diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index 56f636c0..3e16ffec 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -528,6 +528,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\representedGroup}{\term{represented group}}
 \newcommand{\representedGroups}{\term{represented groups}}
 \newcommand{\RepresentedGroup}{\titleterm{Represented Group}}
+\newcommand{\representedSubgroup}{\term{represented subgroup}}
+\newcommand{\representedSubgroups}{\term{represented subgroups}}
 \newcommand{\hashExtractor}{\term{hash extractor}}
 \newcommand{\HashExtractor}{\titleterm{Hash Extractor}}
 \newcommand{\groupHash}{\term{group hash}}
@@ -964,9 +966,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\enc}{\mathsf{enc}}
 \newcommand{\DHSecret}[1]{\mathsf{sharedSecret}_{#1}}
 \newcommand{\EphemeralPublic}{\mathsf{epk}}
-\newcommand{\ReprNoKern}{\star}
-\newcommand{\Repr}{\kern-0.03em\ReprNoKern}
-\newcommand{\EphemeralPublicRepr}{\EphemeralPublic^{\Repr}}
+\newcommand{\Repr}{\star}
+\newcommand{\MakeRepr}[2]{{#1}\rlap{\raisebox{-0.32ex}{$\Repr$}}\rule{0ex}{2.2ex}^{#2}}
+\newcommand{\EphemeralPublicRepr}{\EphemeralPublic\Repr}
 \newcommand{\EphemeralPrivate}{\mathsf{esk}}
 \newcommand{\EphemeralPrivateBytes}{\bytes{\EphemeralPrivate}}
 \newcommand{\EphemeralPrivateBytesType}{\byteseq{32}}
@@ -985,15 +987,15 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\AuthSignPrivate}{\mathsf{ask}}
 \newcommand{\AuthSignBase}{\mathcal{G}}
 \newcommand{\AuthSignPublic}{\mathsf{ak}}
-\newcommand{\AuthSignPublicRepr}{\AuthSignPublic^{\Repr}}
+\newcommand{\AuthSignPublicRepr}{\AuthSignPublic\Repr}
 \newcommand{\AuthSignRandomizedPublic}{\mathsf{rk}}
-\newcommand{\AuthSignRandomizedPublicRepr}{\AuthSignRandomizedPublic^{\Repr}}
+\newcommand{\AuthSignRandomizedPublicRepr}{\AuthSignRandomizedPublic\Repr}
 \newcommand{\AuthSignRandomizedPrivate}{\mathsf{rsk}}
 \newcommand{\AuthSignRandomizer}{\alpha}
 \newcommand{\AuthProvePrivate}{\mathsf{nsk}}
 \newcommand{\AuthProveBase}{\mathcal{H}}
 \newcommand{\AuthProvePublic}{\mathsf{nk}}
-\newcommand{\AuthProvePublicRepr}{\AuthProvePublic^{\Repr}}
+\newcommand{\AuthProvePublicRepr}{\AuthProvePublic\Repr}
 \newcommand{\OutViewingKey}{\mathsf{ovk}}
 \newcommand{\OutViewingKeyLength}{\mathsf{\ell_{\OutViewingKey}}}
 \newcommand{\OutViewingKeyType}{\byteseq{\OutViewingKeyLength/8}}
@@ -1006,10 +1008,10 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\DiversifierLength}{\mathsf{\ell_{\Diversifier}}}
 \newcommand{\DiversifierType}{\bitseq{\DiversifierLength}}
 \newcommand{\DiversifiedTransmitBase}{\mathsf{g_d}}
-\newcommand{\DiversifiedTransmitBaseRepr}{\mathsf{g^{\Repr}_d}}
+\newcommand{\DiversifiedTransmitBaseRepr}{\mathsf{g\Repr_d}}
 \newcommand{\DiversifiedTransmitBaseNew}{\mathsf{g^{new}_d}}
 \newcommand{\DiversifiedTransmitPublic}{\mathsf{pk_d}}
-\newcommand{\DiversifiedTransmitPublicRepr}{\mathsf{pk^{\Repr}_d}}
+\newcommand{\DiversifiedTransmitPublicRepr}{\mathsf{pk\Repr_d}}
 \newcommand{\DiversifiedTransmitPublicNew}{\mathsf{pk^{new}_d}}
 
 % PRFs
@@ -1154,7 +1156,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\NoteCommitRandOld}[1]{\NoteCommitRand^\mathsf{old}_{#1}}
 \newcommand{\NoteCommitRandNew}[1]{\NoteCommitRand^\mathsf{new}_{#1}}
 \newcommand{\NoteAddressRand}{\mathsf{\uprho}}
-\newcommand{\NoteAddressRandRepr}{\NoteAddressRand^{\Repr}}
+\newcommand{\NoteAddressRandRepr}{\NoteAddressRand\Repr}
 \newcommand{\NoteAddressRandOld}[1]{\NoteAddressRand^\mathsf{old}_{#1}}
 \newcommand{\NoteAddressRandNew}[1]{\NoteAddressRand^\mathsf{new}_{#1}}
 \newcommand{\NoteAddressPreRand}{\mathsf{\upvarphi}}
@@ -1515,9 +1517,13 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\ParamP}[1]{{{#1}_\mathbb{P}}}
 \newcommand{\ParamPexp}[2]{{{#1}_\mathbb{P}\!}^{#2}}
 \newcommand{\GroupP}[1]{\mathbb{P}_{#1}}
-\newcommand{\GroupPstar}[1]{\mathbb{P}^\ast_{#1}}
+\newcommand{\GroupPstar}[1]{\GroupP{#1}^{\ast}}
+\newcommand{\SubgroupP}[1]{\GroupP{#1}^{\subgroupr}}
+\newcommand{\SubgroupPstar}[1]{\GroupP{#1}^{\subgroupr\ast}}
+\newcommand{\SubgroupReprP}{\MakeRepr{\GroupP{}}{\subgroupr}}
 \newcommand{\CurveP}[1]{\Curve_{\GroupP{#1}}}
 \newcommand{\ZeroP}[1]{\Zero_{\GroupP{#1}}}
+\newcommand{\OneP}{\ParamP{\mathbf{1}}}
 \newcommand{\GenP}[1]{\Generator_{\GroupP{#1}}}
 \newcommand{\ellP}[1]{\ell_{\GroupP{#1}}}
 \newcommand{\reprP}[1]{\repr_{\GroupP{#1}}}
@@ -1527,11 +1533,13 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\ParamG}[1]{{{#1}_\mathbb{G}}} \newcommand{\ParamGexp}[2]{{{#1}_\mathbb{G}\!}^{#2}} \newcommand{\GroupG}[1]{\mathbb{G}_{#1}} -\newcommand{\GroupGstar}[1]{\mathbb{G}^\ast_{#1}} -\newcommand{\SubgroupG}{\mathbb{G}_{\subgroupr}} -\newcommand{\SubgroupReprG}{\SubgroupG^{\ReprNoKern}} +\newcommand{\GroupGstar}[1]{\GroupG{#1}^{\ast}} +\newcommand{\SubgroupG}[1]{\GroupG{#1}^{\subgroupr}} +\newcommand{\SubgroupGstar}[1]{\GroupG{#1}^{\subgroupr\ast}} +\newcommand{\SubgroupReprG}{\MakeRepr{\GroupG{}}{\subgroupr}} \newcommand{\CurveG}[1]{\Curve_{\GroupG{#1}}} \newcommand{\ZeroG}[1]{\Zero_{\GroupG{#1}}} +\newcommand{\OneG}{\ParamG{\mathbf{1}}} \newcommand{\GenG}[1]{\Generator_{\GroupG{#1}}} \newcommand{\ellG}[1]{\ell_{\GroupG{#1}}} \newcommand{\ReprG}[1]{\bitseq{\ellG{#1}}} @@ -1539,8 +1547,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\abstG}[1]{\abst_{\GroupG{#1}}} \newcommand{\PairingG}{\ParamG{\hat{e}}} -\newcommand{\ExtractG}{\Extract_{\SubgroupG}} -\newcommand{\GroupGHash}[1]{\GroupHash^{\SubgroupG}_{#1}} +\newcommand{\ExtractG}{\Extract_{\SubgroupG{}}} +\newcommand{\GroupGHash}[1]{\GroupHash^{\SubgroupG{}}_{#1}} \newcommand{\GroupGHashURSType}{\GroupHash\mathsf{.URSType}} \newcommand{\GroupGHashInput}{\GroupHash\mathsf{.Input}} \newcommand{\URS}{\mathsf{URS}} 
@@ -1548,10 +1556,13 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\ParamS}[1]{{{#1}_\mathbb{\hskip 0.03em S}}} \newcommand{\ParamSexp}[2]{{{#1}_\mathbb{\hskip 0.03em S}\!}^{#2}} \newcommand{\GroupS}[1]{\mathbb{S}_{#1}} -\newcommand{\GroupSstar}[1]{\mathbb{S}^\ast_{#1}} -\newcommand{\SubgroupSstar}[1]{(\GroupSstar{#1}\kern-0.03em)_{\subgroupr}} +\newcommand{\GroupSstar}[1]{\GroupS{#1}^{\ast}} +\newcommand{\SubgroupS}[1]{\GroupS{#1}^{\subgroupr}} +\newcommand{\SubgroupSstar}[1]{\GroupS{#1}^{\subgroupr\ast}} +\newcommand{\SubgroupReprS}{\MakeRepr{\GroupS{}}{\subgroupr}} \newcommand{\CurveS}[1]{\Curve_{\GroupS{#1}}} \newcommand{\ZeroS}[1]{\Zero_{\GroupS{#1}}} +\newcommand{\OneS}{\ParamS{\mathbf{1}}} \newcommand{\GenS}[1]{\Generator_{\GroupS{#1}}} \newcommand{\ellS}[1]{\ell_{\GroupS{#1}}} \newcommand{\reprS}[1]{\repr_{\GroupS{#1}}} @@ -1559,14 +1570,15 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\PairingS}{\ParamS{\hat{e}}} \newcommand{\MillerLoopS}{\ParamS{\mathsf{MillerLoop}}} \newcommand{\FinalExpS}{\ParamS{\mathsf{FinalExp}}} -\newcommand{\GrothProofS}{\ParamS{\mathsf{GrothProof}}} +\newcommand{\GrothS}{\Groth_{\kern 0.05em\mathbb{S}}} +\newcommand{\GrothSProof}{\GrothS\mathsf{.Proof}} \newcommand{\ParamJ}[1]{{{#1}_\mathbb{\hskip 0.01em J}}} \newcommand{\ParamJexp}[2]{{{#1}_\mathbb{\hskip 0.01em J}\!}^{#2}} \newcommand{\GroupJ}{\mathbb{J}} -\newcommand{\SubgroupJ}{\mathbb{J}_{\subgroupr}} -\newcommand{\SubgroupReprJ}{\SubgroupJ^{\ReprNoKern}} -\newcommand{\PrimeOrderJ}{\SubgroupJ \setminus \ZeroJ} +\newcommand{\SubgroupJ}{\GroupJ^{\subgroupr}} +\newcommand{\SubgroupJstar}{\GroupJ^{\subgroupr\ast}} +\newcommand{\SubgroupReprJ}{\MakeRepr{\GroupJ}{\subgroupr}} \newcommand{\CurveJ}{\Curve_{\GroupJ}} \newcommand{\ZeroJ}{\Zero_{\GroupJ}} \newcommand{\GenJ}{\Generator_{\GroupJ}} 
@@ -1578,11 +1590,11 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\SignedScalarLimitJ}{\frac{\ParamJ{r}-1}{2}} \newcommand{\ExtractJ}{\Extract_{\SubgroupJ}} -\newcommand{\GroupJHash}[1]{\GroupHash^{\SubgroupJ}_{#1}} +\newcommand{\GroupJHash}[1]{\GroupHash^{\SubgroupJstar}_{#1}} \newcommand{\GroupJHashURSType}{\GroupJHash{}\mathsf{.URSType}} \newcommand{\GroupJHashInput}{\GroupJHash{}\mathsf{.Input}} \newcommand{\HashOutput}{\bytes{H}} -\newcommand{\FindGroupJHash}{\FindGroupHash^{\SubgroupJ}} +\newcommand{\FindGroupJHash}{\FindGroupHash^{\SubgroupJstar}} \newcommand{\ParamM}[1]{{{#1}_\mathbb{\hskip 0.03em M}}} \newcommand{\ParamMexp}[2]{{{#1}_\mathbb{\hskip 0.03em M}\!}^{#2}} @@ -2056,7 +2068,7 @@ $\sorted(S)$ means the sequence formed by sorting the elements of $S$. $\GF{n}$ means the finite field with $n$ elements, and -$\GFstar{n}$ means its group under multiplication. +$\GFstar{n}$ means its group under multiplication (which excludes $0$). Where there is a need to make the distinction, we denote the unique representative of $a \typecolon \GF{n}$ in the range $\range{0}{n-1}$ @@ -2132,7 +2144,7 @@ i.e. The $\scalarmult{k}{P}$ notation for scalar multiplication in a group is defined in \crossref{abstractgroup}. -The convention of including a superscript $^{\Repr}$ in a variable name is used +The convention of affixing $\Repr$ to a variable name is used for variables that denote bit-sequence representations of group elements. The binary relations $<$, $\leq$, $=$, $\geq$, and $>$ have their conventional 
@@ -2705,7 +2717,7 @@ Let $\MerkleDepthSprout$, $\MerkleHashLengthSprout$, $\RandomSeedLength$, $\PRFOutputLengthSprout$, $\hSigLength$, and $\NOld$ be as defined in \crossref{constants}. \sapling{ -Let $\GroupJ$, $\SubgroupJ$, $\ParamJ{r}$, and $\ellJ$ be as defined in \crossref{jubjub}. +Let $\GroupJ$, $\SubgroupJ$, $\SubgroupJstar$, $\ParamJ{r}$, and $\ellJ$ be as defined in \crossref{jubjub}. } %sapling \sprout{ @@ -2751,10 +2763,10 @@ to derive the unique $\NoteAddressRand$ value for a \Sapling \note. It is also u in the \spendStatement to confirm use of the correct $\NoteAddressRand$ value as an input to \nullifier derivation. It is instantiated in \crossref{concretemixinghash}. -$\DiversifyHash \typecolon \DiversifierType \rightarrow \PrimeOrderJ$ is a \hashFunction -satisfying the Unlinkability security property described in \crossref{concretediversifyhash}. -It is used to derive a \diversifiedBase from a \diversifier in \crossref{saplingkeycomponents}. -It is instantiated in \crossref{concretediversifyhash}. +$\DiversifyHash \typecolon \DiversifierType \rightarrow \SubgroupJstar$ is a \hashFunction +instantiated in \crossref{concretediversifyhash}, and satisfying the Unlinkability +security property described in that section. It is used to derive a \diversifiedBase +from a \diversifier in \crossref{saplingkeycomponents}. } %sapling 
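Review bot: The rewritten signature `$\DiversifyHash \typecolon \DiversifierType \rightarrow \SubgroupJstar$` leaves no room for a $\bot$ result, yet $\CheckDiversifier$ and $\DefaultDiversifier$ in \crossref{saplingkeycomponents} are typed `\maybe{\SubgroupJstar}` precisely because the group hash this function is instantiated from can fail on some inputs. Unless the concrete instantiation in \crossref{concretediversifyhash} guarantees a non-$\bot$ output for every diversifier, the codomain here should be `\maybe{\SubgroupJstar}` so that the type of the callers follows from it; as written, a reader can conclude every diversifier is valid. The enclosing `\sapling{` block opens before this hunk.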
@@ -3332,11 +3344,10 @@ A \representedGroup $\GroupG{}$ consists of: \end{itemize} \vspace{-1.5ex} -\notsprout{ -Define $\SubgroupG$ as the order-$\ParamG{r}$ subgroup of $\GroupG{}$. Note that this includes $\ZeroG{}$. +Define $\SubgroupG{}$ as the order-$\ParamG{r}$ subgroup of $\GroupG{}$. Note that this includes $\ZeroG{}$. +For the set of points of order $\ParamG{r}$ (which excludes $\ZeroG{}$), we write $\SubgroupGstar{}$. -Define $\SubgroupReprG := \setof{\reprG{}(P) \typecolon \ReprG{} \suchthat P \in \SubgroupG}$. -} +Define $\SubgroupReprG := \setof{\reprG{}(P) \typecolon \ReprG{} \suchthat P \in \SubgroupG{}}$. \vspace{0.5ex} For $G \typecolon \GroupG{}$ we write $-G$ for the negation of $G$, such that @@ -3382,13 +3393,14 @@ efficiently computable left inverse. \introlist \subsubsection{Group Hash} \label{abstractgrouphash} -Given a represented group $\GroupG{}$ with prime-order subgroup $\SubgroupG$, -a \term{family of group hashes into\, $\SubgroupG$}, $\GroupGHash{}$, consists of: +Given a \representedSubgroup $\SubgroupG{}$, a \term{family of group hashes into\, $\SubgroupG{}$}, +$\GroupGHash{}$, consists of: \begin{itemize} \item a type $\GroupGHashURSType$ of \uniformRandomStrings; \item a type $\GroupGHashInput$ of inputs; - \item a function $\GroupGHash{} \typecolon \GroupGHashURSType \times \GroupGHashInput \rightarrow \SubgroupG$. + \vspace{-1ex} + \item a function $\GroupGHash{} \typecolon \GroupGHashURSType \times \GroupGHashInput \rightarrow \SubgroupG{}$. \end{itemize} In \crossref{concretegrouphashjubjub}, we instantiate a family of group hashes into 
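Review bot: `\representedSubgroup` is used here ("Given a \representedSubgroup $\SubgroupG{}$") and again in the represented pairing definition as if it were an established term, but nothing in the visible hunks defines it; the sentence introduced in \crossref{abstractgroup} only says "Define $\SubgroupG{}$ as the order-$\ParamG{r}$ subgroup of $\GroupG{}$". If it is not defined elsewhere in the file, the natural place is that sentence: `Define $\SubgroupG{}$ as the order-$\ParamG{r}$ subgroup of $\GroupG{}$, which is called a \representedSubgroup. Note that this includes $\ZeroG{}$.` Without it the new term macro is a dangling reference in a section that otherwise defines every symbol it uses.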
@@ -3418,7 +3430,7 @@ not return $\bot$) as a random oracle. a sequence of \emph{distinct} inputs $m_{\alln} \typecolon \typeexp{\GroupGHashInput}{n}$ and a sequence of nonzero $x_{\alln} \typecolon \typeexp{\GFstar{\ParamG{r}}}{n}$ such that $\ssum{i = 1}{n}\!\left(\scalarmult{x_i}{\GroupGHash{\URS}(m_i)}\right) = \ZeroG{}$. - \item Under the Discrete Logarithm assumption on $\GroupG{}$, a random oracle almost surely satisfies + \item Under the Discrete Logarithm assumption on $\SubgroupG{}$, a random oracle almost surely satisfies Discrete Logarithm Independence. \item Discrete Logarithm Independence implies \collisionResistance\!, since a collision $(m_1, m_2)$ for $\GroupGHash{\URS}$ trivially gives a 
@@ -3445,23 +3457,22 @@ A \representedPairing $\GroupP{}$ consists of: \begin{itemize} \item a group order parameter $\ParamP{r} \typecolon \PosInt$ which must be prime; - \item two \representedGroups $\GroupP{1, 2}$, both of order $\ParamP{r}$; - \item a group $\GroupP{T}$ of order $\ParamP{r}$, written multiplicatively with operation\, - $\mult \typecolon \GroupP{T} \times \GroupP{T} \rightarrow \GroupP{T}$ - and multiplicative identity $\ParamP{\mathbf{1}}$; - \item three generators $\GenG{1, 2, T}$ of the order-$\ParamG{r}$ subgroups of - $\GroupG{1, 2, T}$ respectively; + \item two \representedSubgroups $\SubgroupP{1, 2}$, both of order $\ParamP{r}$; + \item a group $\SubgroupP{T}$ of order $\ParamP{r}$, written multiplicatively with operation\, + $\mult \typecolon \SubgroupP{T} \times \SubgroupP{T} \rightarrow \SubgroupP{T}$ + and group identity $\ParamP{\mathbf{1}}$; + \item three generators $\GenP{1, 2, T}$ of $\SubgroupP{1, 2, T}$ respectively; \item a pairing function - $\PairingP \typecolon \GroupP{1} \times \GroupP{2} \rightarrow \GroupP{T}$ + $\PairingP \typecolon \SubgroupP{1} \times \SubgroupP{2} \rightarrow \SubgroupP{T}$ satisfying: \begin{itemize} \item (Bilinearity)\; for all $a, b \typecolon \GFstar{r}$, - $P \typecolon \GroupP{1}$, and $Q \typecolon \GroupP{2}$,\; + $P \typecolon \SubgroupP{1}$, and $Q \typecolon \SubgroupP{2}$,\; $\PairingP\Of{\scalarmult{a}{P}, \scalarmult{b}{Q}} = \PairingP\Of{P, Q}^{a \mult b}$;\, and - \item (Nondegeneracy)\; there does not exist $P \typecolon \GroupP{1} \setminus \ZeroP{1}$ - such that for all $Q \typecolon \GroupP{2},\; - \PairingP(P, Q) = \ParamP{\mathbf{1}}$. + \item (Nondegeneracy)\; there does not exist $P \typecolon \SubgroupPstar{1}$ + such that for all $Q \typecolon \SubgroupP{2},\; + \PairingP\Of{P, Q} = \OneP$. \end{itemize} \end{itemize} 
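Review bot: The edited identity line still spells the identity as `$\ParamP{\mathbf{1}}$` while the nondegeneracy clause a few lines later uses the `\OneP` macro this commit adds; write `and group identity $\OneP$;` so the symbol has a single definition. On the unchanged bilinearity line, `$a, b \typecolon \GFstar{r}$` uses a bare `r` where every other line of this definition uses `\ParamP{r}`, and bilinearity holds for all scalars including $0$, so `$a, b \typecolon \GF{\ParamP{r}}$` is both the consistent and the intended statement. The one-sided nondegeneracy condition is adequate only because both $\SubgroupP{1}$ and $\SubgroupP{2}$ have prime order $\ParamP{r}$; a short parenthetical saying so would save the reader checking it.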
@@ -3632,7 +3643,7 @@ Let $\DiversifyHash$ be a \hashFunction, instantiated in \crossref{concretediver Let $\SpendAuthSig$, instantiated in \crossref{concretespendauthsig}, be a \rerandomizableSignatureScheme. -Let $\reprJ$, $\SubgroupJ$, and $\SubgroupReprJ$ be as defined in \crossref{jubjub}, and +Let $\reprJ$, $\SubgroupJ$, $\SubgroupJstar$, and $\SubgroupReprJ$ be as defined in \crossref{jubjub}, and let $\FindGroupJHash$ be as defined in \crossref{concretegrouphashjubjub}. Let $\LEBStoOSP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$ @@ -3661,7 +3672,7 @@ the \authProvingKey $\AuthProvePrivate \typecolon \GF{\ParamJ{r}}$, and the If $\AuthSignPrivate = 0$, discard this key and repeat with a new $\SpendingKey$. \vspace{1ex} -$\AuthSignPublic \typecolon \PrimeOrderJ$, $\AuthProvePublic \typecolon \SubgroupJ$, and +$\AuthSignPublic \typecolon \SubgroupJstar$, $\AuthProvePublic \typecolon \SubgroupJ$, and the \incomingViewingKey $\InViewingKey \typecolon \InViewingKeyTypeSapling$ are then derived as: \vspace{-0.5ex} @@ -3711,7 +3722,7 @@ be as defined in \crossref{concretegrouphashjubjub}. Define: \end{cases}$ \item $\DefaultDiversifier(\sk \typecolon \SpendingKeyType) := \first\big(\fun{i \typecolon \byte}{\CheckDiversifier(\truncate{(\DiversifierLength/8)}(\PRFexpand{\sk}([3, i]))) - \typecolon \maybe{(\PrimeOrderJ)}}\big)$. + \typecolon \maybe{\SubgroupJstar}}\big)$. \end{formulae} For a random \spendingKey, $\DefaultDiversifier$ returns $\bot$ with probability approximately $2^{-256}$; 
@@ -4408,15 +4419,15 @@ Instead of generating a key pair at random, we generate it as a function of the and the \balancingValue. \vspace{2ex} -Let $\SubgroupJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}. +Let $\SubgroupJ$, $\SubgroupJstar$, and $\ParamJ{r}$ be as defined in \crossref{jubjub}. \introlist Let $\ValueCommit{}$, $\ValueCommitValueBase$, and $\ValueCommitRandBase$ be as defined in \crossref{concretevaluecommit}: \begin{formulae} \item $\ValueCommit{} \typecolon \ValueCommitTrapdoor \times \ValueCommitType \rightarrow \ValueCommitOutput$; - \item $\ValueCommitValueBase \typecolon \PrimeOrderJ$ is the value base in $\ValueCommit{}$; - \item $\ValueCommitRandBase \typecolon \PrimeOrderJ$ is the randomness base in $\ValueCommit{}$. + \item $\ValueCommitValueBase \typecolon \SubgroupJstar$ is the value base in $\ValueCommit{}$; + \item $\ValueCommitRandBase \typecolon \SubgroupJstar$ is the randomness base in $\ValueCommit{}$. \end{formulae} $\BindingSig$, $\combplus$, and $\grpplus$ are instantiated in \crossref{concretebindingsig}. @@ -5852,7 +5863,7 @@ Let $c := 63$. \introlist \vspace{2ex} -Define $\PedersenGenAlg \typecolon \byteseq{8} \times \Nat \rightarrow \PrimeOrderJ$ by: +Define $\PedersenGenAlg \typecolon \byteseq{8} \times \Nat \rightarrow \SubgroupJstar$ by: \begin{formulae} \item $\PedersenGen{D}{i} := \FindGroupJHash\Of{D, \Justthebox{\gencountbox}}$. 
@@ -6358,11 +6369,11 @@ $\KASapling$ is a \keyAgreementScheme as specified in \crossref{abstractkeyagree It is instantiated as Diffie-Hellman with cofactor multiplication on $\JubjubCurve$ as follows: -Let $\GroupJ$, $\SubgroupJ$, and the cofactor $\ParamJ{h}$ be as defined in \crossref{jubjub}. +Let $\GroupJ$, $\SubgroupJ$, $\SubgroupJstar$, and the cofactor $\ParamJ{h}$ be as defined in \crossref{jubjub}. Define $\KASaplingPublic := \GroupJ$. -Define $\KASaplingPublicPrimeOrder := \PrimeOrderJ$. +Define $\KASaplingPublicPrimeOrder := \SubgroupJstar$. Define $\KASaplingSharedSecret := \SubgroupJ$. @@ -6478,12 +6489,12 @@ We first describe the scheme $\RedDSA$ over a general \representedGroup. Its parameters are: \begin{itemize} \item a \representedGroup $\GroupG{}$, which also defines - a subgroup $\SubgroupG$ of order $\ParamG{r}$, a cofactor $\ParamG{h}$, + a subgroup $\SubgroupG{}$ of order $\ParamG{r}$, a cofactor $\ParamG{h}$, a group operation $+$, an additive identity $\ZeroG{}$, a bit-length $\ellG{}$, a representation function $\reprG{}$, and an abstraction function $\abstG{}$, as specified in \crossref{abstractgroup}; - \item $\GenG{}$, a generator of $\SubgroupG$; + \item $\GenG{}$, a generator of $\SubgroupG{}$; \item a bit-length $\RedDSAHashLength \typecolon \Nat$ such that $2^{\RedDSAHashLength-128} \geq \ParamG{r}$ and $\RedDSAHashLength \bmod 8 = 0$; \item a cryptographic \hashFunction $\RedDSAHash \typecolon \byteseqs \rightarrow \byteseq{\RedDSAHashLength/8}$. @@ -6613,7 +6624,7 @@ The scheme $\RedJubjub$ specializes $\RedDSA$ with: \item $\RedDSAHash(x) := \BlakeTwobOf{512}{\ascii{Zcash\_RedJubjubH}, x}$ as defined in \crossref{concreteblake2}. \end{itemize} -The generator $\GenG{} \typecolon \SubgroupG$ is left as an unspecified parameter, which is different between +The generator $\GenG{} \typecolon \SubgroupG{}$ is left as an unspecified parameter, which is different between $\BindingSig$ and $\SpendAuthSig$. } %sapling 
@@ -6820,33 +6831,33 @@ Let $\ParamG{b} := 3$. (\hairspace $\ParamG{q}$ and $\ParamG{r}$ are prime.) -Let $\GroupG{1}$ be the group of points on a Barreto--Naehrig (\cite{BN2005}) -curve $\CurveG{1}$ over $\GF{\ParamG{q}}$ with equation $y^2 = x^3 + \ParamG{b}$. +Let $\SubgroupG{1}$ be the group (of order $\ParamG{r}$) of rational points on a +Barreto--Naehrig (\cite{BN2005}) curve $\CurveG{1}$ over $\GF{\ParamG{q}}$ with equation $y^2 = x^3 + \ParamG{b}$. This curve has embedding degree 12 with respect to $\ParamG{r}$. -Let $\GroupG{2}$ be the subgroup of order $r$ in the sextic twist $\CurveG{2}$ of -$\GroupG{1}$ over $\GF{\ParamGexp{q}{2}}$ with equation $y^2 = x^3 + \frac{\ParamG{b}}{\xi}$, +Let $\SubgroupG{2}$ be the subgroup of order $\ParamG{r}$ in the sextic twist $\CurveG{2}$ of +$\CurveG{1}$ over $\GF{\ParamGexp{q}{2}}$ with equation $y^2 = x^3 + \frac{\ParamG{b}}{\xi}$, where $\xi \typecolon \GF{\ParamGexp{q}{2}}$. We represent elements of $\GF{\ParamGexp{q}{2}}$ as polynomials $a_1 \mult t + a_0 \typecolon \GF{\ParamG{q}}[t]$, modulo the irreducible polynomial $t^2 + 1$; in this representation, $\xi$ is given by $t + 9$. -Let $\GroupG{T}$ be the subgroup of $\ParamGexp{r}{\mathrm{th}}$ roots of unity in -$\GFstar{\ParamGexp{q}{12}}$. +Let $\SubgroupG{T}$ be the subgroup of $\ParamGexp{r}{\mathrm{th}}$ roots of unity in +$\GFstar{\ParamGexp{q}{12}}$, with multiplicative identity $\OneG$. Let $\PairingG$ be the optimal ate pairing (see \cite{Vercauter2009} and \cite[section 2]{AKLGL2010}) of type -$\GroupG{1} \times \GroupG{2} \rightarrow \GroupG{T}$. +$\SubgroupG{1} \times \SubgroupG{2} \rightarrow \SubgroupG{T}$. For $i \typecolon \range{1}{2}$, let $\ZeroG{i}$ be the point at infinity -(which is the additive identity) in $\GroupG{i}$, and let -$\GroupGstar{i} := \GroupG{i} \setminus \setof{\ZeroG{i}}$. +(which is the additive identity) in $\SubgroupG{i}$, and let +$\SubgroupGstar{i} := \SubgroupG{i} \setminus \setof{\ZeroG{i}}$. 
-Let $\GenG{1} \typecolon \GroupGstar{1} := (1, 2)$. +Let $\GenG{1} \typecolon \SubgroupGstar{1} := (1, 2)$. \vspace{-1ex} \begin{tabular}{@{}l@{}r@{}l@{}} -Let $\GenG{2} \typecolon \GroupGstar{2} :=\;$ +Let $\GenG{2} \typecolon \SubgroupGstar{2} :=\;$ % are these the right way round? &$(11559732032986387107991004021392285783925812861821192530917403151452391805634$ & $\,\mult\, t\;+$ \\ &$ 10857046999023057135944570762232829481370756359578518086990519993285655852781$ & $, $ \\ @@ -6854,8 +6865,7 @@ Let $\GenG{2} \typecolon \GroupGstar{2} :=\;$ &$ 8495653923123431417604973247489272438418190587263600148770280649306958101930$ & $). $ \end{tabular} -$\GenG{1}$ and $\GenG{2}$ are generators of the order-$\ParamG{r}$ subgroups of -$\GroupG{1}$ and $\GroupG{2}$ respectively. +$\GenG{1}$ and $\GenG{2}$ are generators of $\SubgroupG{1}$ and $\SubgroupG{2}$ respectively. \newsavebox{\gonebox} \begin{lrbox}{\gonebox} @@ -6893,7 +6903,7 @@ Define $\ItoBEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \bitseq{\ell}$ as in \crossref{endian}. \introlist -For a point $P \typecolon \GroupGstar{1} = (\xP, \yP)$: +For a point $P \typecolon \SubgroupGstar{1} = (\xP, \yP)$: \begin{itemize} \item The field elements $\xP$ and $\yP \typecolon \GF{q}$ are represented as @@ -6903,7 +6913,7 @@ For a point $P \typecolon \GroupGstar{1} = (\xP, \yP)$: \end{itemize} \introlist -For a point $P \typecolon \GroupGstar{2} = (\xP, \yP)$: +For a point $P \typecolon \SubgroupGstar{2} = (\xP, \yP)$: \begin{itemize} \item Define $\FEtoIP \typecolon \GF{\ParamG{q}}[t] / (t^2 + 1) \rightarrow 
@@ -6918,24 +6928,24 @@ For a point $P \typecolon \GroupGstar{2} = (\xP, \yP)$: \end{itemize} \begin{nnotes} - \item The use of big-endian order by $\ItoBEBSP{}$ is different from the encoding - of most other integers in this protocol. - The encodings for $\GroupGstar{1, 2}$ are consistent with the - definition of $\ECtoOSP{}$ for compressed curve points in - \cite[section 5.5.6.2]{IEEE2004}. The LSB compressed form - (i.e.\ $\ECtoOSPXL$) is used for points in $\GroupGstar{1}$, - and the SORT compressed form (i.e.\ $\ECtoOSPXS$) for points in - $\GroupGstar{2}$. \item The points at infinity $\ZeroG{1, 2}$ never occur in proofs and have no defined encodings in this protocol. - \item Testing $y > y'$ for the compression of $\GroupGstar{2}$ points is equivalent + \item A rational point $P \neq \ZeroG{2}$ on the curve $\CurveG{2}$ can be + verified to be of order $\ParamG{r}$, and therefore in $\SubgroupGstar{2}$, + by checking that $\ParamG{r} \mult P = \ZeroG{2}$. + \item The use of big-endian order by $\ItoBEBSP{}$ is different from the encoding + of most other integers in this protocol. + The encodings for $\SubgroupGstar{1, 2}$ are consistent with the + definition of $\ECtoOSP{}$ for compressed curve points in + \cite[section 5.5.6.2]{IEEE2004}. The LSB compressed form + (i.e.\ $\ECtoOSPXL$) is used for points in $\SubgroupGstar{1}$, + and the SORT compressed form (i.e.\ $\ECtoOSPXS$) for points in + $\SubgroupGstar{2}$. + \item Testing $y > y'$ for the compression of $\SubgroupGstar{2}$ points is equivalent to testing whether $(a_{y,1}, a_{y,0}) > (a_{-y,1}, a_{-y,0})$ in lexicographic order. \item Algorithms for decompressing points from the above encodings are - given in \cite[Appendix A.12.8]{IEEE2000} for $\GroupGstar{1}$, and - \cite[Appendix A.12.11]{IEEE2004} for $\GroupGstar{2}$. 
- \item A rational point $P \neq \ZeroG{2}$ on the curve $\CurveG{2}$ can be - verified to be of order $\ParamG{r}$, and therefore in $\GroupGstar{2}$, - by checking that $\ParamG{r} \mult P = \ZeroG{2}$. + given in \cite[Appendix A.12.8]{IEEE2000} for $\SubgroupGstar{1}$, and + \cite[Appendix A.12.11]{IEEE2004} for $\SubgroupGstar{2}$. \end{nnotes} When computing square roots in $\GF{\ParamG{q}}$ or $\GF{\ParamGexp{q}{2}}$ in 
@@ -6983,32 +6993,32 @@ Let $\ParamS{b} := 4$. (\hairspace $\ParamS{q}$ and $\ParamS{r}$ are prime.) -Let $\GroupS{1}$ be the group of points on a Barreto--Lynn--Scott (\cite{BLS2002}) -curve $\CurveS{1}$ over $\GF{\ParamS{q}}$ with equation $y^2 = x^3 + \ParamS{b}$. -This curve has embedding degree 12 with respect to $\ParamS{r}$. +Let $\SubgroupS{1}$ be the subgroup of order $\ParamS{r}$ of the group of rational points +on a Barreto--Lynn--Scott (\cite{BLS2002}) curve $\CurveS{1}$ over $\GF{\ParamS{q}}$ with +equation $y^2 = x^3 + \ParamS{b}$. This curve has embedding degree 12 with respect to $\ParamS{r}$. -Let $\GroupS{2}$ be the subgroup of order $\ParamS{r}$ in the sextic twist $\CurveS{2}$ of -$\GroupS{1}$ over $\GF{\ParamSexp{q}{2}}$ with equation $y^2 = x^3 + 4(i + 1)$, where +Let $\SubgroupS{2}$ be the subgroup of order $\ParamS{r}$ in the sextic twist $\CurveS{2}$ of +$\CurveS{1}$ over $\GF{\ParamSexp{q}{2}}$ with equation $y^2 = x^3 + 4(i + 1)$, where $i \typecolon \GF{\ParamSexp{q}{2}}$. We represent elements of $\GF{\ParamSexp{q}{2}}$ as polynomials $a_1 \mult t + a_0 \typecolon \GF{\ParamS{q}}[t]$, modulo the irreducible polynomial $t^2 + 1$; in this representation, $i$ is given by $t$. -Let $\GroupS{T}$ be the subgroup of $\ParamSexp{r}{\mathrm{th}}$ roots of unity in -$\GFstar{\ParamSexp{q}{12}}$. +Let $\SubgroupS{T}$ be the subgroup of $\ParamSexp{r}{\mathrm{th}}$ roots of unity in +$\GFstar{\ParamSexp{q}{12}}$, with multiplicative identity $\OneS$. Let $\PairingS$ be the optimal ate pairing of type -$\GroupS{1} \times \GroupS{2} \rightarrow \GroupS{T}$. +$\SubgroupS{1} \times \SubgroupS{2} \rightarrow \SubgroupS{T}$. -For $i \typecolon \range{1}{2}$, let $\ZeroS{i}$ be the point at infinity in $\GroupS{i}$, -and let $\GroupSstar{i} := \GroupS{i} \setminus \setof{\ZeroS{i}}$. +For $i \typecolon \range{1}{2}$, let $\ZeroS{i}$ be the point at infinity in $\SubgroupS{i}$, +and let $\SubgroupSstar{i} := \SubgroupS{i} \setminus \setof{\ZeroS{i}}$. 
\introlist -Let $\GenS{1} \typecolon \GroupSstar{1} := (1, 2)$. +Let $\GenS{1} \typecolon \SubgroupSstar{1} := (1, 2)$. \begin{tabular}{@{}l@{}r@{}l@{}} -Let $\GenS{2} \typecolon \GroupSstar{2} :=\;$ +Let $\GenS{2} \typecolon \SubgroupSstar{2} :=\;$ % are these the right way round? &$(11559732032986387107991004021392285783925812861821192530917403151452391805634$ & $\,\mult\, t\;+$ \\ &$ 10857046999023057135944570762232829481370756359578518086990519993285655852781$ & $, $ \\ @@ -7016,13 +7026,13 @@ Let $\GenS{2} \typecolon \GroupSstar{2} :=\;$ &$ 8495653923123431417604973247489272438418190587263600148770280649306958101930$ & $). $ \end{tabular} -$\GenS{1}$ and $\GenS{2}$ are generators of $\GroupS{1}$ and $\GroupS{2}$ respectively. +$\GenS{1}$ and $\GenS{2}$ are generators of $\SubgroupS{1}$ and $\SubgroupS{2}$ respectively. Define $\ItoBEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow \bitseq{\ell}$ as in \crossref{endian}. \introlist -For a point $P \typecolon \GroupSstar{1} = (\xP, \yP)$: +For a point $P \typecolon \SubgroupSstar{1} = (\xP, \yP)$: \begin{itemize} \item The field elements $\xP$ and $\yP \typecolon \GF{\ParamS{q}}$ are represented as @@ -7035,7 +7045,7 @@ For a point $P \typecolon \GroupSstar{1} = (\xP, \yP)$: \end{itemize} \introlist -For a point $P \typecolon \GroupSstar{2} = (\xP, \yP)$: +For a point $P \typecolon \SubgroupSstar{2} = (\xP, \yP)$: \begin{itemize} \item Define $\FEtoIPP \typecolon \GF{\ParamS{q}}[t] / (t^2 + 1) \rightarrow 
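Review bot: The BLS12-381 generators in this hunk cannot be correct: with `\ParamS{b} := 4` (the hunk's header context) the point `$\GenS{1} \typecolon \SubgroupSstar{1} := (1, 2)$` does not satisfy $y^2 = x^3 + 4$ since $2^2 = 4 \neq 5$, and the $\GenS{2}$ coordinates are digit-for-digit the BN generator from \crossref{bnpairing}, together with its `% are these the right way round?` comment. Because the proof encodings and the verifier's subgroup checks are stated relative to these points, the values need to be replaced by the generators the bellman parameters actually use, ideally with a note on how they were derived. Until they are, a `% FIXME: placeholder copied from the BN section; (1, 2) is not on this curve` comment above `Let $\GenS{1}$` would stop someone implementing from this text.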
@@ -7050,14 +7060,14 @@ For a point $P \typecolon \GroupSstar{2} = (\xP, \yP)$: \end{itemize} \begin{nnotes} - \item The encodings for $\GroupSstar{1, 2}$ are specific to \Zcash. \item The points at infinity $\ZeroS{1, 2}$ never occur in proofs and have no defined encodings in this protocol. + \item The encodings for $\SubgroupSstar{1, 2}$ are specific to \Zcash. \item Algorithms for decompressing points from the encodings of - $\GroupSstar{1, 2}$ are defined analogously to those for - $\GroupGstar{1, 2}$ in \crossref{bnpairing}, taking into account that + $\SubgroupSstar{1, 2}$ are defined analogously to those for + $\SubgroupGstar{1, 2}$ in \crossref{bnpairing}, taking into account that the SORT compressed form (not the LSB compressed form) is used - for $\GroupGstar{1}$. + for $\SubgroupSstar{1}$. \item A rational point $P \neq \ZeroS{2}$ on the curve $\CurveS{2}$ can be verified to be of order $\ParamS{r}$, and therefore in $\GroupSstar{2}$, by checking that $\ParamS{r} \mult P = \ZeroS{2}$. @@ -7108,7 +7118,7 @@ be the left inverse of $\reprJ$ such that if $S$ is not in the range of $\reprJ$, then $\abstJ\Of{S} = \bot$. Define $\SubgroupJ$ as the order-$\ParamJ{r}$ subgroup of $\GroupJ$. Note that this includes $\ZeroJ$. -For the set of prime-order points we write $\PrimeOrderJ$. +For the set of points of order $\ParamJ{r}$ (which excludes $\ZeroJ$), we write $\SubgroupJstar$. Define $\SubgroupReprJ := \setof{\reprJ(P) \typecolon \ReprJ \suchthat P \in \SubgroupJ}$. 
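Review bot: The last note in this hunk still concludes "and therefore in $\GroupSstar{2}$", but after this commit `\GroupSstar{2}` denotes $\GroupS{2}$ minus its identity rather than the order-$\ParamS{r}$ subgroup, so the sentence no longer states what the check establishes; it should read `verified to be of order $\ParamS{r}$, and therefore in $\SubgroupSstar{2}$,`, matching the BN note that was updated in \crossref{bnpairing}. A sibling note for $\CurveS{1}$ would also be worthwhile here: unlike the BN case, $\SubgroupS{1}$ is now defined as "the subgroup of order $\ParamS{r}$ of the group of rational points", so if that subgroup is proper a decoded point on $\CurveS{1}$ is not automatically in $\SubgroupSstar{1}$ and the same $\ParamS{r} \mult P = \ZeroS{1}$ check applies.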
@@ -7210,14 +7220,14 @@ Let $\BlakeTwos{256}$ be as defined in \crossref{concreteblake2}. Let $\LEOStoIP{}$ be as defined in \crossref{endian}. -Let $\abstJ$ be as defined in \crossref{jubjub}. +Let $\SubgroupJ$, $\SubgroupJstar$, and $\abstJ$ be as defined in \crossref{jubjub}. \vspace{1ex} Let $D \typecolon \byteseq{8}$ be an $8$-byte domain separator, and let $M \typecolon \byteseqs$ be the hash input. \introlist -The hash $\GroupJHash{\URS}(D, M) \typecolon \PrimeOrderJ$ is calculated as follows: +The hash $\GroupJHash{\URS}(D, M) \typecolon \SubgroupJstar$ is calculated as follows: \begin{algorithm} \item let $\HashOutput = \BlakeTwos{256}(D,\, \URS \bconcat\, M)$ @@ -7241,13 +7251,13 @@ The hash $\GroupJHash{\URS}(D, M) \typecolon \PrimeOrderJ$ is calculated as foll is injective, and both it and its inverse are efficiently computable. $\exclusivefun{P \typecolon \GroupJ} - {\scalarmult{\ParamJ{h}}{P} \typecolon \PrimeOrderJ}{\ZeroJ}$ + {\scalarmult{\ParamJ{h}}{P} \typecolon \SubgroupJstar}{\ZeroJ}$ is exactly $\ParamJ{h}$-to-$1$, and both it and its inverse relation are efficiently computable. It follows that when $\fun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)} {\BlakeTwosOf{256}{D,\, \URS \bconcat\, M}\! \typecolon \byteseq{32}}$ is modelled as a random oracle, $\exclusivefun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)} - {\GroupJHash{\URS}(D, M) \typecolon \PrimeOrderJ}{\bot}$ also acts as a random oracle. + {\GroupJHash{\URS}\big(D, M\big) \typecolon \SubgroupJstar}{\bot}$ also acts as a random oracle. \end{pnotes} \vspace{0.5ex} 
@@ -7256,7 +7266,7 @@ so that $\first(f) = f(i)$ where $i$ is the least integer in $\byte$ such that $f(i) \neq \bot$, or $\bot$ if no such $i$ exists. Define $\FindGroupJHash(D, M) := -\first(\fun{i \typecolon \byte}{\GroupJHash{\URS}(D, M \bconcat\, [i]) \typecolon \maybe{(\PrimeOrderJ)}})$. +\first(\fun{i \typecolon \byte}{\GroupJHash{\URS}\Of{D, M \bconcat\, [i]} \typecolon \maybe{\SubgroupJstar}})$. \vspace{-3ex} \pnote{For random input, $\FindGroupJHash$ returns $\bot$ with probability approximately $2^{-256}$. @@ -7276,15 +7286,15 @@ computation of a \defaultDiversifiedPaymentAddress in \crossref{saplingkeycompon with the $\PHGR$ \provingSystem described in \cite{BCTV2015}, which is a refinement of the systems in \cite{PHGR2013} and \cite{BCGTV2013}. -A $\PHGR$ proof consists of a tuple -$(\Proof{A} \typecolon \GroupGstar{1},\, - \Proof{A}' \typecolon \GroupGstar{1},\, - \Proof{B} \typecolon \GroupGstar{2},\, - \Proof{B}' \typecolon \GroupGstar{1},\, - \Proof{C} \typecolon \GroupGstar{1},\, - \Proof{C}' \typecolon \GroupGstar{1},\, - \Proof{K} \typecolon \GroupGstar{1},\, - \Proof{H} \typecolon \GroupGstar{1})$. +A $\PHGR$ proof consists of +$(\Proof{A} \typecolon \SubgroupGstar{1},\, + \Proof{A}' \typecolon \SubgroupGstar{1},\, + \Proof{B} \typecolon \SubgroupGstar{2},\, + \Proof{B}' \typecolon \SubgroupGstar{1},\, + \Proof{C} \typecolon \SubgroupGstar{1},\, + \Proof{C}' \typecolon \SubgroupGstar{1},\, + \Proof{K} \typecolon \SubgroupGstar{1},\, + \Proof{H} \typecolon \SubgroupGstar{1})$. It is computed as described in \cite[Appendix B]{BCTV2015}, using the pairing parameters specified in \crossref{bnpairing}. 
@@ -7336,8 +7346,8 @@ verifier \MUST check, for the encoding of each element, that: \item the remaining bytes encode a big-endian representation of an integer in $\range{0}{\ParamS{q}\!-\!1}$ or (in the case of $\Proof{B}$) $\range{0}{\ParamSexp{q}{2}\!-\!1}$; - \item the encoding represents a point in $\GroupGstar{1}$ or (in the case of - $\Proof{B}$) $\GroupGstar{2}$, including checking that it is of order + \item the encoding represents a point in $\SubgroupGstar{1}$ or (in the case of + $\Proof{B}$) $\SubgroupGstar{2}$, including checking that it is of order $\ParamG{r}$ in the latter case. \end{itemize} @@ -7360,10 +7370,10 @@ After \Sapling activation, \Zcash uses \zkSNARKs with the \provingSystem describ for proofs both in \Sprout \joinSplitDescriptions, and in \Sapling \spendDescriptions and \outputDescriptions. They are generated by the \bellman library \cite{Bowe-bellman}. -A $\Groth$ proof consists of a tuple -$(\Proof{A} \typecolon \GroupSstar{1},\, - \Proof{B} \typecolon \GroupSstar{2},\, - \Proof{C} \typecolon \GroupSstar{1})$. +A $\Groth$ proof consists of +$(\Proof{A} \typecolon \SubgroupSstar{1},\, + \Proof{B} \typecolon \SubgroupSstar{2},\, + \Proof{C} \typecolon \SubgroupSstar{1})$. It is computed as described in \cite{Groth2016}, using the pairing parameters specified in \crossref{blspairing}. @@ -7401,8 +7411,8 @@ verifier \MUST check, for the encoding of each element, that: \item the remaining bits encode a big-endian representation of an integer in $\range{0}{\ParamS{q}\!-\!1}$ or (in the case of $\Proof{B}$) two integers in that range; - \item the encoding represents a point in $\GroupSstar{1}$ or (in the case of $\Proof{B}$) - $\GroupSstar{2}$, including checking that it is of order $\ParamS{r}$ + \item the encoding represents a point in $\SubgroupSstar{1}$ or (in the case of $\Proof{B}$) + $\SubgroupSstar{2}$, including checking that it is of order $\ParamS{r}$ in the latter case. \end{itemize} } 
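Review bot: In the Groth16 encoding checks (hunk at -7401), `including checking that it is of order $\ParamS{r}$ in the latter case` reads as if the order check were needed only for $\Proof{B}$, but by the definition introduced in this commit `$\SubgroupSstar{1}$` denotes the $\ParamS{r}$-order points, and the BLS12-381 $\CurveS{1}$ curve has a non-trivial cofactor (not shown on this page), so a verifier that skips the subgroup check for $\Proof{A}$ and $\Proof{C}$ accepts encodings that are not in `$\SubgroupSstar{1}$` at all. Consider `including checking that it is of order $\ParamS{r}$ in both cases`, or state explicitly that membership in $\SubgroupSstar{1}$ entails that check for $\Proof{A}$ and $\Proof{C}$ too. The parallel wording in this PHGR hunk is about the BN pairing groups, whose base group has prime order by construction, so the "latter case" phrasing is accurate there.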
@@ -7777,7 +7787,7 @@ For \incomingViewingKeys on the test network, the \humanReadablePart is \ascii{z \sapling{ \subsubsection{\Sapling \FullViewingKeys} \label{saplingfullviewingkeyencoding} -A \Sapling \fullViewingKey consists of $\AuthSignPublic \typecolon \PrimeOrderJ$, +A \Sapling \fullViewingKey consists of $\AuthSignPublic \typecolon \SubgroupJstar$, $\AuthProvePublic \typecolon \SubgroupJ$, and $\OutViewingKey \typecolon \byteseq{\OutViewingKeyLength/8}$. $\AuthSignPublic$ and $\AuthProvePublic$ are points on the \jubjubCurve @@ -7802,7 +7812,7 @@ The raw encoding of a \fullViewingKey consists of: \end{itemize} When decoding this representation, the key is not valid if $\abstJ$ returns $\bot$ -for either $\AuthSignPublic$ or $\AuthProvePublic$, or if $\AuthSignPublic \notin \PrimeOrderJ$, +for either $\AuthSignPublic$ or $\AuthProvePublic$, or if $\AuthSignPublic \notin \SubgroupJstar$, or if $\AuthProvePublic \notin \SubgroupJ$. For \incomingViewingKeys on the production network, the \humanReadablePart is \ascii{zviews}. @@ -9568,6 +9578,24 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \intropart \section{Change History} +\subparagraph{2018.0-beta-27} + +\begin{itemize} + \item No changes to \Sprout. +\sapling{ + \item Notational changes: + \begin{itemize} + \item Use a superscript $^{\subgroupr}$ to mark the subgroup order, instead of a + subscript. + \item Use $\SubgroupGstar{}$ for the set of $\ParamG{r}$-order points in $\GroupG{}$. + \item Mark the subgroup order in pairing groups, e.g. use $\SubgroupG{1}$ instead + of $\GroupG{1}$. + \item Make the bit-representation indicator $\Repr$ an affix instead of a superscript. + \end{itemize} +} %sapling +\end{itemize} + +\introlist \subparagraph{2018.0-beta-26} \begin{itemize} 
@@ -9665,7 +9693,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \item Acknowledge Tomas Sander and Amnon Ta–Shma for \cite{ST1999}. \item Acknowledge Kudelski Security's audit. \sapling{ - \item Use the more precise subgroup types $\SubgroupG$ and $\SubgroupJ$ in preference to + \item Use the more precise subgroup types $\SubgroupG{}$ and $\SubgroupJ$ in preference to $\GroupG{}$ and $\GroupJ$ where applicable. \item Change the types of \auxiliaryInputs to the \spendStatement and \outputStatement, to be more faithful to the implementation. @@ -11358,7 +11386,7 @@ cryptanalytic attention to confidently use them for \Sapling. The reference verification algorithm for $\RedDSA$ signatures is defined in \crossref{concretereddsa}. -Let the $\RedDSA$ parameters $\GroupG{}$ (defining a subgroup $\SubgroupG$ of order $\ParamG{r}$, +Let the $\RedDSA$ parameters $\GroupG{}$ (defining a subgroup $\SubgroupG{}$ of order $\ParamG{r}$, a cofactor $\ParamG{h}$, a group operation $+$, an additive identity $\ZeroG{}$, a bit-length $\ellG{}$, a representation function $\reprG{}$, and an abstraction function $\abstG{}$); $\GenG{} \typecolon \GroupG{}$; $\RedDSAHashLength \typecolon \Nat$; $\RedDSAHash \typecolon \byteseqs \rightarrow \byteseq{\RedDSAHashLength/8}$; 
@@ -11380,33 +11408,33 @@ Define $\RedDSABatchEntry := \RedDSAPublic \times \RedDSAMessage \times \RedDSAS Define $\RedDSABatchVerify \typecolon (\Entry{\barerange{0}{N-1}} \typecolon \typeexp{\RedDSABatchEntry}{N}) \rightarrow \bit$ as: \begin{algorithm} - \item For each $i \in \range{0}{N-1}$: - \item \tab Let $(\vk_i, M_i, \sigma_i) = \Entry{i}$. - \item \tab Let $\RedDSAReprR{i}$ be the first $\ceiling{\ellG{}/8}$ bytes of $\sigma_i$, and - let $\RedDSAReprS{i}$ be the remaining $\ceiling{\bitlength(\ParamG{r})/8}$ bytes. - \item \tab Let $\RedDSASigR{i} = \abstG{}\big(\LEOStoBSP{\ellG{}}(\RedDSAReprR{i})\kern-0.15em\big)$, and - let $\RedDSASigS{i} = \LEOStoIP{\bitlength(\ParamG{r})}(\RedDSAReprS{i})$. - \item \tab Let $\vkBytes{i} = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\vk_i}\kern 0.05em}$. - \item \tab Let $\RedDSASigc{i} = \RedDSAHashToScalar(\RedDSAReprR{i} \bconcat \vkBytes{i} \bconcat M_i)$. + \item For each $j \in \range{0}{N-1}$: + \item \tab Let $(\vk_j, M_j, \sigma_j) = \Entry{j}$. + \item \tab Let $\RedDSAReprR{j}$ be the first $\ceiling{\ellG{}/8}$ bytes of $\sigma_j$, and + let $\RedDSAReprS{j}$ be the remaining $\ceiling{\bitlength(\ParamG{r})/8}$ bytes. + \item \tab Let $\RedDSASigR{j} = \abstG{}\big(\LEOStoBSP{\ellG{}}(\RedDSAReprR{j})\kern-0.12em\big)$, and + let $\RedDSASigS{j} = \LEOStoIP{\bitlength(\ParamG{r})}(\RedDSAReprS{j})$. + \item \tab Let $\vkBytes{j} = \LEBStoOSPOf{\ellG{}}{\reprG{}(\vk_j)\kern-0.1em}$. + \item \tab Let $\RedDSASigc{j} = \RedDSAHashToScalar(\RedDSAReprR{j} \bconcat \vkBytes{j} \bconcat M_j)$. \vspace{1ex} - \item \tab Choose random $z_i \typecolon \GF{\ParamG{r}} \leftarrowR \range{1}{2^{128}-1}$. + \item \tab Choose random $z_j \typecolon \GF{\ParamG{r}} \leftarrowR \range{1}{2^{128}-1}$. 
\item \vspace{-2ex} \item Return $1$ if \vspace{1ex} \begin{itemize} - \item for all $i \in \range{0}{N-1}$, $\RedDSASigR{i} \neq \bot$ and $\RedDSASigS{i} < \ParamG{r}$; and - \item $\scalarmult{\ParamG{h}}{\left(\bigscalarmult{\ssum{i=0}{N-1}{(z_i \mult \RedDSASigS{i}) + \item for all $j \in \range{0}{N-1}$, $\RedDSASigR{j} \neq \bot$ and $\RedDSASigS{j} < \ParamG{r}$; and + \item $\scalarmult{\ParamG{h}}{\left(\bigscalarmult{\ssum{j=0}{N-1}{(z_j \mult \RedDSASigS{j}) \pmod{\ParamG{r}}}}{\GenG{}} + - \ssum{i=0}{N-1}{\big(\scalarmult{z_i}{\RedDSASigR{i}} + - \scalarmult{z_i \mult \RedDSASigc{i} - \pmod{\ParamG{r}}}{\vk_i}\big)}\!\right)} + \ssum{j=0}{N-1}{\big(\scalarmult{z_j}{\RedDSASigR{j}} + + \scalarmult{z_j \mult \RedDSASigc{j} + \pmod{\ParamG{r}}}{\vk_j}\big)}\!\right)} = \ZeroG{}$, \end{itemize} \vspace{-0.5ex} otherwise $0$. \end{algorithm} -The $z_i$ values \MUST be chosen independently of the batch entries. +The $z_j$ values \MUST be chosen independently of the batch entries. The performance benefit of this approach arises partly from replacing the per-signature scalar multiplication of the base $\GenG{}$ with one such multiplication per batch, @@ -11418,7 +11446,7 @@ as Pippinger's method \cite{Bernstein2001} or the Bos--Coster method \cite{deRoo binding signatures (\crossref{concretebindingsig}) use different bases $\raisedstrut\GenG{}$. It is straightforward to adapt the above procedure to handle multiple bases; there will be one -$\bigscalarmult{\ssum{i}{}{(z_i \mult \RedDSASigS{i}) \pmod{\ParamG{r}}}}{\Generator}$ term for each base $\Generator$. +$\bigscalarmult{\ssum{j}{}{(z_j \mult \RedDSASigS{j}) \pmod{\ParamG{r}}}}{\Generator}$ term for each base $\Generator$. The benefit of this relative to using separate batches is that the multiscalar multiplication can be extended across a larger batch.} %pnote 
@@ -11429,12 +11457,12 @@ can be extended across a larger batch.} %pnote The reference verification algorithm for $\Groth$ proofs is defined in \crossref{groth}. -Let $\ParamS{q}$, $\ParamS{r}$, $\GroupS{1, 2, T}$, $\GroupSstar{1, 2, T}$, $\GenS{1, 2, T}$, -and $\PairingS$ be as defined in \crossref{blspairing}. +Let $\ParamS{q}$, $\ParamS{r}$, $\SubgroupS{1, 2, T}$, $\SubgroupSstar{1, 2, T}$, $\GenS{1, 2, T}$, +$\OneS$, and $\PairingS$ be as defined in \crossref{blspairing}. -Define $\MillerLoopS \typecolon \GroupS{1} \times \GroupS{2} \rightarrow \GroupS{T}$ -and $\FinalExpS \typecolon \GroupS{T} \rightarrow \GroupS{T}$ to be the Miller loop and -final exponentiation respectively of the pairing computation, so that: +Define $\MillerLoopS \typecolon \SubgroupS{1} \times \SubgroupS{2} \rightarrow \SubgroupS{T}$ +and $\FinalExpS \typecolon \SubgroupS{T} \rightarrow \SubgroupS{T}$ to be the Miller loop and +final exponentiation respectively of the $\PairingS$ pairing computation, so that: \begin{formulae} \item $\PairingS\Of{P, Q} = \FinalExpS\Of{\MillerLoopS\Of{P, Q}\kern 0.05em}$ \end{formulae} @@ -11442,9 +11470,9 @@ final exponentiation respectively of the pairing computation, so that: where $\FinalExpS\Of{R} = R^{t}$ for some fixed $t$. \vspace{2ex} -Define $\GrothProofS := \GroupSstar{1} \times \SubgroupSstar{2} \times \GroupSstar{1}$. +Define $\GrothSProof := \SubgroupSstar{1} \times \SubgroupSstar{2} \times \SubgroupSstar{1}$. -A $\Groth$ proof consists of a tuple $(\Proof{A}, \Proof{B}, \Proof{C}) \typecolon \GrothProofS$. +A $\GrothS$ proof consists of a tuple $(\Proof{A}, \Proof{B}, \Proof{C}) \typecolon \GrothSProof$. Verification of a single $\Groth$ proof requires checking the equation \vspace{-0.5ex} 
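Review bot: Typing the Miller loop as `\MillerLoopS \typecolon \SubgroupS{1} \times \SubgroupS{2} \rightarrow \SubgroupS{T}` is not accurate if `\SubgroupS{T}` now denotes the order-$\ParamS{r}$ subgroup, as the change-history entry in the hunk at -9568 says the subgroup-marked names do: the Miller loop output lies in the multiplicative group of the extension field and is only mapped into the order-$\ParamS{r}$ subgroup by the final exponentiation, so the same objection applies to the domain of `\FinalExpS`. Suggested: `\MillerLoopS \typecolon \SubgroupS{1} \times \SubgroupS{2} \rightarrow \GroupS{T}` and `\FinalExpS \typecolon \GroupS{T} \rightarrow \SubgroupS{T}`, assuming `\GroupS{T}`, which the removed lines used, is still defined as the full target group. This matters for the batch procedure introduced after the hunk at -11469, which presumably combines Miller-loop outputs before a single final exponentiation and so needs the larger type for the intermediate values.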
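Review bot: The new line `A $\GrothS$ proof consists of a tuple $(\Proof{A}, \Proof{B}, \Proof{C}) \typecolon \GrothSProof$` in the hunk at -11442 is immediately followed by the unchanged `Verification of a single $\Groth$ proof requires checking the equation`, so one paragraph mixes `\GrothS` and `\Groth` for the same object, while the hunk at -11469 switches the batch sentence to `\GrothS` and the reference section at -7360 still says `A $\Groth$ proof consists of`. If `\GrothS` is meant to name the Groth16 instantiation over the BLS pairing, the following context line should read `Verification of a single $\GrothS$ proof requires checking the equation`. The phrasing also diverges: this line keeps `consists of a tuple` while the rewritten lines at -7276 and -7360 drop `a tuple`; either is fine, but the sections should match.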
@@ -11469,7 +11497,7 @@ Raising to the power of random $z \neq 0$ gives: \end{formulae} \vspace{1ex} -This justifies the following optimized procedure for performing faster verification of a batch of $\Groth$ proofs. +This justifies the following optimized procedure for performing faster verification of a batch of $\GrothS$ proofs. Implementations \MAY use this procedure to determine whether all proofs in a batch are valid. \introlist