The rest for beta-30 (sorry, I have a flight to catch).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent
b909f2a482
commit
3ecbe6b903
|
@ -135,6 +135,7 @@
|
|||
\newcolumntype{S}{>{$}r<{\;$}}
|
||||
\newcolumntype{T}{>{$}l<{\;$}}
|
||||
\newcolumntype{U}{>{$}l<{$}}
|
||||
\newcolumntype{C}{>{$}c<{$}}
|
||||
|
||||
\makeatletter
|
||||
\renewcommand*{\@fnsymbol}[1]{\ensuremath{\ifcase#1\or \dagger\or \ddagger\or \mathsection\or \mathparagraph\else\@ctrerr\fi}}
|
||||
|
@ -164,6 +165,7 @@
|
|||
\newcommand{\footnotewithlabel}[2]{\hairspace\oldfootnote{\label{#1}{#2}}}
|
||||
|
||||
\newcommand{\crossref}[1]{\raisebox{0ex}{\autoref{#1}}\hspace{0.2em}\emph{`\nameref*{#1}\kern -0.05em'} on p.\,\pageref*{#1}}
|
||||
\newcommand{\shortcrossref}[1]{\raisebox{0ex}{\autoref{#1}} on p.\,\pageref*{#1}}
|
||||
\newcommand{\theoremref}[1]{\raisebox{0ex}{\autoref{#1}\vphantom{,}} on p.\,\pageref*{#1}}
|
||||
\newcommand{\footnoteref}[1]{\hairspace\raisebox{0ex}{\cref{#1}}}
|
||||
|
||||
|
@ -403,6 +405,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\Bitcoin}{\termbf{Bitcoin}}
|
||||
\newcommand{\CryptoNote}{\termbf{CryptoNote}}
|
||||
\newcommand{\Mimblewimble}{\termbf{Mimblewimble}}
|
||||
\newcommand{\Bulletproofs}{\termbf{Bulletproofs}}
|
||||
\newcommand{\ZEC}{\termbf{ZEC}}
|
||||
\newcommand{\zatoshi}{\term{zatoshi}}
|
||||
\newcommand{\zcashd}{\textsf{zcashd}\,}
|
||||
|
@ -756,9 +759,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\pseudoRandomFunction}{\term{Pseudo Random Function}}
|
||||
\newcommand{\pseudoRandomFunctions}{\term{Pseudo Random Functions}}
|
||||
\newcommand{\PseudoRandomFunctions}{\titleterm{Pseudo Random Functions}}
|
||||
\newcommand{\pseudoRandomGenerator}{\term{Pseudo Random Generator}}
|
||||
\newcommand{\pseudoRandomGenerators}{\term{Pseudo Random Generators}}
|
||||
\newcommand{\PseudoRandomGenerators}{\titleterm{Pseudo Random Generators}}
|
||||
\newcommand{\pseudoRandomPermutation}{\term{Pseudo Random Permutation}}
|
||||
\newcommand{\pseudoRandomGenerators}{\term{Pseudo Random Generators}} % only in Change History
|
||||
\newcommand{\expandedSeed}{\term{expanded seed}}
|
||||
\newcommand{\shaHashFunction}{\term{SHA-256 hash function}}
|
||||
\newcommand{\shaCompress}{\term{SHA-256 compression}}
|
||||
|
@ -948,6 +950,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\InViewingKey}{\mathsf{ivk}}
|
||||
\newcommand{\InViewingKeyLength}{\ell_{\InViewingKey}}
|
||||
\newcommand{\InViewingKeyTypeSapling}{\binaryrange{\InViewingKeyLength}}
|
||||
\newcommand{\InViewingKeyRepr}{{\InViewingKey\Repr}}
|
||||
\newcommand{\InViewingKeyLeadByte}{\hexint{A8}}
|
||||
\newcommand{\InViewingKeySecondByte}{\hexint{AB}}
|
||||
\newcommand{\InViewingKeyThirdByte}{\hexint{D3}}
|
||||
|
@ -1012,7 +1015,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\AuthSignRandomizedPublicRepr}{{\AuthSignRandomizedPublic\Repr}}
|
||||
\newcommand{\AuthSignRandomizedPrivate}{\mathsf{rsk}}
|
||||
\newcommand{\AuthSignRandomizer}{\alpha}
|
||||
\newcommand{\AuthSignRandomizerRepr}{{\AuthSignRandomizer\Repr}}
|
||||
\newcommand{\AuthProvePrivate}{\mathsf{nsk}}
|
||||
\newcommand{\AuthProvePrivateRepr}{{\AuthProvePrivate\Repr}}
|
||||
\newcommand{\AuthProveBase}{\mathcal{H}}
|
||||
\newcommand{\AuthProvePublic}{\mathsf{nk}}
|
||||
\newcommand{\AuthProvePublicRepr}{{\AuthProvePublic\Repr}}
|
||||
|
@ -1021,6 +1026,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\OutViewingKeyType}{\byteseq{\OutViewingKeyLength/8}}
|
||||
\newcommand{\OutCipherKey}{\mathsf{ock}}
|
||||
\newcommand{\NotePosition}{\mathsf{pos}}
|
||||
\newcommand{\NotePositionRepr}{{\NotePosition\Repr}}
|
||||
\newcommand{\NotePositionBase}{\mathcal{J}}
|
||||
\newcommand{\NotePositionTypeSprout}{\binaryrange{\MerkleDepthSprout}}
|
||||
\newcommand{\NotePositionTypeSapling}{\binaryrange{\MerkleDepthSapling}}
|
||||
|
@ -1033,6 +1039,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\DiversifiedTransmitPublic}{\mathsf{pk_d}}
|
||||
\newcommand{\DiversifiedTransmitPublicRepr}{\mathsf{pk\Repr_d}}
|
||||
\newcommand{\DiversifiedTransmitPublicNew}{\mathsf{pk^{new}_d}}
|
||||
\newcommand{\vOldRepr}{\MakeRepr{\mathsf{v}}{\mathsf{old}}}
|
||||
|
||||
% PRFs
|
||||
|
||||
|
@ -1186,7 +1193,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\cvOld}[1]{\cv^\mathsf{old}_{#1}}
|
||||
\newcommand{\cvNew}[1]{\cv^\mathsf{new}_{#1}}
|
||||
\newcommand{\cm}{\mathsf{cm}}
|
||||
\newcommand{\cmU}{\mathsf{cm}_{\kern -0.06em u}}
|
||||
\newcommand{\cmU}{\cm_{\kern -0.06em u}}
|
||||
\newcommand{\cmURepr}{\cm\Repr_{\kern -0.04em u}}
|
||||
\newcommand{\cmOld}[1]{\cm^\mathsf{old}_{#1}}
|
||||
\newcommand{\cmNew}[1]{\cm^\mathsf{new}_{#1}}
|
||||
\newcommand{\snOld}[1]{\mathsf{sn}^\mathsf{old}_{#1}}
|
||||
|
@ -1409,7 +1417,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\nullifiersField}{\mathtt{nullifiers}}
|
||||
\newcommand{\rkField}{\mathtt{rk}}
|
||||
\newcommand{\cvField}{\mathtt{cv}}
|
||||
\newcommand{\cmField}{\mathtt{cmu}}
|
||||
\newcommand{\cmuField}{\mathtt{cmu}}
|
||||
\newcommand{\commitment}{\mathtt{commitment}}
|
||||
\newcommand{\commitments}{\mathtt{commitments}}
|
||||
\newcommand{\ephemeralKey}{\mathtt{ephemeralKey}}
|
||||
|
@ -1821,6 +1829,8 @@ This specification is structured as follows:
|
|||
\notsprout{
|
||||
\item Appendix: Circuit Design — details of how the \Sapling circuit is defined
|
||||
as a \quadraticConstraintProgram.
|
||||
\item Appendix: Batching Optimizations — improvements to the efficiency of
|
||||
verifying multiple signatures and proofs.
|
||||
}
|
||||
\end{itemize}
|
||||
|
||||
|
@ -1952,9 +1962,9 @@ Outside the \zkSNARK, it is \sprout{also} checked that the \nullifiers for the i
|
|||
\notes had not already been revealed (i.e.\ they had not already been spent).
|
||||
|
||||
A \paymentAddress includes
|
||||
\sprout{two public keys: a \payingKey matching that of \notes sent to the address, and}
|
||||
a \transmissionKey for a key-private asymmetric encryption
|
||||
scheme. \quotedterm{Key-private} means that ciphertexts do not reveal information
|
||||
\sprout{two public keys: a \payingKey matching that of \notes sent to the address, and }a
|
||||
\transmissionKey for a ``\keyPrivate'' asymmetric encryption
|
||||
scheme. \mbox{\xKeyPrivate} means that ciphertexts do not reveal information
|
||||
about which key they were encrypted to, except to a holder of the corresponding
|
||||
private key, which in this context is called the \receivingKey. This facility is
|
||||
used to communicate encrypted output \notes on the \blockchain to their
|
||||
|
@ -3347,7 +3357,9 @@ $\ValueCommit{}$ is instantiated in \crossref{concretevaluecommit}.
|
|||
\vspace{-2ex}
|
||||
\nnote{$\NoteCommitSapling{}$ and $\ValueCommit{}$ always return points in the subgroup $\SubgroupJ$.
|
||||
However, we declare the type of these commitment outputs to be $\GroupJ$ because they are not
|
||||
checked to be in the subgroup when used in \spendDescriptions and \outputDescriptions.}
|
||||
directly checked to be in the subgroup when $\ValueCommit{}$ outputs appear in \spendDescriptions
|
||||
and \outputDescriptions, or when the $\cmuField$ field derived from a $\NoteCommitSapling{}$ appears
|
||||
in an \outputDescription.}
|
||||
} %sapling
|
||||
|
||||
|
||||
|
@ -3799,6 +3811,8 @@ if this happens, discard the key and repeat with a different $\SpendingKey$.
|
|||
is bijective, the distribution of $\reprJ\Of{\AuthProvePublic}$ will be computationally
|
||||
indistinguishable from the uniform distribution on $\SubgroupReprJ$
|
||||
which is the keyspace of $\PRFnfSapling{}$.
|
||||
\item The zcashd wallet generates \diversifiers according to \cite{ZIP-32} rather than
|
||||
using the default \diversifier specified above.
|
||||
\end{nnotes}
|
||||
\vspace{-2ex}
|
||||
} %sapling
|
||||
|
@ -4584,6 +4598,10 @@ other parties that are cooperating to create the \transaction. If all of the
|
|||
\nnote{
|
||||
The technique of checking signatures using a public key derived from a sum of
|
||||
\xPedersenCommitments is also used in the \Mimblewimble protocol \cite{Jedusor2016}.
|
||||
The private key $\BindingPrivate$ acts as a \quotedterm{synthetic blinding factor},
|
||||
in the sense that it is synthesized from the other blinding factors (trapdoors)
|
||||
$\ValueCommitRandOld{\alln}$ and $\ValueCommitRandNew{\allm}$; this technique is
|
||||
also used in \Bulletproofs \cite{Dalek-notes}.
|
||||
} %nnote
|
||||
} %sapling
|
||||
|
||||
|
@ -4636,10 +4654,10 @@ The resulting $\spendAuthSig$ and $\ProofSpend$ are included in the \spendDescri
|
|||
|
||||
\vspace{-1ex}
|
||||
\pnote{
|
||||
If the spender is computationally or memory-limited, step 4 \MAY be delegated to a different
|
||||
party that is capable of performing the \zkProof. In this case privacy will be lost to that
|
||||
party since it needs $\AuthSignPublic$ and the \authProvingKey $\AuthProvePrivate$; this allows
|
||||
also deriving the $\AuthProvePublic$ component of the \fullViewingKey. Together
|
||||
If the spender is computationally or memory-limited, step 4 (and only step 4) \MAY be delegated
|
||||
to a different party that is capable of performing the \zkProof. In this case privacy will be
|
||||
lost to that party since it needs $\AuthSignPublic$ and the \authProvingKey $\AuthProvePrivate$;
|
||||
this allows also deriving the $\AuthProvePublic$ component of the \fullViewingKey. Together
|
||||
$\AuthSignPublic$ and $\AuthProvePublic$ are sufficient to recognize spent \notes and to
|
||||
recognize and decrypt incoming \notes. However, the other party will not obtain spending
|
||||
authority for other \transactions, since it is not able to create a \spendAuthSignature by itself.
|
||||
|
@ -5193,9 +5211,9 @@ Then to encrypt:
|
|||
\item \tab choose random $\OutCipherKey \leftarrowR \Keyspace$ and $\OutPlaintext \leftarrowR \byteseq{(\ellJ + 256)/8}$
|
||||
\item else:
|
||||
\item \tab let $\cvField = \LEBStoOSP{\ellJ}\big(\reprJ(\cvNew{})\kern-0.12em\big)$
|
||||
\item \tab let $\cmField = \LEBStoOSP{256}\big(\ExtractJ(\cmNew{})\kern-0.12em\big)$
|
||||
\item \tab let $\cmuField = \LEBStoOSP{256}\big(\ExtractJ(\cmNew{})\kern-0.12em\big)$
|
||||
\item \tab let $\ephemeralKey = \LEBStoOSPOf{\ellJ}{\reprJ\Of{\EphemeralPublic}\kern 0.03em}$
|
||||
\item \tab let $\OutCipherKey = \PRFock{\OutViewingKey}(\cvField, \cmField, \ephemeralKey)$
|
||||
\item \tab let $\OutCipherKey = \PRFock{\OutViewingKey}(\cvField, \cmuField, \ephemeralKey)$
|
||||
\item \tab let $\OutPlaintext = \LEBStoOSPOf{\ellJ + 256}{\reprJ(\DiversifiedTransmitPublicNew) \,\bconcat\, \ItoLEBSPOf{256}{\EphemeralPrivate}\kern-0.12em}$
|
||||
\item \vspace{-2ex}
|
||||
\item let $\OutCiphertext = \SymEncrypt{\OutCipherKey}(\OutPlaintext)$
|
||||
|
@ -5223,7 +5241,7 @@ Let $\InViewingKey \typecolon \InViewingKeyTypeSapling$ be the recipient's \inco
|
|||
as specified in \crossref{saplingkeycomponents}.
|
||||
|
||||
Let $(\EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext)$ be the \noteCiphertext from the
|
||||
\outputDescription{}. Let $\cmField$ be that field of the \outputDescription (encoding the
|
||||
\outputDescription{}. Let $\cmuField$ be that field of the \outputDescription (encoding the
|
||||
$u$-coordinate of the \noteCommitment).
|
||||
|
||||
\introlist
|
||||
|
@ -5244,7 +5262,7 @@ components of the \noteCiphertext as follows:
|
|||
\item let $\cmU' = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRandNew{}}(\reprJ\Of{\DiversifiedTransmitBase},
|
||||
\reprJ\Of{\DiversifiedTransmitPublic},
|
||||
\Value)\kern-0.12em\big)$.
|
||||
\item if $\LEBStoOSPOf{256}{\cmU'} \neq \cmField$, return $\bot$, else return $\NotePlaintext{}$.
|
||||
\item if $\LEBStoOSPOf{256}{\cmU'} \neq \cmuField$, return $\bot$, else return $\NotePlaintext{}$.
|
||||
\end{algorithm}
|
||||
|
||||
A received \Sapling{} \note is necessarily a \positionedNote, and so its
|
||||
|
@ -5275,7 +5293,7 @@ in \crossref{saplingkeycomponents}, that is to be used for decryption.
|
|||
this method.)
|
||||
|
||||
Let $(\EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext)$ be the \noteCiphertext,
|
||||
and let $\cvField$, $\cmField$, and $\ephemeralKey$ be those
|
||||
and let $\cvField$, $\cmuField$, and $\ephemeralKey$ be those
|
||||
fields of the \outputDescription (encoding the \valueCommitment, the $u$-coordinate
|
||||
of the \noteCommitment, and $\EphemeralPublic$).
|
||||
|
||||
|
@ -5285,7 +5303,7 @@ The \outgoingViewingKey holder will attempt to decrypt the \noteCiphertext as fo
|
|||
|
||||
\introlist
|
||||
\begin{algorithm}
|
||||
\item let $\OutCipherKey = \PRFock{\OutViewingKey}(\cvField, \cmField, \ephemeralKey)$
|
||||
\item let $\OutCipherKey = \PRFock{\OutViewingKey}(\cvField, \cmuField, \ephemeralKey)$
|
||||
\item let $\OutPlaintext = \SymDecrypt{\OutCipherKey}(\OutCiphertext)$
|
||||
\item if $\OutPlaintext = \bot$, return $\bot$
|
||||
\item extract $(\DiversifiedTransmitPublicRepr \typecolon \ReprJ,
|
||||
|
@ -5307,7 +5325,7 @@ The \outgoingViewingKey holder will attempt to decrypt the \noteCiphertext as fo
|
|||
\item let $\cmU' = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRandNew{}}(\reprJ\Of{\DiversifiedTransmitBase},
|
||||
\reprJ\Of{\DiversifiedTransmitPublic},
|
||||
\Value)\kern-0.12em\big)$.
|
||||
\item if $\LEBStoOSPOf{256}{\cmU'} \neq \cmField$, return $\bot$, else return $\NotePlaintext{}$.
|
||||
\item if $\LEBStoOSPOf{256}{\cmU'} \neq \cmuField$, return $\bot$, else return $\NotePlaintext{}$.
|
||||
\end{algorithm}
|
||||
} %sapling
|
||||
|
||||
|
@ -6307,7 +6325,7 @@ be necessary.})
|
|||
\begin{bytefield}[bitwidth=0.038em]{512}
|
||||
\sbitbox{256}{$\LEBStoOSPOf{256}{\OutViewingKey}$} &
|
||||
\sbitbox{256}{$32$-byte $\cvField$}
|
||||
\sbitbox{256}{$32$-byte $\cmField$} &
|
||||
\sbitbox{256}{$32$-byte $\cmuField$} &
|
||||
\sbitbox{264}{$32$-byte $\ephemeralKey$}
|
||||
\end{bytefield}
|
||||
\end{lrbox}
|
||||
|
@ -6351,7 +6369,7 @@ It is instantiated using the $\BlakeTwobGeneric$ \hashFunction defined in
|
|||
\crossref{concreteblake2}:
|
||||
|
||||
\begin{formulae}
|
||||
\item $\PRFock{\OutViewingKey}(\cvField, \cmField, \ephemeralKey) := \BlakeTwobOf{256}{\ascii{Zcash\_Derive\_ock}, \ockInput}$
|
||||
\item $\PRFock{\OutViewingKey}(\cvField, \cmuField, \ephemeralKey) := \BlakeTwobOf{256}{\ascii{Zcash\_Derive\_ock}, \ockInput}$
|
||||
\item where $\ockInput = \Justthebox{\ockbox}$.
|
||||
\end{formulae}
|
||||
|
||||
|
@ -6359,7 +6377,7 @@ It is instantiated using the $\BlakeTwobGeneric$ \hashFunction defined in
|
|||
\securityrequirement{
|
||||
$\BlakeTwobOf{512}{\ascii{Zcash\_Derive\_ock}, \ockInput}$ must be a
|
||||
PRF for output range $\Keyspace$ (defined in \crossref{concretesym}) when keyed by the bits corresponding
|
||||
to $\OutViewingKey$, with input in the bits corresponding to $\cvField$, $\cmField$, and $\ephemeralKey$.
|
||||
to $\OutViewingKey$, with input in the bits corresponding to $\cvField$, $\cmuField$, and $\ephemeralKey$.
|
||||
} %securityrequirement
|
||||
|
||||
\vspace{2ex}
|
||||
|
@ -6719,7 +6737,16 @@ at least $\ParamG{r}$. It \emph{does} check that $\RedDSAReprR{}$ is the canonic
|
|||
verification of batches of $\RedDSA$ signatures.
|
||||
\end{pnotes}
|
||||
|
||||
\vspace{1ex}
|
||||
\vspace{-2ex}
|
||||
\nnote{The randomization used in $\RedDSARandomizePrivate$ and $\RedDSARandomizePublic$
|
||||
may interact with other uses of additive properties of keys for Schnorr-based signature schemes.
|
||||
In the \Zcash protocol, such properties are used for \bindingSignatures but not at the same time
|
||||
as key randomization. They are also used in \cite{ZIP-32} when deriving child extended keys,
|
||||
but this does not result in any practical security weakness as long as the security recommendations
|
||||
of ZIP-32 are followed. If $\RedDSA$ is reused in other protocols making use of these additive
|
||||
properties, careful analysis of potential interactions is required.}
|
||||
|
||||
\vspace{3ex}
|
||||
\introlist
|
||||
The two abelian groups specified in \crossref{abstractsighom} are instantiated for $\RedDSA$
|
||||
as follows:
|
||||
|
@ -6880,13 +6907,15 @@ instantiated as follows using $\WindowedPedersenCommitAlg$:
|
|||
(They are in fact unconditionally hiding \commitmentSchemes.)
|
||||
|
||||
\vspace{-2ex}
|
||||
\pnote{
|
||||
The prefix $\ones{6}$ distinguishes the use of $\WindowedPedersenCommitAlg$ in
|
||||
$\NoteCommitSaplingAlg$ from the layer prefix used in $\MerkleCRHSapling$ (see
|
||||
\crossref{merklecrh}). The latter is a $6$-bit little-endian encoding of an integer
|
||||
in $\range{0}{\MerkleDepthSapling-1}$, and so cannot collide with $\ones{6}$ because
|
||||
$\MerkleDepthSapling < 64$.
|
||||
} %pnote
|
||||
\begin{pnotes}
|
||||
\item The prefix $\ones{6}$ distinguishes the use of $\WindowedPedersenCommitAlg$ in
|
||||
$\NoteCommitSaplingAlg$ from the layer prefix used in $\MerkleCRHSapling$ (see
|
||||
\crossref{merklecrh}). The latter is a $6$-bit little-endian encoding of an integer
|
||||
in $\range{0}{\MerkleDepthSapling-1}$; because $\MerkleDepthSapling < 64$, this
|
||||
cannot collide with $\ones{6}$.
|
||||
\item The arguments to $\NoteCommitSapling{}$ are in a different order to their encodings
|
||||
in $\WindowedPedersenCommit{}$. There is no particularly good reason for this.
|
||||
\end{pnotes}
|
||||
} %sapling
|
||||
|
||||
|
||||
|
@ -8084,7 +8113,7 @@ the \Sprout \joinSplitCircuit used after \Sapling activation, are respectively:
|
|||
\texttt{d5054e371842b3f88fa1b9d7e8e075249b3ebabd167fa8b0f3161292d36c180a sprout-groth16.params}
|
||||
\end{lines}
|
||||
|
||||
These parameters were obtained by a multi-party computation described in \todo{}.
|
||||
These parameters were obtained by a multi-party computation described in \cite{BGM2018}.
|
||||
} %sapling
|
||||
|
||||
|
||||
|
@ -8516,7 +8545,7 @@ Bytes & \heading{Name} & \heading{Data Type} & \heading{Description} \\
|
|||
$32$ & $\cvField$ & \type{char[32]} & A \valueCommitment to the value of the output \note,
|
||||
$\LEBStoOSPOf{256}{\reprJ\Of{\cv}\kern 0.05em}$. \\ \hline
|
||||
|
||||
$32$ & $\cmField$ & \type{char[32]} & The $u$-coordinate of the \noteCommitment for the output \note,
|
||||
$32$ & $\cmuField$ & \type{char[32]} & The $u$-coordinate of the \noteCommitment for the output \note,
|
||||
$\LEBStoOSPOf{256}{\cmU}$ where $\cmU = \ExtractJ(\cm)$. \\ \hline
|
||||
|
||||
$32$ & $\ephemeralKey$ & \type{char[32]} & An encoding of an ephemeral $\JubjubCurve$ public key,
|
||||
|
@ -8539,7 +8568,7 @@ The $\ephemeralKey$, $\encCiphertext$, and $\outCiphertext$ fields together form
|
|||
\noteCiphertext, which is computed as described in \crossref{saplinginband}.
|
||||
|
||||
\vspace{-4ex}
|
||||
\consensusrule{$\LEOStoIPOf{256}{\cmField}$ \MUST be less than $\ParamJ{q}$.}
|
||||
\consensusrule{$\LEOStoIPOf{256}{\cmuField}$ \MUST be less than $\ParamJ{q}$.}
|
||||
|
||||
\vspace{-0.5ex}
|
||||
Other consensus rules applying to an \outputDescription are given in \crossref{outputdesc}.
|
||||
|
@ -9529,7 +9558,7 @@ The motivations for this change were as follows:
|
|||
--counting conservatively-- 576 possible combinations of options and
|
||||
algorithms over the four standards (ANSI X9.63, IEEE Std 1363a-2004,
|
||||
ISO/IEC 18033-2, and SEC 1) that define ECIES variants \cite{MAEA2010}.
|
||||
\item Although the \Zerocash paper states that ECIES satisfies key privacy
|
||||
\item Although the \Zerocash paper states that ECIES satisfies \keyPrivacy
|
||||
(as defined in \cite{BBDP2001}), it is not clear that this holds for
|
||||
all curve parameters and key distributions. For example, if a group of
|
||||
non-prime order is used, the distribution of ciphertexts could be
|
||||
|
@ -9579,7 +9608,7 @@ resulting scheme. Although DHAES as defined in that paper does not pass the
|
|||
recipient public key or a public seed to the \hashFunction $H$, this does not
|
||||
impair the proof because we can consider $H$ to be the specialization of our
|
||||
KDF to a given recipient key and seed. (Passing the recipient public key to
|
||||
the KDF could in principle compromise key privacy, but not confidentiality of
|
||||
the KDF could in principle compromise \keyPrivacy, but not confidentiality of
|
||||
encryption.) \sproutspecific{It is necessary to adapt the
|
||||
``HDH independence'' assumptions and the proof slightly to take into account
|
||||
that the ephemeral key is reused for two encryptions.}
|
||||
|
@ -9737,12 +9766,34 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\section{Change History}
|
||||
|
||||
\subparagraph{2018.0-beta-30}
|
||||
2018-09-02
|
||||
|
||||
\begin{itemize}
|
||||
\item No changes to \Sprout.
|
||||
\sapling{
|
||||
\item Give an informal security argument for Unlinkability of \diversifiedPaymentAddresses
|
||||
based on to reduction to \keyPrivacy of ElGamal encryption, for which a security proof
|
||||
is given in \cite{BBDP2001}. (This argument has gaps which will be addressed in a future
|
||||
version.)
|
||||
\item Add a reference to \cite{BGM2018} for the \Sapling \zkSNARK parameters.
|
||||
\item Write \crossref{cctsaplingspend} (draft).
|
||||
\item Add a reference to the ristretto\_bulletproofs design notes
|
||||
\cite{Dalek-notes} for the synthetic blinding factor technique.
|
||||
\item Ensure that the constraint costs in \crossref{cctedvalidate} and
|
||||
\crossref{cctednonsmallorder} accurately reflect the sapling-crypto
|
||||
implementation.
|
||||
\item Minor correction to the non-normative note in \crossref{cctrange}.
|
||||
\item Clarify the non-normative note in \crossref{abstractcommit} about
|
||||
the definitions of $\ValueCommitOutput$ and $\NoteCommitSaplingOutput$.
|
||||
\item Clarify that the signer of a \spendAuthSignature is supposed to choose
|
||||
the \spendAuthRandomizer, $\AuthSignRandomizer$, itself. Only step 4 in the
|
||||
procedure in \crossref{spendauthsig} may securely be delegated.
|
||||
\item Add a non-normative note to \crossref{concretereddsa} explaining that
|
||||
$\RedDSA$ key randomization may interact with other uses of additive
|
||||
properties of Schnorr keys.
|
||||
} %sapling
|
||||
\item Add dates to Change History entries. (These are the dates of the git tags
|
||||
in local, i.e.\ UK, time.)
|
||||
\end{itemize}
|
||||
|
||||
\introlist
|
||||
|
@ -9905,9 +9956,9 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
$\GroupG{}$ and $\GroupJ$ where applicable.
|
||||
\item Change the types of \auxiliaryInputs to the \spendStatement and \outputStatement, to be more
|
||||
faithful to the implementation.
|
||||
\item Rename the $\texttt{cm}$ field of an \outputDescription to $\cmField$, reflecting the fact that
|
||||
\item Rename the $\texttt{cm}$ field of an \outputDescription to $\cmuField$, reflecting the fact that
|
||||
it is a \jubjubCurve $u$-coordinate.
|
||||
\item Add explicit consensus rules that the $\anchorField$ field of a \spendDescription and the $\cmField$
|
||||
\item Add explicit consensus rules that the $\anchorField$ field of a \spendDescription and the $\cmuField$
|
||||
field of an \outputDescription{} must be canonical encodings.
|
||||
\item Enforce that $\EphemeralPrivate$ in $\outCiphertext$ is a canonical encoding.
|
||||
\item Add consensus rules that $\cv$ in a \spendDescription, and $\cv$ and $\EphemeralPublic$ in an
|
||||
|
@ -9982,7 +10033,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\item Fail \Sapling key generation if $\InViewingKey = 0$. (This has negligible probability.)
|
||||
\item Change the notation $\RedDSAHash^{\star}$ to $\RedDSAHashToScalar$ in \crossref{concreteredjubjub},
|
||||
to avoid confusion with the $^{\Repr}$ convention for representations of group elements.
|
||||
\item $\cmField$ encodes only the $u$-coordinate of the \noteCommitment, not the full curve point.
|
||||
\item $\cmuField$ encodes only the $u$-coordinate of the \noteCommitment, not the full curve point.
|
||||
\item $\AuthSignRandomizedPublic$ is checked to be not of small order outside the \spendStatement,
|
||||
not in the \spendStatement.
|
||||
\item Change terminology describing constraint systems.
|
||||
|
@ -11048,16 +11099,18 @@ sufficient to compute an \Nary{} AND of $a_{\barerange{m}{m+N-2}}$ and $\Pi_{m+N
|
|||
$R = \sproduct{i=0}{N-1}{X_i}$. This can be computed in $3$ constraints for any
|
||||
$N$; boolean-constrain the output $R$, and then add constraints
|
||||
|
||||
\vspace{1ex}
|
||||
\newcommand{\NminusSumOfX}{\vphantom{\Big(}\smash{N - \ssum{i=0}{N-1}{X_i}}}
|
||||
|
||||
\vspace{0.5ex}
|
||||
\begin{tabular}{@{\tab}l@{\;\;}l}
|
||||
$\constraint{N - \ssum{i=0}{N-1}{X_i}}{\mathsf{inv}}{1-R}$ &to enforce that
|
||||
$\constraint{\NminusSumOfX}{\mathsf{inv}}{1-R}$ &to enforce that
|
||||
$\ssum{i=0}{N-1}{X_i} \neq N$ when $R = 0$; \\[2ex]
|
||||
$\constraint{N - \ssum{i=0}{N-1}{X_i}}{R}{0}$ &to enforce that
|
||||
$\constraint{\NminusSumOfX}{R}{0}$ &to enforce that
|
||||
$\ssum{i=0}{N-1}{X_i} = N$ when $R = 1$. \\
|
||||
\end{tabular}
|
||||
|
||||
\vspace{-1ex}
|
||||
where $\mathsf{inv}$ is witnessed as $\Big(N - \ssum{i=0}{N-1}{X_i}\Big)^{\!-1}$ if $R = 0$
|
||||
\vspace{1ex}
|
||||
where $\mathsf{inv}$ is witnessed as $\smash{\Of{\NminusSumOfX}^{-1}}$ if $R = 0$
|
||||
or is unconstrained otherwise. (Since $N < \ParamS{r}$, the sums cannot overflow.)
|
||||
|
||||
In fact the last constraint is not needed in this context because it is sufficient to
|
||||
|
@ -11075,18 +11128,26 @@ These optimizations are not used in \Sapling.}
|
|||
|
||||
\subsubsubsection{Checking that affine Edwards coordinates are on the curve} \label{cctedvalidate}
|
||||
|
||||
To check that $(u, \varv)$ is a point on the Edwards curve, use:
|
||||
To check that $(u, \varv)$ is a point on the Edwards curve, the \Sapling circuit uses
|
||||
$4$ constraints:
|
||||
|
||||
\begin{formulae}
|
||||
\item $\constraint{u}{u}{uu}$
|
||||
\item $\constraint{\varv}{\varv}{\varvv}$
|
||||
\item $\constraint{\ParamJ{d} \smult uu}{\varvv}{\ParamJ{a} \smult uu + \varvv - 1}$
|
||||
\item $\constraint{uu}{\varvv}{uu\varvv}$
|
||||
\item $\constraint{\ParamJ{a} \smult uu + \varvv}{1}{1 + \ParamJ{d} \smult uu\varvv}$
|
||||
\end{formulae}
|
||||
|
||||
\vspace{-4ex}
|
||||
\nnote{The last two constraints can be combined into
|
||||
$\constraint{\ParamJ{d} \smult uu}{\varvv}{\ParamJ{a} \smult uu + \varvv - 1}$.
|
||||
The \Sapling circuit does not use this optimization.}
|
||||
|
||||
|
||||
\introsection
|
||||
\subsubsubsection{Edwards [de]compression and validation} \label{ccteddecompressvalidate}
|
||||
|
||||
\introlist
|
||||
Define $\DecompressValidate \typecolon \CompressedEdwardsJubjub \rightarrow \AffineEdwardsJubjub$
|
||||
as follows:
|
||||
|
||||
|
@ -11099,17 +11160,17 @@ as follows:
|
|||
\item \tab Check that $(u, \varv)$ is a point on the Edwards curve.
|
||||
\vspace{1ex}
|
||||
\item \tab // \crossref{cctmodpack}.
|
||||
\item \tab Unpack $u$ to $\vsum{i=0}{254} u_i \mult 2^i$, equating $\tilde{u}$ with $u_0$.
|
||||
\item \tab Unpack $u$ to $\ssum{i=0}{254} u_i \mult 2^i$, equating $\tilde{u}$ with $u_0$.
|
||||
\vspace{1ex}
|
||||
\item \tab // \crossref{cctrange}.
|
||||
\item \tab Check that $\vsum{i=0}{254} u_i \mult 2^i \leq \ParamS{r}-1$.
|
||||
\item \tab Check that $\ssum{i=0}{254} u_i \mult 2^i \leq \ParamS{r}-1$.
|
||||
\vspace{1ex}
|
||||
\item \tab Return $(u, \varv)$.
|
||||
\end{algorithm}
|
||||
|
||||
This costs $3$ constraints for the curve equation check, $1$ constraint for the
|
||||
This costs $4$ constraints for the curve equation check, $1$ constraint for the
|
||||
unpacking, and $387$ constraints for the range check (as computed in \crossref{cctrange})
|
||||
for a total of $391$ constraints. The cost of the range check includes
|
||||
for a total of $392$ constraints. The cost of the range check includes
|
||||
boolean-constraining $u_\barerange{0}{254}$.
|
||||
|
||||
The same \quadraticConstraintProgram is used for compression and decompression.
|
||||
|
@ -11330,24 +11391,32 @@ in combination with a check that the coordinates are on the curve (\crossref{cct
|
|||
so we combine the two operations.
|
||||
|
||||
The \jubjubCurve has a large prime-order subgroup with a cofactor of $8$.
|
||||
To check for a point $P$ of order $8$ or less, we double twice (as in
|
||||
\crossref{cctedarithmetic}) and check that the resulting $u$-coordinate
|
||||
is not $0$ (as in \crossref{cctnonzero}).
|
||||
To check for a point $P$ of order $8$ or less, the \Sapling circuit doubles
|
||||
three times (as in \crossref{cctedarithmetic}) and checks that the resulting
|
||||
$u$-coordinate is not $0$ (as in \crossref{cctnonzero}).
|
||||
|
||||
On a twisted Edwards curve, only the zero point $\ZeroJ$, and the unique point
|
||||
of order $2$ at $(0, -1)$ have zero $u$-coordinate. So this $u$-coordinate check rejects
|
||||
both $\ZeroJ$ and the point of order $2$, and no other points.
|
||||
of order $2$ at $(0, -1)$ have zero $u$-coordinate. The point of order $2$ cannot
|
||||
occur as the result of three doublings. So this $u$-coordinate check rejects
|
||||
only $\ZeroJ$.
|
||||
|
||||
The total cost, including the curve check, is $3 + 2 \mult 5 + 1 = 14$ constraints.
|
||||
The total cost, including the curve check, is $4 + 3 \mult 5 + 1 = 20$ constraints.
|
||||
|
||||
\vspace{-2ex}
|
||||
\pnote{This \emph{does not} ensure that the point is in the prime-order subgroup.}
|
||||
|
||||
\vspace{-2ex}
|
||||
\nnote{It is possible to reduce the cost to $8$ constraints by merging the first doubling
|
||||
with the curve point check, and then optimizing the second doubling based on the fact that
|
||||
we only need to check whether the resulting $u$-coordinate is zero. However, the \Sapling
|
||||
circuit does not use these optimizations.}
|
||||
\begin{nnotes}
|
||||
\item It would have been sufficient to do two doublings rather than three, because
|
||||
the check that the $u$-coordinate is nonzero would reject both $\ZeroJ$
|
||||
and the point of order $2$.
|
||||
\item It is possible to reduce the cost to $8$ constraints by eliminating the
|
||||
redundant constraint in the curve point check mentioned in
|
||||
\crossref{cctedvalidate}; merging the first doubling with the curve point check;
|
||||
and then optimizing the second doubling based on the fact that we only need
|
||||
to check whether the resulting $u$-coordinate is zero.
|
||||
The \Sapling circuit does not use these optimizations.
|
||||
\end{nnotes}
|
||||
|
||||
|
||||
\introsection
|
||||
|
@ -11664,7 +11733,18 @@ as follows:
|
|||
In the case that we need for $\ValueCommit{}$, $\Value$ has $64$
|
||||
bits\footnote{It would be sufficient to use $51$ bits, which accomodates the range
|
||||
$\range{0}{\MAXMONEY}$, but the \Sapling circuit uses $64$.}.
|
||||
This can be straightforwardly implemented in ... constraints.
|
||||
This value is given as a bit representation, which does not need to be constrained
|
||||
equal to an integer.
|
||||
|
||||
\introlist
|
||||
$\ValueCommit{}$ can be implemented in:
|
||||
\begin{itemize}
|
||||
\item $64$ constraints to boolean-constrain the value bits;
|
||||
\item $750$ constraints for the $252$-bit fixed-base multiplication by $\ValueCommitRand$;
|
||||
\item $?$ constraints for the $64$-bit fixed-base multiplication by $\Value$;
|
||||
\item $6$ constraints for the Edwards addition
|
||||
\end{itemize}
|
||||
for a total cost of $?$ constraints.
|
||||
|
||||
|
||||
\subsubsection{BLAKE2s hashes} \label{cctblake2s}
|
||||
|
@ -11810,12 +11890,142 @@ final $\xor$ operations), but not the message bits.
|
|||
\end{nnotes}
|
||||
|
||||
|
||||
\introsection
|
||||
\intropart
|
||||
\subsection{The SaplingSpend circuit} \label{cctsaplingspend}
|
||||
|
||||
The \Sapling Spend \statement is defined in \crossref{spendstatement}.
|
||||
|
||||
The primary input is
|
||||
\begin{formulae}
|
||||
\item ...
|
||||
\item $\oparen\rt \typecolon \MerkleHashSapling,\\
|
||||
\hparen\cvOld{} \typecolon \ValueCommitOutput,\\
|
||||
\hparen\nfOld{} \typecolon \bitseq{\PRFOutputLengthNfSapling},\\
|
||||
\hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic\cparen$,
|
||||
\end{formulae}
|
||||
and the auxiliary input is
|
||||
\begin{formulae}
|
||||
\item $\oparen\TreePath{} \typecolon \typeexp{\MerkleHash}{\MerkleDepthSapling},\\
|
||||
\hparen\NotePosition \typecolon \NotePositionTypeSapling,\vspace{0.4ex}\\
|
||||
\hparen\DiversifiedTransmitBase \typecolon \GroupJ,\\
|
||||
\hparen\DiversifiedTransmitPublic \typecolon \GroupJ,\vspace{0.6ex}\\
|
||||
\hparen\vOld{} \typecolon \ValueType,\\
|
||||
\hparen\ValueCommitRandOld{} \typecolon \binaryrange{\ScalarLength},\\
|
||||
\hparen\cmOld{} \typecolon \GroupJ,\\
|
||||
\hparen\NoteCommitRandOld{} \typecolon \binaryrange{\ScalarLength},\\
|
||||
\hparen\AuthSignRandomizer \typecolon \binaryrange{\ScalarLength},\\
|
||||
\hparen\AuthSignPublic \typecolon \SpendAuthSigPublic,\\
|
||||
\hparen\AuthProvePrivate \typecolon \binaryrange{\ScalarLength}\cparen$
|
||||
\end{formulae}
|
||||
|
||||
$\ValueCommitOutput$ and $\SpendAuthSigPublic$ are $\GroupJ$, so we have
|
||||
$\cvOld{}$, $\cmOld{}$, $\AuthSignRandomizedPublic$, $\DiversifiedTransmitBase$,
|
||||
$\DiversifiedTransmitPublic$, and $\AuthSignPublic$ which
|
||||
represent \jubjubCurve points. However,
|
||||
\begin{itemize}
|
||||
\item $\cvOld{}$ will be constrained to an output of $\ValueCommit{}$;
|
||||
\item $\cmOld{}$ will be constrained to an output of $\NoteCommitSapling{}$;
|
||||
\item $\AuthSignRandomizedPublic$ will be constrained to
|
||||
$\scalarmult{\AuthSignRandomizer}{\AuthSignBase} + \AuthSignPublic$;
|
||||
\item $\DiversifiedTransmitPublic$ will be constrained to
|
||||
$\scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$
|
||||
\end{itemize}
|
||||
so $\cvOld{}$, $\cmOld{}$, $\AuthSignRandomizedPublic$, and $\DiversifiedTransmitPublic$
|
||||
do not need to be explicitly checked to be on the curve.
|
||||
|
||||
In addition, $\AuthProvePublicRepr$ and $\NoteAddressRandRepr$ used in
|
||||
\textbf{Nullifier integrity} are compressed representations of
|
||||
\jubjubCurve points.
|
||||
|
||||
Therefore we have $\DiversifiedTransmitBase$, $\AuthSignPublic$, $\AuthProvePublic$,
|
||||
and $\NoteAddressRand$ which need to be constrained to valid \jubjubCurve points as
|
||||
described in \crossref{ccteddecompressvalidate}.
|
||||
|
||||
\introsection
|
||||
In order to aid in comparing the implementation with the specification,
|
||||
we present the checks needed in the order in which they are implemented
|
||||
in the sapling-crypto code:
|
||||
|
||||
\begin{center}
|
||||
\begin{tabular}{|p{16em}|l|C|l|}
|
||||
\hline
|
||||
Check & Implements & \heading{Cost} & Reference \\
|
||||
\hhline{|=|=|=|=|}
|
||||
|
||||
$\AuthSignPublic$ is on the curve
|
||||
& $\AuthSignPublic \typecolon \SpendAuthSigPublic$ & 4 & \shortcrossref{cctedvalidate} \\ \hline
|
||||
$\AuthSignPublic$ is not small order
|
||||
& \textbf{Small order checks} & 16 & \shortcrossref{cctednonsmallorder} \\ \hline
|
||||
$\AuthSignRandomizerRepr \typecolon \bitseq{\ScalarLength}$
|
||||
& $\AuthSignRandomizer \typecolon \binaryrange{\ScalarLength}$ & 252 & \shortcrossref{cctboolean} \\ \hline
|
||||
$\AuthSignRandomizer' = \scalarmult{\AuthSignRandomizer}{\AuthSignBase}$
|
||||
& \textbf{Spend authority} & 750 & \shortcrossref{cctfixedscalarmult} \\ \cline{1-1}\cline{3-4}
|
||||
$\AuthSignRandomizedPublic = \AuthSignRandomizer' + \AuthSignPublic$
|
||||
& & 6 & \shortcrossref{cctedarithmetic} \\ \hline
|
||||
inputize $\AuthSignRandomizedPublic$
|
||||
& $\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic$ & 392? & \shortcrossref{ccteddecompressvalidate} \\ \hline
|
||||
$\AuthProvePrivateRepr \typecolon \bitseq{\ScalarLength}$
|
||||
& $\AuthProvePrivate \typecolon \binaryrange{\ScalarLength}$ & 252 & \shortcrossref{cctboolean} \\ \hline
|
||||
$\AuthProvePublic = \scalarmult{\AuthProvePrivate}{\AuthProveBase}$
|
||||
& \textbf{Nullifier integrity} & 750 & \shortcrossref{cctfixedscalarmult} \\ \hline
|
||||
$\AuthSignPublicRepr = \reprJ(\AuthSignPublic)$
|
||||
& \textbf{Diversified address integrity} & 392 & \shortcrossref{ccteddecompressvalidate} \\ \hline
|
||||
$\AuthProvePublicRepr = \reprJ(\AuthProvePublic)$
|
||||
& \textbf{Nullifier integrity} & 392 & \shortcrossref{ccteddecompressvalidate} \\ \hline
|
||||
$\InViewingKeyRepr = \ItoLEBSP{251}\big(\CRHivk(\AuthSignPublic, \AuthProvePublic)\big)\;\dagger$
|
||||
& \textbf{Diversified address integrity} & 21262 & \shortcrossref{cctblake2s} \\ \hline
|
||||
$\DiversifiedTransmitBase$ is on the curve
|
||||
& $\DiversifiedTransmitBase \typecolon \GroupJ$ & 4 & \shortcrossref{cctedvalidate} \\ \hline
|
||||
$\DiversifiedTransmitBase$ is not small order
|
||||
& \textbf{Small order checks} & 16 & \shortcrossref{cctednonsmallorder} \\ \hline
|
||||
$\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$
|
||||
& \textbf{Diversified address integrity} & 3252 & \shortcrossref{cctvarscalarmult} \\ \hline
|
||||
$\vOldRepr \typecolon \bitseq{64}$
|
||||
& $\vOld{} \typecolon \binaryrange{64}$ & 64 & \shortcrossref{cctboolean} \\ \cline{1-1}\cline{3-4}
|
||||
$\vOldRepr = \ItoLEBSP{64}(\vOld{})$
|
||||
& & 1 & \shortcrossref{cctmodpack} \\ \hline
|
||||
$\cv = \ValueCommit{\ValueCommitRand}(\vOld{})$
|
||||
& \textbf{Value commitment integrity} & ? & \shortcrossref{ccthomomorphiccommit} ($\ell = 64$) \\ \cline{1-1}\cline{3-4}
|
||||
inputize $\cv$
|
||||
& & ? & \\ \hline
|
||||
$\cm = \NoteCommitSapling{\NoteCommitRand}(\DiversifiedTransmitBase, \DiversifiedTransmitPublic, \vOld{})$
|
||||
% = \WindowedPedersenCommit{\NoteCommitRand}(\vOldRepr \bconcat \DiversifiedTransmitBaseRepr \bconcat \DiversifiedTransmitPublicRepr)
|
||||
& \textbf{Note commitment integrity} & ? & \shortcrossref{cctwindowedcommit} ($\ell = 576$) \\ \hline
|
||||
$\cmURepr = \ExtractJ(\cm)$
|
||||
& \textbf{Merkle path validity} & 0 & \\ \cline{1-1}\cline{3-4}
|
||||
$\rt'$ is the root of a Merkle tree with leaf $\cmU$ and authentication path $(\TreePath{}, \NotePositionRepr)$
|
||||
& & 32 \mult 1369 & \shortcrossref{cctmerklepath} \\ \cline{1-1}\cline{3-4}
|
||||
$\NotePositionRepr = \ItoLEBSPOf{\MerkleDepthSapling}{\NotePosition}$
|
||||
& & 1 & \shortcrossref{cctmodpack} \\ \cline{1-1}\cline{3-4}
|
||||
if $\vOld{} \neq 0$ then $\rt' = \rt$
|
||||
& & 1 & \shortcrossref{cctcondeq} \\ \cline{1-1}\cline{3-4}
|
||||
inputize $\rt$
|
||||
& & ? & \\ \hline
|
||||
$\NoteAddressRand = \MixingPedersenHash(\cmOld{}, \NotePosition)$
|
||||
& \textbf{Nullifier integrity} & ? & \shortcrossref{cctmixinghash} \\ \cline{1-1}\cline{3-4}
|
||||
$\NoteAddressRandRepr = \reprJ\Of{\NoteAddressRand}$
|
||||
& & 392 & \shortcrossref{ccteddecompressvalidate} \\ \cline{1-1}\cline{3-4}
|
||||
$\nf = \PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRandRepr)$
|
||||
& & 21262 & \shortcrossref{cctblake2s} \\ \hline
|
||||
pack inputs
|
||||
& & ? & \\ \hline %\shortcrossref{cctpackinputs}
|
||||
\end{tabular}
|
||||
\end{center}
|
||||
|
||||
\vspace{1ex}
|
||||
$\dagger$ This is implemented by taking the output of $\BlakeTwos{256}$ as a bit sequence and dropping the most
|
||||
significant $5$~bits, not by converting to an integer and back to a bit sequence as literally specified.
|
||||
|
||||
\vspace{-2ex}
|
||||
\begin{pnotes}
|
||||
\item The implementation represents $\AuthSignRandomizerRepr$, $\AuthProvePrivateRepr$ and $\InViewingKeyRepr$
|
||||
as bit sequences rather than integers.
|
||||
\item The scalar multiplication circuits take the scalar as a bit sequence. For example,
|
||||
in $\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$
|
||||
above, the multiplication takes
|
||||
$\InViewingKeyRepr$ and $\DiversifiedTransmitBase$ as inputs and constrains
|
||||
$\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$
|
||||
where $\InViewingKeyRepr = \ItoLEBSPOf{251}{\InViewingKey}$.
|
||||
\end{pnotes}
|
||||
|
||||
|
||||
\introsection
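Review bot: The table's identifiers do not match the primary and auxiliary inputs declared above it: the inputs are `\cvOld{}`, `\ValueCommitRandOld{}`, `\cmOld{}`, `\NoteCommitRandOld{}` and `\nfOld{}`, but the rows write `$\cv = \ValueCommit{\ValueCommitRand}(\vOld{})$`, `$\cm = \NoteCommitSapling{\NoteCommitRand}(\ldots)$` and `$\nf = \PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRandRepr)$`, while the `\MixingPedersenHash` row already uses `\cmOld{}`; in a normative spec the old-note suffix should be used consistently so a reader can see these are the commitments and nullifier of the note being spent. The `\textbf{Small order checks}` rows cover only `\AuthSignPublic` and `\DiversifiedTransmitBase`; since `\AuthSignRandomizedPublic` is derived in-circuit as `$\scalarmult{\AuthSignRandomizer}{\AuthSignBase} + \AuthSignPublic$`, nothing in this table stops a prover who knows the spend authorizing key from choosing the randomizer so that the result has small order, so if the Spend statement relies on `\AuthSignRandomizedPublic` not being small order (I cannot see `\crossref{spendstatement}` from here) the page should state whether that is enforced by a consensus rule outside the circuit. The prose `Therefore we have \DiversifiedTransmitBase, \AuthSignPublic, \AuthProvePublic, and \NoteAddressRand which need to be constrained to valid Jubjub points` also seems inconsistent with the table, where `\AuthProvePublic` is the output of a fixed-base multiplication and so, like `\cvOld{}` and `\cmOld{}` in the itemized list above, would presumably not need an explicit on-curve check — confirm which is intended. The `392?` cost on the `inputize \AuthSignRandomizedPublic` row and the remaining `?` entries are still placeholders.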
|
||||
|
|
|
@ -154,6 +154,16 @@ Proceedings of the 21st Annual International Cryptology Conference
|
|||
urldate={2017-02-11}
|
||||
}
|
||||
|
||||
@misc{BGM2018,
|
||||
presort={BGM2018},
|
||||
author={Sean Bowe and Ariel Gabizon and Ian Miers},
|
||||
title={Scalable {M}ulti-party {C}omputation for zk-{SNARK} {P}arameters in the {R}andom {B}eacon {M}odel},
|
||||
url={https://eprint.iacr.org/2017/1050},
|
||||
urldate={2018-08-31},
|
||||
howpublished={Cryptology ePrint Archive: Report 2017/1050.
|
||||
Last revised November~5, 2017.}
|
||||
}
|
||||
|
||||
@misc{Nakamoto2008,
|
||||
presort={Nakamoto2008},
|
||||
author={Satoshi Nakamoto},
|
||||
|
@ -423,6 +433,22 @@ L. Hernández Encinas and C. Sánchez Ávila},
|
|||
urldate={2016-08-14}
|
||||
}
|
||||
|
||||
@article{ElGamal1985,
|
||||
presort={ElGamal1985},
|
||||
author={Taher ElGamal},
|
||||
title={A public key cryptosystem and a signature scheme based on discrete logarithms},
|
||||
journal={IEEE Transactions on Information Theory},
|
||||
volume={31},
|
||||
number={4},
|
||||
date={1985-07},
|
||||
issn={0018-9448},
|
||||
pages={469--472},
|
||||
publisher={IEEE},
|
||||
doi={10.1109/TIT.1985.1057074},
|
||||
url={https://people.csail.mit.edu/alinush/6.857-spring-2015/papers/elgamal.pdf},
|
||||
urldate={2018-08-17}
|
||||
}
|
||||
|
||||
@misc{ABR1999,
|
||||
presort={ABR1999},
|
||||
author={Michel Abdalla and Mihir Bellare and Phillip Rogaway},
|
||||
|
@ -480,6 +506,14 @@ Last revised February~5, 2018.}
|
|||
urldate={2018-04-03}
|
||||
}
|
||||
|
||||
@misc{Dalek-notes,
|
||||
presort={Dalek-notes},
|
||||
author={Cathie Yun and Henry {de Valence} and Oleg Andreev and Dimitris Apostolou},
|
||||
title={ristretto\_bulletproofs notes},
|
||||
url={https://doc-internal.dalek.rs/ristretto_bulletproofs/notes/index.html},
|
||||
urldate={2018-08-17}
|
||||
}
|
||||
|
||||
@misc{Bitcoin-Base58,
|
||||
presort={Bitcoin-Base58},
|
||||
title={Base58{C}heck encoding --- {B}itcoin {W}iki},
|
||||
|
|