diff --git a/protocol/protocol.tex b/protocol/protocol.tex index ae41ab50..9c5e35dd 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -7046,8 +7046,8 @@ the prover knows an \auxiliaryInput: \hparen\AuthSignPublicPoint \typecolon \GroupPstar,\\ \hparen\NullifierKey \typecolon \NullifierKeyTypeOrchard,\\ \hparen\CommitIvkRand \typecolon \CommitIvkTrapdoor,\\ - \hparen\DiversifiedTransmitBaseNewRepr \typecolon \ReprP,\\ - \hparen\DiversifiedTransmitPublicNewRepr \typecolon \ReprP,\vspace{0.2ex}\\ + \hparen\DiversifiedTransmitBaseNew \typecolon \GroupPstar,\\ + \hparen\DiversifiedTransmitPublicNew \typecolon \GroupPstar,\vspace{0.2ex}\\ \hparen\vNew{} \typecolon \ValueType,\vspace{0.2ex}\\ \hparen\NoteNullifierRandNew \typecolon \NoteNullifierRandType,\vspace{-0.2ex}\\ \hparen\NoteCommitRandNew{} \typecolon \binaryrange{\ScalarLength{Orchard}},\\ @@ -7084,10 +7084,10 @@ $\InViewingKey = \bot$ or $\DiversifiedTransmitPublicOld = \scalarmult{\InViewin $\InViewingKey = \CommitIvk{\CommitIvkRandom}\big(\ExtractP(\AuthSignPublicPoint), \NullifierKey\big)$. \snarkcondition{New note commitment integrity}{actionnewnotecommitmentintegrity} -$\ExtractPbot\big(\NoteCommit{Orchard}{\NoteCommitRandNew{}}(\DiversifiedTransmitBaseNewRepr, - \DiversifiedTransmitPublicNewRepr, - \vNew{}, - \NoteUniqueRandNew{}, +$\ExtractPbot\big(\NoteCommit{Orchard}{\NoteCommitRandNew{}}(\reprP(\DiversifiedTransmitBaseNew), + \reprP(\DiversifiedTransmitPublicNew), + \vNew{}\!, + \NoteUniqueRandNew{}\!, \NoteNullifierRandNew)\kern-0.1em\big) \in \setof{\cmX, \bot}$, where $\NoteUniqueRandNew{} = \nfOld{} \pmod{\ParamP{q}}$. 
@@ -7110,7 +7110,8 @@ For details of the form and encoding of \actionStatement proofs, see \crossref{h (Recall from \crossref{notation} that ``$\!\!\pmod{\ParamP{q}}$'' interprets an integer as an $\GF{\ParamP{q}}$ element.) \item \xPrimary and \auxiliaryInputs \MUST be constrained to have the types specified. - In particular, $\DiversifiedTransmitBaseOld$ cannot be $\ZeroP$. + In particular, $\DiversifiedTransmitBaseOld$, $\DiversifiedTransmitPublicOld$, + $\DiversifiedTransmitBaseNew$, $\DiversifiedTransmitPublicNew$, and $\AuthSignPublicPoint$ cannot be $\ZeroP$. The $\ValueCommitOutput{Orchard}$ and $\SpendAuthSigPublic{Orchard}$ types represent \pallasCurve points, i.e.\ $\GroupP$. \item The scalar multiplication used in $\ValueCommitAlg{Orchard}$ must operate correctly on the @@ -14523,6 +14524,11 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \item Change the type of $\rt{Orchard}$ from $\GroupPx$ to $\range{0}{\ParamP{q}-1}$. This reflects the existing \zcashd implementation; also checking $\rt{Orchard} \in \GroupPx$ would require a square root and is unnecessary. + \item Witness $\DiversifiedTransmitBaseNew$ and $\DiversifiedTransmitPublicNew$ in + the \Orchard \actionCircuit as $\GroupPstar$, i.e.\ non-identity Pallas points, + rather than witnessing their representations as bit sequences. This reflects + the existing \zcashd implementation. + \item Note that $\AuthSignPublicPoint$ in \Orchard cannot be the identity. } %nufive \item Correct the consensus rule about the maximum value of outputs in a \coinbaseTransaction: it should reference the \blockSubsidy rather than
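Review bot: in the auxiliary-input hunk at -7046, retyping the two new-note values from \ReprP to \GroupPstar narrows the witness set, not just the notation: a 256-bit sequence that is not the canonical encoding of a non-identity Pallas point was previously an admissible witness and no longer is, so the statement now relies on the circuit enforcing on-curve and non-identity for \DiversifiedTransmitBaseNew and \DiversifiedTransmitPublicNew. Also check that the replaced macros \DiversifiedTransmitBaseNewRepr and \DiversifiedTransmitPublicNewRepr are either still defined or no longer referenced anywhere else in protocol.tex; an orphaned reference would break the build.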
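Review bot: in the note-commitment hunk at -7084, the added negative thin spaces ("\vNew{}\!," and "\NoteUniqueRandNew{}\!,") are purely typographic and unrelated to the witness-type change; either drop them or mention them in the commit message so the semantic change is not obscured. Moving \reprP(...) inside the statement is the right place for it, since the conversion from point to bit sequence is then part of what the proof must enforce rather than something the prover supplies.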
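Review bot: the expanded sentence at -7110 now asserts that five values cannot be \ZeroP, but this patch only shows \GroupPstar types for \AuthSignPublicPoint, \DiversifiedTransmitBaseNew and \DiversifiedTransmitPublicNew (hunk at -7046); the declared types of \DiversifiedTransmitBaseOld and \DiversifiedTransmitPublicOld are outside the diff, so confirm they are \GroupPstar rather than \GroupP, otherwise this sentence claims a constraint the statement does not impose. The immediately following sentence, which says \ValueCommitOutput{Orchard} and \SpendAuthSigPublic{Orchard} are \GroupP, is the useful contrast and should stay as is.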
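Review bot: the second changelog item at -14523, "Note that \AuthSignPublicPoint in \Orchard cannot be the identity", reads as a new restriction, but the unchanged context at -7046 already types \AuthSignPublicPoint as \GroupPstar, so this is a clarification of existing text; word it as "Clarify that ..." so it is not mistaken for a consensus change. In the first item, "non-identity Pallas points" uses plain text where the rest of the document uses the \pallasCurve macro (see the unchanged sentence at -7110); use the macro, and consider adding one clause stating the consequence (bit sequences that are not canonical encodings of non-identity points are no longer admissible witnesses), since "reflects the existing \zcashd implementation" alone does not say why the change is safe.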