Fixes to Pour statement.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
19eb032dac
commit
7719e708c7
@ -753,33 +753,43 @@ exists in the map.
In \Zcash, $\NOld$ and $\NNew$ are both $2$.
In \Zcash, $\NOld$ and $\NNew$ are both $2$.
A valid instance of $\PourProof$ assures that given a \term{primary input}
A valid instance of $\PourProof$ assures that given a \term{primary input}:
$(\rt, \snOld{\mathrm{1}..\NOld}, \cmNew{\mathrm{1}..\NNew}, \changed{\vpubOld,\;}
\vpubNew, \hSig, \h{1..\NOld})$, a witness of \term{auxiliary input}
$(\treepath{1..\NOld}, \cOld{1..\NOld}, \AuthPrivateOld{\mathrm{1}..\NOld},
\cNew{1..\NNew}\changed{, \CoinAddressPreRand})$ exists, where:
\begin{list}{}{}
\begin{itemize}
\item[] $(\rt, \snOld{\mathrm{1}..\NOld}, \cmNew{\mathrm{1}..\NNew}, \changed{\vpubOld,\;}
\vpubNew, \hSig, \h{1..\NOld}, \changed{\TransmitCiphertext{1..\NNew},
\DiscloseCiphertext{1..\NOld}, \SharedCiphertext})$,
\end{itemize}
\item for each $i \in \{1..\NOld\}$: $\cOld{i}$ = $(\AuthPublicOld{i},
there exists a witness of \term{auxiliary input}:
\vOld{i}, \CoinAddressRandOld{i}, \CoinCommitRandOld{i})$
\item for each $i \in \{1..\NNew\}$: $\cNew{i}$ = $(\AuthPublicNew{i},
\begin{itemize}
\vNew{i}, \CoinAddressRandNew{i}, \CoinCommitRandNew{i})$
\item[] $(\treepath{1..\NOld}, \cOld{1..\NOld}, \AuthPrivateOld{\mathrm{1}..\NOld},
\changed{\DiscloseKeyOld{\mathrm{1}..\NOld}, \cpNew{1..\NNew},
\CoinAddressPreRand, \SharedKey{}, \TransmitKey{1..\NOld}})$
\end{itemize}
\item The following conditions hold:
where:
\end{list}
\begin{itemize}
\item[] for each $i \in \{1..\NOld\}$: $\cOld{i}$ = $(\AuthPublicOld{i},
\vOld{i}, \CoinAddressRandOld{i}, \CoinCommitRandOld{i})$;
\item[] for each $i \in \{1..\NNew\}$: $\cpNew{i}$ = $(\AuthPublicNew{i},
\vNew{i}, \CoinAddressRandNew{i}, \CoinCommitRandNew{i}, \Memo_i)$,
and $\TransmitPlaintext{i}$ is a raw encoding of $\cpNew{i}$;
\end{itemize}
such that the following conditions hold:
\subparagraph{Merkle path validity}
\subparagraph{Merkle path validity}
for each $i \in \{1..\NOld\}$ \changed{$\mid$ $\vOld{i} \neq 0$}:
for each $i \in \{1..\NOld\}$ \changed{$\mid$ $\vOld{i} \neq 0$}:
$\treepath{i}$ must be a valid path of depth $\MerkleDepth$ from
$\treepath{i}$ must be a valid path of depth $\MerkleDepth$ from \linebreak
$\CoinCommitment(\cOld{i})$ to \coinCommitmentTree root $\rt$.
$\CoinCommitment(\cOld{i})$ to \coinCommitmentTree root $\rt$.
\subparagraph{Balance}
\subparagraph{Balance}
$\changed{\vpubOld +} \vsum{i=1}{\NOld} \vOld{i} = \vpubNew + \vsum{i=1}{\NNew} \vNew{i}$.
$\changed{\vpubOld\; +} \vsum{i=1}{\NOld} \vOld{i} = \vpubNew + \vsum{i=1}{\NNew} \vNew{i}$.
\subparagraph{Serial integrity}
\subparagraph{Serial integrity}
@ -789,22 +799,42 @@ $\snOld{i} = \PRFsn{\AuthPrivateOld{i}}(\CoinAddressRandOld{i})$.
\subparagraph{Spend authority}
\subparagraph{Spend authority}
for each $i \in \{1..\NOld\}$:
for each $i \in \{1..\NOld\}$:
$\AuthPublicOld{i} = \PRFaddr{\AuthPrivateOld{i}}(0)$.
\changed{
$\DiscloseKeyOld{i} = \PRFaddr{\AuthPrivateOld{i}}(0)$ and
$\AuthPublicOld{i} = \PRFaddr{\DiscloseKeyOld{i}}(1)$.
}
\subparagraph{Non-malleability}
\subparagraph{Non-malleability}
for each $i \in \{1..\NOld\}$: $\h{i}$ = $\PRFpk{\AuthPrivateOld{i}}(i, \hSig)$
for each $i \in \{1..\NOld\}$:
$\h{i} = \PRFpk{\AuthPrivateOld{i}}(i, \hSig)$
\changed{
\changed{
\subparagraph{Uniqueness of $\CoinAddressRandNew{i}$}
\subparagraph{Uniqueness of $\CoinAddressRandNew{i}$}
for each $i \in \{1..\NNew\}$: $\CoinAddressRandNew{i}$ = $\PRFrho{\CoinAddressPreRand}(i, \hSig)$
for each $i \in \{1..\NNew\}$:
$\CoinAddressRandNew{i} = \PRFrho{\CoinAddressPreRand}(i, \hSig)$
}
}
\subparagraph{Commitment integrity}
\subparagraph{Commitment integrity}
for each $i \in \{1..\NNew\}$: $\cmNew{i}$ = $\CoinCommitment(\cNew{i})$
for each $i \in \{1..\NNew\}$: $\cmNew{i}$ = $\CoinCommitment(\cNew{i})$
\changed{
\subparagraph{$\TransmitCiphertext{}$ integrity}
for each $i \in \{1..\NNew\}$:
$\TransmitCiphertext{i} = \SymEncrypt{\TransmitKey{i}}(\TransmitPlaintext{i}, \Empty)$.
\subparagraph{$\DiscloseCiphertext{}$ integrity}
for each $i \in \{1..\NOld\}$:
$\DiscloseCiphertext{i} = \SymEncrypt{\DiscloseKeyOld{i}}(\SharedKey{}, \Tag{i})$
\subparagraph{$\SharedCiphertext$ integrity}
$\SharedCiphertext = \SymEncrypt{\SharedKey{}}(\SharedPlaintext{}, \Empty)$
}
\section{In-band secret distribution}
\section{In-band secret distribution}
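Review bot: The new auxiliary input ends with `\TransmitKey{1..\NOld}})$`, but the new `\TransmitCiphertext{}` integrity condition iterates `for each $i \in \{1..\NNew\}$` and uses `\TransmitKey{i}`, so the witness line should read `\CoinAddressPreRand, \SharedKey{}, \TransmitKey{1..\NNew}})$`; the mismatch is only masked because both counts are $2$ in Zcash. Relatedly, the witness now carries `\cpNew{1..\NNew}` in place of `\cNew{1..\NNew}`, yet the Commitment integrity condition still states `$\cmNew{i}$ = $\CoinCommitment(\cNew{i})$`, so `\cNew{i}` is no longer bound by this statement unless it is defined elsewhere in the document; either restore a `\cNew{i}` clause in the "where" list (presumably `\cpNew{i}` without its `\Memo_i` component, by analogy with how `\cOld{i}` is defined) or restate the condition in terms of `\cpNew{i}`. `\SharedPlaintext{}` and `\Tag{i}` likewise appear only inside the new integrity conditions and in neither input list, so the same binding check applies to them. Finally, the condition sentences end inconsistently: the Spend authority and `\TransmitCiphertext{}` conditions close with a period while Non-malleability, Uniqueness, Commitment integrity, `\DiscloseCiphertext{}` and `\SharedCiphertext` integrity do not.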