diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 9c5e35dd..eee20326 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -5269,29 +5269,23 @@ Let $\Output$ be as defined in \crossref{abstractzk}. An \outputDescription comprises $(\cv, \cmU, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \ProofOutput)$ where \begin{itemize} - \vspace{-0.3ex} \item $\cv \typecolon \ValueCommitOutput{Sapling}$ is the \valueCommitment to the value of the output \note; - \vspace{-0.8ex} \item $\cmU \typecolon \MerkleHash{Sapling}$ is the result of applying $\ExtractJ$ (defined in \crossref{concreteextractorjubjub}) to the \noteCommitment for the output \note; - \vspace{-0.6ex} \item $\EphemeralPublic \typecolon \KAPublic{Sapling}$ is a key agreement \publicKey, used to derive the key for encryption of the \noteCiphertextSapling (\crossref{saplinginband}); - \vspace{-0.3ex} \item $\TransmitCiphertext{} \typecolon \Ciphertext$ is a ciphertext component for the encrypted output \note; - \vspace{-0.3ex} \item $\OutCiphertext{} \typecolon \Ciphertext$ is a ciphertext component that allows the holder of the \outgoingCipherKey (which can be derived from a \fullViewingKey) to recover the recipient \diversifiedTransmissionKey $\DiversifiedTransmitPublic$ and the \ephemeralPrivateKey $\EphemeralPrivate$, hence the entire \notePlaintext; - \vspace{-0.3ex} \item $\ProofOutput \typecolon \OutputProof$ is a \zkSNARKProof with \primaryInput $(\cv, \cmU, \EphemeralPublic)$ for the \outputStatement defined in \crossref{outputstatement}. \end{itemize} -\vspace{-2ex} +\vspace{-1ex} \begin{consensusrules} \item Elements of an \outputDescription \MUST be valid encodings of the types given above. \vspace{-0.3ex} 
@@ -5303,7 +5297,7 @@ where i.e.\ $\OutputVerify\big(\kern-0.1em(\cv, \cmU, \EphemeralPublic), \Proof{\Output}\big) = 1$. \end{consensusrules} -\vspace{-3.5ex} +\vspace{-2ex} \nnote{The rule that $\cv$ and $\EphemeralPublic$ \MUST not be small-order, has the effect of also preventing \nonCanonicalFieldElement encodings of these fields\nufive{, as required by \cite{ZIP-216}}. That is, it is necessarily the case that $\reprJ\Of{\abstJ\Of{\cv}\kern0.05em} = \cv$ and @@ -5312,10 +5306,8 @@ $\reprJ\Of{\abstJ\Of{\EphemeralPublic}\kern0.05em} = \EphemeralPublic$.} \nufive{ -\vspace{-2.5ex} \lsubsection{Action Descriptions}{actiondesc} -\vspace{-1ex} An \actionTransfer, as specified in \crossref{actions}, is encoded in \transactions as an \defining{\actionDescription}. Each version 5 \transaction includes a sequence of zero or more \defining{\actionDescriptions}. 
@@ -5324,31 +5316,25 @@ Each version 5 \transaction includes a sequence of zero or more \defining{\actio \introlist Each \actionDescription is authorized by a signature, called the \defining{\spendAuthSignature}. +\vspace{0.5ex} Let $\MerkleHashLength{Orchard}$ be as defined in \crossref{constants}. -\vspace{-0.25ex} Let $\ParamP{q}$ be as defined in \crossref{pallasandvesta}. -\vspace{-0.25ex} Let $\GroupPx$ and $\ExtractP$ be as defined in \crossref{concreteextractorpallas}. -\vspace{-0.25ex} Let $\ValueCommitOutput{Orchard}$ be as defined in \crossref{abstractcommit}. -\vspace{-0.5ex} Let $\SpendAuthSig{Orchard}$ be as defined in \crossref{spendauthsig}. -\vspace{-0.5ex} Let $\KA{Orchard}$ be as defined in \crossref{abstractkeyagreement}. -\vspace{-0.25ex} Let $\Sym$ be as defined in \crossref{abstractsym}. -\vspace{-0.25ex} Let $\Action$ be as defined in \crossref{abstractzk}. \vspace{1ex} -\introlist +\introsection An \actionDescription comprises $(\cvNet{}, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \spendAuthSig, \cmX, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \enableSpends, \enableOutputs,$ $\Proof{})$ where @@ -5428,8 +5414,7 @@ $\Proof{}$ is aggregated with other Action proofs and encoded in the $\proofsOrc } %nufive -\vspace{-2ex} -\introlist +\vspace{-3ex} \lsubsection{Sending Notes}{send} \vspace{-1ex} @@ -5439,6 +5424,7 @@ $\Proof{}$ is aggregated with other Action proofs and encoded in the $\proofsOrc In order to send \Sprout \shielded value, the sender constructs a \transaction containing one or more \joinSplitDescriptions. +\introlist Let $\JoinSplitSig$ be as specified in \crossref{abstractsig}. Let $\NoteCommitAlg{Sprout}$ be as specified in \crossref{abstractcommit}. 
@@ -5512,7 +5498,6 @@ Let $\ValueCommitAlg{Sapling}$ and $\NoteCommitAlg{Sapling}$ be as specified in Let $\KA{Sapling}$ be as specified in \crossref{abstractkeyagreement}. \vspace{-0.25ex} -\introlist Let $\DiversifyHash{Sapling}$ be as specified in \crossref{abstracthashes}. \vspace{-0.25ex} @@ -5521,7 +5506,6 @@ Let $\ToScalar{Sapling}$ be as specified in \crossref{saplingkeycomponents}. Let $\reprJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}. \vspace{1ex} -\introlist Let $\OutViewingKey$ be a \Sapling \outgoingViewingKey that is intended to be able to decrypt this payment. This may be one of: \begin{itemize} @@ -5536,6 +5520,7 @@ this payment. This may be one of: \end{itemize} \vspace{-2ex} +\introlist \pnote{Choosing $\OutViewingKey = \bot$ is useful if the sender prefers to obtain forward secrecy of the payment information with respect to compromise of its own secrets.} @@ -6208,7 +6193,7 @@ $\BindingSig{Sapling}$, $\combplus$, and $\grpplus$ are instantiated in \crossre $\grpminus$, and $\sgrpsum{i=1\vphantom{p}}{\rmN}$, which in this section are to be interpreted as operating on the prime-order subgroup of the \jubjubCurve and its scalar field. -\vspace{1.5ex} +\vspace{1ex} \introlist Suppose that the \transaction has: \begin{itemize} @@ -6219,7 +6204,7 @@ Suppose that the \transaction has: \item \saplingBalancingValue $\vBalance{Sapling}$. \end{itemize} -\vspace{-0.5ex} +\vspace{-1ex} In a correctly constructed \transaction, $\vBalance{Sapling} = \ssum{i=1}{n} \vOld{i} - \ssum{j=1}{m} \vNew{j}$, but validators cannot check this directly because the values are hidden by the commitments. 
@@ -6249,7 +6234,7 @@ In order to check for implementation faults, the signer \SHOULD also check that \item $\BindingPublic{Sapling} = \BindingSigDerivePublic{Sapling}(\BindingPrivate{Sapling})$. \end{formulae} -\vspace{0.5ex} +\vspace{-1ex} Let $\SigHash$ be the \sighashTxHash as defined in \cite{ZIP-243} for a version 4 \transaction\nufive{ or \cite{ZIP-244} as modified by \cite{ZIP-225} for a version 5 \transaction}, not associated with an input, using the \sighashType $\SIGHASHALL$. @@ -6258,6 +6243,7 @@ A validator checks balance by validating that $\BindingSigValidate{Sapling}{\BindingPublic{Sapling}}(\SigHash, \bindingSig{Sapling}) = 1$. \vspace{1ex} +\introlist We now explain why this works. \vspace{1ex} @@ -6392,11 +6378,11 @@ an \orchardBindingSignature does prove that the signer knew this commitment rand this provides defence in depth and reduces the differences of \Orchard from \Sapling, which may simplify security analysis.} -\vspace{2ex} +\vspace{1ex} Instead of generating a key pair at random, we generate it as a function of the \valueCommitments in the \actionDescriptions of the \transaction, and the \orchardBalancingValue. -\vspace{1ex} +\vspace{0.5ex} Let $\GroupP$, $\GroupPstar$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}. \introlist @@ -6415,7 +6401,7 @@ $\BindingSig{Orchard}$, $\combplus$, and $\grpplus$ are instantiated in \crossre $\grpminus$, and $\sgrpsum{i=1\vphantom{p}}{\rmN}$, which in this section are to be interpreted as operating on the \pallasCurve and its scalar field. -\vspace{1.5ex} +\vspace{1ex} \introlist Suppose that the \transaction has: \begin{itemize} @@ -6424,7 +6410,7 @@ Suppose that the \transaction has: \item \orchardBalancingValue $\vBalance{Orchard}$. \end{itemize} -\vspace{-0.5ex} +\vspace{-1ex} In a correctly constructed \transaction, $\vBalance{Orchard} = \ssum{i=1}{n} \vNet{i}$, but validators cannot check this directly because the values are hidden by the commitments. 
@@ -6450,12 +6436,11 @@ In order to check for implementation faults, the signer \SHOULD also check that \item $\BindingPublic{Orchard} = \BindingSigDerivePublic{Orchard}(\BindingPrivate{Orchard})$. \end{formulae} -\vspace{0.5ex} -\introlist A \transaction containing \actionDescriptions is necessarily a version 5 \transaction. Let $\SigHash$ be the \sighashTxHash for a version 5 \transaction as defined in \cite{ZIP-244} as modified by \cite{ZIP-225}, not associated with an input, using the \sighashType $\SIGHASHALL$. +\introlist A validator checks balance by validating that $\BindingSigValidate{Orchard}{\BindingPublic{Orchard}}(\SigHash, \bindingSig{Orchard}) = 1$. @@ -6572,8 +6557,8 @@ Let $\AuthSignPrivate$ be the \defining{\spendAuthPrivateKey} as defined in Let $\SpendAuthSig{}$ be $\SpendAuthSig{Sapling}$\nufive{ or $\SpendAuthSig{Orchard}$ as applicable}. } %notbeforenufive -\introsection -\vspace{2ex} +\introlist +\vspace{1ex} For each \spendDescription\nufive{ or \actionDescription}, the signer chooses a fresh \defining{\spendAuthRandomizer} $\AuthSignRandomizer$: @@ -7058,8 +7043,8 @@ such that the following conditions hold: \introlist \snarkcondition{Old note commitment integrity}{actionoldnotecommitmentintegrity} -$\NoteCommit{Orchard}{\NoteCommitRandOld{}}(\reprP\big(\DiversifiedTransmitBaseOld\big), - \reprP\big(\DiversifiedTransmitPublicOld), +$\NoteCommit{Orchard}{\NoteCommitRandOld{}}(\reprP(\DiversifiedTransmitBaseOld), + \reprP(\DiversifiedTransmitPublicOld), \vOld{}, \NoteUniqueRandOld{}, \NoteNullifierRandOld) \in \setof{\cmOld{}, \bot}$.
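Review bot: in the hunk at 5269 the negative `\vspace` lines between the `\item`s of the output description itemize are all removed, but the `\vspace{-0.3ex}` after the first `\item` of the `consensusrules` environment that follows is kept (last line of the hunk). If the intent is to stop hand-tuning inter-item spacing in this section, that one should go too; otherwise the two adjacent lists will render with different item spacing.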
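Review bot: the hunk at 5324 replaces `\introlist` with `\introsection` before `An \actionDescription comprises ...`, while the hunk at 6572 makes the opposite replacement (`\introsection` to `\introlist`) before `For each \spendDescription ...`. Neither position is a section heading, so please confirm the two macros are meant to behave differently at these two points; if they are interchangeable here, using `\introlist` in both keeps the source consistent with the other `\introlist` insertions in this patch (5439, 5536, 6258, 6436).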
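Review bot: in the hunk at 5536 the new `\introlist` is placed after `\vspace{-2ex}` and directly before `\pnote{...}`, whereas the hunk at 6572 puts `\introlist` before its `\vspace{1ex}`. Unless the difference is deliberate, use one ordering of `\introlist` relative to the adjacent `\vspace` in both places so the two spots behave the same way at a page boundary.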
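Review bot: the hunk at 6450 deletes the `\vspace{0.5ex}` before `A \transaction containing \actionDescriptions ...` outright, while the parallel Sapling hunk at 6249 changes the same `\vspace{0.5ex}` before `Let $\SigHash$ be ...` to `\vspace{-1ex}`. Elsewhere this patch keeps the Sapling and Orchard binding-signature sections in lockstep (1.5ex to 1ex at 6208 and 6415, -0.5ex to -1ex at 6219 and 6424), so either the Orchard side should also get `\vspace{-1ex}` here or a short comment should say why the two sections differ. The same applies to the `\introlist` placement: Orchard puts it before `A validator checks balance ...`, Sapling (6258) before `We now explain why this works.`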
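Review bot: in the hunk at 7058 the old second line `\reprP\big(\DiversifiedTransmitPublicOld),` paired a `\big(` with a plain `)`, so the delimiter sizes were mismatched; dropping `\big` on both arguments fixes that and matches the plain `(` and `)` already used around `\NoteCommit{Orchard}{\NoteCommitRandOld{}}(...)`. Worth checking the other `\snarkcondition` blocks for the same `\reprP\big(` pattern so all of them are sized consistently.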