From 57f16ea6da0be5fd7905a810b497620faff17d57 Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Fri, 22 Jun 2018 22:14:16 +0100 Subject: [PATCH] Refactoring/type changes for commitment randomness and outputs. This also affects the type of Sapling note plaintexts. Includes potential consensus changes (which *should* match the implementation)! Signed-off-by: Daira Hopwood --- protocol/protocol.tex | 160 +++++++++++++++++++++++++++--------------- 1 file changed, 103 insertions(+), 57 deletions(-) diff --git a/protocol/protocol.tex b/protocol/protocol.tex index c044e688..43b85123 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex 
@@ -1035,21 +1035,26 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\CommitAlg}{\mathsf{COMM}} \newcommand{\Commit}[1]{\CommitAlg_{#1}} \newcommand{\CommitTrapdoor}{\CommitAlg\mathsf{.Trapdoor}} +\newcommand{\CommitGenTrapdoor}{\CommitAlg\mathsf{.GenTrapdoor}} \newcommand{\CommitInput}{\CommitAlg\mathsf{.Input}} \newcommand{\CommitOutput}{\CommitAlg\mathsf{.Output}} \newcommand{\NoteCommitSproutAlg}{\mathsf{\sprout{COMM}\notsprout{NoteCommit}}^{\mathsf{Sprout}}} \newcommand{\NoteCommitSprout}[1]{\NoteCommitSproutAlg_{#1}} \newcommand{\NoteCommitSproutTrapdoor}{\NoteCommitSproutAlg\mathsf{.Trapdoor}} +\newcommand{\NoteCommitSproutGenTrapdoor}{\NoteCommitSproutAlg\mathsf{.GenTrapdoor}} \newcommand{\NoteCommitSproutInput}{\NoteCommitSproutAlg\mathsf{.Input}} \newcommand{\NoteCommitSproutOutput}{\NoteCommitSproutAlg\mathsf{.Output}} \newcommand{\NoteCommitSaplingAlg}{\mathsf{NoteCommit}^{\mathsf{Sapling}}} \newcommand{\NoteCommitSapling}[1]{\NoteCommitSaplingAlg_{#1}} \newcommand{\NoteCommitSaplingTrapdoor}{\NoteCommitSaplingAlg\mathsf{.Trapdoor}} +\newcommand{\NoteCommitSaplingTrapdoorBytes}{\byteseq{32}} +\newcommand{\NoteCommitSaplingGenTrapdoor}{\NoteCommitSaplingAlg\mathsf{.GenTrapdoor}} \newcommand{\NoteCommitSaplingInput}{\NoteCommitSaplingAlg\mathsf{.Input}} \newcommand{\NoteCommitSaplingOutput}{\NoteCommitSaplingAlg\mathsf{.Output}} \newcommand{\ValueCommitAlg}{\mathsf{ValueCommit}} \newcommand{\ValueCommit}[1]{\ValueCommitAlg_{#1}} \newcommand{\ValueCommitTrapdoor}{\ValueCommitAlg\mathsf{.Trapdoor}} +\newcommand{\ValueCommitGenTrapdoor}{\ValueCommitAlg\mathsf{.GenTrapdoor}} \newcommand{\ValueCommitInput}{\ValueCommitAlg\mathsf{.Input}} \newcommand{\ValueCommitOutput}{\ValueCommitAlg\mathsf{.Output}} \newcommand{\ValueCommitValueBase}{\mathcal{V}} 
@@ -1135,6 +1140,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\NotePlaintext}[1]{\mathbf{np}_{#1}} \newcommand{\OutPlaintext}{\mathbf{op}} \newcommand{\NoteCommitRand}{\mathsf{\sprout{r}\notsprout{rcm}}} +\newcommand{\NoteCommitRandBytes}{\bytes{\NoteCommitRand}} +\newcommand{\NoteCommitRandBytesType}{\byteseq{32}} \newcommand{\NoteCommitRandLength}{\mathsf{\ell_{\NoteCommitRand}}} \newcommand{\NoteCommitRandOld}[1]{\NoteCommitRand^\mathsf{old}_{#1}} \newcommand{\NoteCommitRandNew}[1]{\NoteCommitRand^\mathsf{new}_{#1}} @@ -1550,6 +1557,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\GenJ}{\Generator_{\GroupJ}} \newcommand{\ellJ}{\ell_{\GroupJ}} \newcommand{\ReprJ}{\bitseq{\ellJ}} +\newcommand{\ReprJBytes}{\byteseq{\ellJ/8}} \newcommand{\reprJ}{\repr_{\GroupJ}} \newcommand{\reprJOf}[1]{\reprJ\!\left({#1}\right)\!} \newcommand{\abstJ}{\abst_{\GroupJ}} @@ -2389,8 +2397,14 @@ Each \SproutOrNothing{} \notePlaintext (denoted $\NotePlaintext{}$) consists of The \notePlaintext in each \outputDescription is encrypted to the \diversifiedPaymentAddress $(\Diversifier, \DiversifiedTransmitPublic)$. +\introlist Each \Sapling{} \notePlaintext (denoted $\NotePlaintext{}$) consists of -$(\Diversifier, \Value, \NoteCommitRand, \Memo)$. + +\vspace{-1ex} +\begin{formulae} + \item $(\Diversifier \typecolon \DiversifierType, \Value \typecolon \ValueType, + \NoteCommitRandBytes \typecolon \NoteCommitSaplingTrapdoorBytes, \Memo \typecolon \MemoType)$. +\end{formulae} } %saplingonward \changed{ 
@@ -3190,8 +3204,8 @@ random and an input, can be used to commit to the input in such a way that: \vspace{-3ex} A \commitmentScheme $\CommitAlg$ defines a type of inputs $\CommitInput$, -a type of commitments $\CommitOutput$, and a type of \commitmentTrapdoors -$\CommitTrapdoor$. +a type of commitments $\CommitOutput$, a type of \commitmentTrapdoors +$\CommitTrapdoor$, and a trapdoor generator $\CommitGenTrapdoor \typecolon () \rightarrowR \CommitTrapdoor$. \vspace{2ex} Let $\CommitAlg \typecolon \CommitTrapdoor \times \CommitInput \rightarrow \CommitOutput$ @@ -3200,8 +3214,8 @@ be a function satisfying the following security requirements. \vspace{-2ex} \begin{securityrequirements}[leftmargin=2em] \item \textbf{Computational hiding:} For all $x, x' \typecolon \CommitInput$, - the distributions $\{\; \Commit{r}(x) \;|\; r \leftarrowR \CommitTrapdoor \;\}$ - and $\{\; \Commit{r}(x') \;|\; r \leftarrowR \CommitTrapdoor \;\}$ are + the distributions $\{\, \Commit{r}(x) \;|\; r \leftarrowR \CommitGenTrapdoor() \,\}$ + and $\{\, \Commit{r}(x') \;|\; r \leftarrowR \CommitGenTrapdoor() \,\}$ are computationally indistinguishable. \item \textbf{Computational binding:} It is infeasible to find $x, x' \typecolon \CommitInput$ and 
@@ -3210,40 +3224,33 @@ be a function satisfying the following security requirements. \end{securityrequirements} \vspace{-3ex} -\pnote{ -If it were only feasible to find $x \typecolon \CommitInput$ and -$r, r' \typecolon \CommitTrapdoor$ such that $r \neq r'$ and -$\Commit{r}(x) = \Commit{r'}(x)$, this would not by itself contradict -the computational binding security requirement. -} - -\vspace{3ex} -Let $\NoteCommitRandLength$, $\MerkleHashLengthSprout$, $\PRFOutputLengthSprout$, and -$\ValueLength$ be as defined in \crossref{constants}. - -\sapling{ -Let $\SubgroupJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}. -} %sapling - \sprout{ -Define $\NoteCommitSproutTrapdoor := \bitseq{\NoteCommitRandLength}$ and -$\NoteCommitSproutOutput := \bitseq{\MerkleHashLengthSprout}$. +\pnote{If it were only feasible to find $x \typecolon \CommitInput$ and +$r, r' \typecolon \CommitTrapdoor$ such that $r \neq r'$ and +$\Commit{r}(x) = \Commit{r'}(x)$, this would not contradict +the computational binding security requirement.} } %sprout \notsprout{ -Define: -\begin{formulae} - \item $\NoteCommitSproutTrapdoor := \bitseq{\NoteCommitRandLength}$ and - $\NoteCommitSproutOutput := \bitseq{\MerkleHashLengthSprout}$; -\sapling{ - \item $\NoteCommitSaplingTrapdoor := \GF{\ParamJ{r}}$ and - $\NoteCommitSaplingOutput := \SubgroupJ$; - \item $\ValueCommitTrapdoor := \GF{\ParamJ{r}}$ and - $\ValueCommitOutput := \SubgroupJ$. -} %sapling -\end{formulae} +\begin{pnotes}[leftmargin=2em] + \item $\CommitGenTrapdoor$ need not produce the uniform distribution on $\CommitTrapdoor$. + In that case, it is incorrect to choose a trapdoor from the latter distribution. + \item If it were only feasible to find $x \typecolon \CommitInput$ and + $r, r' \typecolon \CommitTrapdoor$ such that $r \neq r'$ and + $\Commit{r}(x) = \Commit{r'}(x)$, this would not contradict + the computational binding security requirement. 
+ \sapling{(In fact, this is feasible for $\NoteCommitSaplingAlg$ and $\ValueCommitAlg$ + because trapdoors are equivalent modulo $\ParamJ{r}$, and the range of a trapdoor + for those algorithms is $\binaryrange{\ScalarLength}$ where $2^{\ScalarLength} > \ParamJ{r}$.)} +\end{pnotes} } %notsprout \vspace{1ex} +Let $\NoteCommitRandLength$, $\MerkleHashLengthSprout$, $\PRFOutputLengthSprout$, +and $\ValueLength$ be as defined in \crossref{constants}. + +Define $\NoteCommitSproutTrapdoor := \bitseq{\NoteCommitRandLength}$ and +$\NoteCommitSproutOutput := \bitseq{\MerkleHashLengthSprout}$. + \SproutOrZcash uses a \note{} \commitmentScheme \begin{tabular}{@{\hskip 1.5em}r@{\;}l} @@ -3256,6 +3263,19 @@ instantiated in \crossref{concretesproutnotecommit}. \sapling{ \vspace{2ex} +Let $\ScalarLength$ be as defined in \crossref{constants}. + +Let $\SubgroupJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}. + +\introlist +Define: +\begin{formulae} + \item $\NoteCommitSaplingTrapdoor := \binaryrange{\ScalarLength}$ and + $\NoteCommitSaplingOutput := \GroupJ$; + \item $\ValueCommitTrapdoor := \binaryrange{\ScalarLength}$ and + $\ValueCommitOutput := \GroupJ$. +\end{formulae} + \introlist \Sapling uses two additional commitment schemes: @@ -3267,6 +3287,11 @@ instantiated in \crossref{concretesproutnotecommit}. $\NoteCommitSapling{}$ is instantiated in \crossref{concretesaplingnotecommit}, and $\ValueCommit{}$ is instantiated in \crossref{concretevaluecommit}. + +\vspace{-2ex} +\nnote{$\NoteCommitSapling{}$ and $\ValueCommit{}$ always return points in the subgroup $\SubgroupJ$. +However, we declare the type of these commitment outputs to be $\GroupJ$ because they are not +checked to be in the subgroup when used in \spendDescriptions and \outputDescriptions.} } %sapling 
@@ -3839,7 +3864,7 @@ where \vspace{2ex} \begin{consensusrules} - \item Elements of a \spendDescription{} \MUST have the types given above. + \item Elements of a \spendDescription{} \MUST be canonical encodings of the types given above. \item $\AuthSignRandomizedPublic$ \MUSTNOT be of small order, i.e.\ $\scalarmult{\ParamJ{h}}{\AuthSignRandomizedPublic}$ \MUSTNOT be $\ZeroJ$. \item The proof $\Proof{\Spend}$ \MUST be valid given a \primaryInput formed @@ -3890,7 +3915,7 @@ where \end{itemize} \begin{consensusrules} - \item Elements of an \outputDescription{} \MUST have the types given above. + \item Elements of an \outputDescription{} \MUST be canonical encodings of the types given above. \vspace{-0.5ex} \item The proof $\Proof{\Output}$ \MUST be valid given a \primaryInput formed from the other fields except $\TransmitCiphertext{}$ and $\OutCiphertext{}$ --- @@ -3924,7 +3949,7 @@ uniformly at random on $\bitseq{\NoteAddressPreRandLength}$.} Then it creates each output \note with index $i \typecolon \setofNew$: \begin{itemize} - \item Choose uniformly random $\NoteCommitRandNew{i} \leftarrowR \NoteCommitSproutTrapdoor$. + \item Choose uniformly random $\NoteCommitRandNew{i} \leftarrowR \NoteCommitSproutGenTrapdoor()$. \changed{ \item Compute $\NoteAddressRandNew{i} = \PRFrho{\NoteAddressPreRand}(i, \hSig)$. \vspace{-0.5ex} @@ -3986,8 +4011,8 @@ the following steps: \vspace{-0.5ex} \begin{tabular}{@{\hskip 2em}r@{\;}l} - $\ValueCommitRandNew{}$ &$\leftarrowR \ValueCommitTrapdoor$ \\ - $\NoteCommitRandNew{}$ &$\leftarrowR \NoteCommitSaplingTrapdoor$ + $\ValueCommitRandNew{}$ &$\leftarrowR \ValueCommitGenTrapdoor()$ \\ + $\NoteCommitRandNew{}$ &$\leftarrowR \NoteCommitSaplingGenTrapdoor()$ \end{tabular} \item Calculate 
@@ -3999,7 +4024,8 @@ the following steps: \ValueNew{})$ \end{tabular} - \item Let $\NotePlaintext{} = (\Diversifier, \ValueNew{}, \NoteCommitRandNew{}, \Memo)$. + \item Let $\NotePlaintext{} = (\Diversifier, \ValueNew{}, \NoteCommitRandBytes, \Memo)$, where + $\NoteCommitRandBytes = \LEBStoOSPOf{256}{\ItoLEBSP{256}(\NoteCommitRandNew{})\kern-0.12em}$. \item Encrypt $\NotePlaintext{}$, $\cvNew{}$, and $\cmNew{}$ to the recipient \diversifiedTransmissionKey $\DiversifiedTransmitPublic$ with @@ -4047,7 +4073,7 @@ is constructed as follows: and derive its \payingKey $\AuthPublicOld{i}$. \item \vspace{-0.5ex} Set $\vOld{i} = 0$. \item Choose uniformly random $\NoteAddressRandOld{i} \leftarrowR \PRFOutputSprout$ - and $\NoteCommitRandOld{i} \leftarrowR \NoteCommitSproutTrapdoor$. + and $\NoteCommitRandOld{i} \leftarrowR \NoteCommitSproutGenTrapdoor()$. \item Compute $\nfOld{i} = \PRFnf{\AuthPrivateOld{i}}(\NoteAddressRandOld{i})$. \item Let $\TreePath{i}$ be a \dummy \merklePath for the \auxiliaryInput to the \joinSplitStatement (this will not be checked). @@ -4088,7 +4114,7 @@ A \dummy{} \Sapling input \note is constructed as follows: \item Generate a new \diversifiedPaymentAddress $(\Diversifier, \DiversifiedTransmitPublic)$ for $\SpendingKey$ as described in \crossref{saplingkeycomponents}. \item Set $\vOld{} = 0$, and set $\NotePosition = 0$. - \item Choose uniformly random $\NoteCommitRand \leftarrowR \NoteCommitSaplingTrapdoor$. + \item Choose uniformly random $\NoteCommitRand \leftarrowR \NoteCommitSaplingGenTrapdoor()$. and $\AuthProvePrivate \leftarrowR \GF{\ParamJ{r}}$. \item Compute $\AuthProvePublic = \scalarmult{\AuthProvePrivate}{\AuthProveBase}$ and $\AuthProvePublicRepr = \reprJOf{\AuthProvePublic}$\,. 
@@ -4661,7 +4687,7 @@ the prover knows an \auxiliaryInput: \hparen\DiversifiedTransmitPublic \typecolon \GroupJ,\vspace{0.6ex}\\ \hparen\vOld{} \typecolon \ValueType,\\ \hparen\ValueCommitRandOld{} \typecolon \binaryrange{\ScalarLength},\\ - \hparen\cmOld{} \typecolon \NoteCommitSaplingOutput,\\ + \hparen\cmOld{} \typecolon \GroupJ,\\ \hparen\NoteCommitRandOld{} \typecolon \binaryrange{\ScalarLength},\\ \hparen\AuthSignRandomizer \typecolon \binaryrange{\ScalarLength},\\ \hparen\AuthSignPublic \typecolon \SpendAuthSigPublic,\\ @@ -4727,14 +4753,14 @@ For details of the form and encoding of \spendStatement proofs, see \crossref{gr see \crossref{ccteddecompressvalidate} for implementation of validity checks on compressed representations of \jubjubCurve points. - The $\ValueCommitOutput$, $\NoteCommitSaplingOutput$, and $\SpendAuthSigPublic$ types also - represent points. + The $\ValueCommitOutput$ and $\SpendAuthSigPublic$ types also represent points, i.e. $\GroupJ$. \item In the Merkle path validity check, each \merkleLayer does \emph{not} check that its input bit sequence is a canonical encoding (in $\range{0}{\ParamJ{r}-1}$) of the integer from the previous \merkleLayer. \item It is \emph{not} checked in the \spendStatement that $\AuthSignRandomizedPublic$ is not of small order. However, this \emph{is} checked outside the \spendStatement, as specified in \crossref{spenddesc}. + \item It is \emph{not} checked that $\ValueCommitRandOld{} < \ParamJ{r}$ or that $\NoteCommitRandOld{} < \ParamJ{r}$. \item $\SpendAuthSigRandomizePublic(\AuthSignRandomizer, \AuthSignPublic) = \AuthSignPublic + \scalarmult{\AuthSignRandomizer}{\AuthSignBase}$. ($\AuthSignBase$ is as defined in \crossref{concretespendauthsig}.) \end{pnotes} 
@@ -4768,8 +4794,8 @@ the prover knows an \auxiliaryInput: \item $(\DiversifiedTransmitBase \typecolon \GroupJ,\\[0.5ex] \hparen\DiversifiedTransmitPublicRepr \typecolon \ReprJ,\\ \hparen\vNew{} \typecolon \ValueType,\\ - \hparen\ValueCommitRandNew{} \typecolon \ValueCommitTrapdoor,\\ - \hparen\NoteCommitRandNew{} \typecolon \NoteCommitSaplingTrapdoor,\\ + \hparen\ValueCommitRandNew{} \typecolon \binaryrange{\ScalarLength},\\ + \hparen\NoteCommitRandNew{} \typecolon \binaryrange{\ScalarLength},\\ \hparen\EphemeralPrivate \typecolon \binaryrange{\ScalarLength})$ \end{formulae} \vspace{-1ex} @@ -4806,8 +4832,9 @@ For details of the form and encoding of \outputStatement proofs, see \crossref{g see \crossref{ccteddecompressvalidate} for implementation of validity checks on compressed representations of \jubjubCurve points. - The $\ValueCommitOutput$ and $\NoteCommitSaplingOutput$ types also represent points. + The $\ValueCommitOutput$ type also represents points, i.e. $\GroupJ$. \item The validity of $\DiversifiedTransmitPublicRepr$ is \emph{not} checked in this circuit. + \item It is \emph{not} checked that $\ValueCommitRandOld{} < \ParamJ{r}$ or that $\NoteCommitRandOld{} < \ParamJ{r}$. \end{pnotes} } %sapling @@ -4987,7 +5014,7 @@ Since \Sapling \note encryption is used only in the context of \crossref{sapling $\DiversifiedTransmitBaseNew$ has already been calculated and is not $\bot$. \introsection -Let $\NotePlaintext{} = (\Diversifier, \Value, \NoteCommitRand, \Memo)$ be the \Sapling{} \notePlaintext. +Let $\NotePlaintext{} = (\Diversifier, \Value, \NoteCommitRandBytes, \Memo)$ be the \Sapling{} \notePlaintext. $\NotePlaintext{}$ is encoded as defined in \crossref{notept}. 
@@ -5043,8 +5070,9 @@ components of the \noteCiphertext as follows: \item if $\TransmitPlaintext{} = \bot$, return $\bot$ \item extract $\NotePlaintext{} = (\Diversifier \typecolon \DiversifierType, \Value \typecolon \ValueType, \NoteCommitRandBytes \typecolon \NoteCommitSaplingTrapdoorBytes, \Memo \typecolon \MemoType)$ from $\TransmitPlaintext{}$ - \item let $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$ - \item if $\DiversifiedTransmitBase = \bot$, return $\bot$ + \item let $\NoteCommitRand = \LEOStoIPOf{256}{\NoteCommitRandBytes}$ + and $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$ + \item if $\NoteCommitRand \geq \ParamJ{r}$ or $\DiversifiedTransmitBase = \bot$, return $\bot$ \item let $\DiversifiedTransmitPublic = \KASaplingDerivePublic(\InViewingKey, \DiversifiedTransmitBase)$ \item if $\NoteCommitSapling{\NoteCommitRand}(\reprJOf{\DiversifiedTransmitBase}, \reprJOf{\DiversifiedTransmitPublic}, 
@@ -5097,9 +5125,11 @@ The \outgoingViewingKey holder will attempt to decrypt the \noteCiphertext as fo \item let $\TransmitKey{} = \KDFSapling(\DHSecret{}, \EphemeralPublic)$ \item let $\TransmitPlaintext{} = \SymDecrypt{\TransmitKey{}}(\TransmitCiphertext{})$ \item if $\TransmitPlaintext{} = \bot$, return $\bot$ - \item extract $\NotePlaintext{} = (\Diversifier, \Value, \NoteCommitRand, \Memo)$ from $\TransmitPlaintext{}$ - \item let $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$ - \item if $\DiversifiedTransmitBase = \bot$, return $\bot$ + \item extract $\NotePlaintext{} = (\Diversifier \typecolon \DiversifierType, \Value \typecolon \ValueType, +\NoteCommitRandBytes \typecolon \NoteCommitSaplingTrapdoorBytes, \Memo \typecolon \MemoType)$ from $\TransmitPlaintext{}$ + \item let $\NoteCommitRand = \LEOStoIPOf{256}{\NoteCommitRandBytes}$ + and $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$ + \item if $\NoteCommitRand \geq \ParamJ{r}$ or $\DiversifiedTransmitBase = \bot$, return $\bot$ \item if $\KASaplingDerivePublic(\EphemeralPrivate, \DiversifiedTransmitBase) \neq \EphemeralPublic$, return $\bot$ \item if $\NoteCommitSapling{\NoteCommitRandNew{}}(\reprJOf{\DiversifiedTransmitBase}, @@ -6480,6 +6510,7 @@ instantiated using $\SHAFull$ as follows: \begin{formulae}[leftmargin=1em] \item $\NoteCommitSprout{\NoteCommitRand}(\AuthPublic, \Value, \NoteAddressRand) := \SHAFullBox{\cmbox}$ + \item $\NoteCommitSproutGenTrapdoor()$ generates the uniform distribution on $\NoteCommitSproutTrapdoor$. \end{formulae} \pnote{ 
@@ -6517,7 +6548,8 @@ instantiated as follows using $\WindowedPedersenCommitAlg$: \begin{formulae} \item $\NoteCommitSapling{\NoteCommitRand}(\DiversifiedTransmitBaseRepr, \DiversifiedTransmitPublicRepr, \Value) := \WindowedPedersenCommit{\NoteCommitRand}\left(\ones{6} \bconcat \ItoLEBSPOf{64}{\Value} \bconcat - \DiversifiedTransmitBaseRepr \bconcat \DiversifiedTransmitPublicRepr\right)$. + \DiversifiedTransmitBaseRepr \bconcat \DiversifiedTransmitPublicRepr\right)$ + \item $\NoteCommitSaplingGenTrapdoor()$ generates the uniform distribution on $\GF{\ParamJ{r}}$. \end{formulae} \vspace{-3ex} @@ -6555,6 +6587,7 @@ In order to support this property, we also define \quotedterm{homomorphic} \begin{formulae} \item $\HomomorphicPedersenCommit{\ValueCommitRand}(D, \Value) := \scalarmult{\Value}{\FindGroupJHashOf{D, \ascii{v}}} + \scalarmult{\ValueCommitRand}{\FindGroupJHashOf{D, \ascii{r}}}$ + \item $\ValueCommitGenTrapdoor()$ generates the uniform distribution on $\GF{\ParamJ{r}}$. \end{formulae} See \crossref{ccthomomorphiccommit} for rationale and efficient circuit implementation @@ -8084,8 +8117,11 @@ $64$ & $\spendAuthSig$ & \type{char[64]} & A signature authorizing this spend. \ \end{tabularx} \end{center} -Consensus rules applying to a \spendDescription are given in \crossref{spenddesc}. +\vspace{-5.5ex} +\consensusrule{$\LEOStoIPOf{256}{\anchorField}$ \MUST be less than $\ParamJ{q}$.} +\vspace{-0.5ex} +Other consensus rules applying to a \spendDescription are given in \crossref{spenddesc}. \introsection \subsection{Encoding of \OutputDescriptions} \label{outputencoding} 
@@ -8132,7 +8168,11 @@ $\ProofOutput$ (see \crossref{groth}). \\ \hline The $\ephemeralKey$ and $\encCiphertext$ fields together form the \noteCiphertext, which is computed as described in \crossref{saplinginband}. -Consensus rules applying to an \outputDescription are given in \crossref{outputdesc}. +\vspace{-4ex} +\consensusrule{$\LEOStoIPOf{256}{\cmField}$ \MUST be less than $\ParamJ{q}$.} + +\vspace{-0.5ex} +Other consensus rules applying to an \outputDescription are given in \crossref{outputdesc}. } @@ -9316,7 +9356,13 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \sapling{ \item Use the more precise subgroup types $\SubgroupG$ and $\SubgroupJ$ in preference to $\GroupG{}$ and $\GroupJ$ where applicable. - \item Correct or improve the types of $\GroupJHash{}$, $\FindGroupJHash$, $\ExtractJ$, $\PRFexpand{}$, and $\CRHivk$. + \item Change the types of \auxiliaryInputs to the \spendStatement and \outputStatement, to be more + faithful to the implementation. + \item Add explicit consensus rules that the $\anchorField$ field of a \spendDescription and the $\cmField$ + field of an \outputDescription{} must be canonical encodings. + \item Change the syntax of a \commitmentScheme to add $\CommitGenTrapdoor$. This is necessary + because the intended distribution of \commitmentTrapdoors may not be uniform on all values + that are acceptable trapdoor inputs. \item Ensure that \Sprout functions and values are given \Sprout-specific types where appropriate. \item Improve cross-referencing. \item Clarify the use of $\PHGR$ vs $\Groth$ proofs in \joinSplitStatements.
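Review bot: the \outputStatement note added in hunk @@ -4806 refers to the wrong variables. It reads `\item It is \emph{not} checked that $\ValueCommitRandOld{} < \ParamJ{r}$ or that $\NoteCommitRandOld{} < \ParamJ{r}$.`, but the \auxiliaryInput list changed in the same region (hunk @@ -4768) names $\ValueCommitRandNew{}$ and $\NoteCommitRandNew{}$; $\ValueCommitRandOld{}$ and $\NoteCommitRandOld{}$ are only defined for the \spendStatement, so this looks copied from hunk @@ -4727. Suggest `\item It is \emph{not} checked that $\ValueCommitRandNew{} < \ParamJ{r}$ or that $\NoteCommitRandNew{} < \ParamJ{r}$.` so the note documents the actual unchecked inputs of the Output circuit.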
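Review bot: hunk @@ -4088 leaves a stray full stop before "and": `\item Choose uniformly random $\NoteCommitRand \leftarrowR \NoteCommitSaplingGenTrapdoor()$.` is immediately followed by the unchanged `and $\AuthProvePrivate \leftarrowR \GF{\ParamJ{r}}$.`, which now reads as two fragments; since the line is touched anyway, drop the first period. The same three hunks (@@ -3924, @@ -4047, @@ -4088) also keep the wording "Choose uniformly random ... $\leftarrowR \ldots\mathsf{GenTrapdoor}()$", which sits awkwardly next to the new \pnote in hunk @@ -3210 that $\CommitGenTrapdoor$ need not produce the uniform distribution on $\CommitTrapdoor$; the generator now defines the distribution, so "Choose $\NoteCommitRand \leftarrowR \NoteCommitSaplingGenTrapdoor()$" is both shorter and consistent with that note.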
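Review bot: in the outgoing-viewing-key decryption hunk @@ -5097 the new line `\item let $\NoteCommitRand = \LEOStoIPOf{256}{\NoteCommitRandBytes}$` binds $\NoteCommitRand$ and the following line range-checks it, but the unchanged context two lines later recomputes the commitment as `\item if $\NoteCommitSapling{\NoteCommitRandNew{}}(\reprJOf{\DiversifiedTransmitBase},`, i.e. with $\NoteCommitRandNew{}$, which this algorithm never assigns. Either rename the binding to $\NoteCommitRandNew{}$ or change the commitment check to use $\NoteCommitRand$, matching the incoming-viewing-key algorithm in hunk @@ -5043, so that the value that was checked to be $< \ParamJ{r}$ is the one actually fed to $\NoteCommitSapling{}$.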
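Review bot: hunk @@ -1135 introduces two macros for the same type. `\newcommand{\NoteCommitRandBytesType}{\byteseq{32}}` is added here, but every later hunk that types the plaintext field (`\NoteCommitRandBytes \typecolon \NoteCommitSaplingTrapdoorBytes` in @@ -2389, @@ -5043 and @@ -5097) uses $\NoteCommitSaplingTrapdoorBytes$, which hunk @@ -1035 also defines as `\byteseq{32}`. Remove $\NoteCommitRandBytesType$, or define it as `\newcommand{\NoteCommitRandBytesType}{\NoteCommitSaplingTrapdoorBytes}`, so the 32-byte encoding of $\NoteCommitRand$ cannot silently drift from the trapdoor encoding it is required to match.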
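Review bot: hunk @@ -3999 encodes the trapdoor as `$\NoteCommitRandBytes = \LEBStoOSPOf{256}{\ItoLEBSP{256}(\NoteCommitRandNew{})\kern-0.12em}$`, calling $\ItoLEBSP{256}(\cdot)$ with parentheses, whereas the rest of the file uses the `\ItoLEBSPOf{64}{\Value}` form (see hunk @@ -6517); using the `Of` form here also removes the need for the `\kern-0.12em` spacing hack inside the argument. The encoding itself is consistent with the decoder: $\NoteCommitRandNew{}$ is drawn from $\NoteCommitSaplingGenTrapdoor()$, which hunk @@ -6517 defines as uniform on $\GF{\ParamJ{r}}$, so it fits in 256 bits and the `$\NoteCommitRand \geq \ParamJ{r}$` rejection in hunks @@ -5043 and @@ -5097 never fires for honestly generated plaintexts.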
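Review bot: the changelog hunk @@ -9316 deletes the existing item `\item Correct or improve the types of $\GroupJHash{}$, $\FindGroupJHash$, $\ExtractJ$, $\PRFexpand{}$, and $\CRHivk$.` and nothing else in this diff touches those definitions or re-adds the item elsewhere. If it was moved to another release's list or folded into the new "Change the types of \auxiliaryInputs" entry, the commit message should say so; otherwise the removal looks accidental and the item should be restored alongside the three new ones.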