More WIP:

* fix the use of inputs to PRF^expand in Orchard note encryption;
* rename "hash extractor" to "coordinate extractor";
* miscellaneous minor fixes;
* set date of Change History entry.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2021-03-15 16:18:11 +00:00
parent 37d8221c4d
commit ad032d456a
1 changed files with 138 additions and 95 deletions


@ -874,7 +874,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\representedGroups}{\terms{represented group}}
\newcommand{\representedSubgroup}{\term{represented subgroup}}
\newcommand{\representedSubgroups}{\terms{represented subgroup}}
\newcommand{\hashExtractor}{\term{hash extractor}}
\newcommand{\coordinateExtractor}{\term{coordinate extractor}}
\newcommand{\groupHash}{\term{group hash}}
\newcommand{\groupHashes}{\termes{group hash}}
\newcommand{\familyOfGroupHashesIntoTheSubgroup}{\termandindex{family of group hashes into the subgroup}{family of group hashes into a subgroup}}
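Review bot: `\hashExtractor` is deleted rather than kept as an alias of `\coordinateExtractor`, so any use of the old macro that this diff does not touch (body text, the Jubjub and Pallas instantiation sections) will break the build; a grep for `\hashExtractor` before merging is worthwhile. The new name also matches what the two concrete instances actually do (they select the `u`- and `x`-coordinate), and the section labels below are left unchanged, so existing `\crossref{abstractextractor}` links keep resolving.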
@ -939,6 +939,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\joinSplitParameters}{\term{JoinSplit parameters}}
\newcommand{\rankOneConstraintSystem}{\term{Rank 1 Constraint System}}
\newcommand{\primary}{\termandindex{primary}{primary input}}
\newcommand{\xPrimary}{\termandindex{Primary}{primary input}}
\newcommand{\primaryInput}{\term{primary input}}
\newcommand{\primaryInputs}{\terms{primary input}}
\newcommand{\auxiliaryInput}{\term{auxiliary input}}
@ -1640,6 +1641,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\MemoType}{\byteseq{\MemoByteLength}}
\newcommand{\DecryptNoteSprout}{\mathtt{DecryptNoteSprout}}
\newcommand{\ReplacementCharacter}{\textsf{U+FFFD}}
\newcommand{\maybeSapling}{\notnufive{Sapling}}
% Money supply
@ -1824,6 +1826,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\SpendAuthSigRandomizePrivate}[1]{\SpendAuthSig{#1}\mathsf{.RandomizePrivate}}
\newcommand{\SpendAuthSigRandomizerId}[1]{\SpendAuthSig{#1}\mathsf{.Id}}
\newcommand{\SpendAuthSigRandomizer}{\alpha}
\newcommand{\spendAuthSig}{\mathsf{spendAuthSig}}
\newcommand{\BindingSig}[1]{\mathsf{BindingSig}^\mathsf{#1\kern-0.1em}}
\newcommand{\BindingSigPublic}[1]{\BindingSig{#1}\mathsf{.Public}}
@ -1915,7 +1918,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\encCiphertexts}{\mathtt{encCiphertexts}}
\newcommand{\outCiphertext}{\mathtt{outCiphertext}}
\newcommand{\randomSeed}{\mathtt{randomSeed}}
\newcommand{\spendAuthSig}{\mathtt{spendAuthSig}}
\newcommand{\spendAuthSigField}{\mathtt{spendAuthSig}}
\newcommand{\Varies}{\textit{\!Varies}}
\newcommand{\heading}[1]{\multicolumn{1}{c|}{#1}}
\newcommand{\type}[1]{\texttt{#1}}
@ -3812,8 +3815,8 @@ $\PRFexpand{}$ is used in the following places:
} %notnufive
\notbeforenufive{
\item in the processes of sending (\crossref{saplingsend}\nufive{ and \crossref{orchardsend}}) and of receiving
(\crossref{saplingandorchardinband}) \notes, with inputs $[4]$ and $[5]$ for \Sapling \notes\nufive{, or
$[9]$, $[10]$, $[11]$, and $[12]$ for \Orchard \notes};
(\crossref{saplingandorchardinband}) \notes, with inputs $[4]$ and $[5]$\nufive{, and for \Orchard also
$[9]$ and $[10]$};
} %notbeforenufive
\item in \cite{ZIP-32}, with inputs $[0]$, $[1]$, $[2]$ (intentionally matching \shortcrossref{saplingkeycomponents}),
$[t \typecolon \range{16}{22}]$, and $[\hexint{80}]$.
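Review bot: this list is in effect the domain-separation registry for $\PRFexpand{}$, and with this change $[4]$ and $[5]$ are shared between Sapling and Orchard, but the justification (a fresh $\NoteSeedBytes$ per note) only appears in a note in the orchardsend hunk further down. A short parenthetical here, along the lines of "reuse of $[4]$ and $[5]$ across Sapling and Orchard is acceptable because the key $\NoteSeedBytes$ is fresh for each note", would let a reader auditing this list see the argument without hunting for it. The sentence reads correctly in the pre-NU5 build, where the `\nufive{...}` clause vanishes and the item ends at "$[5]$".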
@ -4387,6 +4390,7 @@ Define:
$\NoteCommitAlg{Sapling}$ is instantiated in \crossref{concretesaplingnotecommit}, and
$\ValueCommitAlg{Sapling}$ is instantiated in \crossref{concretevaluecommit}.
\vspace{-1ex}
\nnote{$\NoteCommitAlg{Sapling}$ and $\ValueCommitAlg{Sapling}$ always return points in the subgroup $\SubgroupJ$.
However, we declare the type of these commitment outputs to be $\GroupJ$ because they are not
directly checked to be in the subgroup when $\ValueCommitAlg{Sapling}$ outputs appear in \spendDescriptions
@ -4482,18 +4486,16 @@ $\scalarmult{a}{G}$ meaning $\scalarmult{a \bmod \ParamG{r}}{G}$ as defined abov
\sapling{
\vspace{-1ex}
\introsection
\lsubsubsection{Hash Extractor}{abstractextractor}
\lsubsubsection{Coordinate Extractor}{abstractextractor}
\vspace{-1ex}
A \defining{\hashExtractor} for a \representedGroup $\GroupG{}$ is a function
A \defining{\coordinateExtractor} for a \representedGroup $\GroupG{}$ is a function
$\ExtractG \typecolon \SubgroupG{} \rightarrow T$ for some type $T$.
\todo{\hashExtractor is a bad name, because it extracts commitments as well as hashes.}
\pnote{
Unlike the representation function $\reprG{}$, $\ExtractG$ need not have an
efficiently computable left inverse.
}
} %pnote
} %sapling
@ -5050,7 +5052,7 @@ Let $\JoinSplit$ be as defined in \crossref{abstractzk}.
\vspace{1ex}
\introlist
A \joinSplitDescription consists of $(\vpubOld, \vpubNew, \rt{Sprout}, \nfOld{\allOld},
A \joinSplitDescription comprises $(\vpubOld, \vpubNew, \rt{Sprout}, \nfOld{\allOld},
\cmNew{\allNew}, \EphemeralPublic, \RandomSeed, \h{\allOld}, \ProofJoinSplit,
\TransmitCiphertext{\allNew})$ \\
where
@ -5132,7 +5134,7 @@ Let $\Spend$ be as defined in \crossref{abstractzk}.
\vspace{1ex}
\introlist
A \spendDescription consists of $(\cv, \rt{Sapling}, \nf, \AuthSignRandomizedPublic, \ProofSpend, \spendAuthSig)$
A \spendDescription comprises $(\cv, \rt{Sapling}, \nf, \AuthSignRandomizedPublic, \ProofSpend, \spendAuthSig)$
where
\vspace{1ex}
\begin{itemize}
@ -5204,7 +5206,7 @@ Let $\Output$ be as defined in \crossref{abstractzk}.
\vspace{1ex}
\introlist
An \outputDescription consists of $(\cv, \cmU, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \ProofOutput)$
An \outputDescription comprises $(\cv, \cmU, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \ProofOutput)$
where
\begin{itemize}
\item $\cv \typecolon \ValueCommitOutput{Sapling}$ is the \valueCommitment to the value of the output \note;
@ -5270,8 +5272,8 @@ Let $\Action$ be as defined in \crossref{abstractzk}.
\vspace{1ex}
\introlist
An \actionDescription consists of $(\cvNet, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \spendAuthSig,
\cmX, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \enableSpend, \enableOutput,$ $\ProofAction)$
An \actionDescription comprises $(\cvNet, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \spendAuthSig,
\cmX, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \enableSpend, \enableOutput, \Proof{})$
where
\vspace{1ex}
\begin{itemize}
@ -5295,10 +5297,10 @@ where
a \fullViewingKey to recover the recipient \diversifiedTransmissionKey $\DiversifiedTransmitPublic$
and the \ephemeralPrivateKey $\EphemeralPrivate$ (and therefore the entire \notePlaintext);
\item $\enableSpend \typecolon \bit$ is a flag that is set in order to enable non-zero-valued
spends in this action;
spends in this Action;
\item $\enableOutput \typecolon \bit$ is a flag that is set in order to enable non-zero-valued
outputs in this action;
\item $\ProofAction \typecolon \ActionProof$ is a \zkSNARKProof with \primaryInput
outputs in this Action;
\item $\Proof{} \typecolon \ActionProof$ is a \zkSNARKProof with \primaryInput
$(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \enableSpend,$ $\enableOutput)$
for the \actionStatement defined in \crossref{actionstatement}.
\end{itemize}
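Review bot: the \primaryInput on the unchanged line `$(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \enableSpend,$ $\enableOutput)$` uses $\cv$, whereas the component introduced a few lines above for the same value is $\cvNet$ and the Action Statement's value commitment integrity condition later in this diff also uses $\cvNet{}$; suggest $\cvNet$ here while the neighbouring lines are being edited. The "action" to "Action" capitalisation is consistent with "Spend" in the Sapling table.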
@ -5306,7 +5308,7 @@ where
\pnote{The $\rt{Orchard}$, $\enableSpend$, and $\enableOutput$ components are the same for all
\actionTransfers in a \transaction. They are encoded once in the \transaction body (specified in
\crossref{txnencodingandconsensus}), not in the $\type{ActionDescription}$ structure.
$\ProofAction$ is aggregated with other Action proofs and encoded in the $\proofsOrchard$ field of a
$\Proof{}$ is aggregated with other Action proofs and encoded in the $\proofsOrchard$ field of a
\transaction.}
\begin{consensusrules}
@ -5513,6 +5515,8 @@ output-related fields of an \actionDescription.
\vspace{1ex}
Let $\ValueCommitAlg{Orchard}$ and $\NoteCommitAlg{Orchard}$ be as specified in \crossref{abstractcommit}.
Let $\PRFexpand{Orchard}{}$ be as specified in \crossref{abstractprf}.
Let $\KA{Orchard}$ be as specified in \crossref{abstractkeyagreement}.
Let $\DiversifyHash{Orchard}$ be as specified in \crossref{abstracthashes}.
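Review bot: `$\PRFexpand{Orchard}{}$` on the added line is written with two brace groups, while every other use on this page takes one (`\PRFexpand{}` in the list of uses, `\PRFexpand{\NoteSeedBytes}([4])` in the steps that follow). If the macro is single-argument the trailing `{}` is an empty group and harmless, but the steps key $\PRFexpand{}$ by $\NoteSeedBytes$ rather than by a protocol name, so `$\PRFexpand{}$` would match both the abstractprf definition and the usage below more closely; confirm which form is intended.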
@ -5542,10 +5546,10 @@ and then performs the following steps:
and check that $\DiversifiedTransmitBase \neq \bot$.
\item Choose a uniformly random \commitmentTrapdoor $\ValueCommitRand \leftarrowR \ValueCommitGenTrapdoor{Orchard}()$.
\item Choose uniformly random $\NoteSeedBytes \leftarrowR \NoteSeedBytesType$.
\item Derive $\EphemeralPrivate = \ToScalar{Orchard}\big(\PRFexpand{\NoteSeedBytes}([9])\kern-0.1em\big)$.
\item Derive $\NoteCommitRand = \ToScalar{Orchard}\big(\PRFexpand{\NoteSeedBytes}([10])\kern-0.11em\big)$.
\item Derive $\NoteUniqueRand = \ToBase{Orchard}\big(\PRFexpand{\NoteSeedBytes}([11])\kern-0.1em\big)$.
\item Derive $\NoteNullifierRand = \ToBase{Orchard}\big(\PRFexpand{\NoteSeedBytes}([12])\kern-0.09em\big)$.
\item Derive $\EphemeralPrivate = \ToScalar{Orchard}\big(\PRFexpand{\NoteSeedBytes}([4])\kern-0.1em\big)$.
\item Derive $\NoteCommitRand = \ToScalar{Orchard}\big(\PRFexpand{\NoteSeedBytes}([5])\kern-0.11em\big)$.
\item Derive $\NoteUniqueRand = \ToBase{Orchard}\big(\PRFexpand{\NoteSeedBytes}([9])\kern-0.1em\big)$.
\item Derive $\NoteNullifierRand = \ToBase{Orchard}\big(\PRFexpand{\NoteSeedBytes}([10])\kern-0.09em\big)$.
\item Let $\cv = \ValueCommit{Orchard}{\ValueCommitRand}(\Value)$.
\item Let $\cm = \NoteCommit{Orchard}{\NoteCommitRand}(\reprP\Of{\DiversifiedTransmitBase},
\reprP\Of{\DiversifiedTransmitPublic},
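Review bot: with this renumbering Orchard derives $\EphemeralPrivate$ from $[4]$ and $\NoteCommitRand$ from $[5]$, the same pair Sapling already uses for these values from $\NoteSeedBytes$ (the $[5]$ case is visible in the ovk-decryption hunk below), so the shared decryption path that recovers rcm from rseed now works for Orchard without a special case; $[9]$ and $[10]$ for $\NoteUniqueRand$ and $\NoteNullifierRand$ agree with the values recomputed in the ivk-decryption hunk. The four `\kern` values (-0.1em, -0.11em, -0.1em, -0.09em) are carried over from the old lines and look hand-tuned to the old digit widths; since the bracket contents changed, the rendered spacing is worth a second look.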
@ -5561,14 +5565,20 @@ and then performs the following steps:
This procedure is described in \crossref{saplingandorchardencrypt}; it also uses
$\cvField$ and $\cmxField$ to derive $\OutCipherKey$, and takes
$\EphemeralPrivate$ as input.
\item For an \Orchard \note, generate a proof $\ProofAction$ for the \actionStatement in \crossref{actionstatement}.
\item Return $(\cv, \cm, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \ProofAction)$.
\item For an \Orchard \note, generate a proof $\Proof{}$ for the \actionStatement in \crossref{actionstatement}.
\item Return $(\cv, \cm, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \Proof{})$.
\end{algorithm}
In order to minimize information leakage, the sender \SHOULD randomize the order of
\actionDescriptions in a \transaction. Other considerations relating to information
leakage from the structure of \transactions are beyond the scope of this specification.
The encoded \transaction is submitted to the peer-to-peer network.
\nnote{
The inputs $[4]$ and $[5]$ are used as inputs to $\PRFexpand{}$ in both \Sapling and
\Orchard shielded protocols. Since a fresh $\NoteSeedBytes$ is generated for each \note,
this should have no negative effect on security.
} %nnote
} %nufive
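Review bot: the new note's conclusion that reusing $[4]$ and $[5]$ "should have no negative effect on security" depends on two things it leaves implicit: that $\NoteSeedBytes$ is drawn uniformly at random for each note (the "Choose uniformly random" step above), and that an implementation never feeds the same $\NoteSeedBytes$ to both a Sapling and an Orchard note. Suggest stating both, since the second is a requirement on implementations rather than a property of the specification, and "should" reads weaker than the argument actually supports.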
@ -5706,9 +5716,9 @@ constructed as follows:
\item Let $\Value = 0$ and $\NotePosition = 0$.
\item Choose uniformly random $\ValueCommitRand \leftarrowR \ValueCommitGenTrapdoor{Orchard}()$.
\item Choose uniformly random $\NoteSeedBytes \leftarrowR \NoteSeedBytesType$.
\item Derive $\NoteCommitRand = \ToScalar{Orchard}\big(\PRFexpand{\NoteSeedBytes}([10])\kern-0.11em\big)$.
\item Derive $\NoteUniqueRand = \ToBase{Orchard}\big(\PRFexpand{\NoteSeedBytes}([11])\kern-0.1em\big)$.
\item Derive $\NoteNullifierRand = \ToBase{Orchard}\big(\PRFexpand{\NoteSeedBytes}([12])\kern-0.09em\big)$.
\item Derive $\NoteCommitRand = \ToScalar{Orchard}\big(\PRFexpand{\NoteSeedBytes}([5])\kern-0.11em\big)$.
\item Derive $\NoteUniqueRand = \ToBase{Orchard}\big(\PRFexpand{\NoteSeedBytes}([9])\kern-0.1em\big)$.
\item Derive $\NoteNullifierRand = \ToBase{Orchard}\big(\PRFexpand{\NoteSeedBytes}([10])\kern-0.09em\big)$.
\item Let $\cv = \ValueCommit{Orchard}{\ValueCommitRand}(\Value)$.
\item Let $\cm = \NoteCommit{Orchard}{\NoteCommitRand}\big(\reprP\Of{\DiversifiedTransmitBase},
\reprP\Of{\DiversifiedTransmitPublic},
@ -6290,7 +6300,7 @@ $\cvNet{\alln}$. We may also assume, from Knowledge Soundness of \HaloTwo, that
proofs could not have been generated without knowing $\ValueCommitRandNet{\alln} \pmod{\ParamP{r}}$.
\introlist
Using the fact that $\ValueCommit{\ValueCommitRand}(\Value) = \scalarmult{\Value}{\ValueCommitValueBase{Orchard}}\,
Using the fact that $\ValueCommit{Orchard}{\ValueCommitRand}(\Value) = \scalarmult{\Value}{\ValueCommitValueBase{Orchard}}\,
\combplus \scalarmult{\ValueCommitRand}{\ValueCommitRandBase{Orchard}}$, the expression for $\BindingPublic{Orchard}$
above is equivalent to:
@ -6374,20 +6384,22 @@ using the \sighashType $\SIGHASHALL$.
Let $\AuthSignPrivate$ be the \defining{\spendAuthPrivateKey} as defined in \crossref{saplingkeycomponents}.
\notbeforenufive{
Let $\SpendAuthSig{}$ be $\SpendAuthSig{Sapling}$\nufive{ or $\SpendAuthSig{Orchard}$ as applicable}.
} %notbeforenufive
\introsection
\vspace{2ex}
For each \spendDescription, the signer chooses a fresh \defining{\spendAuthRandomizer} $\AuthSignRandomizer$:
\begin{enumerate}
\item Choose $\AuthSignRandomizer \leftarrowR \SpendAuthSigGenRandom{}()$.
\item Let $\AuthSignRandomizedPrivate = \SpendAuthSigRandomizePrivate{}(\AuthSignRandomizer, \AuthSignPrivate)$.
\item Let $\AuthSignRandomizedPublic = \SpendAuthSigDerivePublic{}(\AuthSignRandomizedPrivate)$.
\item Choose $\AuthSignRandomizer \leftarrowR \SpendAuthSigGenRandom{\maybeSapling}()$.
\item Let $\AuthSignRandomizedPrivate = \SpendAuthSigRandomizePrivate{\maybeSapling}(\AuthSignRandomizer, \AuthSignPrivate)$.
\item Let $\AuthSignRandomizedPublic = \SpendAuthSigDerivePublic{\maybeSapling}(\AuthSignRandomizedPrivate)$.
\item Generate a proof $\Proof{}$ of the \spendStatement (\crossref{spendstatement})\nufive{ or
\actionStatement (\crossref{actionstatement})}, with $\AuthSignRandomizer$ in the
\auxiliaryInput and $\AuthSignRandomizedPublic$ in the \primaryInput.
\item Let $\spendAuthSig = \SpendAuthSigSign{}{\AuthSignRandomizedPrivate}(\SigHash)$.
\item Let $\spendAuthSig = \SpendAuthSigSign{\maybeSapling}{\AuthSignRandomizedPrivate}(\SigHash)$.
\end{enumerate}
The resulting $\spendAuthSig$ and $\Proof{}$ are included in the \spendDescription\nufive{, or
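Review bot: "For each \spendDescription, the signer chooses a fresh \spendAuthRandomizer" is not gated for NU5, while the closing sentence of this hunk already says the result goes into "the \spendDescription\nufive{, or ...}"; suggest `\spendDescription\nufive{ or \actionDescription}` on the introductory line as well. The `\maybeSapling` substitution itself looks right: in the pre-NU5 build it pins the Sapling instance, and in the NU5 build it leaves the empty superscript that the "Let $\SpendAuthSig{}$ be ... as applicable" sentence inside `\notbeforenufive` resolves.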
@ -6469,6 +6481,11 @@ as follows:
where $\NullifierKey$ is the \nullifierDerivingKey associated with the \note;
$\NoteUniqueRand$ and $\NoteNullifierRand$ are part of the \note; and $\cm$ is
the \noteCommitment.
\vspace{-1ex}
\pnote{The addition of $\PRFnf{Orchard}{\NullifierKey}(\NoteUniqueRand)$ and $\NoteNullifierRand$
is intentionally done modulo $\ParamP{q}$, even though the scalar multiplication is on the \pallasCurve
which has scalar field $\GF{\ParamP{r}}$.}
} %nufive
\securityrequirement{
@ -6586,8 +6603,8 @@ For details of the form and encoding of proofs, see \crossref{bctv}.
\lsubsubsection{Spend Statement (\SaplingText)}{spendstatement}
\vspace{-1ex}
Let $\MerkleHashLength{Sapling}$, $\PRFOutputLengthNfSapling$, and $\ScalarLength{Sapling}$ be
as defined in \crossref{constants}.
Let $\MerkleHashLength{Sapling}$, $\PRFOutputLengthNfSapling$, $\ScalarLength{Sapling}$, and $\MerkleDepth{Sapling}$
be as defined in \crossref{constants}.
\vspace{-0.5ex}
Let $\ValueCommitAlg{Sapling}$ and $\NoteCommitAlg{Sapling}$ be as specified in \crossref{abstractcommit}.
@ -6679,7 +6696,7 @@ $\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBas
For details of the form and encoding of \spendStatement proofs, see \crossref{groth}.
\begin{pnotes}
\item Public and \auxiliaryInputs \MUST be constrained to have the types specified. In particular,
\item \xPrimary and \auxiliaryInputs \MUST be constrained to have the types specified. In particular,
see \crossref{ccteddecompressvalidate}, for required validity checks on compressed
representations of \jubjubCurve points.
@ -6757,7 +6774,7 @@ $\EphemeralPublic = \scalarmult{\EphemeralPrivate}{\DiversifiedTransmitBase}$.
For details of the form and encoding of \outputStatement proofs, see \crossref{groth}.
\begin{pnotes}
\item Public and \auxiliaryInputs \MUST be constrained to have the types specified. In particular,
\item \xPrimary and \auxiliaryInputs \MUST be constrained to have the types specified. In particular,
see \crossref{ccteddecompressvalidate}, for required validity checks on compressed
representations of \jubjubCurve points.
The $\ValueCommitOutput{Sapling}$ type also represents points, i.e. $\GroupJ$.
@ -6772,10 +6789,10 @@ For details of the form and encoding of \outputStatement proofs, see \crossref{g
\lsubsubsection{Action Statement (\OrchardText)}{actionstatement}
\vspace{-1ex}
Let $\MerkleHashLength{Orchard}$ and $\ScalarLength{Orchard}$ be as defined in \crossref{constants}.
Let $\MerkleHashLength{Orchard}$, $\ScalarLength{Orchard}$, and $\MerkleDepth{Orchard}$ be as defined in \crossref{constants}.
\vspace{-0.5ex}
Let $\ValueCommitAlg{Orchard}$ and $\NoteCommitAlg{Orchard}$ be as specified in \crossref{abstractcommit}.
Let $\ValueCommitAlg{Orchard}$, $\NoteCommitAlg{Orchard}$, and $\CommitIvkAlg$ be as specified in \crossref{abstractcommit}.
\vspace{-0.5ex}
Let $\SpendAuthSig{Orchard}$ be as defined in \crossref{concretespendauthsig}.
@ -6788,7 +6805,7 @@ Let $\DeriveNullifierAlg$ be as defined in \crossref{commitmentsandnullifiers}.
\intropart
\vspace{0.5ex}
A valid instance of a \defining{\actionStatement}, $\ProofAction$, assures that given a \primaryInput:
A valid instance of a \defining{\actionStatement}, $\Proof{}$, assures that given a \primaryInput:
\vspace{-1ex}
\begin{formulae}
@ -6845,7 +6862,7 @@ Either $\vOld{} = 0$; or $(\TreePath{}, \NotePosition)$ is a valid \merklePath o
as defined in \crossref{merklepath}, from $\cmOld{}$ to the \anchor $\rt{Orchard}$.
\snarkcondition{Value commitment integrity}{actionvaluecommitmentintegrity}
$\cvNet{} = \ValueCommit{Orchard}{\ValueCommitRandOld{}}(\vOld{} - \vNew{})$.
$\cvNet{} = \ValueCommit{Orchard}{\ValueCommitRand}(\vOld{} - \vNew{})$.
\vspace{-0.5ex}
\snarkcondition{Nullifier integrity}{actionnullifierintegrity}
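Review bot: replacing $\ValueCommitRandOld{}$ with $\ValueCommitRand$ matches the trapdoor name used in the orchardsend steps ($\cv = \ValueCommit{Orchard}{\ValueCommitRand}(\Value)$); make sure the \auxiliaryInput list of the Action Statement (not in this hunk) binds the same $\ValueCommitRand$, otherwise the condition refers to a variable the statement never introduces.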
@ -6876,7 +6893,7 @@ $\vNew{} = 0$ or $\enableOutput = 1$.
For details of the form and encoding of \actionStatement proofs, see \crossref{halo2}.
\begin{pnotes}
\item Public and \auxiliaryInputs \MUST be constrained to have the types specified.
\item \xPrimary and \auxiliaryInputs \MUST be constrained to have the types specified.
In particular, $\DiversifiedTransmitBaseOld$ cannot be $\ZeroP$.
The $\ValueCommitOutput{Orchard}$ and $\SpendAuthSigPublic{Orchard}$ types represent
\pallasCurve points, i.e.\ $\GroupP$.
@ -6891,6 +6908,15 @@ For details of the form and encoding of \actionStatement proofs, see \crossref{h
\item The validity of $\DiversifiedTransmitBaseRepr$ and $\DiversifiedTransmitPublicRepr$ are
\emph{not} checked in this circuit.
\end{pnotes}
\vspace{-2ex}
\nnote{
There is intentionally no equivalent to the \snarkref{Ephemeral public key integrity}{outputepkintegrity}
check in the \Sapling \outputStatement. It is unnecessary for the sender of an
\Orchard \note to prove knowledge of $\EphemeralPrivate$, because the potential
attack this originally addressed for \Sapling is prevented by the checks added
at \Canopy activation by \cite{ZIP-212}.
} %nnote
} %nufive
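Review bot: the rationale in the new note points at ZIP-212 without saying which check it means; the ivk-decryption hunk below shows it concretely (return $\bot$ if $\reprG{}\big(\KADerivePublic{}(\EphemeralPrivate, \DiversifiedTransmitBase)\big) \neq \ephemeralKey$, applied when the lead byte is not $\hexint{01}$), so a cross-reference to that step would let an implementer verify the claim inside the document. "The potential attack this originally addressed" would also be easier to audit if the note named or cited it.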
@ -7065,8 +7091,8 @@ For both encryption and decryption,
\vspace{-0.5ex}
\item let $\PRFock{}{}$ be $\PRFock{Sapling}{}$\nufive{ or $\PRFock{Orchard}{}$} instantiated in
\crossref{concreteprfs};
\item let $\DiversifyHash{}$ be $\DiversifyHash{Sapling}$\nufive{ or $\DiversifyHash{Orchard}$}
instantiated in \crossref{concretediversifyhash};
\item let $\DiversifyHash{}$ be $\DiversifyHash{Sapling}$ in \crossref{concretediversifyhash}\nufive{, or
$\DiversifyHash{Orchard}$ in the same section};
\item let $\ToScalar{}$ be $\ToScalar{Sapling}$ defined in \crossref{saplingkeycomponents}\nufive{ or
$\ToScalar{Orchard}$ defined in \crossref{orchardkeycomponents}}.
\end{itemize}
@ -7081,16 +7107,17 @@ Let $\DiversifiedTransmitPublic \typecolon \KAPublicPrimeSubgroup{}$ be the
and let $\DiversifiedTransmitBase \typecolon \KAPublicPrimeSubgroup{}$ be the corresponding
\diversifiedBase computed as $\DiversifyHash{}(\Diversifier)$.
Since \SaplingAndOrchard \note encryption is used only in the context of
\crossref{saplingandorchardsend}, we may assume that $\DiversifiedTransmitBase$ has already been
calculated and is not $\bot$. Also, the \ephemeralPrivateKey $\EphemeralPrivate$ has been chosen.
Since \Sapling \note encryption is used only in the context of \crossref{saplingsend}\nufive{, and similarly
\Orchard \note encryption is used only in the context of \crossref{orchardsend}}, we may assume that
$\DiversifiedTransmitBase$ has already been calculated and is not $\bot$. Also, the \ephemeralPrivateKey
$\EphemeralPrivate$ has been chosen.
Let $\OutViewingKey \typecolon \maybe{\OutViewingKeyType}$ be as described in \crossref{saplingandorchardsend},
i.e.\ the \outgoingViewingKey of the \paymentAddress from which the \note is being spent, or an
\outgoingViewingKey associated with a \cite{ZIP-32} account, or $\bot$.
Let $\OutViewingKey \typecolon \maybe{\OutViewingKeyType}$ be as described in \shortcrossref{saplingsend}\nufive{ or
\shortcrossref{orchardsend}}, i.e.\ the \outgoingViewingKey of the \paymentAddress from which the \note is being
spent, or an \outgoingViewingKey associated with a \cite{ZIP-32} account, or $\bot$.
Let $\NotePlaintext{} = (\NotePlaintextLeadByte, \Diversifier, \Value, \NoteCommitRandBytesOrSeedBytes, \Memo)$
be the \Sapling \notePlaintext.
be the \SaplingOrOrchard \notePlaintext.
$\NotePlaintext{}$ is encoded as defined in \crossref{notept}.
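Review bot: `be the \SaplingOrOrchard \notePlaintext.` is not wrapped in `\nufive{...}`, unlike the other Orchard mentions in this hunk, which are gated; confirm that `\SaplingOrOrchard` (and `\SaplingAndOrchard`, used the same way on the removed line) expands to just "Sapling" in the pre-NU5 build, otherwise the pre-NU5 PDF will mention Orchard at this point.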
@ -7141,13 +7168,14 @@ received out-of-band, which are not addressed in this document.
\sapling{
\extralabel{saplingdecryptivk}{\lsubsubsection{Decryption using an Incoming Viewing Key (\SaplingAndOrchardText)}{decryptivk}}
Let $\InViewingKey \typecolon \InViewingKeyTypeSapling$\nufive{ or $\InViewingKeyTypeOrchard$}
be the recipient's \incomingViewingKey, as specified in \crossref{saplingkeycomponents}\nufive{ or
\crossref{orchardkeycomponents}}.
Let $\InViewingKey \typecolon \InViewingKeyTypeSapling$\notbeforenufive{ (in \Sapling)\nufive{ or
$\InViewingKeyTypeOrchard$ (in \Orchard)}} be the recipient's \incomingViewingKey, as specified in
\crossref{saplingkeycomponents}\nufive{ or \crossref{orchardkeycomponents}}.
Let $(\ephemeralKey, \TransmitCiphertext{}, \OutCiphertext)$ be the \noteCiphertext from the
\outputDescription{}. Let $\cmstarField$ be the $\cmuField$\nufive{ or $\cmxField$} field of
the \outputDescription (encoding the $u$-coordinate\nufive{ or $x$-coordinate} of the \noteCommitment).
the \outputDescription\nufive{ or \actionDescription respectively}. (This encodes the
$u$-coordinate\nufive{ or $x$-coordinate} of the \noteCommitment, i.e.\ $\ExtractG(\cm)$.)
\canopy{
Let the constant $\CanopyActivationHeight$ be as defined in \crossref{constants}.
@ -7188,28 +7216,40 @@ from $\TransmitPlaintext{}$
\item \tab if $\reprG{}\big(\KADerivePublic{}(\EphemeralPrivate, \DiversifiedTransmitBase)\kern-0.12em\big) \neq \ephemeralKey$,
return $\bot$
\item \blank
}
} %canopy
\item let $\DiversifiedTransmitPublic = \KADerivePublic{}(\InViewingKey, \DiversifiedTransmitBase)$
\item let $\cmstar' = \ExtractG{}\big(\NoteCommit{Sapling}{\NoteCommitRand}(\reprG{}\Of{\DiversifiedTransmitBase},
\reprG{}\Of{\DiversifiedTransmitPublic},
\Value)\kern-0.12em\big)$.
\item \notbeforenufive{for \Sapling,} let $\cmstar' = \ExtractJ{}\big(\NoteCommit{Sapling}{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase},
\reprJ\Of{\DiversifiedTransmitPublic},
\Value)\kern-0.1em\big)$.
\nufive{
\item for \Orchard:
\item \tab let $\NoteUniqueRand = \ToBase{Orchard}\big(\PRFexpand{\NoteSeedBytes}([9])\kern-0.1em\big)$
\item \tab let $\NoteNullifierRand = \ToBase{Orchard}\big(\PRFexpand{\NoteSeedBytes}([10])\kern-0.09em\big)$
\item \tab let $\cmstar' = \ExtractP\big(\NoteCommit{Orchard}{\NoteCommitRand}(\reprP\Of{\DiversifiedTransmitBase},
\reprP\Of{\DiversifiedTransmitPublic},
\Value,
\NoteUniqueRand,
\NoteNullifierRand)\kern-0.1em\big)$
\item \blank
} %nufive
\item if $\LEBStoOSPOf{256}{\cmstar'} \neq \cmstarField$, return $\bot$
\item return $\NotePlaintext{}$.
\end{algorithm}
\begin{pnotes}
\item As explained in the note in \crossref{jubjub}, $\abstJ$ accepts \nonCanonicalPoint compressed encodings
of \jubjubCurve points. Therefore, an implementation \MUST use the original $\ephemeralKey$ field as
encoded in the \transaction as input to $\KDF{Sapling}$\canopy{, and (if \Canopy is active and
$\NotePlaintextLeadByte \neq \hexint{01}$) in the comparison against
$\reprJ\big(\KADerivePublic{Sapling}(\EphemeralPrivate, \DiversifiedTransmitBase)\kern-0.12em\big)$}.
\item For \Sapling, as explained in the note in \crossref{jubjub}, $\abstJ$ accepts \nonCanonicalPoint
compressed encodings of \jubjubCurve points. Therefore, an implementation \MUST use the original
$\ephemeralKey$ field as encoded in the \transaction as input to $\KDF{Sapling}$\canopy{, and
(if \Canopy is active and $\NotePlaintextLeadByte \neq \hexint{01}$) in the comparison against
$\reprG{}\big(\KADerivePublic{}(\EphemeralPrivate, \DiversifiedTransmitBase)\kern-0.1em\big)$}.
\nufive{For consistency this is also what is specified for \Orchard.}
\item Normally only \noteCiphertextsSapling of \transactions in \blocks need to be decrypted. In that case,
any received \Sapling \note is necessarily a \positionedNote, and so its $\NoteUniqueRand$
value can immediately be calculated as described in \crossref{commitmentsandnullifiers}.
To test whether a \Sapling \note is unspent in a particular \blockChain also requires
the \nullifierDerivingKey $\NullifierKeyRepr$; the coin is unspent if and only if
$\nf = \PRFnf{Sapling}{\NullifierKeyRepr}\big(\reprJ(\NoteUniqueRand)\kern-0.15em\big)$ is
not in the \nullifierSet for that \blockChain.
To test whether a \SaplingOrOrchard \note is unspent in a particular \blockChain also requires
the \nullifierDerivingKey $\NullifierKey$; the coin is unspent if and only if the \nullifier
computed as described in \crossref{commitmentsandnullifiers} is not in the \nullifierSet for
that \blockChain.
\item A \note can change from being unspent to spent as a node's view of the \bestValidBlockChain is
extended by new \transactions. Also, \blockChainReorganizations can cause a node to switch to
a different \bestValidBlockChain that does not contain the \transaction in which a \note was output.
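Review bot: the pnote beginning "Normally only \noteCiphertextsSapling of \transactions in \blocks need to be decrypted" is still Sapling-only on its untouched lines ("any received \Sapling \note is necessarily a \positionedNote, and so its $\NoteUniqueRand$ value can immediately be calculated"), while its continuation was generalised to \SaplingOrOrchard; for Orchard the algorithm above derives $\NoteUniqueRand$ from $\NoteSeedBytes$ with input $[9]$ rather than from the note position, so that sentence needs a `\notbeforenufive{for \Sapling,}` gate or an Orchard clause. The Orchard branch recomputing $\NoteUniqueRand$ and $\NoteNullifierRand$ before the $\cmstar$ comparison is the right order, since that comparison is what binds those values to the commitment.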
@ -7277,7 +7317,7 @@ from $\TransmitPlaintext{}$
\ToScalar{}\big(\PRFexpand{\NoteSeedBytes}([5])\kern-0.11em\big),&\caseotherwise
\end{cases}$}
\item let $\NoteCommitRand = \LEOStoIPOf{256}{\NoteCommitRandBytes}$
and $\DiversifiedTransmitBase = \DiversifyHash{Sapling}(\Diversifier)$
and $\DiversifiedTransmitBase = \DiversifyHash{}(\Diversifier)$
\item if $\NoteCommitRand \geq \ParamG{r}$ or $\DiversifiedTransmitBase = \bot$, return $\bot$
\item \notbeforenufive{for \Sapling,} if $\DiversifiedTransmitBase \not\in \SubgroupJ$, return $\bot$
\item let $\cmstar' = \ExtractG\big(\NoteCommit{}{\NoteCommitRand}(\reprG{}\Of{\DiversifiedTransmitBase},
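Review bot: the last visible line calls `\NoteCommit{}{\NoteCommitRand}(\reprG{}\Of{\DiversifiedTransmitBase}, ...` in the generic three-argument form, but the ivk procedure's Orchard branch shows $\NoteCommit{Orchard}{}$ taking two further arguments ($\NoteUniqueRand$, $\NoteNullifierRand$) derived from $\NoteSeedBytes$ with $[9]$ and $[10]$; check that the remainder of this ovk procedure (cut off here) derives and passes them for Orchard, otherwise $\cmstar'$ can never equal $\cmstarField$ for an Orchard note. Switching to the generic $\DiversifyHash{}(\Diversifier)$ is consistent with the "let \DiversifyHash{} be ..." preamble earlier in the diff.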
@ -7290,18 +7330,18 @@ from $\TransmitPlaintext{}$
\end{algorithm}
\begin{pnotes}
\item As explained in the note in \crossref{jubjub}, $\abstJ$ accepts \nonCanonicalPoint compressed encodings
of \jubjubCurve points. Therefore, an implementation \MUST use the original $\ephemeralKey$ field as
encoded in the \transaction as input to $\PRFock{}{}$ and $\KDF{Sapling}$, and in the comparison against
$\reprJ\big(\KADerivePublic{Sapling}(\EphemeralPrivate, \DiversifiedTransmitBase)\kern-0.12em\big)$.
\vspace{-0.5ex}
\item As explained in the note in \crossref{jubjub}, $\abstJ$ accepts \nonCanonicalPoint
compressed encodings of \jubjubCurve points. Therefore, an implementation \MUST use the original
$\ephemeralKey$ field as encoded in the \transaction as input to $\PRFock{}{}$ and $\KDF{Sapling}$,
and in the comparison against $\reprJ\big(\KADerivePublic{Sapling}(\EphemeralPrivate, \DiversifiedTransmitBase)\kern-0.12em\big)$.
\nufive{For consistency this is also what is specified for \Orchard.}
\prenufiveitem{$\DiversifiedTransmitPublicRepr$ can also be \nonCanonicalPoint. Since $\bot$ is returned
if $\DiversifiedTransmitBase \not\in \SubgroupJ$, the only accepted \nonCanonicalPoint encoding for
$\DiversifiedTransmitPublicRepr$ is $\ItoLEBSP{256}\big(2^{255} + 1\big)$.}
\nufiveonwarditem{This procedure returns $\bot$ if $\DiversifiedTransmitPublicRepr$ is \nonCanonicalPoint,
as specified in \cite{ZIP-216}.}
$\DiversifiedTransmitPublicRepr$ of a \Sapling \note is $\ItoLEBSP{256}\big(2^{255} + 1\big)$.}
\nufiveonwarditem{This procedure returns $\bot$ if $\DiversifiedTransmitPublicRepr$ is \nonCanonicalPoint
(which can only occur for \Sapling \notes), as specified in \cite{ZIP-216}.}
\item A previous version of this specification did not have the requirement for the decoded point
$\DiversifiedTransmitPublic$ to be in the subgroup $\SubgroupJ$ (i.e.\ the line
$\DiversifiedTransmitPublic$ of a \Sapling \note to be in the subgroup $\SubgroupJ$ (i.e.\ the line
``if $\DiversifiedTransmitBase \not\in \SubgroupJ$, return $\bot$``). That did not match the
implementation in \zcashd, which does require $\DiversifiedTransmitPublic$ to be in the subgroup.
The specification has been changed to match \zcashd.
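Review bot: the closing delimiter on the unchanged line ``if $\DiversifiedTransmitBase \not\in \SubgroupJ$, return $\bot$`` is two backticks, which LaTeX sets as an opening quote; it should be `''`. The "(which can only occur for \Sapling \notes)" qualifier and the "of a \Sapling \note" insertions are the right gating, since the \nonCanonicalPoint discussion is about $\abstJ$ and Jubjub encodings only.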
@ -7310,7 +7350,7 @@ from $\TransmitPlaintext{}$
\notes decrypted by this procedure.
\end{pnotes}
\vspace{-1ex}
\vspace{-2ex}
\nnote{Implementors should pay close attention to the similarities and differences between this procedure
and that in \crossref{decryptivk}. \canopy{In particular:
\vspace{1ex}
@ -7384,7 +7424,7 @@ be the \incomingViewingKey corresponding to $\AuthPrivate$, and let $\TransmitPu
\sapling{
\extralabel{saplingscan}{\lsubsection{Block Chain Scanning (\SaplingAndOrchardText)}{scan}}
\todo{generalize}
\nufive{\todo{generalize for \Orchard}}
In \Sapling, \blockChain scanning requires only the $\NullifierKey$ and $\InViewingKey$
key components, rather than a \spendingKey as in \Sprout.
@ -9464,7 +9504,7 @@ $\ExtractJ$, $\WindowedPedersenCommitAlg$, and $\NoteCommitAlg{Sapling}$,
$\ItoLEBSPOf{\MerkleHashLength{Sapling}}{1}$ can be in the range of $\NoteCommitAlg{Sapling}$
only if there exist $\NoteCommitRand \typecolon \NoteCommitTrapdoor{Sapling}$,
$D \typecolon \smash{\byteseq{8}}$, and $M \typecolon \smash{\bitseq{\PosInt}}$
such that $\Selectu\Of{\WindowedPedersenCommit{\NoteCommitRand}(D, M)} = 1$.
such that $\Selectu\Of{\WindowedPedersenCommit{\NoteCommitRand}(D, M)}$ $= 1$.
The latter can only be the \affineCtEdwards $u$-coordinate of a point in $\strut\GroupJ$.
We show that there are no points in $\GroupJ$ with \affineCtEdwards $u$-coordinate $1$.
Suppose for a contradiction that $(u, \varv) \in \GroupJ$ for $u = 1$ and some
@ -10056,7 +10096,7 @@ other conditions on points, for example that they have order at least $\ParamJ{r
\sapling{
\lsubsubsubsection{Hash Extractor for \JubjubText}{concreteextractorjubjub}
\lsubsubsubsection{Coordinate Extractor for \JubjubText}{concreteextractorjubjub}
\vspace{-2ex}
Let $\Selectu\Of{(u, \varv)} = u$ and let $\Selectv\Of{(u, \varv)} = \varv$.
@ -10267,7 +10307,7 @@ $\abstJ\Of{P\Repr}$ is computed as follows:
encoding represents a point on the curve.
\end{pnotes}
\lsubsubsubsection{Hash Extractor for \PallasText}{concreteextractorpallas}
\lsubsubsubsection{Coordinate Extractor for \PallasText}{concreteextractorpallas}
\vspace{-1ex}
Let $\GroupP$, $\ZeroP$, $\ParamP{q}$, and $\ParamP{b}$ be as defined in \crossref{pallasandvesta}.
@ -10525,7 +10565,7 @@ verified proof in \cite{BGHOZ2013}.
with the \defining{\BCTV} \provingSystem described in \cite{BCTV2014a}, which is a modification of
the systems in \cite{PHGR2013} and \cite{BCGTV2013}.
A \BCTV proof consists of
A \BCTV proof comprises
$(\Proof{A} \typecolon \SubgroupGstar{1},\,
\Proof{A}' \typecolon \SubgroupGstar{1},\,
\Proof{B} \typecolon \SubgroupGstar{2},\,
@ -10641,7 +10681,7 @@ security proof of this system and its setup is given in \cite{Maller2018}.
both in \Sprout \joinSplitDescriptions and in \Sapling \spendDescriptions and \outputDescriptions.
They are generated by the \defining{\bellman} library \cite{Bowe-bellman}.
A \Groth proof consists of
A \Groth proof comprises
$(\Proof{A} \typecolon \SubgroupSstar{1},\,
\Proof{B} \typecolon \SubgroupSstar{2},\,
\Proof{C} \typecolon \SubgroupSstar{1})$.
@ -12059,21 +12099,21 @@ at some \blockHeight in the past, $\LEBStoOSPOf{256}{\rt{Sapling}}$. \\ \hline
$32$ & $\nullifierField$ & \type{byte[32]} & The \nullifier of the input \note, $\nf$. \\ \hline
$32$ & $\rkField$ & \type{byte[32]} & The randomized \validatingKey for $\spendAuthSig$,
$32$ & $\rkField$ & \type{byte[32]} & The randomized \validatingKey for $\spendAuthSigField$,
$\LEBStoOSPOf{256}{\reprJ\Of{\AuthSignRandomizedPublic}\kern 0.05em}$. \\ \hline
$192\nufive{\;\dagger}$ & $\zkproof$ & \type{byte[192]} & An encoding of the \zkSNARKProof
$\ProofSpend$ (see \crossref{groth}). \\ \hline
$64\nufive{\;\dagger}$ & $\spendAuthSig$ & \type{byte[64]} & A signature authorizing this Spend. \\ \hline
$64\nufive{\;\dagger}$ & $\spendAuthSigField$ & \type{byte[64]} & A signature authorizing this Spend. \\ \hline
\end{tabularx}
\end{center}
\nufive{$\dagger$ The $\anchorField, \zkproof, and \spendAuthSig$ fields are only present in a \spendDescription
\nufive{$\dagger$ The $\anchorField, \zkproof, and \spendAuthSigField$ fields are only present in a \spendDescription
if the \transactionVersion is $4$. For version 5 \transactions, all \spendDescriptions share the same \anchor,
which is encoded once as the $\anchorField{Sapling}$ field of the \transaction as described in
\crossref{txnencodingandconsensus}. The $\zkproof$ and $\spendAuthSig$ fields of a \spendDescription have been
\crossref{txnencodingandconsensus}. The $\zkproof$ and $\spendAuthSigField$ fields of a \spendDescription have been
moved into the $\vSpendProofsSapling$ and $\vSpendAuthSigs{Sapling}$ fields respectively of version 5 \transactions.}
\vspace{-2ex}
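Review bot: the footnote line `\nufive{$\dagger$ The $\anchorField, \zkproof, and \spendAuthSigField$ fields are only present in a \spendDescription` still wraps the whole comma-separated list, including the English word `and`, in one math span, so `and` is typeset as the juxtaposed math-italic variables a, n, d with no surrounding spaces; the rename touches this line but does not fix that pre-existing defect. Suggest `The $\anchorField$, $\zkproof$, and $\spendAuthSigField$ fields`. Separately, this hunk and the next switch every field-name occurrence from `\spendAuthSig` to `\spendAuthSigField` without showing the macro's definition; confirm `\spendAuthSigField` is defined in the preamble and that any remaining `\spendAuthSig` uses (the signature value as opposed to the encoded field) are intentional, otherwise the build fails or the rename is only partial.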
@ -12165,7 +12205,7 @@ minus the output \note, $\LEBStoOSPOf{256}{\reprP\Of{\cv}}$. \\ \hline
$32$ & $\nullifierField$ & \type{byte[32]} & The \nullifier of the input \note, $\nf$. \\ \hline
$32$ & $\rkField$ & \type{byte[32]} & The randomized \validatingKey for $\spendAuthSig$,
$32$ & $\rkField$ & \type{byte[32]} & The randomized \validatingKey for $\spendAuthSigField$,
$\LEBStoOSPOf{256}{\reprP\Of{\AuthSignRandomizedPublic}\kern 0.05em}$. \\ \hline
$32$ & $\cmxField$ & \type{byte[32]} & The $x$-coordinate of the \noteCommitment for the output \note,
@ -13673,10 +13713,10 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\lsection{Change History}{changehistory}
\historyentry{2021.1.17}{}
\historyentry{2021.1.17}{2021-03-15}
\begin{itemize}
\nufive{
\item Work in progress for \NUFive specification.
\item Draft \NUFive specification.
} %nufive
\canopy{
\item In the consensus rule that a \transaction with one or more \transparent inputs from
@ -13706,9 +13746,11 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
are normally of type $\KAPublicPrimeSubgroup{Sapling}$, we change the
specification to match \zcashd.
\end{itemize}
\item Correct the procedure for generating dummy \Sapling notes in \crossref{saplingandorcharddummynotes}.
\item Correct the procedure for generating \dummy \Sapling \notes in \crossref{saplingdummynotes}.
\item Add a note in \crossref{bctv} describing conditions under which an implementation
that checkpoints on \Sapling can omit verifying \BCTV proofs.
\item Rename ``hash extractor'' to \coordinateExtractor. This is a more accurate name
since it is also used on commitments.
} %sapling
\item Rename \type{char} to \type{byte} in field type declarations.
\end{itemize}
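Review bot: the crossref target changes from `saplingandorcharddummynotes` to `saplingdummynotes` on the line `\item Correct the procedure for generating \dummy \Sapling \notes in \crossref{saplingdummynotes}.`, but the corresponding `\label` is not in this diff; make sure the section label was renamed (or the section split) in the same commit, otherwise the reference renders as `??`. The new entry `\item Rename ``hash extractor'' to \coordinateExtractor.` sits inside the `\sapling{ ... } %sapling` group, which is fine for the Jubjub extractor, but this commit renames the Pallas extractor heading as well, so either word the entry to cover both curves or move it outside the Sapling-only group. The stated justification, that the extractor "is also used on commitments", is consistent with the other hunks, where it is applied to note commitments (the `cmx` field is described as the $x$-coordinate of the note commitment) rather than only to hash outputs.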
@ -14080,7 +14122,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
depend on this; it is simpler to rely on knowledge soundness of the
Spend and Output proofs.
\item Give a definition for \completeTwistedEdwardsEllipticCurves in \crossref{jubjub}.
\item Clarify that \theoremref{thmnohashtouncommittedsapling} depends on the
\item Clarify that \theoremref{thmuncommittedsapling} depends on the
parameters of the \jubjubCurve.
} %sapling
\item Ensure that this document builds correctly and without missing
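Review bot: `\theoremref{thmnohashtouncommittedsapling}` becomes `\theoremref{thmuncommittedsapling}` here, but the theorem's own `\label` is not part of this diff; rename it at the theorem definition (presumably the result whose proof appears in the first hunk, that no point of $\GroupJ$ has affine $u$-coordinate $1$) and grep for any remaining `thmnohashtouncommittedsapling` references, since a stale label leaves `??` in the PDF. The new name is the right one to settle on: the statement is about the range of $\NoteCommitAlg{Sapling}$, not about a hash, so dropping "hash" matches the hash-extractor to coordinate-extractor rename elsewhere in this commit.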
@ -14734,7 +14776,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\item No changes to \Sprout.
\sapling{
\item Add instantiation of $\CRHivk$.
\item Add instantiation of a hash extractor for \Jubjub.
\item Add instantiation of a hash extractor (later renamed to \coordinateExtractor)
for \Jubjub.
\item Make the background lighter and the \Sapling green darker, for contrast.
}
\end{itemize}
@ -16801,7 +16844,7 @@ where $\FinalExpS\Of{R} = R^{t}$ for some fixed $t$.
\vspace{2ex}
Define $\GrothSProof := \SubgroupSstar{1} \times \SubgroupSstar{2} \times \SubgroupSstar{1}$.
A $\GrothS$ proof consists of a tuple $(\Proof{A}, \Proof{B}, \Proof{C}) \typecolon \GrothSProof$.
A $\GrothS$ proof comprises a tuple $(\Proof{A}, \Proof{B}, \Proof{C}) \typecolon \GrothSProof$.
Verification of a single $\GrothS$ proof against an instance encoded as $a_{\barerange{0}{\ell}} \typecolon \typeexp{\GF{\ParamS{r}}}{\ell+1}$
requires checking the equation