From 6215dce5773451cde0cb04fe7e92e6cca06bb91c Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Mon, 15 Mar 2021 16:14:57 +0000 Subject: [PATCH] More WIP Signed-off-by: Daira Hopwood --- protocol/protocol.tex | 554 ++++++++++++++++++++++++++---------------- 1 file changed, 349 insertions(+), 205 deletions(-) diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 759f8fc7..fb653596 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -218,6 +218,7 @@ \makeatletter \renewcommand*{\@fnsymbol}[1]{\ensuremath{\ifcase#1\or \dagger\or \ddagger\or \mathsection\or \mathparagraph\else\@ctrerr\fi}} \makeatother +\newcommand{\footnotestar}{\raisebox{0.25ex}{\kern0.04em *}} \newcommand{\cedilla}[1]{#1\!\!ΒΈ\kern0.088em} @@ -668,7 +669,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\termx}[1]{\termandindex{\MakeUppercase #1}{#1}} \newcommand{\termxs}[1]{\termandindex{\MakeUppercase #1s}{#1}} \newcommand{\termxes}[1]{\termandindex{\MakeUppercase #1es}{#1}} -\newcommand{\termbfnoindex}[1]{\textbf{#1}} +\newcommand{\termbfnoindex}[1]{\textbf{#1}\xspace} \newcommand{\termbf}[1]{\termandindexx{\textbf{#1}}{#1}} \newcommand{\termsf}[1]{\termandindexx{$\mathsf{#1}$}{#1}} \newcommand{\conformance}[1]{\termandindexx{\textbf{#1}}{#1}} 
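Review bot: `\termbfnoindex` now ends in `\xspace`, as do `\SproutOrZcash`, `\SproutOrNothing`, `\pSproutOrNothing`, `\SaplingOrOrchard` and `\SaplingAndOrchard` in the next two hunks, which requires the `xspace` package to be loaded somewhere in the preamble not shown here; worth confirming, since the callers later in this patch now rely on it by dropping their trailing `{}`. For `\SproutOrNothing` and `\pSproutOrNothing` the body is a `\notsprout{…}` conditional, and if that expands to nothing in the Sprout build (as its name suggests) the `\xspace` still fires after the empty expansion, so the Sprout variant can pick up a stray space where the non-Sprout one does not. Moving the `\xspace` inside the branch, e.g. `\newcommand{\SproutOrNothing}{\notsprout{\Sprout\xspace}}`, keeps the two variants identical in both cases.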
@@ -682,10 +683,10 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\ZerocashText}{\textbf{Zerocash}}
 \newcommand{\Sprout}{\termbf{Sprout}}
 \newcommand{\SproutText}{\textbf{Sprout}}
-\newcommand{\SproutOrZcash}{\notsprout{\Sprout}\sprout{\Zcash}}
-\newcommand{\SproutOrNothing}{\notsprout{\Sprout}}
+\newcommand{\SproutOrZcash}{\notsprout{\Sprout}\sprout{\Zcash}\xspace}
+\newcommand{\SproutOrNothing}{\notsprout{\Sprout}\xspace}
 \newcommand{\SproutOrNothingText}{\notsprout{\SproutText}}
-\newcommand{\pSproutOrNothing}{\notsprout{ (\Sprout)}}
+\newcommand{\pSproutOrNothing}{\notsprout{ (\Sprout)}\xspace}
 \newcommand{\pSproutOrNothingText}{\notsprout{ (\SproutText)}}
 \newcommand{\Overwinter}{\termbf{Overwinter}}
 \newcommand{\OverwinterText}{\textbf{Overwinter}}
@@ -699,8 +700,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\CanopyText}{\textbf{Canopy}}
 \newcommand{\Orchard}{\termbf{Orchard}}
 \newcommand{\OrchardText}{\textbf{Orchard}}
-\newcommand{\SaplingOrOrchard}{\Sapling\orchard{ or \Orchard}}
-\newcommand{\SaplingAndOrchard}{\Sapling\orchard{ and \Orchard}}
+\newcommand{\SaplingOrOrchard}{\Sapling\orchard{ or \Orchard}\xspace}
+\newcommand{\SaplingAndOrchard}{\Sapling\orchard{ and \Orchard}\xspace}
 \newcommand{\SaplingAndOrchardText}{\SaplingText\notbeforeorchard{ and \OrchardText}}
 \newcommand{\Bitcoin}{\termbf{Bitcoin}}
 \newcommand{\BitcoinText}{\textbf{Bitcoin}}
@@ -1182,7 +1183,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\mantissa}{\mathsf{mantissa}}
 \newcommand{\ToCompact}{\mathsf{ToCompact}}
 \newcommand{\ToTarget}{\mathsf{ToTarget}}
-\newcommand{\ToScalar}[1]{\mathsf{ToScalar^{#1}}}
+\newcommand{\ToScalar}[1]{\mathsf{ToScalar^{#1\!}}}
 \newcommand{\hexint}[1]{\mathtt{0x{#1}}}
 \newcommand{\dontcare}{\kern -0.06em\raisebox{0.1ex}{\footnotesize{$\times$}}}
 \newcommand{\ascii}[1]{\textbf{``\texttt{#1}''}}
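Review bot: The `\!` kern inserted inside the superscript of `\ToScalar` is the same hand edit repeated across roughly twenty macros in the following hunks (`\DiversifyHash`, `\Uncommitted`, `\NoteCommitment`, `\NoteCommitAlg`, `\ValueCommitAlg`, `\KA`, `\KDF`, `\NoteType`, `\SpendAuthSig`, `\BindingSig`, `\MerkleDepth`, `\MerkleCRH`, `\rt`, …), which is a maintenance point rather than a correctness one. A single helper for the `\mathsf` family, e.g. `\newcommand{\supsf}[2]{\mathsf{#1^{#2\!}}}` used as `\newcommand{\ToScalar}[1]{\supsf{ToScalar}{#1}}`, would let the kern be tuned in one place and keep the next variant-superscript macro consistent. The `\mathcal` bases (`\AuthSignBase`, `\ValueCommitValueBase`, `\ValueCommitRandBase`) would want a parallel helper or can stay as they are.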
@@ -1290,7 +1291,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\CRHivkText}{\texorpdfstring{$\CRHivk$}{CRHivk}} \newcommand{\CRHivkOutput}{\CRHivk\mathsf{.Output}} \newcommand{\CRHivkBox}[1]{\CRHivk\!\left(\Justthebox{#1}\right)} -\newcommand{\DiversifyHash}[1]{\mathsf{DiversifyHash^{#1}}} +\newcommand{\DiversifyHash}[1]{\mathsf{DiversifyHash^{#1\!}}} \newcommand{\DiversifyHashText}[1]{\texorpdfstring{$\DiversifyHash{#1}$}{DiversifyHash\^{#1}}} \newcommand{\DefaultDiversifier}{\mathsf{DefaultDiversifier}} \newcommand{\CheckDiversifier}{\mathsf{CheckDiversifier}} @@ -1371,7 +1372,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\SpendingKeyLength}{\mathsf{\ell_{\SpendingKey}}} \newcommand{\SpendingKeyType}{\bitseq{\SpendingKeyLength}} \newcommand{\AuthSignPrivate}{\mathsf{ask}} -\newcommand{\AuthSignBase}[1]{\mathcal{G}^{#1}} +\newcommand{\AuthSignBase}[1]{\mathcal{G}^{#1\!}} \newcommand{\AuthSignPublic}{\mathsf{ak}} \newcommand{\AuthSignPublicX}{\mathsf{ak}_x} \newcommand{\AuthSignPublicRepr}{{\AuthSignPublic\Repr}} @@ -1435,8 +1436,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg % Commitments -\newcommand{\Uncommitted}[1]{\mathsf{Uncommitted^{#1}}} -\newcommand{\NoteCommitment}[1]{\mathsf{NoteCommitment^{#1}}} +\newcommand{\Uncommitted}[1]{\mathsf{Uncommitted^{#1\!}}} +\newcommand{\NoteCommitment}[1]{\mathsf{NoteCommitment^{#1\!}}} \newcommand{\CommitAlg}{\mathsf{COMM}} \newcommand{\Commit}[1]{\CommitAlg_{#1}} 
@@ -1444,21 +1445,21 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\CommitGenTrapdoor}{\CommitAlg\mathsf{.GenTrapdoor}}
 \newcommand{\CommitInput}{\CommitAlg\mathsf{.Input}}
 \newcommand{\CommitOutput}{\CommitAlg\mathsf{.Output}}
-\newcommand{\NoteCommitAlg}[1]{\mathsf{NoteCommit^{#1}}}
+\newcommand{\NoteCommitAlg}[1]{\mathsf{NoteCommit^{#1\!}}}
 \newcommand{\NoteCommit}[2]{\NoteCommitAlg{#1}_{\vphantom{l}#2}}
 \newcommand{\NoteCommitTrapdoor}[1]{\NoteCommitAlg{#1}\mathsf{.Trapdoor}}
 \newcommand{\NoteCommitTrapdoorBytes}{\byteseq{32}}
 \newcommand{\NoteCommitGenTrapdoor}[1]{\NoteCommitAlg{#1}\mathsf{.GenTrapdoor}}
 \newcommand{\NoteCommitInput}[1]{\NoteCommitAlg{#1}\mathsf{.Input}}
 \newcommand{\NoteCommitOutput}[1]{\NoteCommitAlg{#1}\mathsf{.Output}}
-\newcommand{\ValueCommitAlg}[1]{\mathsf{ValueCommit^{#1}}}
+\newcommand{\ValueCommitAlg}[1]{\mathsf{ValueCommit^{#1\!}}}
 \newcommand{\ValueCommit}[2]{\ValueCommitAlg{#1}_{#2}}
 \newcommand{\ValueCommitTrapdoor}[1]{\ValueCommitAlg{#1}\mathsf{.Trapdoor}}
 \newcommand{\ValueCommitGenTrapdoor}[1]{\ValueCommitAlg{#1}\mathsf{.GenTrapdoor}}
 \newcommand{\ValueCommitInput}[1]{\ValueCommitAlg{#1}\mathsf{.Input}}
 \newcommand{\ValueCommitOutput}[1]{\ValueCommitAlg{#1}\mathsf{.Output}}
-\newcommand{\ValueCommitValueBase}[1]{\mathcal{V}^{#1}}
-\newcommand{\ValueCommitRandBase}[1]{\mathcal{R}^{#1}}
+\newcommand{\ValueCommitValueBase}[1]{\mathcal{V}^{#1\!}}
+\newcommand{\ValueCommitRandBase}[1]{\mathcal{R}^{#1\!}}
 \newcommand{\CommitIvkAlg}{\mathsf{Commit}^{\InViewingKey}}
 \newcommand{\CommitIvk}[1]{\CommitIvkAlg_{#1}}
 \newcommand{\CommitIvkTrapdoor}{\CommitIvkAlg\mathsf{.Trapdoor}}
@@ -1491,7 +1492,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg % Key agreement -\newcommand{\KA}[1]{\mathsf{KA^{#1}}} +\newcommand{\KA}[1]{\mathsf{KA^{#1\!}}} \newcommand{\KAPublic}[1]{\KA{#1}\mathsf{.Public}} \newcommand{\KAPublicPrimeSubgroup}[1]{\KA{#1}\mathsf{.PublicPrimeSubgroup}} \newcommand{\KAPrivate}[1]{\KA{#1}\mathsf{.Private}} @@ -1508,7 +1509,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg % KDF -\newcommand{\KDF}[1]{\mathsf{KDF^{#1}}} +\newcommand{\KDF}[1]{\mathsf{KDF^{#1\!}}} \newcommand{\kdftag}{\mathsf{kdftag}} \newcommand{\kdfinput}{\mathsf{kdfinput}} @@ -1521,7 +1522,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\ValueLength}{\ell_{\mathsf{value}}} \newcommand{\ValueType}{\binaryrange{\ValueLength}} \newcommand{\SignedValueType}{\range{-2^{63}}{2^{63}-1}} -\newcommand{\ValueCommitType}{\bigrange{-\SignedScalarLimitJ}{\SignedScalarLimitJ}} +\newcommand{\ValueCommitTypeSapling}{\bigrange{-\SignedScalarLimitJ}{\SignedScalarLimitJ}} +\newcommand{\ValueCommitTypeOrchard}{\bigrange{-\SignedScalarLimitP}{\SignedScalarLimitP}} \newcommand{\ValueCommitRand}{\mathsf{rcv}} \newcommand{\ValueCommitRandRepr}{{\ValueCommitRand\Repr}} \newcommand{\ValueCommitRandLength}{\mathsf{\ell_{\ValueCommitRand}}} @@ -1529,7 +1531,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\ValueCommitRandNew}[1]{\ValueCommitRand^\mathsf{new}_{#1}} \newcommand{\ValueCommitRandNet}[1]{\ValueCommitRand^\mathsf{net}_{#1}} \newcommand{\NoteTuple}[1]{\mathbf{n}_{#1}} -\newcommand{\NoteType}[1]{\mathsf{Note^{#1}}} +\newcommand{\NoteType}[1]{\mathsf{Note^{#1\!}}} \newcommand{\NotePlaintext}[1]{\mathbf{np}_{#1}} \newcommand{\OutPlaintext}{\mathbf{op}} \newcommand{\NoteSeedBytes}{\mathsf{rseed}} 
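Review bot: In the hunk at 1521, `\ValueCommitType` is removed outright rather than kept as an alias; it was a zero-argument macro that callers nevertheless wrote as `\ValueCommitType{Sapling}` (the call sites rewritten later in this patch show this), so any use the commit misses now fails with an undefined control sequence where it previously typeset a stray `Sapling`. A dispatching alias, `\newcommand{\ValueCommitType}[1]{\csname ValueCommitType#1\endcsname}`, would route old call sites to the new per-variant macros until they are all converted. `\SignedScalarLimitP`, used by the new `\ValueCommitTypeOrchard`, is not defined in any hunk shown; confirm it exists next to `\SignedScalarLimitJ`.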
@@ -1742,7 +1744,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\JoinSplitSigSign}[1]{\JoinSplitSig\mathsf{.Sign}_{#1}} \newcommand{\JoinSplitSigValidate}[1]{\JoinSplitSig\mathsf{.Validate}_{#1}} -\newcommand{\SpendAuthSig}[1]{\mathsf{SpendAuthSig^{#1}}} +\newcommand{\SpendAuthSig}[1]{\mathsf{SpendAuthSig^{#1\!}}} \newcommand{\SpendAuthSigPublic}[1]{\SpendAuthSig{#1}\mathsf{.Public}} \newcommand{\SpendAuthSigPrivate}[1]{\SpendAuthSig{#1}\mathsf{.Private}} \newcommand{\SpendAuthSigMessage}[1]{\SpendAuthSig{#1}\mathsf{.Message}} @@ -1758,7 +1760,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\SpendAuthSigRandomizerId}[1]{\SpendAuthSig{#1}\mathsf{.Id}} \newcommand{\SpendAuthSigRandomizer}{\alpha} -\newcommand{\BindingSig}[1]{\mathsf{BindingSig^{#1}}} +\newcommand{\BindingSig}[1]{\mathsf{BindingSig^{#1\!}}} \newcommand{\BindingSigPublic}[1]{\BindingSig{#1}\mathsf{.Public}} \newcommand{\BindingSigPrivate}[1]{\BindingSig{#1}\mathsf{.Private}} \newcommand{\BindingSigMessage}[1]{\BindingSig{#1}\mathsf{.Message}} @@ -1786,11 +1788,11 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg % Merkle tree -\newcommand{\MerkleDepth}[1]{\mathsf{MerkleDepth^{#1}}} +\newcommand{\MerkleDepth}[1]{\mathsf{MerkleDepth^{#1\!}}} \newcommand{\MerkleNode}[2]{\mathsf{M}^{#1}_{#2}} \newcommand{\MerkleSibling}{\mathsf{sibling}} -\newcommand{\MerkleCRH}[1]{\mathsf{MerkleCRH^{#1}}} -\newcommand{\MerkleHashLength}[1]{\mathsf{\ell^{#1}_{Merkle}}} +\newcommand{\MerkleCRH}[1]{\mathsf{MerkleCRH^{#1\!}}} +\newcommand{\MerkleHashLength}[1]{\mathsf{\ell^{#1\!}_{Merkle}}} \newcommand{\MerkleHash}[1]{\bitseq{\MerkleHashLength{#1}}} \newcommand{\MerkleLayer}[1]{\range{0}{\MerkleDepth{#1}-1}} 
@@ -1799,6 +1801,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\headerField}{\mathtt{header}} \newcommand{\fOverwintered}{\mathtt{fOverwintered}} \newcommand{\versionField}{\mathtt{version}} +\newcommand{\effectiveVersion}{\mathsf{effectiveVersion}} \newcommand{\nVersionGroupId}{\mathtt{nVersionGroupId}} \newcommand{\txInCount}{\mathtt{tx\_in\_count}} \newcommand{\txIn}{\mathtt{tx\_in}} @@ -1817,7 +1820,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\vJoinSplit}{\mathtt{vJoinSplit}} \newcommand{\vpubOldField}{\mathtt{vpub\_old}} \newcommand{\vpubNewField}{\mathtt{vpub\_new}} -\newcommand{\anchorField}{\mathtt{anchor}} +\newcommand{\anchorField}[1]{\mathtt{anchor#1}} \newcommand{\joinSplitSig}{\mathtt{joinSplitSig}} \newcommand{\joinSplitPrivKey}{\mathtt{joinSplitPrivKey}} \newcommand{\joinSplitPubKey}{\mathtt{joinSplitPubKey}} @@ -1838,7 +1841,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\Varies}{\textit{\!Varies}} \newcommand{\heading}[1]{\multicolumn{1}{c|}{#1}} \newcommand{\type}[1]{\texttt{#1}} -\newcommand{\compactSize}{\type{compactSize uint}} +\newcommand{\overwintertype}[1]{\textcolor{\overwintercolor}{\type{#1}}} +\newcommand{\saplingtype}[1]{\textcolor{\saplingcolor}{\type{#1}}} +\newcommand{\orchardtype}[1]{\textcolor{\orchardcolor}{\type{#1}}} % Tx hashing and scripts @@ -1943,7 +1948,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\vNew}[1]{\mathsf{v}_{#1}^\mathsf{new}} \newcommand{\vNet}[1]{\mathsf{v}_{#1}^\mathsf{net}} \newcommand{\RandomSeed}{\mathsf{randomSeed}} -\newcommand{\rt}{\mathsf{rt}} +\newcommand{\rt}[1]{\mathsf{rt^{#1\!}}} \newcommand{\TreePath}[1]{\mathsf{path}_{#1}} \newcommand{\Receive}{\mathsf{Receive}} \newcommand{\EnforceMerklePath}[1]{\mathsf{enforceMerklePath}_{~\!\!#1}} 
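Review bot: `\anchorField` (hunk at 1817) and `\rt` (hunk at 1943) change from zero to one argument, and a use that is not updated does not fail but silently takes the next token as its argument — `\rt,` or `\rt)` inside math becomes `\mathsf{rt^{,\!}}` — so every remaining `\anchorField` and `\rt` in the file needs a grep rather than a compile to find. `\rt{}` with an empty argument, which this patch itself uses in the Merkle path paragraph, typesets an empty superscript carrying only the negative kern; consider `\newcommand{\rt}[1]{\mathsf{rt}\if\relax\detokenize{#1}\relax\else{}^{\mathsf{#1}\!}\fi}` so the bare form stays clean. In the hunk at 1838 `\compactSize` is deleted with no replacement visible here, so existing `\compactSize` uses need the same check, and the new `\overwintertype`/`\saplingtype`/`\orchardtype` macros assume `\textcolor` and the three `\…color` names are defined elsewhere in the preamble.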
@@ -2449,7 +2454,7 @@ To each \note there is cryptographically associated a \noteCommitment. Once the \transaction creating a \note has been mined, the \note is associated with a fixed \notePosition in a tree of \noteCommitments, and with a \nullifier\footnoteref{notesandnullifiers} unique to that \note. Computing the \nullifier requires the associated private -\spendingKey\sapling{ (or the \nullifierDerivingKey for \SaplingOrOrchard{} \notes)}. +\spendingKey\sapling{ (or the \nullifierDerivingKey for \SaplingOrOrchard \notes)}. It is infeasible to correlate the \noteCommitment or \notePosition with the corresponding \nullifier without knowledge of at least this \sprout{\spendingKey}\notsprout{key}. An unspent valid \note, at a given point @@ -2859,14 +2864,14 @@ Two methods of doing so are defined: \orchardonward{ An \Orchard \spendingKey $\SpendingKey$ is used to derive a \authSigningKey $\AuthSignPrivate$, -and a \fullViewingKey $(\AuthProvePrivate, \NullifierKey, \CommitIvkRand)$. From the \fullViewingKey +and a \fullViewingKey $(\AuthSignPublic, \NullifierKey, \CommitIvkRand)$. From the \fullViewingKey we can also derive an \incomingViewingKey $\InViewingKey$, an \outgoingViewingKey $\OutViewingKey$, and a set of \diversifiedPaymentAddresses $\DiversifiedPaymentAddress = (\Diversifier, \DiversifiedTransmitPublic)$, as described in \crossref{orchardkeycomponents}. } %orchardonward \vspace{-2ex} -\nnote{In \zcashd, all \SaplingAndOrchard{} keys and addresses are derived according to \cite{ZIP-32}.} +\nnote{In \zcashd, all \SaplingAndOrchard keys and addresses are derived according to \cite{ZIP-32}.} } %saplingonward \vspace{2ex} 
@@ -3364,7 +3369,9 @@ for the whole \transaction to balance. \item The \spendTransfers and \outputTransfers of the \transaction{} \MUST balance as specified in \crossref{saplingbalance}. \item The \anchor of each \spendDescription{} \MUST refer to some earlier \block's final - \Sapling{} \treestate. + \Sapling{} \treestate. \orchard{The \anchor is encoded separately in each \spendDescription + for v4 \transactions, or encoded once and shared between all \spendDescriptions + in a v5 \transaction.} \end{consensusrules} } %sapling @@ -3408,8 +3415,9 @@ the same \transaction. \begin{consensusrules} \item The \actionTransfers of the \transaction{} \MUST balance as specified in \crossref{orchardbalance}. - \item The \anchor of each \actionDescription{} \MUST refer to some earlier \block's - final \Orchard{} \treestate. + \item The \anchor{} \MUST refer to some earlier \block's final \Orchard{} \treestate. + The \Orchard anchor is encoded once in the \transaction and shared between all + \actionDescriptions. \end{consensusrules} } %orchard @@ -3456,7 +3464,7 @@ double-spends. \consensusrule{ A \nullifier{} \MUSTNOT repeat either within a \transaction, or across \transactions -in a \validBlockChain. \sapling{\Sprout and \SaplingAndOrchard{} \nullifiers are +in a \validBlockChain. \sapling{\Sprout and \SaplingAndOrchard \nullifiers are considered disjoint, even if they have the same bit pattern.} } 
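Review bot: The sentence added to the Sapling anchor item, and the second sentence added to the Orchard item in the next hunk, are encoding remarks placed inside a `consensusrules` list, so a reader cannot tell which part is normative; for a v5 transaction the Sapling item still says "the anchor of each spend description" although, by the added text, the description no longer carries one. Stating the rule in terms of the shared field would be clearer, e.g. `\item For a v5 \transaction, the single encoded \Sapling{} \anchor is the \anchor of every \spendDescription, and it \MUST refer to some earlier \block's final \Sapling{} \treestate.`, with the v4/v5 encoding detail moved to a `\nnote` after the list. The Orchard item would then read as a single normative sentence in the same shape.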
@@ -3581,19 +3589,14 @@ to derive the unique $\NoteUniqueRand$ value for a \Sapling{} \note. It is also in the \spendStatement to confirm use of the correct $\NoteUniqueRand$ value as an input to \nullifier derivation. It is instantiated in \crossref{concretemixinghash}. -$\DiversifyHash{Sapling} \typecolon \DiversifierType \rightarrow \SubgroupJstar$ is a \hashFunction -instantiated in \crossref{concretediversifyhash}, and satisfying the Unlinkability -security property described in that section. It is used to derive a \diversifiedBase -from a \diversifier in \crossref{saplingkeycomponents}. +$\DiversifyHash{Sapling} \typecolon \DiversifierType \rightarrow \SubgroupJstar$\orchard{ and +$\DiversifyHash{Orchard} \typecolon \DiversifierType \rightarrow \GroupPstar$}\notorchard{ is a +\hashFunction}\orchard{ are \hashFunctions} instantiated in \crossref{concretediversifyhash}, +and satisfying the Unlinkability security property described in that section. \notorchard{It is}\orchard{They are} +used to derive a \diversifiedBase from a \diversifier, which is specified in +\crossref{saplingkeycomponents}\orchard{ and in \crossref{orchardkeycomponents}}. } %sapling -\orchard{ -$\DiversifyHash{Orchard} \typecolon \DiversifierType \rightarrow \GroupPstar$ is a \hashFunction -instantiated in \crossref{concretediversifyhash}, and satisfying the Unlinkability -security property described in that section. It is used to derive a \diversifiedBase -from a \diversifier in \crossref{orchardkeycomponents}. -} - \introsection \lsubsubsection{Pseudo Random Functions}{abstractprfs} 
@@ -3635,6 +3638,14 @@ $\PRFock{} $&$\typecolon\; \OutViewingKeyType $&$\times\; \ReprJBytes \tim $\PRFnfSapling{} $&$\typecolon\; \SubgroupReprJ $&$\times\; \ReprJ $& &$\rightarrow \PRFOutputNfSapling $ \end{tabular} +\orchard{ +For \Orchard, we need $\PRFexpand{}$ and $\PRFock{}$, and also: + +\begin{tabular}{@{\hskip 2em}l@{\;}l@{\;}l@{\;}l@{\,}l} +$\PRFnfOrchard{} $&$\typecolon\; \GF{\ParamP{q}} $&$\times\; \GF{\ParamP{q}} $& &$\rightarrow \PRFOutputNfOrchard $ +\end{tabular} +} %orchard + $\PRFexpand{}$ is used in the following places: \begin{itemize} \item \crossref{saplingkeycomponents}, with inputs $[0]$, $[1]$, $[2]$, and $[3, i \typecolon \byte]$; 
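Review bot: The new Orchard paragraph says `\PRFock{}` is reused, but the only signature given for it is the Sapling row at the top of this hunk, whose inputs are `\ReprJBytes` (Jubjub encodings); the Orchard values that would feed it are Pallas points — the action-description hunk later in this patch states that `\cv` and `\EphemeralPublic` have type `\GroupPstar` — so that signature does not describe the Orchard use. Either add a `\PRFock` row to the Orchard table with the Pallas encoding type, or state explicitly that the Sapling signature is parameterised by the curve. The `\PRFnfOrchard` row typing both inputs as `\GF{\ParamP{q}}` looks consistent with a base-field nullifier key and input, assuming that is what the action statement supplies; worth cross-checking against that section when it is written.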
@@ -3649,15 +3660,19 @@ $\PRFock{}$ is used in \crossref{saplinginband}. $\PRFnfSapling{}$ is used in \crossref{spendstatement}. } %sapling +\orchard{ +$\PRFnfOrchard{}$ is used in \crossref{actionstatement}. +} %orchard + \sprout{They}\notsprout{All of these \pseudoRandomFunctions} are instantiated in \crossref{concreteprfs}. \begin{securityrequirements} \item Security definitions for \defining{\pseudoRandomFunctions} are given in \cite[section 4]{BDJR2000}. \item In addition to being \pseudoRandomFunctions, it is required that - $\PRFnf{x}$,\changed{ $\PRFaddr{x}$,\sprout{ and} $\PRFrho{x}$}\sapling{, and $\PRFnfSapling{x}$} - be \collisionResistant across all $x$ --- i.e.\ finding $(x, y) \neq (x', y')$ - such that $\PRFnf{x}(y) = \PRFnf{x'}(y')$ should not be feasible\changed{, and - similarly for $\PRFaddr{}$ and $\PRFrho{}$\sapling{ and $\PRFnfSapling{}$}}. + $\PRFnf{x}$,\changed{ $\PRFaddr{x}$,\sprout{ and} $\PRFrho{x}$}\sapling{,\notorchard{ and} + $\PRFnfSapling{x}$}\orchard{ and $\PRFnfOrchard{x}$} be \collisionResistant across all $x$ --- + i.e.\ finding $(x, y) \neq (x', y')$ such that $\PRFnf{x}(y) = \PRFnf{x'}(y')$ should not be feasible\changed{, and + similarly for $\PRFaddr{}$ and $\PRFrho{}$\sapling{ and $\PRFnfSapling{}$}\orchard{ and $\PRFnfOrchard{}$}}. \end{securityrequirements} \vspace{-2ex} @@ -3801,7 +3816,7 @@ with $\KA{Sapling}$ and derives keys for $\SymEncrypt{}$. and \keyPrivate. \item \sapling{ The asymmetric encryption scheme in \crossref{saplingandorchardinband}, constructed - from $\KA{Sapling}$, $\KDF{Sapling}$ and $\Sym$\orchard{or from $\KA{Orchard}$, + from $\KA{Sapling}$, $\KDF{Sapling}$ and $\Sym$\orchard{ or from $\KA{Orchard}$, $\KDF{Orchard}$ and $\Sym$}, is required to be IND-CCA2-secure and \keyPrivate. } %sapling \end{securityrequirements} 
@@ -3845,9 +3860,10 @@ $\SigValidate{\vk}(m, s) = 1$. \crossref{concretespendauthsig}) which is used to sign authorizations of \spendTransfers;} \saplingonwarditem{one called $\BindingSig{}$ (instantiated in - \crossref{concretebindingsig}), which is used to enforce balance of - \spendTransfers and \outputTransfers, and to prevent their replay across - \transactions.} + \crossref{concretebindingsig}). A \saplingBindingSignature is used to + enforce balance of \spendTransfers and \outputTransfers, and to prevent their + replay across \transactions. \orchard{Similarly, an \orchardBindingSignature + is used to enforce balance of \actionTransfers and to prevent their replay.}} \end{itemize} The signature scheme used in script operations is instantiated by \ECDSA on the \secpCurve. @@ -3880,9 +3896,9 @@ pair without access to the \signingKey. \item We need separate \signingKey generation and \validatingKey derivation algorithms, rather than the more conventional combined key pair generation algorithm $\SigGen \typecolon () \rightarrowR \SigPrivate \times \SigPublic$, to support - the key derivation in \crossref{saplingkeycomponents}. This also simplifies some - aspects of the definitions of \signatureSchemes with additional features in - \crossref{abstractsigrerand} and \crossref{abstractsigmono}. + the key derivation in \crossref{saplingkeycomponents}\orchard{ and in + \crossref{orchardkeycomponents}}. The definitions of schemes with additional features + in \crossref{abstractsigrerand} and in \crossref{abstractsigmono} also become simpler. } %notsprout \item A fresh signature key pair is generated for each \transaction containing a \joinSplitDescription{}. 
@@ -4150,7 +4166,7 @@ Define: \begin{tabular}{@{\hskip 1.5em}r@{\;}l@{\;}l} $\NoteCommitAlg{Sapling} $&$\typecolon\; \NoteCommitTrapdoor{Sapling} \times \ReprJ \times \ReprJ \times \ValueType $&$\rightarrow \NoteCommitOutput{Sapling}$ \\ - $\ValueCommitAlg{Sapling} $&$\typecolon\; \ValueCommitTrapdoor{Sapling} \times \ValueCommitType{Sapling} $&$\rightarrow \ValueCommitOutput{Sapling}$ + $\ValueCommitAlg{Sapling} $&$\typecolon\; \ValueCommitTrapdoor{Sapling} \times \ValueCommitTypeSapling $&$\rightarrow \ValueCommitOutput{Sapling}$ \end{tabular} $\NoteCommitAlg{Sapling}$ is instantiated in \crossref{concretesaplingnotecommit}, and @@ -4182,9 +4198,9 @@ Define: \Orchard uses three additional commitment schemes: \begin{tabular}{@{\hskip 1.5em}r@{\;}l@{\;}l} - $\NoteCommitAlg{Orchard} $&$\typecolon\; \NoteCommitTrapdoor{Orchard} \times \ReprJ \times \ReprJ \times \ValueType + $\NoteCommitAlg{Orchard} $&$\typecolon\; \NoteCommitTrapdoor{Orchard} \times \ReprPstar \times \ReprPstar \times \ValueType $&$\rightarrow \NoteCommitOutput{Orchard}$ \\ - $\ValueCommitAlg{Orchard} $&$\typecolon\; \ValueCommitTrapdoor{Orchard} \times \ValueCommitType{Orchard} $&$\rightarrow \ValueCommitOutput{Orchard}$ \\ + $\ValueCommitAlg{Orchard} $&$\typecolon\; \ValueCommitTrapdoor{Orchard} \times \ValueCommitTypeOrchard $&$\rightarrow \ValueCommitOutput{Orchard}$ \\ $\CommitIvkAlg $&$\typecolon\; \CommitIvkTrapdoor \times \GF{\ParamP{r}} \times \GF{\ParamP{r}} $&$\rightarrow \CommitIvkOutput$ \end{tabular} @@ -4673,7 +4689,7 @@ Let $\JoinSplit$ be as defined in \crossref{abstractzk}. \vspace{1ex} \introlist -A \joinSplitDescription consists of $(\vpubOld, \vpubNew, \rt, \nfOld{\allOld}, +A \joinSplitDescription consists of $(\vpubOld, \vpubNew, \rt{Sprout}, \nfOld{\allOld}, \cmNew{\allNew}, \EphemeralPublic, \RandomSeed, \h{\allOld}, \ProofJoinSplit, \TransmitCiphertext{\allNew})$ \\ where 
@@ -4682,7 +4698,7 @@ where the value that the \joinSplitTransfer removes from the \transparentTxValuePool}; \item $\vpubNew \typecolon \range{0}{\MAXMONEY}$ is the value that the \joinSplitTransfer inserts into the \transparentTxValuePool; - \item $\rt \typecolon \MerkleHash{Sprout}$ is an \anchor, as defined in + \item $\rt{Sprout} \typecolon \MerkleHash{Sprout}$ is an \anchor, as defined in \crossref{blockchain}, for the output \treestate of either a previous \block, or a previous \joinSplitTransfer in this \transaction. @@ -4701,7 +4717,7 @@ where a sequence of tags that bind $\hSig$ to each $\AuthPrivate$ of the input \notes; \item $\ProofJoinSplit \typecolon \JoinSplitProof$ is a \zkProof with - \primaryInput $(\rt, \nfOld{\allOld}, \cmNew{\allNew},\changed{ \vpubOld,\,} + \primaryInput $(\rt{Sprout}, \nfOld{\allOld}, \cmNew{\allNew},\changed{ \vpubOld,\,} \vpubNew, \hSig, \h{\allOld})$ for the \joinSplitStatement defined in \crossref{joinsplitstatement}\sapling{ (this is a \BCTV proof before \Sapling activation, and a \Groth proof after \Sapling @@ -4723,7 +4739,7 @@ $\joinSplitPubKey$ of the containing \transaction: \item Elements of a \joinSplitDescription{} \MUST have the types given above (for example: $0 \leq \vpubOld \leq \MAXMONEY$ and $0 \leq \vpubNew \leq \MAXMONEY$). \item The proof $\Proof{\JoinSplit}$ \MUST be valid given a \primaryInput formed - from the relevant other fields and $\hSig$ --- i.e.\ $\JoinSplitVerify{}((\rt, \nfOld{\allOld}, + from the relevant other fields and $\hSig$ --- i.e.\ $\JoinSplitVerify{}((\rt{Sprout}, \nfOld{\allOld}, \cmNew{\allNew},\changed{\vpubOld,} \vpubNew, \hSig, \h{\allOld}), \Proof{\JoinSplit}) = 1$. \item Either $\vpubOld$ or $\vpubNew$ \MUST be zero. \canopyonwarditem{$\vpubOld$ \MUST be zero.} 
@@ -4750,18 +4766,18 @@ Let $\Spend$ be as defined in \crossref{abstractzk}. \vspace{1ex} \introlist -A \spendDescription consists of $(\cv, \rt, \nf, \AuthSignRandomizedPublic, \ProofSpend, \spendAuthSig)$ +A \spendDescription consists of $(\cv, \rt{Sapling}, \nf, \AuthSignRandomizedPublic, \ProofSpend, \spendAuthSig)$ where \vspace{1ex} \begin{itemize} \item $\cv \typecolon \ValueCommitOutput{Sapling}$ is the \valueCommitment to the value of the input \note; - \item $\rt \typecolon \MerkleHash{Sapling}$ is an \anchor, as defined in + \item $\rt{Sapling} \typecolon \MerkleHash{Sapling}$ is an \anchor, as defined in \crossref{blockchain}, for the output \treestate of a previous \block; \item $\nf \typecolon \PRFOutputNfSapling$ is the \nullifier for the input \note; \item $\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic{Sapling}$ is a randomized \validatingKey that should be used to validate $\spendAuthSig$; \item $\ProofSpend \typecolon \SpendProof$ is a \zkSNARKProof with \primaryInput - $(\cv, \rt, \nf, \AuthSignRandomizedPublic)$ for the \spendStatement defined in + $(\cv, \rt{Sapling}, \nf, \AuthSignRandomizedPublic)$ for the \spendStatement defined in \crossref{spendstatement}; \item $\spendAuthSig \typecolon \SpendAuthSigSignature{Sapling}$ is as specified in \crossref{spendauthsig}. @@ -4773,7 +4789,7 @@ where \MUSTNOT be $\ZeroJ$ and $\scalarmult{\ParamJ{h}}{\AuthSignRandomizedPublic}$ \MUSTNOT be $\ZeroJ$. \item The proof $\Proof{\Spend}$ \MUST be valid given a \primaryInput formed from the other fields except $\spendAuthSig$ --- - i.e.\ $\SpendVerify{}((\cv, \rt, \nf, \AuthSignRandomizedPublic), \Proof{\Spend}) = 1$. + i.e.\ $\SpendVerify{}((\cv, \rt{Sapling}, \nf, \AuthSignRandomizedPublic), \Proof{\Spend}) = 1$. \item Let $\SigHash$ be the \sighashTxHash of this \transaction, not associated with an input, as defined in \crossref{sighash} using $\SIGHASHALL$. 
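Review bot: `\rt{Sapling}` is still listed as a component of the spend description and of its primary input, while the consensus-rules hunk earlier in this patch says that in a v5 transaction the anchor is encoded once and shared between all spend descriptions; the rule "formed from the other fields except `\spendAuthSig`" then refers to a field the v5 description does not carry. The item should say where the value comes from, e.g. `\item $\rt{Sapling} \typecolon \MerkleHash{Sapling}$ is an \anchor, as defined in \crossref{blockchain}, for the output \treestate of a previous \block (in a v5 \transaction this is the \transaction's single shared \Sapling{} \anchor rather than a per-description field);`. The action description in the next hunk has the same mismatch with the Orchard anchor rule, which says the Orchard anchor is encoded once per transaction.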
@@ -4864,14 +4880,14 @@ Let $\Action$ be as defined in \crossref{abstractzk}. \vspace{1ex} \introlist -An \actionDescription consists of $(\cvNet, \rt, \nf, \AuthSignRandomizedPublic, \spendAuthSig, +An \actionDescription consists of $(\cvNet, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \spendAuthSig, \cmX, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \ProofAction)$ where \vspace{1ex} \begin{itemize} \item $\cvNet \typecolon \ValueCommitOutput{Orchard}$ is the \valueCommitment to the value of the input \note minus the value of the output \note; - \item $\rt \typecolon \MerkleHash{Orchard}$ is an \anchor, as defined in + \item $\rt{Orchard} \typecolon \MerkleHash{Orchard}$ is an \anchor, as defined in \crossref{blockchain}, for the output \treestate of a previous \block; \item $\nf \typecolon \PRFOutputNfOrchard$ is the \nullifier for the input \note; \item $\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic{Orchard}$ is a randomized \validatingKey @@ -4889,7 +4905,7 @@ where a \fullViewingKey to recover the recipient \diversifiedTransmissionKey $\DiversifiedTransmitPublic$ and the \ephemeralPrivateKey $\EphemeralPrivate$ (and therefore the entire \notePlaintext); \item $\ProofAction \typecolon \ActionProof$ is a \zkSNARKProof with \primaryInput - $(\cv, \rt, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic)$ for the \actionStatement + $(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic)$ for the \actionStatement defined in \crossref{actionstatement}; \end{itemize} 
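Review bot: The action description is defined with the component `\cvNet`, but the primary input on the last changed line of this hunk is written `(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic)`, and the consensus rule and the `\nnote` in the following hunk also say `\cv`. The two names should agree; presumably `\cvNet` throughout, since the note describes the net value commitment `$\cvNet \typecolon \ValueCommitOutput{Orchard}$` two lines above. This predates the commit, but the lines are being touched here anyway.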
@@ -4902,8 +4918,8 @@ where using $\AuthSignRandomizedPublic$ as the \validatingKey --- i.e.\ $\SpendAuthSigValidate{\AuthSignRandomizedPublic}(\SigHash, \spendAuthSig) = 1$. \item The proof $\Proof{\Action}$ \MUST be valid given a \primaryInput formed - from $(\cv, \rt, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic)$ --- - i.e.\ $\ActionVerify{}((\cv, \rt, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic), \Proof{\Action}) = 1$. + from $(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic)$ --- + i.e.\ $\ActionVerify{}((\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic), \Proof{\Action}) = 1$. \end{consensusrules} \nnote{$\cv$, $\AuthSignRandomizedPublic$, and $\EphemeralPublic$ have type $\GroupPstar$, @@ -4981,7 +4997,7 @@ node or wallet implementation. \introlist \extralabel{saplingsend}{\lsubsubsection{Sending Notes (\SaplingAndOrchardText)}{saplingororchardsend}} -In order to send \SaplingOrOrchard{} \shielded value, the sender constructs a \transaction +In order to send \SaplingOrOrchard \shielded value, the sender constructs a \transaction containing one or more \outputDescriptions. Let $\ValueCommitAlg{Sapling}$, $\NoteCommitAlg{Sapling}$\orchard{, @@ -5037,7 +5053,7 @@ if $\BlockHeight \geq \CanopyActivationHeight$. \introlist \vspace{2ex} For each \outputDescription, the sender selects a value $\Value \typecolon \range{0}{\MAXMONEY}$ -and a destination \SaplingOrOrchard{} \paymentAddress $(\Diversifier, \DiversifiedTransmitPublic)$, +and a destination \SaplingOrOrchard \paymentAddress $(\Diversifier, \DiversifiedTransmitPublic)$, and then performs the following steps: \vspace{0.5ex} 
@@ -5253,7 +5269,7 @@ where \end{formulae} Given such a \merklePath, it is possible to verify that \merkleLeafNode -$\MerkleNode{\MerkleDepth{}}{i}$ is in a tree with a given \merkleRoot $\rt = \MerkleNode{0}{0}$. +$\MerkleNode{\MerkleDepth{}}{i}$ is in a tree with a given \merkleRoot $\rt{} = \MerkleNode{0}{0}$. \lsubsection{SIGHASH Transaction Hashing}{sighash} @@ -5293,7 +5309,7 @@ fields in the non-\Zcash-specific parts of the \transaction.} \changed{In \Zcash, all \sighashTypes are extended to cover the \Zcash-specific fields $\nJoinSplit$, $\vJoinSplit$, and if present $\joinSplitPubKey$. These fields -are described in \crossref{txnencoding}. The hash \emph{does not} cover the field $\joinSplitSig$.} +are described in \crossref{txnencodingandconsensus}. The hash \emph{does not} cover the field $\joinSplitSig$.} \overwinter{After \Overwinter activation, all \sighashTypes are also extended to cover \transaction fields introduced in that upgrade\sapling{, and similarly after \SaplingAndOrchard activation\notbeforeorchard{s}}. @@ -5412,7 +5428,7 @@ according to client implementation. } %changed -\sapling{ +%\sapling{ \introsection \extralabel{bindingsig}{\lsubsection{Balance and Binding Signature (\SaplingText)}{saplingbalance}} 
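Review bot: Commenting out `\sapling{` here, with the matching `%} %sapling` in the hunk at 5605, turns the Sapling balance and binding-signature section from conditional into unconditional text, which changes what the pre-Sapling variant of the document contains; if that is intended the two dead `%\sapling{` / `%} %sapling` lines should be deleted rather than left as commented code, and if it is a temporary workaround for the WIP it should not land. `\rt{} = \MerkleNode{0}{0}` relies on the new one-argument `\rt` with an empty argument, which produces an empty superscript holding only a negative kern; since this paragraph is generic over the tree, a version of `\rt` that omits the superscript when its argument is empty would be cleaner than `\rt{}`.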
@@ -5422,8 +5438,13 @@ The net value of \spendTransfers minus \outputTransfers in a \transaction is called the \defining{\saplingBalancingValue}, measured in \zatoshi as a signed integer $\vBalance{Sapling}$. -$\vBalance{Sapling}$ is encoded explicitly in a \transaction as the field \valueBalance{Sapling}. -(Transaction fields are described in \crossref{txnencoding}.) +$\vBalance{Sapling}$ is encoded in a \transaction as the field \valueBalance{Sapling}. +For a v4 \transaction, $\vBalance{Sapling}$ is always explicitly encoded. +\orchard{ +For a v5 \transaction, $\vBalance{Sapling}$ is implicitly zero if the \transaction has +no \spendDescriptions or \outputDescriptions. +} %orchard +Transaction fields are described in \crossref{txnencodingandconsensus}. A positive $\saplingBalancingValue$ takes value from the \defining{\SaplingTxValuePool} and adds it to the \transparentTxValuePool. A negative $\saplingBalancingValue$ does the @@ -5464,7 +5485,7 @@ Let $\ValueCommitAlg{Sapling}$, $\ValueCommitValueBase{Sapling}$, and $\ValueCom be as defined in \crossref{concretevaluecommit}: \vspace{-0.5ex} \begin{formulae} - \item $\ValueCommitAlg{Sapling} \typecolon \ValueCommitTrapdoor{Sapling} \times \ValueCommitType{Sapling} \rightarrow \ValueCommitOutput{Sapling}$; + \item $\ValueCommitAlg{Sapling} \typecolon \ValueCommitTrapdoor{Sapling} \times \ValueCommitTypeSapling \rightarrow \ValueCommitOutput{Sapling}$; \vspace{-1ex} \item $\ValueCommitValueBase{Sapling} \typecolon \SubgroupJstar$ is the value base in $\ValueCommitAlg{Sapling}$; \item $\ValueCommitRandBase{Sapling} \typecolon \SubgroupJstar$ is the randomness base in $\ValueCommitAlg{Sapling}$. 
@@ -5570,7 +5591,7 @@ breaking the binding property of the \valueCommitmentScheme. \introlist The above argument shows only that $\Value^* = 0 \pmod{\ParamJ{r}}$; in order to show that -$\vSum = 0$, we will also demonstrate that it does not overflow $\ValueCommitType{Sapling}$. +$\vSum = 0$, we will also demonstrate that it does not overflow $\ValueCommitTypeSapling$. The $\spendStatements$ prove that all of $\vOld{\alln}$ are in $\ValueType$. Similarly the $\outputStatements$ prove that all of $\vNew{\allm}$ are in $\ValueType$. @@ -5580,7 +5601,7 @@ is in the range $\range{-m \mult (2^{64}-1) - 2^{63} + 1}{n \mult (2^{64}-1) + 2 The maximum \transaction size of $2$ MB limits $n$ to at most $\floor{\frac{2000000}{384}} = 5208$ and $m$ to at most $\floor{\frac{2000000}{948}} = 2109$, ensuring $\vSum \in \range{-38913406623490299131842}{96079866507916199586728}$ -which is a subrange of $\ValueCommitType$. +which is a subrange of $\ValueCommitTypeSapling$. Thus checking the \saplingBindingSignature ensures that the \spendTransfers and \outputTransfers in the \transaction balance, without their individual values being revealed. @@ -5605,7 +5626,7 @@ in the sense that it is synthesized from the other blinding factors (\trapdoors) $\ValueCommitRandOld{\alln}$ and $\ValueCommitRandNew{\allm}$; this technique is also used in \Bulletproofs \cite{Dalek-notes}. } %nnote -} %sapling +%} %sapling \orchard{ 
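Review bot: The size bound $\floor{\frac{2000000}{384}} = 5208$ in the second hunk here (the overflow argument for $\vSum$) is stale after this commit, because the transaction table later in the same patch now lists a Spend description as $(384\text{ or }362)$ bytes. With 362-byte Spend descriptions $n$ can reach $\floor{\frac{2000000}{362}} = 5524$, so the stated range for $\vSum$ no longer bounds it; the conclusion that it stays inside $\ValueCommitTypeSapling$ presumably still holds given the headroom, but the numbers should be recomputed with the smaller size, e.g. `limits $n$ to at most $\floor{\frac{2000000}{362}} = 5524$`, and the range endpoints updated to match. A short comment saying which transaction version the 362-byte encoding applies to would also help a reader check this argument, since the table does not say.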
@@ -5617,8 +5638,9 @@ and optionally perform an output. Similarly to \Sapling, the net value of \Orcha spends minus outputs in a \transaction is called the \defining{\orchardBalancingValue}, measured in \zatoshi as a signed integer $\vBalance{\Orchard}$. -$\vBalance{Orchard}$ is encoded explicitly in a \transaction as the field \valueBalance{Orchard}. -(Transaction fields are described in \crossref{txnencoding}.) +$\vBalance{Orchard}$ is encoded in a \transaction as the field \valueBalance{Orchard}. +If a \transaction has no \actionDescriptions, $\vBalance{Orchard}$ is implicitly zero. +Transaction fields are described in \crossref{txnencoding}. A positive $\orchardBalancingValue$ takes value from the \defining{\OrchardTxValuePool} and adds it to the \transparentTxValuePool. A negative $\orchardBalancingValue$ does the @@ -5657,7 +5679,7 @@ Let $\ValueCommitAlg{Orchard}$, $\ValueCommitValueBase{Orchard}$, and $\ValueCom be as defined in \crossref{concretevaluecommit}: \vspace{-0.5ex} \begin{formulae} - \item $\ValueCommitAlg{Orchard} \typecolon \ValueCommitTrapdoor{Orchard} \times \ValueCommitType{Orchard} \rightarrow \ValueCommitOutput{Orchard}$; + \item $\ValueCommitAlg{Orchard} \typecolon \ValueCommitTrapdoor{Orchard} \times \ValueCommitTypeOrchard \rightarrow \ValueCommitOutput{Orchard}$; \vspace{-1ex} \item $\ValueCommitValueBase{Orchard} \typecolon \GroupPstar$ is the value base in $\ValueCommitAlg{Orchard}$; \item $\ValueCommitRandBase{Orchard} \typecolon \GroupPstar$ is the randomness base in $\ValueCommitAlg{Orchard}$. 
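Review bot: The new sentence `Transaction fields are described in \crossref{txnencoding}.` keeps the old label, while the parallel Sapling paragraph in this commit was switched to `\crossref{txnencodingandconsensus}`; both resolve because the section keeps `\extralabel{txnencoding}`, but the two paragraphs are otherwise written to mirror each other, so the reference should be the same. Also, "implicitly zero" is the only place that says whether the $\valueBalance{Orchard}$ field is absent or merely required to be zero when there are no Action descriptions; stating that explicitly here (e.g. `the field is omitted and $\vBalance{Orchard}$ is taken to be zero`) would make the consensus-rule wording in the encoding section easier to check against this section.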
@@ -5755,13 +5777,14 @@ breaking the binding property of the \valueCommitmentScheme. \introlist The above argument shows only that $\Value^* = 0 \pmod{\ParamP{r}}$; in order to show that -$\vSum = 0$, we will also demonstrate that it does not overflow $\ValueCommitType{Orchard}$. +$\vSum = 0$, we will also demonstrate that it does not overflow $\ValueCommitTypeOrchard$. The $\actionStatements$ prove that all of $\vNet{\alln}$ are in $\SignedValueType$. Similarly, $\vBalance{Orchard}$ is encoded in the \transaction as a signed two's complement $64$-bit integer in the range $\SignedValueType$. Therefore, $\vSum$ is in the range $\range{-n \mult 2^{63}}{n \mult (2^{63}-1)}$. -The maximum \transaction size of $2$ MB limits $n$ to at most \todo{$\floor{\frac{2000000}{?}} = ?$, -ensuring $\vSum \in ?$ which is a subrange of $\ValueCommitType{Orchard}$}. +The maximum \transaction size of $2$ MB limits $n$ to at most \todo{$\floor{\frac{2000000}{884}} = 2262$, +ensuring $\vSum \in \range{-20863267547365502877696}{20863267547365502875434}$ which is a subrange of +$\ValueCommitTypeOrchard$}. \todo{check after finalizing v5 tx format} Thus checking the \orchardBindingSignature ensures that the \actionTransfers in the \transaction balance, without their individual net values being revealed. @@ -5913,7 +5936,7 @@ A valid instance of a \defining{\joinSplitStatement}, $\ProofJoinSplit$, assures \vspace{-1ex} \begin{formulae} - \item $\oparen\rt \typecolon \MerkleHash{Sprout},\\ + \item $\oparen\rt{Sprout} \typecolon \MerkleHash{Sprout},\\ \hparen\nfOld{\allOld} \typecolon \typeexp{\PRFOutputSprout}{\NOld},\\ \hparen\cmNew{\allNew} \typecolon \typeexp{\NoteCommitOutput{Sprout}}{\NNew},\vspace{0.6ex}\\ \hparen\changed{\vpubOld \typecolon \ValueType,}\vspace{0.6ex}\\ 
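Review bot: The recomputed bound on $\vSum$ is derived from the context range $\range{-n \mult 2^{63}}{n \mult (2^{63}-1)}$, which accounts only for the $n$ values $\vNet{\alln}$ and not for $\vBalance{Orchard}$, even though the sentence immediately before introduces $\vBalance{Orchard}$ as a separate signed $64$-bit term. If $\vSum$ includes $\vBalance{Orchard}$ as the Sapling argument above includes its balance term, the range and the two new endpoints should each widen by a further $2^{63}$ (respectively $2^{63}-1$) before the "subrange of $\ValueCommitTypeOrchard$" claim is made. The arithmetic for $n = 2262$ with $884$-byte Action descriptions does match the table in this commit; the existing `\todo{check after finalizing v5 tx format}` could note the missing balance term as well.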
@@ -5948,7 +5971,7 @@ such that the following conditions hold: \snarkcondition{Merkle path validity}{sproutmerklepathvalidity} for each $i \in \setofOld$ \changed{$\mid$ $\EnforceMerklePath{i} = 1$}: $(\TreePath{i}, \NotePosition_i)$ is a valid \merklePath (see \crossref{merklepath}) of depth -$\MerkleDepth{Sprout}$ from $\NoteCommitment{Sprout}(\nOld{i})$ to the \anchor $\rt$. +$\MerkleDepth{Sprout}$ from $\NoteCommitment{Sprout}(\nOld{i})$ to the \anchor $\rt{Sprout}$. \pnote{Merkle path validity covers conditions 1.\,(a) and 1.\,(d) of the NP \statement in \cite[section 4.2]{BCGGMTV2014}.} @@ -6010,7 +6033,7 @@ A valid instance of a \defining{\spendStatement}, $\ProofSpend$, assures that gi \vspace{-1ex} \begin{formulae} - \item $\oparen\rt \typecolon \MerkleHash{Sapling},\\ + \item $\oparen\rt{Sapling} \typecolon \MerkleHash{Sapling},\\ \hparen\cvOld{} \typecolon \ValueCommitOutput{Sapling},\\ \hparen\nfOld{} \typecolon \PRFOutputNfSapling,\\ \hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic{Sapling}\cparen$, @@ -6045,7 +6068,7 @@ $\cmOld{} = \NoteCommit{Sapling}{\NoteCommitRandOld{}}(\reprJ\Of{\DiversifiedTra \snarkcondition{Merkle path validity}{spendmerklepathvalidity} Either $\vOld{} = 0$; or $(\TreePath{}, \NotePosition)$ is a valid \merklePath of depth $\MerkleDepth{Sapling}$, -as defined in \crossref{merklepath}, from $\cmU = \ExtractJ(\cmOld{})$ to the \anchor $\rt$. +as defined in \crossref{merklepath}, from $\cmU = \ExtractJ(\cmOld{})$ to the \anchor $\rt{Sapling}$. \snarkcondition{Value commitment integrity}{spendvaluecommitmentintegrity} $\cvOld{} = \ValueCommit{\ValueCommitRandOld{}}(\vOld{})$. 
@@ -6187,7 +6210,7 @@ A valid instance of a \defining{\actionStatement}, $\ProofAction$, assures that \vspace{-1ex} \begin{formulae} - \item $\oparen\rt \typecolon \MerkleHash{Orchard},\\ + \item $\oparen\rt{Orchard} \typecolon \MerkleHash{Orchard},\\ \hparen\cvNet{} \typecolon \ValueCommitOutput{Orchard},\\ \hparen\nfOld{} \typecolon \PRFOutputNfOrchard,\\ \hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic{Orchard},\\ @@ -6230,7 +6253,7 @@ $\cmOld{} = \NoteCommit{Orchard}{\NoteCommitRandOld{}}(\reprPstar\Of{\Diversifie \snarkcondition{Merkle path validity}{actionmerklepathvalidity} Either $\vOld{} = 0$; or $(\TreePath{}, \NotePosition)$ is a valid \merklePath of depth $\MerkleDepth{Orchard}$, -as defined in \crossref{merklepath}, from $\cmOld{}$ to the \anchor $\rt$. +as defined in \crossref{merklepath}, from $\cmOld{}$ to the \anchor $\rt{Orchard}$. \snarkcondition{Value commitment integrity}{actionvaluecommitmentintegrity} $\cvNet{} = \ValueCommit{\ValueCommitRandOld{}}(\vOld{} - \vNew{})$. @@ -6433,6 +6456,8 @@ engineering rationale behind this encryption scheme. \sapling{ \extralabel{saplinginband}{\lsubsection{In-band secret distribution (\SaplingAndOrchardText)}{saplingandorchardinband}} +\todo{generalize} + In \SaplingAndOrchard, the secrets that need to be transmitted to a recipient of funds in order for them to later spend, are $\Diversifier$, $\Value$, and $\NoteCommitRand$. A \memo (\crossref{noteptconcept}) is also transmitted. @@ -6443,7 +6468,7 @@ $\DiversifiedTransmitPublic$ is used to encrypt them. The recipient's possession of the associated \incomingViewingKey $\InViewingKey$ is used to reconstruct the original \note and \memo. -Unlike in a \Sprout{} \joinSplitDescription, each \SaplingOrOrchard{} \shieldedOutput +Unlike in a \Sprout{} \joinSplitDescription, each \SaplingOrOrchard \shieldedOutput is encrypted by a fresh \ephemeralPublicKey. \vspace{0.5ex} 
@@ -6466,12 +6491,14 @@ For both encryption and decryption, \sapling{ \extralabel{saplingencrypt}{\lsubsubsection{Encryption (\SaplingAndOrchardText)}{saplingandorchardencrypt}} +\todo{generalize} + Let $\DiversifiedTransmitPublic \typecolon \KAPublicPrimeSubgroup{Sapling}$ be the \diversifiedTransmissionKey for the intended recipient address of a new \Sapling{} \note, and let $\DiversifiedTransmitBase \typecolon \KAPublicPrimeSubgroup{Sapling}$ be the corresponding \diversifiedBase computed as $\DiversifyHash{Sapling}(\Diversifier)$. -Since \SaplingAndOrchard{} \note encryption is used only in the context of +Since \SaplingAndOrchard \note encryption is used only in the context of \crossref{saplingororchardsend}, we may assume that $\DiversifiedTransmitBase$ has already been calculated and is not $\bot$. Also, the \ephemeralPrivateKey $\EphemeralPrivate$ has been chosen. @@ -6529,7 +6556,9 @@ received out-of-band, which are not addressed in this document. \sapling{ -\lsubsubsection{Decryption using an Incoming Viewing Key (\SaplingAndOrchardText)}{saplingdecryptivk} +\extralabel{saplingdecryptivk}{\lsubsubsection{Decryption using an Incoming Viewing Key (\SaplingAndOrchardText)}{decryptivk}} + +\todo{generalize} Let $\InViewingKey \typecolon \InViewingKeyType{Sapling}$ be the recipient's \incomingViewingKey, as specified in \crossref{saplingkeycomponents}. @@ -6613,9 +6642,10 @@ from $\TransmitPlaintext{}$ \sapling{ -\lsubsubsection{Decryption using a Full Viewing Key (\SaplingAndOrchardText)}{saplingdecryptovk} +\extralabel{saplingdecryptovk}{\lsubsubsection{Decryption using a Full Viewing Key (\SaplingAndOrchardText)}{decryptovk}} + +\todo{generalize} -\vspace{-0.5ex} Let $\OutViewingKey \typecolon \OutViewingKeyType$ be the \outgoingViewingKey, as specified in \crossref{saplingkeycomponents}, that is to be used for decryption. (If $\OutViewingKey = \bot$ was used for encryption, the payment is not decryptable by 
@@ -6680,14 +6710,14 @@ from $\TransmitPlaintext{}$ \vspace{-0.5ex} \item $\DiversifiedTransmitPublicRepr$ can also be non-canonical. The decoded point $\DiversifiedTransmitPublic$ is \emph{not} checked to be in the subgroup $\SubgroupJ$. - \item The comments in \crossref{saplingdecryptivk} concerning calculation of $\NoteUniqueRand$, detection + \item The comments in \crossref{decryptivk} concerning calculation of $\NoteUniqueRand$, detection of spent \notes, and decryption of \noteCiphertextsSapling for \transactions in the \mempool also apply to \notes decrypted by this procedure. \end{pnotes} \vspace{-1ex} \nnote{Implementors should pay close attention to the similarities and differences between this procedure -and that in \crossref{saplingdecryptivk}. \canopy{In particular: +and that in \crossref{decryptivk}. \canopy{In particular: \vspace{1ex} \begin{itemize} \item in this procedure, the ephemeral \privateKey $\EphemeralPrivate'$ derived from $\NoteSeedBytes$ @@ -6705,6 +6735,8 @@ and that in \crossref{saplingdecryptivk}. \canopy{In particular: \lsubsection{Block Chain Scanning\pSproutOrNothingText}{sproutscan} +\todo{generalize} + Let $\PRFOutputLengthSprout$ be as defined in \crossref{constants}. Let $\NoteType{Sprout}$ be as defined in \crossref{notes}. @@ -6756,7 +6788,9 @@ be the \incomingViewingKey corresponding to $\AuthPrivate$, and let $\TransmitPu \sapling{ -\lsubsection{Block Chain Scanning (\SaplingAndOrchardText)}{saplingscan} +\extralabel{saplingscan}{\lsubsection{Block Chain Scanning (\SaplingAndOrchardText)}{scan}} + +\todo{generalize} In \Sapling, \blockChain scanning requires only the $\NullifierKey$ and $\InViewingKey$ key components, rather than a \spendingKey as in \Sprout. 
@@ -6788,7 +6822,7 @@ and its final status (spent or unspent). \item \tab for each \outputDescription in $\tx$ with \notePosition $\NotePosition$: \item \tab \tab Attempt to decrypt the \noteCiphertextSapling components $\EphemeralPublic$ and $\TransmitCiphertext{}$ using $\InViewingKey$ with the algorithm\vspace{-1.2ex}% - \item \tab \tab in \crossref{saplingdecryptivk}. If this succeeds giving $\NotePlaintext{}$: + \item \tab \tab in \crossref{decryptivk}. If this succeeds giving $\NotePlaintext{}$: \item \tab \tab \tab Extract $\NoteTuple{}$ and $\Memo \typecolon \MemoType$ from $\NotePlaintext{}$ \item \tab \tab \tab Add $(\NoteTuple{}, \Memo)$ to $\ReceivedSet$ \item \tab \tab \tab Calculate the nullifier $\nf$ of $\NoteTuple{}$ using $\NullifierKey$ @@ -6805,7 +6839,7 @@ and its final status (spent or unspent). \begin{nnotes} \item The above algorithm does not use the $\OutViewingKey$ key component, or the $\OutCiphertext$ \noteCiphertextSapling component. When scanning the whole \blockChain, these are indeed not necessary. - The advantage of supporting decryption using $\OutViewingKey$ as described in \crossref{saplingdecryptovk}, + The advantage of supporting decryption using $\OutViewingKey$ as described in \crossref{decryptovk}, is that it allows recovering information about the \notePlaintexts sent in a \transaction from that \transaction alone. \item When scanning only part of a \blockChain, it may be useful to augment the above algorithm with 
@@ -10271,19 +10305,20 @@ upgrade-supporting nodes \MUST allow for this. \intropart \lsection{Consensus Changes from \BitcoinText}{consensusfrombitcoin} -\vspace{-1ex} +\vspace{-2ex} \extralabel{txnencoding}{\lsubsection{Transaction Encoding and Consensus}{txnencodingandconsensus}} The \Zcash{} \defining{\transaction} format is as follows (this should be read in the context of consensus rules later in the section): +\vspace{-1ex} \begin{center} -\scalebox{\sprout{0.87}\notsprout{0.84}}{ +\scalebox{\sprout{0.87}\notsprout{\notorchard{0.84}\notbeforeorchard{0.77}}}{ \notsprout{\renewcommand{\arraystretch}{1.3}} \hbadness=10000 -\begin{tabularx}{\sprout{1.07}\notsprout{1.13}\textwidth}{|c|c|l|p{10em}|L|} +\begin{tabularx}{\sprout{1.07}\notsprout{\notorchard{1.13}\notbeforeorchard{1.25}}\textwidth}{|c|c|l|p{10em}|L|} \hline -\!\!Version\!\! & \heading{Bytes} & \heading{Name} & \heading{Data Type} & \heading{Description} \\ +\!\!Version$\footnotestar$\!\! & \heading{Bytes} & \heading{Name} & \heading{Data Type} & \heading{Description} \\ \hhline{|=|=|=|=|=|} $\geq 1$ & $4$ & $\headerField$ & \type{uint32} & Contains: \begin{compactitemize} 
@@ -10293,76 +10328,119 @@ $\geq 1$ & $4$ & $\headerField$ & \type{uint32} & Contains: \begin{compactitemiz \end{compactitemize} \\ \hline \notsprout{ -$\geq 3$ & $4$ & $\nVersionGroupId\!$ & \type{uint32} & Version group ID (nonzero). \\ \hline +\setoverwinter $\geq 3$ &\setoverwinter $4$ &\setoverwinter $\nVersionGroupId\!$ &\overwintertype{uint32} &\setoverwinter +Version group ID (nonzero). \\ \hline } -$\geq 1$ & \Varies & $\txInCount$ & \compactSize & Number of \transparent inputs. \\ \hline +$\geq 1$ & \Varies & $\txInCount$ & \type{compactSize} & Number of \transparent inputs. \\ \hline $\geq 1$ & \Varies & $\txIn$ & $\txIn$ & \xTransparent inputs, encoded as in \Bitcoin. \\ \hline -$\geq 1$ & \Varies & $\txOutCount$ & \compactSize & Number of \transparent outputs. \\ \hline +$\geq 1$ & \Varies & $\txOutCount$ & \type{compactSize} & Number of \transparent outputs. \\ \hline $\geq 1$ & \Varies & $\txOut$ & $\txOut$ & \xTransparent outputs, encoded as in \Bitcoin. \\ \hline -$\geq 1$ & $4$ & $\lockTime$ & \type{uint32} & A Unix epoch time (UTC) or \blockHeight, encoded as in \Bitcoin. \\ \hline +\setorchard $\barerange{1}{4}$ & $4$ & $\lockTime$ & \type{uint32} & Unix-epoch UTC time or \blockHeight, encoded as in \Bitcoin. \\ \hline \notsprout{ -$\geq 3$ & $4$ & $\nExpiryHeight$ & \type{uint32} & A \blockHeight in the range $\range{1}{499999999}$ after which -the \transaction will expire, or $0$ to disable expiry (\smash{\cite{ZIP-203}}). \\ \hline +\setoverwinter $\geq 3$ &\setoverwinter $4$ &\setoverwinter $\nExpiryHeight$ &\overwintertype{uint32} &\setoverwinter +A \blockHeight in the range $\range{1}{499999999}$ after which the \transaction will expire, or $0$ to disable expiry. +\smash{\cite{ZIP-203}} \\ \hline -$\geq 4$ & $8$ & $\valueBalance{Sapling}$ & \type{int64} & The net value of \Sapling{} \spendTransfers minus \outputTransfers. 
\\ \hline +\setsapling $= 4$ &\setsapling $8$ &\setsapling $\valueBalance{Sapling}\!$ &\saplingtype{int64} &\setsapling +The net value of \Sapling{} spends minus outputs. \\ \hline -$\geq 4$ & \Varies & $\nShieldedSpend$ & \compactSize & The number of \spendDescriptions -in $\vShieldedSpend$. \\ \hline +\setsapling $\geq 4$ &\setsapling \Varies &\setsapling $\nShieldedSpend$ &\saplingtype{compactSize} &\setsapling +The number of \spendDescriptions in $\vShieldedSpend$. \\ \hline -$\geq 4$ & \Longunderstack{$384 \mult$ \\$\!\nShieldedSpend\!$} & $\vShieldedSpend$ & \type{SpendDescription} \type{[$\nShieldedSpend$]} & -A sequence of \spendDescriptions{}, encoded as in \crossref{spendencoding}. \\ \hline +\setsapling $\geq 4$ &\setsapling \Longunderstack{$(384\text{ or }362) \mult$ \\$\!\nShieldedSpend\!$} &\setsapling $\vShieldedSpend$ &\saplingtype{SpendDescription} \saplingtype{[$\nShieldedSpend$]} &\setsapling +A sequence of \spendDescriptions{}, encoded as in \crossref{spendencodingandconsensus}. \\ \hline -$\geq 4$ & \Varies & $\nShieldedOutput\!$ & \compactSize & The number of \outputDescriptions -in $\vShieldedOutput$. \\ \hline +\setsapling $\geq 4$ &\setsapling \Varies &\setsapling $\nShieldedOutput\!$ &\saplingtype{compactSize} &\setsapling +The number of \outputDescriptions in $\vShieldedOutput$. \\ \hline -$\geq 4$ & \Longunderstack{$948 \mult$ \\$\!\nShieldedOutput\!$} & $\vShieldedOutput\!$ & \type{OutputDescription} \type{[$\nShieldedOutput$]} & -A sequence of \outputDescriptions{}, encoded as in \crossref{outputencoding}. \\ \hline +\setsapling $\geq 4$ &\setsapling \Longunderstack{$948 \mult$ \\$\!\nShieldedOutput\!$} &\setsapling $\vShieldedOutput\!$ &\saplingtype{OutputDescription} \saplingtype{[$\nShieldedOutput$]} &\setsapling +A sequence of \outputDescriptions{}, encoded as in \crossref{outputencodingandconsensus}. \\ \hline } %notsprout -$\geq 2$ & \Varies & $\nJoinSplit$ & \compactSize & The number of \joinSplitDescriptions -in $\vJoinSplit$. 
\\ \hline +\notbeforeorchard{ +\setorchard $\geq 5$ &\setorchard \Varies &\setorchard $\nShieldedAction\!$ &\orchardtype{compactSize} &\setorchard +The number of \actionDescriptions in $\vShieldedAction$. \\ \hline + +\setorchard $\geq 5$ &\setorchard \Longunderstack{$884 \mult$ \\$\!\nShieldedAction\!$} &\setorchard $\vShieldedAction\!$ &\orchardtype{ActionDescription} \orchardtype{[$\nShieldedAction$]} &\setorchard +A sequence of \actionDescriptions{}, encoded as in \crossref{actionencodingandconsensus}. \\ \hline +} %notbeforeorchard + +$\geq 2$ & \Varies & $\nJoinSplit$ & \type{compactSize} & +The number of \joinSplitDescriptions in $\vJoinSplit$. \\ \hline \sprout{ $\geq 2$ & \Longunderstack{$1802 \mult$ \\ $\nJoinSplit$} & $\vJoinSplit$ & \type{JoinSplitDescription}\!\! \type{[$\nJoinSplit$]} & -A \sequenceOfJoinSplitDescriptions{} using \BCTV proofs, encoded as in \crossref{joinsplitencoding}. \\ \hline +A \sequenceOfJoinSplitDescriptions{} using \BCTV proofs, encoded as in \crossref{joinsplitencodingandconsensus}. \\ \hline } %sprout \notsprout{ $\barerange{2}{3}$ & \Longunderstack{$1802 \mult$ \\ $\nJoinSplit$} & $\vJoinSplit$ & \type{JSDescriptionBCTV14}\!\! \type{[$\nJoinSplit$]} & -A \sequenceOfJoinSplitDescriptions{} using \BCTV proofs, encoded as in \crossref{joinsplitencoding}. \\ \hline +A \sequenceOfJoinSplitDescriptions{} using \BCTV proofs, encoded as in \crossref{joinsplitencodingandconsensus}. \\ \hline -\setsapling $\geq 4$ &\setsapling \Longunderstack{$1698 \mult$ \\ $\nJoinSplit$} &\setsapling $\vJoinSplit$ &\textcolor{\saplingcolor}{\type{JSDescriptionGroth16}\!\! \type{[$\nJoinSplit$]}} & -\setsapling A sequence of \joinSplitDescriptions using \Groth proofs, encoded as in \crossref{joinsplitencoding}. \\ \hline +\setsapling $\geq 4$ &\setsapling \Longunderstack{$1698 \mult$ \\ $\nJoinSplit$} &\setsapling $\vJoinSplit$ &\saplingtype{JSDescriptionGroth16}\!\! 
\saplingtype{[$\nJoinSplit$]} &\setsapling +A sequence of \joinSplitDescriptions using \Groth proofs, encoded as in \crossref{joinsplitencodingandconsensus}. \\ \hline } %notsprout -$\geq 2\;\dagger$ & $32$ & $\joinSplitPubKey\!$ & \type{char[32]} & An encoding of a $\JoinSplitSig$ -public \validatingKey. \\ \hline +\notbeforeorchard{ +\setorchard $\geq 5\;\mathsection$ &\setorchard $8$ &\setorchard $\valueBalance{Sapling}\!$ &\orchardtype{int64} &\setorchard +The net value of \Sapling{} spends minus outputs. \\ \hline -$\geq 2\;\dagger$ & $64$ & $\joinSplitSig$ & \type{char[64]} & A signature on a prefix of the \transaction encoding, -to be verified using $\joinSplitPubKey$. \\ \hline +\setorchard $\geq 5\;\mathsection$ &\setorchard $32$ &\setorchard $\anchorField{Sapling}$ &\orchardtype{byte[32]} &\setorchard +A \merkleRoot of the \Sapling{} \noteCommitmentTree at some \blockHeight in the past, $\LEBStoOSPOf{256}{\rt{Sapling}}$. \\ \hline + +\setorchard $\geq 5\;\mathsection$ &\setorchard $8$ &\setorchard $\valueBalance{Orchard}\!$ &\orchardtype{int64} &\setorchard +The net value of \Orchard{} spends minus outputs. \\ \hline + +\setorchard $\geq 5\;\mathsection$ &\setorchard $32$ &\setorchard $\anchorField{Orchard}$ &\orchardtype{byte[32]} &\setorchard +A \merkleRoot of the \Orchard{} \noteCommitmentTree at some \blockHeight in the past, $\LEBStoOSPOf{256}{\rt{Orchard}}$. \\ \hline +} %notbeforeorchard + +$\geq 2\;\dagger$ & $32$ & $\joinSplitPubKey\!$ & \type{byte[32]} & +An encoding of a $\JoinSplitSig$ public \validatingKey. \\ \hline + +$\geq 2\;\dagger$ & $64$ & $\joinSplitSig$ & \type{byte[64]} & +A signature on a prefix of the \transaction encoding, to be verified using $\joinSplitPubKey$ as specified in +\crossref{sproutnonmalleability}. 
\\ \hline \notsprout{ -\setsapling $\geq 4\;\ddagger$ &\setsapling $64$ &\setsapling $\bindingSig{Sapling}$ &\textcolor{\saplingcolor}{\type{char[64]}} &\setsapling A signature on the \sighashTxHash, to be verified -as specified in \crossref{concretebindingsig}. \\ \hline +\setsapling $\geq 4\;\ddagger$ &\setsapling $64$ &\setsapling $\bindingSig{Sapling}$ &\saplingtype{byte[64]} &\setsapling +A \saplingBindingSignature on the \sighashTxHash, to be verified as specified in \crossref{concretebindingsig}. \\ \hline } %notsprout + +\notbeforeorchard{ +\setorchard $\geq 5\;\mathsection$ &\setorchard $64$ &\setorchard $\bindingSig{Orchard}$ &\orchardtype{byte[64]} &\setorchard +An \orchardBindingSignature on the \sighashTxHash, to be verified as specified in \crossref{concretebindingsig}. \\ \hline +} %notbeforeorchard \end{tabularx} \renewcommand{\arraystretch}{\defaultarraystretch} } %scalebox \end{center} +{\footnotesize +$\footnotestar$ Version constraints apply to the $\effectiveVersion$, which is equal to +$\minimum(2, \versionField)$ when $\fOverwintered = 0$ and to $\versionField$ otherwise. + +\vspace{-1ex} $\dagger$ The \joinSplitPubKey{} and \joinSplitSig{} fields are present if and only if -$\versionField \geq 2$ and $\nJoinSplit > 0$. The encoding of $\joinSplitPubKey$ and -the data to be signed are specified in \crossref{sproutnonmalleability}. +$\effectiveVersion \geq 2$ and $\nJoinSplit > 0$. \sapling{ +\vspace{-1ex} $\ddagger$ The \bindingSig{Sapling} field is present if and only if -$\versionField \geq 4$ and $\nShieldedSpend + \nShieldedOutput > 0$. +$\effectiveVersion \geq 4$ and $\nShieldedSpend + \nShieldedOutput > 0$. } %sapling + +\orchard{ +\vspace{-1.5ex} +$\mathsection$ The \anchorField{Orchard} and \bindingSig{Orchard} fields are present if and only if +$\effectiveVersion \geq 5$ and $\nShieldedAction > 0$. +} %orchard +} %footnotesize \sprout{\vspace{3ex}} \begin{consensusrules} 
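Review bot: The new $\mathsection$ footnote states a presence condition only for \anchorField{Orchard} and \bindingSig{Orchard}, but the same marker is attached to the v5 \valueBalance{Sapling}, \anchorField{Sapling} and \valueBalance{Orchard} rows, whose presence conditions are left unstated. The balance section in this commit says the v5 $\vBalance{Sapling}$ is implicitly zero when there are no Spend or Output descriptions, which suggests those rows need their own condition, e.g. `$\mathsection$ The \valueBalance{Sapling} and \anchorField{Sapling} fields are present if and only if $\effectiveVersion \geq 5$ and $\nShieldedSpend + \nShieldedOutput > 0$` with a separate marker (or an explicit statement that they are always present in v5) for the Orchard balance field. Separately, the $\lockTime$ row is now restricted to $\barerange{1}{4}$ and nothing in this hunk shows where a v5 transaction carries its lock time; if that restriction is intended, any consensus rule that reads $\lockTime$ needs a v5 case, otherwise the row should presumably remain $\geq 1$. The table's tabularx environment continues past the end of this hunk.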
@@ -10372,20 +10450,20 @@ $\versionField \geq 4$ and $\nShieldedSpend + \nShieldedOutput > 0$. \overwinteronwarditem{The \versionGroupID{} \MUST be recognized.} \overwinteronlyitem{The \transactionVersionNumber{} \MUST be $3$, and the \versionGroupID{} \MUST be $\hexint{03C48270}$.} - \saplingonwarditem{\;The\, \transactionVersionNumber\, \MUST\, be\, $4$,\; and\, the\, \versionGroupID\, + \saplingonwarditem{\;The\, \transactionVersionNumber\kern0.25em \MUST\, be\, $4$,\; and\, the\, \versionGroupID\kern0.25em \MUST\, be\, $\hexint{892F2085}$.} \orchardonwarditem{The \transactionVersionNumber{} \MUST be $4$ or $5$. If the \transactionVersionNumber{} is $4$ then the \versionGroupID{} \MUST be $\hexint{892F2085}$. If the \transactionVersionNumber{} is $5$ then the \versionGroupID{} \MUST be $\hexint{26A7270A}$.} \presaplingitem{The encoded size of the \transaction{} \MUST be less than or equal to $100000$ bytes.} - \presaplingitem{If $\versionField = 1$ or $\nJoinSplit = 0$, then both \txInCount{} and \txOutCount{} \MUST be nonzero.\!} + \presaplingitem{If $\effectiveVersion = 1$ or $\nJoinSplit = 0$, then both \txInCount{} and \txOutCount{} \MUST be nonzero.\!} \saplingonwarditem{At least one of \txInCount, \nShieldedSpend, and \nJoinSplit{} \MUST be nonzero.} \saplingonwarditem{At least one of \txOutCount, \nShieldedOutput, and \nJoinSplit{} \MUST be nonzero.} \item A \transaction with one or more \transparent inputs from \coinbaseTransactions{} \MUST have no \transparent outputs (i.e.\ \txOutCount{} \MUST be $0$). Inputs from \coinbaseTransactions include \foundersReward outputs and \fundingStream outputs. - \item If $\versionField \geq 2$ and $\nJoinSplit > 0$, then: + \item If $\effectiveVersion \geq 2$ and $\nJoinSplit > 0$, then: \begin{itemize} \item \joinSplitPubKey{} \MUST be a valid encoding (see \crossref{concretejssig}) of an \EdSpecific \validatingKey. 
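Review bot: The two unchanged rules `At least one of \txInCount, \nShieldedSpend, and \nJoinSplit{} \MUST be nonzero` and its \txOutCount/\nShieldedOutput counterpart reject a v5 transaction that consists only of Action descriptions, since neither lists \nShieldedAction, and this commit adds Orchard fields to the table without touching them. Unless an Orchard-era variant exists outside this hunk, they need an Orchard case, e.g. `\orchardonwarditem{At least one of \txInCount, \nShieldedSpend, \nShieldedAction, and \nJoinSplit{} \MUST be nonzero.}` and the corresponding output-side item, with the existing items narrowed to pre-Orchard. The enclosing consensusrules list starts before this hunk.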
@@ -10393,7 +10471,7 @@ $\versionField \geq 4$ and $\nShieldedSpend + \nShieldedOutput > 0$. $\dataToBeSigned$, as defined in \crossref{sproutnonmalleability}. \end{itemize} \vspace{-1ex} - \saplingonwarditem{If $\versionField \geq 4$ and $\nShieldedSpend + \nShieldedOutput > 0$, + \saplingonwarditem{If $\effectiveVersion \geq 4$ and $\nShieldedSpend + \nShieldedOutput > 0$, then: \begin{itemize} \item let $\BindingPublic$ and $\SigHash$ be as defined in \crossref{saplingbalance}; @@ -10402,9 +10480,9 @@ $\versionField \geq 4$ and $\nShieldedSpend + \nShieldedOutput > 0$. i.e.\ $\BindingSigValidate{Sapling}{\BindingPublic{Sapling}}(\SigHash, \bindingSig{Sapling}) = 1$. \end{itemize}} \vspace{-1ex} - \saplingonwarditem{If $\versionField \geq 4$ and $\nShieldedSpend + \nShieldedOutput = 0$, + \saplingonwarditem{If $\effectiveVersion = 4$ and there are no \spendDescriptions or \outputDescriptions, then $\valueBalance{Sapling}$ \MUST be $0$.} - \orchardonwarditem{If $\versionField \geq 5$ and $\nShieldedAction > 0$, + \orchardonwarditem{If $\effectiveVersion \geq 5$ and $\nShieldedAction > 0$, then: \begin{itemize} \item let $\BindingPublic$ and $\SigHash$ be as defined in \crossref{orchardbalance}; 
@@ -10413,13 +10491,12 @@ $\versionField \geq 4$ and $\nShieldedSpend + \nShieldedOutput > 0$. i.e.\ $\BindingSigValidate{Orchard}{\BindingPublic{Orchard}}(\SigHash, \bindingSig{Orchard}) = 1$. \end{itemize}} \vspace{-1ex} - \saplingonwarditem{If $\versionField \geq 5$ and $\nShieldedAction = 0$, + \saplingonwarditem{If $\effectiveVersion \geq 5$ and $\nShieldedAction = 0$, then $\valueBalance{Orchard}$ \MUST be $0$.} - \item The total amount of \transparentOutputs from a \coinbaseTransaction,\heartwood{ minus - the amount of the $\valueBalance{Sapling}$ field if present,}\orchard{ minus the amount - of the $\valueBalance{Orchard}$ field if present,} \MUSTNOT be greater than the - amount of \minerSubsidy plus the total amount of \transactionFees paid by \transactions - in this \block. + \item The total value in \zatoshi of \transparentOutputs from a \coinbaseTransaction\heartwood{, minus + the $\valueBalance{Sapling}$ field\orchard{ if present},}\orchard{ minus the $\valueBalance{Orchard}$ + field if present,} \MUSTNOT be greater than the value in \zatoshi of \minerSubsidy plus the + \transactionFees paid by \transactions in this \block. \notheartwood{ \item A \coinbaseTransaction{} \MUSTNOT have any \joinSplitDescriptions\sapling{, \spendDescriptions, or \outputDescriptions}. 
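Review bot: The rewritten item `\saplingonwarditem{If $\effectiveVersion \geq 5$ and $\nShieldedAction = 0$, then $\valueBalance{Orchard}$ \MUST be $0$.}` is a v5-only rule inside a `\saplingonwarditem`, while the sibling rule just above it uses `\orchardonwarditem`; presumably the latter is intended. More importantly, the balance section in this commit says $\vBalance{Orchard}$ is implicitly zero when there are no Action descriptions and the table marks the field with the $\mathsection$ presence footnote, which suggests the field is absent in exactly this case; if so the rule is vacuous and should be dropped, as was done for Sapling by narrowing its rule to `$\effectiveVersion = 4$`, and if the field is in fact always present in v5 the table footnote should say so. The enclosing consensusrules list starts before this hunk.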
@@ -10446,17 +10523,18 @@ $\versionField \geq 4$ and $\nShieldedSpend + \nShieldedOutput > 0$. \overwinteronwarditem{If a \transaction is not a \coinbaseTransaction and its \nExpiryHeight{} field is nonzero, then it \MUSTNOT be mined at a \blockHeight greater than its \nExpiryHeight.} \saplingonwarditem{\valueBalance{} \MUST be in the range $\range{-\MAXMONEY}{\MAXMONEY}$.} - \heartwoodonwarditem{All \Sapling outputs in \coinbaseTransactions{} \MUST decrypt to a \notePlaintext, - i.e. the procedure in \crossref{saplingdecryptovk} does not return $\bot$, using a sequence of - $32$ zero bytes as the \outgoingViewingKey.} - \canopyonwarditem{Any \Sapling output of a \coinbaseTransaction decrypted to a \notePlaintext according + \heartwoodonwarditem{All \SaplingAndOrchard outputs in \coinbaseTransactions{} \MUST decrypt to a + \notePlaintext, i.e.\ the procedure in \crossref{decryptovk} does not return $\bot$, + using a sequence of $32$ zero bytes as the \outgoingViewingKey.} + \canopyonwarditem{Any \SaplingOrOrchard output of a \coinbaseTransaction decrypted to a \notePlaintext according to the preceding rule \MUST have \notePlaintextLeadByte equal to $\hexint{02}$. (This applies even during the ``grace period'' specified in \cite{ZIP-212}.)} \item \todo{Other rules inherited from \Bitcoin.} \end{consensusrules} -Consensus rules associated with each \joinSplitDescription (\crossref{joinsplitencoding})\sapling{, -each \spendDescription (\crossref{spendencoding}), and each \outputDescription (\crossref{outputencoding})} +Consensus rules associated with each \joinSplitDescription (\crossref{joinsplitencodingandconsensus})\sapling{, +each \spendDescription (\crossref{spendencodingandconsensus}),\notorchard{ and} each \outputDescription +(\crossref{outputencodingandconsensus})}\orchard{, and each \actionDescription (\crossref{actionencodingandconsensus})} \MUST also be followed. \begin{pnotes} 
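Review bot: The coinbase decryption rule now covers \SaplingAndOrchard outputs and points at \crossref{decryptovk}, but that procedure is still written for Sapling types (it takes $\OutViewingKey \typecolon \OutViewingKeyType$ and Sapling key-agreement types, and this commit only adds `\todo{generalize}` to it), so what "decrypt to a \notePlaintext using a sequence of $32$ zero bytes as the \outgoingViewingKey" means for an Orchard output is currently unspecified. Until that section is generalized, the rule should carry a marker such as `\todo{specify the Orchard variant of the \crossref{decryptovk} procedure used here}` so that an implementer does not read the Sapling procedure as authoritative for Orchard coinbase outputs. The $\hexint{02}$ lead-byte rule that follows depends on the same generalization. The enclosing consensusrules list starts before this hunk.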
@@ -10568,35 +10646,35 @@ A value $\vpubOld$ that the \joinSplitTransfer removes from the \transparentTxVa $8$ & $\vpubNewField$ & \type{uint64} & A value $\vpubNew$ that the \joinSplitTransfer inserts into the \transparentTxValuePool. \\ \hline -$32$ & $\anchorField$ & \type{char[32]} & A \merkleRoot $\rt$ of the \SproutOrNothing{} +$32$ & $\anchorField{}$ & \type{byte[32]} & A \merkleRoot $\rt{Sprout}$ of the \SproutOrNothing{} \noteCommitmentTree at some \blockHeight in the past, or the \merkleRoot produced by a previous \joinSplitTransfer in this \transaction. \\ \hline -$64$ & $\nullifiersField$ & \type{char[32][$\NOld$]} & A sequence of \nullifiers of the input +$64$ & $\nullifiersField$ & \type{byte[32][$\NOld$]} & A sequence of \nullifiers of the input \notes $\nfOld{\allOld}$. \\[0.4ex] \hline -$64$ & $\commitmentsField$ & \type{char[32][$\NNew$]} & A sequence of \noteCommitments for the +$64$ & $\commitmentsField$ & \type{byte[32][$\NNew$]} & A sequence of \noteCommitments for the output \notes $\cmNew{\allNew}$. \\ \hline -\setchanged $32$ &\setchanged $\ephemeralKey$ &\setchanged \type{char[32]} &\mbox{}\setchanged +\setchanged $32$ &\setchanged $\ephemeralKey$ &\setchanged \type{byte[32]} &\mbox{}\setchanged A $\KASproutCurve$ \publicKey $\EphemeralPublic$. \\ \hline -\setchanged $32$ &\setchanged $\randomSeed$ &\setchanged \type{char[32]} &\mbox{}\setchanged +\setchanged $32$ &\setchanged $\randomSeed$ &\setchanged \type{byte[32]} &\mbox{}\setchanged A $256$-bit seed that must be chosen independently at random for each \joinSplitDescription. \\ \hline -$64$ & $\vmacs$ & \type{char[32][$\NOld$]} & A sequence of message authentication tags +$64$ & $\vmacs$ & \type{byte[32][$\NOld$]} & A sequence of message authentication tags $\h{\allOld}$ binding $\hSig$ to each $\AuthPrivate$ of the $\joinSplitDescription$, computed as described in \crossref{sproutnonmalleability}. 
\\ \hline -$296\notsprout{\;\dagger}$ & $\zkproof$ & \type{char[296]} & An encoding of the \zkSNARKProof +$296\notsprout{\;\dagger}$ & $\zkproof$ & \type{byte[296]} & An encoding of the \zkSNARKProof $\ProofJoinSplit$ (see \crossref{bctv}). \\ \hline \notsprout{ -$192\;\ddagger$ & $\zkproof$ & \type{char[192]} & An encoding of the \zkSNARKProof +$192\;\ddagger$ & $\zkproof$ & \type{byte[192]} & An encoding of the \zkSNARKProof $\ProofJoinSplit$ (see \crossref{groth}). \\ \hline } -$1202$ & $\encCiphertexts$ & \type{char[601][$\NNew$]} & A sequence of ciphertext +$1202$ & $\encCiphertexts$ & \type{byte[601][$\NNew$]} & A sequence of ciphertext components for the encrypted output \notes, $\TransmitCiphertext{\allNew}$. \\ \hline \end{tabularx} 
@@ -10637,27 +10715,31 @@ a \transaction as an instance of a \type{SpendDescription} type as follows: Bytes & \heading{Name} & \heading{Data Type} & \heading{Description} \\ \hhline{|=|=|=|=|} -$32$ & $\cvField$ & \type{char[32]} & A \valueCommitment to the value of the input \note, +$32$ & $\cvField$ & \type{byte[32]} & A \valueCommitment to the value of the input \note, $\LEBStoOSPOf{256}{\reprJ\Of{\cv}}$. \\ \hline -$32$ & $\anchorField$ & \type{char[32]} & A \merkleRoot of the \Sapling{} \noteCommitmentTree -at some \blockHeight in the past, $\LEBStoOSPOf{256}{\rt}$. \\ \hline +$32\orchard{\;\dagger}$ & $\anchorField{}$ & \type{byte[32]} & A \merkleRoot of the \Sapling{} \noteCommitmentTree +at some \blockHeight in the past, $\LEBStoOSPOf{256}{\rt{Sapling}}$. \\ \hline -$32$ & $\nullifierField$ & \type{char[32]} & The \nullifier of the input \note, $\nf$. \\ \hline +$32$ & $\nullifierField$ & \type{byte[32]} & The \nullifier of the input \note, $\nf$. \\ \hline -$32$ & $\rkField$ & \type{char[32]} & The randomized \validatingKey for $\spendAuthSig$, +$32$ & $\rkField$ & \type{byte[32]} & The randomized \validatingKey for $\spendAuthSig$, $\LEBStoOSPOf{256}{\reprJ\Of{\AuthSignRandomizedPublic}\kern 0.05em}$. \\ \hline -$192$ & $\zkproof$ & \type{char[192]} & An encoding of the \zkSNARKProof +$192$ & $\zkproof$ & \type{byte[192]} & An encoding of the \zkSNARKProof $\ProofSpend$ (see \crossref{groth}). \\ \hline -$64$ & $\spendAuthSig$ & \type{char[64]} & A signature authorizing this Spend. \\ \hline +$64$ & $\spendAuthSig$ & \type{byte[64]} & A signature authorizing this Spend. \\ \hline \end{tabularx} \end{center} +\orchard{$\dagger$ The $\anchorField{}$ field is only present in a \spendDescription if the \transactionVersion is $4$. 
+For version 5 \transactions, all \spendDescriptions share the same \anchor, which is encoded once as the +$\anchorField{Sapling}$ field of the \transaction as described in \crossref{txnencodingandconsensus}.} + \vspace{-2ex} -\consensusrule{$\LEOStoIPOf{256}{\anchorField}$ \MUST be less than $\ParamJ{q}$.} +\consensusrule{$\LEOStoIPOf{256}{\anchorField{Sapling}}$\orchard{, if present,} \MUST be less than $\ParamJ{q}$.} \vspace{-0.5ex} Other consensus rules applying to a \spendDescription are given in \crossref{spenddesc}. 
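Review bot: Scoping the canonicality rule as `$\LEOStoIPOf{256}{\anchorField{Sapling}}$\orchard{, if present,} \MUST be less than $\ParamJ{q}$` removes the check from v5 spend descriptions without visibly re-establishing it for the transaction-level `\anchorField{Sapling}` that the dagger note says replaces it; unless \crossref{txnencodingandconsensus} restates the same rule, a non-canonical anchor encoding could be accepted in a v5 transaction. Suggest extending the dagger note: `... as described in \crossref{txnencodingandconsensus}, where the same canonical-encoding rule applies to that field.` Minor: the table row names the field `$\anchorField{}$` while the rule and the note use `$\anchorField{Sapling}$`; pick one so the rule is unambiguously bound to the row.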
@@ -10682,22 +10764,22 @@ a \transaction as an instance of an \type{OutputDescription} type as follows: Bytes & \heading{Name} & \heading{Data Type} & \heading{Description} \\ \hhline{|=|=|=|=|} -$32$ & $\cvField$ & \type{char[32]} & A \valueCommitment to the value of the output \note, +$32$ & $\cvField$ & \type{byte[32]} & A \valueCommitment to the value of the output \note, $\LEBStoOSPOf{256}{\reprJ\Of{\cv}\kern 0.05em}$. \\ \hline -$32$ & $\cmuField$ & \type{char[32]} & The $u$-coordinate of the \noteCommitment for the output \note, +$32$ & $\cmuField$ & \type{byte[32]} & The $u$-coordinate of the \noteCommitment for the output \note, $\LEBStoOSPOf{256}{\cmU}$ where $\cmU = \ExtractJ(\cm)$. \\ \hline -$32$ & $\ephemeralKey$ & \type{char[32]} & An encoding of an ephemeral \Jubjub \publicKey, +$32$ & $\ephemeralKey$ & \type{byte[32]} & An encoding of an ephemeral \Jubjub \publicKey, $\LEBStoOSPOf{256}{\reprJ\Of{\EphemeralPublic}}$. \\ \hline -$580$ & $\encCiphertext$ & \type{char[580]} & A ciphertext component for the +$580$ & $\encCiphertext$ & \type{byte[580]} & A ciphertext component for the encrypted output \note, $\TransmitCiphertext{}$. \\ \hline -$80$ & $\outCiphertext$ & \type{char[80]} & A ciphertext component for the +$80$ & $\outCiphertext$ & \type{byte[80]} & A ciphertext component for the encrypted output \note, $\OutCiphertext{}$. \\ \hline -$192$ & $\zkproof$ & \type{char[192]} & An encoding of the \zkSNARKProof +$192$ & $\zkproof$ & \type{byte[192]} & An encoding of the \zkSNARKProof $\ProofOutput$ (see \crossref{groth}). \\ \hline \end{tabularx} 
@@ -10712,7 +10794,68 @@ The $\ephemeralKey$, $\encCiphertext$, and $\outCiphertext$ fields together form \vspace{-0.5ex} Other consensus rules applying to an \outputDescription are given in \crossref{outputdesc}. -} +} %sapling + + +\orchard{ +\introsection +\lsubsection{Action Description Encoding and Consensus}{actionencodingandconsensus} + +Let $\LEBStoOSP{}{}$ be as defined in \crossref{endian}. + +\vspace{-0.5ex} +Let $\reprPstar$ and $\ParamP{q}$ be as defined in \crossref{pallasandvesta}. + +\vspace{-0.5ex} +An abstract \actionDescription, as described in \crossref{actions}, is encoded in +a \transaction as an instance of an \type{ActionDescription} type as follows: + +\vspace{-2.5ex} +\begin{center} +\hbadness=2000 +\begin{tabularx}{0.92\textwidth}{|c|l|l|L|} +\hline +Bytes & \heading{Name} & \heading{Data Type} & \heading{Description} \\ +\hhline{|=|=|=|=|} + +$32$ & $\cvField$ & \type{byte[32]} & A \valueCommitment to the net value of the input \note +minus the output \note, $\LEBStoOSPOf{256}{\reprPstar\Of{\cv}}$. \\ \hline + +$32$ & $\nullifierField$ & \type{byte[32]} & The \nullifier of the input \note, $\nf$. \\ \hline + +$32$ & $\rkField$ & \type{byte[32]} & The randomized \validatingKey for $\spendAuthSig$, +$\LEBStoOSPOf{256}{\reprJ\Of{\AuthSignRandomizedPublic}\kern 0.05em}$. \\ \hline + +$32$ & $\cmuField$ & \type{byte[32]} & The $u$-coordinate of the \noteCommitment for the output \note, +$\LEBStoOSPOf{256}{\cmU}$ where $\cmU = \ExtractJ(\cm)$. \\ \hline + +$32$ & $\ephemeralKey$ & \type{byte[32]} & An encoding of an ephemeral \Jubjub \publicKey, +$\LEBStoOSPOf{256}{\reprJ\Of{\EphemeralPublic}}$. \\ \hline + +$580$ & $\encCiphertext$ & \type{byte[580]} & A ciphertext component for the +encrypted output \note, $\TransmitCiphertext{}$. \\ \hline + +$80$ & $\outCiphertext$ & \type{byte[80]} & A ciphertext component for the +encrypted output \note, $\OutCiphertext{}$. 
\\ \hline + +$2208$ & $\zkproof$ & \type{byte[2208]} & An encoding of the \zkSNARKProof +$\ProofAction$ (see \crossref{halo2}). \\ \hline + +$64$ & $\spendAuthSig$ & \type{byte[64]} & A signature authorizing this Spend. \\ \hline + +\end{tabularx} +\end{center} + +\vspace{-2ex} +The $\ephemeralKey$, $\encCiphertext$, and $\outCiphertext$ fields together form the +\noteCiphertextOrchard, which is computed as described in \crossref{saplinginband}. + +\vspace{-2ex} +\consensusrule{$\LEOStoIPOf{256}{\cmxField}$ \MUST be less than $\ParamP{q}$.} + +\vspace{-0.5ex} +Other consensus rules applying to an \actionDescription are given in \crossref{actiondesc}. +} %orchard \introsection 
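Review bot: Several rows of the new `ActionDescription` table still describe Jubjub/Sapling encodings although the section's preamble introduces `\reprPstar` and `\ParamP{q}`: `\rkField` and `\ephemeralKey` are encoded with `\reprJ` (the latter labelled "an ephemeral \Jubjub \publicKey"), and the commitment row is named `\cmuField` with `\ExtractJ`, while the consensus rule below it refers to `\cmxField`, which the table never defines — so the section's only rule is not bound to any field. The in-band reference also points at `\crossref{saplinginband}` rather than an Orchard section. The affected rows are rewritten below; the coordinate extractor must be the Pallas one from \crossref{pallasandvesta}, whose name is not visible in this diff. Separately, the change log in this patch records canonical-encoding / not-small-order rules for `\cv`, `\rk` and `\EphemeralPublic` in the Sapling descriptions; if \crossref{actiondesc} does not already state the analogues for an action, they should be added alongside the `\cmxField` rule, since otherwise a non-canonical or identity point would be accepted here.
```latex
$32$ & $\rkField$ & \type{byte[32]} & The randomized \validatingKey for $\spendAuthSig$,
$\LEBStoOSPOf{256}{\reprPstar\Of{\AuthSignRandomizedPublic}\kern 0.05em}$. \\ \hline

$32$ & $\cmxField$ & \type{byte[32]} & The $x$-coordinate of the \noteCommitment for the output \note,
encoded with $\LEBStoOSP{256}{}$. % TODO(review): use the Pallas coordinate extractor from \crossref{pallasandvesta}, not \ExtractJ

$32$ & $\ephemeralKey$ & \type{byte[32]} & An encoding of an ephemeral \publicKey on the curve of
\crossref{pallasandvesta}, $\LEBStoOSPOf{256}{\reprPstar\Of{\EphemeralPublic}}$. \\ \hline

% … unchanged: encCiphertext, outCiphertext, zkproof, spendAuthSig rows …

The $\ephemeralKey$, $\encCiphertext$, and $\outCiphertext$ fields together form the
\noteCiphertextOrchard. % TODO(review): cross-reference the Orchard in-band secret distribution section, not saplinginband
```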
@@ -10732,19 +10875,19 @@ $4$ & $\nVersion$ & \type{int32} & \defining{The \blockVersionNumber indicates w \block validation rules to follow.} The current and only defined \blockVersionNumber for \Zcash is $4$. \\ \hline -$32$ & $\hashPrevBlock$ & \type{char[32]} & A \shadHash hash in internal byte order of the +$32$ & $\hashPrevBlock$ & \type{byte[32]} & A \shadHash hash in internal byte order of the previous \block's \header. This ensures no previous \block can be changed without also changing this \block's \header. \\ \hline -$32$ & $\hashMerkleRoot$ & \type{char[32]} & A \shadHash hash in internal byte order. The +$32$ & $\hashMerkleRoot$ & \type{byte[32]} & A \shadHash hash in internal byte order. The merkle root is derived from the hashes of all \transactions included in this \block, ensuring that none of those \transactions can be modified without modifying the \header. \\ \hline $32$ & \sprout{$\hashReserved$} \notsprout{\Longunderstack[l]{$\hashReserved$ /\\ \sapling{$\hashFinalSaplingRoot$} \notbeforeheartwood{/}\\ \heartwood{$\hashLightClientRoot$} }} & -\type{char[32]} & +\type{byte[32]} & \presapling{A reserved field which should be ignored.} -\saplingandblossom{The \merkleRoot $\LEBStoOSPOf{256}{\rt}$ of the \Sapling{} +\saplingandblossom{The \merkleRoot $\LEBStoOSPOf{256}{\rt{Sapling}}$ of the \Sapling{} \noteCommitmentTree corresponding to the final \Sapling{} \treestate of this \block.} \heartwoodonward{The $\hashChainHistoryRoot$ of this \block.} \\ \hline 
@@ -10755,12 +10898,12 @@ $4$ & $\nBitsField$ & \type{uint32} & An encoded version of the \targetThreshold \header hash must be less than or equal to, in the same nBits format used by \Bitcoin. \cite{Bitcoin-nBits} \\ \hline -$32$ & $\nNonce$ & \type{char[32]} & An arbitrary field that miners can change to modify the +$32$ & $\nNonce$ & \type{byte[32]} & An arbitrary field that miners can change to modify the \header hash in order to produce a hash less than or equal to the \targetThreshold. \\ \hline -$3$ & $\solutionSize$ & \compactSize & The size of an \Equihash solution in bytes (always $1344$). \\ \hline +$3$ & $\solutionSize$ & \type{compactSize} & The size of an \Equihash solution in bytes (always $1344$). \\ \hline -$1344$ & $\solution$ & \type{char[1344]} & The \Equihash solution. \\ \hline +$1344$ & $\solution$ & \type{byte[1344]} & The \Equihash solution. \\ \hline \end{tabularx} \end{center} 
@@ -10793,13 +10936,13 @@ preceding \blocks if there are fewer than $\PoWMedianBlockSpan$). The \medianTim the \medianTimePast of that \block plus $90 \mult 60$ seconds. \item The size of a \block{} \MUST be less than or equal to $2000000$ bytes. \notheartwood{ - \saplingonwarditem{$\hashFinalSaplingRoot$ \MUST be $\LEBStoOSPOf{256}{\rt}$ where - $\rt$ is the \merkleRoot of the \Sapling{} \noteCommitmentTree for the final + \saplingonwarditem{$\hashFinalSaplingRoot$ \MUST be $\LEBStoOSPOf{256}{\rt{Sapling}}$ where + $\rt{Sapling}$ is the \merkleRoot of the \Sapling{} \noteCommitmentTree for the final \Sapling{} \treestate of this \block.} } \notbeforeheartwood{ - \saplingandblossomitem{$\hashLightClientRoot$ \MUST be $\LEBStoOSPOf{256}{\rt}$ where - $\rt$ is the \merkleRoot of the \Sapling{} \noteCommitmentTree for the final + \saplingandblossomitem{$\hashLightClientRoot$ \MUST be $\LEBStoOSPOf{256}{\rt{Sapling}}$ where + $\rt{Sapling}$ is the \merkleRoot of the \Sapling{} \noteCommitmentTree for the final \Sapling{} \treestate of this \block.} \heartwoodonwarditem{$\hashLightClientRoot$ \MUST be set to the value of $\hashChainHistoryRoot$ for this \block, as specified in \cite{ZIP-221}.} @@ -10828,7 +10971,7 @@ rejected by this rule at a given point in time may later be accepted. its interpretation. \item There is no relation between the values of the $\versionField$ field of a \transaction, and the $\nVersion$ field of a \blockHeader. - \item Like other serialized fields of type $\compactSize$, the $\solutionSize$ field \MUST + \item Like other serialized fields of type $\type{compactSize}$, the $\solutionSize$ field \MUST be encoded with the minimum number of bytes ($3$ in this case), and other encodings \MUST be rejected. This is necessary to avoid a potential attack in which a miner could test several distinct encodings of each \Equihash solution against the difficulty 
@@ -10866,7 +11009,7 @@ The changes relative to \Bitcoin version $4$ blocks as described in \cite{Bitcoi \item \Blockversions less than $4$ are not supported. \item The $\hashReserved$\sapling{ (or $\hashFinalSaplingRoot$)}, $\solutionSize$, and $\solution$ fields have been added. - \item The type of the $\nNonce$ field has changed from \type{uint32} to \type{char[32]}. + \item The type of the $\nNonce$ field has changed from \type{uint32} to \type{byte[32]}. \item The maximum \block size has been doubled to $2000000$ bytes. \end{itemize} @@ -11415,7 +11558,7 @@ recipient address represented by $\fsAddressList_{\fsAddressIndex(\BlockHeight)} P2SH multisig addresses, or \cite{Bitcoin-P2SH} for other P2SH addresses. \item The ``prescribed way" to pay a \Sapling address is as defined in \cite{ZIP-213}, using the post-\Heartwood consensus rules specified - for \Sapling outputs of \coinbaseTransactions in \crossref{txnencoding}. + for \Sapling outputs of \coinbaseTransactions in \crossref{txnencodingandconsensus}. \end{itemize} } %canopyonward } %consensusrule @@ -12169,6 +12312,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \item In the consensus rule that a \transaction with one or more \transparent inputs from \coinbaseTransactions{} \MUST have no \transparent outputs, explicitly say that inputs from \coinbaseTransactions include \fundingStream outputs. + \item Rename \type{char} to \type{byte} in field type declarations. \end{itemize} 
@@ -12325,7 +12469,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \canopy{ \item Specify that \shieldedOutputs of \coinbaseTransactions \MUST use v2 \notePlaintexts after \Canopy activation. - \item Correct a bug in \crossref{saplingdecryptovk}: $\EphemeralPrivate$ is only to be checked + \item Correct a bug in \crossref{decryptovk}: $\EphemeralPrivate$ is only to be checked against $\ToScalar{}\big(\PRFexpand{\NoteSeedBytes}([4])\kern-0.11em\big)$ when $\NotePlaintextLeadByte \neq \hexint{01}$. } %canopy @@ -12904,7 +13048,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. faithful to the implementation. \item Rename the $\texttt{cm}$ field of an \outputDescription to $\cmuField$, reflecting the fact that it is a \jubjubCurve $u$-coordinate. - \item Add explicit consensus rules that the $\anchorField$ field of a \spendDescription and the $\cmuField$ + \item Add explicit consensus rules that the $\anchorField{Sapling}$ field of a \spendDescription and the $\cmuField$ field of an \outputDescription{} must be canonical encodings. \item Enforce that $\EphemeralPrivate$ in $\outCiphertext$ is a canonical encoding. \item Add consensus rules that $\cv$ in a \spendDescription, and $\cv$ and $\EphemeralPublic$ in an @@ -13002,7 +13146,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \item Correct a subtle problem with the type of the value input to $\ValueCommitAlg{Sapling}$: although it is only directly used to commit to values in $\ValueType$, the security argument depends on a sum - of commitments being binding on $\ValueCommitType{Sapling}$. + of commitments being binding on $\ValueCommitTypeSapling$. \item Fix the loss of tightness in the use of $\PRFnfSapling{}$ by specifying the keyspace more precisely. \item Correct type ambiguities for $\NoteUniqueRand$. 
@@ -13141,7 +13285,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \item No changes to \Sprout. \sapling{ \item Add sections on \spendDescriptions and \outputDescriptions. - \item Swap order of $\cv$ and $\rt$ in a \spendDescription for consistency. + \item Swap order of $\cv$ and $\rt{}$ in a \spendDescription for consistency. \item Fix off-by-one error in the range of $\InViewingKey$. } \end{itemize} @@ -13459,7 +13603,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \begin{itemize} \item Correct the omission of $\solutionSize$ from the \blockHeader format. - \item Document that \compactSize{} encodings must be canonical. + \item Document that \type{compactSize}{} encodings must be canonical. \item Add a note about conformance language in the introduction. \item Add acknowledgements for Solar Designer, Ling Ren and Alison Stevenson, and for the NCC Group and Coinspect security audits. @@ -14885,7 +15029,7 @@ The \Sapling Spend \statement is defined in \crossref{spendstatement}. The primary input is \vspace{1ex} \begin{formulae} - \item $\oparen\rt \typecolon \MerkleHash{Sapling},\\ + \item $\oparen\rt{Sapling} \typecolon \MerkleHash{Sapling},\\ \hparen\cvOld{} \typecolon \ValueCommitOutput,\\ \hparen\nfOld{} \typecolon \PRFOutputNfSapling,\\ \hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic\cparen$, @@ -14893,7 +15037,7 @@ The primary input is which is encoded as $8$ $\GF{\ParamS{r}}$ elements (starting with the fixed element $1$ required by \Groth): \begin{formulae} \item $[1, \Selectu(\AuthSignRandomizedPublic), \Selectv(\AuthSignRandomizedPublic), - \Selectu(\cvOld{}), \Selectv(\cvOld{}), \LEBStoIPOf{\MerkleHashLength{Sapling}}{\rt}, + \Selectu(\cvOld{}), \Selectv(\cvOld{}), \LEBStoIPOf{\MerkleHashLength{Sapling}}{\rt{Sapling}}, \LEBStoIP{254}\big(\nfOldRepr{\!\barerange{0}{253}}\big), \LEBStoIP{2}\big(\nfOldRepr{\!\barerange{254}{255}}\big)]$ \end{formulae} \vspace{-2ex} 
@@ -15021,16 +15165,16 @@ Check & Implements & \heading{Cost} & Reference \\ $\cmU = \ExtractJ(\cm)$ & \snarkref{Merkle path validity}{spendmerklepathvalidity} & 0 & \\ \cline{1-1}\cline{3-4} - \raggedright $\rt'$ is the root of a Merkle tree with leaf $\cmU$, and authentication path $(\TreePath{}, \NotePositionRepr)$ + \raggedright $\rt{}'$ is the root of a Merkle tree with leaf $\cmU$, and authentication path $(\TreePath{}, \NotePositionRepr)$ & & 32 \mult 1380 & \shortcrossref{cctmerklepath} \\ \cline{1-1}\cline{3-4} $\NotePositionRepr = \ItoLEBSPOf{\MerkleDepth{Sapling}}{\NotePosition}$ & & 1 & \shortcrossref{cctmodpack} \\ \cline{1-1}\cline{3-4} - if $\vOld{} \neq 0$ then $\rt' = \rt$ + if $\vOld{} \neq 0$ then $\rt{}' = \rt{Sapling}$ & & 1 & \shortcrossref{cctcondeq} \\ \cline{1-1}\cline{3-4} - inputize $\rt$ + inputize $\rt{Sapling}$ & & ? & \\ \hline $\NoteUniqueRand = \MixingPedersenHash(\cmOld{}, \NotePosition)$