zec
/
zips
mirror of https://github.com/zcash/zips.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Cosmetics. 

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2018-03-11 14:00:00 +00:00
parent 96cfbe9232
commit 7cde004f83
1 changed files with 17 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
protocol/protocol.tex
View File

@ -1149,9 +1149,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\Curve}{E} \newcommand{\Curve}{E}
\newcommand{\Zero}{\mathcal{O}} \newcommand{\Zero}{\mathcal{O}}
\newcommand{\Generator}{\mathcal{P}} \newcommand{\Generator}{\mathcal{P}}
\newcommand{\Selectu}{\scalebox{1.52}{$u$}} \newcommand{\Selectu}{\scalebox{1.53}{$u$}}
\newcommand{\SelectuOf}[1]{\Selectu\!\left({#1}\right)\!} \newcommand{\SelectuOf}[1]{\Selectu\!\left({#1}\right)\!}
\newcommand{\Selectv}{\scalebox{1.52}{$\varv$}} \newcommand{\Selectv}{\scalebox{1.53}{$\varv$}}
\newcommand{\SelectvOf}[1]{\Selectv\!\left({#1}\right)\!} \newcommand{\SelectvOf}[1]{\Selectv\!\left({#1}\right)\!}
\newcommand{\ParamP}[1]{{{#1}_\mathbb{P}}} \newcommand{\ParamP}[1]{{{#1}_\mathbb{P}}}
@ -2406,8 +2406,8 @@ $\SigVerify{\vk}(m, s) = 1$.
\item one called $\JoinSplitSig$ (instantiated in \crossref{concretejssig}), \item one called $\JoinSplitSig$ (instantiated in \crossref{concretejssig}),
which is used to sign \transactions that contain at least one which is used to sign \transactions that contain at least one
\joinSplitDescription\sprout{.}\notsprout{;} \joinSplitDescription\sprout{.}\notsprout{;}
\saplingonwarditem{one called $\SpendAuthSig$ (instantiated \saplingonwarditem{one called $\SpendAuthSig$ (instantiated in
in \crossref{concretespendauthsig}), which is used to sign authorizations of \crossref{concretespendauthsig}), which is used to sign authorizations of
\spendDescriptions.} \spendDescriptions.}
\end{itemize} \end{itemize}
@ -3124,7 +3124,7 @@ $(\Diversifier, \DiversifiedTransmitPublic)$, and then performs the following st
\begin{enumerate} \begin{enumerate}
\item Check that $\DiversifiedTransmitPublic$ is a valid compressed representation of \item Check that $\DiversifiedTransmitPublic$ is a valid compressed representation of
an Edwards point on the $\JubjubCurve$ curve and this point is not of small order an Edwards point on the \jubjubCurve and this point is not of small order
(i.e. $\abstJOf{\DiversifiedTransmitPublic} \neq \bot$ and (i.e. $\abstJOf{\DiversifiedTransmitPublic} \neq \bot$ and
$\scalarmult{8}{\abstJOf{\DiversifiedTransmitPublic}} \neq \ZeroJ$). $\scalarmult{8}{\abstJOf{\DiversifiedTransmitPublic}} \neq \ZeroJ$).
@ -4021,7 +4021,7 @@ the same effect as using that feature.
$\PedersenHash$ is an algebraic hash function with collision resistance $\PedersenHash$ is an algebraic hash function with collision resistance
(for fixed input length) derived from assumed hardness of the (for fixed input length) derived from assumed hardness of the
Discrete Logarithm Problem on the $\JubjubCurve$ curve. Discrete Logarithm Problem on the \jubjubCurve.
It is based on the work of David Chaum, Ivan Damgård, Jeroen van de Graaf, It is based on the work of David Chaum, Ivan Damgård, Jeroen van de Graaf,
Jurjen Bos, George Purdy, Eugène van Heijst and Birgit Pfitzmann in Jurjen Bos, George Purdy, Eugène van Heijst and Birgit Pfitzmann in
\cite{CDG1987}, \cite{BCP1988} and \cite{CvHP1991}, \cite{CDG1987}, \cite{BCP1988} and \cite{CvHP1991},
@ -4202,7 +4202,7 @@ Let $\powcount(g) := \Justthebox{\powcountbox}$.
\vspace{2ex} \vspace{2ex}
\introlist \introlist
% Blech. Dijkstra was right \cite{EWD831}. % Blech. Dijkstra was right \cite{EWD-831}.
Let $\EquihashGen{n, k}(S, i) := T_\barerange{h+1}{h+n}$, where Let $\EquihashGen{n, k}(S, i) := T_\barerange{h+1}{h+n}$, where
\begin{formulae} \begin{formulae}
\item $m := \floor{\frac{512}{n}}$; \item $m := \floor{\frac{512}{n}}$;
@ -4619,7 +4619,7 @@ The encoding of a public key is as defined in \cite{BDLSY2012}.
$\SpendAuthSig$ is specified in \crossref{abstractsig}. $\SpendAuthSig$ is specified in \crossref{abstractsig}.
It is instantiated as EdJubjub, which is defined as $\EdDSA$ \cite{BJLSY2015} over the It is instantiated as EdJubjub, which is defined as $\EdDSA$ \cite{BJLSY2015} over the
$\JubjubCurve$ curve which these additional constraints: \todo{...} \jubjubCurve which these additional constraints: \todo{...}
\cite{FKMSSS2016} \cite{FKMSSS2016}
} %sapling } %sapling
@ -4673,7 +4673,7 @@ The leading byte of the $\SHAFull$ input is $\hexint{B0}$.
We construct \quotedterm{windowed} \xPedersenCommitments by reusing the \xPedersenHash We construct \quotedterm{windowed} \xPedersenCommitments by reusing the \xPedersenHash
construction from \crossref{concretepedersenhash}, and adding a randomized point construction from \crossref{concretepedersenhash}, and adding a randomized point
on the $\JubjubCurve$ curve (see \crossref{jubjub}): on the \jubjubCurve (see \crossref{jubjub}):
\begin{formulae} \begin{formulae}
\item $\WindowedPedersenCommit{r}(D, s) := \item $\WindowedPedersenCommit{r}(D, s) :=
@ -5100,7 +5100,7 @@ Therefore, $-\varv \neq \varv$.
Now suppose $(u, -\varv) = Q$ is a point in $G$. Then by applying the Now suppose $(u, -\varv) = Q$ is a point in $G$. Then by applying the
doubling formula we have $\scalarmult{2}{Q} = -\scalarmult{2}{P}$. doubling formula we have $\scalarmult{2}{Q} = -\scalarmult{2}{P}$.
But also $\scalarmult{2}{(-P)} = -\scalarmult{2}{P}$. Therefore either But also $\scalarmult{2}{(-P)} = -\scalarmult{2}{P}$. Therefore either
$Q = -P$ (then $\SelectvOf{Q} = \SelectvOf{-P}$; contradiction since $Q = -P$ (then $\SelectvOf{Q} = \SelectvOf{-P}$\,; contradiction since
$-\varv \neq \varv$), or doubling is not injective on $G$ (contradiction $-\varv \neq \varv$), or doubling is not injective on $G$ (contradiction
since $G$ is of odd order \cite{KvE2013}). since $G$ is of odd order \cite{KvE2013}).
\end{proof} \end{proof}
@ -5665,7 +5665,7 @@ For \incomingViewingKeys on the test network, the \humanReadablePart is \ascii{z
A \Sapling \fullViewingKey consists of $\AuthSignPublic \typecolon \GroupJ$ A \Sapling \fullViewingKey consists of $\AuthSignPublic \typecolon \GroupJ$
and $\AuthProvePublic \typecolon \GroupJ$. and $\AuthProvePublic \typecolon \GroupJ$.
$\AuthSignPublic$ and $\AuthProvePublic$ are points on the $\JubjubCurve$ curve $\AuthSignPublic$ and $\AuthProvePublic$ are points on the \jubjubCurve
(see \crossref{jubjub}). They are derived as described in \crossref{saplingkeycomponents}. (see \crossref{jubjub}). They are derived as described in \crossref{saplingkeycomponents}.
\introlist \introlist
@ -6017,12 +6017,12 @@ A value $\vpubOld$ that the \joinSplitTransfer removes from the \transparentValu
$8$ & $\vpubNewField$ & \type{uint64\_t} & A value $\vpubNew$ that the \joinSplitTransfer inserts $8$ & $\vpubNewField$ & \type{uint64\_t} & A value $\vpubNew$ that the \joinSplitTransfer inserts
into the \transparentValuePool. \\ \hline into the \transparentValuePool. \\ \hline
$32$ & $\anchorField$ & \type{char[32]} & A merkle root $\rt$ of the \SproutOrNothing $32$ & $\anchorField$ & \type{char[32]} & A \merkleRoot $\rt$ of the \SproutOrNothing
\noteCommitmentTree at some \blockHeight in the past, or the merkle root produced by a previous \noteCommitmentTree at some \blockHeight in the past, or the \merkleRoot produced by a previous
\joinSplitTransfer in this \transaction. \\ \hline \joinSplitTransfer in this \transaction. \\ \hline
$64$ & $\nullifiersField$ & \type{char[32][$\NOld$]} & A sequence of \nullifiers of the input $64$ & $\nullifiersField$ & \type{char[32][$\NOld$]} & A sequence of \nullifiers of the input
\notes $\nfOld{\allOld}$. \\ \hline \notes $\nfOld{\allOld}$. \\[0.4ex] \hline
$64$ & $\commitments$ & \type{char[32][$\NNew$]} & A sequence of \noteCommitments for the $64$ & $\commitments$ & \type{char[32][$\NNew$]} & A sequence of \noteCommitments for the
output \notes $\cmNew{\allNew}$. \\ \hline output \notes $\cmNew{\allNew}$. \\ \hline
@ -7067,7 +7067,7 @@ The motivations for this change were as follows:
We believe that Curve25519 has significant side-channel resistance, We believe that Curve25519 has significant side-channel resistance,
performance, implementation complexity, and robustness advantages performance, implementation complexity, and robustness advantages
over most other available curve choices, as explained in \cite{Bern2006}. over most other available curve choices, as explained in \cite{Bern2006}.
\sapling{For \Sapling, the $\JubjubCurve$ curve was designed according to a \sapling{For \Sapling, the \jubjubCurve was designed according to a
similar design process following the ``Safe curves'' criteria similar design process following the ``Safe curves'' criteria
\cite{BL-SafeCurves} \cite{GitHub-jubjub}. \cite{BL-SafeCurves} \cite{GitHub-jubjub}.
This retains Curve25519's advantages while keeping \paymentAddress sizes This retains Curve25519's advantages while keeping \paymentAddress sizes
@ -7414,7 +7414,7 @@ Daira Hopwood, Sean Bowe, and Jack Grigg.
``roadblock'' attack. ``roadblock'' attack.
\sapling{ \sapling{
\item Update some explanations of changes from \Zerocash for \Sapling. \item Update some explanations of changes from \Zerocash for \Sapling.
\item Add a description of the $\JubjubCurve$ curve. \item Add a description of the \jubjubCurve.
\item Add an acknowledgement to George Tankersley. \item Add an acknowledgement to George Tankersley.
\item Add an appendix on the design of the \Sapling circuits at the \item Add an appendix on the design of the \Sapling circuits at the
\quadraticArithmeticProgram level. \quadraticArithmeticProgram level.
@ -8132,7 +8132,7 @@ has no solutions for $y$, hence $x + 1 \neq 0$.
\end{proof} \end{proof}
(The complete twisted Edwards curve referred to in the proof is an (The complete twisted Edwards curve referred to in the proof is an
isomorphic $y$-coordinate rescaling of the $\JubjubCurve$ curve.) isomorphic $y$-coordinate rescaling of the \jubjubCurve.)
\introsection \introsection