From 7656d392044d5188bc8d2a8204578e7994a21901 Mon Sep 17 00:00:00 2001
From: Daira Hopwood
Date: Mon, 8 Jul 2019 22:57:50 +0100
Subject: [PATCH] Protocol spec: cosmetics.

Signed-off-by: Daira Hopwood
---
 protocol/protocol.tex | 46 ++++++++++++++++++++++++++-----------------
 1 file changed, 28 insertions(+), 18 deletions(-)

diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index a1c7eb16..885241e5 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -4941,6 +4941,7 @@ Let $\PRFaddr{}$, $\PRFnf{}$, $\PRFpk{}$, and $\PRFrho{}$ be as defined in \cros
 Let $\NoteCommitSprout{}$ be as defined in \crossref{abstractcommit}, and let $\NoteTypeSprout$ and $\NoteCommitmentSprout$ be as defined in \crossref{notes}.
+\vspace{-0.5ex}
 A valid instance of $\ProofJoinSplit$ assures that given a \primaryInput:
 \vspace{-2ex}
@@ -4962,7 +4963,7 @@ the prover knows an \auxiliaryInput:
 \hparen\nOld{\allOld} \typecolon \typeexp{\NoteTypeSprout}{\NOld},\\
 \hparen\AuthPrivateOld{\allOld} \typecolon \typeexp{\bitseq{\AuthPrivateLength}}{\NOld},\\
 \hparen\nNew{\allNew} \typecolon \typeexp{\NoteTypeSprout}{\NNew}\changed{,}\vspace{0.8ex}\\
- \hparen\changed{\NoteAddressPreRand \typecolon \bitseq{\NoteAddressPreRandLength},}\\
+ \hparen\changed{\NoteAddressPreRand \typecolon \bitseq{\NoteAddressPreRandLength},}\vspace{-0.5ex}\\
 \hparen\changed{\EnforceMerklePath{\allOld} \typecolon \bitseq{\NOld}}\cparen$,
 \end{formulae}
 \vspace{-2.5ex}
@@ -4974,7 +4975,7 @@ where:
 \item for each $i \in \setofNew$: $\nNew{i} = (\AuthPublicNew{i}, \vNew{i}, \NoteAddressRandNew{i}, \NoteCommitRandNew{i})$
 \end{formulae}
-\vspace{-1.5ex}
+\vspace{-2ex}
 such that the following conditions hold:
 \snarkcondition{Merkle path validity} \label{sproutmerklepathvalidity}
@@ -5039,13 +5040,16 @@ as defined in \crossref{constants}.
 \vspace{-0.5ex}
 Let $\ValueCommitAlg$ and $\NoteCommitSaplingAlg$ be as specified in \crossref{abstractcommit}.
+\vspace{-0.5ex}
 Let $\SpendAuthSig$ be as defined in \crossref{concretespendauthsig}.
+\vspace{-0.5ex}
 Let $\GroupJ$, $\SubgroupJ$, $\reprJ$, $\ParamJ{q}$, $\ParamJ{r}$, and $\ParamJ{h}$ be as defined in \crossref{jubjub}.
 \vspace{-0.5ex}
 Let $\ExtractJ \typecolon \SubgroupJ \rightarrow \MerkleHashSapling$ be as defined in \crossref{concreteextractorjubjub}.
+\vspace{-0.5ex}
 Let $\AuthProveBase$ be as defined in \crossref{saplingkeycomponents}.
 \intropart
@@ -5059,11 +5063,11 @@ A valid instance of $\ProofSpend$ assures that given a \primaryInput:
 \hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic\cparen$,
 \end{formulae}
-\vspace{-2ex}
+\vspace{-2.5ex}
 \introlist
 the prover knows an \auxiliaryInput:
-\vspace{-1ex}
+\vspace{-1.5ex}
 \begin{formulae}
 \item $\oparen\TreePath{} \typecolon \typeexp{\MerkleHash}{\MerkleDepthSapling},\\
 \hparen\NotePosition \typecolon \NotePositionTypeSapling,\vspace{0.4ex}\\
@@ -5077,32 +5081,35 @@ the prover knows an \auxiliaryInput:
 \hparen\AuthSignPublic \typecolon \SpendAuthSigPublic,\\
 \hparen\AuthProvePrivate \typecolon \binaryrange{\ScalarLength}\cparen$
 \end{formulae}
-\vspace{-1ex}
+\vspace{-1.5ex}
 such that the following conditions hold:
-\vspace{1ex}
+\vspace{0.5ex}
 \snarkcondition{Note commitment integrity} \label{spendnotecommitmentintegrity}
 $\cmOld{} = \NoteCommitSapling{\NoteCommitRandOld{}}(\reprJ\Of{\DiversifiedTransmitBase}, \reprJ\Of{\DiversifiedTransmitPublic}, \vOld{})$.
-\vspace{-1ex}
+\vspace{-0.5ex}
 \snarkcondition{Merkle path validity} \label{spendmerklepathvalidity}
 Either $\vOld{} = 0$; or $(\TreePath{}, \NotePosition)$ is a valid \merklePath of depth $\MerkleDepthSapling$, as defined in \crossref{merklepath}, from $\cmU = \ExtractJ(\cmOld{})$ to the \anchor $\rt$.
+\vspace{-0.5ex}
 \snarkcondition{Value commitment integrity} \label{spendvaluecommitmentintegrity}
 $\cvOld{} = \ValueCommit{\ValueCommitRandOld{}}(\vOld{})$.
+\vspace{-0.5ex}
 \snarkcondition{Small order checks} \label{spendnonsmall}
 $\DiversifiedTransmitBase$ and $\AuthSignPublic$ are not of small order, i.e.\ $\scalarmult{\ParamJ{h}}{\DiversifiedTransmitBase} \neq \ZeroJ$ and $\scalarmult{\ParamJ{h}}{\AuthSignPublic} \neq \ZeroJ$.
+\vspace{-0.5ex}
 \snarkcondition{\Nullifier{} integrity} \label{spendnullifierintegrity}
 $\nfOld{} = \PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRandRepr)$ where
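Review bot: The same hand-written `\vspace{-0.5ex}` now precedes four `\snarkcondition` headings in this hunk (Merkle path validity, Value commitment integrity, Small order checks, Nullifier integrity) and two more in the next hunk (Spend authority, Diversified address integrity), while the first heading keeps a different value after the `-\vspace{1ex}`/`+\vspace{0.5ex}` edit. Since `\snarkcondition` is a macro defined outside this hunk, folding the skip into its definition would keep the spacing uniform across the Spend and Output statements and drop these added lines; if a heading genuinely needs a different skip, that one case can still be overridden locally. The rest of the statement (the conditions after the Nullifier integrity line) continues outside the hunk.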
@@ -5113,11 +5120,12 @@ $\nfOld{} = \PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRandRepr)$ where
 \item $\NoteAddressRandRepr = \reprJ\big(\MixingPedersenHash(\cmOld{}, \NotePosition)\kern-0.12em\big)$.
 \end{formulae}
-\vspace{-1ex}
+\vspace{-0.5ex}
 \snarkcondition{Spend authority} \label{spendauthority}
 $\AuthSignRandomizedPublic = \SpendAuthSigRandomizePublic(\AuthSignRandomizer, \AuthSignPublic)$.
+\vspace{-0.5ex}
 \snarkcondition{Diversified address integrity} \label{spendaddressintegrity}
 $\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$ where
@@ -5128,7 +5136,6 @@ $\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBas
 \item $\AuthSignPublicRepr = \reprJ\Of{\AuthSignPublic}$\,.
 \end{formulae}
-\vspace{1ex}
 For details of the form and encoding of \spendStatement proofs, see \crossref{groth}.
 \begin{pnotes}
@@ -9469,6 +9476,7 @@ be ignored:
 \cite{BIP-13} applies with the changes to address version bytes described in \crossref{transparentaddrencoding}.
+\introlist
 \cite{BIP-111} applies from network protocol version $170004$ onward; that is:
 \begin{itemize}
 \item references to protocol version $70002$ are to be replaced by $170003$;
@@ -10041,7 +10049,9 @@ distinct openings of the \noteCommitment when Condition I or II is violated.
 The inventors of \Zerocash are Eli Ben-Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer, and Madars
-Virza. The designers of the \Zcash protocol are the \Zerocash inventors
+Virza.
+
+The designers of the \Zcash protocol are the \Zerocash inventors
 and also Daira Hopwood, Sean Bowe, Jack Grigg, Simon Liu, Taylor Hornby, Nathan Wilcox, Zooko Wilcox, Jay Graber, Ariel Gabizon, and George Tankersley. The \Equihash proof-of-work algorithm was designed by Alex Biryukov and
@@ -10049,9 +10059,9 @@ Dmitry Khovratovich.
 The authors would like to thank everyone with whom they have discussed the \Zerocash and \Zcash protocol designs; in addition to the preceding, this
-includes Mike Perry, isis agora lovecruft, Leif Ryge, Andrew Miller, Samantha Hulsey,
-jl777, Ben Blaxill, Alex Balducci, Jake Tarren, Solar Designer, Ling Ren,
-Alison Stevenson, John Tromp, Paige Peterson, Maureen Walsh, Jack Gavigan,
+includes Mike Perry, isis agora lovecruft, Leif Ryge, Andrew Miller, Ben Blaxill,
+Samantha Hulsey, Alex Balducci, Jake Tarren, Solar Designer, Ling Ren,
+John Tromp, Paige Peterson, Jack Gavigan, jl777, Alison Stevenson, Maureen Walsh,
 Filippo Valsorda, Zaki Manian, Tracy Hu, Brian Warner, Mary Maller, Michael Dixon, Andrew Poelstra, Eirik Ogilvie-Wigley, Benjamin Winston, and no doubt others. We would also like to thank the designers and developers of
@@ -12579,7 +12589,6 @@ final $\xor$ operations), but not the message bits.
 \end{nnotes}
-\vspace{20ex}
 \intropart
 \subsection{The \SaplingText{} Spend circuit} \label{cctsaplingspend}
@@ -12617,7 +12626,8 @@ The auxiliary input is
 \hparen\AuthProvePrivate \typecolon \binaryrange{\ScalarLength}\cparen$.
 \end{formulae}
-$\ValueCommitOutput$ and $\SpendAuthSigPublic$ are $\GroupJ$, so we have
+\introlist
+$\ValueCommitOutput$ and $\SpendAuthSigPublic$ are of type $\GroupJ$, so we have
 $\cvOld{}$, $\cmOld{}$, $\AuthSignRandomizedPublic$, $\DiversifiedTransmitBase$, $\DiversifiedTransmitPublic$, and $\AuthSignPublic$ that represent \jubjubCurve points. However,
@@ -12644,7 +12654,7 @@ Therefore we have $\DiversifiedTransmitBase$, $\AuthSignPublic$, $\AuthProvePubl
 and $\NoteAddressRand$ that need to be constrained to valid \jubjubCurve points as described in \crossref{ccteddecompressvalidate}.
-\introlist
+\introsection
 In order to aid in comparing the implementation with the specification, we present the checks needed in the order in which they are implemented in the sapling-crypto code:
@@ -12784,7 +12794,7 @@ The auxiliary input is
 \hparen\EphemeralPrivate \typecolon \binaryrange{\ScalarLength})$
 \end{formulae}
-$\ValueCommitOutput$ is $\GroupJ$, so we have $\cvNew{}$, $\EphemeralPublic$,
+$\ValueCommitOutput$ is of type $\GroupJ$, so we have $\cvNew{}$, $\EphemeralPublic$,
 and $\DiversifiedTransmitBase$ that represent \jubjubCurve points. However,
 \vspace{1ex}
 \begin{itemize}
@@ -12887,7 +12897,7 @@ Let $\LEOStoBSP{}$, $\LEOStoIP{}$, and $\LEBStoOSP{}$ be as defined in \crossref
 Define $\RedDSABatchEntry := \RedDSAPublic \times \RedDSAMessage \times \RedDSASignature$.
-\introlist
+\introsection
 Define $\RedDSABatchVerify \typecolon (\Entry{\barerange{0}{N-1}} \typecolon \typeexp{\RedDSABatchEntry}{N}) \rightarrow \bit$ as:
 \begin{algorithm}