Cosmetics.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2021-09-30 15:20:48 +01:00
parent 97fa264611
commit bab61e8ecf
1 changed files with 20 additions and 35 deletions

@ -5269,29 +5269,23 @@ Let $\Output$ be as defined in \crossref{abstractzk}.
An \outputDescription comprises $(\cv, \cmU, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \ProofOutput)$ An \outputDescription comprises $(\cv, \cmU, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \ProofOutput)$
where where
\begin{itemize} \begin{itemize}
\vspace{-0.3ex}
\item $\cv \typecolon \ValueCommitOutput{Sapling}$ is the \valueCommitment to the value of the output \note; \item $\cv \typecolon \ValueCommitOutput{Sapling}$ is the \valueCommitment to the value of the output \note;
\vspace{-0.8ex}
\item $\cmU \typecolon \MerkleHash{Sapling}$ is the result of applying $\ExtractJ$ (defined \item $\cmU \typecolon \MerkleHash{Sapling}$ is the result of applying $\ExtractJ$ (defined
in \crossref{concreteextractorjubjub}) to the \noteCommitment for the output \note; in \crossref{concreteextractorjubjub}) to the \noteCommitment for the output \note;
\vspace{-0.6ex}
\item $\EphemeralPublic \typecolon \KAPublic{Sapling}$ is \item $\EphemeralPublic \typecolon \KAPublic{Sapling}$ is
a key agreement \publicKey, used to derive the key for encryption a key agreement \publicKey, used to derive the key for encryption
of the \noteCiphertextSapling (\crossref{saplinginband}); of the \noteCiphertextSapling (\crossref{saplinginband});
\vspace{-0.3ex}
\item $\TransmitCiphertext{} \typecolon \Ciphertext$ is \item $\TransmitCiphertext{} \typecolon \Ciphertext$ is
a ciphertext component for the encrypted output \note; a ciphertext component for the encrypted output \note;
\vspace{-0.3ex}
\item $\OutCiphertext{} \typecolon \Ciphertext$ is a ciphertext component that allows the holder of \item $\OutCiphertext{} \typecolon \Ciphertext$ is a ciphertext component that allows the holder of
the \outgoingCipherKey (which can be derived from a \fullViewingKey) to recover the recipient the \outgoingCipherKey (which can be derived from a \fullViewingKey) to recover the recipient
\diversifiedTransmissionKey $\DiversifiedTransmitPublic$ and the \ephemeralPrivateKey \diversifiedTransmissionKey $\DiversifiedTransmitPublic$ and the \ephemeralPrivateKey
$\EphemeralPrivate$, hence the entire \notePlaintext; $\EphemeralPrivate$, hence the entire \notePlaintext;
\vspace{-0.3ex}
\item $\ProofOutput \typecolon \OutputProof$ is a \zkSNARKProof with \primaryInput \item $\ProofOutput \typecolon \OutputProof$ is a \zkSNARKProof with \primaryInput
$(\cv, \cmU, \EphemeralPublic)$ for the \outputStatement defined in \crossref{outputstatement}. $(\cv, \cmU, \EphemeralPublic)$ for the \outputStatement defined in \crossref{outputstatement}.
\end{itemize} \end{itemize}
\vspace{-2ex} \vspace{-1ex}
\begin{consensusrules} \begin{consensusrules}
\item Elements of an \outputDescription \MUST be valid encodings of the types given above. \item Elements of an \outputDescription \MUST be valid encodings of the types given above.
\vspace{-0.3ex} \vspace{-0.3ex}
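Review bot: the consensusrules block at the end of this hunk still carries a per-item \vspace{-0.3ex}, while the same commit strips every per-item \vspace from the itemize just above it. If the intent is to stop hand-tuning item spacing, drop that one as well or set the spacing once in the environment definition, so that the two lists in the output description section are treated the same way.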
@ -5303,7 +5297,7 @@ where
i.e.\ $\OutputVerify\big(\kern-0.1em(\cv, \cmU, \EphemeralPublic), \Proof{\Output}\big) = 1$. i.e.\ $\OutputVerify\big(\kern-0.1em(\cv, \cmU, \EphemeralPublic), \Proof{\Output}\big) = 1$.
\end{consensusrules} \end{consensusrules}
\vspace{-3.5ex} \vspace{-2ex}
\nnote{The rule that $\cv$ and $\EphemeralPublic$ \MUST not be small-order, has the effect \nnote{The rule that $\cv$ and $\EphemeralPublic$ \MUST not be small-order, has the effect
of also preventing \nonCanonicalFieldElement encodings of these fields\nufive{, as required by \cite{ZIP-216}}. of also preventing \nonCanonicalFieldElement encodings of these fields\nufive{, as required by \cite{ZIP-216}}.
That is, it is necessarily the case that $\reprJ\Of{\abstJ\Of{\cv}\kern0.05em} = \cv$ and That is, it is necessarily the case that $\reprJ\Of{\abstJ\Of{\cv}\kern0.05em} = \cv$ and
@ -5312,10 +5306,8 @@ $\reprJ\Of{\abstJ\Of{\EphemeralPublic}\kern0.05em} = \EphemeralPublic$.}
\nufive{ \nufive{
\vspace{-2.5ex}
\lsubsection{Action Descriptions}{actiondesc} \lsubsection{Action Descriptions}{actiondesc}
\vspace{-1ex}
An \actionTransfer, as specified in \crossref{actions}, is encoded in \transactions as an An \actionTransfer, as specified in \crossref{actions}, is encoded in \transactions as an
\defining{\actionDescription}. \defining{\actionDescription}.
Each version 5 \transaction includes a sequence of zero or more \defining{\actionDescriptions}. Each version 5 \transaction includes a sequence of zero or more \defining{\actionDescriptions}.
@ -5324,31 +5316,25 @@ Each version 5 \transaction includes a sequence of zero or more \defining{\actio
\introlist \introlist
Each \actionDescription is authorized by a signature, called the \defining{\spendAuthSignature}. Each \actionDescription is authorized by a signature, called the \defining{\spendAuthSignature}.
\vspace{0.5ex}
Let $\MerkleHashLength{Orchard}$ be as defined in \crossref{constants}. Let $\MerkleHashLength{Orchard}$ be as defined in \crossref{constants}.
\vspace{-0.25ex}
Let $\ParamP{q}$ be as defined in \crossref{pallasandvesta}. Let $\ParamP{q}$ be as defined in \crossref{pallasandvesta}.
\vspace{-0.25ex}
Let $\GroupPx$ and $\ExtractP$ be as defined in \crossref{concreteextractorpallas}. Let $\GroupPx$ and $\ExtractP$ be as defined in \crossref{concreteextractorpallas}.
\vspace{-0.25ex}
Let $\ValueCommitOutput{Orchard}$ be as defined in \crossref{abstractcommit}. Let $\ValueCommitOutput{Orchard}$ be as defined in \crossref{abstractcommit}.
\vspace{-0.5ex}
Let $\SpendAuthSig{Orchard}$ be as defined in \crossref{spendauthsig}. Let $\SpendAuthSig{Orchard}$ be as defined in \crossref{spendauthsig}.
\vspace{-0.5ex}
Let $\KA{Orchard}$ be as defined in \crossref{abstractkeyagreement}. Let $\KA{Orchard}$ be as defined in \crossref{abstractkeyagreement}.
\vspace{-0.25ex}
Let $\Sym$ be as defined in \crossref{abstractsym}. Let $\Sym$ be as defined in \crossref{abstractsym}.
\vspace{-0.25ex}
Let $\Action$ be as defined in \crossref{abstractzk}. Let $\Action$ be as defined in \crossref{abstractzk}.
\vspace{1ex} \vspace{1ex}
\introlist \introsection
An \actionDescription comprises $(\cvNet{}, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \spendAuthSig, An \actionDescription comprises $(\cvNet{}, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \spendAuthSig,
\cmX, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \enableSpends, \enableOutputs,$ $\Proof{})$ \cmX, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \enableSpends, \enableOutputs,$ $\Proof{})$
where where
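Review bot: before "An \actionDescription comprises" this hunk swaps one macro for another (\introlist to \introsection) rather than adjusting a length, and the spend authorization hunk further down makes the opposite swap (\introsection to \introlist) with no stated reason. The commit message says only "Cosmetics"; a sentence there on which macro is meant for which situation would let later editors keep the choice consistent. The eight \vspace lines removed between the "Let ..." definitions look fine.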
@ -5428,8 +5414,7 @@ $\Proof{}$ is aggregated with other Action proofs and encoded in the $\proofsOrc
} %nufive } %nufive
\vspace{-2ex} \vspace{-3ex}
\introlist
\lsubsection{Sending Notes}{send} \lsubsection{Sending Notes}{send}
\vspace{-1ex} \vspace{-1ex}
@ -5439,6 +5424,7 @@ $\Proof{}$ is aggregated with other Action proofs and encoded in the $\proofsOrc
In order to send \Sprout \shielded value, the sender constructs a In order to send \Sprout \shielded value, the sender constructs a
\transaction containing one or more \joinSplitDescriptions. \transaction containing one or more \joinSplitDescriptions.
\introlist
Let $\JoinSplitSig$ be as specified in \crossref{abstractsig}. Let $\JoinSplitSig$ be as specified in \crossref{abstractsig}.
Let $\NoteCommitAlg{Sprout}$ be as specified in \crossref{abstractcommit}. Let $\NoteCommitAlg{Sprout}$ be as specified in \crossref{abstractcommit}.
@ -5512,7 +5498,6 @@ Let $\ValueCommitAlg{Sapling}$ and $\NoteCommitAlg{Sapling}$ be as specified in
Let $\KA{Sapling}$ be as specified in \crossref{abstractkeyagreement}. Let $\KA{Sapling}$ be as specified in \crossref{abstractkeyagreement}.
\vspace{-0.25ex} \vspace{-0.25ex}
\introlist
Let $\DiversifyHash{Sapling}$ be as specified in \crossref{abstracthashes}. Let $\DiversifyHash{Sapling}$ be as specified in \crossref{abstracthashes}.
\vspace{-0.25ex} \vspace{-0.25ex}
@ -5521,7 +5506,6 @@ Let $\ToScalar{Sapling}$ be as specified in \crossref{saplingkeycomponents}.
Let $\reprJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}. Let $\reprJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}.
\vspace{1ex} \vspace{1ex}
\introlist
Let $\OutViewingKey$ be a \Sapling \outgoingViewingKey that is intended to be able to decrypt Let $\OutViewingKey$ be a \Sapling \outgoingViewingKey that is intended to be able to decrypt
this payment. This may be one of: this payment. This may be one of:
\begin{itemize} \begin{itemize}
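Review bot: the \introlist removed before "Let $\OutViewingKey$" sat directly ahead of the sentence "This may be one of:" that leads into the itemize, while the next hunk adds an \introlist before a \pnote instead. If \introlist exists to keep a lead-in together with the list that follows it, this is the place where it is needed; please confirm that the rendered page does not separate the lead-in from the list, or keep the macro here.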
@ -5536,6 +5520,7 @@ this payment. This may be one of:
\end{itemize} \end{itemize}
\vspace{-2ex} \vspace{-2ex}
\introlist
\pnote{Choosing $\OutViewingKey = \bot$ is useful if the sender prefers to obtain \pnote{Choosing $\OutViewingKey = \bot$ is useful if the sender prefers to obtain
forward secrecy of the payment information with respect to compromise of its own secrets.} forward secrecy of the payment information with respect to compromise of its own secrets.}
@ -6208,7 +6193,7 @@ $\BindingSig{Sapling}$, $\combplus$, and $\grpplus$ are instantiated in \crossre
$\grpminus$, and $\sgrpsum{i=1\vphantom{p}}{\rmN}$, which in this section are to be interpreted as $\grpminus$, and $\sgrpsum{i=1\vphantom{p}}{\rmN}$, which in this section are to be interpreted as
operating on the prime-order subgroup of the \jubjubCurve and its scalar field. operating on the prime-order subgroup of the \jubjubCurve and its scalar field.
\vspace{1.5ex} \vspace{1ex}
\introlist \introlist
Suppose that the \transaction has: Suppose that the \transaction has:
\begin{itemize} \begin{itemize}
@ -6219,7 +6204,7 @@ Suppose that the \transaction has:
\item \saplingBalancingValue $\vBalance{Sapling}$. \item \saplingBalancingValue $\vBalance{Sapling}$.
\end{itemize} \end{itemize}
\vspace{-0.5ex} \vspace{-1ex}
In a correctly constructed \transaction, $\vBalance{Sapling} = \ssum{i=1}{n} \vOld{i} - \ssum{j=1}{m} \vNew{j}$, In a correctly constructed \transaction, $\vBalance{Sapling} = \ssum{i=1}{n} \vOld{i} - \ssum{j=1}{m} \vNew{j}$,
but validators cannot check this directly because the values are hidden by the commitments. but validators cannot check this directly because the values are hidden by the commitments.
@ -6249,7 +6234,7 @@ In order to check for implementation faults, the signer \SHOULD also check that
\item $\BindingPublic{Sapling} = \BindingSigDerivePublic{Sapling}(\BindingPrivate{Sapling})$. \item $\BindingPublic{Sapling} = \BindingSigDerivePublic{Sapling}(\BindingPrivate{Sapling})$.
\end{formulae} \end{formulae}
\vspace{0.5ex} \vspace{-1ex}
Let $\SigHash$ be the \sighashTxHash as defined in \cite{ZIP-243} for a version 4 Let $\SigHash$ be the \sighashTxHash as defined in \cite{ZIP-243} for a version 4
\transaction\nufive{ or \cite{ZIP-244} as modified by \cite{ZIP-225} for a version 5 \transaction\nufive{ or \cite{ZIP-244} as modified by \cite{ZIP-225} for a version 5
\transaction}, not associated with an input, using the \sighashType $\SIGHASHALL$. \transaction}, not associated with an input, using the \sighashType $\SIGHASHALL$.
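Review bot: the spacing before "Let $\SigHash$" moves from \vspace{0.5ex} to \vspace{-1ex} here, whereas the parallel Orchard binding signature hunk deletes its \vspace{0.5ex} and leaves no explicit spacing at all. The two sections are otherwise written almost line for line alike, so use the same treatment in both, or record why the Sapling paragraph needs to be pulled up by 1ex.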
@ -6258,6 +6243,7 @@ A validator checks balance by validating that
$\BindingSigValidate{Sapling}{\BindingPublic{Sapling}}(\SigHash, \bindingSig{Sapling}) = 1$. $\BindingSigValidate{Sapling}{\BindingPublic{Sapling}}(\SigHash, \bindingSig{Sapling}) = 1$.
\vspace{1ex} \vspace{1ex}
\introlist
We now explain why this works. We now explain why this works.
\vspace{1ex} \vspace{1ex}
@ -6392,11 +6378,11 @@ an \orchardBindingSignature does prove that the signer knew this commitment rand
this provides defence in depth and reduces the differences of \Orchard from \Sapling, this provides defence in depth and reduces the differences of \Orchard from \Sapling,
which may simplify security analysis.} which may simplify security analysis.}
\vspace{2ex} \vspace{1ex}
Instead of generating a key pair at random, we generate it as a function of the Instead of generating a key pair at random, we generate it as a function of the
\valueCommitments in the \actionDescriptions of the \transaction, and the \orchardBalancingValue. \valueCommitments in the \actionDescriptions of the \transaction, and the \orchardBalancingValue.
\vspace{1ex} \vspace{0.5ex}
Let $\GroupP$, $\GroupPstar$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}. Let $\GroupP$, $\GroupPstar$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}.
\introlist \introlist
@ -6415,7 +6401,7 @@ $\BindingSig{Orchard}$, $\combplus$, and $\grpplus$ are instantiated in \crossre
$\grpminus$, and $\sgrpsum{i=1\vphantom{p}}{\rmN}$, which in this section are to be interpreted as $\grpminus$, and $\sgrpsum{i=1\vphantom{p}}{\rmN}$, which in this section are to be interpreted as
operating on the \pallasCurve and its scalar field. operating on the \pallasCurve and its scalar field.
\vspace{1.5ex} \vspace{1ex}
\introlist \introlist
Suppose that the \transaction has: Suppose that the \transaction has:
\begin{itemize} \begin{itemize}
@ -6424,7 +6410,7 @@ Suppose that the \transaction has:
\item \orchardBalancingValue $\vBalance{Orchard}$. \item \orchardBalancingValue $\vBalance{Orchard}$.
\end{itemize} \end{itemize}
\vspace{-0.5ex} \vspace{-1ex}
In a correctly constructed \transaction, $\vBalance{Orchard} = \ssum{i=1}{n} \vNet{i}$, In a correctly constructed \transaction, $\vBalance{Orchard} = \ssum{i=1}{n} \vNet{i}$,
but validators cannot check this directly because the values are hidden by the commitments. but validators cannot check this directly because the values are hidden by the commitments.
@ -6450,12 +6436,11 @@ In order to check for implementation faults, the signer \SHOULD also check that
\item $\BindingPublic{Orchard} = \BindingSigDerivePublic{Orchard}(\BindingPrivate{Orchard})$. \item $\BindingPublic{Orchard} = \BindingSigDerivePublic{Orchard}(\BindingPrivate{Orchard})$.
\end{formulae} \end{formulae}
\vspace{0.5ex}
\introlist
A \transaction containing \actionDescriptions is necessarily a version 5 \transaction. A \transaction containing \actionDescriptions is necessarily a version 5 \transaction.
Let $\SigHash$ be the \sighashTxHash for a version 5 \transaction as defined in \cite{ZIP-244} Let $\SigHash$ be the \sighashTxHash for a version 5 \transaction as defined in \cite{ZIP-244}
as modified by \cite{ZIP-225}, not associated with an input, using the \sighashType $\SIGHASHALL$. as modified by \cite{ZIP-225}, not associated with an input, using the \sighashType $\SIGHASHALL$.
\introlist
A validator checks balance by validating that A validator checks balance by validating that
$\BindingSigValidate{Orchard}{\BindingPublic{Orchard}}(\SigHash, \bindingSig{Orchard}) = 1$. $\BindingSigValidate{Orchard}{\BindingPublic{Orchard}}(\SigHash, \bindingSig{Orchard}) = 1$.
@ -6572,8 +6557,8 @@ Let $\AuthSignPrivate$ be the \defining{\spendAuthPrivateKey} as defined in
Let $\SpendAuthSig{}$ be $\SpendAuthSig{Sapling}$\nufive{ or $\SpendAuthSig{Orchard}$ as applicable}. Let $\SpendAuthSig{}$ be $\SpendAuthSig{Sapling}$\nufive{ or $\SpendAuthSig{Orchard}$ as applicable}.
} %notbeforenufive } %notbeforenufive
\introsection \introlist
\vspace{2ex} \vspace{1ex}
For each \spendDescription\nufive{ or \actionDescription}, the signer chooses a fresh For each \spendDescription\nufive{ or \actionDescription}, the signer chooses a fresh
\defining{\spendAuthRandomizer} $\AuthSignRandomizer$: \defining{\spendAuthRandomizer} $\AuthSignRandomizer$:
@ -7058,8 +7043,8 @@ such that the following conditions hold:
\introlist \introlist
\snarkcondition{Old note commitment integrity}{actionoldnotecommitmentintegrity} \snarkcondition{Old note commitment integrity}{actionoldnotecommitmentintegrity}
$\NoteCommit{Orchard}{\NoteCommitRandOld{}}(\reprP\big(\DiversifiedTransmitBaseOld\big), $\NoteCommit{Orchard}{\NoteCommitRandOld{}}(\reprP(\DiversifiedTransmitBaseOld),
\reprP\big(\DiversifiedTransmitPublicOld), \reprP(\DiversifiedTransmitPublicOld),
\vOld{}, \vOld{},
\NoteUniqueRandOld{}, \NoteUniqueRandOld{},
\NoteNullifierRandOld) \in \setof{\cmOld{}, \bot}$. \NoteNullifierRandOld) \in \setof{\cmOld{}, \bot}$.
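Review bot: dropping \big from the \reprP arguments also fixes a real mismatch on the second line, where the old text opened with \big( and closed with a plain ), so this is slightly more than spacing and could be mentioned in the commit message. It is worth checking any neighbouring conditions that still use the \reprP\big( pattern so that the statement renders uniformly.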