More cosmetics.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
1f02902d6e
commit
8dd6074164
@ -696,7 +696,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\merkleInternalNode}{\term{internal node}}
|
||||
\newcommand{\merkleInternalNodes}{\term{internal nodes}}
|
||||
\newcommand{\MerkleInternalNodes}{\term{Internal nodes}}
|
||||
\newcommand{\merklePath}{\term{Merkle tree path}}
|
||||
\newcommand{\merklePath}{\term{Merkle path}}
|
||||
\newcommand{\merkleLayer}{\term{layer}}
|
||||
\newcommand{\merkleLayers}{\term{layers}}
|
||||
\newcommand{\merkleIndex}{\term{index}}
|
||||
|
@ -813,7 +813,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\ascii}[1]{\textbf{``\texttt{#1}''}}
|
||||
\newcommand{\Justthebox}[2][-1.8ex]{\raisebox{#1}{\;\usebox{#2}\;}}
|
||||
\newcommand{\setof}[1]{\{{#1}\}}
|
||||
\newcommand{\powerset}[1]{\raisebox{-0.28ex}{\scalebox{1.25}{$\mathscr{P}$}}\kern -0.35em\left(\strut{#1}\right)}
|
||||
\newcommand{\powerset}[1]{\raisebox{-0.28ex}{\scalebox{1.25}{$\mathscr{P}$}}\kern -0.2em\big(\strut{#1}\big)}
|
||||
\newcommand{\barerange}[2]{{{#1}\,..\,{#2}}}
|
||||
\newcommand{\range}[2]{\setof{\barerange{#1}{#2}}}
|
||||
\newcommand{\rangenozero}[2]{\range{#1}{#2} \difference \setof{0}}
|
||||
|
@ -916,6 +916,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\PaymentAddressSecondByte}{\hexint{9A}}
|
||||
\newcommand{\InViewingKey}{\mathsf{ivk}}
|
||||
\newcommand{\InViewingKeyLength}{\ell_{\InViewingKey}}
|
||||
\newcommand{\InViewingKeyTypeSapling}{\binaryrange{\InViewingKeyLength}}
|
||||
\newcommand{\InViewingKeyLeadByte}{\hexint{A8}}
|
||||
\newcommand{\InViewingKeySecondByte}{\hexint{AB}}
|
||||
\newcommand{\InViewingKeyThirdByte}{\hexint{D3}}
|
||||
|
@ -1100,7 +1101,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\KASaplingPublic}{\KASapling\mathsf{.Public}}
|
||||
\newcommand{\KASaplingPrivate}{\KASapling\mathsf{.Private}}
|
||||
\newcommand{\KASaplingSharedSecret}{\KASapling\mathsf{.SharedSecret}}
|
||||
\newcommand{\KASaplingFormatPrivate}{\KASapling\mathsf{.FormatPrivate}}
|
||||
\newcommand{\KASaplingDerivePublic}{\KASapling\mathsf{.DerivePublic}}
|
||||
\newcommand{\KASaplingAgree}{\KASapling\mathsf{.Agree}}
|
||||
|
||||
|
@ -1151,6 +1151,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\nf}{\mathsf{nf}}
|
||||
\newcommand{\nfOld}[1]{\nf^\mathsf{old}_{#1}}
|
||||
\newcommand{\Memo}{\mathsf{memo}}
|
||||
\newcommand{\MemoByteLength}{512}
|
||||
\newcommand{\DecryptNoteSprout}{\mathtt{DecryptNote\notsprout{Sprout}}}
|
||||
\newcommand{\DecryptNoteSapling}{\mathtt{DecryptNoteSapling}}
|
||||
\newcommand{\ReplacementCharacter}{\textsf{U+FFFD}}
|
||||
|
@ -2367,7 +2368,7 @@ knowledge of $\AuthSignPrivate$.}
|
|||
Transmitted \notes are stored on the \blockchain in encrypted form, together with
|
||||
a representation of the \noteCommitment $\cm$.
|
||||
|
||||
The \notePlaintexts in a \joinSplitDescription are encrypted to the
|
||||
The \notePlaintexts in each \joinSplitDescription are encrypted to the
|
||||
respective \transmissionKeys $\TransmitPublicNew{\allNew}$.
|
||||
Each \SproutOrNothing{} \notePlaintext (denoted $\NotePlaintext{}$) consists of
|
||||
$(\Value, \NoteAddressRand, \NoteCommitRand\changed{, \Memo})$.
|
||||
|
@ -2467,8 +2468,8 @@ In a given \blockchain, \sapling{for each of \Sprout and \Sapling,}
|
|||
\transaction.
|
||||
\end{itemize}
|
||||
|
||||
\joinSplitDescriptions also have interstitial input and output
|
||||
\treestates\notsprout{ for \Sprout}, explained in the following section.
|
||||
\changed{\joinSplitDescriptions also have interstitial input and output
|
||||
\treestates\notsprout{ for \Sprout}, explained in the following section.}
|
||||
\sapling{There is no equivalent of interstitial \treestates for \Sapling.}
|
||||
|
||||
|
||||
|
@ -2694,11 +2695,11 @@ It is instantiated in \crossref{equihashgen}.
|
|||
}
|
||||
|
||||
\sapling{
|
||||
$\CRHivk \typecolon \ReprJ \times \ReprJ \rightarrow \binaryrange{\InViewingKeyLength}$
|
||||
$\CRHivk \typecolon \ReprJ \times \ReprJ \rightarrow \InViewingKeyTypeSapling$
|
||||
is a \collisionResistant \hashFunction used in \crossref{saplingkeycomponents}
|
||||
to derive an \incomingViewingKey for a \Sapling \paymentAddress. It is also used
|
||||
in the \spendStatement (\crossref{spendstatement}) to confirm use of the correct
|
||||
key for the \note being spent. It is instantiated in \crossref{concretecrhivk}.
|
||||
keys for the \note being spent. It is instantiated in \crossref{concretecrhivk}.
|
||||
|
||||
$\MixingPedersenHash \typecolon \GroupJ \times \range{0}{\ParamJ{r}-1}
|
||||
\rightarrow \GroupJ$ is a \hashFunction used in \crossref{commitmentsandnullifiers}
|
||||
|
@ -3072,12 +3073,12 @@ $Q \typecolon \powerset{\SigMessage \times \SigSignature}$ initialized to $\seto
|
|||
that records queried messages and corresponding signatures.
|
||||
|
||||
\vspace{1ex}
|
||||
\begin{formulae}
|
||||
\begin{algorithm}
|
||||
\item $\Oracle_{\sk} :=$ var $Q \leftarrow \setof{}$ in $\fun{(m \typecolon \SigMessage, \SigRandomizer \typecolon \SigRandom)}{}$
|
||||
\item \tab let $\sigma = \SigSign{\SigRandomizePrivate(\SigRandomizer, \sk)}(m)$
|
||||
\item \tab $Q \leftarrow Q \union \setof{(m, \sigma)}$
|
||||
\item \tab return $\sigma \typecolon \SigSignature$.
|
||||
\end{formulae}
|
||||
\end{algorithm}
|
||||
|
||||
For random $\sk \leftarrowR \SigGenPrivate()$ and $\vk = \SigDerivePublic(\sk)$, it must be
|
||||
infeasible for an adversary given $\vk$ and a new instance of $\Oracle_{\sk}$ to find
|
||||
|
@ -3165,8 +3166,8 @@ when at least one of $\sk_{\alln}$ is unknown.)
|
|||
\introlist
|
||||
\subsubsection{Commitment} \label{abstractcommit}
|
||||
|
||||
A \commitmentScheme is a function that, given a random \commitmentTrapdoor
|
||||
and an input, can be used to commit to the input in such a way that:
|
||||
A \commitmentScheme is a function that, given a \commitmentTrapdoor generated at
|
||||
random and an input, can be used to commit to the input in such a way that:
|
||||
|
||||
\begin{itemize}
|
||||
\item no information is revealed about it without the \trapdoor (\quotedterm{hiding}),
|
||||
|
@ -3184,7 +3185,7 @@ Let $\CommitAlg \typecolon \CommitTrapdoor \times \CommitInput \rightarrow \Comm
|
|||
be a function satisfying the following security requirements.
|
||||
|
||||
\vspace{-2ex}
|
||||
\begin{securityrequirements}
|
||||
\begin{securityrequirements}[leftmargin=2em]
|
||||
\item \textbf{Computational hiding:} For all $x, x' \typecolon \CommitInput$,
|
||||
the distributions $\{\; \Commit{r}(x) \;|\; r \leftarrowR \CommitTrapdoor \;\}$
|
||||
and $\{\; \Commit{r}(x') \;|\; r \leftarrowR \CommitTrapdoor \;\}$ are
|
||||
|
@ -3518,9 +3519,9 @@ We omit the key subscripts on $\JoinSplitProve$ and
|
|||
$\JoinSplitVerify$, taking them to be the $\PHGR$ \provingKey
|
||||
and \verifyingKey defined in \crossref{sproutparameters}.
|
||||
|
||||
Similarly, we omit the key subscripts on $\SpendProve$,
|
||||
We also omit subscripts on $\SpendProve$,
|
||||
$\SpendVerify$, $\OutputProve$, and $\OutputVerify$, taking
|
||||
them to be the $\Groth$ \provingKeys and
|
||||
them to be the relevant $\Groth$ \provingKeys and
|
||||
\verifyingKeys defined in \crossref{saplingparameters}.
|
||||
} %sapling
|
||||
|
||||
|
@ -3893,7 +3894,7 @@ random on $\bitseq{\RandomSeedLength}$, and selects
|
|||
the input \notes. At this point there is sufficient information to compute $\hSig$,
|
||||
as described in the previous section. \changed{The sender also chooses $\NoteAddressPreRand$
|
||||
uniformly at random on $\bitseq{\NoteAddressPreRandLength}$.}
|
||||
Then it creates each output \note with index $i \typecolon \setofNew$ as follows:
|
||||
Then it creates each output \note with index $i \typecolon \setofNew$:
|
||||
|
||||
\begin{itemize}
|
||||
\item Choose uniformly random $\NoteCommitRandNew{i} \leftarrowR \NoteCommitSproutTrapdoor$.
|
||||
|
@ -4432,7 +4433,7 @@ For each \spendDescription, the signer uses a fresh \spendAuthRandomizer $\AuthS
|
|||
\end{enumerate}
|
||||
|
||||
\introlist
|
||||
The $\spendAuthSig$ and $\ProofSpend$ are included in the \spendDescription.
|
||||
The resulting $\spendAuthSig$ and $\ProofSpend$ are included in the \spendDescription.
|
||||
|
||||
\vspace{-1ex}
|
||||
\pnote{
|
||||
|
@ -4668,7 +4669,7 @@ $\nfOld{} = \PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRandRepr)$ where
|
|||
\begin{formulae}
|
||||
\item $\AuthProvePublicRepr = \reprJOf{\scalarmult{\AuthProvePrivate}{\AuthProveBase}}$
|
||||
\vspace{-1ex}
|
||||
\item $\NoteAddressRandRepr = \reprJ\big(\MixingPedersenHash(\cmOld{}, \NotePosition)\big)$.
|
||||
\item $\NoteAddressRandRepr = \reprJ\big(\MixingPedersenHash(\cmOld{}, \NotePosition)\kern-0.12em\big)$.
|
||||
\end{formulae}
|
||||
|
||||
\vspace{-1ex}
|
||||
|
@ -4800,7 +4801,7 @@ are combined to form a \notesCiphertext.
|
|||
For both encryption and decryption,
|
||||
|
||||
\begin{itemize}
|
||||
\item let $\Sym$ be the \encryptionScheme instantiated in \crossref{concretesym};
|
||||
\item let $\Sym$ be the scheme instantiated in \crossref{concretesym};
|
||||
\item let $\KDFSprout$ be the \keyDerivationFunction instantiated in \crossref{concretesproutkdf};
|
||||
\item let $\KASprout$ be the \keyAgreementScheme instantiated in \crossref{concretesproutkeyagreement};
|
||||
\item let $\hSig$ be the value computed for this \joinSplitDescription in \crossref{joinsplitdesc}.
|
||||
|
@ -4815,7 +4816,7 @@ Let $\KASprout$ be the \keyAgreementScheme instantiated in \crossref{concretespr
|
|||
Let $\TransmitPublicNew{\allNew}$ be the \transmissionKeys
|
||||
for the intended recipient addresses of each new \note.
|
||||
|
||||
Let $\NotePlaintext{\allNew}$ be the \SproutOrNothing \notePlaintexts as
|
||||
Let $\NotePlaintext{\allNew}$ be \SproutOrNothing \notePlaintexts
|
||||
defined in \crossref{notept}.
|
||||
|
||||
\introlist
|
||||
|
@ -5019,7 +5020,7 @@ $\NoteAddressRand$ value can immediately be calculated as described in
|
|||
|
||||
To test whether a \Sapling{} \note is unspent in a particular \blockchain also requires
|
||||
the \nullifierKey $\AuthProvePublicRepr$; the coin is unspent if and only if
|
||||
$\nf = \PRFnfSapling{\AuthProvePublicRepr}(\reprJ(\NoteAddressRand))$ is not in the
|
||||
$\nf = \PRFnfSapling{\AuthProvePublicRepr}\big(\reprJ(\NoteAddressRand)\kern-0.15em\big)$ is not in the
|
||||
\nullifierSet for that \blockchain.
|
||||
|
||||
\vspace{-3ex}
|
||||
|
@ -5044,7 +5045,7 @@ Let $(\EphemeralPublic, \TransmitCiphertext{})$ be the \noteCiphertext from the
|
|||
|
||||
\introlist
|
||||
\vspace{1ex}
|
||||
Once detected, the \outgoingViewingKey holder will attempt to decrypt the \noteCiphertext as follows:
|
||||
The \outgoingViewingKey holder will attempt to decrypt the \noteCiphertext as follows:
|
||||
|
||||
\introlist
|
||||
\begin{algorithm}
|
||||
|
@ -6108,8 +6109,6 @@ Define $\KASaplingSharedSecret := \SubgroupJ$.
|
|||
|
||||
Define $\KASaplingPrivate := \GF{\ParamJ{r}}$.
|
||||
|
||||
Define $\KASaplingFormatPrivate(x) := x$.
|
||||
|
||||
Define $\KASaplingDerivePublic(\sk, B) := \scalarmult{\sk}{B}$.
|
||||
|
||||
Define $\KASaplingAgree(\sk, P) := \scalarmult{\ParamJ{h} \mult \sk}{P}$.
|
||||
|
@ -7154,7 +7153,7 @@ Each \Sapling \notePlaintext (denoted $\NotePlaintext{}$) consists of
|
|||
$(\Diversifier, \Value, \NoteCommitRand, \Memo)$.
|
||||
}
|
||||
|
||||
\changed{$\Memo$ is a 512-byte \memo associated with this \note.
|
||||
\changed{$\Memo$ is a $\MemoByteLength$-byte \memo associated with this \note.
|
||||
|
||||
\introlist
|
||||
The usage of the \memo is by agreement between the sender and recipient of the
|
||||
|
@ -7162,7 +7161,7 @@ The usage of the \memo is by agreement between the sender and recipient of the
|
|||
|
||||
\begin{itemize}
|
||||
\item a UTF-8 human-readable string \cite{Unicode}, padded by appending zero bytes; or
|
||||
\item an arbitrary sequence of 512 bytes starting with a byte value of $\hexint{F5}$
|
||||
\item an arbitrary sequence of $\MemoByteLength$ bytes starting with a byte value of $\hexint{F5}$
|
||||
or greater, which is therefore not a valid UTF-8 string.
|
||||
\end{itemize}
|
||||
|
||||
|
@ -7191,7 +7190,7 @@ The encoding of a \SproutOrNothing \notePlaintext consists of:
|
|||
&}\sbitbox{180}{$64$-bit $\Value$} &
|
||||
\sbitbox{256}{$256$-bit $\NoteAddressRand$} &
|
||||
\sbitbox{256}{\changed{$256$}-bit $\NoteCommitRand$} &
|
||||
\changed{\sbitbox{800}{$\Memo$ ($512$ bytes)}}
|
||||
\changed{\sbitbox{800}{$\Memo$ ($\MemoByteLength$ bytes)}}
|
||||
\end{bytefield}
|
||||
\end{equation*}
|
||||
|
||||
|
@ -7204,7 +7203,7 @@ The encoding of a \SproutOrNothing \notePlaintext consists of:
|
|||
\item $32$ bytes specifying $\NoteAddressRand$.
|
||||
\item \changed{32} bytes specifying $\NoteCommitRand$.
|
||||
\changed{
|
||||
\item $512$ bytes specifying $\Memo$.
|
||||
\item $\MemoByteLength$ bytes specifying $\Memo$.
|
||||
}
|
||||
\end{itemize}
|
||||
|
||||
|
@ -7219,7 +7218,7 @@ The encoding of a \Sapling \notePlaintext consists of:
|
|||
\sbitbox{240}{$88$-bit $\Diversifier$}
|
||||
\sbitbox{180}{$64$-bit $\Value$}
|
||||
\sbitbox{256}{$256$-bit $\NoteCommitRand$}
|
||||
\sbitbox{800}{$\Memo$ ($512$ bytes)}
|
||||
\sbitbox{800}{$\Memo$ ($\MemoByteLength$ bytes)}
|
||||
\end{bytefield}
|
||||
\end{equation*}
|
||||
|
||||
|
@ -7229,7 +7228,7 @@ The encoding of a \Sapling \notePlaintext consists of:
|
|||
\item $11$ bytes specifying $\Diversifier$.
|
||||
\item $8$ bytes specifying $\Value$.
|
||||
\item $32$ bytes specifying $\NoteCommitRand$.
|
||||
\item $512$ bytes specifying $\Memo$.
|
||||
\item $\MemoByteLength$ bytes specifying $\Memo$.
|
||||
\end{itemize}
|
||||
} %sapling
|
||||
|
||||
|
@ -7479,7 +7478,7 @@ The raw encoding of an \incomingViewingKey consists of:
|
|||
\item $32$ bytes (little-endian) specifying $\InViewingKey$.
|
||||
\end{itemize}
|
||||
|
||||
$\InViewingKey$ \MUST be in the range $\binaryrange{\InViewingKeyLength}$ as specified
|
||||
$\InViewingKey$ \MUST be in the range $\InViewingKeyTypeSapling$ as specified
|
||||
in \crossref{saplingkeycomponents}. That is, a decoded \incomingViewingKey{} \MUST be
|
||||
considered invalid if $\InViewingKey$ is not in this range.
|
||||
|
||||
|
@ -8034,13 +8033,13 @@ Bytes & \heading{Name} & \heading{Data Type} & \heading{Description} \\
|
|||
\hhline{|=|=|=|=|}
|
||||
|
||||
$32$ & $\cvField$ & \type{char[32]} & A \valueCommitment to the value of the output \note,
|
||||
$\LEBStoOSPOf{256}{\cv}$. \\ \hline
|
||||
$\LEBStoOSPOf{256}{\reprJOf{\cv}\kern 0.05em}$. \\ \hline
|
||||
|
||||
$32$ & $\cmField$ & \type{char[32]} & The \noteCommitment for the output \note,
|
||||
$\LEBStoOSPOf{256}{\cmU}$ where $\cmU = \ItoLEBSPOf{\MerkleHashLengthSapling}{\ExtractJ(\cm)}$. \\ \hline
|
||||
|
||||
$32$ & $\ephemeralKey$ & \type{char[32]} & An encoding of a $\JubjubCurve$ public key $\EphemeralPublic$
|
||||
(see \crossref{concretesaplingkeyagreement}). \\ \hline
|
||||
$32$ & $\ephemeralKey$ & \type{char[32]} & An encoding of an ephemeral $\JubjubCurve$ public key,
|
||||
$\LEBStoOSPOf{256}{\reprJOf{\EphemeralPublic}}$. \\ \hline
|
||||
|
||||
$580$ & $\encCiphertext$ & \type{char[580]} & A ciphertext component for the
|
||||
encrypted output \note, $\TransmitCiphertext{}$. \\ \hline
|
||||
|
|
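Review bot: The rewritten $\ephemeralKey$ row in the Output-description table (the `@ -8034` hunk) drops the only pointer to where the ephemeral key's encoding and validation rules are specified, so an implementer reading the table no longer knows which section governs accepting or rejecting the 32 bytes; the old row had `(see \crossref{concretesaplingkeyagreement})`. Since decoding an attacker-supplied curve point is exactly where a consensus or note-decryption implementation needs the precise rule, the reference should be kept alongside the new explicit encoding: `$32$ & $\ephemeralKey$ & \type{char[32]} & An encoding of an ephemeral $\JubjubCurve$ public key, $\LEBStoOSPOf{256}{\reprJOf{\EphemeralPublic}}$ (see \crossref{concretesaplingkeyagreement}). \\ \hline`. The same applies to the $\cvField$ row, which now states the encoding as $\reprJOf{\cv}$ but gives no reference for what a decoder MUST reject; presumably that rule lives in the Jubjub or value-commitment section outside this hunk, so a matching crossref there would be consistent. The table continues beyond the end of the hunk.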