Cosmetics.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent
59331fca67
commit
a626f28117
|
@ -78,7 +78,7 @@
|
||||||
\renewcommand{\bottomtitlespace}{8ex}
|
\renewcommand{\bottomtitlespace}{8ex}
|
||||||
|
|
||||||
% Use rubber lengths between paragraphs to improve default pagination.
|
% Use rubber lengths between paragraphs to improve default pagination.
|
||||||
% https://tex.stackexchange.com/questions/17178/vertical-spacing-pagination-and-ideal-results
|
% <https://tex.stackexchange.com/questions/17178/vertical-spacing-pagination-and-ideal-results>
|
||||||
\setlength{\parskip}{1.5ex plus 1pt minus 1pt}
|
\setlength{\parskip}{1.5ex plus 1pt minus 1pt}
|
||||||
|
|
||||||
\setlist[enumerate]{before=\vspace{-1ex}}
|
\setlist[enumerate]{before=\vspace{-1ex}}
|
||||||
|
@ -88,7 +88,7 @@
|
||||||
\setlist[formulae]{itemsep=0.2ex,topsep=0ex,leftmargin=1.5em,label=,after=\vspace{1.5ex}}
|
\setlist[formulae]{itemsep=0.2ex,topsep=0ex,leftmargin=1.5em,label=,after=\vspace{1.5ex}}
|
||||||
|
|
||||||
\newlist{lines}{itemize}{3}
|
\newlist{lines}{itemize}{3}
|
||||||
\setlist[lines]{itemsep=-0.5ex,topsep=0ex,before=\vspace{1ex},leftmargin=1.5em,label=,after=\vspace{1ex}}
|
\setlist[lines]{itemsep=-0.5ex,topsep=0ex,before=\vspace{1ex},leftmargin=0.6em,label=,after=\vspace{1ex}}
|
||||||
|
|
||||||
\newcommand{\docversion}{Version unavailable (check protocol.ver)}
|
\newcommand{\docversion}{Version unavailable (check protocol.ver)}
|
||||||
\newcommand{\SaplingSpec}{Overwinter+Sapling}
|
\newcommand{\SaplingSpec}{Overwinter+Sapling}
|
||||||
|
@ -129,7 +129,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\crossref}[1]{\autoref{#1}\, \emph{`\nameref*{#1}\kern -0.05em'} on p.\,\pageref*{#1}}
|
\newcommand{\crossref}[1]{\autoref{#1}\, \emph{`\nameref*{#1}\kern -0.05em'} on p.\,\pageref*{#1}}
|
||||||
\newcommand{\theoremref}[1]{\autoref{#1} on p.\,\pageref*{#1}}
|
\newcommand{\theoremref}[1]{\autoref{#1} on p.\,\pageref*{#1}}
|
||||||
|
|
||||||
% https://tex.stackexchange.com/a/60212/78411
|
% <https://tex.stackexchange.com/a/60212/78411>
|
||||||
\newcommand{\subsubsubsection}[1]{\paragraph{#1}\mbox{}\\}
|
\newcommand{\subsubsubsection}[1]{\paragraph{#1}\mbox{}\\}
|
||||||
\setcounter{secnumdepth}{4}
|
\setcounter{secnumdepth}{4}
|
||||||
\setcounter{tocdepth}{4}
|
\setcounter{tocdepth}{4}
|
||||||
|
@ -141,14 +141,14 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\nsubsubsubsection}[1]{\subsubsubsection{\nstrut{#1}}}
|
\newcommand{\nsubsubsubsection}[1]{\subsubsubsection{\nstrut{#1}}}
|
||||||
|
|
||||||
\newcommand{\introlist}{\needspace{15ex}}
|
\newcommand{\introlist}{\needspace{15ex}}
|
||||||
\newcommand{\introsection}{\needspace{30ex}}
|
\newcommand{\introsection}{\needspace{35ex}}
|
||||||
|
|
||||||
\mathchardef\mhyphen="2D
|
\mathchardef\mhyphen="2D
|
||||||
|
|
||||||
\newcommand{\lrarrow}{\texorpdfstring{$\leftrightarrow$}{↔}}
|
\newcommand{\lrarrow}{\texorpdfstring{$\leftrightarrow$}{↔}}
|
||||||
\newcommand{\titlemu}{\texorpdfstring{$\upmu$}{μ}}
|
\newcommand{\titlemu}{\texorpdfstring{$\upmu$}{μ}}
|
||||||
|
|
||||||
% https://tex.stackexchange.com/a/309445/78411
|
% <https://tex.stackexchange.com/a/309445/78411>
|
||||||
\DeclareFontFamily{U}{FdSymbolA}{}
|
\DeclareFontFamily{U}{FdSymbolA}{}
|
||||||
\DeclareFontShape{U}{FdSymbolA}{m}{n}{
|
\DeclareFontShape{U}{FdSymbolA}{m}{n}{
|
||||||
<-> s*[.4] FdSymbolA-Regular
|
<-> s*[.4] FdSymbolA-Regular
|
||||||
|
@ -187,10 +187,10 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\varvv}{\varv\kern 0.02em\varv}
|
\newcommand{\varvv}{\varv\kern 0.02em\varv}
|
||||||
|
|
||||||
\newcommand{\hfrac}[2]{\scalebox{0.8}{$\genfrac{}{}{0.5pt}{0}{#1}{#2}$}}
|
\newcommand{\hfrac}[2]{\scalebox{0.8}{$\genfrac{}{}{0.5pt}{0}{#1}{#2}$}}
|
||||||
|
\newcommand{\ssqrt}[1]{\scalebox{0.64}[1]{$\sqrt{\scalebox{1.5625}[1]{${#1}\vphantom{b}$}}$}}
|
||||||
|
|
||||||
\RequirePackage[usenames,dvipsnames]{xcolor}
|
\RequirePackage[usenames,dvipsnames]{xcolor}
|
||||||
% https://en.wikibooks.org/wiki/LaTeX/Colors#The_68_standard_colors_known_to_dvips
|
% <https://en.wikibooks.org/wiki/LaTeX/Colors#The_68_standard_colors_known_to_dvips>
|
||||||
|
|
||||||
\newcommand{\todo}[1]{{\color{Sepia}\sf{TODO: #1}}}
|
\newcommand{\todo}[1]{{\color{Sepia}\sf{TODO: #1}}}
|
||||||
\definecolor{green}{RGB}{0,100,10}
|
\definecolor{green}{RGB}{0,100,10}
|
||||||
|
@ -513,9 +513,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\Memos}{\titleterm{Memo Fields}}
|
\newcommand{\Memos}{\titleterm{Memo Fields}}
|
||||||
\newcommand{\keyAgreementScheme}{\term{key agreement scheme}}
|
\newcommand{\keyAgreementScheme}{\term{key agreement scheme}}
|
||||||
\newcommand{\keyAgreementSchemes}{\term{key agreement schemes}}
|
\newcommand{\keyAgreementSchemes}{\term{key agreement schemes}}
|
||||||
\newcommand{\KeyAgreement}{\titleterm{Key Agreement}}
|
|
||||||
\newcommand{\keyDerivationFunction}{\term{Key Derivation Function}}
|
\newcommand{\keyDerivationFunction}{\term{Key Derivation Function}}
|
||||||
\newcommand{\keyDerivationFunctions}{\term{Key Derivation Functions}}
|
\newcommand{\keyDerivationFunctions}{\term{Key Derivation Functions}}
|
||||||
|
\newcommand{\KeyAgreement}{\titleterm{Key Agreement}}
|
||||||
\newcommand{\KeyDerivation}{\titleterm{Key Derivation}}
|
\newcommand{\KeyDerivation}{\titleterm{Key Derivation}}
|
||||||
\newcommand{\hashFunction}{\term{hash function}}
|
\newcommand{\hashFunction}{\term{hash function}}
|
||||||
\newcommand{\hashFunctions}{\term{hash functions}}
|
\newcommand{\hashFunctions}{\term{hash functions}}
|
||||||
|
@ -630,7 +630,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\intersection}{\cap}
|
\newcommand{\intersection}{\cap}
|
||||||
\newcommand{\difference}{\setminus}
|
\newcommand{\difference}{\setminus}
|
||||||
\newcommand{\suchthat}{\,\vert\;}
|
\newcommand{\suchthat}{\,\vert\;}
|
||||||
\newcommand{\lincomb}[1]{(\kern-.025em{#1}\kern-0.04em)}
|
\newcommand{\lincomb}[1]{\left(\vphantom{a^q_b}\kern-.025em{#1}\kern-0.04em\right)}
|
||||||
\newcommand{\constraint}[3]{\lincomb{#1}\hairspace \times\hairspace \lincomb{#2}\hairspace =\hairspace \lincomb{#3}}
|
\newcommand{\constraint}[3]{\lincomb{#1}\hairspace \times\hairspace \lincomb{#2}\hairspace =\hairspace \lincomb{#3}}
|
||||||
|
|
||||||
% Key pairs
|
% Key pairs
|
||||||
|
@ -664,8 +664,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\NotePlaintextLeadByteSapling}{\hexint{01}}
|
\newcommand{\NotePlaintextLeadByteSapling}{\hexint{01}}
|
||||||
\newcommand{\AuthPublic}{\mathsf{a_{pk}}}
|
\newcommand{\AuthPublic}{\mathsf{a_{pk}}}
|
||||||
\newcommand{\AuthPrivate}{\mathsf{a_{sk}}}
|
\newcommand{\AuthPrivate}{\mathsf{a_{sk}}}
|
||||||
\newcommand{\AuthPublicX}[1]{\mathsf{a^\mathrm{#1}_{pk}}}
|
\newcommand{\AuthPrivateSup}[1]{\mathsf{a^\mathrm{#1}_{sk}}}
|
||||||
\newcommand{\AuthPrivateX}[1]{\mathsf{a^\mathrm{#1}_{sk}}}
|
|
||||||
\newcommand{\AuthPrivateLength}{\mathsf{\ell_{\AuthPrivate}}}
|
\newcommand{\AuthPrivateLength}{\mathsf{\ell_{\AuthPrivate}}}
|
||||||
\newcommand{\AuthPublicOld}[1]{\mathsf{a^{old}_{pk,\mathnormal{#1}}}}
|
\newcommand{\AuthPublicOld}[1]{\mathsf{a^{old}_{pk,\mathnormal{#1}}}}
|
||||||
\newcommand{\AuthPrivateOld}[1]{\mathsf{a^{old}_{sk,\mathnormal{#1}}}}
|
\newcommand{\AuthPrivateOld}[1]{\mathsf{a^{old}_{sk,\mathnormal{#1}}}}
|
||||||
|
@ -822,8 +821,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
% Notes
|
% Notes
|
||||||
|
|
||||||
\newcommand{\Value}{\mathsf{v}}
|
\newcommand{\Value}{\mathsf{v}}
|
||||||
\newcommand{\ValueNew}[1]{\mathsf{v^{new}_\mathnormal{#1}}}
|
\newcommand{\ValueNew}[1]{\Value^\mathsf{new}_{#1}}
|
||||||
\newcommand{\ValueOld}[1]{\mathsf{v^{old}_\mathnormal{#1}}}
|
\newcommand{\ValueOld}[1]{\Value^\mathsf{old}_{#1}}
|
||||||
\newcommand{\NoteTuple}[1]{\mathbf{n}_{#1}}
|
\newcommand{\NoteTuple}[1]{\mathbf{n}_{#1}}
|
||||||
\newcommand{\NoteTypeSprout}{\optSprout{\mathsf{Note}}}
|
\newcommand{\NoteTypeSprout}{\optSprout{\mathsf{Note}}}
|
||||||
\newcommand{\NoteTypeSapling}{\mathsf{Note^{Sapling}}}
|
\newcommand{\NoteTypeSapling}{\mathsf{Note^{Sapling}}}
|
||||||
|
@ -833,9 +832,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\NoteCommitRandOld}[1]{\NoteCommitRand^\mathsf{old}_{#1}}
|
\newcommand{\NoteCommitRandOld}[1]{\NoteCommitRand^\mathsf{old}_{#1}}
|
||||||
\newcommand{\NoteCommitRandNew}[1]{\NoteCommitRand^\mathsf{new}_{#1}}
|
\newcommand{\NoteCommitRandNew}[1]{\NoteCommitRand^\mathsf{new}_{#1}}
|
||||||
\newcommand{\NoteAddressRand}{\mathsf{\uprho}}
|
\newcommand{\NoteAddressRand}{\mathsf{\uprho}}
|
||||||
\newcommand{\NoteAddressRandOld}[1]{\mathsf{\uprho^{old}_\mathnormal{#1}}}
|
|
||||||
\newcommand{\NoteAddressRandOldX}[1]{\mathsf{\uprho^{old}_\mathrm{#1}}}
|
\newcommand{\NoteAddressRandOldX}[1]{\mathsf{\uprho^{old}_\mathrm{#1}}}
|
||||||
\newcommand{\NoteAddressRandNew}[1]{\mathsf{\uprho^{new}_\mathnormal{#1}}}
|
\newcommand{\NoteAddressRandOld}[1]{\NoteAddressRand^\mathsf{old}_{#1}}
|
||||||
|
\newcommand{\NoteAddressRandNew}[1]{\NoteAddressRand^\mathsf{new}_{#1}}
|
||||||
\newcommand{\NoteAddressPreRand}{\mathsf{\upvarphi}}
|
\newcommand{\NoteAddressPreRand}{\mathsf{\upvarphi}}
|
||||||
\newcommand{\NoteAddressPreRandLength}{\mathsf{\ell_{\NoteAddressPreRand}}}
|
\newcommand{\NoteAddressPreRandLength}{\mathsf{\ell_{\NoteAddressPreRand}}}
|
||||||
\newcommand{\OutputUnique}{\upmu}
|
\newcommand{\OutputUnique}{\upmu}
|
||||||
|
@ -843,12 +842,11 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\OutputIndexType}{\mathsf{OutputIndex}}
|
\newcommand{\OutputIndexType}{\mathsf{OutputIndex}}
|
||||||
\newcommand{\NoteCommitS}{\mathsf{s}}
|
\newcommand{\NoteCommitS}{\mathsf{s}}
|
||||||
\newcommand{\cm}{\mathsf{cm}}
|
\newcommand{\cm}{\mathsf{cm}}
|
||||||
\newcommand{\cmOld}[1]{\mathsf{{cm}^{old}_\mathnormal{#1}}}
|
\newcommand{\cmOld}[1]{\cm^\mathsf{old}_{#1}}
|
||||||
\newcommand{\cmOldX}[1]{\mathsf{{cm}^{old}_\mathrm{#1}}}
|
\newcommand{\cmNew}[1]{\cm^\mathsf{new}_{#1}}
|
||||||
\newcommand{\cmNew}[1]{\mathsf{{cm}^{new}_\mathnormal{#1}}}
|
\newcommand{\snOld}[1]{\mathsf{sn}^\mathsf{old}_{#1}}
|
||||||
\newcommand{\snOldX}[1]{\mathsf{{sn}^{old}_\mathrm{#1}}}
|
|
||||||
\newcommand{\nf}{\mathsf{nf}}
|
\newcommand{\nf}{\mathsf{nf}}
|
||||||
\newcommand{\nfOld}[1]{\nf^\mathsf{old}_\mathnormal{#1}}
|
\newcommand{\nfOld}[1]{\nf^\mathsf{old}_{#1}}
|
||||||
\newcommand{\Memo}{\mathsf{memo}}
|
\newcommand{\Memo}{\mathsf{memo}}
|
||||||
\newcommand{\DecryptNote}{\mathtt{DecryptNote}}
|
\newcommand{\DecryptNote}{\mathtt{DecryptNote}}
|
||||||
\newcommand{\ReplacementCharacter}{\textsf{U+FFFD}}
|
\newcommand{\ReplacementCharacter}{\textsf{U+FFFD}}
|
||||||
|
@ -1099,7 +1097,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\Zero}{\mathcal{O}}
|
\newcommand{\Zero}{\mathcal{O}}
|
||||||
\newcommand{\Generator}{\mathcal{P}}
|
\newcommand{\Generator}{\mathcal{P}}
|
||||||
\newcommand{\Selectu}{\scalebox{1.52}{$u$}}
|
\newcommand{\Selectu}{\scalebox{1.52}{$u$}}
|
||||||
|
\newcommand{\SelectuOf}[1]{\Selectu\!\left({#1}\right)}
|
||||||
\newcommand{\Selectv}{\scalebox{1.52}{$\varv$}}
|
\newcommand{\Selectv}{\scalebox{1.52}{$\varv$}}
|
||||||
|
\newcommand{\SelectvOf}[1]{\Selectv\!\left({#1}\right)}
|
||||||
|
|
||||||
\newcommand{\ParamP}[1]{{{#1}_\mathbb{P}}}
|
\newcommand{\ParamP}[1]{{{#1}_\mathbb{P}}}
|
||||||
\newcommand{\ParamPexp}[2]{{{#1}_\mathbb{P}\!}^{#2}}
|
\newcommand{\ParamPexp}[2]{{{#1}_\mathbb{P}\!}^{#2}}
|
||||||
|
@ -1151,6 +1151,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\abstJ}{\abst_{\GroupJ}}
|
\newcommand{\abstJ}{\abst_{\GroupJ}}
|
||||||
\newcommand{\ExtractJ}{\ParamJ{\mathsf{Extract}}}
|
\newcommand{\ExtractJ}{\ParamJ{\mathsf{Extract}}}
|
||||||
\newcommand{\FindGroupJHash}{\mathsf{FindGroupHash}^\mathbb{J}}
|
\newcommand{\FindGroupJHash}{\mathsf{FindGroupHash}^\mathbb{J}}
|
||||||
|
\newcommand{\FindGroupJHashOf}[1]{\FindGroupJHash\!\left({#1}\right)}
|
||||||
|
|
||||||
\newcommand{\ParamM}[1]{{{#1}_\mathbb{\hskip 0.03em M}}}
|
\newcommand{\ParamM}[1]{{{#1}_\mathbb{\hskip 0.03em M}}}
|
||||||
\newcommand{\ParamMexp}[2]{{{#1}_\mathbb{\hskip 0.03em M}\!}^{#2}}
|
\newcommand{\ParamMexp}[2]{{{#1}_\mathbb{\hskip 0.03em M}\!}^{#2}}
|
||||||
|
@ -1271,7 +1272,7 @@ and should not be used as a reference for the current protocol.}
|
||||||
\addcontentsline{toc}{section}{\larger\nstrut{Contents}}
|
\addcontentsline{toc}{section}{\larger\nstrut{Contents}}
|
||||||
|
|
||||||
\renewcommand{\contentsname}{}
|
\renewcommand{\contentsname}{}
|
||||||
% http://tex.stackexchange.com/a/182744/78411
|
% <https://tex.stackexchange.com/a/182744/78411>
|
||||||
\renewcommand{\baselinestretch}{0.85}\normalsize
|
\renewcommand{\baselinestretch}{0.85}\normalsize
|
||||||
\tableofcontents
|
\tableofcontents
|
||||||
\renewcommand{\baselinestretch}{1.0}\normalsize
|
\renewcommand{\baselinestretch}{1.0}\normalsize
|
||||||
|
@ -1357,6 +1358,7 @@ part of the normative protocol specification. \notsprout{This overview applies
|
||||||
to both \Sprout and \Sapling, differences in the cryptographic constructions
|
to both \Sprout and \Sapling, differences in the cryptographic constructions
|
||||||
used notwithstanding.}
|
used notwithstanding.}
|
||||||
|
|
||||||
|
\introsection
|
||||||
Value in \Zcash is either \transparent or \shielded. Transfers of \transparent
|
Value in \Zcash is either \transparent or \shielded. Transfers of \transparent
|
||||||
value work essentially as in \Bitcoin and have the same privacy properties.
|
value work essentially as in \Bitcoin and have the same privacy properties.
|
||||||
\xShielded value is carried by \notes\hairspace\footnote{\label{notesandnullifiers}
|
\xShielded value is carried by \notes\hairspace\footnote{\label{notesandnullifiers}
|
||||||
|
@ -1588,7 +1590,7 @@ $\GFstar{n}$ means its group under multiplication.
|
||||||
$\GF{n}[z]$ means the ring of polynomials over $z$ with coefficients
|
$\GF{n}[z]$ means the ring of polynomials over $z$ with coefficients
|
||||||
in $\GF{n}$.
|
in $\GF{n}$.
|
||||||
|
|
||||||
$a \mult b$ means the result of multiplying $a$ and $b$.
|
$a \mult b$ means the product of multiplying $a$ and $b$.
|
||||||
This may refer to multiplication of integers, rationals, or
|
This may refer to multiplication of integers, rationals, or
|
||||||
finite field elements according to context.
|
finite field elements according to context.
|
||||||
|
|
||||||
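Review bot: The reworded sentence on the new side, `$a \mult b$ means the product of multiplying $a$ and $b$.`, is pleonastic — "product" already means the result of multiplying — so the edit trades one wording problem for another. `$a \mult b$ means the product of $a$ and $b$.` reads cleanly and keeps the following sentence ("This may refer to multiplication of integers, rationals, or finite field elements ...") as the place where the operation is named. The enclosing notation paragraph continues outside this hunk.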
|
@ -1600,7 +1602,7 @@ means the remainder on dividing $a$ by $q$.
|
||||||
|
|
||||||
$a \xor b$ means the bitwise-exclusive-or of $a$ and $b$,
|
$a \xor b$ means the bitwise-exclusive-or of $a$ and $b$,
|
||||||
and $a \band b$ means the bitwise-and of $a$ and $b$. These are
|
and $a \band b$ means the bitwise-and of $a$ and $b$. These are
|
||||||
defined either on integers or bit sequences according to context.
|
defined on integers or bit sequences according to context.
|
||||||
|
|
||||||
$\vsum{i=1}{\mathrm{N}} a_i$ means the sum of $a_{\allN{}}$.\;
|
$\vsum{i=1}{\mathrm{N}} a_i$ means the sum of $a_{\allN{}}$.\;
|
||||||
$\vxor{i=1}{\mathrm{N}} a_i$ means the bitwise exclusive-or of $a_{\allN{}}$.
|
$\vxor{i=1}{\mathrm{N}} a_i$ means the bitwise exclusive-or of $a_{\allN{}}$.
|
||||||
|
@ -1818,6 +1820,7 @@ $\AuthPrivate$\sapling{ or $(\AuthSignPrivate, \AuthProvePrivate)$}
|
||||||
in zero knowledge while publically disclosing its \nullifier $\nf$,
|
in zero knowledge while publically disclosing its \nullifier $\nf$,
|
||||||
allowing $\nf$ to be used to prevent double-spending.
|
allowing $\nf$ to be used to prevent double-spending.
|
||||||
|
|
||||||
|
|
||||||
\nsubsubsection{\NotePlaintexts{} and \Memos} \label{noteptconcept}
|
\nsubsubsection{\NotePlaintexts{} and \Memos} \label{noteptconcept}
|
||||||
|
|
||||||
Transmitted \notes are stored on the \blockchain in encrypted form, together with
|
Transmitted \notes are stored on the \blockchain in encrypted form, together with
|
||||||
|
@ -3434,7 +3437,7 @@ for that \blockchain.
|
||||||
\item The decryption algorithm corresponds to step 3 (b) i. and ii.
|
\item The decryption algorithm corresponds to step 3 (b) i. and ii.
|
||||||
(first bullet point) of the $\Receive$ algorithm shown in \cite[Figure 2]{BCG+2014}.
|
(first bullet point) of the $\Receive$ algorithm shown in \cite[Figure 2]{BCG+2014}.
|
||||||
\item A \note can change from being unspent to spent as a node's view of the best
|
\item A \note can change from being unspent to spent as a node's view of the best
|
||||||
\blockchain is extended by new \transactions. Also, \blockchain reorganisations
|
\blockchain is extended by new \transactions. Also, \blockchain reorganizations
|
||||||
can cause a node to switch to a different best \blockchain that does not
|
can cause a node to switch to a different best \blockchain that does not
|
||||||
contain the \transaction in which a \note was output.
|
contain the \transaction in which a \note was output.
|
||||||
\end{pnotes}
|
\end{pnotes}
|
||||||
|
@ -3489,7 +3492,9 @@ Define:
|
||||||
\item $\NoteCommitRandLength \typecolon \Nat := \changed{256}$
|
\item $\NoteCommitRandLength \typecolon \Nat := \changed{256}$
|
||||||
\item $\changed{\RandomSeedLength \typecolon \Nat := 256}$
|
\item $\changed{\RandomSeedLength \typecolon \Nat := 256}$
|
||||||
\item $\AuthPrivateLength \typecolon \Nat := \changed{252}$
|
\item $\AuthPrivateLength \typecolon \Nat := \changed{252}$
|
||||||
\item $\AuthPrivateSeedLength \typecolon \Nat := \changed{256}$
|
\sapling{
|
||||||
|
\item $\AuthPrivateSeedLength \typecolon \Nat := 256$
|
||||||
|
}
|
||||||
\item $\changed{\NoteAddressPreRandLength \typecolon \Nat := 252}$
|
\item $\changed{\NoteAddressPreRandLength \typecolon \Nat := 252}$
|
||||||
\item $\UncommittedSprout \typecolon \bitseq{\MerkleHashLengthSprout} := \zeros{\MerkleHashLengthSprout}$
|
\item $\UncommittedSprout \typecolon \bitseq{\MerkleHashLengthSprout} := \zeros{\MerkleHashLengthSprout}$
|
||||||
\sapling{
|
\sapling{
|
||||||
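Review bot: The moved `\item $\AuthPrivateSeedLength \typecolon \Nat := 256$` drops the `\changed{…}` wrapper while the adjacent `\item $\AuthPrivateLength \typecolon \Nat := \changed{252}$` keeps it, so the two length definitions will now be marked inconsistently unless `\sapling{…}` itself applies the change highlighting (not visible here). Wrapping the definition in `\sapling{…}` also appears to make it conditional on the Sapling build rather than a pure layout change, which is more than the commit title "Cosmetics." suggests; if that is intended, a one-line note in the commit message or a `%` comment such as `% \AuthPrivateSeedLength is only defined for Sapling; see \crossref{saplingkeycomponents}` would help the next reader. The enclosing itemize/formulae list starts and ends outside this hunk.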
|
@ -3621,7 +3626,7 @@ such that $\SHACompress(x) = \zeros{256}$.
|
||||||
\begin{lrbox}{\hsigbox}
|
\begin{lrbox}{\hsigbox}
|
||||||
\setchanged
|
\setchanged
|
||||||
\begin{bytefield}[bitwidth=0.04em]{1024}
|
\begin{bytefield}[bitwidth=0.04em]{1024}
|
||||||
\bitbox{256}{$256$-bit $\RandomSeed$}
|
\bitbox{256}{$256$-bit $\RandomSeed$} &
|
||||||
\bitbox{256}{\hfill $256$-bit $\nfOld{\mathrm{1}}$\hfill...\;} &
|
\bitbox{256}{\hfill $256$-bit $\nfOld{\mathrm{1}}$\hfill...\;} &
|
||||||
\bitbox{256}{$256$-bit $\nfOld{\NOld}$} &
|
\bitbox{256}{$256$-bit $\nfOld{\NOld}$} &
|
||||||
\bitbox{300}{$256$-bit $\joinSplitPubKey$}
|
\bitbox{300}{$256$-bit $\joinSplitPubKey$}
|
||||||
|
@ -3648,18 +3653,18 @@ $\BlakeTwob{256}(\ascii{ZcashComputehSig}, x)$ must be collision-resistant.
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
\sapling{
|
|
||||||
\introlist
|
|
||||||
\nsubsubsubsection{\CRHivkText{} \HashFunction} \label{concretecrhivk}
|
|
||||||
|
|
||||||
\newsavebox{\crhivkbox}
|
\newsavebox{\crhivkbox}
|
||||||
\begin{lrbox}{\crhivkbox}
|
\begin{lrbox}{\crhivkbox}
|
||||||
\begin{bytefield}[bitwidth=0.05em]{512}
|
\begin{bytefield}[bitwidth=0.05em]{512}
|
||||||
\bitbox{256}{$256$-bit $\reprJ(\AuthSignPublic)$}
|
\bitbox{256}{$256$-bit $\reprJ(\AuthSignPublic)$} &
|
||||||
\bitbox{256}{$256$-bit $\reprJ(\AuthProvePublic)$}
|
\bitbox{256}{$256$-bit $\reprJ(\AuthProvePublic)$}
|
||||||
\end{bytefield}
|
\end{bytefield}
|
||||||
\end{lrbox}
|
\end{lrbox}
|
||||||
|
|
||||||
|
\sapling{
|
||||||
|
\introlist
|
||||||
|
\nsubsubsubsection{\CRHivkText{} \HashFunction} \label{concretecrhivk}
|
||||||
|
|
||||||
$\CRHivk$ is used to derive the \incomingViewingKey $\InViewingKey$
|
$\CRHivk$ is used to derive the \incomingViewingKey $\InViewingKey$
|
||||||
for a \Sapling \paymentAddress.
|
for a \Sapling \paymentAddress.
|
||||||
For its use when generating an address see \crossref{saplingkeycomponents},
|
For its use when generating an address see \crossref{saplingkeycomponents},
|
||||||
|
@ -3784,8 +3789,8 @@ and an index to an output of length $n$ bits. It is used in \crossref{equihash}.
|
||||||
\newsavebox{\powtagbox}
|
\newsavebox{\powtagbox}
|
||||||
\begin{lrbox}{\powtagbox}
|
\begin{lrbox}{\powtagbox}
|
||||||
\begin{bytefield}[bitwidth=0.16em]{128}
|
\begin{bytefield}[bitwidth=0.16em]{128}
|
||||||
\bitbox{64}{64-bit $\ascii{ZcashPoW}$}
|
\bitbox{64}{64-bit $\ascii{ZcashPoW}$} &
|
||||||
\bitbox{32}{32-bit $n$}
|
\bitbox{32}{32-bit $n$} &
|
||||||
\bitbox{32}{32-bit $k$}
|
\bitbox{32}{32-bit $k$}
|
||||||
\end{bytefield}
|
\end{bytefield}
|
||||||
\end{lrbox}
|
\end{lrbox}
|
||||||
|
@ -3952,12 +3957,12 @@ Let $\Keyspace := \bitseq{256}$, $\Plaintext := \byteseqs$, and $\Ciphertext :=
|
||||||
|
|
||||||
Let $\SymEncrypt{\Key}(\Ptext)$ be authenticated encryption using
|
Let $\SymEncrypt{\Key}(\Ptext)$ be authenticated encryption using
|
||||||
$\SymSpecific$ \cite{RFC-7539} encryption of plaintext $\Ptext \in \Plaintext$,
|
$\SymSpecific$ \cite{RFC-7539} encryption of plaintext $\Ptext \in \Plaintext$,
|
||||||
with empty ``associated data", all-zero nonce $\zeros{96}$, and 256-bit key
|
with empty ``associated data", all-zero nonce $\zeros{96}$, and $256$-bit key
|
||||||
$\Key \in \Keyspace$.
|
$\Key \in \Keyspace$.
|
||||||
|
|
||||||
Similarly, let $\SymDecrypt{\Key}(\Ctext)$ be $\SymSpecific$
|
Similarly, let $\SymDecrypt{\Key}(\Ctext)$ be $\SymSpecific$
|
||||||
decryption of ciphertext $\Ctext \in \Ciphertext$, with empty
|
decryption of ciphertext $\Ctext \in \Ciphertext$, with empty
|
||||||
``associated data", all-zero nonce $\zeros{96}$, and 256-bit key
|
``associated data", all-zero nonce $\zeros{96}$, and $256$-bit key
|
||||||
$\Key \in \Keyspace$. The result is either the plaintext byte sequence,
|
$\Key \in \Keyspace$. The result is either the plaintext byte sequence,
|
||||||
or $\bot$ indicating failure to decrypt.
|
or $\bot$ indicating failure to decrypt.
|
||||||
}
|
}
|
||||||
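Review bot: Both rewritten lines still close the quotation with a straight `"` after an opening ``` `` ```, i.e. `with empty ``associated data", all-zero nonce $\zeros{96}$, and $256$-bit key` and `` ``associated data", all-zero nonce $\zeros{96}$, and $256$-bit key``; unless the document makes `"` active, that does not produce a matching closing quote. Since the commit is already touching these lines for typography, change them to `with empty ``associated data'', all-zero nonce $\zeros{96}$, and $256$-bit key` and `` ``associated data'', all-zero nonce $\zeros{96}$, and $256$-bit key``. The `\changed{…}`/`\sapling{…}` group this paragraph sits in opens before the hunk.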
|
@ -3999,14 +4004,14 @@ Define $\KASproutAgree(n, q) := \CurveMultiply(n, q)$.
|
||||||
}
|
}
|
||||||
|
|
||||||
\introsection
|
\introsection
|
||||||
\nsubsubsection{\SproutOrNothing \KeyDerivation} \label{concretesproutkdf}
|
\nsubsubsubsection{\SproutOrNothing \KeyDerivation} \label{concretesproutkdf}
|
||||||
|
|
||||||
\newsavebox{\kdftagbox}
|
\newsavebox{\kdftagbox}
|
||||||
\begin{lrbox}{\kdftagbox}
|
\begin{lrbox}{\kdftagbox}
|
||||||
\setchanged
|
\setchanged
|
||||||
\begin{bytefield}[bitwidth=0.16em]{128}
|
\begin{bytefield}[bitwidth=0.16em]{128}
|
||||||
\bitbox{64}{$64$-bit $\ascii{ZcashKDF}$} &
|
\bitbox{64}{$64$-bit $\ascii{ZcashKDF}$} &
|
||||||
\bitbox{32}{$8$-bit $i\!-\!1$}
|
\bitbox{32}{$8$-bit $i\!-\!1$} &
|
||||||
\bitbox{56}{$\zeros{56}$}
|
\bitbox{56}{$\zeros{56}$}
|
||||||
\end{bytefield}
|
\end{bytefield}
|
||||||
\end{lrbox}
|
\end{lrbox}
|
||||||
|
@ -4015,10 +4020,10 @@ Define $\KASproutAgree(n, q) := \CurveMultiply(n, q)$.
|
||||||
\begin{lrbox}{\kdfinputbox}
|
\begin{lrbox}{\kdfinputbox}
|
||||||
\setchanged
|
\setchanged
|
||||||
\begin{bytefield}[bitwidth=0.04em]{1024}
|
\begin{bytefield}[bitwidth=0.04em]{1024}
|
||||||
\bitbox{256}{$256$-bit $\hSig$}
|
\bitbox{256}{$256$-bit $\hSig$} &
|
||||||
\bitbox{256}{$256$-bit $\DHSecret{i}$} &
|
\bitbox{256}{$256$-bit $\DHSecret{i}$} &
|
||||||
\bitbox{256}{$256$-bit $\EphemeralPublic$} &
|
\bitbox{256}{$256$-bit $\EphemeralPublic$} &
|
||||||
\bitbox{256}{$256$-bit $\TransmitPublicNew{i}$} &
|
\bitbox{256}{$256$-bit $\TransmitPublicNew{i}$}
|
||||||
\end{bytefield}
|
\end{bytefield}
|
||||||
\end{lrbox}
|
\end{lrbox}
|
||||||
|
|
||||||
|
@ -4059,6 +4064,7 @@ Let $\KDFSapling(\OutputUnique, \OutputIndex, \DHSecret{}, \EphemeralPublic) :=
|
||||||
\OutputUnique \bconcat \OutputIndex \bconcat \reprJ(\DHSecret{}) \bconcat \reprJ(\EphemeralPublic))$.
|
\OutputUnique \bconcat \OutputIndex \bconcat \reprJ(\DHSecret{}) \bconcat \reprJ(\EphemeralPublic))$.
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
\nsubsubsection{\JoinSplitSignature} \label{concretesig}
|
\nsubsubsection{\JoinSplitSignature} \label{concretesig}
|
||||||
|
|
||||||
$\JoinSplitSig$ is specified in \crossref{abstractsig}.
|
$\JoinSplitSig$ is specified in \crossref{abstractsig}.
|
||||||
|
@ -4083,7 +4089,7 @@ $\JoinSplitSigSpecific$ is defined as using $\JoinSplitSigHashName$ internally.
|
||||||
\begin{lrbox}{\sigbox}
|
\begin{lrbox}{\sigbox}
|
||||||
\setchanged
|
\setchanged
|
||||||
\begin{bytefield}[bitwidth=0.075em]{512}
|
\begin{bytefield}[bitwidth=0.075em]{512}
|
||||||
\bitbox{256}{$256$-bit $\EdDSAR$}
|
\bitbox{256}{$256$-bit $\EdDSAR$} &
|
||||||
\bitbox{256}{$256$-bit $\EdDSAS$}
|
\bitbox{256}{$256$-bit $\EdDSAS$}
|
||||||
\end{bytefield}
|
\end{bytefield}
|
||||||
\end{lrbox}
|
\end{lrbox}
|
||||||
|
@ -4116,7 +4122,7 @@ $\ShieldedOutputsSig$ and $\SpendAuthorizationSig$ are specified in \crossref{ab
|
||||||
\newsavebox{\cmbox}
|
\newsavebox{\cmbox}
|
||||||
\begin{lrbox}{\cmbox}
|
\begin{lrbox}{\cmbox}
|
||||||
\setchanged
|
\setchanged
|
||||||
\begin{bytefield}[bitwidth=0.032em]{840}
|
\begin{bytefield}[bitwidth=0.031em]{840}
|
||||||
\bitbox{24}{$1$} &
|
\bitbox{24}{$1$} &
|
||||||
\bitbox{24}{$0$} &
|
\bitbox{24}{$0$} &
|
||||||
\bitbox{24}{$1$} &
|
\bitbox{24}{$1$} &
|
||||||
|
@ -4127,8 +4133,8 @@ $\ShieldedOutputsSig$ and $\SpendAuthorizationSig$ are specified in \crossref{ab
|
||||||
\bitbox{24}{$0$} &
|
\bitbox{24}{$0$} &
|
||||||
\bitbox{256}{$256$-bit $\AuthPublic$} &
|
\bitbox{256}{$256$-bit $\AuthPublic$} &
|
||||||
\bitbox{128}{$64$-bit $\Value$} &
|
\bitbox{128}{$64$-bit $\Value$} &
|
||||||
\bitbox{256}{$256$-bit $\NoteAddressRand$}
|
\bitbox{256}{$256$-bit $\NoteAddressRand$} &
|
||||||
\bitbox{256}{$256$-bit $\NoteCommitRand$} &
|
\bitbox{256}{$256$-bit $\NoteCommitRand$}
|
||||||
\end{bytefield}
|
\end{bytefield}
|
||||||
\end{lrbox}
|
\end{lrbox}
|
||||||
|
|
||||||
|
@ -4206,14 +4212,14 @@ $\GenG{1}$ and $\GenG{2}$ are generators of $\GroupG{1}$ and $\GroupG{2}$ respec
|
||||||
\begin{lrbox}{\gonebox}
|
\begin{lrbox}{\gonebox}
|
||||||
\setchanged
|
\setchanged
|
||||||
\begin{bytefield}[bitwidth=0.045em]{264}
|
\begin{bytefield}[bitwidth=0.045em]{264}
|
||||||
\bitbox{20}{$0$}
|
\bitbox{20}{$0$} &
|
||||||
\bitbox{20}{$0$}
|
\bitbox{20}{$0$} &
|
||||||
\bitbox{20}{$0$}
|
\bitbox{20}{$0$} &
|
||||||
\bitbox{20}{$0$}
|
\bitbox{20}{$0$} &
|
||||||
\bitbox{20}{$0$}
|
\bitbox{20}{$0$} &
|
||||||
\bitbox{20}{$0$}
|
\bitbox{20}{$0$} &
|
||||||
\bitbox{20}{$1$}
|
\bitbox{20}{$1$} &
|
||||||
\bitbox{80}{$1$-bit $\tilde{y}$}
|
\bitbox{80}{$1$-bit $\tilde{y}$} &
|
||||||
\bitbox{256}{$256$-bit $\ItoOSP{32}(x)$}
|
\bitbox{256}{$256$-bit $\ItoOSP{32}(x)$}
|
||||||
\end{bytefield}
|
\end{bytefield}
|
||||||
\end{lrbox}
|
\end{lrbox}
|
||||||
|
@ -4222,14 +4228,14 @@ $\GenG{1}$ and $\GenG{2}$ are generators of $\GroupG{1}$ and $\GroupG{2}$ respec
|
||||||
\begin{lrbox}{\gtwobox}
|
\begin{lrbox}{\gtwobox}
|
||||||
\setchanged
|
\setchanged
|
||||||
\begin{bytefield}[bitwidth=0.045em]{520}
|
\begin{bytefield}[bitwidth=0.045em]{520}
|
||||||
\bitbox{20}{$0$}
|
\bitbox{20}{$0$} &
|
||||||
\bitbox{20}{$0$}
|
\bitbox{20}{$0$} &
|
||||||
\bitbox{20}{$0$}
|
\bitbox{20}{$0$} &
|
||||||
\bitbox{20}{$0$}
|
\bitbox{20}{$0$} &
|
||||||
\bitbox{20}{$1$}
|
\bitbox{20}{$1$} &
|
||||||
\bitbox{20}{$0$}
|
\bitbox{20}{$0$} &
|
||||||
\bitbox{20}{$1$}
|
\bitbox{20}{$1$} &
|
||||||
\bitbox{80}{$1$-bit $\tilde{y}$}
|
\bitbox{80}{$1$-bit $\tilde{y}$} &
|
||||||
\bitbox{512}{$512$-bit $\ItoOSP{64}(x)$}
|
\bitbox{512}{$512$-bit $\ItoOSP{64}(x)$}
|
||||||
\end{bytefield}
|
\end{bytefield}
|
||||||
\end{lrbox}
|
\end{lrbox}
|
||||||
|
@ -4296,9 +4302,9 @@ the square root exists, or that the encoding represents a point on the curve.
|
||||||
\begin{lrbox}{\sonebox}
|
\begin{lrbox}{\sonebox}
|
||||||
\setsapling
|
\setsapling
|
||||||
\begin{bytefield}[bitwidth=0.045em]{384}
|
\begin{bytefield}[bitwidth=0.045em]{384}
|
||||||
\bitbox{20}{$1$}
|
\bitbox{20}{$1$} &
|
||||||
\bitbox{20}{$0$}
|
\bitbox{20}{$0$} &
|
||||||
\bitbox{80}{$1$-bit $\tilde{y}$}
|
\bitbox{80}{$1$-bit $\tilde{y}$} &
|
||||||
\bitbox{381}{$381$-bit $\ItoBSP{381}(x)$}
|
\bitbox{381}{$381$-bit $\ItoBSP{381}(x)$}
|
||||||
\end{bytefield}
|
\end{bytefield}
|
||||||
\end{lrbox}
|
\end{lrbox}
|
||||||
|
@ -4307,10 +4313,10 @@ the square root exists, or that the encoding represents a point on the curve.
|
||||||
\begin{lrbox}{\stwobox}
|
\begin{lrbox}{\stwobox}
|
||||||
\setsapling
|
\setsapling
|
||||||
\begin{bytefield}[bitwidth=0.045em]{768}
|
\begin{bytefield}[bitwidth=0.045em]{768}
|
||||||
\bitbox{20}{$1$}
|
\bitbox{20}{$1$} &
|
||||||
\bitbox{20}{$0$}
|
\bitbox{20}{$0$} &
|
||||||
\bitbox{80}{$1$-bit $\tilde{y}$}
|
\bitbox{80}{$1$-bit $\tilde{y}$} &
|
||||||
\bitbox{381}{$381$-bit $\ItoBSP{381}(x_1)$}
|
\bitbox{381}{$381$-bit $\ItoBSP{381}(x_1)$} &
|
||||||
\bitbox{384}{$384$-bit $\ItoBSP{384}(x_2)$}
|
\bitbox{384}{$384$-bit $\ItoBSP{384}(x_2)$}
|
||||||
\end{bytefield}
|
\end{bytefield}
|
||||||
\end{lrbox}
|
\end{lrbox}
|
||||||
|
@ -4487,7 +4493,7 @@ large prime-order subgroup.
|
||||||
\sapling{
|
\sapling{
|
||||||
\nsubsubsubsection{\HashExtractor{} for \Jubjub} \label{concreteextractorjubjub}
|
\nsubsubsubsection{\HashExtractor{} for \Jubjub} \label{concreteextractorjubjub}
|
||||||
|
|
||||||
Let $\Selectu((u, \varv)) = u$ and let $\Selectv((u, \varv)) = \varv$.
|
Let $\SelectuOf{(u, \varv)} = u$ and let $\SelectvOf{(u, \varv)} = \varv$.
|
||||||
|
|
||||||
Let $\ExtractJ \typecolon \GroupJ \rightarrow \GF{\ParamJ{q}}$ be $\Selectu$.
|
Let $\ExtractJ \typecolon \GroupJ \rightarrow \GF{\ParamJ{q}}$ be $\Selectu$.
|
||||||
|
|
||||||
|
@ -4511,7 +4517,7 @@ Therefore, $-\varv \neq \varv$.
|
||||||
Now suppose $(u, -\varv) = Q$ is a point in $G$. Then by applying the
|
Now suppose $(u, -\varv) = Q$ is a point in $G$. Then by applying the
|
||||||
doubling formula we have $\scalarmult{2}{Q} = -\scalarmult{2}{P}$.
|
doubling formula we have $\scalarmult{2}{Q} = -\scalarmult{2}{P}$.
|
||||||
But also $\scalarmult{2}{(-P)} = -\scalarmult{2}{P}$. Therefore either
|
But also $\scalarmult{2}{(-P)} = -\scalarmult{2}{P}$. Therefore either
|
||||||
$Q = -P$ (then $\Selectv(Q) = \Selectv(-P)$; contradiction since
|
$Q = -P$ (then $\SelectvOf{Q} = \SelectvOf{-P}$; contradiction since
|
||||||
$-\varv \neq \varv$), or doubling is not injective on $G$ (contradiction
|
$-\varv \neq \varv$), or doubling is not injective on $G$ (contradiction
|
||||||
since $G$ is of odd order \cite{KvE2013}).
|
since $G$ is of odd order \cite{KvE2013}).
|
||||||
\end{proof}
|
\end{proof}
|
||||||
|
@ -4533,6 +4539,7 @@ is injective on points in $G$.
|
||||||
\end{proof}
|
\end{proof}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
\sapling{
|
\sapling{
|
||||||
\nsubsubsubsection{\GroupHash{} into \Jubjub} \label{concretegrouphashjubjub}
|
\nsubsubsubsection{\GroupHash{} into \Jubjub} \label{concretegrouphashjubjub}
|
||||||
|
|
||||||
|
@ -4574,7 +4581,7 @@ so that $\first(f) = f(i)$ where $i$ is the least nonnegative integer
|
||||||
such that $f(i) \neq \bot$. (For our use of $\first$, such an $i$ always
|
such that $f(i) \neq \bot$. (For our use of $\first$, such an $i$ always
|
||||||
exists.)
|
exists.)
|
||||||
|
|
||||||
Let $\FindGroupJHash(D, M) =
|
Let $\FindGroupJHashOf{D, M} =
|
||||||
\first(\fun{i \typecolon \Nat}{\GroupJHash{\CRS}(D, M \bconcat \ItoOSPvar(i)) \typecolon \GroupJ})$.
|
\first(\fun{i \typecolon \Nat}{\GroupJHash{\CRS}(D, M \bconcat \ItoOSPvar(i)) \typecolon \GroupJ})$.
|
||||||
|
|
||||||
\begin{pnotes}
|
\begin{pnotes}
|
||||||
|
@ -4623,13 +4630,13 @@ and a \provingSystem implementation that is interoperable with the \Zcash fork o
|
||||||
\begin{lrbox}{\phgrbox}
|
\begin{lrbox}{\phgrbox}
|
||||||
\setchanged
|
\setchanged
|
||||||
\begin{bytefield}[bitwidth=0.021em]{2368}
|
\begin{bytefield}[bitwidth=0.021em]{2368}
|
||||||
\bitbox{264}{264-bit $\Proof{A}$}
|
\bitbox{264}{264-bit $\Proof{A}$} &
|
||||||
\bitbox{264}{264-bit $\Proof{A}'$}
|
\bitbox{264}{264-bit $\Proof{A}'$} &
|
||||||
\bitbox{520}{520-bit $\Proof{B}$}
|
\bitbox{520}{520-bit $\Proof{B}$} &
|
||||||
\bitbox{264}{264-bit $\Proof{B}'$}
|
\bitbox{264}{264-bit $\Proof{B}'$} &
|
||||||
\bitbox{264}{264-bit $\Proof{C}$}
|
\bitbox{264}{264-bit $\Proof{C}$} &
|
||||||
\bitbox{264}{264-bit $\Proof{C}'$}
|
\bitbox{264}{264-bit $\Proof{C}'$} &
|
||||||
\bitbox{264}{264-bit $\Proof{K}$}
|
\bitbox{264}{264-bit $\Proof{K}$} &
|
||||||
\bitbox{264}{264-bit $\Proof{H}$}
|
\bitbox{264}{264-bit $\Proof{H}$}
|
||||||
\end{bytefield}
|
\end{bytefield}
|
||||||
\end{lrbox}
|
\end{lrbox}
|
||||||
|
@ -4657,6 +4664,17 @@ verifier \MUST check, for the encoding of each element, that:
|
||||||
$\ParamG{r}$ in the latter case.
|
$\ParamG{r}$ in the latter case.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
|
|
||||||
|
\newsavebox{\grothbox}
|
||||||
|
\begin{lrbox}{\grothbox}
|
||||||
|
\setsapling
|
||||||
|
\begin{bytefield}[bitwidth=0.021em]{1536}
|
||||||
|
\bitbox{384}{384-bit $\Proof{A}$} &
|
||||||
|
\bitbox{768}{768-bit $\Proof{B}$} &
|
||||||
|
\bitbox{384}{384-bit $\Proof{C}$}
|
||||||
|
\end{bytefield}
|
||||||
|
\end{lrbox}
|
||||||
|
|
||||||
\sapling{
|
\sapling{
|
||||||
\nsubsubsubsection{\GrothProvingSystem} \label{groth}
|
\nsubsubsubsection{\GrothProvingSystem} \label{groth}
|
||||||
|
|
||||||
|
@ -4684,16 +4702,6 @@ library used by \Zcash, to ensure compatibility.
|
||||||
\introlist
|
\introlist
|
||||||
\subparagraph{\EncodingOfGrothProofs} \vspace{1ex} \label{grothencoding}
|
\subparagraph{\EncodingOfGrothProofs} \vspace{1ex} \label{grothencoding}
|
||||||
|
|
||||||
\newsavebox{\grothbox}
|
|
||||||
\begin{lrbox}{\grothbox}
|
|
||||||
\setsapling
|
|
||||||
\begin{bytefield}[bitwidth=0.021em]{1536}
|
|
||||||
\bitbox{384}{384-bit $\Proof{A}$}
|
|
||||||
\bitbox{768}{768-bit $\Proof{B}$}
|
|
||||||
\bitbox{384}{384-bit $\Proof{C}$}
|
|
||||||
\end{bytefield}
|
|
||||||
\end{lrbox}
|
|
||||||
|
|
||||||
A $\Groth$ proof is encoded by concatenating the encodings of its elements:
|
A $\Groth$ proof is encoded by concatenating the encodings of its elements:
|
||||||
|
|
||||||
\begin{formulae}[leftmargin=0.2em]
|
\begin{formulae}[leftmargin=0.2em]
|
||||||
|
@ -5105,7 +5113,7 @@ For \incomingViewingKeys on the test network, the \humanReadablePart is \ascii{z
|
||||||
\nsubsubsection{\SproutOrNothing \SpendingKeys} \label{sproutspendingkeyencoding}
|
\nsubsubsection{\SproutOrNothing \SpendingKeys} \label{sproutspendingkeyencoding}
|
||||||
|
|
||||||
A \SproutOrNothing \spendingKey consists of $\AuthPrivate$, which is a sequence of
|
A \SproutOrNothing \spendingKey consists of $\AuthPrivate$, which is a sequence of
|
||||||
\changed{252} bits (see \crossref{sproutkeycomponents}).
|
\changed{$252$} bits (see \crossref{sproutkeycomponents}).
|
||||||
|
|
||||||
\introlist
|
\introlist
|
||||||
The raw encoding of a \SproutOrNothing \spendingKey consists of:
|
The raw encoding of a \SproutOrNothing \spendingKey consists of:
|
||||||
|
@ -5251,14 +5259,14 @@ from the \Sapling-supporting network.
|
||||||
|
|
||||||
This allows us to specify arbitrary protocol changes that
|
This allows us to specify arbitrary protocol changes that
|
||||||
take effect at a given \blockHeight. Note, however, that a
|
take effect at a given \blockHeight. Note, however, that a
|
||||||
\blockchain reorganisation across a forking \block is possible.
|
\blockchain reorganization across a forking \block is possible.
|
||||||
In the case of such a reorganisation, \blocks at a height
|
In the case of such a reorganization, \blocks at a height
|
||||||
before the forking \blockHeight will still be created and
|
before the forking \blockHeight will still be created and
|
||||||
validated according to the pre-\Sapling rules, and
|
validated according to the pre-\Sapling rules, and
|
||||||
\Sapling-supporting nodes \MUST allow for this.
|
\Sapling-supporting nodes \MUST allow for this.
|
||||||
However, once a node has seen 99 valid \blocks on top of a
|
However, once a node has seen 99 valid \blocks on top of a
|
||||||
forking \block, it may assume that the fork is ``locked in''
|
forking \block, it may assume that the fork is ``locked in''
|
||||||
and need not support reorganisations that roll back to before
|
and need not support reorganizations that roll back to before
|
||||||
that forking \block.
|
that forking \block.
|
||||||
|
|
||||||
For the \Sapling hard fork (but not necessarily for bilateral
|
For the \Sapling hard fork (but not necessarily for bilateral
|
||||||
|
@ -5567,6 +5575,7 @@ The changes relative to \Bitcoin version $4$ blocks as described in \cite{Bitc-B
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
|
|
||||||
|
\introsection
|
||||||
\nsubsection{Proof of Work}
|
\nsubsection{Proof of Work}
|
||||||
|
|
||||||
\Zcash uses Equihash \cite{BK2016} as its Proof of Work. Motivations for
|
\Zcash uses Equihash \cite{BK2016} as its Proof of Work. Motivations for
|
||||||
|
@ -5601,13 +5610,13 @@ derived from the \blockHeader and a nonce:
|
||||||
\newsavebox{\powheaderbox}
|
\newsavebox{\powheaderbox}
|
||||||
\begin{lrbox}{\powheaderbox}
|
\begin{lrbox}{\powheaderbox}
|
||||||
\begin{bytefield}[bitwidth=0.064em]{1152}
|
\begin{bytefield}[bitwidth=0.064em]{1152}
|
||||||
\bitbox{128}{32-bit $\nVersion$}
|
\bitbox{128}{$32$-bit $\nVersion$} &
|
||||||
\bitbox{256}{256-bit $\hashPrevBlock$}
|
\bitbox{256}{$256$-bit $\hashPrevBlock$} &
|
||||||
\bitbox{256}{256-bit $\hashMerkleRoot$} \\
|
\bitbox{256}{$256$-bit $\hashMerkleRoot$} \\
|
||||||
\bitbox{256}{256-bit $\hashReserved$}
|
\bitbox{256}{$256$-bit $\hashReserved$} &
|
||||||
\bitbox{128}{32-bit $\nTimeField$}
|
\bitbox{128}{$32$-bit $\nTimeField$} &
|
||||||
\bitbox{128}{32-bit $\nBitsField$} \\
|
\bitbox{128}{$32$-bit $\nBitsField$} \\
|
||||||
\bitbox{256}{256-bit $\nNonce$}
|
\bitbox{256}{$256$-bit $\nNonce$}
|
||||||
\end{bytefield}
|
\end{bytefield}
|
||||||
\end{lrbox}
|
\end{lrbox}
|
||||||
|
|
||||||
|
@ -5633,7 +5642,7 @@ $\vxor{j=1}{2^k} X_{i_j} = 0$.
|
||||||
\introlist
|
\introlist
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item For all $r \in \range{1}{k\!-\!1}$, for all $w \in \range{0}{2^{k-r}\!-\!1}:
|
\item For all $r \in \range{1}{k\!-\!1}$, for all $w \in \range{0}{2^{k-r}\!-\!1}:
|
||||||
\vxor{j=1}{2^r} X_{i_{w \mult 2^r + j}}$ has $\frac{n \mult r}{k+1}$ leading zeroes; and
|
\vxor{j=1}{2^r} X_{i_{w \mult 2^r + j}}$ has $\frac{n \mult r}{k+1}$ leading zeros; and
|
||||||
\item For all $r \in \range{1}{k}$, for all $w \in \range{0}{2^{k-r}\!-\!1}:
|
\item For all $r \in \range{1}{k}$, for all $w \in \range{0}{2^{k-r}\!-\!1}:
|
||||||
i_{w \mult 2^r + 1 .. w \mult 2^r + 2^{r-1}} <
|
i_{w \mult 2^r + 1 .. w \mult 2^r + 2^{r-1}} <
|
||||||
i_{w \mult 2^r + 2^{r-1} + 1 .. w \mult 2^r + 2^r}$ lexicographically.
|
i_{w \mult 2^r + 2^{r-1} + 1 .. w \mult 2^r + 2^r}$ lexicographically.
|
||||||
|
@ -5654,9 +5663,9 @@ field of a \blockHeader as follows:
|
||||||
\newsavebox{\solutionbox}
|
\newsavebox{\solutionbox}
|
||||||
\begin{lrbox}{\solutionbox}
|
\begin{lrbox}{\solutionbox}
|
||||||
\begin{bytefield}[bitwidth=0.45em]{105}
|
\begin{bytefield}[bitwidth=0.45em]{105}
|
||||||
\bitbox{21}{$\ItoBSP{21}(i_1-1)$}
|
\bitbox{21}{$\ItoBSP{21}(i_1-1)$} &
|
||||||
\bitbox{21}{$\ItoBSP{21}(i_2-1)$}
|
\bitbox{21}{$\ItoBSP{21}(i_2-1)$} &
|
||||||
\bitbox{42}{$\cdots$}
|
\bitbox{42}{$\cdots$} &
|
||||||
\bitbox{21}{$\ItoBSP{21}(i_{512}-1)$}
|
\bitbox{21}{$\ItoBSP{21}(i_{512}-1)$}
|
||||||
\end{bytefield}
|
\end{bytefield}
|
||||||
\end{lrbox}
|
\end{lrbox}
|
||||||
|
@ -5666,8 +5675,8 @@ field of a \blockHeader as follows:
|
||||||
\newsavebox{\eqexamplebox}
|
\newsavebox{\eqexamplebox}
|
||||||
\begin{lrbox}{\eqexamplebox}
|
\begin{lrbox}{\eqexamplebox}
|
||||||
\begin{bytefield}[bitwidth=0.75em]{63}
|
\begin{bytefield}[bitwidth=0.75em]{63}
|
||||||
\bitbox{21}{$\ItoBSP{21}(68)$}
|
\bitbox{21}{$\ItoBSP{21}(68)$} &
|
||||||
\bitbox{21}{$\ItoBSP{21}(41)$}
|
\bitbox{21}{$\ItoBSP{21}(41)$} &
|
||||||
\bitbox{21}{$\ItoBSP{21}(2^{21}-1)$} \\
|
\bitbox{21}{$\ItoBSP{21}(2^{21}-1)$} \\
|
||||||
\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\ob\zb\zb\zb\ob\zb\zb
|
\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\ob\zb\zb\zb\ob\zb\zb
|
||||||
\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\ob\zb\ob\zb\zb\ob
|
\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\zb\ob\zb\ob\zb\zb\ob
|
||||||
|
@ -5718,7 +5727,7 @@ Difficulty is defined in terms of a \targetThreshold, which is adjusted for each
|
||||||
|
|
||||||
The difficulty filter is unchanged from \Bitcoin, and is calculated using
|
The difficulty filter is unchanged from \Bitcoin, and is calculated using
|
||||||
\SHAd on the whole \blockHeader (including $\solutionSize$ and $\solution$).
|
\SHAd on the whole \blockHeader (including $\solutionSize$ and $\solution$).
|
||||||
The result is interpreted as a 256-bit integer represented in little-endian
|
The result is interpreted as a $256$-bit integer represented in little-endian
|
||||||
byte order, which \MUST be less than or equal to the \targetThreshold given by
|
byte order, which \MUST be less than or equal to the \targetThreshold given by
|
||||||
$\ToTarget(\nBitsField)$.
|
$\ToTarget(\nBitsField)$.
|
||||||
|
|
||||||
|
@ -6304,7 +6313,7 @@ The format of inputs to the PRFs instantiated in \crossref{concreteprfs}
|
||||||
has changed relative to \Zerocash. There is also a requirement for another PRF,
|
has changed relative to \Zerocash. There is also a requirement for another PRF,
|
||||||
$\PRFrho{}$, which must be domain-separated from the others.
|
$\PRFrho{}$, which must be domain-separated from the others.
|
||||||
|
|
||||||
In the \Zerocash protocol, $\NoteAddressRandOld{i}$ is truncated from 256
|
In the \Zerocash protocol, $\NoteAddressRandOld{i}$ is truncated from $256$
|
||||||
to $254$ bits in the input to $\PRFsn{}$ (which corresponds to $\PRFnf{}$ in \Zcash).
|
to $254$ bits in the input to $\PRFsn{}$ (which corresponds to $\PRFnf{}$ in \Zcash).
|
||||||
Also, $\hSig$ is truncated from $256$ to $253$ bits in the input to $\PRFpk{}$.
|
Also, $\hSig$ is truncated from $256$ to $253$ bits in the input to $\PRFpk{}$.
|
||||||
These truncations are not taken into account in the security proofs.
|
These truncations are not taken into account in the security proofs.
|
||||||
|
@ -6358,13 +6367,13 @@ $\NoteAddressRand$.
|
||||||
|
|
||||||
\sproutonly{
|
\sproutonly{
|
||||||
Since the PRFs are instantiated using $\SHACompress$ which has an input block
|
Since the PRFs are instantiated using $\SHACompress$ which has an input block
|
||||||
size of 512 bits (of which 256 bits are used for the PRF input and 4 bits
|
size of $512$ bits (of which $256$ bits are used for the PRF input and $4$ bits
|
||||||
are used for domain separation), it was necessary to reduce the size of the
|
are used for domain separation), it was necessary to reduce the size of the
|
||||||
PRF key to 252 bits. The key is set to $\AuthPrivate$ in the case of
|
PRF key to $252$ bits. The key is set to $\AuthPrivate$ in the case of
|
||||||
$\PRFaddr{}$, $\PRFnf{}$, and $\PRFpk{}$, and to $\NoteAddressPreRand$ (which
|
$\PRFaddr{}$, $\PRFnf{}$, and $\PRFpk{}$, and to $\NoteAddressPreRand$ (which
|
||||||
does not exist in \Zerocash) for $\PRFrho{}$, and so those values have been
|
does not exist in \Zerocash) for $\PRFrho{}$, and so those values have been
|
||||||
reduced to 252 bits. This is preferable to requiring reasoning about truncation,
|
reduced to $252$ bits. This is preferable to requiring reasoning about truncation,
|
||||||
and 252 bits is quite sufficient for security of these cryptovalues.
|
and $252$ bits is quite sufficient for security of these cryptovalues.
|
||||||
}
|
}
|
||||||
|
|
||||||
\sapling{
|
\sapling{
|
||||||
|
@ -6454,7 +6463,7 @@ KDF to a given recipient key and seed. \sproutonly{It is necessary to adapt the
|
||||||
``HDH independence'' assumptions and the proof slightly to take into account
|
``HDH independence'' assumptions and the proof slightly to take into account
|
||||||
that the ephemeral key is reused for two encryptions.}
|
that the ephemeral key is reused for two encryptions.}
|
||||||
|
|
||||||
Note that the 256-bit key for $\SymSpecific$ maintains a high concrete security
|
Note that the $256$-bit key for $\SymSpecific$ maintains a high concrete security
|
||||||
level even under attacks using parallel hardware \cite{Bern2005} in the multi-user
|
level even under attacks using parallel hardware \cite{Bern2005} in the multi-user
|
||||||
setting \cite{Zave2012}. This is especially necessary because the privacy of
|
setting \cite{Zave2012}. This is especially necessary because the privacy of
|
||||||
\Zcash transactions may need to be maintained far into the future, and upgrading
|
\Zcash transactions may need to be maintained far into the future, and upgrading
|
||||||
|
@ -6462,7 +6471,7 @@ the encryption algorithm would not prevent a future adversary from attempting
|
||||||
to decrypt ciphertexts encrypted before the upgrade. Other cryptovalues that
|
to decrypt ciphertexts encrypted before the upgrade. Other cryptovalues that
|
||||||
could be attacked to break the privacy of transactions are also sufficiently long
|
could be attacked to break the privacy of transactions are also sufficiently long
|
||||||
to resist parallel brute force in the multi-user setting: \notsprout{for \Sprout,}
|
to resist parallel brute force in the multi-user setting: \notsprout{for \Sprout,}
|
||||||
$\AuthPrivate$ is 252 bits, and $\TransmitPrivate$ is no shorter than $\AuthPrivate$.
|
$\AuthPrivate$ is $252$ bits, and $\TransmitPrivate$ is no shorter than $\AuthPrivate$.
|
||||||
|
|
||||||
|
|
||||||
\nsubsection{Omission in \Zerocash security proof} \label{crprf}
|
\nsubsection{Omission in \Zerocash security proof} \label{crprf}
|
||||||
|
@ -6472,7 +6481,7 @@ it is not specified to be collision-resistant. This reveals a flaw in
|
||||||
the proof of the Balance property.
|
the proof of the Balance property.
|
||||||
|
|
||||||
Suppose that an adversary finds a collision on $\PRFaddr{}$ such that
|
Suppose that an adversary finds a collision on $\PRFaddr{}$ such that
|
||||||
$\AuthPrivateX{1}$ and $\AuthPrivateX{2}$ are distinct \spendingKeys for
|
$\AuthPrivateSup{1}$ and $\AuthPrivateSup{2}$ are distinct \spendingKeys for
|
||||||
the same $\AuthPublic$. Because the \noteCommitment is to $\AuthPublic$,
|
the same $\AuthPublic$. Because the \noteCommitment is to $\AuthPublic$,
|
||||||
but the \nullifier is computed from $\AuthPrivate$ (and $\NoteAddressRand$),
|
but the \nullifier is computed from $\AuthPrivate$ (and $\NoteAddressRand$),
|
||||||
the adversary is able to double-spend the note, once with each $\AuthPrivate$.
|
the adversary is able to double-spend the note, once with each $\AuthPrivate$.
|
||||||
|
@ -6486,11 +6495,11 @@ The error is in the proof of Balance in \cite[Appendix D.3]{BCG+2014}.
|
||||||
For the ``$\Adversary$ violates Condition I'' case, the proof says:
|
For the ``$\Adversary$ violates Condition I'' case, the proof says:
|
||||||
|
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item[``(i)] If $\cmOldX{1} = \cmOldX{2}$, then the fact that
|
\item[``(i)] If $\cmOld{1} = \cmOld{2}$, then the fact that
|
||||||
$\snOldX{1} \neq \snOldX{2}$ implies that the witness $a$ contains
|
$\snOld{1} \neq \snOld{2}$ implies that the witness $a$ contains
|
||||||
two distinct openings of $\cmOldX{1}$ (the first opening contains
|
two distinct openings of $\cmOld{1}$ (the first opening contains
|
||||||
$(\AuthPrivateOldX{1}, \NoteAddressRandOldX{1})$, while the second
|
$(\AuthPrivateOldX{1}, \NoteAddressRandOld{1})$, while the second
|
||||||
opening contains $(\AuthPrivateOldX{2}, \NoteAddressRandOldX{2})$).
|
opening contains $(\AuthPrivateOldX{2}, \NoteAddressRandOld{2})$).
|
||||||
This violates the binding property of the commitment scheme $\CommitAlg$."
|
This violates the binding property of the commitment scheme $\CommitAlg$."
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
|
@ -6934,7 +6943,7 @@ Daira Hopwood, Sean Bowe, and Jack Grigg.
|
||||||
\subparagraph{2016.0-beta-1}
|
\subparagraph{2016.0-beta-1}
|
||||||
|
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Major reorganisation to separate the abstract cryptographic protocol
|
\item Major reorganization to separate the abstract cryptographic protocol
|
||||||
from the algorithm instantiations.
|
from the algorithm instantiations.
|
||||||
\item Add type declarations.
|
\item Add type declarations.
|
||||||
\item Add a ``High-level Overview'' section.
|
\item Add a ``High-level Overview'' section.
|
||||||
|
@ -7087,21 +7096,23 @@ inversions required. In the circuit, it turns out that a division can be
|
||||||
implemented at the same cost as a multiplication, i.e.\ one constraint.
|
implemented at the same cost as a multiplication, i.e.\ one constraint.
|
||||||
Therefore it is beneficial to use affine coordinates for both curves.
|
Therefore it is beneficial to use affine coordinates for both curves.
|
||||||
|
|
||||||
|
\introlist
|
||||||
We define the following types representing affine Edwards and Montgomery
|
We define the following types representing affine Edwards and Montgomery
|
||||||
coordinates respectively:
|
coordinates respectively:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{tabular}{@{\hskip 2em}r@{\;}l@{\;}l}
|
||||||
\item $\AffineEdwardsJubjub = (u \typecolon \GF{\ParamS{r}}) \times (\varv \typecolon \GF{\ParamS{r}}) :
|
$\AffineEdwardsJubjub$ &$:= (u \typecolon \GF{\ParamS{r}}) \times (\hspace{0.04em}\varv\hspace{0.04em} \typecolon \GF{\ParamS{r}})$
|
||||||
\ParamJ{a} \smult u^2 + \varv^2 = 1 + \ParamJ{d} \smult u^2 \smult \varv^2$
|
&$: \ParamJ{a} \smult u^2 + \varv^2 = 1 + \ParamJ{d} \smult u^2 \smult \varv^2$ \\
|
||||||
\item $\AffineMontJubjub = (x \typecolon \GF{\ParamS{r}}) \times (y \typecolon \GF{\ParamS{r}}) :
|
$\AffineMontJubjub$ &$:= (x \typecolon \GF{\ParamS{r}}) \times (y \typecolon \GF{\ParamS{r}})$
|
||||||
\ParamM{B} \smult y^2 = x^3 + \ParamM{A} \smult x^2 + x$
|
&$: \ParamM{B} \smult y^2 = x^3 + \ParamM{A} \smult x^2 + x$
|
||||||
\end{formulae}
|
\end{tabular}
|
||||||
|
|
||||||
|
\introlist
|
||||||
We also define a type representing compressed, \emph{not necessarily valid},
|
We also define a type representing compressed, \emph{not necessarily valid},
|
||||||
Edwards coordinates:
|
Edwards coordinates:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\CompressedEdwardsJubjub = (\tilde{u} \typecolon \bit) \times (\varv \typecolon \GF{\ParamS{r}})$
|
\item $\CompressedEdwardsJubjub := (\tilde{u} \typecolon \bit) \times (\varv \typecolon \GF{\ParamS{r}})$
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
\vspace{-1.5ex}
|
\vspace{-1.5ex}
|
||||||
See \crossref{jubjub} for how this type is represented as a byte sequence in
|
See \crossref{jubjub} for how this type is represented as a byte sequence in
|
||||||
|
@ -7118,6 +7129,7 @@ the wrong answer. We must ensure that these cases do not arise.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
\introsection
|
||||||
\nsubsection{Circuit Components}
|
\nsubsection{Circuit Components}
|
||||||
|
|
||||||
Each of the following sections describes how to implement a particular
|
Each of the following sections describes how to implement a particular
|
||||||
|
@ -7134,6 +7146,7 @@ A boolean constraint $b \in \bit$ can be implemented as:
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
|
|
||||||
|
\introlist
|
||||||
\nsubsubsection{Selection constraints} \label{cctselection}
|
\nsubsubsection{Selection constraints} \label{cctselection}
|
||||||
|
|
||||||
A selection constraint $b \bchoose x : y = z$, where $b \in \bit$, can be implemented as:
|
A selection constraint $b \bchoose x : y = z$, where $b \in \bit$, can be implemented as:
|
||||||
|
@ -7154,6 +7167,7 @@ To check that $(u, \varv)$ is a point on the Edwards curve, use:
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
|
|
||||||
|
\introlist
|
||||||
\nsubsubsection{Edwards decompression and validation} \label{ccteddecompressvalidate}
|
\nsubsubsection{Edwards decompression and validation} \label{ccteddecompressvalidate}
|
||||||
|
|
||||||
Define $\DecompressValidate \typecolon \CompressedEdwardsJubjub \rightarrow \AffineEdwardsJubjub$
|
Define $\DecompressValidate \typecolon \CompressedEdwardsJubjub \rightarrow \AffineEdwardsJubjub$
|
||||||
|
@ -7166,7 +7180,7 @@ as follows:
|
||||||
This can be implemented by:
|
This can be implemented by:
|
||||||
|
|
||||||
|
|
||||||
|
\introlist
|
||||||
\nsubsubsection{Edwards \lrarrow\ Montgomery conversion} \label{cctconversion}
|
\nsubsubsection{Edwards \lrarrow\ Montgomery conversion} \label{cctconversion}
|
||||||
|
|
||||||
Define $\EdwardsToMont \typecolon \AffineEdwardsJubjub \rightarrow \AffineMontJubjub$
|
Define $\EdwardsToMont \typecolon \AffineEdwardsJubjub \rightarrow \AffineMontJubjub$
|
||||||
|
@ -7196,9 +7210,9 @@ Either of these conversions can be implemented by the same \quadraticArithmeticP
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
|
|
||||||
|
\introsection
|
||||||
\nsubsubsection{Affine-Montgomery arithmetic} \label{cctmontarithmetic}
|
\nsubsubsection{Affine-Montgomery arithmetic} \label{cctmontarithmetic}
|
||||||
|
|
||||||
\introlist
|
|
||||||
The incomplete affine-Montgomery addition formulae given in
|
The incomplete affine-Montgomery addition formulae given in
|
||||||
\cite[section 4.3.2]{BL2017} are:
|
\cite[section 4.3.2]{BL2017} are:
|
||||||
|
|
||||||
|
@ -7212,12 +7226,12 @@ The incomplete affine-Montgomery addition formulae given in
|
||||||
\end{cases}$
|
\end{cases}$
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
|
\introlist
|
||||||
The following theorem helps to determine when these incomplete addition formulae
|
The following theorem helps to determine when these incomplete addition formulae
|
||||||
can be safely used:
|
can be safely used:
|
||||||
|
|
||||||
\newcommand{\halfs}{\frac{s-1}{2}}
|
\newcommand{\halfs}{\frac{s-1}{2}}
|
||||||
|
|
||||||
\introlist
|
|
||||||
\begin{theorem} \label{thmdistinctxcriterion}
|
\begin{theorem} \label{thmdistinctxcriterion}
|
||||||
Let $Q$ be a point of odd-prime order $s$ on a Montgomery curve $E_{\ParamM{A},\ParamM{B}} / \GF{\ParamS{r}}$.
|
Let $Q$ be a point of odd-prime order $s$ on a Montgomery curve $E_{\ParamM{A},\ParamM{B}} / \GF{\ParamS{r}}$.
|
||||||
Let $k_{\barerange{1}{2}}$ be integers in $\rangenozero{-\halfs}{\halfs}$.
|
Let $k_{\barerange{1}{2}}$ be integers in $\rangenozero{-\halfs}{\halfs}$.
|
||||||
|
@ -7253,6 +7267,7 @@ In particular, if $k_{\barerange{1}{2}}$ are integers in $\range{1}{\halfs}$
|
||||||
then it is sufficient to require $k_1 \neq k_2$, since that implies
|
then it is sufficient to require $k_1 \neq k_2$, since that implies
|
||||||
$k_1 \neq \pm k_2$.
|
$k_1 \neq \pm k_2$.
|
||||||
|
|
||||||
|
\vspace{2ex}
|
||||||
\introlist
|
\introlist
|
||||||
Affine-Montgomery doubling can be implemented as:
|
Affine-Montgomery doubling can be implemented as:
|
||||||
|
|
||||||
|
@ -7322,6 +7337,7 @@ $(u, \varv) = (u_1, \varv_1) = (u_2, \varv_2)$ and observing that $u \mult \varv
|
||||||
Cofactor multiplication is used to ensure that that the resulting point is of
|
Cofactor multiplication is used to ensure that that the resulting point is of
|
||||||
order $\ParamJ{r}$, which avoids certain small-subgroup attacks.
|
order $\ParamJ{r}$, which avoids certain small-subgroup attacks.
|
||||||
|
|
||||||
|
\introlist
|
||||||
The cofactor for the Jubjub curve is $8$. A cofactor multiplication can therefore
|
The cofactor for the Jubjub curve is $8$. A cofactor multiplication can therefore
|
||||||
be implemented by doubling three times, using the affine-Edwards doubling implementation
|
be implemented by doubling three times, using the affine-Edwards doubling implementation
|
||||||
in \crossref{cctedarithmetic}:
|
in \crossref{cctedarithmetic}:
|
||||||
|
@ -7368,22 +7384,23 @@ $w_{(B,\,i,\,k_i)} = \scalarmult{k_i \smult 8^i}{B}$.
|
||||||
|
|
||||||
We precompute all of $w_{(B,\,i,\,s)}$ for $i \in \range{0}{83}, s \in \range{0}{7}$.
|
We precompute all of $w_{(B,\,i,\,s)}$ for $i \in \range{0}{83}, s \in \range{0}{7}$.
|
||||||
|
|
||||||
|
\introlist
|
||||||
To look up a given window entry $w_{(B,\,i,\,s)} = (u_s, \varv_s)$, where
|
To look up a given window entry $w_{(B,\,i,\,s)} = (u_s, \varv_s)$, where
|
||||||
$s = 4 \smult s_2 + 2 \smult s_1 + s_0$, we use:
|
$s = 4 \smult s_2 + 2 \smult s_1 + s_0$, we use:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\lincomb{s_1} \times \lincomb{s_0} = \lincomb{s\suband}$
|
\item $\lincomb{s_1} \times \lincomb{s_0} = \lincomb{s\suband}$
|
||||||
\item $\lincomb{s_2} \times (-\hairspace u_0 \smult s\suband \plus u_0 \smult s_1 \plus u_0 \smult s_0 - u_0 \plus u_1 \smult s\suband
|
\item $\lincomb{s_2} \times \big(\!- u_0 \smult s\suband \plus u_0 \smult s_1 \plus u_0 \smult s_0 - u_0 \plus u_1 \smult s\suband
|
||||||
- u_1 \smult s_0 \plus u_2 \smult s\suband - u_2 \smult s_1 - u_3 \smult s\suband \\
|
- u_1 \smult s_0 \plus u_2 \smult s\suband - u_2 \smult s_1 - u_3 \smult s\suband \\
|
||||||
\mhspace{2.91em} \plus u_4 \smult s\suband - u_4 \smult s_1 - u_4 \smult s_0 \plus u_4 - u_5 \smult s\suband
|
\mhspace{3.28em} \plus u_4 \smult s\suband - u_4 \smult s_1 - u_4 \smult s_0 \plus u_4 - u_5 \smult s\suband
|
||||||
\plus u_5 \smult s_0 - u_6 \smult s\suband \plus u_6 \smult s_1 \plus u_7 \smult s\suband) = \\
|
\plus u_5 \smult s_0 - u_6 \smult s\suband \plus u_6 \smult s_1 \plus u_7 \smult s\suband\big) = \\
|
||||||
\mhspace{1.52em} \lincomb{u_s - u_0 \smult s\suband \plus u_0 \smult s_1 \plus u_0 \smult s_0 - u_0 \plus u_1 \smult s\suband
|
\mhspace{1.68em} \lincomb{u_s - u_0 \smult s\suband \plus u_0 \smult s_1 \plus u_0 \smult s_0 - u_0 \plus u_1 \smult s\suband
|
||||||
- u_1 \smult s_0 \plus u_2 \smult s\suband - u_2 \smult s_1 - u_3 \smult s\suband}$
|
- u_1 \smult s_0 \plus u_2 \smult s\suband - u_2 \smult s_1 - u_3 \smult s\suband}$
|
||||||
\item $\lincomb{s_2} \times (-\hairspace \vv_0 \smult s\suband \plus \vv_0 \smult s_1 \plus \vv_0 \smult s_0 - \vv_0 \plus \vv_1 \smult s\suband
|
\item $\lincomb{s_2} \times \big(\!- \vv_0 \smult s\suband \plus \vv_0 \smult s_1 \plus \vv_0 \smult s_0 - \vv_0 \plus \vv_1 \smult s\suband
|
||||||
- \vv_1 \smult s_0 \plus \vv_2 \smult s\suband - \vv_2 \smult s_1 - \vv_3 \smult s\suband \\
|
- \vv_1 \smult s_0 \plus \vv_2 \smult s\suband - \vv_2 \smult s_1 - \vv_3 \smult s\suband \\
|
||||||
\mhspace{2.91em} \plus \vv_4 \smult s\suband - \vv_4 \smult s_1 - \vv_4 \smult s_0 \plus \vv_4 - \vv_5 \smult s\suband
|
\mhspace{3.27em} \plus \vv_4 \smult s\suband - \vv_4 \smult s_1 - \vv_4 \smult s_0 \plus \vv_4 - \vv_5 \smult s\suband
|
||||||
\plus \vv_5 \smult s_0 - \vv_6 \smult s\suband \plus \vv_6 \smult s_1 \plus \vv_7 \smult s\suband) = \\
|
\plus \vv_5 \smult s_0 - \vv_6 \smult s\suband \plus \vv_6 \smult s_1 \plus \vv_7 \smult s\suband\big) = \\
|
||||||
\mhspace{1.52em} \lincomb{\vv_s - \vv_0 \smult s\suband \plus \vv_0 \smult s_1 \plus \vv_0 \smult s_0 - \vv_0 \plus \vv_1 \smult s\suband
|
\mhspace{1.66em} \lincomb{\vv_s - \vv_0 \smult s\suband \plus \vv_0 \smult s_1 \plus \vv_0 \smult s_0 - \vv_0 \plus \vv_1 \smult s\suband
|
||||||
- \vv_1 \smult s_0 \plus \vv_2 \smult s\suband - \vv_2 \smult s_1 - \vv_3 \smult s\suband}$
|
- \vv_1 \smult s_0 \plus \vv_2 \smult s\suband - \vv_2 \smult s_1 - \vv_3 \smult s\suband}$
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
|
@ -7623,14 +7640,17 @@ addition saves a constraint because the $\varv$-coordinate is not needed.)
|
||||||
$\BlakeTwosGeneric$ is defined in \cite{ANWW2013}. Its main subcomponent is a
|
$\BlakeTwosGeneric$ is defined in \cite{ANWW2013}. Its main subcomponent is a
|
||||||
``$G$ function'', defined as follows:
|
``$G$ function'', defined as follows:
|
||||||
|
|
||||||
$G \typecolon ... \rightarrow ...$
|
\begin{formulae}
|
||||||
|
\item $G \typecolon ... \rightarrow ...$
|
||||||
$G(...) = ...$
|
\item $G(...) = ...$
|
||||||
|
\end{formulae}
|
||||||
|
|
||||||
A 32-bit exclusive-or can be implemented in $32$ constraints, one for each bit position
|
A 32-bit exclusive-or can be implemented in $32$ constraints, one for each bit position
|
||||||
$a \xor b = c$:
|
$a \xor b = c$:
|
||||||
|
|
||||||
$(2 \smult a) \times (b) = (a + b - c)$
|
\begin{formulae}
|
||||||
|
\item $\constraint{2 \smult a}{b}{a + b - c}$
|
||||||
|
\end{formulae}
|
||||||
|
|
||||||
Additions not involving a message word require $33$ constraints:
|
Additions not involving a message word require $33$ constraints:
|
||||||
|
|
||||||
|
|