mirror of https://github.com/zcash/zips.git
Cosmetics.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
8171ec9bba
commit
63843cf2d3
|
@ -202,7 +202,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\varvv}{\varv\kern 0.02em\varv}
|
||||
|
||||
\newcommand{\hfrac}[2]{\scalebox{0.8}{$\genfrac{}{}{0.5pt}{0}{#1}{#2}$}}
|
||||
\newcommand{\ssqrt}[1]{\scalebox{0.64}[1]{$\sqrt{\scalebox{1.5625}[1]{${#1}\vphantom{b}$}}$}}
|
||||
\newcommand{\ssqrt}[1]{\rlap{\scalebox{0.64}[1]{$\sqrt{\scalebox{1.5625}[1]{${#1}\vphantom{b}$}}$}} %
|
||||
\hspace{0.005em}\scalebox{0.64}[1]{$\sqrt{\scalebox{1.5625}[1]{$\phantom{#1}\vphantom{b}$}}$}}
|
||||
|
||||
\RequirePackage[usenames,dvipsnames]{xcolor}
|
||||
% <https://en.wikibooks.org/wiki/LaTeX/Colors#The_68_standard_colors_known_to_dvips>
|
||||
|
@ -561,6 +562,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\xPedersenCommitments}{\term{Pedersen commitments}}
|
||||
\newcommand{\xPedersenValueCommitment}{\term{Pedersen value commitment}}
|
||||
\newcommand{\xPedersenValueCommitments}{\term{Pedersen value commitments}}
|
||||
\newcommand{\windowedPedersenCommitment}{\term{windowed Pedersen commitment}}
|
||||
\newcommand{\windowedPedersenCommitments}{\term{windowed Pedersen commitments}}
|
||||
\newcommand{\WindowedPedersenCommitment}{\titleterm{Windowed Pedersen Commitment}}
|
||||
\newcommand{\distinctXCriterion}{\term{distinct-$x$ criterion}}
|
||||
|
||||
% Conventions
|
||||
|
@ -569,7 +573,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\zeros}[1]{[0]^{#1}}
|
||||
\newcommand{\ones}[1]{[1]^{#1}}
|
||||
\newcommand{\bit}{\mathbb{B}}
|
||||
\newcommand{\byte}{\mathbb{Y}}
|
||||
\newcommand{\overlap}[2]{\rlap{#2}\hspace{#1}{#2}}
|
||||
\newcommand{\byte}{\mathbb{B}\kern -0.1em\raisebox{0.55ex}{\overlap{0.0001em}{\scalebox{0.7}{$\mathbb{Y}$}}}}
|
||||
\newcommand{\Nat}{\mathbb{N}}
|
||||
\newcommand{\PosInt}{\mathbb{N}^+}
|
||||
\newcommand{\Rat}{\mathbb{Q}}
|
||||
|
@ -590,6 +595,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\upto}{\text{ up to }}
|
||||
\newcommand{\downto}{\text{ down to }}
|
||||
\newcommand{\tand}{\text{ \;and\, }}
|
||||
\newcommand{\tor}{\text{ \;or\, }}
|
||||
\newcommand{\squash}{\!\!\!}
|
||||
\newcommand{\caseif}{\squash\text{if }}
|
||||
\newcommand{\caseotherwise}{\squash\text{otherwise}}
|
||||
|
@ -608,7 +614,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\ToTarget}{\mathsf{ToTarget}}
|
||||
\newcommand{\hexint}[1]{\mathtt{0x{#1}}}
|
||||
\newcommand{\dontcare}{\kern -0.06em\raisebox{0.1ex}{\footnotesize{$\times$}}}
|
||||
\newcommand{\ascii}[1]{\textbf{``\texttt{#1}"}}
|
||||
\newcommand{\ascii}[1]{\textbf{``\texttt{#1}''}}
|
||||
\newcommand{\Justthebox}[2][-1.3ex]{\;\raisebox{#1}{\usebox{#2}}\;}
|
||||
\newcommand{\hSigCRH}{\mathsf{hSigCRH}}
|
||||
\newcommand{\hSigLength}{\mathsf{\ell_{hSig}}}
|
||||
|
@ -627,7 +633,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\SHAFullBox}[1]{\SHAFull\left(\Justthebox{#1}\right)}
|
||||
\newcommand{\CRHivkBox}[1]{\CRHivk\left(\Justthebox{#1}\right)}
|
||||
\newcommand{\setof}[1]{\{{#1}\}}
|
||||
\newcommand{\barerange}[2]{{#1}\,..\,{#2}}
|
||||
\newcommand{\powerset}[1]{\mathscr{P}\!\left({#1}\right)}
|
||||
\newcommand{\barerange}[2]{{{#1}\,..\,{#2}}}
|
||||
\newcommand{\range}[2]{\setof{\barerange{#1}{#2}}}
|
||||
\newcommand{\rangenozero}[2]{\range{#1}{#2} \difference \setof{0}}
|
||||
\newcommand{\alln}{\barerange{1}{n}}
|
||||
|
@ -766,12 +773,12 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\CommitTrapdoor}{\CommitAlg\mathsf{.Trapdoor}}
|
||||
\newcommand{\CommitInput}{\CommitAlg\mathsf{.Input}}
|
||||
\newcommand{\CommitOutput}{\CommitAlg\mathsf{.Output}}
|
||||
\newcommand{\NoteCommitSproutAlg}{\mathsf{\sprout{COMM}\notsprout{NoteCommit^{Sprout}}}}
|
||||
\newcommand{\NoteCommitSproutAlg}{\mathsf{\sprout{COMM}\notsprout{NoteCommit}}^{\mathsf{Sprout}}}
|
||||
\newcommand{\NoteCommitSprout}[1]{\NoteCommitSproutAlg_{#1}}
|
||||
\newcommand{\NoteCommitSproutTrapdoor}{\NoteCommitSproutAlg\mathsf{.Trapdoor}}
|
||||
\newcommand{\NoteCommitSproutInput}{\NoteCommitSproutAlg\mathsf{.Input}}
|
||||
\newcommand{\NoteCommitSproutOutput}{\NoteCommitSproutAlg\mathsf{.Output}}
|
||||
\newcommand{\NoteCommitSaplingAlg}{\mathsf{NoteCommit^{Sapling}}}
|
||||
\newcommand{\NoteCommitSaplingAlg}{\mathsf{NoteCommit}^{\mathsf{Sapling}}}
|
||||
\newcommand{\NoteCommitSapling}[1]{\NoteCommitSaplingAlg_{#1}}
|
||||
\newcommand{\NoteCommitSaplingTrapdoor}{\NoteCommitSaplingAlg\mathsf{.Trapdoor}}
|
||||
\newcommand{\NoteCommitSaplingInput}{\NoteCommitSaplingAlg\mathsf{.Input}}
|
||||
|
@ -849,7 +856,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\ValueOld}[1]{\Value^\mathsf{old}_{#1}}
|
||||
\newcommand{\ValueCommitRand}{\mathsf{rcv}}
|
||||
\newcommand{\ValueCommitRandLength}{\mathsf{\ell_{\ValueCommitRand}}}
|
||||
\newcommand{\ValueCommitRandNew}[1]{\ValueCommitRand^\mathsf{new}_{#1}}
|
||||
\newcommand{\ValueCommitRandOld}{\ValueCommitRand^\mathsf{old}}
|
||||
\newcommand{\ValueCommitRandNew}{\ValueCommitRand^\mathsf{new}}
|
||||
\newcommand{\NoteTuple}[1]{\mathbf{n}_{#1}}
|
||||
\newcommand{\NoteTypeSprout}{\optSprout{\mathsf{Note}}}
|
||||
\newcommand{\NoteTypeSapling}{\mathsf{Note^{Sapling}}}
|
||||
|
@ -1124,9 +1132,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\Zero}{\mathcal{O}}
|
||||
\newcommand{\Generator}{\mathcal{P}}
|
||||
\newcommand{\Selectu}{\scalebox{1.52}{$u$}}
|
||||
\newcommand{\SelectuOf}[1]{\Selectu\!\left({#1}\right)}
|
||||
\newcommand{\SelectuOf}[1]{\Selectu\!\left({#1}\right)\!}
|
||||
\newcommand{\Selectv}{\scalebox{1.52}{$\varv$}}
|
||||
\newcommand{\SelectvOf}[1]{\Selectv\!\left({#1}\right)}
|
||||
\newcommand{\SelectvOf}[1]{\Selectv\!\left({#1}\right)\!}
|
||||
|
||||
\newcommand{\ParamP}[1]{{{#1}_\mathbb{P}}}
|
||||
\newcommand{\ParamPexp}[2]{{{#1}_\mathbb{P}\!}^{#2}}
|
||||
|
@ -1175,12 +1183,12 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\GenJ}{\Generator_{\GroupJ}}
|
||||
\newcommand{\ellJ}{\ell_{\GroupJ}}
|
||||
\newcommand{\reprJ}{\repr_{\GroupJ}}
|
||||
\newcommand{\reprJOf}[1]{\reprJ\!\left({#1}\right)}
|
||||
\newcommand{\reprJOf}[1]{\reprJ\!\left({#1}\right)\!}
|
||||
\newcommand{\abstJ}{\abst_{\GroupJ}}
|
||||
\newcommand{\abstJOf}[1]{\abstJ\!\left({#1}\right)}
|
||||
\newcommand{\abstJOf}[1]{\abstJ\!\left({#1}\right)\!}
|
||||
\newcommand{\ExtractJ}{\ParamJ{\mathsf{Extract}}}
|
||||
\newcommand{\FindGroupJHash}{\mathsf{FindGroupHash}^\mathbb{J}}
|
||||
\newcommand{\FindGroupJHashOf}[1]{\FindGroupJHash\!\left({#1}\right)}
|
||||
\newcommand{\FindGroupJHashOf}[1]{\FindGroupJHash\!\left({#1}\right)\!}
|
||||
|
||||
\newcommand{\ParamM}[1]{{{#1}_\mathbb{\hskip 0.03em M}}}
|
||||
\newcommand{\ParamMexp}[2]{{{#1}_\mathbb{\hskip 0.03em M}\!}^{#2}}
|
||||
|
@ -1245,25 +1253,28 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
|
||||
\newcommand{\consensusrule}[1]{\needspace{3ex}\subparagraph{Consensus rule:}{#1}}
|
||||
\newenvironment{consensusrules}{\introlist\subparagraph{Consensus rules:}\begin{itemize}}{\end{itemize}}
|
||||
\newcommand{\sproutonlyitem}[1]{\item \notsprout{[\Sprout only]\,} {#1}}
|
||||
\newcommand{\sproutspecificitem}[1]{\item \sproutspecific{#1}}
|
||||
\newcommand{\sproutonlyitem}[1]{\item \sproutonly{#1}}
|
||||
\newcommand{\saplingonwarditem}[1]{\sapling{\item {[\Sapling onward]}\, {#1}}}
|
||||
\newcommand{\prenuzeroitem}[1]{\item \notsprout{[Pre-\NUZero\!]\,} {#1}}
|
||||
\newcommand{\nuzeroonwarditem}[1]{\nuzero{\item {[\NUZero onward]}\, {#1}}}
|
||||
\newcommand{\prenuzeroitem}[1]{\item \prenuzero{#1}}
|
||||
\newcommand{\nuzeroonlyitem}[1]{\nuzero{\item {[\NUZero only, pre-\Sapling\!]}\, {#1}}}
|
||||
\newcommand{\nuzeroonwarditem}[1]{\nuzero{\item {[\NUZero onward]}\, {#1}}}
|
||||
\newcommand{\sproutspecific}[1]{\notsprout{[\Sprout\!]\,} {#1}}
|
||||
\newcommand{\sproutonly}[1]{\notsprout{[\Sprout only]\,} {#1}}
|
||||
\newcommand{\saplingonward}[1]{\sapling{[\Sapling onward]\, {#1}}}
|
||||
\newcommand{\prenuzero}[1]{\notsprout{[Pre-\NUZero\!]\,} {#1}}
|
||||
\newcommand{\nuzeroonward}[1]{\nuzero{[\NUZero onward]\, {#1}}}
|
||||
\newcommand{\nuzeroonly}[1]{\nuzero{[\NUZero only, pre-\Sapling\!]\, {#1}}}
|
||||
\newcommand{\nuzeroonward}[1]{\nuzero{[\NUZero onward]\, {#1}}}
|
||||
|
||||
\newcommand{\securityrequirement}[1]{\needspace{3ex}\subparagraph{Security requirement:}{#1}}
|
||||
\newenvironment{securityrequirements}{\introlist\subparagraph{Security requirements:}\begin{itemize}}{\end{itemize}}
|
||||
\newcommand{\pnote}[1]{\subparagraph{Note:}{#1}}
|
||||
\newenvironment{pnotes}{\introlist\subparagraph{Notes:}\begin{itemize}}{\end{itemize}}
|
||||
\newcommand{\sproutspecificpnote}[1]{\notsprout{[\Sprout\!]\,\,} \textbf{Note:\,} {#1}}
|
||||
\newcommand{\sproutonlypnote}[1]{\notsprout{[\Sprout only]\,\,} \textbf{Note:\,} {#1}}
|
||||
\newcommand{\prenuzeropnote}[1]{\notsprout{[Pre-\NUZero\!]\,\,} \textbf{Note:\,} {#1}}
|
||||
\newcommand{\nuzeroonwardpnote}[1]{\nuzero{[\NUZero onward]\,\,} \textbf{Note:\,} {#1}}
|
||||
\newcommand{\nuzeroonlypnote}[1]{\nuzero{[\NUZero only, pre-\Sapling\!]\,\,} \textbf{Note:\,} {#1}}
|
||||
\newcommand{\nuzeroonwardpnote}[1]{\nuzero{[\NUZero onward]\,\,} \textbf{Note:\,} {#1}}
|
||||
\newcommand{\fact}[1]{\subparagraph{Fact:}{#1}}
|
||||
\newcommand{\facts}[1]{\subparagraph{Facts:}{#1}}
|
||||
|
||||
|
@ -1327,8 +1338,7 @@ non-interactive arguments of knowledge (\zkSNARKs).
|
|||
|
||||
Changes from the original \Zerocash are explained in \crossref{differences},
|
||||
and highlighted in \changed{\changedcolor} throughout the document.
|
||||
\notsprout{
|
||||
Changes specific to the \NUZero upgrade (which are also changes from
|
||||
\notsprout{Changes specific to the \NUZero upgrade (which are also changes from
|
||||
\Zerocash) are highlighted in \nuzero{\nuzerocolor}.
|
||||
Changes specific to the \Sapling upgrade following \NUZero (which are also
|
||||
changes from \Zerocash) are highlighted in \sapling{\saplingcolor}.
|
||||
|
@ -1699,7 +1709,7 @@ from it.
|
|||
\sapling{\includegraphics[scale=.5]{key_components_sapling}}
|
||||
\end{center}
|
||||
|
||||
\sproutonly{
|
||||
\sproutspecific{
|
||||
The \receivingKey $\TransmitPrivate$, the \incomingViewingKey
|
||||
$\InViewingKey = (\AuthPublic, \TransmitPrivate)$, and the \paymentAddress
|
||||
$\PaymentAddress = (\AuthPublic, \TransmitPublic)$ are derived from
|
||||
|
@ -1783,9 +1793,11 @@ A \SproutOrNothing \note is a tuple $\changed{(\AuthPublic,
|
|||
is a random \commitmentTrapdoor as defined in \crossref{abstractcommit}.
|
||||
\end{itemize}
|
||||
|
||||
Let $\NoteTypeSprout$ be the type of a \SproutOrNothing \note,
|
||||
i.e.\ \changed{$\PRFOutput \times \range{0}{\MAXMONEY} \times \PRFOutput
|
||||
\times \NoteCommitSproutTrapdoor$}.
|
||||
Let $\NoteTypeSprout$ be the type of a \SproutOrNothing \note, i.e.
|
||||
\begin{formulae}
|
||||
\item $\NoteTypeSprout := \changed{\PRFOutput \times \range{0}{\MAXMONEY} \times \PRFOutput
|
||||
\times \NoteCommitSproutTrapdoor}$.
|
||||
\end{formulae}
|
||||
|
||||
\sapling{
|
||||
\vspace{2ex}
|
||||
|
@ -1802,9 +1814,12 @@ A \Sapling \note is a tuple $(\Diversifier, \DiversifiedTransmitPublic,
|
|||
is a random \commitmentTrapdoor as defined in \crossref{abstractcommit}.
|
||||
\end{itemize}
|
||||
|
||||
Let $\NoteTypeSapling$ be the type of a \Sapling \note,
|
||||
i.e.\ $\DiversifierType \times \bitseq{\ellJ} \times \range{0}{\MAXMONEY}
|
||||
\times \bitseq{\ellJ} \times \NoteCommitSaplingTrapdoor$.
|
||||
Let $\NoteTypeSapling$ be the type of a \Sapling \note, i.e.
|
||||
|
||||
\begin{formulae}
|
||||
\item $\NoteTypeSapling := \DiversifierType \times \bitseq{\ellJ} \times \range{0}{\MAXMONEY}
|
||||
\times \bitseq{\ellJ} \times \NoteCommitSaplingTrapdoor$.
|
||||
\end{formulae}
|
||||
}
|
||||
|
||||
Creation of new \notes is described in \crossref{send}. When \notes are sent,
|
||||
|
@ -1828,12 +1843,13 @@ where $\NoteCommitSprout{}$ is instantiated in \crossref{concretesproutcommit}.
|
|||
Let $\GroupJHash{}$ and $U$ be as defined in \crossref{concretegrouphashjubjub}.
|
||||
|
||||
A \Sapling \noteCommitment is computed as
|
||||
\begin{tabular}{@{\hskip 2em}r@{\;}l}
|
||||
$\DiversifiedTransmitBase$ &$:= \GroupJHash{U}(\ascii{Zcash\_gd}, \Diversifier)$ \\
|
||||
$\NoteCommitmentSapling(\NoteTuple{})$ &$:=
|
||||
\NoteCommitSapling{\NoteCommitRand}(\reprJOf{\DiversifiedTransmitBase}, \DiversifiedTransmitPublic, \Value)$
|
||||
\end{tabular}
|
||||
\vspace{-1ex}
|
||||
|
||||
\begin{formulae}
|
||||
\item $\DiversifiedTransmitBase := \GroupJHash{U}(\ascii{Zcash\_gd}, \Diversifier)$
|
||||
\item $\NoteCommitmentSapling(\NoteTuple{}) :=
|
||||
\NoteCommitSapling{\NoteCommitRand}(\reprJOf{\DiversifiedTransmitBase}, \DiversifiedTransmitPublic, \Value)$
|
||||
\end{formulae}
|
||||
\vspace{-1.5ex}
|
||||
where $\NoteCommitSapling{}$ is instantiated in \crossref{concretewindowedcommit}.
|
||||
|
||||
Notice that the above definition of a \Sapling \note does not have a
|
||||
|
@ -1932,7 +1948,9 @@ The remaining value in the \transparentValuePool{} \MUST be nonnegative.
|
|||
\notsprout{To each \transaction there are associated initial \treestates
|
||||
for \Sprout\sapling{ and for \Sapling}.}
|
||||
|
||||
\introlist
|
||||
\sprout{A}\sapling{Each} \treestate consists of:
|
||||
|
||||
\begin{itemize}
|
||||
\item a \noteCommitmentTree (\crossref{merkletree});
|
||||
\item a \nullifierSet (\crossref{nullifierset}).
|
||||
|
@ -2039,7 +2057,7 @@ Each \transaction has a sequence of \spendDescriptions and a sequence of
|
|||
\outputDescriptions.
|
||||
|
||||
To ensure balance, we use a homomorphic property of \xPedersenCommitments that
|
||||
allows them to be added and subtracted (as elliptic curve points). The result
|
||||
allows them to be added and subtracted, as elliptic curve points. The result
|
||||
of adding two \xPedersenValueCommitments, committing to values $\Value_1$ and
|
||||
$\Value_2$, is a new \xPedersenValueCommitment that commits to $\Value_1 + \Value_2$.
|
||||
Subtraction works similarly.
|
||||
|
@ -2517,13 +2535,13 @@ Given a represented group $\GroupG{}$ and a type $\CRSType$, we define a
|
|||
\vspace{-1ex}
|
||||
with the following security requirement.
|
||||
|
||||
\begin{securityrequirements}
|
||||
\item \textbf{Discrete Logarithm Independence:} For a randomly selected member
|
||||
$\GroupGHash{\CRS}$ of the family, it is infeasible to find
|
||||
\securityrequirement{\textbf{Discrete Logarithm Independence}
|
||||
|
||||
For a randomly selected member $\GroupGHash{\CRS}$ of the family, it is infeasible to find
|
||||
a sequence of distinct inputs $m_{\alln} \typecolon \typeexp{\bitseq{\ell}}{n}$
|
||||
and a sequence of nonzero scalars $x_{\alln} \typecolon \typeexp{\GFstar{\ParamG{r}}}{n}$
|
||||
such that $\vsum{i = 1}{n}\left(\scalarmult{x_i}{\GroupGHash{\CRS}(m_i)}\right) = \ZeroG{}$.
|
||||
\end{securityrequirements}
|
||||
}
|
||||
|
||||
\begin{pnotes}
|
||||
\item This property implies (and is stronger than) collision-resistance,
|
||||
|
@ -2968,7 +2986,7 @@ Then it creates each output \note with index $i \typecolon \setofNew$ as follows
|
|||
\begin{itemize}
|
||||
\item Choose $\NoteCommitRandNew{i}$ uniformly at random on $\bitseq{\NoteCommitRandLength}$.
|
||||
\changed{
|
||||
\item Compute $\NoteAddressRandNew{i} := \PRFrho{\NoteAddressPreRand}(i, \hSig)$.
|
||||
\item Compute $\NoteAddressRandNew{i} = \PRFrho{\NoteAddressPreRand}(i, \hSig)$.
|
||||
}
|
||||
\item Encrypt the \note to the recipient \transmissionKey $\TransmitPublicNew{i}$,
|
||||
as described in \crossref{inband}, giving the ciphertext component
|
||||
|
@ -3194,18 +3212,14 @@ $\JoinSplitSigVerify{\text{\small\joinSplitPubKey}}(\dataToBeSigned, \joinSplitS
|
|||
Let $\hSig$ be computed as specified in \crossref{joinsplitdesc}, and let
|
||||
$\PRFpk{}$ be as defined in \crossref{abstractprfs}.
|
||||
|
||||
\sproutonly{
|
||||
For each $i \in \setofOld$, the creator of a \joinSplitDescription calculates
|
||||
$\h{i} = \PRFpk{\AuthPrivateOld{i}}(i, \hSig)$.
|
||||
}
|
||||
|
||||
\sproutonly{
|
||||
The correctness of $\h{\allOld}$ is enforced by the \joinSplitStatement
|
||||
given in \crossref{sproutnonmalleablejs}. This ensures that a holder of
|
||||
all of the $\AuthPrivateOld{\allOld}$ for every \joinSplitDescription in the
|
||||
\transaction has authorized the use of the private signing key corresponding
|
||||
to $\joinSplitPubKey$ to sign this \transaction.
|
||||
}
|
||||
|
||||
\saplingonward{
|
||||
\todo{Specify the \spendAuthSignature.}
|
||||
|
@ -3222,13 +3236,11 @@ treated like an \emph{output} value, whereas} $\vpubNew$ is treated like an
|
|||
\emph{input} value.
|
||||
|
||||
\changed{
|
||||
\sproutonlypnote{
|
||||
Unlike original \Zerocash \cite{BCG+2014}, \Zcash does not have
|
||||
a distinction between Mint and Pour operations. The addition of $\vpubOld$ to a
|
||||
\joinSplitDescription subsumes the functionality of both Mint and Pour. Also,
|
||||
a difference in the number of real input \notes does not by itself cause two
|
||||
\joinSplitDescriptions to be distinguishable.
|
||||
}
|
||||
|
||||
As stated in \crossref{joinsplitdesc}, either $\vpubOld$ or $\vpubNew$ \MUST be zero.
|
||||
No generality is lost because, if a \transaction in which both $\vpubOld$ and
|
||||
|
@ -3359,7 +3371,7 @@ for each $i \in \setofNew$:
|
|||
$\NoteAddressRandNew{i} = \PRFrho{\NoteAddressPreRand}(i, \hSig)$.
|
||||
}
|
||||
|
||||
\subparagraph{Commitment integrity} \label{sproutcommitmentintegrity}
|
||||
\subparagraph{Note commitment integrity} \label{sproutcommitmentintegrity}
|
||||
|
||||
for each $i \in \setofNew$: $\cmNew{i}$ = $\NoteCommitSprout(\nNew{i})$.
|
||||
|
||||
|
@ -3460,7 +3472,7 @@ For both encryption and decryption,
|
|||
\crossref{concretesproutkdf}.
|
||||
\item Let $\KASprout$\sapling{ and $\KASapling$} be the \keyAgreementSchemes instantiated in
|
||||
\crossref{concretekaandkdf}.
|
||||
\item \sproutonly{Let $\hSig$ be the value computed for this \joinSplitDescription in
|
||||
\item \sproutspecific{Let $\hSig$ be the value computed for this \joinSplitDescription in
|
||||
\crossref{joinsplitdesc}.}
|
||||
\end{itemize}
|
||||
}
|
||||
|
@ -3518,27 +3530,27 @@ Then for each $i \in \setofNew$, the recipient will attempt to decrypt that ciph
|
|||
component as follows:
|
||||
|
||||
\changed{
|
||||
\begin{itemize}
|
||||
\item Let $\DHSecret{i} := \KASproutAgree(\TransmitPrivate, \EphemeralPublic)$.
|
||||
\item Let $\TransmitKey{i} := \KDFSprout(i, \hSig, \DHSecret{i}, \EphemeralPublic,
|
||||
\TransmitPublic)$.
|
||||
\item Return $\DecryptNote(\TransmitKey{i}, \TransmitCiphertext{i}, \cmNew{i},
|
||||
\begin{formulae}
|
||||
\item let $\DHSecret{i} = \KASproutAgree(\TransmitPrivate, \EphemeralPublic)$
|
||||
\item let $\TransmitKey{i} = \KDFSprout(i, \hSig, \DHSecret{i}, \EphemeralPublic,
|
||||
\TransmitPublic)$
|
||||
\item return $\DecryptNote(\TransmitKey{i}, \TransmitCiphertext{i}, \cmNew{i},
|
||||
\AuthPublic).$
|
||||
\end{itemize}
|
||||
\end{formulae}
|
||||
|
||||
\introlist
|
||||
$\DecryptNote(\TransmitKey{i}, \TransmitCiphertext{i}, \cmNew{i}, \AuthPublic)$
|
||||
is defined as follows:
|
||||
|
||||
\begin{itemize}
|
||||
\item Let $\TransmitPlaintext{i} :=
|
||||
\SymDecrypt{\TransmitKey{i}}(\TransmitCiphertext{i})$.
|
||||
\item If $\TransmitPlaintext{i} = \bot$, return $\bot$.
|
||||
\item Extract $\NotePlaintext{i} = (\ValueNew{i},
|
||||
\NoteAddressRandNew{i}, \NoteCommitRandNew{i}, \Memo_i)$ from $\TransmitPlaintext{i}$.
|
||||
\item If $\NoteCommitSprout((\AuthPublic, \ValueNew{i}, \NoteAddressRandNew{i},
|
||||
\begin{formulae}
|
||||
\item let $\TransmitPlaintext{i} =
|
||||
\SymDecrypt{\TransmitKey{i}}(\TransmitCiphertext{i})$
|
||||
\item if $\TransmitPlaintext{i} = \bot$, return $\bot$
|
||||
\item extract $\NotePlaintext{i} = (\ValueNew{i},
|
||||
\NoteAddressRandNew{i}, \NoteCommitRandNew{i}, \Memo_i)$ from $\TransmitPlaintext{i}$
|
||||
\item if $\NoteCommitSprout((\AuthPublic, \ValueNew{i}, \NoteAddressRandNew{i},
|
||||
\NoteCommitRandNew{i})) \neq \cmNew{i}$, return $\bot$, else return $\NotePlaintext{i}$.
|
||||
\end{itemize}
|
||||
\end{formulae}
|
||||
}
|
||||
|
||||
To test whether a \note is unspent in a particular \blockchain also requires
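Review bot: The `:=` versus `=` convention comes out inconsistent across this commit: the decryption steps here move from `Let $\DHSecret{i} := \dots$` to `let $\DHSecret{i} = \dots$`, and the $\NoteAddressRandNew{i}$ step in the earlier hunk also drops `:=`, while the curve parameters, $\ellJ$ and $\PRGExpandSeed{}$ later in the same commit go the other way from `=` to `:=`. If the intended rule is that `:=` introduces a definition and `=` is an assignment step inside an algorithm, that is a sensible split, but a reader cannot infer it from the text. A one-line statement under the Conventions heading, e.g. `$x := y$ denotes a definition; within an algorithm, $x = y$ denotes computing $x$ as $y$.`, would make it explicit and make stray deviations easy to spot in later edits.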
|
||||
|
@ -3681,6 +3693,7 @@ in \cite[section 5.1]{NIST2015}; i.e.\ the input to $\SHACompress$ is what
|
|||
\cite[section 5.2]{NIST2015} refers to as ``the message and its padding''.
|
||||
The Initial Hash Value is the same as for full $\SHAFull$.
|
||||
|
||||
\introlist
|
||||
\Zcash uses $\SHACompress$ to instantiate several \pseudoRandomFunctions and
|
||||
$\MerkleCRHSprout$.
|
||||
|
||||
|
@ -3702,6 +3715,7 @@ $\BlakeTwob{\ell}(p, x)$ refers to unkeyed $\BlakeTwob{\ell}$
|
|||
in sequential mode, with an output digest length of $\ell/8$ bytes,
|
||||
$16$-byte personalization string $p$, and input $x$.
|
||||
|
||||
\introlist
|
||||
$\BlakeTwobGeneric$ is used to instantiate $\hSigCRH$, $\EquihashGen{}$,
|
||||
and $\KDFSprout$.
|
||||
\nuzero{From \NUZero onward, it is used to compute \sighashTxHashes.}
|
||||
|
@ -3923,7 +3937,7 @@ Let $\ExtractJ$ be as defined in \crossref{concreteextractorjubjub}.
|
|||
|
||||
Let $\FindGroupJHash$ be as defined in \crossref{concretegrouphashjubjub}.
|
||||
|
||||
Let $c = 63$.
|
||||
Let $c := 63$.
|
||||
|
||||
\newsavebox{\gencountbox}
|
||||
\begin{lrbox}{\gencountbox}
|
||||
|
@ -3949,9 +3963,9 @@ Define $\PedersenHashToPoint(D \typecolon \byteseq{8}, M \typecolon \bitseq{\Pos
|
|||
\begin{formulae}
|
||||
\item Pad $M$ to a multiple of $3$ bits by appending zero bits, giving $M'$.
|
||||
\item Let $n = \ceiling{\hfrac{\length(M')}{3 \mult c}}$.
|
||||
\item Split $M'$ into $n$ \quotedterm{segments} $M_{\barerange{1}{n}}$
|
||||
so that $M' = \concatbits(M_{\barerange{1}{n}})$, and
|
||||
each of $M_{\barerange{1}{n-1}}$ is of length $3 \smult c$ bits.
|
||||
\item Split $M'$ into $n$ \quotedterm{segments} $M_\barerange{1}{n}$
|
||||
so that $M' = \concatbits(M_\barerange{1}{n})$, and
|
||||
each of $M_\barerange{1}{n-1}$ is of length $3 \smult c$ bits.
|
||||
($M_n$ may be shorter.)
|
||||
\item Return $\vsum{i=1}{n} \scalarmult{\PedersenEncode{M_i}}{\PedersenGen{D}{i}} \typecolon \GroupJ$.
|
||||
\end{formulae}
|
||||
|
@ -3962,8 +3976,8 @@ $\PedersenEncode{\paramdot} \typecolon \bitseq{3 \mult \range{1}{c}} \rightarrow
|
|||
|
||||
\begin{formulae}
|
||||
\item Let $k_i = \length(M_i)/3$.
|
||||
\item Split $M_i$ into $3$-bit \quotedterm{chunks} $m_{\barerange{1}{k_i}}$
|
||||
so that $M_i = \concatbits(m_{\barerange{1}{k_i}})$.
|
||||
\item Split $M_i$ into $3$-bit \quotedterm{chunks} $m_\barerange{1}{k_i}$
|
||||
so that $M_i = \concatbits(m_\barerange{1}{k_i})$.
|
||||
\item Write each $m_j$ as $[\sj{0}, \sj{1}, \sj{2}]$, and let
|
||||
$\enc(m_j) = (1 - 2 \smult \sj{2}) \mult (1 + \sj{0} + 2 \smult \sj{1})$.
|
||||
\item Let $\PedersenEncode{M_i} = \vsum{j=1}{k_i} \enc(m_j) \mult 2^{4 \mult (j-1)}$.
|
||||
|
@ -4041,7 +4055,7 @@ We define $\MixingPedersenHash{D} \typecolon \byteseq{8} \times \GroupJ \times \
|
|||
\rightarrow \GroupJ$ by:
|
||||
|
||||
\begin{formulae}
|
||||
\item $\MixingPedersenHash(D, P, x) := P + \scalarmult{x}{\FindGroupJHashOf(D, \ascii{})}$.
|
||||
\item $\MixingPedersenHash(D, P, x) := P + \scalarmult{x}{\FindGroupJHashOf{D, \ascii{}}}$.
|
||||
\end{formulae}
|
||||
|
||||
\securityrequirement{
|
||||
|
@ -4087,7 +4101,7 @@ Let $\powcount(g) := \Justthebox{\powcountbox}$.
|
|||
\vspace{2ex}
|
||||
\introlist
|
||||
% Blech. Dijkstra was right \cite{EWD831}.
|
||||
Let $\EquihashGen{n, k}(S, i) := T_{\barerange{h+1}{h+n}}$, where
|
||||
Let $\EquihashGen{n, k}(S, i) := T_\barerange{h+1}{h+n}$, where
|
||||
\begin{formulae}
|
||||
\item $m := \floor{\frac{512}{n}}$;
|
||||
\item $h := (i-1 \bmod m) \mult n$;
|
||||
|
@ -4115,8 +4129,9 @@ $n = 200$).
|
|||
\introsection
|
||||
\nsubsubsection{\PseudoRandomFunctions} \label{concreteprfs}
|
||||
|
||||
The \changed{four} independent PRFs described in \crossref{abstractprfs} are
|
||||
all instantiated using the \shaCompressFunction defined in \crossref{concretesha256}:
|
||||
$\PRFaddr{}$, $\PRFnf{}$, $\PRFpk{}$\changed{, and $\PRFrho{}$},
|
||||
described in \crossref{abstractprfs}, are all instantiated using the \shaCompressFunction
|
||||
defined in \crossref{concretesha256}:
|
||||
|
||||
\newcommand{\iminusone}{\hspace{0.3pt}\scriptsize{$i$\hspace{0.6pt}-1}}
|
||||
|
||||
|
@ -4215,7 +4230,7 @@ $\PRGExpandSeed{}$, described in \crossref{abstractprgs}, maps a
|
|||
\Sapling \spendingKey to an \expandedSeed:
|
||||
|
||||
\begin{formulae}
|
||||
\item $\PRGExpandSeed{\AuthPrivateSeed}() = \BlakeTwob{512}(\ascii{Zcash\_ExpandSeed}, \AuthPrivateSeed)$
|
||||
\item $\PRGExpandSeed{\AuthPrivateSeed}() := \BlakeTwob{512}(\ascii{Zcash\_ExpandSeed}, \AuthPrivateSeed)$
|
||||
\end{formulae}
|
||||
|
||||
(The \expandedSeed is used to derive the \authSigningKey $\AuthSignPrivate$
|
||||
|
@ -4550,11 +4565,11 @@ instantiated using $\RawPedersenCommit{}$ as follows:
|
|||
|
||||
The \representedPairing $\BNCurve$ is defined in this section.
|
||||
|
||||
Let $\ParamG{q} = 21888242871839275222246405745257275088696311157297823662689037894645226208583$.
|
||||
Let $\ParamG{q} := 21888242871839275222246405745257275088696311157297823662689037894645226208583$.
|
||||
|
||||
Let $\ParamG{r} = 21888242871839275222246405745257275088548364400416034343698204186575808495617$.
|
||||
Let $\ParamG{r} := 21888242871839275222246405745257275088548364400416034343698204186575808495617$.
|
||||
|
||||
Let $\ParamG{b} = 3$.
|
||||
Let $\ParamG{b} := 3$.
|
||||
|
||||
(\hairspace $\ParamG{q}$ and $\ParamG{r}$ are prime.)
|
||||
|
||||
|
@ -4578,12 +4593,12 @@ $\GroupG{1} \times \GroupG{2} \rightarrow \GroupG{T}$.
|
|||
|
||||
For $i \typecolon \range{1}{2}$, let $\ZeroG{i}$ be the point at infinity
|
||||
(which is the additive identity) in $\GroupG{i}$, and let
|
||||
$\GroupGstar{i} = \GroupG{i} \setminus \setof{\ZeroG{i}}$.
|
||||
$\GroupGstar{i} := \GroupG{i} \setminus \setof{\ZeroG{i}}$.
|
||||
|
||||
Let $\GenG{1} \typecolon \GroupGstar{1} = (1, 2)$.
|
||||
Let $\GenG{1} \typecolon \GroupGstar{1} := (1, 2)$.
|
||||
|
||||
\begin{tabular}{@{}l@{}r@{}l@{}}
|
||||
Let $\GenG{2} \typecolon \GroupGstar{2} =\;$
|
||||
Let $\GenG{2} \typecolon \GroupGstar{2} :=\;$
|
||||
% are these the right way round?
|
||||
&$(11559732032986387107991004021392285783925812861821192530917403151452391805634$ & $\mult\, t\;+$ \\
|
||||
&$ 10857046999023057135944570762232829481370756359578518086990519993285655852781$ & $, $ \\
|
||||
|
@ -4712,13 +4727,13 @@ The \representedPairing $\BLSCurve$ is defined in this section. Parameters are t
|
|||
\cite{Bowe2017}.
|
||||
|
||||
\introlist
|
||||
Let $\ParamS{q} =\;$\scalebox{0.812}[1]{$4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559787$}.
|
||||
Let $\ParamS{q} :=\;$\scalebox{0.812}[1]{$4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559787$}.
|
||||
|
||||
Let $\ParamS{r} = 52435875175126190479447740508185965837690552500527637822603658699938581184513$.
|
||||
Let $\ParamS{r} := 52435875175126190479447740508185965837690552500527637822603658699938581184513$.
|
||||
|
||||
Let $\ParamS{u} = -15132376222941642752$.
|
||||
Let $\ParamS{u} := -15132376222941642752$.
|
||||
|
||||
Let $\ParamS{b} = 4$.
|
||||
Let $\ParamS{b} := 4$.
|
||||
|
||||
(\hairspace $\ParamS{q}$ and $\ParamS{r}$ are prime.)
|
||||
|
||||
|
@ -4741,13 +4756,13 @@ Let $\PairingS$ be the optimized ate pairing of type
|
|||
$\GroupS{1} \times \GroupS{2} \rightarrow \GroupS{T}$.
|
||||
|
||||
For $i \typecolon \range{1}{2}$, let $\ZeroS{i}$ be the point at infinity in $\GroupS{i}$,
|
||||
and let $\GroupSstar{i} = \GroupS{i} \setminus \setof{\ZeroS{i}}$.
|
||||
and let $\GroupSstar{i} := \GroupS{i} \setminus \setof{\ZeroS{i}}$.
|
||||
|
||||
\introlist
|
||||
Let $\GenS{1} \typecolon \GroupSstar{1} = (1, 2)$.
|
||||
Let $\GenS{1} \typecolon \GroupSstar{1} := (1, 2)$.
|
||||
|
||||
\begin{tabular}{@{}l@{}r@{}l@{}}
|
||||
Let $\GenS{2} \typecolon \GroupSstar{2} =\;$
|
||||
Let $\GenS{2} \typecolon \GroupSstar{2} :=\;$
|
||||
% are these the right way round?
|
||||
&$(11559732032986387107991004021392285783925812861821192530917403151452391805634$ & $\mult\, t\;+$ \\
|
||||
&$ 10857046999023057135944570762232829481370756359578518086990519993285655852781$ & $, $ \\
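Review bot: The $\GenS{2}$ coordinates on the new side (11559732032986387…$\mult t$ + 10857046999023057…) are the same numbers given for $\GenG{2}$ in the BN section, and $\GenS{1} := (1, 2)$ repeats the BN $\GenG{1}$ as well; with $\ParamS{b} := 4$, the point $(1, 2)$ has $2^2 = 4 \neq 1^3 + 4$, so it cannot lie on a curve of the form $y^2 = x^3 + \ParamS{b}$. These look like placeholders copied from the BN section that the `=`→`:=` change leaves in place, and the `% are these the right way round?` comment is carried over with them. Since the generators are normative for anyone implementing the Sapling proving system, I would either fill in the BLS12-381 generators from \cite{Bowe2017} now or mark the values with `\todo{BLS12-381 generators are placeholders copied from the BN section; replace and verify.}` so they cannot be mistaken for final.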
|
||||
|
@ -4816,22 +4831,22 @@ curve.
|
|||
|
||||
The \representedGroup $\JubjubCurve$ is defined in this section.
|
||||
|
||||
Let $\ParamJ{q} = \ParamS{r}$, as defined in \crossref{blspairing}.
|
||||
Let $\ParamJ{q} := \ParamS{r}$, as defined in \crossref{blspairing}.
|
||||
|
||||
Let $\ParamJ{r} = 6554484396890773809930967563523245729705921265872317281365359162392183254199$.
|
||||
Let $\ParamJ{r} := 6554484396890773809930967563523245729705921265872317281365359162392183254199$.
|
||||
|
||||
(\hairspace $\ParamJ{q}$ and $\ParamJ{r}$ are prime.)
|
||||
|
||||
Let $\ParamJ{a} = -1$.
|
||||
Let $\ParamJ{a} := -1$.
|
||||
|
||||
Let $\ParamJ{d} = -10240/10241 \pmod{\ParamJ{q}}$.
|
||||
Let $\ParamJ{d} := -10240/10241 \pmod{\ParamJ{q}}$.
|
||||
|
||||
Let $\GroupJ$ be the group of points $(u, \varv)$ on a twisted Edwards curve $\CurveJ$
|
||||
over $\GF{\ParamJ{q}}$ with equation $\ParamJ{a} \smult u^2 + \varv^2 = 1 + \ParamJ{d} \smult u^2 \smult \varv^2$.
|
||||
The zero point with coordinates $(0, 1)$ is denoted $\ZeroJ$.
|
||||
$\GroupJ$ has order $8 \smult \ParamJ{r}$.
|
||||
|
||||
Let $\ellJ = 256$.
|
||||
Let $\ellJ := 256$.
|
||||
|
||||
Define $\ItoLEBSP{} \typecolon (\ell \typecolon \Nat) \times \range{0}{2^\ell\!-\!1} \rightarrow \bitseq{\ell}$
|
||||
as in \crossref{endian}.
|
||||
|
@ -4950,7 +4965,7 @@ The hash $\GroupJHash{\CRS}(D, M)$ is calculated as follows:
|
|||
\end{lrbox}
|
||||
|
||||
\begin{formulae}
|
||||
\item $\Justthebox{\ghintbox} := \BlakeTwos{256}(D,\, \CRS \bconcat\, M))$
|
||||
\item $\Justthebox{\ghintbox} := \BlakeTwos{256}(D,\, \CRS \bconcat\, M)$
|
||||
\item $P := \abstJOf{p}$
|
||||
\item If $P = \bot$ then return $\bot$.
|
||||
\item $Q := \scalarmult{8}{P}$
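Review bot: The dropped stray parenthesis in the $\BlakeTwos{256}$ line is correct, but the hunk ends right after `$Q := \scalarmult{8}{P}$`, so I cannot see whether the algorithm rejects $Q = \ZeroJ$. The Discrete Logarithm Independence requirement in this commit quantifies over nonzero scalars, which for a single input already needs $\GroupGHash{\CRS}(m)$ to be nonzero, and since $\GroupJ$ has order $8 \smult \ParamJ{r}$, multiplying a point of small order by $8$ lands on $\ZeroJ$. If the check is not already present below, add `\item If $Q = \ZeroJ$ then return $\bot$.` before $Q$ is returned. The formulae environment continues past the end of the hunk.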
|
||||
|
@ -5349,8 +5364,9 @@ cause the first two characters of the Base58Check encoding to be fixed as
|
|||
A \Sapling \paymentAddress consists of $\Diversifier \typecolon \DiversifierType$
|
||||
and $\DiversifiedTransmitPublic \typecolon \KASaplingPublic$.
|
||||
|
||||
$\Diversifier$ is a bit sequence, encoded as 11 bytes.
|
||||
$\DiversifiedTransmitPublic$ is a $\KASaplingPublic$ key (see \crossref{concretesaplingkeyagreement}),
|
||||
$\Diversifier$ is a sequence of 11 bytes.
|
||||
$\DiversifiedTransmitPublic$ is an encoding of a $\KASaplingPublic$ key
|
||||
(see \crossref{concretesaplingkeyagreement}),
|
||||
for use with the encryption scheme defined in \crossref{inband}.
|
||||
These components are derived as described in \crossref{saplingkeycomponents}.
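Review bot: "an encoding of a $\KASaplingPublic$ key" on the new side does not say which encoding, although the note-commitment hunk in the same commit spells the Jubjub encoding out as $\reprJ$, and the address format is consensus-relevant for anyone parsing it. I would write `$\DiversifiedTransmitPublic$ is a $\KASaplingPublic$ key (see \crossref{concretesaplingkeyagreement}), encoded using $\reprJ$ as defined for $\JubjubCurve$,` or similar. Since $\abstJ$ can return $\bot$, as the group-hash hunk shows, it is also worth one sentence saying that an address whose $\DiversifiedTransmitPublic$ does not decode to a point of $\GroupJ$ is invalid; if that rule already lives elsewhere in the document, a cross-reference here would do.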
|
||||
|
||||
|
@ -5918,7 +5934,7 @@ Consensus rules applying to an \outputDescription are given in \crossref{outputd
|
|||
}
|
||||
|
||||
|
||||
\introlist
|
||||
\introsection
|
||||
\nsubsection{\BlockHeader} \label{blockheader}
|
||||
|
||||
The \Zcash \blockHeader format is as follows:
|
||||
|
@ -6066,11 +6082,11 @@ such that $n$ is a multiple of $k+1$. We assume $k \geq 3$.
|
|||
The Equihash parameters for the production and test networks are $n = 200, k = 9$.
|
||||
|
||||
The Generalized Birthday Problem is defined as follows: given a sequence
|
||||
$X_{\barerange{1}{\mathrm{N}}}$ of $n$-bit strings, find $2^k$ distinct $X_{i_j}$ such that
|
||||
$X_\barerange{1}{\mathrm{N}}$ of $n$-bit strings, find $2^k$ distinct $X_{i_j}$ such that
|
||||
$\vxor{j=1}{2^k} X_{i_j} = 0$.
|
||||
|
||||
\introlist
|
||||
In Equihash, $\mathrm{N} = 2^{\frac{n}{k+1}+1}$, and the sequence $X_{\barerange{1}{\mathrm{N}}}$ is
|
||||
In Equihash, $\mathrm{N} = 2^{\frac{n}{k+1}+1}$, and the sequence $X_\barerange{1}{\mathrm{N}}$ is
|
||||
derived from the \blockHeader and a nonce:
|
||||
|
||||
\newsavebox{\powheaderbox}
|
||||
|
@ -6332,7 +6348,7 @@ one of $\NumFounderAddresses$ \transparent addresses, depending on the \blockHei
|
|||
|
||||
\renewcommand{\arraystretch}{0.95}
|
||||
|
||||
For the production network, $\FounderAddressList_{\barerange{\mathrm{1}}{\NumFounderAddresses}}$ is:
|
||||
For the production network, $\FounderAddressList_\barerange{\mathrm{1}}{\NumFounderAddresses}$ is:
|
||||
|
||||
\begin{tabular}{@{\hskip 2.5em}l@{\;}l}
|
||||
[& \ascii{t3Vz22vK5z2LcKEdg16Yv4FFneEL1zg9ojd}, \ascii{t3cL9AucCajm3HXDhb5jBnJK2vapVoXsop3}, \\
|
||||
|
@ -6362,7 +6378,7 @@ For the production network, $\FounderAddressList_{\barerange{\mathrm{1}}{\NumFou
|
|||
\end{tabular}
|
||||
|
||||
\introlist
|
||||
For the test network, $\FounderAddressList_{\barerange{\mathrm{1}}{\NumFounderAddresses}}$ is:
|
||||
For the test network, $\FounderAddressList_\barerange{\mathrm{1}}{\NumFounderAddresses}$ is:
|
||||
|
||||
\begin{tabular}{@{\hskip 2.5em}l@{\;}l}
|
||||
[& \ascii{t2UNzUUx8mWBCRYPRezvA363EYXyEpHokyi}, \ascii{t2N9PH9Wk9xjqYg9iin1Ua3aekJqfAtE543}, \\
|
||||
|
@ -6630,7 +6646,7 @@ can recover access to (and be sure that they are able to spend) all
|
|||
of their funds, even if they have forgotten everything but the
|
||||
\spendingKey.
|
||||
|
||||
\sproutonly{
|
||||
\sproutspecific{
|
||||
Instead, \Zcash enforces that an adversary must choose distinct values
|
||||
for each $\NoteAddressRand$, by making use of the fact that all of the
|
||||
\nullifiers in \joinSplitDescriptions that appear in a \validBlockchain
|
||||
|
@ -6646,7 +6662,7 @@ this uniqueness property robust even if the \transaction creator is an
|
|||
adversary.)
|
||||
}
|
||||
|
||||
\sproutonly{
|
||||
\sproutspecific{
|
||||
The $\NoteAddressRand$ value for each output \note is then derived from
|
||||
a random private seed $\NoteAddressPreRand$ and $\hSig$ using
|
||||
$\PRFrho{\NoteAddressPreRand}$. The correct construction of
|
||||
|
@ -6654,7 +6670,7 @@ $\NoteAddressRand$ for each output \note is enforced by
|
|||
\crossref{sproutuniquerho} in the \joinSplitStatement.
|
||||
}
|
||||
|
||||
\sproutonly{
|
||||
\sproutspecific{
|
||||
Now even if the creator of a \joinSplitDescription does not choose
|
||||
$\NoteAddressPreRand$ randomly, uniqueness of \nullifiers and
|
||||
collision resistance of both $\hSigCRH$ and $\PRFrho{}$ will ensure
|
||||
|
@ -6670,7 +6686,7 @@ $\PRFnf{\AuthPrivate}(\NoteAddressRand)$, this is only possible if
|
|||
the adversary finds a collision (across both inputs) on $\PRFnf{}$,
|
||||
which is assumed to be infeasible --- see \crossref{abstractprfs}.
|
||||
|
||||
\sproutonly{
|
||||
\sproutspecific{
|
||||
Crucially, ``\nullifier integrity'' (\crossref{sproutnullifierintegrity})
|
||||
is enforced whether or not the $\EnforceMerklePath{i}$ flag is set
|
||||
for an input \note. If this were not the case then an adversary could
|
||||
|
@ -6678,7 +6694,7 @@ perform the attack by creating a zero-valued \note with a repeated
|
|||
\nullifier, since the \nullifier does not depend on the value.
|
||||
}
|
||||
|
||||
\sproutonly{
|
||||
\sproutspecific{
|
||||
\xNullifier{} integrity also prevents a ``roadblock attack'' in which the
|
||||
attacker sees a victim's \transaction, and is able to publish another
|
||||
\transaction that is mined first and blocks the victim's \transaction.
|
||||
|
@ -6747,7 +6763,7 @@ A side benefit is that this reduces the cost of computing the
|
|||
evaluations needed to compute each \noteCommitment from three to two,
|
||||
saving a total of four $\SHACompress$ evaluations in the \joinSplitStatement.
|
||||
|
||||
\sproutonlypnote{
|
||||
\sproutspecificpnote{
|
||||
\notsprout{\Sprout \noteCommitments are not statistically hiding, so for \Sprout notes,}
|
||||
\sprout{\Zcash \noteCommitments are not statistically hiding, so}
|
||||
\Zcash does not support the ``everlasting anonymity'' property
|
||||
|
@ -6812,18 +6828,18 @@ only in the truncated bits. These \notes would have the same \noteCommitment
|
|||
but different \nullifiers, so it would be possible to spend the same value
|
||||
twice.
|
||||
|
||||
\sproutonly{
|
||||
\sproutspecific{
|
||||
For resistance to Faerie Gold attacks as described in
|
||||
\crossref{faeriegold}, \Zcash depends on collision resistance of
|
||||
$\hSigCRH$ (instantiated using $\BlakeTwob{256}$) and \sproutonly{$\PRFrho{}$
|
||||
(instantiated using $\SHACompress$)}. Collision resistance of a truncated hash
|
||||
$\hSigCRH$ (instantiated using $\BlakeTwob{256}$) and $\PRFrho{}$
|
||||
(instantiated using $\SHACompress$). Collision resistance of a truncated hash
|
||||
does not follow from collision resistance of the original hash, even if the
|
||||
truncation is only by one bit. This motivated avoiding truncation along any
|
||||
path from the inputs to the computation of $\hSig$ to the uses of
|
||||
$\NoteAddressRand$.
|
||||
}
|
||||
|
||||
\sproutonly{
|
||||
\sproutspecific{
|
||||
Since the PRFs are instantiated using $\SHACompress$ which has an input block
|
||||
size of $512$ bits (of which $256$ bits are used for the PRF input and $4$ bits
|
||||
are used for domain separation), it was necessary to reduce the size of the
|
||||
|
@ -6896,7 +6912,7 @@ The motivations for this change were as follows:
|
|||
$\SymSpecific$ as an authenticated encryption scheme or $\BlakeTwob{256}$ as
|
||||
a KDF) would not help to decrypt the \notesCiphertext unless
|
||||
$\TransmitPublic$ is known or guessed.
|
||||
\item \sproutonly{The KDF also takes a public seed $\hSig$ as input.
|
||||
\item \sproutspecific{The KDF also takes a public seed $\hSig$ as input.
|
||||
This can be modeled as using a different ``randomness extractor'' for each
|
||||
\joinSplitTransfer, which limits degradation of security with the number of
|
||||
\joinSplitTransfers.
|
||||
|
@ -6909,7 +6925,7 @@ The motivations for this change were as follows:
|
|||
modify it in a ciphertext from someone else's transaction for use in a
|
||||
chosen-ciphertext attack without detection.}
|
||||
\sapling{In \Sapling, there is no equivalent to $\hSig$. \todo{Explain why this is ok.}}
|
||||
\item \sproutonly{The scheme used by \SproutOrZcash includes an optimization that reuses
|
||||
\item \sproutspecific{The scheme used by \SproutOrZcash includes an optimization that reuses
|
||||
the same ephemeral key (with different nonces) for the two ciphertexts
|
||||
encrypted in each \joinSplitDescription.}
|
||||
\end{itemize}
|
||||
|
@ -6918,7 +6934,7 @@ The security proofs of \cite{ABR1999} can be adapted straightforwardly to the
|
|||
resulting scheme. Although DHAES as defined in that paper does not pass the
|
||||
recipient public key or a public seed to the \hashFunction $H$, this does not
|
||||
impair the proof because we can consider $H$ to be the specialization of our
|
||||
KDF to a given recipient key and seed. \sproutonly{It is necessary to adapt the
|
||||
KDF to a given recipient key and seed. \sproutspecific{It is necessary to adapt the
|
||||
``HDH independence'' assumptions and the proof slightly to take into account
|
||||
that the ephemeral key is reused for two encryptions.}
|
||||
|
||||
|
@ -6997,7 +7013,7 @@ distinct openings of the \noteCommitment when Condition I or II is violated.
|
|||
\Zcash \joinSplitStatement. $\cm$ can be computed from the other fields.
|
||||
\sapling{(The definition of \notes for \Sapling is different again.)}
|
||||
\item The length of proof encodings given in the paper is $288$ bytes.
|
||||
\sproutonly{This differs from the $296$ bytes specified in \crossref{phgr},
|
||||
\sproutspecific{This differs from the $296$ bytes specified in \crossref{phgr},
|
||||
because both the $x$-coordinate and compressed $y$-coordinate of each
|
||||
point need to be represented. Although it is possible to encode a proof
|
||||
in $288$ bytes by making use of the fact that elements of $\GF{q}$ can
|
||||
|
@ -7690,15 +7706,15 @@ $\ainv = a^{-1} \pmod{\ParamS{r}}$:
|
|||
A global optimization allows to use a single inverse computation outside
|
||||
the circuit for any number of nonzero constraints. Suppose that we have
|
||||
$n$ variables (or \linearCombinations) that are supposed to be nonzero:
|
||||
$a_{\barerange{0}{n-1}}$. Multiply these together to give $a = \vproduct{i=0}{n-1} a_i$;
|
||||
$a_\barerange{0}{n-1}$. Multiply these together to give $a = \vproduct{i=0}{n-1} a_i$;
|
||||
then, constrain $a$ to be nonzero. This works because the product $a$ is nonzero
|
||||
if and only if all of $a_{\barerange{0}{n-1}}$ are nonzero.
|
||||
if and only if all of $a_\barerange{0}{n-1}$ are nonzero.
|
||||
|
||||
|
||||
\introsection
|
||||
\nsubsubsection{Not-all-one constraints} \label{cctnotallone}
|
||||
|
||||
Given a sequence $b_{\barerange{0}{n-1}}$ of variables that have already been
|
||||
Given a sequence $b_\barerange{0}{n-1}$ of variables that have already been
|
||||
boolean-constrained, we can assert that they are not all one by letting
|
||||
$a = -n + \vsum{i=0}{n-1} b_i$, and asserting $a \neq 0$ as in the previous
|
||||
section:
|
||||
|
@ -7714,11 +7730,11 @@ section:
|
|||
\nsubsubsection{Unpacking} \label{cctunpack}
|
||||
|
||||
A field element $a$ may need to be ``unpacked'' to a sequence of boolean
|
||||
variables $b_{\barerange{0}{n-1}} \typecolon \bitseq{n}$, so that
|
||||
variables $b_\barerange{0}{n-1} \typecolon \bitseq{n}$, so that
|
||||
$a = \vsum{i=0}{n-1} b_i \mult 2^i$.
|
||||
|
||||
\introlist
|
||||
This costs $n$ constraints to boolean-constrain $b_{\barerange{0}{n-1}}$
|
||||
This costs $n$ constraints to boolean-constrain $b_\barerange{0}{n-1}$
|
||||
as in \crossref{cctboolean}, and one constraint that equates the sum with
|
||||
$a$:
|
||||
|
||||
|
@ -7871,7 +7887,7 @@ can be safely used:
|
|||
|
||||
\begin{theorem} \label{thmdistinctxcriterion}
|
||||
Let $Q$ be a point of odd-prime order $s$ on a Montgomery curve $E_{\ParamM{A},\ParamM{B}} / \GF{\ParamS{r}}$.
|
||||
Let $k_{\barerange{1}{2}}$ be integers in $\rangenozero{-\halfs}{\halfs}$.
|
||||
Let $k_\barerange{1}{2}$ be integers in $\rangenozero{-\halfs}{\halfs}$.
|
||||
Let $P_i = \scalarmult{k_i}{Q} = (x_i, y_i)$ for $i \in \range{1}{2}$, with
|
||||
$k_1 \neq \pm k_2$. Then the non-unified addition constraints
|
||||
|
||||
|
@ -7887,20 +7903,20 @@ implement the affine-Montgomery addition $P_1 + P_2 = (x_3, y_3)$ in all cases.
|
|||
\begin{proof}
|
||||
The given constraints are equivalent to the Montgomery addition formulae
|
||||
under the side condition $x_1 \neq x_2$. (Note that neither $P_i$ can be
|
||||
the zero point since $k_{\barerange{1}{2}} \neq 0 \pmod s$.)
|
||||
the zero point since $k_\barerange{1}{2} \neq 0 \pmod s$.)
|
||||
Assume for a contradiction that $x_1 = x_2$. For any
|
||||
$P_1 = \scalarmult{k_1}{Q}$, there can be only one other point $-P_1$ with
|
||||
the same $x$-coordinate. (This follows from the fact that the curve equation
|
||||
determines $\pm y$ as a function of $x$.)
|
||||
But $-P_1 = \scalarmult{-1}{\scalarmult{k_1}{Q}} = \scalarmult{-k_1}{Q}$.
|
||||
Since $\fun{k \typecolon \range{-\halfs}{\halfs}}{\scalarmult{k}{Q} \typecolon \GroupJ}$
|
||||
is injective and $k_{\barerange{1}{2}}$ are in $\range{-\halfs}{\halfs}$,
|
||||
is injective and $k_\barerange{1}{2}$ are in $\range{-\halfs}{\halfs}$,
|
||||
then $k_2 = \pm k_1$ (contradiction).
|
||||
\end{proof}
|
||||
|
||||
The conditions of this theorem are called the \distinctXCriterion.
|
||||
|
||||
In particular, if $k_{\barerange{1}{2}}$ are integers in $\range{1}{\halfs}$
|
||||
In particular, if $k_\barerange{1}{2}$ are integers in $\range{1}{\halfs}$
|
||||
then it is sufficient to require $k_1 \neq k_2$, since that implies
|
||||
$k_1 \neq \pm k_2$.
|
||||
|
||||
|
@ -8107,6 +8123,7 @@ as possible to be performed on the Montgomery curve. An incomplete
|
|||
Montgomery addition costs $3$ constraints, in comparison with an
|
||||
Edwards addition which costs $6$ constraints.
|
||||
|
||||
\introlist
|
||||
However, we cannot do all additions on the Montgomery curve because the
|
||||
Montgomery addition is incomplete. In order to be able to prove that
|
||||
exceptional cases do not occur, we need to ensure that the \distinctXCriterion
|
||||
|
@ -8124,6 +8141,7 @@ this calculation can be written as:
|
|||
where $\PedersenEncode{\paramdot}$ and $\PedersenGen{D}{j}$
|
||||
are defined as in \crossref{concretepedersenhash}.
|
||||
|
||||
\introlist
|
||||
We have to prove that:
|
||||
\begin{itemize}
|
||||
\item the \distinctXCriterion is met for all Montgomery additions within
|
||||
|
@ -8216,17 +8234,19 @@ A mixing \xPedersenHash is used to compute $\NoteAddressRand$ from
|
|||
$\cm$ and $\NotePosition$ in \crossref{commitmentsandnullifiers}. It takes as
|
||||
input a \xPedersenCommitment $P$, and hashes it with another input $x$.
|
||||
|
||||
\introlist
|
||||
We define $\MixingPedersenHash{D} \typecolon \byteseq{8} \times \range{0}{\ParamJ{r}-1}
|
||||
\times \GroupJ \rightarrow \GroupJ$ by:
|
||||
|
||||
\begin{formulae}
|
||||
\item $\MixingPedersenHash(D, P, x) := P + \scalarmult{x}{\FindGroupJHashOf{U}{D, \ascii{}}}$.
|
||||
\item $\MixingPedersenHash(D, P, x) := P + \scalarmult{x}{\FindGroupJHashOf{D, \ascii{}}}$.
|
||||
\end{formulae}
|
||||
|
||||
This costs \todo{...} for the scalar multiplication, and $6$ constraints for the
|
||||
Edwards addition, for a total of \todo{...} constraints.
|
||||
|
||||
|
||||
\introsection
|
||||
\nsubsubsection{Merkle path check} \label{cctmerklepath}
|
||||
|
||||
Checking a Merkle authentication path, as described in \crossref{merklepath},
|
||||
|
@ -8263,9 +8283,10 @@ in only one constraint by substituting $c_1 = a_0 + a_1 - c_0$ into the
|
|||
uses of $c_1$. The \Sapling circuit does not use this optimization.}
|
||||
|
||||
|
||||
\nsubsubsection{Windowed Pedersen commitment} \label{cctwindowedcommit}
|
||||
\introsection
|
||||
\nsubsubsection{\WindowedPedersenCommitment} \label{cctwindowedcommit}
|
||||
|
||||
We construct ``windowed'' Pedersen commitments by reusing the Pedersen hash
|
||||
We construct \windowedPedersenCommitments by reusing the Pedersen hash
|
||||
implementation, and adding a randomized point:
|
||||
|
||||
\begin{formulae}
|
||||
|
@ -8273,6 +8294,7 @@ implementation, and adding a randomized point:
|
|||
\PedersenHashToPoint(D, s) + \scalarmult{r}{\FindGroupJHashOf{D, \ascii{}}}$
|
||||
\end{formulae}
|
||||
|
||||
\introlist
|
||||
This can be implemented in:
|
||||
\begin{itemize}
|
||||
\item $... \smult \ell + ...$ constraints for the Pedersen hash on
|
||||
|
@ -8285,7 +8307,7 @@ for a total of $... \smult \ell + 756$ constraints.
|
|||
|
||||
\nsubsubsection{Raw Pedersen commitments} \label{cctrawcommit}
|
||||
|
||||
The windowed Pedersen commitments defined in the preceding section are
|
||||
The \windowedPedersenCommitments defined in the preceding section are
|
||||
highly efficient, but they do not support the homomorphic property we
|
||||
need when instantiating $\ValueCommit{}$ (see \crossref{spendsandoutputs}
|
||||
and \crossref{saplingbalance}).
|
||||
|
|