The rest for beta-30 (sorry, I have a flight to catch).

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2018-09-02 09:04:23 +01:00
parent b909f2a482
commit 3ecbe6b903
2 changed files with 307 additions and 63 deletions

View File

@ -135,6 +135,7 @@
\newcolumntype{S}{>{$}r<{\;$}}
\newcolumntype{T}{>{$}l<{\;$}}
\newcolumntype{U}{>{$}l<{$}}
\newcolumntype{C}{>{$}c<{$}}
\makeatletter
\renewcommand*{\@fnsymbol}[1]{\ensuremath{\ifcase#1\or \dagger\or \ddagger\or \mathsection\or \mathparagraph\else\@ctrerr\fi}}
@ -164,6 +165,7 @@
\newcommand{\footnotewithlabel}[2]{\hairspace\oldfootnote{\label{#1}{#2}}}
\newcommand{\crossref}[1]{\raisebox{0ex}{\autoref{#1}}\hspace{0.2em}\emph{`\nameref*{#1}\kern -0.05em'} on p.\,\pageref*{#1}}
\newcommand{\shortcrossref}[1]{\raisebox{0ex}{\autoref{#1}} on p.\,\pageref*{#1}}
\newcommand{\theoremref}[1]{\raisebox{0ex}{\autoref{#1}\vphantom{,}} on p.\,\pageref*{#1}}
\newcommand{\footnoteref}[1]{\hairspace\raisebox{0ex}{\cref{#1}}}
@ -403,6 +405,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\Bitcoin}{\termbf{Bitcoin}}
\newcommand{\CryptoNote}{\termbf{CryptoNote}}
\newcommand{\Mimblewimble}{\termbf{Mimblewimble}}
\newcommand{\Bulletproofs}{\termbf{Bulletproofs}}
\newcommand{\ZEC}{\termbf{ZEC}}
\newcommand{\zatoshi}{\term{zatoshi}}
\newcommand{\zcashd}{\textsf{zcashd}\,}
@ -756,9 +759,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\pseudoRandomFunction}{\term{Pseudo Random Function}}
\newcommand{\pseudoRandomFunctions}{\term{Pseudo Random Functions}}
\newcommand{\PseudoRandomFunctions}{\titleterm{Pseudo Random Functions}}
\newcommand{\pseudoRandomGenerator}{\term{Pseudo Random Generator}}
\newcommand{\pseudoRandomGenerators}{\term{Pseudo Random Generators}}
\newcommand{\PseudoRandomGenerators}{\titleterm{Pseudo Random Generators}}
\newcommand{\pseudoRandomPermutation}{\term{Pseudo Random Permutation}}
\newcommand{\pseudoRandomGenerators}{\term{Pseudo Random Generators}} % only in Change History
\newcommand{\expandedSeed}{\term{expanded seed}}
\newcommand{\shaHashFunction}{\term{SHA-256 hash function}}
\newcommand{\shaCompress}{\term{SHA-256 compression}}
@ -948,6 +950,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\InViewingKey}{\mathsf{ivk}}
\newcommand{\InViewingKeyLength}{\ell_{\InViewingKey}}
\newcommand{\InViewingKeyTypeSapling}{\binaryrange{\InViewingKeyLength}}
\newcommand{\InViewingKeyRepr}{{\InViewingKey\Repr}}
\newcommand{\InViewingKeyLeadByte}{\hexint{A8}}
\newcommand{\InViewingKeySecondByte}{\hexint{AB}}
\newcommand{\InViewingKeyThirdByte}{\hexint{D3}}
@ -1012,7 +1015,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\AuthSignRandomizedPublicRepr}{{\AuthSignRandomizedPublic\Repr}}
\newcommand{\AuthSignRandomizedPrivate}{\mathsf{rsk}}
\newcommand{\AuthSignRandomizer}{\alpha}
\newcommand{\AuthSignRandomizerRepr}{{\AuthSignRandomizer\Repr}}
\newcommand{\AuthProvePrivate}{\mathsf{nsk}}
\newcommand{\AuthProvePrivateRepr}{{\AuthProvePrivate\Repr}}
\newcommand{\AuthProveBase}{\mathcal{H}}
\newcommand{\AuthProvePublic}{\mathsf{nk}}
\newcommand{\AuthProvePublicRepr}{{\AuthProvePublic\Repr}}
@ -1021,6 +1026,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\OutViewingKeyType}{\byteseq{\OutViewingKeyLength/8}}
\newcommand{\OutCipherKey}{\mathsf{ock}}
\newcommand{\NotePosition}{\mathsf{pos}}
\newcommand{\NotePositionRepr}{{\NotePosition\Repr}}
\newcommand{\NotePositionBase}{\mathcal{J}}
\newcommand{\NotePositionTypeSprout}{\binaryrange{\MerkleDepthSprout}}
\newcommand{\NotePositionTypeSapling}{\binaryrange{\MerkleDepthSapling}}
@ -1033,6 +1039,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\DiversifiedTransmitPublic}{\mathsf{pk_d}}
\newcommand{\DiversifiedTransmitPublicRepr}{\mathsf{pk\Repr_d}}
\newcommand{\DiversifiedTransmitPublicNew}{\mathsf{pk^{new}_d}}
\newcommand{\vOldRepr}{\MakeRepr{\mathsf{v}}{\mathsf{old}}}
% PRFs
@ -1186,7 +1193,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\cvOld}[1]{\cv^\mathsf{old}_{#1}}
\newcommand{\cvNew}[1]{\cv^\mathsf{new}_{#1}}
\newcommand{\cm}{\mathsf{cm}}
\newcommand{\cmU}{\mathsf{cm}_{\kern -0.06em u}}
\newcommand{\cmU}{\cm_{\kern -0.06em u}}
\newcommand{\cmURepr}{\cm\Repr_{\kern -0.04em u}}
\newcommand{\cmOld}[1]{\cm^\mathsf{old}_{#1}}
\newcommand{\cmNew}[1]{\cm^\mathsf{new}_{#1}}
\newcommand{\snOld}[1]{\mathsf{sn}^\mathsf{old}_{#1}}
@ -1409,7 +1417,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\nullifiersField}{\mathtt{nullifiers}}
\newcommand{\rkField}{\mathtt{rk}}
\newcommand{\cvField}{\mathtt{cv}}
\newcommand{\cmField}{\mathtt{cmu}}
\newcommand{\cmuField}{\mathtt{cmu}}
\newcommand{\commitment}{\mathtt{commitment}}
\newcommand{\commitments}{\mathtt{commitments}}
\newcommand{\ephemeralKey}{\mathtt{ephemeralKey}}
@ -1821,6 +1829,8 @@ This specification is structured as follows:
\notsprout{
\item Appendix: Circuit Design — details of how the \Sapling circuit is defined
as a \quadraticConstraintProgram.
\item Appendix: Batching Optimizations — improvements to the efficiency of
verifying multiple signatures and proofs.
}
\end{itemize}
@ -1952,9 +1962,9 @@ Outside the \zkSNARK, it is \sprout{also} checked that the \nullifiers for the i
\notes had not already been revealed (i.e.\ they had not already been spent).
A \paymentAddress includes
\sprout{two public keys: a \payingKey matching that of \notes sent to the address, and}
a \transmissionKey for a key-private asymmetric encryption
scheme. \quotedterm{Key-private} means that ciphertexts do not reveal information
\sprout{two public keys: a \payingKey matching that of \notes sent to the address, and }a
\transmissionKey for a ``\keyPrivate'' asymmetric encryption
scheme. \mbox{\xKeyPrivate} means that ciphertexts do not reveal information
about which key they were encrypted to, except to a holder of the corresponding
private key, which in this context is called the \receivingKey. This facility is
used to communicate encrypted output \notes on the \blockchain to their
@ -3347,7 +3357,9 @@ $\ValueCommit{}$ is instantiated in \crossref{concretevaluecommit}.
\vspace{-2ex}
\nnote{$\NoteCommitSapling{}$ and $\ValueCommit{}$ always return points in the subgroup $\SubgroupJ$.
However, we declare the type of these commitment outputs to be $\GroupJ$ because they are not
checked to be in the subgroup when used in \spendDescriptions and \outputDescriptions.}
directly checked to be in the subgroup when $\ValueCommit{}$ outputs appear in \spendDescriptions
and \outputDescriptions, or when the $\cmuField$ field derived from a $\NoteCommitSapling{}$ appears
in an \outputDescription.}
} %sapling
@ -3799,6 +3811,8 @@ if this happens, discard the key and repeat with a different $\SpendingKey$.
is bijective, the distribution of $\reprJ\Of{\AuthProvePublic}$ will be computationally
indistinguishable from the uniform distribution on $\SubgroupReprJ$
which is the keyspace of $\PRFnfSapling{}$.
\item The zcashd wallet generates \diversifiers according to \cite{ZIP-32} rather than
using the default \diversifier specified above.
\end{nnotes}
\vspace{-2ex}
} %sapling
@ -4584,6 +4598,10 @@ other parties that are cooperating to create the \transaction. If all of the
\nnote{
The technique of checking signatures using a public key derived from a sum of
\xPedersenCommitments is also used in the \Mimblewimble protocol \cite{Jedusor2016}.
The private key $\BindingPrivate$ acts as a \quotedterm{synthetic blinding factor},
in the sense that it is synthesized from the other blinding factors (trapdoors)
$\ValueCommitRandOld{\alln}$ and $\ValueCommitRandNew{\allm}$; this technique is
also used in \Bulletproofs \cite{Dalek-notes}.
} %nnote
} %sapling
@ -4636,10 +4654,10 @@ The resulting $\spendAuthSig$ and $\ProofSpend$ are included in the \spendDescri
\vspace{-1ex}
\pnote{
If the spender is computationally or memory-limited, step 4 \MAY be delegated to a different
party that is capable of performing the \zkProof. In this case privacy will be lost to that
party since it needs $\AuthSignPublic$ and the \authProvingKey $\AuthProvePrivate$; this allows
also deriving the $\AuthProvePublic$ component of the \fullViewingKey. Together
If the spender is computationally or memory-limited, step 4 (and only step 4) \MAY be delegated
to a different party that is capable of performing the \zkProof. In this case privacy will be
lost to that party since it needs $\AuthSignPublic$ and the \authProvingKey $\AuthProvePrivate$;
this allows also deriving the $\AuthProvePublic$ component of the \fullViewingKey. Together
$\AuthSignPublic$ and $\AuthProvePublic$ are sufficient to recognize spent \notes and to
recognize and decrypt incoming \notes. However, the other party will not obtain spending
authority for other \transactions, since it is not able to create a \spendAuthSignature by itself.
@ -5193,9 +5211,9 @@ Then to encrypt:
\item \tab choose random $\OutCipherKey \leftarrowR \Keyspace$ and $\OutPlaintext \leftarrowR \byteseq{(\ellJ + 256)/8}$
\item else:
\item \tab let $\cvField = \LEBStoOSP{\ellJ}\big(\reprJ(\cvNew{})\kern-0.12em\big)$
\item \tab let $\cmField = \LEBStoOSP{256}\big(\ExtractJ(\cmNew{})\kern-0.12em\big)$
\item \tab let $\cmuField = \LEBStoOSP{256}\big(\ExtractJ(\cmNew{})\kern-0.12em\big)$
\item \tab let $\ephemeralKey = \LEBStoOSPOf{\ellJ}{\reprJ\Of{\EphemeralPublic}\kern 0.03em}$
\item \tab let $\OutCipherKey = \PRFock{\OutViewingKey}(\cvField, \cmField, \ephemeralKey)$
\item \tab let $\OutCipherKey = \PRFock{\OutViewingKey}(\cvField, \cmuField, \ephemeralKey)$
\item \tab let $\OutPlaintext = \LEBStoOSPOf{\ellJ + 256}{\reprJ(\DiversifiedTransmitPublicNew) \,\bconcat\, \ItoLEBSPOf{256}{\EphemeralPrivate}\kern-0.12em}$
\item \vspace{-2ex}
\item let $\OutCiphertext = \SymEncrypt{\OutCipherKey}(\OutPlaintext)$
@ -5223,7 +5241,7 @@ Let $\InViewingKey \typecolon \InViewingKeyTypeSapling$ be the recipient's \inco
as specified in \crossref{saplingkeycomponents}.
Let $(\EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext)$ be the \noteCiphertext from the
\outputDescription{}. Let $\cmField$ be that field of the \outputDescription (encoding the
\outputDescription{}. Let $\cmuField$ be that field of the \outputDescription (encoding the
$u$-coordinate of the \noteCommitment).
\introlist
@ -5244,7 +5262,7 @@ components of the \noteCiphertext as follows:
\item let $\cmU' = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRandNew{}}(\reprJ\Of{\DiversifiedTransmitBase},
\reprJ\Of{\DiversifiedTransmitPublic},
\Value)\kern-0.12em\big)$.
\item if $\LEBStoOSPOf{256}{\cmU'} \neq \cmField$, return $\bot$, else return $\NotePlaintext{}$.
\item if $\LEBStoOSPOf{256}{\cmU'} \neq \cmuField$, return $\bot$, else return $\NotePlaintext{}$.
\end{algorithm}
A received \Sapling{} \note is necessarily a \positionedNote, and so its
@ -5275,7 +5293,7 @@ in \crossref{saplingkeycomponents}, that is to be used for decryption.
this method.)
Let $(\EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext)$ be the \noteCiphertext,
and let $\cvField$, $\cmField$, and $\ephemeralKey$ be those
and let $\cvField$, $\cmuField$, and $\ephemeralKey$ be those
fields of the \outputDescription (encoding the \valueCommitment, the $u$-coordinate
of the \noteCommitment, and $\EphemeralPublic$).
@ -5285,7 +5303,7 @@ The \outgoingViewingKey holder will attempt to decrypt the \noteCiphertext as fo
\introlist
\begin{algorithm}
\item let $\OutCipherKey = \PRFock{\OutViewingKey}(\cvField, \cmField, \ephemeralKey)$
\item let $\OutCipherKey = \PRFock{\OutViewingKey}(\cvField, \cmuField, \ephemeralKey)$
\item let $\OutPlaintext = \SymDecrypt{\OutCipherKey}(\OutCiphertext)$
\item if $\OutPlaintext = \bot$, return $\bot$
\item extract $(\DiversifiedTransmitPublicRepr \typecolon \ReprJ,
@ -5307,7 +5325,7 @@ The \outgoingViewingKey holder will attempt to decrypt the \noteCiphertext as fo
\item let $\cmU' = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRandNew{}}(\reprJ\Of{\DiversifiedTransmitBase},
\reprJ\Of{\DiversifiedTransmitPublic},
\Value)\kern-0.12em\big)$.
\item if $\LEBStoOSPOf{256}{\cmU'} \neq \cmField$, return $\bot$, else return $\NotePlaintext{}$.
\item if $\LEBStoOSPOf{256}{\cmU'} \neq \cmuField$, return $\bot$, else return $\NotePlaintext{}$.
\end{algorithm}
} %sapling
@ -6307,7 +6325,7 @@ be necessary.})
\begin{bytefield}[bitwidth=0.038em]{512}
\sbitbox{256}{$\LEBStoOSPOf{256}{\OutViewingKey}$} &
\sbitbox{256}{$32$-byte $\cvField$}
\sbitbox{256}{$32$-byte $\cmField$} &
\sbitbox{256}{$32$-byte $\cmuField$} &
\sbitbox{264}{$32$-byte $\ephemeralKey$}
\end{bytefield}
\end{lrbox}
@ -6351,7 +6369,7 @@ It is instantiated using the $\BlakeTwobGeneric$ \hashFunction defined in
\crossref{concreteblake2}:
\begin{formulae}
\item $\PRFock{\OutViewingKey}(\cvField, \cmField, \ephemeralKey) := \BlakeTwobOf{256}{\ascii{Zcash\_Derive\_ock}, \ockInput}$
\item $\PRFock{\OutViewingKey}(\cvField, \cmuField, \ephemeralKey) := \BlakeTwobOf{256}{\ascii{Zcash\_Derive\_ock}, \ockInput}$
\item where $\ockInput = \Justthebox{\ockbox}$.
\end{formulae}
@ -6359,7 +6377,7 @@ It is instantiated using the $\BlakeTwobGeneric$ \hashFunction defined in
\securityrequirement{
$\BlakeTwobOf{512}{\ascii{Zcash\_Derive\_ock}, \ockInput}$ must be a
PRF for output range $\Keyspace$ (defined in \crossref{concretesym}) when keyed by the bits corresponding
to $\OutViewingKey$, with input in the bits corresponding to $\cvField$, $\cmField$, and $\ephemeralKey$.
to $\OutViewingKey$, with input in the bits corresponding to $\cvField$, $\cmuField$, and $\ephemeralKey$.
} %securityrequirement
\vspace{2ex}
@ -6719,7 +6737,16 @@ at least $\ParamG{r}$. It \emph{does} check that $\RedDSAReprR{}$ is the canonic
verification of batches of $\RedDSA$ signatures.
\end{pnotes}
\vspace{1ex}
\vspace{-2ex}
\nnote{The randomization used in $\RedDSARandomizePrivate$ and $\RedDSARandomizePublic$
may interact with other uses of additive properties of keys for Schnorr-based signature schemes.
In the \Zcash protocol, such properties are used for \bindingSignatures but not at the same time
as key randomization. They are also used in \cite{ZIP-32} when deriving child extended keys,
but this does not result in any practical security weakness as long as the security recommendations
of ZIP-32 are followed. If $\RedDSA$ is reused in other protocols making use of these additive
properties, careful analysis of potential interactions is required.}
\vspace{3ex}
\introlist
The two abelian groups specified in \crossref{abstractsighom} are instantiated for $\RedDSA$
as follows:
@ -6880,13 +6907,15 @@ instantiated as follows using $\WindowedPedersenCommitAlg$:
(They are in fact unconditionally hiding \commitmentSchemes.)
\vspace{-2ex}
\pnote{
The prefix $\ones{6}$ distinguishes the use of $\WindowedPedersenCommitAlg$ in
$\NoteCommitSaplingAlg$ from the layer prefix used in $\MerkleCRHSapling$ (see
\crossref{merklecrh}). The latter is a $6$-bit little-endian encoding of an integer
in $\range{0}{\MerkleDepthSapling-1}$, and so cannot collide with $\ones{6}$ because
$\MerkleDepthSapling < 64$.
} %pnote
\begin{pnotes}
\item The prefix $\ones{6}$ distinguishes the use of $\WindowedPedersenCommitAlg$ in
$\NoteCommitSaplingAlg$ from the layer prefix used in $\MerkleCRHSapling$ (see
\crossref{merklecrh}). The latter is a $6$-bit little-endian encoding of an integer
in $\range{0}{\MerkleDepthSapling-1}$; because $\MerkleDepthSapling < 64$, this
cannot collide with $\ones{6}$.
\item The arguments to $\NoteCommitSapling{}$ are in a different order to their encodings
in $\WindowedPedersenCommit{}$. There is no particularly good reason for this.
\end{pnotes}
} %sapling
@ -8084,7 +8113,7 @@ the \Sprout \joinSplitCircuit used after \Sapling activation, are respectively:
\texttt{d5054e371842b3f88fa1b9d7e8e075249b3ebabd167fa8b0f3161292d36c180a sprout-groth16.params}
\end{lines}
These parameters were obtained by a multi-party computation described in \todo{}.
These parameters were obtained by a multi-party computation described in \cite{BGM2018}.
} %sapling
@ -8516,7 +8545,7 @@ Bytes & \heading{Name} & \heading{Data Type} & \heading{Description} \\
$32$ & $\cvField$ & \type{char[32]} & A \valueCommitment to the value of the output \note,
$\LEBStoOSPOf{256}{\reprJ\Of{\cv}\kern 0.05em}$. \\ \hline
$32$ & $\cmField$ & \type{char[32]} & The $u$-coordinate of the \noteCommitment for the output \note,
$32$ & $\cmuField$ & \type{char[32]} & The $u$-coordinate of the \noteCommitment for the output \note,
$\LEBStoOSPOf{256}{\cmU}$ where $\cmU = \ExtractJ(\cm)$. \\ \hline
$32$ & $\ephemeralKey$ & \type{char[32]} & An encoding of an ephemeral $\JubjubCurve$ public key,
@ -8539,7 +8568,7 @@ The $\ephemeralKey$, $\encCiphertext$, and $\outCiphertext$ fields together form
\noteCiphertext, which is computed as described in \crossref{saplinginband}.
\vspace{-4ex}
\consensusrule{$\LEOStoIPOf{256}{\cmField}$ \MUST be less than $\ParamJ{q}$.}
\consensusrule{$\LEOStoIPOf{256}{\cmuField}$ \MUST be less than $\ParamJ{q}$.}
\vspace{-0.5ex}
Other consensus rules applying to an \outputDescription are given in \crossref{outputdesc}.
@ -9529,7 +9558,7 @@ The motivations for this change were as follows:
--counting conservatively-- 576 possible combinations of options and
algorithms over the four standards (ANSI X9.63, IEEE Std 1363a-2004,
ISO/IEC 18033-2, and SEC 1) that define ECIES variants \cite{MAEA2010}.
\item Although the \Zerocash paper states that ECIES satisfies key privacy
\item Although the \Zerocash paper states that ECIES satisfies \keyPrivacy
(as defined in \cite{BBDP2001}), it is not clear that this holds for
all curve parameters and key distributions. For example, if a group of
non-prime order is used, the distribution of ciphertexts could be
@ -9579,7 +9608,7 @@ resulting scheme. Although DHAES as defined in that paper does not pass the
recipient public key or a public seed to the \hashFunction $H$, this does not
impair the proof because we can consider $H$ to be the specialization of our
KDF to a given recipient key and seed. (Passing the recipient public key to
the KDF could in principle compromise key privacy, but not confidentiality of
the KDF could in principle compromise \keyPrivacy, but not confidentiality of
encryption.) \sproutspecific{It is necessary to adapt the
``HDH independence'' assumptions and the proof slightly to take into account
that the ephemeral key is reused for two encryptions.}
@ -9737,12 +9766,34 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\section{Change History}
\subparagraph{2018.0-beta-30}
2018-09-02
\begin{itemize}
\item No changes to \Sprout.
\sapling{
\item Give an informal security argument for Unlinkability of \diversifiedPaymentAddresses
based on to reduction to \keyPrivacy of ElGamal encryption, for which a security proof
is given in \cite{BBDP2001}. (This argument has gaps which will be addressed in a future
version.)
\item Add a reference to \cite{BGM2018} for the \Sapling \zkSNARK parameters.
\item Write \crossref{cctsaplingspend} (draft).
\item Add a reference to the ristretto\_bulletproofs design notes
\cite{Dalek-notes} for the synthetic blinding factor technique.
\item Ensure that the constraint costs in \crossref{cctedvalidate} and
\crossref{cctednonsmallorder} accurately reflect the sapling-crypto
implementation.
\item Minor correction to the non-normative note in \crossref{cctrange}.
\item Clarify the non-normative note in \crossref{abstractcommit} about
the definitions of $\ValueCommitOutput$ and $\NoteCommitSaplingOutput$.
\item Clarify that the signer of a \spendAuthSignature is supposed to choose
the \spendAuthRandomizer, $\AuthSignRandomizer$, itself. Only step 4 in the
procedure in \crossref{spendauthsig} may securely be delegated.
\item Add a non-normative note to \crossref{concretereddsa} explaining that
$\RedDSA$ key randomization may interact with other uses of additive
properties of Schnorr keys.
} %sapling
\item Add dates to Change History entries. (These are the dates of the git tags
in local, i.e.\ UK, time.)
\end{itemize}
\introlist
@ -9905,9 +9956,9 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
$\GroupG{}$ and $\GroupJ$ where applicable.
\item Change the types of \auxiliaryInputs to the \spendStatement and \outputStatement, to be more
faithful to the implementation.
\item Rename the $\texttt{cm}$ field of an \outputDescription to $\cmField$, reflecting the fact that
\item Rename the $\texttt{cm}$ field of an \outputDescription to $\cmuField$, reflecting the fact that
it is a \jubjubCurve $u$-coordinate.
\item Add explicit consensus rules that the $\anchorField$ field of a \spendDescription and the $\cmField$
\item Add explicit consensus rules that the $\anchorField$ field of a \spendDescription and the $\cmuField$
field of an \outputDescription{} must be canonical encodings.
\item Enforce that $\EphemeralPrivate$ in $\outCiphertext$ is a canonical encoding.
\item Add consensus rules that $\cv$ in a \spendDescription, and $\cv$ and $\EphemeralPublic$ in an
@ -9982,7 +10033,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\item Fail \Sapling key generation if $\InViewingKey = 0$. (This has negligible probability.)
\item Change the notation $\RedDSAHash^{\star}$ to $\RedDSAHashToScalar$ in \crossref{concreteredjubjub},
to avoid confusion with the $^{\Repr}$ convention for representations of group elements.
\item $\cmField$ encodes only the $u$-coordinate of the \noteCommitment, not the full curve point.
\item $\cmuField$ encodes only the $u$-coordinate of the \noteCommitment, not the full curve point.
\item $\AuthSignRandomizedPublic$ is checked to be not of small order outside the \spendStatement,
not in the \spendStatement.
\item Change terminology describing constraint systems.
@ -11048,16 +11099,18 @@ sufficient to compute an \Nary{} AND of $a_{\barerange{m}{m+N-2}}$ and $\Pi_{m+N
$R = \sproduct{i=0}{N-1}{X_i}$. This can be computed in $3$ constraints for any
$N$; boolean-constrain the output $R$, and then add constraints
\vspace{1ex}
\newcommand{\NminusSumOfX}{\vphantom{\Big(}\smash{N - \ssum{i=0}{N-1}{X_i}}}
\vspace{0.5ex}
\begin{tabular}{@{\tab}l@{\;\;}l}
$\constraint{N - \ssum{i=0}{N-1}{X_i}}{\mathsf{inv}}{1-R}$ &to enforce that
$\constraint{\NminusSumOfX}{\mathsf{inv}}{1-R}$ &to enforce that
$\ssum{i=0}{N-1}{X_i} \neq N$ when $R = 0$; \\[2ex]
$\constraint{N - \ssum{i=0}{N-1}{X_i}}{R}{0}$ &to enforce that
$\constraint{\NminusSumOfX}{R}{0}$ &to enforce that
$\ssum{i=0}{N-1}{X_i} = N$ when $R = 1$. \\
\end{tabular}
\vspace{-1ex}
where $\mathsf{inv}$ is witnessed as $\Big(N - \ssum{i=0}{N-1}{X_i}\Big)^{\!-1}$ if $R = 0$
\vspace{1ex}
where $\mathsf{inv}$ is witnessed as $\smash{\Of{\NminusSumOfX}^{-1}}$ if $R = 0$
or is unconstrained otherwise. (Since $N < \ParamS{r}$, the sums cannot overflow.)
In fact the last constraint is not needed in this context because it is sufficient to
@ -11075,18 +11128,26 @@ These optimizations are not used in \Sapling.}
\subsubsubsection{Checking that affine Edwards coordinates are on the curve} \label{cctedvalidate}
To check that $(u, \varv)$ is a point on the Edwards curve, use:
To check that $(u, \varv)$ is a point on the Edwards curve, the \Sapling circuit uses
$4$ constraints:
\begin{formulae}
\item $\constraint{u}{u}{uu}$
\item $\constraint{\varv}{\varv}{\varvv}$
\item $\constraint{\ParamJ{d} \smult uu}{\varvv}{\ParamJ{a} \smult uu + \varvv - 1}$
\item $\constraint{uu}{\varvv}{uu\varvv}$
\item $\constraint{\ParamJ{a} \smult uu + \varvv}{1}{1 + \ParamJ{d} \smult uu\varvv}$
\end{formulae}
\vspace{-4ex}
\nnote{The last two constraints can be combined into
$\constraint{\ParamJ{d} \smult uu}{\varvv}{\ParamJ{a} \smult uu + \varvv - 1}$.
The \Sapling circuit does not use this optimization.}
\introsection
\subsubsubsection{Edwards [de]compression and validation} \label{ccteddecompressvalidate}
\introlist
Define $\DecompressValidate \typecolon \CompressedEdwardsJubjub \rightarrow \AffineEdwardsJubjub$
as follows:
@ -11099,17 +11160,17 @@ as follows:
\item \tab Check that $(u, \varv)$ is a point on the Edwards curve.
\vspace{1ex}
\item \tab // \crossref{cctmodpack}.
\item \tab Unpack $u$ to $\vsum{i=0}{254} u_i \mult 2^i$, equating $\tilde{u}$ with $u_0$.
\item \tab Unpack $u$ to $\ssum{i=0}{254} u_i \mult 2^i$, equating $\tilde{u}$ with $u_0$.
\vspace{1ex}
\item \tab // \crossref{cctrange}.
\item \tab Check that $\vsum{i=0}{254} u_i \mult 2^i \leq \ParamS{r}-1$.
\item \tab Check that $\ssum{i=0}{254} u_i \mult 2^i \leq \ParamS{r}-1$.
\vspace{1ex}
\item \tab Return $(u, \varv)$.
\end{algorithm}
This costs $3$ constraints for the curve equation check, $1$ constraint for the
This costs $4$ constraints for the curve equation check, $1$ constraint for the
unpacking, and $387$ constraints for the range check (as computed in \crossref{cctrange})
for a total of $391$ constraints. The cost of the range check includes
for a total of $392$ constraints. The cost of the range check includes
boolean-constraining $u_\barerange{0}{254}$.
The same \quadraticConstraintProgram is used for compression and decompression.
@ -11330,24 +11391,32 @@ in combination with a check that the coordinates are on the curve (\crossref{cct
so we combine the two operations.
The \jubjubCurve has a large prime-order subgroup with a cofactor of $8$.
To check for a point $P$ of order $8$ or less, we double twice (as in
\crossref{cctedarithmetic}) and check that the resulting $u$-coordinate
is not $0$ (as in \crossref{cctnonzero}).
To check for a point $P$ of order $8$ or less, the \Sapling circuit doubles
three times (as in \crossref{cctedarithmetic}) and checks that the resulting
$u$-coordinate is not $0$ (as in \crossref{cctnonzero}).
On a twisted Edwards curve, only the zero point $\ZeroJ$, and the unique point
of order $2$ at $(0, -1)$ have zero $u$-coordinate. So this $u$-coordinate check rejects
both $\ZeroJ$ and the point of order $2$, and no other points.
of order $2$ at $(0, -1)$ have zero $u$-coordinate. The point of order $2$ cannot
occur as the result of three doublings. So this $u$-coordinate check rejects
only $\ZeroJ$.
The total cost, including the curve check, is $3 + 2 \mult 5 + 1 = 14$ constraints.
The total cost, including the curve check, is $4 + 3 \mult 5 + 1 = 20$ constraints.
\vspace{-2ex}
\pnote{This \emph{does not} ensure that the point is in the prime-order subgroup.}
\vspace{-2ex}
\nnote{It is possible to reduce the cost to $8$ constraints by merging the first doubling
with the curve point check, and then optimizing the second doubling based on the fact that
we only need to check whether the resulting $u$-coordinate is zero. However, the \Sapling
circuit does not use these optimizations.}
\begin{nnotes}
\item It would have been sufficient to do two doublings rather than three, because
the check that the $u$-coordinate is nonzero would reject both $\ZeroJ$
and the point of order $2$.
\item It is possible to reduce the cost to $8$ constraints by eliminating the
redundant constraint in the curve point check mentioned in
\crossref{cctedvalidate}; merging the first doubling with the curve point check;
and then optimizing the second doubling based on the fact that we only need
to check whether the resulting $u$-coordinate is zero.
The \Sapling circuit does not use these optimizations.
\end{nnotes}
\introsection
@ -11664,7 +11733,18 @@ as follows:
In the case that we need for $\ValueCommit{}$, $\Value$ has $64$
bits\footnote{It would be sufficient to use $51$ bits, which accomodates the range
$\range{0}{\MAXMONEY}$, but the \Sapling circuit uses $64$.}.
This can be straightforwardly implemented in ... constraints.
This value is given as a bit representation, which does not need to be constrained
equal to an integer.
\introlist
$\ValueCommit{}$ can be implemented in:
\begin{itemize}
\item $64$ constraints to boolean-constrain the value bits;
\item $750$ constraints for the $252$-bit fixed-base multiplication by $\ValueCommitRand$;
\item $?$ constraints for the $64$-bit fixed-base multiplication by $\Value$;
\item $6$ constraints for the Edwards addition
\end{itemize}
for a total cost of $?$ constraints.
\subsubsection{BLAKE2s hashes} \label{cctblake2s}
@ -11810,12 +11890,142 @@ final $\xor$ operations), but not the message bits.
\end{nnotes}
\introsection
\intropart
\subsection{The SaplingSpend circuit} \label{cctsaplingspend}
The \Sapling Spend \statement is defined in \crossref{spendstatement}.
The primary input is
\begin{formulae}
\item ...
\item $\oparen\rt \typecolon \MerkleHashSapling,\\
\hparen\cvOld{} \typecolon \ValueCommitOutput,\\
\hparen\nfOld{} \typecolon \bitseq{\PRFOutputLengthNfSapling},\\
\hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic\cparen$,
\end{formulae}
and the auxiliary input is
\begin{formulae}
\item $\oparen\TreePath{} \typecolon \typeexp{\MerkleHash}{\MerkleDepthSapling},\\
\hparen\NotePosition \typecolon \NotePositionTypeSapling,\vspace{0.4ex}\\
\hparen\DiversifiedTransmitBase \typecolon \GroupJ,\\
\hparen\DiversifiedTransmitPublic \typecolon \GroupJ,\vspace{0.6ex}\\
\hparen\vOld{} \typecolon \ValueType,\\
\hparen\ValueCommitRandOld{} \typecolon \binaryrange{\ScalarLength},\\
\hparen\cmOld{} \typecolon \GroupJ,\\
\hparen\NoteCommitRandOld{} \typecolon \binaryrange{\ScalarLength},\\
\hparen\AuthSignRandomizer \typecolon \binaryrange{\ScalarLength},\\
\hparen\AuthSignPublic \typecolon \SpendAuthSigPublic,\\
\hparen\AuthProvePrivate \typecolon \binaryrange{\ScalarLength}\cparen$
\end{formulae}
$\ValueCommitOutput$ and $\SpendAuthSigPublic$ are $\GroupJ$, so we have
$\cvOld{}$, $\cmOld{}$, $\AuthSignRandomizedPublic$, $\DiversifiedTransmitBase$,
$\DiversifiedTransmitPublic$, and $\AuthSignPublic$ which
represent \jubjubCurve points. However,
\begin{itemize}
\item $\cvOld{}$ will be constrained to an output of $\ValueCommit{}$;
\item $\cmOld{}$ will be constrained to an output of $\NoteCommitSapling{}$;
\item $\AuthSignRandomizedPublic$ will be constrained to
$\scalarmult{\AuthSignRandomizer}{\AuthSignBase} + \AuthSignPublic$;
\item $\DiversifiedTransmitPublic$ will be constrained to
$\scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$
\end{itemize}
so $\cvOld{}$, $\cmOld{}$, $\AuthSignRandomizedPublic$, and $\DiversifiedTransmitPublic$
do not need to be explicitly checked to be on the curve.
In addition, $\AuthProvePublicRepr$ and $\NoteAddressRandRepr$ used in
\textbf{Nullifier integrity} are compressed representations of
\jubjubCurve points.
Therefore we have $\DiversifiedTransmitBase$, $\AuthSignPublic$, $\AuthProvePublic$,
and $\NoteAddressRand$ which need to be constrained to valid \jubjubCurve points as
described in \crossref{ccteddecompressvalidate}.
\introsection
In order to aid in comparing the implementation with the specification,
we present the checks needed in the order in which they are implemented
in the sapling-crypto code:
\begin{center}
\begin{tabular}{|p{16em}|l|C|l|}
\hline
Check & Implements & \heading{Cost} & Reference \\
\hhline{|=|=|=|=|}
$\AuthSignPublic$ is on the curve
& $\AuthSignPublic \typecolon \SpendAuthSigPublic$ & 4 & \shortcrossref{cctedvalidate} \\ \hline
$\AuthSignPublic$ is not small order
& \textbf{Small order checks} & 16 & \shortcrossref{cctednonsmallorder} \\ \hline
$\AuthSignRandomizerRepr \typecolon \bitseq{\ScalarLength}$
& $\AuthSignRandomizer \typecolon \binaryrange{\ScalarLength}$ & 252 & \shortcrossref{cctboolean} \\ \hline
$\AuthSignRandomizer' = \scalarmult{\AuthSignRandomizer}{\AuthSignBase}$
& \textbf{Spend authority} & 750 & \shortcrossref{cctfixedscalarmult} \\ \cline{1-1}\cline{3-4}
$\AuthSignRandomizedPublic = \AuthSignRandomizer' + \AuthSignPublic$
& & 6 & \shortcrossref{cctedarithmetic} \\ \hline
inputize $\AuthSignRandomizedPublic$
& $\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic$ & 392? & \shortcrossref{ccteddecompressvalidate} \\ \hline
$\AuthProvePrivateRepr \typecolon \bitseq{\ScalarLength}$
& $\AuthProvePrivate \typecolon \binaryrange{\ScalarLength}$ & 252 & \shortcrossref{cctboolean} \\ \hline
$\AuthProvePublic = \scalarmult{\AuthProvePrivate}{\AuthProveBase}$
& \textbf{Nullifier integrity} & 750 & \shortcrossref{cctfixedscalarmult} \\ \hline
$\AuthSignPublicRepr = \reprJ(\AuthSignPublic)$
& \textbf{Diversified address integrity} & 392 & \shortcrossref{ccteddecompressvalidate} \\ \hline
$\AuthProvePublicRepr = \reprJ(\AuthProvePublic)$
& \textbf{Nullifier integrity} & 392 & \shortcrossref{ccteddecompressvalidate} \\ \hline
$\InViewingKeyRepr = \ItoLEBSP{251}\big(\CRHivk(\AuthSignPublic, \AuthProvePublic)\big)\;\dagger$
& \textbf{Diversified address integrity} & 21262 & \shortcrossref{cctblake2s} \\ \hline
$\DiversifiedTransmitBase$ is on the curve
& $\DiversifiedTransmitBase \typecolon \GroupJ$ & 4 & \shortcrossref{cctedvalidate} \\ \hline
$\DiversifiedTransmitBase$ is not small order
& \textbf{Small order checks} & 16 & \shortcrossref{cctednonsmallorder} \\ \hline
$\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$
& \textbf{Diversified address integrity} & 3252 & \shortcrossref{cctvarscalarmult} \\ \hline
$\vOldRepr \typecolon \bitseq{64}$
& $\vOld{} \typecolon \binaryrange{64}$ & 64 & \shortcrossref{cctboolean} \\ \cline{1-1}\cline{3-4}
$\vOldRepr = \ItoLEBSP{64}(\vOld{})$
& & 1 & \shortcrossref{cctmodpack} \\ \hline
$\cv = \ValueCommit{\ValueCommitRand}(\vOld{})$
& \textbf{Value commitment integrity} & ? & \shortcrossref{ccthomomorphiccommit} ($\ell = 64$) \\ \cline{1-1}\cline{3-4}
inputize $\cv$
& & ? & \\ \hline
$\cm = \NoteCommitSapling{\NoteCommitRand}(\DiversifiedTransmitBase, \DiversifiedTransmitPublic, \vOld{})$
% = \WindowedPedersenCommit{\NoteCommitRand}(\vOldRepr \bconcat \DiversifiedTransmitBaseRepr \bconcat \DiversifiedTransmitPublicRepr)
& \textbf{Note commitment integrity} & ? & \shortcrossref{cctwindowedcommit} ($\ell = 576$) \\ \hline
$\cmURepr = \ExtractJ(\cm)$
& \textbf{Merkle path validity} & 0 & \\ \cline{1-1}\cline{3-4}
$\rt'$ is the root of a Merkle tree with leaf $\cmU$ and authentication path $(\TreePath{}, \NotePositionRepr)$
& & 32 \mult 1369 & \shortcrossref{cctmerklepath} \\ \cline{1-1}\cline{3-4}
$\NotePositionRepr = \ItoLEBSPOf{\MerkleDepthSapling}{\NotePosition}$
& & 1 & \shortcrossref{cctmodpack} \\ \cline{1-1}\cline{3-4}
if $\vOld{} \neq 0$ then $\rt' = \rt$
& & 1 & \shortcrossref{cctcondeq} \\ \cline{1-1}\cline{3-4}
inputize $\rt$
& & ? & \\ \hline
$\NoteAddressRand = \MixingPedersenHash(\cmOld{}, \NotePosition)$
& \textbf{Nullifier integrity} & ? & \shortcrossref{cctmixinghash} \\ \cline{1-1}\cline{3-4}
$\NoteAddressRandRepr = \reprJ\Of{\NoteAddressRand}$
& & 392 & \shortcrossref{ccteddecompressvalidate} \\ \cline{1-1}\cline{3-4}
$\nf = \PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRandRepr)$
& & 21262 & \shortcrossref{cctblake2s} \\ \hline
pack inputs
& & ? & \\ \hline %\shortcrossref{cctpackinputs}
\end{tabular}
\end{center}
\vspace{1ex}
$\dagger$ This is implemented by taking the output of $\BlakeTwos{256}$ as a bit sequence and dropping the most
significant $5$~bits, not by converting to an integer and back to a bit sequence as literally specified.
\vspace{-2ex}
\begin{pnotes}
\item The implementation represents $\AuthSignRandomizerRepr$, $\AuthProvePrivateRepr$ and $\InViewingKeyRepr$
as bit sequences rather than integers.
\item The scalar multiplication circuits take the scalar as a bit sequence. For example,
in $\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$
above, the multiplication takes
$\InViewingKeyRepr$ and $\DiversifiedTransmitBase$ as inputs and constrains
$\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$
where $\InViewingKeyRepr = \ItoLEBSPOf{251}{\InViewingKey}$.
\end{pnotes}
\introsection


@ -154,6 +154,16 @@ Proceedings of the 21st Annual International Cryptology Conference
urldate={2017-02-11}
}
@misc{BGM2018,
presort={BGM2018},
author={Sean Bowe and Ariel Gabizon and Ian Miers},
title={Scalable {M}ulti-party {C}omputation for zk-{SNARK} {P}arameters in the {R}andom {B}eacon {M}odel},
url={https://eprint.iacr.org/2017/1050},
urldate={2018-08-31},
howpublished={Cryptology ePrint Archive: Report 2017/1050.
Last revised November~5, 2017.}
}
@misc{Nakamoto2008,
presort={Nakamoto2008},
author={Satoshi Nakamoto},
@ -423,6 +433,22 @@ L. Hernández Encinas and C. Sánchez Ávila},
urldate={2016-08-14}
}
@article{ElGamal1985,
presort={ElGamal1985},
author={Taher ElGamal},
title={A public key cryptosystem and a signature scheme based on discrete logarithms},
journal={IEEE Transactions on Information Theory},
volume={31},
number={4},
date={1985-07},
issn={0018-9448},
pages={469--472},
publisher={IEEE},
doi={10.1109/TIT.1985.1057074},
url={https://people.csail.mit.edu/alinush/6.857-spring-2015/papers/elgamal.pdf},
urldate={2018-08-17}
}
@misc{ABR1999,
presort={ABR1999},
author={Michel Abdalla and Mihir Bellare and Phillip Rogaway},
@ -480,6 +506,14 @@ Last revised February~5, 2018.}
urldate={2018-04-03}
}
@misc{Dalek-notes,
presort={Dalek-notes},
author={Cathie Yun and Henry {de Valence} and Oleg Andreev and Dimitris Apostolou},
title={ristretto\_bulletproofs notes},
url={https://doc-internal.dalek.rs/ristretto_bulletproofs/notes/index.html},
urldate={2018-08-17}
}
@misc{Bitcoin-Base58,
presort={Bitcoin-Base58},
title={Base58{C}heck encoding --- {B}itcoin {W}iki},