mirror of https://github.com/zcash/zips.git
* Witness g_d^new and pk_d^new in Orchard as non-identity Pallas points, rather than witnessing their representations as bit sequences.
* Note that ak^P in Orchard cannot be the identity.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
7bf094e827
commit
97fa264611
|
@ -7046,8 +7046,8 @@ the prover knows an \auxiliaryInput:
|
||||||
\hparen\AuthSignPublicPoint \typecolon \GroupPstar,\\
|
\hparen\AuthSignPublicPoint \typecolon \GroupPstar,\\
|
||||||
\hparen\NullifierKey \typecolon \NullifierKeyTypeOrchard,\\
|
\hparen\NullifierKey \typecolon \NullifierKeyTypeOrchard,\\
|
||||||
\hparen\CommitIvkRand \typecolon \CommitIvkTrapdoor,\\
|
\hparen\CommitIvkRand \typecolon \CommitIvkTrapdoor,\\
|
||||||
\hparen\DiversifiedTransmitBaseNewRepr \typecolon \ReprP,\\
|
\hparen\DiversifiedTransmitBaseNew \typecolon \GroupPstar,\\
|
||||||
\hparen\DiversifiedTransmitPublicNewRepr \typecolon \ReprP,\vspace{0.2ex}\\
|
\hparen\DiversifiedTransmitPublicNew \typecolon \GroupPstar,\vspace{0.2ex}\\
|
||||||
\hparen\vNew{} \typecolon \ValueType,\vspace{0.2ex}\\
|
\hparen\vNew{} \typecolon \ValueType,\vspace{0.2ex}\\
|
||||||
\hparen\NoteNullifierRandNew \typecolon \NoteNullifierRandType,\vspace{-0.2ex}\\
|
\hparen\NoteNullifierRandNew \typecolon \NoteNullifierRandType,\vspace{-0.2ex}\\
|
||||||
\hparen\NoteCommitRandNew{} \typecolon \binaryrange{\ScalarLength{Orchard}},\\
|
\hparen\NoteCommitRandNew{} \typecolon \binaryrange{\ScalarLength{Orchard}},\\
|
||||||
|
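Review bot: the retyping of the two witnesses from `\ReprP` to `\GroupPstar` (the lines `\hparen\DiversifiedTransmitBaseNew \typecolon \GroupPstar,\\` and `\hparen\DiversifiedTransmitPublicNew \typecolon \GroupPstar,\vspace{0.2ex}\\`) removes the bit-sequence encodings from the auxiliary input entirely, so every remaining use of the old `\DiversifiedTransmitBaseNewRepr` and `\DiversifiedTransmitPublicNewRepr` macros in the action statement and elsewhere must become `\reprP(...)` of the point witness; the note commitment condition is updated in the next hunk, but please also check the macro definitions and any other section referencing the `...Repr` names so the document still builds and no stale type remains. The surrounding `\AuthSignPublicPoint \typecolon \GroupPstar` context confirms the same non-identity typing is already used for ak^P, which is consistent with the changelog note added later in this commit.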
@ -7084,10 +7084,10 @@ $\InViewingKey = \bot$ or $\DiversifiedTransmitPublicOld = \scalarmult{\InViewin
|
||||||
$\InViewingKey = \CommitIvk{\CommitIvkRandom}\big(\ExtractP(\AuthSignPublicPoint), \NullifierKey\big)$.
|
$\InViewingKey = \CommitIvk{\CommitIvkRandom}\big(\ExtractP(\AuthSignPublicPoint), \NullifierKey\big)$.
|
||||||
|
|
||||||
\snarkcondition{New note commitment integrity}{actionnewnotecommitmentintegrity}
|
\snarkcondition{New note commitment integrity}{actionnewnotecommitmentintegrity}
|
||||||
$\ExtractPbot\big(\NoteCommit{Orchard}{\NoteCommitRandNew{}}(\DiversifiedTransmitBaseNewRepr,
|
$\ExtractPbot\big(\NoteCommit{Orchard}{\NoteCommitRandNew{}}(\reprP(\DiversifiedTransmitBaseNew),
|
||||||
\DiversifiedTransmitPublicNewRepr,
|
\reprP(\DiversifiedTransmitPublicNew),
|
||||||
\vNew{},
|
\vNew{}\!,
|
||||||
\NoteUniqueRandNew{},
|
\NoteUniqueRandNew{}\!,
|
||||||
\NoteNullifierRandNew)\kern-0.1em\big) \in \setof{\cmX, \bot}$,
|
\NoteNullifierRandNew)\kern-0.1em\big) \in \setof{\cmX, \bot}$,
|
||||||
where $\NoteUniqueRandNew{} = \nfOld{} \pmod{\ParamP{q}}$.
|
where $\NoteUniqueRandNew{} = \nfOld{} \pmod{\ParamP{q}}$.
|
||||||
|
|
||||||
|
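Review bot: now that the condition reads `\NoteCommit{Orchard}{\NoteCommitRandNew{}}(\reprP(\DiversifiedTransmitBaseNew), \reprP(\DiversifiedTransmitPublicNew), ...`, the encodings fed to the commitment are derived in-circuit from witnessed non-identity points rather than supplied by the prover as free bit sequences; that is the substantive security gain of this change, and a short sentence (or a cross-reference to the `\reprP` definition) saying that the encoding is computed from the point, not witnessed, would make it explicit to implementers. The `\!` kerning adjustments after `\vNew{}` and `\NoteUniqueRandNew{}` are purely typographic and look fine.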
@ -7110,7 +7110,8 @@ For details of the form and encoding of \actionStatement proofs, see \crossref{h
|
||||||
(Recall from \crossref{notation} that ``$\!\!\pmod{\ParamP{q}}$'' interprets an integer as an $\GF{\ParamP{q}}$
|
(Recall from \crossref{notation} that ``$\!\!\pmod{\ParamP{q}}$'' interprets an integer as an $\GF{\ParamP{q}}$
|
||||||
element.)
|
element.)
|
||||||
\item \xPrimary and \auxiliaryInputs \MUST be constrained to have the types specified.
|
\item \xPrimary and \auxiliaryInputs \MUST be constrained to have the types specified.
|
||||||
In particular, $\DiversifiedTransmitBaseOld$ cannot be $\ZeroP$.
|
In particular, $\DiversifiedTransmitBaseOld$, $\DiversifiedTransmitPublicOld$,
|
||||||
|
$\DiversifiedTransmitBaseNew$, $\DiversifiedTransmitPublicNew$, and $\AuthSignPublicPoint$ cannot be $\ZeroP$.
|
||||||
The $\ValueCommitOutput{Orchard}$ and $\SpendAuthSigPublic{Orchard}$ types represent
|
The $\ValueCommitOutput{Orchard}$ and $\SpendAuthSigPublic{Orchard}$ types represent
|
||||||
\pallasCurve points, i.e.\ $\GroupP$.
|
\pallasCurve points, i.e.\ $\GroupP$.
|
||||||
\item The scalar multiplication used in $\ValueCommitAlg{Orchard}$ must operate correctly on the
|
\item The scalar multiplication used in $\ValueCommitAlg{Orchard}$ must operate correctly on the
|
||||||
|
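Review bot: the new sentence `In particular, $\DiversifiedTransmitBaseOld$, $\DiversifiedTransmitPublicOld$, $\DiversifiedTransmitBaseNew$, $\DiversifiedTransmitPublicNew$, and $\AuthSignPublicPoint$ cannot be $\ZeroP$.` lists the five `\GroupPstar` witnesses but states the non-identity property as a fact rather than as a constraint; since the enclosing `\item` says the inputs `\MUST be constrained to have the types specified`, consider wording it as "must be constrained to be non-identity" (or similar) so it is clear that the circuit enforces it and that an implementation witnessing these as plain points without an identity check would be non-conformant. The following context about `\ValueCommitOutput{Orchard}` and `\SpendAuthSigPublic{Orchard}` being `\GroupP` (identity allowed) is a useful contrast and could be referenced in the same sentence.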
@ -14523,6 +14524,11 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
||||||
\item Change the type of $\rt{Orchard}$ from $\GroupPx$ to $\range{0}{\ParamP{q}-1}$.
|
\item Change the type of $\rt{Orchard}$ from $\GroupPx$ to $\range{0}{\ParamP{q}-1}$.
|
||||||
This reflects the existing \zcashd implementation; also checking
|
This reflects the existing \zcashd implementation; also checking
|
||||||
$\rt{Orchard} \in \GroupPx$ would require a square root and is unnecessary.
|
$\rt{Orchard} \in \GroupPx$ would require a square root and is unnecessary.
|
||||||
|
\item Witness $\DiversifiedTransmitBaseNew$ and $\DiversifiedTransmitPublicNew$ in
|
||||||
|
the \Orchard \actionCircuit as $\GroupPstar$, i.e.\ non-identity Pallas points,
|
||||||
|
rather than witnessing their representations as bit sequences. This reflects
|
||||||
|
the existing \zcashd implementation.
|
||||||
|
\item Note that $\AuthSignPublicPoint$ in \Orchard cannot be the identity.
|
||||||
} %nufive
|
} %nufive
|
||||||
\item Correct the consensus rule about the maximum value of outputs in a
|
\item Correct the consensus rule about the maximum value of outputs in a
|
||||||
\coinbaseTransaction: it should reference the \blockSubsidy rather than
|
\coinbaseTransaction: it should reference the \blockSubsidy rather than
|
||||||
|
|
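Review bot: the changelog item `\item Note that $\AuthSignPublicPoint$ in \Orchard cannot be the identity.` gives no rationale or pointer, whereas the neighbouring items ("This reflects the existing \zcashd implementation") do; adding a brief reason or a `\crossref` to the action statement section where the `$\AuthSignPublicPoint$ ... cannot be $\ZeroP$` sentence was added would help readers locate the normative text. The new item for `$\DiversifiedTransmitBaseNew$` and `$\DiversifiedTransmitPublicNew$` is correctly placed inside the `} %nufive` block and matches the type change made in the action statement hunk.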