Refactoring/type changes for commitment randomness and outputs.
This also affects the type of Sapling note plaintexts. Includes potential consensus changes (which *should* match the implementation)! Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
cb730f241e
commit
57f16ea6da
|
@ -1035,21 +1035,26 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\CommitAlg}{\mathsf{COMM}}
|
||||
\newcommand{\Commit}[1]{\CommitAlg_{#1}}
|
||||
\newcommand{\CommitTrapdoor}{\CommitAlg\mathsf{.Trapdoor}}
|
||||
\newcommand{\CommitGenTrapdoor}{\CommitAlg\mathsf{.GenTrapdoor}}
|
||||
\newcommand{\CommitInput}{\CommitAlg\mathsf{.Input}}
|
||||
\newcommand{\CommitOutput}{\CommitAlg\mathsf{.Output}}
|
||||
\newcommand{\NoteCommitSproutAlg}{\mathsf{\sprout{COMM}\notsprout{NoteCommit}}^{\mathsf{Sprout}}}
|
||||
\newcommand{\NoteCommitSprout}[1]{\NoteCommitSproutAlg_{#1}}
|
||||
\newcommand{\NoteCommitSproutTrapdoor}{\NoteCommitSproutAlg\mathsf{.Trapdoor}}
|
||||
\newcommand{\NoteCommitSproutGenTrapdoor}{\NoteCommitSproutAlg\mathsf{.GenTrapdoor}}
|
||||
\newcommand{\NoteCommitSproutInput}{\NoteCommitSproutAlg\mathsf{.Input}}
|
||||
\newcommand{\NoteCommitSproutOutput}{\NoteCommitSproutAlg\mathsf{.Output}}
|
||||
\newcommand{\NoteCommitSaplingAlg}{\mathsf{NoteCommit}^{\mathsf{Sapling}}}
|
||||
\newcommand{\NoteCommitSapling}[1]{\NoteCommitSaplingAlg_{#1}}
|
||||
\newcommand{\NoteCommitSaplingTrapdoor}{\NoteCommitSaplingAlg\mathsf{.Trapdoor}}
|
||||
\newcommand{\NoteCommitSaplingTrapdoorBytes}{\byteseq{32}}
|
||||
\newcommand{\NoteCommitSaplingGenTrapdoor}{\NoteCommitSaplingAlg\mathsf{.GenTrapdoor}}
|
||||
\newcommand{\NoteCommitSaplingInput}{\NoteCommitSaplingAlg\mathsf{.Input}}
|
||||
\newcommand{\NoteCommitSaplingOutput}{\NoteCommitSaplingAlg\mathsf{.Output}}
|
||||
\newcommand{\ValueCommitAlg}{\mathsf{ValueCommit}}
|
||||
\newcommand{\ValueCommit}[1]{\ValueCommitAlg_{#1}}
|
||||
\newcommand{\ValueCommitTrapdoor}{\ValueCommitAlg\mathsf{.Trapdoor}}
|
||||
\newcommand{\ValueCommitGenTrapdoor}{\ValueCommitAlg\mathsf{.GenTrapdoor}}
|
||||
\newcommand{\ValueCommitInput}{\ValueCommitAlg\mathsf{.Input}}
|
||||
\newcommand{\ValueCommitOutput}{\ValueCommitAlg\mathsf{.Output}}
|
||||
\newcommand{\ValueCommitValueBase}{\mathcal{V}}
|
||||
|
@ -1135,6 +1140,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\NotePlaintext}[1]{\mathbf{np}_{#1}}
|
||||
\newcommand{\OutPlaintext}{\mathbf{op}}
|
||||
\newcommand{\NoteCommitRand}{\mathsf{\sprout{r}\notsprout{rcm}}}
|
||||
\newcommand{\NoteCommitRandBytes}{\bytes{\NoteCommitRand}}
|
||||
\newcommand{\NoteCommitRandBytesType}{\byteseq{32}}
|
||||
\newcommand{\NoteCommitRandLength}{\mathsf{\ell_{\NoteCommitRand}}}
|
||||
\newcommand{\NoteCommitRandOld}[1]{\NoteCommitRand^\mathsf{old}_{#1}}
|
||||
\newcommand{\NoteCommitRandNew}[1]{\NoteCommitRand^\mathsf{new}_{#1}}
|
||||
|
@ -1550,6 +1557,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\GenJ}{\Generator_{\GroupJ}}
|
||||
\newcommand{\ellJ}{\ell_{\GroupJ}}
|
||||
\newcommand{\ReprJ}{\bitseq{\ellJ}}
|
||||
\newcommand{\ReprJBytes}{\byteseq{\ellJ/8}}
|
||||
\newcommand{\reprJ}{\repr_{\GroupJ}}
|
||||
\newcommand{\reprJOf}[1]{\reprJ\!\left({#1}\right)\!}
|
||||
\newcommand{\abstJ}{\abst_{\GroupJ}}
|
||||
|
@ -2389,8 +2397,14 @@ Each \SproutOrNothing{} \notePlaintext (denoted $\NotePlaintext{}$) consists of
|
|||
The \notePlaintext in each \outputDescription is encrypted to the
|
||||
\diversifiedPaymentAddress $(\Diversifier, \DiversifiedTransmitPublic)$.
|
||||
|
||||
\introlist
|
||||
Each \Sapling{} \notePlaintext (denoted $\NotePlaintext{}$) consists of
|
||||
$(\Diversifier, \Value, \NoteCommitRand, \Memo)$.
|
||||
|
||||
\vspace{-1ex}
|
||||
\begin{formulae}
|
||||
\item $(\Diversifier \typecolon \DiversifierType, \Value \typecolon \ValueType,
|
||||
\NoteCommitRandBytes \typecolon \NoteCommitSaplingTrapdoorBytes, \Memo \typecolon \MemoType)$.
|
||||
\end{formulae}
|
||||
} %saplingonward
|
||||
|
||||
\changed{
|
||||
|
@ -3190,8 +3204,8 @@ random and an input, can be used to commit to the input in such a way that:
|
|||
|
||||
\vspace{-3ex}
|
||||
A \commitmentScheme $\CommitAlg$ defines a type of inputs $\CommitInput$,
|
||||
a type of commitments $\CommitOutput$, and a type of \commitmentTrapdoors
|
||||
$\CommitTrapdoor$.
|
||||
a type of commitments $\CommitOutput$, a type of \commitmentTrapdoors
|
||||
$\CommitTrapdoor$, and a trapdoor generator $\CommitGenTrapdoor \typecolon () \rightarrowR \CommitTrapdoor$.
|
||||
|
||||
\vspace{2ex}
|
||||
Let $\CommitAlg \typecolon \CommitTrapdoor \times \CommitInput \rightarrow \CommitOutput$
|
||||
|
@ -3200,8 +3214,8 @@ be a function satisfying the following security requirements.
|
|||
\vspace{-2ex}
|
||||
\begin{securityrequirements}[leftmargin=2em]
|
||||
\item \textbf{Computational hiding:} For all $x, x' \typecolon \CommitInput$,
|
||||
the distributions $\{\; \Commit{r}(x) \;|\; r \leftarrowR \CommitTrapdoor \;\}$
|
||||
and $\{\; \Commit{r}(x') \;|\; r \leftarrowR \CommitTrapdoor \;\}$ are
|
||||
the distributions $\{\, \Commit{r}(x) \;|\; r \leftarrowR \CommitGenTrapdoor() \,\}$
|
||||
and $\{\, \Commit{r}(x') \;|\; r \leftarrowR \CommitGenTrapdoor() \,\}$ are
|
||||
computationally indistinguishable.
|
||||
\item \textbf{Computational binding:} It is infeasible to find
|
||||
$x, x' \typecolon \CommitInput$ and
|
||||
|
@ -3210,40 +3224,33 @@ be a function satisfying the following security requirements.
|
|||
\end{securityrequirements}
|
||||
|
||||
\vspace{-3ex}
|
||||
\pnote{
|
||||
If it were only feasible to find $x \typecolon \CommitInput$ and
|
||||
$r, r' \typecolon \CommitTrapdoor$ such that $r \neq r'$ and
|
||||
$\Commit{r}(x) = \Commit{r'}(x)$, this would not by itself contradict
|
||||
the computational binding security requirement.
|
||||
}
|
||||
|
||||
\vspace{3ex}
|
||||
Let $\NoteCommitRandLength$, $\MerkleHashLengthSprout$, $\PRFOutputLengthSprout$, and
|
||||
$\ValueLength$ be as defined in \crossref{constants}.
|
||||
|
||||
\sapling{
|
||||
Let $\SubgroupJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}.
|
||||
} %sapling
|
||||
|
||||
\sprout{
|
||||
Define $\NoteCommitSproutTrapdoor := \bitseq{\NoteCommitRandLength}$ and
|
||||
$\NoteCommitSproutOutput := \bitseq{\MerkleHashLengthSprout}$.
|
||||
\pnote{If it were only feasible to find $x \typecolon \CommitInput$ and
|
||||
$r, r' \typecolon \CommitTrapdoor$ such that $r \neq r'$ and
|
||||
$\Commit{r}(x) = \Commit{r'}(x)$, this would not contradict
|
||||
the computational binding security requirement.}
|
||||
} %sprout
|
||||
\notsprout{
|
||||
Define:
|
||||
\begin{formulae}
|
||||
\item $\NoteCommitSproutTrapdoor := \bitseq{\NoteCommitRandLength}$ and
|
||||
$\NoteCommitSproutOutput := \bitseq{\MerkleHashLengthSprout}$;
|
||||
\sapling{
|
||||
\item $\NoteCommitSaplingTrapdoor := \GF{\ParamJ{r}}$ and
|
||||
$\NoteCommitSaplingOutput := \SubgroupJ$;
|
||||
\item $\ValueCommitTrapdoor := \GF{\ParamJ{r}}$ and
|
||||
$\ValueCommitOutput := \SubgroupJ$.
|
||||
} %sapling
|
||||
\end{formulae}
|
||||
\begin{pnotes}[leftmargin=2em]
|
||||
\item $\CommitGenTrapdoor$ need not produce the uniform distribution on $\CommitTrapdoor$.
|
||||
In that case, it is incorrect to choose a trapdoor from the latter distribution.
|
||||
\item If it were only feasible to find $x \typecolon \CommitInput$ and
|
||||
$r, r' \typecolon \CommitTrapdoor$ such that $r \neq r'$ and
|
||||
$\Commit{r}(x) = \Commit{r'}(x)$, this would not contradict
|
||||
the computational binding security requirement.
|
||||
\sapling{(In fact, this is feasible for $\NoteCommitSaplingAlg$ and $\ValueCommitAlg$
|
||||
because trapdoors are equivalent modulo $\ParamJ{r}$, and the range of a trapdoor
|
||||
for those algorithms is $\binaryrange{\ScalarLength}$ where $2^{\ScalarLength} > \ParamJ{r}$.)}
|
||||
\end{pnotes}
|
||||
} %notsprout
|
||||
|
||||
\vspace{1ex}
|
||||
Let $\NoteCommitRandLength$, $\MerkleHashLengthSprout$, $\PRFOutputLengthSprout$,
|
||||
and $\ValueLength$ be as defined in \crossref{constants}.
|
||||
|
||||
Define $\NoteCommitSproutTrapdoor := \bitseq{\NoteCommitRandLength}$ and
|
||||
$\NoteCommitSproutOutput := \bitseq{\MerkleHashLengthSprout}$.
|
||||
|
||||
\SproutOrZcash uses a \note{} \commitmentScheme
|
||||
|
||||
\begin{tabular}{@{\hskip 1.5em}r@{\;}l}
|
||||
|
@ -3256,6 +3263,19 @@ instantiated in \crossref{concretesproutnotecommit}.
|
|||
|
||||
\sapling{
|
||||
\vspace{2ex}
|
||||
Let $\ScalarLength$ be as defined in \crossref{constants}.
|
||||
|
||||
Let $\SubgroupJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}.
|
||||
|
||||
\introlist
|
||||
Define:
|
||||
\begin{formulae}
|
||||
\item $\NoteCommitSaplingTrapdoor := \binaryrange{\ScalarLength}$ and
|
||||
$\NoteCommitSaplingOutput := \GroupJ$;
|
||||
\item $\ValueCommitTrapdoor := \binaryrange{\ScalarLength}$ and
|
||||
$\ValueCommitOutput := \GroupJ$.
|
||||
\end{formulae}
|
||||
|
||||
\introlist
|
||||
\Sapling uses two additional commitment schemes:
|
||||
|
||||
|
@ -3267,6 +3287,11 @@ instantiated in \crossref{concretesproutnotecommit}.
|
|||
|
||||
$\NoteCommitSapling{}$ is instantiated in \crossref{concretesaplingnotecommit}, and
|
||||
$\ValueCommit{}$ is instantiated in \crossref{concretevaluecommit}.
|
||||
|
||||
\vspace{-2ex}
|
||||
\nnote{$\NoteCommitSapling{}$ and $\ValueCommit{}$ always return points in the subgroup $\SubgroupJ$.
|
||||
However, we declare the type of these commitment outputs to be $\GroupJ$ because they are not
|
||||
checked to be in the subgroup when used in \spendDescriptions and \outputDescriptions.}
|
||||
} %sapling
|
||||
|
||||
|
||||
|
@ -3839,7 +3864,7 @@ where
|
|||
|
||||
\vspace{2ex}
|
||||
\begin{consensusrules}
|
||||
\item Elements of a \spendDescription{} \MUST have the types given above.
|
||||
\item Elements of a \spendDescription{} \MUST be canonical encodings of the types given above.
|
||||
\item $\AuthSignRandomizedPublic$ \MUSTNOT be of small order, i.e.\ $\scalarmult{\ParamJ{h}}{\AuthSignRandomizedPublic}$
|
||||
\MUSTNOT be $\ZeroJ$.
|
||||
\item The proof $\Proof{\Spend}$ \MUST be valid given a \primaryInput formed
|
||||
|
@ -3890,7 +3915,7 @@ where
|
|||
\end{itemize}
|
||||
|
||||
\begin{consensusrules}
|
||||
\item Elements of an \outputDescription{} \MUST have the types given above.
|
||||
\item Elements of an \outputDescription{} \MUST be canonical encodings of the types given above.
|
||||
\vspace{-0.5ex}
|
||||
\item The proof $\Proof{\Output}$ \MUST be valid given a \primaryInput formed
|
||||
from the other fields except $\TransmitCiphertext{}$ and $\OutCiphertext{}$ ---
|
||||
|
@ -3924,7 +3949,7 @@ uniformly at random on $\bitseq{\NoteAddressPreRandLength}$.}
|
|||
Then it creates each output \note with index $i \typecolon \setofNew$:
|
||||
|
||||
\begin{itemize}
|
||||
\item Choose uniformly random $\NoteCommitRandNew{i} \leftarrowR \NoteCommitSproutTrapdoor$.
|
||||
\item Choose uniformly random $\NoteCommitRandNew{i} \leftarrowR \NoteCommitSproutGenTrapdoor()$.
|
||||
\changed{
|
||||
\item Compute $\NoteAddressRandNew{i} = \PRFrho{\NoteAddressPreRand}(i, \hSig)$.
|
||||
\vspace{-0.5ex}
|
||||
|
@ -3986,8 +4011,8 @@ the following steps:
|
|||
\vspace{-0.5ex}
|
||||
|
||||
\begin{tabular}{@{\hskip 2em}r@{\;}l}
|
||||
$\ValueCommitRandNew{}$ &$\leftarrowR \ValueCommitTrapdoor$ \\
|
||||
$\NoteCommitRandNew{}$ &$\leftarrowR \NoteCommitSaplingTrapdoor$
|
||||
$\ValueCommitRandNew{}$ &$\leftarrowR \ValueCommitGenTrapdoor()$ \\
|
||||
$\NoteCommitRandNew{}$ &$\leftarrowR \NoteCommitSaplingGenTrapdoor()$
|
||||
\end{tabular}
|
||||
|
||||
\item Calculate
|
||||
|
@ -3999,7 +4024,8 @@ the following steps:
|
|||
\ValueNew{})$
|
||||
\end{tabular}
|
||||
|
||||
\item Let $\NotePlaintext{} = (\Diversifier, \ValueNew{}, \NoteCommitRandNew{}, \Memo)$.
|
||||
\item Let $\NotePlaintext{} = (\Diversifier, \ValueNew{}, \NoteCommitRandBytes, \Memo)$, where
|
||||
$\NoteCommitRandBytes = \LEBStoOSPOf{256}{\ItoLEBSP{256}(\NoteCommitRandNew{})\kern-0.12em}$.
|
||||
|
||||
\item Encrypt $\NotePlaintext{}$, $\cvNew{}$, and $\cmNew{}$ to the recipient
|
||||
\diversifiedTransmissionKey $\DiversifiedTransmitPublic$ with
|
||||
|
@ -4047,7 +4073,7 @@ is constructed as follows:
|
|||
and derive its \payingKey $\AuthPublicOld{i}$.
|
||||
\item \vspace{-0.5ex} Set $\vOld{i} = 0$.
|
||||
\item Choose uniformly random $\NoteAddressRandOld{i} \leftarrowR \PRFOutputSprout$
|
||||
and $\NoteCommitRandOld{i} \leftarrowR \NoteCommitSproutTrapdoor$.
|
||||
and $\NoteCommitRandOld{i} \leftarrowR \NoteCommitSproutGenTrapdoor()$.
|
||||
\item Compute $\nfOld{i} = \PRFnf{\AuthPrivateOld{i}}(\NoteAddressRandOld{i})$.
|
||||
\item Let $\TreePath{i}$ be a \dummy \merklePath for the
|
||||
\auxiliaryInput to the \joinSplitStatement (this will not be checked).
|
||||
|
@ -4088,7 +4114,7 @@ A \dummy{} \Sapling input \note is constructed as follows:
|
|||
\item Generate a new \diversifiedPaymentAddress $(\Diversifier, \DiversifiedTransmitPublic)$
|
||||
for $\SpendingKey$ as described in \crossref{saplingkeycomponents}.
|
||||
\item Set $\vOld{} = 0$, and set $\NotePosition = 0$.
|
||||
\item Choose uniformly random $\NoteCommitRand \leftarrowR \NoteCommitSaplingTrapdoor$.
|
||||
\item Choose uniformly random $\NoteCommitRand \leftarrowR \NoteCommitSaplingGenTrapdoor()$.
|
||||
and $\AuthProvePrivate \leftarrowR \GF{\ParamJ{r}}$.
|
||||
\item Compute $\AuthProvePublic = \scalarmult{\AuthProvePrivate}{\AuthProveBase}$ and
|
||||
$\AuthProvePublicRepr = \reprJOf{\AuthProvePublic}$\,.
|
||||
|
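Review bot: The rewritten line for the dummy Sapling input note closes the sentence with a full stop (`\NoteCommitSaplingGenTrapdoor()$.`) while the following context line continues it with `and $\AuthProvePrivate \leftarrowR \GF{\ParamJ{r}}$.`, so the typeset text reads as a fragment followed by a dangling "and". The stray period predates this commit, but the new line preserves it; since the line is being replaced anyway, drop it: `\item Choose uniformly random $\NoteCommitRand \leftarrowR \NoteCommitSaplingGenTrapdoor()$`. The enclosing itemize starts before this hunk.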
@ -4661,7 +4687,7 @@ the prover knows an \auxiliaryInput:
|
|||
\hparen\DiversifiedTransmitPublic \typecolon \GroupJ,\vspace{0.6ex}\\
|
||||
\hparen\vOld{} \typecolon \ValueType,\\
|
||||
\hparen\ValueCommitRandOld{} \typecolon \binaryrange{\ScalarLength},\\
|
||||
\hparen\cmOld{} \typecolon \NoteCommitSaplingOutput,\\
|
||||
\hparen\cmOld{} \typecolon \GroupJ,\\
|
||||
\hparen\NoteCommitRandOld{} \typecolon \binaryrange{\ScalarLength},\\
|
||||
\hparen\AuthSignRandomizer \typecolon \binaryrange{\ScalarLength},\\
|
||||
\hparen\AuthSignPublic \typecolon \SpendAuthSigPublic,\\
|
||||
|
@ -4727,14 +4753,14 @@ For details of the form and encoding of \spendStatement proofs, see \crossref{gr
|
|||
see \crossref{ccteddecompressvalidate} for implementation of validity checks on compressed
|
||||
representations of \jubjubCurve points.
|
||||
|
||||
The $\ValueCommitOutput$, $\NoteCommitSaplingOutput$, and $\SpendAuthSigPublic$ types also
|
||||
represent points.
|
||||
The $\ValueCommitOutput$ and $\SpendAuthSigPublic$ types also represent points, i.e. $\GroupJ$.
|
||||
\item In the Merkle path validity check, each \merkleLayer does \emph{not} check that its
|
||||
input bit sequence is a canonical encoding (in $\range{0}{\ParamJ{r}-1}$) of the integer
|
||||
from the previous \merkleLayer.
|
||||
\item It is \emph{not} checked in the \spendStatement that $\AuthSignRandomizedPublic$ is not of
|
||||
small order. However, this \emph{is} checked outside the \spendStatement, as specified in
|
||||
\crossref{spenddesc}.
|
||||
\item It is \emph{not} checked that $\ValueCommitRandOld{} < \ParamJ{r}$ or that $\NoteCommitRandOld{} < \ParamJ{r}$.
|
||||
\item $\SpendAuthSigRandomizePublic(\AuthSignRandomizer, \AuthSignPublic) = \AuthSignPublic + \scalarmult{\AuthSignRandomizer}{\AuthSignBase}$.
|
||||
($\AuthSignBase$ is as defined in \crossref{concretespendauthsig}.)
|
||||
\end{pnotes}
|
||||
|
@ -4768,8 +4794,8 @@ the prover knows an \auxiliaryInput:
|
|||
\item $(\DiversifiedTransmitBase \typecolon \GroupJ,\\[0.5ex]
|
||||
\hparen\DiversifiedTransmitPublicRepr \typecolon \ReprJ,\\
|
||||
\hparen\vNew{} \typecolon \ValueType,\\
|
||||
\hparen\ValueCommitRandNew{} \typecolon \ValueCommitTrapdoor,\\
|
||||
\hparen\NoteCommitRandNew{} \typecolon \NoteCommitSaplingTrapdoor,\\
|
||||
\hparen\ValueCommitRandNew{} \typecolon \binaryrange{\ScalarLength},\\
|
||||
\hparen\NoteCommitRandNew{} \typecolon \binaryrange{\ScalarLength},\\
|
||||
\hparen\EphemeralPrivate \typecolon \binaryrange{\ScalarLength})$
|
||||
\end{formulae}
|
||||
\vspace{-1ex}
|
||||
|
@ -4806,8 +4832,9 @@ For details of the form and encoding of \outputStatement proofs, see \crossref{g
|
|||
see \crossref{ccteddecompressvalidate} for implementation of validity checks on compressed
|
||||
representations of \jubjubCurve points.
|
||||
|
||||
The $\ValueCommitOutput$ and $\NoteCommitSaplingOutput$ types also represent points.
|
||||
The $\ValueCommitOutput$ type also represents points, i.e. $\GroupJ$.
|
||||
\item The validity of $\DiversifiedTransmitPublicRepr$ is \emph{not} checked in this circuit.
|
||||
\item It is \emph{not} checked that $\ValueCommitRandOld{} < \ParamJ{r}$ or that $\NoteCommitRandOld{} < \ParamJ{r}$.
|
||||
\end{pnotes}
|
||||
} %sapling
|
||||
|
||||
|
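Review bot: The note added to the \outputStatement pnotes says it is not checked that `$\ValueCommitRandOld{} < \ParamJ{r}$` or `$\NoteCommitRandOld{} < \ParamJ{r}$`, but the \outputStatement auxiliary input rewritten in the hunk at -4768 names these `\ValueCommitRandNew{}` and `\NoteCommitRandNew{}`; the Old names belong to the parallel \spendStatement note, so this looks like a copy-and-paste of that line. As it stands, the caveat about non-canonical trapdoors in the output circuit refers to variables that do not occur in that statement, which matters because this caveat is what tells a reader that the `$\NoteCommitRand \geq \ParamJ{r}$` rejection lives in note decryption rather than in the proof. Suggest `\item It is \emph{not} checked that $\ValueCommitRandNew{} < \ParamJ{r}$ or that $\NoteCommitRandNew{} < \ParamJ{r}$.` The pnotes environment is closed within the hunk.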
@ -4987,7 +5014,7 @@ Since \Sapling \note encryption is used only in the context of \crossref{sapling
|
|||
$\DiversifiedTransmitBaseNew$ has already been calculated and is not $\bot$.
|
||||
|
||||
\introsection
|
||||
Let $\NotePlaintext{} = (\Diversifier, \Value, \NoteCommitRand, \Memo)$ be the \Sapling{} \notePlaintext.
|
||||
Let $\NotePlaintext{} = (\Diversifier, \Value, \NoteCommitRandBytes, \Memo)$ be the \Sapling{} \notePlaintext.
|
||||
|
||||
$\NotePlaintext{}$ is encoded as defined in \crossref{notept}.
|
||||
|
||||
|
@ -5043,8 +5070,9 @@ components of the \noteCiphertext as follows:
|
|||
\item if $\TransmitPlaintext{} = \bot$, return $\bot$
|
||||
\item extract $\NotePlaintext{} = (\Diversifier \typecolon \DiversifierType, \Value \typecolon \ValueType,
|
||||
\NoteCommitRandBytes \typecolon \NoteCommitSaplingTrapdoorBytes, \Memo \typecolon \MemoType)$ from $\TransmitPlaintext{}$
|
||||
\item let $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$
|
||||
\item if $\DiversifiedTransmitBase = \bot$, return $\bot$
|
||||
\item let $\NoteCommitRand = \LEOStoIPOf{256}{\NoteCommitRandBytes}$
|
||||
and $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$
|
||||
\item if $\NoteCommitRand \geq \ParamJ{r}$ or $\DiversifiedTransmitBase = \bot$, return $\bot$
|
||||
\item let $\DiversifiedTransmitPublic = \KASaplingDerivePublic(\InViewingKey, \DiversifiedTransmitBase)$
|
||||
\item if $\NoteCommitSapling{\NoteCommitRand}(\reprJOf{\DiversifiedTransmitBase},
|
||||
\reprJOf{\DiversifiedTransmitPublic},
|
||||
|
@ -5097,9 +5125,11 @@ The \outgoingViewingKey holder will attempt to decrypt the \noteCiphertext as fo
|
|||
\item let $\TransmitKey{} = \KDFSapling(\DHSecret{}, \EphemeralPublic)$
|
||||
\item let $\TransmitPlaintext{} = \SymDecrypt{\TransmitKey{}}(\TransmitCiphertext{})$
|
||||
\item if $\TransmitPlaintext{} = \bot$, return $\bot$
|
||||
\item extract $\NotePlaintext{} = (\Diversifier, \Value, \NoteCommitRand, \Memo)$ from $\TransmitPlaintext{}$
|
||||
\item let $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$
|
||||
\item if $\DiversifiedTransmitBase = \bot$, return $\bot$
|
||||
\item extract $\NotePlaintext{} = (\Diversifier \typecolon \DiversifierType, \Value \typecolon \ValueType,
|
||||
\NoteCommitRandBytes \typecolon \NoteCommitSaplingTrapdoorBytes, \Memo \typecolon \MemoType)$ from $\TransmitPlaintext{}$
|
||||
\item let $\NoteCommitRand = \LEOStoIPOf{256}{\NoteCommitRandBytes}$
|
||||
and $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$
|
||||
\item if $\NoteCommitRand \geq \ParamJ{r}$ or $\DiversifiedTransmitBase = \bot$, return $\bot$
|
||||
\item if $\KASaplingDerivePublic(\EphemeralPrivate, \DiversifiedTransmitBase) \neq \EphemeralPublic$,
|
||||
return $\bot$
|
||||
\item if $\NoteCommitSapling{\NoteCommitRandNew{}}(\reprJOf{\DiversifiedTransmitBase},
|
||||
|
@ -6480,6 +6510,7 @@ instantiated using $\SHAFull$ as follows:
|
|||
|
||||
\begin{formulae}[leftmargin=1em]
|
||||
\item $\NoteCommitSprout{\NoteCommitRand}(\AuthPublic, \Value, \NoteAddressRand) := \SHAFullBox{\cmbox}$
|
||||
\item $\NoteCommitSproutGenTrapdoor()$ generates the uniform distribution on $\NoteCommitSproutTrapdoor$.
|
||||
\end{formulae}
|
||||
|
||||
\pnote{
|
||||
|
@ -6517,7 +6548,8 @@ instantiated as follows using $\WindowedPedersenCommitAlg$:
|
|||
\begin{formulae}
|
||||
\item $\NoteCommitSapling{\NoteCommitRand}(\DiversifiedTransmitBaseRepr, \DiversifiedTransmitPublicRepr, \Value) :=
|
||||
\WindowedPedersenCommit{\NoteCommitRand}\left(\ones{6} \bconcat \ItoLEBSPOf{64}{\Value} \bconcat
|
||||
\DiversifiedTransmitBaseRepr \bconcat \DiversifiedTransmitPublicRepr\right)$.
|
||||
\DiversifiedTransmitBaseRepr \bconcat \DiversifiedTransmitPublicRepr\right)$
|
||||
\item $\NoteCommitSaplingGenTrapdoor()$ generates the uniform distribution on $\GF{\ParamJ{r}}$.
|
||||
\end{formulae}
|
||||
|
||||
\vspace{-3ex}
|
||||
|
@ -6555,6 +6587,7 @@ In order to support this property, we also define \quotedterm{homomorphic}
|
|||
\begin{formulae}
|
||||
\item $\HomomorphicPedersenCommit{\ValueCommitRand}(D, \Value) :=
|
||||
\scalarmult{\Value}{\FindGroupJHashOf{D, \ascii{v}}} + \scalarmult{\ValueCommitRand}{\FindGroupJHashOf{D, \ascii{r}}}$
|
||||
\item $\ValueCommitGenTrapdoor()$ generates the uniform distribution on $\GF{\ParamJ{r}}$.
|
||||
\end{formulae}
|
||||
|
||||
See \crossref{ccthomomorphiccommit} for rationale and efficient circuit implementation
|
||||
|
@ -8084,8 +8117,11 @@ $64$ & $\spendAuthSig$ & \type{char[64]} & A signature authorizing this spend. \
|
|||
\end{tabularx}
|
||||
\end{center}
|
||||
|
||||
Consensus rules applying to a \spendDescription are given in \crossref{spenddesc}.
|
||||
\vspace{-5.5ex}
|
||||
\consensusrule{$\LEOStoIPOf{256}{\anchorField}$ \MUST be less than $\ParamJ{q}$.}
|
||||
|
||||
\vspace{-0.5ex}
|
||||
Other consensus rules applying to a \spendDescription are given in \crossref{spenddesc}.
|
||||
|
||||
\introsection
|
||||
\subsection{Encoding of \OutputDescriptions} \label{outputencoding}
|
||||
|
@ -8132,7 +8168,11 @@ $\ProofOutput$ (see \crossref{groth}). \\ \hline
|
|||
The $\ephemeralKey$ and $\encCiphertext$ fields together form the \noteCiphertext,
|
||||
which is computed as described in \crossref{saplinginband}.
|
||||
|
||||
Consensus rules applying to an \outputDescription are given in \crossref{outputdesc}.
|
||||
\vspace{-4ex}
|
||||
\consensusrule{$\LEOStoIPOf{256}{\cmField}$ \MUST be less than $\ParamJ{q}$.}
|
||||
|
||||
\vspace{-0.5ex}
|
||||
Other consensus rules applying to an \outputDescription are given in \crossref{outputdesc}.
|
||||
}
|
||||
|
||||
|
||||
|
@ -9316,7 +9356,13 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\sapling{
|
||||
\item Use the more precise subgroup types $\SubgroupG$ and $\SubgroupJ$ in preference to
|
||||
$\GroupG{}$ and $\GroupJ$ where applicable.
|
||||
\item Correct or improve the types of $\GroupJHash{}$, $\FindGroupJHash$, $\ExtractJ$, $\PRFexpand{}$, and $\CRHivk$.
|
||||
\item Change the types of \auxiliaryInputs to the \spendStatement and \outputStatement, to be more
|
||||
faithful to the implementation.
|
||||
\item Add explicit consensus rules that the $\anchorField$ field of a \spendDescription and the $\cmField$
|
||||
field of an \outputDescription{} must be canonical encodings.
|
||||
\item Change the syntax of a \commitmentScheme to add $\CommitGenTrapdoor$. This is necessary
|
||||
because the intended distribution of \commitmentTrapdoors may not be uniform on all values
|
||||
that are acceptable trapdoor inputs.
|
||||
\item Ensure that \Sprout functions and values are given \Sprout-specific types where appropriate.
|
||||
\item Improve cross-referencing.
|
||||
\item Clarify the use of $\PHGR$ vs $\Groth$ proofs in \joinSplitStatements.
|
||||
|
|