Cosmetics.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent
96cfbe9232
commit
7cde004f83
|
@ -1149,9 +1149,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\Curve}{E}
|
\newcommand{\Curve}{E}
|
||||||
\newcommand{\Zero}{\mathcal{O}}
|
\newcommand{\Zero}{\mathcal{O}}
|
||||||
\newcommand{\Generator}{\mathcal{P}}
|
\newcommand{\Generator}{\mathcal{P}}
|
||||||
\newcommand{\Selectu}{\scalebox{1.52}{$u$}}
|
\newcommand{\Selectu}{\scalebox{1.53}{$u$}}
|
||||||
\newcommand{\SelectuOf}[1]{\Selectu\!\left({#1}\right)\!}
|
\newcommand{\SelectuOf}[1]{\Selectu\!\left({#1}\right)\!}
|
||||||
\newcommand{\Selectv}{\scalebox{1.52}{$\varv$}}
|
\newcommand{\Selectv}{\scalebox{1.53}{$\varv$}}
|
||||||
\newcommand{\SelectvOf}[1]{\Selectv\!\left({#1}\right)\!}
|
\newcommand{\SelectvOf}[1]{\Selectv\!\left({#1}\right)\!}
|
||||||
|
|
||||||
\newcommand{\ParamP}[1]{{{#1}_\mathbb{P}}}
|
\newcommand{\ParamP}[1]{{{#1}_\mathbb{P}}}
|
||||||
|
@ -2406,8 +2406,8 @@ $\SigVerify{\vk}(m, s) = 1$.
|
||||||
\item one called $\JoinSplitSig$ (instantiated in \crossref{concretejssig}),
|
\item one called $\JoinSplitSig$ (instantiated in \crossref{concretejssig}),
|
||||||
which is used to sign \transactions that contain at least one
|
which is used to sign \transactions that contain at least one
|
||||||
\joinSplitDescription\sprout{.}\notsprout{;}
|
\joinSplitDescription\sprout{.}\notsprout{;}
|
||||||
\saplingonwarditem{one called $\SpendAuthSig$ (instantiated
|
\saplingonwarditem{one called $\SpendAuthSig$ (instantiated in
|
||||||
in \crossref{concretespendauthsig}), which is used to sign authorizations of
|
\crossref{concretespendauthsig}), which is used to sign authorizations of
|
||||||
\spendDescriptions.}
|
\spendDescriptions.}
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
|
@ -3124,7 +3124,7 @@ $(\Diversifier, \DiversifiedTransmitPublic)$, and then performs the following st
|
||||||
|
|
||||||
\begin{enumerate}
|
\begin{enumerate}
|
||||||
\item Check that $\DiversifiedTransmitPublic$ is a valid compressed representation of
|
\item Check that $\DiversifiedTransmitPublic$ is a valid compressed representation of
|
||||||
an Edwards point on the $\JubjubCurve$ curve and this point is not of small order
|
an Edwards point on the \jubjubCurve and this point is not of small order
|
||||||
(i.e. $\abstJOf{\DiversifiedTransmitPublic} \neq \bot$ and
|
(i.e. $\abstJOf{\DiversifiedTransmitPublic} \neq \bot$ and
|
||||||
$\scalarmult{8}{\abstJOf{\DiversifiedTransmitPublic}} \neq \ZeroJ$).
|
$\scalarmult{8}{\abstJOf{\DiversifiedTransmitPublic}} \neq \ZeroJ$).
|
||||||
|
|
||||||
|
@ -4021,7 +4021,7 @@ the same effect as using that feature.
|
||||||
|
|
||||||
$\PedersenHash$ is an algebraic hash function with collision resistance
|
$\PedersenHash$ is an algebraic hash function with collision resistance
|
||||||
(for fixed input length) derived from assumed hardness of the
|
(for fixed input length) derived from assumed hardness of the
|
||||||
Discrete Logarithm Problem on the $\JubjubCurve$ curve.
|
Discrete Logarithm Problem on the \jubjubCurve.
|
||||||
It is based on the work of David Chaum, Ivan Damgård, Jeroen van de Graaf,
|
It is based on the work of David Chaum, Ivan Damgård, Jeroen van de Graaf,
|
||||||
Jurjen Bos, George Purdy, Eugène van Heijst and Birgit Pfitzmann in
|
Jurjen Bos, George Purdy, Eugène van Heijst and Birgit Pfitzmann in
|
||||||
\cite{CDG1987}, \cite{BCP1988} and \cite{CvHP1991},
|
\cite{CDG1987}, \cite{BCP1988} and \cite{CvHP1991},
|
||||||
|
@ -4202,7 +4202,7 @@ Let $\powcount(g) := \Justthebox{\powcountbox}$.
|
||||||
|
|
||||||
\vspace{2ex}
|
\vspace{2ex}
|
||||||
\introlist
|
\introlist
|
||||||
% Blech. Dijkstra was right \cite{EWD831}.
|
% Blech. Dijkstra was right \cite{EWD-831}.
|
||||||
Let $\EquihashGen{n, k}(S, i) := T_\barerange{h+1}{h+n}$, where
|
Let $\EquihashGen{n, k}(S, i) := T_\barerange{h+1}{h+n}$, where
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $m := \floor{\frac{512}{n}}$;
|
\item $m := \floor{\frac{512}{n}}$;
|
||||||
|
@ -4619,7 +4619,7 @@ The encoding of a public key is as defined in \cite{BDLSY2012}.
|
||||||
$\SpendAuthSig$ is specified in \crossref{abstractsig}.
|
$\SpendAuthSig$ is specified in \crossref{abstractsig}.
|
||||||
|
|
||||||
It is instantiated as EdJubjub, which is defined as $\EdDSA$ \cite{BJLSY2015} over the
|
It is instantiated as EdJubjub, which is defined as $\EdDSA$ \cite{BJLSY2015} over the
|
||||||
$\JubjubCurve$ curve which these additional constraints: \todo{...}
|
\jubjubCurve which these additional constraints: \todo{...}
|
||||||
|
|
||||||
\cite{FKMSSS2016}
|
\cite{FKMSSS2016}
|
||||||
} %sapling
|
} %sapling
|
||||||
|
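Review bot: The new line `\jubjubCurve which these additional constraints: \todo{...}` in the hunk at 4619 carries over a typo from the old text; `which` should read `with`, i.e. `\jubjubCurve with these additional constraints: \todo{...}`. The `\jubjubCurve` macro that replaces `$\JubjubCurve$ curve` here, and in the hunks at 3124, 4673, 5665, 7067, 7414 and 8132, is in several places followed directly by a space or a line end, and its definition is not in the diff, so the substitution relies on the macro being defined with `\xspace` (as the neighbouring term macros such as `\transactions` and `\noteCommitmentTree` appear to be); worth confirming, since without it the next word runs into the expansion. The enclosing `\sapling{...}` block starts outside this hunk.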
@ -4673,7 +4673,7 @@ The leading byte of the $\SHAFull$ input is $\hexint{B0}$.
|
||||||
|
|
||||||
We construct \quotedterm{windowed} \xPedersenCommitments by reusing the \xPedersenHash
|
We construct \quotedterm{windowed} \xPedersenCommitments by reusing the \xPedersenHash
|
||||||
construction from \crossref{concretepedersenhash}, and adding a randomized point
|
construction from \crossref{concretepedersenhash}, and adding a randomized point
|
||||||
on the $\JubjubCurve$ curve (see \crossref{jubjub}):
|
on the \jubjubCurve (see \crossref{jubjub}):
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\WindowedPedersenCommit{r}(D, s) :=
|
\item $\WindowedPedersenCommit{r}(D, s) :=
|
||||||
|
@ -5100,7 +5100,7 @@ Therefore, $-\varv \neq \varv$.
|
||||||
Now suppose $(u, -\varv) = Q$ is a point in $G$. Then by applying the
|
Now suppose $(u, -\varv) = Q$ is a point in $G$. Then by applying the
|
||||||
doubling formula we have $\scalarmult{2}{Q} = -\scalarmult{2}{P}$.
|
doubling formula we have $\scalarmult{2}{Q} = -\scalarmult{2}{P}$.
|
||||||
But also $\scalarmult{2}{(-P)} = -\scalarmult{2}{P}$. Therefore either
|
But also $\scalarmult{2}{(-P)} = -\scalarmult{2}{P}$. Therefore either
|
||||||
$Q = -P$ (then $\SelectvOf{Q} = \SelectvOf{-P}$; contradiction since
|
$Q = -P$ (then $\SelectvOf{Q} = \SelectvOf{-P}$\,; contradiction since
|
||||||
$-\varv \neq \varv$), or doubling is not injective on $G$ (contradiction
|
$-\varv \neq \varv$), or doubling is not injective on $G$ (contradiction
|
||||||
since $G$ is of odd order \cite{KvE2013}).
|
since $G$ is of odd order \cite{KvE2013}).
|
||||||
\end{proof}
|
\end{proof}
|
||||||
|
@ -5665,7 +5665,7 @@ For \incomingViewingKeys on the test network, the \humanReadablePart is \ascii{z
|
||||||
A \Sapling \fullViewingKey consists of $\AuthSignPublic \typecolon \GroupJ$
|
A \Sapling \fullViewingKey consists of $\AuthSignPublic \typecolon \GroupJ$
|
||||||
and $\AuthProvePublic \typecolon \GroupJ$.
|
and $\AuthProvePublic \typecolon \GroupJ$.
|
||||||
|
|
||||||
$\AuthSignPublic$ and $\AuthProvePublic$ are points on the $\JubjubCurve$ curve
|
$\AuthSignPublic$ and $\AuthProvePublic$ are points on the \jubjubCurve
|
||||||
(see \crossref{jubjub}). They are derived as described in \crossref{saplingkeycomponents}.
|
(see \crossref{jubjub}). They are derived as described in \crossref{saplingkeycomponents}.
|
||||||
|
|
||||||
\introlist
|
\introlist
|
||||||
|
@ -6017,12 +6017,12 @@ A value $\vpubOld$ that the \joinSplitTransfer removes from the \transparentValu
|
||||||
$8$ & $\vpubNewField$ & \type{uint64\_t} & A value $\vpubNew$ that the \joinSplitTransfer inserts
|
$8$ & $\vpubNewField$ & \type{uint64\_t} & A value $\vpubNew$ that the \joinSplitTransfer inserts
|
||||||
into the \transparentValuePool. \\ \hline
|
into the \transparentValuePool. \\ \hline
|
||||||
|
|
||||||
$32$ & $\anchorField$ & \type{char[32]} & A merkle root $\rt$ of the \SproutOrNothing
|
$32$ & $\anchorField$ & \type{char[32]} & A \merkleRoot $\rt$ of the \SproutOrNothing
|
||||||
\noteCommitmentTree at some \blockHeight in the past, or the merkle root produced by a previous
|
\noteCommitmentTree at some \blockHeight in the past, or the \merkleRoot produced by a previous
|
||||||
\joinSplitTransfer in this \transaction. \\ \hline
|
\joinSplitTransfer in this \transaction. \\ \hline
|
||||||
|
|
||||||
$64$ & $\nullifiersField$ & \type{char[32][$\NOld$]} & A sequence of \nullifiers of the input
|
$64$ & $\nullifiersField$ & \type{char[32][$\NOld$]} & A sequence of \nullifiers of the input
|
||||||
\notes $\nfOld{\allOld}$. \\ \hline
|
\notes $\nfOld{\allOld}$. \\[0.4ex] \hline
|
||||||
|
|
||||||
$64$ & $\commitments$ & \type{char[32][$\NNew$]} & A sequence of \noteCommitments for the
|
$64$ & $\commitments$ & \type{char[32][$\NNew$]} & A sequence of \noteCommitments for the
|
||||||
output \notes $\cmNew{\allNew}$. \\ \hline
|
output \notes $\cmNew{\allNew}$. \\ \hline
|
||||||
|
@ -7067,7 +7067,7 @@ The motivations for this change were as follows:
|
||||||
We believe that Curve25519 has significant side-channel resistance,
|
We believe that Curve25519 has significant side-channel resistance,
|
||||||
performance, implementation complexity, and robustness advantages
|
performance, implementation complexity, and robustness advantages
|
||||||
over most other available curve choices, as explained in \cite{Bern2006}.
|
over most other available curve choices, as explained in \cite{Bern2006}.
|
||||||
\sapling{For \Sapling, the $\JubjubCurve$ curve was designed according to a
|
\sapling{For \Sapling, the \jubjubCurve was designed according to a
|
||||||
similar design process following the ``Safe curves'' criteria
|
similar design process following the ``Safe curves'' criteria
|
||||||
\cite{BL-SafeCurves} \cite{GitHub-jubjub}.
|
\cite{BL-SafeCurves} \cite{GitHub-jubjub}.
|
||||||
This retains Curve25519's advantages while keeping \paymentAddress sizes
|
This retains Curve25519's advantages while keeping \paymentAddress sizes
|
||||||
|
@ -7414,7 +7414,7 @@ Daira Hopwood, Sean Bowe, and Jack Grigg.
|
||||||
``roadblock'' attack.
|
``roadblock'' attack.
|
||||||
\sapling{
|
\sapling{
|
||||||
\item Update some explanations of changes from \Zerocash for \Sapling.
|
\item Update some explanations of changes from \Zerocash for \Sapling.
|
||||||
\item Add a description of the $\JubjubCurve$ curve.
|
\item Add a description of the \jubjubCurve.
|
||||||
\item Add an acknowledgement to George Tankersley.
|
\item Add an acknowledgement to George Tankersley.
|
||||||
\item Add an appendix on the design of the \Sapling circuits at the
|
\item Add an appendix on the design of the \Sapling circuits at the
|
||||||
\quadraticArithmeticProgram level.
|
\quadraticArithmeticProgram level.
|
||||||
|
@ -8132,7 +8132,7 @@ has no solutions for $y$, hence $x + 1 \neq 0$.
|
||||||
\end{proof}
|
\end{proof}
|
||||||
|
|
||||||
(The complete twisted Edwards curve referred to in the proof is an
|
(The complete twisted Edwards curve referred to in the proof is an
|
||||||
isomorphic $y$-coordinate rescaling of the $\JubjubCurve$ curve.)
|
isomorphic $y$-coordinate rescaling of the \jubjubCurve.)
|
||||||
|
|
||||||
|
|
||||||
\introsection
|
\introsection
|
||||||
|
|