Cosmetics.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
97fa264611
commit
bab61e8ecf
|
@ -5269,29 +5269,23 @@ Let $\Output$ be as defined in \crossref{abstractzk}.
|
||||||
An \outputDescription comprises $(\cv, \cmU, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \ProofOutput)$
|
An \outputDescription comprises $(\cv, \cmU, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \ProofOutput)$
|
||||||
where
|
where
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\vspace{-0.3ex}
|
|
||||||
\item $\cv \typecolon \ValueCommitOutput{Sapling}$ is the \valueCommitment to the value of the output \note;
|
\item $\cv \typecolon \ValueCommitOutput{Sapling}$ is the \valueCommitment to the value of the output \note;
|
||||||
\vspace{-0.8ex}
|
|
||||||
\item $\cmU \typecolon \MerkleHash{Sapling}$ is the result of applying $\ExtractJ$ (defined
|
\item $\cmU \typecolon \MerkleHash{Sapling}$ is the result of applying $\ExtractJ$ (defined
|
||||||
in \crossref{concreteextractorjubjub}) to the \noteCommitment for the output \note;
|
in \crossref{concreteextractorjubjub}) to the \noteCommitment for the output \note;
|
||||||
\vspace{-0.6ex}
|
|
||||||
\item $\EphemeralPublic \typecolon \KAPublic{Sapling}$ is
|
\item $\EphemeralPublic \typecolon \KAPublic{Sapling}$ is
|
||||||
a key agreement \publicKey, used to derive the key for encryption
|
a key agreement \publicKey, used to derive the key for encryption
|
||||||
of the \noteCiphertextSapling (\crossref{saplinginband});
|
of the \noteCiphertextSapling (\crossref{saplinginband});
|
||||||
\vspace{-0.3ex}
|
|
||||||
\item $\TransmitCiphertext{} \typecolon \Ciphertext$ is
|
\item $\TransmitCiphertext{} \typecolon \Ciphertext$ is
|
||||||
a ciphertext component for the encrypted output \note;
|
a ciphertext component for the encrypted output \note;
|
||||||
\vspace{-0.3ex}
|
|
||||||
\item $\OutCiphertext{} \typecolon \Ciphertext$ is a ciphertext component that allows the holder of
|
\item $\OutCiphertext{} \typecolon \Ciphertext$ is a ciphertext component that allows the holder of
|
||||||
the \outgoingCipherKey (which can be derived from a \fullViewingKey) to recover the recipient
|
the \outgoingCipherKey (which can be derived from a \fullViewingKey) to recover the recipient
|
||||||
\diversifiedTransmissionKey $\DiversifiedTransmitPublic$ and the \ephemeralPrivateKey
|
\diversifiedTransmissionKey $\DiversifiedTransmitPublic$ and the \ephemeralPrivateKey
|
||||||
$\EphemeralPrivate$, hence the entire \notePlaintext;
|
$\EphemeralPrivate$, hence the entire \notePlaintext;
|
||||||
\vspace{-0.3ex}
|
|
||||||
\item $\ProofOutput \typecolon \OutputProof$ is a \zkSNARKProof with \primaryInput
|
\item $\ProofOutput \typecolon \OutputProof$ is a \zkSNARKProof with \primaryInput
|
||||||
$(\cv, \cmU, \EphemeralPublic)$ for the \outputStatement defined in \crossref{outputstatement}.
|
$(\cv, \cmU, \EphemeralPublic)$ for the \outputStatement defined in \crossref{outputstatement}.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
\vspace{-2ex}
|
\vspace{-1ex}
|
||||||
\begin{consensusrules}
|
\begin{consensusrules}
|
||||||
\item Elements of an \outputDescription \MUST be valid encodings of the types given above.
|
\item Elements of an \outputDescription \MUST be valid encodings of the types given above.
|
||||||
\vspace{-0.3ex}
|
\vspace{-0.3ex}
|
||||||
|
@ -5303,7 +5297,7 @@ where
|
||||||
i.e.\ $\OutputVerify\big(\kern-0.1em(\cv, \cmU, \EphemeralPublic), \Proof{\Output}\big) = 1$.
|
i.e.\ $\OutputVerify\big(\kern-0.1em(\cv, \cmU, \EphemeralPublic), \Proof{\Output}\big) = 1$.
|
||||||
\end{consensusrules}
|
\end{consensusrules}
|
||||||
|
|
||||||
\vspace{-3.5ex}
|
\vspace{-2ex}
|
||||||
\nnote{The rule that $\cv$ and $\EphemeralPublic$ \MUST not be small-order, has the effect
|
\nnote{The rule that $\cv$ and $\EphemeralPublic$ \MUST not be small-order, has the effect
|
||||||
of also preventing \nonCanonicalFieldElement encodings of these fields\nufive{, as required by \cite{ZIP-216}}.
|
of also preventing \nonCanonicalFieldElement encodings of these fields\nufive{, as required by \cite{ZIP-216}}.
|
||||||
That is, it is necessarily the case that $\reprJ\Of{\abstJ\Of{\cv}\kern0.05em} = \cv$ and
|
That is, it is necessarily the case that $\reprJ\Of{\abstJ\Of{\cv}\kern0.05em} = \cv$ and
|
||||||
|
@ -5312,10 +5306,8 @@ $\reprJ\Of{\abstJ\Of{\EphemeralPublic}\kern0.05em} = \EphemeralPublic$.}
|
||||||
|
|
||||||
|
|
||||||
\nufive{
|
\nufive{
|
||||||
\vspace{-2.5ex}
|
|
||||||
\lsubsection{Action Descriptions}{actiondesc}
|
\lsubsection{Action Descriptions}{actiondesc}
|
||||||
|
|
||||||
\vspace{-1ex}
|
|
||||||
An \actionTransfer, as specified in \crossref{actions}, is encoded in \transactions as an
|
An \actionTransfer, as specified in \crossref{actions}, is encoded in \transactions as an
|
||||||
\defining{\actionDescription}.
|
\defining{\actionDescription}.
|
||||||
Each version 5 \transaction includes a sequence of zero or more \defining{\actionDescriptions}.
|
Each version 5 \transaction includes a sequence of zero or more \defining{\actionDescriptions}.
|
||||||
|
@ -5324,31 +5316,25 @@ Each version 5 \transaction includes a sequence of zero or more \defining{\actio
|
||||||
\introlist
|
\introlist
|
||||||
Each \actionDescription is authorized by a signature, called the \defining{\spendAuthSignature}.
|
Each \actionDescription is authorized by a signature, called the \defining{\spendAuthSignature}.
|
||||||
|
|
||||||
|
\vspace{0.5ex}
|
||||||
Let $\MerkleHashLength{Orchard}$ be as defined in \crossref{constants}.
|
Let $\MerkleHashLength{Orchard}$ be as defined in \crossref{constants}.
|
||||||
|
|
||||||
\vspace{-0.25ex}
|
|
||||||
Let $\ParamP{q}$ be as defined in \crossref{pallasandvesta}.
|
Let $\ParamP{q}$ be as defined in \crossref{pallasandvesta}.
|
||||||
|
|
||||||
\vspace{-0.25ex}
|
|
||||||
Let $\GroupPx$ and $\ExtractP$ be as defined in \crossref{concreteextractorpallas}.
|
Let $\GroupPx$ and $\ExtractP$ be as defined in \crossref{concreteextractorpallas}.
|
||||||
|
|
||||||
\vspace{-0.25ex}
|
|
||||||
Let $\ValueCommitOutput{Orchard}$ be as defined in \crossref{abstractcommit}.
|
Let $\ValueCommitOutput{Orchard}$ be as defined in \crossref{abstractcommit}.
|
||||||
|
|
||||||
\vspace{-0.5ex}
|
|
||||||
Let $\SpendAuthSig{Orchard}$ be as defined in \crossref{spendauthsig}.
|
Let $\SpendAuthSig{Orchard}$ be as defined in \crossref{spendauthsig}.
|
||||||
|
|
||||||
\vspace{-0.5ex}
|
|
||||||
Let $\KA{Orchard}$ be as defined in \crossref{abstractkeyagreement}.
|
Let $\KA{Orchard}$ be as defined in \crossref{abstractkeyagreement}.
|
||||||
|
|
||||||
\vspace{-0.25ex}
|
|
||||||
Let $\Sym$ be as defined in \crossref{abstractsym}.
|
Let $\Sym$ be as defined in \crossref{abstractsym}.
|
||||||
|
|
||||||
\vspace{-0.25ex}
|
|
||||||
Let $\Action$ be as defined in \crossref{abstractzk}.
|
Let $\Action$ be as defined in \crossref{abstractzk}.
|
||||||
|
|
||||||
\vspace{1ex}
|
\vspace{1ex}
|
||||||
\introlist
|
\introsection
|
||||||
An \actionDescription comprises $(\cvNet{}, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \spendAuthSig,
|
An \actionDescription comprises $(\cvNet{}, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \spendAuthSig,
|
||||||
\cmX, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \enableSpends, \enableOutputs,$ $\Proof{})$
|
\cmX, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \enableSpends, \enableOutputs,$ $\Proof{})$
|
||||||
where
|
where
|
||||||
|
@ -5428,8 +5414,7 @@ $\Proof{}$ is aggregated with other Action proofs and encoded in the $\proofsOrc
|
||||||
} %nufive
|
} %nufive
|
||||||
|
|
||||||
|
|
||||||
\vspace{-2ex}
|
\vspace{-3ex}
|
||||||
\introlist
|
|
||||||
\lsubsection{Sending Notes}{send}
|
\lsubsection{Sending Notes}{send}
|
||||||
|
|
||||||
\vspace{-1ex}
|
\vspace{-1ex}
|
||||||
|
@ -5439,6 +5424,7 @@ $\Proof{}$ is aggregated with other Action proofs and encoded in the $\proofsOrc
|
||||||
In order to send \Sprout \shielded value, the sender constructs a
|
In order to send \Sprout \shielded value, the sender constructs a
|
||||||
\transaction containing one or more \joinSplitDescriptions.
|
\transaction containing one or more \joinSplitDescriptions.
|
||||||
|
|
||||||
|
\introlist
|
||||||
Let $\JoinSplitSig$ be as specified in \crossref{abstractsig}.
|
Let $\JoinSplitSig$ be as specified in \crossref{abstractsig}.
|
||||||
|
|
||||||
Let $\NoteCommitAlg{Sprout}$ be as specified in \crossref{abstractcommit}.
|
Let $\NoteCommitAlg{Sprout}$ be as specified in \crossref{abstractcommit}.
|
||||||
|
@ -5512,7 +5498,6 @@ Let $\ValueCommitAlg{Sapling}$ and $\NoteCommitAlg{Sapling}$ be as specified in
|
||||||
Let $\KA{Sapling}$ be as specified in \crossref{abstractkeyagreement}.
|
Let $\KA{Sapling}$ be as specified in \crossref{abstractkeyagreement}.
|
||||||
|
|
||||||
\vspace{-0.25ex}
|
\vspace{-0.25ex}
|
||||||
\introlist
|
|
||||||
Let $\DiversifyHash{Sapling}$ be as specified in \crossref{abstracthashes}.
|
Let $\DiversifyHash{Sapling}$ be as specified in \crossref{abstracthashes}.
|
||||||
|
|
||||||
\vspace{-0.25ex}
|
\vspace{-0.25ex}
|
||||||
|
@ -5521,7 +5506,6 @@ Let $\ToScalar{Sapling}$ be as specified in \crossref{saplingkeycomponents}.
|
||||||
Let $\reprJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}.
|
Let $\reprJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}.
|
||||||
|
|
||||||
\vspace{1ex}
|
\vspace{1ex}
|
||||||
\introlist
|
|
||||||
Let $\OutViewingKey$ be a \Sapling \outgoingViewingKey that is intended to be able to decrypt
|
Let $\OutViewingKey$ be a \Sapling \outgoingViewingKey that is intended to be able to decrypt
|
||||||
this payment. This may be one of:
|
this payment. This may be one of:
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
|
@ -5536,6 +5520,7 @@ this payment. This may be one of:
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
\vspace{-2ex}
|
\vspace{-2ex}
|
||||||
|
\introlist
|
||||||
\pnote{Choosing $\OutViewingKey = \bot$ is useful if the sender prefers to obtain
|
\pnote{Choosing $\OutViewingKey = \bot$ is useful if the sender prefers to obtain
|
||||||
forward secrecy of the payment information with respect to compromise of its own secrets.}
|
forward secrecy of the payment information with respect to compromise of its own secrets.}
|
||||||
|
|
||||||
|
@ -6208,7 +6193,7 @@ $\BindingSig{Sapling}$, $\combplus$, and $\grpplus$ are instantiated in \crossre
|
||||||
$\grpminus$, and $\sgrpsum{i=1\vphantom{p}}{\rmN}$, which in this section are to be interpreted as
|
$\grpminus$, and $\sgrpsum{i=1\vphantom{p}}{\rmN}$, which in this section are to be interpreted as
|
||||||
operating on the prime-order subgroup of the \jubjubCurve and its scalar field.
|
operating on the prime-order subgroup of the \jubjubCurve and its scalar field.
|
||||||
|
|
||||||
\vspace{1.5ex}
|
\vspace{1ex}
|
||||||
\introlist
|
\introlist
|
||||||
Suppose that the \transaction has:
|
Suppose that the \transaction has:
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
|
@ -6219,7 +6204,7 @@ Suppose that the \transaction has:
|
||||||
\item \saplingBalancingValue $\vBalance{Sapling}$.
|
\item \saplingBalancingValue $\vBalance{Sapling}$.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
\vspace{-0.5ex}
|
\vspace{-1ex}
|
||||||
In a correctly constructed \transaction, $\vBalance{Sapling} = \ssum{i=1}{n} \vOld{i} - \ssum{j=1}{m} \vNew{j}$,
|
In a correctly constructed \transaction, $\vBalance{Sapling} = \ssum{i=1}{n} \vOld{i} - \ssum{j=1}{m} \vNew{j}$,
|
||||||
but validators cannot check this directly because the values are hidden by the commitments.
|
but validators cannot check this directly because the values are hidden by the commitments.
|
||||||
|
|
||||||
|
@ -6249,7 +6234,7 @@ In order to check for implementation faults, the signer \SHOULD also check that
|
||||||
\item $\BindingPublic{Sapling} = \BindingSigDerivePublic{Sapling}(\BindingPrivate{Sapling})$.
|
\item $\BindingPublic{Sapling} = \BindingSigDerivePublic{Sapling}(\BindingPrivate{Sapling})$.
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
\vspace{0.5ex}
|
\vspace{-1ex}
|
||||||
Let $\SigHash$ be the \sighashTxHash as defined in \cite{ZIP-243} for a version 4
|
Let $\SigHash$ be the \sighashTxHash as defined in \cite{ZIP-243} for a version 4
|
||||||
\transaction\nufive{ or \cite{ZIP-244} as modified by \cite{ZIP-225} for a version 5
|
\transaction\nufive{ or \cite{ZIP-244} as modified by \cite{ZIP-225} for a version 5
|
||||||
\transaction}, not associated with an input, using the \sighashType $\SIGHASHALL$.
|
\transaction}, not associated with an input, using the \sighashType $\SIGHASHALL$.
|
||||||
|
@ -6258,6 +6243,7 @@ A validator checks balance by validating that
|
||||||
$\BindingSigValidate{Sapling}{\BindingPublic{Sapling}}(\SigHash, \bindingSig{Sapling}) = 1$.
|
$\BindingSigValidate{Sapling}{\BindingPublic{Sapling}}(\SigHash, \bindingSig{Sapling}) = 1$.
|
||||||
|
|
||||||
\vspace{1ex}
|
\vspace{1ex}
|
||||||
|
\introlist
|
||||||
We now explain why this works.
|
We now explain why this works.
|
||||||
|
|
||||||
\vspace{1ex}
|
\vspace{1ex}
|
||||||
|
@ -6392,11 +6378,11 @@ an \orchardBindingSignature does prove that the signer knew this commitment rand
|
||||||
this provides defence in depth and reduces the differences of \Orchard from \Sapling,
|
this provides defence in depth and reduces the differences of \Orchard from \Sapling,
|
||||||
which may simplify security analysis.}
|
which may simplify security analysis.}
|
||||||
|
|
||||||
\vspace{2ex}
|
\vspace{1ex}
|
||||||
Instead of generating a key pair at random, we generate it as a function of the
|
Instead of generating a key pair at random, we generate it as a function of the
|
||||||
\valueCommitments in the \actionDescriptions of the \transaction, and the \orchardBalancingValue.
|
\valueCommitments in the \actionDescriptions of the \transaction, and the \orchardBalancingValue.
|
||||||
|
|
||||||
\vspace{1ex}
|
\vspace{0.5ex}
|
||||||
Let $\GroupP$, $\GroupPstar$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}.
|
Let $\GroupP$, $\GroupPstar$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}.
|
||||||
|
|
||||||
\introlist
|
\introlist
|
||||||
|
@ -6415,7 +6401,7 @@ $\BindingSig{Orchard}$, $\combplus$, and $\grpplus$ are instantiated in \crossre
|
||||||
$\grpminus$, and $\sgrpsum{i=1\vphantom{p}}{\rmN}$, which in this section are to be interpreted as
|
$\grpminus$, and $\sgrpsum{i=1\vphantom{p}}{\rmN}$, which in this section are to be interpreted as
|
||||||
operating on the \pallasCurve and its scalar field.
|
operating on the \pallasCurve and its scalar field.
|
||||||
|
|
||||||
\vspace{1.5ex}
|
\vspace{1ex}
|
||||||
\introlist
|
\introlist
|
||||||
Suppose that the \transaction has:
|
Suppose that the \transaction has:
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
|
@ -6424,7 +6410,7 @@ Suppose that the \transaction has:
|
||||||
\item \orchardBalancingValue $\vBalance{Orchard}$.
|
\item \orchardBalancingValue $\vBalance{Orchard}$.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
\vspace{-0.5ex}
|
\vspace{-1ex}
|
||||||
In a correctly constructed \transaction, $\vBalance{Orchard} = \ssum{i=1}{n} \vNet{i}$,
|
In a correctly constructed \transaction, $\vBalance{Orchard} = \ssum{i=1}{n} \vNet{i}$,
|
||||||
but validators cannot check this directly because the values are hidden by the commitments.
|
but validators cannot check this directly because the values are hidden by the commitments.
|
||||||
|
|
||||||
|
@ -6450,12 +6436,11 @@ In order to check for implementation faults, the signer \SHOULD also check that
|
||||||
\item $\BindingPublic{Orchard} = \BindingSigDerivePublic{Orchard}(\BindingPrivate{Orchard})$.
|
\item $\BindingPublic{Orchard} = \BindingSigDerivePublic{Orchard}(\BindingPrivate{Orchard})$.
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
\vspace{0.5ex}
|
|
||||||
\introlist
|
|
||||||
A \transaction containing \actionDescriptions is necessarily a version 5 \transaction.
|
A \transaction containing \actionDescriptions is necessarily a version 5 \transaction.
|
||||||
Let $\SigHash$ be the \sighashTxHash for a version 5 \transaction as defined in \cite{ZIP-244}
|
Let $\SigHash$ be the \sighashTxHash for a version 5 \transaction as defined in \cite{ZIP-244}
|
||||||
as modified by \cite{ZIP-225}, not associated with an input, using the \sighashType $\SIGHASHALL$.
|
as modified by \cite{ZIP-225}, not associated with an input, using the \sighashType $\SIGHASHALL$.
|
||||||
|
|
||||||
|
\introlist
|
||||||
A validator checks balance by validating that
|
A validator checks balance by validating that
|
||||||
$\BindingSigValidate{Orchard}{\BindingPublic{Orchard}}(\SigHash, \bindingSig{Orchard}) = 1$.
|
$\BindingSigValidate{Orchard}{\BindingPublic{Orchard}}(\SigHash, \bindingSig{Orchard}) = 1$.
|
||||||
|
|
||||||
|
@ -6572,8 +6557,8 @@ Let $\AuthSignPrivate$ be the \defining{\spendAuthPrivateKey} as defined in
|
||||||
Let $\SpendAuthSig{}$ be $\SpendAuthSig{Sapling}$\nufive{ or $\SpendAuthSig{Orchard}$ as applicable}.
|
Let $\SpendAuthSig{}$ be $\SpendAuthSig{Sapling}$\nufive{ or $\SpendAuthSig{Orchard}$ as applicable}.
|
||||||
} %notbeforenufive
|
} %notbeforenufive
|
||||||
|
|
||||||
\introsection
|
\introlist
|
||||||
\vspace{2ex}
|
\vspace{1ex}
|
||||||
For each \spendDescription\nufive{ or \actionDescription}, the signer chooses a fresh
|
For each \spendDescription\nufive{ or \actionDescription}, the signer chooses a fresh
|
||||||
\defining{\spendAuthRandomizer} $\AuthSignRandomizer$:
|
\defining{\spendAuthRandomizer} $\AuthSignRandomizer$:
|
||||||
|
|
||||||
|
@ -7058,8 +7043,8 @@ such that the following conditions hold:
|
||||||
|
|
||||||
\introlist
|
\introlist
|
||||||
\snarkcondition{Old note commitment integrity}{actionoldnotecommitmentintegrity}
|
\snarkcondition{Old note commitment integrity}{actionoldnotecommitmentintegrity}
|
||||||
$\NoteCommit{Orchard}{\NoteCommitRandOld{}}(\reprP\big(\DiversifiedTransmitBaseOld\big),
|
$\NoteCommit{Orchard}{\NoteCommitRandOld{}}(\reprP(\DiversifiedTransmitBaseOld),
|
||||||
\reprP\big(\DiversifiedTransmitPublicOld),
|
\reprP(\DiversifiedTransmitPublicOld),
|
||||||
\vOld{},
|
\vOld{},
|
||||||
\NoteUniqueRandOld{},
|
\NoteUniqueRandOld{},
|
||||||
\NoteNullifierRandOld) \in \setof{\cmOld{}, \bot}$.
|
\NoteNullifierRandOld) \in \setof{\cmOld{}, \bot}$.
|
||||||
|
|