mirror of https://github.com/zcash/zips.git
Updates to notes and commitments.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood
parent
4fc9bc21aa
commit
45edaca45f
|
|
@ -402,6 +402,7 @@
|
|||
\newcommand{\ValueNew}[1]{\mathsf{v^{new}_\mathnormal{#1}}}
|
||||
\newcommand{\MAXMONEY}{\mathsf{MAX\_MONEY}}
|
||||
\newcommand{\NoteTuple}[1]{\mathbf{n}_{#1}}
|
||||
\newcommand{\NoteType}{\mathsf{Note}}
|
||||
\newcommand{\NotePlaintext}[1]{\mathbf{np}_{#1}}
|
||||
\newcommand{\NoteCommitRand}{\mathsf{r}}
|
||||
\newcommand{\NoteCommitRandLength}{\mathsf{\ell_{\NoteCommitRand}}}
|
||||
|
|
@ -627,7 +628,9 @@ behind the protocol, for an audience already familiar with \blockchain-based
|
|||
cryptocurrencies such as \Bitcoin. It is imprecise in some aspects and is not
|
||||
part of the normative protocol specification.
|
||||
|
||||
Value in \Zcash is carried by \notes\hairspace\footnote{\label{notesandnullifiers}
|
||||
Value in \Zcash is either \transparent or \xprotected. Transfers of \transparent
|
||||
value work essentially as in \Bitcoin and have the same privacy properties.
|
||||
\xProtected value is carried by \notes\hairspace\footnote{\label{notesandnullifiers}
|
||||
In \Zerocash \cite{BCG+2014}, \notes were called ``coins'', and \nullifiers
|
||||
were called ``serial numbers''.},
|
||||
which specify an amount and a \payingKey. The \payingKey is part of
|
||||
|
|
@ -841,22 +844,18 @@ to $\AuthPublic$, as described in the previous section.
|
|||
defined in \crossref{abstractcomm}.
|
||||
\end{itemize}
|
||||
|
||||
$\NoteCommitRand$ is randomly generated by the sender. \changed{$\NoteAddressRand$
|
||||
is generated from a random seed $\NoteAddressPreRand$ using
|
||||
$\PRFrho{\NoteAddressPreRand}$.} Only a commitment to these values is disclosed
|
||||
publicly, which allows the tokens $\NoteCommitRand$ and $\NoteAddressRand$ to blind
|
||||
the value and recipient \emph{except} to those who possess these tokens.
|
||||
Let $\NoteType$ be the type of a \note, i.e.
|
||||
$\PRFOutput \times \range{0}{\MAXMONEY} \times \PRFOutput \times \bitseq{\NoteCommitRandLength}$.
|
||||
|
||||
\nsubsubsection{\NoteCommitments} \label{notecommitment}
|
||||
Creation of new \notes is described in \crossref{send}. When \notes are sent,
|
||||
only a commitment (see \crossref{abstractcomm}) to the above values is disclosed
|
||||
publically. This allows the value and recipient to be kept private, while the
|
||||
commitment is used by the \zeroKnowledgeProof when the \note is spent, to check
|
||||
that it exists on the \blockchain.
|
||||
|
||||
The underlying $\Value$ and $\AuthPublic$ are blinded with $\NoteAddressRand$
|
||||
and $\NoteCommitRand$. The resulting hash
|
||||
$\cm = \NoteCommit(\NoteTuple{}) = \Commit{\NoteCommitRand}(\Value, \AuthPublic, \NoteAddressRand)$.
|
||||
|
||||
$\Commit{}$ is required to be a computationally binding and hiding commitment
|
||||
scheme.
|
||||
|
||||
\nsubsubsection{\Nullifiers}
|
||||
The \noteCommitment is computed as
|
||||
$\NoteCommit(\NoteTuple{}) = \Commit{\NoteCommitRand}(\AuthPublic, \Value, \NoteAddressRand)$,
|
||||
where $\Commit{}$ is instantiated in \crossref{concretecomm}.
|
||||
|
||||
A \nullifier (denoted $\nf$) is derived from the $\NoteAddressRand$ component
|
||||
of a \note and the recipient's \spendingKey, as $\PRFnf{\AuthPrivate}(\NoteAddressRand)$.
|
||||
|
|
@ -1174,13 +1173,8 @@ a type of commitments $\CommitOutput$, and a type of \commitmentTrapdoors
|
|||
$\CommitTrapdoor$.
|
||||
|
||||
Let $\Commit{} \typecolon \CommitTrapdoor \times \CommitInput \rightarrow \CommitOutput$
|
||||
be a function satisfying the following requirements, adapted from
|
||||
...
|
||||
|
||||
\begin{securityrequirements}
|
||||
\item \textbf{Computational Hiding:} ...
|
||||
\item \textbf{Computational Binding:} ...
|
||||
\end{securityrequirements}
|
||||
be a function satisfying the security requirements of computational hiding
|
||||
and computational binding, as defined in \todo{need reference}.
|
||||
|
||||
|
||||
\nsubsubsection{\ZeroKnowledgeProvingSystem}
|
||||
|
|
@ -1257,23 +1251,6 @@ as follows:}
|
|||
\end{equation*}
|
||||
}
|
||||
|
||||
\nsubsection{Note Components}
|
||||
|
||||
A \note consists of $(\AuthPublic, \Value, \NoteAddressRand, \NoteCommitRand)$ where
|
||||
\begin{itemize}
|
||||
\item $\AuthPublic \typecolon \PRFOutput$ is the
|
||||
\payingKey of the recipient;
|
||||
\item $\Value \typecolon \range{0}{\MAXMONEY}$ is an integer
|
||||
representing the value of the \note in \zatoshi
|
||||
($1$ \ZEC = $10^8$ \zatoshi);
|
||||
\item $\NoteAddressRand \typecolon \PRFOutput$
|
||||
is used as input to $\PRFnf{\AuthPrivate}$ to derive the
|
||||
\nullifier of the \note;
|
||||
\item $\NoteCommitRand \typecolon \bitseq{\NoteCommitRandLength}$
|
||||
is a random bit sequence used as a \commitmentTrapdoor as
|
||||
defined in \crossref{abstractcomm}.
|
||||
\end{itemize}
|
||||
|
||||
\nsubsection{\JoinSplitDescriptions} \label{joinsplitdesc}
|
||||
|
||||
A \joinSplitTransfer, as specified in \crossref{joinsplit}, is encoded in
|
||||
|
|
@ -2096,26 +2073,12 @@ where $\EdDSAR$ and $\EdDSAS$ are as defined in \cite{BDL+2012}.
|
|||
The encoding of a public key is as defined in \cite{BDL+2012}.
|
||||
}
|
||||
|
||||
\nsubsection{Note Components}
|
||||
|
||||
\begin{itemize}
|
||||
\item $\AuthPublic$ is a 32-byte \payingKey of the recipient.
|
||||
\item $\Value$ is a 64-bit unsigned integer representing the value of the
|
||||
\note in \zatoshi ($1$ \ZEC = $10^8$ \zatoshi).
|
||||
\item $\NoteAddressRand$ is a 32-byte $\PRFnf{\AuthPrivate}$ preimage.
|
||||
\item $\NoteCommitRand$ is a 32-byte \commitmentTrapdoor.
|
||||
\end{itemize}
|
||||
|
||||
\nsubsection{\NoteCommitments} \label{concretecomm}
|
||||
|
||||
The underlying $\Value$ and $\AuthPublic$ are blinded with $\NoteAddressRand$
|
||||
and $\NoteCommitRand$ \changed{using the collision-resistant hash function $\FullHash$}.
|
||||
The resulting hash $\cm = \NoteCommit(\NoteTuple{})$. \todo{separate concrete}
|
||||
\nsubsubsection{Commitment} \label{concretecomm}
|
||||
|
||||
\newsavebox{\cmbox}
|
||||
\begin{lrbox}{\cmbox}
|
||||
\setchanged
|
||||
\begin{bytefield}[bitwidth=0.036em]{840}
|
||||
\begin{bytefield}[bitwidth=0.032em]{840}
|
||||
\bitbox{24}{$1$} &
|
||||
\bitbox{24}{$0$} &
|
||||
\bitbox{24}{$1$} &
|
||||
|
|
@ -2131,12 +2094,16 @@ The resulting hash $\cm = \NoteCommit(\NoteTuple{})$. \todo{separate concrete}
|
|||
\end{bytefield}
|
||||
\end{lrbox}
|
||||
|
||||
\hskip 1em $\cm := \FullHashbox{\cmbox}$
|
||||
The commitment scheme $\Commit{}$ specified in \crossref{abstractcomm} is
|
||||
instantiated using $\FullHashName$ as follows:
|
||||
|
||||
\hskip 1em $\Commit{\NoteCommitRand}(\Value, \AuthPublic, \NoteAddressRand) := \FullHashbox{\cmbox}$.
|
||||
|
||||
\pnote{
|
||||
The leading byte of the $\FullHash$ input is $\hexint{B0}$.
|
||||
}
|
||||
|
||||
\todo{Security requirements on $\FullHashName$.}
|
||||
|
||||
\nsubsection{\NotePlaintexts{} and \Memos} \label{notept}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue