More cosmetics.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2018-06-22 18:43:50 +01:00
parent 1f02902d6e
commit 8dd6074164
1 changed files with 33 additions and 34 deletions

@ -696,7 +696,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\merkleInternalNode}{\term{internal node}}
\newcommand{\merkleInternalNodes}{\term{internal nodes}}
\newcommand{\MerkleInternalNodes}{\term{Internal nodes}}
\newcommand{\merklePath}{\term{Merkle tree path}}
\newcommand{\merklePath}{\term{Merkle path}}
\newcommand{\merkleLayer}{\term{layer}}
\newcommand{\merkleLayers}{\term{layers}}
\newcommand{\merkleIndex}{\term{index}}
@ -813,7 +813,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ascii}[1]{\textbf{``\texttt{#1}''}}
\newcommand{\Justthebox}[2][-1.8ex]{\raisebox{#1}{\;\usebox{#2}\;}}
\newcommand{\setof}[1]{\{{#1}\}}
\newcommand{\powerset}[1]{\raisebox{-0.28ex}{\scalebox{1.25}{$\mathscr{P}$}}\kern -0.35em\left(\strut{#1}\right)}
\newcommand{\powerset}[1]{\raisebox{-0.28ex}{\scalebox{1.25}{$\mathscr{P}$}}\kern -0.2em\big(\strut{#1}\big)}
\newcommand{\barerange}[2]{{{#1}\,..\,{#2}}}
\newcommand{\range}[2]{\setof{\barerange{#1}{#2}}}
\newcommand{\rangenozero}[2]{\range{#1}{#2} \difference \setof{0}}
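Review bot: The new \powerset hard-codes \big( ... \big), so its delimiters no longer scale with the argument the way \left( ... \right) did, and a tall argument (a fraction, a nested \powerset) would get parentheses that are too short. The one use visible in this patch, \powerset{\SigMessage \times \SigSignature}, is fine at \big size; please check the remaining call sites before merging.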
@ -916,6 +916,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\PaymentAddressSecondByte}{\hexint{9A}}
\newcommand{\InViewingKey}{\mathsf{ivk}}
\newcommand{\InViewingKeyLength}{\ell_{\InViewingKey}}
\newcommand{\InViewingKeyTypeSapling}{\binaryrange{\InViewingKeyLength}}
\newcommand{\InViewingKeyLeadByte}{\hexint{A8}}
\newcommand{\InViewingKeySecondByte}{\hexint{AB}}
\newcommand{\InViewingKeyThirdByte}{\hexint{D3}}
@ -1100,7 +1101,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\KASaplingPublic}{\KASapling\mathsf{.Public}}
\newcommand{\KASaplingPrivate}{\KASapling\mathsf{.Private}}
\newcommand{\KASaplingSharedSecret}{\KASapling\mathsf{.SharedSecret}}
\newcommand{\KASaplingFormatPrivate}{\KASapling\mathsf{.FormatPrivate}}
\newcommand{\KASaplingDerivePublic}{\KASapling\mathsf{.DerivePublic}}
\newcommand{\KASaplingAgree}{\KASapling\mathsf{.Agree}}
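Review bot: Removing the \KASaplingFormatPrivate macro is only safe if every use is gone. This patch deletes one use (the "Define" line in the -6108 hunk), and any other remaining reference would stop the build with an undefined control sequence, so please confirm with a search over the whole source.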
@ -1151,6 +1151,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\nf}{\mathsf{nf}}
\newcommand{\nfOld}[1]{\nf^\mathsf{old}_{#1}}
\newcommand{\Memo}{\mathsf{memo}}
\newcommand{\MemoByteLength}{512}
\newcommand{\DecryptNoteSprout}{\mathtt{DecryptNote\notsprout{Sprout}}}
\newcommand{\DecryptNoteSapling}{\mathtt{DecryptNoteSapling}}
\newcommand{\ReplacementCharacter}{\textsf{U+FFFD}}
@ -2367,7 +2368,7 @@ knowledge of $\AuthSignPrivate$.}
Transmitted \notes are stored on the \blockchain in encrypted form, together with
a representation of the \noteCommitment $\cm$.
The \notePlaintexts in a \joinSplitDescription are encrypted to the
The \notePlaintexts in each \joinSplitDescription are encrypted to the
respective \transmissionKeys $\TransmitPublicNew{\allNew}$.
Each \SproutOrNothing{} \notePlaintext (denoted $\NotePlaintext{}$) consists of
$(\Value, \NoteAddressRand, \NoteCommitRand\changed{, \Memo})$.
@ -2467,8 +2468,8 @@ In a given \blockchain, \sapling{for each of \Sprout and \Sapling,}
\transaction.
\end{itemize}
\joinSplitDescriptions also have interstitial input and output
\treestates\notsprout{ for \Sprout}, explained in the following section.
\changed{\joinSplitDescriptions also have interstitial input and output
\treestates\notsprout{ for \Sprout}, explained in the following section.}
\sapling{There is no equivalent of interstitial \treestates for \Sapling.}
@ -2694,11 +2695,11 @@ It is instantiated in \crossref{equihashgen}.
}
\sapling{
$\CRHivk \typecolon \ReprJ \times \ReprJ \rightarrow \binaryrange{\InViewingKeyLength}$
$\CRHivk \typecolon \ReprJ \times \ReprJ \rightarrow \InViewingKeyTypeSapling$
is a \collisionResistant \hashFunction used in \crossref{saplingkeycomponents}
to derive an \incomingViewingKey for a \Sapling \paymentAddress. It is also used
in the \spendStatement (\crossref{spendstatement}) to confirm use of the correct
key for the \note being spent. It is instantiated in \crossref{concretecrhivk}.
keys for the \note being spent. It is instantiated in \crossref{concretecrhivk}.
$\MixingPedersenHash \typecolon \GroupJ \times \range{0}{\ParamJ{r}-1}
\rightarrow \GroupJ$ is a \hashFunction used in \crossref{commitmentsandnullifiers}
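Review bot: Changing "the correct key" to "the correct keys" in the \CRHivk description alters what the sentence claims rather than its typography, and the plural is left unspecified: the preceding sentence only speaks of deriving a single \incomingViewingKey. Name the keys that the \spendStatement check covers, so the plural has a referent.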
@ -3072,12 +3073,12 @@ $Q \typecolon \powerset{\SigMessage \times \SigSignature}$ initialized to $\seto
that records queried messages and corresponding signatures.
\vspace{1ex}
\begin{formulae}
\begin{algorithm}
\item $\Oracle_{\sk} :=$ var $Q \leftarrow \setof{}$ in $\fun{(m \typecolon \SigMessage, \SigRandomizer \typecolon \SigRandom)}{}$
\item \tab let $\sigma = \SigSign{\SigRandomizePrivate(\SigRandomizer, \sk)}(m)$
\item \tab $Q \leftarrow Q \union \setof{(m, \sigma)}$
\item \tab return $\sigma \typecolon \SigSignature$.
\end{formulae}
\end{algorithm}
For random $\sk \leftarrowR \SigGenPrivate()$ and $\vk = \SigDerivePublic(\sk)$, it must be
infeasible for an adversary given $\vk$ and a new instance of $\Oracle_{\sk}$ to find
@ -3165,8 +3166,8 @@ when at least one of $\sk_{\alln}$ is unknown.)
\introlist
\subsubsection{Commitment} \label{abstractcommit}
A \commitmentScheme is a function that, given a random \commitmentTrapdoor
and an input, can be used to commit to the input in such a way that:
A \commitmentScheme is a function that, given a \commitmentTrapdoor generated at
random and an input, can be used to commit to the input in such a way that:
\begin{itemize}
\item no information is revealed about it without the \trapdoor (\quotedterm{hiding}),
@ -3184,7 +3185,7 @@ Let $\CommitAlg \typecolon \CommitTrapdoor \times \CommitInput \rightarrow \Comm
be a function satisfying the following security requirements.
\vspace{-2ex}
\begin{securityrequirements}
\begin{securityrequirements}[leftmargin=2em]
\item \textbf{Computational hiding:} For all $x, x' \typecolon \CommitInput$,
the distributions $\{\; \Commit{r}(x) \;|\; r \leftarrowR \CommitTrapdoor \;\}$
and $\{\; \Commit{r}(x') \;|\; r \leftarrowR \CommitTrapdoor \;\}$ are
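Review bot: \begin{securityrequirements}[leftmargin=2em] relies on the securityrequirements environment accepting an optional argument, and its definition is not part of this diff. If the environment is not declared with an optional parameter that it forwards to the underlying list, the bracketed text is treated as ordinary content instead of a list option; please confirm against the definition, and consider setting the margin there if other uses want the same indent.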
@ -3518,9 +3519,9 @@ We omit the key subscripts on $\JoinSplitProve$ and
$\JoinSplitVerify$, taking them to be the $\PHGR$ \provingKey
and \verifyingKey defined in \crossref{sproutparameters}.
Similarly, we omit the key subscripts on $\SpendProve$,
We also omit subscripts on $\SpendProve$,
$\SpendVerify$, $\OutputProve$, and $\OutputVerify$, taking
them to be the $\Groth$ \provingKeys and
them to be the relevant $\Groth$ \provingKeys and
\verifyingKeys defined in \crossref{saplingparameters}.
} %sapling
@ -3893,7 +3894,7 @@ random on $\bitseq{\RandomSeedLength}$, and selects
the input \notes. At this point there is sufficient information to compute $\hSig$,
as described in the previous section. \changed{The sender also chooses $\NoteAddressPreRand$
uniformly at random on $\bitseq{\NoteAddressPreRandLength}$.}
Then it creates each output \note with index $i \typecolon \setofNew$ as follows:
Then it creates each output \note with index $i \typecolon \setofNew$:
\begin{itemize}
\item Choose uniformly random $\NoteCommitRandNew{i} \leftarrowR \NoteCommitSproutTrapdoor$.
@ -4432,7 +4433,7 @@ For each \spendDescription, the signer uses a fresh \spendAuthRandomizer $\AuthS
\end{enumerate}
\introlist
The $\spendAuthSig$ and $\ProofSpend$ are included in the \spendDescription.
The resulting $\spendAuthSig$ and $\ProofSpend$ are included in the \spendDescription.
\vspace{-1ex}
\pnote{
@ -4668,7 +4669,7 @@ $\nfOld{} = \PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRandRepr)$ where
\begin{formulae}
\item $\AuthProvePublicRepr = \reprJOf{\scalarmult{\AuthProvePrivate}{\AuthProveBase}}$
\vspace{-1ex}
\item $\NoteAddressRandRepr = \reprJ\big(\MixingPedersenHash(\cmOld{}, \NotePosition)\big)$.
\item $\NoteAddressRandRepr = \reprJ\big(\MixingPedersenHash(\cmOld{}, \NotePosition)\kern-0.12em\big)$.
\end{formulae}
\vspace{-1ex}
@ -4800,7 +4801,7 @@ are combined to form a \notesCiphertext.
For both encryption and decryption,
\begin{itemize}
\item let $\Sym$ be the \encryptionScheme instantiated in \crossref{concretesym};
\item let $\Sym$ be the scheme instantiated in \crossref{concretesym};
\item let $\KDFSprout$ be the \keyDerivationFunction instantiated in \crossref{concretesproutkdf};
\item let $\KASprout$ be the \keyAgreementScheme instantiated in \crossref{concretesproutkeyagreement};
\item let $\hSig$ be the value computed for this \joinSplitDescription in \crossref{joinsplitdesc}.
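Review bot: Replacing \encryptionScheme with the plain word "scheme" in the \Sym item drops the defined-term macro, while the neighbouring items keep \keyDerivationFunction and \keyAgreementScheme, so \Sym becomes the only entry in this list that is not tied to a defined term. Unless the term was wrong for \Sym, keep \encryptionScheme so the items stay parallel.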
@ -4815,7 +4816,7 @@ Let $\KASprout$ be the \keyAgreementScheme instantiated in \crossref{concretespr
Let $\TransmitPublicNew{\allNew}$ be the \transmissionKeys
for the intended recipient addresses of each new \note.
Let $\NotePlaintext{\allNew}$ be the \SproutOrNothing \notePlaintexts as
Let $\NotePlaintext{\allNew}$ be \SproutOrNothing \notePlaintexts
defined in \crossref{notept}.
\introlist
@ -5019,7 +5020,7 @@ $\NoteAddressRand$ value can immediately be calculated as described in
To test whether a \Sapling{} \note is unspent in a particular \blockchain also requires
the \nullifierKey $\AuthProvePublicRepr$; the coin is unspent if and only if
$\nf = \PRFnfSapling{\AuthProvePublicRepr}(\reprJ(\NoteAddressRand))$ is not in the
$\nf = \PRFnfSapling{\AuthProvePublicRepr}\big(\reprJ(\NoteAddressRand)\kern-0.15em\big)$ is not in the
\nullifierSet for that \blockchain.
\vspace{-3ex}
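Review bot: The hand-tuned \kern-0.15em before \big) here differs from the \kern-0.12em used for the same closing pattern in the -4668 hunk, and a third value (\kern 0.05em) appears in the \cvField row of the output description table. Consider one macro for a \big-parenthesised argument so the spacing is set in a single place and stays consistent across these formulas.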
@ -5044,7 +5045,7 @@ Let $(\EphemeralPublic, \TransmitCiphertext{})$ be the \noteCiphertext from the
\introlist
\vspace{1ex}
Once detected, the \outgoingViewingKey holder will attempt to decrypt the \noteCiphertext as follows:
The \outgoingViewingKey holder will attempt to decrypt the \noteCiphertext as follows:
\introlist
\begin{algorithm}
@ -6108,8 +6109,6 @@ Define $\KASaplingSharedSecret := \SubgroupJ$.
Define $\KASaplingPrivate := \GF{\ParamJ{r}}$.
Define $\KASaplingFormatPrivate(x) := x$.
Define $\KASaplingDerivePublic(\sk, B) := \scalarmult{\sk}{B}$.
Define $\KASaplingAgree(\sk, P) := \scalarmult{\ParamJ{h} \mult \sk}{P}$.
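Review bot: Deleting "Define $\KASaplingFormatPrivate(x) := x$." removes a definition from the key agreement instantiation, which is a content change rather than a cosmetic one. Say so in the commit message or move it to its own commit, so that someone scanning the history for specification changes does not pass over it under "More cosmetics".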
@ -7154,7 +7153,7 @@ Each \Sapling \notePlaintext (denoted $\NotePlaintext{}$) consists of
$(\Diversifier, \Value, \NoteCommitRand, \Memo)$.
}
\changed{$\Memo$ is a 512-byte \memo associated with this \note.
\changed{$\Memo$ is a $\MemoByteLength$-byte \memo associated with this \note.
\introlist
The usage of the \memo is by agreement between the sender and recipient of the
@ -7162,7 +7161,7 @@ The usage of the \memo is by agreement between the sender and recipient of the
\begin{itemize}
\item a UTF-8 human-readable string \cite{Unicode}, padded by appending zero bytes; or
\item an arbitrary sequence of 512 bytes starting with a byte value of $\hexint{F5}$
\item an arbitrary sequence of $\MemoByteLength$ bytes starting with a byte value of $\hexint{F5}$
or greater, which is therefore not a valid UTF-8 string.
\end{itemize}
@ -7191,7 +7190,7 @@ The encoding of a \SproutOrNothing \notePlaintext consists of:
&}\sbitbox{180}{$64$-bit $\Value$} &
\sbitbox{256}{$256$-bit $\NoteAddressRand$} &
\sbitbox{256}{\changed{$256$}-bit $\NoteCommitRand$} &
\changed{\sbitbox{800}{$\Memo$ ($512$ bytes)}}
\changed{\sbitbox{800}{$\Memo$ ($\MemoByteLength$ bytes)}}
\end{bytefield}
\end{equation*}
@ -7204,7 +7203,7 @@ The encoding of a \SproutOrNothing \notePlaintext consists of:
\item $32$ bytes specifying $\NoteAddressRand$.
\item \changed{32} bytes specifying $\NoteCommitRand$.
\changed{
\item $512$ bytes specifying $\Memo$.
\item $\MemoByteLength$ bytes specifying $\Memo$.
}
\end{itemize}
@ -7219,7 +7218,7 @@ The encoding of a \Sapling \notePlaintext consists of:
\sbitbox{240}{$88$-bit $\Diversifier$}
\sbitbox{180}{$64$-bit $\Value$}
\sbitbox{256}{$256$-bit $\NoteCommitRand$}
\sbitbox{800}{$\Memo$ ($512$ bytes)}
\sbitbox{800}{$\Memo$ ($\MemoByteLength$ bytes)}
\end{bytefield}
\end{equation*}
@ -7229,7 +7228,7 @@ The encoding of a \Sapling \notePlaintext consists of:
\item $11$ bytes specifying $\Diversifier$.
\item $8$ bytes specifying $\Value$.
\item $32$ bytes specifying $\NoteCommitRand$.
\item $512$ bytes specifying $\Memo$.
\item $\MemoByteLength$ bytes specifying $\Memo$.
\end{itemize}
} %sapling
@ -7479,7 +7478,7 @@ The raw encoding of an \incomingViewingKey consists of:
\item $32$ bytes (little-endian) specifying $\InViewingKey$.
\end{itemize}
$\InViewingKey$ \MUST be in the range $\binaryrange{\InViewingKeyLength}$ as specified
$\InViewingKey$ \MUST be in the range $\InViewingKeyTypeSapling$ as specified
in \crossref{saplingkeycomponents}. That is, a decoded \incomingViewingKey{} \MUST be
considered invalid if $\InViewingKey$ is not in this range.
@ -8034,13 +8033,13 @@ Bytes & \heading{Name} & \heading{Data Type} & \heading{Description} \\
\hhline{|=|=|=|=|}
$32$ & $\cvField$ & \type{char[32]} & A \valueCommitment to the value of the output \note,
$\LEBStoOSPOf{256}{\cv}$. \\ \hline
$\LEBStoOSPOf{256}{\reprJOf{\cv}\kern 0.05em}$. \\ \hline
$32$ & $\cmField$ & \type{char[32]} & The \noteCommitment for the output \note,
$\LEBStoOSPOf{256}{\cmU}$ where $\cmU = \ItoLEBSPOf{\MerkleHashLengthSapling}{\ExtractJ(\cm)}$. \\ \hline
$32$ & $\ephemeralKey$ & \type{char[32]} & An encoding of a $\JubjubCurve$ public key $\EphemeralPublic$
(see \crossref{concretesaplingkeyagreement}). \\ \hline
$32$ & $\ephemeralKey$ & \type{char[32]} & An encoding of an ephemeral $\JubjubCurve$ public key,
$\LEBStoOSPOf{256}{\reprJOf{\EphemeralPublic}}$. \\ \hline
$580$ & $\encCiphertext$ & \type{char[580]} & A ciphertext component for the
encrypted output \note, $\TransmitCiphertext{}$. \\ \hline
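Review bot: The \cvField and \ephemeralKey rows change what the table specifies, not only how it looks: \cvField goes from \LEBStoOSPOf{256}{\cv} to \LEBStoOSPOf{256}{\reprJOf{\cv}...}, and the \ephemeralKey row loses its \crossref{concretesaplingkeyagreement} in favour of an explicit encoding. Mention both in the commit message, and keep the cross-reference alongside the new formula so readers can still reach the key agreement section from this table.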