From 49ab63e322307eca19eaf6bb5e3e548eee38a0fd Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Fri, 20 Apr 2018 04:01:09 +0100 Subject: [PATCH] Correct explanation of commitments in overview to apply to Sapling. Signed-off-by: Daira Hopwood --- protocol/protocol.tex | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 6178032a..3dfda317 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex 
@@ -1739,16 +1739,16 @@ a \paymentAddress, which is a destination to which \notes can be sent. As in \Bitcoin, this is associated with a private key that can be used to spend \notes sent to the address; in \Zcash this is called a \spendingKey. -To each \note there is cryptographically associated a \noteCommitment, and -a \nullifier\footnoteref{notesandnullifiers} (so that there is a 1:1:1 relation -between \notes, \noteCommitments, and \nullifiers). Computing the \nullifier -requires the associated private \spendingKey\sapling{ (or the \nullifierKey for \Sapling \notes)}. -It is infeasible to correlate the \noteCommitment with the corresponding -\nullifier without knowledge of at least this \sprout{\spendingKey}\notsprout{key}. -An unspent valid \note, at a given point on the \blockchain, -is one for which the \noteCommitment has been publically revealed on the -\blockchain prior to that point, but the \nullifier has not. -\notsprout{\todo{The ``1:1:1'' part isn't correct for \Sapling.}} +To each \note there is cryptographically associated a \noteCommitment. Once the +\transaction creating the \note has been mined, it is associated with a fixed +\notePosition in a tree of \noteCommitments, and with a \nullifier\footnoteref{notesandnullifiers} +unique to that \note. Computing the \nullifier requires the associated private +\spendingKey\sapling{ (or the \nullifierKey for \Sapling \notes)}. +It is infeasible to correlate the \noteCommitment or \notePosition with the +corresponding \nullifier without knowledge of at least this +\sprout{\spendingKey}\notsprout{key}. An unspent valid \note, at a given point +on the \blockchain, is one for which the \noteCommitment has been publically +revealed on the \blockchain prior to that point, but the \nullifier has not. \introlist A \transaction can contain \transparent inputs, outputs, and scripts, which all 
@@ -8775,6 +8775,7 @@ Daira Hopwood, Sean Bowe, and Jack Grigg. \item Refactor the abstract definition of a \signatureScheme to allow derivation of verifying keys independent of key pair generation. \sapling{ + \item Correct the explanation in \crossref{overview} to apply to \Sapling. \item Add the definition of a private key to public key homomorphism for \signatureSchemes. \item Remove the output index as an input to $\KDFSapling$. \item Allow dummy \Sapling input \notes.
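Review bot: In the first hunk (the overview paragraph at line 1739), the rewritten text keeps the misspelling "publically" from the removed lines ("has been publically revealed on the \blockchain"); since the whole sentence is being replaced, change it to "publicly" here rather than in a follow-up. The same hunk introduces the macro \notePosition in two places ("associated with a fixed \notePosition in a tree of \noteCommitments" and "correlate the \noteCommitment or \notePosition"); it is not used in the removed lines, so please confirm it is defined in the preamble alongside \noteCommitment and \nullifier, otherwise the build fails. Dropping the \todo about "1:1:1" is correct given the new wording no longer claims that relation.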
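Review bot: The changelog entry added in the second hunk, "Correct the explanation in \crossref{overview} to apply to \Sapling.", does not say which explanation was corrected, which makes it hard to match against the first hunk later; suggest "Correct the explanation of \noteCommitments and \nullifiers in \crossref{overview} to apply to \Sapling." Placing it inside the \sapling{ ... } group is consistent with the change being Sapling-specific.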