diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 58fe6e50..90835e26 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -1456,6 +1456,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\AuthSignPublic}{\mathsf{ak}} \newcommand{\AuthSignPublicPoint}{\mathsf{ak}^\GroupP} \newcommand{\AuthSignPublicRepr}{{\AuthSignPublic\Repr}} +\newcommand{\AuthSignPublicTypeOrchard}{\range{0}{\ParamP{q}-1}} \newcommand{\AuthSignRandomizedPublic}{\mathsf{rk}} \newcommand{\AuthSignRandomizedPublicRepr}{{\AuthSignRandomizedPublic\Repr}} \newcommand{\AuthSignRandomizedPrivate}{\mathsf{rsk}} @@ -1468,6 +1469,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\NullifierKeyRepr}{{\NullifierKey\Repr}} \newcommand{\NullifierKeyTypeOrchard}{\GF{\ParamP{q}}} \newcommand{\NullifierBaseOrchard}{\mathcal{K}^\mathsf{Orchard}} +\newcommand{\NullifierTypeOrchard}{\GF{\ParamP{q}}} \newcommand{\OutViewingKey}{\mathsf{ovk}} \newcommand{\OutViewingKeyLength}{\mathsf{\ell_{\OutViewingKey}}} \newcommand{\OutViewingKeyType}{\byteseq{\OutViewingKeyLength/8}} @@ -1900,7 +1902,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\MerkleCRH}[1]{\mathsf{MerkleCRH}^\mathsf{#1\kern-0.1em}} \newcommand{\MerkleHashLength}[1]{\mathsf{\ell}^\mathsf{#1\vphantom{p}}_\mathsf{Merkle}} \newcommand{\MerkleHash}[1]{\bitseq{\MerkleHashLength{#1}}} -\newcommand{\MerkleHashOrchard}{\GroupPx} +\newcommand{\MerkleHashOrchard}{\range{0}{\ParamP{q}-1}} \newcommand{\MerkleLayer}[1]{\range{0}{\MerkleDepth{#1}-1}} \newcommand{\hash}{\mathsf{hash}} \newcommand{\layerInput}{\mathsf{layer}} @@ -2209,9 +2211,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\ParamP}[1]{{{#1}_\mathbb{\hskip 0.01em P}}} \newcommand{\ParamPexp}[2]{{{#1}_\mathbb{\hskip 0.01em P}\!}^{#2}} \newcommand{\GroupP}{\mathbb{P}} -\newcommand{\GroupPx}{\GroupP_{\!x}} \newcommand{\GroupPstar}{\GroupP^{\ast}} -\newcommand{\GroupPstarx}{\GroupP^{\ast}_{\!x}} \newcommand{\CurveP}{\Curve_{\GroupP}} \newcommand{\ZeroP}{\Zero_{\GroupP}} \newcommand{\ellP}{\ell_{\GroupP}} @@ -2928,7 +2928,7 @@ The following integer constants will be instantiated in \crossref{constants}: The rational constants $\FoundersFraction$, $\PoWMaxAdjustDown$, and $\PoWMaxAdjustUp$, and the bit sequence constants $\Uncommitted{Sprout} \typecolon \bitseq{\MerkleHashLength{Sprout}}$, \sapling{$\Uncommitted{Sapling} \typecolon \bitseq{\MerkleHashLength{Sapling}}$,} -\nufive{and $\Uncommitted{Orchard} \typecolon$ $\GroupPx$,} will also be defined in that section. +\nufive{and $\Uncommitted{Orchard} \typecolon$ $\MerkleHashOrchard$,} will also be defined in that section. We use the abbreviation ``\defining{\xCtEdwards}'' to refer to \completeTwistedEdwardsEllipticCurves and coordinates (see \crossref{jubjub}). @@ -4434,7 +4434,7 @@ in an \outputDescription.} \vspace{2ex} Let $\ScalarLength{Orchard}$ be as defined in \crossref{constants}. -Let $\GroupP$, $\GroupPx$, $\ellP$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}. +Let $\GroupP$, $\ellP$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}. \introlist Define: @@ -4454,7 +4454,7 @@ Define: $\NoteCommitAlg{Orchard} $&$\typecolon\; \NoteCommitTrapdoor{Orchard} \times \ReprP \times \ReprP \times \ValueType$ \\[-1ex] &\hspace{21.2em}$\times\; \NoteUniqueRandTypeOrchard \times \NoteNullifierRandType $&$\rightarrow \NoteCommitOutput{Orchard}$ \\ $\ValueCommitAlg{Orchard} $&$\typecolon\; \ValueCommitTrapdoor{Orchard} \times \ValueCommitTypeOrchard $&$\rightarrow \ValueCommitOutput{Orchard}$ \\ - $\CommitIvkAlg $&$\typecolon\; \CommitIvkTrapdoor \times \GroupPx \times \NullifierKeyTypeOrchard $&$\rightarrow \CommitIvkOutput$ + $\CommitIvkAlg $&$\typecolon\; \CommitIvkTrapdoor \times \AuthSignPublicTypeOrchard \times \NullifierKeyTypeOrchard $&$\rightarrow \CommitIvkOutput$ \end{tabular} \vspace{-1ex} @@ -4947,7 +4947,7 @@ if this happens, discard the key and repeat with a different $\SpendingKey$. Let $\PRFOutputLengthExpand$, $\SpendingKeyLength$, $\OutViewingKeyLength$, $\DiversifierLength$, and $\DiversifierKeyLength$ be as defined in \crossref{constants}. -Let $\GroupP$, $\GroupPx$, $\reprP$, $\ellP$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in +Let $\GroupP$, $\reprP$, $\ellP$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}. Let $\ExtractP$ be as defined in \crossref{concreteextractorpallas}. @@ -4991,7 +4991,7 @@ A new \Orchard \spendingKey $\SpendingKey$ is generated by choosing a bit sequen uniformly at random from $\SpendingKeyType$. From this \spendingKey, the \authSigningKey $\AuthSignPrivate \typecolon \GFstar{\ParamP{r}}$, -the \authValidatingKey $\AuthSignPublic \typecolon \GroupPx$, +the \authValidatingKey $\AuthSignPublic \typecolon \AuthSignPublicTypeOrchard$, the \nullifierDerivingKey $\NullifierKey \typecolon \NullifierKeyTypeOrchard$, the \commitIvkRandomness $\CommitIvkRand \typecolon \CommitIvkRandType$, the \diversifierKey $\DiversifierKey \typecolon \DiversifierKeyType$, @@ -5076,8 +5076,8 @@ The \diversifiedPaymentAddress with \diversifierIndex $0$ is called the \definin \item The uses of $\ToScalar{Orchard}$ and $\ToBase{Orchard}$ produce output that is uniform on $\GF{\ParamP{r}}$ and $\GF{\ParamP{q}}$ respectively when applied to random input, by a similar argument to that used in \crossref{saplingkeycomponents}. - \item The output of $\CommitIvk{}$ is the $x$-coordinate of a \pallasCurve point, which - we then use as a $\KA{Orchard}$ private key $\InViewingKey$ for \note encryption. + \item The output of $\CommitIvk{}$ is the \affineSW $x$-coordinate of a \pallasCurve point, + which we then use as a $\KA{Orchard}$ private key $\InViewingKey$ for \note encryption. The fact that $\InViewingKey$ is non-uniform on $\GF{\ParamP{r}}$ (since it can only take on roughly half of the possible values) is not expected to cause any security issue. @@ -5325,7 +5325,7 @@ Let $\MerkleHashLength{Orchard}$ be as defined in \crossref{constants}. Let $\ParamP{q}$ be as defined in \crossref{pallasandvesta}. -Let $\GroupPx$ and $\ExtractP$ be as defined in \crossref{concreteextractorpallas}. +Let $\ExtractP$ be as defined in \crossref{concreteextractorpallas}. Let $\ValueCommitOutput{Orchard}$ be as defined in \crossref{abstractcommit}. @@ -5346,7 +5346,7 @@ where \item $\cvNet{} \typecolon \ValueCommitOutput{Orchard}$ is the \valueCommitment to the value of the input \note minus the value of the output \note; \vspace{-0.5ex} - \item $\rt{Orchard} \typecolon \range{0}{\ParamP{q}-1}$ is an \anchor (\crossref{blockchain}) for the + \item $\rt{Orchard} \typecolon \MerkleHashOrchard$ is an \anchor (\crossref{blockchain}) for the output \treestate of a previous \block; \vspace{-0.25ex} \item $\nf \typecolon \range{0}{\ParamP{q}-1}$ is the \nullifier for the input \note; @@ -5357,7 +5357,7 @@ where \item $\spendAuthSig \typecolon \SpendAuthSigSignature{Orchard}$ is a \spendAuthSignature, validated as specified in \crossref{spendauthsig}; \vspace{-0.25ex} - \item $\cmX \typecolon \range{0}{\ParamP{q}-1}$ is the result of applying $\ExtractP$ to the \noteCommitment for + \item $\cmX \typecolon \MerkleHashOrchard$ is the result of applying $\ExtractP$ to the \noteCommitment for the output \note; \vspace{-0.25ex} \item $\EphemeralPublic \typecolon \KAPublic{Orchard}$ is @@ -5412,8 +5412,8 @@ $\Proof{}$ is aggregated with other Action proofs and encoded in the $\proofsOrc \item $\cv$ and $\AuthSignRandomizedPublic$ can be the zero point $\ZeroP$. $\EphemeralPublic$ cannot be $\ZeroP$. \vspace{-0.25ex} - \item Despite the return type of $\ExtractP$ being $\GroupPx$, $\nf$ and $\cmX$ are \emph{not} checked - to be in $\GroupPx$; they are only checked to encode integers in $\range{0}{\ParamP{q}-1}$. + \item $\nf$ and $\cmX$ are \emph{not} checked to be valid \affineSW $x$-coordinates on the \pallasCurve; + they are only checked to encode integers in $\range{0}{\ParamP{q}-1}$. \end{nnotes} } %nufive @@ -5959,8 +5959,8 @@ $\MerkleNode{\MerkleDepth{}}{i}$ is in a tree with a given \merkleRoot $\rt{} = \item The \actionCircuit is permitted to be implemented in such a way that the \merklePath validity check can pass if any \merkleHash on the path, including the \merkleRoot, is $0$. This can only happen if $\SinsemillaHash$ returned $\bot$ for that hash, because - $0$ is not the $x$-coordinate of any point on the \pallasCurve (as shown in a note at - \crossref{concreteextractorpallas}), and $\SinsemillaHashToPoint$ cannot return + $0$ is not the \affineSW $x$-coordinate of any point on the \pallasCurve (as shown in a + note at \crossref{concreteextractorpallas}), and $\SinsemillaHashToPoint$ cannot return $\ZeroP$. Allowing the validity check to pass in that case models the fact that incomplete addition is used to implement Sinsemilla in the circuit. As proven in \theoremref{thmsinsemillaex}, a $\bot$ output from $\SinsemillaHash$ yields a @@ -6654,7 +6654,7 @@ Define $\NullifierBaseOrchard := \GroupPHash\Of{\ascii{z.cash:Orchard}, \ascii{K \introlist To avoid repetition, we define a function $\DeriveNullifierAlg \typecolon -\NullifierKeyTypeOrchard \times \NoteUniqueRandTypeOrchard \times \NoteNullifierRandType \times \GroupP \rightarrow \GF{\ParamP{q}}$ +\NullifierKeyTypeOrchard \times \NoteUniqueRandTypeOrchard \times \NoteNullifierRandType \times \GroupP \rightarrow \NullifierTypeOrchard$ as follows: \begin{formulae} @@ -6996,7 +6996,7 @@ Let $\SpendAuthSig{Orchard}$ be as defined in \crossref{concretespendauthsig}. Let $\GroupP$, $\GroupPstar$, $\reprP$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}. \vspace{-0.25ex} -Let $\Selectx$, $\Selecty$, $\GroupPx$, $\ExtractP$, and $\ExtractPbot$ be as defined in \crossref{concreteextractorpallas}. +Let $\Selectx$, $\Selecty$, $\ExtractP$, and $\ExtractPbot$ be as defined in \crossref{concreteextractorpallas}. \vspace{-0.25ex} Let $\DeriveNullifierAlg$ be as defined in \crossref{commitmentsandnullifiers}. @@ -7007,11 +7007,11 @@ A valid instance of a \defining{\actionStatement}, $\Proof{}$, assures that give \vspace{-1ex} \begin{formulae} - \item $\oparen\rt{Orchard} \typecolon \range{0}{\ParamP{q}-1},\\ + \item $\oparen\rt{Orchard} \typecolon \MerkleHashOrchard,\\ \hparen\cvNet{} \typecolon \ValueCommitOutput{Orchard},\\ \hparen\nfOld{} \typecolon \range{0}{\ParamP{q}-1},\\ \hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic{Orchard},\\ - \hparen\cmX \typecolon \range{0}{\ParamP{q}-1},\vspace{0.2ex}\\ + \hparen\cmX \typecolon \MerkleHashOrchard,\vspace{0.2ex}\\ \hparen\enableSpends \typecolon \bit,\vspace{0.4ex}\\ \hparen\enableOutputs \typecolon \bit\cparen$, \end{formulae} @@ -7107,7 +7107,7 @@ For details of the form and encoding of \actionStatement proofs, see \crossref{h range $\SignedValueDifferenceType$, which is different to the range $\SignedValueFieldType$ of $\vBalance{Orchard}$. \item In the Merkle path validity check, each \merkleLayer does \emph{not} check that its - input bit sequence is a canonical encoding (in $\range{0}{\ParamP{q}-1}$) of the integer + input bit sequence is a canonical encoding (in $\MerkleHashOrchard$) of the integer from the previous \merkleLayer. \item As specified in \crossref{merklepath}, the validity check is permitted to be implemented in such a way that it can pass if any $\MerkleCRH{Orchard}$ hash on the \merklePath outputs $0$. @@ -7120,7 +7120,7 @@ For details of the form and encoding of \actionStatement proofs, see \crossref{h ($\AuthSignBase{Orchard}$ is as defined in \crossref{concretespendauthsig}.) \item The validity of $\DiversifiedTransmitBaseRepr$ and $\DiversifiedTransmitPublicRepr$ are \emph{not} checked in this circuit. Also, $\rt{Orchard}$ and $\cmX$ are \emph{not} checked - to be in $\GroupPx$. + to be \Pallas \affineSW $x$-coordinates or $0$. \item When a value given as a field element in the \actionCircuit is used as a scalar for scalar multiplication, it involves witnessing the scalar as a sequence of bits or window indices, typically for a total of $255$ bits (except in the case of multiplying by the value @@ -7462,8 +7462,8 @@ $\InViewingKeyTypeOrchard$ (in \Orchard)}} be the recipient's $\KA{Sapling}$\nuf \vspace{-0.25ex} Let $(\ephemeralKey, \TransmitCiphertext{}, \OutCiphertext)$ be the \noteCiphertext from the \outputDescription{}. Let $\cmstarField$ be the $\cmuField$\nufive{ or $\cmxField$} field of -the \outputDescription\nufive{ or \actionDescription respectively}. (This encodes the -$u$-coordinate\nufive{ or $x$-coordinate} of the \noteCommitment, i.e.\ $\ExtractG(\cm)$.) +the \outputDescription\nufive{ or \actionDescription respectively}. (This encodes the \affineCtEdwards +$u$-coordinate\nufive{ or \affineSW $x$-coordinate} of the \noteCommitment, i.e.\ $\ExtractG(\cm)$.) \canopy{ \vspace{-0.25ex} @@ -7790,16 +7790,12 @@ Typically, these components are derived from a \fullViewingKey as described in \vspace{1ex} Let $\PRFOutputLengthNfSapling$ be as defined in \crossref{constants}. -\nufive{ -Let $\GroupPx$ be as defined in \crossref{pallasandvesta}. -} %nufive - Let $\NoteType{}$ be $\NoteType{Sapling}$\nufive{ or $\NoteType{Orchard}$} as defined in \crossref{notes}. Let $\KA{}$ be\notbeforenufive{ either} $\KA{Sapling}$ as defined in \crossref{concretesaplingkeyagreement}\nufive{, or $\KA{Orchard}$ as defined in \crossref{concreteorchardkeyagreement}}. -Let $\NullifierType$ be $\PRFOutputNfSapling$\notbeforenufive{ for \Sapling}\nufive{, or $\GroupPx$ for \Orchard}. +Let $\NullifierType$ be $\PRFOutputNfSapling$\notbeforenufive{ for \Sapling}\nufive{, or $\NullifierTypeOrchard$ for \Orchard}. \introsection \vspace{1ex} @@ -7914,10 +7910,6 @@ are used, the text will clarify their position in each case. \introsection \lsubsection{Constants}{constants} -\nufive{ -Let $\GroupPx$ be as defined in \crossref{concreteextractorpallas}. -} %nufive - Define: \begin{formulae}[itemsep=0.2ex] @@ -7969,7 +7961,7 @@ Define: } %sapling \nufive{ \vspace{-1ex} - \item $\Uncommitted{Orchard} \typecolon \GroupPx := 2$ + \item $\Uncommitted{Orchard} \typecolon \MerkleHashOrchard := 2$ } %nufive \vspace{0.25ex} \item $\MAXMONEY \typecolon \Nat := 2.1 \smult 10^{15}$ (\zatoshi) @@ -8953,10 +8945,10 @@ by \texttt{calc\_round\_numbers.py} in that implementation, for a $128$-bit secu Also note that the use of $\Poseidon$ in \Orchard is very conservative. First, the sponge mode limits an adversary to only being able to influence part of the $\Poseidon$ - permutation input, and we use it only to construct a PRF ($\PRFnf{Orchard}{}$ as described in - \crossref{concreteprfs}). Half of the sponge input is a random key $\NullifierKey$, - known only to holders of a \fullViewingKey, and the remaining half $\NoteUniqueRand$ - comes from a previous \nullifier which is effectively a random $x$-coordinate on the + permutation input, and we use it only to construct a PRF ($\PRFnf{Orchard}{}$ as described + in \crossref{concreteprfs}). Half of the sponge input is a random key $\NullifierKey$, + known only to holders of a \fullViewingKey, and the remaining half $\NoteUniqueRand$ comes + from a previous \nullifier which is effectively a random \affineSW $x$-coordinate on the \pallasCurve. Then the PRF is used to enhance the security of a discrete-logarithm-based nullifier construction (described in \cite[Section 3.5 Nullifiers]{Zcash-Orchard}) against a potential discrete-log-breaking adversary. Given the weak assumption @@ -9241,7 +9233,7 @@ to $\OutViewingKey$, with input in the bits corresponding to $\cvField$, $\cmxFi \introlist Let $\ParamP{q}$ be as defined in \crossref{pallasandvesta}. -$\PRFnf{Orchard}{} \typecolon \NullifierKeyTypeOrchard \times \NoteUniqueRandTypeOrchard \rightarrow \GF{\ParamP{q}}$ is used as +$\PRFnf{Orchard}{} \typecolon \NullifierKeyTypeOrchard \times \NoteUniqueRandTypeOrchard \rightarrow \PRFOutputNfOrchard$ is used as part of deriving the \nullifier for an \Orchard \note. It is instantiated using the $\PoseidonHash$ \hashFunction \cite{GKRRS2019} defined in \crossref{poseidonhash}: @@ -10908,19 +10900,9 @@ Define $\Selectx \typecolon \GroupP \rightarrow \GF{\ParamP{q}}$ and $\Selecty \ \item $\Selecty\big((x, y)\big) = y$. \end{formulae} -Define $\GroupPstarx$ as the set of $x$-coordinates (as integers) of points on the \pallasCurve, i.e. - -\vspace{-1ex} -\begin{formulae} - \item $\GroupPstarx := \bigsetof{x \typecolon \range{0}{\ParamP{q}-1} \suchthat x^3 + \ParamP{b} \pmod{\ParamP{q}} \text{ is square in }\GF{\ParamP{q}}}$. -\end{formulae} - -\vspace{-0.5ex} -Define $\GroupPx := \GroupPstarx \union \setof{0}$. - \introlist \vspace{1ex} -Define $\ExtractP \typecolon \GroupP \rightarrow \GroupPx$ such that +Define $\ExtractP \typecolon \GroupP \rightarrow \range{0}{\ParamP{q}-1}$ such that \vspace{-1ex} \begin{formulae} @@ -10928,7 +10910,7 @@ Define $\ExtractP \typecolon \GroupP \rightarrow \GroupPx$ such that \end{formulae} \vspace{-1ex} -We also define $\ExtractPbot \typecolon \maybe{\GroupP} \rightarrow \maybe{\GroupPx}$ such that +We also define $\ExtractPbot \typecolon \maybe{\GroupP} \rightarrow \maybe{\range{0}{\ParamP{q}-1}}$ such that \vspace{-1ex} \begin{formulae} @@ -10937,12 +10919,8 @@ We also define $\ExtractPbot \typecolon \maybe{\GroupP} \rightarrow \maybe{\Grou \end{formulae} \vspace{-2ex} -\begin{pnotes} - \item There is no solution to $y^2 = 0^3 + 5$ in $\GF{\ParamP{q}}$, and so $\ExtractP(P)$ - can only be $0$ when $P = \ZeroP$. - \item $\ExtractP$ returns the type $\GroupPx$ which is precise for its range, unlike $\ExtractJ$ - which returns a bit sequence. -\end{pnotes} +\pnote{There is no solution to $y^2 = 0^3 + 5$ in $\GF{\ParamP{q}}$, and so $\ExtractP(P)$ +can only be $0$ when $P = \ZeroP$.} } %nufive \nufive{ @@ -11143,7 +11121,7 @@ Define $\maptocurvesimpleswuIsoG(u \typecolon \GF{\ParamG{q}}) \rightarrow \Grou \item let $\mathsf{x}_\num = \mathsf{is\_gx1\_square} \bchoose \mathsf{x1}_\num : \mathsf{x2}_\num$ \item let $\mathsf{y}' = \mathsf{is\_gx1\_square} \bchoose \mathsf{y1} : \mathsf{y2}$ \item let $\mathsf{y} = (u \bmod 2 = y \bmod 2) \bchoose \mathsf{y}' : -\mathsf{y}'$ - \item return the $\CurveIsoG$ point with affine coordinates $\left(\mathsf{x}_\num / \mathsf{x}_\xdiv,\, \mathsf{y}\right)$. + \item return the $\CurveIsoG$ point with \affineSW coordinates $\left(\mathsf{x}_\num / \mathsf{x}_\xdiv,\, \mathsf{y}\right)$. \end{algorithm} Let $\GroupGHashInput := \byteseqs \times \byteseqs$. @@ -11181,7 +11159,7 @@ is calculated as follows: In order to fully avoid inversions, the output of $\maptocurvesimpleswuIsoG$ can be expressed in Jacobian coordinates, as can the input and output of $\IsoMapG$. It is outside the scope of this document to describe Jacobian coordinates, but - for example, the $\CurveIsoG$ point with affine coordinates + for example, the $\CurveIsoG$ point with \affineSW coordinates $\big(\mathsf{x}_\num / \mathsf{x}_\xdiv, \mathsf{y}\big)$, has Jacobian coordinates $\big(\mathsf{x}_\num \mult \mathsf{x}_\xdiv : \mathsf{y} \mult \mathsf{x}_\xdiv^3 : \mathsf{x}_\xdiv\big)$. \end{nnotes} @@ -12020,7 +11998,7 @@ Let $\KA{Orchard}$ be as defined in \crossref{concreteorchardkeyagreement}. Let $\ExtractP$ be as defined in \crossref{concreteextractorpallas}. -An \Orchard{} \defining{\fullViewingKey} consists of $\AuthSignPublic \typecolon \GroupPx$, +An \Orchard{} \defining{\fullViewingKey} consists of $\AuthSignPublic \typecolon \AuthSignPublicTypeOrchard$, $\NullifierKey \typecolon \NullifierKeyTypeOrchard$, and $\CommitIvkRandom \typecolon \GF{\ParamP{r}}$. $\AuthSignPublic$ is the \authValidatingKey, a result of applying $\ExtractP$ to a @@ -12054,7 +12032,7 @@ The \rawEncoding of an \Orchard \fullViewingKey consists of: \vspace{-1ex} When decoding this representation, the key \MUST be considered invalid if $\AuthSignPublic$, $\NullifierKey$, or $\CommitIvkRandom$ are not canonically encoded elements of their respective -fields, or if $\AuthSignPublic \not\in \GroupPx$. +fields, or if $\AuthSignPublic$ is not a valid \Pallas $x$-coordinate. There is no \BechOptm encoding defined for an individual \Orchard \fullViewingKey; instead use a \unifiedFullViewingKey as defined in \cite{ZIP-316}. @@ -14541,6 +14519,13 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \historyentry{2021.2.18}{} \begin{itemize} +\nufive{ + \item Change the types of $\cmX$, $\Uncommitted{Orchard}$, and $\AuthSignPublic$ in + \Orchard to $\range{0}{\ParamP{q}-1}$, avoiding type errors and reflecting the + implementation in \zcashd. This eliminates all uses of $\GroupP_{\!x}$ (except + that $\AuthSignPublic$ in an \Orchard \fullViewingKey is still required to be a + valid \Pallas \affineSW $x$-coordinate). +} %nufive \item Refine the security argument about \partitioningOracleAttacks in \crossref{inbandrationale}:\!\! \begin{itemize} @@ -14578,9 +14563,10 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \item Correct the proof of \theoremref{thmuncommittedorchard}. \item Change the type of $\cmOld{}$ in \Orchard to $\GroupP$ rather than $\GroupPstar$, i.e.\ allow the identity point. - \item Change the type of $\rt{Orchard}$ from $\GroupPx$ to $\range{0}{\ParamP{q}-1}$. + \item Change the type of $\rt{Orchard}$ from $\GroupP_{\!x}$ (i.e.\ a \Pallas $x$-coordinate + or $0$) to $\range{0}{\ParamP{q}-1}$. This reflects the existing \zcashd implementation; also checking - $\rt{Orchard} \in \GroupPx$ would require a square root and is unnecessary. + $\rt{Orchard} \in \GroupP_{\!x}$ would require a square root and is unnecessary. \item Witness $\DiversifiedTransmitBaseNew$ and $\DiversifiedTransmitPublicNew$ in the \Orchard \actionCircuit as $\GroupPstar$, i.e.\ non-identity Pallas points, rather than witnessing their representations as bit sequences. This reflects @@ -14730,7 +14716,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \historyentry{2021.2.7}{2021-06-28} \begin{itemize} \nufive{ - \item Correct the type of $\Uncommitted{Orchard}$, which should be $\GroupPx$ rather than a + \item Correct the type of $\Uncommitted{Orchard}$, which should be $\GroupP_{\!x}$ rather than a bit sequence. \item Explicitly say that padding in \crossref{concretesinsemillahash} is by appending zero bits. \item Add a step to the algorithm for generating an \Orchard \note in \crossref{orchardsend}, @@ -14770,7 +14756,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. least one output from a v5 or later \transaction, to take into account the \enableSpendsOrchard{} and \enableOutputsOrchard{} flags. \item Correct the type of $\ExtractPbot$ imported in \crossref{concretesinsemillahash}\, - (from $\GroupP \rightarrow \GroupPx$ to \mbox{$\maybe{\GroupP} \rightarrow \maybe{\GroupPx}$}). + (from $\GroupP \rightarrow \GroupP_{\!x}$ to \mbox{$\maybe{\GroupP} \rightarrow \maybe{\GroupP_{\!x}}$}). \item Add \cite{ZIP-209} to the list of ZIPs updated for \NUFive. } % nufive \item No changes before \NUFive.