Add specification of Output statement.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2018-03-19 00:01:25 +00:00
parent d029d67779
commit 40ec72bb46
1 changed files with 55 additions and 1 deletions


@ -788,6 +788,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\enc}{\mathsf{enc}} \newcommand{\enc}{\mathsf{enc}}
\newcommand{\DHSecret}[1]{\mathsf{sharedSecret}_{#1}} \newcommand{\DHSecret}[1]{\mathsf{sharedSecret}_{#1}}
\newcommand{\EphemeralPublic}{\mathsf{epk}} \newcommand{\EphemeralPublic}{\mathsf{epk}}
\newcommand{\EphemeralPublicRepr}{\Repr{\EphemeralPublic}}
\newcommand{\EphemeralPrivate}{\mathsf{esk}} \newcommand{\EphemeralPrivate}{\mathsf{esk}}
\newcommand{\TransmitPublic}{\mathsf{pk_{enc}}} \newcommand{\TransmitPublic}{\mathsf{pk_{enc}}}
\newcommand{\TransmitPublicSup}[1]{\mathsf{pk}^{#1}_\mathsf{enc}} \newcommand{\TransmitPublicSup}[1]{\mathsf{pk}^{#1}_\mathsf{enc}}
@ -3751,8 +3752,60 @@ For details of the form and encoding of \spendStatement proofs, see \crossref{gr
\introsection \introsection
\subsubsection{\OutputStatement{} (\Sapling)} \label{outputstatement} \subsubsection{\OutputStatement{} (\Sapling)} \label{outputstatement}
\todo{} A valid instance of $\ProofOutput$ assures that given a \primaryInput:
\begin{formulae}
\item $(\cvNew{} \typecolon \ValueCommitOutput,\\
\hparen\cmNew{} \typecolon \NoteCommitSaplingOutput,\\
\hparen\EphemeralPublic \typecolon \GroupJ)$,
\end{formulae}
\introlist
the prover knows an \auxiliaryInput:
\begin{formulae}
\item $(\DiversifiedTransmitBaseRepr \typecolon \bitseq{\ellJ},\\
\hparen\DiversifiedTransmitPublicRepr \typecolon \bitseq{\ellJ},\\
\hparen\vNew{} \typecolon \range{0}{2^{64}-1},\\
\hparen\ValueCommitRandNew{} \typecolon \ValueCommitTrapdoor,\\
\hparen\NoteCommitRandNew{} \typecolon \NoteCommitSaplingTrapdoor,\\
\hparen\EphemeralPrivate \typecolon \range{0}{2^{252}-1})$
\end{formulae}
\introlist
such that the following conditions hold:
\snarkcondition{Note commitment integrity} \label{outputnotecommitmentintegrity}
$\pack(\cmNew{}) = \NoteCommitSapling{\NoteCommitRandNew{}}(\DiversifiedTransmitBaseRepr,
\DiversifiedTransmitPublicRepr,
\vNew{})$.
\todo{define $\pack$.}
\snarkcondition{Value commitment integrity} \label{outputvaluecommitmentintegrity}
$\cvNew{} = \ValueCommit{\ValueCommitRandNew{}}(\vNew{})$.
\snarkcondition{Point validity checks} \label{outputpointvalidity}
$\DiversifiedTransmitBase \in \GroupJ$ and is not of small order,
i.e.\ $\scalarmult{8}{\DiversifiedTransmitBase} \neq \ZeroJ$, where
\begin{formulae}
\item $\DiversifiedTransmitBase = \abstJOf{\DiversifiedTransmitBaseRepr}$.
\end{formulae}
\snarkcondition{Ephemeral public key integrity} \label{outputepkintegrity}
$\EphemeralPublic = \scalarmult{\EphemeralPrivate}{\DiversifiedTransmitBase}$ where
\begin{formulae}
\item $\EphemeralPublic = \abstJOf{\EphemeralPublicRepr}$.
\end{formulae}
\vspace{2.5ex}
For details of the form and encoding of \outputStatement proofs, see \crossref{groth}. For details of the form and encoding of \outputStatement proofs, see \crossref{groth}.
} %sapling } %sapling
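Review bot: The auxiliary input $\DiversifiedTransmitPublicRepr$ is consumed by the Note commitment integrity condition, yet unlike $\DiversifiedTransmitBaseRepr$ it is never required by the Point validity checks to decode to a point of $\GroupJ$ (let alone one that is not of small order), so a reader of the statement cannot tell whether this omission is deliberate; either add the corresponding check or state the design decision in the text, for example `Note that this statement does not check that $\DiversifiedTransmitPublicRepr$ decodes to a valid point.` The Ephemeral public key integrity condition also ends with `where $\EphemeralPublic = \abstJOf{\EphemeralPublicRepr}$`, but $\EphemeralPublic$ is already listed as a primary input of type $\GroupJ$, so the where-clause appears to redefine a given value; if the primary input is meant to be the encoding, its type in the primary-input list should presumably be `\bitseq{\ellJ}`, otherwise the clause can be dropped. Finally, `\vspace{2.5ex}` before the closing sentence is manual spacing in the body and would be better replaced by whatever the \spendStatement subsection uses at the same position, so the two statements are typeset consistently.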
@ -7556,6 +7609,7 @@ Daira Hopwood, Sean Bowe, and Jack Grigg.
\item Updates to transaction format and consensus rules for Overwinter and Sapling. \item Updates to transaction format and consensus rules for Overwinter and Sapling.
} %nuzero } %nuzero
\sapling{ \sapling{
\item Add specification of the \outputStatement.
\item Change $\MerkleDepthSapling$ from $29$ to $32$. \item Change $\MerkleDepthSapling$ from $29$ to $32$.
\item Updates to \Sapling construction, changing how the \nullifier is \item Updates to \Sapling construction, changing how the \nullifier is
computed and separating it from the \authRandomizedVerifyingKey computed and separating it from the \authRandomizedVerifyingKey