zec
/
zips
mirror of https://github.com/zcash/zips.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Change the types of cm_x, Uncommitted^Orchard, and ak in Orchard to { 0 .. q_P-1 }, 

avoiding type errors and reflecting the implementation in zcashd. This eliminates all uses of P_x
(except that ak in an Orchard full viewing key is still required to be a valid Pallas affine
x-coordinate). Also clarify the coordinate system whenever we refer to coordinates.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2022-01-03 17:55:01 +00:00
parent b6e00e0d41
commit 59a220d59e
1 changed files with 52 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

118
protocol/protocol.tex
View File

@ -1456,6 +1456,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\AuthSignPublic}{\mathsf{ak}}
\newcommand{\AuthSignPublicPoint}{\mathsf{ak}^\GroupP}
\newcommand{\AuthSignPublicRepr}{{\AuthSignPublic\Repr}}
\newcommand{\AuthSignPublicTypeOrchard}{\range{0}{\ParamP{q}-1}}
\newcommand{\AuthSignRandomizedPublic}{\mathsf{rk}}
\newcommand{\AuthSignRandomizedPublicRepr}{{\AuthSignRandomizedPublic\Repr}}
\newcommand{\AuthSignRandomizedPrivate}{\mathsf{rsk}}
@ -1468,6 +1469,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\NullifierKeyRepr}{{\NullifierKey\Repr}}
\newcommand{\NullifierKeyTypeOrchard}{\GF{\ParamP{q}}}
\newcommand{\NullifierBaseOrchard}{\mathcal{K}^\mathsf{Orchard}}
\newcommand{\NullifierTypeOrchard}{\GF{\ParamP{q}}}
\newcommand{\OutViewingKey}{\mathsf{ovk}}
\newcommand{\OutViewingKeyLength}{\mathsf{\ell_{\OutViewingKey}}}
\newcommand{\OutViewingKeyType}{\byteseq{\OutViewingKeyLength/8}}
@ -1900,7 +1902,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\MerkleCRH}[1]{\mathsf{MerkleCRH}^\mathsf{#1\kern-0.1em}}
\newcommand{\MerkleHashLength}[1]{\mathsf{\ell}^\mathsf{#1\vphantom{p}}_\mathsf{Merkle}}
\newcommand{\MerkleHash}[1]{\bitseq{\MerkleHashLength{#1}}}
\newcommand{\MerkleHashOrchard}{\GroupPx}
\newcommand{\MerkleHashOrchard}{\range{0}{\ParamP{q}-1}}
\newcommand{\MerkleLayer}[1]{\range{0}{\MerkleDepth{#1}-1}}
\newcommand{\hash}{\mathsf{hash}}
\newcommand{\layerInput}{\mathsf{layer}}
@ -2209,9 +2211,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ParamP}[1]{{{#1}_\mathbb{\hskip 0.01em P}}}
\newcommand{\ParamPexp}[2]{{{#1}_\mathbb{\hskip 0.01em P}\!}^{#2}}
\newcommand{\GroupP}{\mathbb{P}}
\newcommand{\GroupPx}{\GroupP_{\!x}}
\newcommand{\GroupPstar}{\GroupP^{\ast}}
\newcommand{\GroupPstarx}{\GroupP^{\ast}_{\!x}}
\newcommand{\CurveP}{\Curve_{\GroupP}}
\newcommand{\ZeroP}{\Zero_{\GroupP}}
\newcommand{\ellP}{\ell_{\GroupP}}
@ -2928,7 +2928,7 @@ The following integer constants will be instantiated in \crossref{constants}:
The rational constants $\FoundersFraction$, $\PoWMaxAdjustDown$, and $\PoWMaxAdjustUp$, and
the bit sequence constants $\Uncommitted{Sprout} \typecolon \bitseq{\MerkleHashLength{Sprout}}$,
\sapling{$\Uncommitted{Sapling} \typecolon \bitseq{\MerkleHashLength{Sapling}}$,}
\nufive{and $\Uncommitted{Orchard} \typecolon$ $\GroupPx$,} will also be defined in that section.
\nufive{and $\Uncommitted{Orchard} \typecolon$ $\MerkleHashOrchard$,} will also be defined in that section.
We use the abbreviation ``\defining{\xCtEdwards}'' to refer to \completeTwistedEdwardsEllipticCurves and
coordinates (see \crossref{jubjub}).
@ -4434,7 +4434,7 @@ in an \outputDescription.}
\vspace{2ex}
Let $\ScalarLength{Orchard}$ be as defined in \crossref{constants}.
Let $\GroupP$, $\GroupPx$, $\ellP$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}.
Let $\GroupP$, $\ellP$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}.
\introlist
Define:
@ -4454,7 +4454,7 @@ Define:
$\NoteCommitAlg{Orchard} $&$\typecolon\; \NoteCommitTrapdoor{Orchard} \times \ReprP \times \ReprP \times \ValueType$ \\[-1ex]
&\hspace{21.2em}$\times\; \NoteUniqueRandTypeOrchard \times \NoteNullifierRandType $&$\rightarrow \NoteCommitOutput{Orchard}$ \\
$\ValueCommitAlg{Orchard} $&$\typecolon\; \ValueCommitTrapdoor{Orchard} \times \ValueCommitTypeOrchard $&$\rightarrow \ValueCommitOutput{Orchard}$ \\
$\CommitIvkAlg $&$\typecolon\; \CommitIvkTrapdoor \times \GroupPx \times \NullifierKeyTypeOrchard $&$\rightarrow \CommitIvkOutput$
$\CommitIvkAlg $&$\typecolon\; \CommitIvkTrapdoor \times \AuthSignPublicTypeOrchard \times \NullifierKeyTypeOrchard $&$\rightarrow \CommitIvkOutput$
\end{tabular}
\vspace{-1ex}
@ -4947,7 +4947,7 @@ if this happens, discard the key and repeat with a different $\SpendingKey$.
Let $\PRFOutputLengthExpand$, $\SpendingKeyLength$, $\OutViewingKeyLength$, $\DiversifierLength$,
and $\DiversifierKeyLength$ be as defined in \crossref{constants}.
Let $\GroupP$, $\GroupPx$, $\reprP$, $\ellP$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in
Let $\GroupP$, $\reprP$, $\ellP$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in
\crossref{pallasandvesta}.
Let $\ExtractP$ be as defined in \crossref{concreteextractorpallas}.
@ -4991,7 +4991,7 @@ A new \Orchard \spendingKey $\SpendingKey$ is generated by choosing a bit sequen
uniformly at random from $\SpendingKeyType$.
From this \spendingKey, the \authSigningKey $\AuthSignPrivate \typecolon \GFstar{\ParamP{r}}$,
the \authValidatingKey $\AuthSignPublic \typecolon \GroupPx$,
the \authValidatingKey $\AuthSignPublic \typecolon \AuthSignPublicTypeOrchard$,
the \nullifierDerivingKey $\NullifierKey \typecolon \NullifierKeyTypeOrchard$,
the \commitIvkRandomness $\CommitIvkRand \typecolon \CommitIvkRandType$,
the \diversifierKey $\DiversifierKey \typecolon \DiversifierKeyType$,
@ -5076,8 +5076,8 @@ The \diversifiedPaymentAddress with \diversifierIndex $0$ is called the \definin
\item The uses of $\ToScalar{Orchard}$ and $\ToBase{Orchard}$ produce output that is
uniform on $\GF{\ParamP{r}}$ and $\GF{\ParamP{q}}$ respectively when applied to
random input, by a similar argument to that used in \crossref{saplingkeycomponents}.
\item The output of $\CommitIvk{}$ is the $x$-coordinate of a \pallasCurve point, which
we then use as a $\KA{Orchard}$ private key $\InViewingKey$ for \note encryption.
\item The output of $\CommitIvk{}$ is the \affineSW $x$-coordinate of a \pallasCurve point,
which we then use as a $\KA{Orchard}$ private key $\InViewingKey$ for \note encryption.
The fact that $\InViewingKey$ is non-uniform on $\GF{\ParamP{r}}$ (since it can
only take on roughly half of the possible values) is not expected to cause any
security issue.
@ -5325,7 +5325,7 @@ Let $\MerkleHashLength{Orchard}$ be as defined in \crossref{constants}.
Let $\ParamP{q}$ be as defined in \crossref{pallasandvesta}.
Let $\GroupPx$ and $\ExtractP$ be as defined in \crossref{concreteextractorpallas}.
Let $\ExtractP$ be as defined in \crossref{concreteextractorpallas}.
Let $\ValueCommitOutput{Orchard}$ be as defined in \crossref{abstractcommit}.
@ -5346,7 +5346,7 @@ where
\item $\cvNet{} \typecolon \ValueCommitOutput{Orchard}$ is the \valueCommitment to the value of the
input \note minus the value of the output \note;
\vspace{-0.5ex}
\item $\rt{Orchard} \typecolon \range{0}{\ParamP{q}-1}$ is an \anchor (\crossref{blockchain}) for the
\item $\rt{Orchard} \typecolon \MerkleHashOrchard$ is an \anchor (\crossref{blockchain}) for the
output \treestate of a previous \block;
\vspace{-0.25ex}
\item $\nf \typecolon \range{0}{\ParamP{q}-1}$ is the \nullifier for the input \note;
@ -5357,7 +5357,7 @@ where
\item $\spendAuthSig \typecolon \SpendAuthSigSignature{Orchard}$ is a \spendAuthSignature,
validated as specified in \crossref{spendauthsig};
\vspace{-0.25ex}
\item $\cmX \typecolon \range{0}{\ParamP{q}-1}$ is the result of applying $\ExtractP$ to the \noteCommitment for
\item $\cmX \typecolon \MerkleHashOrchard$ is the result of applying $\ExtractP$ to the \noteCommitment for
the output \note;
\vspace{-0.25ex}
\item $\EphemeralPublic \typecolon \KAPublic{Orchard}$ is
@ -5412,8 +5412,8 @@ $\Proof{}$ is aggregated with other Action proofs and encoded in the $\proofsOrc
\item $\cv$ and $\AuthSignRandomizedPublic$ can be the zero point $\ZeroP$. $\EphemeralPublic$ cannot
be $\ZeroP$.
\vspace{-0.25ex}
\item Despite the return type of $\ExtractP$ being $\GroupPx$, $\nf$ and $\cmX$ are \emph{not} checked
to be in $\GroupPx$; they are only checked to encode integers in $\range{0}{\ParamP{q}-1}$.
\item $\nf$ and $\cmX$ are \emph{not} checked to be valid \affineSW $x$-coordinates on the \pallasCurve;
they are only checked to encode integers in $\range{0}{\ParamP{q}-1}$.
\end{nnotes}
} %nufive
@ -5959,8 +5959,8 @@ $\MerkleNode{\MerkleDepth{}}{i}$ is in a tree with a given \merkleRoot $\rt{} =
\item The \actionCircuit is permitted to be implemented in such a way that the \merklePath
validity check can pass if any \merkleHash on the path, including the \merkleRoot, is
$0$. This can only happen if $\SinsemillaHash$ returned $\bot$ for that hash, because
$0$ is not the $x$-coordinate of any point on the \pallasCurve (as shown in a note at
\crossref{concreteextractorpallas}), and $\SinsemillaHashToPoint$ cannot return
$0$ is not the \affineSW $x$-coordinate of any point on the \pallasCurve (as shown in a
note at \crossref{concreteextractorpallas}), and $\SinsemillaHashToPoint$ cannot return
$\ZeroP$. Allowing the validity check to pass in that case models the fact that
incomplete addition is used to implement Sinsemilla in the circuit. As proven in
\theoremref{thmsinsemillaex}, a $\bot$ output from $\SinsemillaHash$ yields a
@ -6654,7 +6654,7 @@ Define $\NullifierBaseOrchard := \GroupPHash\Of{\ascii{z.cash:Orchard}, \ascii{K
\introlist
To avoid repetition, we define a function $\DeriveNullifierAlg \typecolon
\NullifierKeyTypeOrchard \times \NoteUniqueRandTypeOrchard \times \NoteNullifierRandType \times \GroupP \rightarrow \GF{\ParamP{q}}$
\NullifierKeyTypeOrchard \times \NoteUniqueRandTypeOrchard \times \NoteNullifierRandType \times \GroupP \rightarrow \NullifierTypeOrchard$
as follows:
\begin{formulae}
@ -6996,7 +6996,7 @@ Let $\SpendAuthSig{Orchard}$ be as defined in \crossref{concretespendauthsig}.
Let $\GroupP$, $\GroupPstar$, $\reprP$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}.
\vspace{-0.25ex}
Let $\Selectx$, $\Selecty$, $\GroupPx$, $\ExtractP$, and $\ExtractPbot$ be as defined in \crossref{concreteextractorpallas}.
Let $\Selectx$, $\Selecty$, $\ExtractP$, and $\ExtractPbot$ be as defined in \crossref{concreteextractorpallas}.
\vspace{-0.25ex}
Let $\DeriveNullifierAlg$ be as defined in \crossref{commitmentsandnullifiers}.
@ -7007,11 +7007,11 @@ A valid instance of a \defining{\actionStatement}, $\Proof{}$, assures that give
\vspace{-1ex}
\begin{formulae}
\item $\oparen\rt{Orchard} \typecolon \range{0}{\ParamP{q}-1},\\
\item $\oparen\rt{Orchard} \typecolon \MerkleHashOrchard,\\
\hparen\cvNet{} \typecolon \ValueCommitOutput{Orchard},\\
\hparen\nfOld{} \typecolon \range{0}{\ParamP{q}-1},\\
\hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic{Orchard},\\
\hparen\cmX \typecolon \range{0}{\ParamP{q}-1},\vspace{0.2ex}\\
\hparen\cmX \typecolon \MerkleHashOrchard,\vspace{0.2ex}\\
\hparen\enableSpends \typecolon \bit,\vspace{0.4ex}\\
\hparen\enableOutputs \typecolon \bit\cparen$,
\end{formulae}
@ -7107,7 +7107,7 @@ For details of the form and encoding of \actionStatement proofs, see \crossref{h
range $\SignedValueDifferenceType$, which is different to the range $\SignedValueFieldType$
of $\vBalance{Orchard}$.
\item In the Merkle path validity check, each \merkleLayer does \emph{not} check that its
input bit sequence is a canonical encoding (in $\range{0}{\ParamP{q}-1}$) of the integer
input bit sequence is a canonical encoding (in $\MerkleHashOrchard$) of the integer
from the previous \merkleLayer.
\item As specified in \crossref{merklepath}, the validity check is permitted to be implemented in
such a way that it can pass if any $\MerkleCRH{Orchard}$ hash on the \merklePath outputs $0$.
@ -7120,7 +7120,7 @@ For details of the form and encoding of \actionStatement proofs, see \crossref{h
($\AuthSignBase{Orchard}$ is as defined in \crossref{concretespendauthsig}.)
\item The validity of $\DiversifiedTransmitBaseRepr$ and $\DiversifiedTransmitPublicRepr$ are
\emph{not} checked in this circuit. Also, $\rt{Orchard}$ and $\cmX$ are \emph{not} checked
to be in $\GroupPx$.
to be \Pallas \affineSW $x$-coordinates or $0$.
\item When a value given as a field element in the \actionCircuit is used as a scalar for scalar
multiplication, it involves witnessing the scalar as a sequence of bits or window indices,
typically for a total of $255$ bits (except in the case of multiplying by the value
@ -7462,8 +7462,8 @@ $\InViewingKeyTypeOrchard$ (in \Orchard)}} be the recipient's $\KA{Sapling}$\nuf
\vspace{-0.25ex}
Let $(\ephemeralKey, \TransmitCiphertext{}, \OutCiphertext)$ be the \noteCiphertext from the
\outputDescription{}. Let $\cmstarField$ be the $\cmuField$\nufive{ or $\cmxField$} field of
the \outputDescription\nufive{ or \actionDescription respectively}. (This encodes the
$u$-coordinate\nufive{ or $x$-coordinate} of the \noteCommitment, i.e.\ $\ExtractG(\cm)$.)
the \outputDescription\nufive{ or \actionDescription respectively}. (This encodes the \affineCtEdwards
$u$-coordinate\nufive{ or \affineSW $x$-coordinate} of the \noteCommitment, i.e.\ $\ExtractG(\cm)$.)
\canopy{
\vspace{-0.25ex}
@ -7790,16 +7790,12 @@ Typically, these components are derived from a \fullViewingKey as described in
\vspace{1ex}
Let $\PRFOutputLengthNfSapling$ be as defined in \crossref{constants}.
\nufive{
Let $\GroupPx$ be as defined in \crossref{pallasandvesta}.
} %nufive
Let $\NoteType{}$ be $\NoteType{Sapling}$\nufive{ or $\NoteType{Orchard}$} as defined in \crossref{notes}.
Let $\KA{}$ be\notbeforenufive{ either} $\KA{Sapling}$ as defined in \crossref{concretesaplingkeyagreement}\nufive{, or
$\KA{Orchard}$ as defined in \crossref{concreteorchardkeyagreement}}.
Let $\NullifierType$ be $\PRFOutputNfSapling$\notbeforenufive{ for \Sapling}\nufive{, or $\GroupPx$ for \Orchard}.
Let $\NullifierType$ be $\PRFOutputNfSapling$\notbeforenufive{ for \Sapling}\nufive{, or $\NullifierTypeOrchard$ for \Orchard}.
\introsection
\vspace{1ex}
@ -7914,10 +7910,6 @@ are used, the text will clarify their position in each case.
\introsection
\lsubsection{Constants}{constants}
\nufive{
Let $\GroupPx$ be as defined in \crossref{concreteextractorpallas}.
} %nufive
Define:
\begin{formulae}[itemsep=0.2ex]
@ -7969,7 +7961,7 @@ Define:
} %sapling
\nufive{
\vspace{-1ex}
\item $\Uncommitted{Orchard} \typecolon \GroupPx := 2$
\item $\Uncommitted{Orchard} \typecolon \MerkleHashOrchard := 2$
} %nufive
\vspace{0.25ex}
\item $\MAXMONEY \typecolon \Nat := 2.1 \smult 10^{15}$ (\zatoshi)
@ -8953,10 +8945,10 @@ by \texttt{calc\_round\_numbers.py} in that implementation, for a $128$-bit secu
Also note that the use of $\Poseidon$ in \Orchard is very conservative. First, the
sponge mode limits an adversary to only being able to influence part of the $\Poseidon$
permutation input, and we use it only to construct a PRF ($\PRFnf{Orchard}{}$ as described in
\crossref{concreteprfs}). Half of the sponge input is a random key $\NullifierKey$,
known only to holders of a \fullViewingKey, and the remaining half $\NoteUniqueRand$
comes from a previous \nullifier which is effectively a random $x$-coordinate on the
permutation input, and we use it only to construct a PRF ($\PRFnf{Orchard}{}$ as described
in \crossref{concreteprfs}). Half of the sponge input is a random key $\NullifierKey$,
known only to holders of a \fullViewingKey, and the remaining half $\NoteUniqueRand$ comes
from a previous \nullifier which is effectively a random \affineSW $x$-coordinate on the
\pallasCurve. Then the PRF is used to enhance the security of a discrete-logarithm-based
nullifier construction (described in \cite[Section 3.5 Nullifiers]{Zcash-Orchard})
against a potential discrete-log-breaking adversary. Given the weak assumption
@ -9241,7 +9233,7 @@ to $\OutViewingKey$, with input in the bits corresponding to $\cvField$, $\cmxFi
\introlist
Let $\ParamP{q}$ be as defined in \crossref{pallasandvesta}.
$\PRFnf{Orchard}{} \typecolon \NullifierKeyTypeOrchard \times \NoteUniqueRandTypeOrchard \rightarrow \GF{\ParamP{q}}$ is used as
$\PRFnf{Orchard}{} \typecolon \NullifierKeyTypeOrchard \times \NoteUniqueRandTypeOrchard \rightarrow \PRFOutputNfOrchard$ is used as
part of deriving the \nullifier for an \Orchard \note.
It is instantiated using the $\PoseidonHash$ \hashFunction \cite{GKRRS2019} defined in \crossref{poseidonhash}:
@ -10908,19 +10900,9 @@ Define $\Selectx \typecolon \GroupP \rightarrow \GF{\ParamP{q}}$ and $\Selecty \
\item $\Selecty\big((x, y)\big) = y$.
\end{formulae}
Define $\GroupPstarx$ as the set of $x$-coordinates (as integers) of points on the \pallasCurve, i.e.
\vspace{-1ex}
\begin{formulae}
\item $\GroupPstarx := \bigsetof{x \typecolon \range{0}{\ParamP{q}-1} \suchthat x^3 + \ParamP{b} \pmod{\ParamP{q}} \text{ is square in }\GF{\ParamP{q}}}$.
\end{formulae}
\vspace{-0.5ex}
Define $\GroupPx := \GroupPstarx \union \setof{0}$.
\introlist
\vspace{1ex}
Define $\ExtractP \typecolon \GroupP \rightarrow \GroupPx$ such that
Define $\ExtractP \typecolon \GroupP \rightarrow \range{0}{\ParamP{q}-1}$ such that
\vspace{-1ex}
\begin{formulae}
@ -10928,7 +10910,7 @@ Define $\ExtractP \typecolon \GroupP \rightarrow \GroupPx$ such that
\end{formulae}
\vspace{-1ex}
We also define $\ExtractPbot \typecolon \maybe{\GroupP} \rightarrow \maybe{\GroupPx}$ such that
We also define $\ExtractPbot \typecolon \maybe{\GroupP} \rightarrow \maybe{\range{0}{\ParamP{q}-1}}$ such that
\vspace{-1ex}
\begin{formulae}
@ -10937,12 +10919,8 @@ We also define $\ExtractPbot \typecolon \maybe{\GroupP} \rightarrow \maybe{\Grou
\end{formulae}
\vspace{-2ex}
\begin{pnotes}
\item There is no solution to $y^2 = 0^3 + 5$ in $\GF{\ParamP{q}}$, and so $\ExtractP(P)$
can only be $0$ when $P = \ZeroP$.
\item $\ExtractP$ returns the type $\GroupPx$ which is precise for its range, unlike $\ExtractJ$
which returns a bit sequence.
\end{pnotes}
\pnote{There is no solution to $y^2 = 0^3 + 5$ in $\GF{\ParamP{q}}$, and so $\ExtractP(P)$
can only be $0$ when $P = \ZeroP$.}
} %nufive
\nufive{
@ -11143,7 +11121,7 @@ Define $\maptocurvesimpleswuIsoG(u \typecolon \GF{\ParamG{q}}) \rightarrow \Grou
\item let $\mathsf{x}_\num = \mathsf{is\_gx1\_square} \bchoose \mathsf{x1}_\num : \mathsf{x2}_\num$
\item let $\mathsf{y}' = \mathsf{is\_gx1\_square} \bchoose \mathsf{y1} : \mathsf{y2}$
\item let $\mathsf{y} = (u \bmod 2 = y \bmod 2) \bchoose \mathsf{y}' : -\mathsf{y}'$
\item return the $\CurveIsoG$ point with affine coordinates $\left(\mathsf{x}_\num / \mathsf{x}_\xdiv,\, \mathsf{y}\right)$.
\item return the $\CurveIsoG$ point with \affineSW coordinates $\left(\mathsf{x}_\num / \mathsf{x}_\xdiv,\, \mathsf{y}\right)$.
\end{algorithm}
Let $\GroupGHashInput := \byteseqs \times \byteseqs$.
@ -11181,7 +11159,7 @@ is calculated as follows:
In order to fully avoid inversions, the output of $\maptocurvesimpleswuIsoG$ can be
expressed in Jacobian coordinates, as can the input and output of $\IsoMapG$.
It is outside the scope of this document to describe Jacobian coordinates, but
for example, the $\CurveIsoG$ point with affine coordinates
for example, the $\CurveIsoG$ point with \affineSW coordinates
$\big(\mathsf{x}_\num / \mathsf{x}_\xdiv, \mathsf{y}\big)$, has Jacobian coordinates
$\big(\mathsf{x}_\num \mult \mathsf{x}_\xdiv : \mathsf{y} \mult \mathsf{x}_\xdiv^3 : \mathsf{x}_\xdiv\big)$.
\end{nnotes}
@ -12020,7 +11998,7 @@ Let $\KA{Orchard}$ be as defined in \crossref{concreteorchardkeyagreement}.
Let $\ExtractP$ be as defined in \crossref{concreteextractorpallas}.
An \Orchard{} \defining{\fullViewingKey} consists of $\AuthSignPublic \typecolon \GroupPx$,
An \Orchard{} \defining{\fullViewingKey} consists of $\AuthSignPublic \typecolon \AuthSignPublicTypeOrchard$,
$\NullifierKey \typecolon \NullifierKeyTypeOrchard$, and $\CommitIvkRandom \typecolon \GF{\ParamP{r}}$.
$\AuthSignPublic$ is the \authValidatingKey, a result of applying $\ExtractP$ to a
@ -12054,7 +12032,7 @@ The \rawEncoding of an \Orchard \fullViewingKey consists of:
\vspace{-1ex}
When decoding this representation, the key \MUST be considered invalid if $\AuthSignPublic$,
$\NullifierKey$, or $\CommitIvkRandom$ are not canonically encoded elements of their respective
fields, or if $\AuthSignPublic \not\in \GroupPx$.
fields, or if $\AuthSignPublic$ is not a valid \Pallas $x$-coordinate.
There is no \BechOptm encoding defined for an individual \Orchard \fullViewingKey;
instead use a \unifiedFullViewingKey as defined in \cite{ZIP-316}.
@ -14541,6 +14519,13 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\historyentry{2021.2.18}{}
\begin{itemize}
\nufive{
\item Change the types of $\cmX$, $\Uncommitted{Orchard}$, and $\AuthSignPublic$ in
\Orchard to $\range{0}{\ParamP{q}-1}$, avoiding type errors and reflecting the
implementation in \zcashd. This eliminates all uses of $\GroupP_{\!x}$ (except
that $\AuthSignPublic$ in an \Orchard \fullViewingKey is still required to be a
valid \Pallas \affineSW $x$-coordinate).
} %nufive
\item Refine the security argument about \partitioningOracleAttacks in
\crossref{inbandrationale}:\!\!
\begin{itemize}
@ -14578,9 +14563,10 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\item Correct the proof of \theoremref{thmuncommittedorchard}.
\item Change the type of $\cmOld{}$ in \Orchard to $\GroupP$ rather than $\GroupPstar$,
i.e.\ allow the identity point.
\item Change the type of $\rt{Orchard}$ from $\GroupPx$ to $\range{0}{\ParamP{q}-1}$.
\item Change the type of $\rt{Orchard}$ from $\GroupP_{\!x}$ (i.e.\ a \Pallas $x$-coordinate
or $0$) to $\range{0}{\ParamP{q}-1}$.
This reflects the existing \zcashd implementation; also checking
$\rt{Orchard} \in \GroupPx$ would require a square root and is unnecessary.
$\rt{Orchard} \in \GroupP_{\!x}$ would require a square root and is unnecessary.
\item Witness $\DiversifiedTransmitBaseNew$ and $\DiversifiedTransmitPublicNew$ in
the \Orchard \actionCircuit as $\GroupPstar$, i.e.\ non-identity Pallas points,
rather than witnessing their representations as bit sequences. This reflects
@ -14730,7 +14716,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\historyentry{2021.2.7}{2021-06-28}
\begin{itemize}
\nufive{
\item Correct the type of $\Uncommitted{Orchard}$, which should be $\GroupPx$ rather than a
\item Correct the type of $\Uncommitted{Orchard}$, which should be $\GroupP_{\!x}$ rather than a
bit sequence.
\item Explicitly say that padding in \crossref{concretesinsemillahash} is by appending zero bits.
\item Add a step to the algorithm for generating an \Orchard \note in \crossref{orchardsend},
@ -14770,7 +14756,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
least one output from a v5 or later \transaction, to take into account
the \enableSpendsOrchard{} and \enableOutputsOrchard{} flags.
\item Correct the type of $\ExtractPbot$ imported in \crossref{concretesinsemillahash}\,
(from $\GroupP \rightarrow \GroupPx$ to \mbox{$\maybe{\GroupP} \rightarrow \maybe{\GroupPx}$}).
(from $\GroupP \rightarrow \GroupP_{\!x}$ to \mbox{$\maybe{\GroupP} \rightarrow \maybe{\GroupP_{\!x}}$}).
\item Add \cite{ZIP-209} to the list of ZIPs updated for \NUFive.
} % nufive
\item No changes before \NUFive.