Add comments at closing braces saying which construct is being closed.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2018-03-10 04:11:23 +00:00
parent 2924ff85e1
commit 76f3b1d0fd
1 changed files with 48 additions and 38 deletions

@ -1366,7 +1366,7 @@ Changes specific to the \Sapling upgrade following \NUZero (which are also
changes from \Zerocash) are highlighted in \sapling{\saplingcolor}.
The name \Sprout is used for the \Zcash protocol prior to \Sapling
(both before and after \NUZero).
}
} %notsprout
Technical terms for concepts that play an important rôle in \Zcash are
written in \term{slanted text}. \emph{Italics} are used for emphasis and
@ -1492,7 +1492,7 @@ which proves that all of the following hold except with negligable probability:
\item Each output \note is generated in such a way that it is infeasible to
cause its \nullifier to collide with the \nullifier of any other \note.
\end{itemize}
}
} %sprout
\notsprout{
A \transaction also includes computationally sound \zkSNARK proofs, which prove
that all of the following hold except with negligable probability:
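Review bot: "negligable" is misspelled in the context line `that all of the following hold except with negligable probability:` and again in the context shown in this hunk's header. Both should read "negligible"; since they sit right next to the braces being edited, a follow-up commit can fix the two occurrences together.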
@ -1525,7 +1525,7 @@ outside the \zkSNARK.
In addition, various measures (differing between \Sprout and \Sapling) are
used to ensure that the \transaction cannot be modified by a party not authorized
to do so.
}
} %notsprout
Outside the \zkSNARK, it is \sprout{also} checked that the \nullifiers for the input
\notes had not already been revealed (i.e.\ they had not already been spent).
@ -1738,7 +1738,7 @@ The \receivingKey $\TransmitPrivate$, the \incomingViewingKey
$\InViewingKey = (\AuthPublic, \TransmitPrivate)$, and the \paymentAddress
$\PaymentAddress = (\AuthPublic, \TransmitPublic)$ are derived from
$\AuthPrivate$, as described in \crossref{sproutkeycomponents}.
}
} %sproutspecific
\saplingonward{
The \authSigningKey $\AuthSignPrivate$,
@ -1747,7 +1747,7 @@ the \fullViewingKey $(\AuthSignPublic, \AuthProvePublic)$,
the \incomingViewingKey $\InViewingKey$, and
each \diversifiedPaymentAddress $\DiversifiedPaymentAddress = (\Diversifier, \DiversifiedTransmitPublic)$
are derived from $\AuthPrivateSeed$, as described in \crossref{saplingkeycomponents}.
}
} %saplingonward
The composition of \paymentAddresses, \changed{\incomingViewingKeys,}
\sapling{\fullViewingKeys,} and \spendingKeys is a cryptographic protocol
@ -1770,7 +1770,7 @@ case that a payee wishes to prevent this they should create a distinct
such addresses shares the same \fullViewingKey and \incomingViewingKey, and
so creating as many unlinkable addresses as needed does not increase the cost
of scanning the \blockchain for relevant \transactions.
}
} %saplingonward
\pnote{
It is conventional in cryptography to refer to the key used to encrypt
@ -1794,13 +1794,13 @@ A \note (denoted $\NoteTuple{}$) is a tuple $\changed{(\AuthPublic, \Value,
\NoteAddressRand, \NoteCommitRand)}$. It represents that a value $\Value$ is
spendable by the recipient who holds the \spendingKey $\AuthPrivate$ corresponding
to $\AuthPublic$, as described in the previous section.
}
} %sprout
\notsprout{
A \note (denoted $\NoteTuple{}$) can be a \Sprout \note\sapling{ or a
\Sapling \note}. In either case it represents that a value $\Value$ is
spendable by the recipient who holds the \spendingKey corresponding
to a given \paymentAddress.
}
} %notsprout
A \SproutOrNothing \note is a tuple $\changed{(\AuthPublic,
\Value, \NoteAddressRand, \NoteCommitRand)}$, where:
@ -1844,7 +1844,7 @@ Let $\NoteTypeSapling$ be the type of a \Sapling \note, i.e.
\item $\NoteTypeSapling := \DiversifierType \times \bitseq{\ellJ} \times \range{0}{\MAXMONEY}
\times \bitseq{\ellJ} \times \NoteCommitSaplingTrapdoor$.
\end{formulae}
}
} %sapling
Creation of new \notes is described in \crossref{send}. When \notes are sent,
only a commitment (see \crossref{abstractcommit}) to the above values is disclosed
@ -1885,7 +1885,7 @@ We refer to the combination of a \note and its \notePosition $\NotePosition$, as
For a \positionedNote, we can compute the value
$\NoteAddressRand \typecolon \bitseq{\ellJ}$ as described in \crossref{commitmentsandnullifiers}.
}
} %sapling
\vspace{2ex}
A \nullifier (denoted $\nf$) is derived from the $\NoteAddressRand$ value
@ -1915,7 +1915,7 @@ The \notePlaintext in each \outputDescription is encrypted to the
\diversifiedTransmissionKey $\DiversifiedTransmitPublic$.
Each \Sapling \notePlaintext (denoted $\NotePlaintext{}$) consists of
$(\Diversifier, \Value, \NoteCommitRand, \Memo)$.
}
} %saplingonward
\changed{
$\Memo$ represents a \memo associated with this \note. The usage of the
@ -2109,7 +2109,7 @@ for the whole \transaction to balance.
\item The \anchor of each \spendDescription in a \transaction{} \MUST refer
to some earlier \block's final \Sapling \treestate.
\end{consensusrules}
}
} %sapling
\nsubsection{\NoteCommitmentTrees} \label{merkletree}
@ -2187,7 +2187,7 @@ as described in \crossref{foundersreward}.
$\MerkleCRH \typecolon \MerkleHashSprout \times \MerkleHashSprout \rightarrow \MerkleHashSprout$
is a collision-resistant \hashFunction used in \crossref{merklepath}.
It is instantiated in \crossref{merklecrh}.
}
} %sprout
\notsprout{
The functions $\MerkleCRHSprout \typecolon \MerkleLayerSprout \times \MerkleHashSprout \times \MerkleHashSprout
\rightarrow \MerkleHashSprout$
@ -2199,7 +2199,7 @@ are \hashFunctions used in \crossref{merklepath}.
\sapling{$\MerkleCRHSapling$ is collision-resistant on all its arguments, and}
$\MerkleCRHSprout$ is collision-resistant except on its first argument.
Both of these functions are instantiated in \crossref{merklecrh}.
}
} %notsprout
\changed{
$\hSigCRH{} \typecolon \bitseq{\RandomSeedLength} \times \typeexp{\PRFOutput}{\NOld} \times \JoinSplitSigPublic \rightarrow \hSigType$
@ -2622,7 +2622,7 @@ $\ParamG{r}$.
Unlike the representation function $\reprG{}$, $\ExtractG$ need not have an
efficiently computable left inverse.
}
}
} %sapling
\sapling{
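Review bot: The bare `}` directly above `} %sapling` in this hunk is still unlabelled, so a reader cannot tell which inner construct it closes. The same pattern shows up later after `\securityrequirement{` and in the personalization-string hunk. If the intent is to label every closing brace, add a comment there too; if only the conditional-version macros are meant, say so in the commit message.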
@ -2662,7 +2662,8 @@ such that $\vsum{i = 1}{n}\left(\scalarmult{x_i}{\GroupGHash{\CRS}(m_i)}\right)
mitigates the possibility that the group hash algorithm could have
been backdoored.
\end{pnotes}
}
} %sapling
\introlist
\nsubsubsection{\RepresentedPairing} \label{abstractpairing}
@ -2771,7 +2772,7 @@ specialized to the \joinSplitStatement given in \crossref{joinsplitstatement}.
In this case we omit the key subscripts on $\JoinSplitProve$ and $\JoinSplitVerify$,
taking them to be the particular \provingKey and \verifyingKey defined by the
\joinSplitParameters in \crossref{sproutparameters}.
}
} %sprout
\sapling{
\Zcash uses two \provingSystems:
\begin{itemize}
@ -2799,7 +2800,8 @@ Similarly, we omit the key subscripts on $\SpendProve$,
$\SpendVerify$, $\OutputProve$, and $\OutputVerify$, taking
them to be the $\Groth$ \provingKeys and
\verifyingKeys defined in \crossref{saplingparameters}.
}
} %sapling
\nsubsection{\KeyComponents} \label{keycomponents}
@ -2927,7 +2929,7 @@ The resulting \diversifiedPaymentAddress is $(\Diversifier, \DiversifiedTransmit
be randomly chosen unique byte sequences used to index into a database, rather
than directly encoding the needed data.
\end{pnotes}
}
} %sapling
\nsubsection{\JoinSplitDescriptions} \label{joinsplitdesc}
@ -3030,8 +3032,10 @@ where
\item The \spendAuthSignature{} \MUST be a valid $\SpendAuthSig$ signature using
$\nf$ as the public key, over \todo{...}
\end{consensusrules}
} %sapling
\sapling{
\nsubsection{\OutputDescriptions} \label{outputdesc}
An \outputTransfer, as specified in \crossref{spendsandoutputs}, is encoded in
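Review bot: The `} %sapling` and `\sapling{` lines in front of `\nsubsection{\OutputDescriptions}` look like a structural change, not a comment. The hunk grows from 8 to 10 lines, and one `\sapling{...}` block appears to be closed and reopened around the subsection boundary. The commit message only mentions adding comments, so either mention the split there or move it to its own commit, and confirm the rendered output is unchanged for both the Sprout-only and Sapling builds.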
@ -3062,7 +3066,7 @@ where
from the other fields except $\TransmitCiphertext{}$.
I.e.\ it must be the case that $\SpendVerify{}((\cv, \cm, \EphemeralPublic), \Proof{\Output}) = 1$.
\end{consensusrules}
}
} %sapling
\introlist
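Review bot: The context line `$\SpendVerify{}((\cv, \cm, \EphemeralPublic), \Proof{\Output}) = 1$` checks an output proof with the spend verifier, inside the consensus rules for \OutputDescriptions. The proving-system text elsewhere in this diff names `$\OutputVerify$` alongside `$\SpendVerify$`, so this looks like a copy-paste from the spend description and should probably be `\OutputVerify{}`. It is not introduced by this commit, but it is a consensus rule, so it deserves a follow-up fix.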
@ -3213,13 +3217,14 @@ information leakage from the structure of \transactions are beyond the
scope of this specification.
The encoded \transaction is submitted to the network.
}
} %sapling
\nsubsection{Merkle path validity} \label{merklepath}
\sprout{
The depth of the \noteCommitmentTree is $\MerkleDepth$ (defined in \crossref{constants}).
}
} %sprout
\notsprout{
Let $\MerkleDepth$ be $\MerkleDepthSprout$ for the \Sprout \noteCommitmentTree\sapling{,
or $\MerkleDepthSapling$ for the \Sapling \noteCommitmentTree}. These constants are
@ -3229,7 +3234,7 @@ Similarly, let $\MerkleCRH$ be $\MerkleCRHSprout$ for \Sprout\sapling{, or $\Mer
for \Sapling}.
The following discussion applies independently to the \Sprout and \Sapling \noteCommitmentTrees.
}
} %notsprout
Each \merkleNode in the \incrementalMerkleTree is associated with a \merkleHash,
which is a bit sequence. The \merkleLayer numbered $h$, counting from
@ -3377,7 +3382,7 @@ as follows:
\end{formulae}
$\MixingPedersenHash$ is defined in \crossref{concretemixinghash}.
}
} %sapling
Let $\PRFnf{}{}$\sapling{ and $\PRFnr{}{}$} be as instantiated in \crossref{concreteprfs}.
@ -3388,7 +3393,7 @@ is derived as $\PRFnf{\AuthPrivate}(\NoteAddressRand)$.
\sapling{
For a \Sapling \note, the \nullifier is derived as
$\scalarmult{\PRFnr{\AuthProvePublic}(\NoteAddressRand)}{\scalarmult{8}{\AuthSignPublic}}$.
}
} %sapling
\introsection
@ -3482,6 +3487,7 @@ for each $i \in \setofNew$: $\cmNew{i}$ = $\NoteCommitSprout(\nNew{i})$.
\vspace{2.5ex}
For details of the form and encoding of proofs, see \crossref{phgr}.
\sapling{
\introsection
\nsubsubsection{\SpendStatement{} (\Sapling)} \label{spendstatement}
@ -3555,14 +3561,17 @@ $\AuthPublicOld{i} = \PRFaddr{\AuthPrivateOld{i}}(0)$.
\vspace{2.5ex}
For details of the form and encoding of \spendStatement proofs, see \crossref{groth}.
} %sapling
\sapling{
\introsection
\nsubsubsection{\OutputStatement{} (\Sapling)} \label{outputstatement}
\todo{}
For details of the form and encoding of \outputStatement proofs, see \crossref{groth}.
}
} %sapling
\nsubsection{In-band secret distribution} \label{inband}
@ -3758,13 +3767,13 @@ Define:
\item $\MerkleDepthSprout \typecolon \Nat := \changed{29}$
\sapling{
\item $\MerkleDepthSapling \typecolon \Nat := 29$
}
} %sapling
\item $\NOld \typecolon \Nat := 2$
\item $\NNew \typecolon \Nat := 2$
\item $\MerkleHashLengthSprout \typecolon \Nat := 256$
\sapling{
\item $\MerkleHashLengthSapling \typecolon \Nat := 255$
}
} %sapling
\item $\hSigLength \typecolon \Nat := 256$
\item $\PRFOutputLength \typecolon \Nat := 256$
\item $\PRGOutputLength \typecolon \Nat := 512$
@ -3774,12 +3783,12 @@ Define:
\sapling{
\item $\AuthPrivateSeedLength \typecolon \Nat := 256$
\item $\DiversifierLength \typecolon \Nat := 88$
}
} %sapling
\item $\changed{\NoteAddressPreRandLength \typecolon \Nat := 252}$
\item $\UncommittedSprout \typecolon \bitseq{\MerkleHashLengthSprout} := \zeros{\MerkleHashLengthSprout}$
\sapling{
\item $\UncommittedSapling \typecolon \bitseq{\MerkleHashLengthSapling} := \ones{\MerkleHashLengthSapling}$
}
} %sapling
\item $\MAXMONEY \typecolon \Nat := \changed{2.1 \smult 10^{15}}$ (\zatoshi)
\item $\SlowStartInterval \typecolon \Nat := 20000$
\item $\HalvingInterval \typecolon \Nat := 840000$
@ -3873,7 +3882,7 @@ $\GroupJHash{}$.
\begin{formulae}
\item $\BlakeTwos{\ell} \typecolon \byteseq{8} \times \byteseqs \rightarrow \byteseq{\ell/8}$
\end{formulae}
}
} %sapling
\introsection
@ -3951,7 +3960,7 @@ $\MerkleCRHSapling \typecolon \MerkleLayerSapling \times \MerkleHashSapling \tim
\securityrequirement{
$\PedersenHash$ must be collision-resistant.
}
}
} %sapling
\introlist
@ -4039,7 +4048,7 @@ used rather than external truncation. However, the protocol-specific
personalization string together with truncation achieve essentially
the same effect as using that feature.
}
}
} %sapling
\sapling{
@ -4170,7 +4179,7 @@ zero, the proof can be adapted straightforwardly to show that $\PedersenHashToPo
is collision-resistant under the same assumptions and security bounds.
Because $\ItoLEBSP{255}$ and $\ExtractJ$ are injective, it follows that
$\PedersenHash$ is equally collision-resistant.
}
} %sapling
\sapling{
@ -4198,7 +4207,7 @@ This function must be collision-resistant on $(r, M, x)$.
See \crossref{cctmixinghash} for rationale and efficient circuit implementation
of this function.
}
} %sapling
\introlist
@ -4255,6 +4264,7 @@ $\floor{\frac{512}{n}}$ in the best case (which is a factor of 2 for
$n = 200$).
}
\introsection
\nsubsubsection{\PseudoRandomFunctions} \label{concreteprfs}
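Review bot: The `}` after `$n = 200$).` is left without a construct comment, even though this hunk touches the lines around it (6 lines become 7). For consistency with the rest of the commit, label it with the macro it closes.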
@ -4504,7 +4514,7 @@ as follows.
Let $\KASaplingPublic$ and $\KASaplingSharedSecret$ be the type of compressed
$\JubjubCurve$ points $\CompressedEdwardsJubjub$, and let $\KASaplingPrivate$ be
the type of $\JubjubCurve$ secret keys. \todo{expand this}
}
} %sapling
\newsavebox{\kdfsaplinginputbox}
@ -4533,7 +4543,7 @@ where:
\end{formulae}
$\BlakeTwob{256}(p, x)$ is defined in \crossref{concreteblake2}.
}
} %sapling
\nsubsubsection{\JoinSplitSignature} \label{concretejssig}
@ -4593,7 +4603,7 @@ It is instantiated as EdJubjub, which is defined as $\EdDSA$ \cite{BJLSY2015} ov
$\JubjubCurve$ curve which these additional constraints: \todo{...}
\cite{FKMSSS2016}
}
} %sapling
\introlist
\nsubsubsection{Commitment schemes} \label{concretecommit}
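Review bot: In the context above `} %sapling`, `curve which these additional constraints: \todo{...}` reads as a typo for "with these additional constraints", and the `\cite{FKMSSS2016}` on the following line is left dangling after the `\todo`. Neither is introduced here, but both are worth tidying when the `\todo` is filled in, so that the citation attaches to a specific claim.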