Type corrections and precision improvements. Also add more cross-references.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2018-06-04 18:22:24 +01:00
parent 4035e4c5e0
commit 8abebf4296
1 changed files with 154 additions and 100 deletions


@ -752,6 +752,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ones}[1]{[1]^{#1}}
\newcommand{\bit}{\mathbb{B}}
\newcommand{\overlap}[2]{\rlap{#2}\hspace{#1}{#2}}
\newcommand{\plap}[2]{\rlap{\hphantom{#2}}{#1}}
\newcommand{\byte}{\mathbb{B}\kern -0.1em\raisebox{0.55ex}{\overlap{0.0001em}{\scalebox{0.7}{$\mathbb{Y}$}}}}
\newcommand{\Nat}{\mathbb{N}}
\newcommand{\PosInt}{\mathbb{N}^+}
@ -994,14 +995,12 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\PRFpk}[1]{\PRF{#1}{pk}}
\newcommand{\PRFrho}[1]{\PRF{#1}{\NoteAddressRand}}
\newcommand{\PRFnfSapling}[1]{\PRF{#1}{nf\kern-0.01em Sapling}}
\newcommand{\PRFOutputLength}{\mathsf{\ell_{PRF}}}
\newcommand{\PRFOutput}{\bitseq{\PRFOutputLength}}
\newcommand{\PRFOutputLengthSprout}{\mathsf{\ell_{PRF\notsprout{Sprout}}}}
\newcommand{\PRFOutputSprout}{\bitseq{\PRFOutputLengthSprout}}
\newcommand{\PRFOutputLengthNfSapling}{\mathsf{\ell_{PRFnfSapling}}}
\newcommand{\PRFOutputNfSapling}{\bitseq{\PRFOutputLengthNfSapling}}
\newcommand{\PRFOutputLengthExpand}{\mathsf{\ell_{PRFexpand}}}
\newcommand{\PRFOutputExpand}{\bitseq{\PRFOutputLengthExpand}}
\newcommand{\PRFOutputExpand}{\byteseq{\PRFOutputLengthExpand/8}}
\newcommand{\PRFInputExpand}{\byteseq{\barerange{1}{2}}}
% Commitments
@ -1463,6 +1462,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\SelectuOf}[1]{\Selectu\!\left({#1}\right)\!}
\newcommand{\Selectv}{\scalebox{1.53}{$\varv$}}
\newcommand{\SelectvOf}[1]{\Selectv\!\left({#1}\right)\!}
\newcommand{\subgroupr}{(\kern-0.075emr\kern-0.075em)}
\newcommand{\ParamP}[1]{{{#1}_\mathbb{P}}}
\newcommand{\ParamPexp}[2]{{{#1}_\mathbb{P}\!}^{#2}}
@ -1480,9 +1480,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ParamGexp}[2]{{{#1}_\mathbb{G}\!}^{#2}}
\newcommand{\GroupG}[1]{\mathbb{G}_{#1}}
\newcommand{\GroupGstar}[1]{\mathbb{G}^\ast_{#1}}
\newcommand{\SubgroupG}{\mathbb{G}_{r}}
\newcommand{\SubgroupG}{\mathbb{G}_{\subgroupr}}
\newcommand{\SubgroupReprG}{\SubgroupG^{\ReprNoKern}}
\newcommand{\GroupGHash}[1]{\mathsf{GroupHash}^\GroupG{#1}}
\newcommand{\GroupGHash}[1]{\mathsf{GroupHash}^{\SubgroupG}_{#1}}
\newcommand{\CurveG}[1]{\Curve_{\GroupG{#1}}}
\newcommand{\ZeroG}[1]{\Zero_{\GroupG{#1}}}
\newcommand{\GenG}[1]{\Generator_{\GroupG{#1}}}
@ -1493,7 +1493,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\abstG}[1]{\abst_{\GroupG{#1}}}
\newcommand{\abstGOf}[2]{\abstG{#1}\!\left({#2}\right)\!}
\newcommand{\PairingG}{\ParamG{\hat{e}}}
\newcommand{\ExtractG}{\ParamG{\mathsf{Extract}}}
\newcommand{\ExtractG}{\mathsf{Extract}_{\SubgroupG}}
\newcommand{\ParamS}[1]{{{#1}_\mathbb{\hskip 0.03em S}}}
\newcommand{\ParamSexp}[2]{{{#1}_\mathbb{\hskip 0.03em S}\!}^{#2}}
@ -1512,9 +1512,10 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ParamJ}[1]{{{#1}_\mathbb{\hskip 0.01em J}}}
\newcommand{\ParamJexp}[2]{{{#1}_\mathbb{\hskip 0.01em J}\!}^{#2}}
\newcommand{\GroupJ}{\mathbb{J}}
\newcommand{\SubgroupJ}{\mathbb{J}_{r}}
\newcommand{\SubgroupJ}{\mathbb{J}_{\subgroupr}}
\newcommand{\SubgroupReprJ}{\SubgroupJ^{\ReprNoKern}}
\newcommand{\GroupJHash}[1]{\mathsf{GroupHash}^\mathbb{J}_{#1}}
\newcommand{\PrimeOrderJ}{\SubgroupJ \difference \ZeroJ}
\newcommand{\GroupJHash}[1]{\mathsf{GroupHash}^{\SubgroupJ}_{#1}}
\newcommand{\CurveJ}{\Curve_{\GroupJ}}
\newcommand{\ZeroJ}{\Zero_{\GroupJ}}
\newcommand{\GenJ}{\Generator_{\GroupJ}}
@ -1524,8 +1525,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\reprJOf}[1]{\reprJ\!\left({#1}\right)\!}
\newcommand{\abstJ}{\abst_{\GroupJ}}
\newcommand{\abstJOf}[1]{\abstJ\!\left({#1}\right)\!}
\newcommand{\ExtractJ}{\ParamJ{\mathsf{Extract}}}
\newcommand{\FindGroupJHash}{\mathsf{FindGroupHash}^\mathbb{J}}
\newcommand{\ExtractJ}{\mathsf{Extract}_{\SubgroupJ}}
\newcommand{\FindGroupJHash}{\mathsf{FindGroupHash}^{\SubgroupJ}}
\newcommand{\FindGroupJHashOf}[1]{\FindGroupJHash\!\left({#1}\right)\!}
\newcommand{\SignedScalarLimitJ}{\frac{\ParamJ{r}-1}{2}}
@ -2198,8 +2199,8 @@ spendable by the recipient who holds the \spendingKey corresponding
to a given \paymentAddress.
} %notsprout
Let \sprout{$\MAXMONEY$ and $\PRFOutputLength$}
\notsprout{$\MAXMONEY$, $\PRFOutputLength$\sapling{, and $\DiversifierLength$}}
Let \sprout{$\MAXMONEY$ and $\PRFOutputLengthSprout$}
\notsprout{$\MAXMONEY$, $\PRFOutputLengthSprout$\sapling{, $\PRFOutputLengthNfSapling$, and $\DiversifierLength$}}
be as defined in \crossref{constants}.
Let $\NoteCommitSproutAlg$ be as defined in \crossref{concretesproutnotecommit}.
@ -2619,12 +2620,11 @@ as described in \crossref{foundersreward}.
\subsubsection{\HashFunctions} \label{abstracthashes}
Let $\MerkleDepthSprout$, $\MerkleHashLengthSprout$,
\sapling{$\MerkleDepthSapling$, $\MerkleHashLengthSapling$, $\InViewingKeyLength$,}
\sapling{$\MerkleDepthSapling$, $\MerkleHashLengthSapling$, $\InViewingKeyLength$, $\DiversifierLength$,}
$\RandomSeedLength$, $\hSigLength$, and $\NOld$ be as defined in \crossref{constants}.
\sapling{
% \todo{define the abstract protocol over a generic group.}
Let $\GroupJ$, $\ParamJ{r}$, and $\ellJ$ be as defined in \crossref{jubjub}.
Let $\GroupJ$, $\SubgroupJ$, $\ParamJ{r}$, and $\ellJ$ be as defined in \crossref{jubjub}.
} %sapling
\sprout{
@ -2646,7 +2646,7 @@ Both of these functions are instantiated in \crossref{merklecrh}.
} %notsprout
\changed{
$\hSigCRH{} \typecolon \bitseq{\RandomSeedLength} \times \typeexp{\PRFOutput}{\NOld} \times \JoinSplitSigPublic \rightarrow \hSigType$
$\hSigCRH{} \typecolon \bitseq{\RandomSeedLength} \times \typeexp{\PRFOutputSprout}{\NOld} \times \JoinSplitSigPublic \rightarrow \hSigType$
is a \collisionResistant \hashFunction used in \crossref{joinsplitdesc}.
It is instantiated in \crossref{hsigcrh}.
@ -2670,7 +2670,7 @@ to derive the unique $\NoteAddressRand$ value for a \Sapling \note. It is also u
in the \spendStatement to confirm use of the correct $\NoteAddressRand$ value as an
input to \nullifier derivation. It is instantiated in \crossref{concretemixinghash}.
$\DiversifyHash \typecolon \DiversifierType \rightarrow \GroupJ$ is a \hashFunction
$\DiversifyHash \typecolon \DiversifierType \rightarrow \SubgroupJ$ is a \hashFunction
satisfying the Discrete Logarithm Independence property (which implies \collisionResistance\!\!)
described in \crossref{abstractgrouphash}.
It is used to derive a \diversifiedBase from a \diversifier in \crossref{saplingkeycomponents}.
@ -2684,8 +2684,9 @@ It is instantiated in \crossref{concretediversifyhash}.
$\PRF{x}{}$ is a \pseudoRandomFunction keyed by $x$.
Let $\AuthPrivateLength$, $\NoteAddressPreRandLength$, $\hSigLength$,
$\PRFOutputLengthSprout$, \sapling{$\PRFOutputLengthNfSapling$,} $\NOld$, and $\NNew$
be as defined in \crossref{constants}.
$\PRFOutputLengthSprout$, \sapling{$\SpendingKeyLength$, $\OutViewingKeyLength$,
$\PRFOutputLengthExpand$, $\PRFOutputLengthNfSapling$,}
$\NOld$, and $\NNew$ be as defined in \crossref{constants}.
\sapling{
Let $\ellJ$ and $\SubgroupReprJ$ be as defined in \crossref{jubjub}.
@ -2771,8 +2772,8 @@ a shared secret, each using their private key and the other party's public key.
A \keyAgreementScheme $\KA$ defines a type of public keys $\KAPublic$, a type
of private keys $\KAPrivate$, and a type of shared secrets $\KASharedSecret$.
Let $\KAFormatPrivate \typecolon \PRFOutput \rightarrow \KAPrivate$ be a function
to convert a bit string of length $\PRFOutputLength$ to a $\KA$ private key.
\sapling{Optional:} Let $\KAFormatPrivate \typecolon \PRFOutputSprout \rightarrow \KAPrivate$
be a function to convert a bit string of length $\PRFOutputLengthSprout$ to a $\KA$ private key.
Let $\KADerivePublic \typecolon \KAPrivate \times \KAPublic \rightarrow \KAPublic$
be a function that derives the $\KA$ public key corresponding to a given $\KA$
@ -3171,7 +3172,7 @@ Let $\NoteCommitRandLength$, $\MerkleHashLengthSprout$, $\PRFOutputLengthSprout$
$\ValueLength$ be as defined in \crossref{constants}.
\sapling{
Let $\GroupJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}.
Let $\SubgroupJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}.
} %sapling
\sprout{
@ -3185,9 +3186,9 @@ Define:
$\NoteCommitSproutOutput := \bitseq{\MerkleHashLengthSprout}$;
\sapling{
\item $\NoteCommitSaplingTrapdoor := \GF{\ParamJ{r}}$ and
$\NoteCommitSaplingOutput := \GroupJ$;
$\NoteCommitSaplingOutput := \SubgroupJ$;
\item $\ValueCommitTrapdoor := \GF{\ParamJ{r}}$ and
$\ValueCommitOutput := \GroupJ$.
$\ValueCommitOutput := \SubgroupJ$.
} %sapling
\end{formulae}
} %notsprout
@ -3271,9 +3272,9 @@ $\scalarmult{a}{G}$ meaning $\scalarmult{a \bmod \ParamG{r}}{G}$ as defined abov
\subsubsection{\HashExtractor} \label{abstractextractor}
A \hashExtractor for a \representedGroup $\GroupG{}$ is a function
$\ExtractG \typecolon \GroupG{} \rightarrow T$ for some type $T$,
such that $\ExtractG$ is injective on the subgroup of $\GroupG{}$ of order
$\ParamG{r}$.
$\ExtractG \typecolon \SubgroupG{} \rightarrow T$ for some type $T$,
such that $\ExtractG$ is injective on $\SubgroupG{}$ (the subgroup of $\GroupG{}$
of order $\ParamG{r}$).
\vspace{-2ex}
\pnote{
@ -3287,19 +3288,20 @@ efficiently computable left inverse.
\introlist
\subsubsection{\GroupHash} \label{abstractgrouphash}
Given a represented group $\GroupG{}$ and a type $\CRSType$, we define a
\term{family of group hashes into\, $\GroupG{}$} as a function
Given a represented group $\GroupG{}$ with prime-order subgroup $\SubgroupG$,
and a type $\CRSType$, we define a \term{family of group hashes into\, $\SubgroupG$}
as a function
\begin{formulae}
\item $\GroupGHash{} \typecolon \CRSType \times \bitseq{\ell} \rightarrow \GroupG{}$
\item $\GroupGHash{} \typecolon \CRSType \times (\byteseq{8} \times \byteseqs) \rightarrow \SubgroupG$
\end{formulae}
\vspace{-2ex}
\securityrequirement{\textbf{Discrete Logarithm Independence}
For a randomly selected member $\GroupGHash{\CRS}$ of the family, it is infeasible to find
a sequence of distinct inputs $m_{\alln} \typecolon \typeexp{\bitseq{\ell}}{n}$
and a sequence of nonzero scalars $x_{\alln} \typecolon \typeexp{\GFstar{\ParamG{r}}}{n}$
a sequence of \emph{distinct} inputs $m_{\alln} \typecolon \typeexp{(\byteseq{8} \times \byteseqs)}{n}$
and a sequence of nonzero $x_{\alln} \typecolon \typeexp{\GFstar{\ParamG{r}}}{n}$
such that $\ssum{i = 1}{n}\!\left(\scalarmult{x_i}{\GroupGHash{\CRS}(m_i)}\right) = \ZeroG{}$.
}
@ -3317,6 +3319,9 @@ such that $\ssum{i = 1}{n}\!\left(\scalarmult{x_i}{\GroupGHash{\CRS}(m_i)}\right
group hash algorithm to be used.
This mitigates the possibility that the group hash algorithm could have
been backdoored.
\item The input element with type $\byteseq{8}$ is intended to act as a
``personalization'' parameter to distinguish uses of the \groupHash for
different purposes.
\end{nnotes}
} %sapling
@ -3468,6 +3473,8 @@ them to be the $\Groth$ \provingKeys and
\notsprout{\subsubsection{\Sprout{} \KeyComponents}} \label{sproutkeycomponents}
Let $\AuthPrivateLength$ be as defined in \crossref{constants}.
Let $\PRFaddr{}$ be a \pseudoRandomFunction, instantiated in \crossref{concreteprfs}.
Let $\KASprout$ be a \keyAgreementScheme, instantiated in \crossref{concretesproutkeyagreement}.
@ -3492,7 +3499,10 @@ as follows:}
\sapling{
\subsubsection{\Sapling{} \KeyComponents} \label{saplingkeycomponents}
Let $\PRFexpand{}$ and $\PRFock{}$ be \pseudoRandomFunctions, instantiated in \crossref{concreteprfs}.
Let $\PRFOutputLengthExpand$, $\SpendingKeyLength$, $\OutViewingKeyLength$, and $\DiversifierLength$
be as defined in \crossref{constants}.
Let $\PRFexpand{}$ and $\PRFock{}$ be \pseudoRandomFunctions instantiated in \crossref{concreteprfs}.
Let $\KASapling$ be a \keyAgreementScheme, instantiated in \crossref{concretesaplingkeyagreement}.
@ -3503,17 +3513,16 @@ Let $\DiversifyHash$ be a \hashFunction, instantiated in \crossref{concretediver
Let $\SpendAuthSig$, instantiated in \crossref{concretespendauthsig},
be a \rerandomizableSignatureScheme.
Let $\reprJ$, $\SubgroupJ$, and $\SubgroupReprJ$ be as defined in \crossref{jubjub}.
Let $\FindGroupJHash$ be as defined in \crossref{concretegrouphashjubjub}.
Let $\AuthProveBase = \FindGroupJHashOf{\ascii{Zcash\_H\_}, \ascii{}}$.
Let $\reprJ$ be the representation function for the $\JubjubCurve$ \representedGroup,
instantiated in \crossref{jubjub}.
Let $\LEBStoOSP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$
and $\LEOStoIP{} \typecolon (\ell \typecolon \Nat \suchthat \ell \bmod 8 = 0) \times \byteseq{\ell/8} \rightarrow \binaryrange{\ell}$
be as defined in \crossref{endian}.
Define $\AuthProveBase := \FindGroupJHashOf{\ascii{Zcash\_H\_}, \ascii{}}$.
Define $\ToScalar(x \typecolon \PRFOutputExpand) := \LEOStoIPOf{\PRFOutputLengthExpand}{x} \pmod{\ParamJ{r}}$.
A new \Sapling \spendingKey $\SpendingKey$ is generated by choosing a bit sequence
@ -3523,24 +3532,13 @@ uniformly at random from $\SpendingKeyType$.
From this \spendingKey, the \authSigningKey $\AuthSignPrivate$ and \authProvingKey $\AuthProvePrivate$
are derived as follows:
\begin{formulae}
\item $\AuthSignPrivate := \ToScalar(\PRFexpand{\SpendingKey}([0]))$
\item $\AuthProvePrivate := \ToScalar(\PRFexpand{\SpendingKey}([1]))$
\item $\OutViewingKey := \truncate{32}(\PRFexpand{\SpendingKey}([2]))$
\end{formulae}
} %sapling
\vspace{-0.5ex}
\begin{tabular}{@{\hskip 1.7em}r@{\;}l}
$\AuthSignPrivate$ &$:= \ToScalar(\PRFexpand{\SpendingKey}([0]))$ \\
$\AuthProvePrivate$ &$:= \ToScalar(\PRFexpand{\SpendingKey}([1]))$ \\
$\OutViewingKey$ &$:= \truncate{(\OutViewingKeyLength/8)}(\PRFexpand{\SpendingKey}([2]))$
\end{tabular}
\newsavebox{\crhivkinputbox}
\begin{lrbox}{\crhivkinputbox}
\begin{bytefield}[bitwidth=0.06em]{512}
\sapling{
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJOf{\AuthSignPublic}\kern 0.05em}$} &
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJOf{\AuthProvePublic}\kern 0.05em}$}
}
\end{bytefield}
\end{lrbox}
\sapling{
\vspace{1ex}
$\AuthSignPublic$, $\AuthProvePublic$, and $\InViewingKey$ are then derived as:
@ -3548,7 +3546,7 @@ $\AuthSignPublic$, $\AuthProvePublic$, and $\InViewingKey$ are then derived as:
\begin{tabular}{@{\hskip 1.7em}r@{\;}l}
$\AuthSignPublic$ &$:= \SpendAuthSigDerivePublic(\AuthSignPrivate)$ \\
$\AuthProvePublic$ &$:= \scalarmult{\AuthProvePrivate}{\AuthProveBase}$ \\
$\InViewingKey$ &$:= \CRHivkBox{\crhivkinputbox}$.
\plap{$\InViewingKey$}{$\OutViewingKey$} &$:= \CRHivk\big(\reprJOf{\AuthSignPublic}, \reprJOf{\AuthProvePublic}\kern-0.08em\big)$.
\end{tabular}
If $\InViewingKey = 0$, discard this key and repeat with a new $\SpendingKey$.
@ -3592,7 +3590,8 @@ Define:
\Diversifier, &\caseotherwise
\end{cases}$
\item $\DefaultDiversifier(\sk \typecolon \SpendingKeyType) :=
\first\big(\fun{i \typecolon \byte}{\CheckDiversifier(\truncate{(\DiversifierLength/8)}(\PRFexpand{\sk}([3, i]))) \typecolon \GroupJ}\big)$.
\first\big(\fun{i \typecolon \byte}{\CheckDiversifier(\truncate{(\DiversifierLength/8)}(\PRFexpand{\sk}([3, i])))
\typecolon \maybe{\SubgroupJ}}\big)$.
\end{formulae}
For a random \spendingKey, $\DefaultDiversifier$ returns $\bot$ with probability approximately $2^{-256}$;
@ -3628,12 +3627,12 @@ if this happens, discard the key and repeat with a different $\SpendingKey$.
is computationally indistinguishable from that of $\SpendAuthSigGenPrivate()$ (defined
in \crossref{concretespendauthsig}).
\item Similarly, the distribution of $\AuthProvePrivate$, i.e.\
$\PRFexpand{\SpendingKey}([1]) : \SpendingKey \leftarrowR \SpendingKeyType$,
$\ToScalar(\PRFexpand{\SpendingKey}([1])) : \SpendingKey \leftarrowR \SpendingKeyType$,
is computationally indistinguishable from the uniform distribution on $\GF{\ParamJ{r}}$.
Since $\fun{\AuthProvePrivate \typecolon \GF{\ParamJ{r}}}
{\reprJOf{\scalarmult{\AuthProvePrivate}{\AuthProveBase}} \typecolon \GroupJ}$
is injective, the distribution of $\reprJOf{\AuthProvePublic}$ will be computationally
indistinguishable from the uniform distribution on $\SubgroupReprJ$ (defined in \crossref{jubjub})
Since $\fun{\AuthProvePrivate \typecolon \GF{\ParamJ{r}}^{\vphantom{X}}}
{\reprJOf{\scalarmult{\AuthProvePrivate}{\AuthProveBase}} \typecolon \SubgroupReprJ}$
is bijective, the distribution of $\reprJOf{\AuthProvePublic}$ will be computationally
indistinguishable from the uniform distribution on $\SubgroupReprJ$
which is the keyspace of $\PRFnfSapling{}$.
\end{nnotes}
} %sapling
@ -3648,6 +3647,20 @@ Each \transaction includes a sequence of zero or more \joinSplitDescriptions.
When this sequence is non-empty, the \transaction also includes encodings of a
$\JoinSplitSig$ public verification key and signature.
Let $\MerkleHashLengthSprout$, $\PRFOutputLengthSprout$, $\RandomSeedLength$,
$\NOld$, $\NNew$, and $\MAXMONEY$ be as defined in \crossref{constants}.
Let $\hSigCRH$ be as defined in \crossref{abstracthashes}.
Let $\NoteCommitSprout{}$ be as defined in \crossref{abstractcommit}.
Let $\KASprout$ be as defined in \crossref{abstractkeyagreement}.
Let $\Sym$ be as defined in \crossref{abstractsym}.
Let $\JoinSplit$ be as defined in \crossref{abstractzk}.
\vspace{1ex}
\introlist
A \joinSplitDescription consists of $(\vpubOld, \vpubNew, \rt, \nfOld{\allOld},
\cmNew{\allNew}, \EphemeralPublic, \RandomSeed, \h{\allOld}, \ProofJoinSplit,
@ -3658,11 +3671,11 @@ where
the value that the \joinSplitTransfer removes from the \transparentValuePool};
\item $\vpubNew \typecolon \range{0}{\MAXMONEY}$ is
the value that the \joinSplitTransfer inserts into the \transparentValuePool;
\item $\rt \typecolon \MerkleHash$ is an \anchor, as defined in
\item $\rt \typecolon \MerkleHashSprout$ is an \anchor, as defined in
\crossref{blockchain}, for the output \treestate of either
a previous \block, or a previous \joinSplitTransfer in this
\transaction.
\item $\nfOld{\allOld} \typecolon \typeexp{\PRFOutput}{\NOld}$ is
\item $\nfOld{\allOld} \typecolon \typeexp{\PRFOutputSprout}{\NOld}$ is
the sequence of \nullifiers for the input \notes;
\item $\cmNew{\allNew} \typecolon \typeexp{\NoteCommitSproutOutput}{\NNew}$ is
the sequence of \noteCommitments for the output \notes;
@ -3672,7 +3685,7 @@ where
\item \changed{$\RandomSeed \typecolon \RandomSeedType$ is
a seed that must be chosen independently at random for each
\joinSplitDescription};
\item $\h{\allOld} \typecolon \typeexp{\PRFOutput}{\NOld}$ is
\item $\h{\allOld} \typecolon \typeexp{\PRFOutputSprout}{\NOld}$ is
a sequence of tags that bind $\hSig$ to each
$\AuthPrivate$ of the input \notes;
\item $\ProofJoinSplit \typecolon \JoinSplitProof$ is a \zkProof with
@ -3692,8 +3705,6 @@ $\joinSplitPubKey$ of the containing \transaction:
\item $\hSig := \hSigCRH(\changed{\RandomSeed, \nfOld{\allOld},\,} \joinSplitPubKey)$.
\end{formulae}
$\hSigCRH$ is instantiated in \crossref{hsigcrh}.
\vspace{2ex}
\begin{consensusrules}
\item Elements of a \joinSplitDescription{} \MUST have the types given
@ -3719,6 +3730,11 @@ Let $\MerkleHashLengthSapling$ and $\PRFOutputLengthNfSapling$ be as defined in
Let $\ValueCommitOutput$ be as defined in \crossref{abstractcommit}.
Let $\SpendAuthSig$ be as defined in \crossref{spendauthsig}.
Let $\Spend$ be as defined in \crossref{abstractzk}.
\vspace{1ex}
\introlist
A \spendDescription consists of $(\cv, \rt, \nf, \AuthSignRandomizedPublic, \ProofSpend, \spendAuthSig)$
where
@ -3761,6 +3777,13 @@ An \outputTransfer, as specified in \crossref{spendsandoutputs}, is encoded in
Each \transaction includes a sequence of zero or more \outputDescriptions.
There are no signatures associated with \outputDescriptions.
Let $\KASapling$ be as defined in \crossref{abstractkeyagreement}.
Let $\Sym$ be as defined in \crossref{abstractsym}.
Let $\Spend$ be as defined in \crossref{abstractzk}.
\vspace{1ex}
\introlist
An \outputDescription consists of $(\cv, \cmU, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \ProofOutput)$
where
@ -3917,6 +3940,12 @@ The fields in a \joinSplitDescription allow for $\NOld$ input \notes, and
$\NNew$ output \notes. In practice, we may wish to encode a \joinSplitTransfer
with fewer input or output \notes. This is achieved using \dummyNotes.
Let $\AuthPrivateLength$ and $\PRFOutputLengthSprout$ be as defined in \crossref{constants}.
Let $\PRFnf{}$ be as defined in \crossref{abstractprfs}.
Let $\NoteCommitSproutTrapdoor$ be as defined in \crossref{abstractcommit}.
\introlist
\changed{
A \dummy{} \SproutOrNothing input \note, with index $i$ in the \joinSplitDescription,
@ -3926,7 +3955,7 @@ is constructed as follows:
\item Generate a new uniformly random \spendingKey $\AuthPrivateOld{i} \leftarrowR \bitseq{\AuthPrivateLength}$
and derive its \payingKey $\AuthPublicOld{i}$.
\item \vspace{-0.5ex} Set $\vOld{i} = 0$.
\item Choose uniformly random $\NoteAddressRandOld{i} \leftarrowR \PRFOutput$
\item Choose uniformly random $\NoteAddressRandOld{i} \leftarrowR \PRFOutputSprout$
and $\NoteCommitRandOld{i} \leftarrowR \NoteCommitSproutTrapdoor$.
\item Compute $\nfOld{i} = \PRFnf{\AuthPrivateOld{i}}(\NoteAddressRandOld{i})$.
\item Construct a \dummy \merklePath $\TreePath{i}$ for use in the
@ -3948,6 +3977,16 @@ otherwise unused inputs as in the case of a \joinSplitDescription; nevertheless
it may be useful for privacy to obscure the number of real \shieldedInputs from
\Sapling{} \notes{}.
Let $\SpendingKeyLength$ be as defined in \crossref{constants}.
Let $\ParamJ{r}$ and $\reprJ$ be as defined in \crossref{jubjub}.
Let $\AuthProveBase$ be as defined in \crossref{saplingkeycomponents}.
Let $\PRFnfSapling{}$ be as defined in \crossref{abstractprfs}.
Let $\NoteCommitSaplingTrapdoor$ be as defined in \crossref{abstractcommit}.
\introlist
A \dummy{} \Sapling input \note is constructed as follows:
@ -4155,13 +4194,15 @@ Instead of generating a key pair at random, we generate it as a function of the
and the \balancingValue.
\vspace{2ex}
Let $\SubgroupJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}.
\introlist
Let $\ValueCommit{}$, $\ValueCommitValueBase$, and $\ValueCommitRandBase$
be as defined in \crossref{concretevaluecommit}:
\begin{formulae}
\item $\ValueCommit{} \typecolon \ValueCommitTrapdoor \times \ValueCommitType \rightarrow \ValueCommitOutput$;
\item $\ValueCommitValueBase \typecolon \GroupJ$ is the value base in $\ValueCommit{}$;
\item $\ValueCommitRandBase \typecolon \GroupJ$ is the randomness base in $\ValueCommit{}$.
\item $\ValueCommitValueBase \typecolon \SubgroupJ$ is the value base in $\ValueCommit{}$;
\item $\ValueCommitRandBase \typecolon \SubgroupJ$ is the randomness base in $\ValueCommit{}$.
\end{formulae}
$\BindingSig$, $\combplus$, and $\grpplus$ are instantiated in \crossref{concretebindingsig}.
@ -4390,12 +4431,12 @@ A valid instance of $\ProofJoinSplit$ assures that given a \primaryInput:
\vspace{-1ex}
\begin{formulae}
\item $\oparen\rt \typecolon \MerkleHashSprout,\\
\hparen\nfOld{\allOld} \typecolon \typeexp{\PRFOutput}{\NOld},\\
\hparen\nfOld{\allOld} \typecolon \typeexp{\PRFOutputSprout}{\NOld},\\
\hparen\cmNew{\allNew} \typecolon \typeexp{\NoteCommitSproutOutput}{\NNew},\vspace{0.6ex}\\
\hparen\changed{\vpubOld \typecolon \ValueType,}\vspace{0.6ex}\\
\hparen\vpubNew \typecolon \ValueType,\\
\hparen\hSig \typecolon \hSigType,\\
\hparen\h{\allOld} \typecolon \smash{\typeexp{\PRFOutput}{\NOld}\cparen}$,
\hparen\h{\allOld} \typecolon \smash{\typeexp{\PRFOutputSprout}{\NOld}\cparen}$,
\end{formulae}
\vspace{-1ex}
\introlist
@ -4484,10 +4525,13 @@ Let $\ValueCommitAlg$ and $\NoteCommitSaplingAlg$ be as specified in \crossref{a
Let $\SpendAuthSig$ be as defined in \crossref{concretespendauthsig}.
Let $\GroupJ$ and the cofactor $\ParamJ{h}$ be as defined in \crossref{jubjub}.
Let $\GroupJ$, $\SubgroupJ$, $\ParamJ{q}$, $\ParamJ{r}$, and $\ParamJ{h}$ be as defined in \crossref{jubjub}.
Let $\ExtractJ$ be as defined in \crossref{concreteextractorjubjub}.
Let $\ExtractJ \typecolon \SubgroupJ \rightarrow \GF{\ParamJ{q}}$ be as defined in \crossref{concreteextractorjubjub}.
Let $\AuthProveBase$ be as defined in \crossref{saplingkeycomponents}.
\intropart
A valid instance of $\ProofSpend$ assures that given a \primaryInput:
\begin{formulae}
@ -5447,9 +5491,9 @@ $\PedersenHash$ is used in the \incrementalMerkleTree over \noteCommitments
(\crossref{merkletree}) and in the definition of \xPedersenCommitments
(\crossref{concretewindowedcommit}).
Let $\GroupJ$ be as defined in \crossref{jubjub}.
Let $\GroupJ$, $\SubgroupJ$, $\ZeroJ$, $\ParamJ{q}$, $\ParamJ{r}$, $\ParamJ{a}$, and $\ParamJ{d}$ be as defined in \crossref{jubjub}.
Let $\ExtractJ$ be as defined in \crossref{concreteextractorjubjub}.
Let $\ExtractJ \typecolon \SubgroupJ \rightarrow \GF{\ParamJ{q}}$ be as defined in \crossref{concreteextractorjubjub}.
Let $\FindGroupJHash$ be as defined in \crossref{concretegrouphashjubjub}.
@ -5464,7 +5508,7 @@ Let $c := 63$.
\introlist
\vspace{2ex}
Define $\PedersenGenAlg \typecolon \byteseq{8} \times \Nat \rightarrow \GroupJ$ by:
Define $\PedersenGenAlg \typecolon \byteseq{8} \times \Nat \rightarrow \PrimeOrderJ$ by:
\begin{formulae}
\item $\PedersenGen{D}{i} := \FindGroupJHashOf{D, \Justthebox{\gencountbox}}$.
@ -5474,7 +5518,7 @@ Define $\PedersenGenAlg \typecolon \byteseq{8} \times \Nat \rightarrow \GroupJ$
\vspace{2ex}
\introsection
Define $\PedersenHashToPoint(D \typecolon \byteseq{8}, M \typecolon \bitseq{\PosInt})$ as follows:
Define $\PedersenHashToPoint(D \typecolon \byteseq{8}, M \typecolon \bitseq{\PosInt}) \rightarrow \SubgroupJ$ as follows:
\begin{formulae}
\item Pad $M$ to a multiple of $3$ bits by appending zero bits, giving $M'$.
@ -5483,7 +5527,7 @@ Define $\PedersenHashToPoint(D \typecolon \byteseq{8}, M \typecolon \bitseq{\Pos
so that $M' = \concatbits(M_\barerange{1}{n})$, and
each of $M_\barerange{1}{n-1}$ is of length $3 \smult c$ bits.
($M_n$ may be shorter.)
\item Return $\vsum{i=1}{n} \scalarmult{\PedersenEncode{M_i}}{\PedersenGen{D}{i}} \typecolon \GroupJ$.
\item Return $\vsum{i=1}{n} \scalarmult{\PedersenEncode{M_i}}{\PedersenGen{D}{i}} \typecolon \SubgroupJ$.
\end{formulae}
where
@ -5813,6 +5857,7 @@ corresponding to $\AuthProvePublicRepr$, with input in the bits corresponding to
$\NoteAddressRand$. Note that $\AuthProvePublicRepr \typecolon \SubgroupReprJ$
is a representation of a point in the $\ParamJ{r}$-order subgroup of the \jubjubCurve,
and therefore is not uniformly distributed on $\ReprJ$.
$\SubgroupReprJ$ is defined in \crossref{jubjub}.
}
} %sapling
@ -5930,11 +5975,11 @@ $\KASapling$ is a \keyAgreementScheme as specified in \crossref{abstractkeyagree
It is instantiated as Diffie-Hellman with cofactor multiplication on $\JubjubCurve$
as follows:
Let $\GroupJ$ and the cofactor $\ParamJ{h}$ be as defined in \crossref{jubjub}.
Let $\GroupJ$, $\SubgroupJ$, and the cofactor $\ParamJ{h}$ be as defined in \crossref{jubjub}.
Define $\KASaplingPublic := \GroupJ$.
Define $\KASaplingSharedSecret := \GroupJ$.
Define $\KASaplingSharedSecret := \SubgroupJ$.
Define $\KASaplingPrivate := \GF{\ParamJ{r}}$.
@ -6050,13 +6095,12 @@ We first describe the scheme $\RedDSA$ over a general \representedGroup.
Its parameters are:
\begin{itemize}
\item a \representedGroup $\GroupG{}$, which also defines
a subgroup order $\ParamG{r}$, a cofactor $\ParamG{h}$,
a subgroup $\SubgroupG$ of order $\ParamG{r}$, a cofactor $\ParamG{h}$,
a group operation $+$, an additive identity $\ZeroG{}$,
a bit-length $\ellG{}$, a representation function $\reprG{}$,
and an abstraction function $\abstG{}$, as specified in
\crossref{abstractgroup};
\item a generator $\GenG{}$ of the subgroup of $\GroupG{}$ of
order $\ParamG{r}$;
\item $\GenG{}$, a generator of $\SubgroupG$;
\item a bit-length $\RedDSAHashLength \typecolon \Nat$ such that
$2^{\RedDSAHashLength-128} \geq \ParamG{r}$ and $\RedDSAHashLength \bmod 8 = 0$;
\item a cryptographic \hashFunction $\RedDSAHash \typecolon \byteseqs \rightarrow \byteseq{\RedDSAHashLength/8}$.
@ -6181,7 +6225,7 @@ The scheme $\RedJubjub$ specializes $\RedDSA$ with:
\item $\RedDSAHash(x) := \BlakeTwobOf{512}{\ascii{Zcash\_RedJubjubH}, x}$ as defined in \crossref{concreteblake2}.
\end{itemize}
The generator $\GenG{}$ is left as an unspecified parameter, which is different between
The generator $\GenG{} \typecolon \SubgroupG$ is left as an unspecified parameter, which is different between
$\BindingSig$ and $\SpendAuthSig$.
} %sapling
@ -6667,6 +6711,10 @@ Let $\abstJ \typecolon \ReprJ \rightarrow \maybe{\GroupJ}$
be the left inverse of $\reprJ$ such that if $S$ is not in the range of
$\reprJ$, then $\abstJOf{S} = \bot$.
Define $\SubgroupJ$ as the order-$\ParamJ{r}$ subgroup of $\GroupJ$. Note that this includes $\ZeroJ$.
Define $\SubgroupReprJ := \setof{\reprJ(P) \typecolon \ReprJ \suchthat P \in \SubgroupJ}$.
\begin{nnotes}
\item The encoding of a compressed twisted Edwards point used here is
consistent with that used in EdDSA \cite{BJLSY2015} for public keys and
@ -6692,36 +6740,35 @@ other conditions on points, for example that they have order at least $\ParamJ{r
Let $\SelectuOf{(u, \varv)} = u$ and let $\SelectvOf{(u, \varv)} = \varv$.
Let $\ExtractJ \typecolon \GroupJ \rightarrow \GF{\ParamJ{q}}$ be $\Selectu$.
Let $\ExtractJ \typecolon \SubgroupJ \rightarrow \GF{\ParamJ{q}}$ be $\Selectu$.
Let $G$ be the subgroup of $\GroupJ$ of order $\ParamJ{r}$ (an odd prime).
\facts{The point $(0, 1) = \ZeroJ$, and the point $(0, -1)$ has order $2$ in $\GroupJ$.}
\facts{The point $(0, 1) = \ZeroJ$, and the point $(0, -1)$ has order $2$ in $\GroupJ$.
$\SubgroupJ$ is of odd-prime order.}
% <https://github.com/zcash/zcash/issues/2234#issuecomment-333360977>
\vspace{2ex}
\begin{lemma*}
Let $P = (u, \varv) \in G$. Then $(u, -\varv) \notin G$.
Let $P = (u, \varv) \in \SubgroupJ$. Then $(u, -\varv) \notin \SubgroupJ$.
\end{lemma*}
\begin{proof}
If $P = \ZeroJ$ then $(u, -\varv) = (0, -1) \notin G$.
If $P = \ZeroJ$ then $(u, -\varv) = (0, -1) \notin \SubgroupJ$.
Else, $P$ is of odd-prime order. Note that $\varv \neq 0$.
(If $\varv = 0$ then $a \mult u^2 = 1$, and so applying the doubling formula
gives $\scalarmult{2}{P} = (0, -1)$, then $\scalarmult{4}{P} = (0, 1) = \ZeroJ$;
contradiction since then $P$ would not be of odd-prime order.)
Therefore, $-\varv \neq \varv$.
Now suppose $(u, -\varv) = Q$ is a point in $G$. Then by applying the
Now suppose $(u, -\varv) = Q$ is a point in $\SubgroupJ$. Then by applying the
doubling formula we have $\scalarmult{2}{Q} = -\scalarmult{2}{P}$.
But also $\scalarmult{2}{(-P)} = -\scalarmult{2}{P}$. Therefore either
$Q = -P$ (then $\SelectvOf{Q} = \SelectvOf{-P}$\,; contradiction since
$-\varv \neq \varv$), or doubling is not injective on $G$ (contradiction
since $G$ is of odd order \cite{KvE2013}).
$-\varv \neq \varv$), or doubling is not injective on $\SubgroupJ$ (contradiction
since $\SubgroupJ$ is of odd order \cite{KvE2013}).
\end{proof}
\vspace{0.5ex}
\begin{theorem} \label{thmselectuinjective}
$\Selectu$ is injective on $G$.
$\Selectu$ is injective on $\SubgroupJ$.
\end{theorem}
\begin{proof}
@ -6731,8 +6778,8 @@ potentially exceptional case $1 - d \smult u^2 = 0$ does not occur for a
complete twisted Edwards curve, we see that for a given $u$ there can be at
most two possible solutions for $\varv$, and that if there are two solutions
they can be written as $\varv$ and $-\varv$. In that case by the Lemma, at
most one of $(u, \varv)$ and $(u, -\varv)$ is in $G$. Therefore, $\Selectu$
is injective on points in $G$.
most one of $(u, \varv)$ and $(u, -\varv)$ is in $\SubgroupJ$. Therefore, $\Selectu$
is injective on points in $\SubgroupJ$.
\end{proof}
}
@ -6754,7 +6801,7 @@ let $M \typecolon \byteseqs$ be the hash input.
\vspace{2ex}
\introlist
The hash $\GroupJHash{\CRS}(D, M)$ is calculated as follows:
The hash $\GroupJHash{\CRS}(D, M) \typecolon \PrimeOrderJ$ is calculated as follows:
\begin{formulae}
\item $P := \abstJOf{\LEOStoBSPOf{256}{\BlakeTwosOf{256}{D,\, \CRS \bconcat\, M}}}$
@ -6767,8 +6814,8 @@ Define $\first \typecolon (\byte \rightarrow \maybe{T}) \rightarrow \maybe{T}$
so that $\first(f) = f(i)$ where $i$ is the least integer in $\byte$
such that $f(i) \neq \bot$, or $\bot$ if no such $i$ exists.
Let $\FindGroupJHashOf{D, M} =
\first(\fun{i \typecolon \byte}{\GroupJHash{\CRS}(D, M \bconcat\, [i]) \typecolon \GroupJ})$.
Define $\FindGroupJHashOf{D, M} :=
\first(\fun{i \typecolon \byte}{\GroupJHash{\CRS}(D, M \bconcat\, [i]) \typecolon \maybe{(\PrimeOrderJ)}})$.
\begin{pnotes}
\item The $\BlakeTwos{256}$ chaining variable after processing $\CRS$ may be precomputed.
@ -9008,6 +9055,13 @@ found by Brian Warner.
\item Remove the consensus rule
``If $\nJoinSplit > 0$, the \transaction{} \MUSTNOT use \sighashTypes other than $\SIGHASHALL$.'',
which was never implemented.
\sapling{
\item Use the more precise subgroup types $\SubgroupG$ and $\SubgroupJ$ in preference to
$\GroupG{}$ and $\GroupJ$ where applicable.
\item Correct or improve the types of $\GroupJHash{}$, $\FindGroupJHash$, $\ExtractJ$, $\PRFexpand{}$, and $\CRHivk$.
\item Ensure that \Sprout functions and values are given \Sprout-specific types where appropriate.
\item Improve cross-referencing.
} %sapling
\end{itemize}
\introlist
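Review bot: The new type ascription on the `\DefaultDiversifier` definition (hunk at `@ -3592`) looks wrong: the lambda is annotated `\typecolon \maybe{\SubgroupJ}`, but the value it yields is the result of `\CheckDiversifier`, whose visible `\caseotherwise` branch returns `\Diversifier` itself (a `\DiversifierType`), not the \diversifiedBase that `\DiversifyHash` would produce. Since `\first` is typed `(\byte \rightarrow \maybe{T}) \rightarrow \maybe{T}` (hunk at `@ -6767`), the annotation should read `\typecolon \maybe{\DiversifierType}}\big)$.` so that `\DefaultDiversifier` is typed as returning an optional diversifier, matching the "returns $\bot$" prose that follows. The `\bot` branch of `\CheckDiversifier` and the start of the `formulae` environment lie outside the hunk, so this is inferred from the `\caseotherwise` line alone; if `\CheckDiversifier` was meant to return the group element, the prose and the other callers would need to change instead. Elsewhere the retyping to `\SubgroupJ` looks consistent (the `\ValueCommit` bases, `\PedersenHashToPoint`, `\KASaplingSharedSecret` with cofactor multiplication), so this appears to be the one spot where the mechanical `\GroupJ` → `\SubgroupJ` replacement changed the meaning.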