mirror of https://github.com/zcash/zips.git
Cosmetics.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent
bfc9ba5b21
commit
a1f90a56cf
|
@ -418,6 +418,11 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\collisionResistant}{collision\hyp resistant }
|
||||
\newcommand{\collisionResistance}{collision resistance }
|
||||
|
||||
\newcommand{\keyPrivacy}{\term{key privacy}}
|
||||
\newcommand{\xKeyPrivacy}{\term{Key privacy}}
|
||||
\newcommand{\keyPrivate}{\term{key\hyp private}}
|
||||
\newcommand{\xKeyPrivate}{\term{Key\hyp private}}
|
||||
|
||||
\newcommand{\note}{\term{note}}
|
||||
\newcommand{\notes}{\term{notes}}
|
||||
\newcommand{\Note}{\titleterm{Note}}
|
||||
|
@ -983,7 +988,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\EphemeralPublic}{\mathsf{epk}}
|
||||
\newcommand{\Repr}{\star}
|
||||
\newcommand{\MakeRepr}[2]{{#1}\rlap{\raisebox{-0.32ex}{$\Repr$}}\rule{0ex}{2.2ex}^{#2}}
|
||||
\newcommand{\EphemeralPublicRepr}{\EphemeralPublic\Repr}
|
||||
\newcommand{\EphemeralPublicRepr}{{\EphemeralPublic\Repr}}
|
||||
\newcommand{\EphemeralPrivate}{\mathsf{esk}}
|
||||
\newcommand{\EphemeralPrivateBytes}{\bytes{\EphemeralPrivate}}
|
||||
\newcommand{\EphemeralPrivateBytesType}{\byteseq{32}}
|
||||
|
@ -1002,15 +1007,15 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\AuthSignPrivate}{\mathsf{ask}}
|
||||
\newcommand{\AuthSignBase}{\mathcal{G}}
|
||||
\newcommand{\AuthSignPublic}{\mathsf{ak}}
|
||||
\newcommand{\AuthSignPublicRepr}{\AuthSignPublic\Repr}
|
||||
\newcommand{\AuthSignPublicRepr}{{\AuthSignPublic\Repr}}
|
||||
\newcommand{\AuthSignRandomizedPublic}{\mathsf{rk}}
|
||||
\newcommand{\AuthSignRandomizedPublicRepr}{\AuthSignRandomizedPublic\Repr}
|
||||
\newcommand{\AuthSignRandomizedPublicRepr}{{\AuthSignRandomizedPublic\Repr}}
|
||||
\newcommand{\AuthSignRandomizedPrivate}{\mathsf{rsk}}
|
||||
\newcommand{\AuthSignRandomizer}{\alpha}
|
||||
\newcommand{\AuthProvePrivate}{\mathsf{nsk}}
|
||||
\newcommand{\AuthProveBase}{\mathcal{H}}
|
||||
\newcommand{\AuthProvePublic}{\mathsf{nk}}
|
||||
\newcommand{\AuthProvePublicRepr}{\AuthProvePublic\Repr}
|
||||
\newcommand{\AuthProvePublicRepr}{{\AuthProvePublic\Repr}}
|
||||
\newcommand{\OutViewingKey}{\mathsf{ovk}}
|
||||
\newcommand{\OutViewingKeyLength}{\mathsf{\ell_{\OutViewingKey}}}
|
||||
\newcommand{\OutViewingKeyType}{\byteseq{\OutViewingKeyLength/8}}
|
||||
|
@ -1171,7 +1176,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\NoteCommitRandOld}[1]{\NoteCommitRand^\mathsf{old}_{#1}}
|
||||
\newcommand{\NoteCommitRandNew}[1]{\NoteCommitRand^\mathsf{new}_{#1}}
|
||||
\newcommand{\NoteAddressRand}{\mathsf{\uprho}}
|
||||
\newcommand{\NoteAddressRandRepr}{\NoteAddressRand\Repr}
|
||||
\newcommand{\NoteAddressRandRepr}{{\NoteAddressRand\Repr}}
|
||||
\newcommand{\NoteAddressRandOld}[1]{\NoteAddressRand^\mathsf{old}_{#1}}
|
||||
\newcommand{\NoteAddressRandNew}[1]{\NoteAddressRand^\mathsf{new}_{#1}}
|
||||
\newcommand{\NoteAddressPreRand}{\mathsf{\upvarphi}}
|
||||
|
@ -1898,7 +1903,7 @@ which proves that all of the following hold except with insignificant probabilit
|
|||
|
||||
\begin{itemize}
|
||||
\item The input and output values balance (individually for each \joinSplitTransfer).
|
||||
\item For each input \note of non-zero value, some revealed \noteCommitment
|
||||
\item For each input \note of nonzero value, some revealed \noteCommitment
|
||||
exists for that \note.
|
||||
\item The prover knew the private \spendingKeys of the input \notes.
|
||||
\item The \nullifiers and \noteCommitments are computed correctly.
|
||||
|
@ -1918,7 +1923,7 @@ For each \shieldedInput,
|
|||
\begin{itemize}
|
||||
\item \saplingonward{there is a revealed \valueCommitment to the same value as
|
||||
the input \note;}
|
||||
\item if the value is non-zero, some revealed \noteCommitment exists for this \note;
|
||||
\item if the value is nonzero, some revealed \noteCommitment exists for this \note;
|
||||
\item the prover knew the \authProvingKey of the \note;
|
||||
\item the \nullifier and \noteCommitment are computed correctly.
|
||||
\end{itemize}
|
||||
|
@ -2991,15 +2996,15 @@ with $\KASapling$ and derives keys for $\SymEncrypt{}$.
|
|||
\begin{securityrequirements}
|
||||
\item The asymmetric encryption scheme in \crossref{sproutinband}, constructed
|
||||
from $\KASprout$, $\KDFSprout$ and $\Sym$, is required to be IND-CCA2-secure
|
||||
and key-private.
|
||||
and \keyPrivate.
|
||||
\item \sapling{
|
||||
The asymmetric encryption scheme in \crossref{saplinginband}, constructed
|
||||
from $\KASapling$, $\KDFSapling$ and $\Sym$, is required to be IND-CCA2-secure
|
||||
and key-private.
|
||||
and \keyPrivate.
|
||||
} %sapling
|
||||
\end{securityrequirements}
|
||||
|
||||
Key privacy is defined in \cite{BBDP2001}.
|
||||
\xKeyPrivacy is defined in \cite{BBDP2001}.
|
||||
} %notsprout
|
||||
|
||||
|
||||
|
@ -4613,7 +4618,7 @@ using the \sighashType $\SIGHASHALL$.
|
|||
Let $\AuthSignPrivate$ be the \spendAuthPrivateKey as defined in \crossref{saplingkeycomponents}.
|
||||
|
||||
\vspace{2ex}
|
||||
For each \spendDescription, the signer uses a fresh \spendAuthRandomizer $\AuthSignRandomizer$:
|
||||
For each \spendDescription, the signer chooses a fresh \spendAuthRandomizer $\AuthSignRandomizer$:
|
||||
|
||||
\vspace{-1ex}
|
||||
\begin{enumerate}
|
||||
|
@ -6906,6 +6911,7 @@ In order to support this property, we also define \quotedterm{homomorphic}
|
|||
See \crossref{ccthomomorphiccommit} for rationale and efficient circuit implementation
|
||||
of this function.
|
||||
|
||||
\introlist
|
||||
\vspace{1ex}
|
||||
Define:
|
||||
\begin{formulae}
|
||||
|
@ -7024,11 +7030,14 @@ $\GenG{1}$ and $\GenG{2}$ are generators of $\SubgroupG{1}$ and $\SubgroupG{2}$
|
|||
\end{bytefield}
|
||||
\end{lrbox}
|
||||
|
||||
\introlist
|
||||
Define $\ItoBEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow
|
||||
\bitseq{\ell}$ as in \crossref{endian}.
|
||||
|
||||
\introlist
|
||||
\vspace{2ex}
|
||||
For a point $P \typecolon \SubgroupGstar{1} = (\xP, \yP)$:
|
||||
\vspace{1ex}
|
||||
|
||||
\begin{itemize}
|
||||
\item The field elements $\xP$ and $\yP \typecolon \GF{q}$ are represented as
|
||||
|
@ -7038,8 +7047,10 @@ For a point $P \typecolon \SubgroupGstar{1} = (\xP, \yP)$:
|
|||
\end{itemize}
|
||||
|
||||
\introlist
|
||||
\vspace{1ex}
|
||||
For a point $P \typecolon \SubgroupGstar{2} = (\xP, \yP)$:
|
||||
|
||||
\vspace{1ex}
|
||||
\begin{itemize}
|
||||
\item Define $\FEtoIP \typecolon \GF{\ParamG{q}}[t] / (t^2 + 1) \rightarrow
|
||||
\range{0}{\ParamGexp{q}{2}\!-\!1}$ such that
|
||||
|
@ -7081,6 +7092,7 @@ For a point $P \typecolon \SubgroupGstar{2} = (\xP, \yP)$:
|
|||
\cite[Appendix A.12.11]{IEEE2004} for $\SubgroupGstar{2}$.
|
||||
\end{nnotes}
|
||||
|
||||
\vspace{2ex}
|
||||
When computing square roots in $\GF{\ParamG{q}}$ or $\GF{\ParamGexp{q}{2}}$ in
|
||||
order to decompress a point encoding, the implementation \MUSTNOT assume that
|
||||
the square root exists, or that the encoding represents a point on the curve.
|
||||
|
@ -7110,6 +7122,7 @@ the square root exists, or that the encoding represents a point on the curve.
|
|||
\end{lrbox}
|
||||
|
||||
\sapling{
|
||||
\intropart
|
||||
\subsubsubsection{\BLSRepresentedPairing} \label{blspairing}
|
||||
|
||||
The \representedPairing $\BLSCurve$ is defined in this section. Parameters are taken from
|
||||
|
@ -11598,9 +11611,9 @@ $\range{0}{\MAXMONEY}$, but the \Sapling circuit uses $64$.}.
|
|||
This can be straightforwardly implemented in ... constraints.
|
||||
|
||||
|
||||
\introsection
|
||||
\subsubsection{BLAKE2s hashes} \label{cctblake2s}
|
||||
|
||||
\introlist
|
||||
$\BlakeTwosGeneric$ is defined in \cite{ANWW2013}. Its main subcomponent is a
|
||||
``$G$ function'', defined as follows:
|
||||
|
||||
|
@ -11619,6 +11632,7 @@ $\BlakeTwosGeneric$ is defined in \cite{ANWW2013}. Its main subcomponent is a
|
|||
\end{tabular}
|
||||
\end{formulae}
|
||||
|
||||
\introlist
|
||||
The following table is used to determine which message words the $x$ and $y$ arguments
|
||||
to $G$ are selected from:
|
||||
|
||||
|
|
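Review bot: In the hunk at `-2991,15 +2996,15`, both security-requirement items now read "IND-CCA2-secure and `\keyPrivate`", but neither says which key-privacy notion is required; the sentence after the list only points to `\cite{BBDP2001}`. If that key refers to the Bellare–Boldyreva–Desai–Pointcheval paper, it defines a chosen-plaintext (IK-CPA) and a chosen-ciphertext (IK-CCA) variant, so an implementer or auditor cannot tell from this text which one the in-band encryption must meet. Because the requirement is paired with IND-CCA2, I would name the variant in the text, for example `and \keyPrivate{} (in the IK-CCA sense of \cite{BBDP2001}).`, once the authors confirm that this is the intended notion. Separately, the hunk at `-4613,7 +4618,7` changes "uses a fresh" to "chooses a fresh" for `$\AuthSignRandomizer$` in a commit titled "Cosmetics."; the `enumerate` that follows starts inside the hunk and continues outside it, so it is not visible here whether the text states that the randomizer is sampled uniformly at random, which is worth checking.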