From 7cc31111bbe23871f16c31cae339f00e63d65a12 Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Mon, 15 Mar 2021 16:17:34 +0000 Subject: [PATCH] Yet more WIP. Nullifier derivation for Orchard is correct now. Signed-off-by: Daira Hopwood --- protocol/protocol.tex | 738 ++++++++++++++++++++++++++---------------- 1 file changed, 466 insertions(+), 272 deletions(-) diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 40f61254..9812996e 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -769,6 +769,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\note}{\term{note}} \newcommand{\notes}{\terms{note}} \newcommand{\dummy}{\termandindex{dummy}{dummy note}} +\newcommand{\dummyNote}{\term{dummy note}} \newcommand{\dummyNotes}{\terms{dummy note}} \newcommand{\commitmentScheme}{\term{commitment scheme}} \newcommand{\commitmentSchemes}{\terms{commitment scheme}} @@ -1274,6 +1275,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\mult}{\cdot} \newcommand{\smult}{\!\cdot\!} \newcommand{\scalarmult}[2]{\boldsymbol{[}{#1}\boldsymbol{]}\,{#2}} +\newcommand{\bigscalarmult}[2]{\big[{#1}\big]\,{#2}} \newcommand{\Bigscalarmult}[2]{\Big[{#1}\Big]{#2}} \newcommand{\Biggscalarmult}[2]{\Bigg[{#1}\Bigg]{#2}} \newcommand{\rightarrowR}{\mathop{\clasp[-0.18em]{\raisebox{1.15ex}{\scriptsize R}}{$\,\rightarrow\,$}}} 
@@ -1390,7 +1392,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\AuthPrivateNew}[1]{\mathsf{a^{new}_{sk,\mathnormal{#1}}}} \newcommand{\AddressPublicNew}[1]{\mathsf{addr^{new}_{pk,\mathnormal{#1}}}} \newcommand{\ScalarLength}[1]{\ell^\mathsf{#1\vphantom{p}}_{\mathsf{scalar}}} -\newcommand{\CompactLengthOrchard}{\mathsf{\ell^{Orchard\vphantom{p}}_{compact\vphantom{d}}}} +\newcommand{\BaseLength}[1]{\ell^\mathsf{#1\vphantom{p}}_{\mathsf{base}}} \newcommand{\enc}{\mathsf{enc}} \newcommand{\DHSecret}[1]{\mathsf{sharedSecret}_{#1}} \newcommand{\EphemeralPublic}{\mathsf{epk}} @@ -1518,6 +1520,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\CommitIvkGenTrapdoor}{\CommitIvkAlg\mathsf{.GenTrapdoor}} \newcommand{\CommitIvkInput}{\CommitIvkAlg\mathsf{.Input}} \newcommand{\CommitIvkOutput}{\CommitIvkAlg\mathsf{.Output}} +\newcommand{\DeriveNullifierAlg}{\mathsf{DeriveNullifier}} +\newcommand{\DeriveNullifier}[1]{\DeriveNullifierAlg_{#1}} % Symmetric encryption @@ -1632,11 +1636,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\Memo}{\mathsf{memo}} \newcommand{\MemoByteLength}{512} \newcommand{\MemoType}{\byteseq{\MemoByteLength}} -\newcommand{\DecryptNoteSprout}{\mathtt{DecryptNote\notsprout{Sprout}}} -\newcommand{\DecryptNoteSapling}{\mathtt{DecryptNoteSapling}} -\newcommand{\DecryptNoteOrchard}{\mathtt{DecryptNoteOrchard}} +\newcommand{\DecryptNoteSprout}{\mathtt{DecryptNoteSprout}} \newcommand{\ReplacementCharacter}{\textsf{U+FFFD}} -\newcommand{\maybeSapling}{\notnufive{Sapling}} % Money supply 
@@ -1883,7 +1884,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\nOutputsSapling}{\mathtt{nOutputsSapling}} \newcommand{\vOutputsSapling}{\mathtt{vOutputsSapling}} \newcommand{\vSpendProofsSapling}{\mathtt{vSpendProofsSapling}} -\newcommand{\vSpendAuthSigsSapling}{\mathtt{vSpendAuthSigsSapling}} +\newcommand{\vSpendAuthSigs}[1]{\mathtt{vSpendAuthSigs{#1}}} \newcommand{\vOutputProofsSapling}{\mathtt{vOutputProofsSapling}} \newcommand{\nActionsOrchard}{\mathtt{nActionsOrchard}} \newcommand{\vActionsOrchard}{\mathtt{vActionsOrchard}} @@ -1892,7 +1893,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\enableOutputsOrchard}{\mathtt{enableOutputsOrchard}} \newcommand{\sizeProofsOrchard}{\mathtt{sizeProofsOrchard}} \newcommand{\proofsOrchard}{\mathtt{proofsOrchard}} -\newcommand{\vSpendAuthSigsOrchard}{\mathtt{vSpendAuthSigsOrchard}} \newcommand{\vpubOldField}{\mathtt{vpub\_old}} \newcommand{\vpubNewField}{\mathtt{vpub\_new}} \newcommand{\anchorField}[1]{\mathtt{anchor#1}} @@ -1990,7 +1990,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\ActionVerify}{\Action\mathsf{.Verify}} \newcommand{\ActionProve}{\Action\mathsf{.Prove}} \newcommand{\ActionProof}{\Action\mathsf{.Proof}} -\newcommand{\Proof}[1]{\pi_{\!{#1}}} +\newcommand{\Proof}[1]{\pi_{\kern-0.1em{#1}}} \newcommand{\ProofJoinSplit}{\pi_\JoinSplit} \newcommand{\ProofSpend}{\pi_\Spend} \newcommand{\ProofOutput}{\pi_\Output} 
@@ -2150,9 +2150,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\ParamP}[1]{{{#1}_\mathbb{\hskip 0.01em P}}} \newcommand{\ParamPexp}[2]{{{#1}_\mathbb{\hskip 0.01em P}\!}^{#2}} \newcommand{\GroupP}{\mathbb{P}} -\newcommand{\GroupPx}{\GroupP_x} +\newcommand{\GroupPx}{\GroupP_{\!x}} \newcommand{\GroupPstar}{\GroupP^{\ast}} -\newcommand{\GroupPstarx}{\GroupP^{\ast}_x} +\newcommand{\GroupPstarx}{\GroupP^{\ast}_{\!x}} \newcommand{\CurveP}{\Curve_{\GroupP}} \newcommand{\ZeroP}{\Zero_{\GroupP}} \newcommand{\ellP}{\ell_{\GroupP}} @@ -2898,7 +2898,7 @@ The following integer constants will be instantiated in \crossref{constants}: $\NOld$, $\NNew$, $\ValueLength$, $\hSigLength$, $\PRFOutputLengthSprout$,\sapling{ $\PRFOutputLengthExpand$, $\PRFOutputLengthNfSapling$,} $\NoteCommitRandLength$, \changed{$\RandomSeedLength$,} $\AuthPrivateLength$, \changed{$\NoteUniquePreRandLength$,}\sapling{ $\SpendingKeyLength$, $\DiversifierLength$,\nufive{ $\DiversifierKeyLength$,} - $\InViewingKeyLength{Sapling}$, $\OutViewingKeyLength$, $\ScalarLength{Sapling}$,\nufive{ $\ScalarLength{Orchard}$, $\CompactLengthOrchard$},} + $\InViewingKeyLength{Sapling}$, $\OutViewingKeyLength$, $\ScalarLength{Sapling}$,\nufive{ $\ScalarLength{Orchard}$, $\BaseLength{Orchard}$,}} $\MAXMONEY$,\blossom{ $\BlossomActivationHeight$,}\strut\canopy{ $\CanopyActivationHeight$, $\ZIPTwoOneTwoGracePeriod$,} $\SlowStartInterval$, $\PreBlossomHalvingInterval$, $\MaxBlockSubsidy$, $\NumFounderAddresses$, $\PoWLimit$, $\PoWAveragingWindow$, $\PoWMedianBlockSpan$, $\PoWDampingFactor$, 
@@ -3206,14 +3206,19 @@ $\NoteTuple{} = (\Diversifier, \DiversifiedTransmitPublic, \Value, \NoteUniqueRa \begin{formulae} \item $\DiversifiedTransmitBase := \DiversifyHash{Orchard}(\Diversifier)$ \vspace{-1ex} - \item $\NoteCommitment{Orchard}(\NoteTuple{}) := + \item $\NoteCommitment{Orchard}(\NoteTuple{}) := \begin{cases} + \bot, &\caseif \DiversifiedTransmitBase = \ZeroP \\ \NoteCommit{Orchard}{\NoteCommitRand}(\reprP\Of{\DiversifiedTransmitBase}, \reprP\Of{\DiversifiedTransmitPublic}, - \Value, \NoteUniqueRand, \NoteNullifierRand)$. + \Value, \NoteUniqueRand, \NoteNullifierRand), &\caseotherwise. + \end{cases}$ \end{formulae} \vspace{-2.5ex} where $\NoteCommitAlg{Orchard}$ is instantiated in \crossref{concretesinsemillacommit}. +The case that $\DiversifyHash{Orchard}(\Diversifier)$ returns $\ZeroP$ occurs with +negligible probability. + Unlike in \Sapling, the definition of an \Orchard \note includes the $\NoteUniqueRand$ field; the \note's position in the \noteCommitmentTree does not need to be known in order to compute this value. @@ -3726,7 +3731,7 @@ in the \spendStatement to confirm use of the correct $\NoteUniqueRand$ value as input to \nullifier derivation. It is instantiated in \crossref{concretemixinghash}. $\DiversifyHash{Sapling} \typecolon \DiversifierType \rightarrow \SubgroupJstar$\nufive{ and -$\DiversifyHash{Orchard} \typecolon \DiversifierType \rightarrow \GroupPstar$}\notnufive{ is a +$\DiversifyHash{Orchard} \typecolon \DiversifierType \rightarrow \GroupP$}\notnufive{ is a \hashFunction}\nufive{ are \hashFunctions} instantiated in \crossref{concretediversifyhash}, satisfying the Unlinkability security property described in that section. \notnufive{It is}\nufive{They are} used to derive a \diversifiedBase from a \diversifier, which is specified in 
@@ -3800,7 +3805,7 @@ $\PRFexpand{}$ is used in the following places: \nufiveonwarditem{in \crossref{orchardkeycomponents}, with inputs $[6]$, $[7]$, $[8]$, and $[\hexint{81}]$ (the last of these is also specified in \cite{ZIP-32});} \item in the processes of sending (\crossref{saplingandorchardsend}) and of receiving (\crossref{saplingandorchardinband}) - \SaplingOrOrchard \notes, with inputs $[4]$ and $[5]$; + \notes, with inputs $[4]$ and $[5]$ for \Sapling \notes, or $[9]$, $[10]$, $[11]$, and $[12]$ for \Orchard \notes; \item in \cite{ZIP-32}, with inputs $[0]$, $[1]$, $[2]$ (intentionally matching \shortcrossref{saplingkeycomponents}), $[t \typecolon \range{16}{22}]$, and $[\hexint{80}]$. \end{itemize} @@ -4393,6 +4398,8 @@ Define: $\NoteCommitOutput{Orchard} := \GroupP$; \item $\ValueCommitTrapdoor{Orchard} := \binaryrange{\ScalarLength{Orchard}}$ and $\ValueCommitOutput{Orchard} := \GroupP$. + \item $\CommitIvkTrapdoor := \binaryrange{\ScalarLength{Orchard}}$ and + $\CommitIvkOutput := \GF{\ParamP{r}}$. \end{formulae} \introlist @@ -4958,7 +4965,7 @@ as follows: \item let $\AuthSignPublic = \ExtractP(\AuthSignPublicPoint)$ \item let $\InViewingKey = \CommitIvk{\CommitIvkRand}\big(\AuthSignPublic, \NullifierKey\big)$ \item let $K = \ItoLEBSPOf{\SpendingKeyLength}{\CommitIvkRand}$ - \item let $R = \PRFexpand{K}\Of{[\hexint{82}] \bconcat \ItoLEOSPOf{256}{\AuthSignPublic} \bconcat \ItoLEOSPOf{256}{\NullifierKey}}$ + \item let $R = \PRFexpand{K}\big([\hexint{82}] \bconcat \ItoLEOSPOf{256}{\AuthSignPublic} \bconcat \ItoLEOSPOf{256}{\NullifierKey}\kern-0.25em\big)$ \item let $\DiversifierKey$ be the first $\DiversifierKeyLength/8$ bytes of $R$ and let $\OutViewingKey$ be the remaining $\OutViewingKeyLength/8$ bytes of $R$. \end{algorithm} 
@@ -4980,6 +4987,9 @@ Then calculate the \defining{\diversifiedTransmissionKey} $\DiversifiedTransmitP \item $\DiversifiedTransmitPublic := \KADerivePublic{Orchard}(\InViewingKey, \DiversifiedTransmitBase)$. \end{formulae} +If $\DiversifiedTransmitBase = \ZeroP$, discard this \diversifierIndex (this occurs +with negligible probability). + \vspace{-1ex} The resulting \diversifiedPaymentAddress is $(\Diversifier \typecolon \DiversifierType, \DiversifiedTransmitPublic \typecolon \KAPublic{Orchard})$. @@ -5077,6 +5087,7 @@ $\joinSplitPubKey$ of the containing \transaction: \item $\hSig := \hSigCRH(\changed{\RandomSeed, \nfOld{\allOld},\,} \joinSplitPubKey)$. \end{formulae} +\vspace{-1ex} \begin{consensusrules} \item Elements of a \joinSplitDescription \MUST have the types given above (for example: $0 \leq \vpubOld \leq \MAXMONEY$ and $0 \leq \vpubNew \leq \MAXMONEY$). @@ -5089,8 +5100,10 @@ $\joinSplitPubKey$ of the containing \transaction: \sapling{ +\vspace{-2ex} \lsubsection{Spend Descriptions}{spenddesc} +\vspace{-1ex} A \spendTransfer, as specified in \crossref{spendsandoutputs}, is encoded in \transactions as a \defining{\spendDescription}. @@ -5129,9 +5142,6 @@ where \begin{consensusrules} \item Elements of a \spendDescription \MUST be valid encodings of the types given above. - \nufiveonwarditem{As required by \cite{ZIP-216}, $\cv$ and $\AuthSignRandomizedPublic$ - \MUST be canonically encoded, i.e.\ $\reprJ\Of{\abstJ\Of{\cv}} = \cv$ and - $\reprJ\Of{\abstJ\Of{\AuthSignRandomizedPublic}} = \AuthSignRandomizedPublic$.} \item $\cv$ and $\AuthSignRandomizedPublic$ \MUSTNOT be of small order, i.e.\ $\scalarmult{\ParamJ{h}}{\cv}$ \MUSTNOT be $\ZeroJ$ and $\scalarmult{\ParamJ{h}}{\AuthSignRandomizedPublic}$ \MUSTNOT be $\ZeroJ$. \item The proof $\Proof{\Spend}$ \MUST be valid given a \primaryInput formed 
@@ -5149,14 +5159,22 @@ where \end{consensusrules} \vspace{-1ex} -\nnote{The check that $\AuthSignRandomizedPublic$ is not of small order is technically redundant with -a check in the \spendCircuit, but it is simple and cheap to also check this outside the circuit.} +\begin{nnotes} + \item The check that $\AuthSignRandomizedPublic$ is not of small order is technically redundant with + a check in the \spendCircuit, but it is simple and cheap to also check this outside the circuit. + \item The rule that $\cv$ and $\AuthSignRandomizedPublic$ \MUST not be small-order has the effect + of also preventing non-canonical encodings of these fields\nufive{, as required by \cite{ZIP-216}}. + That is, it is necessarily the case that $\reprJ\Of{\abstJ\Of{\cv}\kern0.05em} = \cv$ and + $\reprJ\Of{\abstJ\Of{\AuthSignRandomizedPublic}\kern0.05em} = \AuthSignRandomizedPublic$. +\end{nnotes} } %sapling \sapling{ +\vspace{-2ex} \lsubsection{Output Descriptions}{outputdesc} +\vspace{-1ex} An \outputTransfer, as specified in \crossref{spendsandoutputs}, is encoded in \transactions as an \defining{\outputDescription}. @@ -5180,8 +5198,8 @@ Let $\Output$ be as defined in \crossref{abstractzk}. An \outputDescription consists of $(\cv, \cmU, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \ProofOutput)$ where \begin{itemize} -\vspace{1ex} \item $\cv \typecolon \ValueCommitOutput{Sapling}$ is the \valueCommitment to the value of the output \note; + \vspace{-0.5ex} \item $\cmU \typecolon \MerkleHash{Sapling}$ is the result of applying $\ExtractJ$ (defined in \crossref{concreteextractorjubjub}) to the \noteCommitment for the output \note; \item $\EphemeralPublic \typecolon \KAPublic{Sapling}$ is 
@@ -5196,17 +5214,21 @@ where $(\cv, \cmU, \EphemeralPublic)$ for the \outputStatement defined in \crossref{outputstatement}. \end{itemize} +\vspace{-1ex} \begin{consensusrules} \item Elements of an \outputDescription \MUST be valid encodings of the types given above. - \nufiveonwarditem{As required by \cite{ZIP-216}, $\cv$ and $\EphemeralPublic$ - \MUST be canonically encoded, i.e.\ $\reprJ\Of{\abstJ\Of{\cv}} = \cv$ and - $\reprJ\Of{\abstJ\Of{\EphemeralPublic}} = \EphemeralPublic$.} \item $\cv$ and $\EphemeralPublic$ \MUSTNOT be of small order, i.e.\ $\scalarmult{\ParamJ{h}}{\cv}$ \MUSTNOT be $\ZeroJ$ and $\scalarmult{\ParamJ{h}}{\EphemeralPublic}$ \MUSTNOT be $\ZeroJ$. \item The proof $\Proof{\Output}$ \MUST be valid given a \primaryInput formed from the other fields except $\TransmitCiphertext{}$ and $\OutCiphertext{}$ --- i.e.\ $\SpendVerify{}\big(\kern-0.1em(\cv, \cmU, \EphemeralPublic), \Proof{\Output}\big) = 1$. \end{consensusrules} + +\vspace{-2ex} +\nnote{The rule that $\cv$ and $\EphemeralPublic$ \MUST not be small-order, has the effect +of also preventing non-canonical encodings of these fields\nufive{, as required by \cite{ZIP-216}}. +That is, it is necessarily the case that $\reprJ\Of{\abstJ\Of{\cv}\kern0.05em} = \cv$ and +$\reprJ\Of{\abstJ\Of{\EphemeralPublic}\kern0.05em} = \EphemeralPublic$.} } %sapling 
@@ -5293,15 +5315,19 @@ $\ProofAction$ is aggregated with other Action proofs and encoded in the $\proof i.e.\ $\ActionVerify\big(\kern-0.1em(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic, \enableSpend, \enableOutput), \Proof{\Action}\big) = 1$. \end{consensusrules} -\nnote{$\cv$ and $\AuthSignRandomizedPublic$ can be the zero point $\ZeroP$.} +\vspace{-3ex} +\nnote{$\cv$, $\AuthSignRandomizedPublic$, and $\EphemeralPublic$ can be the zero point $\ZeroP$.} } %nufive +\vspace{-1ex} \introlist \lsubsection{Sending Notes}{send} +\vspace{-1ex} \notsprout{\lsubsubsection{Sending Notes (\SproutText)}{sproutsend}} +\vspace{-1ex} In order to send \Sprout \shielded value, the sender constructs a \transaction containing one or more \joinSplitDescriptions. @@ -5319,12 +5345,13 @@ generating a new $\JoinSplitSig$ key pair: \item $\joinSplitPubKey := \JoinSplitSigDerivePublic(\joinSplitPrivKey)$. \end{formulae} +\vspace{-1ex} \introlist For each \joinSplitDescription, the sender chooses $\RandomSeed$ uniformly at random on $\bitseq{\RandomSeedLength}$, and selects the input \notes. At this point there is sufficient information to compute $\hSig$, as described in the previous section. \changed{The sender also chooses $\NoteUniquePreRand$ -uniformly at random on $\bitseq{\NoteUniquePreRandLength}$.} +uniformly at random on $\strut\smash{\bitseq{\NoteUniquePreRandLength}}$.} Then it creates each output \note with index $i \typecolon \setofNew$: \begin{itemize} @@ -5337,6 +5364,7 @@ Then it creates each output \note with index $i \typecolon \setofNew$: \item Let $\NotePlaintext{i} = (\changed{\hexint{00},\ } \Value_i, \NoteUniqueRand_i, \NoteCommitRand_i\changed{, \Memo_i})$. \end{itemize} +\vspace{-1ex} $\NotePlaintext{\allNew}$ are then encrypted to the recipient \transmissionKeys $\TransmitPublicSub{\allNew}$, giving the \notesCiphertextSprout $(\EphemeralPublic, \TransmitCiphertext{\allNew})$, as described in \crossref{sproutinband}. 
@@ -5346,7 +5374,6 @@ of the input \notes and of the output \notes. Other considerations relating to information leakage from the structure of \transactions are beyond the scope of this specification. -\introlist After generating all of the \joinSplitDescriptions, the sender obtains $\dataToBeSigned \typecolon \byteseqs$ as described in \crossref{sproutnonmalleability}, and signs it with the private \defining{\joinSplitSigningKey}: 
@@ -5363,51 +5390,40 @@ to send to \Sprout addresses. This \SHOULD be made clear in user interfaces and The facility to send to \Sprout addresses is \notbeforecanopy{in any case} \OPTIONAL for a particular node or wallet implementation. + \sapling{ \introlist -\extralabel{saplingsend}{\lsubsubsection{Sending Notes (\SaplingAndOrchardText)}{saplingandorchardsend}} +\lsubsubsection{Sending Notes (\SaplingText)}{saplingsend} \vspace{-1ex} -In order to send \SaplingOrOrchard \shielded value, the sender constructs a \transaction -containing one or more \outputDescriptions. +In order to send \Sapling \shielded value, the sender constructs a \transaction +with one or more \outputDescriptions. -Let $\ValueCommitAlg{Sapling}$, $\NoteCommitAlg{Sapling}$\nufive{, -$\ValueCommitAlg{Orchard}$, and $\NoteCommitAlg{Orchard}$} be as in -\crossref{abstractcommit}. +Let $\ValueCommitAlg{Sapling}$ and $\NoteCommitAlg{Sapling}$ be as specified in \crossref{abstractcommit}. -Let $\KA{Sapling}$\nufive{ and $\KA{Orchard}$} be as specified in \crossref{abstractkeyagreement}. +\vspace{-0.5ex} +Let $\KA{Sapling}$ be as specified in \crossref{abstractkeyagreement}. -Let $\DiversifyHash{Sapling}$\nufive{ and $\DiversifyHash{Orchard}$} be as specified in -\crossref{abstracthashes}. +\vspace{-0.5ex} +Let $\DiversifyHash{Sapling}$ be as specified in \crossref{abstracthashes}. -Let $\ToScalar{Sapling}$ be as specified in \crossref{saplingkeycomponents}\nufive{ and -let $\ToScalar{Orchard}$ be as specified in \crossref{orchardkeycomponents}}. - -\nufive{ -When we use $\ValueCommitAlg{}$, $\NoteCommitAlg{}$, $\KA{}$, $\DiversifyHash{}$, or $\ToScalar{}$ -without the \textsf{Sapling} or \textsf{Orchard} suffix, we mean the corresponding \Sapling or \Orchard -instantiation according to the type of \note being sent. -} +\vspace{-0.5ex} +Let $\ToScalar{Sapling}$ be as specified in \crossref{saplingkeycomponents}. Let $\reprJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}. 
-\nufive{ -Let $\reprP$ and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}. - -Let $\repr$ be $\reprJ$ for a \Sapling \note, or $\reprP$ for an \Orchard \note. -} %nufive - -Let $\ItoLEOSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$ -be as defined in \crossref{endian}. +Let $\ItoLEOSP{}$ be as defined in \crossref{endian}. \vspace{1ex} -Let $\OutViewingKey$ be an \outgoingViewingKey\nufive{ (for the same shielded protocol as the \note)} -that is intended to be able to decrypt this payment. This may be one of: +Let $\OutViewingKey$ be a \Sapling \outgoingViewingKey that is intended to be able to decrypt +this payment. This may be one of: \begin{itemize} \item the \outgoingViewingKey for the address (or one of the addresses) from which the payment was sent; + \vspace{-0.5ex} \item the \outgoingViewingKey for all payments associated with an \definingquotedterm{account}, to be defined in \cite{ZIP-32}; + \vspace{-0.5ex} \item $\bot$, if the sender should not be able to decrypt the payment once it has deleted its own copy. \end{itemize} 
@@ -5426,46 +5442,34 @@ if $\BlockHeight \geq \CanopyActivationHeight$. \introlist For each \outputDescription, the sender selects a value $\Value \typecolon \range{0}{\MAXMONEY}$ -and a destination \SaplingOrOrchard \paymentAddress $(\Diversifier, \DiversifiedTransmitPublic)$, -and then performs the following steps: +and a destination \Sapling \paymentAddress $(\Diversifier, \DiversifiedTransmitPublic)$, and then +performs the following steps: \begin{algorithm} - \item Check that $\DiversifiedTransmitPublic$ is of the correct type. For $\Sapling$ this type - is $\KAPublicPrimeSubgroup{Sapling}$, i.e.\ $\DiversifiedTransmitPublic$ MUST be a valid - \ctEdwardsCurve point on the \jubjubCurve (as defined in \crossref{jubjub}), and - $\scalarmult{\ParamJ{r}}{\DiversifiedTransmitPublic} = \ZeroJ$. \nufive{For \Orchard - this type is $\KAPublic{Orchard}$, i.e.\ $\DiversifiedTransmitPublic$ MUST be a valid - \swCurve point other than $\ZeroP$ on the \pallasCurve (as defined in \crossref{pallasandvesta}).} - - \item Calculate $\DiversifiedTransmitBase = \DiversifyHash{\maybeSapling}(\Diversifier)$ + \item Check that $\DiversifiedTransmitPublic$ is of type $\KAPublicPrimeSubgroup{Sapling}$, i.e.\ it + \MUST be a valid \ctEdwardsCurve point on the \jubjubCurve (as defined in \crossref{jubjub}), and + $\scalarmult{\ParamJ{r}}{\DiversifiedTransmitPublic} = \ZeroJ$. + \item Calculate $\DiversifiedTransmitBase = \DiversifyHash{Sapling}(\Diversifier)$ and check that $\DiversifiedTransmitBase \neq \bot$. - - \item Choose a uniformly random \commitmentTrapdoor $\ValueCommitRand \leftarrowR \ValueCommitGenTrapdoor{\maybeSapling}()$. - + \item Choose a uniformly random \commitmentTrapdoor $\ValueCommitRand \leftarrowR \ValueCommitGenTrapdoor{Sapling}()$. \canopy{ \item If $\NotePlaintextLeadByte = \hexint{01}$: } - \item \canopy{\tab} Choose a uniformly random \ephemeralPrivateKey $\EphemeralPrivate \leftarrowR \KAPrivate{\maybeSapling} \setminus \setof{0}$. 
+ \item \canopy{\tab} Choose a uniformly random \ephemeralPrivateKey $\EphemeralPrivate \leftarrowR \KAPrivate{Sapling} \setminus \setof{0}$. \item \canopy{\tab} Choose a uniformly random \commitmentTrapdoor $\NoteCommitRand \leftarrowR \NoteCommitGenTrapdoor{}()$. - \item \canopy{\tab} Set $\canopy{\NoteSeedBytes :=\ } \NoteCommitRandBytes := \ItoLEOSP{256}(\NoteCommitRand)$. + \item \canopy{\tab} Set $\NoteCommitRandBytesOrSeedBytes := \ItoLEOSP{256}(\NoteCommitRand)$. \canopy{ \item else: \item \tab Choose uniformly random $\NoteSeedBytes \leftarrowR \NoteSeedBytesType$. - \item \tab Derive $\EphemeralPrivate = \ToScalar{\maybeSapling}\big(\PRFexpand{\NoteSeedBytes}([4])\kern-0.1em\big)$. - \item \tab Derive $\NoteCommitRandBytes = \ToScalar{\maybeSapling}\big(\PRFexpand{\NoteSeedBytes}([5])\kern-0.11em\big)$. - \item \vspace{-4ex} + \item \tab Derive $\EphemeralPrivate = \ToScalar{Sapling}\big(\PRFexpand{\NoteSeedBytes}([4])\kern-0.1em\big)$. + \item \tab Derive $\NoteCommitRand = \ToScalar{Sapling}\big(\PRFexpand{\NoteSeedBytes}([5])\kern-0.11em\big)$. + \item \vspace{-2ex} } - \item Calculate - - \begin{tabular}{@{\hskip 2em}r@{\;}l} - $\cv$ &$:= \ValueCommit{\maybeSapling}{\ValueCommitRand}(\Value)$ \\ - $\cm$ &$:= \NoteCommit{\maybeSapling}{\NoteCommitRand}(\reprMaybeJ\Of{\DiversifiedTransmitBase}, - \reprMaybeJ\Of{\DiversifiedTransmitPublic}, - \Value)$ - \end{tabular} - + \item Let $\cv = \ValueCommit{Sapling}{\ValueCommitRand}(\Value)$. + \item Let $\cm = \NoteCommit{Sapling}{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase}, + \reprJ\Of{\DiversifiedTransmitPublic}, + \Value)$. \item Let $\NotePlaintext{} = (\NotePlaintextLeadByte, \Diversifier, \Value, \NoteCommitRandBytesOrSeedBytes, \Memo)$. - \item Encrypt $\NotePlaintext{}$ to the recipient \diversifiedTransmissionKey $\DiversifiedTransmitPublic$ with \diversifiedBase $\DiversifiedTransmitBase$, and to the 
@@ -5475,27 +5479,97 @@ and then performs the following steps: $\cvField$ and $\cmuField$ to derive $\OutCipherKey$, and takes $\EphemeralPrivate$ as input. - \item \notbeforenufive{For a \Sapling \note, generate}\notnufive{Generate} a proof $\ProofOutput$ for the \outputStatement in \crossref{outputstatement}. + \item Generate a proof $\ProofOutput$ for the \outputStatement in \crossref{outputstatement}. -\nufive{ - \item For an \Orchard \note, generate a proof $\ProofAction$ for the \actionStatement in \crossref{actionstatement}. -} %nufive - - \item Return $(\cv, \cm, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \ProofOutput\nufive{\text{ or }\ProofAction})$. + \item Return $(\cv, \cm, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \ProofOutput)$. \end{algorithm} -In order to minimize information leakage, the sender \SHOULD randomize the order -of \outputDescriptions\nufive{ or \actionDescriptions} in a \transaction. Other considerations -relating to information leakage from the structure of \transactions are beyond the -scope of this specification. The encoded \transaction is submitted to the peer-to-peer network. +\vspace{-0.5ex} +In order to minimize information leakage, the sender \SHOULD randomize the order of +\outputDescriptions in a \transaction. Other considerations relating to information +leakage from the structure of \transactions are beyond the scope of this specification. +The encoded \transaction is submitted to the peer-to-peer network. } %sapling -\introsection +\nufive{ +\introlist +\lsubsubsection{Sending Notes (\OrchardText)}{orchardsend} + +In order to send \Orchard \shielded value, the sender constructs a \transaction +with one or more \actionDescriptions. This section describes how to produce the +output-related fields of an \actionDescription. + +\vspace{1ex} +Let $\ValueCommitAlg{Orchard}$ and $\NoteCommitAlg{Orchard}$ be as specified in \crossref{abstractcommit}. 
+ +Let $\KA{Orchard}$ be as specified in \crossref{abstractkeyagreement}. + +Let $\DiversifyHash{Orchard}$ be as specified in \crossref{abstracthashes}. + +Let $\ToScalar{Orchard}$ and $\ToBase{Orchard}$ be as specified in \crossref{orchardkeycomponents}. + +Let $\reprP$ and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}. + +Let $\ItoLEOSP{}$ be as defined in \crossref{endian}. + +\vspace{1ex} +Let $\OutViewingKey$ be an \Orchard \outgoingViewingKey that is intended to be able to decrypt +this payment. The considerations for choosing \outgoingViewingKeys are as described for \Sapling +in \crossref{saplingsend}. + +Let $\NotePlaintextLeadByte$ be the \notePlaintextLeadByte, which \MUST be $\hexint{02}$. + +\introlist +For each \actionDescription, the sender selects a value $\Value \typecolon \range{0}{\MAXMONEY}$ +and a destination \Orchard \paymentAddress $(\Diversifier, \DiversifiedTransmitPublic)$, +and then performs the following steps: + +\begin{algorithm} + \item Check that $\DiversifiedTransmitPublic$ is of type $\KAPublic{Orchard}$, i.e.\ it + \MUST be a valid \swCurve point on the \pallasCurve (as defined in \crossref{pallasandvesta}). + \item Calculate $\DiversifiedTransmitBase = \DiversifyHash{Orchard}(\Diversifier)$ + and check that $\DiversifiedTransmitBase \neq \bot$. + \item Choose a uniformly random \commitmentTrapdoor $\ValueCommitRand \leftarrowR \ValueCommitGenTrapdoor{Orchard}()$. + \item Choose uniformly random $\NoteSeedBytes \leftarrowR \NoteSeedBytesType$. + \item Derive $\EphemeralPrivate = \ToScalar{Orchard}\big(\PRFexpand{\NoteSeedBytes}([9])\kern-0.1em\big)$. + \item Derive $\NoteCommitRand = \ToScalar{Orchard}\big(\PRFexpand{\NoteSeedBytes}([10])\kern-0.11em\big)$. + \item Derive $\NoteUniqueRand = \ToBase{Orchard}\big(\PRFexpand{\NoteSeedBytes}([11])\kern-0.1em\big)$. + \item Derive $\NoteNullifierRand = \ToBase{Orchard}\big(\PRFexpand{\NoteSeedBytes}([12])\kern-0.09em\big)$. 
+ \item Let $\cv = \ValueCommit{Orchard}{\ValueCommitRand}(\Value)$. + \item Let $\cm = \NoteCommit{Orchard}{\NoteCommitRand}(\reprP\Of{\DiversifiedTransmitBase}, + \reprP\Of{\DiversifiedTransmitPublic}, + \Value, \NoteUniqueRand, \NoteNullifierRand)$. + \vspace{0.5ex} + \item Let $\NotePlaintext{} = (\NotePlaintextLeadByte, \Diversifier, \Value, \NoteCommitRandBytesOrSeedBytes, \Memo)$. + \vspace{0.5ex} + \item Encrypt $\NotePlaintext{}$ to the recipient + \diversifiedTransmissionKey $\DiversifiedTransmitPublic$ with + \diversifiedBase $\DiversifiedTransmitBase$, and to the + \outgoingViewingKey $\OutViewingKey$, giving the \noteCiphertextOrchard + $(\EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext)$. + This procedure is described in \crossref{saplingandorchardencrypt}; it also uses + $\cvField$ and $\cmxField$ to derive $\OutCipherKey$, and takes + $\EphemeralPrivate$ as input. + \item For an \Orchard \note, generate a proof $\ProofAction$ for the \actionStatement in \crossref{actionstatement}. + \item Return $(\cv, \cm, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \ProofAction)$. +\end{algorithm} + +In order to minimize information leakage, the sender \SHOULD randomize the order of +\actionDescriptions in a \transaction. Other considerations relating to information +leakage from the structure of \transactions are beyond the scope of this specification. +The encoded \transaction is submitted to the peer-to-peer network. +} %nufive + + +\vspace{-1ex} +\introlist \lsubsection{Dummy Notes}{\sprout{sproutdummynotes}\notsprout{dummynotes}} +\vspace{-1ex} \notsprout{\lsubsubsection{Dummy Notes\pSproutOrNothingText}{sproutdummynotes}} +\vspace{-1ex} The fields in a \joinSplitDescription allow for $\NOld$ input \notes, and $\NNew$ output \notes. In practice, we may wish to encode a \joinSplitTransfer with fewer input or output \notes. This is achieved using \defining{\dummyNotes}. 
@@ -5516,7 +5590,9 @@ is constructed as follows: \begin{itemize} \item Generate a new uniformly random \spendingKey $\AuthPrivateOld{i} \leftarrowR \bitseq{\AuthPrivateLength}$ and derive its \payingKey $\AuthPublicOld{i}$. - \item \vspace{-0.5ex} Set $\vOld{i} = 0$. + \vspace{-0.5ex} + \item Set $\vOld{i} = 0$. + \vspace{-0.5ex} \item Choose uniformly random $\NoteUniqueRandOld{i} \leftarrowR \PRFOutputSprout$ and $\NoteCommitRandOld{i} \leftarrowR \NoteCommitGenTrapdoor{Sprout}()$. \item Compute $\nfOld{i} = \PRFnf{Sprout}{\AuthPrivateOld{i}}(\NoteUniqueRandOld{i})$. 
@@ -5532,71 +5608,50 @@ zero value, and sent to a random \paymentAddress. \sapling{ \introsection -\extralabel{saplingdummynotes}{\lsubsubsection{Dummy Notes (\SaplingAndOrchardText)}{saplingandorcharddummynotes}} +\lsubsubsection{Dummy Notes (\SaplingText)}{saplingdummynotes} -In \SaplingAndOrchard there is no need to use \dummyNotes simply in order to fill +In \Sapling there is no need to use \dummyNotes simply in order to fill otherwise unused inputs as in the case of a \joinSplitDescription; nevertheless it may be useful for privacy to obscure the number of real \shieldedInputs from -\Sapling \notes\nufive{ and from \Orchard \notes}. +\Sapling \notes. \vspace{0.5ex} Let $\SpendingKeyLength$ be as defined in \crossref{constants}. -Let $\ValueCommitAlg{Sapling}$, $\NoteCommitAlg{Sapling}$\nufive{, -$\ValueCommitAlg{Orchard}$, and $\NoteCommitAlg{Orchard}$} be as in -\crossref{abstractcommit}. +Let $\ValueCommitAlg{Sapling}$ and $\NoteCommitAlg{Sapling}$ be as defined in \crossref{abstractcommit}. -Let $\DiversifyHash{Sapling}$\nufive{ and $\DiversifyHash{Orchard}$} be as specified in -\crossref{abstracthashes}. +Let $\DiversifyHash{Sapling}$ be as specified in \crossref{abstracthashes}. -Let $\ToScalar{Sapling}$ be as specified in \crossref{saplingkeycomponents}\nufive{ and -let $\ToScalar{Orchard}$ be as specified in \crossref{orchardkeycomponents}}. - -\nufive{ -When we use $\ValueCommitAlg{}$, $\NoteCommitAlg{}$, $\KA{}$, $\DiversifyHash{}$, or $\ToScalar{}$ -without the \textsf{Sapling} or \textsf{Orchard} suffix, we mean the corresponding \Sapling or \Orchard -instantiation according to the type of \note being sent. -} +Let $\ToScalar{Sapling}$ be as specified in \crossref{saplingkeycomponents}. Let $\reprJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}. -\nufive{ -Let $\reprP$ and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}. - -Let $\repr$ be $\reprJ$ for a \Sapling \note, or $\reprP$ for an \Orchard \note. 
-} %nufive - -Let $\ParamJ{r}$ and $\reprJ$ be as defined in \crossref{jubjub}. - -Let $\AuthProveBaseSapling$ be as defined in \crossref{saplingkeycomponents}. - Let $\PRFnf{Sapling}{}$ be as defined in \crossref{abstractprfs}. Let $\NoteCommitAlg{Sapling}$ be as defined in \crossref{abstractcommit}. \introlist \vspace{0.5ex} -A \dummy \SaplingOrOrchard input \note is constructed as follows: +A \spendDescription for a \dummy \Sapling input \note is constructed as follows: \vspace{-0.5ex} \begin{itemize} \item Choose uniformly random $\SpendingKey \leftarrowR \SpendingKeyType$. - \item Generate a \fullViewingKey $(\AuthSignPublic, \NullifierKey, \CommitIvkRand)$ and a + \item Generate a \fullViewingKey $(\AuthSignPublic, \NullifierKey)$ and a \diversifiedPaymentAddress $(\Diversifier, \DiversifiedTransmitPublic)$ - for $\SpendingKey$ as described in \crossref{saplingkeycomponents}\nufive{ or - \crossref{orchardkeycomponents}}. - \item Set $\vOld{} = 0$, and set $\NotePosition = 0$. - \item Choose uniformly random $\ValueCommitRand \leftarrowR \ValueCommitGenTrapdoor{\maybeSapling}()$. - \item Choose uniformly random $\NoteCommitRand \leftarrowR \NoteCommitGenTrapdoor{\maybeSapling}()$. - \item Let $\cvOld{} = \ValueCommit{\maybeSapling}{\ValueCommitRand}(\vOld{})$. - \item Let $\cmOld{} = \NoteCommit{\maybeSapling}{\NoteCommitRand}(\reprMaybeJ\Of{\DiversifiedTransmitBase}, - \reprMaybeJ\Of{\DiversifiedTransmitPublic}, - \vOld{})$. - \item Let $\NotePosition = 0$. - \item Let $\NoteUniqueRandRepr = \reprMaybeJ\big(\MixingPedersenHash(\cmOld{}, \NotePosition)\kern-0.12em\big)$. - \item Let $\NullifierKeyRepr = \reprMaybeJ(\NullifierKey)$. - \item Let $\nfOld{} = \PRFnf{Sapling}{\NullifierKeyRepr}(\NoteUniqueRandRepr)$. + for $\SpendingKey$ as described in \crossref{saplingkeycomponents}. + \item Let $\Value = 0$ and $\NotePosition = 0$. + \item Choose uniformly random $\ValueCommitRand \leftarrowR \ValueCommitGenTrapdoor{Sapling}()$. 
+ \item Choose uniformly random $\NoteSeedBytes \leftarrowR \NoteSeedBytesType$. + \item Derive $\NoteCommitRand = \ToScalar{Sapling}\big(\PRFexpand{\NoteSeedBytes}([5])\kern-0.11em\big)$. + \item Let $\cv = \ValueCommit{Sapling}{\ValueCommitRand}(\Value)$. + \item Let $\cm = \NoteCommit{Sapling}{\NoteCommitRand}\big(\reprJ\Of{\DiversifiedTransmitBase}, + \reprJ\Of{\DiversifiedTransmitPublic}, + \Value\big)$. + \item Let $\NoteUniqueRandRepr = \reprJ\big(\MixingPedersenHash(\cm, \NotePosition)\kern-0.1em\big)$. + \item Let $\NullifierKeyRepr = \reprJ(\NullifierKey)$. + \item Let $\nf = \PRFnf{Sapling}{\NullifierKeyRepr}(\NoteUniqueRandRepr)$. \item Construct a \dummy \merklePath $\TreePath{}$ for use in the - \auxiliaryInput to the \spendStatement (this will not be checked, because $\vOld{} = 0$). + \auxiliaryInput to the \spendStatement (this will not be checked, because $\Value = 0$). \end{itemize} As in \Sprout, a \dummy \Sapling output \note is constructed as normal but with 
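Review bot: the Sapling dummy-note hunk (@@ -5532) now imports $\NoteCommitAlg{Sapling}$ twice; `Let $\ValueCommitAlg{Sapling}$ and $\NoteCommitAlg{Sapling}$ be as defined in \crossref{abstractcommit}.` is followed a few lines later by the unchanged `Let $\NoteCommitAlg{Sapling}$ be as defined in \crossref{abstractcommit}.`, so drop the second. The same preamble still declares $\SpendingKeyLength$ although the construction only uses $\SpendingKeyType$; either reference the type's definition or drop the constant. Minor: `\lsubsubsection{Dummy Notes (\SaplingText)}{saplingdummynotes}` replaces an \extralabel that also defined the label `saplingandorcharddummynotes`, so grep for \crossref uses of that label before merging.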
@@ -5604,6 +5659,60 @@ zero value, and sent to a random \paymentAddress. } %sapling +\nufive{ +\introsection +\lsubsubsection{Dummy Notes (\OrchardText)}{orcharddummynotes} + +As for \Sapling, it may be useful for privacy to obscure the number of real \shieldedInputs +from \Orchard \notes. + +\vspace{0.5ex} +Let $\SpendingKeyLength$ be as defined in \crossref{constants}. + +\vspace{-0.5ex} +Let $\ValueCommitAlg{Orchard}$ and $\NoteCommitAlg{Orchard}$ be as defined in \crossref{abstractcommit}. + +\vspace{-0.5ex} +Let $\DiversifyHash{Orchard}$ be as specified in \crossref{abstracthashes}. + +\vspace{-0.5ex} +Let $\ToScalar{Orchard}$ and $\ToBase{Orchard}$ be as specified in \crossref{orchardkeycomponents}. + +Let $\reprP$ and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}. + +Let $\DeriveNullifierAlg$ be as defined in \crossref{commitmentsandnullifiers}. + +Let $\NoteCommitAlg{Orchard}$ be as defined in \crossref{abstractcommit}. + +\introlist +\vspace{0.5ex} +The spend-related fields of an \actionDescription for a \dummy \Orchard input \note are +constructed as follows: +\begin{itemize} + \item Choose uniformly random $\SpendingKey \leftarrowR \SpendingKeyType$. + \item Generate a \fullViewingKey $(\AuthSignPublic, \NullifierKey, \CommitIvkRand)$ and a + \diversifiedPaymentAddress $(\Diversifier, \DiversifiedTransmitPublic)$ + for $\SpendingKey$ as described in \crossref{orchardkeycomponents}. + \item Let $\Value = 0$ and $\NotePosition = 0$. + \item Choose uniformly random $\ValueCommitRand \leftarrowR \ValueCommitGenTrapdoor{Orchard}()$. + \item Choose uniformly random $\NoteSeedBytes \leftarrowR \NoteSeedBytesType$. + \item Derive $\NoteCommitRand = \ToScalar{Orchard}\big(\PRFexpand{\NoteSeedBytes}([10])\kern-0.11em\big)$. + \item Derive $\NoteUniqueRand = \ToBase{Orchard}\big(\PRFexpand{\NoteSeedBytes}([11])\kern-0.1em\big)$. + \item Derive $\NoteNullifierRand = \ToBase{Orchard}\big(\PRFexpand{\NoteSeedBytes}([12])\kern-0.09em\big)$. 
+ \item Let $\cv = \ValueCommit{Orchard}{\ValueCommitRand}(\Value)$. + \item Let $\cm = \NoteCommit{Orchard}{\NoteCommitRand}\big(\reprP\Of{\DiversifiedTransmitBase}, + \reprP\Of{\DiversifiedTransmitPublic}, + \Value, \NoteUniqueRand, \NoteNullifierRand\big)$. + \item Let $\nf = \DeriveNullifier{\NullifierKey}(\NoteUniqueRand, \NoteNullifierRand, \cm)$. + \item Construct a \dummy \merklePath $\TreePath{}$ for use in the + \auxiliaryInput to the \spendStatement (this will not be checked, because $\Value = 0$). +\end{itemize} + +As in \Sprout, a \dummy \Orchard output \note is constructed as normal but with +zero value, and sent to a random \paymentAddress. +} %nufive + + \introsection \lsubsection{Merkle Path Validity}{merklepath} @@ -5773,7 +5882,6 @@ $\JoinSplitSigValidate{\text{\small\joinSplitPubKey}}(\dataToBeSigned, \joinSpli % FIXME: distinguish pubkey and signature from their encodings. } -\introsection Let $\hSig$ be computed as specified in \crossref{joinsplitdesc}. Let $\PRFpk{}$ be as defined in \crossref{abstractprfs}. @@ -5811,9 +5919,11 @@ treated like an \emph{output} value, whereas} $\vpubNew$ is treated like an \blockChain is the sum of all $\vpubOld$ field values for \transactions in the \blockChain, minus the sum of all $\vpubNew$ fields values for transactions in the \blockChain.} +\vspace{-1ex} \consensusrule{If the \SproutChainValuePoolBalance would become negative in the \blockChain created as a result of accepting a \block, then all nodes \MUST reject the block as invalid.} +\vspace{2ex} Unlike original \Zerocash \cite{BCGGMTV2014}, \Zcash does not have a distinction between Mint and Pour operations. The addition of $\vpubOld$ to a \joinSplitDescription subsumes the functionality of both Mint and Pour. 
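Review bot: in the new Orchard dummy-note hunk (@@ -5604) the last list item says the dummy \merklePath is for `the \auxiliaryInput to the \spendStatement`, but an Orchard dummy input is consumed by the \actionStatement (the patch itself refers to \crossref{actionstatement} for Orchard elsewhere); change it to \actionStatement. The preamble repeats `Let $\NoteCommitAlg{Orchard}$ be as defined in \crossref{abstractcommit}.` after already importing it together with $\ValueCommitAlg{Orchard}$, and imports $\ParamP{r}$ without using it. The three new $\PRFexpand{\NoteSeedBytes}$ tags `[10]`, `[11]` and `[12]` used to derive $\NoteCommitRand$, $\NoteUniqueRand$ and $\NoteNullifierRand$ should be recorded wherever the existing tag `[5]` (used in the Sapling hunk above) is reserved, so a later change cannot reuse them for a different purpose.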
@@ -5858,9 +5968,12 @@ from that pool. \blockChain is the negation of the sum of all $\valueBalance{Sapling}$ field values for \transactions in the \blockChain.} +\vspace{-1ex} \consensusrule{If the \SaplingChainValuePoolBalance would become negative in the \blockChain created as a result of accepting a \block, then all nodes \MUST reject the block as invalid.} +\introlist +\vspace{2ex} Consistency of $\vBalance{Sapling}$ with the \valueCommitments in \spendDescriptions and \outputDescriptions is enforced by the \defining{\saplingBindingSignature}. This signature has a dual rôle in the \Sapling protocol: 
@@ -5883,19 +5996,20 @@ and the \saplingBalancingValue. Let $\SubgroupJ$, $\SubgroupJstar$, and $\ParamJ{r}$ be as defined in \crossref{jubjub}. \introlist -Let $\ValueCommitAlg{Sapling}$, $\ValueCommitValueBase{Sapling}$, and $\ValueCommitRandBase{Sapling}$ -be as defined in \crossref{concretevaluecommit}: +\crossref{concretevaluecommit} instantiates: \vspace{-0.5ex} \begin{formulae} \item $\ValueCommitAlg{Sapling} \typecolon \ValueCommitTrapdoor{Sapling} \times \ValueCommitTypeSapling \rightarrow \ValueCommitOutput{Sapling}$; \vspace{-1ex} - \item $\ValueCommitValueBase{Sapling} \typecolon \SubgroupJstar$ is the value base in $\ValueCommitAlg{Sapling}$; - \item $\ValueCommitRandBase{Sapling} \typecolon \SubgroupJstar$ is the randomness base in $\ValueCommitAlg{Sapling}$. + \item $\ValueCommitValueBase{Sapling} \typecolon \SubgroupJstar$, the value base in $\ValueCommitAlg{Sapling}$; + \item $\ValueCommitRandBase{Sapling} \typecolon \SubgroupJstar$, the randomness base in $\ValueCommitAlg{Sapling}$. \end{formulae} $\BindingSig{Sapling}$, $\combplus$, and $\grpplus$ are instantiated in \crossref{concretebindingsig}. -These and the derived $\combminus$, $\scombsum{i=1}{\rmN}$, $\grpminus$, and -$\sgrpsum{i=1\vphantom{p}}{\rmN}$ are specified in \crossref{abstractsigmono}. + +\crossref{abstractsigmono} specifies these operations and the derived notation $\combminus$, $\scombsum{i=1}{\rmN}$, +$\grpminus$, and $\sgrpsum{i=1\vphantom{p}}{\rmN}$, which in this section are to be interpreted as +operating on the prime-order subgroup of the \jubjubCurve and its scalar field. \vspace{1.5ex} \introlist @@ -5932,7 +6046,6 @@ calculate the corresponding \signingKey as: \Bigg(\!\vgrpsum{j=1}{m} \ValueCommitRandNew{j}\Bigg)$. \end{formulae} -\introlist \vspace{-1ex} In order to check for implementation faults, the signer \SHOULD also check that \begin{formulae} 
@@ -6001,10 +6114,16 @@ Similarly the $\outputStatements$ prove that all of $\vNew{\allm}$ are in $\Valu $\vBalance{Sapling}$ is encoded in the \transaction as a signed two's complement $64$-bit integer in the range $\SignedValueType$. $\ValueLength$ is defined as 64, so $\vSum$ is in the range $\range{-m \mult (2^{64}-1) - 2^{63} + 1}{n \mult (2^{64}-1) + 2^{63}}$. -The maximum \transaction size of $2$ MB limits $n$ to at most $\floor{\frac{2000000}{384}} = 5208$ -and $m$ to at most $\floor{\frac{2000000}{948}} = 2109$, ensuring -$\vSum \in \range{-38913406623490299131842}{96079866507916199586728}$ -which is a subrange of $\ValueCommitTypeSapling$. +The maximum \transaction size is $2$ MB, and the minimum contributions of a \spendDescription +and an \outputDescription to \transaction size +are\notnufive{ $384$ bytes}\nufive{ (in a v5 \transaction) $352$ bytes} and $948$ bytes +respectively, limiting $n$ to at +most\notnufive{ $\floor{\frac{2000000}{384}} = 5208$}\nufive{ $\floor{\frac{2000000}{352}} = 5681$} +and $m$ to at most $\floor{\frac{2000000}{948}} = 2109$. + +This ensures that $\vSum \in +\range{-38913406623490299131842}{\notnufive{96079866507916199586728}\nufive{104805176454780817500623}}$, +a subrange of $\ValueCommitTypeSapling$. Thus checking the \saplingBindingSignature ensures that the \spendTransfers and \outputTransfers in the \transaction balance, without their individual values being revealed. 
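Review bot: the revised bound in @@ -6001 checks out: $\floor{2000000/352} = 5681$ and $5681 \mult (2^{64}-1) + 2^{63} = 104805176454780817500623$, and the lower bound is unchanged because $m$ is still limited by the 948-byte \outputDescription. Two documentation points: the 352-byte figure for a v5 \spendDescription deserves a citation to the v5 format (the patch cites \cite{ZIP-225} for that format in the Orchard binding-signature text), and since the v4 and v5 figures are presented as alternatives via \notnufive/\nufive while the range must hold for every \transaction the consensus rules accept, one clause saying that the larger v5 bound ($5681 > 5208$) is the binding one would keep the argument self-contained.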
@@ -6055,9 +6174,12 @@ from that pool. \OrchardChainValuePoolBalance for a given \blockChain is the negation of the sum of all $\valueBalance{Orchard}$ field values for \transactions in the \blockChain.} +\vspace{-1ex} \consensusrule{If the \OrchardChainValuePoolBalance would become negative in the \blockChain created as a result of accepting a \block, then all nodes \MUST reject the block as invalid.} +\introlist +\vspace{2ex} Consistency of $\vBalance{Orchard}$ with the \valueCommitments in \actionDescriptions is enforced by the \defining{\orchardBindingSignature}. The rôle of this signature in the \Orchard protocol is to prove that the net value spent (i.e.\ the total value spent minus 
@@ -6075,22 +6197,23 @@ Instead of generating a key pair at random, we generate it as a function of the \valueCommitments in the \actionDescriptions of the \transaction, and the \orchardBalancingValue. \vspace{2ex} -Let $\GroupP$, $\GroupPstar$, and $\ParamP{r}$ be as defined in \crossref{pallas}. +Let $\GroupP$, $\GroupPstar$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}. \introlist -Let $\ValueCommitAlg{Orchard}$, $\ValueCommitValueBase{Orchard}$, and $\ValueCommitRandBase{Orchard}$ -be as defined in \crossref{concretevaluecommit}: +\crossref{concretevaluecommit} instantiates: \vspace{-0.5ex} \begin{formulae} \item $\ValueCommitAlg{Orchard} \typecolon \ValueCommitTrapdoor{Orchard} \times \ValueCommitTypeOrchard \rightarrow \ValueCommitOutput{Orchard}$; \vspace{-1ex} - \item $\ValueCommitValueBase{Orchard} \typecolon \GroupPstar$ is the value base in $\ValueCommitAlg{Orchard}$; - \item $\ValueCommitRandBase{Orchard} \typecolon \GroupPstar$ is the randomness base in $\ValueCommitAlg{Orchard}$. + \item $\ValueCommitValueBase{Orchard} \typecolon \GroupPstar$, the value base in $\ValueCommitAlg{Orchard}$; + \item $\ValueCommitRandBase{Orchard} \typecolon \GroupPstar$, the randomness base in $\ValueCommitAlg{Orchard}$. \end{formulae} $\BindingSig{Orchard}$, $\combplus$, and $\grpplus$ are instantiated in \crossref{concretebindingsig}. -These and the derived notation $\combminus$, $\scombsum{i=1}{\rmN}$, $\grpminus$, and -$\sgrpsum{i=1}{\rmN}$ are specified in \crossref{abstractsigmono}. + +\crossref{abstractsigmono} specifies these operations and the derived notation $\combminus$, $\scombsum{i=1}{\rmN}$, +$\grpminus$, and $\sgrpsum{i=1\vphantom{p}}{\rmN}$, which in this section are to be interpreted as +operating on the \pallasCurve and its scalar field. \vspace{1.5ex} \introlist 
@@ -6121,7 +6244,6 @@ The signer knows $\ValueCommitRandNet{\alln}$, and so can calculate the correspo \item $\BindingPrivate{Orchard} := \vgrpsum{i=1}{n} \ValueCommitRandNet{i}$. \end{formulae} -\introlist \vspace{-1ex} In order to check for implementation faults, the signer \SHOULD also check that \begin{formulae} @@ -6129,6 +6251,7 @@ In order to check for implementation faults, the signer \SHOULD also check that \end{formulae} \vspace{0.5ex} +\introlist A \transaction containing \actionDescriptions is necessarily a version 5 \transaction. Let $\SigHash$ be the \sighashTxHash for a version 5 \transaction as defined in \cite{ZIP-244} as modified by \cite{ZIP-225}, not associated with an input, using the \sighashType $\SIGHASHALL$. @@ -6186,9 +6309,11 @@ $\vSum = 0$, we will also demonstrate that it does not overflow $\ValueCommitTyp The $\actionStatements$ prove that all of $\vNet{\alln}$ are in $\SignedValueType$. Similarly, $\vBalance{Orchard}$ is encoded in the \transaction as a signed two's complement $64$-bit integer in the range $\SignedValueType$. Therefore, $\vSum$ is in the range $\range{-n \mult 2^{63}}{n \mult (2^{63}-1)}$. -The maximum \transaction size of $2$ MB limits $n$ to at most \todo{$\floor{\frac{2000000}{884}} = 2262$, -ensuring $\vSum \in \range{-20863267547365502877696}{20863267547365502875434}$ which is a subrange of -$\ValueCommitTypeOrchard$}. \todo{check after finalizing v5 tx format} +$n$ and $m$ are limited by consensus rule to at most $2^{16}-1$ (this rule is technically redundant due +to the $2$ MB \transaction size limit, but it suffices here). + +This ensures that $\vSum \in \range{-604453686435277732577280}{604453686435277732511745}$, +a subrange of $\ValueCommitTypeOrchard$. Thus checking the \orchardBindingSignature ensures that the \actionTransfers in the \transaction balance, without their individual net values being revealed. 
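Review bot: in @@ -6186 the sentence `$n$ and $m$ are limited by consensus rule to at most $2^{16}-1$` refers to an $m$ that does not exist in the Orchard balance argument; the surrounding range $\range{-n \mult 2^{63}}{n \mult (2^{63}-1)}$ is in $n$ alone, so drop `and $m$` (or say the limit is on the number of \actionDescriptions). Please also name the rule being relied on (a \crossref, or a \cite{ZIP-225} reference as in the \SigHash paragraph of the same hunk set) rather than the bare `by consensus rule`; the parenthetical that it is redundant with the 2 MB limit is fine. The arithmetic is right: $65535 \mult 2^{63} = 604453686435277732577280$ and $65535 \mult (2^{63}-1) = 604453686435277732511745$.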
@@ -6239,25 +6364,24 @@ using the \sighashType $\SIGHASHALL$. Let $\AuthSignPrivate$ be the \defining{\spendAuthPrivateKey} as defined in \crossref{saplingkeycomponents}. -\nufive{Let $\SpendAuthSig{}$ be $\SpendAuthSig{Sapling}$ or $\SpendAuthSig{Orchard}$ as applicable.} +Let $\SpendAuthSig{}$ be $\SpendAuthSig{Sapling}$\nufive{ or $\SpendAuthSig{Orchard}$ as applicable}. \introsection \vspace{2ex} For each \spendDescription, the signer chooses a fresh \defining{\spendAuthRandomizer} $\AuthSignRandomizer$: \begin{enumerate} - \item Choose $\AuthSignRandomizer \leftarrowR \SpendAuthSigGenRandom()$. - \item Let $\AuthSignRandomizedPrivate = \SpendAuthSigRandomizePrivate(\AuthSignRandomizer, \AuthSignPrivate)$. - \item Let $\AuthSignRandomizedPublic = \SpendAuthSigDerivePublic(\AuthSignRandomizedPrivate)$. + \item Choose $\AuthSignRandomizer \leftarrowR \SpendAuthSigGenRandom{}()$. + \item Let $\AuthSignRandomizedPrivate = \SpendAuthSigRandomizePrivate{}(\AuthSignRandomizer, \AuthSignPrivate)$. + \item Let $\AuthSignRandomizedPublic = \SpendAuthSigDerivePublic{}(\AuthSignRandomizedPrivate)$. \item Generate a proof $\Proof{}$ of the \spendStatement (\crossref{spendstatement})\nufive{ or \actionStatement (\crossref{actionstatement})}, with $\AuthSignRandomizer$ in the \auxiliaryInput and $\AuthSignRandomizedPublic$ in the \primaryInput. \item Let $\spendAuthSig = \SpendAuthSigSign{}{\AuthSignRandomizedPrivate}(\SigHash)$. \end{enumerate} -\introlist -The resulting $\spendAuthSig$ and $\Proof{}$ are included in the \spendDescription\nufive{ or -\actionDescription}. +The resulting $\spendAuthSig$ and $\Proof{}$ are included in the \spendDescription\nufive{, or +in the \vSpendAuthSigs{Sapling} or \vSpendAuthSigs{Orchard} field of a version 5 \transaction}. \vspace{1ex} \pnote{ 
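Review bot: @@ -6239 extends the signing steps to the \actionStatement and to the $\vSpendAuthSigs{Orchard}$ field, but the unchanged lead-in `For each \spendDescription, the signer chooses a fresh \defining{\spendAuthRandomizer}` still covers only \spendDescriptions; make it `For each \spendDescription\nufive{ or \actionDescription}`, matching the conditional the hunk already uses for $\SpendAuthSig{}$. The closing sentence also lumps $\Proof{}$ and $\spendAuthSig$ together as going `in the \vSpendAuthSigs{Sapling} or \vSpendAuthSigs{Orchard} field of a version 5 \transaction`, yet those fields by name hold signatures; say separately where the proof is placed in a v5 \transaction.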
@@ -6321,12 +6445,42 @@ $\NoteUniqueRandRepr = \reprJ(\NoteUniqueRand)$. \vspace{2ex} \nufive{ -For an \Orchard \note, the \nullifier is derived as -$\PRFnf{Orchard}{\NullifierKeyRepr}(\NoteUniqueRandRepr)$, where $\NullifierKeyRepr$ -is a representation of the \nullifierDerivingKey associated with the \note and -$\NoteUniqueRandRepr = \reprP(\NoteUniqueRand)$. +The derivation of \nullifiers for \Orchard \notes is a little more complicated. +To avoid repetition, we define a function $\DeriveNullifierAlg \typecolon +\GF{\ParamP{q}} \times \GF{\ParamP{q}} \times \GF{\ParamP{q}} \times \GroupP$ +as follows: + +\begin{formulae} + \item $\DeriveNullifier{\NullifierKey}(\NoteUniqueRand, \NoteNullifierRand, \cm) = + \ExtractP\big(\bigscalarmult{(\PRFnf{Orchard}{\NullifierKey}(\NoteUniqueRand) + + \NoteNullifierRand) \bmod \ParamP{q}}{\NullifierBaseOrchard} + \cm\big)$. +\end{formulae} +\vspace{-0.5ex} +where $\NullifierKey$ is the \nullifierDerivingKey associated with the \note; +$\NoteUniqueRand$ and $\NoteNullifierRand$ are part of the \note; and $\cm$ is +the \noteCommitment. } %nufive +\securityrequirement{ +\sprout{The}\notsprout{For each shielded protocol, the} requirements on \nullifier +derivation are as follows: + +\begin{itemize} + \item The derived \nullifier must be determined completely by the fields of + the \note\sapling{, and possibly its position}, in a way that can be + checked in the corresponding statement that controls spends (i.e.\ the + \changed{\joinSplitStatement}\sapling{, \spendStatement}\nufive{, or + \actionStatement}). + \item Under the assumption that $\NoteUniqueRand$ values are unique, it must + not be possible to generate two \notes with distinct \noteCommitments + but the same \nullifier. (See \crossref{faeriegold} for further discussion.) 
+ \item Given a set of \nullifiers of \emph{a priori} unknown \notes, + they must not be linkable to those \notes with probability greater + than expected by chance, even to an adversary with the corresponding + \incomingViewingKeys (but not \fullViewingKeys), and even if the + adversary may have created the \notes. +\end{itemize} +} %securityrequirement \notsprout{\pagebreak}\sprout{\intropart} \lsubsection{Zk-SNARK Statements}{snarkstatements} @@ -6354,7 +6508,7 @@ A valid instance of a \defining{\joinSplitStatement}, $\ProofJoinSplit$, assures \hparen\cmNew{\allNew} \typecolon \typeexp{\NoteCommitOutput{Sprout}}{\NNew},\vspace{0.6ex}\\ \hparen\changed{\vpubOld \typecolon \ValueType,}\vspace{0.6ex}\\ \hparen\vpubNew \typecolon \ValueType,\\ - \hparen\hSig \typecolon \hSigType,\\ + \hparen\hSig \typecolon \hSigType,\vspace{0.5ex}\\ \hparen\h{\allOld} \typecolon \smash{\typeexp{\PRFOutputSprout}{\NOld}\cparen}$, \end{formulae} \vspace{-1.5ex} @@ -6365,7 +6519,7 @@ the prover knows an \auxiliaryInput: \hparen\NotePosition_{\allOld} \typecolon \typeexp{\NotePositionType{Sprout}}{\NOld},\\ \hparen\nOld{\allOld} \typecolon \typeexp{\NoteType{Sprout}}{\NOld},\\ \hparen\AuthPrivateOld{\allOld} \typecolon \typeexp{\bitseq{\AuthPrivateLength}}{\NOld},\\ - \hparen\nNew{\allNew} \typecolon \typeexp{\NoteType{Sprout}}{\NNew}\changed{,}\vspace{0.8ex}\\ + \hparen\nNew{\allNew} \typecolon \typeexp{\NoteType{Sprout}}{\NNew}\changed{,}\vspace{0.5ex}\\ \hparen\changed{\NoteUniquePreRand \typecolon \bitseq{\NoteUniquePreRandLength},}\vspace{-0.5ex}\\ \hparen\changed{\EnforceMerklePath{\allOld} \typecolon \bitseq{\NOld}}\cparen$, \end{formulae} 
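Review bot: the type signature for $\DeriveNullifierAlg$ in @@ -6321 has no codomain: `$\DeriveNullifierAlg \typecolon \GF{\ParamP{q}} \times \GF{\ParamP{q}} \times \GF{\ParamP{q}} \times \GroupP$` ends without a `\rightarrow`. Since the definition applies $\ExtractP$, the output is an element of $\GF{\ParamP{q}}$ (the \actionStatement later in this patch types $\nfOld{}$ as $\PRFOutputNfOrchard$, so that name fits if it is defined as $\GF{\ParamP{q}}$), and the first $\GF{\ParamP{q}}$ presumably stands for the subscript $\NullifierKey$; say so, because the argument list $(\NoteUniqueRand, \NoteNullifierRand, \cm)$ has only three entries. One sentence noting that the sum is reduced `\bmod \ParamP{q}` and the resulting integer in $\range{0}{\ParamP{q}-1}$ is then used as a scalar on the \pallasCurve (whose scalar field is $\GF{\ParamP{r}}$, a different field) would pre-empt the obvious reader question.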
@@ -6619,6 +6773,8 @@ Let $\SpendAuthSig{Orchard}$ be as defined in \crossref{concretespendauthsig}. \vspace{-0.5ex} Let $\GroupP$, $\GroupPstar$, $\reprP$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}. +Let $\DeriveNullifierAlg$ be as defined in \crossref{commitmentsandnullifiers}. + \intropart \vspace{0.5ex} A valid instance of a \defining{\actionStatement}, $\ProofAction$, assures that given a \primaryInput: @@ -6630,7 +6786,7 @@ A valid instance of a \defining{\actionStatement}, $\ProofAction$, assures that \hparen\nfOld{} \typecolon \PRFOutputNfOrchard,\\ \hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic{Orchard},\\ \hparen\cmX \typecolon \MerkleHash{Orchard},\\ - \hparen\EphemeralPublic \typecolon \GroupPstar,\\ + \hparen\EphemeralPublic \typecolon \KAPublic{Orchard},\\ \hparen\enableSpend \typecolon \bit,\\ \hparen\enableOutput \typecolon \bit\cparen$, \end{formulae} @@ -6649,12 +6805,12 @@ the prover knows an \auxiliaryInput: \hparen\cmOld{} \typecolon \GroupP,\\ \hparen\NoteCommitRandOld{} \typecolon \binaryrange{\ScalarLength{Orchard}},\\ \hparen\AuthSignRandomizer \typecolon \binaryrange{\ScalarLength{Orchard}},\\ - \hparen\AuthSignPublic \typecolon \SpendAuthSigPublic{Orchard},\\ + \hparen\AuthSignPublic \typecolon \GroupPstarx,\\ \hparen\DiversifiedTransmitBaseNew \typecolon \GroupPstar,\\[0.5ex] \hparen\DiversifiedTransmitPublicNewRepr \typecolon \ReprP,\\ \hparen\vNew{} \typecolon \ValueType,\\ \hparen\NoteCommitRandNew{} \typecolon \binaryrange{\ScalarLength{Orchard}},\\ - \hparen\EphemeralPrivate \typecolon \binaryrange{\CompactLengthOrchard},\\ + \hparen\EphemeralPrivate \typecolon \binaryrange{\ScalarLength{Orchard}},\\ \hparen\ValueCommitRand{} \typecolon \binaryrange{\ScalarLength{Orchard}}\cparen$ \end{formulae} \vspace{-1.5ex} 
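Review bot: @@ -6649 retypes the auxiliary input as `$\AuthSignPublic \typecolon \GroupPstarx$`, but $\GroupPstarx$ is not among the names the section imports in its unchanged preamble line `Let $\GroupP$, $\GroupPstar$, $\reprP$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}.`; add it there (or define it) so the type resolves. The same hunk widens `$\EphemeralPrivate \typecolon \binaryrange{\ScalarLength{Orchard}}$` from 254 to 255 bits, so the later note listing values that are not checked to be below $\ParamP{r}$ should name $\EphemeralPrivate$ alongside $\ValueCommitRand{}$, $\NoteCommitRandOld{}$ and $\NoteCommitRandNew{}$.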
@@ -6664,9 +6820,7 @@ such that the following conditions hold: \snarkcondition{Old note commitment integrity}{actionoldnotecommitmentintegrity} $\cmOld{} = \NoteCommit{Orchard}{\NoteCommitRandOld{}}(\reprP\big(\DiversifiedTransmitBaseOld\big), \reprP\big(\DiversifiedTransmitPublicOld), - \vOld{}, - \NoteUniqueRand, - \NoteNullifierRand)$. + \vOld{}, \NoteUniqueRand, \NoteNullifierRand)$. \snarkcondition{Merkle path validity}{actionmerklepathvalidity} Either $\vOld{} = 0$; or $(\TreePath{}, \NotePosition)$ is a valid \merklePath of depth $\MerkleDepth{Orchard}$, @@ -6675,12 +6829,8 @@ as defined in \crossref{merklepath}, from $\cmOld{}$ to the \anchor $\rt{Orchard \snarkcondition{Value commitment integrity}{actionvaluecommitmentintegrity} $\cvNet{} = \ValueCommit{\ValueCommitRandOld{}}(\vOld{} - \vNew{})$. -\snarkcondition{Non-zero point checks}{actionnonzero} -$\DiversifiedTransmitBaseOld$ and $\DiversifiedTransmitBaseNew$ and $\AuthSignPublic$ are not $\ZeroP$. -\todo{express this in the type} - \snarkcondition{Nullifier integrity}{actionnullifierintegrity} -$\nfOld{} = \scalarmult{(\PRFnf{Orchard}{\NullifierKeyRepr}(\NoteUniqueRandRepr) + \uppsi) \bmod \ParamP{q}}{\NullifierBaseOrchard} + \cmOld{}$. +$\nfOld{} = \DeriveNullifier{\NullifierKeyRepr}(\NoteUniqueRand, \NoteNullifierRand, \cmOld{})$. \snarkcondition{Spend authority}{actionspendauthority} $\AuthSignRandomizedPublic = \SpendAuthSigRandomizePublic(\AuthSignRandomizer, \AuthSignPublic)$. 
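Review bot: the nullifier-integrity condition in @@ -6675 reads `$\nfOld{} = \DeriveNullifier{\NullifierKeyRepr}(\NoteUniqueRand, \NoteNullifierRand, \cmOld{})$`, but the definition introduced earlier in this patch subscripts the function with $\NullifierKey$ itself and types it as a $\GF{\ParamP{q}}$ element, so there is no separate representation to take; use one spelling in both places. The unchanged value-commitment condition just above, `$\cvNet{} = \ValueCommit{\ValueCommitRandOld{}}(\vOld{} - \vNew{})$`, uses $\ValueCommitRandOld{}$ while the auxiliary input lists $\ValueCommitRand{}$, and lacks the Orchard instantiation subscript; worth fixing in the same pass. Dropping the explicit `Non-zero point checks` condition is sound only if every affected variable now carries a starred type; $\DiversifiedTransmitBaseNew$ and $\AuthSignPublic$ do in the retyped auxiliary input, so confirm $\DiversifiedTransmitBaseOld$ does too, since that line is not in the diff.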
@@ -6698,9 +6848,7 @@ $\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBas \snarkcondition{New note commitment integrity}{actionnewnotecommitmentintegrity} $\cmX = \ExtractP\big(\NoteCommit{Orchard}{\NoteCommitRandNew{}}(\DiversifiedTransmitBaseNewRepr, \DiversifiedTransmitPublicNewRepr, - \vNew{}) - \NoteUniqueRand, - \NoteNullifierRand)\kern-0.12em\big)$, + \vNew{}, \NoteUniqueRand, \NoteNullifierRand)\kern-0.12em\big)$, where $\DiversifiedTransmitBaseNewRepr = \reprJ\Of{\DiversifiedTransmitBaseNew}$\,. @@ -6727,7 +6875,8 @@ For details of the form and encoding of \actionStatement proofs, see \crossref{h input bit sequence is a canonical encoding (in $\range{0}{\ParamP{r}-1}$) of the integer from the previous \merkleLayer. \item Unlike \Sapling, it \emph{is} checked in the \actionStatement that $\AuthSignRandomizedPublic$ - is not the zero point. + is not the zero point. Similarly, $\DiversifiedTransmitBaseOld$, $\DiversifiedTransmitBaseNew$, + and $\AuthSignPublic$ cannot be the zero point. \item It is \emph{not} checked that $\ValueCommitRand{} < \ParamP{r}$ or that $\NoteCommitRandOld{} < \ParamP{r}$ or that $\NoteCommitRandNew{} < \ParamP{r}$. \item $\SpendAuthSigRandomizePublic(\AuthSignRandomizer, \AuthSignPublic) = \AuthSignPublic + \scalarmult{\AuthSignRandomizer}{\AuthSignBase{Orchard}}$. @@ -7406,7 +7555,7 @@ Define: } %sapling \nufive{ \item $\ScalarLength{Orchard} \typecolon \Nat := 255$ - \item $\CompactLengthOrchard \typecolon \Nat := 254$ + \item $\BaseLength{Orchard} \typecolon \Nat := 255$ } %nufive \item $\Uncommitted{Sprout} \typecolon \bitseq{\MerkleHashLength{Sprout}} := \zeros{\MerkleHashLength{Sprout}}$ \sapling{ @@ -7798,8 +7947,6 @@ Define \GroupPHash\Of{\ascii{z.cash:Orchard-gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier}\kern-0.1em}$ \end{formulae} -\todo{What if $\GroupPHash$ returns $\ZeroP$?} - The following security property and notes apply to both \Sapling and \Orchard. } %nufive 
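Review bot: in @@ -6698 the new-note commitment condition binds the same unsubscripted $\NoteUniqueRand$ and $\NoteNullifierRand$ that the old-note commitment condition in the previous hunk uses, so the statement would force the spent note and the created note to share both values; that contradicts the new security requirement's assumption that $\NoteUniqueRand$ values are unique. The new note needs its own values (e.g. $\NoteUniqueRandNew{}$ and $\NoteNullifierRandNew{}$) in the auxiliary input and in this condition. The unchanged line right after, `where $\DiversifiedTransmitBaseNewRepr = \reprJ\Of{\DiversifiedTransmitBaseNew}$`, uses the \Jubjub representation inside an Orchard statement and should be $\reprP$.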
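Review bot: @@ -7798 deletes `\todo{What if $\GroupPHash$ returns $\ZeroP$?}` without any text answering it; the new $\DiversifiedTransmitBase$ definition in the context lines still calls $\GroupPHash$ and the Action statement notes in this same patch now rely on $\DiversifiedTransmitBaseOld$ and $\DiversifiedTransmitBaseNew$ never being the zero point. Either add a sentence (with a \crossref) saying that $\GroupPHash$ cannot output $\ZeroP$, or keep the \todo.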
@@ -7810,32 +7957,6 @@ The following security property and notes apply to both \Sapling and \Orchard. which could be derived from either of those authorities, such that the three addresses use different \diversifiers, it is not possible to tell which authority the third address was derived from. - -%\introlist -%Consider the following experiment: -%\begin{itemize} -% \item Choose two \incomingViewingKeys -% $\InViewingKey_{1,2} \leftarrowR \InViewingKeyTypeSapling$. -% \item An adversary chooses two (not necessarily distinct) \diversifiers -% $\Diversifier_{1,2} \typecolon \DiversifierType$. -% \item Define $\OracleNewAddress_i(\Diversifier' \typecolon \DiversifierType) := \begin{cases} -% \bot, &\caseif \DiversifyHash{Sapling}(\Diversifier') = \bot \\ -% (\Diversifier', \scalarmult{\InViewingKey_i}{\DiversifyHash{Sapling}(\Diversifier')}), &\caseotherwise -% \end{cases}$. -% \item Define $\OracleDH_i(\EphemeralPrivate \typecolon \GF{\ParamJ{r}}, -% \DiversifiedTransmitBase \typecolon \GroupJ) := \begin{cases} -% \bot, &\caseif \scalarmult{\ParamJ{h}}{\DiversifiedTransmitBase} = \ZeroJ \\ -% \scalarmult{\InViewingKey_i \mult \EphemeralPrivate}{\DiversifiedTransmitBase}, &\caseotherwise -% \end{cases}$. -% \item Choose $j \leftarrowR \setof{1, 2}$. -% \item Give the adversary $\OracleNewAddress_j$ and $\OracleDH_j$. -% \item ... -%\end{itemize} -% -%The adversary wins if it returns $j$ with probability significantly greater than $0.5$ -%(i.e.\ than chance), over choices of .... - -%% the experiment must capture Brian Warner's attack } %securityrequirement \begin{nnotes} 
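Review bot: @@ -7810 removes the commented-out indistinguishability experiment together with the reminder `%% the experiment must capture Brian Warner's attack`; the prose requirement that survives is informal, so leave a \todo (or a citation) recording that the formal experiment is still owed and which attack it must capture, otherwise the obligation vanishes from the source.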
@@ -8195,6 +8316,26 @@ No other security properties commonly associated with \hashFunctions are needed. \end{nnotes} \todo{Security proof} + +\introlist +\theoremlabel{thmshortsinsemillacr} +\begin{theorem}[Collision resistance of generalized $\SinsemillaHash$] + +Consider ... We show that ... +\end{theorem} + +\begin{proof} +... +\end{proof} + +\nnote{ +The above theorem covers the case where additional terms may be added to the +$\SinsemillaHashToPoint$ output before applying $\ExtractP$. This is needed +to show security of the $\SinsemillaShortCommitAlg$ \commitmentScheme defined in +\crossref{concretesinsemillacommit}. It is also needed to show security of the +\nullifier derivation defined in \crossref{commitmentsandnullifiers} against +Faerie Gold attacks, as described in \crossref{faeriegold}. +} %nnote } %nufive @@ -8205,8 +8346,8 @@ No other security properties commonly associated with \hashFunctions are needed. $\Poseidon$ is a cryptographic permutation described in \cite{GKRRS2019}. It operates over a sequence of finite field elements, which we instantiate as $\typeexp{\GF{\ParamP{q}}}{3}$. -The S-box function is $x \mapsto x^5$. The number of outer rounds $R_P$ is $.$, -and the number of inner rounds $R_.$ is $.$. +The S-box function is $x \mapsto x^5$. The number of outer rounds $R_P$ is $58$, +and the number of inner rounds $R_F$ is $8$. We use $\Poseidon$ in a sponge configuration \cite{BDPA2011} (with elementwise addition in $\GF{\ParamP{q}}$ replacing exclusive-or of bit strings\footnote{\nufive{The sponge construction @@ -8221,7 +8362,7 @@ $\PoseidonHash \typecolon \GF{\ParamP{q}} \times \GF{\ParamP{q}} \rightarrow \GF is specified as: \begin{formulae} - \item $\PoseidonHash(x, y) = f([x, y, 0])_1$ (using $1$-based indexing). + \item $\PoseidonHash(x, y) = f([x, y, 2^{65}])_1$ (using $1$-based indexing). \end{formulae} \todo{Specify the MDS matrix and number of rounds.} 
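Review bot: @@ -8195 adds a theorem and proof that are placeholders (`Consider ... We show that ...` and a proof body of `...`) while the following \nnote already relies on it for the security of $\SinsemillaShortCommitAlg$ and of the nullifier derivation against Faerie Gold attacks; wrap the statement and proof in \todo so the build marks them as unfinished, or state the theorem fully before citing it.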
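Review bot: in @@ -8205 the round counts are attached to the wrong names: in \cite{GKRRS2019} $R_F$ denotes the full (outer) rounds and $R_P$ the partial (inner) rounds, so `The number of outer rounds $R_P$ is $58$, and the number of inner rounds $R_F$ is $8$` should say full rounds $R_F = 8$ and partial rounds $R_P = 58$ (and please confirm 58 against the parameter-generation script). The capacity element in `$\PoseidonHash(x, y) = f([x, y, 2^{65}])_1$` is a domain separator and deserves a one-line explanation of where $2^{65}$ comes from. The remaining `\todo{Specify the MDS matrix and number of rounds.}` is now half done; trim it to the MDS matrix.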
@@ -8755,7 +8896,7 @@ It is instantiated as Diffie--Hellman on \Pallas as follows: Let $\GroupP$ be as defined in \crossref{pallasandvesta}. -Define $\KAPublic{Orchard} := \GroupPstar$. +Define $\KAPublic{Orchard} := \GroupP$. Define $\KASharedSecret{Orchard} := \GroupP$. @@ -9304,7 +9445,7 @@ instantiated as follows using $\WindowedPedersenCommitAlg$: \end{pnotes} \introlist -\theoremlabel{thmnocommittouncommittedsapling} +\theoremlabel{thmuncommittedsapling} \begin{theorem}[$\Uncommitted{Sapling}$ is not in the range of $\,\NoteCommitAlg{Sapling}$]\end{theorem} \begin{proof} @@ -9416,6 +9557,8 @@ which is equivalent to: \introsection \extralabel{concreteorchardnotecommit}{\lsubsubsubsection{Sinsemilla commitments}{concretesinsemillacommit}} +Let $\BaseLength{Orchard}$ be as defined in \crossref{constants}. + Let $\ExtractP$ be as defined in \crossref{concreteextractorpallas}. \crossref{concretesinsemillahash} defines a \xSinsemillaHash construction. 
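Review bot: @@ -8755 changes `\KAPublic{Orchard} := \GroupPstar` to `\GroupP`, which admits the zero point as an ephemeral public key; combined with the retyping of $\EphemeralPublic$ in the \actionStatement to $\KAPublic{Orchard}$ in this same patch, nothing in the diff now rejects a zero $\EphemeralPublic$, and Diffie-Hellman agreement with the zero point yields the zero point whatever the private key. If the non-zero check is intentionally moved elsewhere (e.g. into note decryption), cite where; otherwise keep the starred type.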
@@ -9426,18 +9569,24 @@ and adding a randomized point on the \pallasCurve (see \crossref{pallasandvesta} \item $\SinsemillaCommit{r}(D, M) := \SinsemillaHashToPoint(D \bconcat \ascii{-M}, M) + \scalarmult{r}{\GroupPHash\Of{D \bconcat \ascii{-r}, \ascii{}}}$ \item $\SinsemillaShortCommit{r}(D, M) := - \ExtractP\Of{\SinsemillaCommit{r}(D, M)}$ + \ExtractP\big(\SinsemillaCommit{r}(D, M)\kern-0.1em\big)$. \end{formulae} -See \todo{...} for rationale and efficient circuit implementation of this function. +See \cite[Section TODO]{Zcash-Orchard} for rationale and efficient circuit implementation of this function. The commitment scheme $\NoteCommitAlg{Orchard}$ specified in \crossref{abstractcommit} is instantiated as follows using $\SinsemillaCommitAlg$: \begin{formulae} - \item $\NoteCommit{Orchard}{\NoteCommitRand}(\DiversifiedTransmitBaseRepr, \DiversifiedTransmitPublicRepr, \Value) := - \SinsemillaCommit{\NoteCommitRand}\!\big(\ascii{z.cash:Orchard-NoteCommit}, - \DiversifiedTransmitBaseRepr \bconcat \DiversifiedTransmitPublicRepr \bconcat \ItoLEBSP{64}(\Value)\kern-0.15em\big)$ + \item $\NoteCommit{Orchard}{\NoteCommitRand}(\DiversifiedTransmitBaseRepr, \DiversifiedTransmitPublicRepr, \Value, + \NoteUniqueRand, \NoteNullifierRand) :=$ + \item \tab $\SinsemillaCommit{\NoteCommitRand}\!\big(\ascii{z.cash:Orchard-NoteCommit},$ + \vspace{-1ex} + \item \hspace{10.55em} $\DiversifiedTransmitBaseRepr \bconcat + \DiversifiedTransmitPublicRepr \bconcat + \ItoLEBSPOf{64}{\Value} \bconcat + \ItoLEBSPOf{\BaseLength{Orchard}}{\NoteUniqueRand} \bconcat + \ItoLEBSPOf{\BaseLength{Orchard}}{\NoteNullifierRand}\kern-0.25em\big)$ \item $\NoteCommitGenTrapdoor{Orchard}()$ generates the uniform distribution on $\GF{\ParamP{r}}$. \end{formulae} 
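Review bot: `See \cite[Section TODO]{Zcash-Orchard} for rationale and efficient circuit implementation of this function.` in @@ -9426 trades a \todo for a citation with a placeholder section number, which a build will not flag; keep it as \todo until the section exists. Since $\NoteCommitAlg{Orchard}$ now takes five arguments, the pnote in the next hunk saying the arguments are in the same order as their encodings remains true, but it would help to state that $\NoteUniqueRand$ and $\NoteNullifierRand$ are encoded as canonical $\BaseLength{Orchard}$-bit integers below $\ParamP{q}$, which is what makes the commitment injective in those inputs.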
@@ -9446,8 +9595,10 @@ instantiated as follows using $\SinsemillaCommitAlg$: \begin{formulae} \item $\CommitIvk{\CommitIvkRand}(\AuthSignPublic, \NullifierKey) := - \SinsemillaShortCommit{\CommitIvkRand}\left(\ascii{z.cash:Orchard-CommitIvk}, - \ItoLEBSP{\ScalarLength{Orchard}}(\AuthSignPublicRepr) \bconcat \ItoLEBSP{\ScalarLength{Orchard}}\NullifierKeyRepr\right) \pmod{\ParamP{r}}$ + \SinsemillaShortCommit{\CommitIvkRand}\big(\ascii{z.cash:Orchard-CommitIvk},$ + \vspace{-1ex} + \item \hspace{20.5em} $\ItoLEBSP{\BaseLength{Orchard}}(\AuthSignPublic) \bconcat + \ItoLEBSP{\BaseLength{Orchard}}(\NullifierKey)\kern-0.1em\big) \pmod{\ParamP{r}}$ \item $\CommitIvkGenTrapdoor()$ generates the uniform distribution on $\GF{\ParamP{r}}$. \end{formulae} @@ -9463,13 +9614,13 @@ instantiated as follows using $\SinsemillaCommitAlg$: \begin{pnotes} \item $\MerkleCRH{Orchard}$ is also defined in terms of $\SinsemillaHashToPoint$ - (see \crossref{merklecrh}). \todo{discuss layer prefix, if needed} + (see \crossref{merklecrh}). \item The arguments to $\NoteCommitAlg{Orchard}$ are the same order as their encodings in the input to $\SinsemillaCommit{}$; this is different to $\NoteCommitAlg{Sapling}$. \end{pnotes} \introlist -\theoremlabel{thmnocommittouncommittedorchard} +\theoremlabel{thmuncommittedorchard} \begin{theorem}[$\Uncommitted{Orchard}$ is not in the range of $\,\NoteCommitAlg{Orchard}$]\end{theorem} \begin{proof} 
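Review bot: @@ -9446 applies an integer-to-bits encoding to the key directly, `\ItoLEBSP{\BaseLength{Orchard}}(\AuthSignPublic)`, but the \actionStatement auxiliary input in this same patch types $\AuthSignPublic$ as a point in $\GroupPstarx$; encode its representation (the previous text used $\AuthSignPublicRepr$, or apply $\ExtractP$) rather than the point. The same line keeps `\pmod{\ParamP{r}}` on a $\SinsemillaShortCommitAlg$ output that lives in $\GF{\ParamP{q}}$; a short remark that the reduction is what moves $\InViewingKey$ into the scalar field would make the intent clear.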
@@ -9479,8 +9630,9 @@ $\ExtractP$, $\SinsemillaShortCommitAlg$, and $\NoteCommitAlg{Orchard}$, $\ItoLEBSPOf{\MerkleHashLength{Orchard}}{2}$ can be in the range of $\NoteCommitAlg{Orchard}$ only if there exist $\NoteCommitRand \typecolon \NoteCommitTrapdoor{Orchard}$, $D \typecolon \byteseqs$, and $M \typecolon \bitseq{\smash{\PosInt}}$ such that -$\ExtractP\Of{\SinsemillaCommit{\NoteCommitRand}(D, M)} = 2$. $\ExtractP\Of{\SinsemillaHashToPoint(D, M)}$ -can only be $0$ or the \affineSW $x$-coordinate of a point in $\GroupP$. +$\ExtractP\big(\SinsemillaCommit{\NoteCommitRand}(D, M)\kern-0.1em\big) = 2$. +$\ExtractP\big(\SinsemillaHashToPoint(D, M)\kern-0.1em\big)$ can only be $0$ or the +\affineSW $x$-coordinate of a point in $\GroupP$. But $0 \neq 2 \pmod{\ParamP{q}}$, and there are no points in $\GroupP$ with \affineSW $x$-coordinate $2 \pmod{\ParamP{q}}$, since $2^3 + \ParamP{b} = 13$ is not square in $\GF{\ParamP{q}}$. @@ -11354,7 +11506,7 @@ The \Zcash{} \defining{\transaction} format up to and including \transactionVers \begin{tabularx}{\sprout{1.08}\notsprout{1.21}\textwidth}{|c|c|l|p{10em}|L|} \hline \!\!Version$\footnotestar$\!\!\! & \heading{Bytes} & \heading{Name} & \heading{Data Type} & \heading{Description} \\ -\hhline{|=|=|=|=|=|} +\hhline{|=====|} $\barerange{1}{4}$ & $4$ & $\headerField$ & \type{uint32} & Contains: \begin{compactitemize} \item $\fOverwintered$ flag (bit $31$) 
@@ -11458,15 +11610,15 @@ $\bindingSig{} \rightarrow \bindingSig{Sapling}$. \introlist The \Zcash{} \defining{\transaction} format for \transactionVersion 5 is as follows (this should be read in the context of consensus rules later in the section): -\vspace{-2.5ex} +\vspace{-1.6ex} \begin{center} \scalebox{0.7}{ \notsprout{\renewcommand{\arraystretch}{1.28}} \hbadness=10000 -\begin{tabularx}{1.41\textwidth}{|c|c|l|p{11.1em}|L|} +\begin{tabularx}{1.4\textwidth}{|c|c|l|p{11.1em}|L|} \hline \!\!Note\!\! & \heading{Bytes} & \heading{Name} & \heading{Data Type} & \heading{Description} \\ -\hhline{|=|=|=|=|=|} +\hhline{|=====|} & $4$ & $\headerField$ & \type{uint32} & Contains: \begin{compactitemize} \item $\fOverwintered$ flag (bit $31$, always set) @@ -11481,7 +11633,7 @@ The \Zcash{} \defining{\transaction} format for \transactionVersion 5 is as foll & $4$ & $\nExpiryHeight$ & \type{uint32} & A \blockHeight in the range $\range{1}{499999999}$ after which the \transaction will expire, or $0$ to disable expiry. \smash{\cite{ZIP-203}} \\ -\hhline{|=|=|=|=|=|} +\hhline{|=====|} & \Varies & $\txInCount$ & \type{compactSize} & Number of \transparent inputs. \\ \hline @@ -11490,7 +11642,7 @@ A \blockHeight in the range $\range{1}{499999999}$ after which the \transaction & \Varies & $\txOutCount$ & \type{compactSize} & Number of \transparent outputs. \\ \hline & \Varies & $\txOut$ & $\txOut$ & \xTransparent outputs, encoded as in \Bitcoin. \\ -\hhline{|=|=|=|=|=|} +\hhline{|=====|} $\footnotestar$ & \Varies & $\nJoinSplit$ & \type{compactSize} & The number of \joinSplitDescriptions in $\vJoinSplit$. \\ \hline 
@@ -11504,7 +11656,7 @@ An encoding of a $\JoinSplitSig$ public \validatingKey. \\ \hline $\footnotestar\;\dagger$ & $64$ & $\joinSplitSig$ & \type{byte[64]} & A signature on a prefix of the \transaction encoding, validated using $\joinSplitPubKey$ as specified in \crossref{sproutnonmalleability}. \\ -\hhline{|=|=|=|=|=|} +\hhline{|=====|} & \Varies & $\nSpendsSapling$ & \type{compactSize} & The number of \spendDescriptions in $\vSpendsSapling$. \\ \hline @@ -11527,15 +11679,15 @@ A \merkleRoot of the \Sapling \noteCommitmentTree at some \blockHeight in the pa $\ddagger$ & \Longunderstack{$192 \mult$ \\$\!\nSpendsSapling\!$} & $\vSpendProofsSapling$ & \type{byte[192]} \type{[$\nSpendsSapling$]} & Encodings of the \zkSNARKProofs for each \Sapling \spendDescription. \\ \hline -$\ddagger$ & \Longunderstack{$64 \mult$ \\$\!\nSpendsSapling\!$} & $\vSpendAuthSigsSapling$ & \type{byte[64]} \type{[$\nSpendsSapling$]} & +$\ddagger$ & \Longunderstack{$64 \mult$ \\$\!\nSpendsSapling\!$} & $\vSpendAuthSigs{Sapling}$ & \type{byte[64]} \type{[$\nSpendsSapling$]} & Authorizing signatures for each \Sapling \outputDescription. \\ \hline $\ddagger$ & \Longunderstack{$192 \mult$ \\$\!\nOutputsSapling\!$} & $\vOutputProofsSapling$ & \type{byte[192]} \type{[$\nOutputsSapling$]} & Encodings of the \zkSNARKProofs for each \Sapling \outputDescription. \\ \hline $\ddagger$ & $64$ & $\bindingSig{Sapling}$ & \type{byte[64]} & -A \saplingBindingSignature on the \sighashTxHash, validated as specified in \crossref{concretebindingsig}. \\ -\hhline{|=|=|=|=|=|} +A \saplingBindingSignature on the \sighashTxHash, validated per \crossref{concretebindingsig}.\! \\ +\hhline{|=====|} & \Varies &\setnufive $\nActionsOrchard\!$ & \type{compactSize} & The number of \actionDescriptions in $\vActionsOrchard$. \\ \hline 
@@ -11557,37 +11709,43 @@ $\mathsection$ & $32$ & $\anchorField{Orchard}$ & \type{byte[32]} & A \merkleRoot of the \Orchard \noteCommitmentTree at some \blockHeight in the past, $\LEBStoOSP{256}\big(\rt{Orchard}\big)$. \\ \hline $\mathsection$ & \Varies & $\sizeProofsOrchard$ & \type{compactSize} & -The length of the aggregated \zkSNARKProof $\ProofAction$. \\ \hline +The length of the aggregated \zkSNARKProof $\ProofAction$.\! \\ \hline $\mathsection$ & \!$\sizeProofsOrchard$\! & $\proofsOrchard$ & \type{byte[$\sizeProofsOrchard$]}\!\! & The aggregated \zkSNARKProof $\ProofAction$ (see \crossref{halo2}). \\ \hline +$\mathsection$ & \Longunderstack{$64 \mult$ \\$\!\nActionsOrchard\!$} & $\vSpendAuthSigs{Orchard}$ & \type{byte[64]} \type{[$\nActionsOrchard$]} & +Authorizing signatures for each spend of an \Orchard \actionDescription. \\ \hline + $\mathsection$ & $64$ & $\bindingSig{Orchard}$ & \type{byte[64]} & -An \orchardBindingSignature on the \sighashTxHash, validated as specified in \crossref{concretebindingsig}.\! \\ \hline +An \orchardBindingSignature on the \sighashTxHash, validated per \crossref{concretebindingsig}.\! \\ \hline \end{tabularx} \renewcommand{\arraystretch}{\defaultarraystretch} } %scalebox -\vspace{1ex} -\scalebox{0.9}{ -\begin{tabularx}{1.106\textwidth}{@{\!\!}l@{\hskip 1em}X@{}} -$\footnotestar$ & It is not yet decided whether these fields will be included. \\ +\vspace{-0.3ex} +\scalebox{0.85}{ +\begin{tabularx}{1.17\textwidth}{@{\!\!}l@{\hskip 1em}X@{}} +$\footnotestar$ & It is not yet decided whether these fields will be included. \\[-0.5ex] -$\dagger$ & The \joinSplitPubKey{} and \joinSplitSig{} fields are present if and only if -$\nJoinSplit > 0$. \\ +$\dagger$ & The fields \joinSplitPubKey{} and \joinSplitSig{} are present if and only if +$\nJoinSplit > 0$. 
\\[-0.5ex] -$\ddagger$ & The \valueBalance{Sapling}, \anchorField{Sapling}, \vSpendProofsSapling, \vSpendAuthSigsSapling, -\vOutputProofsSapling, and \bindingSig{Sapling} fields are present if and only if $\nSpendsSapling + \nOutputsSapling > 0$. -If \valueBalance{Sapling} is not present, then $\vBalance{Sapling}$ is defined to be $0$. \\ +$\ddagger$ & The fields \valueBalance{Sapling}, \anchorField{Sapling}, \vSpendProofsSapling, +\vSpendAuthSigs{Sapling}, \vOutputProofsSapling, and \bindingSig{Sapling} are present if and +only if $\nSpendsSapling + \nOutputsSapling > 0$. If \valueBalance{Sapling} is not present, +then $\vBalance{Sapling}$ is defined to be $0$. \\[-0.5ex] -$\mathsection$ & The \flagsOrchard, \valueBalance{Orchard}, \anchorField{Orchard}, \sizeProofsOrchard, -\proofsOrchard, and \bindingSig{Orchard} fields are present if and only if $\nActionsOrchard > 0$. -If \valueBalance{Orchard} is not present, then $\vBalance{Orchard}$ is defined to be $0$. +$\mathsection$ & The fields \flagsOrchard, \valueBalance{Orchard}, \anchorField{Orchard}, +\sizeProofsOrchard, \proofsOrchard, \vSpendAuthSigs{Orchard}, and \bindingSig{Orchard} +are present if and only if $\nActionsOrchard > 0$. If \valueBalance{Orchard} is not present, +then $\vBalance{Orchard}$ is defined to be $0$. \end{tabularx} } %scalebox \end{center} -\scalebox{0.9}{ +\vspace{-1ex} +\scalebox{0.85}{ \!\!\!Note that several fields are reordered and/or renamed relative to prior \transaction versions. } %scalebox } %nufive 
@@ -11606,6 +11764,8 @@ If \valueBalance{Orchard} is not present, then $\vBalance{Orchard}$ is defined t If the \transactionVersionNumber{} is $5$ then the \versionGroupID \MUST be $\hexint{26A7270A}$.} \presaplingitem{The encoded size of the \transaction \MUST be less than or equal to $100000$ bytes.} + \nufiveonwarditem{\nSpendsSapling, \nOutputsSapling, and \nActionsOrchard{} \MUST all be less + than $2^16$.} \presaplingitem{If $\effectiveVersion = 1$ or $\nJoinSplit = 0$, then both \txInCount{} and \txOutCount{} \MUST be nonzero.\!} \saplingonwarditem{At least one of \txInCount, \nSpendsSapling, and \nJoinSplit{} \MUST be nonzero.} \saplingonwarditem{At least one of \txOutCount, \nOutputsSapling, and \nJoinSplit{} \MUST be nonzero.} @@ -11753,6 +11913,10 @@ each \spendDescription (\crossref{spendencodingandconsensus}),\notnufive{ and} e \nufiveonwarditem{As a consequence of the \enableSpendsOrchard flag being set to $0$ (which has the effect of disabling non-zero-valued \Orchard spends), the $\valueBalance{Orchard}$ field of a \coinbaseTransaction must have a negative or zero value.} + \nufiveonwarditem{The rule that \nSpendsSapling, \nOutputsSapling, and \nActionsOrchard{} \MUST all + be less than $2^16$, is technically redundant because a \transaction that could violate this + rule would not fit within the $2$ MB \block size limit. It is included in order to simplify + the security argument for balance preservation.} \end{pnotes} \introlist 
@@ -11901,7 +12065,7 @@ $64\nufive{\;\dagger}$ & $\spendAuthSig$ & \type{byte[64]} & A signature authori if the \transactionVersion is $4$. For version 5 \transactions, all \spendDescriptions share the same \anchor, which is encoded once as the $\anchorField{Sapling}$ field of the \transaction as described in \crossref{txnencodingandconsensus}. The $\zkproof$ and $\spendAuthSig$ fields of a \spendDescription have been -moved into the $\vSpendProofsSapling$ and $\vSpendAuthSigsSapling$ fields respectively of version 5 \transactions.} +moved into the $\vSpendProofsSapling$ and $\vSpendAuthSigs{Sapling}$ fields respectively of version 5 \transactions.} \vspace{-2ex} \consensusrule{$\LEOStoIPOf{256}{\anchorField{Sapling}}$\nufive{, if present,} \MUST be less than $\ParamJ{q}$.} @@ -12983,7 +13147,7 @@ Instead, \Zcash enforces that an adversary must choose distinct values for each $\NoteUniqueRand$, by making use of the fact that all of the \nullifiers in \joinSplitDescriptions that appear in a \validBlockChain must be distinct. This is true regardless of whether the \nullifiers -corresponded to real or \dummy \notes (see \crossref{sproutdummynotes}). +corresponded to real or \dummyNotes (see \crossref{sproutdummynotes}). The \nullifiers are used as input to $\hSigCRH$ to derive a public value $\hSig$ which uniquely identifies the transaction, as described in \crossref{joinsplitdesc}. ($\hSig$ was already used in \Zerocash @@ -12992,7 +13156,7 @@ indistinguishability of \joinSplitDescriptions; adding the \nullifiers to the input of the hash used to calculate it has the effect of making this uniqueness property robust even if the \transaction creator is an adversary.) -} +} %sproutspecific \sproutspecific{ The $\NoteUniqueRand$ value for each output \note is then derived from 
@@ -13000,7 +13164,7 @@ a random private seed $\NoteUniquePreRand$ and $\hSig$ using $\PRFrho{\NoteUniquePreRand}$. The correct construction of $\NoteUniqueRand$ for each output \note is enforced by \crossref{sproutuniquerho} in the \joinSplitStatement. -} +} %sproutspecific \sproutspecific{ Now even if the creator of a \joinSplitDescription does not choose @@ -13009,17 +13173,16 @@ $\NoteUniquePreRand$ randomly, uniqueness of \nullifiers and that the derived $\NoteUniqueRand$ values are unique, at least for any two \joinSplitDescriptions that get into a \validBlockChain. This is sufficient to prevent the Faerie Gold attack. -} +} %sproutspecific A variation on the attack attempts to cause the \nullifier of a sent \note to be repeated, without repeating $\NoteUniqueRand$. However, since the \nullifier is computed as $\PRFnf{Sprout}{\AuthPrivate}(\NoteUniqueRand)$\sapling{ or -$\PRFnf{Sapling}{\NullifierKey}(\NoteUniqueRandRepr)$}\nufive{ or -\todo{... $\PRFnf{Orchard}{\NullifierKey}(\NoteUniqueRandRepr)$ ...}}, -this is only possible if the adversary finds a collision across both -inputs on $\PRFnf{Sprout}{}$\sapling{ or $\PRFnf{Sapling}{}$}\nufive{ or -$\PRFnf{Orchard}{}$}, which is assumed to be infeasible --- see +$\PRFnf{Sapling}{\NullifierKey}(\NoteUniqueRandRepr)$}\nufive{ (for +\Orchard, see below)}; this is only possible if the adversary finds a +collision across both inputs on $\PRFnf{Sprout}{}$\sapling{ or +$\PRFnf{Sapling}{}$}, which is assumed to be infeasible --- see \crossref{abstractprfs}. \sproutspecific{ @@ -13029,7 +13192,7 @@ $\EnforceMerklePath{i}$ flag is set for an input \note then an adversary could perform the attack by creating a zero-valued \note with a repeated \nullifier, since the \nullifier would not depend on the value. -} +} %sproutspecific \sproutspecific{ \xNullifier{} integrity also prevents a ``roadblock attack'' in which the 
@@ -13044,7 +13207,7 @@ they are enforced to be dependent on \spendingKeys controlled by the original \transaction creator (whether or not each input \note is a \dummy), and so a roadblock attack cannot be performed by another party who does not know these keys. -} +} %sproutspecific \saplingonward{ In \Sapling, uniqueness of $\NoteUniqueRand$ is ensured by making it 
@@ -13060,8 +13223,39 @@ different $\NoteUniqueRand$ values and \nullifiers, but different \notePositions) to have the same \noteCommitment, but this causes no security problem. Roadblock attacks are not possible because a given \notePosition does not repeat for outputs of different \transactions in the same \blockChain. -} +Note that this depends on the fact that the value is bound by the \noteCommitment: +it could be the case that the adversary uses a \dummyNote that is not +required to have a \noteCommitment in the \noteCommitmentTree when it is spent. +If this happens and the victim's \note is not a \dummy, the \noteCommitments +will differ and so will the \nullifiers. If both \notes are dummies, the +adversary cannot know the inputs to the \noteCommitment since they are +generated at random for the victim's spend, regardless of the adversary's +potential knowledge of viewing keys. +} %saplingonward +\nufiveonward{ +In \Orchard, the \nullifier is computed as +$\DeriveNullifier{\NullifierKey}(\NoteUniqueRand, \NoteNullifierRand, \cm)$ +as described in \crossref{commitmentsandnullifiers}. This construction +combines elliptic curve cryptography and the $\Poseidon$-based $\PRFnf{Orchard}{}$ +in a way that, for privacy properties, aims to provide defence in depth +against potential weaknesses in either. Resistance to Faerie Gold attacks, on +the other hand, depends entirely on hardness of the Discrete Logarithm Problem. +The $\NoteUniqueRand$ value of a \note created in a given \actionTransfer is obtained +from the \nullifier of the \note spent in that \actionTransfer; this ensures +(without any cryptographic assumption) that all $\NoteUniqueRand$ values of +\notes added to the \noteCommitmentTree are unique. Then, the \nullifier +derivation can be considered as computing a modified Pedersen commitment on +input that includes $\NoteUniqueRand$, so that the binding property of that +\commitmentScheme ensures that \Orchard \nullifiers will be unique. 
(Specifically, +this is a Sinsemilla commitment with an additional term having base $\NullifierBaseOrchard$, +truncated to its $x$-coordinate. The $x$-coordinate truncation cannot harm +\collisionResistance because, assuming hardness of the Discrete Logarithm +Problem on the \pallasCurve, the security proof in \theoremref{thmshortsinsemillacr} +covers the case where the additional term is added.) Roadblock attacks are +not possible because $\NoteUniqueRand$ does not repeat for \notes in the +\noteCommitmentTree, and by a corresponding argument to \Sapling for \dummyNotes. +} %nufiveonward \lsubsection{Internal hash collision attack and fix}{internalh} @@ -13486,7 +13680,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. (It is also not true of $\abstBytesEdSpecific$, but \EdSpecific is not strictly defined as a \representedGroup in this specification.)} \sapling{ - \item Correct \theoremref{thmnocommittouncommittedsapling}, which was proving the wrong thing. + \item Correct \theoremref{thmuncommittedsapling}, which was proving the wrong thing. It needs to prove that $\NoteCommitAlg{Sapling}$ does not return $\Uncommitted{Sapling}$, but was previously proving that $\PedersenHash$ does not return that value. \item The note about non-canonical encodings in \crossref{jubjub} gave incorrect values
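Review bot: "\cite[Section TODO]{Zcash-Orchard}" in the hunk at 9569 replaces the "\todo{...}" marker with a placeholder section number that will silently survive into a build; keep a "\todo" until the section of the Orchard book is known, so the build log flags it. In the same hunk, "\NoteCommit{Orchard}" now appends "\ItoLEBSPOf{\BaseLength{Orchard}}{\NoteUniqueRand}" and "\ItoLEBSPOf{\BaseLength{Orchard}}{\NoteNullifierRand}" to the commitment input, which lengthens the Sinsemilla message for this domain by two base-field encodings; wherever the spec states the message length or padding for the "z.cash:Orchard-NoteCommit" domain, that bound should be updated to match.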
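Review bot: the hunk at 9595 changes the CommitIvk input from "\ItoLEBSP{\ScalarLength{Orchard}}(\AuthSignPublicRepr)" to "\ItoLEBSP{\BaseLength{Orchard}}(\AuthSignPublic)", and likewise for "\NullifierKey". I2LEBSP takes an integer, so this only type-checks if \AuthSignPublic and \NullifierKey are defined in the Orchard key-component section as base-field elements (for example the extracted x-coordinate of the point) rather than as points or byte encodings, which is what the dropped "Repr" suffix and "\ScalarLength" previously suggested. Please confirm the definitions agree, since the removed version also lacked parentheses around \NullifierKeyRepr and this rewrite is the first place the types are pinned down.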
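Review bot: the label rename in the hunk at 9614 ("\theoremlabel{thmnocommittouncommittedorchard}" to "\theoremlabel{thmuncommittedorchard}") needs every "\theoremref" to the old name updated in the same commit, or the build will produce an undefined reference. The changelog hunk at 13680 performs the corresponding rename for the Sapling theorem reference; the Sapling "\theoremlabel" itself is outside the shown hunks, so grep for both old label names before merging.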
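Review bot: the unchanged context line "Authorizing signatures for each \Sapling \outputDescription." under the renamed "\vSpendAuthSigs{Sapling}" row in the hunk at 11679 is wrong: spend authorizing signatures belong to spend descriptions, and the "\vSpendProofsSapling" row just above correctly says "\spendDescription". Since the row is already being touched by the rename, change "\outputDescription" to "\spendDescription" here.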
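Review bot: the new "\vSpendAuthSigs{Orchard}" row in the hunk at 11709 is correctly placed between "\proofsOrchard" and "\bindingSig{Orchard}" and the "$\mathsection$" footnote is updated to list it, but the per-action field table should receive the same "moved into" remark that the hunk at 12065 gives Sapling's "$\spendAuthSig$" ("moved into the $\vSpendProofsSapling$ and $\vSpendAuthSigs{Sapling}$ fields respectively of version 5 \transactions"); otherwise a reader of the action description encoding will not find where its signature went.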
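Review bot: "$2^16$" in the new "\nufiveonwarditem" at 11764 renders as 2 with a superscript 1 followed by a 6; it must be "$2^{16}$". Because this is a consensus rule (\MUST), a mis-rendered bound is a correctness problem for implementers reading the PDF, not just a typo.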
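Review bot: the rationale pnote in the hunk at 11913 has the same "$2^16$" error and needs "$2^{16}$"; also drop the comma in "\MUST all be less than $2^16$, is technically redundant", which splits subject from verb. The redundancy claim can be made checkable from the v5 table in this patch: the 64-byte entries of "\vSpendAuthSigs{Sapling}" or "\vSpendAuthSigs{Orchard}" alone reach 2^16 times 64 bytes, above 4 MB, so any transaction violating the rule already exceeds the 2 MB block size limit; citing that arithmetic would let the security argument for balance preservation rely on something the reader can verify.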
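Review bot: in the "\nufiveonward" paragraph of the hunk at 13223, the claim that the x-coordinate truncation is harmless because "the security proof in \theoremref{thmshortsinsemillacr} covers the case where the additional term is added" should be checked against the actual theorem statement; if that theorem has not yet been extended to the extra "\NullifierBaseOrchard" term, this is a dangling claim in a security argument. Two smaller points: the "(without any cryptographic assumption)" uniqueness of $\NoteUniqueRand$ implicitly depends on the consensus rule that \nullifiers in a \validBlockChain are distinct (stated for Sprout in the hunk at 13147) and on each \actionTransfer spending exactly one \note, so say so explicitly; and "by a corresponding argument to \Sapling for \dummyNotes" reads awkwardly, suggest "by an argument corresponding to the one given above for \Sapling \dummyNotes".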