diff --git a/protocol/protocol.tex b/protocol/protocol.tex index c8a9f543..47cbb352 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -1053,7 +1053,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\squash}{\!\!\!} \newcommand{\caseif}{\squash\text{if }} \newcommand{\caseotherwise}{\squash\text{otherwise}} -\newcommand{\sidecondition}[1]{\hspace{3em}\left[{#1}\right]} \newcommand{\sorted}{\mathsf{sorted}} \newcommand{\length}{\mathsf{length}} \newcommand{\truncate}[1]{\mathsf{truncate}_{#1}} @@ -4078,10 +4077,9 @@ if this happens, discard the key and repeat with a different $\SpendingKey$. Since $\fun{\AuthProvePrivate \typecolon \GF{\ParamJ{r}}^{\vphantom{X}}} {\reprJ\Of{\scalarmult{\AuthProvePrivate}{\AuthProveBase}} \typecolon \SubgroupReprJ}$ is bijective, the distribution of $\reprJ\Of{\AuthProvePublic}$ will be computationally - indistinguishable from the uniform distribution on $\SubgroupReprJ$ - which is the keyspace of $\PRFnfSapling{}$. - \item The \zcashd wallet generates \diversifiers according to \cite{ZIP-32} rather than - using the default \diversifier specified above. + indistinguishable from uniform on $\SubgroupReprJ$ (which is the keyspace of $\PRFnfSapling{}$). + \item The \zcashd wallet picks \diversifiers as in \cite{ZIP-32}, rather than using the default + \diversifier specified above. \end{nnotes} \vspace{-2ex} } %sapling 
@@ -5031,8 +5029,8 @@ for each $i \in \setofOld$ \changed{$\mid$ $\EnforceMerklePath{i} = 1$}: $(\TreePath{i}, \NotePosition_i)$ is a valid \merklePath (see \crossref{merklepath}) of depth $\MerkleDepthSprout$ from $\NoteCommitmentSprout(\nOld{i})$ to the \anchor $\rt$. -\textbf{Note:} Merkle path validity covers conditions 1.\,(a) and 1.\,(d) of the NP \statement -in \cite[section 4.2]{BCGGMTV2014}. +\pnote{Merkle path validity covers conditions 1.\,(a) and 1.\,(d) of the NP \statement +in \cite[section 4.2]{BCGGMTV2014}.} \changed{\snarkcondition{Merkle path enforcement}{sproutmerklepathenforcement}} for each $i \in \setofOld$, if $\vOld{i} \neq 0$ then $\EnforceMerklePath{i} = 1$. @@ -5582,6 +5580,10 @@ $\ephemeralKey = \LEBStoOSP{\ellJ}\big(\reprJ\Of{\EphemeralPublic}\kern-0.15em\b \lsubsection{\Blockchain{} Scanning\pSproutOrNothingText}{sproutscan} +Let $\PRFOutputLengthSprout$ be as defined in \crossref{constants}. + +Let $\NoteTypeSprout$ be as defined in \crossref{notes}. + \vspace{1ex} \introsection The following algorithm can be used, given the \blockchain and a @@ -5589,10 +5591,6 @@ The following algorithm can be used, given the \blockchain and a to the corresponding \paymentAddress, its \memo field, and its final status (spent or unspent). -Let $\PRFOutputLengthSprout$ be as defined in \crossref{constants}. - -Let $\NoteTypeSprout$ be as defined in \crossref{notes}. - \vspace{1ex} Let $\InViewingKey = (\AuthPublic \typecolon \PRFOutputSprout, \TransmitPrivate \typecolon \KASproutPrivate)$ be the \incomingViewingKey corresponding to $\AuthPrivate$, and let $\TransmitPublic$ be the associated 
@@ -5639,17 +5637,18 @@ key components, rather than a \spendingKey as in \Sprout. Typically, these components are derived from a \fullViewingKey as described in \crossref{saplingkeycomponents}. -The following algorithm can be used, given the \blockchain and -$(\AuthProvePublic \typecolon \SubgroupJ, \InViewingKey \typecolon \InViewingKeyTypeSapling)$, -to obtain each \note sent to the corresponding \paymentAddress, its \memo field, -and its final status (spent or unspent). - \vspace{1ex} Let $\PRFOutputLengthNfSapling$ be as defined in \crossref{constants}. Let $\NoteTypeSapling$ be as defined in \crossref{notes}. \introsection +\vspace{1ex} +The following algorithm can be used, given the \blockchain and +$(\AuthProvePublic \typecolon \SubgroupJ, \InViewingKey \typecolon \InViewingKeyTypeSapling)$, +to obtain each \note sent to the corresponding \paymentAddress, its \memo field, +and its final status (spent or unspent). + \vspace{1ex} \begin{algorithm} \item Initialize $\ReceivedSet \typecolon \powerset{\NoteTypeSapling \times \MemoType} = \setof{}$. @@ -5988,9 +5987,9 @@ $\MerkleCRHSapling \typecolon \MerkleLayerSapling \times \MerkleHashSapling \tim \securityrequirement{$\PedersenHash$ must be \collisionResistant\!.} \vspace{1ex} -\textbf{Note:}\;\; The prefix $l$ provides domain separation between inputs at different layers of the +\pnote{The prefix $l$ provides domain separation between inputs at different layers of the \noteCommitmentTree. $\NoteCommitSaplingAlg$, like $\PedersenHash$, is defined in terms of $\PedersenHashToPoint$, -but using a prefix that cannot collide with a layer prefix, as noted in \crossref{concretewindowedcommit}.} %sapling +but using a prefix that cannot collide with a layer prefix, as noted in \crossref{concretewindowedcommit}.}} %sapling \lsubsubsubsection{\hSigText{} \HashFunction}{hsigcrh} 
@@ -6362,9 +6361,9 @@ Because $\ExtractJ$ is injective, it follows that $\PedersenHash$ is equally \begin{proof} By injectivity of $\ItoLEBSP{\MerkleHashLengthSapling}$ and definitions of -$\PedersenHash$ and $\ExtractJ$, $\ItoLEBSPOf{\smash{\MerkleHashLengthSapling}}{1}$ +$\PedersenHash$ and $\ExtractJ$, $\ItoLEBSPOf{\MerkleHashLengthSapling}{1}$ can be in the range of $\PedersenHash$ only if there exist -$(D \typecolon \smash{\byteseq{8}}$, $M \typecolon \smash{\bitseq{\PosInt}})$ such that $\Selectu\Of{\PedersenHashToPoint(D, M)} = 1$. +$D \typecolon \smash{\byteseq{8}}$ and $M \typecolon \smash{\bitseq{\PosInt}}$ such that $\Selectu\Of{\PedersenHashToPoint(D, M)} = 1$. The latter can only be the \affineCtEdwards $u$-coordinate of a point in $\strut\GroupJ$. We show that there are no points in $\GroupJ$ with \affineCtEdwards $u$-coordinate $1$. Suppose for a contradiction that $(u, \varv) \in \GroupJ$ for $u = 1$ and some @@ -9284,9 +9283,11 @@ in its \blockHeader is defined as $\floor{\hfrac{2^{256}}{\ToTarget(\nBits) + 1} \crossref{subsidyconcepts} defines the \blockSubsidy, \minerSubsidy, and \foundersReward. Their amounts in \zatoshi are calculated from the \blockHeight using -the formulae below. The constants $\SlowStartInterval$,\, $\PreBlossomHalvingInterval$,\, +the formulae below. + +Let\notbeforeblossom{ the constants} $\SlowStartInterval$,\, $\PreBlossomHalvingInterval$,\, \blossom{$\PostBlossomHalvingInterval$,\, $\BlossomActivationHeight$,\, }$\MaxBlockSubsidy$, -and $\FoundersFraction$ are instantiated in \crossref{constants}. +and $\FoundersFraction$ be as defined in \crossref{constants}. \vspace{1ex} \begin{formulae} 
@@ -11675,9 +11676,9 @@ Define $\CtEdwardsToMont \typecolon \AffineCtEdwardsJubjub \rightarrow \AffineMo as follows: \begin{formulae} - \item $\CtEdwardsToMont(u, \varv) = \left(\hfrac{1 + \varv}{1 - \varv}, - \scalebox{0.8}{$\ssqrt{-40964}$} \mult \hfrac{1 + \varv}{(1 - \varv) \mult u}\right) - \sidecondition{1 - \varv \neq 0 \tand u \neq 0}$ + \item \makebox[25em][l]{$\CtEdwardsToMont(u, \varv) = \left(\hfrac{1 + \varv}{1 - \varv},\, + \scalebox{0.8}{$\ssqrt{-40964}$} \mult \hfrac{1 + \varv}{(1 - \varv) \mult u}\right)$} + $[1 - \varv \neq 0 \tand u \neq 0]$ \end{formulae} \introlist @@ -11685,9 +11686,9 @@ Define $\MontToCtEdwards \typecolon \AffineMontJubjub \rightarrow \AffineCtEdwar as follows: \begin{formulae} - \item $\MontToCtEdwards(x, y) = \left(\scalebox{0.8}{$\ssqrt{-40964}$} \mult \hfrac{x}{y}, - \hfrac{x - 1}{x + 1}\right) - \sidecondition{x + 1 \neq 0 \tand y \neq 0}$ + \item \makebox[25em][l]{$\MontToCtEdwards(x, y) = \left(\scalebox{0.8}{$\ssqrt{-40964}$} \mult \hfrac{x}{y},\, + \hfrac{x - 1}{x + 1}\right)$} + $[x + 1 \neq 0 \tand y \neq 0]$ \end{formulae} \introlist @@ -12566,7 +12567,7 @@ in the sapling-crypto code: Check & Implements & \heading{Cost} & Reference \\ \hhline{|=|=|=|=|} - $\AuthSignPublic$ is on the curve \todo{FIXME also decompressed below} + $\AuthSignPublic$ is on the curve \small\todo{FIXME also decompressed below} & $\AuthSignPublic \typecolon \SpendAuthSigPublic$ & 4 & \shortcrossref{cctedvalidate} \\ \hline $\AuthSignPublic$ is not small order 
@@ -12581,7 +12582,7 @@ Check & Implements & \heading{Cost} & Reference \\ $\AuthSignRandomizedPublic = \AuthSignRandomizer' + \AuthSignPublic$ & & 6 & \shortcrossref{cctedarithmetic} \\ \hline - inputize $\AuthSignRandomizedPublic$ \todo{not ccteddecompressvalidate => wrong count} + inputize $\AuthSignRandomizedPublic$ \small\todo{not ccteddecompressvalidate => wrong count} & $\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic$ & 392? & \shortcrossref{ccteddecompressvalidate} \\ \hline $\AuthProvePrivateRepr \typecolon \bitseq{\ScalarLength}$ @@ -12594,7 +12595,7 @@ Check & Implements & \heading{Cost} & Reference \\ & \snarkref{Diversified address integrity}{spendaddressintegrity} & 392 & \shortcrossref{ccteddecompressvalidate} \\ \hline $\AuthProvePublicRepr = \reprJ\Of{\AuthProvePublic}$ - \todo{spec doesn't say to validate $\AuthProvePublic$ since it's calculated} + \small\todo{spec doesn't say to validate $\AuthProvePublic$ since it's calculated} & \snarkref{Nullifier integrity}{spendnullifierintegrity} & 392 & \shortcrossref{ccteddecompressvalidate} \\ \hline $\InViewingKeyRepr = \ItoLEBSP{251}\big(\CRHivk(\AuthSignPublic, \AuthProvePublic)\kern-0.08em\big)\;\dagger$ @@ -12647,7 +12648,7 @@ Check & Implements & \heading{Cost} & Reference \\ & \snarkref{Nullifier integrity}{spendnullifierintegrity} & 98 & \shortcrossref{cctmixinghash} \\ \cline{1-1}\cline{3-4} $\NoteAddressRandRepr = \reprJ\Of{\NoteAddressRand}$ - \todo{spec doesn't say to validate $\NoteAddressRand$ since it's calculated} + \small\todo{spec doesn't say to validate $\NoteAddressRand$ since it's calculated} & & 392 & \shortcrossref{ccteddecompressvalidate} \\ \cline{1-1}\cline{3-4} $\nfOld{} = \PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRandRepr)$
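Review bot: deleting `\newcommand{\sidecondition}[1]{...}` in the first hunk (line 1053) is only safe if the two `\sidecondition` uses rewritten in the `\CtEdwardsToMont` and `\MontToCtEdwards` hunks were the last ones in the file; any remaining use will fail at build time with an undefined control sequence. A grep for `\sidecondition` across protocol.tex before merging would settle it, and redefining the macro to produce the new layout (e.g. `\newcommand{\sidecondition}[1]{\hspace{3em}$[{#1}]$}`) would avoid repeating the makebox construction inline at each call site.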
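Review bot: the replacement of `\textbf{Note:}` by `\pnote{...}` in the Merkle-path hunk (line 5031) and in the `\MerkleCRHSapling` hunk (line 5988) depends on a `\pnote` macro whose definition does not appear in this diff; confirm it is defined in the preamble and that it renders the same bold `Note:` label, otherwise the paragraphs that still use `\textbf{Note:}` elsewhere in the file will look inconsistent. In the line-5988 hunk the trailing `.}}` is correct: one brace closes `\pnote{` and the other closes the enclosing `%sapling` group that the old line also closed.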
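Review bot: in the proof hunk (line 6362) `\smash` is dropped from `\ItoLEBSPOf{\MerkleHashLengthSapling}{1}` but kept on `\smash{\byteseq{8}}` and `\smash{\bitseq{\PosInt}}` on the following line; if the goal is uniform line spacing in the proof, either keep it on all three or remove it from all three rather than leaving a mix.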
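Review bot: `Let\notbeforeblossom{ the constants} $\SlowStartInterval$,\, ...` (line 9284 hunk) makes the sentence read "Let the constants ... be as defined" in one build and "Let ... be as defined" in the other; since "the constants" applies equally to both variants, it is not clear why the phrase is conditional, and the leading space inside the macro argument is easy to lose in a later edit. If the wording is meant to be unconditional, `Let the constants $\SlowStartInterval$, ...` is simpler; if the split is intentional, a short comment saying why would help the next reader.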
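Review bot: `\makebox[25em][l]{$\CtEdwardsToMont(u, \varv) = ...$}` (line 11675 hunk) fixes the formula's box at a hard-coded 25em regardless of its natural width; if the formula is wider than that, the side condition `$[1 - \varv \neq 0 \tand u \neq 0]$` that follows is typeset over the overflow, and any future change to the formula can break the layout silently. The same literal width is repeated in the `\MontToCtEdwards` hunk, so factoring the layout into one macro (a reinstated `\sidecondition` using `\hspace{3em}`, or a makebox whose width is a single named length) would keep the two formulae aligned and give one place to adjust.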
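Review bot: `\small\todo{FIXME also decompressed below}` (line 12566 hunk, and the same pattern in the three later table hunks) is an unscoped font-size declaration; inside a tabular cell it is confined to the cell, so it works here, but anything appended after the `\todo` in that cell would also shrink. Writing it as `{\small\todo{...}}` makes the scope explicit. Separately, the `392?` cost for `inputize $\AuthSignRandomizedPublic$` and the "spec doesn't say to validate" notes remain open FIXMEs in the cost table after this change; the diff only shrinks them, so it would be worth recording them as tracked issues so they are not lost once the text looks tidy.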