diff --git a/protocol/protocol.tex b/protocol/protocol.tex index fb653596..16911099 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -342,6 +342,7 @@ \newcommand{\search}{\faSearch} \mathchardef\mhyphen="2D +\mathchardef\mcolon="3A \newcommand{\lrarrow}{\texorpdfstring{$\leftrightarrow$}{↔}} @@ -547,7 +548,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\heartwoodcolorname}{orange} \newcommand{\canopycolor}{red!50!blue!85} \newcommand{\canopycolorname}{purple} -\newcommand{\orchardcolor}{black!15!blue!65!green!65} +\newcommand{\orchardcolor}{black!25!blue!65!green!65} \newcommand{\orchardcolorname}{slate blue} \newcommand{\labelcolor}{yellow!20} @@ -726,6 +727,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\collisionResistant}{\termandindex{collision\hyp resistant}{collision resistance}} \newcommand{\collisionResistance}{\term{collision resistance}} \newcommand{\xCollisionResistance}{\termx{collision resistance}} +\newcommand{\randomOracle}{\term{random oracle}} +\newcommand{\randomOracles}{\terms{random oracle}} +\newcommand{\randomOracleAdjective}{\termandindex{random-oracle}{random oracle}} \newcommand{\shaHash}{\termandindexx{$\SHAFull$}{SHA-256}} \newcommand{\shadHash}{\termandindexx{$\SHAFulld$}{SHA-256d}} 
@@ -958,6 +962,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\transactionFee}{\term{transaction fee}} \newcommand{\transactionFees}{\terms{transaction fee}} \newcommand{\transactionVersion}{\termandindex{transaction version}{transaction version number}} +\newcommand{\transactionVersions}{\termandindex{transaction versions}{transaction version number}} \newcommand{\transactionVersionNumber}{\term{transaction version number}} \newcommand{\transactionVersionNumbers}{\terms{transaction version number}} \newcommand{\Transactionversion}{\termandindex{Transaction version}{transaction version number}} @@ -1282,6 +1287,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\BlakeTwobGeneric}{\mathsf{BLAKE2b}} \newcommand{\BlakeTwob}[1]{\mathsf{BLAKE2b\kern 0.05em\mhyphen{#1}}} \newcommand{\BlakeTwobOf}[2]{\BlakeTwob{#1}\!\left({#2}\right)} +\newcommand{\XMDBlakeTwob}{\mathsf{XMD\mcolon BLAKE2b}} +\newcommand{\XMDBlakeTwobOf}[1]{\XMDBlakeTwob\!\left({#1}\right)} \newcommand{\BlakeTwosGeneric}{\mathsf{BLAKE2s}} \newcommand{\BlakeTwos}[1]{\mathsf{BLAKE2s\kern 0.05em\mhyphen{#1}}} \newcommand{\BlakeTwosOf}[2]{\BlakeTwos{#1}\!\left({#2}\right)} @@ -1296,6 +1303,10 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\DefaultDiversifier}{\mathsf{DefaultDiversifier}} \newcommand{\CheckDiversifier}{\mathsf{CheckDiversifier}} \newcommand{\NotUpMySleeve}{U} +\newcommand{\msg}{\mathsf{msg}} +\newcommand{\DST}{\mathsf{DST}} +\newcommand{\leninbytes}{\mathsf{len\_in\_bytes}} +\newcommand{\binbytes}{\mathsf{b\_in\_bytes}} \newcommand{\tx}{\mathsf{tx}} \newcommand{\ReceivedSet}{\mathsf{ReceivedSet}} 
@@ -1372,7 +1383,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\SpendingKeyLength}{\mathsf{\ell_{\SpendingKey}}} \newcommand{\SpendingKeyType}{\bitseq{\SpendingKeyLength}} \newcommand{\AuthSignPrivate}{\mathsf{ask}} -\newcommand{\AuthSignBase}[1]{\mathcal{G}^{#1\!}} +\newcommand{\AuthSignBase}[1]{\mathcal{G}^{\mathsf{#1}\!}} \newcommand{\AuthSignPublic}{\mathsf{ak}} \newcommand{\AuthSignPublicX}{\mathsf{ak}_x} \newcommand{\AuthSignPublicRepr}{{\AuthSignPublic\Repr}} @@ -1769,8 +1780,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\BindingSigDerivePublic}[1]{\BindingSig{#1}\mathsf{.DerivePublic}} \newcommand{\BindingSigSign}[2]{\BindingSig{#1}\mathsf{.Sign}_{#2}} \newcommand{\BindingSigValidate}[2]{\BindingSig{#1}\mathsf{.Validate}_{#2}} -\newcommand{\BindingPublic}{\mathsf{bvk}} -\newcommand{\BindingPrivate}{\mathsf{bsk}} +\newcommand{\BindingPublic}[1]{\mathsf{bvk^{#1}}} +\newcommand{\BindingPrivate}[1]{\mathsf{bsk^{#1}}} \newcommand{\RandomSeedLength}{\mathsf{\ell_{Seed}}} \newcommand{\RandomSeedType}{\bitseq{\mathsf{\ell_{Seed}}}} @@ -1948,7 +1959,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\vNew}[1]{\mathsf{v}_{#1}^\mathsf{new}} \newcommand{\vNet}[1]{\mathsf{v}_{#1}^\mathsf{net}} \newcommand{\RandomSeed}{\mathsf{randomSeed}} -\newcommand{\rt}[1]{\mathsf{rt^{#1\!}}} +\newcommand{\rt}[1]{\mathsf{rt^{#1}}} \newcommand{\TreePath}[1]{\mathsf{path}_{#1}} \newcommand{\Receive}{\mathsf{Receive}} \newcommand{\EnforceMerklePath}[1]{\mathsf{enforceMerklePath}_{~\!\!#1}} 
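Review bot: Turning `\BindingPublic` and `\BindingPrivate` into one-argument macros (`\mathsf{bvk^{#1}}`, `\mathsf{bsk^{#1}}`) means any remaining argument-less use elsewhere in the file will not fail to compile but will silently take the following token (an `=`, `:`, or `$`) as the superscript, producing a wrong rendering that is easy to miss. This diff updates only the Sapling and Orchard balance sections, so I would grep for `\BindingPublic` / `\BindingPrivate` not followed by `{` before merging. A short comment at the definition would help future edits: `% mandatory argument: Sapling or Orchard; never use bare`.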
@@ -2000,13 +2011,26 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\ReprG}[1]{\bitseq{\ellG{#1}}} \newcommand{\reprG}[1]{\repr_{\GroupG{#1}}} \newcommand{\abstG}[1]{\abst_{\GroupG{#1}}} +\newcommand{\abstGstar}{\abst_{\GroupGstar{}}} \newcommand{\PairingG}{\ParamG{\hat{e}}} \newcommand{\ExtractG}{\Extract_{\SubgroupG{}}} -\newcommand{\GroupGHash}[1]{\GroupHash^{\SubgroupG{}}_{#1}} -\newcommand{\GroupGHashURSType}{\GroupHash\mathsf{.URSType}} -\newcommand{\GroupGHashInput}{\GroupHash\mathsf{.Input}} +\newcommand{\SubgroupGHash}[1]{\GroupHash^{\SubgroupG{}}_{#1}} +\newcommand{\SubgroupGHashURSType}{\SubgroupGHash{}\mathsf{.URSType}} +\newcommand{\SubgroupGHashInput}{\SubgroupGHash{}\mathsf{.Input}} \newcommand{\URS}{\mathsf{URS}} +\newcommand{\GroupGHash}{\GroupHash^{\GroupG{}}} +\newcommand{\GroupGHashURSType}{\GroupGHash\mathsf{.URSType}} +\newcommand{\GroupGHashInput}{\GroupGHash\mathsf{.Input}} + +\newcommand{\ParamIsoG}[1]{{{#1}_{\GroupIsoG}}} +\newcommand{\ParamIsoGexp}[2]{{{#1}_{\GroupIsoG\!}^{#2}}} +\newcommand{\GroupIsoG}{\mathsf{iso}\mhyphen\kern-0.05em\mathbb{G}} +\newcommand{\GroupIsoGstar}{\GroupIsoG^{\ast}} +\newcommand{\CurveIsoG}{\Curve_{\GroupIsoG}} +\newcommand{\ZeroIsoG}{\Zero_{\GroupIsoG}} +\newcommand{\IsoMapG}{\mathsf{iso\_map}^{\GroupG{}}} +\newcommand{\IsoConstG}[1]{\mathcal{C}^{\GroupG{}}_{#1}} \newcommand{\ParamS}[1]{{{#1}_\mathbb{\hskip 0.03em S}}} \newcommand{\ParamSexp}[2]{{{#1}_\mathbb{\hskip 0.03em S}\!}^{#2}} @@ -2083,7 +2107,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\IsoConstP}[1]{\mathcal{C}^{\GroupP}_{#1}} \newcommand{\ExtractP}{\Extract_{\GroupP}} -\newcommand{\GroupPHash}{\GroupHash^{\GroupPstar}} +\newcommand{\GroupPHash}{\GroupHash^{\GroupP}} \newcommand{\GroupPHashInput}{\GroupPHash{}\mathsf{.Input}} \newcommand{\GroupPHashURSType}{\GroupPHash{}\mathsf{.URSType}} 
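Review bot: Changing `\GroupPHash` from `\GroupHash^{\GroupPstar}` to `\GroupHash^{\GroupP}` widens the declared codomain to include the identity `\ZeroP`, but nothing in this commit records how a zero output is to be treated by the callers that derive keys and bases from it, while the Orchard Action consensus note later in this diff still types `\cv`, `\AuthSignRandomizedPublic` and `\EphemeralPublic` as `\GroupPstar`. If the intent is that the hash-to-curve instantiation can in principle return the identity only with negligible probability, that should be stated once next to the definition rather than left implicit; if instead zero is rejected (as the Sapling `\GroupJHash` rejects via `\bot`), the type should stay `\GroupPstar`. I would add a comment at the macro, e.g. `% codomain is the whole group: the hash-to-curve construction may return \ZeroP; the handling of that case is stated where the hash is instantiated`, so the type change is not read as accidental.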
@@ -2110,15 +2134,26 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\IsoConstV}[1]{\mathcal{C}^{\GroupV}_{#1}} \newcommand{\ExtractV}{\Extract_{\GroupVstar}} -\newcommand{\GroupVHash}[1]{\GroupHash^{\GroupVstar}_{#1}} -\newcommand{\GroupVHashInput}{\GroupVHash{}\mathsf{.Input}} -\newcommand{\GroupVHashURSType}{\GroupVHash{}\mathsf{.URSType}} +\newcommand{\GroupVHash}{\GroupHash^{\GroupV}} +\newcommand{\GroupVHashInput}{\GroupVHash\mathsf{.Input}} +\newcommand{\GroupVHashURSType}{\GroupVHash\mathsf{.URSType}} \newcommand{\ctEdwards}[1]{E_{\kern 0.03em\mathsf{ctEdwards}({#1})}} \newcommand{\Edwards}[1]{E_{\kern 0.03em\mathsf{Edwards}({#1})}} % only in history \newcommand{\Montgomery}[1]{E_{\mathsf{Mont}({#1})}} \newcommand{\ShortWeierstrass}[1]{E_{\mathsf{SW}({#1})}} +\newcommand{\curveNameG}{\ParamG{\mathsf{curveName}}} +\newcommand{\sqrtratioG}{\ParamG{\mathsf{sqrt\_ratio}}} +\newcommand{\num}{\mathsf{num}} +\newcommand{\xdiv}{\mathsf{div}} +\newcommand{\expandmessage}{\mathsf{expand\_message}} +\newcommand{\expandmessagexmd}{\mathsf{expand\_message\_xmd}} +\newcommand{\hashtofield}{\mathsf{hash\_to\_field}} +\newcommand{\hashtocurve}{\mathsf{hash\_to\_curve}} +\newcommand{\maptocurvesimpleswuIsoG}{\mathsf{map\_to\_curve\_simple\_swu}^{\GroupIsoG}} +\newcommand{\clearcofactor}{\mathsf{clear\_cofactor}} + \newcommand{\pack}{\mathsf{pack}} \newcommand{\Acc}{\mathsf{Acc}} @@ -2154,6 +2189,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\LEBStoOSPOf}[2]{\LEBStoOSP{#1}\!\left({#2}\right)} \newcommand{\LEOStoBSP}[1]{\mathsf{LEOS2BSP}_{#1}} \newcommand{\LEOStoBSPOf}[2]{\LEOStoBSP{#1}\!\left({#2}\right)} +\newcommand{\BEOStoIP}[1]{\mathsf{BEOS2IP}_{#1}} +\newcommand{\BEOStoIPOf}[2]{\BEOStoIP{#1}\!\left({#2}\right)} % Sapling and Orchard circuits 
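Review bot: `\GroupVHash` is retyped to `\GroupHash^{\GroupV}` (whole group), but the context line just above keeps `\ExtractV` as `\Extract_{\GroupVstar}`, so extracting a coordinate from a Vesta group-hash output is no longer well-typed in the identity case; the parallel Pallas definitions in the preceding hunk use `\Extract_{\GroupP}` for `\ExtractP`. Either align it (`\newcommand{\ExtractV}{\Extract_{\GroupV}}`) or document at the point of use that the hash output is checked to be non-zero before Extract is applied. I cannot see the uses of `\ExtractV` from this hunk, so whichever is chosen should be checked against them.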
@@ -2730,7 +2767,8 @@ a field element.) $a \xor b$ means the bitwise-exclusive-or of $a$ and $b$, and $a \band b$ means the bitwise-and of $a$ and $b$. These are -defined on integers or (equal-length) bit sequences according to context. +defined on integers (which include bits and bytes), or elementwise +on equal-length sequences of integers, according to context. \vspace{-0.5ex} $\!\vsum{i=1}{\rmN} a_i$ means the sum of $a_{\allN{}}$.\; @@ -2793,7 +2831,7 @@ The following integer constants will be instantiated in \crossref{constants}: \changed{$\NoteUniquePreRandLength$,}\sapling{ $\SpendingKeyLength$, $\DiversifierLength$, $\InViewingKeyLength{Sapling}$,\orchard{ $\InViewingKeyLength{Orchard}$,} $\OutViewingKeyLength$, $\ScalarLength{Sapling}$,\orchard{ $\ScalarLength{Orchard}$,}} - $\MAXMONEY$,\blossom{ $\BlossomActivationHeight$,}\canopy{ $\CanopyActivationHeight$, $\ZIPTwoOneTwoGracePeriod$} + $\MAXMONEY$,\blossom{ $\BlossomActivationHeight$,}\strut\canopy{ $\CanopyActivationHeight$, $\ZIPTwoOneTwoGracePeriod$,} $\SlowStartInterval$, $\PreBlossomHalvingInterval$, $\MaxBlockSubsidy$, $\NumFounderAddresses$, $\PoWLimit$, $\PoWAveragingWindow$, $\PoWMedianBlockSpan$, $\PoWDampingFactor$, \notblossom{and }$\PreBlossomPoWTargetSpacing$\blossom{, and $\PostBlossomPoWTargetSpacing$}. @@ -2909,7 +2947,7 @@ publically distributed; it has the same distribution as the \paymentAddress itse As mentioned above, limiting the distribution of the \paymentAddress is important for some use cases. This also helps to reduce reliance of the overall protocol on the security of the cryptosystem used for \note encryption -(see \crossref{sproutinband}\sapling{ and \crossref{saplinginband}}), +(see \crossref{sproutinband}\sapling{ and \crossref{saplingandorchardinband}}), since an adversary would have to know $\TransmitPublic$\sapling{ or some $\DiversifiedTransmitPublic$} in order to exploit a hypothetical weakness in that cryptosystem. 
@@ -3766,8 +3804,8 @@ $Q \typecolon \range{1}{2} \times \hSigType \rightarrow \KAPublic{Sprout} \times \Keyspace_{\allNew}$ where $Q_j(\hSig)$ is defined as follows: \begin{enumerate} \item Choose $\EphemeralPrivate$ uniformly at random from $\KAPrivate{Sprout}$. - \item Let $\EphemeralPublic := \KADerivePublic{Sprout}(\EphemeralPrivate, \TransmitBase{Sprout})$. - \item For $i \in \setofNew$, let $\Key_i := + \item Let $\EphemeralPublic = \KADerivePublic{Sprout}(\EphemeralPrivate, \TransmitBase{Sprout})$. + \item For $i \in \setofNew$, let $\Key_i = \KDF{}(i, \hSig, \KAAgree{Sprout}(\EphemeralPrivate, \TransmitPublicSup{j}), \EphemeralPublic, \TransmitPublicSup{j}))$. \item Return $(\EphemeralPublic, \Key_{\allNew})$. \end{enumerate} 
@@ -4278,24 +4316,31 @@ efficiently computable left inverse. \lsubsubsection{Group Hash}{abstractgrouphash} Given a \representedSubgroup $\SubgroupG{}$, a \defining{\familyOfGroupHashesIntoTheSubgroup}, -denoted $\GroupGHash{}$, consists of: +denoted $\SubgroupGHash{}$, consists of: \begin{itemize} - \item a type $\GroupGHashURSType$ of \uniformRandomStrings; - \item a type $\GroupGHashInput$ of inputs; + \item a type $\SubgroupGHashURSType$ of \uniformRandomStrings; + \item a type $\SubgroupGHashInput$ of inputs; \vspace{-1ex} - \item a function $\GroupGHash{} \typecolon \GroupGHashURSType \times \GroupGHashInput \rightarrow \SubgroupG{}$. + \item a function $\SubgroupGHash{} \typecolon \SubgroupGHashURSType \times \SubgroupGHashInput \rightarrow \SubgroupG{}$. \end{itemize} In \crossref{concretegrouphashjubjub}, we instantiate a family of \defining{\groupHashes} into the \jubjubCurve defined by \crossref{jubjub}. \securityrequirement{ -For a randomly selected $\URS \typecolon \GroupGHashURSType$, -it must be reasonble to model $\GroupGHash{\URS}$ (restricted to inputs for which it does -not return $\bot$) as a random oracle. +For a randomly selected $\URS \typecolon \SubgroupGHashURSType$, +it must be reasonble to model $\SubgroupGHash{\URS}$ (restricted to inputs for which it does +not return $\bot$) as a \randomOracle. } %securityrequirement +\orchard{ +In \crossref{concretegrouphashpallasandvesta}, we instantiate \groupHashes into the \Pallas +and \Vesta curves. These are not strictly speaking families of \groupHashes, because they +have a trivial URS, and so the above security definition does not apply. Nevertheless, they +can be heuristically modelled as \randomOracles. +} %orchard + \begin{nnotes} \item $\GroupJHash{}$ is used to obtain generators of the \jubjubCurve for various purposes: the bases $\AuthSignBase{Sapling}$ and $\AuthProveBaseSapling$ used in \Sapling key generation, 
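Review bot: The new Orchard paragraph says the security definition does not apply to the Pallas and Vesta group hashes and that they "can be heuristically modelled as random oracles", but it does not say what the rest of this section actually relies on for generator derivation, namely the Discrete Logarithm Independence property stated in the following notes for a randomly selected family member; for a fixed function with trivial URS there is no family to quantify over, so that property is also only a heuristic assumption and the binding arguments for the Orchard value commitments (whose bases are presumably derived via these hashes) depend on it. I would extend the paragraph with: `In particular, Discrete Logarithm Independence of the outputs for distinct inputs is assumed heuristically for these fixed functions, since there is no URS to select at random.` Separately, the added security-requirement line carries over the typo `reasonble` (should be `reasonable`).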
@@ -4307,18 +4352,18 @@ not return $\bot$) as a random oracle. standard model as follows: \textbf{Discrete Logarithm Independence}: - For a randomly selected member $\GroupGHash{\URS}$ of the family, it is infeasible to find - a sequence of \emph{distinct} inputs $m_{\alln} \typecolon \typeexp{\GroupGHashInput}{n}$ + For a randomly selected member $\SubgroupGHash{\URS}$ of the family, it is infeasible to find + a sequence of \emph{distinct} inputs $m_{\alln} \typecolon \typeexp{\SubgroupGHashInput}{n}$ and a sequence of nonzero $x_{\alln} \typecolon \typeexp{\GFstar{\ParamG{r}}}{n}$ - such that $\ssum{i = 1}{n}\!\Big(\scalarmult{x_i}{\GroupGHash{\URS}(m_i)}\Big) = \ZeroG{}$. - \item Under the Discrete Logarithm assumption on $\SubgroupG{}$, a random oracle almost surely satisfies + such that $\ssum{i = 1}{n}\!\Big(\scalarmult{x_i}{\SubgroupGHash{\URS}(m_i)}\Big) = \ZeroG{}$. + \item Under the Discrete Logarithm assumption on $\SubgroupG{}$, a \randomOracle almost surely satisfies Discrete Logarithm Independence. Discrete Logarithm Independence implies \collisionResistance\!, - since a collision $(m_1, m_2)$ for $\GroupGHash{\URS}$ trivially gives a + since a collision $(m_1, m_2)$ for $\SubgroupGHash{\URS}$ trivially gives a discrete logarithm relation with $x_1 = 1$ and $x_2 = -1$. \item $\GroupJHash{}$ is also used to instantiate $\DiversifyHash{Sapling}$ in \crossref{concretediversifyhash}. We do not know how to prove the Unlinkability property defined in that section in the standard model, but in a model where $\GroupJHash{}$ (restricted to - inputs for which it does not return $\bot$) is taken as a random oracle, + inputs for which it does not return $\bot$) is taken as a \randomOracle, it is implied by the Decisional Diffie-Hellman assumption on $\SubgroupJ$. \item $\URS$ is a \defining{\uniformRandomString}; we choose it verifiably at random (see \crossref{beacon}), \emph{after} fixing the concrete 
@@ -4739,8 +4784,8 @@ $\joinSplitPubKey$ of the containing \transaction: \item Elements of a \joinSplitDescription{} \MUST have the types given above (for example: $0 \leq \vpubOld \leq \MAXMONEY$ and $0 \leq \vpubNew \leq \MAXMONEY$). \item The proof $\Proof{\JoinSplit}$ \MUST be valid given a \primaryInput formed - from the relevant other fields and $\hSig$ --- i.e.\ $\JoinSplitVerify{}((\rt{Sprout}, \nfOld{\allOld}, - \cmNew{\allNew},\changed{\vpubOld,} \vpubNew, \hSig, \h{\allOld}), \Proof{\JoinSplit}) = 1$. + from the relevant other fields and $\hSig$ --- i.e.\ $\JoinSplitVerify{}\big(\kern-0.1em(\rt{Sprout}, \nfOld{\allOld}, + \cmNew{\allNew},\changed{\vpubOld,} \vpubNew, \hSig, \h{\allOld}), \Proof{\JoinSplit}\big) = 1$. \item Either $\vpubOld$ or $\vpubNew$ \MUST be zero. \canopyonwarditem{$\vpubOld$ \MUST be zero.} \end{consensusrules} @@ -4789,13 +4834,13 @@ where \MUSTNOT be $\ZeroJ$ and $\scalarmult{\ParamJ{h}}{\AuthSignRandomizedPublic}$ \MUSTNOT be $\ZeroJ$. \item The proof $\Proof{\Spend}$ \MUST be valid given a \primaryInput formed from the other fields except $\spendAuthSig$ --- - i.e.\ $\SpendVerify{}((\cv, \rt{Sapling}, \nf, \AuthSignRandomizedPublic), \Proof{\Spend}) = 1$. + i.e.\ $\SpendVerify{}\big(\kern-0.1em(\cv, \rt{Sapling}, \nf, \AuthSignRandomizedPublic), \Proof{\Spend}\big) = 1$. \item Let $\SigHash$ be the \sighashTxHash of this \transaction, not associated with an input, as defined in \crossref{sighash} using $\SIGHASHALL$. The \spendAuthSignature{} \MUST be a valid $\SpendAuthSig{Sapling}$ signature over $\SigHash$ using $\AuthSignRandomizedPublic$ as the \validatingKey --- - i.e.\ $\SpendAuthSigValidate{\AuthSignRandomizedPublic}(\SigHash, \spendAuthSig) = 1$. + i.e.\ $\SpendAuthSigValidate{Sapling}{\AuthSignRandomizedPublic}(\SigHash, \spendAuthSig) = 1$. \end{consensusrules} \vspace{-1ex} 
@@ -4850,7 +4895,7 @@ where \MUSTNOT be $\ZeroJ$ and $\scalarmult{\ParamJ{h}}{\EphemeralPublic}$ \MUSTNOT be $\ZeroJ$. \item The proof $\Proof{\Output}$ \MUST be valid given a \primaryInput formed from the other fields except $\TransmitCiphertext{}$ and $\OutCiphertext{}$ --- - i.e.\ $\SpendVerify{}((\cv, \cmU, \EphemeralPublic), \Proof{\Output}) = 1$. + i.e.\ $\SpendVerify{}\big(\kern-0.1em(\cv, \cmU, \EphemeralPublic), \Proof{\Output}\big) = 1$. \end{consensusrules} } %sapling @@ -4916,10 +4961,10 @@ where The \spendAuthSignature{} \MUST be a valid $\SpendAuthSig{Orchard}$ signature over $\SigHash$ using $\AuthSignRandomizedPublic$ as the \validatingKey --- - i.e.\ $\SpendAuthSigValidate{\AuthSignRandomizedPublic}(\SigHash, \spendAuthSig) = 1$. + i.e.\ $\SpendAuthSigValidate{Orchard}{\AuthSignRandomizedPublic}(\SigHash, \spendAuthSig) = 1$. \item The proof $\Proof{\Action}$ \MUST be valid given a \primaryInput formed from $(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic)$ --- - i.e.\ $\ActionVerify{}((\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic), \Proof{\Action}) = 1$. + i.e.\ $\ActionVerify\big(\kern-0.1em(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic), \Proof{\Action}\big) = 1$. \end{consensusrules} \nnote{$\cv$, $\AuthSignRandomizedPublic$, and $\EphemeralPublic$ have type $\GroupPstar$, @@ -4939,7 +4984,7 @@ Let $\JoinSplitSig$ be as specified in \crossref{abstractsig}. Let $\NoteCommitAlg{Sprout}$ be as specified in \crossref{abstractcommit}. -Let $\RandomSeedLength and \NoteUniquePreRandLength$ be as specified in \crossref{constants}. +Let $\RandomSeedLength$ and $\NoteUniquePreRandLength$ be as specified in \crossref{constants}. Sending a \transaction containing \joinSplitDescriptions involves first generating a new $\JoinSplitSig$ key pair: 
@@ -5428,7 +5473,7 @@ according to client implementation. } %changed -%\sapling{ +\sapling{ \introsection \extralabel{bindingsig}{\lsubsection{Balance and Binding Signature (\SaplingText)}{saplingbalance}} @@ -5514,9 +5559,9 @@ but validators cannot check this directly because the values are hidden by the c Instead, validators calculate the \defining{\txBindingValidatingKey} as: \begin{formulae} % ¯\_(ツ)_/¯ - \item $\BindingPublic := \Bigg(\!\vcombsum{i=1}{n}\kern 0.2em \cvOld{i}\kern 0.05em\Bigg) \combminus\! - \Bigg(\kern-0.05em\vcombsum{j=1}{m}\kern 0.2em \cvNew{j}\kern 0.05em\Bigg) \combminus - \ValueCommit{Sapling}{0}\big(\vBalance{Sapling}\big)$. + \item $\BindingPublic{Sapling} := \Bigg(\!\vcombsum{i=1}{n}\kern 0.2em \cvOld{i}\kern 0.05em\Bigg) \combminus\! + \Bigg(\kern-0.05em\vcombsum{j=1}{m}\kern 0.2em \cvNew{j}\kern 0.05em\Bigg) \combminus + \ValueCommit{Sapling}{0}\big(\vBalance{Sapling}\big)$. \end{formulae} \vspace{-1ex} (This key is not encoded explicitly in the \transaction and must be recalculated.) @@ -5526,15 +5571,15 @@ Instead, validators calculate the \defining{\txBindingValidatingKey} as: The signer knows $\ValueCommitRandOld{\alln}$ and $\ValueCommitRandNew{\allm}$, and so can calculate the corresponding \signingKey as: \begin{formulae} - \item $\BindingPrivate := \Bigg(\!\vgrpsum{i=1}{n} \ValueCommitRandOld{i}\Bigg) \grpminus\! - \Bigg(\!\vgrpsum{j=1}{m} \ValueCommitRandNew{j}\Bigg)$. + \item $\BindingPrivate{Sapling} := \Bigg(\!\vgrpsum{i=1}{n} \ValueCommitRandOld{i}\Bigg) \grpminus\! + \Bigg(\!\vgrpsum{j=1}{m} \ValueCommitRandNew{j}\Bigg)$. \end{formulae} \introlist \vspace{-1ex} In order to check for implementation faults, the signer \SHOULD also check that \begin{formulae} - \item $\BindingPublic = \BindingSigDerivePublic(\BindingPrivate)$. + \item $\BindingPublic{Sapling} = \BindingSigDerivePublic{Sapling}(\BindingPrivate{Sapling})$. \end{formulae} \vspace{0.5ex} 
@@ -5543,17 +5588,17 @@ Let $\SigHash$ be the \sighashTxHash as defined in \cite{ZIP-243} for a version with an input, using the \sighashType $\SIGHASHALL$. A validator checks balance by validating that -$\BindingSigValidate{Sapling}{\BindingPublic}(\SigHash, \bindingSig{Sapling}) = 1$. +$\BindingSigValidate{Sapling}{\BindingPublic{Sapling}}(\SigHash, \bindingSig{Sapling}) = 1$. \vspace{1ex} We now explain why this works. \vspace{1ex} -A \saplingBindingSignature proves knowledge of the discrete logarithm $\BindingPrivate$ of -$\BindingPublic$ with respect to $\ValueCommitRandBase{Sapling}$. -That is, $\BindingPublic = \scalarmult{\BindingPrivate}{\ValueCommitRandBase{Sapling}}$. -So the value $0$ and randomness $\BindingPrivate$ is an opening of the \xPedersenCommitment -$\BindingPublic = \ValueCommit{\BindingPrivate}(0)$. +A \saplingBindingSignature proves knowledge of the discrete logarithm $\BindingPrivate{Sapling}$ +of $\BindingPublic{Sapling}$ with respect to $\ValueCommitRandBase{Sapling}$. +That is, $\BindingPublic{Sapling} = \scalarmult{\BindingPrivate{Sapling}}{\ValueCommitRandBase{Sapling}}$. +So the value $0$ and randomness $\BindingPrivate{Sapling}$ is an opening of the \xPedersenCommitment +$\BindingPublic{Sapling} = \ValueCommit{\BindingPrivate{Sapling}}(0)$. By the binding property of the \xPedersenCommitment, it is infeasible to find another opening of this commitment to a different value. 
@@ -5567,27 +5612,28 @@ proofs could not have been generated without knowing $\ValueCommitRandNew{\allm} \introlist Using the fact that $\ValueCommit{\ValueCommitRand}(\Value) = \scalarmult{\Value}{\ValueCommitValueBase{Sapling}}\, -\combplus \scalarmult{\ValueCommitRand}{\ValueCommitRandBase{Sapling}}$, the expression for $\BindingPublic$ above is -equivalent to: +\combplus \scalarmult{\ValueCommitRand}{\ValueCommitRandBase{Sapling}}$, the expression for $\BindingPublic{Sapling}$ +above is equivalent to: \vspace{1ex} \begin{tabular}{@{\hskip 2em}r@{\;}l} - $\BindingPublic$ &$= \Biggscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \vOld{i}\Bigg) \grpminus\! - \Bigg(\!\vgrpsum{j=1}{m} \vNew{j}\Bigg) \grpminus \vBalance{Sapling}}{\ValueCommitValueBase{Sapling}}\, \combplus - \Biggscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \ValueCommitRandOld{i}\Bigg) \grpminus\! - \Bigg(\!\vgrpsum{j=1}{m} \ValueCommitRandNew{j}\Bigg)}{\ValueCommitRandBase{Sapling}}$ \\[3.5ex] - &$= \ValueCommit{Sapling}{\BindingPrivate}\Bigg(\!\vsum{i=1}{n} \vOld{i} - \vsum{j=1}{m} \vNew{j} - \vBalance{Sapling}\Bigg)$. + $\BindingPublic{Sapling}$ &$= \Biggscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \vOld{i}\Bigg) \grpminus\! + \Bigg(\!\vgrpsum{j=1}{m} \vNew{j}\Bigg) \grpminus \vBalance{Sapling}}{\ValueCommitValueBase{Sapling}}\, \combplus + \Biggscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \ValueCommitRandOld{i}\Bigg) \grpminus\! + \Bigg(\!\vgrpsum{j=1}{m} \ValueCommitRandNew{j}\Bigg)}{\ValueCommitRandBase{Sapling}}$ \\[3.5ex] + &$= \ValueCommit{Sapling}{\BindingPrivate{Sapling}}\Bigg(\!\vsum{i=1}{n} \vOld{i} - \vsum{j=1}{m} \vNew{j} - \vBalance{Sapling}\Bigg)$. \end{tabular} \introlist Let $\vSum = \vsum{i=1}{n} \vOld{i} - \vsum{j=1}{m} \vNew{j} - \vBalance{Sapling}$. Suppose that $\vSum = \vBad \neq 0 \pmod{\ParamJ{r}}$. -Then $\BindingPublic = \ValueCommit{Sapling}{\BindingPrivate}(\vBad)$. 
If the adversary were able to -find the discrete logarithm of this $\BindingPublic$ with respect to $\ValueCommitRandBase{Sapling}$, say -$\BindingPrivate'$ (as needed to create a valid \saplingBindingSignature), then $(\vBad, \BindingPrivate)$ -and $(0, \BindingPrivate')$ would be distinct openings of $\BindingPublic$ to different values, -breaking the binding property of the \valueCommitmentScheme. +Then $\BindingPublic{Sapling} = \ValueCommit{Sapling}{\BindingPrivate{Sapling}}(\vBad)$. +If the adversary were able to find the discrete logarithm of this $\BindingPublic{Sapling}$ +with respect to $\ValueCommitRandBase{Sapling}$, say $\BindingPrivate'$ (as needed to +create a valid \saplingBindingSignature), then $(\vBad, \BindingPrivate{Sapling})$ and +$(0, \BindingPrivate')$ would be distinct openings of $\BindingPublic{Sapling}$ to different +values, breaking the binding property of the \valueCommitmentScheme. \introlist The above argument shows only that $\Value^* = 0 \pmod{\ParamJ{r}}$; in order to show that @@ -5621,12 +5667,12 @@ to other parties that are cooperating to create the \transaction. If all of the \nnote{ The technique of checking signatures using a \validatingKey derived from a sum of \xPedersenCommitments is also used in the \Mimblewimble protocol \cite{Jedusor2016}. -The \privateKey $\BindingPrivate$ acts as a \definingquotedterm{synthetic blinding factor}, +The \privateKey $\BindingPrivate{Sapling}$ acts as a \definingquotedterm{synthetic blinding factor}, in the sense that it is synthesized from the other blinding factors (\trapdoors) $\ValueCommitRandOld{\alln}$ and $\ValueCommitRandNew{\allm}$; this technique is also used in \Bulletproofs \cite{Dalek-notes}. } %nnote -%} %sapling +} %sapling \orchard{ 
@@ -5661,7 +5707,7 @@ is enforced by the \defining{\orchardBindingSignature}. The rôle of this signat the total value produced) by \actionTransfers is consistent with the $\vBalance{Orchard}$ field of the \transaction{}. -\nnote{The second rôle of \saplingBindingSignatures, to prove that the signer knew the +\nnote{The other rôle of \saplingBindingSignatures, to prove that the signer knew the randomness used for commitments in order to prevent them from being replayed, is less important in \Orchard because all \actionDescriptions have a \spendAuthSignature. Still, an \orchardBindingSignature does prove that the signer knew this commitment randomness; @@ -5705,8 +5751,8 @@ but validators cannot check this directly because the values are hidden by the c \introlist Instead, validators calculate the \defining{\txBindingValidatingKey} as: \begin{formulae} - \item $\BindingPublic := \Bigg(\!\vcombsum{i=1}{n}\kern 0.2em \cvNet{i}\kern 0.05em\Bigg) \combminus - \ValueCommit{Orchard}{0}\big(\vBalance{Orchard}\big)$. + \item $\BindingPublic{Orchard} := \Bigg(\!\vcombsum{i=1}{n}\kern 0.2em \cvNet{i}\kern 0.05em\Bigg) \combminus + \ValueCommit{Orchard}{0}\big(\vBalance{Orchard}\big)$. \end{formulae} \vspace{-1ex} (This key is not encoded explicitly in the \transaction and must be recalculated.) 
@@ -5715,14 +5761,14 @@ Instead, validators calculate the \defining{\txBindingValidatingKey} as: \vspace{1ex} The signer knows $\ValueCommitRandNet{\alln}$, and so can calculate the corresponding \signingKey as: \begin{formulae} - \item $\BindingPrivate := \vgrpsum{i=1}{n} \ValueCommitRandNet{i}$. + \item $\BindingPrivate{Orchard} := \vgrpsum{i=1}{n} \ValueCommitRandNet{i}$. \end{formulae} \introlist \vspace{-1ex} In order to check for implementation faults, the signer \SHOULD also check that \begin{formulae} - \item $\BindingPublic = \BindingSigDerivePublic(\BindingPrivate)$. + \item $\BindingPublic{Orchard} = \BindingSigDerivePublic{Orchard}(\BindingPrivate{Orchard})$. \end{formulae} \vspace{0.5ex} @@ -5731,7 +5777,7 @@ Let $\SigHash$ be the \sighashTxHash for a version 5 \transaction as defined in not associated with an input, using the \sighashType $\SIGHASHALL$. A validator checks balance by validating that -$\BindingSigValidate{Orchard}{\BindingPublic}(\SigHash, \bindingSig{Orchard}) = 1$. +$\BindingSigValidate{Orchard}{\BindingPublic{Orchard}}(\SigHash, \bindingSig{Orchard}) = 1$. \vspace{1ex} The security argument is very similar to that for \saplingBindingSignatures, but 
@@ -5739,11 +5785,11 @@ for completeness we spell it out, since there are minor differences due to the n value commitments, and a different bound on the net value sum $\vSum$. \vspace{1ex} -An \orchardBindingSignature proves knowledge of the discrete logarithm $\BindingPrivate$ of -$\BindingPublic$ with respect to $\ValueCommitRandBase{Orchard}$. -That is, $\BindingPublic = \scalarmult{\BindingPrivate}{\ValueCommitRandBase{Orchard}}$. -So the value $0$ and randomness $\BindingPrivate$ is an opening of the \xPedersenCommitment -$\BindingPublic = \ValueCommit{Orchard}{\BindingPrivate}(0)$. +An \orchardBindingSignature proves knowledge of the discrete logarithm $\BindingPrivate{Orchard}$ +of $\BindingPublic{Orchard}$ with respect to $\ValueCommitRandBase{Orchard}$. +That is, $\BindingPublic{Orchard} = \scalarmult{\BindingPrivate{Orchard}}{\ValueCommitRandBase{Orchard}}$. +So the value $0$ and randomness $\BindingPrivate{Orchard}$ is an opening of the \xPedersenCommitment +$\BindingPublic{Orchard} = \ValueCommit{Orchard}{\BindingPrivate{Orchard}}(0)$. By the binding property of the \xPedersenCommitment, it is infeasible to find another opening of this commitment to a different value. 
@@ -5755,25 +5801,26 @@ proofs could not have been generated without knowing $\ValueCommitRandNet{\alln} \introlist Using the fact that $\ValueCommit{\ValueCommitRand}(\Value) = \scalarmult{\Value}{\ValueCommitValueBase{Orchard}}\, -\combplus \scalarmult{\ValueCommitRand}{\ValueCommitRandBase{Orchard}}$, the expression for $\BindingPublic$ above is -equivalent to: +\combplus \scalarmult{\ValueCommitRand}{\ValueCommitRandBase{Orchard}}$, the expression for $\BindingPublic{Orchard}$ +above is equivalent to: \vspace{1ex} \begin{tabular}{@{\hskip 2em}r@{\;}l} - $\BindingPublic$ &$= \Biggscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \vNet{i}\Bigg) \grpminus \vBalance{Orchard}}{\ValueCommitValueBase{Orchard}}\, \combplus - \Biggscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \ValueCommitRandNet{i}\Bigg)}{\ValueCommitRandBase{Orchard}}$ \\[3.5ex] - &$= \ValueCommit{Orchard}{\BindingPrivate}\Bigg(\!\vsum{i=1}{n} \vNet{i} - \vBalance{Orchard}\Bigg)$. + $\BindingPublic{Orchard}$ &$= \Biggscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \vNet{i}\Bigg) \grpminus \vBalance{Orchard}}{\ValueCommitValueBase{Orchard}}\, \combplus + \Biggscalarmult{\Bigg(\!\vgrpsum{i=1}{n} \ValueCommitRandNet{i}\Bigg)}{\ValueCommitRandBase{Orchard}}$ \\[3.5ex] + &$= \ValueCommit{Orchard}{\BindingPrivate{Orchard}}\Bigg(\!\vsum{i=1}{n} \vNet{i} - \vBalance{Orchard}\Bigg)$. \end{tabular} \introlist Let $\vSum = \vsum{i=1}{n} \vNet{i} - \vBalance{Orchard}$. Suppose that $\vSum = \vBad \neq 0 \pmod{\ParamJ{r}}$. -Then $\BindingPublic = \ValueCommit{Orchard}{\BindingPrivate}(\vBad)$. If the adversary were able to -find the discrete logarithm of this $\BindingPublic$ with respect to $\ValueCommitRandBase{Orchard}$, say -$\BindingPrivate'$ (as needed to create a valid \orchardBindingSignature), then $(\vBad, \BindingPrivate)$ -and $(0, \BindingPrivate')$ would be distinct openings of $\BindingPublic$ to different values, -breaking the binding property of the \valueCommitmentScheme. 
+Then $\BindingPublic{Orchard} = \ValueCommit{Orchard}{\BindingPrivate{Orchard}}(\vBad)$. +If the adversary were able to find the discrete logarithm of this $\BindingPublic{Orchard}$ +with respect to $\ValueCommitRandBase{Orchard}$, say $\BindingPrivate'$ (as needed to +create a valid \orchardBindingSignature), then $(\vBad, \BindingPrivate{Orchard})$ and +$(0, \BindingPrivate')$ would be distinct openings of $\BindingPublic{Orchard}$ to different +values, breaking the binding property of the \valueCommitmentScheme. \introlist The above argument shows only that $\Value^* = 0 \pmod{\ParamP{r}}$; in order to show that @@ -6368,11 +6415,11 @@ $(\EphemeralPublic, \EphemeralPrivate)$. \item For $i \in \setofNew$, \begin{itemize} \item Let $\TransmitPlaintext{i}$ be the \rawEncoding of $\NotePlaintext{i}$. - \item Let $\DHSecret{i} := \KAAgree{Sprout}(\EphemeralPrivate, + \item Let $\DHSecret{i} = \KAAgree{Sprout}(\EphemeralPrivate, \TransmitPublicSub{i})$. - \item Let $\TransmitKey{i} := \KDF{Sprout}(i, \hSig, \DHSecret{i}, \EphemeralPublic, + \item Let $\TransmitKey{i} = \KDF{Sprout}(i, \hSig, \DHSecret{i}, \EphemeralPublic, \TransmitPublicSub{i})$. - \item Let $\TransmitCiphertext{i} := + \item Let $\TransmitCiphertext{i} = \SymEncrypt{\TransmitKey{i}}(\TransmitPlaintext{i})$. \end{itemize} } 
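Review bot: In the Orchard security argument the context line `Suppose that $\vSum = \vBad \neq 0 \pmod{\ParamJ{r}}$.` still reduces modulo the Jubjub order, whereas the commitments here are over Pallas and the sentence closing this hunk uses `\ParamP{r}` (`$\Value^* = 0 \pmod{\ParamP{r}}$`); this looks like a copy from the Sapling section that the rewrite of the surrounding lines did not fix. Since the whole point of the argument is which modulus the balance holds under, it should read `Suppose that $\vSum = \vBad \neq 0 \pmod{\ParamP{r}}$.` The argument itself continues past the end of this hunk.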
@@ -6889,6 +6936,11 @@ and integers: \item $\LEOStoIP{} \typecolon (\ell \typecolon \Nat \suchthat \ell \bmod 8 = 0) \times \byteseq{\ell/8} \rightarrow \binaryrange{\ell}$ such that $\LEOStoIPOf{\ell}{S}$ is the integer represented in little-endian order by the byte sequence $S$ of length $\ell/8$. +\notbeforeorchard{ + \item $\BEOStoIP{} \typecolon (\ell \typecolon \Nat \suchthat \ell \bmod 8 = 0) \times \byteseq{\ell/8} \rightarrow \binaryrange{\ell}$ + such that $\BEOStoIPOf{\ell}{S}$ is the integer represented in big-endian order by the + byte sequence $S$ of length $\ell/8$. +} %notbeforeorchard \item $\LEBStoOSP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$ defined as follows: pad the input on the right with $8 \mult \ceiling{\ell/8} - \ell$ zero bits so that its length is a multiple of 8 bits. Then convert each group of 8 bits to a byte @@ -6950,6 +7002,11 @@ Define: \item $\SpendingKeyLength \typecolon \Nat := 256$ \item $\DiversifierLength \typecolon \Nat := 88$ \item $\InViewingKeyLength{Sapling} \typecolon \Nat := 251$ +} %sapling +\orchard{ + \item $\InViewingKeyLength{Orchard} \typecolon \Nat := 254$ +} %orchard +\sapling{ \item $\OutViewingKeyLength \typecolon \Nat := 256$ \item $\ScalarLength{Sapling} \typecolon \Nat := 252$ } %sapling @@ -7315,8 +7372,8 @@ Define \vspace{-1ex} \begin{formulae} - \item $\DiversifyHash{Orchard}(\Diversifier) :=$ -% \GroupPHash\Of{\ascii{z.cash:Orchard-gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier}\kern-0.1em}$ + \item $\DiversifyHash{Orchard}(\Diversifier) := + \GroupPHash\Of{\ascii{z.cash:Orchard-gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier}\kern-0.1em}$ \end{formulae} The following security property and notes apply to both \Sapling and \Orchard. 
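Review bot: `\DiversifyHash{Orchard}` is now defined as a bare call to `\GroupPHash`, but the Pallas group hash defined later in this patch is typed as returning `\GroupG{}` rather than `\GroupGstar`, so the diversified base could in principle be `\ZeroP`, which would make `\DiversifiedTransmitPublic` the identity for every key using that diversifier. The Sapling definition has a defined degenerate case (returning `\bot`); Orchard needs an equivalent rule, e.g. `let P = \GroupPHash(\ascii{z.cash:Orchard-gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier}) in if P = \ZeroP then \bot else P`, or a stated substitution, and the sentence that the security property "applies to both Sapling and Orchard" should then say which behaviour it covers. The probability is negligible, but consensus code needs the case specified rather than left to implementations.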
@@ -7359,7 +7416,7 @@ the third address was derived from. \begin{nnotes} \item Suppose that $\GroupJHash{}$ (restricted to inputs for which it does not - return $\bot$) is modelled as a random oracle from \diversifiers to points + return $\bot$) is modelled as a \randomOracle from \diversifiers to points of order $\ParamJ{r}$ on the \jubjubCurve. In this model, Unlinkability of $\DiversifyHash{Sapling}$ holds under the Decisional Diffie-Hellman assumption on the prime-order subgroup of the \jubjubCurve. @@ -7391,7 +7448,7 @@ the third address was derived from. the group hash, such as Pedersen hashes and commitments) that the discrete logarithm of the output group element with respect to any other generator is unknown. This assumption is justified if the group hash acts as a - random oracle. + \randomOracle. Essentially, \diversifiers act as handles to unknown random numbers. (The group hash inputs used with different personalizations are in different ``namespaces''.) @@ -7683,7 +7740,7 @@ Define $\SinsemillaHashToPoint(D \typecolon \byteseqs, M \typecolon \bitseq{\ran \begin{algorithm} \item pad $M$ to a multiple of $k$ bits by appending zero bits, giving $M'$. - \item let $n \typecolon \range{0}{c} := \ceiling{\hfrac{\length(M')}{k}\kern-0.1em}$ + \item let $n \typecolon \range{0}{c} = \ceiling{\hfrac{\length(M')}{k}\kern-0.1em}$ \item split $M'$ into $n$ \defining{\pieces} $M_\barerange{1}{n}$, each of length $k$ bits, so that $M' = \concatbits(M_\barerange{1}{n})$. \item let mutable $\Acc := \SinsemillaGenInit(D)$ 
@@ -7773,9 +7830,9 @@ Let $\powcount(g) := \Justthebox{\powcountbox}$. % Blech. Dijkstra was right \cite{EWD-831}. Let $\EquihashGen{n, k}(S, i) := T_\barerange{h+1}{h+n}$, where \begin{formulae} - \item $m := \floor{\frac{512}{n}}$; - \item $h := (i-1 \bmod m) \mult n$; - \item $T := \BlakeTwobOf{(\mathnormal{n \mult m})}{\powtag,\, S \bconcat \powcount(\floor{\frac{i-1}{m}})}$. + \item $m = \floor{\frac{512}{n}}$; + \item $h = (i-1 \bmod m) \mult n$; + \item $T = \BlakeTwobOf{(\mathnormal{n \mult m})}{\powtag,\, S \bconcat \powcount(\floor{\frac{i-1}{m}})}$. \end{formulae} Indices of bits in $T$ are 1-based. @@ -7785,7 +7842,7 @@ $\BlakeTwobOf{\ell}{p, x}$ is defined in \crossref{concreteblake2}. \securityrequirement{ $\BlakeTwobOf{\ell}{\powtag, x}$ must generate output that is sufficiently unpredictable to avoid short-cuts to the \Equihash solution process. -It would suffice to model it as a random oracle. +It would suffice to model it as a \randomOracle. } \pnote{ @@ -8277,7 +8334,7 @@ using libsodium~v1.0.15.} \sapling{ -\extralabel{concreteredjubjub}{\lsubsubsection{\RedDSAText{} and \RedJubjubText{}}{concretereddsa}} +\extralabel{concreteredjubjub}{\lsubsubsection{\RedDSAText{}\notorchard{ and \RedJubjubText{}}\notbeforeorchard{, \RedJubjubText{}, and \RedPallasText{}}}{concretereddsa}} $\RedDSA$ is a Schnorr-based \signatureScheme, optionally supporting key re-randomization as described in \crossref{abstractsigrerand}. It also supports a 
@@ -8450,6 +8507,16 @@ The scheme $\RedJubjub$ specializes $\RedDSA$ with: \item $\RedDSAHash(x) := \BlakeTwobOf{512}{\ascii{Zcash\_RedJubjubH}, x}$ as defined in \crossref{concreteblake2}. \end{itemize} +\orchard{ +\introlist +The scheme $\RedPallas$ specializes $\RedDSA$ with: +\begin{itemize} + \item $\GroupG{} := \GroupP$ as defined in \crossref{pallasandvesta}; + \item $\RedDSAHashLength := 512$; + \item $\RedDSAHash(x) := \BlakeTwobOf{512}{\ascii{Zcash\_RedPallasH}, x}$ as defined in \crossref{concreteblake2}. +\end{itemize} +} %orchard + \vspace{-1ex} The generator $\GenG{} \typecolon \SubgroupG{}$ is left as an unspecified parameter, different between $\BindingSig{Sapling}$\notbeforeorchard{,}\notorchard{ and} $\SpendAuthSig{Sapling}$\orchard{, $\BindingSig{Orchard}$, 
@@ -8462,20 +8529,20 @@ and $\SpendAuthSig{Orchard}$}. \lsubsubsubsection{Spend Authorization Signature (\SaplingAndOrchardText)}{concretespendauthsig} \vspace{-1ex} -Let $\RedJubjub$ be as defined in \crossref{concreteredjubjub}. +Let $\RedJubjub$ be as defined in \crossref{concretereddsa}. Define $\AuthSignBase{Sapling} := \FindGroupJHash\Of{\ascii{Zcash\_G\_}, \ascii{}}$. -The \defining{\spendAuthSignatureScheme}, $\SpendAuthSig{Sapling}$, is instantiated as $\RedJubjub$ -with key re-randomization, and with generator $\GenG{} = \AuthSignBase{Sapling}$. +The \defining{\spendAuthSignatureScheme} $\SpendAuthSig{Sapling}$ is instantiated as $\RedJubjub$ +with key re-randomization and with generator $\GenG{} = \AuthSignBase{Sapling}$. \orchard{ -Let $\RedPallas$ be as defined in \crossref{concreteredpallas}. +Let $\RedPallas$ be as defined in \crossref{concretereddsa}. Define $\AuthSignBase{Orchard} := \GroupPHash\Of{\ascii{z.cash:Orchard}, \ascii{G}}$. -The \defining{\spendAuthSignatureScheme}, $\SpendAuthSig{Orchard}$, is instantiated as $\RedPallas$ -with key re-randomization, and with generator $\GenG{} = \AuthSignBase{Orchard}$. +The \defining{\spendAuthSignatureScheme} $\SpendAuthSig{Orchard}$ is instantiated as $\RedPallas$ +with key re-randomization and with generator $\GenG{} = \AuthSignBase{Orchard}$. } %orchard \vspace{0.5ex} @@ -9221,8 +9288,8 @@ $\ExtractJ$ is injective on $\SubgroupJ$. \lsubsubsubsection{Group Hash into \JubjubText}{concretegrouphashjubjub} \vspace{-1ex} -Let $\GroupGHashInput := \byteseq{8} \times \byteseqs$, and -let $\GroupGHashURSType := \byteseq{64}$. +Let $\GroupJHashInput := \byteseq{8} \times \byteseqs$, and +let $\GroupJHashURSType := \byteseq{64}$. (The input element with type $\byteseq{8}$ is intended to act as a ``personalization'' parameter to distinguish uses of the \groupHash for 
@@ -9255,8 +9322,8 @@ The hash $\GroupJHash{\URS}(D, M) \typecolon \SubgroupJstar$ is calculated as fo \begin{pnotes} \vspace{-0.5ex} \item The use of $\GroupJHash{\URS}$ for $\DiversifyHash{Sapling}$ and to generate independent bases - needs a random oracle (for inputs on which $\GroupJHash{\URS}$ does not return $\bot$); - here we show that it is sufficient to employ a simpler random oracle instantiated by + needs a \randomOracle (for inputs on which $\GroupJHash{\URS}$ does not return $\bot$); + here we show that it is sufficient to employ a simpler \randomOracle instantiated by $\vphantom{a^b}\BlakeTwos{256}$ in the security analysis. $\exclusivefun{\HashOutput \typecolon \byteseq{32}} @@ -9269,8 +9336,8 @@ The hash $\GroupJHash{\URS}(D, M) \typecolon \SubgroupJstar$ is calculated as fo It follows that when $\fun{\big(D \typecolon \byteseq{8}, M \typecolon \byteseqs\big)} {\BlakeTwosOf{256}{D,\, \URS \bconcat\, M}\! \typecolon \byteseq{32}}$ - is modelled as a random oracle, $\exclusivefun{\big(D \typecolon \byteseq{8}, M \typecolon \byteseqs\big)} - {\GroupJHash{\URS}\big(D, M\big) \typecolon \SubgroupJstar}{\setof{\bot}}$ also acts as a random oracle. + is modelled as a \randomOracle, $\exclusivefun{\big(D \typecolon \byteseq{8}, M \typecolon \byteseqs\big)} + {\GroupJHash{\URS}\big(D, M\big) \typecolon \SubgroupJstar}{\setof{\bot}}$ also acts as a \randomOracle. \item The $\BlakeTwos{256}$ chaining variable after processing $\URS$ may be precomputed. \end{pnotes} @@ -9353,7 +9420,7 @@ $\abstJ\Of{P\Repr}$ is computed as follows: \item if $y \bmod 2 = \tilde{y}$ then return $(x, y)$ else return $(x, \ParamP{q} - y)$. \end{formulae} -\pnote{$\abstPstar\Of{\ItoLEBSP{256}\big(2^{255}\big)} = \bot$, and so there is only one +\pnote{$\abstPstar\big(\ItoLEBSP{256}\big(2^{255}\big)\kern-0.1em\big) = \bot$, and so there is only one valid representation of each point on the curve. This differs from the corresponding case of $\abstJ$ for \Jubjub, for example.} 
@@ -9361,8 +9428,6 @@ Define $\reprVstar \typecolon \GroupVstar \rightarrow \ReprVstar$ and $\abstVstar \typecolon \ReprVstar \rightarrow \maybe{\GroupVstar}$ as above with references to $\GroupP$ replaced by $\GroupV$. -\nnote{The \defining{\swCompressedEncoding} used here is consistent with that used in \todo{...}.} - When computing square roots in $\GF{\ParamP{q}}$ or $\GF{\ParamV{q}}$ in order to decompress a point encoding, the implementation \MUSTNOT assume that the square root exists, or that the encoding represents a point on the curve. 
@@ -9377,32 +9442,33 @@ Define $\ExtractP \typecolon \GroupP \rightarrow \MerkleHash{Orchard}$ by \begin{formulae} \item $\ExtractP(P) := \ItoLEBSPOf{\MerkleHashLength{Orchard}}{\Selectx\Of{P}}$. \end{formulae} +} %orchard - +\orchard{ \lsubsubsubsection{Group Hash into \PallasAndVestaText}{concretegrouphashpallasandvesta} -\Orchard uses the ``simplified SWU'' algorithm for random-oracle hashing to elliptic curves +\Orchard uses the ``simplified SWU'' algorithm for \randomOracleAdjective hashing to elliptic curves with $j$-invariant $0$, consistent with \cite[section 6.6.3]{ID-hashtocurve}, based on a method by Riad Wahby and Dan Boneh \cite{WB2019}. It is adapted from work of Eric Brier, Jean-Sébastien Coron, Thomas Icart, David Madore, Hugues Randriam, and Mehdi Tibouchi in \cite{BCIMRT2010}; Andrew Shallue and Christiaan {van de Woestijne} in \cite{SvdW2006}; and Maciej Ulas in \cite{Ulas2007}. -Let $\GroupP{}$ be the represented group of points on the \pallasCurve, as defined in -\crossref{pallasandvesta}. The specification in this section may also be applied to Vesta, -substituting $\GroupV$ and $\GroupIsoV$ for all references to $\GroupP$ and $\GroupIsoP$ respectively. +Let $\GroupP$ and $\GroupV$ be the represented groups of points on the \pallasCurve and the +\vestaCurve respectively, as defined in \crossref{pallasandvesta}. Let $\GroupG{}$ be either +$\GroupP$ or $\GroupV$ according to the desired target curve. -Define $\ZeroP{}$, $\GroupPstar{}$, and $\abstPstar{}$ as in \crossref{pallasandvesta}. +Also define $\ZeroG{}$, $\GroupGstar{}$, $\ParamG{q}$, and $\abstGstar$ +by replacing $\GroupG{}$ with either $\GroupP$ or $\GroupV$, using definitions from +\crossref{pallasandvesta}. -Let $\GroupPHashInput := \byteseqs \times \byteseqs$. +Let $\curveNameG$ be $\ascii{pallas}$ when $\GroupG{} = \GroupP$, or $\ascii{vesta}$ when +$\GroupG{} = \GroupV$. 
-(The first input element is intended to act as a ``personalization'' parameter to -distinguish uses of the \groupHash for different purposes.) - -$\GroupPHash$ does not have a URS, i.e.\ $\GroupPHashURSType := ()$. - -The algorithm makes use of a curve $\CurveIsoP$, called \IsoPallas, that is isogenous to $\CurveP$ -(or $\CurveIsoV$, called \IsoVesta, that is isogenous to $\CurveV$). +The algorithm makes use of a curve $\CurveIsoP$, called \IsoPallas, that is isogenous\footnote{\orchard{For +a brief introduction to isogenies between elliptic curves, see \cite{Cook2019}. For deeper mathematical +background, see the notes for lectures 5, 6, and 7 at \cite{Sutherland2019}.}} to $\CurveP$; or +$\CurveIsoV$, called \IsoVesta, that is isogenous to $\CurveV$. Let $\ParamIsoP{a} := \hexint{18354a2eb0ea8c9c49be2d7258370742b74134581a27a59f92bb4b0b657a014b}$. @@ -9410,10 +9476,11 @@ Let $\ParamIsoV{a} := \hexint{267f9b2ee592271a81639c4d96f787739673928c7d01b212c5 Let $\ParamIsoP{b} = \ParamIsoV{b} := 1265$. -Let $\GroupIsoP$ be the \swEllipticCurve with equation $y^2 = x^3 + \ParamIsoP{a} \mult x + \ParamIsoP{b}$. +Let $\CurveIsoP$ be the \swEllipticCurve with equation $y^2 = x^3 + \ParamIsoP{a} \mult x + \ParamIsoP{b}$. -Let $\GroupIsoV$ be the \swEllipticCurve with equation $y^2 = x^3 + \ParamIsoV{a} \mult x + \ParamIsoV{b}$. +Let $\CurveIsoV$ be the \swEllipticCurve with equation $y^2 = x^3 + \ParamIsoV{a} \mult x + \ParamIsoV{b}$. +\introsection Let $\IsoConstP{} \typecolon \typeexp{\GF{\ParamP{q}}}{13} := [$ \vspace{-2ex} \begin{lines} @@ -9434,6 +9501,7 @@ Let $\IsoConstP{} \typecolon \typeexp{\GF{\ParamP{q}}}{13} := [$ \vspace{-2.5ex} $]$ +\introsection Let $\IsoConstV{} \typecolon \typeexp{\GF{\ParamV{q}}}{13} := [$ \vspace{-2ex} \begin{lines} 
@@ -9454,39 +9522,138 @@ Let $\IsoConstV{} \typecolon \typeexp{\GF{\ParamV{q}}}{13} := [$ \vspace{-2.5ex} $]$ -Let $\IsoMapP \typecolon \GroupIsoP \rightarrow \GroupP$ be the isogeny map given by: +Let $\IsoMapG \typecolon \GroupIsoG \rightarrow \GroupG{}$ be the isogeny map given by: \begin{tabular}{@{\hskip 1.5em}r@{\;}l} - $\IsoMapP\big(\ZeroIsoP\big)$ &$= \ZeroP$ \\ - $\IsoMapP\big((x, y)\big)$ &$= \left(\hfrac{\IsoConstP{1} \mult x^3 + \IsoConstP{2} \mult x^2 + \IsoConstP{3} \mult x + \IsoConstP{4}} - {x^2 + \IsoConstP{5} \mult x + \IsoConstP{6}}, - \hfrac{\big(\IsoConstP{7} \mult x^3 + \IsoConstP{8} \mult x^2 + \IsoConstP{9} \mult x + \IsoConstP{10}\big) \mult y} - {x^3 + \IsoConstP{11} \mult x^2 + \IsoConstP{12} \mult x + \IsoConstP{13}}\right)$ + $\IsoMapG\big(\ZeroIsoG\big)$ &$= \ZeroP$ \\ + $\IsoMapG\big((x, y)\big)$ &$= \left(\hfrac{\IsoConstG{1} \mult x^3 + \IsoConstG{2} \mult x^2 + \IsoConstG{3} \mult x + \IsoConstG{4}} + {x^2 + \IsoConstG{5} \mult x + \IsoConstG{6}}, + \hfrac{\big(\IsoConstG{7} \mult x^3 + \IsoConstG{8} \mult x^2 + \IsoConstG{9} \mult x + \IsoConstG{10}\big) \mult y} + {x^3 + \IsoConstG{11} \mult x^2 + \IsoConstG{12} \mult x + \IsoConstG{13}}\right)$. \end{tabular} -and similarly for $\IsoMapV \typecolon \GroupIsoV \rightarrow \GroupV$. +\vspace{3ex} +Let $\BlakeTwob{512} \typecolon \byteseq{16} \times \byteseqs \rightarrow \byteseq{\ell/8}$ be as defined in \crossref{concreteblake2}. -%Let $\BlakeTwos{256}$ be as defined in \crossref{concreteblake2}. +Let $\BEOStoIP{}$ be as defined in \crossref{endian}. -%Let $\LEOStoIP{}$ be as defined in \crossref{endian}. - -\vspace{1ex} -Let $D \typecolon \byteseqs$ be a domain separator, and -let $M \typecolon \byteseqs$ be the hash input. 
- -\todo{define BLAKE2-based XOF} - -\introlist -The hash $\GroupPHash(D, M) \typecolon \GroupPstar$ is calculated as follows: +\vspace{0.5ex} +Define $\hashtofield_{\XMDBlakeTwob}^{\typeexp{\GF{\ParamG{q}}\!}{2}}(\msg \typecolon \byteseqs, \DST \typecolon \byteseq{\range{0}{255}}) + \rightarrow \typeexp{\GF{\ParamG{q}}\!}{2}$ as follows: \begin{algorithm} - \item \todo{consistent with \cite{ID-hashtocurve} \texttt{hash\_to\_curve}} + \item let $\DST' = \DST \bconcat\, [\,\length(\DST)\,]$ + \item let $\msg' = \zerobytes{64} \bconcat \msg \bconcat\, [\,0, 128\,] \bconcat\, [\,0\,] \bconcat \DST'$ + \item let $b_0 = \BlakeTwob{512}\big(\zerobytes{16}, \msg'\big)$ + \item let $b_1 = \BlakeTwob{512}\big(\zerobytes{16}, b_0 \bconcat\, [\,1\,] \bconcat \DST'\big)$ + \item let $b_2 = \BlakeTwob{512}\big(\zerobytes{16}, (b_0 \xor b_1) \bconcat\, [\,2\,] \bconcat \DST'\big)$ + \item return $[\,\BEOStoIPOf{512}{b_1}\! \pmod{\ParamG{q}},\, \BEOStoIPOf{512}{b_2}\! \pmod{\ParamG{q}}\,]$. \end{algorithm} +\begin{nnotes} + \item This algorithm is intended to correspond to $\hashtofield(\msg, 2)$ defined in + \cite[section 5.3]{ID-hashtocurve}, using as its $\expandmessage$ parameter + the function $\XMDBlakeTwob$ corresponding to $\expandmessagexmd$ defined in + \cite[section 5.4.1]{ID-hashtocurve}, and with domain separation tag $\DST$. + In $\expandmessagexmd$, $\mathsf{H}$ is instantiated as $\BlakeTwob{512}$ with + $\binbytes = 64$, and we specialize to $\leninbytes = 128$ since that is the only + case we need. In the event of any discrepancy or change to the Internet Draft, + the definition here takes precedence. + \item Unlike other uses of $\BlakeTwobGeneric$ in \Zcash, zero bytes are used for the + $\BlakeTwobGeneric$ personalization, in order to follow the Internet Draft which + encodes $\DST$ in the hash inputs instead. + \item The conversion from bytes to field elements uses big-endian order, again in order + to follow the Internet Draft. 
+ \item A minor optimization is to cache the state of the $\BlakeTwob{512}$ instance + used to compute $b_0$ after processing $\zerobytes{64}$, since this state does + not depend on the message. +\end{nnotes} + +Let $\ParamG{\lambda}$ be any fixed nonsquare in $\GF{\ParamG{q}}$. +Define $\sqrtratioG(\num, \xdiv) \typecolon \GF{\ParamG{q}} \times \GFstar{\ParamG{q}} \rightarrow \GF{\ParamG{q}}$ as follows: + +\begin{formulae} + \item $\sqrtratioG(\num, \xdiv) = \begin{cases} + \,\big(\,\optsqrt{\num / \xdiv}, &\!\!\!\!1\big), \text{ if } \num / \xdiv\text{ is square in }\GF{\ParamG{q}} \\ + \,\big(\,\optsqrt{\ParamG{\lambda} \mult \num / \xdiv}, &\!\!\!\!0\big), \text{ otherwise.} + \end{cases}$ +\end{formulae} +\vspace{-1ex} +\begin{nnotes} + \item An arbitrary square root may be chosen in either case of the definition. The result is never $\bot$. + \item The computation of $\sqrtratioG$ can be optimized as described in \todo{}. +\end{nnotes} + +Define $\ParamIsoG{Z} := -13 \pmod{\ParamG{q}}$. (This value is suitable for both \IsoPallas and \IsoVesta.) + +Precompute $\ParamIsoG{\theta} := \optsqrt{\ParamIsoG{Z} / \ParamG{\lambda}}$, which is not $\bot$.\footnote{\orchard{Both +$\ParamIsoG{Z}$ and $\ParamG{\lambda}$ are nonsquare, and so their ratio is square in $\GF{\ParamG{q}}$.}} + +Precompute $\ParamIsoG{b} / (\ParamIsoG{Z} \mult \ParamIsoG{a})$. + +By definition we have that $\CurveG{}$ is the \swCurve with equation $y^2 = x^3 + \ParamG{b}$, and +$\CurveIsoG$ is the \swCurve with equation $y^2 = x^3 + \ParamIsoG{a} \mult x + \ParamIsoG{b}$. 
+ +\vspace{1ex} +Define $\maptocurvesimpleswuIsoG(u \typecolon \GF{\ParamG{q}}) \rightarrow \GroupIsoG$ as follows: +\vspace{-0.5ex} +\begin{algorithm} + \item let $\mathsf{Zuu} = \ParamIsoG{Z} \mult u^2$ + \item let $\mathsf{ta} = \mathsf{Zuu}^2 + \mathsf{Zuu}$ + \item let $\mathsf{x1}_\num = \ParamIsoG{b} \mult (\mathsf{ta} + 1)$ + \item let $\mathsf{x}_\xdiv = -\ParamIsoG{a} \mult \mathsf{ta}$ + \item compute $\mathsf{x}_\xdiv^2$ and $\mathsf{x}_\xdiv^3$ + \item let $\mathsf{U} = (\mathsf{ta} = 0) \bchoose \ParamIsoG{b} / (\ParamIsoG{Z} \mult \ParamIsoG{a}) : + ((\mathsf{x1}_\num^2 + \ParamIsoG{a} \mult \mathsf{x}_\xdiv^2) \mult \mathsf{x1}_\num + \ParamIsoG{b} \mult \mathsf{x}_\xdiv^3)$ + \item let $\mathsf{V} = (\mathsf{ta} = 0) \bchoose 1 : \mathsf{x}_\xdiv^3$ + \item let $\mathsf{x2}_\num = \mathsf{Zuu} \mult \mathsf{x1}_\num$ + \item let $(\mathsf{y1},\, \mathsf{is\_gx1\_square}) = \sqrtratioG(\mathsf{U}, \mathsf{V})$ + \item let $\mathsf{y2} = \ParamIsoG{\theta} \mult \mathsf{Zuu} \mult u \mult \mathsf{y1}$ + \item let $\mathsf{x}_\num = \mathsf{is\_gx1\_square} \bchoose \mathsf{x1}_\num : \mathsf{x2}_\num$ + \item let $\mathsf{y} = \mathsf{is\_gx1\_square} \bchoose \mathsf{y1} : \mathsf{y2}$ + \item return the $\CurveIsoG$ point with affine coordinates $\left(\mathsf{x}_\num / \mathsf{x}_\xdiv, \mathsf{y}\right)$. +\end{algorithm} + +Let $\GroupGHashInput := \byteseqs \times \byteseqs$. +The first input element acts as a domain separator to distinguish uses of the +\groupHash for different purposes; the second input element is the message. + +This hash-to-curve algorithm does not have a URS, i.e.\ $\GroupGHashURSType := ()$. 
+ +\introlist +The hash $\GroupGHash(D \typecolon \byteseqs, M \typecolon \byteseqs) \typecolon \GroupG{}$ +is calculated as follows: + +\begin{algorithm} + \item let $\DST = D \bconcat \ascii{-} \bconcat \curveNameG \bconcat \ascii{\_XMD:BLAKE2b\_SSWU\_RO\_}$ + \item let $[\,u_0, u_1\,] = \hashtofield_{\XMDBlakeTwob}^{\typeexp{\GF{\ParamG{q}}\!}{2}}(\msg, \DST)$ + \item let $Q_i = \maptocurvesimpleswuIsoG(u_i)$ for $i \in \{0, 1\}$ + \item return $\IsoMapG(Q_0 + Q_1)$. +\end{algorithm} + +\begin{nnotes} + \item $\GroupPHash$ and $\GroupVHash$ are intended to be instantiations of + \texttt{hash\_to\_curve} using ``Simplified SWU for $AB = 0$'' described in + \cite[section 6.6.3]{ID-hashtocurve}. In the event of any discrepancy or change + to the Internet Draft, the definition here takes precedence. + \item It is not necessary to use the $\clearcofactor$ function specified in the + Internet Draft, because \Pallas and \Vesta (and therefore \IsoPallas and \IsoVesta) + are prime-order. + \item The above description incorporates optimizations from \cite{WB2019} that avoid + inversions and unnecessary square tests in the computation of $\maptocurvesimpleswuIsoG$. + In order to fully avoid inversions, the output of $\maptocurvesimpleswuIsoG$ can be + expressed in Jacobian coordinates, as can the input and output of $\IsoMapG$. + It is outside the scope of this document to describe Jacobian coordinates, but + for example, the $\CurveIsoG$ point with affine coordinates + $\big(\mathsf{x}_\num / \mathsf{x}_\xdiv, \mathsf{y}\big)$, has Jacobian coordinates + $\big(\mathsf{x}_\num \mult \mathsf{x}_\xdiv : \mathsf{y} \mult \mathsf{x}_\xdiv^3 : \mathsf{x}_\xdiv\big)$. 
+\end{nnotes} + \pnote{ -The use of $\GroupPHash$ for $\DiversifyHash{Orchard}$ and to generate independent bases -needs a random oracle, which the \texttt{hash\_to\_curve} algorithm in \cite{ID-hashtocurve} -is designed to provide given that the BLAKE2-based XOF satisfies the requirements of +The uses of $\GroupPHash$ for $\DiversifyHash{Orchard}$, and of both $\GroupPHash$ and +$\GroupVHash$ to generate independent bases, need a \randomOracle. The $\hashtocurve$ algorithm +in \cite{ID-hashtocurve} is designed to be indifferentiable from a \randomOracle (in the +framework of \cite{MRH2003}), given that $\XMDBlakeTwob$ satisfies the requirements of \cite[section 5.5.4]{ID-hashtocurve}. The security of the Brier et al.\ construction on which this algorithm is based is analysed in \cite{FFSTV2013} and \cite{KT2015}, with a verified proof in \cite{BGHOZ2013}. @@ -9575,7 +9742,7 @@ for the \BNPairing pairing this is: \item $\Justthebox{\bctvbox}$ \end{formulae} -The resulting proof size is 296 bytes. +The resulting proof size is $296$ bytes. \vspace{0.8ex} \introlist @@ -9644,7 +9811,7 @@ for the \BLSPairing pairing this is: \item $\Justthebox{\grothbox}$ \end{formulae} -The resulting proof size is 192 bytes. +The resulting proof size is $192$ bytes. \vspace{0.8ex} \introlist @@ -9660,7 +9827,21 @@ verifier \MUST check, for the encoding of each element, that: $\SubgroupSstar{2}$, including checking that it is of order $\ParamS{r}$ in each case. \end{itemize} -} +} %sapling + + +\orchard{ +\lsubsubsubsection{\HaloTwoText}{halo2} + +For \Orchard{} \actionDescriptions in version 5 \transactions, \Zcash uses \zkSNARKs with the +\defining{\HaloTwo} \provingSystem described in \todo{}. + +\introlist +\lsubsubsubsubsection{Encoding of \HaloTwoText{} Proofs}{halo2encoding} + +\HaloTwo proofs are defined as byte sequences, and so the encoding is the proof itself. +} %orchard + \lsubsection{Encodings of Note Plaintexts and Memo Fields}{notept} 
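Review bot: `\sqrtratioG` says "an arbitrary square root may be chosen" and `\maptocurvesimpleswuIsoG` never fixes the sign of `y`, so the output of `\GroupGHash` — and hence every Orchard diversified base and fixed generator — is not uniquely determined by its input; the Internet Draft's map_to_curve_simple_swu forces `sgn0(y) = sgn0(u)` (parity in a prime field), and this consensus-critical function needs either that step or a canonical square root. The `ta = 0` branch also looks wrong: it feeds `b/(Z·a)` (the intended x1) into `\sqrtratioG` as though it were g(x1), and `x_div = -a·ta` is then zero so the returned `x_num / x_div` is undefined; choosing the divisor instead, `x_div = a·((ta = 0) ? Z : -ta)`, lets the general `U`/`V` formulas cover the exceptional case and removes the special precompute. In expand_message_xmd, Z_pad is r_in_bytes zeros where r_in_bytes is H's input block size, which for BLAKE2b is 128 bytes (RFC 7693), so if the intent is to match the draft then `\zerobytes{64}` in `msg'` and in the caching note should be `\zerobytes{128}`; confirm against the draft. Smaller leftovers: `\IsoMapG(\ZeroIsoG) = \ZeroP` should be `\ZeroG`, the BLAKE2b type `\byteseq{\ell/8}` has no `\ell` in scope (`\byteseq{64}`), `\hashtofield` is called with `\msg` while the argument is named `M`, and `\sqrtratioG` is typed as returning one field element but returns a pair.
```latex
  \item let $\mathsf{x}_\xdiv = \ParamIsoG{a} \mult \big((\mathsf{ta} = 0) \bchoose \ParamIsoG{Z} : -\mathsf{ta}\big)$
  \item compute $\mathsf{x}_\xdiv^2$ and $\mathsf{x}_\xdiv^3$
  \item let $\mathsf{U} = (\mathsf{x1}_\num^2 + \ParamIsoG{a} \mult \mathsf{x}_\xdiv^2) \mult \mathsf{x1}_\num + \ParamIsoG{b} \mult \mathsf{x}_\xdiv^3$
  \item let $\mathsf{V} = \mathsf{x}_\xdiv^3$
  % … unchanged: x2_num, sqrtratio, y2, selection of x_num and y …
  \item if $u \bmod 2 \neq \mathsf{y} \bmod 2$ then set $\mathsf{y} = -\mathsf{y}$
  \item return the $\CurveIsoG$ point with affine coordinates $\left(\mathsf{x}_\num / \mathsf{x}_\xdiv, \mathsf{y}\right)$.
```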
@@ -9947,6 +10128,44 @@ For addresses on \Testnet, the \humanReadablePart is \ascii{ztestsapling}. } %sapling +\orchard{ +\lsubsubsection{\OrchardText{} Payment Addresses}{orchardpaymentaddrencoding} + +Let $\KA{Orchard}$ be as defined in \crossref{concreteorchardkeyagreement}. + +An \Orchard{} \defining{\paymentAddress} consists of $\Diversifier \typecolon \DiversifierType$ +and $\DiversifiedTransmitPublic \typecolon \KAPublic{Orchard}$. + +$\DiversifiedTransmitPublic$ is an encoding of a $\KA{Orchard}$ \publicKey of type +$\KAPublic{Orchard}$, for use with the encryption scheme defined in \crossref{saplingandorchardinband}. +$\Diversifier$~is a sequence of $11$ bytes. These components are derived as described in +\crossref{orchardkeycomponents}. + +\introlist +The \rawEncoding of an \Orchard{} \paymentAddress consists of: +\vspace{1ex} +\begin{equation*} +\begin{bytefield}[bitwidth=0.07em]{344} + \sbitbox{120}{$\LEBStoOSPOf{88}{\Diversifier}$} + \sbitbox{256}{$\LEBStoOSPOf{256}{\reprPstar\Of{\DiversifiedTransmitPublic}\kern 0.05em}$} +\end{bytefield} +\end{equation*} + +\begin{itemize} + \item $11$ bytes specifying $\Diversifier$. + \item $32$ bytes specifying the \swCompressedEncoding of + $\DiversifiedTransmitPublic$ (see \crossref{pallasandvesta}). +\end{itemize} + +When decoding the representation of $\DiversifiedTransmitPublic$, the address \MUST be +considered invalid if $\abstPstar$ returns $\bot$. + +\vspace{1ex} +For addresses on \Mainnet, the \defining{\humanReadablePart} (as defined in \cite{ZIP-173}) is \ascii{zo}. +For addresses on \Testnet, the \humanReadablePart is \ascii{ztestorchard}. +} %orchard + + \lsubsubsection{\SproutOrNothingText{} Incoming Viewing Keys}{sproutinviewingkeyencoding} \changed{ 
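Review bot: The decoding rule only rejects encodings for which `\abstPstar` returns `\bot`, whereas the Sapling address section additionally requires a subgroup check, and a reader comparing the two will wonder whether something was omitted. Because Pallas is prime-order no subgroup check is needed, but that should be stated, and it should be confirmed that `\abstPstar` (as opposed to a non-starred decoding) already rejects the encoding of `\ZeroP`, since an identity `\DiversifiedTransmitPublic` would make the address unusable. If so, a note such as `No subgroup check is needed because \Pallas is prime-order, and \abstPstar rejects the encoding of \ZeroP.` after the MUST would make the contrast with Sapling explicit.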
@@ -10036,7 +10255,44 @@ considered invalid if $\InViewingKey$ is not in this range. For \incomingViewingKeys on \Mainnet, the \humanReadablePart is \ascii{zivks}. For \incomingViewingKeys on \Testnet, the \humanReadablePart is \ascii{zivktestsapling}. -} +} %sapling + + +\orchard{ +\lsubsubsection{\OrchardText{} Incoming Viewing Keys}{orchardinviewingkeyencoding} + +Let $\KA{Orchard}$ be as defined in \crossref{concreteorchardkeyagreement}. + +Let $\InViewingKeyLength{Orchard}$ be as defined in \crossref{constants}. + +An \Orchard{} \defining{\incomingViewingKey} consists of $\InViewingKey \typecolon \InViewingKeyType{Orchard}$. + +$\InViewingKey$ is a $\KAPrivate{Orchard}$ key (restricted to $\InViewingKeyLength{Orchard}$ bits), +derived as described in \crossref{orchardkeycomponents}. +It is used with the encryption scheme defined in \crossref{saplingandorchardinband}. + +\introlist +The \rawEncoding of an \Orchard{} \incomingViewingKey consists of: +\vspace{1ex} +\begin{equation*} +\begin{bytefield}[bitwidth=0.07em]{256} + \sbitbox{256}{$256$-bit $\InViewingKey$} +\end{bytefield} +\end{equation*} + +\vspace{-1ex} +\begin{itemize} + \item $32$ bytes (little-endian) specifying $\InViewingKey$, padded with zeros in the most + significant bits. +\end{itemize} + +$\InViewingKey$ \MUST be in the range $\InViewingKeyType{Orchard}$ as specified +in \crossref{orchardkeycomponents}. That is, a decoded \incomingViewingKey{} \MUST be +considered invalid if $\InViewingKey$ is not in this range. + +For \incomingViewingKeys on \Mainnet, the \humanReadablePart is \ascii{zivko}. +For \incomingViewingKeys on \Testnet, the \humanReadablePart is \ascii{zivktestorchard}. +} %orchard \sapling{ 
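Review bot: The validity rule defers entirely to `\InViewingKeyType{Orchard}`, and nothing in the hunk says whether that range excludes zero; an `\InViewingKey` of 0 would make every derived `\DiversifiedTransmitPublic` the identity, so if the type is just a 254-bit range the decoding rule should explicitly require `\InViewingKey \neq 0` (or the type should be defined to exclude it). Given `\InViewingKeyLength{Orchard} = 254` inside a 256-bit little-endian field, it would also help to spell out that the two most significant bits MUST be zero, which is what the range check amounts to at the encoding level.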
@@ -10305,143 +10561,216 @@ upgrade-supporting nodes \MUST allow for this. \intropart \lsection{Consensus Changes from \BitcoinText}{consensusfrombitcoin} -\vspace{-2ex} +\vspace{-1ex} \extralabel{txnencoding}{\lsubsection{Transaction Encoding and Consensus}{txnencodingandconsensus}} -The \Zcash{} \defining{\transaction} format is as follows (this should be read in the context -of consensus rules later in the section): +The \Zcash{} \defining{\transaction} format up to and including \transactionVersion $4$ is as follows +(this should be read in the context of consensus rules later in the section): -\vspace{-1ex} \begin{center} -\scalebox{\sprout{0.87}\notsprout{\notorchard{0.84}\notbeforeorchard{0.77}}}{ +\scalebox{\sprout{0.87}\notsprout{0.8}}{ \notsprout{\renewcommand{\arraystretch}{1.3}} \hbadness=10000 -\begin{tabularx}{\sprout{1.07}\notsprout{\notorchard{1.13}\notbeforeorchard{1.25}}\textwidth}{|c|c|l|p{10em}|L|} +\begin{tabularx}{\sprout{1.07}\notsprout{1.21}\textwidth}{|c|c|l|p{10em}|L|} \hline -\!\!Version$\footnotestar$\!\! & \heading{Bytes} & \heading{Name} & \heading{Data Type} & \heading{Description} \\ +\!\!Version$\footnotestar$\!\!\! & \heading{Bytes} & \heading{Name} & \heading{Data Type} & \heading{Description} \\ \hhline{|=|=|=|=|=|} -$\geq 1$ & $4$ & $\headerField$ & \type{uint32} & Contains: \begin{compactitemize} +$\barerange{1}{4}$ & $4$ & $\headerField$ & \type{uint32} & Contains: \begin{compactitemize} \item $\fOverwintered$ flag (bit $31$) \item $\versionField$ (bits $\barerange{30}{0}$) -- \transactionVersion. \end{compactitemize} \\ \hline \notsprout{ -\setoverwinter $\geq 3$ &\setoverwinter $4$ &\setoverwinter $\nVersionGroupId\!$ &\overwintertype{uint32} &\setoverwinter +\setoverwinter $\barerange{3}{4}$ &\setoverwinter $4$ &\setoverwinter $\nVersionGroupId\!$ &\overwintertype{uint32} &\setoverwinter Version group ID (nonzero). \\ \hline } -$\geq 1$ & \Varies & $\txInCount$ & \type{compactSize} & Number of \transparent inputs. 
\\ \hline +$\barerange{1}{4}$ & \Varies & $\txInCount$ & \type{compactSize} & Number of \transparent inputs. \\ \hline -$\geq 1$ & \Varies & $\txIn$ & $\txIn$ & \xTransparent inputs, encoded as in \Bitcoin. \\ \hline +$\barerange{1}{4}$ & \Varies & $\txIn$ & $\txIn$ & \xTransparent inputs, encoded as in \Bitcoin. \\ \hline -$\geq 1$ & \Varies & $\txOutCount$ & \type{compactSize} & Number of \transparent outputs. \\ \hline +$\barerange{1}{4}$ & \Varies & $\txOutCount$ & \type{compactSize} & Number of \transparent outputs. \\ \hline -$\geq 1$ & \Varies & $\txOut$ & $\txOut$ & \xTransparent outputs, encoded as in \Bitcoin. \\ \hline +$\barerange{1}{4}$ & \Varies & $\txOut$ & $\txOut$ & \xTransparent outputs, encoded as in \Bitcoin. \\ \hline -\setorchard $\barerange{1}{4}$ & $4$ & $\lockTime$ & \type{uint32} & Unix-epoch UTC time or \blockHeight, encoded as in \Bitcoin. \\ \hline +$\barerange{1}{4}$ & $4$ & $\lockTime$ & \type{uint32} & Unix-epoch UTC time or \blockHeight, encoded as in \Bitcoin. \\ \hline \notsprout{ -\setoverwinter $\geq 3$ &\setoverwinter $4$ &\setoverwinter $\nExpiryHeight$ &\overwintertype{uint32} &\setoverwinter +\setoverwinter $\barerange{3}{4}$ &\setoverwinter $4$ &\setoverwinter $\nExpiryHeight$ &\overwintertype{uint32} &\setoverwinter A \blockHeight in the range $\range{1}{499999999}$ after which the \transaction will expire, or $0$ to disable expiry. \smash{\cite{ZIP-203}} \\ \hline -\setsapling $= 4$ &\setsapling $8$ &\setsapling $\valueBalance{Sapling}\!$ &\saplingtype{int64} &\setsapling +\setsapling $4$ &\setsapling $8$ &\setsapling $\valueBalance{Sapling}\!$ &\saplingtype{int64} &\setsapling The net value of \Sapling{} spends minus outputs. \\ \hline -\setsapling $\geq 4$ &\setsapling \Varies &\setsapling $\nShieldedSpend$ &\saplingtype{compactSize} &\setsapling +\setsapling $4$ &\setsapling \Varies &\setsapling $\nShieldedSpend$ &\saplingtype{compactSize} &\setsapling The number of \spendDescriptions in $\vShieldedSpend$. 
\\ \hline -\setsapling $\geq 4$ &\setsapling \Longunderstack{$(384\text{ or }362) \mult$ \\$\!\nShieldedSpend\!$} &\setsapling $\vShieldedSpend$ &\saplingtype{SpendDescription} \saplingtype{[$\nShieldedSpend$]} &\setsapling -A sequence of \spendDescriptions{}, encoded as in \crossref{spendencodingandconsensus}. \\ \hline +\setsapling $4$ &\setsapling \Longunderstack{$384 \mult$ \\$\!\nShieldedSpend\!$} &\setsapling $\vShieldedSpend$ &\saplingtype{SpendDescriptionV4} \saplingtype{[$\nShieldedSpend$]} &\setsapling +A sequence of \spendDescriptions{}, encoded per \crossref{spendencodingandconsensus}. \\ \hline -\setsapling $\geq 4$ &\setsapling \Varies &\setsapling $\nShieldedOutput\!$ &\saplingtype{compactSize} &\setsapling +\setsapling $4$ &\setsapling \Varies &\setsapling $\nShieldedOutput\!$ &\saplingtype{compactSize} &\setsapling The number of \outputDescriptions in $\vShieldedOutput$. \\ \hline -\setsapling $\geq 4$ &\setsapling \Longunderstack{$948 \mult$ \\$\!\nShieldedOutput\!$} &\setsapling $\vShieldedOutput\!$ &\saplingtype{OutputDescription} \saplingtype{[$\nShieldedOutput$]} &\setsapling -A sequence of \outputDescriptions{}, encoded as in \crossref{outputencodingandconsensus}. \\ \hline +\setsapling $4$ &\setsapling \Longunderstack{$948 \mult$ \\$\!\nShieldedOutput\!$} &\setsapling $\vShieldedOutput\!$ &\saplingtype{OutputDescription} \saplingtype{[$\nShieldedOutput$]} &\setsapling +A sequence of \outputDescriptions{}, encoded per \crossref{outputencodingandconsensus}. \\ \hline } %notsprout -\notbeforeorchard{ -\setorchard $\geq 5$ &\setorchard \Varies &\setorchard $\nShieldedAction\!$ &\orchardtype{compactSize} &\setorchard -The number of \actionDescriptions in $\vShieldedAction$. 
\\ \hline - -\setorchard $\geq 5$ &\setorchard \Longunderstack{$884 \mult$ \\$\!\nShieldedAction\!$} &\setorchard $\vShieldedAction\!$ &\orchardtype{ActionDescription} \orchardtype{[$\nShieldedAction$]} &\setorchard -A sequence of \actionDescriptions{}, encoded as in \crossref{actionencodingandconsensus}. \\ \hline -} %notbeforeorchard - -$\geq 2$ & \Varies & $\nJoinSplit$ & \type{compactSize} & +$\barerange{2}{4}$ & \Varies & $\nJoinSplit$ & \type{compactSize} & The number of \joinSplitDescriptions in $\vJoinSplit$. \\ \hline -\sprout{ -$\geq 2$ & \Longunderstack{$1802 \mult$ \\ $\nJoinSplit$} & $\vJoinSplit$ & \type{JoinSplitDescription}\!\! \type{[$\nJoinSplit$]} & -A \sequenceOfJoinSplitDescriptions{} using \BCTV proofs, encoded as in \crossref{joinsplitencodingandconsensus}. \\ \hline -} %sprout -\notsprout{ $\barerange{2}{3}$ & \Longunderstack{$1802 \mult$ \\ $\nJoinSplit$} & $\vJoinSplit$ & \type{JSDescriptionBCTV14}\!\! \type{[$\nJoinSplit$]} & -A \sequenceOfJoinSplitDescriptions{} using \BCTV proofs, encoded as in \crossref{joinsplitencodingandconsensus}. \\ \hline +A \sequenceOfJoinSplitDescriptions{} using \BCTV proofs, encoded per \crossref{joinsplitencodingandconsensus}. \\ \hline -\setsapling $\geq 4$ &\setsapling \Longunderstack{$1698 \mult$ \\ $\nJoinSplit$} &\setsapling $\vJoinSplit$ &\saplingtype{JSDescriptionGroth16}\!\! \saplingtype{[$\nJoinSplit$]} &\setsapling -A sequence of \joinSplitDescriptions using \Groth proofs, encoded as in \crossref{joinsplitencodingandconsensus}. \\ \hline +\notsprout{ +\setsapling $4$ &\setsapling \Longunderstack{$1698 \mult$ \\ $\nJoinSplit$} &\setsapling $\vJoinSplit$ &\saplingtype{JSDescriptionGroth16}\!\! \saplingtype{[$\nJoinSplit$]} &\setsapling +A sequence of \joinSplitDescriptions using \Groth proofs, encoded per \crossref{joinsplitencodingandconsensus}. 
\\ \hline } %notsprout -\notbeforeorchard{ -\setorchard $\geq 5\;\mathsection$ &\setorchard $8$ &\setorchard $\valueBalance{Sapling}\!$ &\orchardtype{int64} &\setorchard -The net value of \Sapling{} spends minus outputs. \\ \hline - -\setorchard $\geq 5\;\mathsection$ &\setorchard $32$ &\setorchard $\anchorField{Sapling}$ &\orchardtype{byte[32]} &\setorchard -A \merkleRoot of the \Sapling{} \noteCommitmentTree at some \blockHeight in the past, $\LEBStoOSPOf{256}{\rt{Sapling}}$. \\ \hline - -\setorchard $\geq 5\;\mathsection$ &\setorchard $8$ &\setorchard $\valueBalance{Orchard}\!$ &\orchardtype{int64} &\setorchard -The net value of \Orchard{} spends minus outputs. \\ \hline - -\setorchard $\geq 5\;\mathsection$ &\setorchard $32$ &\setorchard $\anchorField{Orchard}$ &\orchardtype{byte[32]} &\setorchard -A \merkleRoot of the \Orchard{} \noteCommitmentTree at some \blockHeight in the past, $\LEBStoOSPOf{256}{\rt{Orchard}}$. \\ \hline -} %notbeforeorchard - -$\geq 2\;\dagger$ & $32$ & $\joinSplitPubKey\!$ & \type{byte[32]} & +$\barerange{2}{4}\;\dagger$ & $32$ & $\joinSplitPubKey\!$ & \type{byte[32]} & An encoding of a $\JoinSplitSig$ public \validatingKey. \\ \hline -$\geq 2\;\dagger$ & $64$ & $\joinSplitSig$ & \type{byte[64]} & +$\barerange{2}{4}\;\dagger$ & $64$ & $\joinSplitSig$ & \type{byte[64]} & A signature on a prefix of the \transaction encoding, to be verified using $\joinSplitPubKey$ as specified in \crossref{sproutnonmalleability}. \\ \hline \notsprout{ -\setsapling $\geq 4\;\ddagger$ &\setsapling $64$ &\setsapling $\bindingSig{Sapling}$ &\saplingtype{byte[64]} &\setsapling +\setsapling $4\;\ddagger$ &\setsapling $64$ &\setsapling $\bindingSig{Sapling}$ &\saplingtype{byte[64]} &\setsapling A \saplingBindingSignature on the \sighashTxHash, to be verified as specified in \crossref{concretebindingsig}. 
\\ \hline } %notsprout -\notbeforeorchard{ -\setorchard $\geq 5\;\mathsection$ &\setorchard $64$ &\setorchard $\bindingSig{Orchard}$ &\orchardtype{byte[64]} &\setorchard -An \orchardBindingSignature on the \sighashTxHash, to be verified as specified in \crossref{concretebindingsig}. \\ \hline -} %notbeforeorchard \end{tabularx} \renewcommand{\arraystretch}{\defaultarraystretch} } %scalebox \end{center} -{\footnotesize -$\footnotestar$ Version constraints apply to the $\effectiveVersion$, which is equal to -$\minimum(2, \versionField)$ when $\fOverwintered = 0$ and to $\versionField$ otherwise. +\begin{tabularx}{\textwidth}{@{}l@{\hskip 1em}X@{}} +$\footnotestar$ & Version constraints apply to the $\effectiveVersion$, which is equal to +$\minimum(2, \versionField)$ when $\fOverwintered = 0$ and to $\versionField$ otherwise. \\ -\vspace{-1ex} -$\dagger$ The \joinSplitPubKey{} and \joinSplitSig{} fields are present if and only if -$\effectiveVersion \geq 2$ and $\nJoinSplit > 0$. +$\dagger$ & The \joinSplitPubKey{} and \joinSplitSig{} fields are present if and only if +$\effectiveVersion \geq 2$ and $\nJoinSplit > 0$. \\ + +\notsprout{ +\setsapling $\ddagger$ & \textcolor{\saplingcolor}{\bindingSig{Sapling} is present if and only if +$\effectiveVersion = 4$ and $\nShieldedSpend + \nShieldedOutput > 0$.} +} %notsprout +\end{tabularx} \sapling{ -\vspace{-1ex} -$\ddagger$ The \bindingSig{Sapling} field is present if and only if -$\effectiveVersion \geq 4$ and $\nShieldedSpend + \nShieldedOutput > 0$. +Note that the \valueBalance{Sapling} field is always present for these \transactionVersions. } %sapling +\sprout{\vspace{3ex}} \orchard{ -\vspace{-1.5ex} -$\mathsection$ The \anchorField{Orchard} and \bindingSig{Orchard} fields are present if and only if -$\effectiveVersion \geq 5$ and $\nShieldedAction > 0$. 
+\introlist +The \Zcash{} \defining{\transaction} format for \transactionVersion 5 is as follows +(this should be read in the context of consensus rules later in the section): + +\vspace{-1ex} +\begin{center} +\scalebox{0.8}{ +\notsprout{\renewcommand{\arraystretch}{1.3}} +\hbadness=10000 +\begin{tabularx}{1.21\textwidth}{|c|c|l|p{10em}|L|} +\hline +\!\!Version\!\! & \heading{Bytes} & \heading{Name} & \heading{Data Type} & \heading{Description} \\ +\hhline{|=|=|=|=|=|} + +$\geq 5$ & $4$ & $\headerField$ & \type{uint32} & Contains: \begin{compactitemize} + \item $\fOverwintered$ flag (bit $31$, always set) + \item $\versionField$ (bits $\barerange{30}{0}$) -- + \transactionVersion. + \end{compactitemize} \\ \hline + +$\geq 5$ & $4$ & $\nVersionGroupId\!$ & \type{uint32} & Version group ID (nonzero). \\ \hline + +$\geq 5$ & $4$ & $\lockTime$ & \type{uint32} & Unix-epoch UTC time or \blockHeight, encoded as in \Bitcoin. \\ \hline + +$\geq 5$ & $4$ & $\nExpiryHeight$ & \type{uint32} & +A \blockHeight in the range $\range{1}{499999999}$ after which the \transaction will expire, or $0$ to disable expiry. +\smash{\cite{ZIP-203}} \\ \hline + +$\geq 5$ & \Varies & $\txInCount$ & \type{compactSize} & Number of \transparent inputs. \\ \hline + +$\geq 5$ & \Varies & $\txIn$ & $\txIn$ & \xTransparent inputs, encoded as in \Bitcoin. \\ \hline + +$\geq 5$ & \Varies & $\txOutCount$ & \type{compactSize} & Number of \transparent outputs. \\ \hline + +$\geq 5$ & \Varies & $\txOut$ & $\txOut$ & \xTransparent outputs, encoded as in \Bitcoin. \\ \hline + +$\geq 5$ & \Varies & $\nShieldedSpend$ & \type{compactSize} & +The number of \spendDescriptions in $\vShieldedSpend$. \\ \hline + +$\geq 5$ & \Longunderstack{$362 \mult$ \\$\!\nShieldedSpend\!$} & $\vShieldedSpend$ & \type{SpendDescriptionV5} \type{[$\nShieldedSpend$]} & +A sequence of \spendDescriptions{}, encoded per \crossref{spendencodingandconsensus}. 
\\ \hline + +$\geq 5$ & \Varies & $\nShieldedOutput\!$ & \type{compactSize} & +The number of \outputDescriptions in $\vShieldedOutput$. \\ \hline + +$\geq 5$ & \Longunderstack{$948 \mult$ \\$\!\nShieldedOutput\!$} & $\vShieldedOutput\!$ & \type{OutputDescription} \type{[$\nShieldedOutput$]} & +A sequence of \outputDescriptions{}, encoded per \crossref{outputencodingandconsensus}. \\ \hline + +$\geq 5\;\mathsection$ & $8$ & $\valueBalance{Sapling}\!$ & \type{int64} & +The net value of \Sapling{} spends minus outputs. \\ \hline + +$\geq 5\;\mathsection$ & $32$ & $\anchorField{Sapling}$ & \type{byte[32]} & +A \merkleRoot of the \Sapling{} \noteCommitmentTree at some \blockHeight in the past, $\LEBStoOSP{256}\big(\rt{Sapling}\big)$. \\ \hline + +$\geq 5\;\mathsection$ & $64$ & $\bindingSig{Sapling}$ & \type{byte[64]} & +A \saplingBindingSignature on the \sighashTxHash, to be verified as specified in \crossref{concretebindingsig}. \\ \hline + +$\geq 5$ & \Varies &\setorchard $\nShieldedAction\!$ & \type{compactSize} & +The number of \actionDescriptions in $\vShieldedAction$. \\ \hline + +$\geq 5$ & \Longunderstack{$884 \mult$ \\$\!\nShieldedAction\!$} & $\vShieldedAction\!$ & \type{ActionDescription} \type{[$\nShieldedAction$]} & +A sequence of \actionDescriptions{}, encoded per \crossref{actionencodingandconsensus}. \\ \hline + +$\geq 5\;\mathsection$ & $8$ & $\valueBalance{Orchard}\!$ & \type{int64} & +The net value of \Orchard{} spends minus outputs. \\ \hline + +$\geq 5\;\mathsection$ & $32$ & $\anchorField{Orchard}$ & \type{byte[32]} & +A \merkleRoot of the \Orchard{} \noteCommitmentTree at some \blockHeight in the past, $\LEBStoOSP{256}\big(\rt{Orchard}\big)$. \\ \hline + +$\geq 5\;\mathsection$ & $64$ & $\bindingSig{Orchard}$ & \type{byte[64]} & +An \orchardBindingSignature on the \sighashTxHash, to be verified as specified in \crossref{concretebindingsig}. 
\\ \hline + +$\geq 5$ & \Varies & $\nJoinSplit$ & \type{compactSize} & +The number of \joinSplitDescriptions in $\vJoinSplit$. \\ \hline + +$\geq 5$ & \Longunderstack{$1698 \mult$ \\ $\nJoinSplit$} & $\vJoinSplit$ & \type{JSDescriptionGroth16}\!\! \type{[$\nJoinSplit$]} & +A sequence of \joinSplitDescriptions using \Groth proofs, encoded per \crossref{joinsplitencodingandconsensus}. \\ \hline + +$\geq 5\;\dagger$ & $32$ & $\joinSplitPubKey\!$ & \type{byte[32]} & +An encoding of a $\JoinSplitSig$ public \validatingKey. \\ \hline + +$\geq 5\;\dagger$ & $64$ & $\joinSplitSig$ & \type{byte[64]} & +A signature on a prefix of the \transaction encoding, to be verified using $\joinSplitPubKey$ as specified in +\crossref{sproutnonmalleability}. \\ \hline + +\end{tabularx} +\renewcommand{\arraystretch}{\defaultarraystretch} +} %scalebox +\end{center} + +\vspace{-2ex} +\begin{tabularx}{\textwidth}{@{}l@{\hskip 1em}X@{}} +$\dagger$ & The \joinSplitPubKey{} and \joinSplitSig{} fields are present if and only if +$\nJoinSplit > 0$. \\ + +$\ddagger$ & The \valueBalance{Sapling}, \anchorField{Sapling}, and \bindingSig{Sapling} fields +are present if and only if $\nShieldedSpend + \nShieldedOutput > 0$. If \valueBalance{Sapling} +is not present, then $\vBalance{Sapling}$ is defined to be $0$. \\ + +$\mathsection$ & The \valueBalance{Orchard}, \anchorField{Orchard}, and \bindingSig{Orchard} fields +are present if and only if $\nShieldedAction > 0$. If \valueBalance{Orchard} is not present, then +$\vBalance{Orchard}$ is defined to be $0$. +\end{tabularx} + +Note that several fields are reordered relative to prior \transactionVersions. } %orchard -} %footnotesize -\sprout{\vspace{3ex}} \begin{consensusrules} \item The \defining{\transactionVersionNumber} \MUST be greater than or equal to $1$. 
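Review bot: In the version 5 table the \valueBalance{Sapling}, \anchorField{Sapling} and \bindingSig{Sapling} rows carry the marker `$\geq 5\;\mathsection$`, but the footnote block below keys the Sapling presence condition ($\nShieldedSpend + \nShieldedOutput > 0$) on `$\ddagger$` and reserves `$\mathsection$` for the Orchard fields, so no row references $\ddagger$ and a reader of those three rows is sent to the Orchard condition ($\nShieldedAction > 0$) instead. Change the version cell of the three Sapling rows to `$\geq 5\;\ddagger$`. Separately, the \nShieldedAction row still has a stray `\setorchard` before `$\nShieldedAction\!$` (`$\geq 5$ & \Varies &\setorchard $\nShieldedAction\!$ & \type{compactSize} &`), which no other cell of this otherwise uncolored table uses; drop it so that one cell is not rendered in a different color. The \orchard{...} wrapper around the v5 table opens and closes within the hunk.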
@@ -10462,7 +10791,7 @@ $\effectiveVersion \geq 5$ and $\nShieldedAction > 0$.
   \saplingonwarditem{At least one of \txOutCount, \nShieldedOutput, and \nJoinSplit{} \MUST be nonzero.}
   \item A \transaction with one or more \transparent inputs from \coinbaseTransactions{} \MUST have no
     \transparent outputs (i.e.\ \txOutCount{} \MUST be $0$). Inputs from
-    \coinbaseTransactions include \foundersReward outputs and \fundingStream outputs.
+    \coinbaseTransactions include \foundersReward outputs\canopy{ and \fundingStream outputs}.
   \item If $\effectiveVersion \geq 2$ and $\nJoinSplit > 0$, then:
     \begin{itemize}
       \item \joinSplitPubKey{} \MUST be a valid encoding (see \crossref{concretejssig}) of
@@ -10474,7 +10803,7 @@ $\effectiveVersion \geq 5$ and $\nShieldedAction > 0$.
   \saplingonwarditem{If $\effectiveVersion \geq 4$ and $\nShieldedSpend + \nShieldedOutput > 0$, then:
     \begin{itemize}
-      \item let $\BindingPublic$ and $\SigHash$ be as defined in \crossref{saplingbalance};
+      \item let $\BindingPublic{Sapling}$ and $\SigHash$ be as defined in \crossref{saplingbalance};
       \item \bindingSig{Sapling} \MUST represent a valid signature under the \txBindingValidatingKey $\BindingPublic{Sapling}$ of $\SigHash$ --- i.e.\ $\BindingSigValidate{Sapling}{\BindingPublic{Sapling}}(\SigHash, \bindingSig{Sapling}) = 1$.
@@ -10485,25 +10814,22 @@ $\effectiveVersion \geq 5$ and $\nShieldedAction > 0$.
   \orchardonwarditem{If $\effectiveVersion \geq 5$ and $\nShieldedAction > 0$, then:
     \begin{itemize}
-      \item let $\BindingPublic$ and $\SigHash$ be as defined in \crossref{orchardbalance};
+      \item let $\BindingPublic{Orchard}$ and $\SigHash$ be as defined in \crossref{orchardbalance};
       \item \bindingSig{Orchard} \MUST represent a valid signature under the \txBindingValidatingKey $\BindingPublic{Orchard}$ of $\SigHash$ --- i.e.\ $\BindingSigValidate{Orchard}{\BindingPublic{Orchard}}(\SigHash, \bindingSig{Orchard}) = 1$.
     \end{itemize}}
   \vspace{-1ex}
-  \saplingonwarditem{If $\effectiveVersion \geq 5$ and $\nShieldedAction = 0$,
-  then $\valueBalance{Orchard}$ \MUST be $0$.}
   \item The total value in \zatoshi of \transparentOutputs from a \coinbaseTransaction\heartwood{, minus
-    the $\valueBalance{Sapling}$ field\orchard{ if present},}\orchard{ minus the $\valueBalance{Orchard}$
-    field if present,} \MUSTNOT be greater than the value in \zatoshi of \minerSubsidy plus the
-    \transactionFees paid by \transactions in this \block.
+    $\vBalance{Sapling}$,}\orchard{ minus $\vBalance{Orchard}$,} \MUSTNOT be greater than the value in
+    \zatoshi of \minerSubsidy plus the \transactionFees paid by \transactions in this \block.
   \notheartwood{
   \item A \coinbaseTransaction{} \MUSTNOT have any \joinSplitDescriptions\sapling{, \spendDescriptions, or \outputDescriptions}.
   }
   \notbeforeheartwood{
   \item A \coinbaseTransaction{} \MUSTNOT have any
-    \joinSplitDescriptions\sapling{ or \spendDescriptions}\orchard{ or \actionDescriptions}.
+    \joinSplitDescriptions\sapling{ or \spendDescriptions}.
     \preheartwooditem{\sapling{A \coinbaseTransaction also \MUSTNOT have any \outputDescriptions.}}
   }
   \item A \coinbaseTransaction for a \block at \blockHeight greater than $0$ \MUST have a script
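Review bot: Removing `\orchard{ or \actionDescriptions}` from the \notbeforeheartwood coinbase rule means a \coinbaseTransaction may now contain \actionDescriptions, and unlike an \outputDescription an action has a spend side, so after this hunk nothing in this list prevents a coinbase from spending \Orchard{} notes; the hunk adds no replacement constraint. If that restriction is intended to live elsewhere (for instance in \crossref{actionencodingandconsensus}, outside this hunk), a cross-reference here would make the coinbase rules self-contained; if it does not exist yet, add an item such as `\orchard{\item A \coinbaseTransaction{} \MUSTNOT spend any \Orchard{} note via its \actionDescriptions.}`. The dropped \saplingonwarditem rule on $\valueBalance{Orchard}$ is subsumed only if $\vBalance{Orchard}$ is defined as $0$ whenever the field is absent, which is stated in the table footnotes rather than in this consensus list. The consensusrules environment continues on both sides of the hunk.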
@@ -12461,7 +12787,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
   \item Add Ying Tong Lai and Kris Nuttycombe as \Zcash protocol designers.
   \sapling{
   \item Change the specification of $\abstJ$ in \crossref{jubjub} to match the implementation.
-  \item Repair the argument for $\GroupJHash{\URS}$ being usable as a random oracle, which
+  \item Repair the argument for $\GroupJHash{\URS}$ being usable as a \randomOracle, which
     previously depended on $\abstJ$ being injective.
   \item In $\RedDSA$ verification, clarify that $\RedDSAReprR{}$ used as part of the input to $\RedDSAHashToScalar$ must be exactly as encoded in the signature.
@@ -13075,10 +13401,10 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
   \item Clarify the use of \BCTV vs \Groth proofs in \joinSplitStatements.
   \item Clarify that the $\possqrt{a}$ notation refers to the positive square root. (This matters for the conversion in \crossref{cctconversion}.)
-  \item Model the group hash as a random oracle. This appears to be unavoidable in order to allow
+  \item Model the group hash as a \randomOracle. This appears to be unavoidable in order to allow
     proving unlinkability of $\DiversifyHash{Sapling}$. Explain how this relates to the Discrete Logarithm Independence assumption used previously, and justify this modelling by showing that it
-    follows from treating $\BlakeTwos{256}$ as a random oracle in the instantiation of
+    follows from treating $\BlakeTwos{256}$ as a \randomOracle in the instantiation of
     $\GroupJHash{}$.
   \item Rename $\mathsf{CRS}$ (Common Random String) to $\URS$ (\uniformRandomString), to match the terminology adopted at the first zkproof workshop held in Boston, Massachusetts
diff --git a/protocol/zcash.bib b/protocol/zcash.bib
index c8451382..f9bd1200 100644
--- a/protocol/zcash.bib
+++ b/protocol/zcash.bib
@@ -631,6 +631,36 @@ Proceedings of the 30th Annual International Cryptology Conference
     urldate={2021-01-28}
 }
+@misc{MRH2003,
+  presort={MRH2003},
+  author={Ueli Maurer and Renato Renner and Clemens Holenstein},
+  title={Indifferentiability, Impossibility Results on Reductions, and Applications to the {R}andom {O}racle Methodology},
+  url={https://eprint.iacr.org/2003/161},
+  urldate={2021-02-10},
+  date={2003-09},
+  howpublished={Cryptology ePrint Archive: Report 2003/161. Received August~8, 2003.}
+}
+
+@misc{Cook2019,
+  presort={Cook2019},
+  author={John D. Cook},
+  title={What is an isogeny?},
+  howpublished={Blog post.},
+  date={2019-04-21},
+  url={https://www.johndcook.com/blog/2019/04/21/what-is-an-isogeny/},
+  urldate={2021-02-10}
+}
+
+@misc{Sutherland2019,
+  presort={Sutherland2019},
+  author={Andrew Sutherland},
+  title={MIT Open Courseware, Mathematics 18.783 Elliptic Curves, Lecture Notes},
+  howpublished={Massachusetts Institute of Technology. Spring 2019.},
+  date={2019-04-21},
+  url={https://ocw.mit.edu/courses/mathematics/18-783-elliptic-curves-spring-2019/lecture-notes/index.htm},
+  urldate={2021-02-10}
+}
+
 @misc{Certicom2010,
   presort={Certicom2010},
   author={Certicom Research},
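Review bot: The `date={2019-04-21}` field on the Sutherland2019 entry is byte-identical to the Cook2019 blog-post date directly above it, while its own `howpublished` says `Spring 2019`; this looks like a copy-paste leftover rather than a real publication day for a lecture-notes index page. Either replace it with the term, `date={2019}`, or drop the field and let `howpublished` carry the season, so the rendered reference does not attach a spurious day to the notes. The MRH2003 and Cook2019 entries look internally consistent.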