Macro simplifications.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2018-08-11 21:05:19 +01:00
parent 0a1a01513f
commit b2f42d987c
1 changed files with 65 additions and 72 deletions


@ -881,6 +881,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\constraint}[3]{\lincomb{#1}\hairspace \vartimes\hairspace \lincomb{#2}\hairspace =\hairspace \lincomb{#3}}
\newcommand{\lconstraint}[1]{\lincomb{#1}\hairspace \vartimes\mhspace{0.25em}}
\newcommand{\maybe}[1]{{#1} \union \setof{\bot}}
\newcommand{\Of}[1]{\!\left({#1}\right)\!}
% Hashes
@ -1504,9 +1505,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\Zero}{\mathcal{O}}
\newcommand{\Generator}{\mathcal{P}}
\newcommand{\Selectu}{\scalebox{1.53}{$u$}}
\newcommand{\SelectuOf}[1]{\Selectu\!\left({#1}\right)\!}
\newcommand{\Selectv}{\scalebox{1.53}{$\varv$}}
\newcommand{\SelectvOf}[1]{\Selectv\!\left({#1}\right)\!}
\newcommand{\subgroupr}{(\kern-0.075emr\kern-0.075em)}
\newcommand{\Extract}{\mathsf{Extract}}
\newcommand{\GroupHash}{\mathsf{GroupHash}}
@ -1537,9 +1536,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ellG}[1]{\ell_{\GroupG{#1}}}
\newcommand{\ReprG}[1]{\bitseq{\ellG{#1}}}
\newcommand{\reprG}[1]{\repr_{\GroupG{#1}}}
\newcommand{\reprGOf}[2]{\reprG{#1}\!\left({#2}\right)\!}
\newcommand{\abstG}[1]{\abst_{\GroupG{#1}}}
\newcommand{\abstGOf}[2]{\abstG{#1}\!\left({#2}\right)\!}
\newcommand{\PairingG}{\ParamG{\hat{e}}}
\newcommand{\ExtractG}{\Extract_{\SubgroupG}}
@ -1557,10 +1554,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ZeroS}[1]{\Zero_{\GroupS{#1}}}
\newcommand{\GenS}[1]{\Generator_{\GroupS{#1}}}
\newcommand{\ellS}[1]{\ell_{\GroupS{#1}}}
\newcommand{\reprS}[1]{\repr_{\GroupG{#1}}}
\newcommand{\reprSOf}[1]{\reprS\!\left({#1}\right)\!}
\newcommand{\abstS}{\abst_{\GroupS}}
\newcommand{\abstSOf}[1]{\abstS\!\left({#1}\right)\!}
\newcommand{\reprS}[1]{\repr_{\GroupS{#1}}}
\newcommand{\abstS}[1]{\abst_{\GroupS{#1}}}
\newcommand{\PairingS}{\ParamS{\hat{e}}}
\newcommand{\MillerLoopS}{\ParamS{\mathsf{MillerLoop}}}
\newcommand{\FinalExpS}{\ParamS{\mathsf{FinalExp}}}
@ -1579,9 +1574,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ReprJ}{\bitseq{\ellJ}}
\newcommand{\ReprJBytes}{\byteseq{\ellJ/8}}
\newcommand{\reprJ}{\repr_{\GroupJ}}
\newcommand{\reprJOf}[1]{\reprJ\!\left({#1}\right)\!}
\newcommand{\abstJ}{\abst_{\GroupJ}}
\newcommand{\abstJOf}[1]{\abstJ\!\left({#1}\right)\!}
\newcommand{\SignedScalarLimitJ}{\frac{\ParamJ{r}-1}{2}}
\newcommand{\ExtractJ}{\Extract_{\SubgroupJ}}
@ -1590,7 +1583,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\GroupJHashInput}{\GroupJHash{}\mathsf{.Input}}
\newcommand{\HashOutput}{\bytes{H}}
\newcommand{\FindGroupJHash}{\FindGroupHash^{\SubgroupJ}}
\newcommand{\FindGroupJHashOf}[1]{\FindGroupJHash\!\left({#1}\right)\!}
\newcommand{\ParamM}[1]{{{#1}_\mathbb{\hskip 0.03em M}}}
\newcommand{\ParamMexp}[2]{{{#1}_\mathbb{\hskip 0.03em M}\!}^{#2}}
@ -2365,8 +2357,8 @@ $\NoteTuple{} = (\Diversifier, \DiversifiedTransmitPublic, \Value, \NoteCommitRa
\vspace{-1ex}
\item $\NoteCommitmentSapling(\NoteTuple{}) := \begin{cases}
\bot, &\caseif \DiversifiedTransmitBase = \bot \\
\NoteCommitSapling{\NoteCommitRand}(\reprJOf{\DiversifiedTransmitBase},
\reprJOf{\DiversifiedTransmitPublic},
\NoteCommitSapling{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase},
\reprJ\Of{\DiversifiedTransmitPublic},
\Value), &\caseotherwise.
\end{cases}$
\end{formulae}
@ -3466,7 +3458,7 @@ A \representedPairing $\GroupP{}$ consists of:
\begin{itemize}
\item (Bilinearity)\; for all $a, b \typecolon \GFstar{r}$,
$P \typecolon \GroupP{1}$, and $Q \typecolon \GroupP{2}$,\;
$\PairingP(\scalarmult{a}{P}, \scalarmult{b}{Q}) = \PairingP(P, Q)^{a \mult b}$;\, and
$\PairingP\Of{\scalarmult{a}{P}, \scalarmult{b}{Q}} = \PairingP\Of{P, Q}^{a \mult b}$;\, and
\item (Nondegeneracy)\; there does not exist $P \typecolon \GroupP{1} \setminus \ZeroP{1}$
such that for all $Q \typecolon \GroupP{2},\;
\PairingP(P, Q) = \ParamP{\mathbf{1}}$.
@ -3647,7 +3639,7 @@ Let $\LEBStoOSP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \righta
and $\LEOStoIP{} \typecolon (\ell \typecolon \Nat \suchthat \ell \bmod 8 = 0) \times \byteseq{\ell/8} \rightarrow \binaryrange{\ell}$
be as defined in \crossref{endian}.
Define $\AuthProveBase := \FindGroupJHashOf{\ascii{Zcash\_H\_}, \ascii{}}$.
Define $\AuthProveBase := \FindGroupJHash\Of{\ascii{Zcash\_H\_}, \ascii{}}$.
Define $\ToScalar(x \typecolon \PRFOutputExpand) := \LEOStoIPOf{\PRFOutputLengthExpand}{x} \pmod{\ParamJ{r}}$.
@ -3676,7 +3668,7 @@ the \incomingViewingKey $\InViewingKey \typecolon \InViewingKeyTypeSapling$ are
\begin{tabular}{@{\hskip 1.7em}r@{\;}l}
$\AuthSignPublic$ &$:= \SpendAuthSigDerivePublic(\AuthSignPrivate)$ \\
$\AuthProvePublic$ &$:= \scalarmult{\AuthProvePrivate}{\AuthProveBase}$ \\
\plap{$\InViewingKey$}{$\OutViewingKey$} &$:= \CRHivk\big(\reprJOf{\AuthSignPublic}, \reprJOf{\AuthProvePublic}\kern-0.08em\big)$.
\plap{$\InViewingKey$}{$\OutViewingKey$} &$:= \CRHivk\big(\reprJ\Of{\AuthSignPublic}, \reprJ\Of{\AuthProvePublic}\kern-0.08em\big)$.
\end{tabular}
If $\InViewingKey = 0$, discard this key and repeat with a new $\SpendingKey$.
@ -3765,8 +3757,8 @@ if this happens, discard the key and repeat with a different $\SpendingKey$.
$\ToScalar(\PRFexpand{\SpendingKey}([1])) : \SpendingKey \leftarrowR \SpendingKeyType$,
is computationally indistinguishable from the uniform distribution on $\GF{\ParamJ{r}}$.
Since $\fun{\AuthProvePrivate \typecolon \GF{\ParamJ{r}}^{\vphantom{X}}}
{\reprJOf{\scalarmult{\AuthProvePrivate}{\AuthProveBase}} \typecolon \SubgroupReprJ}$
is bijective, the distribution of $\reprJOf{\AuthProvePublic}$ will be computationally
{\reprJ\Of{\scalarmult{\AuthProvePrivate}{\AuthProveBase}} \typecolon \SubgroupReprJ}$
is bijective, the distribution of $\reprJ\Of{\AuthProvePublic}$ will be computationally
indistinguishable from the uniform distribution on $\SubgroupReprJ$
which is the keyspace of $\PRFnfSapling{}$.
\end{nnotes}
@ -4073,8 +4065,8 @@ the following steps:
\begin{tabular}{@{\hskip 2em}r@{\;}l}
$\cvNew{}$ &$:= \ValueCommit{\ValueCommitRandNew{}}(\ValueNew{})$ \\[1ex]
$\cmNew{}$ &$:= \NoteCommitSapling{\NoteCommitRandNew{}}(\reprJOf{\DiversifiedTransmitBase},
\reprJOf{\DiversifiedTransmitPublic},
$\cmNew{}$ &$:= \NoteCommitSapling{\NoteCommitRandNew{}}(\reprJ\Of{\DiversifiedTransmitBase},
\reprJ\Of{\DiversifiedTransmitPublic},
\ValueNew{})$
\end{tabular}
@ -4172,10 +4164,10 @@ A \dummy{} \Sapling input \note is constructed as follows:
\item Choose uniformly random $\NoteCommitRand \leftarrowR \NoteCommitSaplingGenTrapdoor()$.
and $\AuthProvePrivate \leftarrowR \GF{\ParamJ{r}}$.
\item Compute $\AuthProvePublic = \scalarmult{\AuthProvePrivate}{\AuthProveBase}$ and
$\AuthProvePublicRepr = \reprJOf{\AuthProvePublic}$\,.
$\AuthProvePublicRepr = \reprJ\Of{\AuthProvePublic}$\,.
\item Compute $\NoteAddressRand{} = \cmOld{}
= \NoteCommitSapling{\NoteCommitRand}(\reprJOf{\DiversifiedTransmitBase},
\reprJOf{\DiversifiedTransmitPublic},
= \NoteCommitSapling{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase},
\reprJ\Of{\DiversifiedTransmitPublic},
\vOld{})$.
\item Compute $\nfOld{} = \PRFnfSapling{\AuthProvePublicRepr}(\reprJ(\NoteAddressRand))$.
\item Construct a \dummy \merklePath $\TreePath{}$ for use in the
@ -4816,8 +4808,8 @@ such that the following conditions hold:
\vspace{1ex}
\snarkcondition{Note commitment integrity} \label{spendnotecommitmentintegrity}
$\cmOld{} = \NoteCommitSapling{\NoteCommitRandOld{}}(\reprJOf{\DiversifiedTransmitBase},
\reprJOf{\DiversifiedTransmitPublic},
$\cmOld{} = \NoteCommitSapling{\NoteCommitRandOld{}}(\reprJ\Of{\DiversifiedTransmitBase},
\reprJ\Of{\DiversifiedTransmitPublic},
\vOld{})$.
\vspace{-1ex}
@ -4841,7 +4833,7 @@ and $\scalarmult{\ParamJ{h}}{\AuthSignPublic} \neq \ZeroJ$.
$\nfOld{} = \PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRandRepr)$ where
\vspace{-1ex}
\begin{formulae}
\item $\AuthProvePublicRepr = \reprJOf{\scalarmult{\AuthProvePrivate}{\AuthProveBase}}$
\item $\AuthProvePublicRepr = \reprJ\Of{\scalarmult{\AuthProvePrivate}{\AuthProveBase}}$
\vspace{-1ex}
\item $\NoteAddressRandRepr = \reprJ\big(\MixingPedersenHash(\cmOld{}, \NotePosition)\kern-0.12em\big)$.
\end{formulae}
@ -4858,7 +4850,7 @@ $\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBas
\begin{formulae}
\item $\InViewingKey = \CRHivk(\AuthSignPublicRepr, \AuthProvePublicRepr)$
\vspace{-1ex}
\item $\AuthSignPublicRepr = \reprJOf{\AuthSignPublic}$\,.
\item $\AuthSignPublicRepr = \reprJ\Of{\AuthSignPublic}$\,.
\end{formulae}
\vspace{1ex}
@ -4923,7 +4915,7 @@ such that the following conditions hold:
$\cmU = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRandNew{}}(\DiversifiedTransmitBaseRepr,
\DiversifiedTransmitPublicRepr,
\vNew{})\kern-0.12em\big)$,
where $\DiversifiedTransmitBaseRepr = \reprJOf{\DiversifiedTransmitBase}$\,.
where $\DiversifiedTransmitBaseRepr = \reprJ\Of{\DiversifiedTransmitBase}$\,.
\snarkcondition{Value commitment integrity} \label{outputvaluecommitmentintegrity}
@ -5158,7 +5150,7 @@ Then to encrypt:
\item else:
\item \tab let $\cvField = \LEBStoOSP{\ellJ}\big(\reprJ(\cvNew{})\kern-0.12em\big)$
\item \tab let $\cmField = \LEBStoOSP{256}\big(\ExtractJ(\cmNew{})\kern-0.15em\big)$
\item \tab let $\ephemeralKey = \LEBStoOSPOf{\ellJ}{\reprJOf{\EphemeralPublic}}$
\item \tab let $\ephemeralKey = \LEBStoOSPOf{\ellJ}{\reprJ\Of{\EphemeralPublic}}$
\item \tab let $\OutCipherKey = \PRFock{\OutViewingKey}(\cvField, \cmField, \ephemeralKey)$
\item \tab let $\OutPlaintext = \LEBStoOSPOf{\ellJ + 256}{\reprJ(\DiversifiedTransmitPublicNew) \,\bconcat\, \ItoLEBSPOf{256}{\EphemeralPrivate}\kern-0.12em}$
\item \vspace{-2ex}
@ -5205,8 +5197,8 @@ components of the \noteCiphertext as follows:
and $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$
\item if $\NoteCommitRand \geq \ParamJ{r}$ or $\DiversifiedTransmitBase = \bot$, return $\bot$
\item let $\DiversifiedTransmitPublic = \KASaplingDerivePublic(\InViewingKey, \DiversifiedTransmitBase)$
\item let $\cmU' = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRandNew{}}(\reprJOf{\DiversifiedTransmitBase},
\reprJOf{\DiversifiedTransmitPublic},
\item let $\cmU' = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRandNew{}}(\reprJ\Of{\DiversifiedTransmitBase},
\reprJ\Of{\DiversifiedTransmitPublic},
\Value)\kern-0.12em\big)$.
\item if $\LEBStoOSPOf{256}{\cmU'} \neq \cmField$, return $\bot$, else return $\NotePlaintext{}$.
\end{algorithm}
@ -5255,7 +5247,7 @@ The \outgoingViewingKey holder will attempt to decrypt the \noteCiphertext as fo
\item extract $(\DiversifiedTransmitPublicRepr \typecolon \ReprJ,
\EphemeralPrivateBytes \typecolon \EphemeralPrivateBytesType)$ from $\OutPlaintext$
\item let $\EphemeralPrivate = \LEOStoIPOf{256}{\EphemeralPrivateBytes}$
and $\DiversifiedTransmitPublic = \abstJOf{\DiversifiedTransmitPublicRepr}$
and $\DiversifiedTransmitPublic = \abstJ\Of{\DiversifiedTransmitPublicRepr}$
\item if $\EphemeralPrivate \geq \ParamJ{r}$ or $\DiversifiedTransmitPublic \notin \KASaplingPublicPrimeOrder$, return $\bot$
\item let $\DHSecret{} = \KASaplingAgree(\EphemeralPrivate, \DiversifiedTransmitPublic)$
\item let $\TransmitKey{} = \KDFSapling(\DHSecret{}, \EphemeralPublic)$
@ -5268,8 +5260,8 @@ The \outgoingViewingKey holder will attempt to decrypt the \noteCiphertext as fo
\item if $\NoteCommitRand \geq \ParamJ{r}$ or $\DiversifiedTransmitBase = \bot$, return $\bot$
\item if $\KASaplingDerivePublic(\EphemeralPrivate, \DiversifiedTransmitBase) \neq \EphemeralPublic$,
return $\bot$
\item let $\cmU' = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRandNew{}}(\reprJOf{\DiversifiedTransmitBase},
\reprJOf{\DiversifiedTransmitPublic},
\item let $\cmU' = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRandNew{}}(\reprJ\Of{\DiversifiedTransmitBase},
\reprJ\Of{\DiversifiedTransmitPublic},
\Value)\kern-0.12em\big)$.
\item if $\LEBStoOSPOf{256}{\cmU'} \neq \cmField$, return $\bot$, else return $\NotePlaintext{}$.
\end{algorithm}
@ -5277,7 +5269,7 @@ The \outgoingViewingKey holder will attempt to decrypt the \noteCiphertext as fo
\vspace{-2ex}
\pnote{For a valid \transaction it must be the case that
$\ephemeralKey = \LEBStoOSP{\ellJ}\big(\reprJOf{\EphemeralPublic}\kern-0.15em\big)$.}
$\ephemeralKey = \LEBStoOSP{\ellJ}\big(\reprJ\Of{\EphemeralPublic}\kern-0.15em\big)$.}
\subsection{\Blockchain{} Scanning\pSproutOrNothing} \label{sproutscan}
@ -5798,7 +5790,8 @@ Define
\vspace{-1ex}
\begin{formulae}
\item $\DiversifyHash(\Diversifier) := \GroupJHash{\NotUpMySleeve}(\ascii{Zcash\_gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier})$
\item $\DiversifyHash(\Diversifier) :=
\GroupJHash{\NotUpMySleeve}\Of{\ascii{Zcash\_gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier}\kern-0.1em}$
\end{formulae}
\vspace{-3ex}
@ -5862,7 +5855,7 @@ Let $c := 63$.
Define $\PedersenGenAlg \typecolon \byteseq{8} \times \Nat \rightarrow \PrimeOrderJ$ by:
\begin{formulae}
\item $\PedersenGen{D}{i} := \FindGroupJHashOf{D, \Justthebox{\gencountbox}}$.
\item $\PedersenGen{D}{i} := \FindGroupJHash\Of{D, \Justthebox{\gencountbox}}$.
\end{formulae}
\newcommand{\sj}[1]{s^{\kern 0.02em j}_{#1}}
@ -5899,7 +5892,7 @@ $\PedersenEncode{\paramdot} \typecolon \bitseq{3 \mult \range{1}{c}} \rightarrow
Finally, define $\PedersenHash \typecolon \byteseq{8} \times \bitseq{\PosInt} \rightarrow \MerkleHashSapling$ by:
\begin{formulae}
\item $\PedersenHash(D, M) := \ExtractJ(\PedersenHashToPoint(D, M))$.
\item $\PedersenHash(D, M) := \ExtractJ\big(\PedersenHashToPoint\Of{D, M}\kern-0.1em\big)$.
\end{formulae}
See \crossref{cctpedersenhash} for rationale and efficient circuit implementation
@ -5971,7 +5964,7 @@ $\UncommittedSapling = \ItoLEBSPOf{\MerkleHashLengthSapling}{1}$ is not in the r
By injectivity of $\ItoLEBSP{\MerkleHashLengthSapling}$ and the definitions of
$\PedersenHash$ and $\ExtractJ$, $\ItoLEBSPOf{\smash{\MerkleHashLengthSapling}}{1}$
can be in the range of $\PedersenHash$ only if there exist
$(D \typecolon \byteseq{8}$, $M \typecolon \bitseq{\PosInt})$ such that $\SelectuOf{\PedersenHashToPoint(D, M)} = 1$.
$(D \typecolon \byteseq{8}$, $M \typecolon \bitseq{\PosInt})$ such that $\Selectu\Of{\PedersenHashToPoint(D, M)} = 1$.
The latter can only be the affine-Edwards $u$-coordinate of a point in $\strut\GroupJ$.
We show that there are no points in $\GroupJ$ with affine-Edwards $u$-coordinate $1$.
Suppose for a contradiction that $(u, \varv) \in \GroupJ$ for $u = 1$ and some
@ -5991,7 +5984,7 @@ A mixing \xPedersenHash is used to compute $\NoteAddressRand$ from
$\cm$ and $\NotePosition$ in \crossref{commitmentsandnullifiers}. It takes as
input a \xPedersenCommitment $P$, and hashes it with another input $x$.
Define $\NotePositionBase := \FindGroupJHashOf{\ascii{Zcash\_J\_}, \ascii{}}$.
Define $\NotePositionBase := \FindGroupJHash\Of{\ascii{Zcash\_J\_}, \ascii{}}$.
We define $\MixingPedersenHash \typecolon \GroupJ \times \range{0}{\ParamJ{r}-1}
\rightarrow \GroupJ$ by:
@ -6385,8 +6378,8 @@ Define $\KASaplingAgree(\sk, P) := \scalarmult{\ParamJ{h} \mult \sk}{P}$.
\begin{lrbox}{\kdfsaplinginputbox}
\setsapling
\begin{bytefield}[bitwidth=0.07em]{544}
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJOf{\DHSecret{}}\hairspace}$} &
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJOf{\EphemeralPublic}\hairspace}$}
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJ\Of{\DHSecret{}}\hairspace}$} &
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJ\Of{\EphemeralPublic}\hairspace}$}
\end{bytefield}
\end{lrbox}
@ -6553,8 +6546,8 @@ Define $\RedDSASign{} \typecolon (\sk \typecolon \RedDSAPrivate) \times (M \type
\item Choose a byte sequence $T$ uniformly at random on $\byteseq{(\RedDSAHashLength+128)/8}$.
\item Let $r = \RedDSAHashToScalar(T \bconcat M)$.
\item Let $\RedDSASigR{} = \scalarmult{r}{\GenG{}}$.
\item Let $\RedDSAReprR{} = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\RedDSASigR{}}}$.
\item Let $\vkBytes{} = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\RedDSADerivePublic(\sk)}\kern 0.05em}$.
\item Let $\RedDSAReprR{} = \LEBStoOSPOf{\ellG{}}{\reprG{}\Of{\RedDSASigR{}}\kern 0.05em}$.
\item Let $\vkBytes{} = \LEBStoOSPOf{\ellG{}}{\reprG{}\Of{\RedDSADerivePublic(\sk)}\kern 0.05em}$.
\item Let $\RedDSASigS{} = (r + \RedDSAHashToScalar(\RedDSAReprR{} \bconcat \vkBytes{} \bconcat M) \mult \sk) \bmod \ParamG{r}$.
\item Let $\RedDSAReprS{} = \LEBStoOSPOf{\bitlength(\ParamG{r})}{\ItoLEBSPOf{\bitlength(\ParamG{r})}{\RedDSASigS{}}\kern-0.16em}$.
\item Return $\RedDSAReprR{} \bconcat \RedDSAReprS{}$.
@ -6568,7 +6561,7 @@ Define $\RedDSAVerify{} \typecolon (\vk \typecolon \RedDSAPublic) \times (M \typ
let $\RedDSAReprS{}$ be the remaining $\ceiling{\bitlength(\ParamG{r})/8}$ bytes.
\item Let $\RedDSASigR{} = \abstG{}\big(\LEOStoBSP{\ellG{}}(\RedDSAReprR{})\kern-0.1em\big)$, and
let $\RedDSASigS{} = \LEOStoIP{\bitlength(\ParamG{r})}(\RedDSAReprS{})$.
\item Let $\vkBytes{} = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\vk}}$.
\item Let $\vkBytes{} = \LEBStoOSPOf{\ellG{}}{\reprG{}\Of{\vk}}$.
\vspace{-0.5ex}
\item Let $\RedDSASigc{} = \RedDSAHashToScalar(\RedDSAReprR{} \bconcat \vkBytes{} \bconcat M)$.
\vspace{0.5ex}
@ -6608,7 +6601,7 @@ As required, $\RedDSADerivePublic$ is a group homomorphism:
\end{tabular}
\vspace{1ex}
A $\RedDSA$ public key $\vk$ can be encoded as a bit sequence $\reprGOf{}{\vk}$\, of
A $\RedDSA$ public key $\vk$ can be encoded as a bit sequence $\reprG{}\Of{\vk}$\, of
length $\ellG{}$ bits (or as a corresponding byte sequence $\vkBytes{}$ by then applying $\LEBStoOSP{\ellG{}}$).
\vspace{2ex}
@ -6630,7 +6623,7 @@ $\BindingSig$ and $\SpendAuthSig$.
Let $\RedJubjub$ be as defined in \crossref{concreteredjubjub}.
Define $\AuthSignBase := \FindGroupJHashOf{\ascii{Zcash\_G\_}, \ascii{}}$.
Define $\AuthSignBase := \FindGroupJHash\Of{\ascii{Zcash\_G\_}, \ascii{}}$.
$\SpendAuthSig$ is instantiated as $\RedJubjub$ with key re-randomization, and
with generator $\GenG{} = \AuthSignBase$.
@ -6721,7 +6714,7 @@ and adding a randomized point on the \jubjubCurve (see \crossref{jubjub}):
\begin{formulae}
\item $\WindowedPedersenCommit{r}(s) :=
\PedersenHashToPoint(\ascii{Zcash\_PH}, s) + \scalarmult{r}{\FindGroupJHashOf{\ascii{Zcash\_PH}, \ascii{r}}}$
\PedersenHashToPoint\Of{\ascii{Zcash\_PH}, s}\, + \scalarmult{r}{\FindGroupJHash\Of{\ascii{Zcash\_PH}, \ascii{r}}}$
\end{formulae}
See \crossref{cctwindowedcommit} for rationale and efficient circuit implementation
@ -6771,7 +6764,7 @@ In order to support this property, we also define \quotedterm{homomorphic}
\begin{formulae}
\item $\HomomorphicPedersenCommit{\ValueCommitRand}(D, \Value) :=
\scalarmult{\Value}{\FindGroupJHashOf{D, \ascii{v}}} + \scalarmult{\ValueCommitRand}{\FindGroupJHashOf{D, \ascii{r}}}$
\scalarmult{\Value}{\FindGroupJHash\Of{D, \ascii{v}}} + \scalarmult{\ValueCommitRand}{\FindGroupJHash\Of{D, \ascii{r}}}$
\item $\ValueCommitGenTrapdoor()$ generates the uniform distribution on $\GF{\ParamJ{r}}$.
\end{formulae}
@ -6782,9 +6775,9 @@ of this function.
Define:
\begin{formulae}
\vspace{-0.5ex}
\item $\ValueCommitValueBase := \FindGroupJHashOf{\ascii{Zcash\_cv}, \ascii{v}}$
\item $\ValueCommitValueBase := \FindGroupJHash\Of{\ascii{Zcash\_cv}, \ascii{v}}$
\vspace{-0.5ex}
\item $\ValueCommitRandBase := \FindGroupJHashOf{\ascii{Zcash\_cv}, \ascii{r}}$.
\item $\ValueCommitRandBase := \FindGroupJHash\Of{\ascii{Zcash\_cv}, \ascii{r}}$.
\end{formulae}
\introlist
@ -7107,12 +7100,12 @@ Define $\ItoLEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell}
as in \crossref{endian}.
Define $\reprJ \typecolon \GroupJ \rightarrow \ReprJ$ such
that $\reprJOf{u, \varv} = \ItoLEBSPOf{256}{\varv + 2^{255} \smult \tilde{u}}$, where
that $\reprJ\Of{u, \varv} = \ItoLEBSPOf{256}{\varv + 2^{255} \smult \tilde{u}}$, where
$\tilde{u} = u \bmod 2$.
Let $\abstJ \typecolon \ReprJ \rightarrow \maybe{\GroupJ}$
be the left inverse of $\reprJ$ such that if $S$ is not in the range of
$\reprJ$, then $\abstJOf{S} = \bot$.
$\reprJ$, then $\abstJ\Of{S} = \bot$.
Define $\SubgroupJ$ as the order-$\ParamJ{r}$ subgroup of $\GroupJ$. Note that this includes $\ZeroJ$.
For the set of prime-order points we write $\PrimeOrderJ$.
@ -7142,11 +7135,11 @@ other conditions on points, for example that they have order at least $\ParamJ{r
\sapling{
\subsubsubsection{\HashExtractor{} for \Jubjub} \label{concreteextractorjubjub}
Let $\SelectuOf{(u, \varv)} = u$ and let $\SelectvOf{(u, \varv)} = \varv$.
Let $\Selectu\Of{(u, \varv)} = u$ and let $\Selectv\Of{(u, \varv)} = \varv$.
Define $\ExtractJ \typecolon \SubgroupJ \rightarrow \MerkleHashSapling$ by
\begin{formulae}
\item $\ExtractJ(P) := \ItoLEBSPOf{\MerkleHashLengthSapling}{\SelectuOf{P}}$.
\item $\ExtractJ(P) := \ItoLEBSPOf{\MerkleHashLengthSapling}{\Selectu\Of{P}}$.
\end{formulae}
\vspace{-2ex}
@ -7170,7 +7163,7 @@ Therefore, $-\varv \neq \varv$.
Now suppose $(u, -\varv) = Q$ is a point in $\SubgroupJ$. Then by applying the
doubling formula we have $\scalarmult{2}{Q} = -\scalarmult{2}{P}$.
But also $\scalarmult{2}{(-P)} = -\scalarmult{2}{P}$. Therefore either
$Q = -P$ (then $\SelectvOf{Q} = \SelectvOf{-P}$\,; contradiction since
$Q = -P$ (then $\Selectv\Of{Q} = \Selectv\Of{-P}$\,; contradiction since
$-\varv \neq \varv$), or doubling is not injective on $\SubgroupJ$ (contradiction
since $\SubgroupJ$ is of odd order \cite{KvE2013}).
\end{proof}
@ -7228,7 +7221,7 @@ The hash $\GroupJHash{\URS}(D, M) \typecolon \PrimeOrderJ$ is calculated as foll
\begin{algorithm}
\item let $\HashOutput = \BlakeTwos{256}(D,\, \URS \bconcat\, M)$
\item let $P = \abstJOf{\LEOStoBSP{256}(\HashOutput)\kern-0.12em}$
\item let $P = \abstJ\Of{\LEOStoBSP{256}(\HashOutput)\kern-0.12em}$
\item if $P = \bot$ then return $\bot$
\item let $Q = \scalarmult{\ParamJ{h}}{P}$
\item if $Q = \ZeroJ$ then return $\bot$, else return $Q$.
@ -7244,7 +7237,7 @@ The hash $\GroupJHash{\URS}(D, M) \typecolon \PrimeOrderJ$ is calculated as foll
$\vphantom{a^b}\BlakeTwos{256}$ in the security analysis.
$\exclusivefun{\HashOutput \typecolon \byteseq{32}}
{\abstJOf{\LEOStoBSP{256}(\HashOutput)\kern-0.12em} \typecolon \GroupJ}{\bot}$
{\abstJ\Of{\LEOStoBSP{256}(\HashOutput)\kern-0.12em} \typecolon \GroupJ}{\bot}$
is injective, and both it and its inverse are efficiently computable.
$\exclusivefun{P \typecolon \GroupJ}
@ -7262,7 +7255,7 @@ Define $\first \typecolon (\byte \rightarrow \maybe{T}) \rightarrow \maybe{T}$
so that $\first(f) = f(i)$ where $i$ is the least integer in $\byte$
such that $f(i) \neq \bot$, or $\bot$ if no such $i$ exists.
Define $\FindGroupJHashOf{D, M} :=
Define $\FindGroupJHash(D, M) :=
\first(\fun{i \typecolon \byte}{\GroupJHash{\URS}(D, M \bconcat\, [i]) \typecolon \maybe{(\PrimeOrderJ)}})$.
\vspace{-3ex}
@ -7673,7 +7666,7 @@ The raw encoding of a \Sapling \paymentAddress consists of:
\begin{equation*}
\begin{bytefield}[bitwidth=0.07em]{344}
\sbitbox{120}{$\LEBStoOSPOf{88}{\Diversifier}$}
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJOf{\DiversifiedTransmitPublic}\kern 0.05em}$}
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJ\Of{\DiversifiedTransmitPublic}\kern 0.05em}$}
\end{bytefield}
\end{equation*}
@ -7795,8 +7788,8 @@ The raw encoding of a \fullViewingKey consists of:
\vspace{1ex}
\begin{equation*}
\begin{bytefield}[bitwidth=0.05em]{512}
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJOf{\AuthSignPublic}\kern 0.05em}$}
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJOf{\AuthProvePublic}\kern 0.05em}$}
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJ\Of{\AuthSignPublic}\kern 0.05em}$}
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJ\Of{\AuthProvePublic}\kern 0.05em}$}
\sbitbox{256}{$32$-byte $\OutViewingKey$}
\end{bytefield}
\end{equation*}
@ -8308,7 +8301,7 @@ Bytes & \heading{Name} & \heading{Data Type} & \heading{Description} \\
\hhline{|=|=|=|=|}
$32$ & $\cvField$ & \type{char[32]} & A \valueCommitment to the value of the input \note,
$\LEBStoOSPOf{256}{\reprJOf{\cv}}$. \\ \hline
$\LEBStoOSPOf{256}{\reprJ\Of{\cv}}$. \\ \hline
$32$ & $\anchorField$ & \type{char[32]} & A \merkleRoot of the \Sapling \noteCommitmentTree
at some \blockHeight in the past, $\LEBStoOSPOf{256}{\rt}$. \\ \hline
@ -8317,7 +8310,7 @@ $32$ & $\nullifierField$ & \type{char[32]} & The \nullifier of the input \note,
$\LEBStoOSPOf{256}{\nf}$. \\ \hline
$32$ & $\rkField$ & \type{char[32]} & The randomized public key for $\spendAuthSig$,
$\LEBStoOSPOf{256}{\reprJOf{\AuthSignRandomizedPublic}\kern 0.05em}$. \\ \hline
$\LEBStoOSPOf{256}{\reprJ\Of{\AuthSignRandomizedPublic}\kern 0.05em}$. \\ \hline
$192$ & $\zkproof$ & \type{char[192]} & An encoding of the \zeroKnowledgeProof
$\ProofSpend$ (see \crossref{groth}). \\ \hline
@ -8354,13 +8347,13 @@ Bytes & \heading{Name} & \heading{Data Type} & \heading{Description} \\
\hhline{|=|=|=|=|}
$32$ & $\cvField$ & \type{char[32]} & A \valueCommitment to the value of the output \note,
$\LEBStoOSPOf{256}{\reprJOf{\cv}\kern 0.05em}$. \\ \hline
$\LEBStoOSPOf{256}{\reprJ\Of{\cv}\kern 0.05em}$. \\ \hline
$32$ & $\cmField$ & \type{char[32]} & The $u$-coordinate of the \noteCommitment for the output \note,
$\LEBStoOSPOf{256}{\cmU}$ where $\cmU = \ExtractJ(\cm)$. \\ \hline
$32$ & $\ephemeralKey$ & \type{char[32]} & An encoding of an ephemeral $\JubjubCurve$ public key,
$\LEBStoOSPOf{256}{\reprJOf{\EphemeralPublic}}$. \\ \hline
$\LEBStoOSPOf{256}{\reprJ\Of{\EphemeralPublic}}$. \\ \hline
$580$ & $\encCiphertext$ & \type{char[580]} & A ciphertext component for the
encrypted output \note, $\TransmitCiphertext{}$. \\ \hline
@ -9854,7 +9847,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
computed and separating it from the \authRandomizedVerifyingKey
($\AuthSignRandomizedPublic$).
\item Clarify conversions between bit and byte sequences for
$\SpendingKey$, $\reprJOf{\AuthSignPublic}$, and $\reprJOf{\AuthProvePublic}$.
$\SpendingKey$, $\reprJ\Of{\AuthSignPublic}$, and $\reprJ\Of{\AuthProvePublic}$.
} %sapling
\item Change the \texttt{Makefile} to avoid multiple reloads in PDF readers while
rebuilding the PDF.
@ -11039,7 +11032,7 @@ Given $k = \vsum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$
\begin{algorithm}
\item // $\Base_i = \scalarmult{2^i}{B}$
\item let $\Base^u_0 = \SelectuOf{B}$
\item let $\Base^u_0 = \Selectu\Of{B}$
\item let $\Base^{\vv}_0\hairspace = B_{\vv}$
\item let $\Acc^u_0 = k_0 \bchoose B^u : 0$
\item let $\Acc^{\vv}_0\hairspace = k_0 \bchoose B^{\vv} : 1$
@ -11261,7 +11254,7 @@ implementation, and adding a randomized point:
\begin{formulae}
\item $\WindowedPedersenCommit{r}(s) =
\PedersenHashToPoint(\ascii{Zcash\_PH}, s) + \scalarmult{r}{\FindGroupJHashOf{\ascii{Zcash\_PH}, \ascii{r}}}$
\PedersenHashToPoint\Of{\ascii{Zcash\_PH}, s}\, + \scalarmult{r}{\FindGroupJHash\Of{\ascii{Zcash\_PH}, \ascii{r}}}$
\end{formulae}
\introlist
@ -11287,7 +11280,7 @@ as follows:
\begin{formulae}
\item $\HomomorphicPedersenCommit{\ValueCommitRand}(D, \Value) =
\scalarmult{\Value}{\FindGroupJHashOf{D, \ascii{v}}} + \scalarmult{\ValueCommitRand}{\FindGroupJHashOf{D, \ascii{r}}}$
\scalarmult{\Value}{\FindGroupJHash\Of{D, \ascii{v}}}\, + \scalarmult{\ValueCommitRand}{\FindGroupJHash\Of{D, \ascii{r}}}$
\end{formulae}
In the case that we need for $\ValueCommit{}$, $\Value$ has $64$
@ -11443,10 +11436,10 @@ Define $\MillerLoopS \typecolon \GroupS{1} \times \GroupS{2} \rightarrow \GroupS
and $\FinalExpS \typecolon \GroupS{T} \rightarrow \GroupS{T}$ to be the Miller loop and
final exponentiation respectively of the pairing computation, so that:
\begin{formulae}
\item $\PairingS(P, Q) = \FinalExpS(\MillerLoopS(P, Q))$
\item $\PairingS\Of{P, Q} = \FinalExpS\Of{\MillerLoopS\Of{P, Q}\kern 0.05em}$
\end{formulae}
\vspace{-1ex}
where $\FinalExpS(R) = R^{t}$ for some fixed $t$.
where $\FinalExpS\Of{R} = R^{t}$ for some fixed $t$.
\vspace{2ex}
Define $\GrothProofS := \GroupSstar{1} \times \SubgroupSstar{2} \times \GroupSstar{1}$.
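Review bot: The new general-purpose `\Of` macro introduced in the hunk at `@ -881` carries no comment, although it now replaces the per-function `\reprJOf`, `\abstJOf`, `\SelectuOf`, `\FindGroupJHashOf` and similar macros throughout the document and bakes in `\!\left( … \right)\!` spacing that several call sites then compensate for by hand (`\PedersenHashToPoint\Of{…}\, +` in the hunks at `@ -6721` and `@ -11261`, `\kern` adjustments elsewhere); a one-line note such as `% \Of{args}: tight function-application parentheses, \!\left(args\right)\!; add \, before a following binary operator` above the definition would make that convention discoverable. In the hunk at `@ -7262` the definition `Define $\FindGroupJHash(D, M) :=` is the one place on this page where a function introduced with `\Of` everywhere else is written with plain parentheses; `Define $\FindGroupJHash\Of{D, M} :=` would keep the definition visually consistent with its uses, unless plain parentheses were deliberate there to match `\GroupJHash{\URS}(D, M)`. The hunk at `@ -1557` also changes the subscript of `\reprS` from `\GroupG{#1}` to `\GroupS{#1}`, which appears to be a correctness fix to the BLS12-381 representation macro rather than a simplification and may deserve a mention in the commit message.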