon \GroupPstar,\\
|
||||
\hparen\DiversifiedTransmitPublicOld \typecolon \GroupP,\vspace{0.6ex}\\
|
||||
\hparen\DiversifiedTransmitPublicOld \typecolon \GroupPstar,\vspace{0.6ex}\\
|
||||
\hparen\vOld{} \typecolon \ValueType,\\
|
||||
\hparen\NoteUniqueRandOld{} \typecolon \NoteUniqueRandTypeOrchard,\\
|
||||
\hparen\NoteNullifierRandOld \typecolon \NoteNullifierRandType,\vspace{-0.2ex}\\
|
||||
\hparen\NoteCommitRandOld{} \typecolon \binaryrange{\ScalarLength{Orchard}},\\
|
||||
\hparen\cmOld{} \typecolon \GroupP,\vspace{-0.6ex}\\
|
||||
\hparen\cmOld{} \typecolon \GroupPstar,\vspace{-0.6ex}\\
|
||||
\hparen\AuthSignRandomizer \typecolon \binaryrange{\ScalarLength{Orchard}},\vspace{0.2ex}\\
|
||||
\hparen\AuthSignPublicPoint \typecolon \GroupP,\\
|
||||
\hparen\AuthSignPublicPoint \typecolon \GroupPstar,\\
|
||||
\hparen\NullifierKey \typecolon \NullifierKeyTypeOrchard,\\
|
||||
\hparen\CommitIvkRand \typecolon \CommitIvkTrapdoor,\\
|
||||
\hparen\DiversifiedTransmitBaseNewRepr \typecolon \ReprP,\\
|
||||
|
|
@ -7589,7 +7589,7 @@ Typically, these components are derived from a \fullViewingKey as described in
|
|||
Let $\PRFOutputLengthNfSapling$ be as defined in \crossref{constants}.
|
||||
|
||||
\nufive{
|
||||
Let $\ParamP{q}$ be as defined in \crossref{pallasandvesta}.
|
||||
Let $\GroupPx$ be as defined in \crossref{pallasandvesta}.
|
||||
} %nufive
|
||||
|
||||
Let $\NoteType{}$ be $\NoteType{Sapling}$\nufive{ or $\NoteType{Orchard}$} as defined in \crossref{notes}.
|
||||
|
|
@ -7597,7 +7597,7 @@ Let $\NoteType{}$ be $\NoteType{Sapling}$\nufive{ or $\NoteType{Orchard}$} as de
|
|||
Let $\KA{}$ be\notbeforenufive{ either} $\KA{Sapling}$ as defined in \crossref{concretesaplingkeyagreement}\nufive{, or
|
||||
$\KA{Orchard}$ as defined in \crossref{concreteorchardkeyagreement}}.
|
||||
|
||||
Let $\NullifierType$ be $\PRFOutputNfSapling$\notbeforenufive{ for \Sapling}\nufive{, or $\GF{\ParamP{q}}$ for \Orchard}.
|
||||
Let $\NullifierType$ be $\PRFOutputNfSapling$\notbeforenufive{ for \Sapling}\nufive{, or $\GroupPx$ for \Orchard}.
|
||||
|
||||
\introsection
|
||||
\vspace{1ex}
|
||||
|
|
@ -9290,11 +9290,11 @@ It is instantiated as Diffie--Hellman on \Pallas as follows:
|
|||
|
||||
Let $\GroupP$ be as defined in \crossref{pallasandvesta}.
|
||||
|
||||
Define $\KAPublic{Orchard} := \GroupP$.
|
||||
Define $\KAPublic{Orchard} := \GroupPstar$.
|
||||
|
||||
Define $\KASharedSecret{Orchard} := \GroupP$.
|
||||
Define $\KASharedSecret{Orchard} := \GroupPstar$.
|
||||
|
||||
Define $\KAPrivate{Orchard} := \GF{\ParamP{r}}$.
|
||||
Define $\KAPrivate{Orchard} := \GFstar{\ParamP{r}}$.
|
||||
|
||||
Define $\KADerivePublic{Orchard}(\sk, B) := \scalarmult{\sk}{B}$.
|
||||
|
||||
|
|
@ -11771,12 +11771,12 @@ The \rawEncoding of an \Orchard \shieldedPaymentAddress consists of:
|
|||
\begin{itemize}
|
||||
\item $11$ bytes specifying $\Diversifier$.
|
||||
\item $32$ bytes specifying the \swCompressedEncoding of
|
||||
$\DiversifiedTransmitPublic$ (see \crossref{pallasandvesta}).
|
||||
$\DiversifiedTransmitPublic$ (see \crossref{pallasandvesta}).\!\!
|
||||
\end{itemize}
|
||||
|
||||
\vspace{-2,5ex}
|
||||
When decoding the representation of $\DiversifiedTransmitPublic$, the address \MUST be
|
||||
considered invalid if $\abstP$ returns $\bot$.
|
||||
considered invalid if $\abstP$ returns $\bot$ or $\ZeroP$.
|
||||
|
||||
There is no \Bech encoding defined for an individual \Orchard \shieldedPaymentAddress;
|
||||
instead use a \unifiedPaymentAddress as defined in \crossref{unifiedpaymentaddrencoding}.
|
||||
|
|
@ -14225,6 +14225,11 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\nufive{
|
||||
\item Correct errors in the definitions of $\ExtractP$ and $\ExtractPbot$ in \crossref{concreteextractorpallas}:
|
||||
$\ExtractP(\ZeroP)$ should be $0$, and $\ExtractPbot(\bot)$ should be $\bot$.
|
||||
\item Change the type of $\KA{Orchard}$ public keys and shared secrets to $\GroupPstar$ (i.e.\ exclude
|
||||
$\ZeroP$), and the type of $\KA{Orchard}$ private keys to $\GFstar{\ParamP{r}}$ (i.e.\ exclude $0$).
|
||||
\item Change the type of an \Orchard $\InViewingKey$ to $\InViewingKeyTypeOrchard$ (i.e.\ exclude $0$).
|
||||
\item Change the types of $\DiversifiedTransmitPublicOld$, $\cmOld{}$ and $\AuthSignPublicPoint$ to
|
||||
$\GroupPstar$ in the \auxiliaryInputs to the \actionStatement.
|
||||
\item Add a note in \crossref{orchardkeycomponents} about non-uniformity of $\InViewingKey$.
|
||||
}
|
||||
\item Fix some URLs in references.
|
||||
|
|
|
|||
Loading…
Reference in New Issue