mirror of https://github.com/zcash/zips.git
Protocol spec: cosmetics.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood
parent
76bfab70a1
commit
7656d39204
|
|
@ -4941,6 +4941,7 @@ Let $\PRFaddr{}$, $\PRFnf{}$, $\PRFpk{}$, and $\PRFrho{}$ be as defined in \cros
|
|||
Let $\NoteCommitSprout{}$ be as defined in \crossref{abstractcommit}, and
|
||||
let $\NoteTypeSprout$ and $\NoteCommitmentSprout$ be as defined in \crossref{notes}.
|
||||
|
||||
\vspace{-0.5ex}
|
||||
A valid instance of $\ProofJoinSplit$ assures that given a \primaryInput:
|
||||
|
||||
\vspace{-2ex}
|
||||
|
|
@ -4962,7 +4963,7 @@ the prover knows an \auxiliaryInput:
|
|||
\hparen\nOld{\allOld} \typecolon \typeexp{\NoteTypeSprout}{\NOld},\\
|
||||
\hparen\AuthPrivateOld{\allOld} \typecolon \typeexp{\bitseq{\AuthPrivateLength}}{\NOld},\\
|
||||
\hparen\nNew{\allNew} \typecolon \typeexp{\NoteTypeSprout}{\NNew}\changed{,}\vspace{0.8ex}\\
|
||||
\hparen\changed{\NoteAddressPreRand \typecolon \bitseq{\NoteAddressPreRandLength},}\\
|
||||
\hparen\changed{\NoteAddressPreRand \typecolon \bitseq{\NoteAddressPreRandLength},}\vspace{-0.5ex}\\
|
||||
\hparen\changed{\EnforceMerklePath{\allOld} \typecolon \bitseq{\NOld}}\cparen$,
|
||||
\end{formulae}
|
||||
\vspace{-2.5ex}
|
||||
|
|
@ -4974,7 +4975,7 @@ where:
|
|||
\item for each $i \in \setofNew$: $\nNew{i} = (\AuthPublicNew{i},
|
||||
\vNew{i}, \NoteAddressRandNew{i}, \NoteCommitRandNew{i})$
|
||||
\end{formulae}
|
||||
\vspace{-1.5ex}
|
||||
\vspace{-2ex}
|
||||
such that the following conditions hold:
|
||||
|
||||
\snarkcondition{Merkle path validity} \label{sproutmerklepathvalidity}
|
||||
|
|
@ -5039,13 +5040,16 @@ as defined in \crossref{constants}.
|
|||
\vspace{-0.5ex}
|
||||
Let $\ValueCommitAlg$ and $\NoteCommitSaplingAlg$ be as specified in \crossref{abstractcommit}.
|
||||
|
||||
\vspace{-0.5ex}
|
||||
Let $\SpendAuthSig$ be as defined in \crossref{concretespendauthsig}.
|
||||
|
||||
\vspace{-0.5ex}
|
||||
Let $\GroupJ$, $\SubgroupJ$, $\reprJ$, $\ParamJ{q}$, $\ParamJ{r}$, and $\ParamJ{h}$ be as defined in \crossref{jubjub}.
|
||||
|
||||
\vspace{-0.5ex}
|
||||
Let $\ExtractJ \typecolon \SubgroupJ \rightarrow \MerkleHashSapling$ be as defined in \crossref{concreteextractorjubjub}.
|
||||
|
||||
\vspace{-0.5ex}
|
||||
Let $\AuthProveBase$ be as defined in \crossref{saplingkeycomponents}.
|
||||
|
||||
\intropart
|
||||
|
|
@ -5059,11 +5063,11 @@ A valid instance of $\ProofSpend$ assures that given a \primaryInput:
|
|||
\hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic\cparen$,
|
||||
\end{formulae}
|
||||
|
||||
\vspace{-2ex}
|
||||
\vspace{-2.5ex}
|
||||
\introlist
|
||||
the prover knows an \auxiliaryInput:
|
||||
|
||||
\vspace{-1ex}
|
||||
\vspace{-1.5ex}
|
||||
\begin{formulae}
|
||||
\item $\oparen\TreePath{} \typecolon \typeexp{\MerkleHash}{\MerkleDepthSapling},\\
|
||||
\hparen\NotePosition \typecolon \NotePositionTypeSapling,\vspace{0.4ex}\\
|
||||
|
|
@ -5077,32 +5081,35 @@ the prover knows an \auxiliaryInput:
|
|||
\hparen\AuthSignPublic \typecolon \SpendAuthSigPublic,\\
|
||||
\hparen\AuthProvePrivate \typecolon \binaryrange{\ScalarLength}\cparen$
|
||||
\end{formulae}
|
||||
\vspace{-1ex}
|
||||
\vspace{-1.5ex}
|
||||
such that the following conditions hold:
|
||||
|
||||
\vspace{1ex}
|
||||
\vspace{0.5ex}
|
||||
\snarkcondition{Note commitment integrity} \label{spendnotecommitmentintegrity}
|
||||
|
||||
$\cmOld{} = \NoteCommitSapling{\NoteCommitRandOld{}}(\reprJ\Of{\DiversifiedTransmitBase},
|
||||
\reprJ\Of{\DiversifiedTransmitPublic},
|
||||
\vOld{})$.
|
||||
|
||||
\vspace{-1ex}
|
||||
\vspace{-0.5ex}
|
||||
\snarkcondition{Merkle path validity} \label{spendmerklepathvalidity}
|
||||
|
||||
Either $\vOld{} = 0$; or $(\TreePath{}, \NotePosition)$ is a valid \merklePath of depth $\MerkleDepthSapling$,
|
||||
as defined in \crossref{merklepath}, from $\cmU = \ExtractJ(\cmOld{})$ to the \anchor $\rt$.
|
||||
|
||||
\vspace{-0.5ex}
|
||||
\snarkcondition{Value commitment integrity} \label{spendvaluecommitmentintegrity}
|
||||
|
||||
$\cvOld{} = \ValueCommit{\ValueCommitRandOld{}}(\vOld{})$.
|
||||
|
||||
\vspace{-0.5ex}
|
||||
\snarkcondition{Small order checks} \label{spendnonsmall}
|
||||
|
||||
$\DiversifiedTransmitBase$ and $\AuthSignPublic$
|
||||
are not of small order, i.e.\ $\scalarmult{\ParamJ{h}}{\DiversifiedTransmitBase} \neq \ZeroJ$
|
||||
and $\scalarmult{\ParamJ{h}}{\AuthSignPublic} \neq \ZeroJ$.
|
||||
|
||||
\vspace{-0.5ex}
|
||||
\snarkcondition{\Nullifier{} integrity} \label{spendnullifierintegrity}
|
||||
|
||||
$\nfOld{} = \PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRandRepr)$ where
|
||||
|
|
@ -5113,11 +5120,12 @@ $\nfOld{} = \PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRandRepr)$ where
|
|||
\item $\NoteAddressRandRepr = \reprJ\big(\MixingPedersenHash(\cmOld{}, \NotePosition)\kern-0.12em\big)$.
|
||||
\end{formulae}
|
||||
|
||||
\vspace{-1ex}
|
||||
\vspace{-0.5ex}
|
||||
\snarkcondition{Spend authority} \label{spendauthority}
|
||||
|
||||
$\AuthSignRandomizedPublic = \SpendAuthSigRandomizePublic(\AuthSignRandomizer, \AuthSignPublic)$.
|
||||
|
||||
\vspace{-0.5ex}
|
||||
\snarkcondition{Diversified address integrity} \label{spendaddressintegrity}
|
||||
|
||||
$\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$ where
|
||||
|
|
@ -5128,7 +5136,6 @@ $\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBas
|
|||
\item $\AuthSignPublicRepr = \reprJ\Of{\AuthSignPublic}$\,.
|
||||
\end{formulae}
|
||||
|
||||
\vspace{1ex}
|
||||
For details of the form and encoding of \spendStatement proofs, see \crossref{groth}.
|
||||
|
||||
\begin{pnotes}
|
||||
|
|
@ -9469,6 +9476,7 @@ be ignored:
|
|||
\cite{BIP-13} applies with the changes to address version bytes described
|
||||
in \crossref{transparentaddrencoding}.
|
||||
|
||||
\introlist
|
||||
\cite{BIP-111} applies from network protocol version $170004$ onward; that is:
|
||||
\begin{itemize}
|
||||
\item references to protocol version $70002$ are to be replaced by $170003$;
|
||||
|
|
@ -10041,7 +10049,9 @@ distinct openings of the \noteCommitment when Condition I or II is violated.
|
|||
|
||||
The inventors of \Zerocash are Eli Ben-Sasson, Alessandro Chiesa,
|
||||
Christina Garman, Matthew Green, Ian Miers, Eran Tromer, and Madars
|
||||
Virza. The designers of the \Zcash protocol are the \Zerocash inventors
|
||||
Virza.
|
||||
|
||||
The designers of the \Zcash protocol are the \Zerocash inventors
|
||||
and also Daira Hopwood, Sean Bowe, Jack Grigg, Simon Liu, Taylor Hornby,
|
||||
Nathan Wilcox, Zooko Wilcox, Jay Graber, Ariel Gabizon, and George Tankersley.
|
||||
The \Equihash proof-of-work algorithm was designed by Alex Biryukov and
|
||||
|
|
@ -10049,9 +10059,9 @@ Dmitry Khovratovich.
|
|||
|
||||
The authors would like to thank everyone with whom they have discussed the
|
||||
\Zerocash and \Zcash protocol designs; in addition to the preceding, this
|
||||
includes Mike Perry, isis agora lovecruft, Leif Ryge, Andrew Miller, Samantha Hulsey,
|
||||
jl777, Ben Blaxill, Alex Balducci, Jake Tarren, Solar Designer, Ling Ren,
|
||||
Alison Stevenson, John Tromp, Paige Peterson, Maureen Walsh, Jack Gavigan,
|
||||
includes Mike Perry, isis agora lovecruft, Leif Ryge, Andrew Miller, Ben Blaxill,
|
||||
Samantha Hulsey, Alex Balducci, Jake Tarren, Solar Designer, Ling Ren,
|
||||
John Tromp, Paige Peterson, Jack Gavigan, jl777, Alison Stevenson, Maureen Walsh,
|
||||
Filippo Valsorda, Zaki Manian, Tracy Hu, Brian Warner, Mary Maller,
|
||||
Michael Dixon, Andrew Poelstra, Eirik Ogilvie-Wigley, Benjamin Winston, and
|
||||
no doubt others. We would also like to thank the designers and developers of
|
||||
|
|
@ -12579,7 +12589,6 @@ final $\xor$ operations), but not the message bits.
|
|||
\end{nnotes}
|
||||
|
||||
|
||||
\vspace{20ex}
|
||||
\intropart
|
||||
\subsection{The \SaplingText{} Spend circuit} \label{cctsaplingspend}
|
||||
|
||||
|
|
@ -12617,7 +12626,8 @@ The auxiliary input is
|
|||
\hparen\AuthProvePrivate \typecolon \binaryrange{\ScalarLength}\cparen$.
|
||||
\end{formulae}
|
||||
|
||||
$\ValueCommitOutput$ and $\SpendAuthSigPublic$ are $\GroupJ$, so we have
|
||||
\introlist
|
||||
$\ValueCommitOutput$ and $\SpendAuthSigPublic$ are of type $\GroupJ$, so we have
|
||||
$\cvOld{}$, $\cmOld{}$, $\AuthSignRandomizedPublic$, $\DiversifiedTransmitBase$,
|
||||
$\DiversifiedTransmitPublic$, and $\AuthSignPublic$ that
|
||||
represent \jubjubCurve points. However,
|
||||
|
|
@ -12644,7 +12654,7 @@ Therefore we have $\DiversifiedTransmitBase$, $\AuthSignPublic$, $\AuthProvePubl
|
|||
and $\NoteAddressRand$ that need to be constrained to valid \jubjubCurve points as
|
||||
described in \crossref{ccteddecompressvalidate}.
|
||||
|
||||
\introlist
|
||||
\introsection
|
||||
In order to aid in comparing the implementation with the specification,
|
||||
we present the checks needed in the order in which they are implemented
|
||||
in the sapling-crypto code:
|
||||
|
|
@ -12784,7 +12794,7 @@ The auxiliary input is
|
|||
\hparen\EphemeralPrivate \typecolon \binaryrange{\ScalarLength})$
|
||||
\end{formulae}
|
||||
|
||||
$\ValueCommitOutput$ is $\GroupJ$, so we have $\cvNew{}$, $\EphemeralPublic$,
|
||||
$\ValueCommitOutput$ is of type $\GroupJ$, so we have $\cvNew{}$, $\EphemeralPublic$,
|
||||
and $\DiversifiedTransmitBase$ that represent \jubjubCurve points. However,
|
||||
\vspace{1ex}
|
||||
\begin{itemize}
|
||||
|
|
@ -12887,7 +12897,7 @@ Let $\LEOStoBSP{}$, $\LEOStoIP{}$, and $\LEBStoOSP{}$ be as defined in \crossref
|
|||
|
||||
Define $\RedDSABatchEntry := \RedDSAPublic \times \RedDSAMessage \times \RedDSASignature$.
|
||||
|
||||
\introlist
|
||||
\introsection
|
||||
Define $\RedDSABatchVerify \typecolon (\Entry{\barerange{0}{N-1}} \typecolon \typeexp{\RedDSABatchEntry}{N})
|
||||
\rightarrow \bit$ as:
|
||||
\begin{algorithm}
|
||||
|
|
|
|||
Loading…
Reference in New Issue