diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 9ed46b71..45e9c427 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -547,10 +547,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\vulncolor}{BrickRed} \newcommand{\setwarning}{\color{\warningcolor}} \newcommand{\warningcolor}{BrickRed} -\newcommand{\changedcolor}{magenta} -\newcommand{\changedcolorname}{\changedcolor} -\newcommand{\setchanged}{\color{\changedcolor}} -\newcommand{\changed}[1]{\texorpdfstring{{\setchanged{#1}}}{#1}} \newcommand{\saplingcolor}{green} \newcommand{\saplingcolorname}{\saplingcolor} \newcommand{\overwintercolor}{blue} @@ -787,7 +783,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\valueCommitmentScheme}{\term{value commitment scheme}} \newcommand{\joinSplitDescription}{\term{JoinSplit description}} \newcommand{\joinSplitDescriptions}{\terms{JoinSplit description}} -\newcommand{\sequenceOfJoinSplitDescriptions}{\changed{sequence of} \joinSplitDescription{}\kern -0.05em\changed{\textsl{s}}} \newcommand{\joinSplitTransfer}{\term{JoinSplit transfer}} \newcommand{\joinSplitTransfers}{\terms{JoinSplit transfer}} \newcommand{\joinSplitSignature}{\term{JoinSplit signature}} @@ -2455,8 +2450,7 @@ transparent payment scheme used by \defining{\Bitcoin \cite{Nakamoto2008}} with \emph{shielded} payment scheme secured by zero-knowledge succinct non-interactive arguments of knowledge (\zkSNARKs). -Changes from the original \Zerocash are explained in \crossref{differences}, -and highlighted in \changed{\changedcolorname} throughout the document. +The most significant changes from the original \Zerocash are explained in \crossref{differences}. Changes specific to the \Overwinter upgrade are highlighted in \overwinter{\overwintercolorname}. 
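Review bot: Deleting the `\changedcolor`, `\changedcolorname`, `\setchanged` and `\changed` definitions in the first hunk turns any surviving use of those macros elsewhere in `protocol.tex` into an undefined-control-sequence build error, and the rest of the file is not visible here. Worth a `grep -n 'changed' protocol/protocol.tex` before merging, including the `differences` section that the rewritten sentence in the third hunk now points readers to, since it may still describe the old magenta highlighting convention. Because `\changed` was wrapped in `\texorpdfstring`, it was presumably also usable in section titles, so a clean hyperref bookmark build is the other thing to confirm.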
@@ -2857,8 +2851,8 @@ The following integer constants will be instantiated in \crossref{constants}: $\MerkleDepth{Sprout}$,\sapling{ $\MerkleDepth{Sapling}$,}\nufive{ $\MerkleDepth{Orchard}$,} $\MerkleHashLength{Sprout}$,\sapling{ $\MerkleHashLength{Sapling}$,}\nufive{ $\MerkleHashLength{Orchard}$,} $\NOld$, $\NNew$, $\ValueLength$, $\hSigLength$, $\PRFOutputLengthSprout$,\sapling{ $\PRFOutputLengthExpand$, - $\PRFOutputLengthNfSapling$,} $\NoteCommitRandLength$, \changed{$\RandomSeedLength$,} $\AuthPrivateLength$, - \changed{$\NoteUniquePreRandLength$,}\sapling{ $\SpendingKeyLength$, $\DiversifierLength$,\nufive{ $\DiversifierKeyLength$,} + $\PRFOutputLengthNfSapling$,} $\NoteCommitRandLength$, $\RandomSeedLength$, $\AuthPrivateLength$, + $\NoteUniquePreRandLength$,\sapling{ $\SpendingKeyLength$, $\DiversifierLength$,\nufive{ $\DiversifierKeyLength$,} $\InViewingKeyLength{Sapling}$, $\OutViewingKeyLength$, $\ScalarLength{Sapling}$,\nufive{ $\ScalarLength{Orchard}$, $\BaseLength{Orchard}$,}} $\MAXMONEY$,\blossom{ $\BlossomActivationHeight$,}\strut\canopy{ $\CanopyActivationHeight$, $\ZIPTwoOneTwoGracePeriod$,} $\SlowStartInterval$, $\PreBlossomHalvingInterval$, $\MaxBlockSubsidy$, $\NumFounderAddresses$, 
@@ -2938,11 +2932,11 @@ $\DiversifiedPaymentAddress = (\Diversifier, \DiversifiedTransmitPublic)$, as de \sapling{\nnote{In \zcashd, all \SaplingAndOrchard keys and addresses are derived according to \cite{ZIP-32}.}} \vspace{2ex} -The composition of \shieldedPaymentAddresses, \changed{\incomingViewingKeys,} +The composition of \shieldedPaymentAddresses, \incomingViewingKeys, \sapling{\fullViewingKeys,} and \spendingKeys is a cryptographic protocol detail that should not normally be exposed to users. However, user-visible operations should be provided to obtain a -\shieldedPaymentAddress\changed{ or \incomingViewingKey}\sapling{ or \fullViewingKey} +\shieldedPaymentAddress, \incomingViewingKey\sapling{, or \fullViewingKey} from a \spendingKey\sapling{ or \extendedSpendingKey}. Users can accept payment from multiple parties with a single @@ -3012,7 +3006,7 @@ Let $\ParamP{q}$ be as defined in \crossref{pallasandvesta}. \vspace{2ex} \introlist -A \Sprout \note is a tuple $\changed{(\AuthPublic, \Value, \NoteUniqueRand, \NoteCommitRand)}$, +A \Sprout \note is a tuple $(\AuthPublic, \Value, \NoteUniqueRand, \NoteCommitRand)$, where: \begin{itemize} \item $\AuthPublic \typecolon \PRFOutputSprout$ is the \defining{\payingKey} of the @@ -3030,8 +3024,8 @@ where: \introlist Let $\NoteType{Sprout}$ be the type of a \Sprout \note, i.e. \begin{formulae} - \item $\NoteType{Sprout} := \changed{\PRFOutputSprout \times \range{0}{\MAXMONEY} \times \PRFOutputSprout - \times \NoteCommitTrapdoor{Sprout}}$. + \item $\NoteType{Sprout} := \PRFOutputSprout \times \range{0}{\MAXMONEY} \times \PRFOutputSprout + \times \NoteCommitTrapdoor{Sprout}$. \end{formulae} \sapling{ 
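Review bot: The rewritten sentence in the first hunk loses its conjunction when `\sapling` is switched off: `\shieldedPaymentAddress, \incomingViewingKey\sapling{, or \fullViewingKey}` renders as "a shielded payment address, incoming viewing key from a spending key", whereas the removed line read "... or incoming viewing key". If non-Sapling builds are still produced (the file has a `\notnufive` switch, so presumably a `\notsapling` one too), something like `\shieldedPaymentAddress\notsapling{ or}\sapling{,} \incomingViewingKey\sapling{, or \fullViewingKey}` restores both readings. If such builds are no longer made, a short comment saying so would justify the simpler form.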
@@ -3100,7 +3094,7 @@ on the \blockChain. \vspace{2ex} \introlist A \Sprout{} \defining{\noteCommitment} on a \note -$\NoteTuple{} = \changed{(\AuthPublic, \Value, \NoteUniqueRand, \NoteCommitRand)}$ is computed as +$\NoteTuple{} = (\AuthPublic, \Value, \NoteUniqueRand, \NoteCommitRand)$ is computed as \vspace{-1ex} \begin{formulae} @@ -3208,9 +3202,9 @@ Each \Sprout{} \defining{\notePlaintext} (denoted $\NotePlaintext{}$) consists o \vspace{-1ex} \begin{formulae} - \item $(\changed{\NotePlaintextLeadByte \typecolon \byte,\ } + \item $(\NotePlaintextLeadByte \typecolon \byte, \Value \typecolon \ValueType, \NoteUniqueRand \typecolon \PRFOutputSprout, - \NoteCommitRand \typecolon \NoteCommitTrapdoor{Sprout}\changed{, \Memo \typecolon \MemoType})$. + \NoteCommitRand \typecolon \NoteCommitTrapdoor{Sprout}, \Memo \typecolon \MemoType)$. \end{formulae} \saplingonward{ @@ -3234,10 +3228,8 @@ The field $\NoteSeedBytes$ is described in \crossref{saplingsend}. } %canopy } %saplingonward -\changed{ $\Memo$ represents a $\MemoByteLength$-byte \defining{\memo} associated with this \note. The usage of the \memo is by agreement between the sender and recipient of the \note. -} Encodings are given in \crossref{notept}. The result of encryption forms part of a \noteOrNotesCiphertext. @@ -3319,8 +3311,8 @@ In a given \blockChain, \sapling{for each of \Sprout and \SaplingAndOrchard,} \transaction. \end{itemize} -\changed{\joinSplitDescriptions also have interstitial input and output -\treestates for \Sprout, explained in the following section.} +\joinSplitDescriptions also have interstitial input and output +\treestates for \Sprout, explained in the following section. \sapling{There is no equivalent of interstitial \treestates for \Sapling\nufive{ or for \Orchard}.} 
@@ -3338,9 +3330,9 @@ $\vpubNew$. It is associated with a \joinSplitStatement instance (\crossref{joinsplitstatement}), for which it provides a \zkSNARKProof. -Each \transaction has a \sequenceOfJoinSplitDescriptions{}. +Each \transaction has a sequence of \joinSplitDescriptions. -The \changed{total $\vpubNew$ value adds to, and the total} $\vpubOld$ +The total $\vpubNew$ value adds to, and the total $\vpubOld$ value subtracts from the \transparentTxValuePool of the containing \transaction. The \anchor of each \joinSplitDescription in a \transaction{} refers to a @@ -3349,7 +3341,6 @@ The \anchor of each \joinSplitDescription in a \transaction{} refers to a For each of the $\NOld$ \shieldedInputs, a \nullifier is revealed. This allows detection of double-spends as described in \crossref{nullifierset}. -\changed{ For each \joinSplitDescription in a \transaction, an interstitial output \treestate is constructed which adds the \noteCommitments and \nullifiers specified in that \joinSplitDescription to the input \treestate referred to by its \anchor. @@ -3361,7 +3352,6 @@ the parent of each node is determined by its \anchor. Interstitial \treestates are necessary because when a \transaction is constructed, it is not known where it will eventually appear in a mined \block. Therefore the \anchors that it uses must be independent of its eventual position. -} \vspace{-3ex} \begin{consensusrules} @@ -3370,13 +3360,11 @@ it is not known where it will eventually appear in a mined \block. Therefore the \vspace{-0.5ex} \item For the first \joinSplitDescription of a \transaction, the \anchor \MUST be the output \Sprout \treestate of a previous \block. -\changed{ \vspace{-0.5ex} \item The \anchor of each \joinSplitDescription in a \transaction \MUST refer to either some earlier \block's final \Sprout \treestate, or to the interstitial output \treestate of any prior \joinSplitDescription in the same \transaction. -} \end{consensusrules} 
@@ -3636,7 +3624,6 @@ $\MerkleCRH{Sprout}$ is \collisionResistant except on its first argument. These functions are instantiated in \crossref{merklecrh}. -\changed{ $\hSigCRH{} \typecolon \bitseq{\RandomSeedLength} \times \typeexp{\PRFOutputSprout}{\NOld} \times \JoinSplitSigPublic \rightarrow \hSigType$ is a \collisionResistant \hashFunction used in \crossref{joinsplitdesc}. It is instantiated in \crossref{hsigcrh}. @@ -3646,7 +3633,6 @@ is another \hashFunction, used in \crossref{equihash} to generate input to the \Equihash solver. The first two arguments, representing the \Equihash parameters $n$ and $k$, are written subscripted. It is instantiated in \crossref{equihashgen}. -} \sapling{ $\CRHivk \typecolon \ReprJ \times \ReprJ \rightarrow \InViewingKeyTypeSapling$ @@ -3674,7 +3660,7 @@ used to derive a \diversifiedBase from a \diversifier, which is specified in $\PRF{x}{}$ denotes a \defining{\pseudoRandomFunction} keyed by $x$. -Let $\AuthPrivateLength$, $\hSigLength$, $\PRFOutputLengthSprout$, \changed{$\NoteUniquePreRandLength$,} +Let $\AuthPrivateLength$, $\hSigLength$, $\PRFOutputLengthSprout$, $\NoteUniquePreRandLength$, \sapling{$\SpendingKeyLength$, $\OutViewingKeyLength$, $\PRFOutputLengthExpand$, $\PRFOutputLengthNfSapling$,} $\NOld$, and $\NNew$ be as defined in \crossref{constants}. 
@@ -3693,12 +3679,12 @@ Let $\ellP$ and $\ParamP{q}$ be as defined in \crossref{pallasandvesta}. \vspace{1ex} \introlist -For \Sprout, \changed{four} \emph{independent} $\PRF{x}{}$ are needed: +For \Sprout, four \emph{independent} $\PRF{x}{}$ are needed: \begin{tabular}{@{\hskip 2em}l@{\;\notnufive{\hskip 0.86em}}l@{\;\notnufive{\hskip 0.54em}}l@{\;}l@{\,\notnufive{\hskip 4em}}l} $\PRFaddr{} $&$\typecolon\; \bitseq{\AuthPrivateLength} $&$\times\; \byte $& &$\rightarrow \PRFOutputSprout$ \\ $\PRFpk{} $&$\typecolon\; \bitseq{\AuthPrivateLength} $&$\times\; \setofOld $&$\times\; \hSigType $&$\rightarrow \PRFOutputSprout$ \\ -$\setchanged\PRFrho{} $&$\setchanged\typecolon\; \bitseq{\NoteUniquePreRandLength} $&$\setchanged\times\; \setofNew $&$\setchanged\times\; \hSigType $&$\setchanged\rightarrow \PRFOutputSprout$ \\ +$\PRFrho{} $&$\typecolon\; \bitseq{\NoteUniquePreRandLength} $&$\times\; \setofNew $&$times\; \hSigType $&$\rightarrow \PRFOutputSprout$ \\ $\PRFnf{Sprout}{} $&$\typecolon\; \bitseq{\AuthPrivateLength} $&$\times\; \PRFOutputSprout $& &$\rightarrow \PRFOutputSprout$ \end{tabular} 
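Review bot: The rewritten `\PRFrho{}` row in the second hunk lost a backslash in its fourth column: `$times\; \hSigType $` should be `$\times\; \hSigType $`. As written it still compiles, but typesets the italic word "times" instead of the product symbol, so the signature of $\PRFrho{}$ no longer reads as a product type like the neighbouring `\PRFpk{}` row. This looks like a slip from stripping `\setchanged\` rather than `\setchanged`; the other three rows of the tabular are intact.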
@@ -3760,11 +3746,11 @@ All of these \pseudoRandomFunctions are instantiated in \crossref{concreteprfs}. \begin{securityrequirements} \item Security definitions for \defining{\pseudoRandomFunctions} are given in \cite[section 4]{BDJR2000}. \item In addition to being \pseudoRandomFunctions, it is required that - $\PRFaddr{x}$,\changed{ $\PRFrho{x}$, $\PRFnf{Sprout}{x}$}\sapling{,\notnufive{ and} + $\PRFaddr{x}$, $\PRFrho{x}$, $\PRFnf{Sprout}{x}$\sapling{,\notnufive{ and} $\PRFnf{Sapling}{x}$}\nufive{ and $\PRFnf{Orchard}{x}$} be \collisionResistant across all $x$ --- i.e.\ finding $(x, y) \neq (x', y')$ such that $\PRFaddr{x}(y) = \PRFaddr{x'}(y')$ should - not be feasible\changed{, and similarly for $\PRFrho{}$ and $\PRFnf{Sprout}{}$\sapling{ and - $\PRFnf{Sapling}{}$}\nufive{ and $\PRFnf{Orchard}{}$}}. + not be feasible, and similarly for $\PRFrho{}$, $\PRFnf{Sprout}{}$\sapling{,\notnufive{ and} + $\PRFnf{Sapling}{}$}\nufive{, and $\PRFnf{Orchard}{}$}. \end{securityrequirements} \vspace{-2ex} @@ -3962,7 +3948,7 @@ $\SigValidate{\vk}(m, s) = 1$. \vspace{-1ex} The signature scheme used in script operations is instantiated by \ECDSA on the \secpCurve. -\changed{$\JoinSplitSig$ is instantiated by \EdSpecific.} +$\JoinSplitSig$ is instantiated by \EdSpecific. \sapling{$\SpendAuthSig{}$ and $\BindingSig{}$ are instantiated by $\RedDSA$; on the \jubjubCurve in \Sapling\nufive{, and on the \pallasCurve in \Orchard}.} 
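Review bot: The two lists in the security requirement, both rewritten in the first hunk, are now punctuated inconsistently: the first ends `\nufive{ and $\PRFnf{Orchard}{x}$}` with no serial comma, while the second ends `\nufive{, and $\PRFnf{Orchard}{}$}`. With `\sapling` off, neither list has a conjunction at all ("$\PRFaddr{x}$, $\PRFrho{x}$, $\PRFnf{Sprout}{x}$ be collision-resistant"), which the old `\changed{...}` text also had but is easier to fix now the text is plain, e.g. `$\PRFaddr{x}$, $\PRFrho{x}$,\notsapling{ and} $\PRFnf{Sprout}{x}$\sapling{,\notnufive{ and} ...` assuming a `\notsapling` switch exists alongside `\notnufive`. Either way the serial comma should match between the two lists and the sighash list later in this file.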
@@ -4610,16 +4596,14 @@ A new \Sprout \spendingKey $\AuthPrivate$ is generated by choosing a bit sequenc uniformly at random from $\bitseq{\AuthPrivateLength}$. \introlist -\changed{ $\AuthPublic$, $\TransmitPrivate$ and $\TransmitPublic$ are derived from -$\AuthPrivate$ -as follows:} +$\AuthPrivate$ as follows: \vspace{-0.5ex} \begin{tabular}{@{\hskip 2em}r@{\;}l} - $\AuthPublic$ &$:= \changed{\PRFaddr{\AuthPrivate}(0)}$ \\ - $\TransmitPrivate$ &$:= \changed{\KAFormatPrivate{Sprout}(\PRFaddr{\AuthPrivate}(1))}$ \\ - $\TransmitPublic$ &$:= \changed{\KADerivePublic{Sprout}(\TransmitPrivate, \KABase{Sprout})}$. + $\AuthPublic$ &$:= \PRFaddr{\AuthPrivate}(0)$ \\ + $\TransmitPrivate$ &$:= \KAFormatPrivate{Sprout}(\PRFaddr{\AuthPrivate}(1))$ \\ + $\TransmitPublic$ &$:= \KADerivePublic{Sprout}(\TransmitPrivate, \KABase{Sprout})$. \end{tabular} @@ -4915,8 +4899,8 @@ A \joinSplitDescription comprises $(\vpubOld, \vpubNew, \rt{Sprout}, \nfOld{\all \TransmitCiphertext{\allNew})$ \\ where \begin{itemize} - \item \changed{$\vpubOld \typecolon \range{0}{\MAXMONEY}$ is - the value that the \joinSplitTransfer removes from the \transparentTxValuePool}; + \item $\vpubOld \typecolon \range{0}{\MAXMONEY}$ is + the value that the \joinSplitTransfer removes from the \transparentTxValuePool; \item $\vpubNew \typecolon \range{0}{\MAXMONEY}$ is the value that the \joinSplitTransfer inserts into the \transparentTxValuePool; \item $\rt{Sprout} \typecolon \MerkleHash{Sprout}$ is an \anchor, as defined in 
@@ -4927,18 +4911,18 @@ where the sequence of \nullifiers for the input \notes; \item $\cmNew{\allNew} \typecolon \typeexp{\NoteCommitOutput{Sprout}}{\NNew}$ is the sequence of \noteCommitments for the output \notes; - \item \changed{$\EphemeralPublic \typecolon \KAPublic{Sprout}$ is + \item $\EphemeralPublic \typecolon \KAPublic{Sprout}$ is a key agreement \publicKey, used to derive the key for encryption - of the \notesCiphertextSprout (\crossref{sproutinband})}; - \item \changed{$\RandomSeed \typecolon \RandomSeedType$ is + of the \notesCiphertextSprout (\crossref{sproutinband}); + \item $\RandomSeed \typecolon \RandomSeedType$ is a seed that must be chosen independently at random for each - \joinSplitDescription}; + \joinSplitDescription; \vspace{-0.5ex} \item $\h{\allOld} \typecolon \typeexp{\PRFOutputSprout}{\NOld}$ is a sequence of tags that bind $\hSig$ to each $\AuthPrivate$ of the input \notes; \item $\ProofJoinSplit \typecolon \JoinSplitProof$ is a \zkProof with - \primaryInput $(\rt{Sprout}, \nfOld{\allOld}, \cmNew{\allNew},\changed{ \vpubOld,\,} + \primaryInput $(\rt{Sprout}, \nfOld{\allOld}, \cmNew{\allNew}, \vpubOld, \vpubNew, \hSig, \h{\allOld})$ for the \joinSplitStatement defined in \crossref{joinsplitstatement}\sapling{ (this is a \BCTV proof before \Sapling activation, and a \Groth proof after \Sapling @@ -4950,10 +4934,10 @@ where \introlist The $\ephemeralKey$ and $\encCiphertexts$ fields together form the \notesCiphertextSprout. -The value $\hSig$ is also computed from \changed{$\RandomSeed$, $\nfOld{\allOld}$, and} the +The value $\hSig$ is also computed from $\RandomSeed$, $\nfOld{\allOld}$, and the $\joinSplitPubKey$ of the containing \transaction: \begin{formulae} - \item $\hSig := \hSigCRH(\changed{\RandomSeed, \nfOld{\allOld},\,} \joinSplitPubKey)$. + \item $\hSig := \hSigCRH(\RandomSeed, \nfOld{\allOld}, \joinSplitPubKey)$. \end{formulae} \vspace{-1ex} 
@@ -4962,7 +4946,7 @@ $\joinSplitPubKey$ of the containing \transaction: above (for example: $0 \leq \vpubOld \leq \MAXMONEY$ and $0 \leq \vpubNew \leq \MAXMONEY$). \item The proof $\Proof{\JoinSplit}$ \MUST be valid given a \primaryInput formed from the relevant other fields and $\hSig$ --- i.e.\ $\JoinSplitVerify{}\big(\kern-0.1em(\rt{Sprout}, \nfOld{\allOld}, - \cmNew{\allNew},\changed{\vpubOld,} \vpubNew, \hSig, \h{\allOld}), \Proof{\JoinSplit}\big) = 1$. + \cmNew{\allNew}, \vpubOld, \vpubNew, \hSig, \h{\allOld}), \Proof{\JoinSplit}\big) = 1$. \item Either $\vpubOld$ or $\vpubNew$ \MUST be zero. \canopyonwarditem{$\vpubOld$ \MUST be zero.} \end{consensusrules} @@ -5219,18 +5203,16 @@ generating a new $\JoinSplitSig$ key pair: For each \joinSplitDescription, the sender chooses $\RandomSeed$ uniformly at random on $\bitseq{\RandomSeedLength}$, and selects the input \notes. At this point there is sufficient information to compute $\hSig$, -as described in the previous section. \changed{The sender also chooses $\NoteUniquePreRand$ -uniformly at random on $\strut\smash{\bitseq{\NoteUniquePreRandLength}}$.} +as described in the previous section. The sender also chooses $\NoteUniquePreRand$ +uniformly at random on $\strut\smash{\bitseq{\NoteUniquePreRandLength}}$. Then it creates each output \note with index $i \typecolon \setofNew$: \begin{itemize} \item Choose uniformly random $\NoteCommitRand_i \leftarrowR \NoteCommitGenTrapdoor{Sprout}()$. -\changed{ \item Compute $\NoteUniqueRand_i = \PRFrho{\NoteUniquePreRand}(i, \hSig)$. -} \item Compute $\cm_i = \NoteCommit{Sprout}{\NoteCommitRand_i}(\AuthPublicSub{i}, \Value_i, \NoteUniqueRand_i)$. - \item Let $\NotePlaintext{i} = (\changed{\hexint{00},\ } \Value_i, \NoteUniqueRand_i, \NoteCommitRand_i\changed{, \Memo_i})$. + \item Let $\NotePlaintext{i} = (\hexint{00}, \Value_i, \NoteUniqueRand_i, \NoteCommitRand_i, \Memo_i)$. \end{itemize} \vspace{-1ex} 
@@ -5460,7 +5442,6 @@ Let $\NoteCommitAlg{Sprout}$ be as defined in \crossref{abstractcommit}. \introlist \vspace{0.5ex} -\changed{ A \dummy \Sprout input \note, with index $i$ in the \joinSplitDescription, is constructed as follows: \vspace{-0.5ex} @@ -5477,7 +5458,6 @@ is constructed as follows: \auxiliaryInput to the \joinSplitStatement (this will not be checked). \item When generating the \joinSplitProof\!\!, set $\EnforceMerklePath{i}$ to $0$. \end{itemize} -} A \dummy \Sprout output \note is constructed as normal but with zero value, and sent to a random \shieldedPaymentAddress. 
@@ -5677,16 +5657,16 @@ in \crossref{sproutnonmalleability}\sapling{, \crossref{bindingsig}, and \crossr \introlist To provide additional flexibility when combining spend authorizations from different sources, \Bitcoin defines several \defining{\sighashTypes} that cover various parts of a transaction -\cite{Bitcoin-SigHash}. One of these types is $\SIGHASHALL$\changed{, which is used for -\Zcash-specific signatures, i.e.\ \joinSplitSignatures\sapling{, \spendAuthSignatures, -\notnufive{and} \saplingBindingSignatures}\nufive{, and \orchardBindingSignatures}}. -\changed{In these cases the \sighashTxHash is not associated with a \transparentInput, +\cite{Bitcoin-SigHash}. One of these types is $\SIGHASHALL$, which is used for +\Zcash-specific signatures, i.e.\ \joinSplitSignatures\sapling{, \spendAuthSignatures,\notnufive{ and} +\saplingBindingSignatures}\nufive{, and \orchardBindingSignatures}. +In these cases the \sighashTxHash is not associated with a \transparentInput, and so the input to hashing excludes \emph{all} of the $\scriptSig$ fields in the -non-\Zcash-specific parts of the \transaction.} +non-\Zcash-specific parts of the \transaction. -\changed{In \Zcash, all \sighashTypes are extended to cover the \Zcash-specific +In \Zcash, all \sighashTypes are extended to cover the \Zcash-specific fields $\nJoinSplit$, $\vJoinSplit$, and if present $\joinSplitPubKey$. These fields -are described in \crossref{txnencodingandconsensus}. The hash \emph{does not} cover the field $\joinSplitSig$.} +are described in \crossref{txnencodingandconsensus}. The hash \emph{does not} cover the field $\joinSplitSig$. \overwinter{After \Overwinter activation, all \sighashTypes are also extended to cover \transaction fields introduced in that upgrade\sapling{, and similarly after \Sapling activation}\nufive{ and after \NUFive activation}. 
@@ -5732,7 +5712,7 @@ by \cite{ZIP-225}. It will use a new \consensusBranchID \hexint{F919A198} as def \lsubsection{Non-malleability (\SproutText)}{sproutnonmalleability} Let $\dataToBeSigned$ be the hash of the \transaction{}, not associated with an input, -\changed{using the $\SIGHASHALL$ \sighashType}. +using the $\SIGHASHALL$ \sighashType. In order to ensure that a \joinSplitDescription is cryptographically bound to the \transparent inputs and outputs corresponding to $\vpubNew$ and $\vpubOld$, and @@ -5743,12 +5723,10 @@ signed with the private \signingKey of this key pair. The corresponding public $\JoinSplitSig$ is instantiated in \crossref{concretejssig}. -\changed{ If $\nJoinSplit$ is zero, the $\joinSplitPubKey$ and $\joinSplitSig$ fields are omitted. Otherwise, a \transaction has a correct \defining{\joinSplitSignature} if and only if $\JoinSplitSigValidate{\text{\small\joinSplitPubKey}}(\dataToBeSigned, \joinSplitSig) = 1$. % FIXME: distinguish pubkey and signature from their encodings. -} Let $\hSig$ be computed as specified in \crossref{joinsplitdesc}. 
@@ -5775,14 +5753,12 @@ to the \minerSubsidy in the \coinbaseTransaction of the \block. \Zcash \Sprout extends this by adding \joinSplitTransfers. Each \joinSplitTransfer can be seen, from the perspective of the \transparentTxValuePool, -as an input \changed{and an output simultaneously}. +as an input and an output simultaneously. -\changed{$\vpubOld$ takes value from the \transparentTxValuePool and} -$\vpubNew$ adds value to the \transparentTxValuePool. As a result, \changed{$\vpubOld$ is -treated like an \emph{output} value, whereas} $\vpubNew$ is treated like an -\emph{input} value. +$\vpubOld$ takes value from the \transparentTxValuePool and $\vpubNew$ adds value to +the \transparentTxValuePool. As a result, $\vpubOld$ is treated like an \emph{output} +value, whereas $\vpubNew$ is treated like an \emph{input} value. -\changed{ \defining{As defined in \cite{ZIP-209}, the \SproutChainValuePoolBalance for a given \blockChain is the sum of all $\vpubOld$ field values for \transactions in the \blockChain, minus the sum of all $\vpubNew$ fields values for transactions in the \blockChain.} @@ -5805,7 +5781,6 @@ $\vpubNew$ were nonzero were allowed, it could be replaced by an equivalent one in which $\minimum(\vpubOld, \vpubNew)$ is subtracted from both of these values. This restriction helps to avoid unnecessary distinctions between \transactions according to client implementation. -} %changed \sapling{ 
@@ -6348,8 +6323,7 @@ For each shielded protocol, the requirements on \nullifier derivation are as fol \item The derived \nullifier must be determined completely by the fields of the \note\sapling{, and possibly its position}, in a way that can be checked in the corresponding statement that controls spends (i.e.\ the - \changed{\joinSplitStatement}\sapling{, \spendStatement}\nufive{, or - \actionStatement}). + \joinSplitStatement\sapling{, \spendStatement}\nufive{, or \actionStatement}). \item Under the assumption that $\NoteUniqueRand$ values are unique, it must not be possible to generate two \notes with distinct \noteCommitments but the same \nullifier. (See \crossref{faeriegold} for further discussion.) @@ -6372,7 +6346,7 @@ Let $\MerkleHashLength{Sprout}$, $\PRFOutputLengthSprout$, $\MerkleDepth{Sprout} $\AuthPrivateLength$, $\NoteUniquePreRandLength$, $\hSigLength$, $\NOld$, $\NNew$ be as defined in \crossref{constants}. \vspace{-1ex} -Let $\PRFaddr{}$, $\PRFnf{Sprout}{}$, $\PRFpk{}$, \changed{and $\PRFrho{}$} be as defined in \crossref{abstractprfs}. +Let $\PRFaddr{}$, $\PRFnf{Sprout}{}$, $\PRFpk{}$, and $\PRFrho{}$ be as defined in \crossref{abstractprfs}. \vspace{-1ex} Let $\NoteCommit{Sprout}{}$ be as defined in \crossref{abstractcommit}, and @@ -6385,7 +6359,7 @@ A valid instance of a \defining{\joinSplitStatement}, $\ProofJoinSplit$, assures \item $\oparen\rt{Sprout} \typecolon \MerkleHash{Sprout},\\ \hparen\nfOld{\allOld} \typecolon \typeexp{\PRFOutputSprout}{\NOld},\\ \hparen\cmNew{\allNew} \typecolon \typeexp{\NoteCommitOutput{Sprout}}{\NNew},\vspace{0.6ex}\\ - \hparen\changed{\vpubOld \typecolon \ValueType,}\vspace{0.6ex}\\ + \hparen\vpubOld \typecolon \ValueType,\vspace{0.6ex}\\ \hparen\vpubNew \typecolon \ValueType,\\ \hparen\hSig \typecolon \hSigType,\vspace{0.5ex}\\ \hparen\h{\allOld} \typecolon \smash{\typeexp{\PRFOutputSprout}{\NOld}\cparen}$, 
@@ -6398,9 +6372,9 @@ the prover knows an \auxiliaryInput: \hparen\NotePosition_{\allOld} \typecolon \typeexp{\NotePositionType{Sprout}}{\NOld},\\ \hparen\nOld{\allOld} \typecolon \typeexp{\NoteType{Sprout}}{\NOld},\\ \hparen\AuthPrivateOld{\allOld} \typecolon \typeexp{\bitseq{\AuthPrivateLength}}{\NOld},\\ - \hparen\nNew{\allNew} \typecolon \typeexp{\NoteType{Sprout}}{\NNew}\changed{,}\vspace{0.5ex}\\ - \hparen\changed{\NoteUniquePreRand \typecolon \bitseq{\NoteUniquePreRandLength},}\vspace{-0.5ex}\\ - \hparen\changed{\EnforceMerklePath{\allOld} \typecolon \bitseq{\NOld}}\cparen$, + \hparen\nNew{\allNew} \typecolon \typeexp{\NoteType{Sprout}}{\NNew},\vspace{0.5ex}\\ + \hparen\NoteUniquePreRand \typecolon \bitseq{\NoteUniquePreRandLength},\vspace{-0.5ex}\\ + \hparen\EnforceMerklePath{\allOld} \typecolon \bitseq{\NOld}\cparen$, \end{formulae} \vspace{-2ex} where: 
@@ -6415,18 +6389,18 @@ where: such that the following conditions hold: \snarkcondition{Merkle path validity}{sproutmerklepathvalidity} -for each $i \in \setofOld$ \changed{$\mid$ $\EnforceMerklePath{i} = 1$}: +for each $i \in \setofOld$ $\mid$ $\EnforceMerklePath{i} = 1$: $(\TreePath{i}, \NotePosition_i)$ is a valid \merklePath (see \crossref{merklepath}) of depth $\MerkleDepth{Sprout}$ from $\NoteCommitment{Sprout}(\nOld{i})$ to the \anchor $\rt{Sprout}$. \pnote{Merkle path validity covers conditions 1.\,(a) and 1.\,(d) of the NP \statement in \cite[section 4.2]{BCGGMTV2014}.} -\changed{\snarkcondition{Merkle path enforcement}{sproutmerklepathenforcement}} +\snarkcondition{Merkle path enforcement}{sproutmerklepathenforcement} for each $i \in \setofOld$, if $\vOld{i} \neq 0$ then $\EnforceMerklePath{i} = 1$. \snarkcondition{Balance}{sproutbalance} -$\changed{\vpubOld\; +} \ssum{i=1}{\NOld} \vOld{i} = \vpubNew + \ssum{i=1}{\NNew} \vNew{i} \in \ValueType$. +$\vpubOld + \ssum{i=1}{\NOld} \vOld{i} = \vpubNew + \ssum{i=1}{\NNew} \vNew{i} \in \ValueType$. \snarkcondition{Nullifier integrity}{sproutnullifierintegrity} for each $i \in \setofOld$: 
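Review bot: The Merkle path validity condition in the first hunk now reads `for each $i \in \setofOld$ $\mid$ $\EnforceMerklePath{i} = 1$:`, three separate math fragments that existed only because the `\changed{...}` wrapper used to split them. With the wrapper gone, a single expression `for each $i \in \setofOld \mid \EnforceMerklePath{i} = 1$:` gives proper math spacing around the bar and matches how the other conditions in this statement write their quantifiers, e.g. `for each $i \in \setofOld$:` in the enforcement and nullifier integrity conditions below it.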
@@ -6434,15 +6408,15 @@ $\nfOld{i} = \PRFnf{Sprout}{\AuthPrivateOld{i}}(\NoteUniqueRandOld{i})$. \snarkcondition{Spend authority}{sproutspendauthority} for each $i \in \setofOld$: -$\AuthPublicOld{i} = \changed{\PRFaddr{\AuthPrivateOld{i}}(0)}$. +$\AuthPublicOld{i} = \PRFaddr{\AuthPrivateOld{i}}(0)$. \snarkcondition{Non-malleability}{sproutnonmalleablejs} for each $i \in \setofOld$: $\h{i} = \PRFpk{\AuthPrivateOld{i}}(i, \hSig)$. -\changed{\snarkcondition{Uniqueness of $\NoteUniqueRandNew{i}$}{sproutuniquerho} +\snarkcondition{Uniqueness of $\NoteUniqueRandNew{i}$}{sproutuniquerho} for each $i \in \setofNew$: -$\NoteUniqueRandNew{i} = \PRFrho{\NoteUniquePreRand}(i, \hSig)$.} +$\NoteUniqueRandNew{i} = \PRFrho{\NoteUniquePreRand}(i, \hSig)$. \snarkcondition{Note commitment integrity}{sproutcommitmentintegrity} for each $i \in \setofNew$: $\cmNew{i} = \NoteCommitment{Sprout}(\nNew{i})$. @@ -6793,13 +6767,13 @@ In \Sprout, the secrets that need to be transmitted to a recipient of funds in order for them to later spend, are $\Value$, $\NoteUniqueRand$, and $\NoteCommitRand$. \canopy{(After \Canopy activation, $\NoteCommitRand$ is replaced by $\NoteSeedBytes$.)} -\changed{A \memo (\crossref{noteptconcept}) is also transmitted.} +A \memo (\crossref{noteptconcept}) is also transmitted. To transmit these secrets securely to a recipient \emph{without} requiring an out-of-band communication channel, the \transmissionKey $\TransmitPublic$ is used to encrypt them. The recipient's possession of the associated \incomingViewingKey $\InViewingKey$ is used to -reconstruct the original \note\changed{ and \memo}. +reconstruct the original \note and \memo. \introlist A single \ephemeralPublicKey is shared between encryptions of the $\NNew$ 
@@ -6840,27 +6814,21 @@ Then to encrypt: \vspace{-0.5ex} \begin{itemize} -\changed{ \item Generate a new $\KA{Sprout}$ (public, private) key pair $(\EphemeralPublic, \EphemeralPrivate)$. \vspace{-0.5ex} \item For $i \in \setofNew$, \begin{itemize} \item Let $\TransmitPlaintext{i}$ be the \rawEncoding of $\NotePlaintext{i}$. - \vspace{-0.5ex} - \item Let $\DHSecret{i} = \KAAgree{Sprout}(\EphemeralPrivate, -\TransmitPublicSub{i})$. - \vspace{-0.5ex} - \item Let $\TransmitKey{i} = \KDF{Sprout}(i, \hSig, \DHSecret{i}, \EphemeralPublic, -\TransmitPublicSub{i})$. - \item Let $\TransmitCiphertext{i} = -\SymEncrypt{\TransmitKey{i}}(\TransmitPlaintext{i})$. + \vspace{-0.5ex} + \item Let $\DHSecret{i} = \KAAgree{Sprout}(\EphemeralPrivate, \TransmitPublicSub{i})$. + \vspace{-0.5ex} + \item Let $\TransmitKey{i} = \KDF{Sprout}(i, \hSig, \DHSecret{i}, \EphemeralPublic, \TransmitPublicSub{i})$. + \item Let $\TransmitCiphertext{i} = \SymEncrypt{\TransmitKey{i}}(\TransmitPlaintext{i})$. \end{itemize} -} \end{itemize} \vspace{-2ex} -The resulting \defining{\notesCiphertextSprout} is $\changed{(\EphemeralPublic, -\TransmitCiphertext{\allNew})}$. +The resulting \defining{\notesCiphertextSprout} is $(\EphemeralPublic, \TransmitCiphertext{\allNew})$. \pnote{ It is technically possible to replace $\TransmitCiphertext{i}$ for a given \note 
@@ -6887,16 +6855,13 @@ Let $\cm_{\allNew}$ be the \noteCommitments of each output coin. Then for each $i \in \setofNew$, the recipient will attempt to decrypt that ciphertext component $(\EphemeralPublic, \TransmitCiphertext{i})$ as follows: -\changed{ \begin{formulae} \vspace{-0.5ex} \item let $\DHSecret{i} = \KAAgree{Sprout}(\TransmitPrivate, \EphemeralPublic)$ \vspace{-0.5ex} - \item let $\TransmitKey{i} = \KDF{Sprout}(i, \hSig, \DHSecret{i}, \EphemeralPublic, -\TransmitPublic)$ + \item let $\TransmitKey{i} = \KDF{Sprout}(i, \hSig, \DHSecret{i}, \EphemeralPublic, \TransmitPublic)$ \vspace{-0.5ex} - \item return $\DecryptNoteSprout(\TransmitKey{i}, \TransmitCiphertext{i}, \cm_i, -\AuthPublic).$ + \item return $\DecryptNoteSprout(\TransmitKey{i}, \TransmitCiphertext{i}, \cm_i, \AuthPublic).$ \end{formulae} \introlist @@ -6910,15 +6875,14 @@ is defined as follows: \item if $\TransmitPlaintext{i} = \bot$, return $\bot$ \vspace{-1.5ex} \item extract $\NotePlaintext{i} = (\NotePlaintextLeadByte_i \typecolon \byte, -\Value_i \typecolon \ValueType, -\NoteUniqueRand_i \typecolon \PRFOutputSprout, -\NoteCommitRand_i \typecolon \NoteCommitTrapdoor{Sprout}, -\Memo_i \typecolon \MemoType)$ from $\TransmitPlaintext{i}$ + \Value_i \typecolon \ValueType, + \NoteUniqueRand_i \typecolon \PRFOutputSprout, + \NoteCommitRand_i \typecolon \NoteCommitTrapdoor{Sprout}, + \Memo_i \typecolon \MemoType)$ from $\TransmitPlaintext{i}$ \vspace{-0.5ex} \item if $\NotePlaintextLeadByte_i \neq \hexint{00}$ or $\NoteCommitment{Sprout}((\AuthPublic, \Value_i, \NoteUniqueRand_i, -\NoteCommitRand_i)) \neq \cm_i$, return $\bot$, else return $\NotePlaintext{i}$. + \NoteCommitRand_i)) \neq \cm_i$, return $\bot$, else return $\NotePlaintext{i}$. \end{formulae} -} \vspace{-0.5ex} \introlist 
@@ -7470,7 +7434,7 @@ are used, the text will clarify their position in each case. Define: \begin{formulae}[itemsep=0.2ex] - \item $\MerkleDepth{Sprout} \typecolon \Nat := \changed{29}$ + \item $\MerkleDepth{Sprout} \typecolon \Nat := 29$ \sapling{ \item $\MerkleDepth{Sapling} \typecolon \Nat := 32$ } %sapling @@ -7493,10 +7457,10 @@ Define: \item $\PRFOutputLengthExpand \typecolon \Nat := 512$ \item $\PRFOutputLengthNfSapling \typecolon \Nat := 256$ } %sapling - \item $\NoteCommitRandLength \typecolon \Nat := \changed{256}$ - \item $\changed{\RandomSeedLength \typecolon \Nat := 256}$ - \item $\AuthPrivateLength \typecolon \Nat := \changed{252}$ - \item $\changed{\NoteUniquePreRandLength \typecolon \Nat := 252}$ + \item $\NoteCommitRandLength \typecolon \Nat := 256$ + \item $\RandomSeedLength \typecolon \Nat := 256$ + \item $\AuthPrivateLength \typecolon \Nat := 252$ + \item $\NoteUniquePreRandLength \typecolon \Nat := 252$ \sapling{ \item $\SpendingKeyLength \typecolon \Nat := 256$ \item $\DiversifierLength \typecolon \Nat := 88$ @@ -7519,7 +7483,7 @@ Define: \vspace{-1ex} \item $\Uncommitted{Orchard} \typecolon \bitseq{\MerkleHashLength{Orchard}} := \ItoLEBSPOf{\MerkleHashLength{Orchard}}{2}$ } %nufive - \item $\MAXMONEY \typecolon \Nat := \changed{2.1 \smult 10^{15}}$ (\zatoshi) + \item $\MAXMONEY \typecolon \Nat := 2.1 \smult 10^{15}$ (\zatoshi) \blossom{ \item $\BlossomActivationHeight \typecolon \Nat := \begin{cases} 653600,&\squash\text{for \Mainnet} \\ @@ -7604,7 +7568,6 @@ $\MerkleCRH{Sprout}$. The ordering of bits within words in the interface to $\SHACompress$ is consistent with \cite[section 3.1]{NIST2015}, i.e.\ big-endian. -\changed{ \vspace{2ex} \EdSpecific uses \defining{\bigShaHash}: @@ -7614,7 +7577,6 @@ consistent with \cite[section 3.1]{NIST2015}, i.e.\ big-endian. \vspace{-2ex} The comment above concerning bit vs byte-sequence interfaces also applies to \bigShaHash. -} %changed \lsubsubsubsection{BLAKE2 Hash Functions}{concreteblake2} 
@@ -7760,7 +7722,6 @@ $\MerkleCRH{Orchard} \typecolon \MerkleLayer{Orchard} \times \MerkleHash{Orchard \newsavebox{\hsigbox} \begin{lrbox}{\hsigbox} -\setchanged \begin{bytefield}[bitwidth=0.04em]{1024} \sbitbox{256}{$256$-bit $\RandomSeed$} & \sbitbox{256}{\hfill $256$-bit $\nfOld{\mathrm{1}}$\hfill...\;} & @@ -7772,7 +7733,6 @@ $\MerkleCRH{Orchard} \typecolon \MerkleLayer{Orchard} \times \MerkleHash{Orchard \vspace{-2ex} $\hSigCRH$ is used to compute the value $\hSig$ in \crossref{joinsplitdesc}. -\changed{ \begin{formulae} \item $\hSigCRH(\RandomSeed, \nfOld{\allOld}, \joinSplitPubKey) := \BlakeTwobOf{256}{\ascii{ZcashComputehSig},\; \hSigInput}$ \end{formulae} @@ -7782,7 +7742,6 @@ where \begin{formulae} \item $\hSigInput := \Justthebox{\hsigbox}$. \end{formulae} -} \vspace{-1ex} $\BlakeTwobOf{256}{p, x}$ is defined in \crossref{concreteblake2}. @@ -8405,14 +8364,13 @@ $n = 200$). Let \shaCompress be as given in \crossref{concretesha256}. -The \pseudoRandomFunctions $\PRFaddr{}$, $\PRFnf{Sprout}{}$, $\PRFpk{}$\changed{, and $\PRFrho{}$} +The \pseudoRandomFunctions $\PRFaddr{}$, $\PRFnf{Sprout}{}$, $\PRFpk{}$, and $\PRFrho{}$ from \crossref{abstractprfs}, are all instantiated using \shaCompress: \newcommand{\iminusone}{\hspace{0.3pt}\scriptsize{$i$\hspace{0.6pt}-1}} \newsavebox{\addrbox} \begin{lrbox}{\addrbox} -\setchanged \begin{bytefield}[bitwidth=0.06em]{512} \sbitbox{18}{$1$} & \sbitbox{18}{$1$} & @@ -8426,7 +8384,6 @@ from \crossref{abstractprfs}, are all instantiated using \shaCompress: \newsavebox{\nfbox} \begin{lrbox}{\nfbox} -\setchanged \begin{bytefield}[bitwidth=0.06em]{512} \sbitbox{18}{$1$} & \sbitbox{18}{$1$} & @@ -8439,7 +8396,6 @@ from \crossref{abstractprfs}, are all instantiated using \shaCompress: \newsavebox{\pkbox} \begin{lrbox}{\pkbox} -\setchanged \begin{bytefield}[bitwidth=0.06em]{512} \sbitbox{18}{$0$} & \sbitbox{18}{\iminusone} & 
@@ -8452,7 +8408,6 @@ from \crossref{abstractprfs}, are all instantiated using \shaCompress: \newsavebox{\rhobox} \begin{lrbox}{\rhobox} -\setchanged \begin{bytefield}[bitwidth=0.06em]{512} \sbitbox{18}{$0$} & \sbitbox{18}{\iminusone} & @@ -8466,10 +8421,10 @@ from \crossref{abstractprfs}, are all instantiated using \shaCompress: \vspace{-3ex} \begin{equation*} \begin{aligned} -\setchanged \PRFaddr{x}(t) &\setchanged := \SHACompressBox{\addrbox} \\ +\PRFaddr{x}(t) &:= \SHACompressBox{\addrbox} \\ \PRFnf{Sprout}{\AuthPrivate}(\NoteUniqueRand) &:= \SHACompressBox{\nfbox} \\ -\PRFpk{\AuthPrivate}(i, \hSig) &:= \SHACompressBox{\pkbox} \\ -\setchanged \PRFrho{\NoteUniquePreRand}(i, \hSig) &\setchanged := \SHACompressBox{\rhobox} +\PRFpk{\AuthPrivate}(i, \hSig) &:= \SHACompressBox{\pkbox} \\ +\PRFrho{\NoteUniquePreRand}(i, \hSig) &:= \SHACompressBox{\rhobox} \end{aligned} \end{equation*} @@ -8481,7 +8436,6 @@ from \crossref{abstractprfs}, are all instantiated using \shaCompress: in the above diagrams, with input in the remaining bits. \end{securityrequirements} -\changed{ \pnote{ The first four bits --i.e.\ the most significant four bits of the first byte-- are used to separate distinct uses of \shaCompress, ensuring that the functions @@ -8495,8 +8449,7 @@ additional bit to $\AuthPrivate$ to encode a new key type, or that would have required an additional \xPRF.\sapling{ In fact since \Sapling switches to non-\shaCompress-based cryptographic primitives, these extensions are unlikely to be necessary.}) -} -} +} %pnote \newsavebox{\saplingockbox} @@ -8647,7 +8600,6 @@ PRF when keyed by its first argument, with its second argument as input. \introsection \lsubsubsection{Symmetric Encryption}{concretesym} -\changed{ Let $\Keyspace := \bitseq{256}$, $\Plaintext := \byteseqs$, and $\Ciphertext := \byteseqs$. Let the \symmetricEncryptionScheme $\SymEncrypt{\Key}(\Ptext)$ be authenticated encryption using 
@@ -8665,8 +8617,7 @@ or $\bot$ indicating failure to decrypt. The ``IETF" definition of $\SymSpecific$ from \cite{RFC-7539} is used; this has a $32$-bit block count and a $96$-bit nonce, rather than a $64$-bit block count and $64$-bit nonce as in the original definition of $\SymCipher$. -} -} %changed +} %pnote \nufive{ \lsubsubsection{Pseudo Random Permutations}{concreteprps} @@ -8692,7 +8643,6 @@ Define $\PRPd{K}(\Diversifier) := \FFOneAES{K}(\ascii{}, \Diversifier)$. \lsubsubsubsection{\SproutText{} Key Agreement}{concretesproutkeyagreement} -\changed{ $\KA{Sprout}$ is a \keyAgreementScheme as specified in \crossref{abstractkeyagreement}. It is instantiated as $\KASproutCurve$ key agreement, described in \cite{Bernstein2006}, @@ -8722,14 +8672,12 @@ Define $\KAFormatPrivate{Sprout}(x) := \KASproutCurveClamp(x)$. Define $\KADerivePublic{Sprout}(n, q) := \KASproutCurveMultiply(n, q)$. Define $\KAAgree{Sprout}(n, q) := \KASproutCurveMultiply(n, q)$. -} \introsection \lsubsubsubsection{\SproutText{} Key Derivation}{concretesproutkdf} \newsavebox{\kdftagbox} \begin{lrbox}{\kdftagbox} -\setchanged \begin{bytefield}[bitwidth=0.16em]{128} \sbitbox{64}{$64$-bit $\ascii{ZcashKDF}$} & \sbitbox{32}{$8$-bit $i\!-\!1$} & @@ -8739,7 +8687,6 @@ Define $\KAAgree{Sprout}(n, q) := \KASproutCurveMultiply(n, q)$. \newsavebox{\kdfinputbox} \begin{lrbox}{\kdfinputbox} -\setchanged \begin{bytefield}[bitwidth=0.04em]{1024} \sbitbox{256}{$256$-bit $\hSig$} & \sbitbox{256}{$256$-bit $\DHSecret{i}$} & @@ -8748,7 +8695,6 @@ Define $\KAAgree{Sprout}(n, q) := \KASproutCurveMultiply(n, q)$. \end{bytefield} \end{lrbox} -\changed{ $\KDF{Sprout}$ is a \keyDerivationFunction as specified in \crossref{abstractkdf}. It is instantiated using $\BlakeTwob{256}$ as follows: @@ -8763,7 +8709,6 @@ where: \item $\kdftag := \Justthebox{\kdftagbox}$ \item $\kdfinput := \Justthebox{\kdfinputbox}$. \end{formulae} -} $\BlakeTwobOf{256}{p, x}$ is defined in \crossref{concreteblake2}. 
@@ -8884,7 +8829,7 @@ $\BlakeTwobOf{256}{p, x}$ is defined in \crossref{concreteblake2}. \EdSpecific is a \signatureScheme as specified in \crossref{abstractsig}. It is used to instantiate $\JoinSplitSig$ as described in \crossref{sproutnonmalleability}. -\changed{Let $\ExcludedPointEncodings \typecolon \powerset{\byteseq{32}} = \{$ \\ +Let $\ExcludedPointEncodings \typecolon \powerset{\byteseq{32}} = \{$ \\ \scalebox{0.615}[0.7]{ \begin{tabular}{@{\hspace{1.5em}}l@{}} $\hexarray{00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00},$ \\ @@ -8917,9 +8862,9 @@ Define $\ItoLEOSP{}$, $\LEOStoBSP{}$, and $\LEBStoIP{}$ as in \crossref{endian}. Define $\reprBytesEdSpecific \typecolon \GroupEdSpecific \rightarrow \ReprEdSpecificBytes$ such that $\reprBytesEdSpecific\Of{x, y} = \ItoLEOSP{256}\big(y + 2^{255} \smult \tilde{x}\big)$, where -$\tilde{x} = x \bmod 2$.\footnotewithlabel{coordinatenames}{\changed{Here we use the $(x, y)$ naming of coordinates in +$\tilde{x} = x \bmod 2$.\footnotewithlabel{coordinatenames}{Here we use the $(x, y)$ naming of coordinates in \cite{BDLSY2012}, which is different from the $(u, \varv)$ naming used for coordinates of \ctEdwardsCurves -in \crossref{jubjub} and in \crossref{ecbackground}.}} +in \crossref{jubjub} and in \crossref{ecbackground}.} \introlist Define $\abstBytesEdSpecific \typecolon \ReprEdSpecificBytes \rightarrow \maybe{\GroupEdSpecific}$ such that @@ -8977,10 +8922,9 @@ considered invalid. \vspace{1ex} \introlist The encoding of an \EdSpecific signature is: -} + \newsavebox{\sigbox} \begin{lrbox}{\sigbox} -\setchanged \begin{bytefield}[bitwidth=0.075em]{512} \sbitbox{256}{$256$-bit $\EdDSAReprR{}$} & \sbitbox{256}{$256$-bit $\EdDSAReprS{}$} @@ -8991,7 +8935,6 @@ The encoding of an \EdSpecific signature is: \item $\Justthebox{\sigbox}$ \end{formulae} -\changed{ \vspace{-1ex} where $\EdDSAReprR{}$ and $\EdDSAReprS{}$ are as defined in \cite{BDLSY2012}. 
@@ -9012,7 +8955,6 @@ signature validation in \zcashd. exclude points of order less than $\ell$; however, not all such points were covered. It is possible, with due attention to detail, to reproduce this quirk without using libsodium~v1.0.15.} -} %changed \sapling{ @@ -9291,7 +9233,6 @@ $\ValueCommitRandBase{Orchard}$}. \newsavebox{\cmbox} \begin{lrbox}{\cmbox} -\setchanged \begin{bytefield}[bitwidth=0.027em]{840} \sbitbox{28}{$1$} & \sbitbox{28}{$0$} & @@ -9318,9 +9259,7 @@ instantiated using \shaHash as follows: \end{formulae} \vspace{-1ex} -\changed{\pnote{ -The leading byte of the \shaHash input is $\hexint{B0}$. -}} +\pnote{The leading byte of the \shaHash input is $\hexint{B0}$.} \begin{securityrequirements} \item \shaCompress must be \collisionResistant\!. @@ -9633,7 +9572,6 @@ $\GenG{1}$ and $\GenG{2}$ are generators of $\SubgroupG{1}$ and $\SubgroupG{2}$ \newsavebox{\gonebox} \begin{lrbox}{\gonebox} -\setchanged \begin{bytefield}[bitwidth=0.045em]{264} \sbitbox{20}{$0$} & \sbitbox{20}{$0$} & @@ -9649,7 +9587,6 @@ $\GenG{1}$ and $\GenG{2}$ are generators of $\SubgroupG{1}$ and $\SubgroupG{2}$ \newsavebox{\gtwobox} \begin{lrbox}{\gtwobox} -\setchanged \begin{bytefield}[bitwidth=0.045em]{520} \sbitbox{20}{$0$} & \sbitbox{20}{$0$} & @@ -10507,7 +10444,6 @@ the appropriate \network.} \newsavebox{\bctvbox} \begin{lrbox}{\bctvbox} -\setchanged \begin{bytefield}[bitwidth=0.021em]{2368} \sbitbox{264}{264-bit $\Proof{A}$} & \sbitbox{264}{264-bit $\Proof{A}'$} & 
@@ -10640,9 +10576,9 @@ The \notePlaintexts in a \joinSplitDescription are encrypted to the respective \transmissionKeys $\TransmitPublicNew{\allNew}$. Each \Sprout \notePlaintext (denoted $\NotePlaintext{}$) consists of: \begin{formulae} - \item $(\changed{\NotePlaintextLeadByte \typecolon \byte,\ } + \item $(\NotePlaintextLeadByte \typecolon \byte, \Value \typecolon \ValueType, \NoteUniqueRand \typecolon \PRFOutputSprout, -\NoteCommitRand \typecolon \NoteCommitOutput{Sprout}\changed{, \Memo \typecolon \MemoType})$ + \NoteCommitRand \typecolon \NoteCommitOutput{Sprout}, \Memo \typecolon \MemoType)$ \end{formulae} \saplingonward{ @@ -10656,7 +10592,7 @@ Each \Sapling \notePlaintext (denoted $\NotePlaintext{}$) consists of: \end{formulae} } -\changed{$\Memo$ is a $\MemoByteLength$-byte \memo associated with this \note. +$\Memo$ is a $\MemoByteLength$-byte \memo associated with this \note. \introlist The usage of the \memo is by agreement between the sender and recipient of the @@ -10676,7 +10612,6 @@ characters (\ReplacementCharacter). In other cases, the contents of the \memo \SHOULDNOT be displayed unless otherwise specified by \cite{ZIP-302}. -} Other fields are as defined in \crossref{notes}. 
@@ -10686,26 +10621,21 @@ The encoding of a \Sprout \notePlaintext consists of: \vspace{1ex} \begin{equation*} \begin{bytefield}[bitwidth=0.029em]{1672} -\changed{ - \sbitbox{220}{$8$-bit $\NotePlaintextLeadByte$} - &}\sbitbox{180}{$64$-bit $\Value$} & + \sbitbox{220}{$8$-bit $\NotePlaintextLeadByte$} & + \sbitbox{180}{$64$-bit $\Value$} & \sbitbox{256}{$256$-bit $\NoteUniqueRand$} & - \sbitbox{256}{\changed{$256$}-bit $\NoteCommitRand$} & - \changed{\sbitbox{800}{$\Memo$ ($\MemoByteLength$ bytes)}} + \sbitbox{256}{$256$-bit $\NoteCommitRand$} & + \sbitbox{800}{$\Memo$ ($\MemoByteLength$ bytes)} \end{bytefield} \end{equation*} \begin{itemize} -\changed{ \item A byte, $\hexint{00}$, indicating this version of the encoding of a \Sprout \notePlaintext. -} \item $8$ bytes specifying $\Value$. \item $32$ bytes specifying $\NoteUniqueRand$. - \item \changed{32} bytes specifying $\NoteCommitRand$. -\changed{ + \item $32$ bytes specifying $\NoteCommitRand$. \item $\MemoByteLength$ bytes specifying $\Memo$. -} \end{itemize} \sapling{ @@ -10736,7 +10666,7 @@ The encoding of a \Sapling \notePlaintext consists of: \lsubsection{Encodings of Addresses and Keys}{addressandkeyencoding} -This section describes how \Zcash encodes \shieldedPaymentAddresses\changed{, \incomingViewingKeys,} +This section describes how \Zcash encodes \shieldedPaymentAddresses, \incomingViewingKeys, and \spendingKeys. Addresses and keys can be encoded as a byte sequence; this is called 
@@ -10856,25 +10786,22 @@ The \rawEncoding of a \Sprout \shieldedPaymentAddress consists of: \vspace{1ex} \begin{equation*} \begin{bytefield}[bitwidth=0.07em]{520} -\changed{ - \sbitbox{80}{$8$-bit $\PaymentAddressLeadByte$} - \sbitbox{80}{$8$-bit $\PaymentAddressSecondByte$} - &}\sbitbox{256}{$256$-bit $\AuthPublic$} & - \sbitbox{256}{\changed{$256$}-bit $\TransmitPublic$} + \sbitbox{80}{$8$-bit $\PaymentAddressLeadByte$} & + \sbitbox{80}{$8$-bit $\PaymentAddressSecondByte$} & + \sbitbox{256}{$256$-bit $\AuthPublic$} & + \sbitbox{256}{$256$-bit $\TransmitPublic$} \end{bytefield} \end{equation*} \begin{itemize} -\changed{ \item Two bytes $[\PaymentAddressLeadByte, \PaymentAddressSecondByte]$, indicating this version of the \rawEncoding of a \Sprout \shieldedPaymentAddress on \Mainnet. (Addresses on \Testnet use $[\PaymentAddressTestnetLeadByte, \PaymentAddressTestnetSecondByte]$ instead.) -} \item $32$ bytes specifying $\AuthPublic$. - \item \changed{$32$ bytes} specifying $\TransmitPublic$, \changed{using the - normal encoding of a $\KASproutCurve$ \publicKey \cite{Bernstein2006}}. + \item $32$ bytes specifying $\TransmitPublic$, using the + normal encoding of a $\KASproutCurve$ \publicKey \cite{Bernstein2006}. \end{itemize} \pnote{ @@ -10887,7 +10814,6 @@ cause the first two characters of the \BaseFiftyEightCheck encoding to be fixed \lsubsubsubsection{\SproutText{} Incoming Viewing Keys}{sproutinviewingkeyencoding} -\changed{ Let $\KA{Sprout}$ be as defined in \crossref{concretesproutkeyagreement}. A \Sprout \defining{\incomingViewingKey} consists of $\AuthPublic \typecolon \PRFOutputSprout$ 
@@ -10900,21 +10826,18 @@ $\TransmitPrivate$ is a $\KAPrivate{Sprout}$ key, for use with the encryption sc \introlist The \rawEncoding of a \Sprout \incomingViewingKey consists of, in order: -} + \vspace{1ex} \begin{equation*} \begin{bytefield}[bitwidth=0.062em]{536} -\changed{ \sbitbox{88}{$8$-bit $\InViewingKeyLeadByte$} \sbitbox{88}{$8$-bit $\InViewingKeySecondByte$} \sbitbox{88}{$8$-bit $\InViewingKeyThirdByte$} \sbitbox{256}{$256$-bit $\AuthPublic$} \sbitbox{256}{$256$-bit $\TransmitPrivate$} -} \end{bytefield} \end{equation*} -\changed{ \vspace{-1ex} \begin{itemize} \item Three bytes $[\InViewingKeyLeadByte, \InViewingKeySecondByte, \InViewingKeyThirdByte]$, 
@@ -10933,54 +10856,46 @@ considered invalid if $\TransmitPrivate \neq \KAFormatPrivate{Sprout}(\TransmitP $\KAFormatPrivate{Sprout}$ is defined in \crossref{concretesproutkeyagreement}. -\pnote{ -For addresses on \Mainnet, the lead bytes and encoded length +\pnote{For addresses on \Mainnet, the lead bytes and encoded length cause the first four characters of the \BaseFiftyEightCheck encoding to be fixed as \ascii{ZiVK}. For \Testnet, the first four characters are fixed as -\ascii{ZiVt}.}} %changed +\ascii{ZiVt}.} \lsubsubsubsection{\SproutText{} Spending Keys}{sproutspendingkeyencoding} A \Sprout{} \defining{\spendingKey} consists of $\AuthPrivate$, which is a sequence of -\changed{$252$} bits (see \crossref{sproutkeycomponents}). +$252$ bits (see \crossref{sproutkeycomponents}). \introlist The \rawEncoding of a \Sprout \spendingKey consists of: \vspace{1ex} \begin{equation*} \begin{bytefield}[bitwidth=0.07em]{264} -\changed{ - \sbitbox{80}{$8$-bit $\SpendingKeyLeadByte$} - \sbitbox{80}{$8$-bit $\SpendingKeySecondByte$} + \sbitbox{80}{$8$-bit $\SpendingKeyLeadByte$} & + \sbitbox{80}{$8$-bit $\SpendingKeySecondByte$} & \sbitbox{32}{$\zeros{4}$} & - &}\sbitbox{252}{\changed{$252$}-bit $\AuthPrivate$} + \sbitbox{252}{$252$-bit $\AuthPrivate$} \end{bytefield} \end{equation*} \begin{itemize} -\changed{ \item Two bytes $[\SpendingKeyLeadByte, \SpendingKeySecondByte]$, indicating this version of the \rawEncoding of a \Zcash \spendingKey on \Mainnet. (Addresses on \Testnet use $[\SpendingKeyTestnetLeadByte, \SpendingKeyTestnetSecondByte]$ instead.) -} - \item $32$ bytes: \changed{$4$ zero padding bits and $252$ bits} specifying $\AuthPrivate$. + \item $32$ bytes: $4$ zero padding bits and $252$ bits specifying $\AuthPrivate$. \end{itemize} -\changed{ -The zero padding occupies the most significant 4 bits of the third byte. -} +The zero padding occupies the most significant $4$ bits of the third byte. 
\begin{pnotes} -\changed{ \item If an implementation represents $\AuthPrivate$ internally as a sequence of $32$ bytes with the $4$ bits of zero padding intact, it will be in the correct form for use as an input to $\PRFaddr{}$, $\PRFnf{Sprout}{}$, and $\PRFpk{}$ without need for bit-shifting. Future key representations may make use of these padding bits. -} \item For addresses on \Mainnet, the lead bytes and encoded length cause the first two characters of the \BaseFiftyEightCheck encoding to be fixed as \ascii{SK}. For \Testnet, the first two characters @@ -11585,7 +11500,7 @@ $\barerange{2}{4}$ & \Varies & $\nJoinSplit$ & \type{compactSize} & The number of \joinSplitDescriptions in $\vJoinSplit$.\! \\ \hline $\barerange{2}{3}$ & \Longunderstack{$1802 \mult$ \\ $\nJoinSplit$} & $\vJoinSplit$ & \type{JSDescriptionBCTV14}\!\! \type{[$\nJoinSplit$]} & -A \sequenceOfJoinSplitDescriptions{} using \BCTV proofs, encoded per \crossref{joinsplitencodingandconsensus}.\! \\ \hline +A sequence of \joinSplitDescriptions using \BCTV proofs, encoded per \crossref{joinsplitencodingandconsensus}.\! \\ \hline \setsapling $4$ &\setsapling \Longunderstack{$1698 \mult$ \\ $\nJoinSplit$} &\setsapling $\vJoinSplit$ &\saplingtype{JSDescriptionGroth16}\!\! \saplingtype{[$\nJoinSplit$]} &\setsapling A sequence of \joinSplitDescriptions using \Groth proofs, encoded per \crossref{joinsplitencodingandconsensus}.\! \\ \hline 
@@ -11967,40 +11882,40 @@ a \transaction as an instance of a \type{JoinSplitDescription} type as follows: Bytes & \heading{Name} & \heading{Data Type} & \heading{Description} \\ \hhline{|=|=|=|=|} -\setchanged 8 &\setchanged $\vpubOldField$ &\setchanged \type{uint64} &\mbox{}\setchanged +$8$ & $\vpubOldField$ & \type{uint64} & A value $\vpubOld$ that the \joinSplitTransfer removes from the \transparentTxValuePool. \\ \hline -$8$ & $\vpubNewField$ & \type{uint64} & A value $\vpubNew$ that the \joinSplitTransfer inserts -into the \transparentTxValuePool. \\ \hline +$8$ & $\vpubNewField$ & \type{uint64} & +A value $\vpubNew$ that the \joinSplitTransfer inserts into the \transparentTxValuePool. \\ \hline -$32$ & $\anchorField{}$ & \type{byte[32]} & A \merkleRoot $\rt{Sprout}$ of the \Sprout{} -\noteCommitmentTree at some \blockHeight in the past, or the \merkleRoot produced by a previous -\joinSplitTransfer in this \transaction. \\ \hline +$32$ & $\anchorField{}$ & \type{byte[32]} & +A \merkleRoot $\rt{Sprout}$ of the \Sprout{} \noteCommitmentTree at some \blockHeight in the past, +or the \merkleRoot produced by a previous \joinSplitTransfer in this \transaction. \\ \hline -$64$ & $\nullifiersField$ & \type{byte[32][$\NOld$]} & A sequence of \nullifiers of the input -\notes $\nfOld{\allOld}$. \\[0.4ex] \hline +$64$ & $\nullifiersField$ & \type{byte[32][$\NOld$]} & +A sequence of \nullifiers of the input \notes $\nfOld{\allOld}$. \\[0.4ex] \hline -$64$ & $\commitmentsField$ & \type{byte[32][$\NNew$]} & A sequence of \noteCommitments for the -output \notes $\cmNew{\allNew}$. \\ \hline +$64$ & $\commitmentsField$ & \type{byte[32][$\NNew$]} & +A sequence of \noteCommitments for the output \notes $\cmNew{\allNew}$. \\ \hline -\setchanged $32$ &\setchanged $\ephemeralKey$ &\setchanged \type{byte[32]} &\mbox{}\setchanged +$32$ & $\ephemeralKey$ & \type{byte[32]} & A $\KASproutCurve$ \publicKey $\EphemeralPublic$. 
\\ \hline -\setchanged $32$ &\setchanged $\randomSeed$ &\setchanged \type{byte[32]} &\mbox{}\setchanged +$32$ & $\randomSeed$ & \type{byte[32]} & A $256$-bit seed that must be chosen independently at random for each \joinSplitDescription. \\ \hline -$64$ & $\vmacs$ & \type{byte[32][$\NOld$]} & A sequence of message authentication tags -$\h{\allOld}$ binding $\hSig$ to each $\AuthPrivate$ of the $\joinSplitDescription$, -computed as described in \crossref{sproutnonmalleability}. \\ \hline +$64$ & $\vmacs$ & \type{byte[32][$\NOld$]} & +A sequence of message authentication tags $\h{\allOld}$ binding $\hSig$ to each $\AuthPrivate$ of the +$\joinSplitDescription$, computed as described in \crossref{sproutnonmalleability}. \\ \hline -$296\;\dagger$ & $\zkproof$ & \type{byte[296]} & An encoding of the \zkSNARKProof -$\ProofJoinSplit$ (see \crossref{bctv}). \\ \hline +$296\;\dagger$ & $\zkproof$ & \type{byte[296]} & +An encoding of the \zkSNARKProof $\ProofJoinSplit$ (see \crossref{bctv}). \\ \hline -$192\;\ddagger$ & $\zkproof$ & \type{byte[192]} & An encoding of the \zkSNARKProof -$\ProofJoinSplit$ (see \crossref{groth}). \\ \hline +$192\;\ddagger$ & $\zkproof$ & \type{byte[192]} & +An encoding of the \zkSNARKProof $\ProofJoinSplit$ (see \crossref{groth}). \\ \hline -$1202$ & $\encCiphertexts$ & \type{byte[601][$\NNew$]} & A sequence of ciphertext -components for the encrypted output \notes, $\TransmitCiphertext{\allNew}$. \\ \hline +$1202$ & $\encCiphertexts$ & \type{byte[601][$\NNew$]} & +A sequence of ciphertext components for the encrypted output \notes, $\TransmitCiphertext{\allNew}$. \\ \hline \end{tabularx} \end{center} 
@@ -12038,21 +11953,23 @@ a \transaction as an instance of a \type{SpendDescription} type as follows: Bytes & \heading{Name} & \heading{Data Type} & \heading{Description} \\ \hhline{|=|=|=|=|} -$32$ & $\cvField$ & \type{byte[32]} & A \valueCommitment to the value of the input \note, -$\LEBStoOSPOf{256}{\reprJ\Of{\cv}}$. \\ \hline +$32$ & $\cvField$ & \type{byte[32]} & +A \valueCommitment to the value of the input \note, $\LEBStoOSPOf{256}{\reprJ\Of{\cv}}$. \\ \hline -$32\nufive{\;\dagger}$ & $\anchorField{}$ & \type{byte[32]} & A \merkleRoot of the \Sapling \noteCommitmentTree -at some \blockHeight in the past, $\LEBStoOSPOf{256}{\rt{Sapling}}$. \\ \hline +$32\nufive{\;\dagger}$ & $\anchorField{}$ & \type{byte[32]} & +A \merkleRoot of the \Sapling \noteCommitmentTree at some \blockHeight in the past, $\LEBStoOSPOf{256}{\rt{Sapling}}$. \\ \hline -$32$ & $\nullifierField$ & \type{byte[32]} & The \nullifier of the input \note, $\nf$. \\ \hline +$32$ & $\nullifierField$ & \type{byte[32]} & +The \nullifier of the input \note, $\nf$. \\ \hline -$32$ & $\rkField$ & \type{byte[32]} & The randomized \validatingKey for $\spendAuthSigField$, -$\LEBStoOSPOf{256}{\reprJ\Of{\AuthSignRandomizedPublic}\kern 0.05em}$. \\ \hline +$32$ & $\rkField$ & \type{byte[32]} & +The randomized \validatingKey for $\spendAuthSigField$, $\LEBStoOSPOf{256}{\reprJ\Of{\AuthSignRandomizedPublic}\kern 0.05em}$. \\ \hline -$192\nufive{\;\dagger}$ & $\zkproof$ & \type{byte[192]} & An encoding of the \zkSNARKProof -$\ProofSpend$ (see \crossref{groth}). \\ \hline +$192\nufive{\;\dagger}$ & $\zkproof$ & \type{byte[192]} & +An encoding of the \zkSNARKProof $\ProofSpend$ (see \crossref{groth}). \\ \hline -$64\nufive{\;\dagger}$ & $\spendAuthSigField$ & \type{byte[64]} & A signature authorizing this Spend. \\ \hline +$64\nufive{\;\dagger}$ & $\spendAuthSigField$ & \type{byte[64]} & +A signature authorizing this Spend. \\ \hline \end{tabularx} \end{center} 
@@ -13651,6 +13568,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \historyentry{2021.1.20}{2021-03-18} \begin{itemize} \item Remove support for building the \Sprout-only specification (\texttt{sprout.pdf}). + \item Remove magenta highlighting of differences from \Zerocash. \end{itemize}