From b2f42d987ce07f9d4c0cc1abd2ac63a660fced41 Mon Sep 17 00:00:00 2001
From: Daira Hopwood
Date: Sat, 11 Aug 2018 21:05:19 +0100
Subject: [PATCH] Macro simplifications.

Signed-off-by: Daira Hopwood
---
 protocol/protocol.tex | 137 ++++++++++++++++++++----------------------
 1 file changed, 65 insertions(+), 72 deletions(-)

diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index 1f0b389c..7e892ead 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -881,6 +881,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\constraint}[3]{\lincomb{#1}\hairspace \vartimes\hairspace \lincomb{#2}\hairspace =\hairspace \lincomb{#3}}
 \newcommand{\lconstraint}[1]{\lincomb{#1}\hairspace \vartimes\mhspace{0.25em}}
 \newcommand{\maybe}[1]{{#1} \union \setof{\bot}}
+\newcommand{\Of}[1]{\!\left({#1}\right)\!}
 
 % Hashes
 
@@ -1504,9 +1505,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\Zero}{\mathcal{O}}
 \newcommand{\Generator}{\mathcal{P}}
 \newcommand{\Selectu}{\scalebox{1.53}{$u$}}
-\newcommand{\SelectuOf}[1]{\Selectu\!\left({#1}\right)\!}
 \newcommand{\Selectv}{\scalebox{1.53}{$\varv$}}
-\newcommand{\SelectvOf}[1]{\Selectv\!\left({#1}\right)\!}
 \newcommand{\subgroupr}{(\kern-0.075emr\kern-0.075em)}
 \newcommand{\Extract}{\mathsf{Extract}}
 \newcommand{\GroupHash}{\mathsf{GroupHash}}
@@ -1537,9 +1536,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\ellG}[1]{\ell_{\GroupG{#1}}}
 \newcommand{\ReprG}[1]{\bitseq{\ellG{#1}}}
 \newcommand{\reprG}[1]{\repr_{\GroupG{#1}}}
-\newcommand{\reprGOf}[2]{\reprG{#1}\!\left({#2}\right)\!}
 \newcommand{\abstG}[1]{\abst_{\GroupG{#1}}}
-\newcommand{\abstGOf}[2]{\abstG{#1}\!\left({#2}\right)\!}
 \newcommand{\PairingG}{\ParamG{\hat{e}}}
 \newcommand{\ExtractG}{\Extract_{\SubgroupG}}
 
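Review bot: The new `\Of` macro in the first hunk has a very short, generic name and no comment, so a reader who meets `\reprJ\Of{x}` in the body cannot tell that it is meant to be glued directly onto the preceding function symbol and depends on the surrounding `\!` kerns to do so; a one-line comment above the definition would help, e.g. `% \Of{x}: auto-sized "(x)" with tight kerning; always write as \f\Of{x}`. Because `\left(...\right)` cannot break across lines and sizes to the full height of the argument, the call sites elsewhere in this patch that keep a manual `\big(...\big)` presumably do so deliberately; a second comment line saying when `\big(` is preferred over `\Of` would stop the next editor from "simplifying" those as well.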
@@ -1557,10 +1554,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\ZeroS}[1]{\Zero_{\GroupS{#1}}}
 \newcommand{\GenS}[1]{\Generator_{\GroupS{#1}}}
 \newcommand{\ellS}[1]{\ell_{\GroupS{#1}}}
-\newcommand{\reprS}[1]{\repr_{\GroupG{#1}}}
-\newcommand{\reprSOf}[1]{\reprS\!\left({#1}\right)\!}
-\newcommand{\abstS}{\abst_{\GroupS}}
-\newcommand{\abstSOf}[1]{\abstS\!\left({#1}\right)\!}
+\newcommand{\reprS}[1]{\repr_{\GroupS{#1}}}
+\newcommand{\abstS}[1]{\abst_{\GroupS{#1}}}
 \newcommand{\PairingS}{\ParamS{\hat{e}}}
 \newcommand{\MillerLoopS}{\ParamS{\mathsf{MillerLoop}}}
 \newcommand{\FinalExpS}{\ParamS{\mathsf{FinalExp}}}
@@ -1579,9 +1574,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\ReprJ}{\bitseq{\ellJ}}
 \newcommand{\ReprJBytes}{\byteseq{\ellJ/8}}
 \newcommand{\reprJ}{\repr_{\GroupJ}}
-\newcommand{\reprJOf}[1]{\reprJ\!\left({#1}\right)\!}
 \newcommand{\abstJ}{\abst_{\GroupJ}}
-\newcommand{\abstJOf}[1]{\abstJ\!\left({#1}\right)\!}
 \newcommand{\SignedScalarLimitJ}{\frac{\ParamJ{r}-1}{2}}
 \newcommand{\ExtractJ}{\Extract_{\SubgroupJ}}
 
@@ -1590,7 +1583,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\GroupJHashInput}{\GroupJHash{}\mathsf{.Input}}
 \newcommand{\HashOutput}{\bytes{H}}
 \newcommand{\FindGroupJHash}{\FindGroupHash^{\SubgroupJ}}
-\newcommand{\FindGroupJHashOf}[1]{\FindGroupJHash\!\left({#1}\right)\!}
 \newcommand{\ParamM}[1]{{{#1}_\mathbb{\hskip 0.03em M}}}
 \newcommand{\ParamMexp}[2]{{{#1}_\mathbb{\hskip 0.03em M}\!}^{#2}}
 
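Review bot: The `-1557` hunk turns `\abstS` from a zero-argument macro into a one-argument one, `\newcommand{\abstS}[1]{\abst_{\GroupS{#1}}}`, and no use of `\abstS` is updated anywhere in this patch; if any bare `\abstS` remains in the body (none is visible here, so this is unconfirmed), it would now silently take the following token as its argument, so a search for `\abstS` not followed by a brace group is worth doing before merge. The same hunk also corrects `\reprS` from `\repr_{\GroupG{#1}}` to `\repr_{\GroupS{#1}}`, which changes what the notation denotes rather than simplifying a macro; that fix deserves a sentence in the commit message rather than being folded into "Macro simplifications".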
@@ -2365,8 +2357,8 @@ $\NoteTuple{} = (\Diversifier, \DiversifiedTransmitPublic, \Value, \NoteCommitRa \vspace{-1ex} \item $\NoteCommitmentSapling(\NoteTuple{}) := \begin{cases} \bot, &\caseif \DiversifiedTransmitBase = \bot \\ - \NoteCommitSapling{\NoteCommitRand}(\reprJOf{\DiversifiedTransmitBase}, - \reprJOf{\DiversifiedTransmitPublic}, + \NoteCommitSapling{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase}, + \reprJ\Of{\DiversifiedTransmitPublic}, \Value), &\caseotherwise. \end{cases}$ \end{formulae} @@ -3466,7 +3458,7 @@ A \representedPairing $\GroupP{}$ consists of: \begin{itemize} \item (Bilinearity)\; for all $a, b \typecolon \GFstar{r}$, $P \typecolon \GroupP{1}$, and $Q \typecolon \GroupP{2}$,\; - $\PairingP(\scalarmult{a}{P}, \scalarmult{b}{Q}) = \PairingP(P, Q)^{a \mult b}$;\, and + $\PairingP\Of{\scalarmult{a}{P}, \scalarmult{b}{Q}} = \PairingP\Of{P, Q}^{a \mult b}$;\, and \item (Nondegeneracy)\; there does not exist $P \typecolon \GroupP{1} \setminus \ZeroP{1}$ such that for all $Q \typecolon \GroupP{2},\; \PairingP(P, Q) = \ParamP{\mathbf{1}}$. @@ -3647,7 +3639,7 @@ Let $\LEBStoOSP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \righta and $\LEOStoIP{} \typecolon (\ell \typecolon \Nat \suchthat \ell \bmod 8 = 0) \times \byteseq{\ell/8} \rightarrow \binaryrange{\ell}$ be as defined in \crossref{endian}. -Define $\AuthProveBase := \FindGroupJHashOf{\ascii{Zcash\_H\_}, \ascii{}}$. +Define $\AuthProveBase := \FindGroupJHash\Of{\ascii{Zcash\_H\_}, \ascii{}}$. Define $\ToScalar(x \typecolon \PRFOutputExpand) := \LEOStoIPOf{\PRFOutputLengthExpand}{x} \pmod{\ParamJ{r}}$. 
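Review bot: In the `-3466` hunk the Bilinearity line is switched to `\PairingP\Of{...}` while the Nondegeneracy line two lines below still reads `\PairingP(P, Q) = \ParamP{\mathbf{1}}$`, so two applications of the same pairing in one itemize now render with different bracket spacing; either change it to `\PairingP\Of{P, Q} = \ParamP{\mathbf{1}}` or keep both as plain parentheses. The same mix of `\reprJ\Of{...}` next to untouched `\reprJ(...)` and `\ExtractJ(...)` on adjacent lines recurs in the `-4172` and `-5158` hunks further down. If the convention is that `\Of` replaces only the former `...Of` macros and plain parentheses stay elsewhere, a line in the commit message saying so would make that explicit.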
@@ -3676,7 +3668,7 @@ the \incomingViewingKey $\InViewingKey \typecolon \InViewingKeyTypeSapling$ are \begin{tabular}{@{\hskip 1.7em}r@{\;}l} $\AuthSignPublic$ &$:= \SpendAuthSigDerivePublic(\AuthSignPrivate)$ \\ $\AuthProvePublic$ &$:= \scalarmult{\AuthProvePrivate}{\AuthProveBase}$ \\ - \plap{$\InViewingKey$}{$\OutViewingKey$} &$:= \CRHivk\big(\reprJOf{\AuthSignPublic}, \reprJOf{\AuthProvePublic}\kern-0.08em\big)$. + \plap{$\InViewingKey$}{$\OutViewingKey$} &$:= \CRHivk\big(\reprJ\Of{\AuthSignPublic}, \reprJ\Of{\AuthProvePublic}\kern-0.08em\big)$. \end{tabular} If $\InViewingKey = 0$, discard this key and repeat with a new $\SpendingKey$. @@ -3765,8 +3757,8 @@ if this happens, discard the key and repeat with a different $\SpendingKey$. $\ToScalar(\PRFexpand{\SpendingKey}([1])) : \SpendingKey \leftarrowR \SpendingKeyType$, is computationally indistinguishable from the uniform distribution on $\GF{\ParamJ{r}}$. Since $\fun{\AuthProvePrivate \typecolon \GF{\ParamJ{r}}^{\vphantom{X}}} - {\reprJOf{\scalarmult{\AuthProvePrivate}{\AuthProveBase}} \typecolon \SubgroupReprJ}$ - is bijective, the distribution of $\reprJOf{\AuthProvePublic}$ will be computationally + {\reprJ\Of{\scalarmult{\AuthProvePrivate}{\AuthProveBase}} \typecolon \SubgroupReprJ}$ + is bijective, the distribution of $\reprJ\Of{\AuthProvePublic}$ will be computationally indistinguishable from the uniform distribution on $\SubgroupReprJ$ which is the keyspace of $\PRFnfSapling{}$. \end{nnotes} @@ -4073,8 +4065,8 @@ the following steps: \begin{tabular}{@{\hskip 2em}r@{\;}l} $\cvNew{}$ &$:= \ValueCommit{\ValueCommitRandNew{}}(\ValueNew{})$ \\[1ex] - $\cmNew{}$ &$:= \NoteCommitSapling{\NoteCommitRandNew{}}(\reprJOf{\DiversifiedTransmitBase}, - \reprJOf{\DiversifiedTransmitPublic}, + $\cmNew{}$ &$:= \NoteCommitSapling{\NoteCommitRandNew{}}(\reprJ\Of{\DiversifiedTransmitBase}, + \reprJ\Of{\DiversifiedTransmitPublic}, \ValueNew{})$ \end{tabular} 
@@ -4172,10 +4164,10 @@ A \dummy{} \Sapling input \note is constructed as follows: \item Choose uniformly random $\NoteCommitRand \leftarrowR \NoteCommitSaplingGenTrapdoor()$. and $\AuthProvePrivate \leftarrowR \GF{\ParamJ{r}}$. \item Compute $\AuthProvePublic = \scalarmult{\AuthProvePrivate}{\AuthProveBase}$ and - $\AuthProvePublicRepr = \reprJOf{\AuthProvePublic}$\,. + $\AuthProvePublicRepr = \reprJ\Of{\AuthProvePublic}$\,. \item Compute $\NoteAddressRand{} = \cmOld{} - = \NoteCommitSapling{\NoteCommitRand}(\reprJOf{\DiversifiedTransmitBase}, - \reprJOf{\DiversifiedTransmitPublic}, + = \NoteCommitSapling{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase}, + \reprJ\Of{\DiversifiedTransmitPublic}, \vOld{})$. \item Compute $\nfOld{} = \PRFnfSapling{\AuthProvePublicRepr}(\reprJ(\NoteAddressRand))$. \item Construct a \dummy \merklePath $\TreePath{}$ for use in the @@ -4816,8 +4808,8 @@ such that the following conditions hold: \vspace{1ex} \snarkcondition{Note commitment integrity} \label{spendnotecommitmentintegrity} -$\cmOld{} = \NoteCommitSapling{\NoteCommitRandOld{}}(\reprJOf{\DiversifiedTransmitBase}, - \reprJOf{\DiversifiedTransmitPublic}, +$\cmOld{} = \NoteCommitSapling{\NoteCommitRandOld{}}(\reprJ\Of{\DiversifiedTransmitBase}, + \reprJ\Of{\DiversifiedTransmitPublic}, \vOld{})$. \vspace{-1ex} @@ -4841,7 +4833,7 @@ and $\scalarmult{\ParamJ{h}}{\AuthSignPublic} \neq \ZeroJ$. $\nfOld{} = \PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRandRepr)$ where \vspace{-1ex} \begin{formulae} - \item $\AuthProvePublicRepr = \reprJOf{\scalarmult{\AuthProvePrivate}{\AuthProveBase}}$ + \item $\AuthProvePublicRepr = \reprJ\Of{\scalarmult{\AuthProvePrivate}{\AuthProveBase}}$ \vspace{-1ex} \item $\NoteAddressRandRepr = \reprJ\big(\MixingPedersenHash(\cmOld{}, \NotePosition)\kern-0.12em\big)$. \end{formulae} 
@@ -4858,7 +4850,7 @@ $\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBas \begin{formulae} \item $\InViewingKey = \CRHivk(\AuthSignPublicRepr, \AuthProvePublicRepr)$ \vspace{-1ex} - \item $\AuthSignPublicRepr = \reprJOf{\AuthSignPublic}$\,. + \item $\AuthSignPublicRepr = \reprJ\Of{\AuthSignPublic}$\,. \end{formulae} \vspace{1ex} @@ -4923,7 +4915,7 @@ such that the following conditions hold: $\cmU = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRandNew{}}(\DiversifiedTransmitBaseRepr, \DiversifiedTransmitPublicRepr, \vNew{})\kern-0.12em\big)$, -where $\DiversifiedTransmitBaseRepr = \reprJOf{\DiversifiedTransmitBase}$\,. +where $\DiversifiedTransmitBaseRepr = \reprJ\Of{\DiversifiedTransmitBase}$\,. \snarkcondition{Value commitment integrity} \label{outputvaluecommitmentintegrity} @@ -5158,7 +5150,7 @@ Then to encrypt: \item else: \item \tab let $\cvField = \LEBStoOSP{\ellJ}\big(\reprJ(\cvNew{})\kern-0.12em\big)$ \item \tab let $\cmField = \LEBStoOSP{256}\big(\ExtractJ(\cmNew{})\kern-0.15em\big)$ - \item \tab let $\ephemeralKey = \LEBStoOSPOf{\ellJ}{\reprJOf{\EphemeralPublic}}$ + \item \tab let $\ephemeralKey = \LEBStoOSPOf{\ellJ}{\reprJ\Of{\EphemeralPublic}}$ \item \tab let $\OutCipherKey = \PRFock{\OutViewingKey}(\cvField, \cmField, \ephemeralKey)$ \item \tab let $\OutPlaintext = \LEBStoOSPOf{\ellJ + 256}{\reprJ(\DiversifiedTransmitPublicNew) \,\bconcat\, \ItoLEBSPOf{256}{\EphemeralPrivate}\kern-0.12em}$ \item \vspace{-2ex} 
@@ -5205,8 +5197,8 @@ components of the \noteCiphertext as follows: and $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$ \item if $\NoteCommitRand \geq \ParamJ{r}$ or $\DiversifiedTransmitBase = \bot$, return $\bot$ \item let $\DiversifiedTransmitPublic = \KASaplingDerivePublic(\InViewingKey, \DiversifiedTransmitBase)$ - \item let $\cmU' = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRandNew{}}(\reprJOf{\DiversifiedTransmitBase}, - \reprJOf{\DiversifiedTransmitPublic}, + \item let $\cmU' = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRandNew{}}(\reprJ\Of{\DiversifiedTransmitBase}, + \reprJ\Of{\DiversifiedTransmitPublic}, \Value)\kern-0.12em\big)$. \item if $\LEBStoOSPOf{256}{\cmU'} \neq \cmField$, return $\bot$, else return $\NotePlaintext{}$. \end{algorithm} @@ -5255,7 +5247,7 @@ The \outgoingViewingKey holder will attempt to decrypt the \noteCiphertext as fo \item extract $(\DiversifiedTransmitPublicRepr \typecolon \ReprJ, \EphemeralPrivateBytes \typecolon \EphemeralPrivateBytesType)$ from $\OutPlaintext$ \item let $\EphemeralPrivate = \LEOStoIPOf{256}{\EphemeralPrivateBytes}$ - and $\DiversifiedTransmitPublic = \abstJOf{\DiversifiedTransmitPublicRepr}$ + and $\DiversifiedTransmitPublic = \abstJ\Of{\DiversifiedTransmitPublicRepr}$ \item if $\EphemeralPrivate \geq \ParamJ{r}$ or $\DiversifiedTransmitPublic \notin \KASaplingPublicPrimeOrder$, return $\bot$ \item let $\DHSecret{} = \KASaplingAgree(\EphemeralPrivate, \DiversifiedTransmitPublic)$ \item let $\TransmitKey{} = \KDFSapling(\DHSecret{}, \EphemeralPublic)$ 
@@ -5268,8 +5260,8 @@ The \outgoingViewingKey holder will attempt to decrypt the \noteCiphertext as fo \item if $\NoteCommitRand \geq \ParamJ{r}$ or $\DiversifiedTransmitBase = \bot$, return $\bot$ \item if $\KASaplingDerivePublic(\EphemeralPrivate, \DiversifiedTransmitBase) \neq \EphemeralPublic$, return $\bot$ - \item let $\cmU' = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRandNew{}}(\reprJOf{\DiversifiedTransmitBase}, - \reprJOf{\DiversifiedTransmitPublic}, + \item let $\cmU' = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRandNew{}}(\reprJ\Of{\DiversifiedTransmitBase}, + \reprJ\Of{\DiversifiedTransmitPublic}, \Value)\kern-0.12em\big)$. \item if $\LEBStoOSPOf{256}{\cmU'} \neq \cmField$, return $\bot$, else return $\NotePlaintext{}$. \end{algorithm} @@ -5277,7 +5269,7 @@ The \outgoingViewingKey holder will attempt to decrypt the \noteCiphertext as fo \vspace{-2ex} \pnote{For a valid \transaction it must be the case that -$\ephemeralKey = \LEBStoOSP{\ellJ}\big(\reprJOf{\EphemeralPublic}\kern-0.15em\big)$.} +$\ephemeralKey = \LEBStoOSP{\ellJ}\big(\reprJ\Of{\EphemeralPublic}\kern-0.15em\big)$.} \subsection{\Blockchain{} Scanning\pSproutOrNothing} \label{sproutscan} @@ -5798,7 +5790,8 @@ Define \vspace{-1ex} \begin{formulae} - \item $\DiversifyHash(\Diversifier) := \GroupJHash{\NotUpMySleeve}(\ascii{Zcash\_gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier})$ + \item $\DiversifyHash(\Diversifier) := + \GroupJHash{\NotUpMySleeve}\Of{\ascii{Zcash\_gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier}\kern-0.1em}$ \end{formulae} \vspace{-3ex} @@ -5862,7 +5855,7 @@ Let $c := 63$. Define $\PedersenGenAlg \typecolon \byteseq{8} \times \Nat \rightarrow \PrimeOrderJ$ by: \begin{formulae} - \item $\PedersenGen{D}{i} := \FindGroupJHashOf{D, \Justthebox{\gencountbox}}$. + \item $\PedersenGen{D}{i} := \FindGroupJHash\Of{D, \Justthebox{\gencountbox}}$. \end{formulae} \newcommand{\sj}[1]{s^{\kern 0.02em j}_{#1}} 
@@ -5899,7 +5892,7 @@ $\PedersenEncode{\paramdot} \typecolon \bitseq{3 \mult \range{1}{c}} \rightarrow Finally, define $\PedersenHash \typecolon \byteseq{8} \times \bitseq{\PosInt} \rightarrow \MerkleHashSapling$ by: \begin{formulae} - \item $\PedersenHash(D, M) := \ExtractJ(\PedersenHashToPoint(D, M))$. + \item $\PedersenHash(D, M) := \ExtractJ\big(\PedersenHashToPoint\Of{D, M}\kern-0.1em\big)$. \end{formulae} See \crossref{cctpedersenhash} for rationale and efficient circuit implementation @@ -5971,7 +5964,7 @@ $\UncommittedSapling = \ItoLEBSPOf{\MerkleHashLengthSapling}{1}$ is not in the r By injectivity of $\ItoLEBSP{\MerkleHashLengthSapling}$ and the definitions of $\PedersenHash$ and $\ExtractJ$, $\ItoLEBSPOf{\smash{\MerkleHashLengthSapling}}{1}$ can be in the range of $\PedersenHash$ only if there exist -$(D \typecolon \byteseq{8}$, $M \typecolon \bitseq{\PosInt})$ such that $\SelectuOf{\PedersenHashToPoint(D, M)} = 1$. +$(D \typecolon \byteseq{8}$, $M \typecolon \bitseq{\PosInt})$ such that $\Selectu\Of{\PedersenHashToPoint(D, M)} = 1$. The latter can only be the affine-Edwards $u$-coordinate of a point in $\strut\GroupJ$. We show that there are no points in $\GroupJ$ with affine-Edwards $u$-coordinate $1$. Suppose for a contradiction that $(u, \varv) \in \GroupJ$ for $u = 1$ and some @@ -5991,7 +5984,7 @@ A mixing \xPedersenHash is used to compute $\NoteAddressRand$ from $\cm$ and $\NotePosition$ in \crossref{commitmentsandnullifiers}. It takes as input a \xPedersenCommitment $P$, and hashes it with another input $x$. -Define $\NotePositionBase := \FindGroupJHashOf{\ascii{Zcash\_J\_}, \ascii{}}$. +Define $\NotePositionBase := \FindGroupJHash\Of{\ascii{Zcash\_J\_}, \ascii{}}$. We define $\MixingPedersenHash \typecolon \GroupJ \times \range{0}{\ParamJ{r}-1} \rightarrow \GroupJ$ by: 
@@ -6385,8 +6378,8 @@ Define $\KASaplingAgree(\sk, P) := \scalarmult{\ParamJ{h} \mult \sk}{P}$. \begin{lrbox}{\kdfsaplinginputbox} \setsapling \begin{bytefield}[bitwidth=0.07em]{544} - \sbitbox{256}{$\LEBStoOSPOf{256}{\reprJOf{\DHSecret{}}\hairspace}$} & - \sbitbox{256}{$\LEBStoOSPOf{256}{\reprJOf{\EphemeralPublic}\hairspace}$} + \sbitbox{256}{$\LEBStoOSPOf{256}{\reprJ\Of{\DHSecret{}}\hairspace}$} & + \sbitbox{256}{$\LEBStoOSPOf{256}{\reprJ\Of{\EphemeralPublic}\hairspace}$} \end{bytefield} \end{lrbox} @@ -6553,8 +6546,8 @@ Define $\RedDSASign{} \typecolon (\sk \typecolon \RedDSAPrivate) \times (M \type \item Choose a byte sequence $T$ uniformly at random on $\byteseq{(\RedDSAHashLength+128)/8}$. \item Let $r = \RedDSAHashToScalar(T \bconcat M)$. \item Let $\RedDSASigR{} = \scalarmult{r}{\GenG{}}$. - \item Let $\RedDSAReprR{} = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\RedDSASigR{}}}$. - \item Let $\vkBytes{} = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\RedDSADerivePublic(\sk)}\kern 0.05em}$. + \item Let $\RedDSAReprR{} = \LEBStoOSPOf{\ellG{}}{\reprG{}\Of{\RedDSASigR{}}\kern 0.05em}$. + \item Let $\vkBytes{} = \LEBStoOSPOf{\ellG{}}{\reprG{}\Of{\RedDSADerivePublic(\sk)}\kern 0.05em}$. \item Let $\RedDSASigS{} = (r + \RedDSAHashToScalar(\RedDSAReprR{} \bconcat \vkBytes{} \bconcat M) \mult \sk) \bmod \ParamG{r}$. \item Let $\RedDSAReprS{} = \LEBStoOSPOf{\bitlength(\ParamG{r})}{\ItoLEBSPOf{\bitlength(\ParamG{r})}{\RedDSASigS{}}\kern-0.16em}$. \item Return $\RedDSAReprR{} \bconcat \RedDSAReprS{}$. 
@@ -6568,7 +6561,7 @@ Define $\RedDSAVerify{} \typecolon (\vk \typecolon \RedDSAPublic) \times (M \typ let $\RedDSAReprS{}$ be the remaining $\ceiling{\bitlength(\ParamG{r})/8}$ bytes. \item Let $\RedDSASigR{} = \abstG{}\big(\LEOStoBSP{\ellG{}}(\RedDSAReprR{})\kern-0.1em\big)$, and let $\RedDSASigS{} = \LEOStoIP{\bitlength(\ParamG{r})}(\RedDSAReprS{})$. - \item Let $\vkBytes{} = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\vk}}$. + \item Let $\vkBytes{} = \LEBStoOSPOf{\ellG{}}{\reprG{}\Of{\vk}}$. \vspace{-0.5ex} \item Let $\RedDSASigc{} = \RedDSAHashToScalar(\RedDSAReprR{} \bconcat \vkBytes{} \bconcat M)$. \vspace{0.5ex} @@ -6608,7 +6601,7 @@ As required, $\RedDSADerivePublic$ is a group homomorphism: \end{tabular} \vspace{1ex} -A $\RedDSA$ public key $\vk$ can be encoded as a bit sequence $\reprGOf{}{\vk}$\, of +A $\RedDSA$ public key $\vk$ can be encoded as a bit sequence $\reprG{}\Of{\vk}$\, of length $\ellG{}$ bits (or as a corresponding byte sequence $\vkBytes{}$ by then applying $\LEBStoOSP{\ellG{}}$). \vspace{2ex} @@ -6630,7 +6623,7 @@ $\BindingSig$ and $\SpendAuthSig$. Let $\RedJubjub$ be as defined in \crossref{concreteredjubjub}. -Define $\AuthSignBase := \FindGroupJHashOf{\ascii{Zcash\_G\_}, \ascii{}}$. +Define $\AuthSignBase := \FindGroupJHash\Of{\ascii{Zcash\_G\_}, \ascii{}}$. $\SpendAuthSig$ is instantiated as $\RedJubjub$ with key re-randomization, and with generator $\GenG{} = \AuthSignBase$. @@ -6721,7 +6714,7 @@ and adding a randomized point on the \jubjubCurve (see \crossref{jubjub}): \begin{formulae} \item $\WindowedPedersenCommit{r}(s) := - \PedersenHashToPoint(\ascii{Zcash\_PH}, s) + \scalarmult{r}{\FindGroupJHashOf{\ascii{Zcash\_PH}, \ascii{r}}}$ + \PedersenHashToPoint\Of{\ascii{Zcash\_PH}, s}\, + \scalarmult{r}{\FindGroupJHash\Of{\ascii{Zcash\_PH}, \ascii{r}}}$ \end{formulae} See \crossref{cctwindowedcommit} for rationale and efficient circuit implementation 
@@ -6771,7 +6764,7 @@ In order to support this property, we also define \quotedterm{homomorphic} \begin{formulae} \item $\HomomorphicPedersenCommit{\ValueCommitRand}(D, \Value) := - \scalarmult{\Value}{\FindGroupJHashOf{D, \ascii{v}}} + \scalarmult{\ValueCommitRand}{\FindGroupJHashOf{D, \ascii{r}}}$ + \scalarmult{\Value}{\FindGroupJHash\Of{D, \ascii{v}}} + \scalarmult{\ValueCommitRand}{\FindGroupJHash\Of{D, \ascii{r}}}$ \item $\ValueCommitGenTrapdoor()$ generates the uniform distribution on $\GF{\ParamJ{r}}$. \end{formulae} @@ -6782,9 +6775,9 @@ of this function. Define: \begin{formulae} \vspace{-0.5ex} - \item $\ValueCommitValueBase := \FindGroupJHashOf{\ascii{Zcash\_cv}, \ascii{v}}$ + \item $\ValueCommitValueBase := \FindGroupJHash\Of{\ascii{Zcash\_cv}, \ascii{v}}$ \vspace{-0.5ex} - \item $\ValueCommitRandBase := \FindGroupJHashOf{\ascii{Zcash\_cv}, \ascii{r}}$. + \item $\ValueCommitRandBase := \FindGroupJHash\Of{\ascii{Zcash\_cv}, \ascii{r}}$. \end{formulae} \introlist @@ -7107,12 +7100,12 @@ Define $\ItoLEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} as in \crossref{endian}. Define $\reprJ \typecolon \GroupJ \rightarrow \ReprJ$ such -that $\reprJOf{u, \varv} = \ItoLEBSPOf{256}{\varv + 2^{255} \smult \tilde{u}}$, where +that $\reprJ\Of{u, \varv} = \ItoLEBSPOf{256}{\varv + 2^{255} \smult \tilde{u}}$, where $\tilde{u} = u \bmod 2$. Let $\abstJ \typecolon \ReprJ \rightarrow \maybe{\GroupJ}$ be the left inverse of $\reprJ$ such that if $S$ is not in the range of -$\reprJ$, then $\abstJOf{S} = \bot$. +$\reprJ$, then $\abstJ\Of{S} = \bot$. Define $\SubgroupJ$ as the order-$\ParamJ{r}$ subgroup of $\GroupJ$. Note that this includes $\ZeroJ$. For the set of prime-order points we write $\PrimeOrderJ$. 
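Review bot: The `-6771` hunk writes `\scalarmult{\Value}{\FindGroupJHash\Of{D, \ascii{v}}} + \scalarmult{\ValueCommitRand}{...}` without a thin space, while the restatement of the same `\HomomorphicPedersenCommit` formula in the `-11287` hunk adds `\,` before the `+`; the two copies are meant to be the same equation and should be spaced identically. The `\WindowedPedersenCommit` pair in the `-6721` and `-11261` hunks already agrees (both use `\,`), so adding `\,` here, `\scalarmult{\Value}{\FindGroupJHash\Of{D, \ascii{v}}}\, + \scalarmult{\ValueCommitRand}{\FindGroupJHash\Of{D, \ascii{r}}}$`, is the smaller change.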
@@ -7142,11 +7135,11 @@ other conditions on points, for example that they have order at least $\ParamJ{r \sapling{ \subsubsubsection{\HashExtractor{} for \Jubjub} \label{concreteextractorjubjub} -Let $\SelectuOf{(u, \varv)} = u$ and let $\SelectvOf{(u, \varv)} = \varv$. +Let $\Selectu\Of{(u, \varv)} = u$ and let $\Selectv\Of{(u, \varv)} = \varv$. Define $\ExtractJ \typecolon \SubgroupJ \rightarrow \MerkleHashSapling$ by \begin{formulae} - \item $\ExtractJ(P) := \ItoLEBSPOf{\MerkleHashLengthSapling}{\SelectuOf{P}}$. + \item $\ExtractJ(P) := \ItoLEBSPOf{\MerkleHashLengthSapling}{\Selectu\Of{P}}$. \end{formulae} \vspace{-2ex} @@ -7170,7 +7163,7 @@ Therefore, $-\varv \neq \varv$. Now suppose $(u, -\varv) = Q$ is a point in $\SubgroupJ$. Then by applying the doubling formula we have $\scalarmult{2}{Q} = -\scalarmult{2}{P}$. But also $\scalarmult{2}{(-P)} = -\scalarmult{2}{P}$. Therefore either -$Q = -P$ (then $\SelectvOf{Q} = \SelectvOf{-P}$\,; contradiction since +$Q = -P$ (then $\Selectv\Of{Q} = \Selectv\Of{-P}$\,; contradiction since $-\varv \neq \varv$), or doubling is not injective on $\SubgroupJ$ (contradiction since $\SubgroupJ$ is of odd order \cite{KvE2013}). \end{proof} @@ -7228,7 +7221,7 @@ The hash $\GroupJHash{\URS}(D, M) \typecolon \PrimeOrderJ$ is calculated as foll \begin{algorithm} \item let $\HashOutput = \BlakeTwos{256}(D,\, \URS \bconcat\, M)$ - \item let $P = \abstJOf{\LEOStoBSP{256}(\HashOutput)\kern-0.12em}$ + \item let $P = \abstJ\Of{\LEOStoBSP{256}(\HashOutput)\kern-0.12em}$ \item if $P = \bot$ then return $\bot$ \item let $Q = \scalarmult{\ParamJ{h}}{P}$ \item if $Q = \ZeroJ$ then return $\bot$, else return $Q$. 
@@ -7244,7 +7237,7 @@ The hash $\GroupJHash{\URS}(D, M) \typecolon \PrimeOrderJ$ is calculated as foll $\vphantom{a^b}\BlakeTwos{256}$ in the security analysis. $\exclusivefun{\HashOutput \typecolon \byteseq{32}} - {\abstJOf{\LEOStoBSP{256}(\HashOutput)\kern-0.12em} \typecolon \GroupJ}{\bot}$ + {\abstJ\Of{\LEOStoBSP{256}(\HashOutput)\kern-0.12em} \typecolon \GroupJ}{\bot}$ is injective, and both it and its inverse are efficiently computable. $\exclusivefun{P \typecolon \GroupJ} @@ -7262,7 +7255,7 @@ Define $\first \typecolon (\byte \rightarrow \maybe{T}) \rightarrow \maybe{T}$ so that $\first(f) = f(i)$ where $i$ is the least integer in $\byte$ such that $f(i) \neq \bot$, or $\bot$ if no such $i$ exists. -Define $\FindGroupJHashOf{D, M} := +Define $\FindGroupJHash(D, M) := \first(\fun{i \typecolon \byte}{\GroupJHash{\URS}(D, M \bconcat\, [i]) \typecolon \maybe{(\PrimeOrderJ)}})$. \vspace{-3ex} @@ -7673,7 +7666,7 @@ The raw encoding of a \Sapling \paymentAddress consists of: \begin{equation*} \begin{bytefield}[bitwidth=0.07em]{344} \sbitbox{120}{$\LEBStoOSPOf{88}{\Diversifier}$} - \sbitbox{256}{$\LEBStoOSPOf{256}{\reprJOf{\DiversifiedTransmitPublic}\kern 0.05em}$} + \sbitbox{256}{$\LEBStoOSPOf{256}{\reprJ\Of{\DiversifiedTransmitPublic}\kern 0.05em}$} \end{bytefield} \end{equation*} @@ -7795,8 +7788,8 @@ The raw encoding of a \fullViewingKey consists of: \vspace{1ex} \begin{equation*} \begin{bytefield}[bitwidth=0.05em]{512} - \sbitbox{256}{$\LEBStoOSPOf{256}{\reprJOf{\AuthSignPublic}\kern 0.05em}$} - \sbitbox{256}{$\LEBStoOSPOf{256}{\reprJOf{\AuthProvePublic}\kern 0.05em}$} + \sbitbox{256}{$\LEBStoOSPOf{256}{\reprJ\Of{\AuthSignPublic}\kern 0.05em}$} + \sbitbox{256}{$\LEBStoOSPOf{256}{\reprJ\Of{\AuthProvePublic}\kern 0.05em}$} \sbitbox{256}{$32$-byte $\OutViewingKey$} \end{bytefield} \end{equation*} 
@@ -8308,7 +8301,7 @@ Bytes & \heading{Name} & \heading{Data Type} & \heading{Description} \\ \hhline{|=|=|=|=|} $32$ & $\cvField$ & \type{char[32]} & A \valueCommitment to the value of the input \note, -$\LEBStoOSPOf{256}{\reprJOf{\cv}}$. \\ \hline +$\LEBStoOSPOf{256}{\reprJ\Of{\cv}}$. \\ \hline $32$ & $\anchorField$ & \type{char[32]} & A \merkleRoot of the \Sapling \noteCommitmentTree at some \blockHeight in the past, $\LEBStoOSPOf{256}{\rt}$. \\ \hline @@ -8317,7 +8310,7 @@ $32$ & $\nullifierField$ & \type{char[32]} & The \nullifier of the input \note, $\LEBStoOSPOf{256}{\nf}$. \\ \hline $32$ & $\rkField$ & \type{char[32]} & The randomized public key for $\spendAuthSig$, -$\LEBStoOSPOf{256}{\reprJOf{\AuthSignRandomizedPublic}\kern 0.05em}$. \\ \hline +$\LEBStoOSPOf{256}{\reprJ\Of{\AuthSignRandomizedPublic}\kern 0.05em}$. \\ \hline $192$ & $\zkproof$ & \type{char[192]} & An encoding of the \zeroKnowledgeProof $\ProofSpend$ (see \crossref{groth}). \\ \hline @@ -8354,13 +8347,13 @@ Bytes & \heading{Name} & \heading{Data Type} & \heading{Description} \\ \hhline{|=|=|=|=|} $32$ & $\cvField$ & \type{char[32]} & A \valueCommitment to the value of the output \note, -$\LEBStoOSPOf{256}{\reprJOf{\cv}\kern 0.05em}$. \\ \hline +$\LEBStoOSPOf{256}{\reprJ\Of{\cv}\kern 0.05em}$. \\ \hline $32$ & $\cmField$ & \type{char[32]} & The $u$-coordinate of the \noteCommitment for the output \note, $\LEBStoOSPOf{256}{\cmU}$ where $\cmU = \ExtractJ(\cm)$. \\ \hline $32$ & $\ephemeralKey$ & \type{char[32]} & An encoding of an ephemeral $\JubjubCurve$ public key, -$\LEBStoOSPOf{256}{\reprJOf{\EphemeralPublic}}$. \\ \hline +$\LEBStoOSPOf{256}{\reprJ\Of{\EphemeralPublic}}$. \\ \hline $580$ & $\encCiphertext$ & \type{char[580]} & A ciphertext component for the encrypted output \note, $\TransmitCiphertext{}$. \\ \hline 
@@ -9854,7 +9847,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. computed and separating it from the \authRandomizedVerifyingKey ($\AuthSignRandomizedPublic$). \item Clarify conversions between bit and byte sequences for - $\SpendingKey$, $\reprJOf{\AuthSignPublic}$, and $\reprJOf{\AuthProvePublic}$. + $\SpendingKey$, $\reprJ\Of{\AuthSignPublic}$, and $\reprJ\Of{\AuthProvePublic}$. } %sapling \item Change the \texttt{Makefile} to avoid multiple reloads in PDF readers while rebuilding the PDF. @@ -11039,7 +11032,7 @@ Given $k = \vsum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$ \begin{algorithm} \item // $\Base_i = \scalarmult{2^i}{B}$ - \item let $\Base^u_0 = \SelectuOf{B}$ + \item let $\Base^u_0 = \Selectu\Of{B}$ \item let $\Base^{\vv}_0\hairspace = B_{\vv}$ \item let $\Acc^u_0 = k_0 \bchoose B^u : 0$ \item let $\Acc^{\vv}_0\hairspace = k_0 \bchoose B^{\vv} : 1$ @@ -11261,7 +11254,7 @@ implementation, and adding a randomized point: \begin{formulae} \item $\WindowedPedersenCommit{r}(s) = - \PedersenHashToPoint(\ascii{Zcash\_PH}, s) + \scalarmult{r}{\FindGroupJHashOf{\ascii{Zcash\_PH}, \ascii{r}}}$ + \PedersenHashToPoint\Of{\ascii{Zcash\_PH}, s}\, + \scalarmult{r}{\FindGroupJHash\Of{\ascii{Zcash\_PH}, \ascii{r}}}$ \end{formulae} \introlist @@ -11287,7 +11280,7 @@ as follows: \begin{formulae} \item $\HomomorphicPedersenCommit{\ValueCommitRand}(D, \Value) = - \scalarmult{\Value}{\FindGroupJHashOf{D, \ascii{v}}} + \scalarmult{\ValueCommitRand}{\FindGroupJHashOf{D, \ascii{r}}}$ + \scalarmult{\Value}{\FindGroupJHash\Of{D, \ascii{v}}}\, + \scalarmult{\ValueCommitRand}{\FindGroupJHash\Of{D, \ascii{r}}}$ \end{formulae} In the case that we need for $\ValueCommit{}$, $\Value$ has $64$ 
@@ -11443,10 +11436,10 @@ Define $\MillerLoopS \typecolon \GroupS{1} \times \GroupS{2} \rightarrow \GroupS and $\FinalExpS \typecolon \GroupS{T} \rightarrow \GroupS{T}$ to be the Miller loop and final exponentiation respectively of the pairing computation, so that: \begin{formulae} - \item $\PairingS(P, Q) = \FinalExpS(\MillerLoopS(P, Q))$ + \item $\PairingS\Of{P, Q} = \FinalExpS\Of{\MillerLoopS\Of{P, Q}\kern 0.05em}$ \end{formulae} \vspace{-1ex} -where $\FinalExpS(R) = R^{t}$ for some fixed $t$. +where $\FinalExpS\Of{R} = R^{t}$ for some fixed $t$. \vspace{2ex} Define $\GrothProofS := \GroupSstar{1} \times \SubgroupSstar{2} \times \GroupSstar{1}$.