Protocol spec: cosmetics.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2019-07-23 13:09:14 +01:00
parent 9ac2beeed8
commit b684ce88e2
1 changed file with 33 additions and 32 deletions


@ -1053,7 +1053,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\squash}{\!\!\!}
\newcommand{\caseif}{\squash\text{if }}
\newcommand{\caseotherwise}{\squash\text{otherwise}}
\newcommand{\sidecondition}[1]{\hspace{3em}\left[{#1}\right]}
\newcommand{\sorted}{\mathsf{sorted}}
\newcommand{\length}{\mathsf{length}}
\newcommand{\truncate}[1]{\mathsf{truncate}_{#1}}
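Review bot: removing the `\newcommand{\sidecondition}[1]{...}` definition (the one line this hunk drops) leaves an undefined control sequence wherever `\sidecondition` is still used. The only two uses visible in this diff, in the `\CtEdwardsToMont` and `\MontToCtEdwards` formulae, are replaced by `\makebox` further down, so a search for `\sidecondition` over the rest of the file before merging is enough to confirm nothing else depends on it.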
@ -4078,10 +4077,9 @@ if this happens, discard the key and repeat with a different $\SpendingKey$.
Since $\fun{\AuthProvePrivate \typecolon \GF{\ParamJ{r}}^{\vphantom{X}}}
{\reprJ\Of{\scalarmult{\AuthProvePrivate}{\AuthProveBase}} \typecolon \SubgroupReprJ}$
is bijective, the distribution of $\reprJ\Of{\AuthProvePublic}$ will be computationally
indistinguishable from the uniform distribution on $\SubgroupReprJ$
which is the keyspace of $\PRFnfSapling{}$.
\item The \zcashd wallet generates \diversifiers according to \cite{ZIP-32} rather than
using the default \diversifier specified above.
indistinguishable from uniform on $\SubgroupReprJ$ (which is the keyspace of $\PRFnfSapling{}$).
\item The \zcashd wallet picks \diversifiers as in \cite{ZIP-32}, rather than using the default
\diversifier specified above.
\end{nnotes}
\vspace{-2ex}
} %sapling
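Review bot: wording point on the rewritten wallet note: "picks \diversifiers as in \cite{ZIP-32}" is looser than the original "generates \diversifiers according to \cite{ZIP-32}", since "picks" can be read as an arbitrary choice rather than a deterministic derivation. Keeping "generates ... according to" preserves the meaning while still fitting on two lines. The shortened "computationally indistinguishable from uniform on $\SubgroupReprJ$ (which is the keyspace of $\PRFnfSapling{}$)" reads fine.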
@ -5031,8 +5029,8 @@ for each $i \in \setofOld$ \changed{$\mid$ $\EnforceMerklePath{i} = 1$}:
$(\TreePath{i}, \NotePosition_i)$ is a valid \merklePath (see \crossref{merklepath}) of depth
$\MerkleDepthSprout$ from $\NoteCommitmentSprout(\nOld{i})$ to the \anchor $\rt$.
\textbf{Note:} Merkle path validity covers conditions 1.\,(a) and 1.\,(d) of the NP \statement
in \cite[section 4.2]{BCGGMTV2014}.
\pnote{Merkle path validity covers conditions 1.\,(a) and 1.\,(d) of the NP \statement
in \cite[section 4.2]{BCGGMTV2014}.}
\changed{\snarkcondition{Merkle path enforcement}{sproutmerklepathenforcement}}
for each $i \in \setofOld$, if $\vOld{i} \neq 0$ then $\EnforceMerklePath{i} = 1$.
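Review bot: `\pnote` is not defined anywhere in this diff, so confirm that the macro exists and is in scope for this Sprout section before replacing the hand-formatted `\textbf{Note:}`; the same substitution is made in the Sapling `\MerkleCRHSapling` section below, and both sites should render identically.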
@ -5582,6 +5580,10 @@ $\ephemeralKey = \LEBStoOSP{\ellJ}\big(\reprJ\Of{\EphemeralPublic}\kern-0.15em\b
\lsubsection{\Blockchain{} Scanning\pSproutOrNothingText}{sproutscan}
Let $\PRFOutputLengthSprout$ be as defined in \crossref{constants}.
Let $\NoteTypeSprout$ be as defined in \crossref{notes}.
\vspace{1ex}
\introsection
The following algorithm can be used, given the \blockchain and a
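Review bot: the order here is `\vspace{1ex}` then `\introsection`, whereas the Sapling scanning section edited in the same commit puts `\introsection` before `\vspace{1ex}`; pick one ordering for both sections so the spacing before "The following algorithm" is the same in Sprout and Sapling. The two "Let ... be as defined" lines moved up in this hunk are removed at their original position in the companion hunk below, so the text is not duplicated.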
@ -5589,10 +5591,6 @@ The following algorithm can be used, given the \blockchain and a
to the corresponding \paymentAddress, its \memo field, and its final status
(spent or unspent).
Let $\PRFOutputLengthSprout$ be as defined in \crossref{constants}.
Let $\NoteTypeSprout$ be as defined in \crossref{notes}.
\vspace{1ex}
Let $\InViewingKey = (\AuthPublic \typecolon \PRFOutputSprout, \TransmitPrivate \typecolon \KASproutPrivate)$
be the \incomingViewingKey corresponding to $\AuthPrivate$, and let $\TransmitPublic$ be the associated
@ -5639,17 +5637,18 @@ key components, rather than a \spendingKey as in \Sprout.
Typically, these components are derived from a \fullViewingKey as described in
\crossref{saplingkeycomponents}.
The following algorithm can be used, given the \blockchain and
$(\AuthProvePublic \typecolon \SubgroupJ, \InViewingKey \typecolon \InViewingKeyTypeSapling)$,
to obtain each \note sent to the corresponding \paymentAddress, its \memo field,
and its final status (spent or unspent).
\vspace{1ex}
Let $\PRFOutputLengthNfSapling$ be as defined in \crossref{constants}.
Let $\NoteTypeSapling$ be as defined in \crossref{notes}.
\introsection
\vspace{1ex}
The following algorithm can be used, given the \blockchain and
$(\AuthProvePublic \typecolon \SubgroupJ, \InViewingKey \typecolon \InViewingKeyTypeSapling)$,
to obtain each \note sent to the corresponding \paymentAddress, its \memo field,
and its final status (spent or unspent).
\vspace{1ex}
\begin{algorithm}
\item Initialize $\ReceivedSet \typecolon \powerset{\NoteTypeSapling \times \MemoType} = \setof{}$.
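Review bot: `\introsection` followed by `\vspace{1ex}` is the reverse of the order used in the Sprout scanning section edited above (`\vspace{1ex}` then `\introsection`); make the two consistent, since the intent is clearly for both scanning sections to be laid out the same way after moving the "Let $\PRFOutputLengthNfSapling$ ..." and "Let $\NoteTypeSapling$ ..." lines ahead of the algorithm description.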
@ -5988,9 +5987,9 @@ $\MerkleCRHSapling \typecolon \MerkleLayerSapling \times \MerkleHashSapling \tim
\securityrequirement{$\PedersenHash$ must be \collisionResistant\!.}
\vspace{1ex}
\textbf{Note:}\;\; The prefix $l$ provides domain separation between inputs at different layers of the
\pnote{The prefix $l$ provides domain separation between inputs at different layers of the
\noteCommitmentTree. $\NoteCommitSaplingAlg$, like $\PedersenHash$, is defined in terms of $\PedersenHashToPoint$,
but using a prefix that cannot collide with a layer prefix, as noted in \crossref{concretewindowedcommit}.} %sapling
but using a prefix that cannot collide with a layer prefix, as noted in \crossref{concretewindowedcommit}.}} %sapling
\lsubsubsubsection{\hSigText{} \HashFunction}{hsigcrh}
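Review bot: the brace count on the last line of this hunk changes from one to two; the new inner brace closes `\pnote{` and the original brace, the one followed by `%sapling`, still closes the enclosing Sapling block, so the nesting is correct, but a comment such as `} %pnote` on the inner brace would make the pairing auditable without counting.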
@ -6362,9 +6361,9 @@ Because $\ExtractJ$ is injective, it follows that $\PedersenHash$ is equally
\begin{proof}
By injectivity of $\ItoLEBSP{\MerkleHashLengthSapling}$ and definitions of
$\PedersenHash$ and $\ExtractJ$, $\ItoLEBSPOf{\smash{\MerkleHashLengthSapling}}{1}$
$\PedersenHash$ and $\ExtractJ$, $\ItoLEBSPOf{\MerkleHashLengthSapling}{1}$
can be in the range of $\PedersenHash$ only if there exist
$(D \typecolon \smash{\byteseq{8}}$, $M \typecolon \smash{\bitseq{\PosInt}})$ such that $\Selectu\Of{\PedersenHashToPoint(D, M)} = 1$.
$D \typecolon \smash{\byteseq{8}}$ and $M \typecolon \smash{\bitseq{\PosInt}}$ such that $\Selectu\Of{\PedersenHashToPoint(D, M)} = 1$.
The latter can only be the \affineCtEdwards $u$-coordinate of a point in $\strut\GroupJ$.
We show that there are no points in $\GroupJ$ with \affineCtEdwards $u$-coordinate $1$.
Suppose for a contradiction that $(u, \varv) \in \GroupJ$ for $u = 1$ and some
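Review bot: `\smash` is removed from `\ItoLEBSPOf{\MerkleHashLengthSapling}{1}` but kept on `\byteseq{8}` and `\bitseq{\PosInt}` on the following line; if the goal is to stop tall sub/superscripts from widening the line spacing, either both sites or neither should keep it, otherwise the two lines of the proof may end up with visibly different leading. Turning the tuple `$(D \typecolon ..., M \typecolon ...)$` into "$D \typecolon \ldots$ and $M \typecolon \ldots$ such that" does read better.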
@ -9284,9 +9283,11 @@ in its \blockHeader is defined as $\floor{\hfrac{2^{256}}{\ToTarget(\nBits) + 1}
\crossref{subsidyconcepts} defines the \blockSubsidy, \minerSubsidy, and \foundersReward.
Their amounts in \zatoshi are calculated from the \blockHeight using
the formulae below. The constants $\SlowStartInterval$,\, $\PreBlossomHalvingInterval$,\,
the formulae below.
Let\notbeforeblossom{ the constants} $\SlowStartInterval$,\, $\PreBlossomHalvingInterval$,\,
\blossom{$\PostBlossomHalvingInterval$,\, $\BlossomActivationHeight$,\, }$\MaxBlockSubsidy$,
and $\FoundersFraction$ are instantiated in \crossref{constants}.
and $\FoundersFraction$ be as defined in \crossref{constants}.
\vspace{1ex}
\begin{formulae}
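Review bot: `Let\notbeforeblossom{ the constants} $\SlowStartInterval$, ...` makes the pre-Blossom rendering read "Let the constants $\SlowStartInterval$, ... be as defined" while the Blossom rendering reads "Let $\SlowStartInterval$, ... be as defined" without "the constants", even though $\PostBlossomHalvingInterval$ and $\BlossomActivationHeight$ are also listed in \crossref{constants}. That asymmetry looks unintended; either drop the `\notbeforeblossom` wrapper so both variants say "the constants", or add a `%` comment explaining why the wording differs.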
@ -11675,9 +11676,9 @@ Define $\CtEdwardsToMont \typecolon \AffineCtEdwardsJubjub \rightarrow \AffineMo
as follows:
\begin{formulae}
\item $\CtEdwardsToMont(u, \varv) = \left(\hfrac{1 + \varv}{1 - \varv},
\scalebox{0.8}{$\ssqrt{-40964}$} \mult \hfrac{1 + \varv}{(1 - \varv) \mult u}\right)
\sidecondition{1 - \varv \neq 0 \tand u \neq 0}$
\item \makebox[25em][l]{$\CtEdwardsToMont(u, \varv) = \left(\hfrac{1 + \varv}{1 - \varv},\,
\scalebox{0.8}{$\ssqrt{-40964}$} \mult \hfrac{1 + \varv}{(1 - \varv) \mult u}\right)$}
$[1 - \varv \neq 0 \tand u \neq 0]$
\end{formulae}
\introlist
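Review bot: `\makebox[25em][l]{...}` hard-codes the width that separates the formula from its side condition; if the boxed formula is wider than 25em, for example at a larger font size, the trailing `$[1 - \varv \neq 0 \tand u \neq 0]$` overprints it, whereas the removed `\sidecondition` used a relative `\hspace{3em}` after the formula. A `\sidecondition` variant that takes the box width as an argument would keep one definition for both conversion formulae instead of two literal `25em` values.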
@ -11685,9 +11686,9 @@ Define $\MontToCtEdwards \typecolon \AffineMontJubjub \rightarrow \AffineCtEdwar
as follows:
\begin{formulae}
\item $\MontToCtEdwards(x, y) = \left(\scalebox{0.8}{$\ssqrt{-40964}$} \mult \hfrac{x}{y},
\hfrac{x - 1}{x + 1}\right)
\sidecondition{x + 1 \neq 0 \tand y \neq 0}$
\item \makebox[25em][l]{$\MontToCtEdwards(x, y) = \left(\scalebox{0.8}{$\ssqrt{-40964}$} \mult \hfrac{x}{y},\,
\hfrac{x - 1}{x + 1}\right)$}
$[x + 1 \neq 0 \tand y \neq 0]$
\end{formulae}
\introlist
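Review bot: same pattern as the `\CtEdwardsToMont` hunk above; the `25em` has to stay identical in both places for the two side conditions to sit at the same horizontal position, and the `\,` thin space added before the second component should likewise match the other formula. Both are reasons to factor the box into a shared macro rather than repeating the literal width.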
@ -12566,7 +12567,7 @@ in the sapling-crypto code:
Check & Implements & \heading{Cost} & Reference \\
\hhline{|=|=|=|=|}
$\AuthSignPublic$ is on the curve \todo{FIXME also decompressed below}
$\AuthSignPublic$ is on the curve \small\todo{FIXME also decompressed below}
& $\AuthSignPublic \typecolon \SpendAuthSigPublic$
& 4 & \shortcrossref{cctedvalidate} \\ \hline
$\AuthSignPublic$ is not small order
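Review bot: `\small` is not enclosed in a group, so it relies on the tabular cell to limit its scope; that works here because each cell is a group, but `{\small\todo{...}}` would make the intent explicit and keep the size change local if the text is ever moved out of the table. The same applies to the three other `\small\todo` cells further down in this table.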
@ -12581,7 +12582,7 @@ Check & Implements & \heading{Cost} & Reference \\
$\AuthSignRandomizedPublic = \AuthSignRandomizer' + \AuthSignPublic$
&
& 6 & \shortcrossref{cctedarithmetic} \\ \hline
inputize $\AuthSignRandomizedPublic$ \todo{not ccteddecompressvalidate => wrong count}
inputize $\AuthSignRandomizedPublic$ \small\todo{not ccteddecompressvalidate => wrong count}
& $\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic$
& 392? & \shortcrossref{ccteddecompressvalidate} \\ \hline
$\AuthProvePrivateRepr \typecolon \bitseq{\ScalarLength}$
@ -12594,7 +12595,7 @@ Check & Implements & \heading{Cost} & Reference \\
& \snarkref{Diversified address integrity}{spendaddressintegrity}
& 392 & \shortcrossref{ccteddecompressvalidate} \\ \hline
$\AuthProvePublicRepr = \reprJ\Of{\AuthProvePublic}$
\todo{spec doesn't say to validate $\AuthProvePublic$ since it's calculated}
\small\todo{spec doesn't say to validate $\AuthProvePublic$ since it's calculated}
& \snarkref{Nullifier integrity}{spendnullifierintegrity}
& 392 & \shortcrossref{ccteddecompressvalidate} \\ \hline
$\InViewingKeyRepr = \ItoLEBSP{251}\big(\CRHivk(\AuthSignPublic, \AuthProvePublic)\kern-0.08em\big)\;\dagger$
@ -12647,7 +12648,7 @@ Check & Implements & \heading{Cost} & Reference \\
& \snarkref{Nullifier integrity}{spendnullifierintegrity}
& 98 & \shortcrossref{cctmixinghash} \\ \cline{1-1}\cline{3-4}
$\NoteAddressRandRepr = \reprJ\Of{\NoteAddressRand}$
\todo{spec doesn't say to validate $\NoteAddressRand$ since it's calculated}
\small\todo{spec doesn't say to validate $\NoteAddressRand$ since it's calculated}
&
& 392 & \shortcrossref{ccteddecompressvalidate} \\ \cline{1-1}\cline{3-4}
$\nfOld{} = \PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRandRepr)$