mirror of https://github.com/zcash/zips.git
Protocol spec: minor wording changes, added cross-references, and better "changed" marking.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood
parent
b684ce88e2
commit
70e920e1c8
|
|
@ -3092,7 +3092,7 @@ from a \diversifier in \crossref{saplingkeycomponents}.
|
|||
|
||||
$\PRF{x}{}$ is a \defining{\pseudoRandomFunction} keyed by $x$.
|
||||
|
||||
Let $\AuthPrivateLength$, $\NoteAddressPreRandLength$, $\hSigLength$,
|
||||
Let $\AuthPrivateLength$, \changed{$\NoteAddressPreRandLength$,} $\hSigLength$,
|
||||
$\PRFOutputLengthSprout$, \sapling{$\SpendingKeyLength$, $\OutViewingKeyLength$,
|
||||
$\PRFOutputLengthExpand$, $\PRFOutputLengthNfSapling$,}
|
||||
$\NOld$, and $\NNew$ be as defined in \crossref{constants}.
|
||||
|
|
@ -3112,7 +3112,7 @@ Let $\Sym$ be as defined in \crossref{concretesym}.
|
|||
$\PRFaddr{} $&$\typecolon\; \bitseq{\AuthPrivateLength} $&$\times\; \byte $& &$\rightarrow \PRFOutputSprout $\\
|
||||
$\PRFnf{} $&$\typecolon\; \bitseq{\AuthPrivateLength} $&$\times\; \PRFOutputSprout $& &$\rightarrow \PRFOutputSprout $\\
|
||||
$\PRFpk{} $&$\typecolon\; \bitseq{\AuthPrivateLength} $&$\times\; \setofOld $&$\times\; \hSigType $&$\rightarrow \PRFOutputSprout $\\
|
||||
$\PRFrho{} $&$\typecolon\; \bitseq{\NoteAddressPreRandLength} $&$\times\; \setofNew $&$\times\; \hSigType $&$\rightarrow \PRFOutputSprout $
|
||||
$\setchanged\PRFrho{} $&$\setchanged\typecolon\; \bitseq{\NoteAddressPreRandLength} $&$\setchanged\times\; \setofNew $&$\setchanged\times\; \hSigType $&$\setchanged\rightarrow \PRFOutputSprout $
|
||||
\end{tabular}
|
||||
|
||||
These are used in \crossref{joinsplitstatement}; $\PRFaddr{}$ is also used to
|
||||
|
|
@ -4234,11 +4234,13 @@ There are no signatures associated with \outputDescriptions.
|
|||
|
||||
Let $\ValueCommitOutput$ be as defined in \crossref{abstractcommit}.
|
||||
|
||||
Let $\MerkleHashLengthSapling$ be as defined in \crossref{constants}.
|
||||
|
||||
Let $\KASapling$ be as defined in \crossref{abstractkeyagreement}.
|
||||
|
||||
Let $\Sym$ be as defined in \crossref{abstractsym}.
|
||||
|
||||
Let $\Spend$ be as defined in \crossref{abstractzk}.
|
||||
Let $\Output$ be as defined in \crossref{abstractzk}.
|
||||
|
||||
\vspace{1ex}
|
||||
\introlist
|
||||
|
|
@ -4334,7 +4336,11 @@ containing one or more \outputDescriptions.
|
|||
|
||||
Let $\ValueCommitAlg$ and $\NoteCommitSaplingAlg$ be as specified in \crossref{abstractcommit}.
|
||||
|
||||
Let $\reprJ$ and $\ParamJ{h}$ be as defined in \crossref{jubjub}.
|
||||
Let $\KASapling$ be as defined in \crossref{abstractkeyagreement}.
|
||||
|
||||
Let $\DiversifyHash$ be as defined in \crossref{abstracthashes}.
|
||||
|
||||
Let $\reprJ$, $\ParamJ{r}$, and $\ParamJ{h}$ be as defined in \crossref{jubjub}.
|
||||
|
||||
\vspace{1ex}
|
||||
Let $\OutViewingKey$ be an \outgoingViewingKey that is intended to be able to decrypt
|
||||
|
|
@ -4419,7 +4425,7 @@ Let $\AuthPrivateLength$ and $\PRFOutputLengthSprout$ be as defined in \crossref
|
|||
|
||||
Let $\PRFnf{}$ be as defined in \crossref{abstractprfs}.
|
||||
|
||||
Let $\NoteCommitSproutTrapdoor$ be as defined in \crossref{abstractcommit}.
|
||||
Let $\NoteCommitSproutAlg$ be as defined in \crossref{abstractcommit}.
|
||||
|
||||
\introlist
|
||||
\vspace{0.5ex}
|
||||
|
|
@ -4462,7 +4468,7 @@ Let $\AuthProveBase$ be as defined in \crossref{saplingkeycomponents}.
|
|||
|
||||
Let $\PRFnfSapling{}$ be as defined in \crossref{abstractprfs}.
|
||||
|
||||
Let $\NoteCommitSaplingTrapdoor$ be as defined in \crossref{abstractcommit}.
|
||||
Let $\NoteCommitSaplingAlg$ be as defined in \crossref{abstractcommit}.
|
||||
|
||||
\introlist
|
||||
\vspace{0.5ex}
|
||||
|
|
@ -4982,7 +4988,7 @@ Let $\MerkleHashLengthSprout$, $\PRFOutputLengthSprout$, $\MerkleDepthSprout$, $
|
|||
$\AuthPrivateLength$, $\NoteAddressPreRandLength$, $\hSigLength$, $\NOld$, $\NNew$ be as defined in \crossref{constants}.
|
||||
|
||||
\vspace{-1ex}
|
||||
Let $\PRFaddr{}$, $\PRFnf{}$, $\PRFpk{}$, and $\PRFrho{}$ be as defined in \crossref{abstractprfs}.
|
||||
Let $\PRFaddr{}$, $\PRFnf{}$, $\PRFpk{}$, \changed{and $\PRFrho{}$} be as defined in \crossref{abstractprfs}.
|
||||
|
||||
\vspace{-1ex}
|
||||
Let $\NoteCommitSprout{}$ be as defined in \crossref{abstractcommit}, and
|
||||
|
|
@ -5584,6 +5590,8 @@ Let $\PRFOutputLengthSprout$ be as defined in \crossref{constants}.
|
|||
|
||||
Let $\NoteTypeSprout$ be as defined in \crossref{notes}.
|
||||
|
||||
Let $\KASprout$ be as defined in \crossref{concretesproutkeyagreement}.
|
||||
|
||||
\vspace{1ex}
|
||||
\introsection
|
||||
The following algorithm can be used, given the \blockchain and a
|
||||
|
|
@ -5642,6 +5650,8 @@ Let $\PRFOutputLengthNfSapling$ be as defined in \crossref{constants}.
|
|||
|
||||
Let $\NoteTypeSapling$ be as defined in \crossref{notes}.
|
||||
|
||||
Let $\KASapling$ be as defined in \crossref{concretesaplingkeyagreement}.
|
||||
|
||||
\introsection
|
||||
\vspace{1ex}
|
||||
The following algorithm can be used, given the \blockchain and
|
||||
|
|
@ -6245,6 +6255,8 @@ Let $\ExtractJ \typecolon \SubgroupJ \rightarrow \MerkleHashSapling$ be as defin
|
|||
\vspace{-1ex}
|
||||
Let $\FindGroupJHash$ be as defined in \crossref{concretegrouphashjubjub}.
|
||||
|
||||
Let $\UncommittedSapling$ be as defined in \crossref{constants}.
|
||||
|
||||
Let $c := 63$.
|
||||
|
||||
\newsavebox{\gencountbox}
|
||||
|
|
@ -6360,6 +6372,7 @@ Because $\ExtractJ$ is injective, it follows that $\PedersenHash$ is equally
|
|||
\begin{theorem}[$\UncommittedSapling$ is not in the range of $\PedersenHash$]\end{theorem}
|
||||
|
||||
\begin{proof}
|
||||
$\UncommittedSapling$ is defined as $\ItoLEBSPOf{\MerkleHashLengthSapling}{1}$.
|
||||
By injectivity of $\ItoLEBSP{\MerkleHashLengthSapling}$ and definitions of
|
||||
$\PedersenHash$ and $\ExtractJ$, $\ItoLEBSPOf{\MerkleHashLengthSapling}{1}$
|
||||
can be in the range of $\PedersenHash$ only if there exist
|
||||
|
|
@ -6813,7 +6826,7 @@ $\BlakeTwobOf{256}{p, x}$ is defined in \crossref{concreteblake2}.
|
|||
$\JoinSplitSig$ is a \signatureScheme as specified in \crossref{abstractsig}.
|
||||
|
||||
\changed{It is instantiated as $\JoinSplitSigSpecific$ \cite{BDLSY2012},
|
||||
with the additional requirements that:
|
||||
with the additional requirements that for a signature $(\EdDSAReprS, \EdDSAReprR)$:
|
||||
|
||||
\begin{itemize}
|
||||
\item $\EdDSAReprS$ \MUST represent an integer less than
|
||||
|
|
@ -7107,9 +7120,9 @@ instantiated using $\SHAFull$ as follows:
|
|||
\item $\NoteCommitSproutGenTrapdoor()$ generates the uniform distribution on $\NoteCommitSproutTrapdoor$.
|
||||
\end{formulae}
|
||||
|
||||
\pnote{
|
||||
\changed{\pnote{
|
||||
The leading byte of the $\SHAFull$ input is $\hexint{B0}$.
|
||||
}
|
||||
}}
|
||||
|
||||
\begin{securityrequirements}
|
||||
\item The \shaCompressFunction must be \collisionResistant\!.
|
||||
|
|
@ -11661,7 +11674,7 @@ boolean-constraining $u_\barerange{0}{254}$.
|
|||
|
||||
The same \quadraticConstraintProgram is used for compression and decompression.
|
||||
|
||||
\pnote{
|
||||
\nnote{
|
||||
The point-on-curve check could be omitted if $(u, \varv)$ were already known to be on the curve.
|
||||
However, the \Sapling circuit never omits it; this provides a consistency check on the elliptic
|
||||
curve arithmetic.
|
||||
|
|
|
|||
Loading…
Reference in New Issue