Delete some 'new' superscripts that only added notational clutter.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2020-06-26 18:58:17 +01:00
parent 3567634837
commit a3e4403f50
1 changed files with 53 additions and 44 deletions


@ -1206,6 +1206,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\PtoPKHAddressTestnetSecondByte}{\hexint{25}}
\newcommand{\NotePlaintextLeadByte}{\mathsf{leadByte}}
\newcommand{\AuthPublic}{\mathsf{a_{pk}}}
\newcommand{\AuthPublicSub}[1]{\mathsf{a_{pk,\mathnormal{#1}}}}
\newcommand{\AuthPrivate}{\mathsf{a_{sk}}}
\newcommand{\AuthPrivateSup}[1]{\mathsf{a^\mathrm{#1}_{sk}}}
\newcommand{\AuthPrivateLength}{\mathsf{\ell_{\AuthPrivate}}}
@ -1231,6 +1232,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\TransmitPublic}{\mathsf{pk_{enc}}}
\newcommand{\TransmitPublicSup}[1]{\mathsf{pk}^{#1}_\mathsf{enc}}
\newcommand{\TransmitPublicNew}[1]{\mathsf{pk^{new}_{\enc,\mathnormal{#1}}}}
\newcommand{\TransmitPublicSub}[1]{\mathsf{pk_{\enc,\mathnormal{#1}}}}
\newcommand{\TransmitPrivate}{\mathsf{sk_{enc}}}
\newcommand{\TransmitPrivateSup}[1]{\mathsf{sk}^{#1}_\mathsf{enc}}
\newcommand{\TransmitBase}{\mathsf{g}}
@ -1307,13 +1309,13 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\CommitInput}{\CommitAlg\mathsf{.Input}}
\newcommand{\CommitOutput}{\CommitAlg\mathsf{.Output}}
\newcommand{\NoteCommitSproutAlg}{\mathsf{\sprout{COMM}\notsprout{NoteCommit}}^{\mathsf{Sprout}}}
\newcommand{\NoteCommitSprout}[1]{\NoteCommitSproutAlg_{#1}}
\newcommand{\NoteCommitSprout}[1]{\NoteCommitSproutAlg_{\vphantom{l}#1}}
\newcommand{\NoteCommitSproutTrapdoor}{\NoteCommitSproutAlg\mathsf{.Trapdoor}}
\newcommand{\NoteCommitSproutGenTrapdoor}{\NoteCommitSproutAlg\mathsf{.GenTrapdoor}}
\newcommand{\NoteCommitSproutInput}{\NoteCommitSproutAlg\mathsf{.Input}}
\newcommand{\NoteCommitSproutOutput}{\NoteCommitSproutAlg\mathsf{.Output}}
\newcommand{\NoteCommitSaplingAlg}{\mathsf{NoteCommit}^{\mathsf{Sapling}}}
\newcommand{\NoteCommitSapling}[1]{\NoteCommitSaplingAlg_{#1}}
\newcommand{\NoteCommitSapling}[1]{\NoteCommitSaplingAlg_{\vphantom{l}#1}}
\newcommand{\NoteCommitSaplingTrapdoor}{\NoteCommitSaplingAlg\mathsf{.Trapdoor}}
\newcommand{\NoteCommitSaplingTrapdoorBytes}{\byteseq{32}}
\newcommand{\NoteCommitSaplingGenTrapdoor}{\NoteCommitSaplingAlg\mathsf{.GenTrapdoor}}
@ -4383,17 +4385,17 @@ uniformly at random on $\bitseq{\NoteAddressPreRandLength}$.}
Then it creates each output \note with index $i \typecolon \setofNew$:
\begin{itemize}
\item Choose uniformly random $\NoteCommitRandNew{i} \leftarrowR \NoteCommitSproutGenTrapdoor()$.
\item Choose uniformly random $\NoteCommitRand_i \leftarrowR \NoteCommitSproutGenTrapdoor()$.
\changed{
\item Compute $\NoteAddressRandNew{i} = \PRFrho{\NoteAddressPreRand}(i, \hSig)$.
\item Compute $\NoteAddressRand_i = \PRFrho{\NoteAddressPreRand}(i, \hSig)$.
}
\item Compute $\cmNew{i} =
\NoteCommitSprout{\NoteCommitRandNew{i}}(\AuthPublicNew{i}, \ValueNew{i}, \NoteAddressRandNew{i})$.
\item Let $\NotePlaintext{i} = (\ValueNew{i}, \NoteAddressRandNew{i}, \NoteCommitRandNew{i}, \Memo_i)$.
\item Compute $\cm_i =
\NoteCommitSprout{\NoteCommitRand_i}(\AuthPublicSub{i}, \Value_i, \NoteAddressRand_i)$.
\item Let $\NotePlaintext{i} = (\Value_i, \NoteAddressRand_i, \NoteCommitRand_i, \Memo_i)$.
\end{itemize}
$\NotePlaintext{\allNew}$ are then encrypted to the recipient \transmissionKeys
$\TransmitPublicNew{\allNew}$, giving the \notesCiphertext
$\TransmitPublicSub{\allNew}$, giving the \notesCiphertext
$(\EphemeralPublic, \TransmitCiphertext{\allNew})$, as described in \crossref{sproutinband}.
In order to minimize information leakage, the sender \SHOULD randomize the order
@ -4454,7 +4456,7 @@ if $\BlockHeight \geq \CanopyActivationHeight$.
\introlist
\vspace{2ex}
For each \outputDescription, the sender selects a value $\ValueNew{} \typecolon \range{0}{\MAXMONEY}$
For each \outputDescription, the sender selects a value $\Value \typecolon \range{0}{\MAXMONEY}$
and a destination \Sapling{} \paymentAddress $(\Diversifier, \DiversifiedTransmitPublic)$, and then
performs the following steps:
@ -4467,14 +4469,14 @@ performs the following steps:
\item Calculate $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$
and check that $\DiversifiedTransmitBase \neq \bot$.
\item Choose a uniformly random \commitmentTrapdoor $\ValueCommitRandNew{} \leftarrowR \ValueCommitGenTrapdoor()$.
\item Choose a uniformly random \commitmentTrapdoor $\ValueCommitRand \leftarrowR \ValueCommitGenTrapdoor()$.
\canopy{
\item If $\NotePlaintextLeadByte = \hexint{01}$:
}
\item \canopy{\tab} Choose a uniformly random \ephemeralPrivateKey $\EphemeralPrivate \leftarrowR \KASaplingPrivate \setminus \setof{0}$.
\item \canopy{\tab} Choose a uniformly random \commitmentTrapdoor $\NoteCommitRand \leftarrowR \NoteCommitSaplingGenTrapdoor()$.
\item \canopy{\tab} Set $\canopy{\NoteSeedBytes :=} \NoteCommitRandBytes := \LEBStoOSPOf{256}{\ItoLEBSP{256}(\NoteCommitRandNew{})\kern-0.12em}$.
\item \canopy{\tab} Set $\canopy{\NoteSeedBytes :=\ } \NoteCommitRandBytes := \LEBStoOSPOf{256}{\ItoLEBSP{256}(\NoteCommitRand)\kern-0.12em}$.
\canopy{
\item else:
\item \tab Choose uniformly random $\NoteSeedBytes \leftarrowR \NoteSeedBytesType$.
@ -4485,13 +4487,13 @@ performs the following steps:
\item Calculate
\begin{tabular}{@{\hskip 2em}r@{\;}l}
$\cvNew{}$ &$:= \ValueCommit{\ValueCommitRandNew{}}(\ValueNew{})$ \\[1ex]
$\cmNew{}$ &$:= \NoteCommitSapling{\NoteCommitRandNew{}}(\reprJ\Of{\DiversifiedTransmitBase},
\reprJ\Of{\DiversifiedTransmitPublic},
\ValueNew{})$
$\cv$ &$:= \ValueCommit{\ValueCommitRand}(\Value)$ \\[1ex]
$\cm$ &$:= \NoteCommitSapling{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase},
\reprJ\Of{\DiversifiedTransmitPublic},
\Value)$
\end{tabular}
\item Let $\NotePlaintext{} = (\NotePlaintextLeadByte, \Diversifier, \ValueNew{}, \NoteCommitRandBytesOrSeedBytes, \Memo)$.
\item Let $\NotePlaintext{} = (\NotePlaintextLeadByte, \Diversifier, \Value, \NoteCommitRandBytesOrSeedBytes, \Memo)$.
\item Encrypt $\NotePlaintext{}$ to the recipient
\diversifiedTransmissionKey $\DiversifiedTransmitPublic$ with
@ -4499,12 +4501,12 @@ performs the following steps:
\outgoingViewingKey $\OutViewingKey$, giving the \noteCiphertext
$(\EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext)$.
This procedure is described in \crossref{saplingencrypt}; it also uses
$\cvNew{}$ and $\cmNew{}$ to derive the \outgoingCipherKey, and takes
$\cv$ and $\cm$ to derive the \outgoingCipherKey, and takes
$\EphemeralPrivate$ as an input.
\item Generate a proof $\ProofOutput$ for the \outputStatement in \crossref{outputstatement}.
\item Return $(\cvNew{}, \cmNew{}, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \ProofOutput)$.
\item Return $(\cv, \cm, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \ProofOutput)$.
\end{algorithm}
In order to minimize information leakage, the sender \SHOULD randomize the order
@ -5398,7 +5400,7 @@ For both encryption and decryption,
Let $\KASprout$ be the \keyAgreementScheme instantiated in \crossref{concretesproutkeyagreement}.
Let $\TransmitPublicNew{\allNew}$ be the \transmissionKeys
Let $\TransmitPublicSub{\allNew}$ be the \transmissionKeys
for the intended recipient addresses of each new \note.
Let $\NotePlaintext{\allNew}$ be \SproutOrNothing{} \notePlaintexts
@ -5416,9 +5418,9 @@ $(\EphemeralPublic, \EphemeralPrivate)$.
\begin{itemize}
\item Let $\TransmitPlaintext{i}$ be the \rawEncoding of $\NotePlaintext{i}$.
\item Let $\DHSecret{i} := \KASproutAgree(\EphemeralPrivate,
\TransmitPublicNew{i})$.
\TransmitPublicSub{i})$.
\item Let $\TransmitKey{i} := \KDFSprout(i, \hSig, \DHSecret{i}, \EphemeralPublic,
\TransmitPublicNew{i})$.
\TransmitPublicSub{i})$.
\item Let $\TransmitCiphertext{i} :=
\SymEncrypt{\TransmitKey{i}}(\TransmitPlaintext{i})$.
\end{itemize}
@ -5445,7 +5447,7 @@ Let $\InViewingKey = (\AuthPublic, \TransmitPrivate)$ be the recipient's \incomi
and let $\TransmitPublic$ be the corresponding \transmissionKey derived from
$\TransmitPrivate$ as specified in \crossref{sproutkeycomponents}.
Let $\cmNew{\allNew}$ be the \noteCommitments of each output coin.
Let $\cm_{\allNew}$ be the \noteCommitments of each output coin.
\introsection
\vspace{0.5ex}
@ -5458,24 +5460,24 @@ component $(\EphemeralPublic, \TransmitCiphertext{i})$ as follows:
\item let $\DHSecret{i} = \KASproutAgree(\TransmitPrivate, \EphemeralPublic)$
\item let $\TransmitKey{i} = \KDFSprout(i, \hSig, \DHSecret{i}, \EphemeralPublic,
\TransmitPublic)$
\item return $\DecryptNoteSprout(\TransmitKey{i}, \TransmitCiphertext{i}, \cmNew{i},
\item return $\DecryptNoteSprout(\TransmitKey{i}, \TransmitCiphertext{i}, \cm_i,
\AuthPublic).$
\end{formulae}
\introlist
$\DecryptNoteSprout(\TransmitKey{i}, \TransmitCiphertext{i}, \cmNew{i}, \AuthPublic)$
$\DecryptNoteSprout(\TransmitKey{i}, \TransmitCiphertext{i}, \cm_i, \AuthPublic)$
is defined as follows:
\begin{formulae}
\item let $\TransmitPlaintext{i} =
\SymDecrypt{\TransmitKey{i}}(\TransmitCiphertext{i})$
\item if $\TransmitPlaintext{i} = \bot$, return $\bot$
\item extract $\NotePlaintext{i} = (\ValueNew{i} \typecolon \ValueType,
\NoteAddressRandNew{i} \typecolon \PRFOutputSprout,
\NoteCommitRandNew{i} \typecolon \NoteCommitSproutTrapdoor,
\item extract $\NotePlaintext{i} = (\Value_i \typecolon \ValueType,
\NoteAddressRand_i \typecolon \PRFOutputSprout,
\NoteCommitRand_i \typecolon \NoteCommitSproutTrapdoor,
\Memo_i \typecolon \MemoType)$ from $\TransmitPlaintext{i}$
\item if $\NoteCommitmentSprout((\AuthPublic, \ValueNew{i}, \NoteAddressRandNew{i},
\NoteCommitRandNew{i})) \neq \cmNew{i}$, return $\bot$, else return $\NotePlaintext{i}$.
\item if $\NoteCommitmentSprout((\AuthPublic, \Value_i, \NoteAddressRand_i,
\NoteCommitRand_i)) \neq \cm_i$, return $\bot$, else return $\NotePlaintext{i}$.
\end{formulae}
}
@ -5535,13 +5537,13 @@ For both encryption and decryption,
\sapling{
\lsubsubsection{Encryption (\SaplingText)}{saplingencrypt}
Let $\DiversifiedTransmitPublicNew \typecolon \KASaplingPublicPrimeOrder$ be the
Let $\DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeOrder$ be the
\diversifiedTransmissionKey for the intended recipient address of a new \Sapling{} \note,
and let $\DiversifiedTransmitBaseNew \typecolon \KASaplingPublicPrimeOrder$ be the corresponding
and let $\DiversifiedTransmitBase \typecolon \KASaplingPublicPrimeOrder$ be the corresponding
\diversifiedBase computed as $\DiversifyHash(\Diversifier)$.
Since \Sapling{} \note encryption is used only in the context of \crossref{saplingsend}, we may assume that
$\DiversifiedTransmitBaseNew$ has already been calculated and is not $\bot$. Also, the \ephemeralPrivateKey
$\DiversifiedTransmitBase$ has already been calculated and is not $\bot$. Also, the \ephemeralPrivateKey
$\EphemeralPrivate$ has been chosen.
Let $\OutViewingKey \typecolon \maybe{\OutViewingKeyType}$ be as described in \crossref{saplingsend},
@ -5553,7 +5555,7 @@ be the \Sapling{} \notePlaintext.
$\NotePlaintext{}$ is encoded as defined in \crossref{notept}.
Let $\cvNew{}$ be the \valueCommitment for the new \note, and let $\cmNew{}$ be the \noteCommitment.
Let $\cv$ be the \valueCommitment for the new \note, and let $\cm$ be the \noteCommitment.
(These are needed to derive the \defining{\outgoingCipherKey} $\OutCipherKey$ in order to produce the
\defining{\outputCiphertext} $\OutCiphertext$.)
@ -5563,19 +5565,19 @@ Then to encrypt:
\begin{algorithm}
\vspace{-0.5ex}
\item let $\TransmitPlaintext{}$ be the \rawEncoding of $\NotePlaintext{}$
\item let $\EphemeralPublic = \KASaplingDerivePublic(\EphemeralPrivate, \DiversifiedTransmitBaseNew)$
\item let $\DHSecret{} = \KASaplingAgree(\EphemeralPrivate, \DiversifiedTransmitPublicNew)$
\item let $\EphemeralPublic = \KASaplingDerivePublic(\EphemeralPrivate, \DiversifiedTransmitBase)$
\item let $\DHSecret{} = \KASaplingAgree(\EphemeralPrivate, \DiversifiedTransmitPublic)$
\item let $\TransmitKey{} = \KDFSapling(\DHSecret{}, \EphemeralPublic)$
\item let $\TransmitCiphertext{} = \SymEncrypt{\TransmitKey{}}(\TransmitPlaintext{})$
\item if $\OutViewingKey = \bot$:
\item \tab choose random $\OutCipherKey \leftarrowR \Keyspace$ and $\OutPlaintext \leftarrowR \byteseq{(\ellJ + 256)/8}$
\item else:
\item \tab let $\cvField = \LEBStoOSP{\ellJ}\big(\reprJ(\cvNew{})\kern-0.12em\big)$
\item \tab let $\cmuField = \LEBStoOSP{256}\big(\ExtractJ(\cmNew{})\kern-0.12em\big)$
\item \tab let $\cvField = \LEBStoOSP{\ellJ}\big(\reprJ(\cv)\kern-0.12em\big)$
\item \tab let $\cmuField = \LEBStoOSP{256}\big(\ExtractJ(\cm)\kern-0.12em\big)$
\item \tab let $\ephemeralKey = \LEBStoOSPOf{\ellJ}{\reprJ\Of{\EphemeralPublic}\kern 0.03em}$
\item \tab let $\OutCipherKey = \PRFock{\OutViewingKey}(\cvField, \cmuField, \ephemeralKey)$
\vspace{0.5ex}
\item \tab let $\OutPlaintext = \LEBStoOSPOf{\ellJ + 256}{\reprJ(\DiversifiedTransmitPublicNew) \,\bconcat\, \ItoLEBSPOf{256}{\EphemeralPrivate}\kern-0.12em}$
\item \tab let $\OutPlaintext = \LEBStoOSPOf{\ellJ + 256}{\reprJ(\DiversifiedTransmitPublic) \,\bconcat\, \ItoLEBSPOf{256}{\EphemeralPrivate}\kern-0.12em}$
\item \blank
\item let $\OutCiphertext = \SymEncrypt{\OutCipherKey}(\OutPlaintext)$
\end{algorithm}
@ -5644,9 +5646,9 @@ components of the \noteCiphertext as follows:
\item \blank
}
\item let $\DiversifiedTransmitPublic = \KASaplingDerivePublic(\InViewingKey, \DiversifiedTransmitBase)$
\item let $\cmU' = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRandNew{}}(\reprJ\Of{\DiversifiedTransmitBase},
\reprJ\Of{\DiversifiedTransmitPublic},
\Value)\kern-0.12em\big)$.
\item let $\cmU' = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase},
\reprJ\Of{\DiversifiedTransmitPublic},
\Value)\kern-0.12em\big)$.
\item if $\LEBStoOSPOf{256}{\cmU'} \neq \cmuField$, return $\bot$, else return $\NotePlaintext{}$.
\end{algorithm}
@ -5732,9 +5734,9 @@ The \outgoingViewingKey holder will attempt to decrypt the \noteCiphertext as fo
\item if $\NoteCommitRand \geq \ParamJ{r}$ or $\DiversifiedTransmitBase = \bot$, return $\bot$
\item if $\KASaplingDerivePublic(\EphemeralPrivate, \DiversifiedTransmitBase) \neq \EphemeralPublic$,
return $\bot$
\item let $\cmU' = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRandNew{}}(\reprJ\Of{\DiversifiedTransmitBase},
\reprJ\Of{\DiversifiedTransmitPublic},
\Value)\kern-0.12em\big)$.
\item let $\cmU' = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase},
\reprJ\Of{\DiversifiedTransmitPublic},
\Value)\kern-0.12em\big)$.
\item if $\LEBStoOSPOf{256}{\cmU'} \neq \cmuField$, return $\bot$, else return $\NotePlaintext{}$.
\end{algorithm}
} %sapling
@ -10469,6 +10471,13 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\intropart
\lsection{Change History}{changehistory}
\historyentry{2020.1.7}{2020-06-26}
\begin{itemize}
\item Delete some `new' superscripts that only added notational clutter.
\end{itemize}
\historyentry{2020.1.6}{2020-06-17}
\begin{itemize}
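Review bot: `\TransmitPublicNew` is still defined directly above the new `\TransmitPublicSub` in the macro hunk at old line 1231, although every use of it visible in this commit (Sprout sending and Sprout encryption) is switched to the `Sub` form. If no other use remains elsewhere in the file, the old definition should be deleted here; left in place, a later edit can reintroduce a second spelling for the same transmission key, and in a protocol specification two notations for one value invite implementers to read them as two values. If uses do remain, a comment on that line such as `% still used in <section>; same key as \TransmitPublicSub` would record it. The same check applies to `\cmNew`, `\cvNew`, `\ValueNew`, `\NoteCommitRandNew`, `\NoteAddressRandNew`, `\ValueCommitRandNew` and `\AuthPublicNew`, whose definitions are not in the visible hunks. Separately, the `\vphantom{l}` added to `\NoteCommitSprout` and `\NoteCommitSapling` is mentioned in neither the commit message nor the changelog entry, so a one-line comment above those two definitions stating its purpose would help.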