Work in progress for viewing key support.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2016-02-16 20:07:31 +00:00 · 2016-02-16 20:07:31 +00:00 · a7e10012f7
parent 9ed6ece058
commit a7e10012f7
2 changed files with 279 additions and 133 deletions
--- a/protocol/protocol.pdf
+++ b/protocol/protocol.pdf
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@ -74,15 +74,21 @@
 \newcommand{\script}{\term{script}}
 \newcommand{\serialNumber}{\term{serial number}}
 \newcommand{\serialNumbers}{\term{serial numbers}}
-\newcommand{\publicAddress}{\term{confidential address}}
-% Let's rename ``privateAddress'' to something else, since it sounds like an oxymoron to me. (This is related to a code naming issue #602 and we might want to update both at the same time.)
-\newcommand{\privateAddress}{\term{confidential private key}}
+% Daira: This doesn't adequately distinguish between zk stuff and transparent stuff
+\newcommand{\paymentAddress}{\term{payment address}}
+\newcommand{\paymentAddresses}{\term{payment addresses}}
+\newcommand{\viewingKey}{\term{viewing key}}
+\newcommand{\viewingKeys}{\term{viewing keys}}
+\newcommand{\spendingKey}{\term{spending key}}
+\newcommand{\spendingKeys}{\term{spending keys}}
+\newcommand{\keyTuple}{\term{key tuple}}
 \newcommand{\coinPlaintext}{\term{coin plaintext}}
 \newcommand{\coinPlaintexts}{\term{coin plaintexts}}
 \newcommand{\coinsCiphertext}{\term{transmitted coins ciphertext}}
-\newcommand{\transmitPublicAlgorithm}{\term{key-private encryption}}
-\newcommand{\transmitPrivateAlgorithm}{\term{key-private decryption}}
-\newcommand{\spendAuthority}{\term{spend authority}}
+\newcommand{\authKeypair}{\term{authorization}}
+\newcommand{\transmitKeypair}{\term{transmission}}
+\newcommand{\discloseKeypair}{\term{disclosure}}
+\newcommand{\keyPrivateAlgorithm}{\term{key-private encryption scheme}}
 \newcommand{\incrementalMerkleTree}{\term{incremental merkle tree}}
 \newcommand{\spentSerialsMap}{\term{spent serial numbers map}}
 \newcommand{\zkSNARK}{\term{zk-SNARK}}
@ -90,22 +96,35 @@
 \newcommand{\memo}{\term{memo field}}

 % key pairs:
-\newcommand{\PublicAddress}{\mathsf{addr_{pk}}}
-\newcommand{\PrivateAddress}{\mathsf{addr_{sk}}}
-\newcommand{\PublicAddressLeadByte}{\mathbf{0x92}}
-\newcommand{\PrivateAddressLeadByte}{\mathbf{0x93}}
-\newcommand{\SpendAuthorityPublic}{\mathsf{a_{pk}}}
-\newcommand{\SpendAuthorityPrivate}{\mathsf{a_{sk}}}
-\newcommand{\SpendAuthorityPublicOld}[1]{\mathsf{a^{old}_{pk,\mathnormal{#1}}}}
-\newcommand{\SpendAuthorityPrivateOld}[1]{\mathsf{a^{old}_{sk,\mathnormal{#1}}}}
-\newcommand{\SpendAuthorityPublicNew}[1]{\mathsf{a^{new}_{pk,\mathnormal{#1}}}}
-\newcommand{\SpendAuthorityPrivateNew}[1]{\mathsf{a^{new}_{sk,\mathnormal{#1}}}}
-\newcommand{\TransmitPublic}{\mathsf{pk_{enc}}}
-\newcommand{\TransmitPublicNew}[1]{\mathsf{pk_{enc,\mathnormal{#1}}}}
-\newcommand{\TransmitPrivate}{\mathsf{sk_{enc}}}
-\newcommand{\TransmitPrivateNew}[1]{\mathsf{sk_{enc,\mathnormal{#1}}}}
-\newcommand{\EphemeralPublic}{\mathsf{pk_{eph}}}
-\newcommand{\EphemeralPrivate}{\mathsf{sk_{eph}}}
+\newcommand{\PaymentAddress}{\mathsf{addr_{pk}}}
+\newcommand{\ViewingKey}{\mathsf{addr_{viewkey}}}
+\newcommand{\SpendingKey}{\mathsf{addr_{sk}}}
+\newcommand{\PaymentAddressLeadByte}{\mathbf{0x92}}
+\newcommand{\ViewingKeyLeadByte}{\mathbf{0x??}}
+\newcommand{\SpendingKeyLeadByte}{\mathbf{0x93}}
+\newcommand{\AuthPublic}{\mathsf{a_{pk}}}
+\newcommand{\AuthPrivate}{\mathsf{a_{sk}}}
+\newcommand{\AuthPublicOld}[1]{\mathsf{a^{old}_{pk,\mathnormal{#1}}}}
+\newcommand{\AuthPrivateOld}[1]{\mathsf{a^{old}_{sk,\mathnormal{#1}}}}
+\newcommand{\AuthPublicNew}[1]{\mathsf{a^{new}_{pk,\mathnormal{#1}}}}
+\newcommand{\AuthPrivateNew}[1]{\mathsf{a^{new}_{sk,\mathnormal{#1}}}}
+\newcommand{\AddressPublicNew}[1]{\mathsf{addr^{new}_{pk,\mathnormal{#1}}}}
+\newcommand{\enc}{\mathsf{enc}}
+\newcommand{\alleged}{\mathsf{alleged}}
+\newcommand{\disclose}{\mathsf{disclose}}
+\newcommand{\PublicKey}[1]{\mathsf{pk_\mathnormal{#1}}}
+\newcommand{\PrivateKey}[1]{\mathsf{sk_\mathnormal{#1}}}
+\newcommand{\EphemeralPublic}[1]{\mathsf{epk_\mathnormal{#1}}}
+\newcommand{\EphemeralPrivate}[1]{\mathsf{esk_\mathnormal{#1}}}
+\newcommand{\TransmitPublic}{\PublicKey{\enc}}
+\newcommand{\TransmitPublicNew}[1]{\mathsf{pk^{new}_{\enc,\mathnormal{#1}}}}
+\newcommand{\TransmitPrivate}{\PrivateKey{\enc}}
+\newcommand{\DisclosePublic}{\PublicKey{\disclose}}
+\newcommand{\DisclosePrivate}{\PrivateKey{\disclose}}
+\newcommand{\TransmitEphemeralPublic}{\EphemeralPublic{\enc}}
+\newcommand{\TransmitEphemeralPrivate}{\EphemeralPrivate{\enc}}
+\newcommand{\DiscloseEphemeralPublic}{\EphemeralPublic{\disclose}}
+\newcommand{\DiscloseEphemeralPrivate}{\EphemeralPrivate{\disclose}}
 \newcommand{\Value}{\mathsf{v}}

 % Coins
@ -125,12 +144,15 @@
 \newcommand{\CryptoBoxOpen}{\mathsf{crypto\_box\_open}}
 \newcommand{\CryptoBoxSeal}{\mathsf{crypto\_box\_seal}}
 \newcommand{\CryptoBoxSpecific}{\mathsf{crypto\_box\_curve25519xsalsa20poly1305}}
-\newcommand{\Plaintext}[1]{\mathbf{P}_{#1}}
-\newcommand{\Ciphertext}[1]{\mathbf{C}_{#1}}
+\newcommand{\Plaintext}[1]{\mathbf{P}^\enc_{#1}}
+\newcommand{\AllegedPlaintext}[1]{\mathbf{P}^\alleged_{#1}}
+\newcommand{\DisclosePlaintext}{\mathbf{P}^\disclose}
+\newcommand{\TransmitCiphertext}[1]{\mathbf{C}^\enc_{#1}}
+\newcommand{\DiscloseCiphertext}{\mathbf{C}^\disclose}
+\newcommand{\Tag}[1]{\mathsf{tag}_{#1}}
 \newcommand{\Nonce}{\mathsf{nonce}}
 \newcommand{\Prenonce}{\mathsf{prenonce}}
-\newcommand{\TransmitEncrypt}[1]{\mathsf{Encrypt}_{#1}}
-\newcommand{\TransmitDecrypt}[1]{\mathsf{Decrypt}_{#1}}
+\newcommand{\Encrypt}[1]{\mathsf{Encrypt}_{#1}}
 \newcommand{\CRH}{\mathsf{CRH}}
 \newcommand{\CRHbox}[1]{\CRH\left(\;\raisebox{-1.3ex}{\usebox{#1}}\;\right)}
 \newcommand{\FullHash}{\mathtt{SHA256}}
@ -168,8 +190,10 @@
 \newcommand{\scriptPubKey}{\mathtt{scriptPubKey}}
 \newcommand{\serials}{\mathtt{serials}}
 \newcommand{\commitments}{\mathtt{commitments}}
-\newcommand{\ephemeralKey}{\mathtt{ephemeralKey}}
-\newcommand{\ciphertexts}{\mathtt{ciphertexts}}
+\newcommand{\encEphemeral}{\mathtt{encEphemeral}}
+\newcommand{\encCiphertexts}{\mathtt{encCiphertexts}}
+\newcommand{\discloseEphemeral}{\mathtt{discloseEphemeral}}
+\newcommand{\discloseCiphertext}{\mathtt{discloseCiphertext}}
 \newcommand{\rt}{\mathsf{rt}}

 % pour
@ -198,7 +222,7 @@
 \begin{document}

 \title{Zcash Protocol Specification \\
-\Large Version 2.0-draft-1}
+\Large Version 2.0-draft-2}
 \author{Sean Bowe | Daira Hopwood | Taylor Hornby}
 \date{\today}
 \maketitle
@ -278,7 +302,7 @@ ensuring that the functions are independent.
 \newsavebox{\addrbox}
 \begin{lrbox}{\addrbox}
 \begin{bytefield}[bitwidth=0.065em]{512}
-        \bitbox{242}{256 bit $\SpendAuthorityPrivate$} &
+        \bitbox{242}{256 bit $\AuthPrivate$} &
        \bitbox{18}{0} &
        \bitbox{18}{0} &
        \bitbox{222}{$0^{254}$} &
@ -288,7 +312,7 @@ ensuring that the functions are independent.
 \newsavebox{\snbox}
 \begin{lrbox}{\snbox}
 \begin{bytefield}[bitwidth=0.065em]{512}
-        \bitbox{242}{256 bit $\SpendAuthorityPrivate$} &
+        \bitbox{242}{256 bit $\AuthPrivate$} &
        \bitbox{18}{0} &
        \bitbox{18}{1} &
        \bitbox{222}{$\Leading{254}(\CoinAddressRand)$} &
@ -298,7 +322,7 @@ ensuring that the functions are independent.
 \newsavebox{\pkbox}
 \begin{lrbox}{\pkbox}
 \begin{bytefield}[bitwidth=0.065em]{512}
-        \bitbox{242}{256 bit $\SpendAuthorityPrivate$} &
+        \bitbox{242}{256 bit $\AuthPrivate$} &
        \bitbox{18}{1} &
        \bitbox{18}{0} &
        \bitbox{18}{\iminusone} &
@ -323,9 +347,9 @@ is associated with this bit-packing.}

 \begin{equation*}
 \begin{aligned}
-\SpendAuthorityPublic &:= \PRFaddr{\SpendAuthorityPrivate}(0) &= \CRHbox{\addrbox} \\
-\sn &:= \PRFsn{\SpendAuthorityPrivate}(\CoinAddressRand) &= \CRHbox{\snbox} \\
-\h{i} &:= \PRFpk{\SpendAuthorityPrivate}(i, \hSig) &= \CRHbox{\pkbox} \\
+\AuthPublic &:= \PRFaddr{\AuthPrivate}(0) &= \CRHbox{\addrbox} \\
+\sn &:= \PRFsn{\AuthPrivate}(\CoinAddressRand) &= \CRHbox{\snbox} \\
+\h{i} &:= \PRFpk{\AuthPrivate}(i, \hSig) &= \CRHbox{\pkbox} \\
 \setchanged \CoinAddressRandNew{i} &\setchanged := \PRFrho{\CoinAddressPreRand}(i, \hSig)
 &\setchanged = \CRHbox{\rhobox}
 \end{aligned}
@ -334,43 +358,72 @@ is associated with this bit-packing.}
 \daira{Should we instead define $\CoinAddressRand$ to be 254 bits and $\hSig$ to be
 253 bits?}

-\subsection{Confidential Addresses and Private Keys}
+\subsection{Payment Addresses\changed{, Viewing Keys,} and Spending Keys}

-\nathan{This term, \publicAddress, may be confusing by comparison to
-a ``private key''. In the latter case the adjective is reminding a
-user of their responsibility to protect its privacy, but in the case
-of \publicAddress we want users to know ``transfers to this address
-are confidential, but the address itself *may* be published or kept
-confidential depending on your needs. Two different people can compare
-addresses to know they have the same \publicAddress.''}
+A \keyTuple $(\PaymentAddress, \changed{\ViewingKey,\;} \SpendingKey)$ is generated
+by users who wish to receive payments under this scheme. The parts of
+the \keyTuple are composed from \changed{three} distinct keypairs, called the
+\authKeypair, \transmitKeypair \changed{, and \discloseKeypair} keypairs.

-A key pair $(\PublicAddress, \PrivateAddress)$ is generated by
-users who wish to receive coins under this scheme. The tuple parts
-embody two distinct keypairs used for different purposes called
-the \spendAuthority and the \transmitPublicAlgorithm keypair. The
-\publicAddress $\PublicAddress$ is a tuple $(\SpendAuthorityPublic,
-\TransmitPublic)$, containing the public components of the \spendAuthority
-and \transmitPublicAlgorithm respectively. The $\PrivateAddress$ is
-a tuple $(\SpendAuthorityPrivate, \TransmitPrivate)$, containing the
-secret components respectively.
+\begin{itemize}
+  \item The \paymentAddress $\PaymentAddress$ is a pair
+        $(\AuthPublic, \TransmitPublic)$, containing the \emph{public}
+        components of the \authKeypair and \transmitKeypair keypairs
+        respectively.
+\changed{
+  \item The \viewingKey $\ViewingKey$ is a pair
+        $(\TransmitPrivate, \DisclosePrivate)$, containing the \emph{private}
+        components of the \transmitKeypair and \discloseKeypair keypairs
+        respectively.
+}
+  \item The \spendingKey $\SpendingKey$ is a \changed{triple}
+        $(\AuthPrivate, \TransmitPrivate\changed{, \DisclosePrivate})$,
+        containing the \emph{private} components of the \authKeypair,
+        \transmitKeypair\changed{, and \discloseKeypair} keypairs respectively.
+\end{itemize}

-\nathan{A diagram could really help here.}
+The following diagram depicts the relations between key components.
+Arrows point from a private component to the corresponding public
+component derived from it.
+
+\begin{center}
+\includegraphics[scale=.5]{key_components}
+\end{center}
+
+Note that a \spendingKey holder can derive
+$(\AuthPublic, \TransmitPublic\changed{, \DisclosePublic})$,
+\changed{and a \viewingKey holder can derive $(\TransmitPublic, \DisclosePublic)$,}
+even though these components are not formally part of the respective keys.
+Implementations \MAY cache these derived public components, provided that
+they are deleted if the corresponding private component is deleted.
+
+The composition of \paymentAddresses\changed{, \viewingKeys,} and \spendingKeys
+is a cryptographic protocol detail that should not normally be
+exposed to users. However, user-visible operations should be provided
+to:
+
+\begin{itemize}
+\changed{
+  \item obtain a \viewingKey from a \spendingKey; and
+}
+  \item obtain a \paymentAddress from a \spendingKey.
+\end{itemize}

 Users can accept payment from multiple parties with a single
-$\PublicAddress$ and the fact that these payments are destined to
+$\PaymentAddress$ and the fact that these payments are destined to
 the same payee is not revealed on the blockchain, even to the
 paying parties. \emph{However} if two parties collude to compare a
-$\PublicAddress$ they can trivially determine they are the same. In the
+$\PaymentAddress$ they can trivially determine they are the same. In the
 case that a payee wishes to prevent this they should create a distinct
-\publicAddress for each payer.
+\paymentAddress for each payer.

 \subsection{Coins}

-A \coin (denoted $\Coin$) is a tuple $\changed{(\SpendAuthorityPublic, \Value,
+A \coin (denoted $\Coin$) is a tuple $\changed{(\AuthPublic, \Value,
 \CoinAddressRand, \CoinCommitRand)}$ which represents that a value $\Value$ is
-spendable by the recipient who holds the $\spendAuthority$ key pair
-$(\SpendAuthorityPublic, \SpendAuthorityPrivate)$ such that
-$\SpendAuthorityPublic = \PRFaddr{\SpendAuthorityPrivate}(0)$.
+spendable by the recipient who holds the $\authKeypair$ key pair
+$(\AuthPublic, \AuthPrivate)$ such that
+$\AuthPublic = \PRFaddr{\AuthPrivate}(0)$.

 $\CoinCommitRand$ is randomly generated by the sender. \changed{$\CoinAddressRand$
 is generated from a random seed $\CoinAddressPreRand$ using
@ -383,13 +436,17 @@ the value and recipient \emph{except} to those who possess these tokens.
 In order to transmit the secret $\Value$, $\CoinAddressRand$, and $\CoinCommitRand$
 (necessary for the recipient to later spend) \changed{and also a \memo} to the
 recipient \emph{without} requiring an out-of-band communication channel, the
-$\transmitPublicAlgorithm$ public key $\TransmitPublic$ is used to encrypt these
-secrets to form a \coinsCiphertext. The recipient's possession of the associated
-$(\PublicAddress, \PrivateAddress)$ (which contains both $\SpendAuthorityPublic$ and
+\transmitKeypair public key $\TransmitPublic$ is used to encrypt these
+secrets. The recipient's possession of the associated
+$(\PaymentAddress, \SpendingKey)$ (which contains both $\AuthPublic$ and
 $\TransmitPrivate$) is used to reconstruct the original \coin \changed{ and \memo}.
+\changed{To also transmit these values to a \viewingKey holder for outgoing
+\PourTransfers, the \discloseKeypair public key $\DisclosePublic$ is used to
+encrypt the ephemeral secret and address public keys from the preceding
+encryptions.} The encryptions are combined to form a \coinsCiphertext.

 \changed{
-The encryption algorithm is defined in terms of $\CryptoBox$ (i.e.
+The encryption algorithm is defined in terms of $\CryptoBox$ (specifically,
 $\CryptoBoxSpecific$) \cite{cryptobox} as follows.
 }

@ -397,9 +454,9 @@ $\CryptoBoxSpecific$) \cite{cryptobox} as follows.
 \begin{lrbox}{\prenoncebox}
 \setchanged
 \begin{bytefield}[bitwidth=0.05em]{520}
-        \bitbox{120}{64 bit $i-1$} &
-        \bitbox{256}{256 bit $\EphemeralPublic$}
-        \bitbox{256}{256 bit $\TransmitPublicNew{i}$}
+        \bitbox{120}{64 bit $\Tag{i}$} &
+        \bitbox{256}{256 bit $\EphemeralPublic{}$}
+        \bitbox{256}{256 bit $\PublicKey{i}$}
 \end{bytefield}
 \end{lrbox}

@ -408,74 +465,148 @@ $\CryptoBoxSpecific$) \cite{cryptobox} as follows.
 \setchanged
 \begin{bytefield}[bitwidth=0.085em]{192}
        \bitbox{128}{$\Leading{128}(\Prenonce)$} &
-        \bitbox{72}{64 bit $i-1$}
+        \bitbox{64}{64 bit $\Tag{i}$}
+\end{bytefield}
+\end{lrbox}
+
+\newsavebox{\tagibox}
+\begin{lrbox}{\tagibox}
+\setchanged
+\begin{bytefield}[bitwidth=0.09em]{64}
+        \bitbox{64}{64 bit $i-1$}
+\end{bytefield}
+\end{lrbox}
+
+\newsavebox{\tagdbox}
+\begin{lrbox}{\tagdbox}
+\setchanged
+\begin{bytefield}[bitwidth=0.09em]{64}
+        \bitbox{64}{$1^{64}$}
+\end{bytefield}
+\end{lrbox}
+
+\newsavebox{\disclosebox}
+\begin{lrbox}{\disclosebox}
+\setchanged
+\begin{bytefield}[bitwidth=0.04em]{1536}
+        \bitbox{256}{256 bit $\TransmitEphemeralPrivate$}
+        \bitbox{256}{256 bit $\TransmitPublicNew{\mathrm{1}}$}
+        \bitbox{40}{...}
+        \bitbox{256}{256 bit $\TransmitPublicNew{\NNew}$}
 \end{bytefield}
 \end{lrbox}

 Let $\TransmitPublicNew{\mathrm{1}..\NNew}$ be the \changed{Curve25519} public keys
-for the intended recipient addresses of each new \coin, and let $\Plaintext{1..\NNew}$
-be their \coinPlaintexts.
+for the intended recipient addresses of each new \coin,
+\changed{let $\PublicKey{\disclose}$ be the sender's \discloseKeypair public key,}
+and let $\Plaintext{1..\NNew}$ be the \coinPlaintexts.

 \changed{
 Define:
 \begin{equation*}
 \begin{aligned}
-\Prenonce(i, \EphemeralPublic, \TransmitPublicNew{i}) &:= \FullHashbox{\prenoncebox} \\
-\Nonce(i, \EphemeralPublic, \TransmitPublicNew{i}) &:= \Justthebox{\noncebox}
+\Prenonce(\Tag{i}, \EphemeralPublic, \PublicKey{i}) &:= \FullHashbox{\prenoncebox} \\
+\Nonce(\Tag{i}, \EphemeralPublic, \PublicKey{i}) &:= \Justthebox{\noncebox} \\
+\Tag{i} &:= \Justthebox{\tagibox} \\
+\Tag{\disclose} &:= \Justthebox{\tagdbox} \\
+\DisclosePlaintext &:= \Justthebox{\disclosebox}
 \end{aligned}
 \end{equation*}
 }

 Then to encrypt:

-\changed{
 \begin{itemize}
-  \item Generate a new Curve25519 (public, private) key pair $(\EphemeralPublic, \EphemeralPrivate)$.
-  \item For $i$ in $\{1..\NNew\}$, let $\Ciphertext{i} = \CryptoBox(\Plaintext{i}, \TransmitPublicNew{i}, \EphemeralPrivate,
-\Nonce(i, \EphemeralPublic, \TransmitPublicNew{i}))$.
-  \item Let $\TransmitEncrypt{\TransmitPublicNew{\mathrm{1}..\NNew}}(\Plaintext{1..\NNew}) =
-(\EphemeralPublic, \Ciphertext{1..\NNew})$.
-\end{itemize}
+\changed{
+  \item Generate two new independent Curve25519 (public, private) key pairs:
+$(\TransmitEphemeralPublic, \TransmitEphemeralPrivate)$ and
+$(\DiscloseEphemeralPublic, \DiscloseEphemeralPrivate)$.
+  \item For $i$ in $\{1..\NNew\}$, let $\TransmitCiphertext{i} =
+\CryptoBox(\Plaintext{i}, \PublicKey{i}, \EphemeralPrivate,
+\Nonce(\Tag{i}, \TransmitEphemeralPublic, \TransmitPublicNew{i}))$
+  \item Let $\DiscloseCiphertext = \CryptoBox(\DisclosePlaintext,
+\DisclosePublic, \DiscloseEphemeralPrivate,
+\Nonce(\Tag{\disclose}, \DiscloseEphemeralPublic, \DisclosePublic))$
 }
+\end{itemize}
+
+The resulting \coinsCiphertext is $\changed{(\TransmitEphemeralPublic,}\;
+\TransmitCiphertext{\mathrm{1}..\NNew}\changed{, \DiscloseEphemeralPublic,
+\DiscloseCiphertext)}$.

 Let $(\TransmitPublic, \TransmitPrivate)$ be the recipient's \changed{Curve25519}
-(public, private) key pair, and let $\changed{(\EphemeralPublic,}\;
-\Ciphertext{1..\NNew}\changed{)}$ be the \coinsCiphertext.
+(public, private) key pair. Then for each $i$ in $\{1..\NNew\}$, the recipient
+will attempt to decrypt that ciphertext component as follows:

-Then for each $i$ in $\{1..\NNew\}$, the recipient will attempt to decrypt that
-ciphertext component as follows:
+\begin{itemize}
+\changed{
+  \item $\AllegedPlaintext{i} := \CryptoBoxOpen(\TransmitCiphertext{i},
+\TransmitEphemeralPublic, \TransmitPrivate,
+\Nonce(\Tag{i}, \TransmitEphemeralPublic, \TransmitPublic))$
+  \item \todo{validation}
+}
+\end{itemize}

 \changed{
-\begin{itemize}
-  \item $\TransmitDecrypt{\TransmitPrivate}(i, \EphemeralPublic, \Ciphertext{i}) =
-\CryptoBoxOpen(\Ciphertext{i}, \EphemeralPublic, \TransmitPrivate,
-\Nonce(i, \EphemeralPublic, \TransmitPublic))$
-\end{itemize}
+Similarly, let $(\DisclosePublic, \DisclosePrivate)$ be a \viewingKey holder's
+Curve25519 (public, private) key pair. Then for each \PourDescription in its
+\blockchainview, the \viewingKey holder will attempt to decrypt the corresponding
+\coinsCiphertext as follows:
 }

-Any ciphertext components that fail to decrypt with a given recipient's private key
-will be ignored.
+\begin{itemize}
+\changed{
+  \item Let $\DisclosePlaintext :=
+\CryptoBoxOpen(\DiscloseCiphertext, \DiscloseEphemeralPublic,
+\DisclosePrivate, \Nonce(\Tag{i}, \DiscloseEphemeralPublic, \DisclosePublic))$
+  \item Extract $\TransmitEphemeralPrivate$ and $\TransmitPublicNew{\mathrm{1}..\NNew}$
+from $\DisclosePlaintext$.
+  \item For $i$ in $\{1..\NNew\}$,
+    \begin{itemize}
+      \item let $\AllegedPlaintext{i} :=
+\CryptoBoxOpen(\TransmitCiphertext{i}, \TransmitEphemeralPrivate,
+\TransmitPublicNew{i}, \Nonce(\Tag{i}, \TransmitEphemeralPublic, \TransmitPublicNew{i}))$
+      \item \todo{validation}
+    \end{itemize}
+}
+\end{itemize}
+
+Any ciphertext components that fail to decrypt \MUST be ignored. Once a component
+has been decrypted, it \MUST be validated as described in section ``Coin Commitments''.

 \changed{
-This is a variation on the $\CryptoBoxSeal$ algorithm defined in libsodium
-\cite{cryptoboxseal}, but with a single ephemeral key used for all encryptions in a
-given \PourDescription, and with the nonce for each ciphertext component depending
-on the index $i$. Also, $\FullHash$ (the full hash, not the compression function) is
-used instead of $\mathsf{blake2b}$. The particular nonce construction is chosen so
-that a known-nonce distinguisher for $\mathsf{Salsa20}$ would not directly lead to a
-break of the IK-CCA (key privacy) property.
+This is based loosely on the $\CryptoBoxSeal$ algorithm defined in libsodium
+\cite{cryptoboxseal}, but with the following differences:
+\begin{itemize}
+  \item The same ephemeral key is used for all encryptions to the recipient keys
+        in a given \PourDescription.
+  \item The nonce for each ciphertext component depends on the index $i$.
+        The particular nonce construction is chosen so that a known-nonce
+        distinguisher for $\mathsf{Salsa20}$ would not directly lead to a break
+        of the IK-CCA (key privacy) property.
+  \item $\FullHash$ (the full hash, not the compression function) is used instead
+        of $\mathsf{blake2b}$.
+  \item The ephemeral secret $\TransmitEphemeralPrivate$ is included together with
+        the \transmitKeypair public keys of the recipients, encrypted to the
+        \discloseKeypair public key. This allows a \viewingKey holder to decrypt
+        and validate these ciphertexts (if the sender constructs the \PourDescription
+        honestly). It also ensures (without assuming honesty of the sender) that if
+        the \viewingKey holder can decrypt a given component, then the indicated
+        recipient also has enough information to decrypt it and will receive the
+        same \coinPlaintext.
+\end{itemize}
 }

 \subsubsection{Coin Commitments}

-The underlying $\Value$ and $\SpendAuthorityPublic$ are blinded with $\CoinAddressRand$
+The underlying $\Value$ and $\AuthPublic$ are blinded with $\CoinAddressRand$
 and $\CoinCommitRand$ using the collision-resistant hash function $\CRH$ in a
 multi-layered process. The resulting hash $\cm = \CoinCommitment{\Coin}$.

 \newsavebox{\ihbox}
 \begin{lrbox}{\ihbox}
 \begin{bytefield}[bitwidth=0.08em]{512}
-	\bitbox{256}{256 bit $\SpendAuthorityPublic$} &
+	\bitbox{256}{256 bit $\AuthPublic$} &
 	\bitbox{256}{256 bit $\CoinAddressRand$}
 \end{bytefield}
 \end{lrbox}
@ -508,8 +639,8 @@ multi-layered process. The resulting hash $\cm = \CoinCommitment{\Coin}$.
 \subsubsection{Serial numbers}

 A \serialNumber (denoted $\sn$) equals 
-$\PRFsn{\SpendAuthorityPrivate}(\CoinAddressRand)$. A \coin is spent by proving
-knowledge of $\CoinAddressRand$ and $\SpendAuthorityPrivate$ in zero knowledge while
+$\PRFsn{\AuthPrivate}(\CoinAddressRand)$. A \coin is spent by proving
+knowledge of $\CoinAddressRand$ and $\AuthPrivate$ in zero knowledge while
 disclosing $\sn$, allowing $\sn$ to be used to prevent double-spending.

 \subsection{Coin Commitment Tree}
@ -633,14 +764,21 @@ $\scriptSig$.
 $\cmNew{\mathrm{1}..\NNew}$.

 \changed{
-\item $\ephemeralKey$ which is a Curve25519 public key $\EphemeralPublic$.
+\item $\encEphemeral$ which is a Curve25519 public key $\TransmitEphemeralPublic$.
+
+\item $\encCiphertexts$ which is a $\NNew$ size sequence of ciphertext
+components, $\TransmitCiphertext{\mathrm{1}..\NNew}$.
+
+\item $\discloseEphemeral$ which is a Curve25519 public key $\DiscloseEphemeralPublic$.
+
+\item $\discloseCiphertext$ which is the ciphertext component
+$\DiscloseCiphertext$.
+
+(The preceding four fields together form the \coinsCiphertext.)
 }

-\item $\ciphertexts$ which is a $\NNew$ size sequence of ciphertext components.
-(\changed{$\ephemeralKey$ and} $\ciphertexts$ together form the \coinsCiphertext.)
-
 \item $\vmacs$ which is a $\NOld$ size sequence of message authentication tags
-$\h{\mathrm{1}..\NOld}$ that bind $\hSig$ to each $\SpendAuthorityPrivate$ of the
+$\h{\mathrm{1}..\NOld}$ that bind $\hSig$ to each $\AuthPrivate$ of the
 $\PourDescription$.

 \item $\zkproof$ which is the zero-knowledge proof $\PourProof$.
@ -714,15 +852,15 @@ In \Zcash, $\NOld$ and $\NNew$ are both $2$.
 A valid instance of $\PourProof$ assures that given a \term{primary input}
 $(\rt, \snOld{\mathrm{1}..\NOld}, \cmNew{\mathrm{1}..\NNew}, \changed{\vpubOld,\;}
 \vpubNew, \hSig, \h{1..\NOld})$, a witness of \term{auxiliary input}
-$(\treepath{1..\NOld}, \cOld{1..\NOld}, \SpendAuthorityPrivateOld{\mathrm{1}..\NOld},
+$(\treepath{1..\NOld}, \cOld{1..\NOld}, \AuthPrivateOld{\mathrm{1}..\NOld},
 \cNew{1..\NNew}\changed{, \CoinAddressPreRand})$ exists, where:

 \begin{list}{}{}

-\item for each $i \in \{1..\NOld\}$: $\cOld{i}$ = $(\SpendAuthorityPublicOld{i},
+\item for each $i \in \{1..\NOld\}$: $\cOld{i}$ = $(\AuthPublicOld{i},
 \vOld{i}, \CoinAddressRandOld{i}, \CoinCommitRandOld{i})$

-\item for each $i \in \{1..\NNew\}$: $\cNew{i}$ = $(\SpendAuthorityPublicNew{i},
+\item for each $i \in \{1..\NNew\}$: $\cNew{i}$ = $(\AuthPublicNew{i},
 \vNew{i}, \CoinAddressRandNew{i}, \CoinCommitRandNew{i})$

 \item The following conditions hold:
@ -742,16 +880,16 @@ $\changed{\vpubOld +} \vsum{i=1}{\NOld} \vOld{i} = \vpubNew + \vsum{i=1}{\NNew}
 \subparagraph{Serial integrity}

 for each $i \in \{1..\NNew\}$: 
-$\snOld{i} = \PRFsn{\SpendAuthorityPrivateOld{i}}(\CoinAddressRandOld{i})$.
+$\snOld{i} = \PRFsn{\AuthPrivateOld{i}}(\CoinAddressRandOld{i})$.

 \subparagraph{Spend authority}

 for each $i \in \{1..\NOld\}$:
-$\SpendAuthorityPublicOld{i} = \PRFaddr{\SpendAuthorityPrivateOld{i}}(0)$.
+$\AuthPublicOld{i} = \PRFaddr{\AuthPrivateOld{i}}(0)$.

 \subparagraph{Non-malleability}

-for each $i \in \{1..\NOld\}$: $\h{i}$ = $\PRFpk{\SpendAuthorityPrivateOld{i}}(i, \hSig)$
+for each $i \in \{1..\NOld\}$: $\h{i}$ = $\PRFpk{\AuthPrivateOld{i}}(i, \hSig)$

 \changed{
 \subparagraph{Uniqueness of $\CoinAddressRandNew{i}$}
@ -788,8 +926,8 @@ These are encoded in the same way as in \Bitcoin \cite{Base58Check}.

 \subsection{Confidential Public Addresses}

-A \publicAddress consists of $\SpendAuthorityPublic$ and $\TransmitPublic$.
-$\SpendAuthorityPublic$ is a SHA-256 compression function output.
+A \paymentAddress consists of $\AuthPublic$ and $\TransmitPublic$.
+$\AuthPublic$ is a SHA-256 compression function output.
 $\TransmitPublic$ is a \changed{Curve25519} public key, for use with the
 encryption scheme defined in section ``In-band secret distribution".

@ -799,18 +937,19 @@ The raw encoding of a confidential address consists of:

 \begin{equation*}
 \begin{bytefield}[bitwidth=0.07em]{520}
-    \bitbox{48}{\changed{$\PublicAddressLeadByte$}} &
-    \bitbox{256}{$\SpendAuthorityPublic$ (32 bytes)} &
+\changed{
+    \bitbox{48}{$\PaymentAddressLeadByte$}
+  &}\bitbox{256}{$\AuthPublic$ (32 bytes)} &
    \bitbox{256}{A \changed{32-byte} encoding of $\TransmitPublic$}
 \end{bytefield}
 \end{equation*}

 \begin{itemize}
 \changed{
-    \item A byte, $\PublicAddressLeadByte$, indicating this version of the
+    \item A byte, $\PaymentAddressLeadByte$, indicating this version of the
        raw encoding of a \Zcash public address.
 }
-    \item 32 bytes specifying $\SpendAuthorityPublic$.
+    \item 32 bytes specifying $\AuthPublic$.
    \item \changed{32 bytes} specifying $\TransmitPublic$, \changed{using the
        normal encoding of a Curve25519 public key \cite{Curve25519}}.
 \end{itemize}
@ -822,8 +961,8 @@ and produces `z' as the Base58Check leading character.}

 \subsection{Confidential Address Secrets}

-A confidential address secret consists of $\SpendAuthorityPrivate$ and
-$\TransmitPrivate$. $\SpendAuthorityPrivate$ is a SHA-256 compression function
+A confidential address secret consists of $\AuthPrivate$ and
+$\TransmitPrivate$. $\AuthPrivate$ is a SHA-256 compression function
 output. $\TransmitPrivate$ is a \changed{Curve25519} private key, for use with
 the encryption scheme defined in section ``In-band secret distribution".

@ -833,18 +972,19 @@ The raw encoding of a confidential address secret consists of, in order:

 \begin{equation*}
 \begin{bytefield}[bitwidth=0.07em]{520}
-    \bitbox{48}{\changed{$\PrivateAddressLeadByte$}} &
-    \bitbox{256}{$\SpendAuthorityPrivate$ (32 bytes)} &
+\changed{
+    \bitbox{48}{$\SpendingKeyLeadByte$}
+  &}\bitbox{256}{$\AuthPrivate$ (32 bytes)} &
    \bitbox{256}{$\TransmitPrivate$ (32 bytes)}
 \end{bytefield}
 \end{equation*}

 \begin{itemize}
 \changed{
-    \item A byte $\PrivateAddressLeadByte$ indicating this version of the
+    \item A byte $\SpendingKeyLeadByte$ indicating this version of the
        raw encoding of a \Zcash private key.
 }
-    \item 32 bytes specifying $\SpendAuthorityPrivate$.
+    \item 32 bytes specifying $\AuthPrivate$.
    \item 32 bytes specifying $\TransmitPrivate$.
 \end{itemize}

@ -859,16 +999,19 @@ Transmitted coins are stored on the blockchain in encrypted form, together with
 a \coinCommitment $\cm$.

 The \coinPlaintexts associated with a \PourDescription are encrypted to the
-respective \transmitPublicAlgorithm keys $\TransmitPublicNew{\mathrm{1}..\NNew}$,
+respective \transmitKeypair keys $\PublicKey{\mathrm{1}..\NNew}$,
 and the result forms a \coinsCiphertext.

-Each \coinPlaintext consists of $(\Value, \CoinAddressRand, \CoinCommitRand\changed{, \Memo})$,
-where:
+Each \coinPlaintext consists of $(\changed{\AuthPublic, }\Value, \CoinAddressRand,
+\CoinCommitRand\changed{, \Memo})$, where:

 \begin{itemize}
+\changed{
+    \item $\AuthPublic$ is a 32-byte \authKeypair public key of the recipient.
+}
    \item $\Value$ is a 64-bit unsigned integer representing the value of the
        \coin in \zatoshi (1 \ZEC = $10^8$ \zatoshi).
-    \item $\CoinAddressRand$ is a 32-byte $\PRFsn{\SpendAuthorityPrivate}$ preimage.
+    \item $\CoinAddressRand$ is a 32-byte $\PRFsn{\AuthPrivate}$ preimage.
    \item $\CoinCommitRand$ is a 48-byte \COMMtrapdoor.
 \changed{
    \item $\Memo$ is a 64-byte \memo associated with this \coin.
@ -894,9 +1037,11 @@ does not use it.
 The raw encoding of a \coinPlaintext consists of, in order:

 \begin{equation*}
-\begin{bytefield}[bitwidth=0.035em]{1224}
-    \bitbox{80}{\changed{$\TransmitPlaintextVersionByte$}} &
-    \bitbox{144}{$\Value$ (8 bytes)} &
+\begin{bytefield}[bitwidth=0.03em]{1480}
+\changed{
+    \bitbox{88}{$\TransmitPlaintextVersionByte$}&
+    \bitbox{256}{$\AuthPublic$ (32 bytes)}&
+  &}\bitbox{168}{$\Value$ (8 bytes)} &
    \bitbox{256}{$\CoinAddressRand$ (32 bytes)} &
    \bitbox{384}{$\CoinCommitRand$ (48 bytes)} &
    \changed{\bitbox{512}{$\Memo$ (64 bytes)}}
@ -907,6 +1052,7 @@ The raw encoding of a \coinPlaintext consists of, in order:
 \changed{
    \item A byte $\TransmitPlaintextVersionByte$ indicating this version of the raw 
 encoding of a \coinPlaintext.
+    \item 32 bytes specifying $\AuthPublic$.
 }
    \item 8 bytes specifying a big-endian encoding of $\Value$.
    \item 32 bytes specifying $\CoinAddressRand$.
@ -934,9 +1080,9 @@ TBD.
    \item Instead of ECIES, we use an encryption scheme based on $\CryptoBox$,
 defined in section ``In-band secret distribution".
    \item Faerie Gold fix (TBD).
-    \item The paper defines a coin as a tuple $(\SpendAuthorityPublic, \Value,
+    \item The paper defines a coin as a tuple $(\AuthPublic, \Value,
 \CoinAddressRand, \CoinCommitRand, \CoinCommitS, \cm)$, whereas this specification
-defines it as $(\SpendAuthorityPublic, \Value, \CoinAddressRand, \CoinCommitRand)$.
+defines it as $(\AuthPublic, \Value, \CoinAddressRand, \CoinCommitRand)$.
 This is just a clarification, because the instantiation of $\COMM{\CoinCommitS}$
 in section 5.1 of the paper does not use $\CoinCommitS$, and $\cm$ can be computed
 from the other fields.