mirror of https://github.com/zcash/zips.git
Cosmetics.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood
parent
2d2508d06c
commit
be7df83b10
|
|
@ -4993,15 +4993,17 @@ if this happens, discard the key and repeat with a different $\SpendingKey$.
|
|||
\introsection
|
||||
\lsubsubsection{\OrchardText{} Key Components}{orchardkeycomponents}
|
||||
|
||||
\vspace{-1ex}
|
||||
Let $\PRFOutputLengthExpand$, $\SpendingKeyLength$, $\OutViewingKeyLength$, $\DiversifierLength$,
|
||||
and $\DiversifierKeyLength$ be as defined in \crossref{constants}.
|
||||
|
||||
Let $\GroupP$, $\reprP$, $\ellP$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in
|
||||
\crossref{pallasandvesta}.
|
||||
|
||||
\vspace{-0.25ex}
|
||||
Let $\ExtractP$ be as defined in \crossref{concreteextractorpallas}.
|
||||
|
||||
\vspace{-0.25ex}
|
||||
\vspace{-0.35ex}
|
||||
Let $\GroupPHash$ be as defined in \crossref{concretegrouphashpallasandvesta}.
|
||||
|
||||
\vspace{-0.25ex}
|
||||
|
|
@ -5014,11 +5016,11 @@ Let $\DeriveInternalFVKOrchard$ be as defined in \cite[Orchard internal key deri
|
|||
Let $\PRPd{} \typecolon \DiversifierKeyType \times \DiversifierType \rightarrow \DiversifierType$
|
||||
be as defined in \crossref{concreteprps}.
|
||||
|
||||
\vspace{-0.25ex}
|
||||
\vspace{-0.35ex}
|
||||
Let $\KA{Orchard}$, instantiated in \crossref{concreteorchardkeyagreement},
|
||||
be a \keyAgreementScheme.
|
||||
|
||||
\vspace{-0.25ex}
|
||||
\vspace{-0.35ex}
|
||||
Let $\CommitIvk{}$, instantiated in \crossref{concretesinsemillacommit},
|
||||
be a \commitmentScheme.
|
||||
|
||||
|
|
@ -5029,13 +5031,13 @@ Let $\DiversifyHash{Orchard}$ be as defined in \crossref{concretediversifyhash}.
|
|||
Let $\SpendAuthSig{Orchard}$ instantiated in \crossref{concretespendauthsig}
|
||||
be a \rerandomizableSignatureScheme.
|
||||
|
||||
\vspace{-0.25ex}
|
||||
Let $\ItoLEBSP{}$, $\ItoLEOSP{}$, and $\LEOStoIP{}$ be as defined in \crossref{endian}.
|
||||
|
||||
\vspace{0.5ex}
|
||||
\introlist
|
||||
Define $\ToBase{Orchard}(x \typecolon \PRFOutputExpand) := \LEOStoIPOf{\PRFOutputLengthExpand}{x} \pmod{\ParamP{q}}$.
|
||||
|
||||
\vspace{-0.25ex}
|
||||
\vspace{-1.5ex}
|
||||
Define $\ToScalar{Orchard}(x \typecolon \PRFOutputExpand) := \LEOStoIPOf{\PRFOutputLengthExpand}{x} \pmod{\ParamP{r}}$.
|
||||
|
||||
\introlist
|
||||
|
|
@ -5053,27 +5055,27 @@ the \outgoingViewingKey $\OutViewingKey \typecolon \OutViewingKeyType$, and corr
|
|||
|
||||
\begin{algorithm}
|
||||
\item let mutable $\AuthSignPrivate \leftarrow \ToScalar{Orchard}\big(\PRFexpand{\SpendingKey}([6])\kern-0.1em\big)$
|
||||
\vspace{-0.2ex}
|
||||
\vspace{-0.4ex}
|
||||
\item let $\NullifierKey = \ToBase{Orchard}\big(\PRFexpand{\SpendingKey}([7])\kern-0.1em\big)$
|
||||
\vspace{-0.2ex}
|
||||
\vspace{-0.4ex}
|
||||
\item let $\CommitIvkRand = \ToScalar{Orchard}\big(\PRFexpand{\SpendingKey}([8])\kern-0.1em\big)$
|
||||
\vspace{-0.2ex}
|
||||
\vspace{-0.3ex}
|
||||
\item if $\AuthSignPrivate = 0$, discard this key and repeat with a new $\SpendingKey$.
|
||||
\vspace{-0.2ex}
|
||||
\vspace{-0.3ex}
|
||||
\item let $\AuthSignPublicPoint = \SpendAuthSigDerivePublic{Orchard}(\AuthSignPrivate)$
|
||||
\vspace{-0.2ex}
|
||||
\vspace{-0.3ex}
|
||||
\item if the last bit (that is, the $\tilde{y}$ bit) of $\reprP(\AuthSignPublicPoint)$ is $1$:
|
||||
\vspace{-0.2ex}
|
||||
\vspace{-0.4ex}
|
||||
\item \tab set $\AuthSignPrivate \leftarrow -\AuthSignPrivate$
|
||||
\item \blank
|
||||
\vspace{0.2ex}
|
||||
\item let $\AuthSignPublic = \ExtractP(\AuthSignPublicPoint)$
|
||||
\vspace{-0.2ex}
|
||||
\vspace{-0.4ex}
|
||||
\item let $\InViewingKey = \CommitIvk{\CommitIvkRand}\big(\AuthSignPublic, \NullifierKey\big)$
|
||||
\vspace{-0.2ex}
|
||||
\vspace{-0.3ex}
|
||||
\item if $\InViewingKey \in \setof{0, \bot}$, discard this key and repeat with a new $\SpendingKey$.
|
||||
\vspace{-0.2ex}
|
||||
\item let $K = \ItoLEBSPOf{\SpendingKeyLength}{\CommitIvkRand}$
|
||||
\vspace{-0.2ex}
|
||||
\vspace{-0.5ex}
|
||||
\item let $R = \PRFexpand{K}\big([\hexint{82}] \bconcat \ItoLEOSPOf{256}{\AuthSignPublic} \bconcat \ItoLEOSPOf{256}{\NullifierKey}\kern-0.25em\big)$
|
||||
\vspace{-0.2ex}
|
||||
\item let $\DiversifierKey$ be the first $\DiversifierKeyLength/8$ bytes of $R$ and
|
||||
|
|
@ -12036,9 +12038,10 @@ instead use a \unifiedPaymentAddress as defined in \cite{ZIP-316}.
|
|||
\vspace{-1ex}
|
||||
\lsubsubsubsection{\OrchardText{} Raw Incoming Viewing Keys}{orchardinviewingkeyencoding}
|
||||
|
||||
\vspace{-2ex}
|
||||
\vspace{-2.5ex}
|
||||
Let $\KA{Orchard}$ be as defined in \crossref{concreteorchardkeyagreement}.
|
||||
|
||||
\vspace{-0.5ex}
|
||||
An \Orchard{} \defining{\incomingViewingKey} consists of a \diversifierKey $\DiversifierKey$,
|
||||
and a $\KAPrivate{Orchard}$ key $\InViewingKey$ restricted to the range $\InViewingKeyTypeOrchard$.
|
||||
It is derived as described in \crossref{orchardkeycomponents}, and is used with the
|
||||
|
|
@ -12049,7 +12052,6 @@ Let $\ItoLEOSP{}$ be as defined in \crossref{endian}.
|
|||
\introlist
|
||||
\vspace{0.5ex}
|
||||
The \rawEncoding of an \Orchard \incomingViewingKey consists of:
|
||||
\vspace{0.5ex}
|
||||
\begin{equation*}
|
||||
\begin{bytefield}[bitwidth=0.07em]{256}
|
||||
\sbitbox{256}{$\DiversifierKey$}
|
||||
|
|
@ -12057,12 +12059,13 @@ The \rawEncoding of an \Orchard \incomingViewingKey consists of:
|
|||
\end{bytefield}
|
||||
\end{equation*}
|
||||
|
||||
\vspace{-1.5ex}
|
||||
\vspace{-2.5ex}
|
||||
\begin{itemize}
|
||||
\item $32$ bytes specifying $\DiversifierKey$.
|
||||
\item $32$ bytes (little-endian) specifying $\InViewingKey$.
|
||||
\end{itemize}
|
||||
|
||||
\vspace{-1.5ex}
|
||||
$\InViewingKey$ \MUST be in the range $\InViewingKeyTypeOrchard$ as specified
|
||||
in \crossref{orchardkeycomponents}. That is, a decoded \incomingViewingKey \MUST be
|
||||
considered invalid if $\InViewingKey$ is not in this range.
|
||||
|
|
@ -12076,9 +12079,10 @@ instead use a \unifiedIncomingViewingKey as defined in \cite{ZIP-316}.
|
|||
\vspace{-1ex}
|
||||
\lsubsubsubsection{\OrchardText{} Raw Full Viewing Keys}{orchardfullviewingkeyencoding}
|
||||
|
||||
\vspace{-2ex}
|
||||
\vspace{-2.5ex}
|
||||
Let $\KA{Orchard}$ be as defined in \crossref{concreteorchardkeyagreement}.
|
||||
|
||||
\vspace{-0.5ex}
|
||||
Let $\ExtractP$ be as defined in \crossref{concreteextractorpallas}.
|
||||
|
||||
An \Orchard{} \defining{\fullViewingKey} consists of $\AuthSignPublic \typecolon \AuthSignPublicTypeOrchard$,
|
||||
|
|
@ -12095,7 +12099,6 @@ Let $\ItoLEOSP{}$ be as defined in \crossref{endian}.
|
|||
\introlist
|
||||
\vspace{0.5ex}
|
||||
The \rawEncoding of an \Orchard \fullViewingKey consists of:
|
||||
\vspace{0.5ex}
|
||||
\begin{equation*}
|
||||
\begin{bytefield}[bitwidth=0.05em]{512}
|
||||
\sbitbox{256}{$\ItoLEOSPOf{256}{\AuthSignPublic}$}
|
||||
|
|
@ -12104,7 +12107,7 @@ The \rawEncoding of an \Orchard \fullViewingKey consists of:
|
|||
\end{bytefield}
|
||||
\end{equation*}
|
||||
|
||||
\vspace{-1.5ex}
|
||||
\vspace{-2.5ex}
|
||||
\begin{itemize}
|
||||
\item $32$ bytes (little-endian) specifying $\AuthSignPublic$.
|
||||
\item $32$ bytes (little-endian) specifying $\NullifierKey$.
|
||||
|
|
@ -12112,7 +12115,7 @@ The \rawEncoding of an \Orchard \fullViewingKey consists of:
|
|||
\end{itemize}
|
||||
|
||||
\introlist
|
||||
\vspace{-1ex}
|
||||
\vspace{-1.5ex}
|
||||
When decoding this representation, the key \MUST be considered invalid if $\AuthSignPublic$,
|
||||
$\NullifierKey$, or $\CommitIvkRand$ are not canonically encoded elements of their respective
|
||||
fields, or if $\AuthSignPublic$ is not a valid \Pallas $x$-coordinate, or if either the
|
||||
|
|
@ -18561,6 +18564,7 @@ The performance benefits of this approach are the same as for \crossref{reddsaba
|
|||
\phantompart{Index}{index}
|
||||
|
||||
\begin{flushleft}
|
||||
\vfuzz=14pt
|
||||
\printindex
|
||||
\end{flushleft}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue