zec
/
zips
mirror of https://github.com/zcash/zips.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Notational changes: 

- Use a superscript (r) to mark the subgroup order, instead of a subscript.
- Use G^{(r)∗} for the set of r_G-order points in G.
(r)
- Mark the subgroup order in pairing groups, e.g. use G_1^{(r)} instead of G_1.
- Make the bit-representation indicator (five-pointed star) an affix instead of a superscript.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2018-08-12 16:24:15 +01:00
parent b605fe1061
commit 81598de991
1 changed files with 188 additions and 160 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

348
protocol/protocol.tex
View File

@ -528,6 +528,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\representedGroup}{\term{represented group}}
\newcommand{\representedGroups}{\term{represented groups}}
\newcommand{\RepresentedGroup}{\titleterm{Represented Group}}
\newcommand{\representedSubgroup}{\term{represented subgroup}}
\newcommand{\representedSubgroups}{\term{represented subgroups}}
\newcommand{\hashExtractor}{\term{hash extractor}}
\newcommand{\HashExtractor}{\titleterm{Hash Extractor}}
\newcommand{\groupHash}{\term{group hash}}
@ -964,9 +966,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\enc}{\mathsf{enc}}
\newcommand{\DHSecret}[1]{\mathsf{sharedSecret}_{#1}}
\newcommand{\EphemeralPublic}{\mathsf{epk}}
\newcommand{\ReprNoKern}{\star}
\newcommand{\Repr}{\kern-0.03em\ReprNoKern}
\newcommand{\EphemeralPublicRepr}{\EphemeralPublic^{\Repr}}
\newcommand{\Repr}{\star}
\newcommand{\MakeRepr}[2]{{#1}\rlap{\raisebox{-0.32ex}{$\Repr$}}\rule{0ex}{2.2ex}^{#2}}
\newcommand{\EphemeralPublicRepr}{\EphemeralPublic\Repr}
\newcommand{\EphemeralPrivate}{\mathsf{esk}}
\newcommand{\EphemeralPrivateBytes}{\bytes{\EphemeralPrivate}}
\newcommand{\EphemeralPrivateBytesType}{\byteseq{32}}
@ -985,15 +987,15 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\AuthSignPrivate}{\mathsf{ask}}
\newcommand{\AuthSignBase}{\mathcal{G}}
\newcommand{\AuthSignPublic}{\mathsf{ak}}
\newcommand{\AuthSignPublicRepr}{\AuthSignPublic^{\Repr}}
\newcommand{\AuthSignPublicRepr}{\AuthSignPublic\Repr}
\newcommand{\AuthSignRandomizedPublic}{\mathsf{rk}}
\newcommand{\AuthSignRandomizedPublicRepr}{\AuthSignRandomizedPublic^{\Repr}}
\newcommand{\AuthSignRandomizedPublicRepr}{\AuthSignRandomizedPublic\Repr}
\newcommand{\AuthSignRandomizedPrivate}{\mathsf{rsk}}
\newcommand{\AuthSignRandomizer}{\alpha}
\newcommand{\AuthProvePrivate}{\mathsf{nsk}}
\newcommand{\AuthProveBase}{\mathcal{H}}
\newcommand{\AuthProvePublic}{\mathsf{nk}}
\newcommand{\AuthProvePublicRepr}{\AuthProvePublic^{\Repr}}
\newcommand{\AuthProvePublicRepr}{\AuthProvePublic\Repr}
\newcommand{\OutViewingKey}{\mathsf{ovk}}
\newcommand{\OutViewingKeyLength}{\mathsf{\ell_{\OutViewingKey}}}
\newcommand{\OutViewingKeyType}{\byteseq{\OutViewingKeyLength/8}}
@ -1006,10 +1008,10 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\DiversifierLength}{\mathsf{\ell_{\Diversifier}}}
\newcommand{\DiversifierType}{\bitseq{\DiversifierLength}}
\newcommand{\DiversifiedTransmitBase}{\mathsf{g_d}}
\newcommand{\DiversifiedTransmitBaseRepr}{\mathsf{g^{\Repr}_d}}
\newcommand{\DiversifiedTransmitBaseRepr}{\mathsf{g\Repr_d}}
\newcommand{\DiversifiedTransmitBaseNew}{\mathsf{g^{new}_d}}
\newcommand{\DiversifiedTransmitPublic}{\mathsf{pk_d}}
\newcommand{\DiversifiedTransmitPublicRepr}{\mathsf{pk^{\Repr}_d}}
\newcommand{\DiversifiedTransmitPublicRepr}{\mathsf{pk\Repr_d}}
\newcommand{\DiversifiedTransmitPublicNew}{\mathsf{pk^{new}_d}}
% PRFs
@ -1154,7 +1156,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\NoteCommitRandOld}[1]{\NoteCommitRand^\mathsf{old}_{#1}}
\newcommand{\NoteCommitRandNew}[1]{\NoteCommitRand^\mathsf{new}_{#1}}
\newcommand{\NoteAddressRand}{\mathsf{\uprho}}
\newcommand{\NoteAddressRandRepr}{\NoteAddressRand^{\Repr}}
\newcommand{\NoteAddressRandRepr}{\NoteAddressRand\Repr}
\newcommand{\NoteAddressRandOld}[1]{\NoteAddressRand^\mathsf{old}_{#1}}
\newcommand{\NoteAddressRandNew}[1]{\NoteAddressRand^\mathsf{new}_{#1}}
\newcommand{\NoteAddressPreRand}{\mathsf{\upvarphi}}
@ -1515,9 +1517,13 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ParamP}[1]{{{#1}_\mathbb{P}}}
\newcommand{\ParamPexp}[2]{{{#1}_\mathbb{P}\!}^{#2}}
\newcommand{\GroupP}[1]{\mathbb{P}_{#1}}
\newcommand{\GroupPstar}[1]{\mathbb{P}^\ast_{#1}}
\newcommand{\GroupPstar}[1]{\GroupP{#1}^{\ast}}
\newcommand{\SubgroupP}[1]{\GroupP{#1}^{\subgroupr}}
\newcommand{\SubgroupPstar}[1]{\GroupP{#1}^{\subgroupr\ast}}
\newcommand{\SubgroupReprP}{\MakeRepr{\GroupP{}}{\subgroupr}}
\newcommand{\CurveP}[1]{\Curve_{\GroupP{#1}}}
\newcommand{\ZeroP}[1]{\Zero_{\GroupP{#1}}}
\newcommand{\OneP}{\ParamP{\mathbf{1}}}
\newcommand{\GenP}[1]{\Generator_{\GroupP{#1}}}
\newcommand{\ellP}[1]{\ell_{\GroupP{#1}}}
\newcommand{\reprP}[1]{\repr_{\GroupP{#1}}}
@ -1527,11 +1533,13 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ParamG}[1]{{{#1}_\mathbb{G}}}
\newcommand{\ParamGexp}[2]{{{#1}_\mathbb{G}\!}^{#2}}
\newcommand{\GroupG}[1]{\mathbb{G}_{#1}}
\newcommand{\GroupGstar}[1]{\mathbb{G}^\ast_{#1}}
\newcommand{\SubgroupG}{\mathbb{G}_{\subgroupr}}
\newcommand{\SubgroupReprG}{\SubgroupG^{\ReprNoKern}}
\newcommand{\GroupGstar}[1]{\GroupG{#1}^{\ast}}
\newcommand{\SubgroupG}[1]{\GroupG{#1}^{\subgroupr}}
\newcommand{\SubgroupGstar}[1]{\GroupG{#1}^{\subgroupr\ast}}
\newcommand{\SubgroupReprG}{\MakeRepr{\GroupG{}}{\subgroupr}}
\newcommand{\CurveG}[1]{\Curve_{\GroupG{#1}}}
\newcommand{\ZeroG}[1]{\Zero_{\GroupG{#1}}}
\newcommand{\OneG}{\ParamG{\mathbf{1}}}
\newcommand{\GenG}[1]{\Generator_{\GroupG{#1}}}
\newcommand{\ellG}[1]{\ell_{\GroupG{#1}}}
\newcommand{\ReprG}[1]{\bitseq{\ellG{#1}}}
@ -1539,8 +1547,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\abstG}[1]{\abst_{\GroupG{#1}}}
\newcommand{\PairingG}{\ParamG{\hat{e}}}
\newcommand{\ExtractG}{\Extract_{\SubgroupG}}
\newcommand{\GroupGHash}[1]{\GroupHash^{\SubgroupG}_{#1}}
\newcommand{\ExtractG}{\Extract_{\SubgroupG{}}}
\newcommand{\GroupGHash}[1]{\GroupHash^{\SubgroupG{}}_{#1}}
\newcommand{\GroupGHashURSType}{\GroupHash\mathsf{.URSType}}
\newcommand{\GroupGHashInput}{\GroupHash\mathsf{.Input}}
\newcommand{\URS}{\mathsf{URS}}
@ -1548,10 +1556,13 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ParamS}[1]{{{#1}_\mathbb{\hskip 0.03em S}}}
\newcommand{\ParamSexp}[2]{{{#1}_\mathbb{\hskip 0.03em S}\!}^{#2}}
\newcommand{\GroupS}[1]{\mathbb{S}_{#1}}
\newcommand{\GroupSstar}[1]{\mathbb{S}^\ast_{#1}}
\newcommand{\SubgroupSstar}[1]{(\GroupSstar{#1}\kern-0.03em)_{\subgroupr}}
\newcommand{\GroupSstar}[1]{\GroupS{#1}^{\ast}}
\newcommand{\SubgroupS}[1]{\GroupS{#1}^{\subgroupr}}
\newcommand{\SubgroupSstar}[1]{\GroupS{#1}^{\subgroupr\ast}}
\newcommand{\SubgroupReprS}{\MakeRepr{\GroupS{}}{\subgroupr}}
\newcommand{\CurveS}[1]{\Curve_{\GroupS{#1}}}
\newcommand{\ZeroS}[1]{\Zero_{\GroupS{#1}}}
\newcommand{\OneS}{\ParamS{\mathbf{1}}}
\newcommand{\GenS}[1]{\Generator_{\GroupS{#1}}}
\newcommand{\ellS}[1]{\ell_{\GroupS{#1}}}
\newcommand{\reprS}[1]{\repr_{\GroupS{#1}}}
@ -1559,14 +1570,15 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\PairingS}{\ParamS{\hat{e}}}
\newcommand{\MillerLoopS}{\ParamS{\mathsf{MillerLoop}}}
\newcommand{\FinalExpS}{\ParamS{\mathsf{FinalExp}}}
\newcommand{\GrothProofS}{\ParamS{\mathsf{GrothProof}}}
\newcommand{\GrothS}{\Groth_{\kern 0.05em\mathbb{S}}}
\newcommand{\GrothSProof}{\GrothS\mathsf{.Proof}}
\newcommand{\ParamJ}[1]{{{#1}_\mathbb{\hskip 0.01em J}}}
\newcommand{\ParamJexp}[2]{{{#1}_\mathbb{\hskip 0.01em J}\!}^{#2}}
\newcommand{\GroupJ}{\mathbb{J}}
\newcommand{\SubgroupJ}{\mathbb{J}_{\subgroupr}}
\newcommand{\SubgroupReprJ}{\SubgroupJ^{\ReprNoKern}}
\newcommand{\PrimeOrderJ}{\SubgroupJ \setminus \ZeroJ}
\newcommand{\SubgroupJ}{\GroupJ^{\subgroupr}}
\newcommand{\SubgroupJstar}{\GroupJ^{\subgroupr\ast}}
\newcommand{\SubgroupReprJ}{\MakeRepr{\GroupJ}{\subgroupr}}
\newcommand{\CurveJ}{\Curve_{\GroupJ}}
\newcommand{\ZeroJ}{\Zero_{\GroupJ}}
\newcommand{\GenJ}{\Generator_{\GroupJ}}
@ -1578,11 +1590,11 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\SignedScalarLimitJ}{\frac{\ParamJ{r}-1}{2}}
\newcommand{\ExtractJ}{\Extract_{\SubgroupJ}}
\newcommand{\GroupJHash}[1]{\GroupHash^{\SubgroupJ}_{#1}}
\newcommand{\GroupJHash}[1]{\GroupHash^{\SubgroupJstar}_{#1}}
\newcommand{\GroupJHashURSType}{\GroupJHash{}\mathsf{.URSType}}
\newcommand{\GroupJHashInput}{\GroupJHash{}\mathsf{.Input}}
\newcommand{\HashOutput}{\bytes{H}}
\newcommand{\FindGroupJHash}{\FindGroupHash^{\SubgroupJ}}
\newcommand{\FindGroupJHash}{\FindGroupHash^{\SubgroupJstar}}
\newcommand{\ParamM}[1]{{{#1}_\mathbb{\hskip 0.03em M}}}
\newcommand{\ParamMexp}[2]{{{#1}_\mathbb{\hskip 0.03em M}\!}^{#2}}
@ -2056,7 +2068,7 @@ $\sorted(S)$ means the sequence formed by sorting the elements
of $S$.
$\GF{n}$ means the finite field with $n$ elements, and
$\GFstar{n}$ means its group under multiplication.
$\GFstar{n}$ means its group under multiplication (which excludes $0$).
Where there is a need to make the distinction, we denote the unique
representative of $a \typecolon \GF{n}$ in the range $\range{0}{n-1}$
@ -2132,7 +2144,7 @@ i.e.
The $\scalarmult{k}{P}$ notation for scalar multiplication in a group is
defined in \crossref{abstractgroup}.
The convention of including a superscript $^{\Repr}$ in a variable name is used
The convention of affixing $\Repr$ to a variable name is used
for variables that denote bit-sequence representations of group elements.
The binary relations $<$, $\leq$, $=$, $\geq$, and $>$ have their conventional
@ -2705,7 +2717,7 @@ Let $\MerkleDepthSprout$, $\MerkleHashLengthSprout$,
$\RandomSeedLength$, $\PRFOutputLengthSprout$, $\hSigLength$, and $\NOld$ be as defined in \crossref{constants}.
\sapling{
Let $\GroupJ$, $\SubgroupJ$, $\ParamJ{r}$, and $\ellJ$ be as defined in \crossref{jubjub}.
Let $\GroupJ$, $\SubgroupJ$, $\SubgroupJstar$, $\ParamJ{r}$, and $\ellJ$ be as defined in \crossref{jubjub}.
} %sapling
\sprout{
@ -2751,10 +2763,10 @@ to derive the unique $\NoteAddressRand$ value for a \Sapling \note. It is also u
in the \spendStatement to confirm use of the correct $\NoteAddressRand$ value as an
input to \nullifier derivation. It is instantiated in \crossref{concretemixinghash}.
$\DiversifyHash \typecolon \DiversifierType \rightarrow \PrimeOrderJ$ is a \hashFunction
satisfying the Unlinkability security property described in \crossref{concretediversifyhash}.
It is used to derive a \diversifiedBase from a \diversifier in \crossref{saplingkeycomponents}.
It is instantiated in \crossref{concretediversifyhash}.
$\DiversifyHash \typecolon \DiversifierType \rightarrow \SubgroupJstar$ is a \hashFunction
instantiated in \crossref{concretediversifyhash}, and satisfying the Unlinkability
security property described in that section. It is used to derive a \diversifiedBase
from a \diversifier in \crossref{saplingkeycomponents}.
} %sapling
@ -3332,11 +3344,10 @@ A \representedGroup $\GroupG{}$ consists of:
\end{itemize}
\vspace{-1.5ex}
\notsprout{
Define $\SubgroupG$ as the order-$\ParamG{r}$ subgroup of $\GroupG{}$. Note that this includes $\ZeroG{}$.
Define $\SubgroupG{}$ as the order-$\ParamG{r}$ subgroup of $\GroupG{}$. Note that this includes $\ZeroG{}$.
For the set of points of order $\ParamG{r}$ (which excludes $\ZeroG{}$), we write $\SubgroupGstar{}$.
Define $\SubgroupReprG := \setof{\reprG{}(P) \typecolon \ReprG{} \suchthat P \in \SubgroupG}$.
}
Define $\SubgroupReprG := \setof{\reprG{}(P) \typecolon \ReprG{} \suchthat P \in \SubgroupG{}}$.
\vspace{0.5ex}
For $G \typecolon \GroupG{}$ we write $-G$ for the negation of $G$, such that
@ -3382,13 +3393,14 @@ efficiently computable left inverse.
\introlist
\subsubsection{Group Hash} \label{abstractgrouphash}
Given a represented group $\GroupG{}$ with prime-order subgroup $\SubgroupG$,
a \term{family of group hashes into\, $\SubgroupG$}, $\GroupGHash{}$, consists of:
Given a \representedSubgroup $\SubgroupG{}$, a \term{family of group hashes into\, $\SubgroupG{}$},
$\GroupGHash{}$, consists of:
\begin{itemize}
\item a type $\GroupGHashURSType$ of \uniformRandomStrings;
\item a type $\GroupGHashInput$ of inputs;
\item a function $\GroupGHash{} \typecolon \GroupGHashURSType \times \GroupGHashInput \rightarrow \SubgroupG$.
\vspace{-1ex}
\item a function $\GroupGHash{} \typecolon \GroupGHashURSType \times \GroupGHashInput \rightarrow \SubgroupG{}$.
\end{itemize}
In \crossref{concretegrouphashjubjub}, we instantiate a family of group hashes into
@ -3418,7 +3430,7 @@ not return $\bot$) as a random oracle.
a sequence of \emph{distinct} inputs $m_{\alln} \typecolon \typeexp{\GroupGHashInput}{n}$
and a sequence of nonzero $x_{\alln} \typecolon \typeexp{\GFstar{\ParamG{r}}}{n}$
such that $\ssum{i = 1}{n}\!\left(\scalarmult{x_i}{\GroupGHash{\URS}(m_i)}\right) = \ZeroG{}$.
\item Under the Discrete Logarithm assumption on $\GroupG{}$, a random oracle almost surely satisfies
\item Under the Discrete Logarithm assumption on $\SubgroupG{}$, a random oracle almost surely satisfies
Discrete Logarithm Independence.
\item Discrete Logarithm Independence implies \collisionResistance\!,
since a collision $(m_1, m_2)$ for $\GroupGHash{\URS}$ trivially gives a
@ -3445,23 +3457,22 @@ A \representedPairing $\GroupP{}$ consists of:
\begin{itemize}
\item a group order parameter $\ParamP{r} \typecolon \PosInt$ which must be prime;
\item two \representedGroups $\GroupP{1, 2}$, both of order $\ParamP{r}$;
\item a group $\GroupP{T}$ of order $\ParamP{r}$, written multiplicatively with operation\,
$\mult \typecolon \GroupP{T} \times \GroupP{T} \rightarrow \GroupP{T}$
and multiplicative identity $\ParamP{\mathbf{1}}$;
\item three generators $\GenG{1, 2, T}$ of the order-$\ParamG{r}$ subgroups of
$\GroupG{1, 2, T}$ respectively;
\item two \representedSubgroups $\SubgroupP{1, 2}$, both of order $\ParamP{r}$;
\item a group $\SubgroupP{T}$ of order $\ParamP{r}$, written multiplicatively with operation\,
$\mult \typecolon \SubgroupP{T} \times \SubgroupP{T} \rightarrow \SubgroupP{T}$
and group identity $\ParamP{\mathbf{1}}$;
\item three generators $\GenP{1, 2, T}$ of $\SubgroupP{1, 2, T}$ respectively;
\item a pairing function
$\PairingP \typecolon \GroupP{1} \times \GroupP{2} \rightarrow \GroupP{T}$
$\PairingP \typecolon \SubgroupP{1} \times \SubgroupP{2} \rightarrow \SubgroupP{T}$
satisfying:
\begin{itemize}
\item (Bilinearity)\; for all $a, b \typecolon \GFstar{r}$,
$P \typecolon \GroupP{1}$, and $Q \typecolon \GroupP{2}$,\;
$P \typecolon \SubgroupP{1}$, and $Q \typecolon \SubgroupP{2}$,\;
$\PairingP\Of{\scalarmult{a}{P}, \scalarmult{b}{Q}} = \PairingP\Of{P, Q}^{a \mult b}$;\, and
\item (Nondegeneracy)\; there does not exist $P \typecolon \GroupP{1} \setminus \ZeroP{1}$
such that for all $Q \typecolon \GroupP{2},\;
\PairingP(P, Q) = \ParamP{\mathbf{1}}$.
\item (Nondegeneracy)\; there does not exist $P \typecolon \SubgroupPstar{1}$
such that for all $Q \typecolon \SubgroupP{2},\;
\PairingP\Of{P, Q} = \OneP$.
\end{itemize}
\end{itemize}
@ -3632,7 +3643,7 @@ Let $\DiversifyHash$ be a \hashFunction, instantiated in \crossref{concretediver
Let $\SpendAuthSig$, instantiated in \crossref{concretespendauthsig},
be a \rerandomizableSignatureScheme.
Let $\reprJ$, $\SubgroupJ$, and $\SubgroupReprJ$ be as defined in \crossref{jubjub}, and
Let $\reprJ$, $\SubgroupJ$, $\SubgroupJstar$, and $\SubgroupReprJ$ be as defined in \crossref{jubjub}, and
let $\FindGroupJHash$ be as defined in \crossref{concretegrouphashjubjub}.
Let $\LEBStoOSP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$
@ -3661,7 +3672,7 @@ the \authProvingKey $\AuthProvePrivate \typecolon \GF{\ParamJ{r}}$, and the
If $\AuthSignPrivate = 0$, discard this key and repeat with a new $\SpendingKey$.
\vspace{1ex}
$\AuthSignPublic \typecolon \PrimeOrderJ$, $\AuthProvePublic \typecolon \SubgroupJ$, and
$\AuthSignPublic \typecolon \SubgroupJstar$, $\AuthProvePublic \typecolon \SubgroupJ$, and
the \incomingViewingKey $\InViewingKey \typecolon \InViewingKeyTypeSapling$ are then derived as:
\vspace{-0.5ex}
@ -3711,7 +3722,7 @@ be as defined in \crossref{concretegrouphashjubjub}. Define:
\end{cases}$
\item $\DefaultDiversifier(\sk \typecolon \SpendingKeyType) :=
\first\big(\fun{i \typecolon \byte}{\CheckDiversifier(\truncate{(\DiversifierLength/8)}(\PRFexpand{\sk}([3, i])))
\typecolon \maybe{(\PrimeOrderJ)}}\big)$.
\typecolon \maybe{\SubgroupJstar}}\big)$.
\end{formulae}
For a random \spendingKey, $\DefaultDiversifier$ returns $\bot$ with probability approximately $2^{-256}$;
@ -4408,15 +4419,15 @@ Instead of generating a key pair at random, we generate it as a function of the
and the \balancingValue.
\vspace{2ex}
Let $\SubgroupJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}.
Let $\SubgroupJ$, $\SubgroupJstar$, and $\ParamJ{r}$ be as defined in \crossref{jubjub}.
\introlist
Let $\ValueCommit{}$, $\ValueCommitValueBase$, and $\ValueCommitRandBase$
be as defined in \crossref{concretevaluecommit}:
\begin{formulae}
\item $\ValueCommit{} \typecolon \ValueCommitTrapdoor \times \ValueCommitType \rightarrow \ValueCommitOutput$;
\item $\ValueCommitValueBase \typecolon \PrimeOrderJ$ is the value base in $\ValueCommit{}$;
\item $\ValueCommitRandBase \typecolon \PrimeOrderJ$ is the randomness base in $\ValueCommit{}$.
\item $\ValueCommitValueBase \typecolon \SubgroupJstar$ is the value base in $\ValueCommit{}$;
\item $\ValueCommitRandBase \typecolon \SubgroupJstar$ is the randomness base in $\ValueCommit{}$.
\end{formulae}
$\BindingSig$, $\combplus$, and $\grpplus$ are instantiated in \crossref{concretebindingsig}.
@ -5852,7 +5863,7 @@ Let $c := 63$.
\introlist
\vspace{2ex}
Define $\PedersenGenAlg \typecolon \byteseq{8} \times \Nat \rightarrow \PrimeOrderJ$ by:
Define $\PedersenGenAlg \typecolon \byteseq{8} \times \Nat \rightarrow \SubgroupJstar$ by:
\begin{formulae}
\item $\PedersenGen{D}{i} := \FindGroupJHash\Of{D, \Justthebox{\gencountbox}}$.
@ -6358,11 +6369,11 @@ $\KASapling$ is a \keyAgreementScheme as specified in \crossref{abstractkeyagree
It is instantiated as Diffie-Hellman with cofactor multiplication on $\JubjubCurve$
as follows:
Let $\GroupJ$, $\SubgroupJ$, and the cofactor $\ParamJ{h}$ be as defined in \crossref{jubjub}.
Let $\GroupJ$, $\SubgroupJ$, $\SubgroupJstar$, and the cofactor $\ParamJ{h}$ be as defined in \crossref{jubjub}.
Define $\KASaplingPublic := \GroupJ$.
Define $\KASaplingPublicPrimeOrder := \PrimeOrderJ$.
Define $\KASaplingPublicPrimeOrder := \SubgroupJstar$.
Define $\KASaplingSharedSecret := \SubgroupJ$.
@ -6478,12 +6489,12 @@ We first describe the scheme $\RedDSA$ over a general \representedGroup.
Its parameters are:
\begin{itemize}
\item a \representedGroup $\GroupG{}$, which also defines
a subgroup $\SubgroupG$ of order $\ParamG{r}$, a cofactor $\ParamG{h}$,
a subgroup $\SubgroupG{}$ of order $\ParamG{r}$, a cofactor $\ParamG{h}$,
a group operation $+$, an additive identity $\ZeroG{}$,
a bit-length $\ellG{}$, a representation function $\reprG{}$,
and an abstraction function $\abstG{}$, as specified in
\crossref{abstractgroup};
\item $\GenG{}$, a generator of $\SubgroupG$;
\item $\GenG{}$, a generator of $\SubgroupG{}$;
\item a bit-length $\RedDSAHashLength \typecolon \Nat$ such that
$2^{\RedDSAHashLength-128} \geq \ParamG{r}$ and $\RedDSAHashLength \bmod 8 = 0$;
\item a cryptographic \hashFunction $\RedDSAHash \typecolon \byteseqs \rightarrow \byteseq{\RedDSAHashLength/8}$.
@ -6613,7 +6624,7 @@ The scheme $\RedJubjub$ specializes $\RedDSA$ with:
\item $\RedDSAHash(x) := \BlakeTwobOf{512}{\ascii{Zcash\_RedJubjubH}, x}$ as defined in \crossref{concreteblake2}.
\end{itemize}
The generator $\GenG{} \typecolon \SubgroupG$ is left as an unspecified parameter, which is different between
The generator $\GenG{} \typecolon \SubgroupG{}$ is left as an unspecified parameter, which is different between
$\BindingSig$ and $\SpendAuthSig$.
} %sapling
@ -6820,33 +6831,33 @@ Let $\ParamG{b} := 3$.
(\hairspace $\ParamG{q}$ and $\ParamG{r}$ are prime.)
Let $\GroupG{1}$ be the group of points on a Barreto--Naehrig (\cite{BN2005})
curve $\CurveG{1}$ over $\GF{\ParamG{q}}$ with equation $y^2 = x^3 + \ParamG{b}$.
Let $\SubgroupG{1}$ be the group (of order $\ParamG{r}$) of rational points on a
Barreto--Naehrig (\cite{BN2005}) curve $\CurveG{1}$ over $\GF{\ParamG{q}}$ with equation $y^2 = x^3 + \ParamG{b}$.
This curve has embedding degree 12 with respect to $\ParamG{r}$.
Let $\GroupG{2}$ be the subgroup of order $r$ in the sextic twist $\CurveG{2}$ of
$\GroupG{1}$ over $\GF{\ParamGexp{q}{2}}$ with equation $y^2 = x^3 + \frac{\ParamG{b}}{\xi}$,
Let $\SubgroupG{2}$ be the subgroup of order $\ParamG{r}$ in the sextic twist $\CurveG{2}$ of
$\CurveG{1}$ over $\GF{\ParamGexp{q}{2}}$ with equation $y^2 = x^3 + \frac{\ParamG{b}}{\xi}$,
where $\xi \typecolon \GF{\ParamGexp{q}{2}}$.
We represent elements of $\GF{\ParamGexp{q}{2}}$ as polynomials
$a_1 \mult t + a_0 \typecolon \GF{\ParamG{q}}[t]$, modulo the irreducible polynomial
$t^2 + 1$; in this representation, $\xi$ is given by $t + 9$.
Let $\GroupG{T}$ be the subgroup of $\ParamGexp{r}{\mathrm{th}}$ roots of unity in
$\GFstar{\ParamGexp{q}{12}}$.
Let $\SubgroupG{T}$ be the subgroup of $\ParamGexp{r}{\mathrm{th}}$ roots of unity in
$\GFstar{\ParamGexp{q}{12}}$, with multiplicative identity $\OneG$.
Let $\PairingG$ be the optimal ate pairing (see \cite{Vercauter2009} and \cite[section 2]{AKLGL2010}) of type
$\GroupG{1} \times \GroupG{2} \rightarrow \GroupG{T}$.
$\SubgroupG{1} \times \SubgroupG{2} \rightarrow \SubgroupG{T}$.
For $i \typecolon \range{1}{2}$, let $\ZeroG{i}$ be the point at infinity
(which is the additive identity) in $\GroupG{i}$, and let
$\GroupGstar{i} := \GroupG{i} \setminus \setof{\ZeroG{i}}$.
(which is the additive identity) in $\SubgroupG{i}$, and let
$\SubgroupGstar{i} := \SubgroupG{i} \setminus \setof{\ZeroG{i}}$.
Let $\GenG{1} \typecolon \GroupGstar{1} := (1, 2)$.
Let $\GenG{1} \typecolon \SubgroupGstar{1} := (1, 2)$.
\vspace{-1ex}
\begin{tabular}{@{}l@{}r@{}l@{}}
Let $\GenG{2} \typecolon \GroupGstar{2} :=\;$
Let $\GenG{2} \typecolon \SubgroupGstar{2} :=\;$
% are these the right way round?
&$(11559732032986387107991004021392285783925812861821192530917403151452391805634$ & $\,\mult\, t\;+$ \\
&$ 10857046999023057135944570762232829481370756359578518086990519993285655852781$ & $, $ \\
@ -6854,8 +6865,7 @@ Let $\GenG{2} \typecolon \GroupGstar{2} :=\;$
&$ 8495653923123431417604973247489272438418190587263600148770280649306958101930$ & $). $
\end{tabular}
$\GenG{1}$ and $\GenG{2}$ are generators of the order-$\ParamG{r}$ subgroups of
$\GroupG{1}$ and $\GroupG{2}$ respectively.
$\GenG{1}$ and $\GenG{2}$ are generators of $\SubgroupG{1}$ and $\SubgroupG{2}$ respectively.
\newsavebox{\gonebox}
\begin{lrbox}{\gonebox}
@ -6893,7 +6903,7 @@ Define $\ItoBEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell}
\bitseq{\ell}$ as in \crossref{endian}.
\introlist
For a point $P \typecolon \GroupGstar{1} = (\xP, \yP)$:
For a point $P \typecolon \SubgroupGstar{1} = (\xP, \yP)$:
\begin{itemize}
\item The field elements $\xP$ and $\yP \typecolon \GF{q}$ are represented as
@ -6903,7 +6913,7 @@ For a point $P \typecolon \GroupGstar{1} = (\xP, \yP)$:
\end{itemize}
\introlist
For a point $P \typecolon \GroupGstar{2} = (\xP, \yP)$:
For a point $P \typecolon \SubgroupGstar{2} = (\xP, \yP)$:
\begin{itemize}
\item Define $\FEtoIP \typecolon \GF{\ParamG{q}}[t] / (t^2 + 1) \rightarrow
@ -6918,24 +6928,24 @@ For a point $P \typecolon \GroupGstar{2} = (\xP, \yP)$:
\end{itemize}
\begin{nnotes}
\item The use of big-endian order by $\ItoBEBSP{}$ is different from the encoding
of most other integers in this protocol.
The encodings for $\GroupGstar{1, 2}$ are consistent with the
definition of $\ECtoOSP{}$ for compressed curve points in
\cite[section 5.5.6.2]{IEEE2004}. The LSB compressed form
(i.e.\ $\ECtoOSPXL$) is used for points in $\GroupGstar{1}$,
and the SORT compressed form (i.e.\ $\ECtoOSPXS$) for points in
$\GroupGstar{2}$.
\item The points at infinity $\ZeroG{1, 2}$ never occur in proofs and
have no defined encodings in this protocol.
\item Testing $y > y'$ for the compression of $\GroupGstar{2}$ points is equivalent
\item A rational point $P \neq \ZeroG{2}$ on the curve $\CurveG{2}$ can be
verified to be of order $\ParamG{r}$, and therefore in $\SubgroupGstar{2}$,
by checking that $\ParamG{r} \mult P = \ZeroG{2}$.
\item The use of big-endian order by $\ItoBEBSP{}$ is different from the encoding
of most other integers in this protocol.
The encodings for $\SubgroupGstar{1, 2}$ are consistent with the
definition of $\ECtoOSP{}$ for compressed curve points in
\cite[section 5.5.6.2]{IEEE2004}. The LSB compressed form
(i.e.\ $\ECtoOSPXL$) is used for points in $\SubgroupGstar{1}$,
and the SORT compressed form (i.e.\ $\ECtoOSPXS$) for points in
$\SubgroupGstar{2}$.
\item Testing $y > y'$ for the compression of $\SubgroupGstar{2}$ points is equivalent
to testing whether $(a_{y,1}, a_{y,0}) > (a_{-y,1}, a_{-y,0})$ in lexicographic order.
\item Algorithms for decompressing points from the above encodings are
given in \cite[Appendix A.12.8]{IEEE2000} for $\GroupGstar{1}$, and
\cite[Appendix A.12.11]{IEEE2004} for $\GroupGstar{2}$.
\item A rational point $P \neq \ZeroG{2}$ on the curve $\CurveG{2}$ can be
verified to be of order $\ParamG{r}$, and therefore in $\GroupGstar{2}$,
by checking that $\ParamG{r} \mult P = \ZeroG{2}$.
given in \cite[Appendix A.12.8]{IEEE2000} for $\SubgroupGstar{1}$, and
\cite[Appendix A.12.11]{IEEE2004} for $\SubgroupGstar{2}$.
\end{nnotes}
When computing square roots in $\GF{\ParamG{q}}$ or $\GF{\ParamGexp{q}{2}}$ in
@ -6983,32 +6993,32 @@ Let $\ParamS{b} := 4$.
(\hairspace $\ParamS{q}$ and $\ParamS{r}$ are prime.)
Let $\GroupS{1}$ be the group of points on a Barreto--Lynn--Scott (\cite{BLS2002})
curve $\CurveS{1}$ over $\GF{\ParamS{q}}$ with equation $y^2 = x^3 + \ParamS{b}$.
This curve has embedding degree 12 with respect to $\ParamS{r}$.
Let $\SubgroupS{1}$ be the subgroup of order $\ParamS{r}$ of the group of rational points
on a Barreto--Lynn--Scott (\cite{BLS2002}) curve $\CurveS{1}$ over $\GF{\ParamS{q}}$ with
equation $y^2 = x^3 + \ParamS{b}$. This curve has embedding degree 12 with respect to $\ParamS{r}$.
Let $\GroupS{2}$ be the subgroup of order $\ParamS{r}$ in the sextic twist $\CurveS{2}$ of
$\GroupS{1}$ over $\GF{\ParamSexp{q}{2}}$ with equation $y^2 = x^3 + 4(i + 1)$, where
Let $\SubgroupS{2}$ be the subgroup of order $\ParamS{r}$ in the sextic twist $\CurveS{2}$ of
$\CurveS{1}$ over $\GF{\ParamSexp{q}{2}}$ with equation $y^2 = x^3 + 4(i + 1)$, where
$i \typecolon \GF{\ParamSexp{q}{2}}$.
We represent elements of $\GF{\ParamSexp{q}{2}}$ as polynomials
$a_1 \mult t + a_0 \typecolon \GF{\ParamS{q}}[t]$, modulo the irreducible polynomial
$t^2 + 1$; in this representation, $i$ is given by $t$.
Let $\GroupS{T}$ be the subgroup of $\ParamSexp{r}{\mathrm{th}}$ roots of unity in
$\GFstar{\ParamSexp{q}{12}}$.
Let $\SubgroupS{T}$ be the subgroup of $\ParamSexp{r}{\mathrm{th}}$ roots of unity in
$\GFstar{\ParamSexp{q}{12}}$, with multiplicative identity $\OneS$.
Let $\PairingS$ be the optimal ate pairing of type
$\GroupS{1} \times \GroupS{2} \rightarrow \GroupS{T}$.
$\SubgroupS{1} \times \SubgroupS{2} \rightarrow \SubgroupS{T}$.
For $i \typecolon \range{1}{2}$, let $\ZeroS{i}$ be the point at infinity in $\GroupS{i}$,
and let $\GroupSstar{i} := \GroupS{i} \setminus \setof{\ZeroS{i}}$.
For $i \typecolon \range{1}{2}$, let $\ZeroS{i}$ be the point at infinity in $\SubgroupS{i}$,
and let $\SubgroupSstar{i} := \SubgroupS{i} \setminus \setof{\ZeroS{i}}$.
\introlist
Let $\GenS{1} \typecolon \GroupSstar{1} := (1, 2)$.
Let $\GenS{1} \typecolon \SubgroupSstar{1} := (1, 2)$.
\begin{tabular}{@{}l@{}r@{}l@{}}
Let $\GenS{2} \typecolon \GroupSstar{2} :=\;$
Let $\GenS{2} \typecolon \SubgroupSstar{2} :=\;$
% are these the right way round?
&$(11559732032986387107991004021392285783925812861821192530917403151452391805634$ & $\,\mult\, t\;+$ \\
&$ 10857046999023057135944570762232829481370756359578518086990519993285655852781$ & $, $ \\
@ -7016,13 +7026,13 @@ Let $\GenS{2} \typecolon \GroupSstar{2} :=\;$
&$ 8495653923123431417604973247489272438418190587263600148770280649306958101930$ & $). $
\end{tabular}
$\GenS{1}$ and $\GenS{2}$ are generators of $\GroupS{1}$ and $\GroupS{2}$ respectively.
$\GenS{1}$ and $\GenS{2}$ are generators of $\SubgroupS{1}$ and $\SubgroupS{2}$ respectively.
Define $\ItoBEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow
\bitseq{\ell}$ as in \crossref{endian}.
\introlist
For a point $P \typecolon \GroupSstar{1} = (\xP, \yP)$:
For a point $P \typecolon \SubgroupSstar{1} = (\xP, \yP)$:
\begin{itemize}
\item The field elements $\xP$ and $\yP \typecolon \GF{\ParamS{q}}$ are represented as
@ -7035,7 +7045,7 @@ For a point $P \typecolon \GroupSstar{1} = (\xP, \yP)$:
\end{itemize}
\introlist
For a point $P \typecolon \GroupSstar{2} = (\xP, \yP)$:
For a point $P \typecolon \SubgroupSstar{2} = (\xP, \yP)$:
\begin{itemize}
\item Define $\FEtoIPP \typecolon \GF{\ParamS{q}}[t] / (t^2 + 1) \rightarrow
@ -7050,14 +7060,14 @@ For a point $P \typecolon \GroupSstar{2} = (\xP, \yP)$:
\end{itemize}
\begin{nnotes}
\item The encodings for $\GroupSstar{1, 2}$ are specific to \Zcash.
\item The points at infinity $\ZeroS{1, 2}$ never occur in proofs and
have no defined encodings in this protocol.
\item The encodings for $\SubgroupSstar{1, 2}$ are specific to \Zcash.
\item Algorithms for decompressing points from the encodings of
$\GroupSstar{1, 2}$ are defined analogously to those for
$\GroupGstar{1, 2}$ in \crossref{bnpairing}, taking into account that
$\SubgroupSstar{1, 2}$ are defined analogously to those for
$\SubgroupGstar{1, 2}$ in \crossref{bnpairing}, taking into account that
the SORT compressed form (not the LSB compressed form) is used
for $\GroupGstar{1}$.
for $\SubgroupSstar{1}$.
\item A rational point $P \neq \ZeroS{2}$ on the curve $\CurveS{2}$ can be
verified to be of order $\ParamS{r}$, and therefore in $\GroupSstar{2}$,
by checking that $\ParamS{r} \mult P = \ZeroS{2}$.
@ -7108,7 +7118,7 @@ be the left inverse of $\reprJ$ such that if $S$ is not in the range of
$\reprJ$, then $\abstJ\Of{S} = \bot$.
Define $\SubgroupJ$ as the order-$\ParamJ{r}$ subgroup of $\GroupJ$. Note that this includes $\ZeroJ$.
For the set of prime-order points we write $\PrimeOrderJ$.
For the set of points of order $\ParamJ{r}$ (which excludes $\ZeroJ$), we write $\SubgroupJstar$.
Define $\SubgroupReprJ := \setof{\reprJ(P) \typecolon \ReprJ \suchthat P \in \SubgroupJ}$.
@ -7210,14 +7220,14 @@ Let $\BlakeTwos{256}$ be as defined in \crossref{concreteblake2}.
Let $\LEOStoIP{}$ be as defined in \crossref{endian}.
Let $\abstJ$ be as defined in \crossref{jubjub}.
Let $\SubgroupJ$, $\SubgroupJstar$, and $\abstJ$ be as defined in \crossref{jubjub}.
\vspace{1ex}
Let $D \typecolon \byteseq{8}$ be an $8$-byte domain separator, and
let $M \typecolon \byteseqs$ be the hash input.
\introlist
The hash $\GroupJHash{\URS}(D, M) \typecolon \PrimeOrderJ$ is calculated as follows:
The hash $\GroupJHash{\URS}(D, M) \typecolon \SubgroupJstar$ is calculated as follows:
\begin{algorithm}
\item let $\HashOutput = \BlakeTwos{256}(D,\, \URS \bconcat\, M)$
@ -7241,13 +7251,13 @@ The hash $\GroupJHash{\URS}(D, M) \typecolon \PrimeOrderJ$ is calculated as foll
is injective, and both it and its inverse are efficiently computable.
$\exclusivefun{P \typecolon \GroupJ}
{\scalarmult{\ParamJ{h}}{P} \typecolon \PrimeOrderJ}{\ZeroJ}$
{\scalarmult{\ParamJ{h}}{P} \typecolon \SubgroupJstar}{\ZeroJ}$
is exactly $\ParamJ{h}$-to-$1$, and both it and its inverse relation are efficiently computable.
It follows that when $\fun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)}
{\BlakeTwosOf{256}{D,\, \URS \bconcat\, M}\! \typecolon \byteseq{32}}$
is modelled as a random oracle, $\exclusivefun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)}
{\GroupJHash{\URS}(D, M) \typecolon \PrimeOrderJ}{\bot}$ also acts as a random oracle.
{\GroupJHash{\URS}\big(D, M\big) \typecolon \SubgroupJstar}{\bot}$ also acts as a random oracle.
\end{pnotes}
\vspace{0.5ex}
@ -7256,7 +7266,7 @@ so that $\first(f) = f(i)$ where $i$ is the least integer in $\byte$
such that $f(i) \neq \bot$, or $\bot$ if no such $i$ exists.
Define $\FindGroupJHash(D, M) :=
\first(\fun{i \typecolon \byte}{\GroupJHash{\URS}(D, M \bconcat\, [i]) \typecolon \maybe{(\PrimeOrderJ)}})$.
\first(\fun{i \typecolon \byte}{\GroupJHash{\URS}\Of{D, M \bconcat\, [i]} \typecolon \maybe{\SubgroupJstar}})$.
\vspace{-3ex}
\pnote{For random input, $\FindGroupJHash$ returns $\bot$ with probability approximately $2^{-256}$.
@ -7276,15 +7286,15 @@ computation of a \defaultDiversifiedPaymentAddress in \crossref{saplingkeycompon
with the $\PHGR$ \provingSystem described in \cite{BCTV2015}, which is a refinement of
the systems in \cite{PHGR2013} and \cite{BCGTV2013}.
A $\PHGR$ proof consists of a tuple
$(\Proof{A} \typecolon \GroupGstar{1},\,
\Proof{A}' \typecolon \GroupGstar{1},\,
\Proof{B} \typecolon \GroupGstar{2},\,
\Proof{B}' \typecolon \GroupGstar{1},\,
\Proof{C} \typecolon \GroupGstar{1},\,
\Proof{C}' \typecolon \GroupGstar{1},\,
\Proof{K} \typecolon \GroupGstar{1},\,
\Proof{H} \typecolon \GroupGstar{1})$.
A $\PHGR$ proof consists of
$(\Proof{A} \typecolon \SubgroupGstar{1},\,
\Proof{A}' \typecolon \SubgroupGstar{1},\,
\Proof{B} \typecolon \SubgroupGstar{2},\,
\Proof{B}' \typecolon \SubgroupGstar{1},\,
\Proof{C} \typecolon \SubgroupGstar{1},\,
\Proof{C}' \typecolon \SubgroupGstar{1},\,
\Proof{K} \typecolon \SubgroupGstar{1},\,
\Proof{H} \typecolon \SubgroupGstar{1})$.
It is computed as described in \cite[Appendix B]{BCTV2015}, using the pairing parameters
specified in \crossref{bnpairing}.
@ -7336,8 +7346,8 @@ verifier \MUST check, for the encoding of each element, that:
\item the remaining bytes encode a big-endian representation of an integer in
$\range{0}{\ParamS{q}\!-\!1}$ or (in the case of $\Proof{B}$)
$\range{0}{\ParamSexp{q}{2}\!-\!1}$;
\item the encoding represents a point in $\GroupGstar{1}$ or (in the case of
$\Proof{B}$) $\GroupGstar{2}$, including checking that it is of order
\item the encoding represents a point in $\SubgroupGstar{1}$ or (in the case of
$\Proof{B}$) $\SubgroupGstar{2}$, including checking that it is of order
$\ParamG{r}$ in the latter case.
\end{itemize}
@ -7360,10 +7370,10 @@ After \Sapling activation, \Zcash uses \zkSNARKs with the \provingSystem describ
for proofs both in \Sprout \joinSplitDescriptions, and in \Sapling \spendDescriptions and
\outputDescriptions. They are generated by the \bellman library \cite{Bowe-bellman}.
A $\Groth$ proof consists of a tuple
$(\Proof{A} \typecolon \GroupSstar{1},\,
\Proof{B} \typecolon \GroupSstar{2},\,
\Proof{C} \typecolon \GroupSstar{1})$.
A $\Groth$ proof consists of
$(\Proof{A} \typecolon \SubgroupSstar{1},\,
\Proof{B} \typecolon \SubgroupSstar{2},\,
\Proof{C} \typecolon \SubgroupSstar{1})$.
It is computed as described in \cite{Groth2016}, using the pairing parameters specified
in \crossref{blspairing}.
@ -7401,8 +7411,8 @@ verifier \MUST check, for the encoding of each element, that:
\item the remaining bits encode a big-endian representation of an integer
in $\range{0}{\ParamS{q}\!-\!1}$ or (in the case of $\Proof{B}$) two integers in
that range;
\item the encoding represents a point in $\GroupSstar{1}$ or (in the case of $\Proof{B}$)
$\GroupSstar{2}$, including checking that it is of order $\ParamS{r}$
\item the encoding represents a point in $\SubgroupSstar{1}$ or (in the case of $\Proof{B}$)
$\SubgroupSstar{2}$, including checking that it is of order $\ParamS{r}$
in the latter case.
\end{itemize}
}
@ -7777,7 +7787,7 @@ For \incomingViewingKeys on the test network, the \humanReadablePart is \ascii{z
\sapling{
\subsubsection{\Sapling \FullViewingKeys} \label{saplingfullviewingkeyencoding}
A \Sapling \fullViewingKey consists of $\AuthSignPublic \typecolon \PrimeOrderJ$,
A \Sapling \fullViewingKey consists of $\AuthSignPublic \typecolon \SubgroupJstar$,
$\AuthProvePublic \typecolon \SubgroupJ$, and $\OutViewingKey \typecolon \byteseq{\OutViewingKeyLength/8}$.
$\AuthSignPublic$ and $\AuthProvePublic$ are points on the \jubjubCurve
@ -7802,7 +7812,7 @@ The raw encoding of a \fullViewingKey consists of:
\end{itemize}
When decoding this representation, the key is not valid if $\abstJ$ returns $\bot$
for either $\AuthSignPublic$ or $\AuthProvePublic$, or if $\AuthSignPublic \notin \PrimeOrderJ$,
for either $\AuthSignPublic$ or $\AuthProvePublic$, or if $\AuthSignPublic \notin \SubgroupJstar$,
or if $\AuthProvePublic \notin \SubgroupJ$.
For \incomingViewingKeys on the production network, the \humanReadablePart is \ascii{zviews}.
@ -9568,6 +9578,24 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\intropart
\section{Change History}
\subparagraph{2018.0-beta-27}
\begin{itemize}
\item No changes to \Sprout.
\sapling{
\item Notational changes:
\begin{itemize}
\item Use a superscript $^{\subgroupr}$ to mark the subgroup order, instead of a
subscript.
\item Use $\SubgroupGstar{}$ for the set of $\ParamG{r}$-order points in $\GroupG{}$.
\item Mark the subgroup order in pairing groups, e.g. use $\SubgroupG{1}$ instead
of $\GroupG{1}$.
\item Make the bit-representation indicator $\Repr$ an affix instead of a superscript.
\end{itemize}
} %sapling
\end{itemize}
\introlist
\subparagraph{2018.0-beta-26}
\begin{itemize}
@ -9665,7 +9693,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\item Acknowledge Tomas Sander and Amnon TaShma for \cite{ST1999}.
\item Acknowledge Kudelski Security's audit.
\sapling{
\item Use the more precise subgroup types $\SubgroupG$ and $\SubgroupJ$ in preference to
\item Use the more precise subgroup types $\SubgroupG{}$ and $\SubgroupJ$ in preference to
$\GroupG{}$ and $\GroupJ$ where applicable.
\item Change the types of \auxiliaryInputs to the \spendStatement and \outputStatement, to be more
faithful to the implementation.
@ -11358,7 +11386,7 @@ cryptanalytic attention to confidently use them for \Sapling.
The reference verification algorithm for $\RedDSA$ signatures is defined in \crossref{concretereddsa}.
Let the $\RedDSA$ parameters $\GroupG{}$ (defining a subgroup $\SubgroupG$ of order $\ParamG{r}$,
Let the $\RedDSA$ parameters $\GroupG{}$ (defining a subgroup $\SubgroupG{}$ of order $\ParamG{r}$,
a cofactor $\ParamG{h}$, a group operation $+$, an additive identity $\ZeroG{}$, a bit-length $\ellG{}$,
a representation function $\reprG{}$, and an abstraction function $\abstG{}$); $\GenG{} \typecolon \GroupG{}$;
$\RedDSAHashLength \typecolon \Nat$; $\RedDSAHash \typecolon \byteseqs \rightarrow \byteseq{\RedDSAHashLength/8}$;
@ -11380,33 +11408,33 @@ Define $\RedDSABatchEntry := \RedDSAPublic \times \RedDSAMessage \times \RedDSAS
Define $\RedDSABatchVerify \typecolon (\Entry{\barerange{0}{N-1}} \typecolon \typeexp{\RedDSABatchEntry}{N})
\rightarrow \bit$ as:
\begin{algorithm}
\item For each $i \in \range{0}{N-1}$:
\item \tab Let $(\vk_i, M_i, \sigma_i) = \Entry{i}$.
\item \tab Let $\RedDSAReprR{i}$ be the first $\ceiling{\ellG{}/8}$ bytes of $\sigma_i$, and
let $\RedDSAReprS{i}$ be the remaining $\ceiling{\bitlength(\ParamG{r})/8}$ bytes.
\item \tab Let $\RedDSASigR{i} = \abstG{}\big(\LEOStoBSP{\ellG{}}(\RedDSAReprR{i})\kern-0.15em\big)$, and
let $\RedDSASigS{i} = \LEOStoIP{\bitlength(\ParamG{r})}(\RedDSAReprS{i})$.
\item \tab Let $\vkBytes{i} = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\vk_i}\kern 0.05em}$.
\item \tab Let $\RedDSASigc{i} = \RedDSAHashToScalar(\RedDSAReprR{i} \bconcat \vkBytes{i} \bconcat M_i)$.
\item For each $j \in \range{0}{N-1}$:
\item \tab Let $(\vk_j, M_j, \sigma_j) = \Entry{j}$.
\item \tab Let $\RedDSAReprR{j}$ be the first $\ceiling{\ellG{}/8}$ bytes of $\sigma_j$, and
let $\RedDSAReprS{j}$ be the remaining $\ceiling{\bitlength(\ParamG{r})/8}$ bytes.
\item \tab Let $\RedDSASigR{j} = \abstG{}\big(\LEOStoBSP{\ellG{}}(\RedDSAReprR{j})\kern-0.12em\big)$, and
let $\RedDSASigS{j} = \LEOStoIP{\bitlength(\ParamG{r})}(\RedDSAReprS{j})$.
\item \tab Let $\vkBytes{j} = \LEBStoOSPOf{\ellG{}}{\reprG{}(\vk_j)\kern-0.1em}$.
\item \tab Let $\RedDSASigc{j} = \RedDSAHashToScalar(\RedDSAReprR{j} \bconcat \vkBytes{j} \bconcat M_j)$.
\vspace{1ex}
\item \tab Choose random $z_i \typecolon \GF{\ParamG{r}} \leftarrowR \range{1}{2^{128}-1}$.
\item \tab Choose random $z_j \typecolon \GF{\ParamG{r}} \leftarrowR \range{1}{2^{128}-1}$.
\item \vspace{-2ex}
\item Return $1$ if
\vspace{1ex}
\begin{itemize}
\item for all $i \in \range{0}{N-1}$, $\RedDSASigR{i} \neq \bot$ and $\RedDSASigS{i} < \ParamG{r}$; and
\item $\scalarmult{\ParamG{h}}{\left(\bigscalarmult{\ssum{i=0}{N-1}{(z_i \mult \RedDSASigS{i})
\item for all $j \in \range{0}{N-1}$, $\RedDSASigR{j} \neq \bot$ and $\RedDSASigS{j} < \ParamG{r}$; and
\item $\scalarmult{\ParamG{h}}{\left(\bigscalarmult{\ssum{j=0}{N-1}{(z_j \mult \RedDSASigS{j})
\pmod{\ParamG{r}}}}{\GenG{}} +
\ssum{i=0}{N-1}{\big(\scalarmult{z_i}{\RedDSASigR{i}} +
\scalarmult{z_i \mult \RedDSASigc{i}
\pmod{\ParamG{r}}}{\vk_i}\big)}\!\right)}
\ssum{j=0}{N-1}{\big(\scalarmult{z_j}{\RedDSASigR{j}} +
\scalarmult{z_j \mult \RedDSASigc{j}
\pmod{\ParamG{r}}}{\vk_j}\big)}\!\right)}
= \ZeroG{}$,
\end{itemize}
\vspace{-0.5ex}
otherwise $0$.
\end{algorithm}
The $z_i$ values \MUST be chosen independently of the batch entries.
The $z_j$ values \MUST be chosen independently of the batch entries.
The performance benefit of this approach arises partly from replacing the per-signature
scalar multiplication of the base $\GenG{}$ with one such multiplication per batch,
@ -11418,7 +11446,7 @@ as Pippinger's method \cite{Bernstein2001} or the Bos--Coster method \cite{deRoo
binding signatures (\crossref{concretebindingsig}) use different bases $\raisedstrut\GenG{}$.
It is straightforward to adapt the above procedure to handle multiple bases;
there will be one
$\bigscalarmult{\ssum{i}{}{(z_i \mult \RedDSASigS{i}) \pmod{\ParamG{r}}}}{\Generator}$ term for each base $\Generator$.
$\bigscalarmult{\ssum{j}{}{(z_j \mult \RedDSASigS{j}) \pmod{\ParamG{r}}}}{\Generator}$ term for each base $\Generator$.
The benefit of this relative to using separate batches is that the multiscalar multiplication
can be extended across a larger batch.} %pnote
@ -11429,12 +11457,12 @@ can be extended across a larger batch.} %pnote
The reference verification algorithm for $\Groth$ proofs is defined in \crossref{groth}.
Let $\ParamS{q}$, $\ParamS{r}$, $\GroupS{1, 2, T}$, $\GroupSstar{1, 2, T}$, $\GenS{1, 2, T}$,
and $\PairingS$ be as defined in \crossref{blspairing}.
Let $\ParamS{q}$, $\ParamS{r}$, $\SubgroupS{1, 2, T}$, $\SubgroupSstar{1, 2, T}$, $\GenS{1, 2, T}$,
$\OneS$, and $\PairingS$ be as defined in \crossref{blspairing}.
Define $\MillerLoopS \typecolon \GroupS{1} \times \GroupS{2} \rightarrow \GroupS{T}$
and $\FinalExpS \typecolon \GroupS{T} \rightarrow \GroupS{T}$ to be the Miller loop and
final exponentiation respectively of the pairing computation, so that:
Define $\MillerLoopS \typecolon \SubgroupS{1} \times \SubgroupS{2} \rightarrow \SubgroupS{T}$
and $\FinalExpS \typecolon \SubgroupS{T} \rightarrow \SubgroupS{T}$ to be the Miller loop and
final exponentiation respectively of the $\PairingS$ pairing computation, so that:
\begin{formulae}
\item $\PairingS\Of{P, Q} = \FinalExpS\Of{\MillerLoopS\Of{P, Q}\kern 0.05em}$
\end{formulae}
@ -11442,9 +11470,9 @@ final exponentiation respectively of the pairing computation, so that:
where $\FinalExpS\Of{R} = R^{t}$ for some fixed $t$.
\vspace{2ex}
Define $\GrothProofS := \GroupSstar{1} \times \SubgroupSstar{2} \times \GroupSstar{1}$.
Define $\GrothSProof := \SubgroupSstar{1} \times \SubgroupSstar{2} \times \SubgroupSstar{1}$.
A $\Groth$ proof consists of a tuple $(\Proof{A}, \Proof{B}, \Proof{C}) \typecolon \GrothProofS$.
A $\GrothS$ proof consists of a tuple $(\Proof{A}, \Proof{B}, \Proof{C}) \typecolon \GrothSProof$.
Verification of a single $\Groth$ proof requires checking the equation
\vspace{-0.5ex}
@ -11469,7 +11497,7 @@ Raising to the power of random $z \neq 0$ gives:
\end{formulae}
\vspace{1ex}
This justifies the following optimized procedure for performing faster verification of a batch of $\Groth$ proofs.
This justifies the following optimized procedure for performing faster verification of a batch of $\GrothS$ proofs.
Implementations \MAY use this procedure to determine whether all proofs in a batch are valid.
\introlist