zec
/
zips
mirror of https://github.com/zcash/zips.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Improve pagination. 

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2017-01-20 02:24:49 +00:00
parent 1982700426
commit 963f042eb9
1 changed files with 121 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

130
protocol/protocol.tex
View File

@ -15,6 +15,8 @@
\RequirePackage{hhline} \RequirePackage{hhline}
\RequirePackage[usestackEOL]{stackengine} \RequirePackage[usestackEOL]{stackengine}
\RequirePackage{comment} \RequirePackage{comment}
\RequirePackage{needspace}
\RequirePackage[nobottomtitles]{titlesec}
\RequirePackage[style=alphabetic,maxbibnames=99,dateabbrev=false,urldate=iso8601,backref=true,backrefstyle=none,backend=biber]{biblatex} \RequirePackage[style=alphabetic,maxbibnames=99,dateabbrev=false,urldate=iso8601,backref=true,backrefstyle=none,backend=biber]{biblatex}
\addbibresource{zcash.bib} \addbibresource{zcash.bib}
@ -57,12 +59,18 @@
\setlength{\textwidth}{7in} \setlength{\textwidth}{7in}
\setlength{\topmargin}{-0.75in} \setlength{\topmargin}{-0.75in}
\setlength{\textheight}{9.2in} \setlength{\textheight}{9.2in}
\setlength{\parskip}{1.5ex}
\setlength{\parindent}{0ex} \setlength{\parindent}{0ex}
\renewcommand{\arraystretch}{1.4} \renewcommand{\arraystretch}{1.4}
\overfullrule=2cm \overfullrule=2cm
\setlist[itemize]{itemsep=0.5ex,topsep=0.2ex,after=\vspace{1.5ex}} \renewcommand{\bottomtitlespace}{8ex}
% Use rubber lengths between paragraphs to improve default pagination.
% https://tex.stackexchange.com/questions/17178/vertical-spacing-pagination-and-ideal-results
\setlength{\parskip}{1.5ex plus 1pt minus 1pt}
\setlist[enumerate]{before=\vspace{-1ex}}
\setlist[itemize]{itemsep=0.5ex,topsep=0.2ex,before=\vspace{-1ex},after=\vspace{1.5ex}}
\newlist{formulae}{itemize}{3} \newlist{formulae}{itemize}{3}
\setlist[formulae]{itemsep=0.2ex,topsep=0ex,leftmargin=1.5em,label=,before=\vspace{-1ex},after=\vspace{1.5ex}} \setlist[formulae]{itemsep=0.2ex,topsep=0ex,leftmargin=1.5em,label=,before=\vspace{-1ex},after=\vspace{1.5ex}}
@ -92,6 +100,8 @@
\newcommand{\nsubsection}[1]{\subsection{\nstrut{#1}}} \newcommand{\nsubsection}[1]{\subsection{\nstrut{#1}}}
\newcommand{\nsubsubsection}[1]{\subsubsection{\nstrut{#1}}} \newcommand{\nsubsubsection}[1]{\subsubsection{\nstrut{#1}}}
\newcommand{\introlist}{\needspace{15ex}}
\mathchardef\mhyphen="2D \mathchardef\mhyphen="2D
% http://tex.stackexchange.com/a/309445/78411 % http://tex.stackexchange.com/a/309445/78411
@ -632,12 +642,12 @@
\newcommand{\EnforceCommit}[1]{\mathsf{enforce}_{#1}} \newcommand{\EnforceCommit}[1]{\mathsf{enforce}_{#1}}
\newcommand{\consensusrule}[1]{\subparagraph{Consensus rule:}{#1}} \newcommand{\consensusrule}[1]{\needspace{3ex}\subparagraph{Consensus rule:}{#1}}
\newenvironment{consensusrules}{\subparagraph{Consensus rules:}\begin{itemize}}{\end{itemize}} \newenvironment{consensusrules}{\introlist\subparagraph{Consensus rules:}\begin{itemize}}{\end{itemize}}
\newcommand{\securityrequirement}[1]{\subparagraph{Security requirement:}{#1}} \newcommand{\securityrequirement}[1]{\needspace{3ex}\subparagraph{Security requirement:}{#1}}
\newenvironment{securityrequirements}{\subparagraph{Security requirements:}\begin{itemize}}{\end{itemize}} \newenvironment{securityrequirements}{\introlist\subparagraph{Security requirements:}\begin{itemize}}{\end{itemize}}
\newcommand{\pnote}[1]{\subparagraph{Note:}{#1}} \newcommand{\pnote}[1]{\subparagraph{Note:}{#1}}
\newenvironment{pnotes}{\subparagraph{Notes:}\begin{itemize}}{\end{itemize}} \newenvironment{pnotes}{\introlist\subparagraph{Notes:}\begin{itemize}}{\end{itemize}}
\begin{document} \begin{document}
@ -678,6 +688,8 @@ document are to be interpreted as described in \cite{RFC-2119} when they
appear in \ALLCAPS. These words may also appear in this document in appear in \ALLCAPS. These words may also appear in this document in
lower case as plain English words, absent their normative meanings. lower case as plain English words, absent their normative meanings.
\vspace{2ex}
\introlist
This specification is structured as follows: This specification is structured as follows:
\begin{itemize} \begin{itemize}
@ -737,6 +749,7 @@ this \spendingKey. An unspent valid \note, at a given point on the \blockchain,
is one for which the \noteCommitment has been publically revealed on the is one for which the \noteCommitment has been publically revealed on the
\blockchain prior to that point, but the \nullifier has not. \blockchain prior to that point, but the \nullifier has not.
\introlist
A \transaction can contain \transparent inputs, outputs, and scripts, which all A \transaction can contain \transparent inputs, outputs, and scripts, which all
work as in \Bitcoin \cite{Bitcoin-Protocol}. It also contains a sequence of zero or work as in \Bitcoin \cite{Bitcoin-Protocol}. It also contains a sequence of zero or
more \joinSplitDescriptions. Each of these describes a \joinSplitTransfer\hairspace\footnote{ more \joinSplitDescriptions. Each of these describes a \joinSplitTransfer\hairspace\footnote{
@ -940,6 +953,7 @@ an adversary would have to know $\TransmitPublic$ in order to exploit a
hypothetical weakness in that cryptosystem. hypothetical weakness in that cryptosystem.
} }
\needspace{20ex}
\nsubsection{\Notes} \nsubsection{\Notes}
A \note (denoted $\NoteTuple{}$) is a tuple $\changed{(\AuthPublic, \Value, A \note (denoted $\NoteTuple{}$) is a tuple $\changed{(\AuthPublic, \Value,
@ -1022,6 +1036,7 @@ a \noteCommitmentTree state given the assumed security properties of the Merkle
hash function. Since the \nullifierSet is always updated together with the hash function. Since the \nullifierSet is always updated together with the
\noteCommitmentTree, this also identifies a particular state of the \nullifierSet. \noteCommitmentTree, this also identifies a particular state of the \nullifierSet.
\introlist
In a given node's \blockchainview, \treestates are chained as follows: In a given node's \blockchainview, \treestates are chained as follows:
\begin{itemize} \begin{itemize}
@ -1150,6 +1165,7 @@ the Equihash parameters $n$ and $k$, are written subscripted.
It is instantiated in \crossref{equihashgen}. It is instantiated in \crossref{equihashgen}.
} }
\introlist
\nsubsubsection{\PseudoRandomFunctions} \label{abstractprfs} \nsubsubsection{\PseudoRandomFunctions} \label{abstractprfs}
$\PRF{x}{}$ is a \pseudoRandomFunction keyed by $x$. \changed{Four} \emph{independent} $\PRF{x}{}$ is a \pseudoRandomFunction keyed by $x$. \changed{Four} \emph{independent}
@ -1251,6 +1267,7 @@ independently at random from $\KAPrivate$.
Let $\TransmitPublicSup{j} := \KADerivePublic(\TransmitPrivateSup{j})$. Let $\TransmitPublicSup{j} := \KADerivePublic(\TransmitPrivateSup{j})$.
\introlist
An adversary can adaptively query a function An adversary can adaptively query a function
$Q \typecolon \range{1}{2} \times \hSigType \rightarrow $Q \typecolon \range{1}{2} \times \hSigType \rightarrow
\KAPublic \times \Keyspace_{\allNew}$ where $Q_j(\hSig)$ is defined as follows: \KAPublic \times \Keyspace_{\allNew}$ where $Q_j(\hSig)$ is defined as follows:
@ -1279,6 +1296,7 @@ This is not considered to be a significant security weakness.
} }
\introlist
\nsubsubsection{Signatures} \label{abstractsig} \nsubsubsection{Signatures} \label{abstractsig}
A signature scheme $\Sig$ defines: A signature scheme $\Sig$ defines:
@ -1329,10 +1347,12 @@ pair without access to the signing key.
\end{pnotes} \end{pnotes}
\introlist
\nsubsubsection{Commitment} \label{abstractcomm} \nsubsubsection{Commitment} \label{abstractcomm}
A \commitmentScheme is a function that, given a random \commitmentTrapdoor A \commitmentScheme is a function that, given a random \commitmentTrapdoor
and an input, can be used to commit to the input in such a way that: and an input, can be used to commit to the input in such a way that:
\begin{itemize} \begin{itemize}
\item no information is revealed about it without the \trapdoor (``hiding''), \item no information is revealed about it without the \trapdoor (``hiding''),
\item given the \trapdoor and input, the commitment can be verified to ``open'' \item given the \trapdoor and input, the commitment can be verified to ``open''
@ -1357,6 +1377,7 @@ in zero knowledge --- that is, without revealing information about the
\auxiliaryInputs other than that implied by the \statement. The type of \auxiliaryInputs other than that implied by the \statement. The type of
\zeroKnowledgeProvingSystem needed by \Zcash is a \ppzkSNARK. \zeroKnowledgeProvingSystem needed by \Zcash is a \ppzkSNARK.
\introlist
A \ppzkSNARK instance $\ZK$ defines: A \ppzkSNARK instance $\ZK$ defines:
\begin{itemize} \begin{itemize}
@ -1414,6 +1435,7 @@ Let $\KA$ be a \keyAgreementScheme, instantiated in \crossref{concretekeyagreeme
A new \spendingKey $\AuthPrivate$ is generated by choosing a bit string A new \spendingKey $\AuthPrivate$ is generated by choosing a bit string
uniformly at random from $\bitseq{\AuthPrivateLength}$. uniformly at random from $\bitseq{\AuthPrivateLength}$.
\introlist
\changed{ \changed{
$\AuthPublic$, $\TransmitPrivate$ and $\TransmitPublic$ are derived from $\AuthPublic$, $\TransmitPrivate$ and $\TransmitPublic$ are derived from
$\AuthPrivate$ $\AuthPrivate$
@ -1437,6 +1459,7 @@ Each \transaction includes a sequence of zero or more \joinSplitDescriptions.
When this sequence is non-empty, the \transaction also includes encodings of a When this sequence is non-empty, the \transaction also includes encodings of a
$\JoinSplitSig$ public verification key and signature. $\JoinSplitSig$ public verification key and signature.
\introlist
Each \joinSplitDescription consists of $(\vpubOld, \vpubNew, \rt, Each \joinSplitDescription consists of $(\vpubOld, \vpubNew, \rt,
\nfOld{\allOld}, \cmNew{\allNew}, \EphemeralPublic, \RandomSeed, \nfOld{\allOld}, \cmNew{\allNew}, \EphemeralPublic, \RandomSeed,
\h{\allOld}, \JoinSplitProof, \TransmitCiphertext{\allNew})$ \h{\allOld}, \JoinSplitProof, \TransmitCiphertext{\allNew})$
@ -1472,6 +1495,7 @@ where
The $\ephemeralKey$ and $\encCiphertexts$ fields together form the \notesCiphertext. The $\ephemeralKey$ and $\encCiphertexts$ fields together form the \notesCiphertext.
\introlist
The value $\hSig$ is also computed from \changed{$\RandomSeed$, $\nfOld{\allOld}$, and} the The value $\hSig$ is also computed from \changed{$\RandomSeed$, $\nfOld{\allOld}$, and} the
$\joinSplitPubKey$ of the containing \transaction: $\joinSplitPubKey$ of the containing \transaction:
@ -1491,6 +1515,7 @@ $\hSigCRH$ is instantiated in \crossref{hsigcrh}.
\vpubOld, \vpubNew, \hSig, \h{\allOld}), \Proof_{\JoinSplit}) = 1$. \vpubOld, \vpubNew, \hSig, \h{\allOld}), \Proof_{\JoinSplit}) = 1$.
\end{consensusrules} \end{consensusrules}
\introlist
\nsubsection{Sending \Notes} \label{send} \nsubsection{Sending \Notes} \label{send}
In order to send \shielded value, the sender constructs a \transaction In order to send \shielded value, the sender constructs a \transaction
@ -1501,12 +1526,14 @@ a new $\JoinSplitSig$ key pair:
\item $(\joinSplitPrivKey, \joinSplitPubKey) \leftarrowR \JoinSplitSigGen()$. \item $(\joinSplitPrivKey, \joinSplitPubKey) \leftarrowR \JoinSplitSigGen()$.
\end{formulae} \end{formulae}
\introlist
For each \joinSplitDescription, the sender chooses $\RandomSeed$ uniformly at For each \joinSplitDescription, the sender chooses $\RandomSeed$ uniformly at
random on $\bitseq{\RandomSeedLength}$, and selects random on $\bitseq{\RandomSeedLength}$, and selects
the input \notes. At this point there is sufficient information to compute $\hSig$, the input \notes. At this point there is sufficient information to compute $\hSig$,
as described in the previous section. \changed{The sender also chooses $\NoteAddressPreRand$ as described in the previous section. \changed{The sender also chooses $\NoteAddressPreRand$
uniformly at random on $\bitseq{\NoteAddressPreRandLength}$.} uniformly at random on $\bitseq{\NoteAddressPreRandLength}$.}
Then it creates each output \note with index $i \typecolon \setofNew$ as follows: Then it creates each output \note with index $i \typecolon \setofNew$ as follows:
\begin{itemize} \begin{itemize}
\item Choose $\NoteCommitRandNew{i}$ uniformly at random on $\bitseq{\NoteCommitRandLength}$. \item Choose $\NoteCommitRandNew{i}$ uniformly at random on $\bitseq{\NoteCommitRandLength}$.
\changed{ \changed{
@ -1522,6 +1549,7 @@ of the input \notes and of the output \notes. Other considerations relating to
information leakage from the structure of \transactions are beyond the information leakage from the structure of \transactions are beyond the
scope of this specification. scope of this specification.
\introlist
After generating all of the \joinSplitDescriptions, the sender obtains the After generating all of the \joinSplitDescriptions, the sender obtains the
$\dataToBeSigned$ (\crossref{nonmalleability}), and signs it with $\dataToBeSigned$ (\crossref{nonmalleability}), and signs it with
the private \joinSplitSigningKey: the private \joinSplitSigningKey:
@ -1539,9 +1567,11 @@ The fields in a \joinSplitDescription allow for $\NOld$ input \notes, and
$\NNew$ output \notes. In practice, we may wish to encode a \joinSplitTransfer $\NNew$ output \notes. In practice, we may wish to encode a \joinSplitTransfer
with fewer input or output \notes. This is achieved using \dummyNotes. with fewer input or output \notes. This is achieved using \dummyNotes.
\introlist
\changed{ \changed{
A \dummy input \note, with index $i$ in the \joinSplitDescription, is constructed A \dummy input \note, with index $i$ in the \joinSplitDescription, is constructed
as follows: as follows:
\begin{itemize} \begin{itemize}
\item Generate a new random \spendingKey $\AuthPrivateOld{i}$ and derive its \item Generate a new random \spendingKey $\AuthPrivateOld{i}$ and derive its
\payingKey $\AuthPublicOld{i}$. \payingKey $\AuthPublicOld{i}$.
@ -1578,6 +1608,7 @@ When a \noteCommitment is added to the tree, it occupies the \merkleLeafNode
It is assumed to be infeasible to find a preimage \note $\NoteTuple{}$ such that It is assumed to be infeasible to find a preimage \note $\NoteTuple{}$ such that
$\NoteCommit(\NoteTuple{}) = \Uncommitted$. $\NoteCommit(\NoteTuple{}) = \Uncommitted$.
\introlist
The \merkleNodes at \merkleLayers $0$ to $\MerkleDepth-1$ inclusive are called The \merkleNodes at \merkleLayers $0$ to $\MerkleDepth-1$ inclusive are called
\merkleInternalNodes, and are associated with $\MerkleCRH$ outputs. \merkleInternalNodes, and are associated with $\MerkleCRH$ outputs.
\MerkleInternalNodes are computed from their children in the next \merkleLayer \MerkleInternalNodes are computed from their children in the next \merkleLayer
@ -1587,6 +1618,7 @@ as follows: for $0 \leq h < \MerkleDepth$ and $0 \leq i < 2^h$,
\item $\MerkleNode{h}{i} := \MerkleCRH(\MerkleNode{h+1}{2i}, \MerkleNode{h+1}{2i+1})$. \item $\MerkleNode{h}{i} := \MerkleCRH(\MerkleNode{h+1}{2i}, \MerkleNode{h+1}{2i+1})$.
\end{formulae} \end{formulae}
\introlist
A \merklePath from \merkleLeafNode $\MerkleNode{\MerkleDepth}{i}$ in the A \merklePath from \merkleLeafNode $\MerkleNode{\MerkleDepth}{i}$ in the
\incrementalMerkleTree is the sequence \incrementalMerkleTree is the sequence
@ -1679,6 +1711,7 @@ exists in the set.
\nsubsection{\JoinSplitStatement} \label{jsstatement} \nsubsection{\JoinSplitStatement} \label{jsstatement}
\introlist
A valid instance of $\JoinSplitProof$ assures that given a \term{primary input}: A valid instance of $\JoinSplitProof$ assures that given a \term{primary input}:
\begin{formulae} \begin{formulae}
@ -1692,6 +1725,7 @@ A valid instance of $\JoinSplitProof$ assures that given a \term{primary input}:
\h{\allOld} \typecolon \typeexp{\PRFOutput}{\NOld})$, \h{\allOld} \typecolon \typeexp{\PRFOutput}{\NOld})$,
\end{formulae} \end{formulae}
\introlist
the prover knows an \term{auxiliary input}: the prover knows an \term{auxiliary input}:
\begin{formulae} \begin{formulae}
@ -1704,6 +1738,7 @@ the prover knows an \term{auxiliary input}:
\EnforceCommit{\allOld} \typecolon \bitseq{\NOld}})$, \EnforceCommit{\allOld} \typecolon \bitseq{\NOld}})$,
\end{formulae} \end{formulae}
\introlist
where: where:
\begin{formulae} \begin{formulae}
@ -1713,6 +1748,7 @@ where:
\vNew{i}, \NoteAddressRandNew{i}, \NoteCommitRandNew{i})$ \vNew{i}, \NoteAddressRandNew{i}, \NoteCommitRandNew{i})$
\end{formulae} \end{formulae}
\introlist
such that the following conditions hold: such that the following conditions hold:
\subparagraph{Merkle path validity} \label{merklepathvalidity} \subparagraph{Merkle path validity} \label{merklepathvalidity}
@ -1776,7 +1812,9 @@ the original \note \changed{ and \memo}.
All of the resulting ciphertexts are combined to form a \notesCiphertext. All of the resulting ciphertexts are combined to form a \notesCiphertext.
\introlist
For both encryption and decryption, For both encryption and decryption,
\begin{itemize} \begin{itemize}
\item Let $\Sym$ be the \encryptionScheme instantiated in \crossref{concretesym}. \item Let $\Sym$ be the \encryptionScheme instantiated in \crossref{concretesym}.
\item Let $\KDF$ be the \keyDerivationFunction instantiated in \crossref{concretekdf}. \item Let $\KDF$ be the \keyDerivationFunction instantiated in \crossref{concretekdf}.
@ -1791,7 +1829,9 @@ for the intended recipient addresses of each new \note.
Let $\NotePlaintext{\allNew}$ be the \notePlaintexts as defined in \crossref{notept}. Let $\NotePlaintext{\allNew}$ be the \notePlaintexts as defined in \crossref{notept}.
\introlist
Then to encrypt: Then to encrypt:
\begin{itemize} \begin{itemize}
\changed{ \changed{
\item Generate a new $\KA$ (public, private) key pair \item Generate a new $\KA$ (public, private) key pair
@ -1829,6 +1869,7 @@ Let $\PaymentAddress = (\AuthPublic, \TransmitPublic)$ be the recipient's
Let $\cmNew{\allNew}$ be the \noteCommitments of each output coin. Let $\cmNew{\allNew}$ be the \noteCommitments of each output coin.
\introlist
Then for each $i \in \setofNew$, the recipient will attempt to decrypt that ciphertext Then for each $i \in \setofNew$, the recipient will attempt to decrypt that ciphertext
component as follows: component as follows:
@ -1841,6 +1882,7 @@ component as follows:
\AuthPublic).$ \AuthPublic).$
\end{itemize} \end{itemize}
\introlist
$\DecryptNote(\TransmitKey{i}, \TransmitCiphertext{i}, \cmNew{i}, \AuthPublic)$ $\DecryptNote(\TransmitKey{i}, \TransmitCiphertext{i}, \cmNew{i}, \AuthPublic)$
is defined as follows: is defined as follows:
@ -1951,6 +1993,7 @@ For example, the following diagrams are all equivalent:
and represent the byte sequence $[\hexint{D2}, \hexint{BC}, \hexint{3A}, \hexint{12}]$. and represent the byte sequence $[\hexint{D2}, \hexint{BC}, \hexint{3A}, \hexint{12}]$.
\end{comment} \end{comment}
\introlist
\nsubsection{Constants} \label{constants} \nsubsection{Constants} \label{constants}
Define: Define:
@ -1976,6 +2019,7 @@ Define:
\end{formulae} \end{formulae}
\introlist
\nsubsection{Concrete Cryptographic Functions} \nsubsection{Concrete Cryptographic Functions}
\nsubsubsection{Merkle Tree Hash Function} \label{merklecrh} \nsubsubsection{Merkle Tree Hash Function} \label{merklecrh}
@ -2006,6 +2050,7 @@ $\SHA$ must be collision-resistant, and it must be infeasible to find a preimage
such that $\SHA(x) = \zeros{256}$. such that $\SHA(x) = \zeros{256}$.
} }
\introlist
\nsubsubsection{\hSigText{} Hash Function} \label{hsigcrh} \nsubsubsection{\hSigText{} Hash Function} \label{hsigcrh}
\newsavebox{\hsigbox} \newsavebox{\hsigbox}
@ -2043,6 +2088,7 @@ block.
$\Blake{256}(\ascii{ZcashComputehSig}, x)$ must be collision-resistant. $\Blake{256}(\ascii{ZcashComputehSig}, x)$ must be collision-resistant.
} }
\introlist
\nsubsubsection{Equihash Generator} \label{equihashgen} \nsubsubsection{Equihash Generator} \label{equihashgen}
$\EquihashGen{n, k}$ is a specialized hash function that maps an input $\EquihashGen{n, k}$ is a specialized hash function that maps an input
@ -2069,6 +2115,7 @@ Let $\powtag := \Justthebox{\powtagbox}$.
Let $\powcount(g) := \Justthebox{\powcountbox}$. Let $\powcount(g) := \Justthebox{\powcountbox}$.
\vspace{2ex} \vspace{2ex}
\introlist
% Blech. Dijkstra was right \cite{EWD831}. % Blech. Dijkstra was right \cite{EWD831}.
Let $\EquihashGen{n, k}(S, i) := T_{h+1\hairspace..\hairspace h+n}$, where Let $\EquihashGen{n, k}(S, i) := T_{h+1\hairspace..\hairspace h+n}$, where
\begin{formulae} \begin{formulae}
@ -2098,6 +2145,7 @@ the number of calls to $\BlakeGeneric$ can be reduced by a factor of $\floor{\fr
in the best case (which is a factor of 2 for $n = 200$). in the best case (which is a factor of 2 for $n = 200$).
} }
\introlist
\nsubsubsection{\PseudoRandomFunctions} \label{concreteprfs} \nsubsubsection{\PseudoRandomFunctions} \label{concreteprfs}
The \changed{four} independent PRFs described in \crossref{abstractprfs} are The \changed{four} independent PRFs described in \crossref{abstractprfs} are
@ -2242,6 +2290,7 @@ Define $\KAFormatPrivate(x) := \Clamp(x)$.
Define $\KAAgree(n, q) := \CurveMultiply(n, q)$. Define $\KAAgree(n, q) := \CurveMultiply(n, q)$.
} }
\introlist
\nsubsubsection{\KeyDerivation} \label{concretekdf} \nsubsubsection{\KeyDerivation} \label{concretekdf}
\newsavebox{\kdftagbox} \newsavebox{\kdftagbox}
@ -2309,6 +2358,7 @@ $\JoinSplitSigSpecific$ is defined as using $\JoinSplitSigHashName$ internally.
\end{bytefield} \end{bytefield}
\end{lrbox} \end{lrbox}
\introlist
\changed{ \changed{
The encoding of a signature is: The encoding of a signature is:
} }
@ -2322,6 +2372,7 @@ where $\EdDSAR$ and $\EdDSAS$ are as defined in \cite{BDL+2012}.
The encoding of a public key is as defined in \cite{BDL+2012}. The encoding of a public key is as defined in \cite{BDL+2012}.
} }
\introlist
\nsubsubsection{Commitment} \label{concretecomm} \nsubsubsection{Commitment} \label{concretecomm}
\newsavebox{\cmbox} \newsavebox{\cmbox}
@ -2372,8 +2423,10 @@ $(\Value, \NoteAddressRand, \NoteCommitRand\changed{, \Memo})$.
The first three of these fields are as defined earlier. The first three of these fields are as defined earlier.
\changed{$\Memo$ is a 512-byte \memo associated with this \note. \changed{$\Memo$ is a 512-byte \memo associated with this \note.
\introlist
The usage of the \memo is by agreement between the sender and recipient of the The usage of the \memo is by agreement between the sender and recipient of the
\note. The \memo{} \SHOULD be encoded either as: \note. The \memo{} \SHOULD be encoded either as:
\begin{itemize} \begin{itemize}
\item a UTF-8 human-readable string \cite{Unicode}, padded by appending zero bytes; or \item a UTF-8 human-readable string \cite{Unicode}, padded by appending zero bytes; or
\item an arbitrary sequence of 512 bytes starting with a byte value of $\hexint{F5}$ \item an arbitrary sequence of 512 bytes starting with a byte value of $\hexint{F5}$
@ -2391,7 +2444,9 @@ A start byte of $\hexint{F6}$ or greater is reserved for use in future \Zcash
protocol extensions. protocol extensions.
} }
\introlist
The encoding of a \notePlaintext consists of, in order: The encoding of a \notePlaintext consists of, in order:
\begin{equation*} \begin{equation*}
\begin{bytefield}[bitwidth=0.029em]{1608} \begin{bytefield}[bitwidth=0.029em]{1608}
\changed{ \changed{
@ -2436,6 +2491,7 @@ The language consisting of the following encoding possibilities is prefix-free.
\xTransparent payment addresses are either P2SH (Pay to Script Hash) \cite{BIP-13} \xTransparent payment addresses are either P2SH (Pay to Script Hash) \cite{BIP-13}
or P2PKH (Pay to Public Key Hash) \cite{Bitcoin-P2PKH} addresses. or P2PKH (Pay to Public Key Hash) \cite{Bitcoin-P2PKH} addresses.
\introlist
The raw encoding of a P2SH address consists of: The raw encoding of a P2SH address consists of:
\begin{equation*} \begin{equation*}
@ -2455,6 +2511,7 @@ The raw encoding of a P2SH address consists of:
\item 160 bits specifying a script hash \cite{Bitcoin-P2SH}. \item 160 bits specifying a script hash \cite{Bitcoin-P2SH}.
\end{itemize} \end{itemize}
\introlist
The raw encoding of a P2PKH address consists of: The raw encoding of a P2PKH address consists of:
\begin{equation*} \begin{equation*}
@ -2501,6 +2558,7 @@ $\TransmitPublic$ is a $\KAPublic$ key (see \crossref{concretekeyagreement}),
for use with the encryption scheme defined in \crossref{inband}. These for use with the encryption scheme defined in \crossref{inband}. These
components are derived from a \spendingKey as described in \crossref{keycomponents}. components are derived from a \spendingKey as described in \crossref{keycomponents}.
\introlist
The raw encoding of a \paymentAddress consists of: The raw encoding of a \paymentAddress consists of:
\begin{equation*} \begin{equation*}
@ -2538,6 +2596,7 @@ cause the first two characters of the Base58Check encoding to be fixed as
A \spendingKey consists of $\AuthPrivate$, which is a sequence of \changed{252} bits A \spendingKey consists of $\AuthPrivate$, which is a sequence of \changed{252} bits
(see \crossref{keycomponents}). (see \crossref{keycomponents}).
\introlist
The raw encoding of a \spendingKey consists of, in order: The raw encoding of a \spendingKey consists of, in order:
\begin{equation*} \begin{equation*}
@ -2589,6 +2648,7 @@ the systems in \cite{PGHR2013} and \cite{BCGTV2013}.
The pairing implementation is $\BNImpl$. The pairing implementation is $\BNImpl$.
\introlist
Let $q = 21888242871839275222246405745257275088696311157297823662689037894645226208583$. Let $q = 21888242871839275222246405745257275088696311157297823662689037894645226208583$.
Let $r = 21888242871839275222246405745257275088548364400416034343698204186575808495617$. Let $r = 21888242871839275222246405745257275088548364400416034343698204186575808495617$.
@ -2597,7 +2657,9 @@ Let $b = 3$.
($q$ and $r$ are prime.) ($q$ and $r$ are prime.)
\introlist
The pairing is of type $\GroupG{1} \times \GroupG{2} \rightarrow \GroupG{T}$, where: The pairing is of type $\GroupG{1} \times \GroupG{2} \rightarrow \GroupG{T}$, where:
\begin{itemize} \begin{itemize}
\item $\GroupG{1}$ is a Barreto--Naehrig curve over $\GF{q}$ with equation \item $\GroupG{1}$ is a Barreto--Naehrig curve over $\GF{q}$ with equation
$y^2 = x^3 + b$. This curve has embedding degree 12 with respect to $r$. $y^2 = x^3 + b$. This curve has embedding degree 12 with respect to $r$.
@ -2609,6 +2671,7 @@ irreducible polynomial $t^2 + 1$.
$\GFstar{q^{12}}$. $\GFstar{q^{12}}$.
\end{itemize} \end{itemize}
\introlist
Let $\PointP{1} \typecolon \GroupG{1} = (1, 2)$. Let $\PointP{1} \typecolon \GroupG{1} = (1, 2)$.
\begin{tabular}{@{}l@{}r@{}l@{}} \begin{tabular}{@{}l@{}r@{}l@{}}
@ -2681,7 +2744,9 @@ Define $\ItoOSP{} \typecolon (k \typecolon \Nat) \times \range{0}{256^k\!-\!1} \
\typeexp{\range{0}{255}}{k}$ such that $\ItoOSP{\ell}(n)$ is the sequence of $\ell$ bytes \typeexp{\range{0}{255}}{k}$ such that $\ItoOSP{\ell}(n)$ is the sequence of $\ell$ bytes
representing $n$ in big-endian order. representing $n$ in big-endian order.
\introlist
For a point $P \typecolon \GroupG{1} = (x_P, y_P)$: For a point $P \typecolon \GroupG{1} = (x_P, y_P)$:
\begin{itemize} \begin{itemize}
\item The field elements $x_P$ and $y_P \typecolon \GF{q}$ are represented as \item The field elements $x_P$ and $y_P \typecolon \GF{q}$ are represented as
integers $x$ and $y \typecolon \range{0}{q\!-\!1}$. integers $x$ and $y \typecolon \range{0}{q\!-\!1}$.
@ -2689,7 +2754,9 @@ For a point $P \typecolon \GroupG{1} = (x_P, y_P)$:
\item $P$ is encoded as $\Justthebox{\gonebox}$. \item $P$ is encoded as $\Justthebox{\gonebox}$.
\end{itemize} \end{itemize}
\introlist
For a point $P \typecolon \GroupG{2} = (x_P, y_P)$: For a point $P \typecolon \GroupG{2} = (x_P, y_P)$:
\begin{itemize} \begin{itemize}
\item A field element $w \typecolon \GF{q^2}$ is represented as \item A field element $w \typecolon \GF{q^2}$ is represented as
a polynomial $a_{w,1} \mult t + a_{w,0} \typecolon \GF{q}[t]$ modulo $t^2 + 1$. a polynomial $a_{w,1} \mult t + a_{w,0} \typecolon \GF{q}[t]$ modulo $t^2 + 1$.
@ -2703,7 +2770,9 @@ For a point $P \typecolon \GroupG{2} = (x_P, y_P)$:
\item $P$ is encoded as $\Justthebox{\gtwobox}$. \item $P$ is encoded as $\Justthebox{\gtwobox}$.
\end{itemize} \end{itemize}
\introlist
\subparagraph{Non-normative notes:} \subparagraph{Non-normative notes:}
\begin{itemize} \begin{itemize}
\item The use of big-endian byte order is different from the encoding \item The use of big-endian byte order is different from the encoding
of most other integers in this protocol. The above encodings are consistent of most other integers in this protocol. The above encodings are consistent
@ -2722,6 +2791,7 @@ When computing square roots in $\GF{q}$ or $\GF{q^2}$ in order to decompress
a point encoding, the implementation \MUSTNOT assume that the square root a point encoding, the implementation \MUSTNOT assume that the square root
exists, or that the encoding represents a point on the curve. exists, or that the encoding represents a point on the curve.
\introlist
\nsubsubsection{Encoding of \ZeroKnowledgeProofs} \label{proofencoding} \nsubsubsection{Encoding of \ZeroKnowledgeProofs} \label{proofencoding}
\newsavebox{\proofbox} \newsavebox{\proofbox}
@ -2748,9 +2818,10 @@ A proof is encoded by concatenating the encodings of its elements:
The resulting proof size is 296 bytes. The resulting proof size is 296 bytes.
\vspace{0.8ex} \vspace{0.8ex}
\introlist
In addition to the steps to verify a proof given in \cite[Appendix B]{BCTV2015}, the In addition to the steps to verify a proof given in \cite[Appendix B]{BCTV2015}, the
verifier \MUST check, for the encoding of each element, that: verifier \MUST check, for the encoding of each element, that:
\begin{itemize} \begin{itemize}
\item the lead byte is of the required form; \item the lead byte is of the required form;
\item the remaining bytes encode a big-endian representation of an integer \item the remaining bytes encode a big-endian representation of an integer
@ -2760,6 +2831,7 @@ verifier \MUST check, for the encoding of each element, that:
the subgroup $\GroupG{2}$). the subgroup $\GroupG{2}$).
\end{itemize} \end{itemize}
\introlist
\nsubsection{\JoinSplitParameters} \label{jsparameters} \nsubsection{\JoinSplitParameters} \label{jsparameters}
For the \Zcash production \blockchain and testnet, the $\FullHashName$ hashes of the For the \Zcash production \blockchain and testnet, the $\FullHashName$ hashes of the
@ -2774,6 +2846,7 @@ format, are:
These parameters were obtained by a multi-party computation described in \cite{GitHub-mpc}. These parameters were obtained by a multi-party computation described in \cite{GitHub-mpc}.
\needspace{30ex}
\nsection{Consensus Changes from \Bitcoin} \nsection{Consensus Changes from \Bitcoin}
\nsubsection{Encoding of \Transactions} \label{txnencoding} \nsubsection{Encoding of \Transactions} \label{txnencoding}
@ -2822,7 +2895,9 @@ $\versionField > 1$ and $\nJoinSplit > 0$.
The encoding of $\joinSplitPubKey$ and the data to be signed are specified in The encoding of $\joinSplitPubKey$ and the data to be signed are specified in
\crossref{nonmalleability}. \crossref{nonmalleability}.
\introlist
The changes relative to \Bitcoin version 1 transactions as described in \cite{Bitcoin-Format} are: The changes relative to \Bitcoin version 1 transactions as described in \cite{Bitcoin-Format} are:
\begin{itemize} \begin{itemize}
\item The \transactionVersionNumber{} can be either 1 or 2. A version 1 \transaction is \item The \transactionVersionNumber{} can be either 1 or 2. A version 1 \transaction is
equivalent to a version 2 \transaction with $\nJoinSplit = 0$. Software that parses equivalent to a version 2 \transaction with $\nJoinSplit = 0$. Software that parses
@ -2843,6 +2918,7 @@ it is associated with support for \ScriptOP{CHECKSEQUENCEVERIFY} as specified in
9, 112 and 113. 9, 112 and 113.
} }
\introlist
\nsubsection{Encoding of \JoinSplitDescriptions} \label{joinsplitencoding} \nsubsection{Encoding of \JoinSplitDescriptions} \label{joinsplitencoding}
An abstract \joinSplitDescription, as described in \crossref{joinsplit}, is encoded in An abstract \joinSplitDescription, as described in \crossref{joinsplit}, is encoded in
@ -2938,7 +3014,9 @@ according to \crossref{equihash}. \\ \hline
\end{tabularx} \end{tabularx}
\end{center} \end{center}
\introlist
The changes relative to \Bitcoin version 4 blocks as described in \cite{Bitcoin-Block} are: The changes relative to \Bitcoin version 4 blocks as described in \cite{Bitcoin-Block} are:
\begin{itemize} \begin{itemize}
\item The \blockVersionNumber{} \MUST be 4. Previous versions are not supported. Software \item The \blockVersionNumber{} \MUST be 4. Previous versions are not supported. Software
that parses blocks \MUSTNOT assume, when an encoded \block starts with an $\nVersion$ that parses blocks \MUSTNOT assume, when an encoded \block starts with an $\nVersion$
@ -2964,7 +3042,9 @@ The changes relative to \Bitcoin version 4 blocks as described in \cite{Bitcoin-
changing the Proof of Work from \SHAd used by \Bitcoin are described changing the Proof of Work from \SHAd used by \Bitcoin are described
in \cite{WG2016}. in \cite{WG2016}.
\introlist
A \block satisfies the Proof of Work if and only if: A \block satisfies the Proof of Work if and only if:
\begin{itemize} \begin{itemize}
\item The $\solution$ field encodes a \validEquihashSolution according to \crossref{equihash}. \item The $\solution$ field encodes a \validEquihashSolution according to \crossref{equihash}.
\item The \blockHeader satisfies the difficulty check according to \crossref{difficulty}. \item The \blockHeader satisfies the difficulty check according to \crossref{difficulty}.
@ -2982,6 +3062,7 @@ The Generalized Birthday Problem is defined as follows: given a sequence
$X_{1..\mathrm{N}}$ of $n$-bit strings, find $2^k$ distinct $X_{i_j}$ such that $X_{1..\mathrm{N}}$ of $n$-bit strings, find $2^k$ distinct $X_{i_j}$ such that
$\vxor{j=1}{2^k} X_{i_j} = 0$. $\vxor{j=1}{2^k} X_{i_j} = 0$.
\introlist
In Equihash, $\mathrm{N} = 2^{\frac{n}{k+1}+1}$, and the sequence $X_{1..\mathrm{N}}$ is In Equihash, $\mathrm{N} = 2^{\frac{n}{k+1}+1}$, and the sequence $X_{1..\mathrm{N}}$ is
derived from the \blockHeader and a nonce: derived from the \blockHeader and a nonce:
@ -3017,6 +3098,7 @@ $\vxor{j=1}{2^k} X_{i_j} = 0$.
\subparagraph{Algorithm Binding conditions} \subparagraph{Algorithm Binding conditions}
\introlist
For all $r \in \range{1}{k\!-\!1}$, for all $w \in \range{0}{2^{k-r}\!-\!1}$: For all $r \in \range{1}{k\!-\!1}$, for all $w \in \range{0}{2^{k-r}\!-\!1}$:
\begin{itemize} \begin{itemize}
\item $\vxor{j=1}{2^r} X_{i_{w \mult 2^r + j}}$ has $\frac{n \mult r}{k+1}$ leading zeroes; and \item $\vxor{j=1}{2^r} X_{i_{w \mult 2^r + j}}$ has $\frac{n \mult r}{k+1}$ leading zeroes; and
@ -3028,6 +3110,7 @@ This does not include a difficulty condition, because here we are defining valid
of an Equihash solution independent of difficulty. of an Equihash solution independent of difficulty.
} }
\introlist
An Equihash solution with $n = 200$ and $k = 9$ is encoded in the $\solution$ An Equihash solution with $n = 200$ and $k = 9$ is encoded in the $\solution$
field of a \blockHeader as follows: field of a \blockHeader as follows:
@ -3067,7 +3150,7 @@ field of a \blockHeader as follows:
\item $\Justthebox{\solutionbox}$ \item $\Justthebox{\solutionbox}$
\end{formulae} \end{formulae}
\vspace{1ex} \introlist
Recall from \crossref{boxnotation} that bits in the above diagram are Recall from \crossref{boxnotation} that bits in the above diagram are
ordered from most to least significant in each byte. ordered from most to least significant in each byte.
For example, if the first 3 elements of $i$ are $[69, 42, 2^{21}]$, For example, if the first 3 elements of $i$ are $[69, 42, 2^{21}]$,
@ -3136,6 +3219,7 @@ one of $\NumFounderAddresses$ \transparent addresses, depending on the \blockHei
\renewcommand{\arraystretch}{0.95} \renewcommand{\arraystretch}{0.95}
\introlist
For the production network, $\FounderAddressList_{\mathrm{1}..\NumFounderAddresses}$ is: For the production network, $\FounderAddressList_{\mathrm{1}..\NumFounderAddresses}$ is:
\begin{tabular}{@{\hskip 2.5em}l@{\;}l} \begin{tabular}{@{\hskip 2.5em}l@{\;}l}
@ -3165,6 +3249,7 @@ For the production network, $\FounderAddressList_{\mathrm{1}..\NumFounderAddress
& \ascii{t3R3Y5vnBLrEn8L6wFjPjBLnxSUQsKnmFpv}, \ascii{t3Pcm737EsVkGTbhsu2NekKtJeG92mvYyoN}\, ] & \ascii{t3R3Y5vnBLrEn8L6wFjPjBLnxSUQsKnmFpv}, \ascii{t3Pcm737EsVkGTbhsu2NekKtJeG92mvYyoN}\, ]
\end{tabular} \end{tabular}
\introlist
For the test network, $\FounderAddressList_{\mathrm{1}..\NumFounderAddresses}$ is: For the test network, $\FounderAddressList_{\mathrm{1}..\NumFounderAddresses}$ is:
\begin{tabular}{@{\hskip 2.5em}l@{\;}l} \begin{tabular}{@{\hskip 2.5em}l@{\;}l}
@ -3201,6 +3286,7 @@ P2SH multisig address.
Let $\SlowStartShift$ be defined as in the previous section. Let $\SlowStartShift$ be defined as in the previous section.
\introlist
Define: Define:
\begin{formulae} \begin{formulae}
@ -3325,10 +3411,12 @@ the recipient of each output \note. This feature is described in
more detail in \crossref{notept}. more detail in \crossref{notept}.
\introlist
\nsubsection{Unification of Mints and Pours} \nsubsection{Unification of Mints and Pours}
In the original \Zerocash protocol, there were two kinds of transaction In the original \Zerocash protocol, there were two kinds of transaction
relating to \shieldedNotes: relating to \shieldedNotes:
\begin{itemize} \begin{itemize}
\item a ``Mint'' transaction takes value from \transparent UTXOs as \item a ``Mint'' transaction takes value from \transparent UTXOs as
input and produces a new \shieldedNote as output. input and produces a new \shieldedNote as output.
@ -3375,6 +3463,7 @@ legends in which faeries pay mortals in what appears to be gold,
but which soon after reveals itself to be leaves, gorse blossoms, but which soon after reveals itself to be leaves, gorse blossoms,
gingerbread cakes, or other less valuable things \cite{LG2004}. gingerbread cakes, or other less valuable things \cite{LG2004}.
\introlist
This attack does not violate the security definitions given in This attack does not violate the security definitions given in
\cite{BCG+2014}. The issue could be framed as a problem \cite{BCG+2014}. The issue could be framed as a problem
either with the definition of Completeness, or the definition of either with the definition of Completeness, or the definition of
@ -3489,9 +3578,11 @@ to 254 bits in the input to $\PRFsn{}$ (which corresponds to $\PRFnf{}$ in \Zcas
Also, $\hSig$ is truncated from 256 to 253 bits in the input to $\PRFpk{}$. Also, $\hSig$ is truncated from 256 to 253 bits in the input to $\PRFpk{}$.
These truncations are not taken into account in the security proofs. These truncations are not taken into account in the security proofs.
\introlist
Both truncations affect the validity of the proof sketch for Lemma D.2 in Both truncations affect the validity of the proof sketch for Lemma D.2 in
the proof of Ledger Indistinguishability in \cite[Appendix D]{BCG+2014}. the proof of Ledger Indistinguishability in \cite[Appendix D]{BCG+2014}.
In more detail: In more detail:
\begin{itemize} \begin{itemize}
\item In the argument relating $\mathbf{H}$ and $\Game_2$, it is stated that in $\Game_2$, \item In the argument relating $\mathbf{H}$ and $\Game_2$, it is stated that in $\Game_2$,
``for each $i \in \setof{1, 2}, \mathsf{sn}_i := \PRFsn{\AuthPrivate}(\NoteAddressRand)$ ``for each $i \in \setof{1, 2}, \mathsf{sn}_i := \PRFsn{\AuthPrivate}(\NoteAddressRand)$
@ -3549,6 +3640,7 @@ changed to a scheme based on Curve25519 key agreement, and the authenticated
encryption algorithm $\SymSpecific$. This scheme is still loosely based on ECIES, encryption algorithm $\SymSpecific$. This scheme is still loosely based on ECIES,
and on the $\CryptoBoxSeal$ scheme defined in libsodium \cite{libsodium-Seal}. and on the $\CryptoBoxSeal$ scheme defined in libsodium \cite{libsodium-Seal}.
\introlist
The motivations for this change were as follows: The motivations for this change were as follows:
\begin{itemize} \begin{itemize}
@ -3633,6 +3725,7 @@ The \joinSplitStatements are still valid because they can only
check that the $\AuthPrivate$ in the witness is \emph{some} preimage of check that the $\AuthPrivate$ in the witness is \emph{some} preimage of
the $\AuthPublic$ used in the \noteCommitment. the $\AuthPublic$ used in the \noteCommitment.
\introlist
The error is in the proof of Balance in \cite[Appendix D.3]{BCG+2014}. The error is in the proof of Balance in \cite[Appendix D.3]{BCG+2014}.
For the ``$\Adversary$ violates Condition I'' case, the proof says: For the ``$\Adversary$ violates Condition I'' case, the proof says:
@ -3717,6 +3810,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in
\crossref{truncation} were also found by Daira Hopwood. \crossref{truncation} were also found by Daira Hopwood.
\introlist
\nsection{Change history} \nsection{Change history}
\subparagraph{2016.0-beta-1.13} \subparagraph{2016.0-beta-1.13}
@ -3725,6 +3819,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in
\item Define $\PRFaddr{}$ in \crossref{keycomponents}. \item Define $\PRFaddr{}$ in \crossref{keycomponents}.
\end{itemize} \end{itemize}
\introlist
\subparagraph{2016.0-beta-1.12} \subparagraph{2016.0-beta-1.12}
\begin{itemize} \begin{itemize}
@ -3734,6 +3829,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in
\item Add acknowledgements for Filippo Valsorda and Zaki Manian. \item Add acknowledgements for Filippo Valsorda and Zaki Manian.
\end{itemize} \end{itemize}
\introlist
\subparagraph{2016.0-beta-1.11} \subparagraph{2016.0-beta-1.11}
\begin{itemize} \begin{itemize}
@ -3742,6 +3838,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in
follow \cite{BIP-34}. follow \cite{BIP-34}.
\end{itemize} \end{itemize}
\introlist
\subparagraph{2016.0-beta-1.10} \subparagraph{2016.0-beta-1.10}
\begin{itemize} \begin{itemize}
@ -3751,6 +3848,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in
\item Clarify the discussion of proof size in ``Differences from the \Zerocash paper''. \item Clarify the discussion of proof size in ``Differences from the \Zerocash paper''.
\end{itemize} \end{itemize}
\introlist
\subparagraph{2016.0-beta-1.9} \subparagraph{2016.0-beta-1.9}
\begin{itemize} \begin{itemize}
@ -3758,6 +3856,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in
\item Change \quotedterm{protected} terminology to \quotedterm{shielded}. \item Change \quotedterm{protected} terminology to \quotedterm{shielded}.
\end{itemize} \end{itemize}
\introlist
\subparagraph{2016.0-beta-1.8} \subparagraph{2016.0-beta-1.8}
\begin{itemize} \begin{itemize}
@ -3774,6 +3873,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in
\type{uint32\_t}. \type{uint32\_t}.
\end{itemize} \end{itemize}
\introlist
\subparagraph{2016.0-beta-1.7} \subparagraph{2016.0-beta-1.7}
\begin{itemize} \begin{itemize}
@ -3781,6 +3881,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in
response to an issue raised by the NCC audit. response to an issue raised by the NCC audit.
\end{itemize} \end{itemize}
\introlist
\subparagraph{2016.0-beta-1.6} \subparagraph{2016.0-beta-1.6}
\begin{itemize} \begin{itemize}
@ -3798,6 +3899,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in
Jay Graber, and Jack Gavigan. Jay Graber, and Jack Gavigan.
\end{itemize} \end{itemize}
\introlist
\subparagraph{2016.0-beta-1.5} \subparagraph{2016.0-beta-1.5}
\begin{itemize} \begin{itemize}
@ -3805,6 +3907,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in
\item Add some clarifications based on Eli Ben-Sasson's review. \item Add some clarifications based on Eli Ben-Sasson's review.
\end{itemize} \end{itemize}
\introlist
\subparagraph{2016.0-beta-1.4} \subparagraph{2016.0-beta-1.4}
\begin{itemize} \begin{itemize}
@ -3814,6 +3917,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in
``$\typeexp{T}{\ell}$'' for sequence types) to avoid ambiguity. ``$\typeexp{T}{\ell}$'' for sequence types) to avoid ambiguity.
\end{itemize} \end{itemize}
\introlist
\subparagraph{2016.0-beta-1.3} \subparagraph{2016.0-beta-1.3}
\begin{itemize} \begin{itemize}
@ -3824,6 +3928,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in
and for the NCC Group and Coinspect security audits. and for the NCC Group and Coinspect security audits.
\end{itemize} \end{itemize}
\introlist
\subparagraph{2016.0-beta-1.2} \subparagraph{2016.0-beta-1.2}
\begin{itemize} \begin{itemize}
@ -3832,6 +3937,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in
\item Correct the security requirement for $\EquihashGen{}$. \item Correct the security requirement for $\EquihashGen{}$.
\end{itemize} \end{itemize}
\introlist
\subparagraph{2016.0-beta-1.1} \subparagraph{2016.0-beta-1.1}
\begin{itemize} \begin{itemize}
@ -3841,6 +3947,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in
than as a distribution of parameters. than as a distribution of parameters.
\end{itemize} \end{itemize}
\introlist
\subparagraph{2016.0-beta-1} \subparagraph{2016.0-beta-1}
\begin{itemize} \begin{itemize}
@ -3882,18 +3989,21 @@ The errors in the proof of Ledger Indistinguishability mentioned in
\item Terminology changes. \item Terminology changes.
\end{itemize} \end{itemize}
\introlist
\subparagraph{2016.0-alpha-3.1} \subparagraph{2016.0-alpha-3.1}
\begin{itemize} \begin{itemize}
\item Change main font to Quattrocento. \item Change main font to Quattrocento.
\end{itemize} \end{itemize}
\introlist
\subparagraph{2016.0-alpha-3} \subparagraph{2016.0-alpha-3}
\begin{itemize} \begin{itemize}
\item Change version numbering convention (no other changes). \item Change version numbering convention (no other changes).
\end{itemize} \end{itemize}
\introlist
\subparagraph{2.0-alpha-3} \subparagraph{2.0-alpha-3}
\begin{itemize} \begin{itemize}
@ -3902,6 +4012,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in
\item Add change history. \item Add change history.
\end{itemize} \end{itemize}
\introlist
\subparagraph{2.0-alpha-2} \subparagraph{2.0-alpha-2}
\begin{itemize} \begin{itemize}
@ -3916,6 +4027,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in
\item Changes to terminology around keys. \item Changes to terminology around keys.
\end{itemize} \end{itemize}
\introlist
\subparagraph{2.0-alpha-1} \subparagraph{2.0-alpha-1}
\begin{itemize} \begin{itemize}