
Signed-off-by: Daira Hopwood <>
This commit is contained in:
Daira Hopwood 2018-08-12 16:28:59 +01:00
parent 81598de991
commit 998cb2ff95
1 changed file with 55 additions and 41 deletions


@ -824,10 +824,13 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\powerset}[1]{\raisebox{-0.28ex}{\scalebox{1.25}{$\mathscr{P}$}}\kern -0.2em\big(\strut{#1}\big)}
\newcommand{\rangenozero}[2]{\range{#1}{#2} \setminus \setof{0}}
\newcommand{\bigrangenozero}[2]{\bigrange{#1}{#2} \setminus \setof{0}}
@ -872,7 +875,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\rightarrowR}{\mathop{\clasp[-0.18em]{\raisebox{1.15ex}{\scriptsize R}}{$\,\rightarrow\,$}}}
\newcommand{\leftarrowR}{\mathop{\clasp[0.15em]{\raisebox{1.15ex}{\scriptsize R}}{$\,\leftarrow\,$}}}
@ -1139,7 +1143,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
@ -1646,7 +1650,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\PedersenGen}[2]{\PedersenGenAlg^{\kern -0.05em{#1}}_{\kern 0.1em {#2}}}
\newcommand{\PedersenEncodeSub}[2]{\langle{#2}\rangle_{\kern -0.1em {#1}\vphantom{S'}}}
\newcommand{\PedersenEncodeNonneg}[1]{\langle{#1}\rangle^{\kern -0.1em\PedersenRangeOffset}}
@ -1654,7 +1658,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
% Consensus rules
@ -4424,8 +4428,10 @@ Let $\SubgroupJ$, $\SubgroupJstar$, and $\ParamJ{r}$ be as defined in \crossref{
Let $\ValueCommit{}$, $\ValueCommitValueBase$, and $\ValueCommitRandBase$
be as defined in \crossref{concretevaluecommit}:
\item $\ValueCommit{} \typecolon \ValueCommitTrapdoor \times \ValueCommitType \rightarrow \ValueCommitOutput$;
\item $\ValueCommitValueBase \typecolon \SubgroupJstar$ is the value base in $\ValueCommit{}$;
\item $\ValueCommitRandBase \typecolon \SubgroupJstar$ is the randomness base in $\ValueCommit{}$.
@ -4434,7 +4440,7 @@ $\BindingSig$, $\combplus$, and $\grpplus$ are instantiated in \crossref{concret
These and the derived notation $\combminus$, $\scombsum{i=1}{\rmN}$, $\grpminus$, and
$\sgrpsum{i=1}{\rmN}$ are specified in \crossref{abstractsighom}.
Suppose that the \transaction has:
@ -4445,6 +4451,7 @@ Suppose that the \transaction has:
\item \balancingValue $\vBalance$.
In a correctly constructed \transaction, $\vBalance = \ssum{i=1}{n} \vOld{i} - \ssum{j=1}{m} \vNew{j}$,
but validators cannot check this directly because the values are hidden by the commitments.
@ -4454,9 +4461,9 @@ Instead, validators calculate the \txBindingVerificationKey as:
% <> ¯\_(ツ)_
\item $\BindingPublic := \Bigg(\!\vcombsum{i=1}{n}\kern 0.2em \cvOld{i}\kern 0.05em\Bigg) \combminus\!
\Bigg(\kern-0.05em\vcombsum{j=1}{m}\kern 0.2em \cvNew{j}\kern 0.05em\Bigg) \combminus
(This key is not encoded explicitly in the \transaction and must be recalculated.)
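Review bot: the comment line `% <> ¯\_(ツ)_` at the top of this hunk carries no information for the next editor; either drop it or replace it with what it is marking, presumably the manual `\kern` adjustments in the `\BindingPublic` display that follows it.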
@ -4469,20 +4476,22 @@ calculate the corresponding signing key as:
In order to check for implementation faults, the signer \SHOULD also check that
\item $\BindingPublic = \BindingSigDerivePublic(\BindingPrivate)$.
Let $\SigHash$ be the \sighashTxHash as defined in \cite{ZIP-243}, not associated with an input,
using the \sighashType $\SIGHASHALL$.
A validator checks balance by verifying that $\BindingSigVerify{\BindingPublic}(\SigHash, \bindingSig) = 1$.
We now explain why this works.
A \bindingSignature proves knowledge of the discrete logarithm $\BindingPrivate$ of
$\BindingPublic$ with respect to $\ValueCommitRandBase$.
That is, $\BindingPublic = \scalarmult{\BindingPrivate}{\ValueCommitRandBase}$.
@ -4504,13 +4513,14 @@ equivalent to:
\begin{tabular}{@{\hskip 2em}r@{\;}l}
$\BindingPublic$ &$= \bigscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \vOld{i}\Bigg) \grpminus\!
\Bigg(\!\vgrpsum{j=1}{m} \vNew{j}\Bigg) \grpminus \vBalance}{\ValueCommitValueBase}\, \combplus
\bigscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \ValueCommitRandOld{i}\Bigg) \grpminus\!
\Bigg(\!\vgrpsum{j=1}{m} \ValueCommitRandNew{j}\Bigg)}{\ValueCommitRandBase}$ \\[3.5ex]
$\BindingPublic$ &$= \Biggscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \vOld{i}\Bigg) \grpminus\!
\Bigg(\!\vgrpsum{j=1}{m} \vNew{j}\Bigg) \grpminus \vBalance}{\ValueCommitValueBase}\, \combplus
\Biggscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \ValueCommitRandOld{i}\Bigg) \grpminus\!
\Bigg(\!\vgrpsum{j=1}{m} \ValueCommitRandNew{j}\Bigg)}{\ValueCommitRandBase}$ \\[3.5ex]
&$= \ValueCommit{\BindingPrivate}\Bigg(\!\vsum{i=1}{n} \vOld{i} - \vsum{j=1}{m} \vNew{j} - \vBalance\Bigg)$.
Let $\vSum = \vsum{i=1}{n} \vOld{i} - \vsum{j=1}{m} \vNew{j} - \vBalance$.
Suppose that $\vSum = \vBad \neq 0 \pmod{\ParamJ{r}}$.
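Review bot: the only change in this hunk is `\bigscalarmult` to `\Biggscalarmult` on the two displayed lines, and none of the preamble hunks in this commit show a `\Biggscalarmult` definition; confirm it exists (or is added elsewhere in the same commit) before merging, otherwise the build breaks. The derivation itself is untouched and the closing line `= \ValueCommit{\BindingPrivate}\Bigg(\!\vsum{i=1}{n} \vOld{i} - \vsum{j=1}{m} \vNew{j} - \vBalance\Bigg)` still matches the term order of the two scalar-multiplication lines above it.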
@ -4577,6 +4587,7 @@ key is a re-randomization of the \spendAuthAddressKey $\AuthSignPublic$ with a r
known to the signer. The \spendAuthSignature is over the \sighashTxHash, so that it cannot be
replayed in other \transactions.
Let $\SigHash$ be the \sighashTxHash as defined in \cite{ZIP-243}, not associated with an input,
using the \sighashType $\SIGHASHALL$.
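Review bot: the two lines "Let $\SigHash$ be the \sighashTxHash as defined in \cite{ZIP-243}, not associated with an input, using the \sighashType $\SIGHASHALL$." repeat verbatim the definition already given in the binding-signature section earlier in this commit. Define it once (a shared paragraph or a macro) and reference it from both the binding-signature and spend-authorization sections, so the two cannot drift; both signatures must commit to exactly the same hash.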
@ -4584,7 +4595,6 @@ using the \sighashType $\SIGHASHALL$.
Let $\AuthSignPrivate$ be the \spendAuthPrivateKey as defined in \crossref{saplingkeycomponents}.
For each \spendDescription, the signer uses a fresh \spendAuthRandomizer $\AuthSignRandomizer$:
@ -5160,8 +5170,8 @@ Then to encrypt:
\item \tab choose random $\OutCipherKey \leftarrowR \Keyspace$ and $\OutPlaintext \leftarrowR \byteseq{(\ellJ + 256)/8}$
\item else:
\item \tab let $\cvField = \LEBStoOSP{\ellJ}\big(\reprJ(\cvNew{})\kern-0.12em\big)$
\item \tab let $\cmField = \LEBStoOSP{256}\big(\ExtractJ(\cmNew{})\kern-0.15em\big)$
\item \tab let $\ephemeralKey = \LEBStoOSPOf{\ellJ}{\reprJ\Of{\EphemeralPublic}}$
\item \tab let $\cmField = \LEBStoOSP{256}\big(\ExtractJ(\cmNew{})\kern-0.12em\big)$
\item \tab let $\ephemeralKey = \LEBStoOSPOf{\ellJ}{\reprJ\Of{\EphemeralPublic}\kern 0.03em}$
\item \tab let $\OutCipherKey = \PRFock{\OutViewingKey}(\cvField, \cmField, \ephemeralKey)$
\item \tab let $\OutPlaintext = \LEBStoOSPOf{\ellJ + 256}{\reprJ(\DiversifiedTransmitPublicNew) \,\bconcat\, \ItoLEBSPOf{256}{\EphemeralPrivate}\kern-0.12em}$
\item \vspace{-2ex}
@ -5575,7 +5585,7 @@ as specified in \cite{ZIP-143}\sapling{, or as in \cite{ZIP-243} after
$\PRFock{}$, $\KDFSapling$, and in the $\RedJubjub$ \signatureScheme
which instantiates $\SpendAuthSig$ and $\BindingSig$.}
\item $\BlakeTwob{\ell} \typecolon \byteseq{16} \times \byteseqs \rightarrow \byteseq{\ell/8}$
@ -5596,7 +5606,7 @@ $8$-byte personalization string $p$, and input $x$.
$\BlakeTwosGeneric$ is used to instantiate $\PRFnfSapling{}$, $\CRHivk$,
and $\GroupJHash{}$.
\item $\BlakeTwos{\ell} \typecolon \byteseq{8} \times \byteseqs \rightarrow \byteseq{\ell/8}$
@ -5689,10 +5699,10 @@ $\MerkleCRHSapling \typecolon \MerkleLayerSapling \times \MerkleHashSapling \tim
\securityrequirement{$\PedersenHash$ must be \collisionResistant\!.}
\pnote{The prefix $l$ provides domain separation between inputs at different layers of the
\textbf{Note:}\;\; The prefix $l$ provides domain separation between inputs at different layers of the
\noteCommitmentTree. It is distinct from the $\NoteCommitSaplingAlg$ prefix
as noted in \crossref{concretewindowedcommit}.}} %sapling
as noted in \crossref{concretewindowedcommit}.} %sapling
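Review bot: replacing `\pnote{...}` with an inline `\textbf{Note:}\;\;` loses the semantic note markup used elsewhere in the document. If `\pnote` cannot be used here (for instance because it does not nest inside the enclosing `\sapling{...}` block, which is what the dropped trailing brace suggests), leave a comment saying so, otherwise the next editor will revert this. Also double-check brace balance: the old last line ended `}} %sapling` and the new one ends `} %sapling`, which is consistent only if exactly the `\pnote{` opener was removed and nothing else.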
\subsubsubsection{\hSigText{} \HashFunction} \label{hsigcrh}
@ -6248,7 +6258,8 @@ It is instantiated using the $\BlakeTwosGeneric$ \hashFunction defined in \cross
$\BlakeTwosOf{256}{\ascii{Zcash\_nf}, \Justthebox{\nfsaplingbox}}$ must be a
\collisionResistant PRF for output range $\byteseq{32}$ when keyed by the bits
corresponding to $\AuthProvePublicRepr$, with input in the bits corresponding to
$\NoteAddressRandRepr$. Note that $\AuthProvePublicRepr \typecolon \SubgroupReprJ$
$\NoteAddressRandRepr$. Note that
{$\AuthProvePublicRepr$}{$\typecolon$}{$\SubgroupReprJ$} % {$...$} hack needed for reasonable spacing
is a representation of a point in the $\ParamJ{r}$-order subgroup of the \jubjubCurve,
and therefore is not uniformly distributed on $\ReprJ$.
$\SubgroupReprJ$ is defined in \crossref{jubjub}.
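Review bot: the spacing workaround `{$\AuthProvePublicRepr$}{$\typecolon$}{$\SubgroupReprJ$}` splits a single typed expression into three separate math groups, and it will get copied the next time `\typecolon` mis-spaces. Prefer fixing the spacing once inside `\typecolon` (or a variant of it) rather than at the call site. The inline comment explaining the hack is good; keep it if the hack stays.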
@ -6846,6 +6857,7 @@ $t^2 + 1$; in this representation, $\xi$ is given by $t + 9$.
Let $\SubgroupG{T}$ be the subgroup of $\ParamGexp{r}{\mathrm{th}}$ roots of unity in
$\GFstar{\ParamGexp{q}{12}}$, with multiplicative identity $\OneG$.
Let $\PairingG$ be the optimal ate pairing (see \cite{Vercauter2009} and \cite[section 2]{AKLGL2010}) of type
$\SubgroupG{1} \times \SubgroupG{2} \rightarrow \SubgroupG{T}$.
@ -7008,6 +7020,7 @@ $t^2 + 1$; in this representation, $i$ is given by $t$.
Let $\SubgroupS{T}$ be the subgroup of $\ParamSexp{r}{\mathrm{th}}$ roots of unity in
$\GFstar{\ParamSexp{q}{12}}$, with multiplicative identity $\OneS$.
Let $\PairingS$ be the optimal ate pairing of type
$\SubgroupS{1} \times \SubgroupS{2} \rightarrow \SubgroupS{T}$.
@ -7206,7 +7219,6 @@ $\ExtractJ$ is injective on $\SubgroupJ$.
\subsubsubsection{Group Hash into \Jubjub} \label{concretegrouphashjubjub}
Let $\GroupGHashInput := \byteseq{8} \times \byteseqs$, and
let $\GroupGHashURSType := \byteseq{64}$.
@ -7254,9 +7266,9 @@ The hash $\GroupJHash{\URS}(D, M) \typecolon \SubgroupJstar$ is calculated as fo
{\scalarmult{\ParamJ{h}}{P} \typecolon \SubgroupJstar}{\ZeroJ}$
is exactly $\ParamJ{h}$-to-$1$, and both it and its inverse relation are efficiently computable.
It follows that when $\fun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)}
It follows that when $\fun{\big(D \typecolon \byteseq{8}, M \typecolon \byteseqs\big)}
{\BlakeTwosOf{256}{D,\, \URS \bconcat\, M}\! \typecolon \byteseq{32}}$
is modelled as a random oracle, $\exclusivefun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)}
is modelled as a random oracle, $\exclusivefun{\big(D \typecolon \byteseq{8}, M \typecolon \byteseqs\big)}
{\GroupJHash{\URS}\big(D, M\big) \typecolon \SubgroupJstar}{\bot}$ also acts as a random oracle.
@ -7265,7 +7277,7 @@ Define $\first \typecolon (\byte \rightarrow \maybe{T}) \rightarrow \maybe{T}$
so that $\first(f) = f(i)$ where $i$ is the least integer in $\byte$
such that $f(i) \neq \bot$, or $\bot$ if no such $i$ exists.
Define $\FindGroupJHash(D, M) :=
Define $\FindGroupJHash\big(D, M\big) :=
\first(\fun{i \typecolon \byte}{\GroupJHash{\URS}\Of{D, M \bconcat\, [i]} \typecolon \maybe{\SubgroupJstar}})$.
@ -7957,7 +7969,7 @@ It is derived as described in \cite{Bowe2018}:
\section{Network Upgrades} \label{networkupgrades}
\Zcash launched with a protocol revision that we call \Sprout.
@ -7975,6 +7987,7 @@ The upgrade mechanism is described in \cite{ZIP-200}.
Each network upgrade is introduced as a
\quotedterm{bilateral consensus rule change}. In this kind of upgrade,
@ -8701,7 +8714,7 @@ Define:
\item $\mean(S) := \left( \vsum{i=1}{\length(S)} S_i \right) \raisebox{-0.4ex}{\scalebox{1.4}{/\,}} \length(S)$.
\item $\mean(S) := \hfrac{\ssum{i=1}{\length(S)} S_i}{\length(S)}$.
\item $\median(S) := \sorted(S)_{\sceiling{\length(S) / 2}}$
\item $\bound{\Lower}{\Upper}(x) := \maximum(\Lower, \minimum(\Upper, x)))$
\item $\trunc{x} := \begin{cases}
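Review bot: the unchanged context line `$\bound{\Lower}{\Upper}(x) := \maximum(\Lower, \minimum(\Upper, x)))$` has an unbalanced closing parenthesis (three `)` against two `(`). Since this hunk already touches the neighbouring `\mean` definition, fix it here to `\maximum(\Lower, \minimum(\Upper, x))`. The rewrite of `\mean(S)` to `\hfrac{\ssum{i=1}{\length(S)} S_i}{\length(S)}` is fine.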
@ -10868,7 +10881,7 @@ can be safely used:
\begin{theorem} \label{thmdistinctxcriterion}
Let $Q$ be a point of odd-prime order $s$ on a Montgomery curve $E_{\ParamM{A},\ParamM{B}} / \GF{\ParamS{r}}$.
Let $k_\barerange{1}{2}$ be integers in $\rangenozero{-\halfs}{\halfs}$.
Let $k_\barerange{1}{2}$ be integers in $\bigrangenozero{-\halfs}{\halfs}$.
Let $P_i = \scalarmult{k_i}{Q} = (x_i, y_i)$ for $i \in \range{1}{2}$, with
$k_1 \neq \pm k_2$. Then the non-unified addition constraints
@ -10890,14 +10903,14 @@ $P_1 = \scalarmult{k_1}{Q}$, there can be only one other point $-P_1$ with
the same $x$-coordinate. (This follows from the fact that the curve equation
determines $\pm y$ as a function of $x$.)
But $-P_1 = \scalarmult{-1}{\scalarmult{k_1}{Q}} = \scalarmult{-k_1}{Q}$.
Since $\fun{k \typecolon \range{-\halfs}{\halfs}}{\scalarmult{k}{Q} \typecolon \GroupJ}$
is injective and $k_\barerange{1}{2}$ are in $\range{-\halfs}{\halfs}$,
Since $\fun{k \typecolon \bigrange{-\halfs}{\halfs}}{\scalarmult{k}{Q} \typecolon \GroupJ}$
is injective and $k_\barerange{1}{2}$ are in $\bigrange{-\halfs}{\halfs}$,
then $k_2 = \pm k_1$ (contradiction).
The conditions of this theorem are called the \distinctXCriterion.
In particular, if $k_\barerange{1}{2}$ are integers in $\range{1}{\halfs}$
In particular, if $k_\barerange{1}{2}$ are integers in $\bigrange{1}{\halfs}$
then it is sufficient to require $k_1 \neq k_2$, since that implies
$k_1 \neq \pm k_2$.
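Review bot: the theorem is stated for a point $Q$ on the Montgomery curve $E_{\ParamM{A},\ParamM{B}} / \GF{\ParamS{r}}$, but the injectivity step types the map as $\fun{k \typecolon \bigrange{-\halfs}{\halfs}}{\scalarmult{k}{Q} \typecolon \GroupJ}$. If the Montgomery curve is being identified with \Jubjub via the birational map, say so at the point of use; otherwise the codomain should be the Montgomery group. The `\range` to `\bigrange` changes themselves are purely typographic.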
@ -11147,7 +11160,7 @@ We have to prove that:
The proof of \theoremref{thmpedersenencodeinjective} showed that
all indices of addition inputs are in the range
Because the $\PedersenGen{D}{j}$ (which are outputs of $\GroupJHash{}$)
are all of prime order, and $\PedersenEncode{M_j} \neq 0 \pmod{\ParamJ{r}}$,
@ -11423,14 +11436,14 @@ Define $\RedDSABatchVerify \typecolon (\Entry{\barerange{0}{N-1}} \typecolon \ty
\item for all $j \in \range{0}{N-1}$, $\RedDSASigR{j} \neq \bot$ and $\RedDSASigS{j} < \ParamG{r}$; and
\item $\scalarmult{\ParamG{h}}{\left(\bigscalarmult{\ssum{j=0}{N-1}{(z_j \mult \RedDSASigS{j})
\pmod{\ParamG{r}}}}{\GenG{}} +
\ssum{j=0}{N-1}{\big(\scalarmult{z_j}{\RedDSASigR{j}} +
\scalarmult{z_j \mult \RedDSASigc{j}
\item $\scalarmult{\ParamG{h}}{\Big(\Bigscalarmult{\ssum{j=0}{N-1}{(z_j \mult \RedDSASigS{j})
\pmod{\ParamG{r}}}}{\GenG{}} +
\ssum{j=0}{N-1}{\big(\scalarmult{z_j}{\RedDSASigR{j}} +
\scalarmult{z_j \mult \RedDSASigc{j}
= \ZeroG{}$,
otherwise $0$.
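Review bot: the `\left(` to `\Big(` change on the multiscalar line needs its matching `\right)` (on the line cut from this hunk, before `= \ZeroG{}$`) changed to `\Big)` as well, otherwise LaTeX fails with "Extra \right". Unrelated to this change but worth keeping as is: the per-entry precondition `\RedDSASigS{j} < \ParamG{r}` is the canonical-scalar check that stops the batch from accepting non-reduced $S$ values, and it correctly sits ahead of the summation.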
@ -11446,7 +11459,7 @@ as Pippinger's method \cite{Bernstein2001} or the Bos--Coster method \cite{deRoo
binding signatures (\crossref{concretebindingsig}) use different bases $\raisedstrut\GenG{}$.
It is straightforward to adapt the above procedure to handle multiple bases;
there will be one
$\bigscalarmult{\ssum{j}{}{(z_j \mult \RedDSASigS{j}) \pmod{\ParamG{r}}}}{\Generator}$ term for each base $\Generator$.
$\Bigscalarmult{\ssum{j}{}{(z_j \mult \RedDSASigS{j}) \pmod{\ParamG{r}}}}{\Generator}$ term for each base $\Generator$.
The benefit of this relative to using separate batches is that the multiscalar multiplication
can be extended across a larger batch.} %pnote
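Review bot: the context line in this hunk's header reads "Pippinger's method"; the name is Pippenger (Nicholas Pippenger), so fix the spelling while touching this note. The `\bigscalarmult` to `\Bigscalarmult` change is consistent with the batch-verification display above.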
@ -11463,10 +11476,11 @@ $\OneS$, and $\PairingS$ be as defined in \crossref{blspairing}.
Define $\MillerLoopS \typecolon \SubgroupS{1} \times \SubgroupS{2} \rightarrow \SubgroupS{T}$
and $\FinalExpS \typecolon \SubgroupS{T} \rightarrow \SubgroupS{T}$ to be the Miller loop and
final exponentiation respectively of the $\PairingS$ pairing computation, so that:
\item $\PairingS\Of{P, Q} = \FinalExpS\Of{\MillerLoopS\Of{P, Q}\kern 0.05em}$
where $\FinalExpS\Of{R} = R^{t}$ for some fixed $t$.
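Review bot: the types given to the two factors do not match what they compute. The Miller loop output is an element of $\GFstar{\ParamSexp{q}{12}}$ and is not in general an $\ParamSexp{r}{\mathrm{th}}$ root of unity; it is the final exponentiation that maps it into $\SubgroupS{T}$. So `\MillerLoopS` should be typed $\SubgroupS{1} \times \SubgroupS{2} \rightarrow \GFstar{\ParamSexp{q}{12}}$ and `\FinalExpS` as $\GFstar{\ParamSexp{q}{12}} \rightarrow \SubgroupS{T}$. Also the exponent symbol $t$ in "$\FinalExpS\Of{R} = R^{t}$ for some fixed $t$" collides with the $t$ used earlier in this section for the extension-field variable ("in this representation, $i$ is given by $t$"); rename it, or state it explicitly (for embedding degree 12 the exponent is $(\ParamSexp{q}{12} - 1) / \ParamS{r}$).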