Cosmetics.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
bfc9ba5b21
commit
a1f90a56cf
|
@ -418,6 +418,11 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\collisionResistant}{collision\hyp resistant }
|
\newcommand{\collisionResistant}{collision\hyp resistant }
|
||||||
\newcommand{\collisionResistance}{collision resistance }
|
\newcommand{\collisionResistance}{collision resistance }
|
||||||
|
|
||||||
|
\newcommand{\keyPrivacy}{\term{key privacy}}
|
||||||
|
\newcommand{\xKeyPrivacy}{\term{Key privacy}}
|
||||||
|
\newcommand{\keyPrivate}{\term{key\hyp private}}
|
||||||
|
\newcommand{\xKeyPrivate}{\term{Key\hyp private}}
|
||||||
|
|
||||||
\newcommand{\note}{\term{note}}
|
\newcommand{\note}{\term{note}}
|
||||||
\newcommand{\notes}{\term{notes}}
|
\newcommand{\notes}{\term{notes}}
|
||||||
\newcommand{\Note}{\titleterm{Note}}
|
\newcommand{\Note}{\titleterm{Note}}
|
||||||
|
@ -983,7 +988,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\EphemeralPublic}{\mathsf{epk}}
|
\newcommand{\EphemeralPublic}{\mathsf{epk}}
|
||||||
\newcommand{\Repr}{\star}
|
\newcommand{\Repr}{\star}
|
||||||
\newcommand{\MakeRepr}[2]{{#1}\rlap{\raisebox{-0.32ex}{$\Repr$}}\rule{0ex}{2.2ex}^{#2}}
|
\newcommand{\MakeRepr}[2]{{#1}\rlap{\raisebox{-0.32ex}{$\Repr$}}\rule{0ex}{2.2ex}^{#2}}
|
||||||
\newcommand{\EphemeralPublicRepr}{\EphemeralPublic\Repr}
|
\newcommand{\EphemeralPublicRepr}{{\EphemeralPublic\Repr}}
|
||||||
\newcommand{\EphemeralPrivate}{\mathsf{esk}}
|
\newcommand{\EphemeralPrivate}{\mathsf{esk}}
|
||||||
\newcommand{\EphemeralPrivateBytes}{\bytes{\EphemeralPrivate}}
|
\newcommand{\EphemeralPrivateBytes}{\bytes{\EphemeralPrivate}}
|
||||||
\newcommand{\EphemeralPrivateBytesType}{\byteseq{32}}
|
\newcommand{\EphemeralPrivateBytesType}{\byteseq{32}}
|
||||||
|
@ -1002,15 +1007,15 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\AuthSignPrivate}{\mathsf{ask}}
|
\newcommand{\AuthSignPrivate}{\mathsf{ask}}
|
||||||
\newcommand{\AuthSignBase}{\mathcal{G}}
|
\newcommand{\AuthSignBase}{\mathcal{G}}
|
||||||
\newcommand{\AuthSignPublic}{\mathsf{ak}}
|
\newcommand{\AuthSignPublic}{\mathsf{ak}}
|
||||||
\newcommand{\AuthSignPublicRepr}{\AuthSignPublic\Repr}
|
\newcommand{\AuthSignPublicRepr}{{\AuthSignPublic\Repr}}
|
||||||
\newcommand{\AuthSignRandomizedPublic}{\mathsf{rk}}
|
\newcommand{\AuthSignRandomizedPublic}{\mathsf{rk}}
|
||||||
\newcommand{\AuthSignRandomizedPublicRepr}{\AuthSignRandomizedPublic\Repr}
|
\newcommand{\AuthSignRandomizedPublicRepr}{{\AuthSignRandomizedPublic\Repr}}
|
||||||
\newcommand{\AuthSignRandomizedPrivate}{\mathsf{rsk}}
|
\newcommand{\AuthSignRandomizedPrivate}{\mathsf{rsk}}
|
||||||
\newcommand{\AuthSignRandomizer}{\alpha}
|
\newcommand{\AuthSignRandomizer}{\alpha}
|
||||||
\newcommand{\AuthProvePrivate}{\mathsf{nsk}}
|
\newcommand{\AuthProvePrivate}{\mathsf{nsk}}
|
||||||
\newcommand{\AuthProveBase}{\mathcal{H}}
|
\newcommand{\AuthProveBase}{\mathcal{H}}
|
||||||
\newcommand{\AuthProvePublic}{\mathsf{nk}}
|
\newcommand{\AuthProvePublic}{\mathsf{nk}}
|
||||||
\newcommand{\AuthProvePublicRepr}{\AuthProvePublic\Repr}
|
\newcommand{\AuthProvePublicRepr}{{\AuthProvePublic\Repr}}
|
||||||
\newcommand{\OutViewingKey}{\mathsf{ovk}}
|
\newcommand{\OutViewingKey}{\mathsf{ovk}}
|
||||||
\newcommand{\OutViewingKeyLength}{\mathsf{\ell_{\OutViewingKey}}}
|
\newcommand{\OutViewingKeyLength}{\mathsf{\ell_{\OutViewingKey}}}
|
||||||
\newcommand{\OutViewingKeyType}{\byteseq{\OutViewingKeyLength/8}}
|
\newcommand{\OutViewingKeyType}{\byteseq{\OutViewingKeyLength/8}}
|
||||||
|
@ -1171,7 +1176,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\NoteCommitRandOld}[1]{\NoteCommitRand^\mathsf{old}_{#1}}
|
\newcommand{\NoteCommitRandOld}[1]{\NoteCommitRand^\mathsf{old}_{#1}}
|
||||||
\newcommand{\NoteCommitRandNew}[1]{\NoteCommitRand^\mathsf{new}_{#1}}
|
\newcommand{\NoteCommitRandNew}[1]{\NoteCommitRand^\mathsf{new}_{#1}}
|
||||||
\newcommand{\NoteAddressRand}{\mathsf{\uprho}}
|
\newcommand{\NoteAddressRand}{\mathsf{\uprho}}
|
||||||
\newcommand{\NoteAddressRandRepr}{\NoteAddressRand\Repr}
|
\newcommand{\NoteAddressRandRepr}{{\NoteAddressRand\Repr}}
|
||||||
\newcommand{\NoteAddressRandOld}[1]{\NoteAddressRand^\mathsf{old}_{#1}}
|
\newcommand{\NoteAddressRandOld}[1]{\NoteAddressRand^\mathsf{old}_{#1}}
|
||||||
\newcommand{\NoteAddressRandNew}[1]{\NoteAddressRand^\mathsf{new}_{#1}}
|
\newcommand{\NoteAddressRandNew}[1]{\NoteAddressRand^\mathsf{new}_{#1}}
|
||||||
\newcommand{\NoteAddressPreRand}{\mathsf{\upvarphi}}
|
\newcommand{\NoteAddressPreRand}{\mathsf{\upvarphi}}
|
||||||
|
@ -1898,7 +1903,7 @@ which proves that all of the following hold except with insignificant probabilit
|
||||||
|
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item The input and output values balance (individually for each \joinSplitTransfer).
|
\item The input and output values balance (individually for each \joinSplitTransfer).
|
||||||
\item For each input \note of non-zero value, some revealed \noteCommitment
|
\item For each input \note of nonzero value, some revealed \noteCommitment
|
||||||
exists for that \note.
|
exists for that \note.
|
||||||
\item The prover knew the private \spendingKeys of the input \notes.
|
\item The prover knew the private \spendingKeys of the input \notes.
|
||||||
\item The \nullifiers and \noteCommitments are computed correctly.
|
\item The \nullifiers and \noteCommitments are computed correctly.
|
||||||
|
@ -1918,7 +1923,7 @@ For each \shieldedInput,
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item \saplingonward{there is a revealed \valueCommitment to the same value as
|
\item \saplingonward{there is a revealed \valueCommitment to the same value as
|
||||||
the input \note;}
|
the input \note;}
|
||||||
\item if the value is non-zero, some revealed \noteCommitment exists for this \note;
|
\item if the value is nonzero, some revealed \noteCommitment exists for this \note;
|
||||||
\item the prover knew the \authProvingKey of the \note;
|
\item the prover knew the \authProvingKey of the \note;
|
||||||
\item the \nullifier and \noteCommitment are computed correctly.
|
\item the \nullifier and \noteCommitment are computed correctly.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
@ -2991,15 +2996,15 @@ with $\KASapling$ and derives keys for $\SymEncrypt{}$.
|
||||||
\begin{securityrequirements}
|
\begin{securityrequirements}
|
||||||
\item The asymmetric encryption scheme in \crossref{sproutinband}, constructed
|
\item The asymmetric encryption scheme in \crossref{sproutinband}, constructed
|
||||||
from $\KASprout$, $\KDFSprout$ and $\Sym$, is required to be IND-CCA2-secure
|
from $\KASprout$, $\KDFSprout$ and $\Sym$, is required to be IND-CCA2-secure
|
||||||
and key-private.
|
and \keyPrivate.
|
||||||
\item \sapling{
|
\item \sapling{
|
||||||
The asymmetric encryption scheme in \crossref{saplinginband}, constructed
|
The asymmetric encryption scheme in \crossref{saplinginband}, constructed
|
||||||
from $\KASapling$, $\KDFSapling$ and $\Sym$, is required to be IND-CCA2-secure
|
from $\KASapling$, $\KDFSapling$ and $\Sym$, is required to be IND-CCA2-secure
|
||||||
and key-private.
|
and \keyPrivate.
|
||||||
} %sapling
|
} %sapling
|
||||||
\end{securityrequirements}
|
\end{securityrequirements}
|
||||||
|
|
||||||
Key privacy is defined in \cite{BBDP2001}.
|
\xKeyPrivacy is defined in \cite{BBDP2001}.
|
||||||
} %notsprout
|
} %notsprout
|
||||||
|
|
||||||
|
|
||||||
|
@ -4613,7 +4618,7 @@ using the \sighashType $\SIGHASHALL$.
|
||||||
Let $\AuthSignPrivate$ be the \spendAuthPrivateKey as defined in \crossref{saplingkeycomponents}.
|
Let $\AuthSignPrivate$ be the \spendAuthPrivateKey as defined in \crossref{saplingkeycomponents}.
|
||||||
|
|
||||||
\vspace{2ex}
|
\vspace{2ex}
|
||||||
For each \spendDescription, the signer uses a fresh \spendAuthRandomizer $\AuthSignRandomizer$:
|
For each \spendDescription, the signer chooses a fresh \spendAuthRandomizer $\AuthSignRandomizer$:
|
||||||
|
|
||||||
\vspace{-1ex}
|
\vspace{-1ex}
|
||||||
\begin{enumerate}
|
\begin{enumerate}
|
||||||
|
@ -6906,6 +6911,7 @@ In order to support this property, we also define \quotedterm{homomorphic}
|
||||||
See \crossref{ccthomomorphiccommit} for rationale and efficient circuit implementation
|
See \crossref{ccthomomorphiccommit} for rationale and efficient circuit implementation
|
||||||
of this function.
|
of this function.
|
||||||
|
|
||||||
|
\introlist
|
||||||
\vspace{1ex}
|
\vspace{1ex}
|
||||||
Define:
|
Define:
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
|
@ -7024,11 +7030,14 @@ $\GenG{1}$ and $\GenG{2}$ are generators of $\SubgroupG{1}$ and $\SubgroupG{2}$
|
||||||
\end{bytefield}
|
\end{bytefield}
|
||||||
\end{lrbox}
|
\end{lrbox}
|
||||||
|
|
||||||
|
\introlist
|
||||||
Define $\ItoBEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow
|
Define $\ItoBEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow
|
||||||
\bitseq{\ell}$ as in \crossref{endian}.
|
\bitseq{\ell}$ as in \crossref{endian}.
|
||||||
|
|
||||||
\introlist
|
\introlist
|
||||||
|
\vspace{2ex}
|
||||||
For a point $P \typecolon \SubgroupGstar{1} = (\xP, \yP)$:
|
For a point $P \typecolon \SubgroupGstar{1} = (\xP, \yP)$:
|
||||||
|
\vspace{1ex}
|
||||||
|
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item The field elements $\xP$ and $\yP \typecolon \GF{q}$ are represented as
|
\item The field elements $\xP$ and $\yP \typecolon \GF{q}$ are represented as
|
||||||
|
@ -7038,8 +7047,10 @@ For a point $P \typecolon \SubgroupGstar{1} = (\xP, \yP)$:
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
\introlist
|
\introlist
|
||||||
|
\vspace{1ex}
|
||||||
For a point $P \typecolon \SubgroupGstar{2} = (\xP, \yP)$:
|
For a point $P \typecolon \SubgroupGstar{2} = (\xP, \yP)$:
|
||||||
|
|
||||||
|
\vspace{1ex}
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Define $\FEtoIP \typecolon \GF{\ParamG{q}}[t] / (t^2 + 1) \rightarrow
|
\item Define $\FEtoIP \typecolon \GF{\ParamG{q}}[t] / (t^2 + 1) \rightarrow
|
||||||
\range{0}{\ParamGexp{q}{2}\!-\!1}$ such that
|
\range{0}{\ParamGexp{q}{2}\!-\!1}$ such that
|
||||||
|
@ -7081,6 +7092,7 @@ For a point $P \typecolon \SubgroupGstar{2} = (\xP, \yP)$:
|
||||||
\cite[Appendix A.12.11]{IEEE2004} for $\SubgroupGstar{2}$.
|
\cite[Appendix A.12.11]{IEEE2004} for $\SubgroupGstar{2}$.
|
||||||
\end{nnotes}
|
\end{nnotes}
|
||||||
|
|
||||||
|
\vspace{2ex}
|
||||||
When computing square roots in $\GF{\ParamG{q}}$ or $\GF{\ParamGexp{q}{2}}$ in
|
When computing square roots in $\GF{\ParamG{q}}$ or $\GF{\ParamGexp{q}{2}}$ in
|
||||||
order to decompress a point encoding, the implementation \MUSTNOT assume that
|
order to decompress a point encoding, the implementation \MUSTNOT assume that
|
||||||
the square root exists, or that the encoding represents a point on the curve.
|
the square root exists, or that the encoding represents a point on the curve.
|
||||||
|
@ -7110,6 +7122,7 @@ the square root exists, or that the encoding represents a point on the curve.
|
||||||
\end{lrbox}
|
\end{lrbox}
|
||||||
|
|
||||||
\sapling{
|
\sapling{
|
||||||
|
\intropart
|
||||||
\subsubsubsection{\BLSRepresentedPairing} \label{blspairing}
|
\subsubsubsection{\BLSRepresentedPairing} \label{blspairing}
|
||||||
|
|
||||||
The \representedPairing $\BLSCurve$ is defined in this section. Parameters are taken from
|
The \representedPairing $\BLSCurve$ is defined in this section. Parameters are taken from
|
||||||
|
@ -11598,9 +11611,9 @@ $\range{0}{\MAXMONEY}$, but the \Sapling circuit uses $64$.}.
|
||||||
This can be straightforwardly implemented in ... constraints.
|
This can be straightforwardly implemented in ... constraints.
|
||||||
|
|
||||||
|
|
||||||
\introsection
|
|
||||||
\subsubsection{BLAKE2s hashes} \label{cctblake2s}
|
\subsubsection{BLAKE2s hashes} \label{cctblake2s}
|
||||||
|
|
||||||
|
\introlist
|
||||||
$\BlakeTwosGeneric$ is defined in \cite{ANWW2013}. Its main subcomponent is a
|
$\BlakeTwosGeneric$ is defined in \cite{ANWW2013}. Its main subcomponent is a
|
||||||
``$G$ function'', defined as follows:
|
``$G$ function'', defined as follows:
|
||||||
|
|
||||||
|
@ -11619,6 +11632,7 @@ $\BlakeTwosGeneric$ is defined in \cite{ANWW2013}. Its main subcomponent is a
|
||||||
\end{tabular}
|
\end{tabular}
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
|
\introlist
|
||||||
The following table is used to determine which message words the $x$ and $y$ arguments
|
The following table is used to determine which message words the $x$ and $y$ arguments
|
||||||
to $G$ are selected from:
|
to $G$ are selected from:
|
||||||
|
|
||||||
|
|
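Review bot: The security requirement rewritten as `and \keyPrivate.` in hunk `@ -2991,15 +2996,15` still leaves open which key-privacy notion is meant; \cite{BBDP2001} defines both a chosen-plaintext (IK-CPA) and a chosen-ciphertext (IK-CCA) variant, and since the same sentence demands IND-CCA2 security the CCA variant is presumably the one intended. I would pin this down in the sentence this commit changed to use the new macro, e.g. `\xKeyPrivacy is defined in \cite{BBDP2001}; the notion required above is the chosen-ciphertext variant (IK-CCA).`, assuming that is what the Sprout and Sapling analyses actually rely on. A minor style point on the macro additions in the first hunk: `\collisionResistant` carries a literal trailing space while the new `\keyPrivacy` family relies on `\term` to absorb the following space, so if `\term` does not end in `\xspace` the later `\xKeyPrivacy is defined` would run the words together; the definition of `\term` is outside this diff and worth checking.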