Fixes to Pour statement.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent
19eb032dac
commit
7719e708c7
|
@ -753,33 +753,43 @@ exists in the map.
|
|||
|
||||
In \Zcash, $\NOld$ and $\NNew$ are both $2$.
|
||||
|
||||
A valid instance of $\PourProof$ assures that given a \term{primary input}
|
||||
$(\rt, \snOld{\mathrm{1}..\NOld}, \cmNew{\mathrm{1}..\NNew}, \changed{\vpubOld,\;}
|
||||
\vpubNew, \hSig, \h{1..\NOld})$, a witness of \term{auxiliary input}
|
||||
$(\treepath{1..\NOld}, \cOld{1..\NOld}, \AuthPrivateOld{\mathrm{1}..\NOld},
|
||||
\cNew{1..\NNew}\changed{, \CoinAddressPreRand})$ exists, where:
|
||||
A valid instance of $\PourProof$ assures that given a \term{primary input}:
|
||||
|
||||
\begin{list}{}{}
|
||||
\begin{itemize}
|
||||
\item[] $(\rt, \snOld{\mathrm{1}..\NOld}, \cmNew{\mathrm{1}..\NNew}, \changed{\vpubOld,\;}
|
||||
\vpubNew, \hSig, \h{1..\NOld}, \changed{\TransmitCiphertext{1..\NNew},
|
||||
\DiscloseCiphertext{1..\NOld}, \SharedCiphertext})$,
|
||||
\end{itemize}
|
||||
|
||||
\item for each $i \in \{1..\NOld\}$: $\cOld{i}$ = $(\AuthPublicOld{i},
|
||||
\vOld{i}, \CoinAddressRandOld{i}, \CoinCommitRandOld{i})$
|
||||
there exists a witness of \term{auxiliary input}:
|
||||
|
||||
\item for each $i \in \{1..\NNew\}$: $\cNew{i}$ = $(\AuthPublicNew{i},
|
||||
\vNew{i}, \CoinAddressRandNew{i}, \CoinCommitRandNew{i})$
|
||||
\begin{itemize}
|
||||
\item[] $(\treepath{1..\NOld}, \cOld{1..\NOld}, \AuthPrivateOld{\mathrm{1}..\NOld},
|
||||
\changed{\DiscloseKeyOld{\mathrm{1}..\NOld}, \cpNew{1..\NNew},
|
||||
\CoinAddressPreRand, \SharedKey{}, \TransmitKey{1..\NOld}})$
|
||||
\end{itemize}
|
||||
|
||||
\item The following conditions hold:
|
||||
where:
|
||||
|
||||
\end{list}
|
||||
\begin{itemize}
|
||||
\item[] for each $i \in \{1..\NOld\}$: $\cOld{i}$ = $(\AuthPublicOld{i},
|
||||
\vOld{i}, \CoinAddressRandOld{i}, \CoinCommitRandOld{i})$;
|
||||
\item[] for each $i \in \{1..\NNew\}$: $\cpNew{i}$ = $(\AuthPublicNew{i},
|
||||
\vNew{i}, \CoinAddressRandNew{i}, \CoinCommitRandNew{i}, \Memo_i)$,
|
||||
and $\TransmitPlaintext{i}$ is a raw encoding of $\cpNew{i}$;
|
||||
\end{itemize}
|
||||
|
||||
such that the following conditions hold:
|
||||
|
||||
\subparagraph{Merkle path validity}
|
||||
|
||||
for each $i \in \{1..\NOld\}$ \changed{$\mid$ $\vOld{i} \neq 0$}:
|
||||
$\treepath{i}$ must be a valid path of depth $\MerkleDepth$ from
|
||||
$\treepath{i}$ must be a valid path of depth $\MerkleDepth$ from \linebreak
|
||||
$\CoinCommitment(\cOld{i})$ to \coinCommitmentTree root $\rt$.
|
||||
|
||||
\subparagraph{Balance}
|
||||
|
||||
$\changed{\vpubOld +} \vsum{i=1}{\NOld} \vOld{i} = \vpubNew + \vsum{i=1}{\NNew} \vNew{i}$.
|
||||
$\changed{\vpubOld\; +} \vsum{i=1}{\NOld} \vOld{i} = \vpubNew + \vsum{i=1}{\NNew} \vNew{i}$.
|
||||
|
||||
\subparagraph{Serial integrity}
|
||||
|
||||
|
@ -789,22 +799,42 @@ $\snOld{i} = \PRFsn{\AuthPrivateOld{i}}(\CoinAddressRandOld{i})$.
|
|||
\subparagraph{Spend authority}
|
||||
|
||||
for each $i \in \{1..\NOld\}$:
|
||||
$\AuthPublicOld{i} = \PRFaddr{\AuthPrivateOld{i}}(0)$.
|
||||
\changed{
|
||||
$\DiscloseKeyOld{i} = \PRFaddr{\AuthPrivateOld{i}}(0)$ and
|
||||
$\AuthPublicOld{i} = \PRFaddr{\DiscloseKeyOld{i}}(1)$.
|
||||
}
|
||||
|
||||
\subparagraph{Non-malleability}
|
||||
|
||||
for each $i \in \{1..\NOld\}$: $\h{i}$ = $\PRFpk{\AuthPrivateOld{i}}(i, \hSig)$
|
||||
for each $i \in \{1..\NOld\}$:
|
||||
$\h{i} = \PRFpk{\AuthPrivateOld{i}}(i, \hSig)$
|
||||
|
||||
\changed{
|
||||
\subparagraph{Uniqueness of $\CoinAddressRandNew{i}$}
|
||||
|
||||
for each $i \in \{1..\NNew\}$: $\CoinAddressRandNew{i}$ = $\PRFrho{\CoinAddressPreRand}(i, \hSig)$
|
||||
for each $i \in \{1..\NNew\}$:
|
||||
$\CoinAddressRandNew{i} = \PRFrho{\CoinAddressPreRand}(i, \hSig)$
|
||||
}
|
||||
|
||||
\subparagraph{Commitment integrity}
|
||||
|
||||
for each $i \in \{1..\NNew\}$: $\cmNew{i}$ = $\CoinCommitment(\cNew{i})$
|
||||
|
||||
\changed{
|
||||
\subparagraph{$\TransmitCiphertext{}$ integrity}
|
||||
|
||||
for each $i \in \{1..\NNew\}$:
|
||||
$\TransmitCiphertext{i} = \SymEncrypt{\TransmitKey{i}}(\TransmitPlaintext{i}, \Empty)$.
|
||||
|
||||
\subparagraph{$\DiscloseCiphertext{}$ integrity}
|
||||
|
||||
for each $i \in \{1..\NOld\}$:
|
||||
$\DiscloseCiphertext{i} = \SymEncrypt{\DiscloseKeyOld{i}}(\SharedKey{}, \Tag{i})$
|
||||
|
||||
\subparagraph{$\SharedCiphertext$ integrity}
|
||||
|
||||
$\SharedCiphertext = \SymEncrypt{\SharedKey{}}(\SharedPlaintext{}, \Empty)$
|
||||
}
|
||||
|
||||
\section{In-band secret distribution}
|
||||
|
||||
|
|
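Review bot: The Commitment integrity condition in the second hunk (`$\cmNew{i}$ = $\CoinCommitment(\cNew{i})$`) still refers to `\cNew{i}`, but the rewritten auxiliary input in the first hunk carries `\cpNew{1..\NNew}` in place of `\cNew{1..\NNew}` and the where-clause that defined `\cNew{i}` was dropped, so `\cNew{i}` is now unbound in the statement. Either keep a definition in the where-list, e.g. `and $\cNew{i}$ denotes $(\AuthPublicNew{i}, \vNew{i}, \CoinAddressRandNew{i}, \CoinCommitRandNew{i})$`, or restate the condition over `\cpNew{i}`. Separately, the witness lists `\TransmitKey{1..\NOld}` while the transmit ciphertexts in the primary input and the `$\TransmitCiphertext{}$ integrity` condition are indexed over `\{1..\NNew\}`; this is invisible in \Zcash where both are 2, but the general statement should read `\TransmitKey{1..\NNew}`. `\SharedPlaintext{}` and `\Tag{i}` are used in the new integrity conditions without appearing in either input; if they are defined in the following section, a cross-reference at first use would help the reader. The `=` sits outside math mode in the where-list and Commitment integrity lines, unlike the other conditions (`$\h{i} = \dots$`), so for consistent spacing write e.g. `$\cmNew{i} = \CoinCommitment(\cNew{i})$`.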