Refactoring/type changes for commitment randomness and outputs.

This also affects the type of Sapling note plaintexts. Includes potential consensus changes (which *should* match the implementation)! Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2018-06-22 22:14:16 +01:00 · 2018-06-22 22:14:16 +01:00 · 57f16ea6da
parent cb730f241e
commit 57f16ea6da
1 changed files with 103 additions and 57 deletions
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@ -1035,21 +1035,26 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\CommitAlg}{\mathsf{COMM}}
 \newcommand{\Commit}[1]{\CommitAlg_{#1}}
 \newcommand{\CommitTrapdoor}{\CommitAlg\mathsf{.Trapdoor}}
+\newcommand{\CommitGenTrapdoor}{\CommitAlg\mathsf{.GenTrapdoor}}
 \newcommand{\CommitInput}{\CommitAlg\mathsf{.Input}}
 \newcommand{\CommitOutput}{\CommitAlg\mathsf{.Output}}
 \newcommand{\NoteCommitSproutAlg}{\mathsf{\sprout{COMM}\notsprout{NoteCommit}}^{\mathsf{Sprout}}}
 \newcommand{\NoteCommitSprout}[1]{\NoteCommitSproutAlg_{#1}}
 \newcommand{\NoteCommitSproutTrapdoor}{\NoteCommitSproutAlg\mathsf{.Trapdoor}}
+\newcommand{\NoteCommitSproutGenTrapdoor}{\NoteCommitSproutAlg\mathsf{.GenTrapdoor}}
 \newcommand{\NoteCommitSproutInput}{\NoteCommitSproutAlg\mathsf{.Input}}
 \newcommand{\NoteCommitSproutOutput}{\NoteCommitSproutAlg\mathsf{.Output}}
 \newcommand{\NoteCommitSaplingAlg}{\mathsf{NoteCommit}^{\mathsf{Sapling}}}
 \newcommand{\NoteCommitSapling}[1]{\NoteCommitSaplingAlg_{#1}}
 \newcommand{\NoteCommitSaplingTrapdoor}{\NoteCommitSaplingAlg\mathsf{.Trapdoor}}
+\newcommand{\NoteCommitSaplingTrapdoorBytes}{\byteseq{32}}
+\newcommand{\NoteCommitSaplingGenTrapdoor}{\NoteCommitSaplingAlg\mathsf{.GenTrapdoor}}
 \newcommand{\NoteCommitSaplingInput}{\NoteCommitSaplingAlg\mathsf{.Input}}
 \newcommand{\NoteCommitSaplingOutput}{\NoteCommitSaplingAlg\mathsf{.Output}}
 \newcommand{\ValueCommitAlg}{\mathsf{ValueCommit}}
 \newcommand{\ValueCommit}[1]{\ValueCommitAlg_{#1}}
 \newcommand{\ValueCommitTrapdoor}{\ValueCommitAlg\mathsf{.Trapdoor}}
+\newcommand{\ValueCommitGenTrapdoor}{\ValueCommitAlg\mathsf{.GenTrapdoor}}
 \newcommand{\ValueCommitInput}{\ValueCommitAlg\mathsf{.Input}}
 \newcommand{\ValueCommitOutput}{\ValueCommitAlg\mathsf{.Output}}
 \newcommand{\ValueCommitValueBase}{\mathcal{V}}
@ -1135,6 +1140,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\NotePlaintext}[1]{\mathbf{np}_{#1}}
 \newcommand{\OutPlaintext}{\mathbf{op}}
 \newcommand{\NoteCommitRand}{\mathsf{\sprout{r}\notsprout{rcm}}}
+\newcommand{\NoteCommitRandBytes}{\bytes{\NoteCommitRand}}
+\newcommand{\NoteCommitRandBytesType}{\byteseq{32}}
 \newcommand{\NoteCommitRandLength}{\mathsf{\ell_{\NoteCommitRand}}}
 \newcommand{\NoteCommitRandOld}[1]{\NoteCommitRand^\mathsf{old}_{#1}}
 \newcommand{\NoteCommitRandNew}[1]{\NoteCommitRand^\mathsf{new}_{#1}}
@ -1550,6 +1557,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\GenJ}{\Generator_{\GroupJ}}
 \newcommand{\ellJ}{\ell_{\GroupJ}}
 \newcommand{\ReprJ}{\bitseq{\ellJ}}
+\newcommand{\ReprJBytes}{\byteseq{\ellJ/8}}
 \newcommand{\reprJ}{\repr_{\GroupJ}}
 \newcommand{\reprJOf}[1]{\reprJ\!\left({#1}\right)\!}
 \newcommand{\abstJ}{\abst_{\GroupJ}}
@ -2389,8 +2397,14 @@ Each \SproutOrNothing{} \notePlaintext (denoted $\NotePlaintext{}$) consists of
 The \notePlaintext in each \outputDescription is encrypted to the
 \diversifiedPaymentAddress $(\Diversifier, \DiversifiedTransmitPublic)$.

+\introlist
 Each \Sapling{} \notePlaintext (denoted $\NotePlaintext{}$) consists of
-$(\Diversifier, \Value, \NoteCommitRand, \Memo)$.
+
+\vspace{-1ex}
+\begin{formulae}
+  \item $(\Diversifier \typecolon \DiversifierType, \Value \typecolon \ValueType,
+          \NoteCommitRandBytes \typecolon \NoteCommitSaplingTrapdoorBytes, \Memo \typecolon \MemoType)$.
+\end{formulae}
 } %saplingonward

 \changed{
@ -3190,8 +3204,8 @@ random and an input, can be used to commit to the input in such a way that:

 \vspace{-3ex}
 A \commitmentScheme $\CommitAlg$ defines a type of inputs $\CommitInput$,
-a type of commitments $\CommitOutput$, and a type of \commitmentTrapdoors
-$\CommitTrapdoor$.
+a type of commitments $\CommitOutput$, a type of \commitmentTrapdoors
+$\CommitTrapdoor$, and a trapdoor generator $\CommitGenTrapdoor \typecolon () \rightarrowR \CommitTrapdoor$.

 \vspace{2ex}
 Let $\CommitAlg \typecolon \CommitTrapdoor \times \CommitInput \rightarrow \CommitOutput$
@ -3200,8 +3214,8 @@ be a function satisfying the following security requirements.
 \vspace{-2ex}
 \begin{securityrequirements}[leftmargin=2em]
  \item \textbf{Computational hiding:} For all $x, x' \typecolon \CommitInput$,
-        the distributions $\{\; \Commit{r}(x) \;|\; r \leftarrowR \CommitTrapdoor \;\}$
-        and $\{\; \Commit{r}(x') \;|\; r \leftarrowR \CommitTrapdoor \;\}$ are
+        the distributions $\{\, \Commit{r}(x) \;|\; r \leftarrowR \CommitGenTrapdoor() \,\}$
+        and $\{\, \Commit{r}(x') \;|\; r \leftarrowR \CommitGenTrapdoor() \,\}$ are
        computationally indistinguishable.
  \item \textbf{Computational binding:} It is infeasible to find
        $x, x' \typecolon \CommitInput$ and
@ -3210,40 +3224,33 @@ be a function satisfying the following security requirements.
 \end{securityrequirements}

 \vspace{-3ex}
-\pnote{
-If it were only feasible to find $x \typecolon \CommitInput$ and
-$r, r' \typecolon \CommitTrapdoor$ such that $r \neq r'$ and
-$\Commit{r}(x) = \Commit{r'}(x)$, this would not by itself contradict
-the computational binding security requirement.
-}
-
-\vspace{3ex}
-Let $\NoteCommitRandLength$, $\MerkleHashLengthSprout$, $\PRFOutputLengthSprout$, and
-$\ValueLength$ be as defined in \crossref{constants}.
-
-\sapling{
-Let $\SubgroupJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}.
-} %sapling
-
 \sprout{
-Define $\NoteCommitSproutTrapdoor := \bitseq{\NoteCommitRandLength}$ and
-$\NoteCommitSproutOutput := \bitseq{\MerkleHashLengthSprout}$.
+\pnote{If it were only feasible to find $x \typecolon \CommitInput$ and
+$r, r' \typecolon \CommitTrapdoor$ such that $r \neq r'$ and
+$\Commit{r}(x) = \Commit{r'}(x)$, this would not contradict
+the computational binding security requirement.}
 } %sprout
 \notsprout{
-Define:
-\begin{formulae}
-  \item $\NoteCommitSproutTrapdoor := \bitseq{\NoteCommitRandLength}$ and
-        $\NoteCommitSproutOutput := \bitseq{\MerkleHashLengthSprout}$;
-\sapling{
-  \item $\NoteCommitSaplingTrapdoor := \GF{\ParamJ{r}}$ and
-        $\NoteCommitSaplingOutput := \SubgroupJ$;
-  \item $\ValueCommitTrapdoor := \GF{\ParamJ{r}}$ and
-        $\ValueCommitOutput := \SubgroupJ$.
-} %sapling
-\end{formulae}
+\begin{pnotes}[leftmargin=2em]
+  \item $\CommitGenTrapdoor$ need not produce the uniform distribution on $\CommitTrapdoor$.
+        In that case, it is incorrect to choose a trapdoor from the latter distribution.
+  \item If it were only feasible to find $x \typecolon \CommitInput$ and
+        $r, r' \typecolon \CommitTrapdoor$ such that $r \neq r'$ and
+        $\Commit{r}(x) = \Commit{r'}(x)$, this would not contradict
+        the computational binding security requirement.
+        \sapling{(In fact, this is feasible for $\NoteCommitSaplingAlg$ and $\ValueCommitAlg$
+        because trapdoors are equivalent modulo $\ParamJ{r}$, and the range of a trapdoor
+        for those algorithms is $\binaryrange{\ScalarLength}$ where $2^{\ScalarLength} > \ParamJ{r}$.)}
+\end{pnotes}
 } %notsprout

 \vspace{1ex}
+Let $\NoteCommitRandLength$, $\MerkleHashLengthSprout$, $\PRFOutputLengthSprout$,
+and $\ValueLength$ be as defined in \crossref{constants}.
+
+Define $\NoteCommitSproutTrapdoor := \bitseq{\NoteCommitRandLength}$ and
+$\NoteCommitSproutOutput := \bitseq{\MerkleHashLengthSprout}$.
+
 \SproutOrZcash uses a \note{} \commitmentScheme

 \begin{tabular}{@{\hskip 1.5em}r@{\;}l}
@ -3256,6 +3263,19 @@ instantiated in \crossref{concretesproutnotecommit}.

 \sapling{
 \vspace{2ex}
+Let $\ScalarLength$ be as defined in \crossref{constants}.
+
+Let $\SubgroupJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}.
+
+\introlist
+Define:
+\begin{formulae}
+  \item $\NoteCommitSaplingTrapdoor := \binaryrange{\ScalarLength}$ and
+        $\NoteCommitSaplingOutput := \GroupJ$;
+  \item $\ValueCommitTrapdoor := \binaryrange{\ScalarLength}$ and
+        $\ValueCommitOutput := \GroupJ$.
+\end{formulae}
+
 \introlist
 \Sapling uses two additional commitment schemes:

@ -3267,6 +3287,11 @@ instantiated in \crossref{concretesproutnotecommit}.

 $\NoteCommitSapling{}$ is instantiated in \crossref{concretesaplingnotecommit}, and
 $\ValueCommit{}$ is instantiated in \crossref{concretevaluecommit}.
+
+\vspace{-2ex}
+\nnote{$\NoteCommitSapling{}$ and $\ValueCommit{}$ always return points in the subgroup $\SubgroupJ$.
+However, we declare the type of these commitment outputs to be $\GroupJ$ because they are not
+checked to be in the subgroup when used in \spendDescriptions and \outputDescriptions.}
 } %sapling


@ -3839,7 +3864,7 @@ where

 \vspace{2ex}
 \begin{consensusrules}
-  \item Elements of a \spendDescription{} \MUST have the types given above.
+  \item Elements of a \spendDescription{} \MUST be canonical encodings of the types given above.
  \item $\AuthSignRandomizedPublic$ \MUSTNOT be of small order, i.e.\ $\scalarmult{\ParamJ{h}}{\AuthSignRandomizedPublic}$
        \MUSTNOT be $\ZeroJ$.
  \item The proof $\Proof{\Spend}$ \MUST be valid given a \primaryInput formed
@ -3890,7 +3915,7 @@ where
 \end{itemize}

 \begin{consensusrules}
-  \item Elements of an \outputDescription{} \MUST have the types given above.
+  \item Elements of an \outputDescription{} \MUST be canonical encodings of the types given above.
        \vspace{-0.5ex}
  \item The proof $\Proof{\Output}$ \MUST be valid given a \primaryInput formed
        from the other fields except $\TransmitCiphertext{}$ and $\OutCiphertext{}$ ---
@ -3924,7 +3949,7 @@ uniformly at random on $\bitseq{\NoteAddressPreRandLength}$.}
 Then it creates each output \note with index $i \typecolon \setofNew$:

 \begin{itemize}
-  \item Choose uniformly random $\NoteCommitRandNew{i} \leftarrowR \NoteCommitSproutTrapdoor$.
+  \item Choose uniformly random $\NoteCommitRandNew{i} \leftarrowR \NoteCommitSproutGenTrapdoor()$.
 \changed{
  \item Compute $\NoteAddressRandNew{i} = \PRFrho{\NoteAddressPreRand}(i, \hSig)$.
        \vspace{-0.5ex}
@ -3986,8 +4011,8 @@ the following steps:
        \vspace{-0.5ex}

        \begin{tabular}{@{\hskip 2em}r@{\;}l}
-          $\ValueCommitRandNew{}$ &$\leftarrowR \ValueCommitTrapdoor$ \\
-          $\NoteCommitRandNew{}$ &$\leftarrowR \NoteCommitSaplingTrapdoor$
+          $\ValueCommitRandNew{}$ &$\leftarrowR \ValueCommitGenTrapdoor()$ \\
+          $\NoteCommitRandNew{}$ &$\leftarrowR \NoteCommitSaplingGenTrapdoor()$
        \end{tabular}

  \item Calculate
@ -3999,7 +4024,8 @@ the following steps:
                                                                   \ValueNew{})$
        \end{tabular}

-  \item Let $\NotePlaintext{} = (\Diversifier, \ValueNew{}, \NoteCommitRandNew{}, \Memo)$.
+  \item Let $\NotePlaintext{} = (\Diversifier, \ValueNew{}, \NoteCommitRandBytes, \Memo)$, where
+        $\NoteCommitRandBytes = \LEBStoOSPOf{256}{\ItoLEBSP{256}(\NoteCommitRandNew{})\kern-0.12em}$.

  \item Encrypt $\NotePlaintext{}$, $\cvNew{}$, and $\cmNew{}$ to the recipient
        \diversifiedTransmissionKey $\DiversifiedTransmitPublic$ with
@ -4047,7 +4073,7 @@ is constructed as follows:
        and derive its \payingKey $\AuthPublicOld{i}$.
  \item \vspace{-0.5ex} Set $\vOld{i} = 0$.
  \item Choose uniformly random $\NoteAddressRandOld{i} \leftarrowR \PRFOutputSprout$
-        and $\NoteCommitRandOld{i} \leftarrowR \NoteCommitSproutTrapdoor$.
+        and $\NoteCommitRandOld{i} \leftarrowR \NoteCommitSproutGenTrapdoor()$.
  \item Compute $\nfOld{i} = \PRFnf{\AuthPrivateOld{i}}(\NoteAddressRandOld{i})$.
  \item Let $\TreePath{i}$ be a \dummy \merklePath for the
        \auxiliaryInput to the \joinSplitStatement (this will not be checked).
@ -4088,7 +4114,7 @@ A \dummy{} \Sapling input \note is constructed as follows:
  \item Generate a new \diversifiedPaymentAddress $(\Diversifier, \DiversifiedTransmitPublic)$
        for $\SpendingKey$ as described in \crossref{saplingkeycomponents}.
  \item Set $\vOld{} = 0$, and set $\NotePosition = 0$.
-  \item Choose uniformly random $\NoteCommitRand \leftarrowR \NoteCommitSaplingTrapdoor$.
+  \item Choose uniformly random $\NoteCommitRand \leftarrowR \NoteCommitSaplingGenTrapdoor()$.
        and $\AuthProvePrivate \leftarrowR \GF{\ParamJ{r}}$.
  \item Compute $\AuthProvePublic = \scalarmult{\AuthProvePrivate}{\AuthProveBase}$ and
        $\AuthProvePublicRepr = \reprJOf{\AuthProvePublic}$\,.
@ -4661,7 +4687,7 @@ the prover knows an \auxiliaryInput:
         \hparen\DiversifiedTransmitPublic \typecolon \GroupJ,\vspace{0.6ex}\\
         \hparen\vOld{} \typecolon \ValueType,\\
         \hparen\ValueCommitRandOld{} \typecolon \binaryrange{\ScalarLength},\\
-         \hparen\cmOld{} \typecolon \NoteCommitSaplingOutput,\\
+         \hparen\cmOld{} \typecolon \GroupJ,\\
         \hparen\NoteCommitRandOld{} \typecolon \binaryrange{\ScalarLength},\\
         \hparen\AuthSignRandomizer \typecolon \binaryrange{\ScalarLength},\\
         \hparen\AuthSignPublic \typecolon \SpendAuthSigPublic,\\
@ -4727,14 +4753,14 @@ For details of the form and encoding of \spendStatement proofs, see \crossref{gr
        see \crossref{ccteddecompressvalidate} for implementation of validity checks on compressed
        representations of \jubjubCurve points.

-        The $\ValueCommitOutput$, $\NoteCommitSaplingOutput$, and $\SpendAuthSigPublic$ types also
-        represent points.
+        The $\ValueCommitOutput$ and $\SpendAuthSigPublic$ types also represent points, i.e. $\GroupJ$.
  \item In the Merkle path validity check, each \merkleLayer does \emph{not} check that its
        input bit sequence is a canonical encoding (in $\range{0}{\ParamJ{r}-1}$) of the integer
        from the previous \merkleLayer.
  \item It is \emph{not} checked in the \spendStatement that $\AuthSignRandomizedPublic$ is not of
        small order. However, this \emph{is} checked outside the \spendStatement, as specified in
        \crossref{spenddesc}.
+  \item It is \emph{not} checked that $\ValueCommitRandOld{} < \ParamJ{r}$ or that $\NoteCommitRandOld{} < \ParamJ{r}$.
  \item $\SpendAuthSigRandomizePublic(\AuthSignRandomizer, \AuthSignPublic) = \AuthSignPublic + \scalarmult{\AuthSignRandomizer}{\AuthSignBase}$.
        ($\AuthSignBase$ is as defined in \crossref{concretespendauthsig}.)
 \end{pnotes}
@ -4768,8 +4794,8 @@ the prover knows an \auxiliaryInput:
  \item $(\DiversifiedTransmitBase \typecolon \GroupJ,\\[0.5ex]
   \hparen\DiversifiedTransmitPublicRepr \typecolon \ReprJ,\\
   \hparen\vNew{} \typecolon \ValueType,\\
-   \hparen\ValueCommitRandNew{} \typecolon \ValueCommitTrapdoor,\\
-   \hparen\NoteCommitRandNew{} \typecolon \NoteCommitSaplingTrapdoor,\\
+   \hparen\ValueCommitRandNew{} \typecolon \binaryrange{\ScalarLength},\\
+   \hparen\NoteCommitRandNew{} \typecolon \binaryrange{\ScalarLength},\\
   \hparen\EphemeralPrivate \typecolon \binaryrange{\ScalarLength})$
 \end{formulae}
 \vspace{-1ex}
@ -4806,8 +4832,9 @@ For details of the form and encoding of \outputStatement proofs, see \crossref{g
        see \crossref{ccteddecompressvalidate} for implementation of validity checks on compressed
        representations of \jubjubCurve points.

-        The $\ValueCommitOutput$ and $\NoteCommitSaplingOutput$ types also represent points.
+        The $\ValueCommitOutput$ type also represents points, i.e. $\GroupJ$.
  \item The validity of $\DiversifiedTransmitPublicRepr$ is \emph{not} checked in this circuit.
+  \item It is \emph{not} checked that $\ValueCommitRandOld{} < \ParamJ{r}$ or that $\NoteCommitRandOld{} < \ParamJ{r}$.
 \end{pnotes}
 } %sapling

@ -4987,7 +5014,7 @@ Since \Sapling \note encryption is used only in the context of \crossref{sapling
 $\DiversifiedTransmitBaseNew$ has already been calculated and is not $\bot$.

 \introsection
-Let $\NotePlaintext{} = (\Diversifier, \Value, \NoteCommitRand, \Memo)$ be the \Sapling{} \notePlaintext.
+Let $\NotePlaintext{} = (\Diversifier, \Value, \NoteCommitRandBytes, \Memo)$ be the \Sapling{} \notePlaintext.

 $\NotePlaintext{}$ is encoded as defined in \crossref{notept}.

@ -5043,8 +5070,9 @@ components of the \noteCiphertext as follows:
  \item if $\TransmitPlaintext{} = \bot$, return $\bot$
  \item extract $\NotePlaintext{} = (\Diversifier \typecolon \DiversifierType, \Value \typecolon \ValueType,
 \NoteCommitRandBytes \typecolon \NoteCommitSaplingTrapdoorBytes, \Memo \typecolon \MemoType)$ from $\TransmitPlaintext{}$
-  \item let $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$
-  \item if $\DiversifiedTransmitBase = \bot$, return $\bot$
+  \item let $\NoteCommitRand = \LEOStoIPOf{256}{\NoteCommitRandBytes}$
+        and $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$
+  \item if $\NoteCommitRand \geq \ParamJ{r}$ or $\DiversifiedTransmitBase = \bot$, return $\bot$
  \item let $\DiversifiedTransmitPublic = \KASaplingDerivePublic(\InViewingKey, \DiversifiedTransmitBase)$
  \item if $\NoteCommitSapling{\NoteCommitRand}(\reprJOf{\DiversifiedTransmitBase},
                                                \reprJOf{\DiversifiedTransmitPublic},
@ -5097,9 +5125,11 @@ The \outgoingViewingKey holder will attempt to decrypt the \noteCiphertext as fo
  \item let $\TransmitKey{} = \KDFSapling(\DHSecret{}, \EphemeralPublic)$
  \item let $\TransmitPlaintext{} = \SymDecrypt{\TransmitKey{}}(\TransmitCiphertext{})$
  \item if $\TransmitPlaintext{} = \bot$, return $\bot$
-  \item extract $\NotePlaintext{} = (\Diversifier, \Value, \NoteCommitRand, \Memo)$ from $\TransmitPlaintext{}$
-  \item let $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$
-  \item if $\DiversifiedTransmitBase = \bot$, return $\bot$
+  \item extract $\NotePlaintext{} = (\Diversifier \typecolon \DiversifierType, \Value \typecolon \ValueType,
+\NoteCommitRandBytes \typecolon \NoteCommitSaplingTrapdoorBytes, \Memo \typecolon \MemoType)$ from $\TransmitPlaintext{}$
+  \item let $\NoteCommitRand = \LEOStoIPOf{256}{\NoteCommitRandBytes}$
+        and $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$
+  \item if $\NoteCommitRand \geq \ParamJ{r}$ or $\DiversifiedTransmitBase = \bot$, return $\bot$
  \item if $\KASaplingDerivePublic(\EphemeralPrivate, \DiversifiedTransmitBase) \neq \EphemeralPublic$,
        return $\bot$
  \item if $\NoteCommitSapling{\NoteCommitRandNew{}}(\reprJOf{\DiversifiedTransmitBase},
@ -6480,6 +6510,7 @@ instantiated using $\SHAFull$ as follows:

 \begin{formulae}[leftmargin=1em]
  \item $\NoteCommitSprout{\NoteCommitRand}(\AuthPublic, \Value, \NoteAddressRand) := \SHAFullBox{\cmbox}$
+  \item $\NoteCommitSproutGenTrapdoor()$ generates the uniform distribution on $\NoteCommitSproutTrapdoor$.
 \end{formulae}

 \pnote{
@ -6517,7 +6548,8 @@ instantiated as follows using $\WindowedPedersenCommitAlg$:
 \begin{formulae}
  \item $\NoteCommitSapling{\NoteCommitRand}(\DiversifiedTransmitBaseRepr, \DiversifiedTransmitPublicRepr, \Value) :=
           \WindowedPedersenCommit{\NoteCommitRand}\left(\ones{6} \bconcat \ItoLEBSPOf{64}{\Value} \bconcat
-             \DiversifiedTransmitBaseRepr \bconcat \DiversifiedTransmitPublicRepr\right)$.
+             \DiversifiedTransmitBaseRepr \bconcat \DiversifiedTransmitPublicRepr\right)$
+  \item $\NoteCommitSaplingGenTrapdoor()$ generates the uniform distribution on $\GF{\ParamJ{r}}$.
 \end{formulae}

 \vspace{-3ex}
@ -6555,6 +6587,7 @@ In order to support this property, we also define \quotedterm{homomorphic}
 \begin{formulae}
  \item $\HomomorphicPedersenCommit{\ValueCommitRand}(D, \Value) :=
           \scalarmult{\Value}{\FindGroupJHashOf{D, \ascii{v}}} + \scalarmult{\ValueCommitRand}{\FindGroupJHashOf{D, \ascii{r}}}$
+  \item $\ValueCommitGenTrapdoor()$ generates the uniform distribution on $\GF{\ParamJ{r}}$.
 \end{formulae}

 See \crossref{ccthomomorphiccommit} for rationale and efficient circuit implementation
@ -8084,8 +8117,11 @@ $64$ & $\spendAuthSig$ & \type{char[64]} & A signature authorizing this spend. \
 \end{tabularx}
 \end{center}

-Consensus rules applying to a \spendDescription are given in \crossref{spenddesc}.
+\vspace{-5.5ex}
+\consensusrule{$\LEOStoIPOf{256}{\anchorField}$ \MUST be less than $\ParamJ{q}$.}

+\vspace{-0.5ex}
+Other consensus rules applying to a \spendDescription are given in \crossref{spenddesc}.

 \introsection
 \subsection{Encoding of \OutputDescriptions} \label{outputencoding}
@ -8132,7 +8168,11 @@ $\ProofOutput$ (see \crossref{groth}). \\ \hline
 The $\ephemeralKey$ and $\encCiphertext$ fields together form the \noteCiphertext,
 which is computed as described in \crossref{saplinginband}.

-Consensus rules applying to an \outputDescription are given in \crossref{outputdesc}.
+\vspace{-4ex}
+\consensusrule{$\LEOStoIPOf{256}{\cmField}$ \MUST be less than $\ParamJ{q}$.}
+
+\vspace{-0.5ex}
+Other consensus rules applying to an \outputDescription are given in \crossref{outputdesc}.
 }


@ -9316,7 +9356,13 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
 \sapling{
    \item Use the more precise subgroup types $\SubgroupG$ and $\SubgroupJ$ in preference to
          $\GroupG{}$ and $\GroupJ$ where applicable.
-    \item Correct or improve the types of $\GroupJHash{}$, $\FindGroupJHash$, $\ExtractJ$, $\PRFexpand{}$, and $\CRHivk$.
+    \item Change the types of \auxiliaryInputs to the \spendStatement and \outputStatement, to be more
+          faithful to the implementation.
+    \item Add explicit consensus rules that the $\anchorField$ field of a \spendDescription and the $\cmField$
+          field of an \outputDescription{} must be canonical encodings.
+    \item Change the syntax of a \commitmentScheme to add $\CommitGenTrapdoor$. This is necessary
+          because the intended distribution of \commitmentTrapdoors may not be uniform on all values
+          that are acceptable trapdoor inputs.
    \item Ensure that \Sprout functions and values are given \Sprout-specific types where appropriate.
    \item Improve cross-referencing.
    \item Clarify the use of $\PHGR$ vs $\Groth$ proofs in \joinSplitStatements.