Protocol spec: cosmetics.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent
9ac2beeed8
commit
b684ce88e2
|
@ -1053,7 +1053,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\squash}{\!\!\!}
|
||||
\newcommand{\caseif}{\squash\text{if }}
|
||||
\newcommand{\caseotherwise}{\squash\text{otherwise}}
|
||||
\newcommand{\sidecondition}[1]{\hspace{3em}\left[{#1}\right]}
|
||||
\newcommand{\sorted}{\mathsf{sorted}}
|
||||
\newcommand{\length}{\mathsf{length}}
|
||||
\newcommand{\truncate}[1]{\mathsf{truncate}_{#1}}
|
||||
|
@ -4078,10 +4077,9 @@ if this happens, discard the key and repeat with a different $\SpendingKey$.
|
|||
Since $\fun{\AuthProvePrivate \typecolon \GF{\ParamJ{r}}^{\vphantom{X}}}
|
||||
{\reprJ\Of{\scalarmult{\AuthProvePrivate}{\AuthProveBase}} \typecolon \SubgroupReprJ}$
|
||||
is bijective, the distribution of $\reprJ\Of{\AuthProvePublic}$ will be computationally
|
||||
indistinguishable from the uniform distribution on $\SubgroupReprJ$
|
||||
which is the keyspace of $\PRFnfSapling{}$.
|
||||
\item The \zcashd wallet generates \diversifiers according to \cite{ZIP-32} rather than
|
||||
using the default \diversifier specified above.
|
||||
indistinguishable from uniform on $\SubgroupReprJ$ (which is the keyspace of $\PRFnfSapling{}$).
|
||||
\item The \zcashd wallet picks \diversifiers as in \cite{ZIP-32}, rather than using the default
|
||||
\diversifier specified above.
|
||||
\end{nnotes}
|
||||
\vspace{-2ex}
|
||||
} %sapling
|
||||
|
@ -5031,8 +5029,8 @@ for each $i \in \setofOld$ \changed{$\mid$ $\EnforceMerklePath{i} = 1$}:
|
|||
$(\TreePath{i}, \NotePosition_i)$ is a valid \merklePath (see \crossref{merklepath}) of depth
|
||||
$\MerkleDepthSprout$ from $\NoteCommitmentSprout(\nOld{i})$ to the \anchor $\rt$.
|
||||
|
||||
\textbf{Note:} Merkle path validity covers conditions 1.\,(a) and 1.\,(d) of the NP \statement
|
||||
in \cite[section 4.2]{BCGGMTV2014}.
|
||||
\pnote{Merkle path validity covers conditions 1.\,(a) and 1.\,(d) of the NP \statement
|
||||
in \cite[section 4.2]{BCGGMTV2014}.}
|
||||
|
||||
\changed{\snarkcondition{Merkle path enforcement}{sproutmerklepathenforcement}}
|
||||
for each $i \in \setofOld$, if $\vOld{i} \neq 0$ then $\EnforceMerklePath{i} = 1$.
|
||||
|
@ -5582,6 +5580,10 @@ $\ephemeralKey = \LEBStoOSP{\ellJ}\big(\reprJ\Of{\EphemeralPublic}\kern-0.15em\b
|
|||
|
||||
\lsubsection{\Blockchain{} Scanning\pSproutOrNothingText}{sproutscan}
|
||||
|
||||
Let $\PRFOutputLengthSprout$ be as defined in \crossref{constants}.
|
||||
|
||||
Let $\NoteTypeSprout$ be as defined in \crossref{notes}.
|
||||
|
||||
\vspace{1ex}
|
||||
\introsection
|
||||
The following algorithm can be used, given the \blockchain and a
|
||||
|
@ -5589,10 +5591,6 @@ The following algorithm can be used, given the \blockchain and a
|
|||
to the corresponding \paymentAddress, its \memo field, and its final status
|
||||
(spent or unspent).
|
||||
|
||||
Let $\PRFOutputLengthSprout$ be as defined in \crossref{constants}.
|
||||
|
||||
Let $\NoteTypeSprout$ be as defined in \crossref{notes}.
|
||||
|
||||
\vspace{1ex}
|
||||
Let $\InViewingKey = (\AuthPublic \typecolon \PRFOutputSprout, \TransmitPrivate \typecolon \KASproutPrivate)$
|
||||
be the \incomingViewingKey corresponding to $\AuthPrivate$, and let $\TransmitPublic$ be the associated
|
||||
|
@ -5639,17 +5637,18 @@ key components, rather than a \spendingKey as in \Sprout.
|
|||
Typically, these components are derived from a \fullViewingKey as described in
|
||||
\crossref{saplingkeycomponents}.
|
||||
|
||||
The following algorithm can be used, given the \blockchain and
|
||||
$(\AuthProvePublic \typecolon \SubgroupJ, \InViewingKey \typecolon \InViewingKeyTypeSapling)$,
|
||||
to obtain each \note sent to the corresponding \paymentAddress, its \memo field,
|
||||
and its final status (spent or unspent).
|
||||
|
||||
\vspace{1ex}
|
||||
Let $\PRFOutputLengthNfSapling$ be as defined in \crossref{constants}.
|
||||
|
||||
Let $\NoteTypeSapling$ be as defined in \crossref{notes}.
|
||||
|
||||
\introsection
|
||||
\vspace{1ex}
|
||||
The following algorithm can be used, given the \blockchain and
|
||||
$(\AuthProvePublic \typecolon \SubgroupJ, \InViewingKey \typecolon \InViewingKeyTypeSapling)$,
|
||||
to obtain each \note sent to the corresponding \paymentAddress, its \memo field,
|
||||
and its final status (spent or unspent).
|
||||
|
||||
\vspace{1ex}
|
||||
\begin{algorithm}
|
||||
\item Initialize $\ReceivedSet \typecolon \powerset{\NoteTypeSapling \times \MemoType} = \setof{}$.
|
||||
|
@ -5988,9 +5987,9 @@ $\MerkleCRHSapling \typecolon \MerkleLayerSapling \times \MerkleHashSapling \tim
|
|||
\securityrequirement{$\PedersenHash$ must be \collisionResistant\!.}
|
||||
|
||||
\vspace{1ex}
|
||||
\textbf{Note:}\;\; The prefix $l$ provides domain separation between inputs at different layers of the
|
||||
\pnote{The prefix $l$ provides domain separation between inputs at different layers of the
|
||||
\noteCommitmentTree. $\NoteCommitSaplingAlg$, like $\PedersenHash$, is defined in terms of $\PedersenHashToPoint$,
|
||||
but using a prefix that cannot collide with a layer prefix, as noted in \crossref{concretewindowedcommit}.} %sapling
|
||||
but using a prefix that cannot collide with a layer prefix, as noted in \crossref{concretewindowedcommit}.}} %sapling
|
||||
|
||||
|
||||
\lsubsubsubsection{\hSigText{} \HashFunction}{hsigcrh}
|
||||
|
@ -6362,9 +6361,9 @@ Because $\ExtractJ$ is injective, it follows that $\PedersenHash$ is equally
|
|||
|
||||
\begin{proof}
|
||||
By injectivity of $\ItoLEBSP{\MerkleHashLengthSapling}$ and definitions of
|
||||
$\PedersenHash$ and $\ExtractJ$, $\ItoLEBSPOf{\smash{\MerkleHashLengthSapling}}{1}$
|
||||
$\PedersenHash$ and $\ExtractJ$, $\ItoLEBSPOf{\MerkleHashLengthSapling}{1}$
|
||||
can be in the range of $\PedersenHash$ only if there exist
|
||||
$(D \typecolon \smash{\byteseq{8}}$, $M \typecolon \smash{\bitseq{\PosInt}})$ such that $\Selectu\Of{\PedersenHashToPoint(D, M)} = 1$.
|
||||
$D \typecolon \smash{\byteseq{8}}$ and $M \typecolon \smash{\bitseq{\PosInt}}$ such that $\Selectu\Of{\PedersenHashToPoint(D, M)} = 1$.
|
||||
The latter can only be the \affineCtEdwards $u$-coordinate of a point in $\strut\GroupJ$.
|
||||
We show that there are no points in $\GroupJ$ with \affineCtEdwards $u$-coordinate $1$.
|
||||
Suppose for a contradiction that $(u, \varv) \in \GroupJ$ for $u = 1$ and some
|
||||
|
@ -9284,9 +9283,11 @@ in its \blockHeader is defined as $\floor{\hfrac{2^{256}}{\ToTarget(\nBits) + 1}
|
|||
|
||||
\crossref{subsidyconcepts} defines the \blockSubsidy, \minerSubsidy, and \foundersReward.
|
||||
Their amounts in \zatoshi are calculated from the \blockHeight using
|
||||
the formulae below. The constants $\SlowStartInterval$,\, $\PreBlossomHalvingInterval$,\,
|
||||
the formulae below.
|
||||
|
||||
Let\notbeforeblossom{ the constants} $\SlowStartInterval$,\, $\PreBlossomHalvingInterval$,\,
|
||||
\blossom{$\PostBlossomHalvingInterval$,\, $\BlossomActivationHeight$,\, }$\MaxBlockSubsidy$,
|
||||
and $\FoundersFraction$ are instantiated in \crossref{constants}.
|
||||
and $\FoundersFraction$ be as defined in \crossref{constants}.
|
||||
|
||||
\vspace{1ex}
|
||||
\begin{formulae}
|
||||
|
@ -11675,9 +11676,9 @@ Define $\CtEdwardsToMont \typecolon \AffineCtEdwardsJubjub \rightarrow \AffineMo
|
|||
as follows:
|
||||
|
||||
\begin{formulae}
|
||||
\item $\CtEdwardsToMont(u, \varv) = \left(\hfrac{1 + \varv}{1 - \varv},
|
||||
\scalebox{0.8}{$\ssqrt{-40964}$} \mult \hfrac{1 + \varv}{(1 - \varv) \mult u}\right)
|
||||
\sidecondition{1 - \varv \neq 0 \tand u \neq 0}$
|
||||
\item \makebox[25em][l]{$\CtEdwardsToMont(u, \varv) = \left(\hfrac{1 + \varv}{1 - \varv},\,
|
||||
\scalebox{0.8}{$\ssqrt{-40964}$} \mult \hfrac{1 + \varv}{(1 - \varv) \mult u}\right)$}
|
||||
$[1 - \varv \neq 0 \tand u \neq 0]$
|
||||
\end{formulae}
|
||||
|
||||
\introlist
|
||||
|
@ -11685,9 +11686,9 @@ Define $\MontToCtEdwards \typecolon \AffineMontJubjub \rightarrow \AffineCtEdwar
|
|||
as follows:
|
||||
|
||||
\begin{formulae}
|
||||
\item $\MontToCtEdwards(x, y) = \left(\scalebox{0.8}{$\ssqrt{-40964}$} \mult \hfrac{x}{y},
|
||||
\hfrac{x - 1}{x + 1}\right)
|
||||
\sidecondition{x + 1 \neq 0 \tand y \neq 0}$
|
||||
\item \makebox[25em][l]{$\MontToCtEdwards(x, y) = \left(\scalebox{0.8}{$\ssqrt{-40964}$} \mult \hfrac{x}{y},\,
|
||||
\hfrac{x - 1}{x + 1}\right)$}
|
||||
$[x + 1 \neq 0 \tand y \neq 0]$
|
||||
\end{formulae}
|
||||
|
||||
\introlist
|
||||
|
@ -12566,7 +12567,7 @@ in the sapling-crypto code:
|
|||
Check & Implements & \heading{Cost} & Reference \\
|
||||
\hhline{|=|=|=|=|}
|
||||
|
||||
$\AuthSignPublic$ is on the curve \todo{FIXME also decompressed below}
|
||||
$\AuthSignPublic$ is on the curve \small\todo{FIXME also decompressed below}
|
||||
& $\AuthSignPublic \typecolon \SpendAuthSigPublic$
|
||||
& 4 & \shortcrossref{cctedvalidate} \\ \hline
|
||||
$\AuthSignPublic$ is not small order
|
||||
|
@ -12581,7 +12582,7 @@ Check & Implements & \heading{Cost} & Reference \\
|
|||
$\AuthSignRandomizedPublic = \AuthSignRandomizer' + \AuthSignPublic$
|
||||
&
|
||||
& 6 & \shortcrossref{cctedarithmetic} \\ \hline
|
||||
inputize $\AuthSignRandomizedPublic$ \todo{not ccteddecompressvalidate => wrong count}
|
||||
inputize $\AuthSignRandomizedPublic$ \small\todo{not ccteddecompressvalidate => wrong count}
|
||||
& $\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic$
|
||||
& 392? & \shortcrossref{ccteddecompressvalidate} \\ \hline
|
||||
$\AuthProvePrivateRepr \typecolon \bitseq{\ScalarLength}$
|
||||
|
@ -12594,7 +12595,7 @@ Check & Implements & \heading{Cost} & Reference \\
|
|||
& \snarkref{Diversified address integrity}{spendaddressintegrity}
|
||||
& 392 & \shortcrossref{ccteddecompressvalidate} \\ \hline
|
||||
$\AuthProvePublicRepr = \reprJ\Of{\AuthProvePublic}$
|
||||
\todo{spec doesn't say to validate $\AuthProvePublic$ since it's calculated}
|
||||
\small\todo{spec doesn't say to validate $\AuthProvePublic$ since it's calculated}
|
||||
& \snarkref{Nullifier integrity}{spendnullifierintegrity}
|
||||
& 392 & \shortcrossref{ccteddecompressvalidate} \\ \hline
|
||||
$\InViewingKeyRepr = \ItoLEBSP{251}\big(\CRHivk(\AuthSignPublic, \AuthProvePublic)\kern-0.08em\big)\;\dagger$
|
||||
|
@ -12647,7 +12648,7 @@ Check & Implements & \heading{Cost} & Reference \\
|
|||
& \snarkref{Nullifier integrity}{spendnullifierintegrity}
|
||||
& 98 & \shortcrossref{cctmixinghash} \\ \cline{1-1}\cline{3-4}
|
||||
$\NoteAddressRandRepr = \reprJ\Of{\NoteAddressRand}$
|
||||
\todo{spec doesn't say to validate $\NoteAddressRand$ since it's calculated}
|
||||
\small\todo{spec doesn't say to validate $\NoteAddressRand$ since it's calculated}
|
||||
&
|
||||
& 392 & \shortcrossref{ccteddecompressvalidate} \\ \cline{1-1}\cline{3-4}
|
||||
$\nfOld{} = \PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRandRepr)$
|
||||
|
|