Group Hash and DiversifyHash refactoring. Also fix an error in the definition of set difference.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2018-06-22 22:11:30 +01:00 · 2018-06-22 22:11:30 +01:00 · 8c80decd3b
parent f480f351b7
commit 8c80decd3b
1 changed files with 158 additions and 80 deletions
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@ -530,7 +530,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\HashExtractor}{\titleterm{Hash Extractor}}
 \newcommand{\groupHash}{\term{group hash}}
 \newcommand{\groupHashes}{\term{group hashes}}
-\newcommand{\GroupHash}{\titleterm{Group Hash}}
 \newcommand{\representedPairing}{\term{represented pairing}}
 \newcommand{\RepresentedPairing}{\titleterm{Represented Pairing}}
 \newcommand{\RepresentedGroupsAndPairings}{\titleterm{Represented Groups and Pairings}}
@ -545,7 +544,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\JubjubCurve}{\mathsf{Jubjub}}
 \newcommand{\jubjubCurve}{\term{Jubjub curve}}
 \newcommand{\Jubjub}{\titleterm{Jubjub}}
-\newcommand{\commonRandomString}{\term{Common Random String}}
+\newcommand{\uniformRandomString}{\term{Uniform Random String}}
+\newcommand{\uniformRandomStrings}{\term{Uniform Random Strings}}
 \newcommand{\BNRepresentedPairing}{\titleterm{BN-254}}
 \newcommand{\BLSRepresentedPairing}{\titleterm{BLS12-381}}
 \newcommand{\ppzkSNARK}{\term{preprocessing zk-SNARK}}
@ -782,6 +782,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\bconcat}{\mathop{\kern 0.05em||}}
 \newcommand{\listcomp}[1]{\overlap{0.06em}{\ensuremath{[}}~{#1}~\overlap{0.06em}{\ensuremath{]}}}
 \newcommand{\fun}[2]{{#1} \mapsto {#2}}
+\newcommand{\exclusivefun}[3]{{#1} \mapsto_{\neq\kern 0.05em{#3}\!} {#2}}
 \newcommand{\first}{\mathsf{first}}
 \newcommand{\for}{\text{ for }}
 \newcommand{\from}{\text{ from }}
@ -1478,6 +1479,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\Selectv}{\scalebox{1.53}{$\varv$}}
 \newcommand{\SelectvOf}[1]{\Selectv\!\left({#1}\right)\!}
 \newcommand{\subgroupr}{(\kern-0.075emr\kern-0.075em)}
+\newcommand{\Extract}{\mathsf{Extract}}
+\newcommand{\GroupHash}{\mathsf{GroupHash}}
+\newcommand{\FindGroupHash}{\mathsf{FindGroupHash}}

 \newcommand{\ParamP}[1]{{{#1}_\mathbb{P}}}
 \newcommand{\ParamPexp}[2]{{{#1}_\mathbb{P}\!}^{#2}}
@ -1497,7 +1501,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\GroupGstar}[1]{\mathbb{G}^\ast_{#1}}
 \newcommand{\SubgroupG}{\mathbb{G}_{\subgroupr}}
 \newcommand{\SubgroupReprG}{\SubgroupG^{\ReprNoKern}}
-\newcommand{\GroupGHash}[1]{\mathsf{GroupHash}^{\SubgroupG}_{#1}}
 \newcommand{\CurveG}[1]{\Curve_{\GroupG{#1}}}
 \newcommand{\ZeroG}[1]{\Zero_{\GroupG{#1}}}
 \newcommand{\GenG}[1]{\Generator_{\GroupG{#1}}}
@ -1508,7 +1511,12 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\abstG}[1]{\abst_{\GroupG{#1}}}
 \newcommand{\abstGOf}[2]{\abstG{#1}\!\left({#2}\right)\!}
 \newcommand{\PairingG}{\ParamG{\hat{e}}}
-\newcommand{\ExtractG}{\mathsf{Extract}_{\SubgroupG}}
+
+\newcommand{\ExtractG}{\Extract_{\SubgroupG}}
+\newcommand{\GroupGHash}[1]{\GroupHash^{\SubgroupG}_{#1}}
+\newcommand{\GroupGHashURSType}{\GroupHash\mathsf{.URSType}}
+\newcommand{\GroupGHashInput}{\GroupHash\mathsf{.Input}}
+\newcommand{\URS}{\mathsf{URS}}

 \newcommand{\ParamS}[1]{{{#1}_\mathbb{\hskip 0.03em S}}}
 \newcommand{\ParamSexp}[2]{{{#1}_\mathbb{\hskip 0.03em S}\!}^{#2}}
@ -1530,7 +1538,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\SubgroupJ}{\mathbb{J}_{\subgroupr}}
 \newcommand{\SubgroupReprJ}{\SubgroupJ^{\ReprNoKern}}
 \newcommand{\PrimeOrderJ}{\SubgroupJ \difference \ZeroJ}
-\newcommand{\GroupJHash}[1]{\mathsf{GroupHash}^{\SubgroupJ}_{#1}}
 \newcommand{\CurveJ}{\Curve_{\GroupJ}}
 \newcommand{\ZeroJ}{\Zero_{\GroupJ}}
 \newcommand{\GenJ}{\Generator_{\GroupJ}}
@ -1540,11 +1547,16 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\reprJOf}[1]{\reprJ\!\left({#1}\right)\!}
 \newcommand{\abstJ}{\abst_{\GroupJ}}
 \newcommand{\abstJOf}[1]{\abstJ\!\left({#1}\right)\!}
-\newcommand{\ExtractJ}{\mathsf{Extract}_{\SubgroupJ}}
-\newcommand{\FindGroupJHash}{\mathsf{FindGroupHash}^{\SubgroupJ}}
-\newcommand{\FindGroupJHashOf}[1]{\FindGroupJHash\!\left({#1}\right)\!}
 \newcommand{\SignedScalarLimitJ}{\frac{\ParamJ{r}-1}{2}}

+\newcommand{\ExtractJ}{\Extract_{\SubgroupJ}}
+\newcommand{\GroupJHash}[1]{\GroupHash^{\SubgroupJ}_{#1}}
+\newcommand{\GroupJHashURSType}{\GroupJHash{}\mathsf{.URSType}}
+\newcommand{\GroupJHashInput}{\GroupJHash{}\mathsf{.Input}}
+\newcommand{\HashOutput}{\bytes{H}}
+\newcommand{\FindGroupJHash}{\FindGroupHash^{\SubgroupJ}}
+\newcommand{\FindGroupJHashOf}[1]{\FindGroupJHash\!\left({#1}\right)\!}
+
 \newcommand{\ParamM}[1]{{{#1}_\mathbb{\hskip 0.03em M}}}
 \newcommand{\ParamMexp}[2]{{{#1}_\mathbb{\hskip 0.03em M}\!}^{#2}}

@ -1562,9 +1574,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\xP}{{x_{\hspace{-0.12em}P}}}
 \newcommand{\yP}{{y_{\hspace{-0.03em}P}}}

-\newcommand{\CRS}{\mathsf{CRS}}
-\newcommand{\CRSType}{\mathsf{CRSType}}
-
 % Conversions

 \newcommand{\ECtoOSP}{\mathsf{EC2OSP}}
@ -1942,11 +1951,27 @@ written as subscripts, e.g.\ if $x \typecolon X$, $y \typecolon Y$, and
 $f \typecolon X \times Y \rightarrow Z$, then an invocation of
 $f(x, y)$ can also be written $f_x(y)$.

+$\setof{x \typecolon T \suchthat p_x}$ means the subset of $x$ from $T$
+for which $p_x$ (a boolean expression depending on $x$) holds.
+
+$T \subseteq U$ indicates that $T$ is an inclusive subset or subtype of $U$.
+$S \union T$ means the set union of $S$ and $T$.
+
+$S \intersection T$ means the set intersection of $S$ and $T$,
+i.e.\ $\setof{x \typecolon S \suchthat x \in T}$.
+
 \notsprout{
+$S \difference T$ means the set difference obtained by removing elements
+in $T$ from $S$, i.e. $\setof{x \typecolon S \suchthat x \notin T}$.
+
 $\fun{x \typecolon T}{e_x \typecolon U}$ means the function of type $T \rightarrow U$
 mapping formal parameter $x$ to $e_x$ (an expression depending on~$x$).
 The types $T$ and $U$ are always explicit.

+$\exclusivefun{x \typecolon T}{e_x \typecolon U}{y}$ means
+$\fun{x \typecolon T}{e_x \typecolon U \union \setof{y}}$ restricted to the domain
+$\setof{x \typecolon T \suchthat e_x \neq y}$ and range $U$.
+
 $\powerset{T}$ means the powerset of $T$.
 }

@ -1963,23 +1988,6 @@ $\length(S)$ means the length of (number of elements in) $S$.
 $\truncate{k}(S)$ means the sequence formed from the first $k$ elements of $S$.
 }

-$T \subseteq U$ indicates that $T$ is an inclusive subset or subtype of $U$.
-
-\notsprout{
-$\setof{x \typecolon T \suchthat p(x)}$ means the subset of $x$ from $T$
-for which $p(x)$ holds.
-}
-
-$S \union T$ means the set union of $S$ and $T$, or the type corresponding
-to it.
-
-$S \intersection T$ means the set intersection of $S$ and $T$.
-
-\notsprout{
-$S \difference T$ means the set difference obtained by removing elements
-in $T$ from $S$, i.e. $\setof{x \typecolon S \suchthat x \neq T}$.
-}
-
 $\hexint{}$ followed by a string of $\mathtt{monospace}$ hexadecimal
 digits means the corresponding integer converted from hexadecimal.

@ -2693,9 +2701,8 @@ to derive the unique $\NoteAddressRand$ value for a \Sapling \note. It is also u
 in the \spendStatement to confirm use of the correct $\NoteAddressRand$ value as an
 input to \nullifier derivation. It is instantiated in \crossref{concretemixinghash}.

-$\DiversifyHash \typecolon \DiversifierType \rightarrow \SubgroupJ$ is a \hashFunction
-satisfying the Discrete Logarithm Independence property (which implies \collisionResistance\!\!)
-described in \crossref{abstractgrouphash}.
+$\DiversifyHash \typecolon \DiversifierType \rightarrow \PrimeOrderJ$ is a \hashFunction
+satisfying the Unlinkability security property described in \crossref{concretediversifyhash}.
 It is used to derive a \diversifiedBase from a \diversifier in \crossref{saplingkeycomponents}.
 It is instantiated in \crossref{concretediversifyhash}.
 } %sapling
@ -3311,43 +3318,60 @@ efficiently computable left inverse.

 \sapling{
 \introlist
-\subsubsection{\GroupHash} \label{abstractgrouphash}
+\subsubsection{Group Hash} \label{abstractgrouphash}

 Given a represented group $\GroupG{}$ with prime-order subgroup $\SubgroupG$,
-and a type $\CRSType$, we define a \term{family of group hashes into\, $\SubgroupG$}
-as a function
+a \term{family of group hashes into\, $\SubgroupG$}, $\GroupGHash{}$, consists of:

-\begin{formulae}
-  \item $\GroupGHash{} \typecolon \CRSType \times (\byteseq{8} \times \byteseqs) \rightarrow \SubgroupG$
-\end{formulae}
+\begin{itemize}
+  \item a type $\GroupGHashURSType$ of \uniformRandomStrings;
+  \item a type $\GroupGHashInput$ of inputs;
+  \item a function $\GroupGHash{} \typecolon \GroupGHashURSType \times \GroupGHashInput \rightarrow \SubgroupG$.
+\end{itemize}
+
+In \crossref{concretegrouphashjubjub}, we instantiate a family of group hashes into
+the \jubjubCurve defined by \crossref{jubjub}.

 \vspace{-2ex}
-\securityrequirement{\textbf{Discrete Logarithm Independence}
-
-For a randomly selected member $\GroupGHash{\CRS}$ of the family, it is infeasible to find
-a sequence of \emph{distinct} inputs $m_{\alln} \typecolon \typeexp{(\byteseq{8} \times \byteseqs)}{n}$
-and a sequence of nonzero $x_{\alln} \typecolon \typeexp{\GFstar{\ParamG{r}}}{n}$
-such that $\ssum{i = 1}{n}\!\left(\scalarmult{x_i}{\GroupGHash{\CRS}(m_i)}\right) = \ZeroG{}$.
-}
+\securityrequirement{
+For a randomly selected $\URS \typecolon \GroupGHashURSType$,
+it must be reasonble to model $\GroupGHash{\URS}$ (restricted to inputs for which it does
+not return $\bot$) as a random oracle.
+} %securityrequirement

 \vspace{-1ex}
 \begin{nnotes}
-  \item This property implies (and is stronger than) collision-resistance,
-        since a collision $(m_1, m_2)$ for $\GroupGHash{\CRS}$ trivially gives a
-        discrete logarithm relation with $x_1 = 1$ and $x_2 = -1$.
-  \item An alternative approach is to model $\GroupGHash{\CRS}$ as a random
-        oracle, and assume that the Discrete Logarithm Problem is hard in
-        the group. We prefer to avoid the Random Oracle Model and instead make
-        a more specific standard-model assumption, which is effectively no
-        stronger than the assumptions made in the random oracle approach.
-  \item $\CRS$ is a \commonRandomString; we choose it verifiably at random
+\vspace{-0.5ex}
+  \item $\GroupJHash{}$ is used to obtain generators of the \jubjubCurve for various purposes:
+        the bases $\AuthSignBase$ and $\AuthProveBase$ used in \Sapling key generation,
+        the \xPedersenHash defined in \crossref{concretepedersenhash}, and
+        the commitment schemes defined in \crossref{concretewindowedcommit} and
+        in \crossref{concretehomomorphiccommit}.
+
+        The security property needed for these uses can alternatively be defined in the
+        standard model as follows:
+
+        \textbf{Discrete Logarithm Independence}:
+        For a randomly selected member $\GroupGHash{\URS}$ of the family, it is infeasible to find
+        a sequence of \emph{distinct} inputs $m_{\alln} \typecolon \typeexp{\GroupGHashInput}{n}$
+        and a sequence of nonzero $x_{\alln} \typecolon \typeexp{\GFstar{\ParamG{r}}}{n}$
+        such that $\ssum{i = 1}{n}\!\left(\scalarmult{x_i}{\GroupGHash{\URS}(m_i)}\right) = \ZeroG{}$.
+  \item Under the Discrete Logarithm assumption on $\GroupG{}$, a random oracle almost surely satisfies
+        Discrete Logarithm Independence.
+  \item Discrete Logarithm Independence implies \collisionResistance\!,
+        since a collision $(m_1, m_2)$ for $\GroupGHash{\URS}$ trivially gives a
+        discrete logarithm relation with $x_1 = 1$ and $x_2 = -1$. It is in fact
+        stronger than \collisionResistance\!.
+  \item $\GroupJHash{}$ is also used to instantiate $\DiversifyHash$ in \crossref{concretediversifyhash}.
+        We do not know how to prove the Unlinkability property defined in that section
+        in the standard model, but in a model where $\GroupJHash{}$ (restricted to
+        inputs for which it does not return $\bot$) is taken as a random oracle,
+        it is implied by the Decisional Diffie-Hellman assumption on $\SubgroupJ$.
+  \item $\URS$ is a \uniformRandomString; we choose it verifiably at random
        (see \crossref{beacon}), \emph{after} fixing the concrete
        group hash algorithm to be used.
        This mitigates the possibility that the group hash algorithm could have
        been backdoored.
-  \item The input element with type $\byteseq{8}$ is intended to act as a
-        ``personalization'' parameter to distinguish uses of the \groupHash for
-        different purposes.
 \end{nnotes}
 } %sapling

@ -3540,9 +3564,8 @@ Let $\DiversifyHash$ be a \hashFunction, instantiated in \crossref{concretediver
 Let $\SpendAuthSig$, instantiated in \crossref{concretespendauthsig},
 be a \rerandomizableSignatureScheme.

-Let $\reprJ$, $\SubgroupJ$, and $\SubgroupReprJ$ be as defined in \crossref{jubjub}.
-
-Let $\FindGroupJHash$ be as defined in \crossref{concretegrouphashjubjub}.
+Let $\reprJ$, $\SubgroupJ$, and $\SubgroupReprJ$ be as defined in \crossref{jubjub}, and
+let $\FindGroupJHash$ be as defined in \crossref{concretegrouphashjubjub}.

 Let $\LEBStoOSP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$
 and $\LEOStoIP{} \typecolon (\ell \typecolon \Nat \suchthat \ell \bmod 8 = 0) \times \byteseq{\ell/8} \rightarrow \binaryrange{\ell}$
@ -3617,7 +3640,7 @@ be as defined in \crossref{concretegrouphashjubjub}. Define:
        \end{cases}$
  \item $\DefaultDiversifier(\sk \typecolon \SpendingKeyType) :=
          \first\big(\fun{i \typecolon \byte}{\CheckDiversifier(\truncate{(\DiversifierLength/8)}(\PRFexpand{\sk}([3, i])))
-                                              \typecolon \maybe{\SubgroupJ}}\big)$.
+                                              \typecolon \maybe{(\PrimeOrderJ)}}\big)$.
 \end{formulae}

 For a random \spendingKey, $\DefaultDiversifier$ returns $\bot$ with probability approximately $2^{-256}$;
@ -5547,9 +5570,24 @@ Define

 \vspace{-3ex}
 \securityrequirement{
-$\DiversifyHash$ must satisfy the Discrete Logarithm Independence property
-described in \crossref{abstractgrouphash}.
-}
+\textbf{Unlinkability:} Given two randomly selected
+\paymentAddresses from different spend authorities, and a third \paymentAddress
+which could be derived from either of those authorities, it is not possible to
+tell which authority the third address was derived from.}
+
+\begin{nnotes}
+  \item Suppose that $\GroupJHash{}$ (restricted to inputs for which it does not
+        return $\bot$) is modelled as a random oracle from \diversifiers to points
+        of order $\ParamJ{r}$ on the \jubjubCurve. In this model, Unlinkability
+        of $\DiversifyHash$ holds under the Decisional Diffie-Hellman assumption on the
+        \jubjubCurve.
+  \item Informally, the random self-reducibility property of DDH implies that an
+        adversary would gain no advantage from being able to query an oracle for
+        additional $(\DiversifiedTransmitBase, \DiversifiedTransmitPublic)$ pairs
+        with the same spend authority as an existing \paymentAddress, since they
+        could also create such pairs on their own. This justifies only considering
+        two \paymentAddresses in the security definition.
+\end{nnotes}
 } %sapling


@ -6799,6 +6837,7 @@ be the left inverse of $\reprJ$ such that if $S$ is not in the range of
 $\reprJ$, then $\abstJOf{S} = \bot$.

 Define $\SubgroupJ$ as the order-$\ParamJ{r}$ subgroup of $\GroupJ$. Note that this includes $\ZeroJ$.
+For the set of prime-order points we write $\PrimeOrderJ$.

 Define $\SubgroupReprJ := \setof{\reprJ(P) \typecolon \ReprJ \suchthat P \in \SubgroupJ}$.

@ -6877,9 +6916,17 @@ $\Selectu$ is injective on points in $\SubgroupJ$.

 \sapling{
 \introsection
-\subsubsubsection{\GroupHash{} into \Jubjub} \label{concretegrouphashjubjub}
+\subsubsubsection{Group Hash into \Jubjub} \label{concretegrouphashjubjub}

-Let $\CRS$ be the MPC randomness beacon defined in \crossref{beacon}.
+\vspace{-2ex}
+Let $\GroupGHashInput := \byteseq{8} \times \byteseqs$, and
+let $\GroupGHashURSType := \byteseq{64}$.
+
+(The input element with type $\byteseq{8}$ is intended to act as a
+``personalization'' parameter to distinguish uses of the \groupHash for
+different purposes.)
+
+Let $\URS$ be the MPC randomness beacon defined in \crossref{beacon}.

 Let $\BlakeTwos{256}$ be as defined in \crossref{concreteblake2}.

@ -6892,15 +6939,38 @@ Let $D \typecolon \byteseq{8}$ be an $8$-byte domain separator, and
 let $M \typecolon \byteseqs$ be the hash input.

 \introlist
-The hash $\GroupJHash{\CRS}(D, M) \typecolon \PrimeOrderJ$ is calculated as follows:
+The hash $\GroupJHash{\URS}(D, M) \typecolon \PrimeOrderJ$ is calculated as follows:

 \begin{algorithm}
-  \item $P := \abstJOf{\LEOStoBSPOf{256}{\BlakeTwosOf{256}{D,\, \CRS \bconcat\, M}}}$
-  \item If $P = \bot$ then return $\bot$.
-  \item $Q := \scalarmult{\ParamJ{h}}{P}$
-  \item If $Q = \ZeroJ$ then return $\bot$, else return $Q$.
+  \item let $\HashOutput = \BlakeTwos{256}(D,\, \URS \bconcat\, M)$
+  \item let $P = \abstJOf{\LEOStoBSP{256}(\HashOutput)\kern-0.12em}$
+  \item if $P = \bot$ then return $\bot$
+  \item let $Q = \scalarmult{\ParamJ{h}}{P}$
+  \item if $Q = \ZeroJ$ then return $\bot$, else return $Q$.
 \end{algorithm}

+\vspace{-3ex}
+\begin{pnotes}
+\vspace{-1ex}
+  \item The $\BlakeTwos{256}$ chaining variable after processing $\URS$ may be precomputed.
+  \item The use of $\GroupJHash{\URS}$ for $\DiversifyHash$ and to generate independent bases
+        needs a random oracle (for inputs on which $\GroupJHash{\URS}$ does not return $\bot$);
+        here we show that it is sufficient to employ a simpler random oracle instantiated by
+        $\vphantom{a^b}\BlakeTwos{256}$ in the security analysis.
+
+        $\exclusivefun{\HashOutput \typecolon \byteseq{32}}
+          {\abstJOf{\LEOStoBSP{256}(\HashOutput)\kern-0.12em} \typecolon \GroupJ}{\bot}$
+        is injective, and both it and its inverse are efficiently computable.
+
+        $\exclusivefun{P \typecolon \GroupJ}
+          {\scalarmult{\ParamJ{h}}{P} \typecolon \PrimeOrderJ}{\ZeroJ}$
+        is exactly $\ParamJ{h}$-to-$1$, and both it and its inverse relation are efficiently computable.
+
+        It follows that when $\fun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)}
+          {\BlakeTwosOf{256}{D,\, \URS \bconcat\, M} \typecolon \byteseq{32}}$
+        is modelled as a random oracle, $\exclusivefun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)}
+          {\GroupJHash{\URS}(D, M) \typecolon \PrimeOrderJ}{\bot}$ also acts as a random oracle.
+\end{pnotes}

 \vspace{0.5ex}
 Define $\first \typecolon (\byte \rightarrow \maybe{T}) \rightarrow \maybe{T}$
@ -6908,15 +6978,14 @@ so that $\first(f) = f(i)$ where $i$ is the least integer in $\byte$
 such that $f(i) \neq \bot$, or $\bot$ if no such $i$ exists.

 Define $\FindGroupJHashOf{D, M} :=
-\first(\fun{i \typecolon \byte}{\GroupJHash{\CRS}(D, M \bconcat\, [i]) \typecolon \maybe{(\PrimeOrderJ)}})$.
+\first(\fun{i \typecolon \byte}{\GroupJHash{\URS}(D, M \bconcat\, [i]) \typecolon \maybe{(\PrimeOrderJ)}})$.

-\begin{pnotes}
-  \item The $\BlakeTwos{256}$ chaining variable after processing $\CRS$ may be precomputed.
-  \item For random input, $\FindGroupJHash$ returns $\bot$ with probability approximately $2^{-256}$.
-        In the \Zcash protocol, most uses of $\FindGroupJHash$ are for constants and do not
-        return $\bot$; the only use that could potentially return $\bot$ is in the
-        computation of a \defaultDiversifiedPaymentAddress in \crossref{saplingkeycomponents}.
-\end{pnotes}
+\vspace{-3ex}
+\pnote{For random input, $\FindGroupJHash$ returns $\bot$ with probability approximately $2^{-256}$.
+In the \Zcash protocol, most uses of $\FindGroupJHash$ are for constants and do not
+return $\bot$; the only use that could potentially return $\bot$ is in the
+computation of a \defaultDiversifiedPaymentAddress in \crossref{saplingkeycomponents}.
+} %pnote
 } %sapling


@ -7560,7 +7629,7 @@ These parameters were obtained by a multi-party computation described in \todo{}
 \introsection
 \subsection{Randomness Beacon} \label{beacon}

-Let $\CRS := \ascii{096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b42df0}$.
+Let $\URS := \ascii{096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b42df0}$.

 This value is used in the definition of $\GroupJHash{}$ in \crossref{concretegrouphashjubjub},
 and in the multi-party computation to obtain the \Sapling parameters given in
@ -7576,7 +7645,7 @@ It is derived as described in \cite{Bowe2018}:
 \end{itemize}

 \vspace{-4ex}
-\pnote{$\CRS$ is a $64$-byte US-ASCII string, i.e.\ the first byte is \hexint{30}, not \hexint{09}.}
+\pnote{$\URS$ is a $64$-byte US-ASCII string, i.e.\ the first byte is \hexint{30}, not \hexint{09}.}
 } %sapling


@ -9160,12 +9229,21 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
    \item Remove the consensus rule
          ``If $\nJoinSplit > 0$, the \transaction{} \MUSTNOT use \sighashTypes other than $\SIGHASHALL$.'',
          which was never implemented.
+    \item Correct the definition of set difference ($S \setminus T$).
 \sapling{
    \item Use the more precise subgroup types $\SubgroupG$ and $\SubgroupJ$ in preference to
          $\GroupG{}$ and $\GroupJ$ where applicable.
    \item Correct or improve the types of $\GroupJHash{}$, $\FindGroupJHash$, $\ExtractJ$, $\PRFexpand{}$, and $\CRHivk$.
    \item Ensure that \Sprout functions and values are given \Sprout-specific types where appropriate.
    \item Improve cross-referencing.
+    \item Model the group hash as a random oracle. This appears to be unavoidable in order to allow
+          proving unlinkability of $\DiversifyHash$. Explain how this relates to the Discrete Logarithm
+          Independence assumption used previously, and justify this modelling by showing that it
+          follows from treating $\BlakeTwos{256}$ as a random oracle in the instantiation of
+          $\GroupJHash{}$.
+    \item Rename $\mathsf{CRS}$ (Common Random String) to $\URS$ (\uniformRandomString), to
+          match the terminology adopted at the first zkproof workshop held in Boston, Massachusetts
+          on May~10--11, 2018.
    \item Generalize $\PRFexpand{}$ to accept an arbitrary-length input. (This specification does not
          use that generalization, but \cite{ZIP-32} does.)
    \item Change the notation for a multiplication constraint in \crossref{circuitdesign} to avoid