diff --git a/protocol/protocol.pdf b/protocol/protocol.pdf
index fc1488b2..879df287 100644
Binary files a/protocol/protocol.pdf and b/protocol/protocol.pdf differ
diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index 918fe5cb..b770d5e9 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -753,33 +753,43 @@ exists in the map. In \Zcash, $\NOld$ and $\NNew$ are both $2$. -A valid instance of $\PourProof$ assures that given a \term{primary input} -$(\rt, \snOld{\mathrm{1}..\NOld}, \cmNew{\mathrm{1}..\NNew}, \changed{\vpubOld,\;} -\vpubNew, \hSig, \h{1..\NOld})$, a witness of \term{auxiliary input} -$(\treepath{1..\NOld}, \cOld{1..\NOld}, \AuthPrivateOld{\mathrm{1}..\NOld}, -\cNew{1..\NNew}\changed{, \CoinAddressPreRand})$ exists, where: +A valid instance of $\PourProof$ assures that given a \term{primary input}: -\begin{list}{}{} +\begin{itemize} + \item[] $(\rt, \snOld{\mathrm{1}..\NOld}, \cmNew{\mathrm{1}..\NNew}, \changed{\vpubOld,\;} +\vpubNew, \hSig, \h{1..\NOld}, \changed{\TransmitCiphertext{1..\NNew}, +\DiscloseCiphertext{1..\NOld}, \SharedCiphertext})$, +\end{itemize} -\item for each $i \in \{1..\NOld\}$: $\cOld{i}$ = $(\AuthPublicOld{i}, -\vOld{i}, \CoinAddressRandOld{i}, \CoinCommitRandOld{i})$ +there exists a witness of \term{auxiliary input}: -\item for each $i \in \{1..\NNew\}$: $\cNew{i}$ = $(\AuthPublicNew{i}, -\vNew{i}, \CoinAddressRandNew{i}, \CoinCommitRandNew{i})$ +\begin{itemize} + \item[] $(\treepath{1..\NOld}, \cOld{1..\NOld}, \AuthPrivateOld{\mathrm{1}..\NOld}, +\changed{\DiscloseKeyOld{\mathrm{1}..\NOld}, \cpNew{1..\NNew}, +\CoinAddressPreRand, \SharedKey{}, \TransmitKey{1..\NOld}})$ +\end{itemize} -\item The following conditions hold: +where: -\end{list} +\begin{itemize} + \item[] for each $i \in \{1..\NOld\}$: $\cOld{i}$ = $(\AuthPublicOld{i}, +\vOld{i}, \CoinAddressRandOld{i}, \CoinCommitRandOld{i})$; + \item[] for each $i \in \{1..\NNew\}$: $\cpNew{i}$ = $(\AuthPublicNew{i}, +\vNew{i}, \CoinAddressRandNew{i}, \CoinCommitRandNew{i}, \Memo_i)$, +and $\TransmitPlaintext{i}$ is a raw encoding of $\cpNew{i}$; +\end{itemize} + +such that the following conditions hold: \subparagraph{Merkle path validity} for each $i \in \{1..\NOld\}$ \changed{$\mid$ $\vOld{i} \neq 0$}: -$\treepath{i}$ must be a valid path of depth 
$\MerkleDepth$ from +$\treepath{i}$ must be a valid path of depth $\MerkleDepth$ from \linebreak $\CoinCommitment(\cOld{i})$ to \coinCommitmentTree root $\rt$. \subparagraph{Balance} -$\changed{\vpubOld +} \vsum{i=1}{\NOld} \vOld{i} = \vpubNew + \vsum{i=1}{\NNew} \vNew{i}$. +$\changed{\vpubOld\; +} \vsum{i=1}{\NOld} \vOld{i} = \vpubNew + \vsum{i=1}{\NNew} \vNew{i}$. \subparagraph{Serial integrity} @@ -789,22 +799,42 @@ $\snOld{i} = \PRFsn{\AuthPrivateOld{i}}(\CoinAddressRandOld{i})$. \subparagraph{Spend authority} for each $i \in \{1..\NOld\}$: -$\AuthPublicOld{i} = \PRFaddr{\AuthPrivateOld{i}}(0)$. +\changed{ +$\DiscloseKeyOld{i} = \PRFaddr{\AuthPrivateOld{i}}(0)$ and +$\AuthPublicOld{i} = \PRFaddr{\DiscloseKeyOld{i}}(1)$. +} \subparagraph{Non-malleability} -for each $i \in \{1..\NOld\}$: $\h{i}$ = $\PRFpk{\AuthPrivateOld{i}}(i, \hSig)$ +for each $i \in \{1..\NOld\}$: +$\h{i} = \PRFpk{\AuthPrivateOld{i}}(i, \hSig)$ \changed{ \subparagraph{Uniqueness of $\CoinAddressRandNew{i}$} -for each $i \in \{1..\NNew\}$: $\CoinAddressRandNew{i}$ = $\PRFrho{\CoinAddressPreRand}(i, \hSig)$ +for each $i \in \{1..\NNew\}$: +$\CoinAddressRandNew{i} = \PRFrho{\CoinAddressPreRand}(i, \hSig)$ } \subparagraph{Commitment integrity} for each $i \in \{1..\NNew\}$: $\cmNew{i}$ = $\CoinCommitment(\cNew{i})$ +\changed{ +\subparagraph{$\TransmitCiphertext{}$ integrity} + +for each $i \in \{1..\NNew\}$: +$\TransmitCiphertext{i} = \SymEncrypt{\TransmitKey{i}}(\TransmitPlaintext{i}, \Empty)$. + +\subparagraph{$\DiscloseCiphertext{}$ integrity} + +for each $i \in \{1..\NOld\}$: +$\DiscloseCiphertext{i} = \SymEncrypt{\DiscloseKeyOld{i}}(\SharedKey{}, \Tag{i})$ + +\subparagraph{$\SharedCiphertext$ integrity} + +$\SharedCiphertext = \SymEncrypt{\SharedKey{}}(\SharedPlaintext{}, \Empty)$ +} \section{In-band secret distribution}
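Review bot: The new auxiliary-input list names `\TransmitKey{1..\NOld}`, but the `\TransmitCiphertext{}` integrity condition in the second hunk quantifies over `i \in \{1..\NNew\}` and uses `\TransmitKey{i}`, and the primary input lists `\TransmitCiphertext{1..\NNew}`; the range should read `\CoinAddressPreRand, \SharedKey{}, \TransmitKey{1..\NNew}})$,` unless one key per old coin is really intended, in which case the condition in the second hunk is the one that is wrong. The witness also replaces `\cNew{1..\NNew}` with `\cpNew{1..\NNew}` and drops the definition of `\cNew{i}`, yet the Commitment integrity condition (a context line in the second hunk) still reads `$\CoinCommitment(\cNew{i})$`, so `\cNew{i}` is no longer defined anywhere in this statement unless it is introduced elsewhere in the file. A clause after the raw-encoding sentence such as `and $\cNew{i}$ denotes $\cpNew{i}$ with its $\Memo_i$ component removed` would close that gap, assuming the memo is not meant to be committed to.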
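Review bot: The three added ciphertext-integrity conditions use `\Tag{i}` and `\SharedPlaintext{}`, neither of which appears in the primary-input or auxiliary-input lists of the preceding hunk, so the statement as written has free variables; every value a condition refers to has to be either a primary input (what the verifier is given) or part of the witness, and which list `\Tag{i}` lands in decides whether the verifier can check the associated data of `\DiscloseCiphertext{i}` at all. Either add both to the appropriate list in the first hunk or define them in terms of listed inputs in the "where" clause, and say what `\Empty` denotes if it is not defined earlier in the file. Separately, no condition relates `\TransmitKey{i}` or `\SharedKey{}` to anything other than their use as encryption keys, so these conditions only establish that each ciphertext is a correct encryption under a prover-chosen key; if the binding of those keys to the recipient is established in the following In-band secret distribution section, a `\ref`/`\cref` to that section's label at the end of the `\changed{...}` block would make the division of responsibility explicit. Minor: the `\DiscloseCiphertext{}` and `\SharedCiphertext` conditions lack the terminal full stop that the `\TransmitCiphertext{}` condition has.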