diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index 3e16ffec..92dbbf67 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -824,10 +824,13 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\ascii}[1]{\textbf{``\texttt{#1}''}}
 \newcommand{\Justthebox}[2][-1.8ex]{\raisebox{#1}{\;\usebox{#2}\;}}
 \newcommand{\setof}[1]{\{{#1}\}}
+\newcommand{\bigsetof}[1]{\left\{{#1}\right\}}
 \newcommand{\powerset}[1]{\raisebox{-0.28ex}{\scalebox{1.25}{$\mathscr{P}$}}\kern -0.2em\big(\strut{#1}\big)}
 \newcommand{\barerange}[2]{{{#1}\,..\,{#2}}}
 \newcommand{\range}[2]{\setof{\barerange{#1}{#2}}}
+\newcommand{\bigrange}[2]{\bigsetof{\barerange{#1}{#2}}}
 \newcommand{\rangenozero}[2]{\range{#1}{#2} \setminus \setof{0}}
+\newcommand{\bigrangenozero}[2]{\bigrange{#1}{#2} \setminus \setof{0}}
 \newcommand{\binaryrange}[1]{\range{0}{2^{#1}\!-\!1}}
 \newcommand{\oneto}[1]{\mathrm{1}..{#1}}
 \newcommand{\alln}{\oneto{n}}
@@ -872,7 +875,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\mult}{\cdot}
 \newcommand{\smult}{\!\cdot\!}
 \newcommand{\scalarmult}[2]{\boldsymbol{[}{#1}\boldsymbol{]}\,{#2}}
-\newcommand{\bigscalarmult}[2]{\left[{#1}\right]{#2}}
+\newcommand{\Bigscalarmult}[2]{\Big[{#1}\Big]{#2}}
+\newcommand{\Biggscalarmult}[2]{\Bigg[{#1}\Bigg]{#2}}
 \newcommand{\rightarrowR}{\mathop{\clasp[-0.18em]{\raisebox{1.15ex}{\scriptsize R}}{$\,\rightarrow\,$}}}
 \newcommand{\leftarrowR}{\mathop{\clasp[0.15em]{\raisebox{1.15ex}{\scriptsize R}}{$\,\leftarrow\,$}}}
 \newcommand{\union}{\cup}
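Review bot: The new `\bigsetof` on the added line reintroduces `\left\{ … \right\}` in the same commit that removes `\left[ … \right]` from the scalar-multiplication macro in favour of fixed `\Big`/`\Bigg` sizes (hunk at 872). `\left`/`\right` forbid a line break inside the delimited group and add glue on both sides, which matters because `\bigrange` is used inline in type signatures such as `\ValueCommitType` (hunk at 1139). If the intent is only a taller brace around a fraction-height argument, a fixed size is more predictable and consistent with the rest of the commit: `\newcommand{\bigsetof}[1]{\big\{{#1}\big\}}`, with a `\Big` variant if needed. A one-line comment saying when `\bigrange` is preferred over `\range` would also help, e.g. `% \bigrange: for arguments taller than one line (e.g. \hfrac); \range otherwise`.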
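Review bot: `\bigscalarmult` is deleted rather than kept as an alias, so any use the commit does not update fails at compile time with an undefined control sequence; the visible hunks rewrite three call sites (4504, 11423, 11446) and I cannot see whether others remain. Keeping `\newcommand{\bigscalarmult}[2]{\Biggscalarmult{#1}{#2}} % deprecated, use \Bigscalarmult/\Biggscalarmult` for one revision makes the removal safe, or a grep for the old name should accompany the change. The fixed `\Bigg[` also no longer grows past an operand that itself contains `\Bigg(`, as at 4504, so the bracket and the inner parentheses now render at the same size; if that is deliberate, a short comment on the macro saying so would save the next reader from "fixing" it back to `\left`.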
@@ -1139,7 +1143,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\ValueOld}[1]{\Value^\mathsf{old}_{#1}}
 \newcommand{\ValueLength}{\ell_{\mathsf{value}}}
 \newcommand{\ValueType}{\binaryrange{\ValueLength}}
-\newcommand{\ValueCommitType}{\range{-\SignedScalarLimitJ}{\SignedScalarLimitJ}}
+\newcommand{\ValueCommitType}{\bigrange{-\SignedScalarLimitJ}{\SignedScalarLimitJ}}
 \newcommand{\ValueCommitRand}{\mathsf{rcv}}
 \newcommand{\ValueCommitRandLength}{\mathsf{\ell_{\ValueCommitRand}}}
 \newcommand{\ValueCommitRandOld}[1]{\ValueCommitRand^\mathsf{old}_{#1}}
@@ -1646,7 +1650,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\PedersenGen}[2]{\PedersenGenAlg^{\kern -0.05em{#1}}_{\kern 0.1em {#2}}}
 \newcommand{\PedersenEncode}[1]{\langle{#1}\rangle}
 \newcommand{\PedersenEncodeSub}[2]{\langle{#2}\rangle_{\kern -0.1em {#1}\vphantom{S'}}}
-\newcommand{\PedersenEncodeNonneg}[1]{\langle{#1}\rangle^{\PedersenRangeOffset}}
+\newcommand{\PedersenEncodeNonneg}[1]{\langle{#1}\rangle^{\kern -0.1em\PedersenRangeOffset}}
 \newcommand{\PedersenHashToPoint}{\mathsf{PedersenHashToPoint}}
 \newcommand{\MixingPedersenHash}{\mathsf{MixingPedersenHash}}
 \newcommand{\WindowedPedersenCommitAlg}{\mathsf{WindowedPedersenCommit}}
@@ -1654,7 +1658,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\HomomorphicPedersenCommitAlg}{\mathsf{HomomorphicPedersenCommit}}
 \newcommand{\HomomorphicPedersenCommit}[1]{\HomomorphicPedersenCommitAlg_{#1}}
 \newcommand{\Digits}{\mathsf{Digits}}
-\newcommand{\PedersenRangeOffset}{\Delta}
+\newcommand{\PedersenRangeOffset}{\mathsf{\Delta}}
 \newcommand{\Sign}{\mathsf{\Theta}} % Consensus rules
@@ -4424,8 +4428,10 @@ Let $\SubgroupJ$, $\SubgroupJstar$, and $\ParamJ{r}$ be as defined in \crossref{ \introlist Let $\ValueCommit{}$, $\ValueCommitValueBase$, and $\ValueCommitRandBase$ be as defined in \crossref{concretevaluecommit}: +\vspace{-0.5ex} \begin{formulae} \item $\ValueCommit{} \typecolon \ValueCommitTrapdoor \times \ValueCommitType \rightarrow \ValueCommitOutput$; + \vspace{-1ex} \item $\ValueCommitValueBase \typecolon \SubgroupJstar$ is the value base in $\ValueCommit{}$; \item $\ValueCommitRandBase \typecolon \SubgroupJstar$ is the randomness base in $\ValueCommit{}$. \end{formulae} @@ -4434,7 +4440,7 @@ $\BindingSig$, $\combplus$, and $\grpplus$ are instantiated in \crossref{concret These and the derived notation $\combminus$, $\scombsum{i=1}{\rmN}$, $\grpminus$, and $\sgrpsum{i=1}{\rmN}$ are specified in \crossref{abstractsighom}. -\vspace{2ex} +\vspace{1.5ex} \introlist Suppose that the \transaction has: \begin{itemize} @@ -4445,6 +4451,7 @@ Suppose that the \transaction has: \item \balancingValue $\vBalance$. \end{itemize} +\vspace{-0.5ex} In a correctly constructed \transaction, $\vBalance = \ssum{i=1}{n} \vOld{i} - \ssum{j=1}{m} \vNew{j}$, but validators cannot check this directly because the values are hidden by the commitments. @@ -4454,9 +4461,9 @@ Instead, validators calculate the \txBindingVerificationKey as: % ¯\_(ツ)_/¯ \item $\BindingPublic := \Bigg(\!\vcombsum{i=1}{n}\kern 0.2em \cvOld{i}\kern 0.05em\Bigg) \combminus\! \Bigg(\kern-0.05em\vcombsum{j=1}{m}\kern 0.2em \cvNew{j}\kern 0.05em\Bigg) \combminus - \ValueCommit{0}(\vBalance)$. + \ValueCommit{0}\big(\vBalance\big)$. \end{formulae} - +\vspace{-1ex} (This key is not encoded explicitly in the \transaction and must be recalculated.) \introlist 
@@ -4469,20 +4476,22 @@ calculate the corresponding signing key as: \end{formulae} \introlist +\vspace{-1ex} In order to check for implementation faults, the signer \SHOULD also check that \begin{formulae} \item $\BindingPublic = \BindingSigDerivePublic(\BindingPrivate)$. \end{formulae} -\vspace{1ex} +\vspace{0.5ex} Let $\SigHash$ be the \sighashTxHash as defined in \cite{ZIP-243}, not associated with an input, using the \sighashType $\SIGHASHALL$. A validator checks balance by verifying that $\BindingSigVerify{\BindingPublic}(\SigHash, \bindingSig) = 1$. +\vspace{1ex} We now explain why this works. -\vspace{2ex} +\vspace{1ex} A \bindingSignature proves knowledge of the discrete logarithm $\BindingPrivate$ of $\BindingPublic$ with respect to $\ValueCommitRandBase$. That is, $\BindingPublic = \scalarmult{\BindingPrivate}{\ValueCommitRandBase}$. @@ -4504,13 +4513,14 @@ equivalent to: \vspace{1ex} \begin{tabular}{@{\hskip 2em}r@{\;}l} - $\BindingPublic$ &$= \bigscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \vOld{i}\Bigg) \grpminus\! - \Bigg(\!\vgrpsum{j=1}{m} \vNew{j}\Bigg) \grpminus \vBalance}{\ValueCommitValueBase}\, \combplus - \bigscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \ValueCommitRandOld{i}\Bigg) \grpminus\! - \Bigg(\!\vgrpsum{j=1}{m} \ValueCommitRandNew{j}\Bigg)}{\ValueCommitRandBase}$ \\[3.5ex] + $\BindingPublic$ &$= \Biggscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \vOld{i}\Bigg) \grpminus\! + \Bigg(\!\vgrpsum{j=1}{m} \vNew{j}\Bigg) \grpminus \vBalance}{\ValueCommitValueBase}\, \combplus + \Biggscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \ValueCommitRandOld{i}\Bigg) \grpminus\! + \Bigg(\!\vgrpsum{j=1}{m} \ValueCommitRandNew{j}\Bigg)}{\ValueCommitRandBase}$ \\[3.5ex] &$= \ValueCommit{\BindingPrivate}\Bigg(\!\vsum{i=1}{n} \vOld{i} - \vsum{j=1}{m} \vNew{j} - \vBalance\Bigg)$. \end{tabular} +\introlist Let $\vSum = \vsum{i=1}{n} \vOld{i} - \vsum{j=1}{m} \vNew{j} - \vBalance$. Suppose that $\vSum = \vBad \neq 0 \pmod{\ParamJ{r}}$. 
@@ -4577,6 +4587,7 @@ key is a re-randomization of the \spendAuthAddressKey $\AuthSignPublic$ with a r known to the signer. The \spendAuthSignature is over the \sighashTxHash, so that it cannot be replayed in other \transactions. +\intropart \vspace{2ex} Let $\SigHash$ be the \sighashTxHash as defined in \cite{ZIP-243}, not associated with an input, using the \sighashType $\SIGHASHALL$. @@ -4584,7 +4595,6 @@ using the \sighashType $\SIGHASHALL$. Let $\AuthSignPrivate$ be the \spendAuthPrivateKey as defined in \crossref{saplingkeycomponents}. \vspace{2ex} -\intropart For each \spendDescription, the signer uses a fresh \spendAuthRandomizer $\AuthSignRandomizer$: \vspace{-1ex} @@ -5160,8 +5170,8 @@ Then to encrypt: \item \tab choose random $\OutCipherKey \leftarrowR \Keyspace$ and $\OutPlaintext \leftarrowR \byteseq{(\ellJ + 256)/8}$ \item else: \item \tab let $\cvField = \LEBStoOSP{\ellJ}\big(\reprJ(\cvNew{})\kern-0.12em\big)$ - \item \tab let $\cmField = \LEBStoOSP{256}\big(\ExtractJ(\cmNew{})\kern-0.15em\big)$ - \item \tab let $\ephemeralKey = \LEBStoOSPOf{\ellJ}{\reprJ\Of{\EphemeralPublic}}$ + \item \tab let $\cmField = \LEBStoOSP{256}\big(\ExtractJ(\cmNew{})\kern-0.12em\big)$ + \item \tab let $\ephemeralKey = \LEBStoOSPOf{\ellJ}{\reprJ\Of{\EphemeralPublic}\kern 0.03em}$ \item \tab let $\OutCipherKey = \PRFock{\OutViewingKey}(\cvField, \cmField, \ephemeralKey)$ \item \tab let $\OutPlaintext = \LEBStoOSPOf{\ellJ + 256}{\reprJ(\DiversifiedTransmitPublicNew) \,\bconcat\, \ItoLEBSPOf{256}{\EphemeralPrivate}\kern-0.12em}$ \item \vspace{-2ex} @@ -5575,7 +5585,7 @@ as specified in \cite{ZIP-143}\sapling{, or as in \cite{ZIP-243} after $\PRFock{}$, $\KDFSapling$, and in the $\RedJubjub$ \signatureScheme which instantiates $\SpendAuthSig$ and $\BindingSig$.} -\vspace{-1ex} +\vspace{-0.5ex} \begin{formulae} \item $\BlakeTwob{\ell} \typecolon \byteseq{16} \times \byteseqs \rightarrow \byteseq{\ell/8}$ \end{formulae} 
@@ -5596,7 +5606,7 @@ $8$-byte personalization string $p$, and input $x$. $\BlakeTwosGeneric$ is used to instantiate $\PRFnfSapling{}$, $\CRHivk$, and $\GroupJHash{}$. -\vspace{-1.5ex} +\vspace{-1ex} \begin{formulae} \item $\BlakeTwos{\ell} \typecolon \byteseq{8} \times \byteseqs \rightarrow \byteseq{\ell/8}$ \end{formulae} @@ -5689,10 +5699,10 @@ $\MerkleCRHSapling \typecolon \MerkleLayerSapling \times \MerkleHashSapling \tim \vspace{-5ex} \securityrequirement{$\PedersenHash$ must be \collisionResistant\!.} -\vspace{-4ex} -\pnote{The prefix $l$ provides domain separation between inputs at different layers of the +\vspace{1ex} +\textbf{Note:}\;\; The prefix $l$ provides domain separation between inputs at different layers of the \noteCommitmentTree. It is distinct from the $\NoteCommitSaplingAlg$ prefix -as noted in \crossref{concretewindowedcommit}.}} %sapling +as noted in \crossref{concretewindowedcommit}.} %sapling \subsubsubsection{\hSigText{} \HashFunction} \label{hsigcrh} @@ -6248,7 +6258,8 @@ It is instantiated using the $\BlakeTwosGeneric$ \hashFunction defined in \cross $\BlakeTwosOf{256}{\ascii{Zcash\_nf}, \Justthebox{\nfsaplingbox}}$ must be a \collisionResistant PRF for output range $\byteseq{32}$ when keyed by the bits corresponding to $\AuthProvePublicRepr$, with input in the bits corresponding to -$\NoteAddressRandRepr$. Note that $\AuthProvePublicRepr \typecolon \SubgroupReprJ$ +$\NoteAddressRandRepr$. Note that +{$\AuthProvePublicRepr$}{$\typecolon$}{$\SubgroupReprJ$} % {$...$} hack needed for reasonable spacing is a representation of a point in the $\ParamJ{r}$-order subgroup of the \jubjubCurve, and therefore is not uniformly distributed on $\ReprJ$. $\SubgroupReprJ$ is defined in \crossref{jubjub}. 
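Review bot: In the hunk at 5689, replacing `\pnote{…}` with a hand-written `\textbf{Note:}\;\;` bypasses whatever styling the `\pnote` macro gives the other notes in the document, so this one will drift from them if `\pnote` is ever restyled. If the motivation is spacing (the `\vspace{-4ex}` in front of it is replaced by `\vspace{1ex}` in the same hunk), the cleaner fix is an optional argument or starred form of `\pnote` that adjusts the leading space, keeping the markup semantic. The enclosing `\sapling{` group starts outside the hunk; the changed closing line (`}` instead of `}}`) is consistent with dropping exactly one brace level, as far as this hunk shows.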
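Review bot: In the hunk at 6248, the added `{$\AuthProvePublicRepr$}{$\typecolon$}{$\SubgroupReprJ$}` splits one relation into three adjacent braced math groups with no glue between them, so TeX cannot break a line anywhere in that stretch and whatever spacing `\typecolon` normally carries is suppressed on both sides because it now sits alone in its own formula; the trailing comment itself calls this a hack. A preamble macro would keep the body readable and document the workaround once, e.g. `\newcommand{\tighttyped}[2]{{$#1$}{$\typecolon$}{$#2$}} % tight spacing; see note at its definition`. If the poor spacing of the normal inline form comes from `\typecolon`'s own definition, adjusting the kerning there fixes every occurrence rather than this one.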
@@ -6846,6 +6857,7 @@ $t^2 + 1$; in this representation, $\xi$ is given by $t + 9$. Let $\SubgroupG{T}$ be the subgroup of $\ParamGexp{r}{\mathrm{th}}$ roots of unity in $\GFstar{\ParamGexp{q}{12}}$, with multiplicative identity $\OneG$. +\vspace{-1ex} Let $\PairingG$ be the optimal ate pairing (see \cite{Vercauter2009} and \cite[section 2]{AKLGL2010}) of type $\SubgroupG{1} \times \SubgroupG{2} \rightarrow \SubgroupG{T}$. @@ -7008,6 +7020,7 @@ $t^2 + 1$; in this representation, $i$ is given by $t$. Let $\SubgroupS{T}$ be the subgroup of $\ParamSexp{r}{\mathrm{th}}$ roots of unity in $\GFstar{\ParamSexp{q}{12}}$, with multiplicative identity $\OneS$. +\vspace{-1ex} Let $\PairingS$ be the optimal ate pairing of type $\SubgroupS{1} \times \SubgroupS{2} \rightarrow \SubgroupS{T}$. @@ -7206,7 +7219,6 @@ $\ExtractJ$ is injective on $\SubgroupJ$. \introsection \subsubsubsection{Group Hash into \Jubjub} \label{concretegrouphashjubjub} -\vspace{-2ex} Let $\GroupGHashInput := \byteseq{8} \times \byteseqs$, and let $\GroupGHashURSType := \byteseq{64}$. @@ -7254,9 +7266,9 @@ The hash $\GroupJHash{\URS}(D, M) \typecolon \SubgroupJstar$ is calculated as fo {\scalarmult{\ParamJ{h}}{P} \typecolon \SubgroupJstar}{\ZeroJ}$ is exactly $\ParamJ{h}$-to-$1$, and both it and its inverse relation are efficiently computable. - It follows that when $\fun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)} + It follows that when $\fun{\big(D \typecolon \byteseq{8}, M \typecolon \byteseqs\big)} {\BlakeTwosOf{256}{D,\, \URS \bconcat\, M}\! \typecolon \byteseq{32}}$ - is modelled as a random oracle, $\exclusivefun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)} + is modelled as a random oracle, $\exclusivefun{\big(D \typecolon \byteseq{8}, M \typecolon \byteseqs\big)} {\GroupJHash{\URS}\big(D, M\big) \typecolon \SubgroupJstar}{\bot}$ also acts as a random oracle. \end{pnotes} 
@@ -7265,7 +7277,7 @@ Define $\first \typecolon (\byte \rightarrow \maybe{T}) \rightarrow \maybe{T}$ so that $\first(f) = f(i)$ where $i$ is the least integer in $\byte$ such that $f(i) \neq \bot$, or $\bot$ if no such $i$ exists. -Define $\FindGroupJHash(D, M) := +Define $\FindGroupJHash\big(D, M\big) := \first(\fun{i \typecolon \byte}{\GroupJHash{\URS}\Of{D, M \bconcat\, [i]} \typecolon \maybe{\SubgroupJstar}})$. \vspace{-3ex} @@ -7957,7 +7969,7 @@ It is derived as described in \cite{Bowe2018}: \notsprout{ -\introsection +\intropart \section{Network Upgrades} \label{networkupgrades} \Zcash launched with a protocol revision that we call \Sprout. @@ -7975,6 +7987,7 @@ The upgrade mechanism is described in \cite{ZIP-200}. \cite{ZIP-243}.} \vspace{1ex} +\introlist Each network upgrade is introduced as a \quotedterm{bilateral consensus rule change}. In this kind of upgrade, @@ -8701,7 +8714,7 @@ Define: \vspace{-1ex} \begin{formulae} \hfuzz=10pt - \item $\mean(S) := \left( \vsum{i=1}{\length(S)} S_i \right) \raisebox{-0.4ex}{\scalebox{1.4}{/\,}} \length(S)$. + \item $\mean(S) := \hfrac{\ssum{i=1}{\length(S)} S_i}{\length(S)}$. \item $\median(S) := \sorted(S)_{\sceiling{\length(S) / 2}}$ \item $\bound{\Lower}{\Upper}(x) := \maximum(\Lower, \minimum(\Upper, x)))$ \item $\trunc{x} := \begin{cases} @@ -10868,7 +10881,7 @@ can be safely used: \begin{theorem} \label{thmdistinctxcriterion} Let $Q$ be a point of odd-prime order $s$ on a Montgomery curve $E_{\ParamM{A},\ParamM{B}} / \GF{\ParamS{r}}$. -Let $k_\barerange{1}{2}$ be integers in $\rangenozero{-\halfs}{\halfs}$. +Let $k_\barerange{1}{2}$ be integers in $\bigrangenozero{-\halfs}{\halfs}$. Let $P_i = \scalarmult{k_i}{Q} = (x_i, y_i)$ for $i \in \range{1}{2}$, with $k_1 \neq \pm k_2$. Then the non-unified addition constraints 
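Review bot: In the hunk at 8701, the `\bound` item two lines below the changed `\mean` line has unbalanced parentheses: `\maximum(\Lower, \minimum(\Upper, x)))` opens two groups and closes three, so the rendered formula ends with a stray `)` unless `\maximum` or `\minimum` consumes a delimiter itself, which I cannot see from here; the fix is `\item $\bound{\Lower}{\Upper}(x) := \maximum(\Lower, \minimum(\Upper, x))$`. Separately, the `\hfuzz=10pt` at the top of this `formulae` environment presumably existed to silence the overfull box from the old `\left( … \right) … \length(S)` form; with the compact `\hfrac` replacement it may now hide genuine overfull warnings in the remaining items, so it is worth one build without it. The replacement also switches `\vsum` to `\ssum`, which looks intentional for a text-height fraction but deserves a word in the commit message.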
@@ -10890,14 +10903,14 @@ $P_1 = \scalarmult{k_1}{Q}$, there can be only one other point $-P_1$ with the same $x$-coordinate. (This follows from the fact that the curve equation determines $\pm y$ as a function of $x$.) But $-P_1 = \scalarmult{-1}{\scalarmult{k_1}{Q}} = \scalarmult{-k_1}{Q}$. -Since $\fun{k \typecolon \range{-\halfs}{\halfs}}{\scalarmult{k}{Q} \typecolon \GroupJ}$ -is injective and $k_\barerange{1}{2}$ are in $\range{-\halfs}{\halfs}$, +Since $\fun{k \typecolon \bigrange{-\halfs}{\halfs}}{\scalarmult{k}{Q} \typecolon \GroupJ}$ +is injective and $k_\barerange{1}{2}$ are in $\bigrange{-\halfs}{\halfs}$, then $k_2 = \pm k_1$ (contradiction). \end{proof} The conditions of this theorem are called the \distinctXCriterion. -In particular, if $k_\barerange{1}{2}$ are integers in $\range{1}{\halfs}$ +In particular, if $k_\barerange{1}{2}$ are integers in $\bigrange{1}{\halfs}$ then it is sufficient to require $k_1 \neq k_2$, since that implies $k_1 \neq \pm k_2$. @@ -11147,7 +11160,7 @@ We have to prove that: The proof of \theoremref{thmpedersenencodeinjective} showed that all indices of addition inputs are in the range -$\rangenozero{-\hfrac{\ParamJ{r}-1}{2}}{\hfrac{\ParamJ{r}-1}{2}}$. +$\bigrangenozero{-\hfrac{\ParamJ{r}-1}{2}}{\hfrac{\ParamJ{r}-1}{2}}$. Because the $\PedersenGen{D}{j}$ (which are outputs of $\GroupJHash{}$) are all of prime order, and $\PedersenEncode{M_j} \neq 0 \pmod{\ParamJ{r}}$, 
@@ -11423,14 +11436,14 @@ Define $\RedDSABatchVerify \typecolon (\Entry{\barerange{0}{N-1}} \typecolon \ty \vspace{1ex} \begin{itemize} \item for all $j \in \range{0}{N-1}$, $\RedDSASigR{j} \neq \bot$ and $\RedDSASigS{j} < \ParamG{r}$; and - \item $\scalarmult{\ParamG{h}}{\left(\bigscalarmult{\ssum{j=0}{N-1}{(z_j \mult \RedDSASigS{j}) - \pmod{\ParamG{r}}}}{\GenG{}} + - \ssum{j=0}{N-1}{\big(\scalarmult{z_j}{\RedDSASigR{j}} + - \scalarmult{z_j \mult \RedDSASigc{j} - \pmod{\ParamG{r}}}{\vk_j}\big)}\!\right)} + \item $\scalarmult{\ParamG{h}}{\Big(\Bigscalarmult{\ssum{j=0}{N-1}{(z_j \mult \RedDSASigS{j}) + \pmod{\ParamG{r}}}}{\GenG{}} + + \ssum{j=0}{N-1}{\big(\scalarmult{z_j}{\RedDSASigR{j}} + + \scalarmult{z_j \mult \RedDSASigc{j} + \pmod{\ParamG{r}}}{\vk_j}\big)}\!\Big)} = \ZeroG{}$, \end{itemize} - \vspace{-0.5ex} + \vspace{-1ex} otherwise $0$. \end{algorithm} @@ -11446,7 +11459,7 @@ as Pippinger's method \cite{Bernstein2001} or the Bos--Coster method \cite{deRoo binding signatures (\crossref{concretebindingsig}) use different bases $\raisedstrut\GenG{}$. It is straightforward to adapt the above procedure to handle multiple bases; there will be one -$\bigscalarmult{\ssum{j}{}{(z_j \mult \RedDSASigS{j}) \pmod{\ParamG{r}}}}{\Generator}$ term for each base $\Generator$. +$\Bigscalarmult{\ssum{j}{}{(z_j \mult \RedDSASigS{j}) \pmod{\ParamG{r}}}}{\Generator}$ term for each base $\Generator$. The benefit of this relative to using separate batches is that the multiscalar multiplication can be extended across a larger batch.} %pnote 
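Review bot: On the changed lines of the hunk at 11423, the outer `\Big(` now encloses an expression that itself contains `\Big[ … \Big]` from `\Bigscalarmult`, so the outermost parentheses render at the same height as the nested brackets, which is harder to parse visually than the old auto-sized `\left( … \right)`; since `\bigg` is still available as an intermediate size, `\scalarmult{\ParamG{h}}{\bigg(\Bigscalarmult{…}{\GenG{}} + … \!\bigg)}` keeps the nesting visible without reverting to `\left`. The same size collision appears in the `\Biggscalarmult` use at 4504, where the operand contains `\Bigg(` and no larger fixed size exists, so that one may have to stay. The `\RedDSABatchVerify` definition this `\item` belongs to starts before the hunk, so I cannot check the surrounding delimiters.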
@@ -11463,10 +11476,11 @@ $\OneS$, and $\PairingS$ be as defined in \crossref{blspairing}. Define $\MillerLoopS \typecolon \SubgroupS{1} \times \SubgroupS{2} \rightarrow \SubgroupS{T}$ and $\FinalExpS \typecolon \SubgroupS{T} \rightarrow \SubgroupS{T}$ to be the Miller loop and final exponentiation respectively of the $\PairingS$ pairing computation, so that: +\vspace{0.5ex} \begin{formulae} \item $\PairingS\Of{P, Q} = \FinalExpS\Of{\MillerLoopS\Of{P, Q}\kern 0.05em}$ \end{formulae} -\vspace{-1.5ex} +\vspace{-1ex} where $\FinalExpS\Of{R} = R^{t}$ for some fixed $t$. \vspace{2ex}