Cosmetics.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2018-03-06 22:16:55 +00:00
parent 8171ec9bba
commit 63843cf2d3
1 changed file with 146 additions and 124 deletions


@ -202,7 +202,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\varvv}{\varv\kern 0.02em\varv}
\newcommand{\hfrac}[2]{\scalebox{0.8}{$\genfrac{}{}{0.5pt}{0}{#1}{#2}$}}
\newcommand{\ssqrt}[1]{\scalebox{0.64}[1]{$\sqrt{\scalebox{1.5625}[1]{${#1}\vphantom{b}$}}$}}
\newcommand{\ssqrt}[1]{\rlap{\scalebox{0.64}[1]{$\sqrt{\scalebox{1.5625}[1]{${#1}\vphantom{b}$}}$}} %
\hspace{0.005em}\scalebox{0.64}[1]{$\sqrt{\scalebox{1.5625}[1]{$\phantom{#1}\vphantom{b}$}}$}}
\RequirePackage[usenames,dvipsnames]{xcolor}
% <https://en.wikibooks.org/wiki/LaTeX/Colors#The_68_standard_colors_known_to_dvips>
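Review bot: the new \ssqrt body is hard to read without a comment. It typesets the scaled radical twice, the second copy shifted right by 0.005em with its argument in \phantom, so that the rule thinned by the 0.64 horizontal scaling comes out fatter; a one-line % comment saying so would stop the duplicated \scalebox from looking like an accidental paste. The trailing % at the end of the \rlap line is load-bearing (it suppresses the end-of-line space between the two copies) and must stay.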
@ -561,6 +562,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\xPedersenCommitments}{\term{Pedersen commitments}}
\newcommand{\xPedersenValueCommitment}{\term{Pedersen value commitment}}
\newcommand{\xPedersenValueCommitments}{\term{Pedersen value commitments}}
\newcommand{\windowedPedersenCommitment}{\term{windowed Pedersen commitment}}
\newcommand{\windowedPedersenCommitments}{\term{windowed Pedersen commitments}}
\newcommand{\WindowedPedersenCommitment}{\titleterm{Windowed Pedersen Commitment}}
\newcommand{\distinctXCriterion}{\term{distinct-$x$ criterion}}
% Conventions
@ -569,7 +573,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\zeros}[1]{[0]^{#1}}
\newcommand{\ones}[1]{[1]^{#1}}
\newcommand{\bit}{\mathbb{B}}
\newcommand{\byte}{\mathbb{Y}}
\newcommand{\overlap}[2]{\rlap{#2}\hspace{#1}{#2}}
\newcommand{\byte}{\mathbb{B}\kern -0.1em\raisebox{0.55ex}{\overlap{0.0001em}{\scalebox{0.7}{$\mathbb{Y}$}}}}
\newcommand{\Nat}{\mathbb{N}}
\newcommand{\PosInt}{\mathbb{N}^+}
\newcommand{\Rat}{\mathbb{Q}}
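Review bot: \overlap{0.0001em}{...} in the new \byte definition prints the small \mathbb{Y} twice with a 0.0001em shift, i.e. it is a poor man's bold for the raised glyph. Since \overlap is introduced here as a general-purpose macro, a comment on its intended use (and on the -0.1em kern that tucks the Y against the B) would help the next reader. Also worth a quick check that the raised glyph does not collide with a following superscript or subscript, e.g. in \byteseq{8} as used in the \PedersenHashToPoint signature later in this file.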
@ -590,6 +595,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\upto}{\text{ up to }}
\newcommand{\downto}{\text{ down to }}
\newcommand{\tand}{\text{ \;and\, }}
\newcommand{\tor}{\text{ \;or\, }}
\newcommand{\squash}{\!\!\!}
\newcommand{\caseif}{\squash\text{if }}
\newcommand{\caseotherwise}{\squash\text{otherwise}}
@ -608,7 +614,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ToTarget}{\mathsf{ToTarget}}
\newcommand{\hexint}[1]{\mathtt{0x{#1}}}
\newcommand{\dontcare}{\kern -0.06em\raisebox{0.1ex}{\footnotesize{$\times$}}}
\newcommand{\ascii}[1]{\textbf{``\texttt{#1}"}}
\newcommand{\ascii}[1]{\textbf{``\texttt{#1}''}}
\newcommand{\Justthebox}[2][-1.3ex]{\;\raisebox{#1}{\usebox{#2}}\;}
\newcommand{\hSigCRH}{\mathsf{hSigCRH}}
\newcommand{\hSigLength}{\mathsf{\ell_{hSig}}}
@ -627,7 +633,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\SHAFullBox}[1]{\SHAFull\left(\Justthebox{#1}\right)}
\newcommand{\CRHivkBox}[1]{\CRHivk\left(\Justthebox{#1}\right)}
\newcommand{\setof}[1]{\{{#1}\}}
\newcommand{\barerange}[2]{{#1}\,..\,{#2}}
\newcommand{\powerset}[1]{\mathscr{P}\!\left({#1}\right)}
\newcommand{\barerange}[2]{{{#1}\,..\,{#2}}}
\newcommand{\range}[2]{\setof{\barerange{#1}{#2}}}
\newcommand{\rangenozero}[2]{\range{#1}{#2} \difference \setof{0}}
\newcommand{\alln}{\barerange{1}{n}}
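Review bot: the extra outer brace pair in \barerange is what makes the later M_\barerange{1}{n} and X_\barerange{1}{\mathrm{N}} usages in this commit work: TeX expands the macro while scanning the subscript, so the whole {{#1}\,..\,{#2}} group becomes the subscript, whereas with the old one-level body only {#1} would have been subscripted and \,..\,{#2} would have been set at full size with no compile error. That is subtle enough to deserve a % comment next to the definition so nobody later "simplifies" the braces away and silently breaks those call sites.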
@ -766,12 +773,12 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\CommitTrapdoor}{\CommitAlg\mathsf{.Trapdoor}}
\newcommand{\CommitInput}{\CommitAlg\mathsf{.Input}}
\newcommand{\CommitOutput}{\CommitAlg\mathsf{.Output}}
\newcommand{\NoteCommitSproutAlg}{\mathsf{\sprout{COMM}\notsprout{NoteCommit^{Sprout}}}}
\newcommand{\NoteCommitSproutAlg}{\mathsf{\sprout{COMM}\notsprout{NoteCommit}}^{\mathsf{Sprout}}}
\newcommand{\NoteCommitSprout}[1]{\NoteCommitSproutAlg_{#1}}
\newcommand{\NoteCommitSproutTrapdoor}{\NoteCommitSproutAlg\mathsf{.Trapdoor}}
\newcommand{\NoteCommitSproutInput}{\NoteCommitSproutAlg\mathsf{.Input}}
\newcommand{\NoteCommitSproutOutput}{\NoteCommitSproutAlg\mathsf{.Output}}
\newcommand{\NoteCommitSaplingAlg}{\mathsf{NoteCommit^{Sapling}}}
\newcommand{\NoteCommitSaplingAlg}{\mathsf{NoteCommit}^{\mathsf{Sapling}}}
\newcommand{\NoteCommitSapling}[1]{\NoteCommitSaplingAlg_{#1}}
\newcommand{\NoteCommitSaplingTrapdoor}{\NoteCommitSaplingAlg\mathsf{.Trapdoor}}
\newcommand{\NoteCommitSaplingInput}{\NoteCommitSaplingAlg\mathsf{.Input}}
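Review bot: moving the superscript outside \mathsf in \NoteCommitSproutAlg changes what the Sprout-only build renders. Before, \sprout{COMM}\notsprout{NoteCommit^{Sprout}} attached the superscript only in the non-Sprout text; now ^{\mathsf{Sprout}} follows the whole \mathsf group, so the Sprout build would show COMM with a Sprout superscript. If that is unintended, keep the superscript within the \notsprout argument. The equivalent change to \NoteCommitSaplingAlg is fine, as it has no Sprout variant.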
@ -849,7 +856,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ValueOld}[1]{\Value^\mathsf{old}_{#1}}
\newcommand{\ValueCommitRand}{\mathsf{rcv}}
\newcommand{\ValueCommitRandLength}{\mathsf{\ell_{\ValueCommitRand}}}
\newcommand{\ValueCommitRandNew}[1]{\ValueCommitRand^\mathsf{new}_{#1}}
\newcommand{\ValueCommitRandOld}{\ValueCommitRand^\mathsf{old}}
\newcommand{\ValueCommitRandNew}{\ValueCommitRand^\mathsf{new}}
\newcommand{\NoteTuple}[1]{\mathbf{n}_{#1}}
\newcommand{\NoteTypeSprout}{\optSprout{\mathsf{Note}}}
\newcommand{\NoteTypeSapling}{\mathsf{Note^{Sapling}}}
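Review bot: \ValueCommitRandNew loses its index argument here (the [1] and _{#1} are dropped) while \ValueCommitRandOld is added without one. Any remaining call site still written as \ValueCommitRandNew{i} will not raise an error; TeX will simply typeset the {i} as an ordinary group after rcv^new, which is easy to miss in the PDF. Worth grepping the file for \ValueCommitRandNew{ before merging.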
@ -1124,9 +1132,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\Zero}{\mathcal{O}}
\newcommand{\Generator}{\mathcal{P}}
\newcommand{\Selectu}{\scalebox{1.52}{$u$}}
\newcommand{\SelectuOf}[1]{\Selectu\!\left({#1}\right)}
\newcommand{\SelectuOf}[1]{\Selectu\!\left({#1}\right)\!}
\newcommand{\Selectv}{\scalebox{1.52}{$\varv$}}
\newcommand{\SelectvOf}[1]{\Selectv\!\left({#1}\right)}
\newcommand{\SelectvOf}[1]{\Selectv\!\left({#1}\right)\!}
\newcommand{\ParamP}[1]{{{#1}_\mathbb{P}}}
\newcommand{\ParamPexp}[2]{{{#1}_\mathbb{P}\!}^{#2}}
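Review bot: the trailing \! added to \SelectuOf and \SelectvOf (and, further down, to \reprJOf, \abstJOf and \FindGroupJHashOf) tightens the space after \right), which is the desired effect before a following subscript or comma, but it also shrinks the medium space before a following binary operator, e.g. \SelectuOf{P} + Q. If that reads too tight in the rendered output, the alternative is to put the \! at the call sites that need it rather than in the macro.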
@ -1175,12 +1183,12 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\GenJ}{\Generator_{\GroupJ}}
\newcommand{\ellJ}{\ell_{\GroupJ}}
\newcommand{\reprJ}{\repr_{\GroupJ}}
\newcommand{\reprJOf}[1]{\reprJ\!\left({#1}\right)}
\newcommand{\reprJOf}[1]{\reprJ\!\left({#1}\right)\!}
\newcommand{\abstJ}{\abst_{\GroupJ}}
\newcommand{\abstJOf}[1]{\abstJ\!\left({#1}\right)}
\newcommand{\abstJOf}[1]{\abstJ\!\left({#1}\right)\!}
\newcommand{\ExtractJ}{\ParamJ{\mathsf{Extract}}}
\newcommand{\FindGroupJHash}{\mathsf{FindGroupHash}^\mathbb{J}}
\newcommand{\FindGroupJHashOf}[1]{\FindGroupJHash\!\left({#1}\right)}
\newcommand{\FindGroupJHashOf}[1]{\FindGroupJHash\!\left({#1}\right)\!}
\newcommand{\ParamM}[1]{{{#1}_\mathbb{\hskip 0.03em M}}}
\newcommand{\ParamMexp}[2]{{{#1}_\mathbb{\hskip 0.03em M}\!}^{#2}}
@ -1245,25 +1253,28 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\consensusrule}[1]{\needspace{3ex}\subparagraph{Consensus rule:}{#1}}
\newenvironment{consensusrules}{\introlist\subparagraph{Consensus rules:}\begin{itemize}}{\end{itemize}}
\newcommand{\sproutonlyitem}[1]{\item \notsprout{[\Sprout only]\,} {#1}}
\newcommand{\sproutspecificitem}[1]{\item \sproutspecific{#1}}
\newcommand{\sproutonlyitem}[1]{\item \sproutonly{#1}}
\newcommand{\saplingonwarditem}[1]{\sapling{\item {[\Sapling onward]}\, {#1}}}
\newcommand{\prenuzeroitem}[1]{\item \notsprout{[Pre-\NUZero\!]\,} {#1}}
\newcommand{\nuzeroonwarditem}[1]{\nuzero{\item {[\NUZero onward]}\, {#1}}}
\newcommand{\prenuzeroitem}[1]{\item \prenuzero{#1}}
\newcommand{\nuzeroonlyitem}[1]{\nuzero{\item {[\NUZero only, pre-\Sapling\!]}\, {#1}}}
\newcommand{\nuzeroonwarditem}[1]{\nuzero{\item {[\NUZero onward]}\, {#1}}}
\newcommand{\sproutspecific}[1]{\notsprout{[\Sprout\!]\,} {#1}}
\newcommand{\sproutonly}[1]{\notsprout{[\Sprout only]\,} {#1}}
\newcommand{\saplingonward}[1]{\sapling{[\Sapling onward]\, {#1}}}
\newcommand{\prenuzero}[1]{\notsprout{[Pre-\NUZero\!]\,} {#1}}
\newcommand{\nuzeroonward}[1]{\nuzero{[\NUZero onward]\, {#1}}}
\newcommand{\nuzeroonly}[1]{\nuzero{[\NUZero only, pre-\Sapling\!]\, {#1}}}
\newcommand{\nuzeroonward}[1]{\nuzero{[\NUZero onward]\, {#1}}}
\newcommand{\securityrequirement}[1]{\needspace{3ex}\subparagraph{Security requirement:}{#1}}
\newenvironment{securityrequirements}{\introlist\subparagraph{Security requirements:}\begin{itemize}}{\end{itemize}}
\newcommand{\pnote}[1]{\subparagraph{Note:}{#1}}
\newenvironment{pnotes}{\introlist\subparagraph{Notes:}\begin{itemize}}{\end{itemize}}
\newcommand{\sproutspecificpnote}[1]{\notsprout{[\Sprout\!]\,\,} \textbf{Note:\,} {#1}}
\newcommand{\sproutonlypnote}[1]{\notsprout{[\Sprout only]\,\,} \textbf{Note:\,} {#1}}
\newcommand{\prenuzeropnote}[1]{\notsprout{[Pre-\NUZero\!]\,\,} \textbf{Note:\,} {#1}}
\newcommand{\nuzeroonwardpnote}[1]{\nuzero{[\NUZero onward]\,\,} \textbf{Note:\,} {#1}}
\newcommand{\nuzeroonlypnote}[1]{\nuzero{[\NUZero only, pre-\Sapling\!]\,\,} \textbf{Note:\,} {#1}}
\newcommand{\nuzeroonwardpnote}[1]{\nuzero{[\NUZero onward]\,\,} \textbf{Note:\,} {#1}}
\newcommand{\fact}[1]{\subparagraph{Fact:}{#1}}
\newcommand{\facts}[1]{\subparagraph{Facts:}{#1}}
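Review bot: this hunk introduces the \sproutspecific / \sproutspecificitem / \sproutspecificpnote family ([Sprout]) alongside the existing \sproutonly family ([Sprout only]), and most of the rest of the commit switches blocks from one to the other, but nothing states what distinguishes them. A short comment above these definitions (for instance, which tag marks text describing a Sprout-specific mechanism and which marks a rule that ceases to apply from Sapling onward) would keep the tags from drifting. Note also the asymmetry that \saplingonwarditem and \nuzeroonlyitem wrap the \item itself in the conditional, so the whole bullet disappears in builds where it does not apply, whereas \sproutonly and \prenuzero keep the body and only suppress the bracketed label via \notsprout; that looks deliberate for the Sprout build but is worth stating in the same comment.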
@ -1327,8 +1338,7 @@ non-interactive arguments of knowledge (\zkSNARKs).
Changes from the original \Zerocash are explained in \crossref{differences},
and highlighted in \changed{\changedcolor} throughout the document.
\notsprout{
Changes specific to the \NUZero upgrade (which are also changes from
\notsprout{Changes specific to the \NUZero upgrade (which are also changes from
\Zerocash) are highlighted in \nuzero{\nuzerocolor}.
Changes specific to the \Sapling upgrade following \NUZero (which are also
changes from \Zerocash) are highlighted in \sapling{\saplingcolor}.
@ -1699,7 +1709,7 @@ from it.
\sapling{\includegraphics[scale=.5]{key_components_sapling}}
\end{center}
\sproutonly{
\sproutspecific{
The \receivingKey $\TransmitPrivate$, the \incomingViewingKey
$\InViewingKey = (\AuthPublic, \TransmitPrivate)$, and the \paymentAddress
$\PaymentAddress = (\AuthPublic, \TransmitPublic)$ are derived from
@ -1783,9 +1793,11 @@ A \SproutOrNothing \note is a tuple $\changed{(\AuthPublic,
is a random \commitmentTrapdoor as defined in \crossref{abstractcommit}.
\end{itemize}
Let $\NoteTypeSprout$ be the type of a \SproutOrNothing \note,
i.e.\ \changed{$\PRFOutput \times \range{0}{\MAXMONEY} \times \PRFOutput
\times \NoteCommitSproutTrapdoor$}.
Let $\NoteTypeSprout$ be the type of a \SproutOrNothing \note, i.e.
\begin{formulae}
\item $\NoteTypeSprout := \changed{\PRFOutput \times \range{0}{\MAXMONEY} \times \PRFOutput
\times \NoteCommitSproutTrapdoor}$.
\end{formulae}
\sapling{
\vspace{2ex}
@ -1802,9 +1814,12 @@ A \Sapling \note is a tuple $(\Diversifier, \DiversifiedTransmitPublic,
is a random \commitmentTrapdoor as defined in \crossref{abstractcommit}.
\end{itemize}
Let $\NoteTypeSapling$ be the type of a \Sapling \note,
i.e.\ $\DiversifierType \times \bitseq{\ellJ} \times \range{0}{\MAXMONEY}
\times \bitseq{\ellJ} \times \NoteCommitSaplingTrapdoor$.
Let $\NoteTypeSapling$ be the type of a \Sapling \note, i.e.
\begin{formulae}
\item $\NoteTypeSapling := \DiversifierType \times \bitseq{\ellJ} \times \range{0}{\MAXMONEY}
\times \bitseq{\ellJ} \times \NoteCommitSaplingTrapdoor$.
\end{formulae}
}
Creation of new \notes is described in \crossref{send}. When \notes are sent,
@ -1828,12 +1843,13 @@ where $\NoteCommitSprout{}$ is instantiated in \crossref{concretesproutcommit}.
Let $\GroupJHash{}$ and $U$ be as defined in \crossref{concretegrouphashjubjub}.
A \Sapling \noteCommitment is computed as
\begin{tabular}{@{\hskip 2em}r@{\;}l}
$\DiversifiedTransmitBase$ &$:= \GroupJHash{U}(\ascii{Zcash\_gd}, \Diversifier)$ \\
$\NoteCommitmentSapling(\NoteTuple{})$ &$:=
\NoteCommitSapling{\NoteCommitRand}(\reprJOf{\DiversifiedTransmitBase}, \DiversifiedTransmitPublic, \Value)$
\end{tabular}
\vspace{-1ex}
\begin{formulae}
\item $\DiversifiedTransmitBase := \GroupJHash{U}(\ascii{Zcash\_gd}, \Diversifier)$
\item $\NoteCommitmentSapling(\NoteTuple{}) :=
\NoteCommitSapling{\NoteCommitRand}(\reprJOf{\DiversifiedTransmitBase}, \DiversifiedTransmitPublic, \Value)$
\end{formulae}
\vspace{-1.5ex}
where $\NoteCommitSapling{}$ is instantiated in \crossref{concretewindowedcommit}.
Notice that the above definition of a \Sapling \note does not have a
@ -1932,7 +1948,9 @@ The remaining value in the \transparentValuePool{} \MUST be nonnegative.
\notsprout{To each \transaction there are associated initial \treestates
for \Sprout\sapling{ and for \Sapling}.}
\introlist
\sprout{A}\sapling{Each} \treestate consists of:
\begin{itemize}
\item a \noteCommitmentTree (\crossref{merkletree});
\item a \nullifierSet (\crossref{nullifierset}).
@ -2039,7 +2057,7 @@ Each \transaction has a sequence of \spendDescriptions and a sequence of
\outputDescriptions.
To ensure balance, we use a homomorphic property of \xPedersenCommitments that
allows them to be added and subtracted (as elliptic curve points). The result
allows them to be added and subtracted, as elliptic curve points. The result
of adding two \xPedersenValueCommitments, committing to values $\Value_1$ and
$\Value_2$, is a new \xPedersenValueCommitment that commits to $\Value_1 + \Value_2$.
Subtraction works similarly.
@ -2517,13 +2535,13 @@ Given a represented group $\GroupG{}$ and a type $\CRSType$, we define a
\vspace{-1ex}
with the following security requirement.
\begin{securityrequirements}
\item \textbf{Discrete Logarithm Independence:} For a randomly selected member
$\GroupGHash{\CRS}$ of the family, it is infeasible to find
\securityrequirement{\textbf{Discrete Logarithm Independence}
For a randomly selected member $\GroupGHash{\CRS}$ of the family, it is infeasible to find
a sequence of distinct inputs $m_{\alln} \typecolon \typeexp{\bitseq{\ell}}{n}$
and a sequence of nonzero scalars $x_{\alln} \typecolon \typeexp{\GFstar{\ParamG{r}}}{n}$
such that $\vsum{i = 1}{n}\left(\scalarmult{x_i}{\GroupGHash{\CRS}(m_i)}\right) = \ZeroG{}$.
\end{securityrequirements}
}
\begin{pnotes}
\item This property implies (and is stronger than) collision-resistance,
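Review bot: in the new \securityrequirement form, the bold title \textbf{Discrete Logarithm Independence} runs straight into "For a randomly selected member ..." with no colon or line break, whereas the old itemize version had "Independence:". Since the macro itself only emits "Security requirement:" before its argument, suggest restoring the colon inside the \textbf, or ending the title with \\ so the requirement body starts on its own line.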
@ -2968,7 +2986,7 @@ Then it creates each output \note with index $i \typecolon \setofNew$ as follows
\begin{itemize}
\item Choose $\NoteCommitRandNew{i}$ uniformly at random on $\bitseq{\NoteCommitRandLength}$.
\changed{
\item Compute $\NoteAddressRandNew{i} := \PRFrho{\NoteAddressPreRand}(i, \hSig)$.
\item Compute $\NoteAddressRandNew{i} = \PRFrho{\NoteAddressPreRand}(i, \hSig)$.
}
\item Encrypt the \note to the recipient \transmissionKey $\TransmitPublicNew{i}$,
as described in \crossref{inband}, giving the ciphertext component
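Review bot: this changes "Compute \NoteAddressRandNew{i} := \PRFrho..." to "=" while the rest of the commit moves definitions the other way, from "=" to ":=" (Let c := 63, the curve parameters, \PRGExpandSeed). If the intended convention is that ":=" introduces a definition and "=" states an equality that a procedure step computes or a statement checks (the \joinSplitStatement hunk at 3371 already uses "=" for this same relation), it would be worth writing that convention down in the Conventions section so future edits follow it consistently.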
@ -3194,18 +3212,14 @@ $\JoinSplitSigVerify{\text{\small\joinSplitPubKey}}(\dataToBeSigned, \joinSplitS
Let $\hSig$ be computed as specified in \crossref{joinsplitdesc}, and let
$\PRFpk{}$ be as defined in \crossref{abstractprfs}.
\sproutonly{
For each $i \in \setofOld$, the creator of a \joinSplitDescription calculates
$\h{i} = \PRFpk{\AuthPrivateOld{i}}(i, \hSig)$.
}
\sproutonly{
The correctness of $\h{\allOld}$ is enforced by the \joinSplitStatement
given in \crossref{sproutnonmalleablejs}. This ensures that a holder of
all of the $\AuthPrivateOld{\allOld}$ for every \joinSplitDescription in the
\transaction has authorized the use of the private signing key corresponding
to $\joinSplitPubKey$ to sign this \transaction.
}
\saplingonward{
\todo{Specify the \spendAuthSignature.}
@ -3222,13 +3236,11 @@ treated like an \emph{output} value, whereas} $\vpubNew$ is treated like an
\emph{input} value.
\changed{
\sproutonlypnote{
Unlike original \Zerocash \cite{BCG+2014}, \Zcash does not have
a distinction between Mint and Pour operations. The addition of $\vpubOld$ to a
\joinSplitDescription subsumes the functionality of both Mint and Pour. Also,
a difference in the number of real input \notes does not by itself cause two
\joinSplitDescriptions to be distinguishable.
}
As stated in \crossref{joinsplitdesc}, either $\vpubOld$ or $\vpubNew$ \MUST be zero.
No generality is lost because, if a \transaction in which both $\vpubOld$ and
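Review bot: the \changed{ ... } wrapper around \sproutonlypnote is dropped here (the hunk shrinks by exactly the two brace lines), so the Mint/Pour paragraph is no longer highlighted as a difference from \Zerocash, even though its text begins "Unlike original \Zerocash" and the introduction says such changes are highlighted in \changedcolor. If the highlight was removed only because \changed and the note macro interact badly, consider moving \changed inside the note's argument instead of dropping it.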
@ -3359,7 +3371,7 @@ for each $i \in \setofNew$:
$\NoteAddressRandNew{i} = \PRFrho{\NoteAddressPreRand}(i, \hSig)$.
}
\subparagraph{Commitment integrity} \label{sproutcommitmentintegrity}
\subparagraph{Note commitment integrity} \label{sproutcommitmentintegrity}
for each $i \in \setofNew$: $\cmNew{i}$ = $\NoteCommitSprout(\nNew{i})$.
@ -3460,7 +3472,7 @@ For both encryption and decryption,
\crossref{concretesproutkdf}.
\item Let $\KASprout$\sapling{ and $\KASapling$} be the \keyAgreementSchemes instantiated in
\crossref{concretekaandkdf}.
\item \sproutonly{Let $\hSig$ be the value computed for this \joinSplitDescription in
\item \sproutspecific{Let $\hSig$ be the value computed for this \joinSplitDescription in
\crossref{joinsplitdesc}.}
\end{itemize}
}
@ -3518,27 +3530,27 @@ Then for each $i \in \setofNew$, the recipient will attempt to decrypt that ciph
component as follows:
\changed{
\begin{itemize}
\item Let $\DHSecret{i} := \KASproutAgree(\TransmitPrivate, \EphemeralPublic)$.
\item Let $\TransmitKey{i} := \KDFSprout(i, \hSig, \DHSecret{i}, \EphemeralPublic,
\TransmitPublic)$.
\item Return $\DecryptNote(\TransmitKey{i}, \TransmitCiphertext{i}, \cmNew{i},
\begin{formulae}
\item let $\DHSecret{i} = \KASproutAgree(\TransmitPrivate, \EphemeralPublic)$
\item let $\TransmitKey{i} = \KDFSprout(i, \hSig, \DHSecret{i}, \EphemeralPublic,
\TransmitPublic)$
\item return $\DecryptNote(\TransmitKey{i}, \TransmitCiphertext{i}, \cmNew{i},
\AuthPublic).$
\end{itemize}
\end{formulae}
\introlist
$\DecryptNote(\TransmitKey{i}, \TransmitCiphertext{i}, \cmNew{i}, \AuthPublic)$
is defined as follows:
\begin{itemize}
\item Let $\TransmitPlaintext{i} :=
\SymDecrypt{\TransmitKey{i}}(\TransmitCiphertext{i})$.
\item If $\TransmitPlaintext{i} = \bot$, return $\bot$.
\item Extract $\NotePlaintext{i} = (\ValueNew{i},
\NoteAddressRandNew{i}, \NoteCommitRandNew{i}, \Memo_i)$ from $\TransmitPlaintext{i}$.
\item If $\NoteCommitSprout((\AuthPublic, \ValueNew{i}, \NoteAddressRandNew{i},
\begin{formulae}
\item let $\TransmitPlaintext{i} =
\SymDecrypt{\TransmitKey{i}}(\TransmitCiphertext{i})$
\item if $\TransmitPlaintext{i} = \bot$, return $\bot$
\item extract $\NotePlaintext{i} = (\ValueNew{i},
\NoteAddressRandNew{i}, \NoteCommitRandNew{i}, \Memo_i)$ from $\TransmitPlaintext{i}$
\item if $\NoteCommitSprout((\AuthPublic, \ValueNew{i}, \NoteAddressRandNew{i},
\NoteCommitRandNew{i})) \neq \cmNew{i}$, return $\bot$, else return $\NotePlaintext{i}$.
\end{itemize}
\end{formulae}
}
To test whether a \note is unspent in a particular \blockchain also requires
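Review bot: in the rewritten decryption steps the sentence-final period of the first formulae block sits inside math mode (\AuthPublic).$), so it is set as a math-mode period rather than text punctuation; move it after the closing $, as the second block's final item already does. Minor: the intermediate items now end without punctuation while the last one keeps a period, which is fine if that is the house style for \formulae, but the \PedersenHashToPoint steps later in this file end every item with a period, so one of the two styles should win.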
@ -3681,6 +3693,7 @@ in \cite[section 5.1]{NIST2015}; i.e.\ the input to $\SHACompress$ is what
\cite[section 5.2]{NIST2015} refers to as ``the message and its padding''.
The Initial Hash Value is the same as for full $\SHAFull$.
\introlist
\Zcash uses $\SHACompress$ to instantiate several \pseudoRandomFunctions and
$\MerkleCRHSprout$.
@ -3702,6 +3715,7 @@ $\BlakeTwob{\ell}(p, x)$ refers to unkeyed $\BlakeTwob{\ell}$
in sequential mode, with an output digest length of $\ell/8$ bytes,
$16$-byte personalization string $p$, and input $x$.
\introlist
$\BlakeTwobGeneric$ is used to instantiate $\hSigCRH$, $\EquihashGen{}$,
and $\KDFSprout$.
\nuzero{From \NUZero onward, it is used to compute \sighashTxHashes.}
@ -3923,7 +3937,7 @@ Let $\ExtractJ$ be as defined in \crossref{concreteextractorjubjub}.
Let $\FindGroupJHash$ be as defined in \crossref{concretegrouphashjubjub}.
Let $c = 63$.
Let $c := 63$.
\newsavebox{\gencountbox}
\begin{lrbox}{\gencountbox}
@ -3949,9 +3963,9 @@ Define $\PedersenHashToPoint(D \typecolon \byteseq{8}, M \typecolon \bitseq{\Pos
\begin{formulae}
\item Pad $M$ to a multiple of $3$ bits by appending zero bits, giving $M'$.
\item Let $n = \ceiling{\hfrac{\length(M')}{3 \mult c}}$.
\item Split $M'$ into $n$ \quotedterm{segments} $M_{\barerange{1}{n}}$
so that $M' = \concatbits(M_{\barerange{1}{n}})$, and
each of $M_{\barerange{1}{n-1}}$ is of length $3 \smult c$ bits.
\item Split $M'$ into $n$ \quotedterm{segments} $M_\barerange{1}{n}$
so that $M' = \concatbits(M_\barerange{1}{n})$, and
each of $M_\barerange{1}{n-1}$ is of length $3 \smult c$ bits.
($M_n$ may be shorter.)
\item Return $\vsum{i=1}{n} \scalarmult{\PedersenEncode{M_i}}{\PedersenGen{D}{i}} \typecolon \GroupJ$.
\end{formulae}
@ -3962,8 +3976,8 @@ $\PedersenEncode{\paramdot} \typecolon \bitseq{3 \mult \range{1}{c}} \rightarrow
\begin{formulae}
\item Let $k_i = \length(M_i)/3$.
\item Split $M_i$ into $3$-bit \quotedterm{chunks} $m_{\barerange{1}{k_i}}$
so that $M_i = \concatbits(m_{\barerange{1}{k_i}})$.
\item Split $M_i$ into $3$-bit \quotedterm{chunks} $m_\barerange{1}{k_i}$
so that $M_i = \concatbits(m_\barerange{1}{k_i})$.
\item Write each $m_j$ as $[\sj{0}, \sj{1}, \sj{2}]$, and let
$\enc(m_j) = (1 - 2 \smult \sj{2}) \mult (1 + \sj{0} + 2 \smult \sj{1})$.
\item Let $\PedersenEncode{M_i} = \vsum{j=1}{k_i} \enc(m_j) \mult 2^{4 \mult (j-1)}$.
@ -4041,7 +4055,7 @@ We define $\MixingPedersenHash{D} \typecolon \byteseq{8} \times \GroupJ \times \
\rightarrow \GroupJ$ by:
\begin{formulae}
\item $\MixingPedersenHash(D, P, x) := P + \scalarmult{x}{\FindGroupJHashOf(D, \ascii{})}$.
\item $\MixingPedersenHash(D, P, x) := P + \scalarmult{x}{\FindGroupJHashOf{D, \ascii{}}}$.
\end{formulae}
\securityrequirement{
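Review bot: good catch on \FindGroupJHashOf{D, \ascii{}}. With the old parenthesised form the macro would have taken the single token ( as its argument and typeset the rest outside the \left( \right) pair, producing something like FindGroupHash(()D, "") with no TeX error. Worth a quick grep for any other Of( spelling of the ...Of macros, since this failure mode is invisible at compile time.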
@ -4087,7 +4101,7 @@ Let $\powcount(g) := \Justthebox{\powcountbox}$.
\vspace{2ex}
\introlist
% Blech. Dijkstra was right \cite{EWD831}.
Let $\EquihashGen{n, k}(S, i) := T_{\barerange{h+1}{h+n}}$, where
Let $\EquihashGen{n, k}(S, i) := T_\barerange{h+1}{h+n}$, where
\begin{formulae}
\item $m := \floor{\frac{512}{n}}$;
\item $h := (i-1 \bmod m) \mult n$;
@ -4115,8 +4129,9 @@ $n = 200$).
\introsection
\nsubsubsection{\PseudoRandomFunctions} \label{concreteprfs}
The \changed{four} independent PRFs described in \crossref{abstractprfs} are
all instantiated using the \shaCompressFunction defined in \crossref{concretesha256}:
$\PRFaddr{}$, $\PRFnf{}$, $\PRFpk{}$\changed{, and $\PRFrho{}$},
described in \crossref{abstractprfs}, are all instantiated using the \shaCompressFunction
defined in \crossref{concretesha256}:
\newcommand{\iminusone}{\hspace{0.3pt}\scriptsize{$i$\hspace{0.6pt}-1}}
@ -4215,7 +4230,7 @@ $\PRGExpandSeed{}$, described in \crossref{abstractprgs}, maps a
\Sapling \spendingKey to an \expandedSeed:
\begin{formulae}
\item $\PRGExpandSeed{\AuthPrivateSeed}() = \BlakeTwob{512}(\ascii{Zcash\_ExpandSeed}, \AuthPrivateSeed)$
\item $\PRGExpandSeed{\AuthPrivateSeed}() := \BlakeTwob{512}(\ascii{Zcash\_ExpandSeed}, \AuthPrivateSeed)$
\end{formulae}
(The \expandedSeed is used to derive the \authSigningKey $\AuthSignPrivate$
@ -4550,11 +4565,11 @@ instantiated using $\RawPedersenCommit{}$ as follows:
The \representedPairing $\BNCurve$ is defined in this section.
Let $\ParamG{q} = 21888242871839275222246405745257275088696311157297823662689037894645226208583$.
Let $\ParamG{q} := 21888242871839275222246405745257275088696311157297823662689037894645226208583$.
Let $\ParamG{r} = 21888242871839275222246405745257275088548364400416034343698204186575808495617$.
Let $\ParamG{r} := 21888242871839275222246405745257275088548364400416034343698204186575808495617$.
Let $\ParamG{b} = 3$.
Let $\ParamG{b} := 3$.
(\hairspace $\ParamG{q}$ and $\ParamG{r}$ are prime.)
@ -4578,12 +4593,12 @@ $\GroupG{1} \times \GroupG{2} \rightarrow \GroupG{T}$.
For $i \typecolon \range{1}{2}$, let $\ZeroG{i}$ be the point at infinity
(which is the additive identity) in $\GroupG{i}$, and let
$\GroupGstar{i} = \GroupG{i} \setminus \setof{\ZeroG{i}}$.
$\GroupGstar{i} := \GroupG{i} \setminus \setof{\ZeroG{i}}$.
Let $\GenG{1} \typecolon \GroupGstar{1} = (1, 2)$.
Let $\GenG{1} \typecolon \GroupGstar{1} := (1, 2)$.
\begin{tabular}{@{}l@{}r@{}l@{}}
Let $\GenG{2} \typecolon \GroupGstar{2} =\;$
Let $\GenG{2} \typecolon \GroupGstar{2} :=\;$
% are these the right way round?
&$(11559732032986387107991004021392285783925812861821192530917403151452391805634$ & $\mult\, t\;+$ \\
&$ 10857046999023057135944570762232829481370756359578518086990519993285655852781$ & $, $ \\
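Review bot: the "% are these the right way round?" comment about the coordinate order of the \GenG{2} generator is still open in the touched block. Since this commit already edits the line, it would be a good moment either to resolve the question against the source of these parameters or to turn it into a \todo so it is visible in the draft rather than hidden in a comment.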
@ -4712,13 +4727,13 @@ The \representedPairing $\BLSCurve$ is defined in this section. Parameters are t
\cite{Bowe2017}.
\introlist
Let $\ParamS{q} =\;$\scalebox{0.812}[1]{$4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559787$}.
Let $\ParamS{q} :=\;$\scalebox{0.812}[1]{$4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559787$}.
Let $\ParamS{r} = 52435875175126190479447740508185965837690552500527637822603658699938581184513$.
Let $\ParamS{r} := 52435875175126190479447740508185965837690552500527637822603658699938581184513$.
Let $\ParamS{u} = -15132376222941642752$.
Let $\ParamS{u} := -15132376222941642752$.
Let $\ParamS{b} = 4$.
Let $\ParamS{b} := 4$.
(\hairspace $\ParamS{q}$ and $\ParamS{r}$ are prime.)
@ -4741,13 +4756,13 @@ Let $\PairingS$ be the optimized ate pairing of type
$\GroupS{1} \times \GroupS{2} \rightarrow \GroupS{T}$.
For $i \typecolon \range{1}{2}$, let $\ZeroS{i}$ be the point at infinity in $\GroupS{i}$,
and let $\GroupSstar{i} = \GroupS{i} \setminus \setof{\ZeroS{i}}$.
and let $\GroupSstar{i} := \GroupS{i} \setminus \setof{\ZeroS{i}}$.
\introlist
Let $\GenS{1} \typecolon \GroupSstar{1} = (1, 2)$.
Let $\GenS{1} \typecolon \GroupSstar{1} := (1, 2)$.
\begin{tabular}{@{}l@{}r@{}l@{}}
Let $\GenS{2} \typecolon \GroupSstar{2} =\;$
Let $\GenS{2} \typecolon \GroupSstar{2} :=\;$
% are these the right way round?
&$(11559732032986387107991004021392285783925812861821192530917403151452391805634$ & $\mult\, t\;+$ \\
&$ 10857046999023057135944570762232829481370756359578518086990519993285655852781$ & $, $ \\
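Review bot: the \GenS{2} generator for \BLSCurve is given with exactly the same coordinates as the \BNCurve \GenG{2} generator in the hunk above (11559732...805634 and 10857046...852781 appear verbatim in both), which is very unlikely to be correct for two different curves over different fields, and the same "right way round?" comment is carried over. This predates the commit, but since the line is being touched it is worth replacing with the actual \BLSCurve values, or a \todo, so that the := cosmetics are not mistaken for a review of the numbers.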
@ -4816,22 +4831,22 @@ curve.
The \representedGroup $\JubjubCurve$ is defined in this section.
Let $\ParamJ{q} = \ParamS{r}$, as defined in \crossref{blspairing}.
Let $\ParamJ{q} := \ParamS{r}$, as defined in \crossref{blspairing}.
Let $\ParamJ{r} = 6554484396890773809930967563523245729705921265872317281365359162392183254199$.
Let $\ParamJ{r} := 6554484396890773809930967563523245729705921265872317281365359162392183254199$.
(\hairspace $\ParamJ{q}$ and $\ParamJ{r}$ are prime.)
Let $\ParamJ{a} = -1$.
Let $\ParamJ{a} := -1$.
Let $\ParamJ{d} = -10240/10241 \pmod{\ParamJ{q}}$.
Let $\ParamJ{d} := -10240/10241 \pmod{\ParamJ{q}}$.
Let $\GroupJ$ be the group of points $(u, \varv)$ on a twisted Edwards curve $\CurveJ$
over $\GF{\ParamJ{q}}$ with equation $\ParamJ{a} \smult u^2 + \varv^2 = 1 + \ParamJ{d} \smult u^2 \smult \varv^2$.
The zero point with coordinates $(0, 1)$ is denoted $\ZeroJ$.
$\GroupJ$ has order $8 \smult \ParamJ{r}$.
Let $\ellJ = 256$.
Let $\ellJ := 256$.
Define $\ItoLEBSP{} \typecolon (\ell \typecolon \Nat) \times \range{0}{2^\ell\!-\!1} \rightarrow \bitseq{\ell}$
as in \crossref{endian}.
@ -4950,7 +4965,7 @@ The hash $\GroupJHash{\CRS}(D, M)$ is calculated as follows:
\end{lrbox}
\begin{formulae}
\item $\Justthebox{\ghintbox} := \BlakeTwos{256}(D,\, \CRS \bconcat\, M))$
\item $\Justthebox{\ghintbox} := \BlakeTwos{256}(D,\, \CRS \bconcat\, M)$
\item $P := \abstJOf{p}$
\item If $P = \bot$ then return $\bot$.
\item $Q := \scalarmult{8}{P}$
@ -5349,8 +5364,9 @@ cause the first two characters of the Base58Check encoding to be fixed as
A \Sapling \paymentAddress consists of $\Diversifier \typecolon \DiversifierType$
and $\DiversifiedTransmitPublic \typecolon \KASaplingPublic$.
$\Diversifier$ is a bit sequence, encoded as 11 bytes.
$\DiversifiedTransmitPublic$ is a $\KASaplingPublic$ key (see \crossref{concretesaplingkeyagreement}),
$\Diversifier$ is a sequence of 11 bytes.
$\DiversifiedTransmitPublic$ is an encoding of a $\KASaplingPublic$ key
(see \crossref{concretesaplingkeyagreement}),
for use with the encryption scheme defined in \crossref{inband}.
These components are derived as described in \crossref{saplingkeycomponents}.
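Review bot: the rewritten description says \DiversifiedTransmitPublic "is an encoding of a \KASaplingPublic key", but the sentence just above still types it as \DiversifiedTransmitPublic \typecolon \KASaplingPublic, i.e. the key itself rather than its encoding. One of the two should change so the address component has a single type. Likewise "\Diversifier is a sequence of 11 bytes" now disagrees with \DiversifierType if that type is defined as a bit sequence elsewhere (the old text said "bit sequence, encoded as 11 bytes"); if the intent is to describe the raw encoding, saying "encoded as" on both components would make that clear.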
@ -5918,7 +5934,7 @@ Consensus rules applying to an \outputDescription are given in \crossref{outputd
}
\introlist
\introsection
\nsubsection{\BlockHeader} \label{blockheader}
The \Zcash \blockHeader format is as follows:
@ -6066,11 +6082,11 @@ such that $n$ is a multiple of $k+1$. We assume $k \geq 3$.
The Equihash parameters for the production and test networks are $n = 200, k = 9$.
The Generalized Birthday Problem is defined as follows: given a sequence
$X_{\barerange{1}{\mathrm{N}}}$ of $n$-bit strings, find $2^k$ distinct $X_{i_j}$ such that
$X_\barerange{1}{\mathrm{N}}$ of $n$-bit strings, find $2^k$ distinct $X_{i_j}$ such that
$\vxor{j=1}{2^k} X_{i_j} = 0$.
\introlist
In Equihash, $\mathrm{N} = 2^{\frac{n}{k+1}+1}$, and the sequence $X_{\barerange{1}{\mathrm{N}}}$ is
In Equihash, $\mathrm{N} = 2^{\frac{n}{k+1}+1}$, and the sequence $X_\barerange{1}{\mathrm{N}}$ is
derived from the \blockHeader and a nonce:
\newsavebox{\powheaderbox}
@ -6332,7 +6348,7 @@ one of $\NumFounderAddresses$ \transparent addresses, depending on the \blockHei
\renewcommand{\arraystretch}{0.95}
For the production network, $\FounderAddressList_{\barerange{\mathrm{1}}{\NumFounderAddresses}}$ is:
For the production network, $\FounderAddressList_\barerange{\mathrm{1}}{\NumFounderAddresses}$ is:
\begin{tabular}{@{\hskip 2.5em}l@{\;}l}
[& \ascii{t3Vz22vK5z2LcKEdg16Yv4FFneEL1zg9ojd}, \ascii{t3cL9AucCajm3HXDhb5jBnJK2vapVoXsop3}, \\
@ -6362,7 +6378,7 @@ For the production network, $\FounderAddressList_{\barerange{\mathrm{1}}{\NumFou
\end{tabular}
\introlist
For the test network, $\FounderAddressList_{\barerange{\mathrm{1}}{\NumFounderAddresses}}$ is:
For the test network, $\FounderAddressList_\barerange{\mathrm{1}}{\NumFounderAddresses}$ is:
\begin{tabular}{@{\hskip 2.5em}l@{\;}l}
[& \ascii{t2UNzUUx8mWBCRYPRezvA363EYXyEpHokyi}, \ascii{t2N9PH9Wk9xjqYg9iin1Ua3aekJqfAtE543}, \\
@ -6630,7 +6646,7 @@ can recover access to (and be sure that they are able to spend) all
of their funds, even if they have forgotten everything but the
\spendingKey.
\sproutonly{
\sproutspecific{
Instead, \Zcash enforces that an adversary must choose distinct values
for each $\NoteAddressRand$, by making use of the fact that all of the
\nullifiers in \joinSplitDescriptions that appear in a \validBlockchain
@ -6646,7 +6662,7 @@ this uniqueness property robust even if the \transaction creator is an
adversary.)
}
\sproutonly{
\sproutspecific{
The $\NoteAddressRand$ value for each output \note is then derived from
a random private seed $\NoteAddressPreRand$ and $\hSig$ using
$\PRFrho{\NoteAddressPreRand}$. The correct construction of
@ -6654,7 +6670,7 @@ $\NoteAddressRand$ for each output \note is enforced by
\crossref{sproutuniquerho} in the \joinSplitStatement.
}
\sproutonly{
\sproutspecific{
Now even if the creator of a \joinSplitDescription does not choose
$\NoteAddressPreRand$ randomly, uniqueness of \nullifiers and
collision resistance of both $\hSigCRH$ and $\PRFrho{}$ will ensure
@ -6670,7 +6686,7 @@ $\PRFnf{\AuthPrivate}(\NoteAddressRand)$, this is only possible if
the adversary finds a collision (across both inputs) on $\PRFnf{}$,
which is assumed to be infeasible --- see \crossref{abstractprfs}.
\sproutonly{
\sproutspecific{
Crucially, ``\nullifier integrity'' (\crossref{sproutnullifierintegrity})
is enforced whether or not the $\EnforceMerklePath{i}$ flag is set
for an input \note. If this were not the case then an adversary could
@ -6678,7 +6694,7 @@ perform the attack by creating a zero-valued \note with a repeated
\nullifier, since the \nullifier does not depend on the value.
}
\sproutonly{
\sproutspecific{
\xNullifier{} integrity also prevents a ``roadblock attack'' in which the
attacker sees a victim's \transaction, and is able to publish another
\transaction that is mined first and blocks the victim's \transaction.
@ -6747,7 +6763,7 @@ A side benefit is that this reduces the cost of computing the
evaluations needed to compute each \noteCommitment from three to two,
saving a total of four $\SHACompress$ evaluations in the \joinSplitStatement.
\sproutonlypnote{
\sproutspecificpnote{
\notsprout{\Sprout \noteCommitments are not statistically hiding, so for \Sprout notes,}
\sprout{\Zcash \noteCommitments are not statistically hiding, so}
\Zcash does not support the ``everlasting anonymity'' property
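Review bot: `\sproutspecificpnote{` is a second renamed macro, so the definition check applies to it as well as to `\sproutspecific`. The nested `\notsprout{...}` / `\sprout{...}` switches inside it are unchanged and still provide both wordings of the lead sentence, which is what this wrapper needs.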
@ -6812,18 +6828,18 @@ only in the truncated bits. These \notes would have the same \noteCommitment
but different \nullifiers, so it would be possible to spend the same value
twice.
\sproutonly{
\sproutspecific{
For resistance to Faerie Gold attacks as described in
\crossref{faeriegold}, \Zcash depends on collision resistance of
$\hSigCRH$ (instantiated using $\BlakeTwob{256}$) and \sproutonly{$\PRFrho{}$
(instantiated using $\SHACompress$)}. Collision resistance of a truncated hash
$\hSigCRH$ (instantiated using $\BlakeTwob{256}$) and $\PRFrho{}$
(instantiated using $\SHACompress$). Collision resistance of a truncated hash
does not follow from collision resistance of the original hash, even if the
truncation is only by one bit. This motivated avoiding truncation along any
path from the inputs to the computation of $\hSig$ to the uses of
$\NoteAddressRand$.
}
\sproutonly{
\sproutspecific{
Since the PRFs are instantiated using $\SHACompress$ which has an input block
size of $512$ bits (of which $256$ bits are used for the PRF input and $4$ bits
are used for domain separation), it was necessary to reduce the size of the
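Review bot: removing the inner `\sproutonly{$\PRFrho{}$ (instantiated using $\SHACompress$)}` wrapper is correct, because the whole paragraph is already enclosed in the `\sproutspecific{` ... `}` block that opens just above it, so the nested conditional was redundant and the rewritten sentence keeps the same text and punctuation. One further point: the sentence still reads `\Zcash depends on collision resistance of ...` inside a Sprout-specific block; the `\notsprout{\Sprout ...}` / `\sprout{\Zcash ...}` pattern used in the earlier pnote hunk would let it say `\Sprout` once non-Sprout text is shown alongside it.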
@ -6896,7 +6912,7 @@ The motivations for this change were as follows:
$\SymSpecific$ as an authenticated encryption scheme or $\BlakeTwob{256}$ as
a KDF) would not help to decrypt the \notesCiphertext unless
$\TransmitPublic$ is known or guessed.
\item \sproutonly{The KDF also takes a public seed $\hSig$ as input.
\item \sproutspecific{The KDF also takes a public seed $\hSig$ as input.
This can be modeled as using a different ``randomness extractor'' for each
\joinSplitTransfer, which limits degradation of security with the number of
\joinSplitTransfers.
@ -6909,7 +6925,7 @@ The motivations for this change were as follows:
modify it in a ciphertext from someone else's transaction for use in a
chosen-ciphertext attack without detection.}
\sapling{In \Sapling, there is no equivalent to $\hSig$. \todo{Explain why this is ok.}}
\item \sproutonly{The scheme used by \SproutOrZcash includes an optimization that reuses
\item \sproutspecific{The scheme used by \SproutOrZcash includes an optimization that reuses
the same ephemeral key (with different nonces) for the two ciphertexts
encrypted in each \joinSplitDescription.}
\end{itemize}
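Review bot: the `\todo{Explain why this is ok.}` on the `\sapling{...}` line between the two renamed items is still open. It is out of scope for a cosmetics commit, but since this hunk touches the surrounding list, a tracking issue for the missing justification of Sapling having no equivalent of `$\hSig$` would keep it from being lost.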
@ -6918,7 +6934,7 @@ The security proofs of \cite{ABR1999} can be adapted straightforwardly to the
resulting scheme. Although DHAES as defined in that paper does not pass the
recipient public key or a public seed to the \hashFunction $H$, this does not
impair the proof because we can consider $H$ to be the specialization of our
KDF to a given recipient key and seed. \sproutonly{It is necessary to adapt the
KDF to a given recipient key and seed. \sproutspecific{It is necessary to adapt the
``HDH independence'' assumptions and the proof slightly to take into account
that the ephemeral key is reused for two encryptions.}
@ -6997,7 +7013,7 @@ distinct openings of the \noteCommitment when Condition I or II is violated.
\Zcash \joinSplitStatement. $\cm$ can be computed from the other fields.
\sapling{(The definition of \notes for \Sapling is different again.)}
\item The length of proof encodings given in the paper is $288$ bytes.
\sproutonly{This differs from the $296$ bytes specified in \crossref{phgr},
\sproutspecific{This differs from the $296$ bytes specified in \crossref{phgr},
because both the $x$-coordinate and compressed $y$-coordinate of each
point need to be represented. Although it is possible to encode a proof
in $288$ bytes by making use of the fact that elements of $\GF{q}$ can
@ -7690,15 +7706,15 @@ $\ainv = a^{-1} \pmod{\ParamS{r}}$:
A global optimization allows to use a single inverse computation outside
the circuit for any number of nonzero constraints. Suppose that we have
$n$ variables (or \linearCombinations) that are supposed to be nonzero:
$a_{\barerange{0}{n-1}}$. Multiply these together to give $a = \vproduct{i=0}{n-1} a_i$;
$a_\barerange{0}{n-1}$. Multiply these together to give $a = \vproduct{i=0}{n-1} a_i$;
then, constrain $a$ to be nonzero. This works because the product $a$ is nonzero
if and only if all of $a_{\barerange{0}{n-1}}$ are nonzero.
if and only if all of $a_\barerange{0}{n-1}$ are nonzero.
\introsection
\nsubsubsection{Not-all-one constraints} \label{cctnotallone}
Given a sequence $b_{\barerange{0}{n-1}}$ of variables that have already been
Given a sequence $b_\barerange{0}{n-1}$ of variables that have already been
boolean-constrained, we can assert that they are not all one by letting
$a = -n + \vsum{i=0}{n-1} b_i$, and asserting $a \neq 0$ as in the previous
section:
@ -7714,11 +7730,11 @@ section:
\nsubsubsection{Unpacking} \label{cctunpack}
A field element $a$ may need to be ``unpacked'' to a sequence of boolean
variables $b_{\barerange{0}{n-1}} \typecolon \bitseq{n}$, so that
variables $b_\barerange{0}{n-1} \typecolon \bitseq{n}$, so that
$a = \vsum{i=0}{n-1} b_i \mult 2^i$.
\introlist
This costs $n$ constraints to boolean-constrain $b_{\barerange{0}{n-1}}$
This costs $n$ constraints to boolean-constrain $b_\barerange{0}{n-1}$
as in \crossref{cctboolean}, and one constraint that equates the sum with
$a$:
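Review bot: dropping the braces in `$a_\barerange{0}{n-1}$` (and at the `b_\barerange{0}{n-1}` sites in this hunk) makes the subscript depend on how `\barerange` expands: TeX's `_` takes exactly one math field, so if the macro expands to more than one token (for instance `{#1}\,..\,{#2}`, or anything not wrapped in a single outer group) only the first token is subscripted and the rest of the range is set on the baseline. Either keep the `{...}` braces at the call sites or define `\barerange` so that its entire expansion is one group, and compile and eyeball one of these equations before merging.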
@ -7871,7 +7887,7 @@ can be safely used:
\begin{theorem} \label{thmdistinctxcriterion}
Let $Q$ be a point of odd-prime order $s$ on a Montgomery curve $E_{\ParamM{A},\ParamM{B}} / \GF{\ParamS{r}}$.
Let $k_{\barerange{1}{2}}$ be integers in $\rangenozero{-\halfs}{\halfs}$.
Let $k_\barerange{1}{2}$ be integers in $\rangenozero{-\halfs}{\halfs}$.
Let $P_i = \scalarmult{k_i}{Q} = (x_i, y_i)$ for $i \in \range{1}{2}$, with
$k_1 \neq \pm k_2$. Then the non-unified addition constraints
@ -7887,20 +7903,20 @@ implement the affine-Montgomery addition $P_1 + P_2 = (x_3, y_3)$ in all cases.
\begin{proof}
The given constraints are equivalent to the Montgomery addition formulae
under the side condition $x_1 \neq x_2$. (Note that neither $P_i$ can be
the zero point since $k_{\barerange{1}{2}} \neq 0 \pmod s$.)
the zero point since $k_\barerange{1}{2} \neq 0 \pmod s$.)
Assume for a contradiction that $x_1 = x_2$. For any
$P_1 = \scalarmult{k_1}{Q}$, there can be only one other point $-P_1$ with
the same $x$-coordinate. (This follows from the fact that the curve equation
determines $\pm y$ as a function of $x$.)
But $-P_1 = \scalarmult{-1}{\scalarmult{k_1}{Q}} = \scalarmult{-k_1}{Q}$.
Since $\fun{k \typecolon \range{-\halfs}{\halfs}}{\scalarmult{k}{Q} \typecolon \GroupJ}$
is injective and $k_{\barerange{1}{2}}$ are in $\range{-\halfs}{\halfs}$,
is injective and $k_\barerange{1}{2}$ are in $\range{-\halfs}{\halfs}$,
then $k_2 = \pm k_1$ (contradiction).
\end{proof}
The conditions of this theorem are called the \distinctXCriterion.
In particular, if $k_{\barerange{1}{2}}$ are integers in $\range{1}{\halfs}$
In particular, if $k_\barerange{1}{2}$ are integers in $\range{1}{\halfs}$
then it is sufficient to require $k_1 \neq k_2$, since that implies
$k_1 \neq \pm k_2$.
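Review bot: pre-existing rather than introduced here, but it sits in the lines this hunk touches: the proof relies on `\fun{k \typecolon \range{-\halfs}{\halfs}}{\scalarmult{k}{Q} \typecolon \GroupJ}` being injective, while the theorem is stated for a point `Q` on the Montgomery curve `E_{\ParamM{A},\ParamM{B}}`; the codomain should be that curve, or the step to `\GroupJ` should be justified, for the proof to be self-contained. The `k_\barerange{1}{2}` subscript changes carry the same expansion caveat as the unbraced `\barerange` subscripts in the earlier circuit hunks.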
@ -8107,6 +8123,7 @@ as possible to be performed on the Montgomery curve. An incomplete
Montgomery addition costs $3$ constraints, in comparison with an
Edwards addition which costs $6$ constraints.
\introlist
However, we cannot do all additions on the Montgomery curve because the
Montgomery addition is incomplete. In order to be able to prove that
exceptional cases do not occur, we need to ensure that the \distinctXCriterion
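Review bot: the added `\introlist` precedes a paragraph (`However, we cannot do all additions ...`) that is not followed by a list in the visible context, whereas the other `\introlist` insertions in this commit sit directly before a `\begin{itemize}`. Assuming the macro, as its name suggests, keeps an introductory line on the same page as the list it introduces, confirm a list does follow beyond the shown context; otherwise `\introsection` or a plain paragraph may be what was meant.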
@ -8124,6 +8141,7 @@ this calculation can be written as:
where $\PedersenEncode{\paramdot}$ and $\PedersenGen{D}{j}$
are defined as in \crossref{concretepedersenhash}.
\introlist
We have to prove that:
\begin{itemize}
\item the \distinctXCriterion is met for all Montgomery additions within
@ -8216,17 +8234,19 @@ A mixing \xPedersenHash is used to compute $\NoteAddressRand$ from
$\cm$ and $\NotePosition$ in \crossref{commitmentsandnullifiers}. It takes as
input a \xPedersenCommitment $P$, and hashes it with another input $x$.
\introlist
We define $\MixingPedersenHash{D} \typecolon \byteseq{8} \times \range{0}{\ParamJ{r}-1}
\times \GroupJ \rightarrow \GroupJ$ by:
\begin{formulae}
\item $\MixingPedersenHash(D, P, x) := P + \scalarmult{x}{\FindGroupJHashOf{U}{D, \ascii{}}}$.
\item $\MixingPedersenHash(D, P, x) := P + \scalarmult{x}{\FindGroupJHashOf{D, \ascii{}}}$.
\end{formulae}
This costs \todo{...} for the scalar multiplication, and $6$ constraints for the
Edwards addition, for a total of \todo{...} constraints.
\introsection
\nsubsubsection{Merkle path check} \label{cctmerklepath}
Checking a Merkle authentication path, as described in \crossref{merklepath},
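Review bot: the argument order in the type signature and in the definition disagree, in the two lines just above the changed one: `\MixingPedersenHash{D} \typecolon \byteseq{8} \times \range{0}{\ParamJ{r}-1} \times \GroupJ \rightarrow \GroupJ` lists the scalar before the point, while `\MixingPedersenHash(D, P, x)` takes the point `P` before the scalar `x`, and the signature also writes `D` as a macro argument where the definition passes it as the first tuple element. Swapping the two domain factors in the signature would match both the definition and the prose, which names `P` first. Dropping the extra `{U}` argument from `\FindGroupJHashOf` does bring this formula in line with the one-argument form used in the windowed commitment formula further down; the two `\todo{...}` constraint counts remain unfilled.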
@ -8263,9 +8283,10 @@ in only one constraint by substituting $c_1 = a_0 + a_1 - c_0$ into the
uses of $c_1$. The \Sapling circuit does not use this optimization.}
\nsubsubsection{Windowed Pedersen commitment} \label{cctwindowedcommit}
\introsection
\nsubsubsection{\WindowedPedersenCommitment} \label{cctwindowedcommit}
We construct ``windowed'' Pedersen commitments by reusing the Pedersen hash
We construct \windowedPedersenCommitments by reusing the Pedersen hash
implementation, and adding a randomized point:
\begin{formulae}
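Review bot: moving the heading text into the `\WindowedPedersenCommitment` term macro places a macro inside a sectioning command, so it is also written to the table of contents and PDF bookmarks; if the macro's definition is not robust, the argument needs `\protect` or the build will fail when the `.toc` is read back. The body-text change to `\windowedPedersenCommitments` is consistent with the new heading.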
@ -8273,6 +8294,7 @@ implementation, and adding a randomized point:
\PedersenHashToPoint(D, s) + \scalarmult{r}{\FindGroupJHashOf{D, \ascii{}}}$
\end{formulae}
\introlist
This can be implemented in:
\begin{itemize}
\item $... \smult \ell + ...$ constraints for the Pedersen hash on
@ -8285,7 +8307,7 @@ for a total of $... \smult \ell + 756$ constraints.
\nsubsubsection{Raw Pedersen commitments} \label{cctrawcommit}
The windowed Pedersen commitments defined in the preceding section are
The \windowedPedersenCommitments defined in the preceding section are
highly efficient, but they do not support the homomorphic property we
need when instantiating $\ValueCommit{}$ (see \crossref{spendsandoutputs}
and \crossref{saplingbalance}).
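Review bot: the heading `\nsubsubsection{Raw Pedersen commitments}` two lines above the change stays as plain text while the windowed heading in the previous hunk became a term macro; for consistency the raw variant would get the same treatment (a term macro for the heading and for the body text), or both headings stay plain. The body-text change to `\windowedPedersenCommitments` itself matches the earlier hunk.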