mirror of https://github.com/zcash/zips.git
Add comments at closing braces saying which construct is being closed.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
2924ff85e1
commit
76f3b1d0fd
@ -1366,7 +1366,7 @@ Changes specific to the \Sapling upgrade following \NUZero (which are also
changes from \Zerocash) are highlighted in \sapling{\saplingcolor}.
The name \Sprout is used for the \Zcash protocol prior to \Sapling
(both before and after \NUZero).
}
} %notsprout

Technical terms for concepts that play an important rôle in \Zcash are
written in \term{slanted text}. \emph{Italics} are used for emphasis and
@ -1492,7 +1492,7 @@ which proves that all of the following hold except with negligable probability:
\item Each output \note is generated in such a way that it is infeasible to
cause its \nullifier to collide with the \nullifier of any other \note.
\end{itemize}
}
} %sprout
\notsprout{
A \transaction also includes computationally sound \zkSNARK proofs, which prove
that all of the following hold except with negligable probability:
@ -1525,7 +1525,7 @@ outside the \zkSNARK.
In addition, various measures (differing between \Sprout and \Sapling) are
used to ensure that the \transaction cannot be modified by a party not authorized
to do so.
}
} %notsprout

Outside the \zkSNARK, it is \sprout{also} checked that the \nullifiers for the input
\notes had not already been revealed (i.e.\ they had not already been spent).
@ -1738,7 +1738,7 @@ The \receivingKey $\TransmitPrivate$, the \incomingViewingKey
$\InViewingKey = (\AuthPublic, \TransmitPrivate)$, and the \paymentAddress
$\PaymentAddress = (\AuthPublic, \TransmitPublic)$ are derived from
$\AuthPrivate$, as described in \crossref{sproutkeycomponents}.
}
} %sproutspecific

\saplingonward{
The \authSigningKey $\AuthSignPrivate$,
@ -1747,7 +1747,7 @@ the \fullViewingKey $(\AuthSignPublic, \AuthProvePublic)$,
the \incomingViewingKey $\InViewingKey$, and
each \diversifiedPaymentAddress $\DiversifiedPaymentAddress = (\Diversifier, \DiversifiedTransmitPublic)$
are derived from $\AuthPrivateSeed$, as described in \crossref{saplingkeycomponents}.
}
} %saplingonward

The composition of \paymentAddresses, \changed{\incomingViewingKeys,}
\sapling{\fullViewingKeys,} and \spendingKeys is a cryptographic protocol
@ -1770,7 +1770,7 @@ case that a payee wishes to prevent this they should create a distinct
such addresses shares the same \fullViewingKey and \incomingViewingKey, and
so creating as many unlinkable addresses as needed does not increase the cost
of scanning the \blockchain for relevant \transactions.
}
} %saplingonward

\pnote{
It is conventional in cryptography to refer to the key used to encrypt
@ -1794,13 +1794,13 @@ A \note (denoted $\NoteTuple{}$) is a tuple $\changed{(\AuthPublic, \Value,
\NoteAddressRand, \NoteCommitRand)}$. It represents that a value $\Value$ is
spendable by the recipient who holds the \spendingKey $\AuthPrivate$ corresponding
to $\AuthPublic$, as described in the previous section.
}
} %sprout
\notsprout{
A \note (denoted $\NoteTuple{}$) can be a \Sprout \note\sapling{ or a
\Sapling \note}. In either case it represents that a value $\Value$ is
spendable by the recipient who holds the \spendingKey corresponding
to a given \paymentAddress.
}
} %notsprout

A \SproutOrNothing \note is a tuple $\changed{(\AuthPublic,
\Value, \NoteAddressRand, \NoteCommitRand)}$, where:
@ -1844,7 +1844,7 @@ Let $\NoteTypeSapling$ be the type of a \Sapling \note, i.e.
\item $\NoteTypeSapling := \DiversifierType \times \bitseq{\ellJ} \times \range{0}{\MAXMONEY}
\times \bitseq{\ellJ} \times \NoteCommitSaplingTrapdoor$.
\end{formulae}
}
} %sapling

Creation of new \notes is described in \crossref{send}. When \notes are sent,
only a commitment (see \crossref{abstractcommit}) to the above values is disclosed
@ -1885,7 +1885,7 @@ We refer to the combination of a \note and its \notePosition $\NotePosition$, as

For a \positionedNote, we can compute the value
$\NoteAddressRand \typecolon \bitseq{\ellJ}$ as described in \crossref{commitmentsandnullifiers}.
}
} %sapling

\vspace{2ex}
A \nullifier (denoted $\nf$) is derived from the $\NoteAddressRand$ value
@ -1915,7 +1915,7 @@ The \notePlaintext in each \outputDescription is encrypted to the
\diversifiedTransmissionKey $\DiversifiedTransmitPublic$.
Each \Sapling \notePlaintext (denoted $\NotePlaintext{}$) consists of
$(\Diversifier, \Value, \NoteCommitRand, \Memo)$.
}
} %saplingonward

\changed{
$\Memo$ represents a \memo associated with this \note. The usage of the
@ -2109,7 +2109,7 @@ for the whole \transaction to balance.
\item The \anchor of each \spendDescription in a \transaction{} \MUST refer
to some earlier \block's final \Sapling \treestate.
\end{consensusrules}
}
} %sapling


\nsubsection{\NoteCommitmentTrees} \label{merkletree}
@ -2187,7 +2187,7 @@ as described in \crossref{foundersreward}.
$\MerkleCRH \typecolon \MerkleHashSprout \times \MerkleHashSprout \rightarrow \MerkleHashSprout$
is a collision-resistant \hashFunction used in \crossref{merklepath}.
It is instantiated in \crossref{merklecrh}.
}
} %sprout
\notsprout{
The functions $\MerkleCRHSprout \typecolon \MerkleLayerSprout \times \MerkleHashSprout \times \MerkleHashSprout
\rightarrow \MerkleHashSprout$
@ -2199,7 +2199,7 @@ are \hashFunctions used in \crossref{merklepath}.
\sapling{$\MerkleCRHSapling$ is collision-resistant on all its arguments, and}
$\MerkleCRHSprout$ is collision-resistant except on its first argument.
Both of these functions are instantiated in \crossref{merklecrh}.
}
} %notsprout

\changed{
$\hSigCRH{} \typecolon \bitseq{\RandomSeedLength} \times \typeexp{\PRFOutput}{\NOld} \times \JoinSplitSigPublic \rightarrow \hSigType$
@ -2622,7 +2622,7 @@ $\ParamG{r}$.
Unlike the representation function $\reprG{}$, $\ExtractG$ need not have an
efficiently computable left inverse.
}
}
} %sapling


\sapling{
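Review bot: only the outermost closing brace in this hunk gets a label (`} %sapling`); the bare `}` on the line above it still closes an unnamed construct whose opener lies outside the hunk, which is exactly the situation the commit sets out to fix. Please label that brace as well, e.g. `} %<construct>`, so a reader of this region does not have to scroll back to find its opener.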
@ -2662,7 +2662,8 @@ such that $\vsum{i = 1}{n}\left(\scalarmult{x_i}{\GroupGHash{\CRS}(m_i)}\right)
mitigates the possibility that the group hash algorithm could have
been backdoored.
\end{pnotes}
}
} %sapling


\introlist
\nsubsubsection{\RepresentedPairing} \label{abstractpairing}
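Review bot: the header (7 lines to 8) shows this hunk also inserts an extra blank line before `\introlist`, which is whitespace cleanup unrelated to the brace comments the commit message describes; the same extra blank line appears in the 2799 and 3482 hunks below. Either mention the whitespace changes in the commit message or split them into their own commit so the diff matches its description.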
@ -2771,7 +2772,7 @@ specialized to the \joinSplitStatement given in \crossref{joinsplitstatement}.
In this case we omit the key subscripts on $\JoinSplitProve$ and $\JoinSplitVerify$,
taking them to be the particular \provingKey and \verifyingKey defined by the
\joinSplitParameters in \crossref{sproutparameters}.
}
} %sprout
\sapling{
\Zcash uses two \provingSystems:
\begin{itemize}
@ -2799,7 +2800,8 @@ Similarly, we omit the key subscripts on $\SpendProve$,
$\SpendVerify$, $\OutputProve$, and $\OutputVerify$, taking
them to be the $\Groth$ \provingKeys and
\verifyingKeys defined in \crossref{saplingparameters}.
}
} %sapling


\nsubsection{\KeyComponents} \label{keycomponents}

@ -2927,7 +2929,7 @@ The resulting \diversifiedPaymentAddress is $(\Diversifier, \DiversifiedTransmit
be randomly chosen unique byte sequences used to index into a database, rather
than directly encoding the needed data.
\end{pnotes}
}
} %sapling


\nsubsection{\JoinSplitDescriptions} \label{joinsplitdesc}
@ -3030,8 +3032,10 @@ where
\item The \spendAuthSignature{} \MUST be a valid $\SpendAuthSig$ signature using
$\nf$ as the public key, over \todo{...}
\end{consensusrules}
} %sapling


\sapling{
\nsubsection{\OutputDescriptions} \label{outputdesc}

An \outputTransfer, as specified in \crossref{spendsandoutputs}, is encoded in
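Review bot: the `} %sapling` after `\end{consensusrules}` is a newly added brace, not an annotation of an existing one: the header grows from 8 to 10 lines and the hunk shows no removed line, so this either closes a `\sapling{` group that was previously left open or moves an existing close. That changes which text is conditional on Sapling rather than just commenting it, so it should be called out in the commit message, and the brace balance between this close and the following `\sapling{` / `\nsubsection{\OutputDescriptions}` should be verified by building the document before merging.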
@ -3062,7 +3066,7 @@ where
from the other fields except $\TransmitCiphertext{}$.
I.e.\ it must be the case that $\SpendVerify{}((\cv, \cm, \EphemeralPublic), \Proof{\Output}) = 1$.
\end{consensusrules}
}
} %sapling


\introlist
@ -3213,13 +3217,14 @@ information leakage from the structure of \transactions are beyond the
scope of this specification.

The encoded \transaction is submitted to the network.
}
} %sapling


\nsubsection{Merkle path validity} \label{merklepath}

\sprout{
The depth of the \noteCommitmentTree is $\MerkleDepth$ (defined in \crossref{constants}).
}
} %sprout
\notsprout{
Let $\MerkleDepth$ be $\MerkleDepthSprout$ for the \Sprout \noteCommitmentTree\sapling{,
or $\MerkleDepthSapling$ for the \Sapling \noteCommitmentTree}. These constants are
@ -3229,7 +3234,7 @@ Similarly, let $\MerkleCRH$ be $\MerkleCRHSprout$ for \Sprout\sapling{, or $\Mer
for \Sapling}.

The following discussion applies independently to the \Sprout and \Sapling \noteCommitmentTrees.
}
} %notsprout

Each \merkleNode in the \incrementalMerkleTree is associated with a \merkleHash,
which is a bit sequence. The \merkleLayer numbered $h$, counting from
@ -3377,7 +3382,7 @@ as follows:
\end{formulae}

$\MixingPedersenHash$ is defined in \crossref{concretemixinghash}.
}
} %sapling

Let $\PRFnf{}{}$\sapling{ and $\PRFnr{}{}$} be as instantiated in \crossref{concreteprfs}.

@ -3388,7 +3393,7 @@ is derived as $\PRFnf{\AuthPrivate}(\NoteAddressRand)$.
\sapling{
For a \Sapling \note, the \nullifier is derived as
$\scalarmult{\PRFnr{\AuthProvePublic}(\NoteAddressRand)}{\scalarmult{8}{\AuthSignPublic}}$.
}
} %sapling

\introsection

@ -3482,6 +3487,7 @@ for each $i \in \setofNew$: $\cmNew{i}$ = $\NoteCommitSprout(\nNew{i})$.
\vspace{2.5ex}
For details of the form and encoding of proofs, see \crossref{phgr}.


\sapling{
\introsection
\nsubsubsection{\SpendStatement{} (\Sapling)} \label{spendstatement}
@ -3555,14 +3561,17 @@ $\AuthPublicOld{i} = \PRFaddr{\AuthPrivateOld{i}}(0)$.

\vspace{2.5ex}
For details of the form and encoding of \spendStatement proofs, see \crossref{groth}.
} %sapling


\sapling{
\introsection
\nsubsubsection{\OutputStatement{} (\Sapling)} \label{outputstatement}

\todo{}

For details of the form and encoding of \outputStatement proofs, see \crossref{groth}.
}
} %sapling


\nsubsection{In-band secret distribution} \label{inband}

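Review bot: the header (14 lines to 17) implies two removed and five added lines, but only one removed bare `}` is visible (the one before the `} %sapling` that closes the \OutputStatement group); the `} %sapling` after the \spendStatement paragraph has no removed `}` beside it. Please confirm whether this hunk is adding a missing closing brace for the `\sapling{` group opened before `\nsubsubsection{\SpendStatement{} (\Sapling)}` in the previous hunk, and if so say so in the commit message, since that is a content change rather than a comment.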
@ -3758,13 +3767,13 @@ Define:
\item $\MerkleDepthSprout \typecolon \Nat := \changed{29}$
\sapling{
\item $\MerkleDepthSapling \typecolon \Nat := 29$
}
} %sapling
\item $\NOld \typecolon \Nat := 2$
\item $\NNew \typecolon \Nat := 2$
\item $\MerkleHashLengthSprout \typecolon \Nat := 256$
\sapling{
\item $\MerkleHashLengthSapling \typecolon \Nat := 255$
}
} %sapling
\item $\hSigLength \typecolon \Nat := 256$
\item $\PRFOutputLength \typecolon \Nat := 256$
\item $\PRGOutputLength \typecolon \Nat := 512$
@ -3774,12 +3783,12 @@ Define:
\sapling{
\item $\AuthPrivateSeedLength \typecolon \Nat := 256$
\item $\DiversifierLength \typecolon \Nat := 88$
}
} %sapling
\item $\changed{\NoteAddressPreRandLength \typecolon \Nat := 252}$
\item $\UncommittedSprout \typecolon \bitseq{\MerkleHashLengthSprout} := \zeros{\MerkleHashLengthSprout}$
\sapling{
\item $\UncommittedSapling \typecolon \bitseq{\MerkleHashLengthSapling} := \ones{\MerkleHashLengthSapling}$
}
} %sapling
\item $\MAXMONEY \typecolon \Nat := \changed{2.1 \smult 10^{15}}$ (\zatoshi)
\item $\SlowStartInterval \typecolon \Nat := 20000$
\item $\HalvingInterval \typecolon \Nat := 840000$
@ -3873,7 +3882,7 @@ $\GroupJHash{}$.
\begin{formulae}
\item $\BlakeTwos{\ell} \typecolon \byteseq{8} \times \byteseqs \rightarrow \byteseq{\ell/8}$
\end{formulae}
}
} %sapling


\introsection
@ -3951,7 +3960,7 @@ $\MerkleCRHSapling \typecolon \MerkleLayerSapling \times \MerkleHashSapling \tim
\securityrequirement{
$\PedersenHash$ must be collision-resistant.
}
}
} %sapling


\introlist
@ -4039,7 +4048,7 @@ used rather than external truncation. However, the protocol-specific
personalization string together with truncation achieve essentially
the same effect as using that feature.
}
}
} %sapling


\sapling{
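Review bot: as in the 2622 hunk, the bare `}` immediately above the new `} %sapling` is left unlabelled although its opener is not visible in this region; label it with the construct it closes so the annotation is complete for this nesting.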
@ -4170,7 +4179,7 @@ zero, the proof can be adapted straightforwardly to show that $\PedersenHashToPo
is collision-resistant under the same assumptions and security bounds.
Because $\ItoLEBSP{255}$ and $\ExtractJ$ are injective, it follows that
$\PedersenHash$ is equally collision-resistant.
}
} %sapling


\sapling{
@ -4198,7 +4207,7 @@ This function must be collision-resistant on $(r, M, x)$.

See \crossref{cctmixinghash} for rationale and efficient circuit implementation
of this function.
}
} %sapling


\introlist
@ -4255,6 +4264,7 @@ $\floor{\frac{512}{n}}$ in the best case (which is a factor of 2 for
$n = 200$).
}


\introsection
\nsubsubsection{\PseudoRandomFunctions} \label{concreteprfs}

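Review bot: the closing `}` after `$n = 200$).` stays unlabelled; the header (6 lines to 7) shows this hunk only inserts a blank line. Since the point of the commit is to say which construct each closing brace ends, add the corresponding `%...` comment here too (the opener is outside the hunk, so the name has to come from the surrounding source).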
@ -4504,7 +4514,7 @@ as follows.
Let $\KASaplingPublic$ and $\KASaplingSharedSecret$ be the type of compressed
$\JubjubCurve$ points $\CompressedEdwardsJubjub$, and let $\KASaplingPrivate$ be
the type of $\JubjubCurve$ secret keys. \todo{expand this}
}
} %sapling


\newsavebox{\kdfsaplinginputbox}
@ -4533,7 +4543,7 @@ where:
\end{formulae}

$\BlakeTwob{256}(p, x)$ is defined in \crossref{concreteblake2}.
}
} %sapling


\nsubsubsection{\JoinSplitSignature} \label{concretejssig}
@ -4593,7 +4603,7 @@ It is instantiated as EdJubjub, which is defined as $\EdDSA$ \cite{BJLSY2015} ov
$\JubjubCurve$ curve which these additional constraints: \todo{...}

\cite{FKMSSS2016}
}
} %sapling

\introlist
\nsubsubsection{Commitment schemes} \label{concretecommit}