From 8abebf4296b7ecc8b46adb42f5d98f4f342caac8 Mon Sep 17 00:00:00 2001
From: Daira Hopwood
Date: Mon, 4 Jun 2018 18:22:24 +0100
Subject: [PATCH] Type corrections and precision improvements. Also add more cross-references.

Signed-off-by: Daira Hopwood
---
 protocol/protocol.tex | 254 +++++++++++++++++++++++++-----------------
 1 file changed, 154 insertions(+), 100 deletions(-)

diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index 089c6ada..7f30d967 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -752,6 +752,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\ones}[1]{[1]^{#1}}
 \newcommand{\bit}{\mathbb{B}}
 \newcommand{\overlap}[2]{\rlap{#2}\hspace{#1}{#2}}
+\newcommand{\plap}[2]{\rlap{\hphantom{#2}}{#1}}
 \newcommand{\byte}{\mathbb{B}\kern -0.1em\raisebox{0.55ex}{\overlap{0.0001em}{\scalebox{0.7}{$\mathbb{Y}$}}}}
 \newcommand{\Nat}{\mathbb{N}}
 \newcommand{\PosInt}{\mathbb{N}^+}
@@ -994,14 +995,12 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\PRFpk}[1]{\PRF{#1}{pk}}
 \newcommand{\PRFrho}[1]{\PRF{#1}{\NoteAddressRand}}
 \newcommand{\PRFnfSapling}[1]{\PRF{#1}{nf\kern-0.01em Sapling}}
-\newcommand{\PRFOutputLength}{\mathsf{\ell_{PRF}}}
-\newcommand{\PRFOutput}{\bitseq{\PRFOutputLength}}
 \newcommand{\PRFOutputLengthSprout}{\mathsf{\ell_{PRF\notsprout{Sprout}}}}
 \newcommand{\PRFOutputSprout}{\bitseq{\PRFOutputLengthSprout}}
 \newcommand{\PRFOutputLengthNfSapling}{\mathsf{\ell_{PRFnfSapling}}}
 \newcommand{\PRFOutputNfSapling}{\bitseq{\PRFOutputLengthNfSapling}}
 \newcommand{\PRFOutputLengthExpand}{\mathsf{\ell_{PRFexpand}}}
-\newcommand{\PRFOutputExpand}{\bitseq{\PRFOutputLengthExpand}}
+\newcommand{\PRFOutputExpand}{\byteseq{\PRFOutputLengthExpand/8}}
 \newcommand{\PRFInputExpand}{\byteseq{\barerange{1}{2}}}
 % Commitments
@@ -1463,6 +1462,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\SelectuOf}[1]{\Selectu\!\left({#1}\right)\!}
 \newcommand{\Selectv}{\scalebox{1.53}{$\varv$}}
 \newcommand{\SelectvOf}[1]{\Selectv\!\left({#1}\right)\!}
+\newcommand{\subgroupr}{(\kern-0.075emr\kern-0.075em)}
 \newcommand{\ParamP}[1]{{{#1}_\mathbb{P}}}
 \newcommand{\ParamPexp}[2]{{{#1}_\mathbb{P}\!}^{#2}}
@@ -1480,9 +1480,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\ParamGexp}[2]{{{#1}_\mathbb{G}\!}^{#2}}
 \newcommand{\GroupG}[1]{\mathbb{G}_{#1}}
 \newcommand{\GroupGstar}[1]{\mathbb{G}^\ast_{#1}}
-\newcommand{\SubgroupG}{\mathbb{G}_{r}}
+\newcommand{\SubgroupG}{\mathbb{G}_{\subgroupr}}
 \newcommand{\SubgroupReprG}{\SubgroupG^{\ReprNoKern}}
-\newcommand{\GroupGHash}[1]{\mathsf{GroupHash}^\GroupG{#1}}
+\newcommand{\GroupGHash}[1]{\mathsf{GroupHash}^{\SubgroupG}_{#1}}
 \newcommand{\CurveG}[1]{\Curve_{\GroupG{#1}}}
 \newcommand{\ZeroG}[1]{\Zero_{\GroupG{#1}}}
 \newcommand{\GenG}[1]{\Generator_{\GroupG{#1}}}
@@ -1493,7 +1493,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\abstG}[1]{\abst_{\GroupG{#1}}}
 \newcommand{\abstGOf}[2]{\abstG{#1}\!\left({#2}\right)\!}
 \newcommand{\PairingG}{\ParamG{\hat{e}}}
-\newcommand{\ExtractG}{\ParamG{\mathsf{Extract}}}
+\newcommand{\ExtractG}{\mathsf{Extract}_{\SubgroupG}}
 \newcommand{\ParamS}[1]{{{#1}_\mathbb{\hskip 0.03em S}}}
 \newcommand{\ParamSexp}[2]{{{#1}_\mathbb{\hskip 0.03em S}\!}^{#2}}
@@ -1512,9 +1512,10 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\ParamJ}[1]{{{#1}_\mathbb{\hskip 0.01em J}}} \newcommand{\ParamJexp}[2]{{{#1}_\mathbb{\hskip 0.01em J}\!}^{#2}} \newcommand{\GroupJ}{\mathbb{J}} -\newcommand{\SubgroupJ}{\mathbb{J}_{r}} +\newcommand{\SubgroupJ}{\mathbb{J}_{\subgroupr}} \newcommand{\SubgroupReprJ}{\SubgroupJ^{\ReprNoKern}} -\newcommand{\GroupJHash}[1]{\mathsf{GroupHash}^\mathbb{J}_{#1}} +\newcommand{\PrimeOrderJ}{\SubgroupJ \difference \ZeroJ} +\newcommand{\GroupJHash}[1]{\mathsf{GroupHash}^{\SubgroupJ}_{#1}} \newcommand{\CurveJ}{\Curve_{\GroupJ}} \newcommand{\ZeroJ}{\Zero_{\GroupJ}} \newcommand{\GenJ}{\Generator_{\GroupJ}} @@ -1524,8 +1525,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\reprJOf}[1]{\reprJ\!\left({#1}\right)\!} \newcommand{\abstJ}{\abst_{\GroupJ}} \newcommand{\abstJOf}[1]{\abstJ\!\left({#1}\right)\!} -\newcommand{\ExtractJ}{\ParamJ{\mathsf{Extract}}} -\newcommand{\FindGroupJHash}{\mathsf{FindGroupHash}^\mathbb{J}} +\newcommand{\ExtractJ}{\mathsf{Extract}_{\SubgroupJ}} +\newcommand{\FindGroupJHash}{\mathsf{FindGroupHash}^{\SubgroupJ}} \newcommand{\FindGroupJHashOf}[1]{\FindGroupJHash\!\left({#1}\right)\!} \newcommand{\SignedScalarLimitJ}{\frac{\ParamJ{r}-1}{2}} @@ -2198,8 +2199,8 @@ spendable by the recipient who holds the \spendingKey corresponding to a given \paymentAddress. } %notsprout -Let \sprout{$\MAXMONEY$ and $\PRFOutputLength$} -\notsprout{$\MAXMONEY$, $\PRFOutputLength$\sapling{, and $\DiversifierLength$}} +Let \sprout{$\MAXMONEY$ and $\PRFOutputLengthSprout$} +\notsprout{$\MAXMONEY$, $\PRFOutputLengthSprout$\sapling{, $\PRFOutputLengthNfSapling$, and $\DiversifierLength$}} be as defined in \crossref{constants}. Let $\NoteCommitSproutAlg$ be as defined in \crossref{concretesproutnotecommit}. 
@@ -2619,12 +2620,11 @@ as described in \crossref{foundersreward}. \subsubsection{\HashFunctions} \label{abstracthashes} Let $\MerkleDepthSprout$, $\MerkleHashLengthSprout$, -\sapling{$\MerkleDepthSapling$, $\MerkleHashLengthSapling$, $\InViewingKeyLength$,} +\sapling{$\MerkleDepthSapling$, $\MerkleHashLengthSapling$, $\InViewingKeyLength$, $\DiversifierLength$,} $\RandomSeedLength$, $\hSigLength$, and $\NOld$ be as defined in \crossref{constants}. \sapling{ -% \todo{define the abstract protocol over a generic group.} -Let $\GroupJ$, $\ParamJ{r}$, and $\ellJ$ be as defined in \crossref{jubjub}. +Let $\GroupJ$, $\SubgroupJ$, $\ParamJ{r}$, and $\ellJ$ be as defined in \crossref{jubjub}. } %sapling \sprout{ @@ -2646,7 +2646,7 @@ Both of these functions are instantiated in \crossref{merklecrh}. } %notsprout \changed{ -$\hSigCRH{} \typecolon \bitseq{\RandomSeedLength} \times \typeexp{\PRFOutput}{\NOld} \times \JoinSplitSigPublic \rightarrow \hSigType$ +$\hSigCRH{} \typecolon \bitseq{\RandomSeedLength} \times \typeexp{\PRFOutputSprout}{\NOld} \times \JoinSplitSigPublic \rightarrow \hSigType$ is a \collisionResistant \hashFunction used in \crossref{joinsplitdesc}. It is instantiated in \crossref{hsigcrh}. @@ -2670,7 +2670,7 @@ to derive the unique $\NoteAddressRand$ value for a \Sapling \note. It is also u in the \spendStatement to confirm use of the correct $\NoteAddressRand$ value as an input to \nullifier derivation. It is instantiated in \crossref{concretemixinghash}. -$\DiversifyHash \typecolon \DiversifierType \rightarrow \GroupJ$ is a \hashFunction +$\DiversifyHash \typecolon \DiversifierType \rightarrow \SubgroupJ$ is a \hashFunction satisfying the Discrete Logarithm Independence property (which implies \collisionResistance\!\!) described in \crossref{abstractgrouphash}. It is used to derive a \diversifiedBase from a \diversifier in \crossref{saplingkeycomponents}. 
@@ -2684,8 +2684,9 @@ It is instantiated in \crossref{concretediversifyhash}. $\PRF{x}{}$ is a \pseudoRandomFunction keyed by $x$. Let $\AuthPrivateLength$, $\NoteAddressPreRandLength$, $\hSigLength$, -$\PRFOutputLengthSprout$, \sapling{$\PRFOutputLengthNfSapling$,} $\NOld$, and $\NNew$ -be as defined in \crossref{constants}. +$\PRFOutputLengthSprout$, \sapling{$\SpendingKeyLength$, $\OutViewingKeyLength$, +$\PRFOutputLengthExpand$, $\PRFOutputLengthNfSapling$,} +$\NOld$, and $\NNew$ be as defined in \crossref{constants}. \sapling{ Let $\ellJ$ and $\SubgroupReprJ$ be as defined in \crossref{jubjub}. @@ -2771,8 +2772,8 @@ a shared secret, each using their private key and the other party's public key. A \keyAgreementScheme $\KA$ defines a type of public keys $\KAPublic$, a type of private keys $\KAPrivate$, and a type of shared secrets $\KASharedSecret$. -Let $\KAFormatPrivate \typecolon \PRFOutput \rightarrow \KAPrivate$ be a function -to convert a bit string of length $\PRFOutputLength$ to a $\KA$ private key. +\sapling{Optional:} Let $\KAFormatPrivate \typecolon \PRFOutputSprout \rightarrow \KAPrivate$ +be a function to convert a bit string of length $\PRFOutputLengthSprout$ to a $\KA$ private key. Let $\KADerivePublic \typecolon \KAPrivate \times \KAPublic \rightarrow \KAPublic$ be a function that derives the $\KA$ public key corresponding to a given $\KA$ @@ -3171,7 +3172,7 @@ Let $\NoteCommitRandLength$, $\MerkleHashLengthSprout$, $\PRFOutputLengthSprout$ $\ValueLength$ be as defined in \crossref{constants}. \sapling{ -Let $\GroupJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}. +Let $\SubgroupJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}. } %sapling \sprout{ 
@@ -3185,9 +3186,9 @@ Define: $\NoteCommitSproutOutput := \bitseq{\MerkleHashLengthSprout}$; \sapling{ \item $\NoteCommitSaplingTrapdoor := \GF{\ParamJ{r}}$ and - $\NoteCommitSaplingOutput := \GroupJ$; + $\NoteCommitSaplingOutput := \SubgroupJ$; \item $\ValueCommitTrapdoor := \GF{\ParamJ{r}}$ and - $\ValueCommitOutput := \GroupJ$. + $\ValueCommitOutput := \SubgroupJ$. } %sapling \end{formulae} } %notsprout @@ -3271,9 +3272,9 @@ $\scalarmult{a}{G}$ meaning $\scalarmult{a \bmod \ParamG{r}}{G}$ as defined abov \subsubsection{\HashExtractor} \label{abstractextractor} A \hashExtractor for a \representedGroup $\GroupG{}$ is a function -$\ExtractG \typecolon \GroupG{} \rightarrow T$ for some type $T$, -such that $\ExtractG$ is injective on the subgroup of $\GroupG{}$ of order -$\ParamG{r}$. +$\ExtractG \typecolon \SubgroupG{} \rightarrow T$ for some type $T$, +such that $\ExtractG$ is injective on $\SubgroupG{}$ (the subgroup of $\GroupG{}$ +of order $\ParamG{r}$). \vspace{-2ex} \pnote{ 
@@ -3287,19 +3288,20 @@ efficiently computable left inverse. \introlist \subsubsection{\GroupHash} \label{abstractgrouphash} -Given a represented group $\GroupG{}$ and a type $\CRSType$, we define a -\term{family of group hashes into\, $\GroupG{}$} as a function +Given a represented group $\GroupG{}$ with prime-order subgroup $\SubgroupG$, +and a type $\CRSType$, we define a \term{family of group hashes into\, $\SubgroupG$} +as a function \begin{formulae} - \item $\GroupGHash{} \typecolon \CRSType \times \bitseq{\ell} \rightarrow \GroupG{}$ + \item $\GroupGHash{} \typecolon \CRSType \times (\byteseq{8} \times \byteseqs) \rightarrow \SubgroupG$ \end{formulae} \vspace{-2ex} \securityrequirement{\textbf{Discrete Logarithm Independence} For a randomly selected member $\GroupGHash{\CRS}$ of the family, it is infeasible to find -a sequence of distinct inputs $m_{\alln} \typecolon \typeexp{\bitseq{\ell}}{n}$ -and a sequence of nonzero scalars $x_{\alln} \typecolon \typeexp{\GFstar{\ParamG{r}}}{n}$ +a sequence of \emph{distinct} inputs $m_{\alln} \typecolon \typeexp{(\byteseq{8} \times \byteseqs)}{n}$ +and a sequence of nonzero $x_{\alln} \typecolon \typeexp{\GFstar{\ParamG{r}}}{n}$ such that $\ssum{i = 1}{n}\!\left(\scalarmult{x_i}{\GroupGHash{\CRS}(m_i)}\right) = \ZeroG{}$. } @@ -3317,6 +3319,9 @@ such that $\ssum{i = 1}{n}\!\left(\scalarmult{x_i}{\GroupGHash{\CRS}(m_i)}\right group hash algorithm to be used. This mitigates the possibility that the group hash algorithm could have been backdoored. + \item The input element with type $\byteseq{8}$ is intended to act as a + ``personalization'' parameter to distinguish uses of the \groupHash for + different purposes. \end{nnotes} } %sapling 
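Review bot: The new codomain `\rightarrow \SubgroupG` of the abstract group hash admits `\ZeroG{}`, yet the Discrete Logarithm Independence requirement directly below becomes trivially violated for any input m with `\GroupGHash{\CRS}(m) = \ZeroG{}` (take n = 1 and x_1 = 1), so the abstract type and the security requirement are not mutually consistent as written. The concrete Jubjub instantiation elsewhere in this patch is typed `\PrimeOrderJ` (i.e. `\SubgroupJ \difference \ZeroJ`) and can also yield ⊥, which is the shape the abstract definition should mirror; I would change the item to `\item $\GroupGHash{} \typecolon \CRSType \times (\byteseq{8} \times \byteseqs) \rightarrow \maybe{(\SubgroupG \difference \ZeroG{})}$` or, if ⊥ is meant to stay instantiation-specific, at least exclude `\ZeroG{}` from the codomain. A one-line remark that the identity must be excluded precisely because of the DLI requirement would make the reason explicit for implementers of other groups.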
@@ -3468,6 +3473,8 @@ them to be the $\Groth$ \provingKeys and \notsprout{\subsubsection{\Sprout{} \KeyComponents}} \label{sproutkeycomponents} +Let $\AuthPrivateLength$ be as defined in \crossref{constants}. + Let $\PRFaddr{}$ be a \pseudoRandomFunction, instantiated in \crossref{concreteprfs}. Let $\KASprout$ be a \keyAgreementScheme, instantiated in \crossref{concretesproutkeyagreement}. @@ -3492,7 +3499,10 @@ as follows:} \sapling{ \subsubsection{\Sapling{} \KeyComponents} \label{saplingkeycomponents} -Let $\PRFexpand{}$ and $\PRFock{}$ be \pseudoRandomFunctions, instantiated in \crossref{concreteprfs}. +Let $\PRFOutputLengthExpand$, $\SpendingKeyLength$, $\OutViewingKeyLength$, and $\DiversifierLength$ +be as defined in \crossref{constants}. + +Let $\PRFexpand{}$ and $\PRFock{}$ be \pseudoRandomFunctions instantiated in \crossref{concreteprfs}. Let $\KASapling$ be a \keyAgreementScheme, instantiated in \crossref{concretesaplingkeyagreement}. 
@@ -3503,17 +3513,16 @@ Let $\DiversifyHash$ be a \hashFunction, instantiated in \crossref{concretediver Let $\SpendAuthSig$, instantiated in \crossref{concretespendauthsig}, be a \rerandomizableSignatureScheme. +Let $\reprJ$, $\SubgroupJ$, and $\SubgroupReprJ$ be as defined in \crossref{jubjub}. + Let $\FindGroupJHash$ be as defined in \crossref{concretegrouphashjubjub}. -Let $\AuthProveBase = \FindGroupJHashOf{\ascii{Zcash\_H\_}, \ascii{}}$. - -Let $\reprJ$ be the representation function for the $\JubjubCurve$ \representedGroup, -instantiated in \crossref{jubjub}. - Let $\LEBStoOSP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$ and $\LEOStoIP{} \typecolon (\ell \typecolon \Nat \suchthat \ell \bmod 8 = 0) \times \byteseq{\ell/8} \rightarrow \binaryrange{\ell}$ be as defined in \crossref{endian}. +Define $\AuthProveBase := \FindGroupJHashOf{\ascii{Zcash\_H\_}, \ascii{}}$. + Define $\ToScalar(x \typecolon \PRFOutputExpand) := \LEOStoIPOf{\PRFOutputLengthExpand}{x} \pmod{\ParamJ{r}}$. A new \Sapling \spendingKey $\SpendingKey$ is generated by choosing a bit sequence 
@@ -3523,24 +3532,13 @@ uniformly at random from $\SpendingKeyType$. From this \spendingKey, the \authSigningKey $\AuthSignPrivate$ and \authProvingKey $\AuthProvePrivate$ are derived as follows: -\begin{formulae} - \item $\AuthSignPrivate := \ToScalar(\PRFexpand{\SpendingKey}([0]))$ - \item $\AuthProvePrivate := \ToScalar(\PRFexpand{\SpendingKey}([1]))$ - \item $\OutViewingKey := \truncate{32}(\PRFexpand{\SpendingKey}([2]))$ -\end{formulae} -} %sapling +\vspace{-0.5ex} +\begin{tabular}{@{\hskip 1.7em}r@{\;}l} + $\AuthSignPrivate$ &$:= \ToScalar(\PRFexpand{\SpendingKey}([0]))$ \\ + $\AuthProvePrivate$ &$:= \ToScalar(\PRFexpand{\SpendingKey}([1]))$ \\ + $\OutViewingKey$ &$:= \truncate{(\OutViewingKeyLength/8)}(\PRFexpand{\SpendingKey}([2]))$ +\end{tabular} -\newsavebox{\crhivkinputbox} -\begin{lrbox}{\crhivkinputbox} -\begin{bytefield}[bitwidth=0.06em]{512} -\sapling{ - \sbitbox{256}{$\LEBStoOSPOf{256}{\reprJOf{\AuthSignPublic}\kern 0.05em}$} & - \sbitbox{256}{$\LEBStoOSPOf{256}{\reprJOf{\AuthProvePublic}\kern 0.05em}$} -} -\end{bytefield} -\end{lrbox} - -\sapling{ \vspace{1ex} $\AuthSignPublic$, $\AuthProvePublic$, and $\InViewingKey$ are then derived as: @@ -3548,7 +3546,7 @@ $\AuthSignPublic$, $\AuthProvePublic$, and $\InViewingKey$ are then derived as: \begin{tabular}{@{\hskip 1.7em}r@{\;}l} $\AuthSignPublic$ &$:= \SpendAuthSigDerivePublic(\AuthSignPrivate)$ \\ $\AuthProvePublic$ &$:= \scalarmult{\AuthProvePrivate}{\AuthProveBase}$ \\ - $\InViewingKey$ &$:= \CRHivkBox{\crhivkinputbox}$. + \plap{$\InViewingKey$}{$\OutViewingKey$} &$:= \CRHivk\big(\reprJOf{\AuthSignPublic}, \reprJOf{\AuthProvePublic}\kern-0.08em\big)$. \end{tabular} If $\InViewingKey = 0$, discard this key and repeat with a new $\SpendingKey$. 
@@ -3592,7 +3590,8 @@ Define: \Diversifier, &\caseotherwise \end{cases}$ \item $\DefaultDiversifier(\sk \typecolon \SpendingKeyType) := - \first\big(\fun{i \typecolon \byte}{\CheckDiversifier(\truncate{(\DiversifierLength/8)}(\PRFexpand{\sk}([3, i]))) \typecolon \GroupJ}\big)$. + \first\big(\fun{i \typecolon \byte}{\CheckDiversifier(\truncate{(\DiversifierLength/8)}(\PRFexpand{\sk}([3, i]))) + \typecolon \maybe{\SubgroupJ}}\big)$. \end{formulae} For a random \spendingKey, $\DefaultDiversifier$ returns $\bot$ with probability approximately $2^{-256}$; @@ -3628,12 +3627,12 @@ if this happens, discard the key and repeat with a different $\SpendingKey$. is computationally indistinguishable from that of $\SpendAuthSigGenPrivate()$ (defined in \crossref{concretespendauthsig}). \item Similarly, the distribution of $\AuthProvePrivate$, i.e.\ - $\PRFexpand{\SpendingKey}([1]) : \SpendingKey \leftarrowR \SpendingKeyType$, + $\ToScalar(\PRFexpand{\SpendingKey}([1])) : \SpendingKey \leftarrowR \SpendingKeyType$, is computationally indistinguishable from the uniform distribution on $\GF{\ParamJ{r}}$. - Since $\fun{\AuthProvePrivate \typecolon \GF{\ParamJ{r}}} - {\reprJOf{\scalarmult{\AuthProvePrivate}{\AuthProveBase}} \typecolon \GroupJ}$ - is injective, the distribution of $\reprJOf{\AuthProvePublic}$ will be computationally - indistinguishable from the uniform distribution on $\SubgroupReprJ$ (defined in \crossref{jubjub}) + Since $\fun{\AuthProvePrivate \typecolon \GF{\ParamJ{r}}^{\vphantom{X}}} + {\reprJOf{\scalarmult{\AuthProvePrivate}{\AuthProveBase}} \typecolon \SubgroupReprJ}$ + is bijective, the distribution of $\reprJOf{\AuthProvePublic}$ will be computationally + indistinguishable from the uniform distribution on $\SubgroupReprJ$ which is the keyspace of $\PRFnfSapling{}$. \end{nnotes} } %sapling 
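Review bot: The lambda in `\DefaultDiversifier` is now annotated `\typecolon \maybe{\SubgroupJ}`, but the visible `\caseotherwise` branch of `\CheckDiversifier` returns `\Diversifier`, so the value that `\first` selects is a diversifier (or ⊥), not a Jubjub point; the annotation should read `\typecolon \maybe{\DiversifierType}`. The `\begin{cases}` of `\CheckDiversifier` starts above the hunk, so I cannot see the other branch, but nothing visible returns a group element. The previous `\typecolon \GroupJ` had the same mismatch, so this is a pre-existing error that the patch carries over while otherwise tightening types.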
@@ -3648,6 +3647,20 @@ Each \transaction includes a sequence of zero or more \joinSplitDescriptions. When this sequence is non-empty, the \transaction also includes encodings of a $\JoinSplitSig$ public verification key and signature. +Let $\MerkleHashLengthSprout$, $\PRFOutputLengthSprout$, $\RandomSeedLength$, +$\NOld$, $\NNew$, and $\MAXMONEY$ be as defined in \crossref{constants}. + +Let $\hSigCRH$ be as defined in \crossref{abstracthashes}. + +Let $\NoteCommitSprout{}$ be as defined in \crossref{abstractcommit}. + +Let $\KASprout$ be as defined in \crossref{abstractkeyagreement}. + +Let $\Sym$ be as defined in \crossref{abstractsym}. + +Let $\JoinSplit$ be as defined in \crossref{abstractzk}. + +\vspace{1ex} \introlist A \joinSplitDescription consists of $(\vpubOld, \vpubNew, \rt, \nfOld{\allOld}, \cmNew{\allNew}, \EphemeralPublic, \RandomSeed, \h{\allOld}, \ProofJoinSplit, @@ -3658,11 +3671,11 @@ where the value that the \joinSplitTransfer removes from the \transparentValuePool}; \item $\vpubNew \typecolon \range{0}{\MAXMONEY}$ is the value that the \joinSplitTransfer inserts into the \transparentValuePool; - \item $\rt \typecolon \MerkleHash$ is an \anchor, as defined in + \item $\rt \typecolon \MerkleHashSprout$ is an \anchor, as defined in \crossref{blockchain}, for the output \treestate of either a previous \block, or a previous \joinSplitTransfer in this \transaction. - \item $\nfOld{\allOld} \typecolon \typeexp{\PRFOutput}{\NOld}$ is + \item $\nfOld{\allOld} \typecolon \typeexp{\PRFOutputSprout}{\NOld}$ is the sequence of \nullifiers for the input \notes; \item $\cmNew{\allNew} \typecolon \typeexp{\NoteCommitSproutOutput}{\NNew}$ is the sequence of \noteCommitments for the output \notes; 
@@ -3672,7 +3685,7 @@ where \item \changed{$\RandomSeed \typecolon \RandomSeedType$ is a seed that must be chosen independently at random for each \joinSplitDescription}; - \item $\h{\allOld} \typecolon \typeexp{\PRFOutput}{\NOld}$ is + \item $\h{\allOld} \typecolon \typeexp{\PRFOutputSprout}{\NOld}$ is a sequence of tags that bind $\hSig$ to each $\AuthPrivate$ of the input \notes; \item $\ProofJoinSplit \typecolon \JoinSplitProof$ is a \zkProof with @@ -3692,8 +3705,6 @@ $\joinSplitPubKey$ of the containing \transaction: \item $\hSig := \hSigCRH(\changed{\RandomSeed, \nfOld{\allOld},\,} \joinSplitPubKey)$. \end{formulae} -$\hSigCRH$ is instantiated in \crossref{hsigcrh}. - \vspace{2ex} \begin{consensusrules} \item Elements of a \joinSplitDescription{} \MUST have the types given @@ -3719,6 +3730,11 @@ Let $\MerkleHashLengthSapling$ and $\PRFOutputLengthNfSapling$ be as defined in Let $\ValueCommitOutput$ be as defined in \crossref{abstractcommit}. +Let $\SpendAuthSig$ be as defined in \crossref{spendauthsig}. + +Let $\Spend$ be as defined in \crossref{abstractzk}. + +\vspace{1ex} \introlist A \spendDescription consists of $(\cv, \rt, \nf, \AuthSignRandomizedPublic, \ProofSpend, \spendAuthSig)$ where @@ -3761,6 +3777,13 @@ An \outputTransfer, as specified in \crossref{spendsandoutputs}, is encoded in Each \transaction includes a sequence of zero or more \outputDescriptions. There are no signatures associated with \outputDescriptions. +Let $\KASapling$ be as defined in \crossref{abstractkeyagreement}. + +Let $\Sym$ be as defined in \crossref{abstractsym}. + +Let $\Spend$ be as defined in \crossref{abstractzk}. + +\vspace{1ex} \introlist An \outputDescription consists of $(\cv, \cmU, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \ProofOutput)$ where 
@@ -3917,6 +3940,12 @@ The fields in a \joinSplitDescription allow for $\NOld$ input \notes, and $\NNew$ output \notes. In practice, we may wish to encode a \joinSplitTransfer with fewer input or output \notes. This is achieved using \dummyNotes. +Let $\AuthPrivateLength$ and $\PRFOutputLengthSprout$ be as defined in \crossref{constants}. + +Let $\PRFnf{}$ be as defined in \crossref{abstractprfs}. + +Let $\NoteCommitSproutTrapdoor$ be as defined in \crossref{abstractcommit}. + \introlist \changed{ A \dummy{} \SproutOrNothing input \note, with index $i$ in the \joinSplitDescription, @@ -3926,7 +3955,7 @@ is constructed as follows: \item Generate a new uniformly random \spendingKey $\AuthPrivateOld{i} \leftarrowR \bitseq{\AuthPrivateLength}$ and derive its \payingKey $\AuthPublicOld{i}$. \item \vspace{-0.5ex} Set $\vOld{i} = 0$. - \item Choose uniformly random $\NoteAddressRandOld{i} \leftarrowR \PRFOutput$ + \item Choose uniformly random $\NoteAddressRandOld{i} \leftarrowR \PRFOutputSprout$ and $\NoteCommitRandOld{i} \leftarrowR \NoteCommitSproutTrapdoor$. \item Compute $\nfOld{i} = \PRFnf{\AuthPrivateOld{i}}(\NoteAddressRandOld{i})$. \item Construct a \dummy \merklePath $\TreePath{i}$ for use in the @@ -3948,6 +3977,16 @@ otherwise unused inputs as in the case of a \joinSplitDescription; nevertheless it may be useful for privacy to obscure the number of real \shieldedInputs from \Sapling{} \notes{}. +Let $\SpendingKeyLength$ be as defined in \crossref{constants}. + +Let $\ParamJ{r}$ and $\reprJ$ be as defined in \crossref{jubjub}. + +Let $\AuthProveBase$ be as defined in \crossref{saplingkeycomponents}. + +Let $\PRFnfSapling{}$ be as defined in \crossref{abstractprfs}. + +Let $\NoteCommitSaplingTrapdoor$ be as defined in \crossref{abstractcommit}. + \introlist A \dummy{} \Sapling input \note is constructed as follows: 
@@ -4155,13 +4194,15 @@ Instead of generating a key pair at random, we generate it as a function of the and the \balancingValue. \vspace{2ex} +Let $\SubgroupJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}. + \introlist Let $\ValueCommit{}$, $\ValueCommitValueBase$, and $\ValueCommitRandBase$ be as defined in \crossref{concretevaluecommit}: \begin{formulae} \item $\ValueCommit{} \typecolon \ValueCommitTrapdoor \times \ValueCommitType \rightarrow \ValueCommitOutput$; - \item $\ValueCommitValueBase \typecolon \GroupJ$ is the value base in $\ValueCommit{}$; - \item $\ValueCommitRandBase \typecolon \GroupJ$ is the randomness base in $\ValueCommit{}$. + \item $\ValueCommitValueBase \typecolon \SubgroupJ$ is the value base in $\ValueCommit{}$; + \item $\ValueCommitRandBase \typecolon \SubgroupJ$ is the randomness base in $\ValueCommit{}$. \end{formulae} $\BindingSig$, $\combplus$, and $\grpplus$ are instantiated in \crossref{concretebindingsig}. @@ -4390,12 +4431,12 @@ A valid instance of $\ProofJoinSplit$ assures that given a \primaryInput: \vspace{-1ex} \begin{formulae} \item $\oparen\rt \typecolon \MerkleHashSprout,\\ - \hparen\nfOld{\allOld} \typecolon \typeexp{\PRFOutput}{\NOld},\\ + \hparen\nfOld{\allOld} \typecolon \typeexp{\PRFOutputSprout}{\NOld},\\ \hparen\cmNew{\allNew} \typecolon \typeexp{\NoteCommitSproutOutput}{\NNew},\vspace{0.6ex}\\ \hparen\changed{\vpubOld \typecolon \ValueType,}\vspace{0.6ex}\\ \hparen\vpubNew \typecolon \ValueType,\\ \hparen\hSig \typecolon \hSigType,\\ - \hparen\h{\allOld} \typecolon \smash{\typeexp{\PRFOutput}{\NOld}\cparen}$, + \hparen\h{\allOld} \typecolon \smash{\typeexp{\PRFOutputSprout}{\NOld}\cparen}$, \end{formulae} \vspace{-1ex} \introlist 
@@ -4484,10 +4525,13 @@ Let $\ValueCommitAlg$ and $\NoteCommitSaplingAlg$ be as specified in \crossref{a Let $\SpendAuthSig$ be as defined in \crossref{concretespendauthsig}. -Let $\GroupJ$ and the cofactor $\ParamJ{h}$ be as defined in \crossref{jubjub}. +Let $\GroupJ$, $\SubgroupJ$, $\ParamJ{q}$, $\ParamJ{r}$, and $\ParamJ{h}$ be as defined in \crossref{jubjub}. -Let $\ExtractJ$ be as defined in \crossref{concreteextractorjubjub}. +Let $\ExtractJ \typecolon \SubgroupJ \rightarrow \GF{\ParamJ{q}}$ be as defined in \crossref{concreteextractorjubjub}. +Let $\AuthProveBase$ be as defined in \crossref{saplingkeycomponents}. + +\intropart A valid instance of $\ProofSpend$ assures that given a \primaryInput: \begin{formulae} @@ -5447,9 +5491,9 @@ $\PedersenHash$ is used in the \incrementalMerkleTree over \noteCommitments (\crossref{merkletree}) and in the definition of \xPedersenCommitments (\crossref{concretewindowedcommit}). -Let $\GroupJ$ be as defined in \crossref{jubjub}. +Let $\GroupJ$, $\SubgroupJ$, $\ZeroJ$, $\ParamJ{q}$, $\ParamJ{r}$, $\ParamJ{a}$, and $\ParamJ{d}$ be as defined in \crossref{jubjub}. -Let $\ExtractJ$ be as defined in \crossref{concreteextractorjubjub}. +Let $\ExtractJ \typecolon \SubgroupJ \rightarrow \GF{\ParamJ{q}}$ be as defined in \crossref{concreteextractorjubjub}. Let $\FindGroupJHash$ be as defined in \crossref{concretegrouphashjubjub}. @@ -5464,7 +5508,7 @@ Let $c := 63$. \introlist \vspace{2ex} -Define $\PedersenGenAlg \typecolon \byteseq{8} \times \Nat \rightarrow \GroupJ$ by: +Define $\PedersenGenAlg \typecolon \byteseq{8} \times \Nat \rightarrow \PrimeOrderJ$ by: \begin{formulae} \item $\PedersenGen{D}{i} := \FindGroupJHashOf{D, \Justthebox{\gencountbox}}$. 
@@ -5474,7 +5518,7 @@ Define $\PedersenGenAlg \typecolon \byteseq{8} \times \Nat \rightarrow \GroupJ$ \vspace{2ex} \introsection -Define $\PedersenHashToPoint(D \typecolon \byteseq{8}, M \typecolon \bitseq{\PosInt})$ as follows: +Define $\PedersenHashToPoint(D \typecolon \byteseq{8}, M \typecolon \bitseq{\PosInt}) \rightarrow \SubgroupJ$ as follows: \begin{formulae} \item Pad $M$ to a multiple of $3$ bits by appending zero bits, giving $M'$. @@ -5483,7 +5527,7 @@ Define $\PedersenHashToPoint(D \typecolon \byteseq{8}, M \typecolon \bitseq{\Pos so that $M' = \concatbits(M_\barerange{1}{n})$, and each of $M_\barerange{1}{n-1}$ is of length $3 \smult c$ bits. ($M_n$ may be shorter.) - \item Return $\vsum{i=1}{n} \scalarmult{\PedersenEncode{M_i}}{\PedersenGen{D}{i}} \typecolon \GroupJ$. + \item Return $\vsum{i=1}{n} \scalarmult{\PedersenEncode{M_i}}{\PedersenGen{D}{i}} \typecolon \SubgroupJ$. \end{formulae} where @@ -5813,6 +5857,7 @@ corresponding to $\AuthProvePublicRepr$, with input in the bits corresponding to $\NoteAddressRand$. Note that $\AuthProvePublicRepr \typecolon \SubgroupReprJ$ is a representation of a point in the $\ParamJ{r}$-order subgroup of the \jubjubCurve, and therefore is not uniformly distributed on $\ReprJ$. +$\SubgroupReprJ$ is defined in \crossref{jubjub}. } } %sapling @@ -5930,11 +5975,11 @@ $\KASapling$ is a \keyAgreementScheme as specified in \crossref{abstractkeyagree It is instantiated as Diffie-Hellman with cofactor multiplication on $\JubjubCurve$ as follows: -Let $\GroupJ$ and the cofactor $\ParamJ{h}$ be as defined in \crossref{jubjub}. +Let $\GroupJ$, $\SubgroupJ$, and the cofactor $\ParamJ{h}$ be as defined in \crossref{jubjub}. Define $\KASaplingPublic := \GroupJ$. -Define $\KASaplingSharedSecret := \GroupJ$. +Define $\KASaplingSharedSecret := \SubgroupJ$. Define $\KASaplingPrivate := \GF{\ParamJ{r}}$. 
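Review bot: Narrowing `\KASaplingSharedSecret` to `\SubgroupJ` while `\KASaplingPublic := \GroupJ` stays unchanged makes explicit that a small-order public key (which the public-key type still allows) maps to `\ZeroJ` under the cofactor-multiplication agreement, and the patch's new definition of `\SubgroupJ` says it includes `\ZeroJ`. If such inputs are meant to be rejected by checks on `\EphemeralPublic` or `g_d` elsewhere (not visible from this hunk), a cross-reference at this definition would stop an implementer from treating `\ZeroJ` as a valid shared secret; if not, a sentence such as `Note that $\KASaplingSharedSecret$ includes $\ZeroJ$; callers \MUST handle this case.` should state the intended behaviour.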
@@ -6050,13 +6095,12 @@ We first describe the scheme $\RedDSA$ over a general \representedGroup. Its parameters are: \begin{itemize} \item a \representedGroup $\GroupG{}$, which also defines - a subgroup order $\ParamG{r}$, a cofactor $\ParamG{h}$, + a subgroup $\SubgroupG$ of order $\ParamG{r}$, a cofactor $\ParamG{h}$, a group operation $+$, an additive identity $\ZeroG{}$, a bit-length $\ellG{}$, a representation function $\reprG{}$, and an abstraction function $\abstG{}$, as specified in \crossref{abstractgroup}; - \item a generator $\GenG{}$ of the subgroup of $\GroupG{}$ of - order $\ParamG{r}$; + \item $\GenG{}$, a generator of $\SubgroupG$; \item a bit-length $\RedDSAHashLength \typecolon \Nat$ such that $2^{\RedDSAHashLength-128} \geq \ParamG{r}$ and $\RedDSAHashLength \bmod 8 = 0$; \item a cryptographic \hashFunction $\RedDSAHash \typecolon \byteseqs \rightarrow \byteseq{\RedDSAHashLength/8}$. @@ -6181,7 +6225,7 @@ The scheme $\RedJubjub$ specializes $\RedDSA$ with: \item $\RedDSAHash(x) := \BlakeTwobOf{512}{\ascii{Zcash\_RedJubjubH}, x}$ as defined in \crossref{concreteblake2}. \end{itemize} -The generator $\GenG{}$ is left as an unspecified parameter, which is different between +The generator $\GenG{} \typecolon \SubgroupG$ is left as an unspecified parameter, which is different between $\BindingSig$ and $\SpendAuthSig$. } %sapling @@ -6667,6 +6711,10 @@ Let $\abstJ \typecolon \ReprJ \rightarrow \maybe{\GroupJ}$ be the left inverse of $\reprJ$ such that if $S$ is not in the range of $\reprJ$, then $\abstJOf{S} = \bot$. +Define $\SubgroupJ$ as the order-$\ParamJ{r}$ subgroup of $\GroupJ$. Note that this includes $\ZeroJ$. + +Define $\SubgroupReprJ := \setof{\reprJ(P) \typecolon \ReprJ \suchthat P \in \SubgroupJ}$. + \begin{nnotes} \item The encoding of a compressed twisted Edwards point used here is consistent with that used in EdDSA \cite{BJLSY2015} for public keys and 
@@ -6692,36 +6740,35 @@ other conditions on points, for example that they have order at least $\ParamJ{r Let $\SelectuOf{(u, \varv)} = u$ and let $\SelectvOf{(u, \varv)} = \varv$. -Let $\ExtractJ \typecolon \GroupJ \rightarrow \GF{\ParamJ{q}}$ be $\Selectu$. +Let $\ExtractJ \typecolon \SubgroupJ \rightarrow \GF{\ParamJ{q}}$ be $\Selectu$. -Let $G$ be the subgroup of $\GroupJ$ of order $\ParamJ{r}$ (an odd prime). - -\facts{The point $(0, 1) = \ZeroJ$, and the point $(0, -1)$ has order $2$ in $\GroupJ$.} +\facts{The point $(0, 1) = \ZeroJ$, and the point $(0, -1)$ has order $2$ in $\GroupJ$. +$\SubgroupJ$ is of odd-prime order.} % \vspace{2ex} \begin{lemma*} -Let $P = (u, \varv) \in G$. Then $(u, -\varv) \notin G$. +Let $P = (u, \varv) \in \SubgroupJ$. Then $(u, -\varv) \notin \SubgroupJ$. \end{lemma*} \begin{proof} -If $P = \ZeroJ$ then $(u, -\varv) = (0, -1) \notin G$. +If $P = \ZeroJ$ then $(u, -\varv) = (0, -1) \notin \SubgroupJ$. Else, $P$ is of odd-prime order. Note that $\varv \neq 0$. (If $\varv = 0$ then $a \mult u^2 = 1$, and so applying the doubling formula gives $\scalarmult{2}{P} = (0, -1)$, then $\scalarmult{4}{P} = (0, 1) = \ZeroJ$; contradiction since then $P$ would not be of odd-prime order.) Therefore, $-\varv \neq \varv$. -Now suppose $(u, -\varv) = Q$ is a point in $G$. Then by applying the +Now suppose $(u, -\varv) = Q$ is a point in $\SubgroupJ$. Then by applying the doubling formula we have $\scalarmult{2}{Q} = -\scalarmult{2}{P}$. But also $\scalarmult{2}{(-P)} = -\scalarmult{2}{P}$. Therefore either $Q = -P$ (then $\SelectvOf{Q} = \SelectvOf{-P}$\,; contradiction since -$-\varv \neq \varv$), or doubling is not injective on $G$ (contradiction -since $G$ is of odd order \cite{KvE2013}). +$-\varv \neq \varv$), or doubling is not injective on $\SubgroupJ$ (contradiction +since $\SubgroupJ$ is of odd order \cite{KvE2013}). \end{proof} \vspace{0.5ex} \begin{theorem} \label{thmselectuinjective} -$\Selectu$ is injective on $G$. 
+$\Selectu$ is injective on $\SubgroupJ$. \end{theorem} \begin{proof} @@ -6731,8 +6778,8 @@ potentially exceptional case $1 - d \smult u^2 = 0$ does not occur for a complete twisted Edwards curve, we see that for a given $u$ there can be at most two possible solutions for $\varv$, and that if there are two solutions they can be written as $\varv$ and $-\varv$. In that case by the Lemma, at -most one of $(u, \varv)$ and $(u, -\varv)$ is in $G$. Therefore, $\Selectu$ -is injective on points in $G$. +most one of $(u, \varv)$ and $(u, -\varv)$ is in $\SubgroupJ$. Therefore, $\Selectu$ +is injective on points in $\SubgroupJ$. \end{proof} } @@ -6754,7 +6801,7 @@ let $M \typecolon \byteseqs$ be the hash input. \vspace{2ex} \introlist -The hash $\GroupJHash{\CRS}(D, M)$ is calculated as follows: +The hash $\GroupJHash{\CRS}(D, M) \typecolon \PrimeOrderJ$ is calculated as follows: \begin{formulae} \item $P := \abstJOf{\LEOStoBSPOf{256}{\BlakeTwosOf{256}{D,\, \CRS \bconcat\, M}}}$ @@ -6767,8 +6814,8 @@ Define $\first \typecolon (\byte \rightarrow \maybe{T}) \rightarrow \maybe{T}$ so that $\first(f) = f(i)$ where $i$ is the least integer in $\byte$ such that $f(i) \neq \bot$, or $\bot$ if no such $i$ exists. -Let $\FindGroupJHashOf{D, M} = -\first(\fun{i \typecolon \byte}{\GroupJHash{\CRS}(D, M \bconcat\, [i]) \typecolon \GroupJ})$. +Define $\FindGroupJHashOf{D, M} := +\first(\fun{i \typecolon \byte}{\GroupJHash{\CRS}(D, M \bconcat\, [i]) \typecolon \maybe{(\PrimeOrderJ)}})$. \begin{pnotes} \item The $\BlakeTwos{256}$ chaining variable after processing $\CRS$ may be precomputed. 
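Review bot: `\GroupJHash{\CRS}(D, M) \typecolon \PrimeOrderJ` is inconsistent with `\FindGroupJHash` in the next hunk, whose lambda is typed `\maybe{(\PrimeOrderJ)}` and whose use of `\first` only makes sense if `\GroupJHash{\CRS}` can return ⊥; the ⊥-returning steps of the computation lie below this hunk, but the declared type should already be `\typecolon \maybe{(\PrimeOrderJ)}`. Since `\PrimeOrderJ` excludes `\ZeroJ`, this declaration is also what guarantees that the `\PedersenGen` bases derived from `\FindGroupJHash` are non-identity generators, which is the property the Discrete Logarithm Independence requirement relies on, so a brief remark to that effect would help.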
@@ -9008,6 +9055,13 @@ found by Brian Warner. \item Remove the consensus rule ``If $\nJoinSplit > 0$, the \transaction{} \MUSTNOT use \sighashTypes other than $\SIGHASHALL$.'', which was never implemented. +\sapling{ + \item Use the more precise subgroup types $\SubgroupG$ and $\SubgroupJ$ in preference to + $\GroupG{}$ and $\GroupJ$ where applicable. + \item Correct or improve the types of $\GroupJHash{}$, $\FindGroupJHash$, $\ExtractJ$, $\PRFexpand{}$, and $\CRHivk$. + \item Ensure that \Sprout functions and values are given \Sprout-specific types where appropriate. + \item Improve cross-referencing. +} %sapling \end{itemize} \introlist