zec
/
zips
mirror of https://github.com/zcash/zips.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Cosmetics. 

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2021-09-30 15:20:48 +01:00
parent 97fa264611
commit bab61e8ecf
1 changed files with 20 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
protocol/protocol.tex
View File

@ -5269,29 +5269,23 @@ Let $\Output$ be as defined in \crossref{abstractzk}.
An \outputDescription comprises $(\cv, \cmU, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \ProofOutput)$
where
\begin{itemize}
\vspace{-0.3ex}
\item $\cv \typecolon \ValueCommitOutput{Sapling}$ is the \valueCommitment to the value of the output \note;
\vspace{-0.8ex}
\item $\cmU \typecolon \MerkleHash{Sapling}$ is the result of applying $\ExtractJ$ (defined
in \crossref{concreteextractorjubjub}) to the \noteCommitment for the output \note;
\vspace{-0.6ex}
\item $\EphemeralPublic \typecolon \KAPublic{Sapling}$ is
a key agreement \publicKey, used to derive the key for encryption
of the \noteCiphertextSapling (\crossref{saplinginband});
\vspace{-0.3ex}
\item $\TransmitCiphertext{} \typecolon \Ciphertext$ is
a ciphertext component for the encrypted output \note;
\vspace{-0.3ex}
\item $\OutCiphertext{} \typecolon \Ciphertext$ is a ciphertext component that allows the holder of
the \outgoingCipherKey (which can be derived from a \fullViewingKey) to recover the recipient
\diversifiedTransmissionKey $\DiversifiedTransmitPublic$ and the \ephemeralPrivateKey
$\EphemeralPrivate$, hence the entire \notePlaintext;
\vspace{-0.3ex}
\item $\ProofOutput \typecolon \OutputProof$ is a \zkSNARKProof with \primaryInput
$(\cv, \cmU, \EphemeralPublic)$ for the \outputStatement defined in \crossref{outputstatement}.
\end{itemize}
\vspace{-2ex}
\vspace{-1ex}
\begin{consensusrules}
\item Elements of an \outputDescription \MUST be valid encodings of the types given above.
\vspace{-0.3ex}
@ -5303,7 +5297,7 @@ where
i.e.\ $\OutputVerify\big(\kern-0.1em(\cv, \cmU, \EphemeralPublic), \Proof{\Output}\big) = 1$.
\end{consensusrules}
\vspace{-3.5ex}
\vspace{-2ex}
\nnote{The rule that $\cv$ and $\EphemeralPublic$ \MUST not be small-order, has the effect
of also preventing \nonCanonicalFieldElement encodings of these fields\nufive{, as required by \cite{ZIP-216}}.
That is, it is necessarily the case that $\reprJ\Of{\abstJ\Of{\cv}\kern0.05em} = \cv$ and
@ -5312,10 +5306,8 @@ $\reprJ\Of{\abstJ\Of{\EphemeralPublic}\kern0.05em} = \EphemeralPublic$.}
\nufive{
\vspace{-2.5ex}
\lsubsection{Action Descriptions}{actiondesc}
\vspace{-1ex}
An \actionTransfer, as specified in \crossref{actions}, is encoded in \transactions as an
\defining{\actionDescription}.
Each version 5 \transaction includes a sequence of zero or more \defining{\actionDescriptions}.
@ -5324,31 +5316,25 @@ Each version 5 \transaction includes a sequence of zero or more \defining{\actio
\introlist
Each \actionDescription is authorized by a signature, called the \defining{\spendAuthSignature}.
\vspace{0.5ex}
Let $\MerkleHashLength{Orchard}$ be as defined in \crossref{constants}.
\vspace{-0.25ex}
Let $\ParamP{q}$ be as defined in \crossref{pallasandvesta}.
\vspace{-0.25ex}
Let $\GroupPx$ and $\ExtractP$ be as defined in \crossref{concreteextractorpallas}.
\vspace{-0.25ex}
Let $\ValueCommitOutput{Orchard}$ be as defined in \crossref{abstractcommit}.
\vspace{-0.5ex}
Let $\SpendAuthSig{Orchard}$ be as defined in \crossref{spendauthsig}.
\vspace{-0.5ex}
Let $\KA{Orchard}$ be as defined in \crossref{abstractkeyagreement}.
\vspace{-0.25ex}
Let $\Sym$ be as defined in \crossref{abstractsym}.
\vspace{-0.25ex}
Let $\Action$ be as defined in \crossref{abstractzk}.
\vspace{1ex}
\introlist
\introsection
An \actionDescription comprises $(\cvNet{}, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \spendAuthSig,
\cmX, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \enableSpends, \enableOutputs,$ $\Proof{})$
where
@ -5428,8 +5414,7 @@ $\Proof{}$ is aggregated with other Action proofs and encoded in the $\proofsOrc
} %nufive
\vspace{-2ex}
\introlist
\vspace{-3ex}
\lsubsection{Sending Notes}{send}
\vspace{-1ex}
@ -5439,6 +5424,7 @@ $\Proof{}$ is aggregated with other Action proofs and encoded in the $\proofsOrc
In order to send \Sprout \shielded value, the sender constructs a
\transaction containing one or more \joinSplitDescriptions.
\introlist
Let $\JoinSplitSig$ be as specified in \crossref{abstractsig}.
Let $\NoteCommitAlg{Sprout}$ be as specified in \crossref{abstractcommit}.
@ -5512,7 +5498,6 @@ Let $\ValueCommitAlg{Sapling}$ and $\NoteCommitAlg{Sapling}$ be as specified in
Let $\KA{Sapling}$ be as specified in \crossref{abstractkeyagreement}.
\vspace{-0.25ex}
\introlist
Let $\DiversifyHash{Sapling}$ be as specified in \crossref{abstracthashes}.
\vspace{-0.25ex}
@ -5521,7 +5506,6 @@ Let $\ToScalar{Sapling}$ be as specified in \crossref{saplingkeycomponents}.
Let $\reprJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}.
\vspace{1ex}
\introlist
Let $\OutViewingKey$ be a \Sapling \outgoingViewingKey that is intended to be able to decrypt
this payment. This may be one of:
\begin{itemize}
@ -5536,6 +5520,7 @@ this payment. This may be one of:
\end{itemize}
\vspace{-2ex}
\introlist
\pnote{Choosing $\OutViewingKey = \bot$ is useful if the sender prefers to obtain
forward secrecy of the payment information with respect to compromise of its own secrets.}
@ -6208,7 +6193,7 @@ $\BindingSig{Sapling}$, $\combplus$, and $\grpplus$ are instantiated in \crossre
$\grpminus$, and $\sgrpsum{i=1\vphantom{p}}{\rmN}$, which in this section are to be interpreted as
operating on the prime-order subgroup of the \jubjubCurve and its scalar field.
\vspace{1.5ex}
\vspace{1ex}
\introlist
Suppose that the \transaction has:
\begin{itemize}
@ -6219,7 +6204,7 @@ Suppose that the \transaction has:
\item \saplingBalancingValue $\vBalance{Sapling}$.
\end{itemize}
\vspace{-0.5ex}
\vspace{-1ex}
In a correctly constructed \transaction, $\vBalance{Sapling} = \ssum{i=1}{n} \vOld{i} - \ssum{j=1}{m} \vNew{j}$,
but validators cannot check this directly because the values are hidden by the commitments.
@ -6249,7 +6234,7 @@ In order to check for implementation faults, the signer \SHOULD also check that
\item $\BindingPublic{Sapling} = \BindingSigDerivePublic{Sapling}(\BindingPrivate{Sapling})$.
\end{formulae}
\vspace{0.5ex}
\vspace{-1ex}
Let $\SigHash$ be the \sighashTxHash as defined in \cite{ZIP-243} for a version 4
\transaction\nufive{ or \cite{ZIP-244} as modified by \cite{ZIP-225} for a version 5
\transaction}, not associated with an input, using the \sighashType $\SIGHASHALL$.
@ -6258,6 +6243,7 @@ A validator checks balance by validating that
$\BindingSigValidate{Sapling}{\BindingPublic{Sapling}}(\SigHash, \bindingSig{Sapling}) = 1$.
\vspace{1ex}
\introlist
We now explain why this works.
\vspace{1ex}
@ -6392,11 +6378,11 @@ an \orchardBindingSignature does prove that the signer knew this commitment rand
this provides defence in depth and reduces the differences of \Orchard from \Sapling,
which may simplify security analysis.}
\vspace{2ex}
\vspace{1ex}
Instead of generating a key pair at random, we generate it as a function of the
\valueCommitments in the \actionDescriptions of the \transaction, and the \orchardBalancingValue.
\vspace{1ex}
\vspace{0.5ex}
Let $\GroupP$, $\GroupPstar$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}.
\introlist
@ -6415,7 +6401,7 @@ $\BindingSig{Orchard}$, $\combplus$, and $\grpplus$ are instantiated in \crossre
$\grpminus$, and $\sgrpsum{i=1\vphantom{p}}{\rmN}$, which in this section are to be interpreted as
operating on the \pallasCurve and its scalar field.
\vspace{1.5ex}
\vspace{1ex}
\introlist
Suppose that the \transaction has:
\begin{itemize}
@ -6424,7 +6410,7 @@ Suppose that the \transaction has:
\item \orchardBalancingValue $\vBalance{Orchard}$.
\end{itemize}
\vspace{-0.5ex}
\vspace{-1ex}
In a correctly constructed \transaction, $\vBalance{Orchard} = \ssum{i=1}{n} \vNet{i}$,
but validators cannot check this directly because the values are hidden by the commitments.
@ -6450,12 +6436,11 @@ In order to check for implementation faults, the signer \SHOULD also check that
\item $\BindingPublic{Orchard} = \BindingSigDerivePublic{Orchard}(\BindingPrivate{Orchard})$.
\end{formulae}
\vspace{0.5ex}
\introlist
A \transaction containing \actionDescriptions is necessarily a version 5 \transaction.
Let $\SigHash$ be the \sighashTxHash for a version 5 \transaction as defined in \cite{ZIP-244}
as modified by \cite{ZIP-225}, not associated with an input, using the \sighashType $\SIGHASHALL$.
\introlist
A validator checks balance by validating that
$\BindingSigValidate{Orchard}{\BindingPublic{Orchard}}(\SigHash, \bindingSig{Orchard}) = 1$.
@ -6572,8 +6557,8 @@ Let $\AuthSignPrivate$ be the \defining{\spendAuthPrivateKey} as defined in
Let $\SpendAuthSig{}$ be $\SpendAuthSig{Sapling}$\nufive{ or $\SpendAuthSig{Orchard}$ as applicable}.
} %notbeforenufive
\introsection
\vspace{2ex}
\introlist
\vspace{1ex}
For each \spendDescription\nufive{ or \actionDescription}, the signer chooses a fresh
\defining{\spendAuthRandomizer} $\AuthSignRandomizer$:
@ -7058,8 +7043,8 @@ such that the following conditions hold:
\introlist
\snarkcondition{Old note commitment integrity}{actionoldnotecommitmentintegrity}
$\NoteCommit{Orchard}{\NoteCommitRandOld{}}(\reprP\big(\DiversifiedTransmitBaseOld\big),
\reprP\big(\DiversifiedTransmitPublicOld),
$\NoteCommit{Orchard}{\NoteCommitRandOld{}}(\reprP(\DiversifiedTransmitBaseOld),
\reprP(\DiversifiedTransmitPublicOld),
\vOld{},
\NoteUniqueRandOld{},
\NoteNullifierRandOld) \in \setof{\cmOld{}, \bot}$.