mirror of https://github.com/zcash/zips.git
Work in progress for viewing key support.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
9ed6ece058
commit
a7e10012f7
Binary file not shown.
|
@ -74,15 +74,21 @@
|
||||||
\newcommand{\script}{\term{script}}
|
\newcommand{\script}{\term{script}}
|
||||||
\newcommand{\serialNumber}{\term{serial number}}
|
\newcommand{\serialNumber}{\term{serial number}}
|
||||||
\newcommand{\serialNumbers}{\term{serial numbers}}
|
\newcommand{\serialNumbers}{\term{serial numbers}}
|
||||||
\newcommand{\publicAddress}{\term{confidential address}}
|
% Daira: This doesn't adequately distinguish between zk stuff and transparent stuff
|
||||||
% Let's rename ``privateAddress'' to something else, since it sounds like an oxymoron to me. (This is related to a code naming issue #602 and we might want to update both at the same time.)
|
\newcommand{\paymentAddress}{\term{payment address}}
|
||||||
\newcommand{\privateAddress}{\term{confidential private key}}
|
\newcommand{\paymentAddresses}{\term{payment addresses}}
|
||||||
|
\newcommand{\viewingKey}{\term{viewing key}}
|
||||||
|
\newcommand{\viewingKeys}{\term{viewing keys}}
|
||||||
|
\newcommand{\spendingKey}{\term{spending key}}
|
||||||
|
\newcommand{\spendingKeys}{\term{spending keys}}
|
||||||
|
\newcommand{\keyTuple}{\term{key tuple}}
|
||||||
\newcommand{\coinPlaintext}{\term{coin plaintext}}
|
\newcommand{\coinPlaintext}{\term{coin plaintext}}
|
||||||
\newcommand{\coinPlaintexts}{\term{coin plaintexts}}
|
\newcommand{\coinPlaintexts}{\term{coin plaintexts}}
|
||||||
\newcommand{\coinsCiphertext}{\term{transmitted coins ciphertext}}
|
\newcommand{\coinsCiphertext}{\term{transmitted coins ciphertext}}
|
||||||
\newcommand{\transmitPublicAlgorithm}{\term{key-private encryption}}
|
\newcommand{\authKeypair}{\term{authorization}}
|
||||||
\newcommand{\transmitPrivateAlgorithm}{\term{key-private decryption}}
|
\newcommand{\transmitKeypair}{\term{transmission}}
|
||||||
\newcommand{\spendAuthority}{\term{spend authority}}
|
\newcommand{\discloseKeypair}{\term{disclosure}}
|
||||||
|
\newcommand{\keyPrivateAlgorithm}{\term{key-private encryption scheme}}
|
||||||
\newcommand{\incrementalMerkleTree}{\term{incremental merkle tree}}
|
\newcommand{\incrementalMerkleTree}{\term{incremental merkle tree}}
|
||||||
\newcommand{\spentSerialsMap}{\term{spent serial numbers map}}
|
\newcommand{\spentSerialsMap}{\term{spent serial numbers map}}
|
||||||
\newcommand{\zkSNARK}{\term{zk-SNARK}}
|
\newcommand{\zkSNARK}{\term{zk-SNARK}}
|
||||||
|
@ -90,22 +96,35 @@
|
||||||
\newcommand{\memo}{\term{memo field}}
|
\newcommand{\memo}{\term{memo field}}
|
||||||
|
|
||||||
% key pairs:
|
% key pairs:
|
||||||
\newcommand{\PublicAddress}{\mathsf{addr_{pk}}}
|
\newcommand{\PaymentAddress}{\mathsf{addr_{pk}}}
|
||||||
\newcommand{\PrivateAddress}{\mathsf{addr_{sk}}}
|
\newcommand{\ViewingKey}{\mathsf{addr_{viewkey}}}
|
||||||
\newcommand{\PublicAddressLeadByte}{\mathbf{0x92}}
|
\newcommand{\SpendingKey}{\mathsf{addr_{sk}}}
|
||||||
\newcommand{\PrivateAddressLeadByte}{\mathbf{0x93}}
|
\newcommand{\PaymentAddressLeadByte}{\mathbf{0x92}}
|
||||||
\newcommand{\SpendAuthorityPublic}{\mathsf{a_{pk}}}
|
\newcommand{\ViewingKeyLeadByte}{\mathbf{0x??}}
|
||||||
\newcommand{\SpendAuthorityPrivate}{\mathsf{a_{sk}}}
|
\newcommand{\SpendingKeyLeadByte}{\mathbf{0x93}}
|
||||||
\newcommand{\SpendAuthorityPublicOld}[1]{\mathsf{a^{old}_{pk,\mathnormal{#1}}}}
|
\newcommand{\AuthPublic}{\mathsf{a_{pk}}}
|
||||||
\newcommand{\SpendAuthorityPrivateOld}[1]{\mathsf{a^{old}_{sk,\mathnormal{#1}}}}
|
\newcommand{\AuthPrivate}{\mathsf{a_{sk}}}
|
||||||
\newcommand{\SpendAuthorityPublicNew}[1]{\mathsf{a^{new}_{pk,\mathnormal{#1}}}}
|
\newcommand{\AuthPublicOld}[1]{\mathsf{a^{old}_{pk,\mathnormal{#1}}}}
|
||||||
\newcommand{\SpendAuthorityPrivateNew}[1]{\mathsf{a^{new}_{sk,\mathnormal{#1}}}}
|
\newcommand{\AuthPrivateOld}[1]{\mathsf{a^{old}_{sk,\mathnormal{#1}}}}
|
||||||
\newcommand{\TransmitPublic}{\mathsf{pk_{enc}}}
|
\newcommand{\AuthPublicNew}[1]{\mathsf{a^{new}_{pk,\mathnormal{#1}}}}
|
||||||
\newcommand{\TransmitPublicNew}[1]{\mathsf{pk_{enc,\mathnormal{#1}}}}
|
\newcommand{\AuthPrivateNew}[1]{\mathsf{a^{new}_{sk,\mathnormal{#1}}}}
|
||||||
\newcommand{\TransmitPrivate}{\mathsf{sk_{enc}}}
|
\newcommand{\AddressPublicNew}[1]{\mathsf{addr^{new}_{pk,\mathnormal{#1}}}}
|
||||||
\newcommand{\TransmitPrivateNew}[1]{\mathsf{sk_{enc,\mathnormal{#1}}}}
|
\newcommand{\enc}{\mathsf{enc}}
|
||||||
\newcommand{\EphemeralPublic}{\mathsf{pk_{eph}}}
|
\newcommand{\alleged}{\mathsf{alleged}}
|
||||||
\newcommand{\EphemeralPrivate}{\mathsf{sk_{eph}}}
|
\newcommand{\disclose}{\mathsf{disclose}}
|
||||||
|
\newcommand{\PublicKey}[1]{\mathsf{pk_\mathnormal{#1}}}
|
||||||
|
\newcommand{\PrivateKey}[1]{\mathsf{sk_\mathnormal{#1}}}
|
||||||
|
\newcommand{\EphemeralPublic}[1]{\mathsf{epk_\mathnormal{#1}}}
|
||||||
|
\newcommand{\EphemeralPrivate}[1]{\mathsf{esk_\mathnormal{#1}}}
|
||||||
|
\newcommand{\TransmitPublic}{\PublicKey{\enc}}
|
||||||
|
\newcommand{\TransmitPublicNew}[1]{\mathsf{pk^{new}_{\enc,\mathnormal{#1}}}}
|
||||||
|
\newcommand{\TransmitPrivate}{\PrivateKey{\enc}}
|
||||||
|
\newcommand{\DisclosePublic}{\PublicKey{\disclose}}
|
||||||
|
\newcommand{\DisclosePrivate}{\PrivateKey{\disclose}}
|
||||||
|
\newcommand{\TransmitEphemeralPublic}{\EphemeralPublic{\enc}}
|
||||||
|
\newcommand{\TransmitEphemeralPrivate}{\EphemeralPrivate{\enc}}
|
||||||
|
\newcommand{\DiscloseEphemeralPublic}{\EphemeralPublic{\disclose}}
|
||||||
|
\newcommand{\DiscloseEphemeralPrivate}{\EphemeralPrivate{\disclose}}
|
||||||
\newcommand{\Value}{\mathsf{v}}
|
\newcommand{\Value}{\mathsf{v}}
|
||||||
|
|
||||||
% Coins
|
% Coins
|
||||||
|
@ -125,12 +144,15 @@
|
||||||
\newcommand{\CryptoBoxOpen}{\mathsf{crypto\_box\_open}}
|
\newcommand{\CryptoBoxOpen}{\mathsf{crypto\_box\_open}}
|
||||||
\newcommand{\CryptoBoxSeal}{\mathsf{crypto\_box\_seal}}
|
\newcommand{\CryptoBoxSeal}{\mathsf{crypto\_box\_seal}}
|
||||||
\newcommand{\CryptoBoxSpecific}{\mathsf{crypto\_box\_curve25519xsalsa20poly1305}}
|
\newcommand{\CryptoBoxSpecific}{\mathsf{crypto\_box\_curve25519xsalsa20poly1305}}
|
||||||
\newcommand{\Plaintext}[1]{\mathbf{P}_{#1}}
|
\newcommand{\Plaintext}[1]{\mathbf{P}^\enc_{#1}}
|
||||||
\newcommand{\Ciphertext}[1]{\mathbf{C}_{#1}}
|
\newcommand{\AllegedPlaintext}[1]{\mathbf{P}^\alleged_{#1}}
|
||||||
|
\newcommand{\DisclosePlaintext}{\mathbf{P}^\disclose}
|
||||||
|
\newcommand{\TransmitCiphertext}[1]{\mathbf{C}^\enc_{#1}}
|
||||||
|
\newcommand{\DiscloseCiphertext}{\mathbf{C}^\disclose}
|
||||||
|
\newcommand{\Tag}[1]{\mathsf{tag}_{#1}}
|
||||||
\newcommand{\Nonce}{\mathsf{nonce}}
|
\newcommand{\Nonce}{\mathsf{nonce}}
|
||||||
\newcommand{\Prenonce}{\mathsf{prenonce}}
|
\newcommand{\Prenonce}{\mathsf{prenonce}}
|
||||||
\newcommand{\TransmitEncrypt}[1]{\mathsf{Encrypt}_{#1}}
|
\newcommand{\Encrypt}[1]{\mathsf{Encrypt}_{#1}}
|
||||||
\newcommand{\TransmitDecrypt}[1]{\mathsf{Decrypt}_{#1}}
|
|
||||||
\newcommand{\CRH}{\mathsf{CRH}}
|
\newcommand{\CRH}{\mathsf{CRH}}
|
||||||
\newcommand{\CRHbox}[1]{\CRH\left(\;\raisebox{-1.3ex}{\usebox{#1}}\;\right)}
|
\newcommand{\CRHbox}[1]{\CRH\left(\;\raisebox{-1.3ex}{\usebox{#1}}\;\right)}
|
||||||
\newcommand{\FullHash}{\mathtt{SHA256}}
|
\newcommand{\FullHash}{\mathtt{SHA256}}
|
||||||
|
@ -168,8 +190,10 @@
|
||||||
\newcommand{\scriptPubKey}{\mathtt{scriptPubKey}}
|
\newcommand{\scriptPubKey}{\mathtt{scriptPubKey}}
|
||||||
\newcommand{\serials}{\mathtt{serials}}
|
\newcommand{\serials}{\mathtt{serials}}
|
||||||
\newcommand{\commitments}{\mathtt{commitments}}
|
\newcommand{\commitments}{\mathtt{commitments}}
|
||||||
\newcommand{\ephemeralKey}{\mathtt{ephemeralKey}}
|
\newcommand{\encEphemeral}{\mathtt{encEphemeral}}
|
||||||
\newcommand{\ciphertexts}{\mathtt{ciphertexts}}
|
\newcommand{\encCiphertexts}{\mathtt{encCiphertexts}}
|
||||||
|
\newcommand{\discloseEphemeral}{\mathtt{discloseEphemeral}}
|
||||||
|
\newcommand{\discloseCiphertext}{\mathtt{discloseCiphertext}}
|
||||||
\newcommand{\rt}{\mathsf{rt}}
|
\newcommand{\rt}{\mathsf{rt}}
|
||||||
|
|
||||||
% pour
|
% pour
|
||||||
|
@ -198,7 +222,7 @@
|
||||||
\begin{document}
|
\begin{document}
|
||||||
|
|
||||||
\title{Zcash Protocol Specification \\
|
\title{Zcash Protocol Specification \\
|
||||||
\Large Version 2.0-draft-1}
|
\Large Version 2.0-draft-2}
|
||||||
\author{Sean Bowe | Daira Hopwood | Taylor Hornby}
|
\author{Sean Bowe | Daira Hopwood | Taylor Hornby}
|
||||||
\date{\today}
|
\date{\today}
|
||||||
\maketitle
|
\maketitle
|
||||||
|
@ -278,7 +302,7 @@ ensuring that the functions are independent.
|
||||||
\newsavebox{\addrbox}
|
\newsavebox{\addrbox}
|
||||||
\begin{lrbox}{\addrbox}
|
\begin{lrbox}{\addrbox}
|
||||||
\begin{bytefield}[bitwidth=0.065em]{512}
|
\begin{bytefield}[bitwidth=0.065em]{512}
|
||||||
\bitbox{242}{256 bit $\SpendAuthorityPrivate$} &
|
\bitbox{242}{256 bit $\AuthPrivate$} &
|
||||||
\bitbox{18}{0} &
|
\bitbox{18}{0} &
|
||||||
\bitbox{18}{0} &
|
\bitbox{18}{0} &
|
||||||
\bitbox{222}{$0^{254}$} &
|
\bitbox{222}{$0^{254}$} &
|
||||||
|
@ -288,7 +312,7 @@ ensuring that the functions are independent.
|
||||||
\newsavebox{\snbox}
|
\newsavebox{\snbox}
|
||||||
\begin{lrbox}{\snbox}
|
\begin{lrbox}{\snbox}
|
||||||
\begin{bytefield}[bitwidth=0.065em]{512}
|
\begin{bytefield}[bitwidth=0.065em]{512}
|
||||||
\bitbox{242}{256 bit $\SpendAuthorityPrivate$} &
|
\bitbox{242}{256 bit $\AuthPrivate$} &
|
||||||
\bitbox{18}{0} &
|
\bitbox{18}{0} &
|
||||||
\bitbox{18}{1} &
|
\bitbox{18}{1} &
|
||||||
\bitbox{222}{$\Leading{254}(\CoinAddressRand)$} &
|
\bitbox{222}{$\Leading{254}(\CoinAddressRand)$} &
|
||||||
|
@ -298,7 +322,7 @@ ensuring that the functions are independent.
|
||||||
\newsavebox{\pkbox}
|
\newsavebox{\pkbox}
|
||||||
\begin{lrbox}{\pkbox}
|
\begin{lrbox}{\pkbox}
|
||||||
\begin{bytefield}[bitwidth=0.065em]{512}
|
\begin{bytefield}[bitwidth=0.065em]{512}
|
||||||
\bitbox{242}{256 bit $\SpendAuthorityPrivate$} &
|
\bitbox{242}{256 bit $\AuthPrivate$} &
|
||||||
\bitbox{18}{1} &
|
\bitbox{18}{1} &
|
||||||
\bitbox{18}{0} &
|
\bitbox{18}{0} &
|
||||||
\bitbox{18}{\iminusone} &
|
\bitbox{18}{\iminusone} &
|
||||||
|
@ -323,9 +347,9 @@ is associated with this bit-packing.}
|
||||||
|
|
||||||
\begin{equation*}
|
\begin{equation*}
|
||||||
\begin{aligned}
|
\begin{aligned}
|
||||||
\SpendAuthorityPublic &:= \PRFaddr{\SpendAuthorityPrivate}(0) &= \CRHbox{\addrbox} \\
|
\AuthPublic &:= \PRFaddr{\AuthPrivate}(0) &= \CRHbox{\addrbox} \\
|
||||||
\sn &:= \PRFsn{\SpendAuthorityPrivate}(\CoinAddressRand) &= \CRHbox{\snbox} \\
|
\sn &:= \PRFsn{\AuthPrivate}(\CoinAddressRand) &= \CRHbox{\snbox} \\
|
||||||
\h{i} &:= \PRFpk{\SpendAuthorityPrivate}(i, \hSig) &= \CRHbox{\pkbox} \\
|
\h{i} &:= \PRFpk{\AuthPrivate}(i, \hSig) &= \CRHbox{\pkbox} \\
|
||||||
\setchanged \CoinAddressRandNew{i} &\setchanged := \PRFrho{\CoinAddressPreRand}(i, \hSig)
|
\setchanged \CoinAddressRandNew{i} &\setchanged := \PRFrho{\CoinAddressPreRand}(i, \hSig)
|
||||||
&\setchanged = \CRHbox{\rhobox}
|
&\setchanged = \CRHbox{\rhobox}
|
||||||
\end{aligned}
|
\end{aligned}
|
||||||
|
@ -334,43 +358,72 @@ is associated with this bit-packing.}
|
||||||
\daira{Should we instead define $\CoinAddressRand$ to be 254 bits and $\hSig$ to be
|
\daira{Should we instead define $\CoinAddressRand$ to be 254 bits and $\hSig$ to be
|
||||||
253 bits?}
|
253 bits?}
|
||||||
|
|
||||||
\subsection{Confidential Addresses and Private Keys}
|
\subsection{Payment Addresses\changed{, Viewing Keys,} and Spending Keys}
|
||||||
|
|
||||||
\nathan{This term, \publicAddress, may be confusing by comparison to
|
A \keyTuple $(\PaymentAddress, \changed{\ViewingKey,\;} \SpendingKey)$ is generated
|
||||||
a ``private key''. In the latter case the adjective is reminding a
|
by users who wish to receive payments under this scheme. The parts of
|
||||||
user of their responsibility to protect its privacy, but in the case
|
the \keyTuple are composed from \changed{three} distinct keypairs, called the
|
||||||
of \publicAddress we want users to know ``transfers to this address
|
\authKeypair, \transmitKeypair \changed{, and \discloseKeypair} keypairs.
|
||||||
are confidential, but the address itself *may* be published or kept
|
|
||||||
confidential depending on your needs. Two different people can compare
|
|
||||||
addresses to know they have the same \publicAddress.''}
|
|
||||||
|
|
||||||
A key pair $(\PublicAddress, \PrivateAddress)$ is generated by
|
\begin{itemize}
|
||||||
users who wish to receive coins under this scheme. The tuple parts
|
\item The \paymentAddress $\PaymentAddress$ is a pair
|
||||||
embody two distinct keypairs used for different purposes called
|
$(\AuthPublic, \TransmitPublic)$, containing the \emph{public}
|
||||||
the \spendAuthority and the \transmitPublicAlgorithm keypair. The
|
components of the \authKeypair and \transmitKeypair keypairs
|
||||||
\publicAddress $\PublicAddress$ is a tuple $(\SpendAuthorityPublic,
|
respectively.
|
||||||
\TransmitPublic)$, containing the public components of the \spendAuthority
|
\changed{
|
||||||
and \transmitPublicAlgorithm respectively. The $\PrivateAddress$ is
|
\item The \viewingKey $\ViewingKey$ is a pair
|
||||||
a tuple $(\SpendAuthorityPrivate, \TransmitPrivate)$, containing the
|
$(\TransmitPrivate, \DisclosePrivate)$, containing the \emph{private}
|
||||||
secret components respectively.
|
components of the \transmitKeypair and \discloseKeypair keypairs
|
||||||
|
respectively.
|
||||||
|
}
|
||||||
|
\item The \spendingKey $\SpendingKey$ is a \changed{triple}
|
||||||
|
$(\AuthPrivate, \TransmitPrivate\changed{, \DisclosePrivate})$,
|
||||||
|
containing the \emph{private} components of the \authKeypair,
|
||||||
|
\transmitKeypair\changed{, and \discloseKeypair} keypairs respectively.
|
||||||
|
\end{itemize}
|
||||||
|
|
||||||
\nathan{A diagram could really help here.}
|
The following diagram depicts the relations between key components.
|
||||||
|
Arrows point from a private component to the corresponding public
|
||||||
|
component derived from it.
|
||||||
|
|
||||||
|
\begin{center}
|
||||||
|
\includegraphics[scale=.5]{key_components}
|
||||||
|
\end{center}
|
||||||
|
|
||||||
|
Note that a \spendingKey holder can derive
|
||||||
|
$(\AuthPublic, \TransmitPublic\changed{, \DisclosePublic})$,
|
||||||
|
\changed{and a \viewingKey holder can derive $(\TransmitPublic, \DisclosePublic)$,}
|
||||||
|
even though these components are not formally part of the respective keys.
|
||||||
|
Implementations \MAY cache these derived public components, provided that
|
||||||
|
they are deleted if the corresponding private component is deleted.
|
||||||
|
|
||||||
|
The composition of \paymentAddresses\changed{, \viewingKeys,} and \spendingKeys
|
||||||
|
is a cryptographic protocol detail that should not normally be
|
||||||
|
exposed to users. However, user-visible operations should be provided
|
||||||
|
to:
|
||||||
|
|
||||||
|
\begin{itemize}
|
||||||
|
\changed{
|
||||||
|
\item obtain a \viewingKey from a \spendingKey; and
|
||||||
|
}
|
||||||
|
\item obtain a \paymentAddress from a \spendingKey.
|
||||||
|
\end{itemize}
|
||||||
|
|
||||||
Users can accept payment from multiple parties with a single
|
Users can accept payment from multiple parties with a single
|
||||||
$\PublicAddress$ and the fact that these payments are destined to
|
$\PaymentAddress$ and the fact that these payments are destined to
|
||||||
the same payee is not revealed on the blockchain, even to the
|
the same payee is not revealed on the blockchain, even to the
|
||||||
paying parties. \emph{However} if two parties collude to compare a
|
paying parties. \emph{However} if two parties collude to compare a
|
||||||
$\PublicAddress$ they can trivially determine they are the same. In the
|
$\PaymentAddress$ they can trivially determine they are the same. In the
|
||||||
case that a payee wishes to prevent this they should create a distinct
|
case that a payee wishes to prevent this they should create a distinct
|
||||||
\publicAddress for each payer.
|
\paymentAddress for each payer.
|
||||||
|
|
||||||
\subsection{Coins}
|
\subsection{Coins}
|
||||||
|
|
||||||
A \coin (denoted $\Coin$) is a tuple $\changed{(\SpendAuthorityPublic, \Value,
|
A \coin (denoted $\Coin$) is a tuple $\changed{(\AuthPublic, \Value,
|
||||||
\CoinAddressRand, \CoinCommitRand)}$ which represents that a value $\Value$ is
|
\CoinAddressRand, \CoinCommitRand)}$ which represents that a value $\Value$ is
|
||||||
spendable by the recipient who holds the $\spendAuthority$ key pair
|
spendable by the recipient who holds the $\authKeypair$ key pair
|
||||||
$(\SpendAuthorityPublic, \SpendAuthorityPrivate)$ such that
|
$(\AuthPublic, \AuthPrivate)$ such that
|
||||||
$\SpendAuthorityPublic = \PRFaddr{\SpendAuthorityPrivate}(0)$.
|
$\AuthPublic = \PRFaddr{\AuthPrivate}(0)$.
|
||||||
|
|
||||||
$\CoinCommitRand$ is randomly generated by the sender. \changed{$\CoinAddressRand$
|
$\CoinCommitRand$ is randomly generated by the sender. \changed{$\CoinAddressRand$
|
||||||
is generated from a random seed $\CoinAddressPreRand$ using
|
is generated from a random seed $\CoinAddressPreRand$ using
|
||||||
|
@ -383,13 +436,17 @@ the value and recipient \emph{except} to those who possess these tokens.
|
||||||
In order to transmit the secret $\Value$, $\CoinAddressRand$, and $\CoinCommitRand$
|
In order to transmit the secret $\Value$, $\CoinAddressRand$, and $\CoinCommitRand$
|
||||||
(necessary for the recipient to later spend) \changed{and also a \memo} to the
|
(necessary for the recipient to later spend) \changed{and also a \memo} to the
|
||||||
recipient \emph{without} requiring an out-of-band communication channel, the
|
recipient \emph{without} requiring an out-of-band communication channel, the
|
||||||
$\transmitPublicAlgorithm$ public key $\TransmitPublic$ is used to encrypt these
|
\transmitKeypair public key $\TransmitPublic$ is used to encrypt these
|
||||||
secrets to form a \coinsCiphertext. The recipient's possession of the associated
|
secrets. The recipient's possession of the associated
|
||||||
$(\PublicAddress, \PrivateAddress)$ (which contains both $\SpendAuthorityPublic$ and
|
$(\PaymentAddress, \SpendingKey)$ (which contains both $\AuthPublic$ and
|
||||||
$\TransmitPrivate$) is used to reconstruct the original \coin \changed{ and \memo}.
|
$\TransmitPrivate$) is used to reconstruct the original \coin \changed{ and \memo}.
|
||||||
|
\changed{To also transmit these values to a \viewingKey holder for outgoing
|
||||||
|
\PourTransfers, the \discloseKeypair public key $\DisclosePublic$ is used to
|
||||||
|
encrypt the ephemeral secret and address public keys from the preceding
|
||||||
|
encryptions.} The encryptions are combined to form a \coinsCiphertext.
|
||||||
|
|
||||||
\changed{
|
\changed{
|
||||||
The encryption algorithm is defined in terms of $\CryptoBox$ (i.e.
|
The encryption algorithm is defined in terms of $\CryptoBox$ (specifically,
|
||||||
$\CryptoBoxSpecific$) \cite{cryptobox} as follows.
|
$\CryptoBoxSpecific$) \cite{cryptobox} as follows.
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -397,9 +454,9 @@ $\CryptoBoxSpecific$) \cite{cryptobox} as follows.
|
||||||
\begin{lrbox}{\prenoncebox}
|
\begin{lrbox}{\prenoncebox}
|
||||||
\setchanged
|
\setchanged
|
||||||
\begin{bytefield}[bitwidth=0.05em]{520}
|
\begin{bytefield}[bitwidth=0.05em]{520}
|
||||||
\bitbox{120}{64 bit $i-1$} &
|
\bitbox{120}{64 bit $\Tag{i}$} &
|
||||||
\bitbox{256}{256 bit $\EphemeralPublic$}
|
\bitbox{256}{256 bit $\EphemeralPublic{}$}
|
||||||
\bitbox{256}{256 bit $\TransmitPublicNew{i}$}
|
\bitbox{256}{256 bit $\PublicKey{i}$}
|
||||||
\end{bytefield}
|
\end{bytefield}
|
||||||
\end{lrbox}
|
\end{lrbox}
|
||||||
|
|
||||||
|
@ -408,74 +465,148 @@ $\CryptoBoxSpecific$) \cite{cryptobox} as follows.
|
||||||
\setchanged
|
\setchanged
|
||||||
\begin{bytefield}[bitwidth=0.085em]{192}
|
\begin{bytefield}[bitwidth=0.085em]{192}
|
||||||
\bitbox{128}{$\Leading{128}(\Prenonce)$} &
|
\bitbox{128}{$\Leading{128}(\Prenonce)$} &
|
||||||
\bitbox{72}{64 bit $i-1$}
|
\bitbox{64}{64 bit $\Tag{i}$}
|
||||||
|
\end{bytefield}
|
||||||
|
\end{lrbox}
|
||||||
|
|
||||||
|
\newsavebox{\tagibox}
|
||||||
|
\begin{lrbox}{\tagibox}
|
||||||
|
\setchanged
|
||||||
|
\begin{bytefield}[bitwidth=0.09em]{64}
|
||||||
|
\bitbox{64}{64 bit $i-1$}
|
||||||
|
\end{bytefield}
|
||||||
|
\end{lrbox}
|
||||||
|
|
||||||
|
\newsavebox{\tagdbox}
|
||||||
|
\begin{lrbox}{\tagdbox}
|
||||||
|
\setchanged
|
||||||
|
\begin{bytefield}[bitwidth=0.09em]{64}
|
||||||
|
\bitbox{64}{$1^{64}$}
|
||||||
|
\end{bytefield}
|
||||||
|
\end{lrbox}
|
||||||
|
|
||||||
|
\newsavebox{\disclosebox}
|
||||||
|
\begin{lrbox}{\disclosebox}
|
||||||
|
\setchanged
|
||||||
|
\begin{bytefield}[bitwidth=0.04em]{1536}
|
||||||
|
\bitbox{256}{256 bit $\TransmitEphemeralPrivate$}
|
||||||
|
\bitbox{256}{256 bit $\TransmitPublicNew{\mathrm{1}}$}
|
||||||
|
\bitbox{40}{...}
|
||||||
|
\bitbox{256}{256 bit $\TransmitPublicNew{\NNew}$}
|
||||||
\end{bytefield}
|
\end{bytefield}
|
||||||
\end{lrbox}
|
\end{lrbox}
|
||||||
|
|
||||||
Let $\TransmitPublicNew{\mathrm{1}..\NNew}$ be the \changed{Curve25519} public keys
|
Let $\TransmitPublicNew{\mathrm{1}..\NNew}$ be the \changed{Curve25519} public keys
|
||||||
for the intended recipient addresses of each new \coin, and let $\Plaintext{1..\NNew}$
|
for the intended recipient addresses of each new \coin,
|
||||||
be their \coinPlaintexts.
|
\changed{let $\PublicKey{\disclose}$ be the sender's \discloseKeypair public key,}
|
||||||
|
and let $\Plaintext{1..\NNew}$ be the \coinPlaintexts.
|
||||||
|
|
||||||
\changed{
|
\changed{
|
||||||
Define:
|
Define:
|
||||||
\begin{equation*}
|
\begin{equation*}
|
||||||
\begin{aligned}
|
\begin{aligned}
|
||||||
\Prenonce(i, \EphemeralPublic, \TransmitPublicNew{i}) &:= \FullHashbox{\prenoncebox} \\
|
\Prenonce(\Tag{i}, \EphemeralPublic, \PublicKey{i}) &:= \FullHashbox{\prenoncebox} \\
|
||||||
\Nonce(i, \EphemeralPublic, \TransmitPublicNew{i}) &:= \Justthebox{\noncebox}
|
\Nonce(\Tag{i}, \EphemeralPublic, \PublicKey{i}) &:= \Justthebox{\noncebox} \\
|
||||||
|
\Tag{i} &:= \Justthebox{\tagibox} \\
|
||||||
|
\Tag{\disclose} &:= \Justthebox{\tagdbox} \\
|
||||||
|
\DisclosePlaintext &:= \Justthebox{\disclosebox}
|
||||||
\end{aligned}
|
\end{aligned}
|
||||||
\end{equation*}
|
\end{equation*}
|
||||||
}
|
}
|
||||||
|
|
||||||
Then to encrypt:
|
Then to encrypt:
|
||||||
|
|
||||||
\changed{
|
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item Generate a new Curve25519 (public, private) key pair $(\EphemeralPublic, \EphemeralPrivate)$.
|
\changed{
|
||||||
\item For $i$ in $\{1..\NNew\}$, let $\Ciphertext{i} = \CryptoBox(\Plaintext{i}, \TransmitPublicNew{i}, \EphemeralPrivate,
|
\item Generate two new independent Curve25519 (public, private) key pairs:
|
||||||
\Nonce(i, \EphemeralPublic, \TransmitPublicNew{i}))$.
|
$(\TransmitEphemeralPublic, \TransmitEphemeralPrivate)$ and
|
||||||
\item Let $\TransmitEncrypt{\TransmitPublicNew{\mathrm{1}..\NNew}}(\Plaintext{1..\NNew}) =
|
$(\DiscloseEphemeralPublic, \DiscloseEphemeralPrivate)$.
|
||||||
(\EphemeralPublic, \Ciphertext{1..\NNew})$.
|
\item For $i$ in $\{1..\NNew\}$, let $\TransmitCiphertext{i} =
|
||||||
\end{itemize}
|
\CryptoBox(\Plaintext{i}, \PublicKey{i}, \EphemeralPrivate,
|
||||||
|
\Nonce(\Tag{i}, \TransmitEphemeralPublic, \TransmitPublicNew{i}))$
|
||||||
|
\item Let $\DiscloseCiphertext = \CryptoBox(\DisclosePlaintext,
|
||||||
|
\DisclosePublic, \DiscloseEphemeralPrivate,
|
||||||
|
\Nonce(\Tag{\disclose}, \DiscloseEphemeralPublic, \DisclosePublic))$
|
||||||
}
|
}
|
||||||
|
\end{itemize}
|
||||||
|
|
||||||
|
The resulting \coinsCiphertext is $\changed{(\TransmitEphemeralPublic,}\;
|
||||||
|
\TransmitCiphertext{\mathrm{1}..\NNew}\changed{, \DiscloseEphemeralPublic,
|
||||||
|
\DiscloseCiphertext)}$.
|
||||||
|
|
||||||
Let $(\TransmitPublic, \TransmitPrivate)$ be the recipient's \changed{Curve25519}
|
Let $(\TransmitPublic, \TransmitPrivate)$ be the recipient's \changed{Curve25519}
|
||||||
(public, private) key pair, and let $\changed{(\EphemeralPublic,}\;
|
(public, private) key pair. Then for each $i$ in $\{1..\NNew\}$, the recipient
|
||||||
\Ciphertext{1..\NNew}\changed{)}$ be the \coinsCiphertext.
|
will attempt to decrypt that ciphertext component as follows:
|
||||||
|
|
||||||
Then for each $i$ in $\{1..\NNew\}$, the recipient will attempt to decrypt that
|
\begin{itemize}
|
||||||
ciphertext component as follows:
|
\changed{
|
||||||
|
\item $\AllegedPlaintext{i} := \CryptoBoxOpen(\TransmitCiphertext{i},
|
||||||
|
\TransmitEphemeralPublic, \TransmitPrivate,
|
||||||
|
\Nonce(\Tag{i}, \TransmitEphemeralPublic, \TransmitPublic))$
|
||||||
|
\item \todo{validation}
|
||||||
|
}
|
||||||
|
\end{itemize}
|
||||||
|
|
||||||
\changed{
|
\changed{
|
||||||
\begin{itemize}
|
Similarly, let $(\DisclosePublic, \DisclosePrivate)$ be a \viewingKey holder's
|
||||||
\item $\TransmitDecrypt{\TransmitPrivate}(i, \EphemeralPublic, \Ciphertext{i}) =
|
Curve25519 (public, private) key pair. Then for each \PourDescription in its
|
||||||
\CryptoBoxOpen(\Ciphertext{i}, \EphemeralPublic, \TransmitPrivate,
|
\blockchainview, the \viewingKey holder will attempt to decrypt the corresponding
|
||||||
\Nonce(i, \EphemeralPublic, \TransmitPublic))$
|
\coinsCiphertext as follows:
|
||||||
\end{itemize}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
Any ciphertext components that fail to decrypt with a given recipient's private key
|
\begin{itemize}
|
||||||
will be ignored.
|
\changed{
|
||||||
|
\item Let $\DisclosePlaintext :=
|
||||||
|
\CryptoBoxOpen(\DiscloseCiphertext, \DiscloseEphemeralPublic,
|
||||||
|
\DisclosePrivate, \Nonce(\Tag{i}, \DiscloseEphemeralPublic, \DisclosePublic))$
|
||||||
|
\item Extract $\TransmitEphemeralPrivate$ and $\TransmitPublicNew{\mathrm{1}..\NNew}$
|
||||||
|
from $\DisclosePlaintext$.
|
||||||
|
\item For $i$ in $\{1..\NNew\}$,
|
||||||
|
\begin{itemize}
|
||||||
|
\item let $\AllegedPlaintext{i} :=
|
||||||
|
\CryptoBoxOpen(\TransmitCiphertext{i}, \TransmitEphemeralPrivate,
|
||||||
|
\TransmitPublicNew{i}, \Nonce(\Tag{i}, \TransmitEphemeralPublic, \TransmitPublicNew{i}))$
|
||||||
|
\item \todo{validation}
|
||||||
|
\end{itemize}
|
||||||
|
}
|
||||||
|
\end{itemize}
|
||||||
|
|
||||||
|
Any ciphertext components that fail to decrypt \MUST be ignored. Once a component
|
||||||
|
has been decrypted, it \MUST be validated as described in section ``Coin Commitments''.
|
||||||
|
|
||||||
\changed{
|
\changed{
|
||||||
This is a variation on the $\CryptoBoxSeal$ algorithm defined in libsodium
|
This is based loosely on the $\CryptoBoxSeal$ algorithm defined in libsodium
|
||||||
\cite{cryptoboxseal}, but with a single ephemeral key used for all encryptions in a
|
\cite{cryptoboxseal}, but with the following differences:
|
||||||
given \PourDescription, and with the nonce for each ciphertext component depending
|
\begin{itemize}
|
||||||
on the index $i$. Also, $\FullHash$ (the full hash, not the compression function) is
|
\item The same ephemeral key is used for all encryptions to the recipient keys
|
||||||
used instead of $\mathsf{blake2b}$. The particular nonce construction is chosen so
|
in a given \PourDescription.
|
||||||
that a known-nonce distinguisher for $\mathsf{Salsa20}$ would not directly lead to a
|
\item The nonce for each ciphertext component depends on the index $i$.
|
||||||
break of the IK-CCA (key privacy) property.
|
The particular nonce construction is chosen so that a known-nonce
|
||||||
|
distinguisher for $\mathsf{Salsa20}$ would not directly lead to a break
|
||||||
|
of the IK-CCA (key privacy) property.
|
||||||
|
\item $\FullHash$ (the full hash, not the compression function) is used instead
|
||||||
|
of $\mathsf{blake2b}$.
|
||||||
|
\item The ephemeral secret $\TransmitEphemeralPrivate$ is included together with
|
||||||
|
the \transmitKeypair public keys of the recipients, encrypted to the
|
||||||
|
\discloseKeypair public key. This allows a \viewingKey holder to decrypt
|
||||||
|
and validate these ciphertexts (if the sender constructs the \PourDescription
|
||||||
|
honestly). It also ensures (without assuming honesty of the sender) that if
|
||||||
|
the \viewingKey holder can decrypt a given component, then the indicated
|
||||||
|
recipient also has enough information to decrypt it and will receive the
|
||||||
|
same \coinPlaintext.
|
||||||
|
\end{itemize}
|
||||||
}
|
}
|
||||||
|
|
||||||
\subsubsection{Coin Commitments}
|
\subsubsection{Coin Commitments}
|
||||||
|
|
||||||
The underlying $\Value$ and $\SpendAuthorityPublic$ are blinded with $\CoinAddressRand$
|
The underlying $\Value$ and $\AuthPublic$ are blinded with $\CoinAddressRand$
|
||||||
and $\CoinCommitRand$ using the collision-resistant hash function $\CRH$ in a
|
and $\CoinCommitRand$ using the collision-resistant hash function $\CRH$ in a
|
||||||
multi-layered process. The resulting hash $\cm = \CoinCommitment{\Coin}$.
|
multi-layered process. The resulting hash $\cm = \CoinCommitment{\Coin}$.
|
||||||
|
|
||||||
\newsavebox{\ihbox}
|
\newsavebox{\ihbox}
|
||||||
\begin{lrbox}{\ihbox}
|
\begin{lrbox}{\ihbox}
|
||||||
\begin{bytefield}[bitwidth=0.08em]{512}
|
\begin{bytefield}[bitwidth=0.08em]{512}
|
||||||
\bitbox{256}{256 bit $\SpendAuthorityPublic$} &
|
\bitbox{256}{256 bit $\AuthPublic$} &
|
||||||
\bitbox{256}{256 bit $\CoinAddressRand$}
|
\bitbox{256}{256 bit $\CoinAddressRand$}
|
||||||
\end{bytefield}
|
\end{bytefield}
|
||||||
\end{lrbox}
|
\end{lrbox}
|
||||||
|
@ -508,8 +639,8 @@ multi-layered process. The resulting hash $\cm = \CoinCommitment{\Coin}$.
|
||||||
\subsubsection{Serial numbers}
|
\subsubsection{Serial numbers}
|
||||||
|
|
||||||
A \serialNumber (denoted $\sn$) equals
|
A \serialNumber (denoted $\sn$) equals
|
||||||
$\PRFsn{\SpendAuthorityPrivate}(\CoinAddressRand)$. A \coin is spent by proving
|
$\PRFsn{\AuthPrivate}(\CoinAddressRand)$. A \coin is spent by proving
|
||||||
knowledge of $\CoinAddressRand$ and $\SpendAuthorityPrivate$ in zero knowledge while
|
knowledge of $\CoinAddressRand$ and $\AuthPrivate$ in zero knowledge while
|
||||||
disclosing $\sn$, allowing $\sn$ to be used to prevent double-spending.
|
disclosing $\sn$, allowing $\sn$ to be used to prevent double-spending.
|
||||||
|
|
||||||
\subsection{Coin Commitment Tree}
|
\subsection{Coin Commitment Tree}
|
||||||
|
@ -633,14 +764,21 @@ $\scriptSig$.
|
||||||
$\cmNew{\mathrm{1}..\NNew}$.
|
$\cmNew{\mathrm{1}..\NNew}$.
|
||||||
|
|
||||||
\changed{
|
\changed{
|
||||||
\item $\ephemeralKey$ which is a Curve25519 public key $\EphemeralPublic$.
|
\item $\encEphemeral$ which is a Curve25519 public key $\TransmitEphemeralPublic$.
|
||||||
|
|
||||||
|
\item $\encCiphertexts$ which is a $\NNew$ size sequence of ciphertext
|
||||||
|
components, $\TransmitCiphertext{\mathrm{1}..\NNew}$.
|
||||||
|
|
||||||
|
\item $\discloseEphemeral$ which is a Curve25519 public key $\DiscloseEphemeralPublic$.
|
||||||
|
|
||||||
|
\item $\discloseCiphertext$ which is the ciphertext component
|
||||||
|
$\DiscloseCiphertext$.
|
||||||
|
|
||||||
|
(The preceding four fields together form the \coinsCiphertext.)
|
||||||
}
|
}
|
||||||
|
|
||||||
\item $\ciphertexts$ which is a $\NNew$ size sequence of ciphertext components.
|
|
||||||
(\changed{$\ephemeralKey$ and} $\ciphertexts$ together form the \coinsCiphertext.)
|
|
||||||
|
|
||||||
\item $\vmacs$ which is a $\NOld$ size sequence of message authentication tags
|
\item $\vmacs$ which is a $\NOld$ size sequence of message authentication tags
|
||||||
$\h{\mathrm{1}..\NOld}$ that bind $\hSig$ to each $\SpendAuthorityPrivate$ of the
|
$\h{\mathrm{1}..\NOld}$ that bind $\hSig$ to each $\AuthPrivate$ of the
|
||||||
$\PourDescription$.
|
$\PourDescription$.
|
||||||
|
|
||||||
\item $\zkproof$ which is the zero-knowledge proof $\PourProof$.
|
\item $\zkproof$ which is the zero-knowledge proof $\PourProof$.
|
||||||
|
@ -714,15 +852,15 @@ In \Zcash, $\NOld$ and $\NNew$ are both $2$.
|
||||||
A valid instance of $\PourProof$ assures that given a \term{primary input}
|
A valid instance of $\PourProof$ assures that given a \term{primary input}
|
||||||
$(\rt, \snOld{\mathrm{1}..\NOld}, \cmNew{\mathrm{1}..\NNew}, \changed{\vpubOld,\;}
|
$(\rt, \snOld{\mathrm{1}..\NOld}, \cmNew{\mathrm{1}..\NNew}, \changed{\vpubOld,\;}
|
||||||
\vpubNew, \hSig, \h{1..\NOld})$, a witness of \term{auxiliary input}
|
\vpubNew, \hSig, \h{1..\NOld})$, a witness of \term{auxiliary input}
|
||||||
$(\treepath{1..\NOld}, \cOld{1..\NOld}, \SpendAuthorityPrivateOld{\mathrm{1}..\NOld},
|
$(\treepath{1..\NOld}, \cOld{1..\NOld}, \AuthPrivateOld{\mathrm{1}..\NOld},
|
||||||
\cNew{1..\NNew}\changed{, \CoinAddressPreRand})$ exists, where:
|
\cNew{1..\NNew}\changed{, \CoinAddressPreRand})$ exists, where:
|
||||||
|
|
||||||
\begin{list}{}{}
|
\begin{list}{}{}
|
||||||
|
|
||||||
\item for each $i \in \{1..\NOld\}$: $\cOld{i}$ = $(\SpendAuthorityPublicOld{i},
|
\item for each $i \in \{1..\NOld\}$: $\cOld{i}$ = $(\AuthPublicOld{i},
|
||||||
\vOld{i}, \CoinAddressRandOld{i}, \CoinCommitRandOld{i})$
|
\vOld{i}, \CoinAddressRandOld{i}, \CoinCommitRandOld{i})$
|
||||||
|
|
||||||
\item for each $i \in \{1..\NNew\}$: $\cNew{i}$ = $(\SpendAuthorityPublicNew{i},
|
\item for each $i \in \{1..\NNew\}$: $\cNew{i}$ = $(\AuthPublicNew{i},
|
||||||
\vNew{i}, \CoinAddressRandNew{i}, \CoinCommitRandNew{i})$
|
\vNew{i}, \CoinAddressRandNew{i}, \CoinCommitRandNew{i})$
|
||||||
|
|
||||||
\item The following conditions hold:
|
\item The following conditions hold:
|
||||||
|
@ -742,16 +880,16 @@ $\changed{\vpubOld +} \vsum{i=1}{\NOld} \vOld{i} = \vpubNew + \vsum{i=1}{\NNew}
|
||||||
\subparagraph{Serial integrity}
|
\subparagraph{Serial integrity}
|
||||||
|
|
||||||
for each $i \in \{1..\NNew\}$:
|
for each $i \in \{1..\NNew\}$:
|
||||||
$\snOld{i} = \PRFsn{\SpendAuthorityPrivateOld{i}}(\CoinAddressRandOld{i})$.
|
$\snOld{i} = \PRFsn{\AuthPrivateOld{i}}(\CoinAddressRandOld{i})$.
|
||||||
|
|
||||||
\subparagraph{Spend authority}
|
\subparagraph{Spend authority}
|
||||||
|
|
||||||
for each $i \in \{1..\NOld\}$:
|
for each $i \in \{1..\NOld\}$:
|
||||||
$\SpendAuthorityPublicOld{i} = \PRFaddr{\SpendAuthorityPrivateOld{i}}(0)$.
|
$\AuthPublicOld{i} = \PRFaddr{\AuthPrivateOld{i}}(0)$.
|
||||||
|
|
||||||
\subparagraph{Non-malleability}
|
\subparagraph{Non-malleability}
|
||||||
|
|
||||||
for each $i \in \{1..\NOld\}$: $\h{i}$ = $\PRFpk{\SpendAuthorityPrivateOld{i}}(i, \hSig)$
|
for each $i \in \{1..\NOld\}$: $\h{i}$ = $\PRFpk{\AuthPrivateOld{i}}(i, \hSig)$
|
||||||
|
|
||||||
\changed{
|
\changed{
|
||||||
\subparagraph{Uniqueness of $\CoinAddressRandNew{i}$}
|
\subparagraph{Uniqueness of $\CoinAddressRandNew{i}$}
|
||||||
|
@ -788,8 +926,8 @@ These are encoded in the same way as in \Bitcoin \cite{Base58Check}.
|
||||||
|
|
||||||
\subsection{Confidential Public Addresses}
|
\subsection{Confidential Public Addresses}
|
||||||
|
|
||||||
A \publicAddress consists of $\SpendAuthorityPublic$ and $\TransmitPublic$.
|
A \paymentAddress consists of $\AuthPublic$ and $\TransmitPublic$.
|
||||||
$\SpendAuthorityPublic$ is a SHA-256 compression function output.
|
$\AuthPublic$ is a SHA-256 compression function output.
|
||||||
$\TransmitPublic$ is a \changed{Curve25519} public key, for use with the
|
$\TransmitPublic$ is a \changed{Curve25519} public key, for use with the
|
||||||
encryption scheme defined in section ``In-band secret distribution".
|
encryption scheme defined in section ``In-band secret distribution".
|
||||||
|
|
||||||
|
@ -799,18 +937,19 @@ The raw encoding of a confidential address consists of:
|
||||||
|
|
||||||
\begin{equation*}
|
\begin{equation*}
|
||||||
\begin{bytefield}[bitwidth=0.07em]{520}
|
\begin{bytefield}[bitwidth=0.07em]{520}
|
||||||
\bitbox{48}{\changed{$\PublicAddressLeadByte$}} &
|
\changed{
|
||||||
\bitbox{256}{$\SpendAuthorityPublic$ (32 bytes)} &
|
\bitbox{48}{$\PaymentAddressLeadByte$}
|
||||||
|
&}\bitbox{256}{$\AuthPublic$ (32 bytes)} &
|
||||||
\bitbox{256}{A \changed{32-byte} encoding of $\TransmitPublic$}
|
\bitbox{256}{A \changed{32-byte} encoding of $\TransmitPublic$}
|
||||||
\end{bytefield}
|
\end{bytefield}
|
||||||
\end{equation*}
|
\end{equation*}
|
||||||
|
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\changed{
|
\changed{
|
||||||
\item A byte, $\PublicAddressLeadByte$, indicating this version of the
|
\item A byte, $\PaymentAddressLeadByte$, indicating this version of the
|
||||||
raw encoding of a \Zcash public address.
|
raw encoding of a \Zcash public address.
|
||||||
}
|
}
|
||||||
\item 32 bytes specifying $\SpendAuthorityPublic$.
|
\item 32 bytes specifying $\AuthPublic$.
|
||||||
\item \changed{32 bytes} specifying $\TransmitPublic$, \changed{using the
|
\item \changed{32 bytes} specifying $\TransmitPublic$, \changed{using the
|
||||||
normal encoding of a Curve25519 public key \cite{Curve25519}}.
|
normal encoding of a Curve25519 public key \cite{Curve25519}}.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
@ -822,8 +961,8 @@ and produces `z' as the Base58Check leading character.}
|
||||||
|
|
||||||
\subsection{Confidential Address Secrets}
|
\subsection{Confidential Address Secrets}
|
||||||
|
|
||||||
A confidential address secret consists of $\SpendAuthorityPrivate$ and
|
A confidential address secret consists of $\AuthPrivate$ and
|
||||||
$\TransmitPrivate$. $\SpendAuthorityPrivate$ is a SHA-256 compression function
|
$\TransmitPrivate$. $\AuthPrivate$ is a SHA-256 compression function
|
||||||
output. $\TransmitPrivate$ is a \changed{Curve25519} private key, for use with
|
output. $\TransmitPrivate$ is a \changed{Curve25519} private key, for use with
|
||||||
the encryption scheme defined in section ``In-band secret distribution".
|
the encryption scheme defined in section ``In-band secret distribution".
|
||||||
|
|
||||||
|
@ -833,18 +972,19 @@ The raw encoding of a confidential address secret consists of, in order:
|
||||||
|
|
||||||
\begin{equation*}
|
\begin{equation*}
|
||||||
\begin{bytefield}[bitwidth=0.07em]{520}
|
\begin{bytefield}[bitwidth=0.07em]{520}
|
||||||
\bitbox{48}{\changed{$\PrivateAddressLeadByte$}} &
|
\changed{
|
||||||
\bitbox{256}{$\SpendAuthorityPrivate$ (32 bytes)} &
|
\bitbox{48}{$\SpendingKeyLeadByte$}
|
||||||
|
&}\bitbox{256}{$\AuthPrivate$ (32 bytes)} &
|
||||||
\bitbox{256}{$\TransmitPrivate$ (32 bytes)}
|
\bitbox{256}{$\TransmitPrivate$ (32 bytes)}
|
||||||
\end{bytefield}
|
\end{bytefield}
|
||||||
\end{equation*}
|
\end{equation*}
|
||||||
|
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\changed{
|
\changed{
|
||||||
\item A byte $\PrivateAddressLeadByte$ indicating this version of the
|
\item A byte $\SpendingKeyLeadByte$ indicating this version of the
|
||||||
raw encoding of a \Zcash private key.
|
raw encoding of a \Zcash private key.
|
||||||
}
|
}
|
||||||
\item 32 bytes specifying $\SpendAuthorityPrivate$.
|
\item 32 bytes specifying $\AuthPrivate$.
|
||||||
\item 32 bytes specifying $\TransmitPrivate$.
|
\item 32 bytes specifying $\TransmitPrivate$.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
|
@ -859,16 +999,19 @@ Transmitted coins are stored on the blockchain in encrypted form, together with
|
||||||
a \coinCommitment $\cm$.
|
a \coinCommitment $\cm$.
|
||||||
|
|
||||||
The \coinPlaintexts associated with a \PourDescription are encrypted to the
|
The \coinPlaintexts associated with a \PourDescription are encrypted to the
|
||||||
respective \transmitPublicAlgorithm keys $\TransmitPublicNew{\mathrm{1}..\NNew}$,
|
respective \transmitKeypair keys $\PublicKey{\mathrm{1}..\NNew}$,
|
||||||
and the result forms a \coinsCiphertext.
|
and the result forms a \coinsCiphertext.
|
||||||
|
|
||||||
Each \coinPlaintext consists of $(\Value, \CoinAddressRand, \CoinCommitRand\changed{, \Memo})$,
|
Each \coinPlaintext consists of $(\changed{\AuthPublic, }\Value, \CoinAddressRand,
|
||||||
where:
|
\CoinCommitRand\changed{, \Memo})$, where:
|
||||||
|
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
|
\changed{
|
||||||
|
\item $\AuthPublic$ is a 32-byte \authKeypair public key of the recipient.
|
||||||
|
}
|
||||||
\item $\Value$ is a 64-bit unsigned integer representing the value of the
|
\item $\Value$ is a 64-bit unsigned integer representing the value of the
|
||||||
\coin in \zatoshi (1 \ZEC = $10^8$ \zatoshi).
|
\coin in \zatoshi (1 \ZEC = $10^8$ \zatoshi).
|
||||||
\item $\CoinAddressRand$ is a 32-byte $\PRFsn{\SpendAuthorityPrivate}$ preimage.
|
\item $\CoinAddressRand$ is a 32-byte $\PRFsn{\AuthPrivate}$ preimage.
|
||||||
\item $\CoinCommitRand$ is a 48-byte \COMMtrapdoor.
|
\item $\CoinCommitRand$ is a 48-byte \COMMtrapdoor.
|
||||||
\changed{
|
\changed{
|
||||||
\item $\Memo$ is a 64-byte \memo associated with this \coin.
|
\item $\Memo$ is a 64-byte \memo associated with this \coin.
|
||||||
|
@ -894,9 +1037,11 @@ does not use it.
|
||||||
The raw encoding of a \coinPlaintext consists of, in order:
|
The raw encoding of a \coinPlaintext consists of, in order:
|
||||||
|
|
||||||
\begin{equation*}
|
\begin{equation*}
|
||||||
\begin{bytefield}[bitwidth=0.035em]{1224}
|
\begin{bytefield}[bitwidth=0.03em]{1480}
|
||||||
\bitbox{80}{\changed{$\TransmitPlaintextVersionByte$}} &
|
\changed{
|
||||||
\bitbox{144}{$\Value$ (8 bytes)} &
|
\bitbox{88}{$\TransmitPlaintextVersionByte$}&
|
||||||
|
\bitbox{256}{$\AuthPublic$ (32 bytes)}&
|
||||||
|
&}\bitbox{168}{$\Value$ (8 bytes)} &
|
||||||
\bitbox{256}{$\CoinAddressRand$ (32 bytes)} &
|
\bitbox{256}{$\CoinAddressRand$ (32 bytes)} &
|
||||||
\bitbox{384}{$\CoinCommitRand$ (48 bytes)} &
|
\bitbox{384}{$\CoinCommitRand$ (48 bytes)} &
|
||||||
\changed{\bitbox{512}{$\Memo$ (64 bytes)}}
|
\changed{\bitbox{512}{$\Memo$ (64 bytes)}}
|
||||||
|
@ -907,6 +1052,7 @@ The raw encoding of a \coinPlaintext consists of, in order:
|
||||||
\changed{
|
\changed{
|
||||||
\item A byte $\TransmitPlaintextVersionByte$ indicating this version of the raw
|
\item A byte $\TransmitPlaintextVersionByte$ indicating this version of the raw
|
||||||
encoding of a \coinPlaintext.
|
encoding of a \coinPlaintext.
|
||||||
|
\item 32 bytes specifying $\AuthPublic$.
|
||||||
}
|
}
|
||||||
\item 8 bytes specifying a big-endian encoding of $\Value$.
|
\item 8 bytes specifying a big-endian encoding of $\Value$.
|
||||||
\item 32 bytes specifying $\CoinAddressRand$.
|
\item 32 bytes specifying $\CoinAddressRand$.
|
||||||
|
@ -934,9 +1080,9 @@ TBD.
|
||||||
\item Instead of ECIES, we use an encryption scheme based on $\CryptoBox$,
|
\item Instead of ECIES, we use an encryption scheme based on $\CryptoBox$,
|
||||||
defined in section ``In-band secret distribution".
|
defined in section ``In-band secret distribution".
|
||||||
\item Faerie Gold fix (TBD).
|
\item Faerie Gold fix (TBD).
|
||||||
\item The paper defines a coin as a tuple $(\SpendAuthorityPublic, \Value,
|
\item The paper defines a coin as a tuple $(\AuthPublic, \Value,
|
||||||
\CoinAddressRand, \CoinCommitRand, \CoinCommitS, \cm)$, whereas this specification
|
\CoinAddressRand, \CoinCommitRand, \CoinCommitS, \cm)$, whereas this specification
|
||||||
defines it as $(\SpendAuthorityPublic, \Value, \CoinAddressRand, \CoinCommitRand)$.
|
defines it as $(\AuthPublic, \Value, \CoinAddressRand, \CoinCommitRand)$.
|
||||||
This is just a clarification, because the instantiation of $\COMM{\CoinCommitS}$
|
This is just a clarification, because the instantiation of $\COMM{\CoinCommitS}$
|
||||||
in section 5.1 of the paper does not use $\CoinCommitS$, and $\cm$ can be computed
|
in section 5.1 of the paper does not use $\CoinCommitS$, and $\cm$ can be computed
|
||||||
from the other fields.
|
from the other fields.
|
||||||
|
|
Loading…
Reference in New Issue