cm in an Output description encodes only the u-coordinate of the note commitment, not the full curve point.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2018-05-22 23:28:08 +01:00
parent 48d9fcbc79
commit ae491d4a4b
1 changed files with 18 additions and 8 deletions


@ -1129,6 +1129,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\cvOld}[1]{\cv^\mathsf{old}_{#1}}
\newcommand{\cvNew}[1]{\cv^\mathsf{new}_{#1}}
\newcommand{\cm}{\mathsf{cm}}
\newcommand{\cmU}{\mathsf{cm}_{\kern -0.06em u}}
\newcommand{\cmOld}[1]{\cm^\mathsf{old}_{#1}}
\newcommand{\cmNew}[1]{\cm^\mathsf{new}_{#1}}
\newcommand{\snOld}[1]{\mathsf{sn}^\mathsf{old}_{#1}}
@ -2327,7 +2328,7 @@ knowledge of $\AuthSignPrivate$.}
\subsubsection{\NotePlaintexts{} and \Memos} \label{noteptconcept}
Transmitted \notes are stored on the \blockchain in encrypted form, together with
a \noteCommitment $\cm$.
a representation of the \noteCommitment $\cm$.
The \notePlaintexts in a \joinSplitDescription are encrypted to the
respective \transmissionKeys $\TransmitPublicNew{\allNew}$.
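Review bot: "a representation of the \noteCommitment $\cm$" (replacing "a \noteCommitment $\cm$") is vaguer than the rest of this change, which everywhere else pins the stored value down to $\cmU$, the $u$-coordinate obtained via $\ExtractJ$. Consider naming it here as well, e.g. "together with the $u$-coordinate $\cmU$ of the \noteCommitment $\cm$", with a cross-reference to the \outputDescription section, so a reader of this concept section is not left to guess which representation is meant.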
@ -3737,6 +3738,8 @@ where
\vspace{2ex}
\begin{consensusrules}
\item Elements of a \spendDescription{} \MUST have the types given above.
\item $\AuthSignRandomizedPublic$ \MUSTNOT be of small order, i.e.\ $\scalarmult{\ParamJ{h}}{\AuthSignRandomizedPublic}$
\MUSTNOT be $\ZeroJ$.
\item The proof $\Proof{\Spend}$ \MUST be valid given a \primaryInput formed
from the other fields except $\spendAuthSig$.
I.e.\ it must be the case that $\SpendVerify{}((\cv, \rt, \nf, \AuthSignRandomizedPublic), \Proof{\Spend}) = 1$.
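Review bot: With the matching check removed from the \spendStatement later in this change, this new consensus rule becomes the only place where $\AuthSignRandomizedPublic$ is required to be of non-small order, but the rule itself gives no hint of that. A short parenthetical such as "(this is not checked by the \spendStatement)" with a cross-reference to the \spendStatement notes would make the dependency visible to implementers who read the consensus rules in isolation.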
@ -3757,12 +3760,13 @@ Each \transaction includes a sequence of zero or more \outputDescriptions.
There are no signatures associated with \outputDescriptions.
\introlist
An \outputDescription consists of $(\cv, \cm, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \ProofOutput)$
An \outputDescription consists of $(\cv, \cmU, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \ProofOutput)$
where
\begin{itemize}
\item $\cv \typecolon \ValueCommitOutput$ is the \valueCommitment to the value of the output \note;
\item $\cm \typecolon \NoteCommitSaplingOutput$ is the \noteCommitment for the output \note;
\item $\cmU \typecolon \MerkleHashSapling$ is the result of applying $\ExtractJ$ (defined
in \crossref{concreteextractorjubjub}) to the \noteCommitment for the output \note;
\item $\EphemeralPublic \typecolon \KASaplingPublic$ is
a key agreement public key, used to derive the key for encryption
of the \noteCiphertext (\crossref{saplinginband});
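Review bot: The definition of $\cmU$ in this list ("the result of applying $\ExtractJ$ ... to the \noteCommitment") does not agree with the other hunks of this change, where $\cmU = \ItoLEBSP{\MerkleHashLengthSapling}(\ExtractJ(\cm))$. If $\ExtractJ$ returns an integer, as the $\ItoLEBSP$ wrapping elsewhere implies, then either the type $\MerkleHashSapling$ given here is wrong or the wording must include the conversion, e.g. "$\cmU = \ItoLEBSPOf{\MerkleHashLengthSapling}{\ExtractJ(\cm)}$, where $\ExtractJ$ is defined in \crossref{concreteextractorjubjub}". Pick one form and use it in all three places.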
@ -4519,7 +4523,8 @@ $\cmOld{} = \NoteCommitSapling{\NoteCommitRandOld{}}(\reprJOf{\DiversifiedTransm
\snarkcondition{Merkle path validity} \label{saplingmerklepathvalidity}
Either $\vOld{} = 0$; or $(\TreePath{}, \NotePosition)$ is a valid \merklePath of depth $\MerkleDepthSapling$,
as defined in \crossref{merklepath}, from $\ExtractJ(\cmOld{})$ to the \anchor $\rt$.
as defined in \crossref{merklepath}, from $\cmU = \ItoLEBSP{\MerkleHashLengthSapling}\!\big(\ExtractJ(\cmOld{})\kern-0.1em\big)$
to the \anchor $\rt$.
\snarkcondition{Value commitment integrity} \label{spendvaluecommitmentintegrity}
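Review bot: Reusing the symbol $\cmU$ for a value derived from $\cmOld{}$ is confusing: in the \outputDescription hunk $\cmU$ is a field of an \outputDescription, i.e. derived from a new \note's commitment, whereas here it is derived from the spent \note's $\cmOld{}$. Either leave the value unnamed ("from $\ItoLEBSPOf{\MerkleHashLengthSapling}{\ExtractJ(\cmOld{})}$") or give it an $\mathsf{old}$ superscript. As a style point, this line spells the conversion as \ItoLEBSP{...}\!\big(...\big) while the encoding table row uses \ItoLEBSPOf{...}{...}; prefer one macro form throughout.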
@ -4527,9 +4532,8 @@ $\cvOld{} = \ValueCommit{\ValueCommitRandOld{}}(\vOld{})$.
\snarkcondition{Small order checks} \label{spendnonsmall}
$\AuthSignRandomizedPublic, \DiversifiedTransmitBase, \AuthSignPublic$
are not of small order, i.e.\ $\scalarmult{\ParamJ{h}}{\AuthSignRandomizedPublic} \neq \ZeroJ$
and $\scalarmult{\ParamJ{h}}{\DiversifiedTransmitBase} \neq \ZeroJ$
$\DiversifiedTransmitBase$ and $\AuthSignPublic$
are not of small order, i.e.\ $\scalarmult{\ParamJ{h}}{\DiversifiedTransmitBase} \neq \ZeroJ$
and $\scalarmult{\ParamJ{h}}{\AuthSignPublic} \neq \ZeroJ$.
\snarkcondition{\Nullifier{} integrity} \label{spendnullifierintegrity}
@ -4570,6 +4574,9 @@ For details of the form and encoding of \spendStatement proofs, see \crossref{gr
\item In the Merkle path validity check, each \merkleLayer does \emph{not} check that its
input bit sequence is a canonical encoding (in $\range{0}{\ParamJ{r}-1}$) of the integer
from the previous \merkleLayer.
\item It is \emph{not} checked in the \spendStatement that $\AuthSignRandomizedPublic$ is not of
small order. However, this \emph{is} checked outside the \spendStatement, as specified in
\crossref{spenddesc}.
\item $\SpendAuthSigRandomizePublic(\AuthSignRandomizer, \AuthSignPublic) = \AuthSignPublic + \scalarmult{\AuthSignRandomizer}{\AuthSignBase}$.
($\AuthSignBase$ is as defined in \crossref{concretespendauthsig}.)
\end{pnotes}
@ -7802,7 +7809,7 @@ $32$ & $\cvField$ & \type{char[32]} & A \valueCommitment to the value of the out
$\LEBStoOSPOf{256}{\cv}$. \\ \hline
$32$ & $\cmField$ & \type{char[32]} & The \noteCommitment for the output \note,
$\LEBStoOSPOf{256}{\cm}$. \\ \hline
$\LEBStoOSPOf{256}{\cmU}$ where $\cmU = \ItoLEBSPOf{\MerkleHashLengthSapling}{\ExtractJ(\cm)}$. \\ \hline
$32$ & $\ephemeralKey$ & \type{char[32]} & An encoding of a $\JubjubCurve$ public key $\EphemeralPublic$
(see \crossref{concretesaplingkeyagreement}). \\ \hline
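Review bot: The row description still reads "The \noteCommitment for the output \note" although the encoded value is now only its $u$-coordinate; the changelog entry in this same commit says exactly that, so the description should become "The $u$-coordinate of the \noteCommitment for the output \note". Also check the lengths: $\cmU$ is a $\MerkleHashLengthSapling$-bit sequence but is passed to $\LEBStoOSPOf{256}{\cdot}$; unless $\MerkleHashLengthSapling = 256$, the subscript should be $\MerkleHashLengthSapling$ (or the sequence explicitly padded to $256$ bits) for the types to agree, as they do in the $\cvField$ row above.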
@ -9010,6 +9017,9 @@ found by Brian Warner.
\item Fail \Sapling key generation if $\InViewingKey = 0$. (This has negligible probability.)
\item Change the notation $\RedDSAHash^{\star}$ to $\RedDSAHashToScalar$ in \crossref{concreteredjubjub},
to avoid confusion with the $^{\Repr}$ convention for representations of group elements.
\item $\cmField$ encodes only the $u$-coordinate of the \noteCommitment, not the full curve point.
\item $\AuthSignRandomizedPublic$ is checked to be not of small order outside the \spendStatement,
not in the \spendStatement.
\item Change terminology describing constraint systems.
} %sapling
\end{itemize}