Cosmetics.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2018-08-12 16:28:59 +01:00
parent 81598de991
commit 998cb2ff95
1 changed files with 55 additions and 41 deletions


@ -824,10 +824,13 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ascii}[1]{\textbf{``\texttt{#1}''}} \newcommand{\ascii}[1]{\textbf{``\texttt{#1}''}}
\newcommand{\Justthebox}[2][-1.8ex]{\raisebox{#1}{\;\usebox{#2}\;}} \newcommand{\Justthebox}[2][-1.8ex]{\raisebox{#1}{\;\usebox{#2}\;}}
\newcommand{\setof}[1]{\{{#1}\}} \newcommand{\setof}[1]{\{{#1}\}}
\newcommand{\bigsetof}[1]{\left\{{#1}\right\}}
\newcommand{\powerset}[1]{\raisebox{-0.28ex}{\scalebox{1.25}{$\mathscr{P}$}}\kern -0.2em\big(\strut{#1}\big)} \newcommand{\powerset}[1]{\raisebox{-0.28ex}{\scalebox{1.25}{$\mathscr{P}$}}\kern -0.2em\big(\strut{#1}\big)}
\newcommand{\barerange}[2]{{{#1}\,..\,{#2}}} \newcommand{\barerange}[2]{{{#1}\,..\,{#2}}}
\newcommand{\range}[2]{\setof{\barerange{#1}{#2}}} \newcommand{\range}[2]{\setof{\barerange{#1}{#2}}}
\newcommand{\bigrange}[2]{\bigsetof{\barerange{#1}{#2}}}
\newcommand{\rangenozero}[2]{\range{#1}{#2} \setminus \setof{0}} \newcommand{\rangenozero}[2]{\range{#1}{#2} \setminus \setof{0}}
\newcommand{\bigrangenozero}[2]{\bigrange{#1}{#2} \setminus \setof{0}}
\newcommand{\binaryrange}[1]{\range{0}{2^{#1}\!-\!1}} \newcommand{\binaryrange}[1]{\range{0}{2^{#1}\!-\!1}}
\newcommand{\oneto}[1]{\mathrm{1}..{#1}} \newcommand{\oneto}[1]{\mathrm{1}..{#1}}
\newcommand{\alln}{\oneto{n}} \newcommand{\alln}{\oneto{n}}
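Review bot: the names of the new \bigsetof, \bigrange and \bigrangenozero macros do not match what they do. They use auto-sizing \left\{ ... \right\}, not the fixed \big delimiter the prefix suggests, while \Bigscalarmult and \Biggscalarmult in the next hunk are fixed-size \Big and \Bigg; a one-line comment next to \bigsetof saying that "big" here means auto-sized would save the next editor a surprise. Keep \range (not \bigrange) for inline uses such as \binaryrange: \left ... \right also forbids a line break anywhere inside the argument.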
@ -872,7 +875,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\mult}{\cdot} \newcommand{\mult}{\cdot}
\newcommand{\smult}{\!\cdot\!} \newcommand{\smult}{\!\cdot\!}
\newcommand{\scalarmult}[2]{\boldsymbol{[}{#1}\boldsymbol{]}\,{#2}} \newcommand{\scalarmult}[2]{\boldsymbol{[}{#1}\boldsymbol{]}\,{#2}}
\newcommand{\bigscalarmult}[2]{\left[{#1}\right]{#2}} \newcommand{\Bigscalarmult}[2]{\Big[{#1}\Big]{#2}}
\newcommand{\Biggscalarmult}[2]{\Bigg[{#1}\Bigg]{#2}}
\newcommand{\rightarrowR}{\mathop{\clasp[-0.18em]{\raisebox{1.15ex}{\scriptsize R}}{$\,\rightarrow\,$}}} \newcommand{\rightarrowR}{\mathop{\clasp[-0.18em]{\raisebox{1.15ex}{\scriptsize R}}{$\,\rightarrow\,$}}}
\newcommand{\leftarrowR}{\mathop{\clasp[0.15em]{\raisebox{1.15ex}{\scriptsize R}}{$\,\leftarrow\,$}}} \newcommand{\leftarrowR}{\mathop{\clasp[0.15em]{\raisebox{1.15ex}{\scriptsize R}}{$\,\leftarrow\,$}}}
\newcommand{\union}{\cup} \newcommand{\union}{\cup}
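Review bot: \bigscalarmult is deleted rather than kept beside the new \Bigscalarmult and \Biggscalarmult, so any remaining use of it outside the hunks in this diff becomes an undefined control sequence at the next build; grep the source for \bigscalarmult before merging. The new macros also drop the thin space that \scalarmult puts between the closing bracket and the operand and use plain rather than \boldsymbol brackets, so small and large scalar multiplications will render with different spacing and bracket weight; \newcommand{\Bigscalarmult}[2]{\Big[{#1}\Big]\,{#2}} (and likewise for \Biggscalarmult) would at least keep the spacing consistent.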
@ -1139,7 +1143,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ValueOld}[1]{\Value^\mathsf{old}_{#1}} \newcommand{\ValueOld}[1]{\Value^\mathsf{old}_{#1}}
\newcommand{\ValueLength}{\ell_{\mathsf{value}}} \newcommand{\ValueLength}{\ell_{\mathsf{value}}}
\newcommand{\ValueType}{\binaryrange{\ValueLength}} \newcommand{\ValueType}{\binaryrange{\ValueLength}}
\newcommand{\ValueCommitType}{\range{-\SignedScalarLimitJ}{\SignedScalarLimitJ}} \newcommand{\ValueCommitType}{\bigrange{-\SignedScalarLimitJ}{\SignedScalarLimitJ}}
\newcommand{\ValueCommitRand}{\mathsf{rcv}} \newcommand{\ValueCommitRand}{\mathsf{rcv}}
\newcommand{\ValueCommitRandLength}{\mathsf{\ell_{\ValueCommitRand}}} \newcommand{\ValueCommitRandLength}{\mathsf{\ell_{\ValueCommitRand}}}
\newcommand{\ValueCommitRandOld}[1]{\ValueCommitRand^\mathsf{old}_{#1}} \newcommand{\ValueCommitRandOld}[1]{\ValueCommitRand^\mathsf{old}_{#1}}
@ -1646,7 +1650,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\PedersenGen}[2]{\PedersenGenAlg^{\kern -0.05em{#1}}_{\kern 0.1em {#2}}} \newcommand{\PedersenGen}[2]{\PedersenGenAlg^{\kern -0.05em{#1}}_{\kern 0.1em {#2}}}
\newcommand{\PedersenEncode}[1]{\langle{#1}\rangle} \newcommand{\PedersenEncode}[1]{\langle{#1}\rangle}
\newcommand{\PedersenEncodeSub}[2]{\langle{#2}\rangle_{\kern -0.1em {#1}\vphantom{S'}}} \newcommand{\PedersenEncodeSub}[2]{\langle{#2}\rangle_{\kern -0.1em {#1}\vphantom{S'}}}
\newcommand{\PedersenEncodeNonneg}[1]{\langle{#1}\rangle^{\PedersenRangeOffset}} \newcommand{\PedersenEncodeNonneg}[1]{\langle{#1}\rangle^{\kern -0.1em\PedersenRangeOffset}}
\newcommand{\PedersenHashToPoint}{\mathsf{PedersenHashToPoint}} \newcommand{\PedersenHashToPoint}{\mathsf{PedersenHashToPoint}}
\newcommand{\MixingPedersenHash}{\mathsf{MixingPedersenHash}} \newcommand{\MixingPedersenHash}{\mathsf{MixingPedersenHash}}
\newcommand{\WindowedPedersenCommitAlg}{\mathsf{WindowedPedersenCommit}} \newcommand{\WindowedPedersenCommitAlg}{\mathsf{WindowedPedersenCommit}}
@ -1654,7 +1658,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\HomomorphicPedersenCommitAlg}{\mathsf{HomomorphicPedersenCommit}} \newcommand{\HomomorphicPedersenCommitAlg}{\mathsf{HomomorphicPedersenCommit}}
\newcommand{\HomomorphicPedersenCommit}[1]{\HomomorphicPedersenCommitAlg_{#1}} \newcommand{\HomomorphicPedersenCommit}[1]{\HomomorphicPedersenCommitAlg_{#1}}
\newcommand{\Digits}{\mathsf{Digits}} \newcommand{\Digits}{\mathsf{Digits}}
\newcommand{\PedersenRangeOffset}{\Delta} \newcommand{\PedersenRangeOffset}{\mathsf{\Delta}}
\newcommand{\Sign}{\mathsf{\Theta}} \newcommand{\Sign}{\mathsf{\Theta}}
% Consensus rules % Consensus rules
@ -4424,8 +4428,10 @@ Let $\SubgroupJ$, $\SubgroupJstar$, and $\ParamJ{r}$ be as defined in \crossref{
\introlist \introlist
Let $\ValueCommit{}$, $\ValueCommitValueBase$, and $\ValueCommitRandBase$ Let $\ValueCommit{}$, $\ValueCommitValueBase$, and $\ValueCommitRandBase$
be as defined in \crossref{concretevaluecommit}: be as defined in \crossref{concretevaluecommit}:
\vspace{-0.5ex}
\begin{formulae} \begin{formulae}
\item $\ValueCommit{} \typecolon \ValueCommitTrapdoor \times \ValueCommitType \rightarrow \ValueCommitOutput$; \item $\ValueCommit{} \typecolon \ValueCommitTrapdoor \times \ValueCommitType \rightarrow \ValueCommitOutput$;
\vspace{-1ex}
\item $\ValueCommitValueBase \typecolon \SubgroupJstar$ is the value base in $\ValueCommit{}$; \item $\ValueCommitValueBase \typecolon \SubgroupJstar$ is the value base in $\ValueCommit{}$;
\item $\ValueCommitRandBase \typecolon \SubgroupJstar$ is the randomness base in $\ValueCommit{}$. \item $\ValueCommitRandBase \typecolon \SubgroupJstar$ is the randomness base in $\ValueCommit{}$.
\end{formulae} \end{formulae}
@ -4434,7 +4440,7 @@ $\BindingSig$, $\combplus$, and $\grpplus$ are instantiated in \crossref{concret
These and the derived notation $\combminus$, $\scombsum{i=1}{\rmN}$, $\grpminus$, and These and the derived notation $\combminus$, $\scombsum{i=1}{\rmN}$, $\grpminus$, and
$\sgrpsum{i=1}{\rmN}$ are specified in \crossref{abstractsighom}. $\sgrpsum{i=1}{\rmN}$ are specified in \crossref{abstractsighom}.
\vspace{2ex} \vspace{1.5ex}
\introlist \introlist
Suppose that the \transaction has: Suppose that the \transaction has:
\begin{itemize} \begin{itemize}
@ -4445,6 +4451,7 @@ Suppose that the \transaction has:
\item \balancingValue $\vBalance$. \item \balancingValue $\vBalance$.
\end{itemize} \end{itemize}
\vspace{-0.5ex}
In a correctly constructed \transaction, $\vBalance = \ssum{i=1}{n} \vOld{i} - \ssum{j=1}{m} \vNew{j}$, In a correctly constructed \transaction, $\vBalance = \ssum{i=1}{n} \vOld{i} - \ssum{j=1}{m} \vNew{j}$,
but validators cannot check this directly because the values are hidden by the commitments. but validators cannot check this directly because the values are hidden by the commitments.
@ -4454,9 +4461,9 @@ Instead, validators calculate the \txBindingVerificationKey as:
% <https://twitter.com/hdevalence/status/984145085674676224> ¯\_(ツ)_ % <https://twitter.com/hdevalence/status/984145085674676224> ¯\_(ツ)_
\item $\BindingPublic := \Bigg(\!\vcombsum{i=1}{n}\kern 0.2em \cvOld{i}\kern 0.05em\Bigg) \combminus\! \item $\BindingPublic := \Bigg(\!\vcombsum{i=1}{n}\kern 0.2em \cvOld{i}\kern 0.05em\Bigg) \combminus\!
\Bigg(\kern-0.05em\vcombsum{j=1}{m}\kern 0.2em \cvNew{j}\kern 0.05em\Bigg) \combminus \Bigg(\kern-0.05em\vcombsum{j=1}{m}\kern 0.2em \cvNew{j}\kern 0.05em\Bigg) \combminus
\ValueCommit{0}(\vBalance)$. \ValueCommit{0}\big(\vBalance\big)$.
\end{formulae} \end{formulae}
\vspace{-1ex}
(This key is not encoded explicitly in the \transaction and must be recalculated.) (This key is not encoded explicitly in the \transaction and must be recalculated.)
\introlist \introlist
@ -4469,20 +4476,22 @@ calculate the corresponding signing key as:
\end{formulae} \end{formulae}
\introlist \introlist
\vspace{-1ex}
In order to check for implementation faults, the signer \SHOULD also check that In order to check for implementation faults, the signer \SHOULD also check that
\begin{formulae} \begin{formulae}
\item $\BindingPublic = \BindingSigDerivePublic(\BindingPrivate)$. \item $\BindingPublic = \BindingSigDerivePublic(\BindingPrivate)$.
\end{formulae} \end{formulae}
\vspace{1ex} \vspace{0.5ex}
Let $\SigHash$ be the \sighashTxHash as defined in \cite{ZIP-243}, not associated with an input, Let $\SigHash$ be the \sighashTxHash as defined in \cite{ZIP-243}, not associated with an input,
using the \sighashType $\SIGHASHALL$. using the \sighashType $\SIGHASHALL$.
A validator checks balance by verifying that $\BindingSigVerify{\BindingPublic}(\SigHash, \bindingSig) = 1$. A validator checks balance by verifying that $\BindingSigVerify{\BindingPublic}(\SigHash, \bindingSig) = 1$.
\vspace{1ex}
We now explain why this works. We now explain why this works.
\vspace{2ex} \vspace{1ex}
A \bindingSignature proves knowledge of the discrete logarithm $\BindingPrivate$ of A \bindingSignature proves knowledge of the discrete logarithm $\BindingPrivate$ of
$\BindingPublic$ with respect to $\ValueCommitRandBase$. $\BindingPublic$ with respect to $\ValueCommitRandBase$.
That is, $\BindingPublic = \scalarmult{\BindingPrivate}{\ValueCommitRandBase}$. That is, $\BindingPublic = \scalarmult{\BindingPrivate}{\ValueCommitRandBase}$.
@ -4504,13 +4513,14 @@ equivalent to:
\vspace{1ex} \vspace{1ex}
\begin{tabular}{@{\hskip 2em}r@{\;}l} \begin{tabular}{@{\hskip 2em}r@{\;}l}
$\BindingPublic$ &$= \bigscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \vOld{i}\Bigg) \grpminus\! $\BindingPublic$ &$= \Biggscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \vOld{i}\Bigg) \grpminus\!
\Bigg(\!\vgrpsum{j=1}{m} \vNew{j}\Bigg) \grpminus \vBalance}{\ValueCommitValueBase}\, \combplus \Bigg(\!\vgrpsum{j=1}{m} \vNew{j}\Bigg) \grpminus \vBalance}{\ValueCommitValueBase}\, \combplus
\bigscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \ValueCommitRandOld{i}\Bigg) \grpminus\! \Biggscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \ValueCommitRandOld{i}\Bigg) \grpminus\!
\Bigg(\!\vgrpsum{j=1}{m} \ValueCommitRandNew{j}\Bigg)}{\ValueCommitRandBase}$ \\[3.5ex] \Bigg(\!\vgrpsum{j=1}{m} \ValueCommitRandNew{j}\Bigg)}{\ValueCommitRandBase}$ \\[3.5ex]
&$= \ValueCommit{\BindingPrivate}\Bigg(\!\vsum{i=1}{n} \vOld{i} - \vsum{j=1}{m} \vNew{j} - \vBalance\Bigg)$. &$= \ValueCommit{\BindingPrivate}\Bigg(\!\vsum{i=1}{n} \vOld{i} - \vsum{j=1}{m} \vNew{j} - \vBalance\Bigg)$.
\end{tabular} \end{tabular}
\introlist
Let $\vSum = \vsum{i=1}{n} \vOld{i} - \vsum{j=1}{m} \vNew{j} - \vBalance$. Let $\vSum = \vsum{i=1}{n} \vOld{i} - \vsum{j=1}{m} \vNew{j} - \vBalance$.
Suppose that $\vSum = \vBad \neq 0 \pmod{\ParamJ{r}}$. Suppose that $\vSum = \vBad \neq 0 \pmod{\ParamJ{r}}$.
@ -4577,6 +4587,7 @@ key is a re-randomization of the \spendAuthAddressKey $\AuthSignPublic$ with a r
known to the signer. The \spendAuthSignature is over the \sighashTxHash, so that it cannot be known to the signer. The \spendAuthSignature is over the \sighashTxHash, so that it cannot be
replayed in other \transactions. replayed in other \transactions.
\intropart
\vspace{2ex} \vspace{2ex}
Let $\SigHash$ be the \sighashTxHash as defined in \cite{ZIP-243}, not associated with an input, Let $\SigHash$ be the \sighashTxHash as defined in \cite{ZIP-243}, not associated with an input,
using the \sighashType $\SIGHASHALL$. using the \sighashType $\SIGHASHALL$.
@ -4584,7 +4595,6 @@ using the \sighashType $\SIGHASHALL$.
Let $\AuthSignPrivate$ be the \spendAuthPrivateKey as defined in \crossref{saplingkeycomponents}. Let $\AuthSignPrivate$ be the \spendAuthPrivateKey as defined in \crossref{saplingkeycomponents}.
\vspace{2ex} \vspace{2ex}
\intropart
For each \spendDescription, the signer uses a fresh \spendAuthRandomizer $\AuthSignRandomizer$: For each \spendDescription, the signer uses a fresh \spendAuthRandomizer $\AuthSignRandomizer$:
\vspace{-1ex} \vspace{-1ex}
@ -5160,8 +5170,8 @@ Then to encrypt:
\item \tab choose random $\OutCipherKey \leftarrowR \Keyspace$ and $\OutPlaintext \leftarrowR \byteseq{(\ellJ + 256)/8}$ \item \tab choose random $\OutCipherKey \leftarrowR \Keyspace$ and $\OutPlaintext \leftarrowR \byteseq{(\ellJ + 256)/8}$
\item else: \item else:
\item \tab let $\cvField = \LEBStoOSP{\ellJ}\big(\reprJ(\cvNew{})\kern-0.12em\big)$ \item \tab let $\cvField = \LEBStoOSP{\ellJ}\big(\reprJ(\cvNew{})\kern-0.12em\big)$
\item \tab let $\cmField = \LEBStoOSP{256}\big(\ExtractJ(\cmNew{})\kern-0.15em\big)$ \item \tab let $\cmField = \LEBStoOSP{256}\big(\ExtractJ(\cmNew{})\kern-0.12em\big)$
\item \tab let $\ephemeralKey = \LEBStoOSPOf{\ellJ}{\reprJ\Of{\EphemeralPublic}}$ \item \tab let $\ephemeralKey = \LEBStoOSPOf{\ellJ}{\reprJ\Of{\EphemeralPublic}\kern 0.03em}$
\item \tab let $\OutCipherKey = \PRFock{\OutViewingKey}(\cvField, \cmField, \ephemeralKey)$ \item \tab let $\OutCipherKey = \PRFock{\OutViewingKey}(\cvField, \cmField, \ephemeralKey)$
\item \tab let $\OutPlaintext = \LEBStoOSPOf{\ellJ + 256}{\reprJ(\DiversifiedTransmitPublicNew) \,\bconcat\, \ItoLEBSPOf{256}{\EphemeralPrivate}\kern-0.12em}$ \item \tab let $\OutPlaintext = \LEBStoOSPOf{\ellJ + 256}{\reprJ(\DiversifiedTransmitPublicNew) \,\bconcat\, \ItoLEBSPOf{256}{\EphemeralPrivate}\kern-0.12em}$
\item \vspace{-2ex} \item \vspace{-2ex}
@ -5575,7 +5585,7 @@ as specified in \cite{ZIP-143}\sapling{, or as in \cite{ZIP-243} after
$\PRFock{}$, $\KDFSapling$, and in the $\RedJubjub$ \signatureScheme $\PRFock{}$, $\KDFSapling$, and in the $\RedJubjub$ \signatureScheme
which instantiates $\SpendAuthSig$ and $\BindingSig$.} which instantiates $\SpendAuthSig$ and $\BindingSig$.}
\vspace{-1ex} \vspace{-0.5ex}
\begin{formulae} \begin{formulae}
\item $\BlakeTwob{\ell} \typecolon \byteseq{16} \times \byteseqs \rightarrow \byteseq{\ell/8}$ \item $\BlakeTwob{\ell} \typecolon \byteseq{16} \times \byteseqs \rightarrow \byteseq{\ell/8}$
\end{formulae} \end{formulae}
@ -5596,7 +5606,7 @@ $8$-byte personalization string $p$, and input $x$.
$\BlakeTwosGeneric$ is used to instantiate $\PRFnfSapling{}$, $\CRHivk$, $\BlakeTwosGeneric$ is used to instantiate $\PRFnfSapling{}$, $\CRHivk$,
and $\GroupJHash{}$. and $\GroupJHash{}$.
\vspace{-1.5ex} \vspace{-1ex}
\begin{formulae} \begin{formulae}
\item $\BlakeTwos{\ell} \typecolon \byteseq{8} \times \byteseqs \rightarrow \byteseq{\ell/8}$ \item $\BlakeTwos{\ell} \typecolon \byteseq{8} \times \byteseqs \rightarrow \byteseq{\ell/8}$
\end{formulae} \end{formulae}
@ -5689,10 +5699,10 @@ $\MerkleCRHSapling \typecolon \MerkleLayerSapling \times \MerkleHashSapling \tim
\vspace{-5ex} \vspace{-5ex}
\securityrequirement{$\PedersenHash$ must be \collisionResistant\!.} \securityrequirement{$\PedersenHash$ must be \collisionResistant\!.}
\vspace{-4ex} \vspace{1ex}
\pnote{The prefix $l$ provides domain separation between inputs at different layers of the \textbf{Note:}\;\; The prefix $l$ provides domain separation between inputs at different layers of the
\noteCommitmentTree. It is distinct from the $\NoteCommitSaplingAlg$ prefix \noteCommitmentTree. It is distinct from the $\NoteCommitSaplingAlg$ prefix
as noted in \crossref{concretewindowedcommit}.}} %sapling as noted in \crossref{concretewindowedcommit}.} %sapling
\subsubsubsection{\hSigText{} \HashFunction} \label{hsigcrh} \subsubsubsection{\hSigText{} \HashFunction} \label{hsigcrh}
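Review bot: replacing \pnote{...} with a hand-written \textbf{Note:}\;\; bypasses the note macro used for notes elsewhere in the document (this same diff edits a pnotes environment in the Group Hash section), so this note will not follow any future change to note styling and will be missed by anyone searching for \pnote. If the vertical spacing of \pnote directly after \securityrequirement is the problem, fix that in the macro (or give it an optional spacing argument) rather than inlining the formatting here.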
@ -6248,7 +6258,8 @@ It is instantiated using the $\BlakeTwosGeneric$ \hashFunction defined in \cross
$\BlakeTwosOf{256}{\ascii{Zcash\_nf}, \Justthebox{\nfsaplingbox}}$ must be a $\BlakeTwosOf{256}{\ascii{Zcash\_nf}, \Justthebox{\nfsaplingbox}}$ must be a
\collisionResistant PRF for output range $\byteseq{32}$ when keyed by the bits \collisionResistant PRF for output range $\byteseq{32}$ when keyed by the bits
corresponding to $\AuthProvePublicRepr$, with input in the bits corresponding to corresponding to $\AuthProvePublicRepr$, with input in the bits corresponding to
$\NoteAddressRandRepr$. Note that $\AuthProvePublicRepr \typecolon \SubgroupReprJ$ $\NoteAddressRandRepr$. Note that
{$\AuthProvePublicRepr$}{$\typecolon$}{$\SubgroupReprJ$} % {$...$} hack needed for reasonable spacing
is a representation of a point in the $\ParamJ{r}$-order subgroup of the \jubjubCurve, is a representation of a point in the $\ParamJ{r}$-order subgroup of the \jubjubCurve,
and therefore is not uniformly distributed on $\ReprJ$. and therefore is not uniformly distributed on $\ReprJ$.
$\SubgroupReprJ$ is defined in \crossref{jubjub}. $\SubgroupReprJ$ is defined in \crossref{jubjub}.
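Review bot: the {$\AuthProvePublicRepr$}{$\typecolon$}{$\SubgroupReprJ$} construction splits one typed expression into three separate math groups, and the comment only says the hack is needed for spacing; state what goes wrong with the plain $\AuthProvePublicRepr \typecolon \SubgroupReprJ$ so the next editor does not "fix" it back. Splitting the relation into its own $...$ discards the math-mode spacing around \typecolon entirely; if that is the intent, an explicit \mkern adjustment inside a single math group, or a small macro if this is needed in more than one place, would be clearer than three bare groups.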
@ -6846,6 +6857,7 @@ $t^2 + 1$; in this representation, $\xi$ is given by $t + 9$.
Let $\SubgroupG{T}$ be the subgroup of $\ParamGexp{r}{\mathrm{th}}$ roots of unity in Let $\SubgroupG{T}$ be the subgroup of $\ParamGexp{r}{\mathrm{th}}$ roots of unity in
$\GFstar{\ParamGexp{q}{12}}$, with multiplicative identity $\OneG$. $\GFstar{\ParamGexp{q}{12}}$, with multiplicative identity $\OneG$.
\vspace{-1ex}
Let $\PairingG$ be the optimal ate pairing (see \cite{Vercauter2009} and \cite[section 2]{AKLGL2010}) of type Let $\PairingG$ be the optimal ate pairing (see \cite{Vercauter2009} and \cite[section 2]{AKLGL2010}) of type
$\SubgroupG{1} \times \SubgroupG{2} \rightarrow \SubgroupG{T}$. $\SubgroupG{1} \times \SubgroupG{2} \rightarrow \SubgroupG{T}$.
@ -7008,6 +7020,7 @@ $t^2 + 1$; in this representation, $i$ is given by $t$.
Let $\SubgroupS{T}$ be the subgroup of $\ParamSexp{r}{\mathrm{th}}$ roots of unity in Let $\SubgroupS{T}$ be the subgroup of $\ParamSexp{r}{\mathrm{th}}$ roots of unity in
$\GFstar{\ParamSexp{q}{12}}$, with multiplicative identity $\OneS$. $\GFstar{\ParamSexp{q}{12}}$, with multiplicative identity $\OneS$.
\vspace{-1ex}
Let $\PairingS$ be the optimal ate pairing of type Let $\PairingS$ be the optimal ate pairing of type
$\SubgroupS{1} \times \SubgroupS{2} \rightarrow \SubgroupS{T}$. $\SubgroupS{1} \times \SubgroupS{2} \rightarrow \SubgroupS{T}$.
@ -7206,7 +7219,6 @@ $\ExtractJ$ is injective on $\SubgroupJ$.
\introsection \introsection
\subsubsubsection{Group Hash into \Jubjub} \label{concretegrouphashjubjub} \subsubsubsection{Group Hash into \Jubjub} \label{concretegrouphashjubjub}
\vspace{-2ex}
Let $\GroupGHashInput := \byteseq{8} \times \byteseqs$, and Let $\GroupGHashInput := \byteseq{8} \times \byteseqs$, and
let $\GroupGHashURSType := \byteseq{64}$. let $\GroupGHashURSType := \byteseq{64}$.
@ -7254,9 +7266,9 @@ The hash $\GroupJHash{\URS}(D, M) \typecolon \SubgroupJstar$ is calculated as fo
{\scalarmult{\ParamJ{h}}{P} \typecolon \SubgroupJstar}{\ZeroJ}$ {\scalarmult{\ParamJ{h}}{P} \typecolon \SubgroupJstar}{\ZeroJ}$
is exactly $\ParamJ{h}$-to-$1$, and both it and its inverse relation are efficiently computable. is exactly $\ParamJ{h}$-to-$1$, and both it and its inverse relation are efficiently computable.
It follows that when $\fun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)} It follows that when $\fun{\big(D \typecolon \byteseq{8}, M \typecolon \byteseqs\big)}
{\BlakeTwosOf{256}{D,\, \URS \bconcat\, M}\! \typecolon \byteseq{32}}$ {\BlakeTwosOf{256}{D,\, \URS \bconcat\, M}\! \typecolon \byteseq{32}}$
is modelled as a random oracle, $\exclusivefun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)} is modelled as a random oracle, $\exclusivefun{\big(D \typecolon \byteseq{8}, M \typecolon \byteseqs\big)}
{\GroupJHash{\URS}\big(D, M\big) \typecolon \SubgroupJstar}{\bot}$ also acts as a random oracle. {\GroupJHash{\URS}\big(D, M\big) \typecolon \SubgroupJstar}{\bot}$ also acts as a random oracle.
\end{pnotes} \end{pnotes}
@ -7265,7 +7277,7 @@ Define $\first \typecolon (\byte \rightarrow \maybe{T}) \rightarrow \maybe{T}$
so that $\first(f) = f(i)$ where $i$ is the least integer in $\byte$ so that $\first(f) = f(i)$ where $i$ is the least integer in $\byte$
such that $f(i) \neq \bot$, or $\bot$ if no such $i$ exists. such that $f(i) \neq \bot$, or $\bot$ if no such $i$ exists.
Define $\FindGroupJHash(D, M) := Define $\FindGroupJHash\big(D, M\big) :=
\first(\fun{i \typecolon \byte}{\GroupJHash{\URS}\Of{D, M \bconcat\, [i]} \typecolon \maybe{\SubgroupJstar}})$. \first(\fun{i \typecolon \byte}{\GroupJHash{\URS}\Of{D, M \bconcat\, [i]} \typecolon \maybe{\SubgroupJstar}})$.
\vspace{-3ex} \vspace{-3ex}
@ -7957,7 +7969,7 @@ It is derived as described in \cite{Bowe2018}:
\notsprout{ \notsprout{
\introsection \intropart
\section{Network Upgrades} \label{networkupgrades} \section{Network Upgrades} \label{networkupgrades}
\Zcash launched with a protocol revision that we call \Sprout. \Zcash launched with a protocol revision that we call \Sprout.
@ -7975,6 +7987,7 @@ The upgrade mechanism is described in \cite{ZIP-200}.
\cite{ZIP-243}.} \cite{ZIP-243}.}
\vspace{1ex} \vspace{1ex}
\introlist
Each network upgrade is introduced as a Each network upgrade is introduced as a
\quotedterm{bilateral consensus rule change}. In this kind of upgrade, \quotedterm{bilateral consensus rule change}. In this kind of upgrade,
@ -8701,7 +8714,7 @@ Define:
\vspace{-1ex} \vspace{-1ex}
\begin{formulae} \begin{formulae}
\hfuzz=10pt \hfuzz=10pt
\item $\mean(S) := \left( \vsum{i=1}{\length(S)} S_i \right) \raisebox{-0.4ex}{\scalebox{1.4}{/\,}} \length(S)$. \item $\mean(S) := \hfrac{\ssum{i=1}{\length(S)} S_i}{\length(S)}$.
\item $\median(S) := \sorted(S)_{\sceiling{\length(S) / 2}}$ \item $\median(S) := \sorted(S)_{\sceiling{\length(S) / 2}}$
\item $\bound{\Lower}{\Upper}(x) := \maximum(\Lower, \minimum(\Upper, x)))$ \item $\bound{\Lower}{\Upper}(x) := \maximum(\Lower, \minimum(\Upper, x)))$
\item $\trunc{x} := \begin{cases} \item $\trunc{x} := \begin{cases}
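Review bot: the unchanged context line \item $\bound{\Lower}{\Upper}(x) := \maximum(\Lower, \minimum(\Upper, x)))$ has one closing parenthesis too many (three against two opening ones); since this cosmetic commit already edits this formulae block, fix it here as \maximum(\Lower, \minimum(\Upper, x)). The \mean change itself reads better with \hfrac and \ssum than with the scaled slash; check whether the \hfuzz=10pt above is still needed now that the expression is narrower.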
@ -10868,7 +10881,7 @@ can be safely used:
\begin{theorem} \label{thmdistinctxcriterion} \begin{theorem} \label{thmdistinctxcriterion}
Let $Q$ be a point of odd-prime order $s$ on a Montgomery curve $E_{\ParamM{A},\ParamM{B}} / \GF{\ParamS{r}}$. Let $Q$ be a point of odd-prime order $s$ on a Montgomery curve $E_{\ParamM{A},\ParamM{B}} / \GF{\ParamS{r}}$.
Let $k_\barerange{1}{2}$ be integers in $\rangenozero{-\halfs}{\halfs}$. Let $k_\barerange{1}{2}$ be integers in $\bigrangenozero{-\halfs}{\halfs}$.
Let $P_i = \scalarmult{k_i}{Q} = (x_i, y_i)$ for $i \in \range{1}{2}$, with Let $P_i = \scalarmult{k_i}{Q} = (x_i, y_i)$ for $i \in \range{1}{2}$, with
$k_1 \neq \pm k_2$. Then the non-unified addition constraints $k_1 \neq \pm k_2$. Then the non-unified addition constraints
@ -10890,14 +10903,14 @@ $P_1 = \scalarmult{k_1}{Q}$, there can be only one other point $-P_1$ with
the same $x$-coordinate. (This follows from the fact that the curve equation the same $x$-coordinate. (This follows from the fact that the curve equation
determines $\pm y$ as a function of $x$.) determines $\pm y$ as a function of $x$.)
But $-P_1 = \scalarmult{-1}{\scalarmult{k_1}{Q}} = \scalarmult{-k_1}{Q}$. But $-P_1 = \scalarmult{-1}{\scalarmult{k_1}{Q}} = \scalarmult{-k_1}{Q}$.
Since $\fun{k \typecolon \range{-\halfs}{\halfs}}{\scalarmult{k}{Q} \typecolon \GroupJ}$ Since $\fun{k \typecolon \bigrange{-\halfs}{\halfs}}{\scalarmult{k}{Q} \typecolon \GroupJ}$
is injective and $k_\barerange{1}{2}$ are in $\range{-\halfs}{\halfs}$, is injective and $k_\barerange{1}{2}$ are in $\bigrange{-\halfs}{\halfs}$,
then $k_2 = \pm k_1$ (contradiction). then $k_2 = \pm k_1$ (contradiction).
\end{proof} \end{proof}
The conditions of this theorem are called the \distinctXCriterion. The conditions of this theorem are called the \distinctXCriterion.
In particular, if $k_\barerange{1}{2}$ are integers in $\range{1}{\halfs}$ In particular, if $k_\barerange{1}{2}$ are integers in $\bigrange{1}{\halfs}$
then it is sufficient to require $k_1 \neq k_2$, since that implies then it is sufficient to require $k_1 \neq k_2$, since that implies
$k_1 \neq \pm k_2$. $k_1 \neq \pm k_2$.
@ -11147,7 +11160,7 @@ We have to prove that:
The proof of \theoremref{thmpedersenencodeinjective} showed that The proof of \theoremref{thmpedersenencodeinjective} showed that
all indices of addition inputs are in the range all indices of addition inputs are in the range
$\rangenozero{-\hfrac{\ParamJ{r}-1}{2}}{\hfrac{\ParamJ{r}-1}{2}}$. $\bigrangenozero{-\hfrac{\ParamJ{r}-1}{2}}{\hfrac{\ParamJ{r}-1}{2}}$.
Because the $\PedersenGen{D}{j}$ (which are outputs of $\GroupJHash{}$) Because the $\PedersenGen{D}{j}$ (which are outputs of $\GroupJHash{}$)
are all of prime order, and $\PedersenEncode{M_j} \neq 0 \pmod{\ParamJ{r}}$, are all of prime order, and $\PedersenEncode{M_j} \neq 0 \pmod{\ParamJ{r}}$,
@ -11423,14 +11436,14 @@ Define $\RedDSABatchVerify \typecolon (\Entry{\barerange{0}{N-1}} \typecolon \ty
\vspace{1ex} \vspace{1ex}
\begin{itemize} \begin{itemize}
\item for all $j \in \range{0}{N-1}$, $\RedDSASigR{j} \neq \bot$ and $\RedDSASigS{j} < \ParamG{r}$; and \item for all $j \in \range{0}{N-1}$, $\RedDSASigR{j} \neq \bot$ and $\RedDSASigS{j} < \ParamG{r}$; and
\item $\scalarmult{\ParamG{h}}{\left(\bigscalarmult{\ssum{j=0}{N-1}{(z_j \mult \RedDSASigS{j}) \item $\scalarmult{\ParamG{h}}{\Big(\Bigscalarmult{\ssum{j=0}{N-1}{(z_j \mult \RedDSASigS{j})
\pmod{\ParamG{r}}}}{\GenG{}} + \pmod{\ParamG{r}}}}{\GenG{}} +
\ssum{j=0}{N-1}{\big(\scalarmult{z_j}{\RedDSASigR{j}} + \ssum{j=0}{N-1}{\big(\scalarmult{z_j}{\RedDSASigR{j}} +
\scalarmult{z_j \mult \RedDSASigc{j} \scalarmult{z_j \mult \RedDSASigc{j}
\pmod{\ParamG{r}}}{\vk_j}\big)}\!\right)} \pmod{\ParamG{r}}}{\vk_j}\big)}\!\Big)}
= \ZeroG{}$, = \ZeroG{}$,
\end{itemize} \end{itemize}
\vspace{-0.5ex} \vspace{-1ex}
otherwise $0$. otherwise $0$.
\end{algorithm} \end{algorithm}
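Review bot: changing the outer \left( ... \right) to fixed \Big( ... \Big) makes the enclosing parentheses the same size as the \Bigscalarmult brackets inside them, so the visual nesting the auto-sized version gave is lost, and the \ssum with limits inside the parentheses may now be taller than the \Big delimiters. Either use \Bigg( ... \Bigg) for the outer pair, matching the convention in the binding-signature equation earlier in this diff, or check the rendered output of this equation before merging.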
@ -11446,7 +11459,7 @@ as Pippinger's method \cite{Bernstein2001} or the Bos--Coster method \cite{deRoo
binding signatures (\crossref{concretebindingsig}) use different bases $\raisedstrut\GenG{}$. binding signatures (\crossref{concretebindingsig}) use different bases $\raisedstrut\GenG{}$.
It is straightforward to adapt the above procedure to handle multiple bases; It is straightforward to adapt the above procedure to handle multiple bases;
there will be one there will be one
$\bigscalarmult{\ssum{j}{}{(z_j \mult \RedDSASigS{j}) \pmod{\ParamG{r}}}}{\Generator}$ term for each base $\Generator$. $\Bigscalarmult{\ssum{j}{}{(z_j \mult \RedDSASigS{j}) \pmod{\ParamG{r}}}}{\Generator}$ term for each base $\Generator$.
The benefit of this relative to using separate batches is that the multiscalar multiplication The benefit of this relative to using separate batches is that the multiscalar multiplication
can be extended across a larger batch.} %pnote can be extended across a larger batch.} %pnote
@ -11463,10 +11476,11 @@ $\OneS$, and $\PairingS$ be as defined in \crossref{blspairing}.
Define $\MillerLoopS \typecolon \SubgroupS{1} \times \SubgroupS{2} \rightarrow \SubgroupS{T}$ Define $\MillerLoopS \typecolon \SubgroupS{1} \times \SubgroupS{2} \rightarrow \SubgroupS{T}$
and $\FinalExpS \typecolon \SubgroupS{T} \rightarrow \SubgroupS{T}$ to be the Miller loop and and $\FinalExpS \typecolon \SubgroupS{T} \rightarrow \SubgroupS{T}$ to be the Miller loop and
final exponentiation respectively of the $\PairingS$ pairing computation, so that: final exponentiation respectively of the $\PairingS$ pairing computation, so that:
\vspace{0.5ex}
\begin{formulae} \begin{formulae}
\item $\PairingS\Of{P, Q} = \FinalExpS\Of{\MillerLoopS\Of{P, Q}\kern 0.05em}$ \item $\PairingS\Of{P, Q} = \FinalExpS\Of{\MillerLoopS\Of{P, Q}\kern 0.05em}$
\end{formulae} \end{formulae}
\vspace{-1.5ex} \vspace{-1ex}
where $\FinalExpS\Of{R} = R^{t}$ for some fixed $t$. where $\FinalExpS\Of{R} = R^{t}$ for some fixed $t$.
\vspace{2ex} \vspace{2ex}