zec
/
zips
mirror of https://github.com/zcash/zips.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Change the types of cm_x, Uncommitted^Orchard, and ak in Orchard to { 0 .. q_P-1 }, 

avoiding type errors and reflecting the implementation in zcashd. This eliminates all uses of P_x
(except that ak in an Orchard full viewing key is still required to be a valid Pallas affine
x-coordinate). Also clarify the coordinate system whenever we refer to coordinates.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2022-01-03 17:55:01 +00:00
parent b6e00e0d41
commit 59a220d59e
1 changed files with 52 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

118
protocol/protocol.tex
View File

@ -1456,6 +1456,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\AuthSignPublic}{\mathsf{ak}} \newcommand{\AuthSignPublic}{\mathsf{ak}}
\newcommand{\AuthSignPublicPoint}{\mathsf{ak}^\GroupP} \newcommand{\AuthSignPublicPoint}{\mathsf{ak}^\GroupP}
\newcommand{\AuthSignPublicRepr}{{\AuthSignPublic\Repr}} \newcommand{\AuthSignPublicRepr}{{\AuthSignPublic\Repr}}
\newcommand{\AuthSignPublicTypeOrchard}{\range{0}{\ParamP{q}-1}}
\newcommand{\AuthSignRandomizedPublic}{\mathsf{rk}} \newcommand{\AuthSignRandomizedPublic}{\mathsf{rk}}
\newcommand{\AuthSignRandomizedPublicRepr}{{\AuthSignRandomizedPublic\Repr}} \newcommand{\AuthSignRandomizedPublicRepr}{{\AuthSignRandomizedPublic\Repr}}
\newcommand{\AuthSignRandomizedPrivate}{\mathsf{rsk}} \newcommand{\AuthSignRandomizedPrivate}{\mathsf{rsk}}
@ -1468,6 +1469,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\NullifierKeyRepr}{{\NullifierKey\Repr}} \newcommand{\NullifierKeyRepr}{{\NullifierKey\Repr}}
\newcommand{\NullifierKeyTypeOrchard}{\GF{\ParamP{q}}} \newcommand{\NullifierKeyTypeOrchard}{\GF{\ParamP{q}}}
\newcommand{\NullifierBaseOrchard}{\mathcal{K}^\mathsf{Orchard}} \newcommand{\NullifierBaseOrchard}{\mathcal{K}^\mathsf{Orchard}}
\newcommand{\NullifierTypeOrchard}{\GF{\ParamP{q}}}
\newcommand{\OutViewingKey}{\mathsf{ovk}} \newcommand{\OutViewingKey}{\mathsf{ovk}}
\newcommand{\OutViewingKeyLength}{\mathsf{\ell_{\OutViewingKey}}} \newcommand{\OutViewingKeyLength}{\mathsf{\ell_{\OutViewingKey}}}
\newcommand{\OutViewingKeyType}{\byteseq{\OutViewingKeyLength/8}} \newcommand{\OutViewingKeyType}{\byteseq{\OutViewingKeyLength/8}}
@ -1900,7 +1902,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\MerkleCRH}[1]{\mathsf{MerkleCRH}^\mathsf{#1\kern-0.1em}} \newcommand{\MerkleCRH}[1]{\mathsf{MerkleCRH}^\mathsf{#1\kern-0.1em}}
\newcommand{\MerkleHashLength}[1]{\mathsf{\ell}^\mathsf{#1\vphantom{p}}_\mathsf{Merkle}} \newcommand{\MerkleHashLength}[1]{\mathsf{\ell}^\mathsf{#1\vphantom{p}}_\mathsf{Merkle}}
\newcommand{\MerkleHash}[1]{\bitseq{\MerkleHashLength{#1}}} \newcommand{\MerkleHash}[1]{\bitseq{\MerkleHashLength{#1}}}
\newcommand{\MerkleHashOrchard}{\GroupPx} \newcommand{\MerkleHashOrchard}{\range{0}{\ParamP{q}-1}}
\newcommand{\MerkleLayer}[1]{\range{0}{\MerkleDepth{#1}-1}} \newcommand{\MerkleLayer}[1]{\range{0}{\MerkleDepth{#1}-1}}
\newcommand{\hash}{\mathsf{hash}} \newcommand{\hash}{\mathsf{hash}}
\newcommand{\layerInput}{\mathsf{layer}} \newcommand{\layerInput}{\mathsf{layer}}
@ -2209,9 +2211,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ParamP}[1]{{{#1}_\mathbb{\hskip 0.01em P}}} \newcommand{\ParamP}[1]{{{#1}_\mathbb{\hskip 0.01em P}}}
\newcommand{\ParamPexp}[2]{{{#1}_\mathbb{\hskip 0.01em P}\!}^{#2}} \newcommand{\ParamPexp}[2]{{{#1}_\mathbb{\hskip 0.01em P}\!}^{#2}}
\newcommand{\GroupP}{\mathbb{P}} \newcommand{\GroupP}{\mathbb{P}}
\newcommand{\GroupPx}{\GroupP_{\!x}}
\newcommand{\GroupPstar}{\GroupP^{\ast}} \newcommand{\GroupPstar}{\GroupP^{\ast}}
\newcommand{\GroupPstarx}{\GroupP^{\ast}_{\!x}}
\newcommand{\CurveP}{\Curve_{\GroupP}} \newcommand{\CurveP}{\Curve_{\GroupP}}
\newcommand{\ZeroP}{\Zero_{\GroupP}} \newcommand{\ZeroP}{\Zero_{\GroupP}}
\newcommand{\ellP}{\ell_{\GroupP}} \newcommand{\ellP}{\ell_{\GroupP}}
@ -2928,7 +2928,7 @@ The following integer constants will be instantiated in \crossref{constants}:
The rational constants $\FoundersFraction$, $\PoWMaxAdjustDown$, and $\PoWMaxAdjustUp$, and The rational constants $\FoundersFraction$, $\PoWMaxAdjustDown$, and $\PoWMaxAdjustUp$, and
the bit sequence constants $\Uncommitted{Sprout} \typecolon \bitseq{\MerkleHashLength{Sprout}}$, the bit sequence constants $\Uncommitted{Sprout} \typecolon \bitseq{\MerkleHashLength{Sprout}}$,
\sapling{$\Uncommitted{Sapling} \typecolon \bitseq{\MerkleHashLength{Sapling}}$,} \sapling{$\Uncommitted{Sapling} \typecolon \bitseq{\MerkleHashLength{Sapling}}$,}
\nufive{and $\Uncommitted{Orchard} \typecolon$ $\GroupPx$,} will also be defined in that section. \nufive{and $\Uncommitted{Orchard} \typecolon$ $\MerkleHashOrchard$,} will also be defined in that section.
We use the abbreviation ``\defining{\xCtEdwards}'' to refer to \completeTwistedEdwardsEllipticCurves and We use the abbreviation ``\defining{\xCtEdwards}'' to refer to \completeTwistedEdwardsEllipticCurves and
coordinates (see \crossref{jubjub}). coordinates (see \crossref{jubjub}).
@ -4434,7 +4434,7 @@ in an \outputDescription.}
\vspace{2ex} \vspace{2ex}
Let $\ScalarLength{Orchard}$ be as defined in \crossref{constants}. Let $\ScalarLength{Orchard}$ be as defined in \crossref{constants}.
Let $\GroupP$, $\GroupPx$, $\ellP$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}. Let $\GroupP$, $\ellP$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}.
\introlist \introlist
Define: Define:
@ -4454,7 +4454,7 @@ Define:
$\NoteCommitAlg{Orchard} $&$\typecolon\; \NoteCommitTrapdoor{Orchard} \times \ReprP \times \ReprP \times \ValueType$ \\[-1ex] $\NoteCommitAlg{Orchard} $&$\typecolon\; \NoteCommitTrapdoor{Orchard} \times \ReprP \times \ReprP \times \ValueType$ \\[-1ex]
&\hspace{21.2em}$\times\; \NoteUniqueRandTypeOrchard \times \NoteNullifierRandType $&$\rightarrow \NoteCommitOutput{Orchard}$ \\ &\hspace{21.2em}$\times\; \NoteUniqueRandTypeOrchard \times \NoteNullifierRandType $&$\rightarrow \NoteCommitOutput{Orchard}$ \\
$\ValueCommitAlg{Orchard} $&$\typecolon\; \ValueCommitTrapdoor{Orchard} \times \ValueCommitTypeOrchard $&$\rightarrow \ValueCommitOutput{Orchard}$ \\ $\ValueCommitAlg{Orchard} $&$\typecolon\; \ValueCommitTrapdoor{Orchard} \times \ValueCommitTypeOrchard $&$\rightarrow \ValueCommitOutput{Orchard}$ \\
$\CommitIvkAlg $&$\typecolon\; \CommitIvkTrapdoor \times \GroupPx \times \NullifierKeyTypeOrchard $&$\rightarrow \CommitIvkOutput$ $\CommitIvkAlg $&$\typecolon\; \CommitIvkTrapdoor \times \AuthSignPublicTypeOrchard \times \NullifierKeyTypeOrchard $&$\rightarrow \CommitIvkOutput$
\end{tabular} \end{tabular}
\vspace{-1ex} \vspace{-1ex}
@ -4947,7 +4947,7 @@ if this happens, discard the key and repeat with a different $\SpendingKey$.
Let $\PRFOutputLengthExpand$, $\SpendingKeyLength$, $\OutViewingKeyLength$, $\DiversifierLength$, Let $\PRFOutputLengthExpand$, $\SpendingKeyLength$, $\OutViewingKeyLength$, $\DiversifierLength$,
and $\DiversifierKeyLength$ be as defined in \crossref{constants}. and $\DiversifierKeyLength$ be as defined in \crossref{constants}.
Let $\GroupP$, $\GroupPx$, $\reprP$, $\ellP$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in Let $\GroupP$, $\reprP$, $\ellP$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in
\crossref{pallasandvesta}. \crossref{pallasandvesta}.
Let $\ExtractP$ be as defined in \crossref{concreteextractorpallas}. Let $\ExtractP$ be as defined in \crossref{concreteextractorpallas}.
@ -4991,7 +4991,7 @@ A new \Orchard \spendingKey $\SpendingKey$ is generated by choosing a bit sequen
uniformly at random from $\SpendingKeyType$. uniformly at random from $\SpendingKeyType$.
From this \spendingKey, the \authSigningKey $\AuthSignPrivate \typecolon \GFstar{\ParamP{r}}$, From this \spendingKey, the \authSigningKey $\AuthSignPrivate \typecolon \GFstar{\ParamP{r}}$,
the \authValidatingKey $\AuthSignPublic \typecolon \GroupPx$, the \authValidatingKey $\AuthSignPublic \typecolon \AuthSignPublicTypeOrchard$,
the \nullifierDerivingKey $\NullifierKey \typecolon \NullifierKeyTypeOrchard$, the \nullifierDerivingKey $\NullifierKey \typecolon \NullifierKeyTypeOrchard$,
the \commitIvkRandomness $\CommitIvkRand \typecolon \CommitIvkRandType$, the \commitIvkRandomness $\CommitIvkRand \typecolon \CommitIvkRandType$,
the \diversifierKey $\DiversifierKey \typecolon \DiversifierKeyType$, the \diversifierKey $\DiversifierKey \typecolon \DiversifierKeyType$,
@ -5076,8 +5076,8 @@ The \diversifiedPaymentAddress with \diversifierIndex $0$ is called the \definin
\item The uses of $\ToScalar{Orchard}$ and $\ToBase{Orchard}$ produce output that is \item The uses of $\ToScalar{Orchard}$ and $\ToBase{Orchard}$ produce output that is
uniform on $\GF{\ParamP{r}}$ and $\GF{\ParamP{q}}$ respectively when applied to uniform on $\GF{\ParamP{r}}$ and $\GF{\ParamP{q}}$ respectively when applied to
random input, by a similar argument to that used in \crossref{saplingkeycomponents}. random input, by a similar argument to that used in \crossref{saplingkeycomponents}.
\item The output of $\CommitIvk{}$ is the $x$-coordinate of a \pallasCurve point, which \item The output of $\CommitIvk{}$ is the \affineSW $x$-coordinate of a \pallasCurve point,
we then use as a $\KA{Orchard}$ private key $\InViewingKey$ for \note encryption. which we then use as a $\KA{Orchard}$ private key $\InViewingKey$ for \note encryption.
The fact that $\InViewingKey$ is non-uniform on $\GF{\ParamP{r}}$ (since it can The fact that $\InViewingKey$ is non-uniform on $\GF{\ParamP{r}}$ (since it can
only take on roughly half of the possible values) is not expected to cause any only take on roughly half of the possible values) is not expected to cause any
security issue. security issue.
@ -5325,7 +5325,7 @@ Let $\MerkleHashLength{Orchard}$ be as defined in \crossref{constants}.
Let $\ParamP{q}$ be as defined in \crossref{pallasandvesta}. Let $\ParamP{q}$ be as defined in \crossref{pallasandvesta}.
Let $\GroupPx$ and $\ExtractP$ be as defined in \crossref{concreteextractorpallas}. Let $\ExtractP$ be as defined in \crossref{concreteextractorpallas}.
Let $\ValueCommitOutput{Orchard}$ be as defined in \crossref{abstractcommit}. Let $\ValueCommitOutput{Orchard}$ be as defined in \crossref{abstractcommit}.
@ -5346,7 +5346,7 @@ where
\item $\cvNet{} \typecolon \ValueCommitOutput{Orchard}$ is the \valueCommitment to the value of the \item $\cvNet{} \typecolon \ValueCommitOutput{Orchard}$ is the \valueCommitment to the value of the
input \note minus the value of the output \note; input \note minus the value of the output \note;
\vspace{-0.5ex} \vspace{-0.5ex}
\item $\rt{Orchard} \typecolon \range{0}{\ParamP{q}-1}$ is an \anchor (\crossref{blockchain}) for the \item $\rt{Orchard} \typecolon \MerkleHashOrchard$ is an \anchor (\crossref{blockchain}) for the
output \treestate of a previous \block; output \treestate of a previous \block;
\vspace{-0.25ex} \vspace{-0.25ex}
\item $\nf \typecolon \range{0}{\ParamP{q}-1}$ is the \nullifier for the input \note; \item $\nf \typecolon \range{0}{\ParamP{q}-1}$ is the \nullifier for the input \note;
@ -5357,7 +5357,7 @@ where
\item $\spendAuthSig \typecolon \SpendAuthSigSignature{Orchard}$ is a \spendAuthSignature, \item $\spendAuthSig \typecolon \SpendAuthSigSignature{Orchard}$ is a \spendAuthSignature,
validated as specified in \crossref{spendauthsig}; validated as specified in \crossref{spendauthsig};
\vspace{-0.25ex} \vspace{-0.25ex}
\item $\cmX \typecolon \range{0}{\ParamP{q}-1}$ is the result of applying $\ExtractP$ to the \noteCommitment for \item $\cmX \typecolon \MerkleHashOrchard$ is the result of applying $\ExtractP$ to the \noteCommitment for
the output \note; the output \note;
\vspace{-0.25ex} \vspace{-0.25ex}
\item $\EphemeralPublic \typecolon \KAPublic{Orchard}$ is \item $\EphemeralPublic \typecolon \KAPublic{Orchard}$ is
@ -5412,8 +5412,8 @@ $\Proof{}$ is aggregated with other Action proofs and encoded in the $\proofsOrc
\item $\cv$ and $\AuthSignRandomizedPublic$ can be the zero point $\ZeroP$. $\EphemeralPublic$ cannot \item $\cv$ and $\AuthSignRandomizedPublic$ can be the zero point $\ZeroP$. $\EphemeralPublic$ cannot
be $\ZeroP$. be $\ZeroP$.
\vspace{-0.25ex} \vspace{-0.25ex}
\item Despite the return type of $\ExtractP$ being $\GroupPx$, $\nf$ and $\cmX$ are \emph{not} checked \item $\nf$ and $\cmX$ are \emph{not} checked to be valid \affineSW $x$-coordinates on the \pallasCurve;
to be in $\GroupPx$; they are only checked to encode integers in $\range{0}{\ParamP{q}-1}$. they are only checked to encode integers in $\range{0}{\ParamP{q}-1}$.
\end{nnotes} \end{nnotes}
} %nufive } %nufive
@ -5959,8 +5959,8 @@ $\MerkleNode{\MerkleDepth{}}{i}$ is in a tree with a given \merkleRoot $\rt{} =
\item The \actionCircuit is permitted to be implemented in such a way that the \merklePath \item The \actionCircuit is permitted to be implemented in such a way that the \merklePath
validity check can pass if any \merkleHash on the path, including the \merkleRoot, is validity check can pass if any \merkleHash on the path, including the \merkleRoot, is
$0$. This can only happen if $\SinsemillaHash$ returned $\bot$ for that hash, because $0$. This can only happen if $\SinsemillaHash$ returned $\bot$ for that hash, because
$0$ is not the $x$-coordinate of any point on the \pallasCurve (as shown in a note at $0$ is not the \affineSW $x$-coordinate of any point on the \pallasCurve (as shown in a
\crossref{concreteextractorpallas}), and $\SinsemillaHashToPoint$ cannot return note at \crossref{concreteextractorpallas}), and $\SinsemillaHashToPoint$ cannot return
$\ZeroP$. Allowing the validity check to pass in that case models the fact that $\ZeroP$. Allowing the validity check to pass in that case models the fact that
incomplete addition is used to implement Sinsemilla in the circuit. As proven in incomplete addition is used to implement Sinsemilla in the circuit. As proven in
\theoremref{thmsinsemillaex}, a $\bot$ output from $\SinsemillaHash$ yields a \theoremref{thmsinsemillaex}, a $\bot$ output from $\SinsemillaHash$ yields a
@ -6654,7 +6654,7 @@ Define $\NullifierBaseOrchard := \GroupPHash\Of{\ascii{z.cash:Orchard}, \ascii{K
\introlist \introlist
To avoid repetition, we define a function $\DeriveNullifierAlg \typecolon To avoid repetition, we define a function $\DeriveNullifierAlg \typecolon
\NullifierKeyTypeOrchard \times \NoteUniqueRandTypeOrchard \times \NoteNullifierRandType \times \GroupP \rightarrow \GF{\ParamP{q}}$ \NullifierKeyTypeOrchard \times \NoteUniqueRandTypeOrchard \times \NoteNullifierRandType \times \GroupP \rightarrow \NullifierTypeOrchard$
as follows: as follows:
\begin{formulae} \begin{formulae}
@ -6996,7 +6996,7 @@ Let $\SpendAuthSig{Orchard}$ be as defined in \crossref{concretespendauthsig}.
Let $\GroupP$, $\GroupPstar$, $\reprP$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}. Let $\GroupP$, $\GroupPstar$, $\reprP$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}.
\vspace{-0.25ex} \vspace{-0.25ex}
Let $\Selectx$, $\Selecty$, $\GroupPx$, $\ExtractP$, and $\ExtractPbot$ be as defined in \crossref{concreteextractorpallas}. Let $\Selectx$, $\Selecty$, $\ExtractP$, and $\ExtractPbot$ be as defined in \crossref{concreteextractorpallas}.
\vspace{-0.25ex} \vspace{-0.25ex}
Let $\DeriveNullifierAlg$ be as defined in \crossref{commitmentsandnullifiers}. Let $\DeriveNullifierAlg$ be as defined in \crossref{commitmentsandnullifiers}.
@ -7007,11 +7007,11 @@ A valid instance of a \defining{\actionStatement}, $\Proof{}$, assures that give
\vspace{-1ex} \vspace{-1ex}
\begin{formulae} \begin{formulae}
\item $\oparen\rt{Orchard} \typecolon \range{0}{\ParamP{q}-1},\\ \item $\oparen\rt{Orchard} \typecolon \MerkleHashOrchard,\\
\hparen\cvNet{} \typecolon \ValueCommitOutput{Orchard},\\ \hparen\cvNet{} \typecolon \ValueCommitOutput{Orchard},\\
\hparen\nfOld{} \typecolon \range{0}{\ParamP{q}-1},\\ \hparen\nfOld{} \typecolon \range{0}{\ParamP{q}-1},\\
\hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic{Orchard},\\ \hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic{Orchard},\\
\hparen\cmX \typecolon \range{0}{\ParamP{q}-1},\vspace{0.2ex}\\ \hparen\cmX \typecolon \MerkleHashOrchard,\vspace{0.2ex}\\
\hparen\enableSpends \typecolon \bit,\vspace{0.4ex}\\ \hparen\enableSpends \typecolon \bit,\vspace{0.4ex}\\
\hparen\enableOutputs \typecolon \bit\cparen$, \hparen\enableOutputs \typecolon \bit\cparen$,
\end{formulae} \end{formulae}
@ -7107,7 +7107,7 @@ For details of the form and encoding of \actionStatement proofs, see \crossref{h
range $\SignedValueDifferenceType$, which is different to the range $\SignedValueFieldType$ range $\SignedValueDifferenceType$, which is different to the range $\SignedValueFieldType$
of $\vBalance{Orchard}$. of $\vBalance{Orchard}$.
\item In the Merkle path validity check, each \merkleLayer does \emph{not} check that its \item In the Merkle path validity check, each \merkleLayer does \emph{not} check that its
input bit sequence is a canonical encoding (in $\range{0}{\ParamP{q}-1}$) of the integer input bit sequence is a canonical encoding (in $\MerkleHashOrchard$) of the integer
from the previous \merkleLayer. from the previous \merkleLayer.
\item As specified in \crossref{merklepath}, the validity check is permitted to be implemented in \item As specified in \crossref{merklepath}, the validity check is permitted to be implemented in
such a way that it can pass if any $\MerkleCRH{Orchard}$ hash on the \merklePath outputs $0$. such a way that it can pass if any $\MerkleCRH{Orchard}$ hash on the \merklePath outputs $0$.
@ -7120,7 +7120,7 @@ For details of the form and encoding of \actionStatement proofs, see \crossref{h
($\AuthSignBase{Orchard}$ is as defined in \crossref{concretespendauthsig}.) ($\AuthSignBase{Orchard}$ is as defined in \crossref{concretespendauthsig}.)
\item The validity of $\DiversifiedTransmitBaseRepr$ and $\DiversifiedTransmitPublicRepr$ are \item The validity of $\DiversifiedTransmitBaseRepr$ and $\DiversifiedTransmitPublicRepr$ are
\emph{not} checked in this circuit. Also, $\rt{Orchard}$ and $\cmX$ are \emph{not} checked \emph{not} checked in this circuit. Also, $\rt{Orchard}$ and $\cmX$ are \emph{not} checked
to be in $\GroupPx$. to be \Pallas \affineSW $x$-coordinates or $0$.
\item When a value given as a field element in the \actionCircuit is used as a scalar for scalar \item When a value given as a field element in the \actionCircuit is used as a scalar for scalar
multiplication, it involves witnessing the scalar as a sequence of bits or window indices, multiplication, it involves witnessing the scalar as a sequence of bits or window indices,
typically for a total of $255$ bits (except in the case of multiplying by the value typically for a total of $255$ bits (except in the case of multiplying by the value
@ -7462,8 +7462,8 @@ $\InViewingKeyTypeOrchard$ (in \Orchard)}} be the recipient's $\KA{Sapling}$\nuf
\vspace{-0.25ex} \vspace{-0.25ex}
Let $(\ephemeralKey, \TransmitCiphertext{}, \OutCiphertext)$ be the \noteCiphertext from the Let $(\ephemeralKey, \TransmitCiphertext{}, \OutCiphertext)$ be the \noteCiphertext from the
\outputDescription{}. Let $\cmstarField$ be the $\cmuField$\nufive{ or $\cmxField$} field of \outputDescription{}. Let $\cmstarField$ be the $\cmuField$\nufive{ or $\cmxField$} field of
the \outputDescription\nufive{ or \actionDescription respectively}. (This encodes the the \outputDescription\nufive{ or \actionDescription respectively}. (This encodes the \affineCtEdwards
$u$-coordinate\nufive{ or $x$-coordinate} of the \noteCommitment, i.e.\ $\ExtractG(\cm)$.) $u$-coordinate\nufive{ or \affineSW $x$-coordinate} of the \noteCommitment, i.e.\ $\ExtractG(\cm)$.)
\canopy{ \canopy{
\vspace{-0.25ex} \vspace{-0.25ex}
@ -7790,16 +7790,12 @@ Typically, these components are derived from a \fullViewingKey as described in
\vspace{1ex} \vspace{1ex}
Let $\PRFOutputLengthNfSapling$ be as defined in \crossref{constants}. Let $\PRFOutputLengthNfSapling$ be as defined in \crossref{constants}.
\nufive{
Let $\GroupPx$ be as defined in \crossref{pallasandvesta}.
} %nufive
Let $\NoteType{}$ be $\NoteType{Sapling}$\nufive{ or $\NoteType{Orchard}$} as defined in \crossref{notes}. Let $\NoteType{}$ be $\NoteType{Sapling}$\nufive{ or $\NoteType{Orchard}$} as defined in \crossref{notes}.
Let $\KA{}$ be\notbeforenufive{ either} $\KA{Sapling}$ as defined in \crossref{concretesaplingkeyagreement}\nufive{, or Let $\KA{}$ be\notbeforenufive{ either} $\KA{Sapling}$ as defined in \crossref{concretesaplingkeyagreement}\nufive{, or
$\KA{Orchard}$ as defined in \crossref{concreteorchardkeyagreement}}. $\KA{Orchard}$ as defined in \crossref{concreteorchardkeyagreement}}.
Let $\NullifierType$ be $\PRFOutputNfSapling$\notbeforenufive{ for \Sapling}\nufive{, or $\GroupPx$ for \Orchard}. Let $\NullifierType$ be $\PRFOutputNfSapling$\notbeforenufive{ for \Sapling}\nufive{, or $\NullifierTypeOrchard$ for \Orchard}.
\introsection \introsection
\vspace{1ex} \vspace{1ex}
@ -7914,10 +7910,6 @@ are used, the text will clarify their position in each case.
\introsection \introsection
\lsubsection{Constants}{constants} \lsubsection{Constants}{constants}
\nufive{
Let $\GroupPx$ be as defined in \crossref{concreteextractorpallas}.
} %nufive
Define: Define:
\begin{formulae}[itemsep=0.2ex] \begin{formulae}[itemsep=0.2ex]
@ -7969,7 +7961,7 @@ Define:
} %sapling } %sapling
\nufive{ \nufive{
\vspace{-1ex} \vspace{-1ex}
\item $\Uncommitted{Orchard} \typecolon \GroupPx := 2$ \item $\Uncommitted{Orchard} \typecolon \MerkleHashOrchard := 2$
} %nufive } %nufive
\vspace{0.25ex} \vspace{0.25ex}
\item $\MAXMONEY \typecolon \Nat := 2.1 \smult 10^{15}$ (\zatoshi) \item $\MAXMONEY \typecolon \Nat := 2.1 \smult 10^{15}$ (\zatoshi)
@ -8953,10 +8945,10 @@ by \texttt{calc\_round\_numbers.py} in that implementation, for a $128$-bit secu
Also note that the use of $\Poseidon$ in \Orchard is very conservative. First, the Also note that the use of $\Poseidon$ in \Orchard is very conservative. First, the
sponge mode limits an adversary to only being able to influence part of the $\Poseidon$ sponge mode limits an adversary to only being able to influence part of the $\Poseidon$
permutation input, and we use it only to construct a PRF ($\PRFnf{Orchard}{}$ as described in permutation input, and we use it only to construct a PRF ($\PRFnf{Orchard}{}$ as described
\crossref{concreteprfs}). Half of the sponge input is a random key $\NullifierKey$, in \crossref{concreteprfs}). Half of the sponge input is a random key $\NullifierKey$,
known only to holders of a \fullViewingKey, and the remaining half $\NoteUniqueRand$ known only to holders of a \fullViewingKey, and the remaining half $\NoteUniqueRand$ comes
comes from a previous \nullifier which is effectively a random $x$-coordinate on the from a previous \nullifier which is effectively a random \affineSW $x$-coordinate on the
\pallasCurve. Then the PRF is used to enhance the security of a discrete-logarithm-based \pallasCurve. Then the PRF is used to enhance the security of a discrete-logarithm-based
nullifier construction (described in \cite[Section 3.5 Nullifiers]{Zcash-Orchard}) nullifier construction (described in \cite[Section 3.5 Nullifiers]{Zcash-Orchard})
against a potential discrete-log-breaking adversary. Given the weak assumption against a potential discrete-log-breaking adversary. Given the weak assumption
@ -9241,7 +9233,7 @@ to $\OutViewingKey$, with input in the bits corresponding to $\cvField$, $\cmxFi
\introlist \introlist
Let $\ParamP{q}$ be as defined in \crossref{pallasandvesta}. Let $\ParamP{q}$ be as defined in \crossref{pallasandvesta}.
$\PRFnf{Orchard}{} \typecolon \NullifierKeyTypeOrchard \times \NoteUniqueRandTypeOrchard \rightarrow \GF{\ParamP{q}}$ is used as $\PRFnf{Orchard}{} \typecolon \NullifierKeyTypeOrchard \times \NoteUniqueRandTypeOrchard \rightarrow \PRFOutputNfOrchard$ is used as
part of deriving the \nullifier for an \Orchard \note. part of deriving the \nullifier for an \Orchard \note.
It is instantiated using the $\PoseidonHash$ \hashFunction \cite{GKRRS2019} defined in \crossref{poseidonhash}: It is instantiated using the $\PoseidonHash$ \hashFunction \cite{GKRRS2019} defined in \crossref{poseidonhash}:
@ -10908,19 +10900,9 @@ Define $\Selectx \typecolon \GroupP \rightarrow \GF{\ParamP{q}}$ and $\Selecty \
\item $\Selecty\big((x, y)\big) = y$. \item $\Selecty\big((x, y)\big) = y$.
\end{formulae} \end{formulae}
Define $\GroupPstarx$ as the set of $x$-coordinates (as integers) of points on the \pallasCurve, i.e.
\vspace{-1ex}
\begin{formulae}
\item $\GroupPstarx := \bigsetof{x \typecolon \range{0}{\ParamP{q}-1} \suchthat x^3 + \ParamP{b} \pmod{\ParamP{q}} \text{ is square in }\GF{\ParamP{q}}}$.
\end{formulae}
\vspace{-0.5ex}
Define $\GroupPx := \GroupPstarx \union \setof{0}$.
\introlist \introlist
\vspace{1ex} \vspace{1ex}
Define $\ExtractP \typecolon \GroupP \rightarrow \GroupPx$ such that Define $\ExtractP \typecolon \GroupP \rightarrow \range{0}{\ParamP{q}-1}$ such that
\vspace{-1ex} \vspace{-1ex}
\begin{formulae} \begin{formulae}
@ -10928,7 +10910,7 @@ Define $\ExtractP \typecolon \GroupP \rightarrow \GroupPx$ such that
\end{formulae} \end{formulae}
\vspace{-1ex} \vspace{-1ex}
We also define $\ExtractPbot \typecolon \maybe{\GroupP} \rightarrow \maybe{\GroupPx}$ such that We also define $\ExtractPbot \typecolon \maybe{\GroupP} \rightarrow \maybe{\range{0}{\ParamP{q}-1}}$ such that
\vspace{-1ex} \vspace{-1ex}
\begin{formulae} \begin{formulae}
@ -10937,12 +10919,8 @@ We also define $\ExtractPbot \typecolon \maybe{\GroupP} \rightarrow \maybe{\Grou
\end{formulae} \end{formulae}
\vspace{-2ex} \vspace{-2ex}
\begin{pnotes} \pnote{There is no solution to $y^2 = 0^3 + 5$ in $\GF{\ParamP{q}}$, and so $\ExtractP(P)$
\item There is no solution to $y^2 = 0^3 + 5$ in $\GF{\ParamP{q}}$, and so $\ExtractP(P)$ can only be $0$ when $P = \ZeroP$.}
can only be $0$ when $P = \ZeroP$.
\item $\ExtractP$ returns the type $\GroupPx$ which is precise for its range, unlike $\ExtractJ$
which returns a bit sequence.
\end{pnotes}
} %nufive } %nufive
\nufive{ \nufive{
@ -11143,7 +11121,7 @@ Define $\maptocurvesimpleswuIsoG(u \typecolon \GF{\ParamG{q}}) \rightarrow \Grou
\item let $\mathsf{x}_\num = \mathsf{is\_gx1\_square} \bchoose \mathsf{x1}_\num : \mathsf{x2}_\num$ \item let $\mathsf{x}_\num = \mathsf{is\_gx1\_square} \bchoose \mathsf{x1}_\num : \mathsf{x2}_\num$
\item let $\mathsf{y}' = \mathsf{is\_gx1\_square} \bchoose \mathsf{y1} : \mathsf{y2}$ \item let $\mathsf{y}' = \mathsf{is\_gx1\_square} \bchoose \mathsf{y1} : \mathsf{y2}$
\item let $\mathsf{y} = (u \bmod 2 = y \bmod 2) \bchoose \mathsf{y}' : -\mathsf{y}'$ \item let $\mathsf{y} = (u \bmod 2 = y \bmod 2) \bchoose \mathsf{y}' : -\mathsf{y}'$
\item return the $\CurveIsoG$ point with affine coordinates $\left(\mathsf{x}_\num / \mathsf{x}_\xdiv,\, \mathsf{y}\right)$. \item return the $\CurveIsoG$ point with \affineSW coordinates $\left(\mathsf{x}_\num / \mathsf{x}_\xdiv,\, \mathsf{y}\right)$.
\end{algorithm} \end{algorithm}
Let $\GroupGHashInput := \byteseqs \times \byteseqs$. Let $\GroupGHashInput := \byteseqs \times \byteseqs$.
@ -11181,7 +11159,7 @@ is calculated as follows:
In order to fully avoid inversions, the output of $\maptocurvesimpleswuIsoG$ can be In order to fully avoid inversions, the output of $\maptocurvesimpleswuIsoG$ can be
expressed in Jacobian coordinates, as can the input and output of $\IsoMapG$. expressed in Jacobian coordinates, as can the input and output of $\IsoMapG$.
It is outside the scope of this document to describe Jacobian coordinates, but It is outside the scope of this document to describe Jacobian coordinates, but
for example, the $\CurveIsoG$ point with affine coordinates for example, the $\CurveIsoG$ point with \affineSW coordinates
$\big(\mathsf{x}_\num / \mathsf{x}_\xdiv, \mathsf{y}\big)$, has Jacobian coordinates $\big(\mathsf{x}_\num / \mathsf{x}_\xdiv, \mathsf{y}\big)$, has Jacobian coordinates
$\big(\mathsf{x}_\num \mult \mathsf{x}_\xdiv : \mathsf{y} \mult \mathsf{x}_\xdiv^3 : \mathsf{x}_\xdiv\big)$. $\big(\mathsf{x}_\num \mult \mathsf{x}_\xdiv : \mathsf{y} \mult \mathsf{x}_\xdiv^3 : \mathsf{x}_\xdiv\big)$.
\end{nnotes} \end{nnotes}
@ -12020,7 +11998,7 @@ Let $\KA{Orchard}$ be as defined in \crossref{concreteorchardkeyagreement}.
Let $\ExtractP$ be as defined in \crossref{concreteextractorpallas}. Let $\ExtractP$ be as defined in \crossref{concreteextractorpallas}.
An \Orchard{} \defining{\fullViewingKey} consists of $\AuthSignPublic \typecolon \GroupPx$, An \Orchard{} \defining{\fullViewingKey} consists of $\AuthSignPublic \typecolon \AuthSignPublicTypeOrchard$,
$\NullifierKey \typecolon \NullifierKeyTypeOrchard$, and $\CommitIvkRandom \typecolon \GF{\ParamP{r}}$. $\NullifierKey \typecolon \NullifierKeyTypeOrchard$, and $\CommitIvkRandom \typecolon \GF{\ParamP{r}}$.
$\AuthSignPublic$ is the \authValidatingKey, a result of applying $\ExtractP$ to a $\AuthSignPublic$ is the \authValidatingKey, a result of applying $\ExtractP$ to a
@ -12054,7 +12032,7 @@ The \rawEncoding of an \Orchard \fullViewingKey consists of:
\vspace{-1ex} \vspace{-1ex}
When decoding this representation, the key \MUST be considered invalid if $\AuthSignPublic$, When decoding this representation, the key \MUST be considered invalid if $\AuthSignPublic$,
$\NullifierKey$, or $\CommitIvkRandom$ are not canonically encoded elements of their respective $\NullifierKey$, or $\CommitIvkRandom$ are not canonically encoded elements of their respective
fields, or if $\AuthSignPublic \not\in \GroupPx$. fields, or if $\AuthSignPublic$ is not a valid \Pallas $x$-coordinate.
There is no \BechOptm encoding defined for an individual \Orchard \fullViewingKey; There is no \BechOptm encoding defined for an individual \Orchard \fullViewingKey;
instead use a \unifiedFullViewingKey as defined in \cite{ZIP-316}. instead use a \unifiedFullViewingKey as defined in \cite{ZIP-316}.
@ -14541,6 +14519,13 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\historyentry{2021.2.18}{} \historyentry{2021.2.18}{}
\begin{itemize} \begin{itemize}
\nufive{
\item Change the types of $\cmX$, $\Uncommitted{Orchard}$, and $\AuthSignPublic$ in
\Orchard to $\range{0}{\ParamP{q}-1}$, avoiding type errors and reflecting the
implementation in \zcashd. This eliminates all uses of $\GroupP_{\!x}$ (except
that $\AuthSignPublic$ in an \Orchard \fullViewingKey is still required to be a
valid \Pallas \affineSW $x$-coordinate).
} %nufive
\item Refine the security argument about \partitioningOracleAttacks in \item Refine the security argument about \partitioningOracleAttacks in
\crossref{inbandrationale}:\!\! \crossref{inbandrationale}:\!\!
\begin{itemize} \begin{itemize}
@ -14578,9 +14563,10 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\item Correct the proof of \theoremref{thmuncommittedorchard}. \item Correct the proof of \theoremref{thmuncommittedorchard}.
\item Change the type of $\cmOld{}$ in \Orchard to $\GroupP$ rather than $\GroupPstar$, \item Change the type of $\cmOld{}$ in \Orchard to $\GroupP$ rather than $\GroupPstar$,
i.e.\ allow the identity point. i.e.\ allow the identity point.
\item Change the type of $\rt{Orchard}$ from $\GroupPx$ to $\range{0}{\ParamP{q}-1}$. \item Change the type of $\rt{Orchard}$ from $\GroupP_{\!x}$ (i.e.\ a \Pallas $x$-coordinate
or $0$) to $\range{0}{\ParamP{q}-1}$.
This reflects the existing \zcashd implementation; also checking This reflects the existing \zcashd implementation; also checking
$\rt{Orchard} \in \GroupPx$ would require a square root and is unnecessary. $\rt{Orchard} \in \GroupP_{\!x}$ would require a square root and is unnecessary.
\item Witness $\DiversifiedTransmitBaseNew$ and $\DiversifiedTransmitPublicNew$ in \item Witness $\DiversifiedTransmitBaseNew$ and $\DiversifiedTransmitPublicNew$ in
the \Orchard \actionCircuit as $\GroupPstar$, i.e.\ non-identity Pallas points, the \Orchard \actionCircuit as $\GroupPstar$, i.e.\ non-identity Pallas points,
rather than witnessing their representations as bit sequences. This reflects rather than witnessing their representations as bit sequences. This reflects
@ -14730,7 +14716,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\historyentry{2021.2.7}{2021-06-28} \historyentry{2021.2.7}{2021-06-28}
\begin{itemize} \begin{itemize}
\nufive{ \nufive{
\item Correct the type of $\Uncommitted{Orchard}$, which should be $\GroupPx$ rather than a \item Correct the type of $\Uncommitted{Orchard}$, which should be $\GroupP_{\!x}$ rather than a
bit sequence. bit sequence.
\item Explicitly say that padding in \crossref{concretesinsemillahash} is by appending zero bits. \item Explicitly say that padding in \crossref{concretesinsemillahash} is by appending zero bits.
\item Add a step to the algorithm for generating an \Orchard \note in \crossref{orchardsend}, \item Add a step to the algorithm for generating an \Orchard \note in \crossref{orchardsend},
@ -14770,7 +14756,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
least one output from a v5 or later \transaction, to take into account least one output from a v5 or later \transaction, to take into account
the \enableSpendsOrchard{} and \enableOutputsOrchard{} flags. the \enableSpendsOrchard{} and \enableOutputsOrchard{} flags.
\item Correct the type of $\ExtractPbot$ imported in \crossref{concretesinsemillahash}\, \item Correct the type of $\ExtractPbot$ imported in \crossref{concretesinsemillahash}\,
(from $\GroupP \rightarrow \GroupPx$ to \mbox{$\maybe{\GroupP} \rightarrow \maybe{\GroupPx}$}). (from $\GroupP \rightarrow \GroupP_{\!x}$ to \mbox{$\maybe{\GroupP} \rightarrow \maybe{\GroupP_{\!x}}$}).
\item Add \cite{ZIP-209} to the list of ZIPs updated for \NUFive. \item Add \cite{ZIP-209} to the list of ZIPs updated for \NUFive.
} % nufive } % nufive
\item No changes before \NUFive. \item No changes before \NUFive.