mirror of https://github.com/zcash/zips.git
Macro simplifications.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
0a1a01513f
commit
b2f42d987c
|
@ -881,6 +881,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\constraint}[3]{\lincomb{#1}\hairspace \vartimes\hairspace \lincomb{#2}\hairspace =\hairspace \lincomb{#3}}
|
\newcommand{\constraint}[3]{\lincomb{#1}\hairspace \vartimes\hairspace \lincomb{#2}\hairspace =\hairspace \lincomb{#3}}
|
||||||
\newcommand{\lconstraint}[1]{\lincomb{#1}\hairspace \vartimes\mhspace{0.25em}}
|
\newcommand{\lconstraint}[1]{\lincomb{#1}\hairspace \vartimes\mhspace{0.25em}}
|
||||||
\newcommand{\maybe}[1]{{#1} \union \setof{\bot}}
|
\newcommand{\maybe}[1]{{#1} \union \setof{\bot}}
|
||||||
|
\newcommand{\Of}[1]{\!\left({#1}\right)\!}
|
||||||
|
|
||||||
|
|
||||||
% Hashes
|
% Hashes
|
||||||
|
@ -1504,9 +1505,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\Zero}{\mathcal{O}}
|
\newcommand{\Zero}{\mathcal{O}}
|
||||||
\newcommand{\Generator}{\mathcal{P}}
|
\newcommand{\Generator}{\mathcal{P}}
|
||||||
\newcommand{\Selectu}{\scalebox{1.53}{$u$}}
|
\newcommand{\Selectu}{\scalebox{1.53}{$u$}}
|
||||||
\newcommand{\SelectuOf}[1]{\Selectu\!\left({#1}\right)\!}
|
|
||||||
\newcommand{\Selectv}{\scalebox{1.53}{$\varv$}}
|
\newcommand{\Selectv}{\scalebox{1.53}{$\varv$}}
|
||||||
\newcommand{\SelectvOf}[1]{\Selectv\!\left({#1}\right)\!}
|
|
||||||
\newcommand{\subgroupr}{(\kern-0.075emr\kern-0.075em)}
|
\newcommand{\subgroupr}{(\kern-0.075emr\kern-0.075em)}
|
||||||
\newcommand{\Extract}{\mathsf{Extract}}
|
\newcommand{\Extract}{\mathsf{Extract}}
|
||||||
\newcommand{\GroupHash}{\mathsf{GroupHash}}
|
\newcommand{\GroupHash}{\mathsf{GroupHash}}
|
||||||
|
@ -1537,9 +1536,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\ellG}[1]{\ell_{\GroupG{#1}}}
|
\newcommand{\ellG}[1]{\ell_{\GroupG{#1}}}
|
||||||
\newcommand{\ReprG}[1]{\bitseq{\ellG{#1}}}
|
\newcommand{\ReprG}[1]{\bitseq{\ellG{#1}}}
|
||||||
\newcommand{\reprG}[1]{\repr_{\GroupG{#1}}}
|
\newcommand{\reprG}[1]{\repr_{\GroupG{#1}}}
|
||||||
\newcommand{\reprGOf}[2]{\reprG{#1}\!\left({#2}\right)\!}
|
|
||||||
\newcommand{\abstG}[1]{\abst_{\GroupG{#1}}}
|
\newcommand{\abstG}[1]{\abst_{\GroupG{#1}}}
|
||||||
\newcommand{\abstGOf}[2]{\abstG{#1}\!\left({#2}\right)\!}
|
|
||||||
\newcommand{\PairingG}{\ParamG{\hat{e}}}
|
\newcommand{\PairingG}{\ParamG{\hat{e}}}
|
||||||
|
|
||||||
\newcommand{\ExtractG}{\Extract_{\SubgroupG}}
|
\newcommand{\ExtractG}{\Extract_{\SubgroupG}}
|
||||||
|
@ -1557,10 +1554,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\ZeroS}[1]{\Zero_{\GroupS{#1}}}
|
\newcommand{\ZeroS}[1]{\Zero_{\GroupS{#1}}}
|
||||||
\newcommand{\GenS}[1]{\Generator_{\GroupS{#1}}}
|
\newcommand{\GenS}[1]{\Generator_{\GroupS{#1}}}
|
||||||
\newcommand{\ellS}[1]{\ell_{\GroupS{#1}}}
|
\newcommand{\ellS}[1]{\ell_{\GroupS{#1}}}
|
||||||
\newcommand{\reprS}[1]{\repr_{\GroupG{#1}}}
|
\newcommand{\reprS}[1]{\repr_{\GroupS{#1}}}
|
||||||
\newcommand{\reprSOf}[1]{\reprS\!\left({#1}\right)\!}
|
\newcommand{\abstS}[1]{\abst_{\GroupS{#1}}}
|
||||||
\newcommand{\abstS}{\abst_{\GroupS}}
|
|
||||||
\newcommand{\abstSOf}[1]{\abstS\!\left({#1}\right)\!}
|
|
||||||
\newcommand{\PairingS}{\ParamS{\hat{e}}}
|
\newcommand{\PairingS}{\ParamS{\hat{e}}}
|
||||||
\newcommand{\MillerLoopS}{\ParamS{\mathsf{MillerLoop}}}
|
\newcommand{\MillerLoopS}{\ParamS{\mathsf{MillerLoop}}}
|
||||||
\newcommand{\FinalExpS}{\ParamS{\mathsf{FinalExp}}}
|
\newcommand{\FinalExpS}{\ParamS{\mathsf{FinalExp}}}
|
||||||
|
@ -1579,9 +1574,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\ReprJ}{\bitseq{\ellJ}}
|
\newcommand{\ReprJ}{\bitseq{\ellJ}}
|
||||||
\newcommand{\ReprJBytes}{\byteseq{\ellJ/8}}
|
\newcommand{\ReprJBytes}{\byteseq{\ellJ/8}}
|
||||||
\newcommand{\reprJ}{\repr_{\GroupJ}}
|
\newcommand{\reprJ}{\repr_{\GroupJ}}
|
||||||
\newcommand{\reprJOf}[1]{\reprJ\!\left({#1}\right)\!}
|
|
||||||
\newcommand{\abstJ}{\abst_{\GroupJ}}
|
\newcommand{\abstJ}{\abst_{\GroupJ}}
|
||||||
\newcommand{\abstJOf}[1]{\abstJ\!\left({#1}\right)\!}
|
|
||||||
\newcommand{\SignedScalarLimitJ}{\frac{\ParamJ{r}-1}{2}}
|
\newcommand{\SignedScalarLimitJ}{\frac{\ParamJ{r}-1}{2}}
|
||||||
|
|
||||||
\newcommand{\ExtractJ}{\Extract_{\SubgroupJ}}
|
\newcommand{\ExtractJ}{\Extract_{\SubgroupJ}}
|
||||||
|
@ -1590,7 +1583,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
||||||
\newcommand{\GroupJHashInput}{\GroupJHash{}\mathsf{.Input}}
|
\newcommand{\GroupJHashInput}{\GroupJHash{}\mathsf{.Input}}
|
||||||
\newcommand{\HashOutput}{\bytes{H}}
|
\newcommand{\HashOutput}{\bytes{H}}
|
||||||
\newcommand{\FindGroupJHash}{\FindGroupHash^{\SubgroupJ}}
|
\newcommand{\FindGroupJHash}{\FindGroupHash^{\SubgroupJ}}
|
||||||
\newcommand{\FindGroupJHashOf}[1]{\FindGroupJHash\!\left({#1}\right)\!}
|
|
||||||
|
|
||||||
\newcommand{\ParamM}[1]{{{#1}_\mathbb{\hskip 0.03em M}}}
|
\newcommand{\ParamM}[1]{{{#1}_\mathbb{\hskip 0.03em M}}}
|
||||||
\newcommand{\ParamMexp}[2]{{{#1}_\mathbb{\hskip 0.03em M}\!}^{#2}}
|
\newcommand{\ParamMexp}[2]{{{#1}_\mathbb{\hskip 0.03em M}\!}^{#2}}
|
||||||
|
@ -2365,8 +2357,8 @@ $\NoteTuple{} = (\Diversifier, \DiversifiedTransmitPublic, \Value, \NoteCommitRa
|
||||||
\vspace{-1ex}
|
\vspace{-1ex}
|
||||||
\item $\NoteCommitmentSapling(\NoteTuple{}) := \begin{cases}
|
\item $\NoteCommitmentSapling(\NoteTuple{}) := \begin{cases}
|
||||||
\bot, &\caseif \DiversifiedTransmitBase = \bot \\
|
\bot, &\caseif \DiversifiedTransmitBase = \bot \\
|
||||||
\NoteCommitSapling{\NoteCommitRand}(\reprJOf{\DiversifiedTransmitBase},
|
\NoteCommitSapling{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase},
|
||||||
\reprJOf{\DiversifiedTransmitPublic},
|
\reprJ\Of{\DiversifiedTransmitPublic},
|
||||||
\Value), &\caseotherwise.
|
\Value), &\caseotherwise.
|
||||||
\end{cases}$
|
\end{cases}$
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
@ -3466,7 +3458,7 @@ A \representedPairing $\GroupP{}$ consists of:
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item (Bilinearity)\; for all $a, b \typecolon \GFstar{r}$,
|
\item (Bilinearity)\; for all $a, b \typecolon \GFstar{r}$,
|
||||||
$P \typecolon \GroupP{1}$, and $Q \typecolon \GroupP{2}$,\;
|
$P \typecolon \GroupP{1}$, and $Q \typecolon \GroupP{2}$,\;
|
||||||
$\PairingP(\scalarmult{a}{P}, \scalarmult{b}{Q}) = \PairingP(P, Q)^{a \mult b}$;\, and
|
$\PairingP\Of{\scalarmult{a}{P}, \scalarmult{b}{Q}} = \PairingP\Of{P, Q}^{a \mult b}$;\, and
|
||||||
\item (Nondegeneracy)\; there does not exist $P \typecolon \GroupP{1} \setminus \ZeroP{1}$
|
\item (Nondegeneracy)\; there does not exist $P \typecolon \GroupP{1} \setminus \ZeroP{1}$
|
||||||
such that for all $Q \typecolon \GroupP{2},\;
|
such that for all $Q \typecolon \GroupP{2},\;
|
||||||
\PairingP(P, Q) = \ParamP{\mathbf{1}}$.
|
\PairingP(P, Q) = \ParamP{\mathbf{1}}$.
|
||||||
|
@ -3647,7 +3639,7 @@ Let $\LEBStoOSP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \righta
|
||||||
and $\LEOStoIP{} \typecolon (\ell \typecolon \Nat \suchthat \ell \bmod 8 = 0) \times \byteseq{\ell/8} \rightarrow \binaryrange{\ell}$
|
and $\LEOStoIP{} \typecolon (\ell \typecolon \Nat \suchthat \ell \bmod 8 = 0) \times \byteseq{\ell/8} \rightarrow \binaryrange{\ell}$
|
||||||
be as defined in \crossref{endian}.
|
be as defined in \crossref{endian}.
|
||||||
|
|
||||||
Define $\AuthProveBase := \FindGroupJHashOf{\ascii{Zcash\_H\_}, \ascii{}}$.
|
Define $\AuthProveBase := \FindGroupJHash\Of{\ascii{Zcash\_H\_}, \ascii{}}$.
|
||||||
|
|
||||||
Define $\ToScalar(x \typecolon \PRFOutputExpand) := \LEOStoIPOf{\PRFOutputLengthExpand}{x} \pmod{\ParamJ{r}}$.
|
Define $\ToScalar(x \typecolon \PRFOutputExpand) := \LEOStoIPOf{\PRFOutputLengthExpand}{x} \pmod{\ParamJ{r}}$.
|
||||||
|
|
||||||
|
@ -3676,7 +3668,7 @@ the \incomingViewingKey $\InViewingKey \typecolon \InViewingKeyTypeSapling$ are
|
||||||
\begin{tabular}{@{\hskip 1.7em}r@{\;}l}
|
\begin{tabular}{@{\hskip 1.7em}r@{\;}l}
|
||||||
$\AuthSignPublic$ &$:= \SpendAuthSigDerivePublic(\AuthSignPrivate)$ \\
|
$\AuthSignPublic$ &$:= \SpendAuthSigDerivePublic(\AuthSignPrivate)$ \\
|
||||||
$\AuthProvePublic$ &$:= \scalarmult{\AuthProvePrivate}{\AuthProveBase}$ \\
|
$\AuthProvePublic$ &$:= \scalarmult{\AuthProvePrivate}{\AuthProveBase}$ \\
|
||||||
\plap{$\InViewingKey$}{$\OutViewingKey$} &$:= \CRHivk\big(\reprJOf{\AuthSignPublic}, \reprJOf{\AuthProvePublic}\kern-0.08em\big)$.
|
\plap{$\InViewingKey$}{$\OutViewingKey$} &$:= \CRHivk\big(\reprJ\Of{\AuthSignPublic}, \reprJ\Of{\AuthProvePublic}\kern-0.08em\big)$.
|
||||||
\end{tabular}
|
\end{tabular}
|
||||||
|
|
||||||
If $\InViewingKey = 0$, discard this key and repeat with a new $\SpendingKey$.
|
If $\InViewingKey = 0$, discard this key and repeat with a new $\SpendingKey$.
|
||||||
|
@ -3765,8 +3757,8 @@ if this happens, discard the key and repeat with a different $\SpendingKey$.
|
||||||
$\ToScalar(\PRFexpand{\SpendingKey}([1])) : \SpendingKey \leftarrowR \SpendingKeyType$,
|
$\ToScalar(\PRFexpand{\SpendingKey}([1])) : \SpendingKey \leftarrowR \SpendingKeyType$,
|
||||||
is computationally indistinguishable from the uniform distribution on $\GF{\ParamJ{r}}$.
|
is computationally indistinguishable from the uniform distribution on $\GF{\ParamJ{r}}$.
|
||||||
Since $\fun{\AuthProvePrivate \typecolon \GF{\ParamJ{r}}^{\vphantom{X}}}
|
Since $\fun{\AuthProvePrivate \typecolon \GF{\ParamJ{r}}^{\vphantom{X}}}
|
||||||
{\reprJOf{\scalarmult{\AuthProvePrivate}{\AuthProveBase}} \typecolon \SubgroupReprJ}$
|
{\reprJ\Of{\scalarmult{\AuthProvePrivate}{\AuthProveBase}} \typecolon \SubgroupReprJ}$
|
||||||
is bijective, the distribution of $\reprJOf{\AuthProvePublic}$ will be computationally
|
is bijective, the distribution of $\reprJ\Of{\AuthProvePublic}$ will be computationally
|
||||||
indistinguishable from the uniform distribution on $\SubgroupReprJ$
|
indistinguishable from the uniform distribution on $\SubgroupReprJ$
|
||||||
which is the keyspace of $\PRFnfSapling{}$.
|
which is the keyspace of $\PRFnfSapling{}$.
|
||||||
\end{nnotes}
|
\end{nnotes}
|
||||||
|
@ -4073,8 +4065,8 @@ the following steps:
|
||||||
|
|
||||||
\begin{tabular}{@{\hskip 2em}r@{\;}l}
|
\begin{tabular}{@{\hskip 2em}r@{\;}l}
|
||||||
$\cvNew{}$ &$:= \ValueCommit{\ValueCommitRandNew{}}(\ValueNew{})$ \\[1ex]
|
$\cvNew{}$ &$:= \ValueCommit{\ValueCommitRandNew{}}(\ValueNew{})$ \\[1ex]
|
||||||
$\cmNew{}$ &$:= \NoteCommitSapling{\NoteCommitRandNew{}}(\reprJOf{\DiversifiedTransmitBase},
|
$\cmNew{}$ &$:= \NoteCommitSapling{\NoteCommitRandNew{}}(\reprJ\Of{\DiversifiedTransmitBase},
|
||||||
\reprJOf{\DiversifiedTransmitPublic},
|
\reprJ\Of{\DiversifiedTransmitPublic},
|
||||||
\ValueNew{})$
|
\ValueNew{})$
|
||||||
\end{tabular}
|
\end{tabular}
|
||||||
|
|
||||||
|
@ -4172,10 +4164,10 @@ A \dummy{} \Sapling input \note is constructed as follows:
|
||||||
\item Choose uniformly random $\NoteCommitRand \leftarrowR \NoteCommitSaplingGenTrapdoor()$.
|
\item Choose uniformly random $\NoteCommitRand \leftarrowR \NoteCommitSaplingGenTrapdoor()$.
|
||||||
and $\AuthProvePrivate \leftarrowR \GF{\ParamJ{r}}$.
|
and $\AuthProvePrivate \leftarrowR \GF{\ParamJ{r}}$.
|
||||||
\item Compute $\AuthProvePublic = \scalarmult{\AuthProvePrivate}{\AuthProveBase}$ and
|
\item Compute $\AuthProvePublic = \scalarmult{\AuthProvePrivate}{\AuthProveBase}$ and
|
||||||
$\AuthProvePublicRepr = \reprJOf{\AuthProvePublic}$\,.
|
$\AuthProvePublicRepr = \reprJ\Of{\AuthProvePublic}$\,.
|
||||||
\item Compute $\NoteAddressRand{} = \cmOld{}
|
\item Compute $\NoteAddressRand{} = \cmOld{}
|
||||||
= \NoteCommitSapling{\NoteCommitRand}(\reprJOf{\DiversifiedTransmitBase},
|
= \NoteCommitSapling{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase},
|
||||||
\reprJOf{\DiversifiedTransmitPublic},
|
\reprJ\Of{\DiversifiedTransmitPublic},
|
||||||
\vOld{})$.
|
\vOld{})$.
|
||||||
\item Compute $\nfOld{} = \PRFnfSapling{\AuthProvePublicRepr}(\reprJ(\NoteAddressRand))$.
|
\item Compute $\nfOld{} = \PRFnfSapling{\AuthProvePublicRepr}(\reprJ(\NoteAddressRand))$.
|
||||||
\item Construct a \dummy \merklePath $\TreePath{}$ for use in the
|
\item Construct a \dummy \merklePath $\TreePath{}$ for use in the
|
||||||
|
@ -4816,8 +4808,8 @@ such that the following conditions hold:
|
||||||
\vspace{1ex}
|
\vspace{1ex}
|
||||||
\snarkcondition{Note commitment integrity} \label{spendnotecommitmentintegrity}
|
\snarkcondition{Note commitment integrity} \label{spendnotecommitmentintegrity}
|
||||||
|
|
||||||
$\cmOld{} = \NoteCommitSapling{\NoteCommitRandOld{}}(\reprJOf{\DiversifiedTransmitBase},
|
$\cmOld{} = \NoteCommitSapling{\NoteCommitRandOld{}}(\reprJ\Of{\DiversifiedTransmitBase},
|
||||||
\reprJOf{\DiversifiedTransmitPublic},
|
\reprJ\Of{\DiversifiedTransmitPublic},
|
||||||
\vOld{})$.
|
\vOld{})$.
|
||||||
|
|
||||||
\vspace{-1ex}
|
\vspace{-1ex}
|
||||||
|
@ -4841,7 +4833,7 @@ and $\scalarmult{\ParamJ{h}}{\AuthSignPublic} \neq \ZeroJ$.
|
||||||
$\nfOld{} = \PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRandRepr)$ where
|
$\nfOld{} = \PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRandRepr)$ where
|
||||||
\vspace{-1ex}
|
\vspace{-1ex}
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\AuthProvePublicRepr = \reprJOf{\scalarmult{\AuthProvePrivate}{\AuthProveBase}}$
|
\item $\AuthProvePublicRepr = \reprJ\Of{\scalarmult{\AuthProvePrivate}{\AuthProveBase}}$
|
||||||
\vspace{-1ex}
|
\vspace{-1ex}
|
||||||
\item $\NoteAddressRandRepr = \reprJ\big(\MixingPedersenHash(\cmOld{}, \NotePosition)\kern-0.12em\big)$.
|
\item $\NoteAddressRandRepr = \reprJ\big(\MixingPedersenHash(\cmOld{}, \NotePosition)\kern-0.12em\big)$.
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
@ -4858,7 +4850,7 @@ $\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBas
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\InViewingKey = \CRHivk(\AuthSignPublicRepr, \AuthProvePublicRepr)$
|
\item $\InViewingKey = \CRHivk(\AuthSignPublicRepr, \AuthProvePublicRepr)$
|
||||||
\vspace{-1ex}
|
\vspace{-1ex}
|
||||||
\item $\AuthSignPublicRepr = \reprJOf{\AuthSignPublic}$\,.
|
\item $\AuthSignPublicRepr = \reprJ\Of{\AuthSignPublic}$\,.
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
\vspace{1ex}
|
\vspace{1ex}
|
||||||
|
@ -4923,7 +4915,7 @@ such that the following conditions hold:
|
||||||
$\cmU = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRandNew{}}(\DiversifiedTransmitBaseRepr,
|
$\cmU = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRandNew{}}(\DiversifiedTransmitBaseRepr,
|
||||||
\DiversifiedTransmitPublicRepr,
|
\DiversifiedTransmitPublicRepr,
|
||||||
\vNew{})\kern-0.12em\big)$,
|
\vNew{})\kern-0.12em\big)$,
|
||||||
where $\DiversifiedTransmitBaseRepr = \reprJOf{\DiversifiedTransmitBase}$\,.
|
where $\DiversifiedTransmitBaseRepr = \reprJ\Of{\DiversifiedTransmitBase}$\,.
|
||||||
|
|
||||||
\snarkcondition{Value commitment integrity} \label{outputvaluecommitmentintegrity}
|
\snarkcondition{Value commitment integrity} \label{outputvaluecommitmentintegrity}
|
||||||
|
|
||||||
|
@ -5158,7 +5150,7 @@ Then to encrypt:
|
||||||
\item else:
|
\item else:
|
||||||
\item \tab let $\cvField = \LEBStoOSP{\ellJ}\big(\reprJ(\cvNew{})\kern-0.12em\big)$
|
\item \tab let $\cvField = \LEBStoOSP{\ellJ}\big(\reprJ(\cvNew{})\kern-0.12em\big)$
|
||||||
\item \tab let $\cmField = \LEBStoOSP{256}\big(\ExtractJ(\cmNew{})\kern-0.15em\big)$
|
\item \tab let $\cmField = \LEBStoOSP{256}\big(\ExtractJ(\cmNew{})\kern-0.15em\big)$
|
||||||
\item \tab let $\ephemeralKey = \LEBStoOSPOf{\ellJ}{\reprJOf{\EphemeralPublic}}$
|
\item \tab let $\ephemeralKey = \LEBStoOSPOf{\ellJ}{\reprJ\Of{\EphemeralPublic}}$
|
||||||
\item \tab let $\OutCipherKey = \PRFock{\OutViewingKey}(\cvField, \cmField, \ephemeralKey)$
|
\item \tab let $\OutCipherKey = \PRFock{\OutViewingKey}(\cvField, \cmField, \ephemeralKey)$
|
||||||
\item \tab let $\OutPlaintext = \LEBStoOSPOf{\ellJ + 256}{\reprJ(\DiversifiedTransmitPublicNew) \,\bconcat\, \ItoLEBSPOf{256}{\EphemeralPrivate}\kern-0.12em}$
|
\item \tab let $\OutPlaintext = \LEBStoOSPOf{\ellJ + 256}{\reprJ(\DiversifiedTransmitPublicNew) \,\bconcat\, \ItoLEBSPOf{256}{\EphemeralPrivate}\kern-0.12em}$
|
||||||
\item \vspace{-2ex}
|
\item \vspace{-2ex}
|
||||||
|
@ -5205,8 +5197,8 @@ components of the \noteCiphertext as follows:
|
||||||
and $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$
|
and $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$
|
||||||
\item if $\NoteCommitRand \geq \ParamJ{r}$ or $\DiversifiedTransmitBase = \bot$, return $\bot$
|
\item if $\NoteCommitRand \geq \ParamJ{r}$ or $\DiversifiedTransmitBase = \bot$, return $\bot$
|
||||||
\item let $\DiversifiedTransmitPublic = \KASaplingDerivePublic(\InViewingKey, \DiversifiedTransmitBase)$
|
\item let $\DiversifiedTransmitPublic = \KASaplingDerivePublic(\InViewingKey, \DiversifiedTransmitBase)$
|
||||||
\item let $\cmU' = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRandNew{}}(\reprJOf{\DiversifiedTransmitBase},
|
\item let $\cmU' = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRandNew{}}(\reprJ\Of{\DiversifiedTransmitBase},
|
||||||
\reprJOf{\DiversifiedTransmitPublic},
|
\reprJ\Of{\DiversifiedTransmitPublic},
|
||||||
\Value)\kern-0.12em\big)$.
|
\Value)\kern-0.12em\big)$.
|
||||||
\item if $\LEBStoOSPOf{256}{\cmU'} \neq \cmField$, return $\bot$, else return $\NotePlaintext{}$.
|
\item if $\LEBStoOSPOf{256}{\cmU'} \neq \cmField$, return $\bot$, else return $\NotePlaintext{}$.
|
||||||
\end{algorithm}
|
\end{algorithm}
|
||||||
|
@ -5255,7 +5247,7 @@ The \outgoingViewingKey holder will attempt to decrypt the \noteCiphertext as fo
|
||||||
\item extract $(\DiversifiedTransmitPublicRepr \typecolon \ReprJ,
|
\item extract $(\DiversifiedTransmitPublicRepr \typecolon \ReprJ,
|
||||||
\EphemeralPrivateBytes \typecolon \EphemeralPrivateBytesType)$ from $\OutPlaintext$
|
\EphemeralPrivateBytes \typecolon \EphemeralPrivateBytesType)$ from $\OutPlaintext$
|
||||||
\item let $\EphemeralPrivate = \LEOStoIPOf{256}{\EphemeralPrivateBytes}$
|
\item let $\EphemeralPrivate = \LEOStoIPOf{256}{\EphemeralPrivateBytes}$
|
||||||
and $\DiversifiedTransmitPublic = \abstJOf{\DiversifiedTransmitPublicRepr}$
|
and $\DiversifiedTransmitPublic = \abstJ\Of{\DiversifiedTransmitPublicRepr}$
|
||||||
\item if $\EphemeralPrivate \geq \ParamJ{r}$ or $\DiversifiedTransmitPublic \notin \KASaplingPublicPrimeOrder$, return $\bot$
|
\item if $\EphemeralPrivate \geq \ParamJ{r}$ or $\DiversifiedTransmitPublic \notin \KASaplingPublicPrimeOrder$, return $\bot$
|
||||||
\item let $\DHSecret{} = \KASaplingAgree(\EphemeralPrivate, \DiversifiedTransmitPublic)$
|
\item let $\DHSecret{} = \KASaplingAgree(\EphemeralPrivate, \DiversifiedTransmitPublic)$
|
||||||
\item let $\TransmitKey{} = \KDFSapling(\DHSecret{}, \EphemeralPublic)$
|
\item let $\TransmitKey{} = \KDFSapling(\DHSecret{}, \EphemeralPublic)$
|
||||||
|
@ -5268,8 +5260,8 @@ The \outgoingViewingKey holder will attempt to decrypt the \noteCiphertext as fo
|
||||||
\item if $\NoteCommitRand \geq \ParamJ{r}$ or $\DiversifiedTransmitBase = \bot$, return $\bot$
|
\item if $\NoteCommitRand \geq \ParamJ{r}$ or $\DiversifiedTransmitBase = \bot$, return $\bot$
|
||||||
\item if $\KASaplingDerivePublic(\EphemeralPrivate, \DiversifiedTransmitBase) \neq \EphemeralPublic$,
|
\item if $\KASaplingDerivePublic(\EphemeralPrivate, \DiversifiedTransmitBase) \neq \EphemeralPublic$,
|
||||||
return $\bot$
|
return $\bot$
|
||||||
\item let $\cmU' = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRandNew{}}(\reprJOf{\DiversifiedTransmitBase},
|
\item let $\cmU' = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRandNew{}}(\reprJ\Of{\DiversifiedTransmitBase},
|
||||||
\reprJOf{\DiversifiedTransmitPublic},
|
\reprJ\Of{\DiversifiedTransmitPublic},
|
||||||
\Value)\kern-0.12em\big)$.
|
\Value)\kern-0.12em\big)$.
|
||||||
\item if $\LEBStoOSPOf{256}{\cmU'} \neq \cmField$, return $\bot$, else return $\NotePlaintext{}$.
|
\item if $\LEBStoOSPOf{256}{\cmU'} \neq \cmField$, return $\bot$, else return $\NotePlaintext{}$.
|
||||||
\end{algorithm}
|
\end{algorithm}
|
||||||
|
@ -5277,7 +5269,7 @@ The \outgoingViewingKey holder will attempt to decrypt the \noteCiphertext as fo
|
||||||
|
|
||||||
\vspace{-2ex}
|
\vspace{-2ex}
|
||||||
\pnote{For a valid \transaction it must be the case that
|
\pnote{For a valid \transaction it must be the case that
|
||||||
$\ephemeralKey = \LEBStoOSP{\ellJ}\big(\reprJOf{\EphemeralPublic}\kern-0.15em\big)$.}
|
$\ephemeralKey = \LEBStoOSP{\ellJ}\big(\reprJ\Of{\EphemeralPublic}\kern-0.15em\big)$.}
|
||||||
|
|
||||||
|
|
||||||
\subsection{\Blockchain{} Scanning\pSproutOrNothing} \label{sproutscan}
|
\subsection{\Blockchain{} Scanning\pSproutOrNothing} \label{sproutscan}
|
||||||
|
@ -5798,7 +5790,8 @@ Define
|
||||||
|
|
||||||
\vspace{-1ex}
|
\vspace{-1ex}
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\DiversifyHash(\Diversifier) := \GroupJHash{\NotUpMySleeve}(\ascii{Zcash\_gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier})$
|
\item $\DiversifyHash(\Diversifier) :=
|
||||||
|
\GroupJHash{\NotUpMySleeve}\Of{\ascii{Zcash\_gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier}\kern-0.1em}$
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
\vspace{-3ex}
|
\vspace{-3ex}
|
||||||
|
@ -5862,7 +5855,7 @@ Let $c := 63$.
|
||||||
Define $\PedersenGenAlg \typecolon \byteseq{8} \times \Nat \rightarrow \PrimeOrderJ$ by:
|
Define $\PedersenGenAlg \typecolon \byteseq{8} \times \Nat \rightarrow \PrimeOrderJ$ by:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\PedersenGen{D}{i} := \FindGroupJHashOf{D, \Justthebox{\gencountbox}}$.
|
\item $\PedersenGen{D}{i} := \FindGroupJHash\Of{D, \Justthebox{\gencountbox}}$.
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
\newcommand{\sj}[1]{s^{\kern 0.02em j}_{#1}}
|
\newcommand{\sj}[1]{s^{\kern 0.02em j}_{#1}}
|
||||||
|
@ -5899,7 +5892,7 @@ $\PedersenEncode{\paramdot} \typecolon \bitseq{3 \mult \range{1}{c}} \rightarrow
|
||||||
Finally, define $\PedersenHash \typecolon \byteseq{8} \times \bitseq{\PosInt} \rightarrow \MerkleHashSapling$ by:
|
Finally, define $\PedersenHash \typecolon \byteseq{8} \times \bitseq{\PosInt} \rightarrow \MerkleHashSapling$ by:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\PedersenHash(D, M) := \ExtractJ(\PedersenHashToPoint(D, M))$.
|
\item $\PedersenHash(D, M) := \ExtractJ\big(\PedersenHashToPoint\Of{D, M}\kern-0.1em\big)$.
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
See \crossref{cctpedersenhash} for rationale and efficient circuit implementation
|
See \crossref{cctpedersenhash} for rationale and efficient circuit implementation
|
||||||
|
@ -5971,7 +5964,7 @@ $\UncommittedSapling = \ItoLEBSPOf{\MerkleHashLengthSapling}{1}$ is not in the r
|
||||||
By injectivity of $\ItoLEBSP{\MerkleHashLengthSapling}$ and the definitions of
|
By injectivity of $\ItoLEBSP{\MerkleHashLengthSapling}$ and the definitions of
|
||||||
$\PedersenHash$ and $\ExtractJ$, $\ItoLEBSPOf{\smash{\MerkleHashLengthSapling}}{1}$
|
$\PedersenHash$ and $\ExtractJ$, $\ItoLEBSPOf{\smash{\MerkleHashLengthSapling}}{1}$
|
||||||
can be in the range of $\PedersenHash$ only if there exist
|
can be in the range of $\PedersenHash$ only if there exist
|
||||||
$(D \typecolon \byteseq{8}$, $M \typecolon \bitseq{\PosInt})$ such that $\SelectuOf{\PedersenHashToPoint(D, M)} = 1$.
|
$(D \typecolon \byteseq{8}$, $M \typecolon \bitseq{\PosInt})$ such that $\Selectu\Of{\PedersenHashToPoint(D, M)} = 1$.
|
||||||
The latter can only be the affine-Edwards $u$-coordinate of a point in $\strut\GroupJ$.
|
The latter can only be the affine-Edwards $u$-coordinate of a point in $\strut\GroupJ$.
|
||||||
We show that there are no points in $\GroupJ$ with affine-Edwards $u$-coordinate $1$.
|
We show that there are no points in $\GroupJ$ with affine-Edwards $u$-coordinate $1$.
|
||||||
Suppose for a contradiction that $(u, \varv) \in \GroupJ$ for $u = 1$ and some
|
Suppose for a contradiction that $(u, \varv) \in \GroupJ$ for $u = 1$ and some
|
||||||
|
@ -5991,7 +5984,7 @@ A mixing \xPedersenHash is used to compute $\NoteAddressRand$ from
|
||||||
$\cm$ and $\NotePosition$ in \crossref{commitmentsandnullifiers}. It takes as
|
$\cm$ and $\NotePosition$ in \crossref{commitmentsandnullifiers}. It takes as
|
||||||
input a \xPedersenCommitment $P$, and hashes it with another input $x$.
|
input a \xPedersenCommitment $P$, and hashes it with another input $x$.
|
||||||
|
|
||||||
Define $\NotePositionBase := \FindGroupJHashOf{\ascii{Zcash\_J\_}, \ascii{}}$.
|
Define $\NotePositionBase := \FindGroupJHash\Of{\ascii{Zcash\_J\_}, \ascii{}}$.
|
||||||
|
|
||||||
We define $\MixingPedersenHash \typecolon \GroupJ \times \range{0}{\ParamJ{r}-1}
|
We define $\MixingPedersenHash \typecolon \GroupJ \times \range{0}{\ParamJ{r}-1}
|
||||||
\rightarrow \GroupJ$ by:
|
\rightarrow \GroupJ$ by:
|
||||||
|
@ -6385,8 +6378,8 @@ Define $\KASaplingAgree(\sk, P) := \scalarmult{\ParamJ{h} \mult \sk}{P}$.
|
||||||
\begin{lrbox}{\kdfsaplinginputbox}
|
\begin{lrbox}{\kdfsaplinginputbox}
|
||||||
\setsapling
|
\setsapling
|
||||||
\begin{bytefield}[bitwidth=0.07em]{544}
|
\begin{bytefield}[bitwidth=0.07em]{544}
|
||||||
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJOf{\DHSecret{}}\hairspace}$} &
|
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJ\Of{\DHSecret{}}\hairspace}$} &
|
||||||
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJOf{\EphemeralPublic}\hairspace}$}
|
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJ\Of{\EphemeralPublic}\hairspace}$}
|
||||||
\end{bytefield}
|
\end{bytefield}
|
||||||
\end{lrbox}
|
\end{lrbox}
|
||||||
|
|
||||||
|
@ -6553,8 +6546,8 @@ Define $\RedDSASign{} \typecolon (\sk \typecolon \RedDSAPrivate) \times (M \type
|
||||||
\item Choose a byte sequence $T$ uniformly at random on $\byteseq{(\RedDSAHashLength+128)/8}$.
|
\item Choose a byte sequence $T$ uniformly at random on $\byteseq{(\RedDSAHashLength+128)/8}$.
|
||||||
\item Let $r = \RedDSAHashToScalar(T \bconcat M)$.
|
\item Let $r = \RedDSAHashToScalar(T \bconcat M)$.
|
||||||
\item Let $\RedDSASigR{} = \scalarmult{r}{\GenG{}}$.
|
\item Let $\RedDSASigR{} = \scalarmult{r}{\GenG{}}$.
|
||||||
\item Let $\RedDSAReprR{} = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\RedDSASigR{}}}$.
|
\item Let $\RedDSAReprR{} = \LEBStoOSPOf{\ellG{}}{\reprG{}\Of{\RedDSASigR{}}\kern 0.05em}$.
|
||||||
\item Let $\vkBytes{} = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\RedDSADerivePublic(\sk)}\kern 0.05em}$.
|
\item Let $\vkBytes{} = \LEBStoOSPOf{\ellG{}}{\reprG{}\Of{\RedDSADerivePublic(\sk)}\kern 0.05em}$.
|
||||||
\item Let $\RedDSASigS{} = (r + \RedDSAHashToScalar(\RedDSAReprR{} \bconcat \vkBytes{} \bconcat M) \mult \sk) \bmod \ParamG{r}$.
|
\item Let $\RedDSASigS{} = (r + \RedDSAHashToScalar(\RedDSAReprR{} \bconcat \vkBytes{} \bconcat M) \mult \sk) \bmod \ParamG{r}$.
|
||||||
\item Let $\RedDSAReprS{} = \LEBStoOSPOf{\bitlength(\ParamG{r})}{\ItoLEBSPOf{\bitlength(\ParamG{r})}{\RedDSASigS{}}\kern-0.16em}$.
|
\item Let $\RedDSAReprS{} = \LEBStoOSPOf{\bitlength(\ParamG{r})}{\ItoLEBSPOf{\bitlength(\ParamG{r})}{\RedDSASigS{}}\kern-0.16em}$.
|
||||||
\item Return $\RedDSAReprR{} \bconcat \RedDSAReprS{}$.
|
\item Return $\RedDSAReprR{} \bconcat \RedDSAReprS{}$.
|
||||||
|
@ -6568,7 +6561,7 @@ Define $\RedDSAVerify{} \typecolon (\vk \typecolon \RedDSAPublic) \times (M \typ
|
||||||
let $\RedDSAReprS{}$ be the remaining $\ceiling{\bitlength(\ParamG{r})/8}$ bytes.
|
let $\RedDSAReprS{}$ be the remaining $\ceiling{\bitlength(\ParamG{r})/8}$ bytes.
|
||||||
\item Let $\RedDSASigR{} = \abstG{}\big(\LEOStoBSP{\ellG{}}(\RedDSAReprR{})\kern-0.1em\big)$, and
|
\item Let $\RedDSASigR{} = \abstG{}\big(\LEOStoBSP{\ellG{}}(\RedDSAReprR{})\kern-0.1em\big)$, and
|
||||||
let $\RedDSASigS{} = \LEOStoIP{\bitlength(\ParamG{r})}(\RedDSAReprS{})$.
|
let $\RedDSASigS{} = \LEOStoIP{\bitlength(\ParamG{r})}(\RedDSAReprS{})$.
|
||||||
\item Let $\vkBytes{} = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\vk}}$.
|
\item Let $\vkBytes{} = \LEBStoOSPOf{\ellG{}}{\reprG{}\Of{\vk}}$.
|
||||||
\vspace{-0.5ex}
|
\vspace{-0.5ex}
|
||||||
\item Let $\RedDSASigc{} = \RedDSAHashToScalar(\RedDSAReprR{} \bconcat \vkBytes{} \bconcat M)$.
|
\item Let $\RedDSASigc{} = \RedDSAHashToScalar(\RedDSAReprR{} \bconcat \vkBytes{} \bconcat M)$.
|
||||||
\vspace{0.5ex}
|
\vspace{0.5ex}
|
||||||
|
@ -6608,7 +6601,7 @@ As required, $\RedDSADerivePublic$ is a group homomorphism:
|
||||||
\end{tabular}
|
\end{tabular}
|
||||||
|
|
||||||
\vspace{1ex}
|
\vspace{1ex}
|
||||||
A $\RedDSA$ public key $\vk$ can be encoded as a bit sequence $\reprGOf{}{\vk}$\, of
|
A $\RedDSA$ public key $\vk$ can be encoded as a bit sequence $\reprG{}\Of{\vk}$\, of
|
||||||
length $\ellG{}$ bits (or as a corresponding byte sequence $\vkBytes{}$ by then applying $\LEBStoOSP{\ellG{}}$).
|
length $\ellG{}$ bits (or as a corresponding byte sequence $\vkBytes{}$ by then applying $\LEBStoOSP{\ellG{}}$).
|
||||||
|
|
||||||
\vspace{2ex}
|
\vspace{2ex}
|
||||||
|
@ -6630,7 +6623,7 @@ $\BindingSig$ and $\SpendAuthSig$.
|
||||||
|
|
||||||
Let $\RedJubjub$ be as defined in \crossref{concreteredjubjub}.
|
Let $\RedJubjub$ be as defined in \crossref{concreteredjubjub}.
|
||||||
|
|
||||||
Define $\AuthSignBase := \FindGroupJHashOf{\ascii{Zcash\_G\_}, \ascii{}}$.
|
Define $\AuthSignBase := \FindGroupJHash\Of{\ascii{Zcash\_G\_}, \ascii{}}$.
|
||||||
|
|
||||||
$\SpendAuthSig$ is instantiated as $\RedJubjub$ with key re-randomization, and
|
$\SpendAuthSig$ is instantiated as $\RedJubjub$ with key re-randomization, and
|
||||||
with generator $\GenG{} = \AuthSignBase$.
|
with generator $\GenG{} = \AuthSignBase$.
|
||||||
|
@ -6721,7 +6714,7 @@ and adding a randomized point on the \jubjubCurve (see \crossref{jubjub}):
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\WindowedPedersenCommit{r}(s) :=
|
\item $\WindowedPedersenCommit{r}(s) :=
|
||||||
\PedersenHashToPoint(\ascii{Zcash\_PH}, s) + \scalarmult{r}{\FindGroupJHashOf{\ascii{Zcash\_PH}, \ascii{r}}}$
|
\PedersenHashToPoint\Of{\ascii{Zcash\_PH}, s}\, + \scalarmult{r}{\FindGroupJHash\Of{\ascii{Zcash\_PH}, \ascii{r}}}$
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
See \crossref{cctwindowedcommit} for rationale and efficient circuit implementation
|
See \crossref{cctwindowedcommit} for rationale and efficient circuit implementation
|
||||||
|
@ -6771,7 +6764,7 @@ In order to support this property, we also define \quotedterm{homomorphic}
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\HomomorphicPedersenCommit{\ValueCommitRand}(D, \Value) :=
|
\item $\HomomorphicPedersenCommit{\ValueCommitRand}(D, \Value) :=
|
||||||
\scalarmult{\Value}{\FindGroupJHashOf{D, \ascii{v}}} + \scalarmult{\ValueCommitRand}{\FindGroupJHashOf{D, \ascii{r}}}$
|
\scalarmult{\Value}{\FindGroupJHash\Of{D, \ascii{v}}} + \scalarmult{\ValueCommitRand}{\FindGroupJHash\Of{D, \ascii{r}}}$
|
||||||
\item $\ValueCommitGenTrapdoor()$ generates the uniform distribution on $\GF{\ParamJ{r}}$.
|
\item $\ValueCommitGenTrapdoor()$ generates the uniform distribution on $\GF{\ParamJ{r}}$.
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
|
@ -6782,9 +6775,9 @@ of this function.
|
||||||
Define:
|
Define:
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\vspace{-0.5ex}
|
\vspace{-0.5ex}
|
||||||
\item $\ValueCommitValueBase := \FindGroupJHashOf{\ascii{Zcash\_cv}, \ascii{v}}$
|
\item $\ValueCommitValueBase := \FindGroupJHash\Of{\ascii{Zcash\_cv}, \ascii{v}}$
|
||||||
\vspace{-0.5ex}
|
\vspace{-0.5ex}
|
||||||
\item $\ValueCommitRandBase := \FindGroupJHashOf{\ascii{Zcash\_cv}, \ascii{r}}$.
|
\item $\ValueCommitRandBase := \FindGroupJHash\Of{\ascii{Zcash\_cv}, \ascii{r}}$.
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
\introlist
|
\introlist
|
||||||
|
@ -7107,12 +7100,12 @@ Define $\ItoLEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell}
|
||||||
as in \crossref{endian}.
|
as in \crossref{endian}.
|
||||||
|
|
||||||
Define $\reprJ \typecolon \GroupJ \rightarrow \ReprJ$ such
|
Define $\reprJ \typecolon \GroupJ \rightarrow \ReprJ$ such
|
||||||
that $\reprJOf{u, \varv} = \ItoLEBSPOf{256}{\varv + 2^{255} \smult \tilde{u}}$, where
|
that $\reprJ\Of{u, \varv} = \ItoLEBSPOf{256}{\varv + 2^{255} \smult \tilde{u}}$, where
|
||||||
$\tilde{u} = u \bmod 2$.
|
$\tilde{u} = u \bmod 2$.
|
||||||
|
|
||||||
Let $\abstJ \typecolon \ReprJ \rightarrow \maybe{\GroupJ}$
|
Let $\abstJ \typecolon \ReprJ \rightarrow \maybe{\GroupJ}$
|
||||||
be the left inverse of $\reprJ$ such that if $S$ is not in the range of
|
be the left inverse of $\reprJ$ such that if $S$ is not in the range of
|
||||||
$\reprJ$, then $\abstJOf{S} = \bot$.
|
$\reprJ$, then $\abstJ\Of{S} = \bot$.
|
||||||
|
|
||||||
Define $\SubgroupJ$ as the order-$\ParamJ{r}$ subgroup of $\GroupJ$. Note that this includes $\ZeroJ$.
|
Define $\SubgroupJ$ as the order-$\ParamJ{r}$ subgroup of $\GroupJ$. Note that this includes $\ZeroJ$.
|
||||||
For the set of prime-order points we write $\PrimeOrderJ$.
|
For the set of prime-order points we write $\PrimeOrderJ$.
|
||||||
|
@ -7142,11 +7135,11 @@ other conditions on points, for example that they have order at least $\ParamJ{r
|
||||||
\sapling{
|
\sapling{
|
||||||
\subsubsubsection{\HashExtractor{} for \Jubjub} \label{concreteextractorjubjub}
|
\subsubsubsection{\HashExtractor{} for \Jubjub} \label{concreteextractorjubjub}
|
||||||
|
|
||||||
Let $\SelectuOf{(u, \varv)} = u$ and let $\SelectvOf{(u, \varv)} = \varv$.
|
Let $\Selectu\Of{(u, \varv)} = u$ and let $\Selectv\Of{(u, \varv)} = \varv$.
|
||||||
|
|
||||||
Define $\ExtractJ \typecolon \SubgroupJ \rightarrow \MerkleHashSapling$ by
|
Define $\ExtractJ \typecolon \SubgroupJ \rightarrow \MerkleHashSapling$ by
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\ExtractJ(P) := \ItoLEBSPOf{\MerkleHashLengthSapling}{\SelectuOf{P}}$.
|
\item $\ExtractJ(P) := \ItoLEBSPOf{\MerkleHashLengthSapling}{\Selectu\Of{P}}$.
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
\vspace{-2ex}
|
\vspace{-2ex}
|
||||||
|
@ -7170,7 +7163,7 @@ Therefore, $-\varv \neq \varv$.
|
||||||
Now suppose $(u, -\varv) = Q$ is a point in $\SubgroupJ$. Then by applying the
|
Now suppose $(u, -\varv) = Q$ is a point in $\SubgroupJ$. Then by applying the
|
||||||
doubling formula we have $\scalarmult{2}{Q} = -\scalarmult{2}{P}$.
|
doubling formula we have $\scalarmult{2}{Q} = -\scalarmult{2}{P}$.
|
||||||
But also $\scalarmult{2}{(-P)} = -\scalarmult{2}{P}$. Therefore either
|
But also $\scalarmult{2}{(-P)} = -\scalarmult{2}{P}$. Therefore either
|
||||||
$Q = -P$ (then $\SelectvOf{Q} = \SelectvOf{-P}$\,; contradiction since
|
$Q = -P$ (then $\Selectv\Of{Q} = \Selectv\Of{-P}$\,; contradiction since
|
||||||
$-\varv \neq \varv$), or doubling is not injective on $\SubgroupJ$ (contradiction
|
$-\varv \neq \varv$), or doubling is not injective on $\SubgroupJ$ (contradiction
|
||||||
since $\SubgroupJ$ is of odd order \cite{KvE2013}).
|
since $\SubgroupJ$ is of odd order \cite{KvE2013}).
|
||||||
\end{proof}
|
\end{proof}
|
||||||
|
@ -7228,7 +7221,7 @@ The hash $\GroupJHash{\URS}(D, M) \typecolon \PrimeOrderJ$ is calculated as foll
|
||||||
|
|
||||||
\begin{algorithm}
|
\begin{algorithm}
|
||||||
\item let $\HashOutput = \BlakeTwos{256}(D,\, \URS \bconcat\, M)$
|
\item let $\HashOutput = \BlakeTwos{256}(D,\, \URS \bconcat\, M)$
|
||||||
\item let $P = \abstJOf{\LEOStoBSP{256}(\HashOutput)\kern-0.12em}$
|
\item let $P = \abstJ\Of{\LEOStoBSP{256}(\HashOutput)\kern-0.12em}$
|
||||||
\item if $P = \bot$ then return $\bot$
|
\item if $P = \bot$ then return $\bot$
|
||||||
\item let $Q = \scalarmult{\ParamJ{h}}{P}$
|
\item let $Q = \scalarmult{\ParamJ{h}}{P}$
|
||||||
\item if $Q = \ZeroJ$ then return $\bot$, else return $Q$.
|
\item if $Q = \ZeroJ$ then return $\bot$, else return $Q$.
|
||||||
|
@ -7244,7 +7237,7 @@ The hash $\GroupJHash{\URS}(D, M) \typecolon \PrimeOrderJ$ is calculated as foll
|
||||||
$\vphantom{a^b}\BlakeTwos{256}$ in the security analysis.
|
$\vphantom{a^b}\BlakeTwos{256}$ in the security analysis.
|
||||||
|
|
||||||
$\exclusivefun{\HashOutput \typecolon \byteseq{32}}
|
$\exclusivefun{\HashOutput \typecolon \byteseq{32}}
|
||||||
{\abstJOf{\LEOStoBSP{256}(\HashOutput)\kern-0.12em} \typecolon \GroupJ}{\bot}$
|
{\abstJ\Of{\LEOStoBSP{256}(\HashOutput)\kern-0.12em} \typecolon \GroupJ}{\bot}$
|
||||||
is injective, and both it and its inverse are efficiently computable.
|
is injective, and both it and its inverse are efficiently computable.
|
||||||
|
|
||||||
$\exclusivefun{P \typecolon \GroupJ}
|
$\exclusivefun{P \typecolon \GroupJ}
|
||||||
|
@ -7262,7 +7255,7 @@ Define $\first \typecolon (\byte \rightarrow \maybe{T}) \rightarrow \maybe{T}$
|
||||||
so that $\first(f) = f(i)$ where $i$ is the least integer in $\byte$
|
so that $\first(f) = f(i)$ where $i$ is the least integer in $\byte$
|
||||||
such that $f(i) \neq \bot$, or $\bot$ if no such $i$ exists.
|
such that $f(i) \neq \bot$, or $\bot$ if no such $i$ exists.
|
||||||
|
|
||||||
Define $\FindGroupJHashOf{D, M} :=
|
Define $\FindGroupJHash(D, M) :=
|
||||||
\first(\fun{i \typecolon \byte}{\GroupJHash{\URS}(D, M \bconcat\, [i]) \typecolon \maybe{(\PrimeOrderJ)}})$.
|
\first(\fun{i \typecolon \byte}{\GroupJHash{\URS}(D, M \bconcat\, [i]) \typecolon \maybe{(\PrimeOrderJ)}})$.
|
||||||
|
|
||||||
\vspace{-3ex}
|
\vspace{-3ex}
|
||||||
|
@ -7673,7 +7666,7 @@ The raw encoding of a \Sapling \paymentAddress consists of:
|
||||||
\begin{equation*}
|
\begin{equation*}
|
||||||
\begin{bytefield}[bitwidth=0.07em]{344}
|
\begin{bytefield}[bitwidth=0.07em]{344}
|
||||||
\sbitbox{120}{$\LEBStoOSPOf{88}{\Diversifier}$}
|
\sbitbox{120}{$\LEBStoOSPOf{88}{\Diversifier}$}
|
||||||
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJOf{\DiversifiedTransmitPublic}\kern 0.05em}$}
|
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJ\Of{\DiversifiedTransmitPublic}\kern 0.05em}$}
|
||||||
\end{bytefield}
|
\end{bytefield}
|
||||||
\end{equation*}
|
\end{equation*}
|
||||||
|
|
||||||
|
@ -7795,8 +7788,8 @@ The raw encoding of a \fullViewingKey consists of:
|
||||||
\vspace{1ex}
|
\vspace{1ex}
|
||||||
\begin{equation*}
|
\begin{equation*}
|
||||||
\begin{bytefield}[bitwidth=0.05em]{512}
|
\begin{bytefield}[bitwidth=0.05em]{512}
|
||||||
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJOf{\AuthSignPublic}\kern 0.05em}$}
|
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJ\Of{\AuthSignPublic}\kern 0.05em}$}
|
||||||
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJOf{\AuthProvePublic}\kern 0.05em}$}
|
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJ\Of{\AuthProvePublic}\kern 0.05em}$}
|
||||||
\sbitbox{256}{$32$-byte $\OutViewingKey$}
|
\sbitbox{256}{$32$-byte $\OutViewingKey$}
|
||||||
\end{bytefield}
|
\end{bytefield}
|
||||||
\end{equation*}
|
\end{equation*}
|
||||||
|
@ -8308,7 +8301,7 @@ Bytes & \heading{Name} & \heading{Data Type} & \heading{Description} \\
|
||||||
\hhline{|=|=|=|=|}
|
\hhline{|=|=|=|=|}
|
||||||
|
|
||||||
$32$ & $\cvField$ & \type{char[32]} & A \valueCommitment to the value of the input \note,
|
$32$ & $\cvField$ & \type{char[32]} & A \valueCommitment to the value of the input \note,
|
||||||
$\LEBStoOSPOf{256}{\reprJOf{\cv}}$. \\ \hline
|
$\LEBStoOSPOf{256}{\reprJ\Of{\cv}}$. \\ \hline
|
||||||
|
|
||||||
$32$ & $\anchorField$ & \type{char[32]} & A \merkleRoot of the \Sapling \noteCommitmentTree
|
$32$ & $\anchorField$ & \type{char[32]} & A \merkleRoot of the \Sapling \noteCommitmentTree
|
||||||
at some \blockHeight in the past, $\LEBStoOSPOf{256}{\rt}$. \\ \hline
|
at some \blockHeight in the past, $\LEBStoOSPOf{256}{\rt}$. \\ \hline
|
||||||
|
@ -8317,7 +8310,7 @@ $32$ & $\nullifierField$ & \type{char[32]} & The \nullifier of the input \note,
|
||||||
$\LEBStoOSPOf{256}{\nf}$. \\ \hline
|
$\LEBStoOSPOf{256}{\nf}$. \\ \hline
|
||||||
|
|
||||||
$32$ & $\rkField$ & \type{char[32]} & The randomized public key for $\spendAuthSig$,
|
$32$ & $\rkField$ & \type{char[32]} & The randomized public key for $\spendAuthSig$,
|
||||||
$\LEBStoOSPOf{256}{\reprJOf{\AuthSignRandomizedPublic}\kern 0.05em}$. \\ \hline
|
$\LEBStoOSPOf{256}{\reprJ\Of{\AuthSignRandomizedPublic}\kern 0.05em}$. \\ \hline
|
||||||
|
|
||||||
$192$ & $\zkproof$ & \type{char[192]} & An encoding of the \zeroKnowledgeProof
|
$192$ & $\zkproof$ & \type{char[192]} & An encoding of the \zeroKnowledgeProof
|
||||||
$\ProofSpend$ (see \crossref{groth}). \\ \hline
|
$\ProofSpend$ (see \crossref{groth}). \\ \hline
|
||||||
|
@ -8354,13 +8347,13 @@ Bytes & \heading{Name} & \heading{Data Type} & \heading{Description} \\
|
||||||
\hhline{|=|=|=|=|}
|
\hhline{|=|=|=|=|}
|
||||||
|
|
||||||
$32$ & $\cvField$ & \type{char[32]} & A \valueCommitment to the value of the output \note,
|
$32$ & $\cvField$ & \type{char[32]} & A \valueCommitment to the value of the output \note,
|
||||||
$\LEBStoOSPOf{256}{\reprJOf{\cv}\kern 0.05em}$. \\ \hline
|
$\LEBStoOSPOf{256}{\reprJ\Of{\cv}\kern 0.05em}$. \\ \hline
|
||||||
|
|
||||||
$32$ & $\cmField$ & \type{char[32]} & The $u$-coordinate of the \noteCommitment for the output \note,
|
$32$ & $\cmField$ & \type{char[32]} & The $u$-coordinate of the \noteCommitment for the output \note,
|
||||||
$\LEBStoOSPOf{256}{\cmU}$ where $\cmU = \ExtractJ(\cm)$. \\ \hline
|
$\LEBStoOSPOf{256}{\cmU}$ where $\cmU = \ExtractJ(\cm)$. \\ \hline
|
||||||
|
|
||||||
$32$ & $\ephemeralKey$ & \type{char[32]} & An encoding of an ephemeral $\JubjubCurve$ public key,
|
$32$ & $\ephemeralKey$ & \type{char[32]} & An encoding of an ephemeral $\JubjubCurve$ public key,
|
||||||
$\LEBStoOSPOf{256}{\reprJOf{\EphemeralPublic}}$. \\ \hline
|
$\LEBStoOSPOf{256}{\reprJ\Of{\EphemeralPublic}}$. \\ \hline
|
||||||
|
|
||||||
$580$ & $\encCiphertext$ & \type{char[580]} & A ciphertext component for the
|
$580$ & $\encCiphertext$ & \type{char[580]} & A ciphertext component for the
|
||||||
encrypted output \note, $\TransmitCiphertext{}$. \\ \hline
|
encrypted output \note, $\TransmitCiphertext{}$. \\ \hline
|
||||||
|
@ -9854,7 +9847,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
||||||
computed and separating it from the \authRandomizedVerifyingKey
|
computed and separating it from the \authRandomizedVerifyingKey
|
||||||
($\AuthSignRandomizedPublic$).
|
($\AuthSignRandomizedPublic$).
|
||||||
\item Clarify conversions between bit and byte sequences for
|
\item Clarify conversions between bit and byte sequences for
|
||||||
$\SpendingKey$, $\reprJOf{\AuthSignPublic}$, and $\reprJOf{\AuthProvePublic}$.
|
$\SpendingKey$, $\reprJ\Of{\AuthSignPublic}$, and $\reprJ\Of{\AuthProvePublic}$.
|
||||||
} %sapling
|
} %sapling
|
||||||
\item Change the \texttt{Makefile} to avoid multiple reloads in PDF readers while
|
\item Change the \texttt{Makefile} to avoid multiple reloads in PDF readers while
|
||||||
rebuilding the PDF.
|
rebuilding the PDF.
|
||||||
|
@ -11039,7 +11032,7 @@ Given $k = \vsum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$
|
||||||
|
|
||||||
\begin{algorithm}
|
\begin{algorithm}
|
||||||
\item // $\Base_i = \scalarmult{2^i}{B}$
|
\item // $\Base_i = \scalarmult{2^i}{B}$
|
||||||
\item let $\Base^u_0 = \SelectuOf{B}$
|
\item let $\Base^u_0 = \Selectu\Of{B}$
|
||||||
\item let $\Base^{\vv}_0\hairspace = B_{\vv}$
|
\item let $\Base^{\vv}_0\hairspace = B_{\vv}$
|
||||||
\item let $\Acc^u_0 = k_0 \bchoose B^u : 0$
|
\item let $\Acc^u_0 = k_0 \bchoose B^u : 0$
|
||||||
\item let $\Acc^{\vv}_0\hairspace = k_0 \bchoose B^{\vv} : 1$
|
\item let $\Acc^{\vv}_0\hairspace = k_0 \bchoose B^{\vv} : 1$
|
||||||
|
@ -11261,7 +11254,7 @@ implementation, and adding a randomized point:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\WindowedPedersenCommit{r}(s) =
|
\item $\WindowedPedersenCommit{r}(s) =
|
||||||
\PedersenHashToPoint(\ascii{Zcash\_PH}, s) + \scalarmult{r}{\FindGroupJHashOf{\ascii{Zcash\_PH}, \ascii{r}}}$
|
\PedersenHashToPoint\Of{\ascii{Zcash\_PH}, s}\, + \scalarmult{r}{\FindGroupJHash\Of{\ascii{Zcash\_PH}, \ascii{r}}}$
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
\introlist
|
\introlist
|
||||||
|
@ -11287,7 +11280,7 @@ as follows:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\HomomorphicPedersenCommit{\ValueCommitRand}(D, \Value) =
|
\item $\HomomorphicPedersenCommit{\ValueCommitRand}(D, \Value) =
|
||||||
\scalarmult{\Value}{\FindGroupJHashOf{D, \ascii{v}}} + \scalarmult{\ValueCommitRand}{\FindGroupJHashOf{D, \ascii{r}}}$
|
\scalarmult{\Value}{\FindGroupJHash\Of{D, \ascii{v}}}\, + \scalarmult{\ValueCommitRand}{\FindGroupJHash\Of{D, \ascii{r}}}$
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
In the case that we need for $\ValueCommit{}$, $\Value$ has $64$
|
In the case that we need for $\ValueCommit{}$, $\Value$ has $64$
|
||||||
|
@ -11443,10 +11436,10 @@ Define $\MillerLoopS \typecolon \GroupS{1} \times \GroupS{2} \rightarrow \GroupS
|
||||||
and $\FinalExpS \typecolon \GroupS{T} \rightarrow \GroupS{T}$ to be the Miller loop and
|
and $\FinalExpS \typecolon \GroupS{T} \rightarrow \GroupS{T}$ to be the Miller loop and
|
||||||
final exponentiation respectively of the pairing computation, so that:
|
final exponentiation respectively of the pairing computation, so that:
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\PairingS(P, Q) = \FinalExpS(\MillerLoopS(P, Q))$
|
\item $\PairingS\Of{P, Q} = \FinalExpS\Of{\MillerLoopS\Of{P, Q}\kern 0.05em}$
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
\vspace{-1ex}
|
\vspace{-1ex}
|
||||||
where $\FinalExpS(R) = R^{t}$ for some fixed $t$.
|
where $\FinalExpS\Of{R} = R^{t}$ for some fixed $t$.
|
||||||
|
|
||||||
\vspace{2ex}
|
\vspace{2ex}
|
||||||
Define $\GrothProofS := \GroupSstar{1} \times \SubgroupSstar{2} \times \GroupSstar{1}$.
|
Define $\GrothProofS := \GroupSstar{1} \times \SubgroupSstar{2} \times \GroupSstar{1}$.
|
||||||
|
|