Merge pull request #441 from daira/orchard-circuit

NU5 specification
2021-03-15 16:22:53 +00:00 · 2021-03-15 16:22:53 +00:00 · bed110f816
parent 7cf44fe6bc ad032d456a
commit bed110f816
6 changed files with 7050 additions and 1892 deletions
--- a/protocol/Makefile
+++ b/protocol/Makefile
@ -18,10 +18,10 @@ NOCRUFT?=|perl -pe 's|[{\<\(]\/[^ ]* ?||g;s|^.* has been referenced but does not

 .PHONY: all all-specs release
 all: .Makefile.uptodate
-	$(MAKE) orchard canopy heartwood blossom sapling sprout
+	$(MAKE) nu5 canopy heartwood blossom sapling sprout

 all-specs: .Makefile.uptodate
-	$(MAKE) orchard.pdf canopy.pdf heartwood.pdf blossom.pdf sapling.pdf sprout.pdf
+	$(MAKE) nu5.pdf canopy.pdf heartwood.pdf blossom.pdf sapling.pdf sprout.pdf

 release:
 ifeq ($(shell git tag --points-at HEAD |wc -l),0)
@ -56,8 +56,8 @@ heartwood.pdf: protocol.tex zcash.bib incremental_merkle.png key_components_sapl
 canopy.pdf: protocol.tex zcash.bib incremental_merkle.png key_components_sapling.png
 	$(MAKE) canopy

-orchard.pdf: protocol.tex zcash.bib incremental_merkle.png key_components_sapling.png
-	$(MAKE) orchard
+nu5.pdf: protocol.tex zcash.bib incremental_merkle.png key_components_sapling.png
+	$(MAKE) nu5

 .PHONY: auxsprout
 auxsprout:
@ -120,17 +120,17 @@ canopy:
 	mv -f aux/canopy.pdf .
 	cp -f canopy.pdf protocol.pdf

-.PHONY: auxorchard
-auxorchard:
-	printf '\\toggletrue{isorchard}\n\\renewcommand{\\docversion}{Version %s [\\OrchardSpec]}' "$$(git describe --tags --abbrev=6)" |tee protocol.ver
+.PHONY: auxnu5
+auxnu5:
+	printf '\\toggletrue{isnufive}\n\\renewcommand{\\docversion}{Version %s [\\NUFiveSpec]}' "$$(git describe --tags --abbrev=6)" |tee protocol.ver
 	mkdir -p aux
-	rm -f aux/orchard.*
-	$(LATEXMK) -jobname=orchard -auxdir=aux -outdir=aux $(EXTRAOPT) protocol $(NOCRUFT)
+	rm -f aux/nu5.*
+	$(LATEXMK) -jobname=nu5 -auxdir=aux -outdir=aux $(EXTRAOPT) protocol $(NOCRUFT)

-.PHONY: orchard
-orchard:
-	$(MAKE) auxorchard
-	mv -f aux/orchard.pdf .
+.PHONY: nu5
+nu5:
+	$(MAKE) auxnu5
+	mv -f aux/nu5.pdf .

 .PHONY: nolatexmk-sprout
 nolatexmk-sprout:
@ -193,18 +193,18 @@ nolatexmk-canopy:
 	sh mymakeindex.sh -o canopy.ind canopy.idx
 	$(LATEX) -jobname=canopy protocol.tex || { touch incremental_merkle.png; exit 1; }

-.PHONY: nolatexmk-orchard
-nolatexmk-orchard:
-	printf '\\toggletrue{isorchard}\n\\renewcommand{\\docversion}{Version %s [\\OrchardSpec]}' "$$(git describe --tags --abbrev=6)" |tee protocol.ver
+.PHONY: nolatexmk-nu5
+nolatexmk-nu5:
+	printf '\\toggletrue{isnufive}\n\\renewcommand{\\docversion}{Version %s [\\NUFiveSpec]}' "$$(git describe --tags --abbrev=6)" |tee protocol.ver
 	# If $(LATEX) fails, touch an input so that 'make' won't think it is up-to-date next time.
-	rm -f orchard.aux orchard.bbl orchard.blg orchard.brf orchard.bcf
-	$(LATEX) -jobname=orchard protocol.tex || { touch incremental_merkle.png; exit 1; }
-	biber orchard
-	$(LATEX) -jobname=orchard protocol.tex || { touch incremental_merkle.png; exit 1; }
-	$(LATEX) -jobname=orchard protocol.tex || { touch incremental_merkle.png; exit 1; }
-	sh mymakeindex.sh -o orchard.ind orchard.idx
-	$(LATEX) -jobname=orchard protocol.tex || { touch incremental_merkle.png; exit 1; }
+	rm -f nu5.aux nu5.bbl nu5.blg nu5.brf nu5.bcf
+	$(LATEX) -jobname=nu5 protocol.tex || { touch incremental_merkle.png; exit 1; }
+	biber nu5
+	$(LATEX) -jobname=nu5 protocol.tex || { touch incremental_merkle.png; exit 1; }
+	$(LATEX) -jobname=nu5 protocol.tex || { touch incremental_merkle.png; exit 1; }
+	sh mymakeindex.sh -o nu5.ind nu5.idx
+	$(LATEX) -jobname=nu5 protocol.tex || { touch incremental_merkle.png; exit 1; }

 .PHONY: clean
 clean:
-	rm -f aux/* html/* protocol.ver protocol.pdf orchard.pdf canopy.pdf heartwood.pdf blossom.pdf sapling.pdf sprout.pdf
+	rm -f aux/* html/* protocol.ver protocol.pdf nu5.pdf canopy.pdf heartwood.pdf blossom.pdf sapling.pdf sprout.pdf
--- a/protocol/key_components_orchard.png
+++ b/protocol/key_components_orchard.png
--- a/protocol/key_components_orchard.svg
+++ b/protocol/key_components_orchard.svg
--- a/protocol/orchard.pdf
+++ b/protocol/orchard.pdf
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
--- a/protocol/zcash.bib
+++ b/protocol/zcash.bib
@ -176,6 +176,16 @@ Last revised May~31, 2016.}
   urldate={2018-02-10}
 }

+@misc{GWC2019,
+   presort={GWC2019},
+   author={Ariel Gabizon and Zachary Williamson and Oana Ciobotaru},
+   title={{PLONK}: {P}ermutations over {L}agrange-bases for {O}ecumenical {N}oninteractive arguments of {K}nowledge},
+   url={https://eprint.iacr.org/2019/953},
+   urldate={2021-01-28},
+   howpublished={Cryptology ePrint Ar\-chive: Report 2019/953.
+Last revised September~3, 2020.}
+}
+
 % Capitalized De/Di is correct <https://www.thoughtco.com/italian-capitalization-rules-2011478>
@inproceedings{DSDCOPS2001,
   presort={DSDCOPS2001},
@ -187,7 +197,7 @@ Proceedings of the 21st Annual International Cryptology Conference
   volume={2139},
   series={Lecture Notes in Computer Science},
   editor={Joe Kilian},
-   pages={566-598},
+   pages={566--598},
   year={2001},
   publisher={Springer},
   isbn={978-3-540-42456-7},
@ -265,6 +275,16 @@ Conference on Computer and Communications Security},
   urldate={2019-01-09}
 }

+@phdthesis{Hisil2010,
+   presort={Hisil2010},
+   author={Hüseyin Hı\cedilla{s}ıl},
+   title={Elliptic Curves, Group Law, and Efficient Computation},
+   year={2010},
+   school={Queensland University of Technology},
+   url={https://eprints.qut.edu.au/33233/},
+   urldate={2021-01-26}
+}
+
@inproceedings{Bernstein2006,
   presort={Bernstein2006},
   author={Daniel Bernstein},
@ -439,7 +459,18 @@ Received March~20, 2012.}
   year={2015},
   doi={10.6028/NIST.FIPS.180-4},
   url={https://csrc.nist.gov/publications/detail/fips/180/4/final},
-   urldate={2018-02-14}
+   urldate={2021-03-08}
+}
+
+@misc{NIST2016,
+   presort={NIST2016},
+   author={NIST},
+   title={{NIST} {SP} 800-38G --- Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption},
+   month={03},
+   year={2016},
+   doi={10.6028/NIST.SP.800-38G},
+   url={https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf},
+   urldate={2021-03-08}
 }

@misc{RIPEMD160,
@ -460,6 +491,115 @@ Received March~20, 2012.}
   urldate={2016-08-14}
 }

+@misc{GKRRS2019,
+   presort={GKRRS2019},
+   author={Lorenzo Grassi and Dmitry Khovratovich and Christian Rechberger and Arnab Roy and Markus Schofnegger},
+   title={Poseidon: A New Hash Function for Zero-Knowledge Proof Systems},
+   url={https://eprint.iacr.org/2019/458},
+   urldate={2021-02-28},
+   howpublished={Cryptology ePrint Archive: Report 2019/458.
+Last updated December~16, 2020.}
+}
+
+@misc{BDPA2007,
+   presort={BDPA2007},
+   author={Guido Bertoni and Joan Daemen and Michaël Peeters and Gilles {Van Assche}},
+   title={Sponge functions},
+   url={https://www.researchgate.net/publication/242285874_Sponge_Functions},
+   urldate={2021-03-01},
+   howpublished={ECRYPT Hash Workshop (May 2007), also available as a public comment to NIST
+as part of the Hash Algorithm Requirements and Evaluation Criteria for the SHA-3 competition.}
+}
+
+@misc{BDPA2011,
+   presort={BDPA2011},
+   author={Guido Bertoni and Joan Daemen and Michaël Peeters and Gilles {Van Assche}},
+   title={Cryptographic sponge functions},
+   url={https://keccak.team/files/CSF-0.1.pdf},
+   urldate={2021-03-01},
+   howpublished={Team Keccak web page, \url{https://keccak.team/sponge\_duplex.html}. Version 0.1, January~14, 2011.}
+}
+
+@misc{ADMA2015,
+   presort={ADMA2015},
+   author={Elena Andreeva and Joan Daemen and Bart Mennink and Gilles {Van Assche}},
+   title={Security of Keyed Sponge Constructions Using a Modular Proof Approach},
+   url={https://keccak.team/files/ModularKeyedSponge.pdf},
+   urldate={2021-03-01},
+   howpublished={Team Keccak web page, \url{https://keccak.team/papers.html}.},
+   addendum={Originally published in \textsl{Fast Software Encryption - Proceeedings of the 22nd International Workshop
+(Istanbul, Turkey, March~8--11, 2015)}, pages 364--384; Springer, 2015. Note that the pre-proceedings version contained
+an oversight in the analysis of the outer-keyed sponge.}
+}
+
+@inproceedings{GPT2015,
+   presort={GPT2015},
+   author={Peter Gazi and Krzysztof Pietrzak and Stefano Tessaro},
+   title={The Exact {PRF} Security of Truncation: {T}ight Bounds for Keyed Sponges and Truncated {CBC}},
+   booktitle={Advances in Cryptology - CRYPTO~2015.
+Proceedings of the 35th Annual International Cryptology Conference
+(Santa Barbara, California, USA, August~16--20, 2015), Part I},
+   volume={9215},
+   series={Lecture Notes in Computer Science},
+   editor={Rosario Gennaro and Matthew Robshaw},
+   pages={368--387},
+   date={2015-08-01},
+   publisher={Springer},
+   isbn={978-3-662-47989-6},
+   doi={10.1007/978-3-662-47989-6\_18},
+   url={https://iacr.org/cryptodb/data/paper.php?pubkey=27279},
+   urldate={2021-03-01}
+}
+
+@misc{GG2015,
+   presort={GG2015},
+   author={Shoni Gilboa and Shay Gueron},
+   title={Distinguishing a truncated random permutation from a random function},
+   url={https://eprint.iacr.org/2015/773},
+   urldate={2021-03-01},
+   howpublished={Cryptology ePrint Archive: Report 2015/773.
+Received August~3, 2015.}
+}
+
+@article{BKR2001,
+   presort={BKR2001},
+   author={Mihir Bellare and Joe Kilian and Phillip Rogaway},
+   title={The Security of the {C}ipher {B}lock {C}haining {M}essage {A}uthentication {C}ode},
+   journal={Journal of Computer and System Sciences},
+   volume={61},
+   number={3},
+   pages={362--399},
+   date={2000-12},
+   publisher={Academic Press},
+   doi={https://doi.org/10.1006/jcss.1999.1694},
+   url={https://cseweb.ucsd.edu/~mihir/papers/cbc.pdf},
+   urldate={2021-03-08},
+   addendum={Updated September~12, 2001.}
+}
+
+@misc{KR2020,
+   presort={KR2020},
+   author={Nathan Keller and Asaf Rosemarin},
+   title={Mind the Middle Layer: {T}he {HADES} Design Strategy Revisited},
+   url={https://eprint.iacr.org/2020/179},
+   urldate={2021-03-01},
+   howpublished={Cryptology ePrint Archive: Report 2020/179.
+Received February~13, 2020.}
+}
+
+@misc{BCD+2020,
+   presort={BCD+2020},
+   author={Tim Beyne and Anne Canteaut and Itai Dinur and Maria Eichlseder and Gregor Leander and Gaëtan Leurent and
+María Naya-Plasencia and Léo Perrin and Yu Sasaki and Yosuke Todo and Friedrich Wiemer},
+   title={Out of Oddity --- New Cryptanalytic Techniques against Symmetric Primitives Optimized for Integrity Proof Systems},
+   url={https://eprint.iacr.org/2020/188},
+   urldate={2021-03-01},
+   howpublished={Cryptology ePrint Archive: Report 2020/188.
+Last revised November~11, 2020.},
+   addendum={Originally published (with major differences) in \textsl{Advances in Cryptology - CRYPTO~2020}, Vol.~12172 pages 299--328;
+Lecture Notes in Computer Science; Springer, 2020.}
+}
+
@misc{AGRRT2017,
   presort={AGRRT2017},
   author={Martin Albrecht and Lorenzo Grassi and Christian Rechberger and
@ -507,6 +647,140 @@ Received May~21, 2016.}
   urldate={2016-09-14}
 }

+@misc{ID-hashtocurve,
+   presort={ID-hashtocurve},
+   author={Armando Faz-Hernández and Sam Scott and Nick Sullivan and Riad Wahby and Christopher Wood},
+   title={Internet {D}raft: {H}ashing to Elliptic Curves, version 10},
+   howpublished={Internet Research Task Force (IRTF) Crypto Forum Research Group (CFRG). Work in progress. Last revised December~22, 2020.},
+   url={https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-10.html},
+   urldate={2021-01-27}
+}
+
+@misc{WB2019,
+   presort={WB2019},
+   author={Riad Wahby and Dan Boneh},
+   title={Fast and simple constant-time hashing to the {BLS12-381} elliptic curve},
+   url={https://eprint.iacr.org/2019/403},
+   urldate={2021-01-27},
+   howpublished={Cryptology ePrint Archive: Report 2018/403. Last revised September~30, 2019.}
+}
+
+@inproceedings{BCIMRT2010,
+   presort={BCIMRT2010},
+   author={Eric Brier and Jean-Sébastien Coron and Thomas Icart and David Madore and Hugues Randriam and Mehdi Tibouchi},
+   title={Efficient Indifferentiable Hashing into Ordinary Elliptic Curves},
+   booktitle={Advances in Cryptology - CRYPTO~2010.
+Proceedings of the 30th Annual International Cryptology Conference
+(Santa Barbara, California, USA, August~15--19, 2010)},
+   volume={6223},
+   series={Lecture Notes in Computer Science},
+   editor={Tal Rabin},
+   pages={237--254},
+   year={2010},
+   publisher={Springer},
+   isbn={978-3-642-14623-7},
+   doi={10.1007/978-3-642-14623-7_13},
+   url={https://www.iacr.org/archive/crypto2010/62230238/62230238.pdf},
+   urldate={2021-01-27}
+}
+
+@inproceedings{SvdW2006,
+   presort={SvdW2006},
+   author={Andrew Shallue and Christiaan E. van de Woestijne},
+   title={Construction of Rational Points on Elliptic Curves over Finite Fields},
+   booktitle={Algorithmic Number Theory: 7th International Symposium, ANTS-VII (Berlin, Germany, July~23--28, 2006)},
+   volume={4076},
+   series={Lecture Notes in Computer Science},
+   editor={F. Hess and S. Pauli and M. Pohst},
+   pages={510--524},
+   year={2006},
+   publisher={Springer},
+   isbn={978-3-540-36076-6},
+   doi={10.1007/11792086_36},
+   url={https://digitalcommons.iwu.edu/math_scholarship/72/},
+   urldate={2021-01-28}
+}
+
+@article{Ulas2007,
+   presort={Ulas2007},
+   author={Maciej Ulas},
+   title={Rational Points on Certain Hyperelliptic Curves over Finite Fields},
+   series={Bulletin of the Polish Academy of Sciences - Mathematics},
+   volume={55},
+   number={2},
+   pages={97--104},
+   year={2007},
+   doi={10.4064/ba55-2-1},
+   url={https://www.impan.pl/shop/publication/transaction/download/product/85475},
+   urldate={2021-01-27}
+}
+
+@article{FFSTV2013,
+   presort={FFSTV2013},
+   author={Reza Farashahi and Pierre-Alain Fouque and Igor Shparlinski and Mehdi Tibouchi and J. Felipe Voloch},
+   title={Indifferentiable deterministic hashing to elliptic and hyperelliptic curves},
+   journal={Mathematics of Computation},
+   volume={82},
+   pages={491--512},
+   year={2013},
+   doi={10.1090/S0025-5718-2012-02606-8},
+   url={https://www.ams.org/journals/mcom/2013-82-281/S0025-5718-2012-02606-8/},
+   urldate={2021-01-27}
+}
+
+@inproceedings{KT2015,
+   presort={KT2015},
+   author={Taechan Kim and Mehdi Tibouchi},
+   title={Improved Elliptic Curve Hashing and Point Representation},
+   booktitle={Proceedings of WCC2015 - 9th International Workshop on Coding and Cryptography (Paris, France, April 2015)},
+   editor={Anne Canteaut and Gaëtan Leurent and Maria Naya-Plasencia},
+   url={https://hal.inria.fr/hal-01275711},
+   urldate={2021-01-28}
+}
+
+@article{BGHOZ2013,
+   presort={BGHOZ2013},
+   author={Gilles Barthe and Benjamin Grégoire and Sylvain Heraud and Frederico Olmedo and Santiago Zanella-Béguelin},
+   title={Verified indifferentiable hashing into elliptic curves},
+   journal={Journal of Computer Security, Security and Trust Principles},
+   volume={21},
+   number={6},
+   pages={881--917},
+   year={2013},
+   url={https://software.imdea.org/~szanella/Zanella.2012.POST.pdf},
+   urldate={2021-01-28}
+}
+
+@misc{MRH2003,
+   presort={MRH2003},
+   author={Ueli Maurer and Renato Renner and Clemens Holenstein},
+   title={Indifferentiability, Impossibility Results on Reductions, and Applications to the {R}andom {O}racle Methodology},
+   url={https://eprint.iacr.org/2003/161},
+   urldate={2021-02-10},
+   date={2003-09},
+   howpublished={Cryptology ePrint Archive: Report 2003/161. Received August~8, 2003.}
+}
+
+@misc{Cook2019,
+   presort={Cook2019},
+   author={John D. Cook},
+   title={What is an isogeny?},
+   howpublished={Blog post.},
+   date={2019-04-21},
+   url={https://www.johndcook.com/blog/2019/04/21/what-is-an-isogeny/},
+   urldate={2021-02-10}
+}
+
+@misc{Sutherland2019,
+   presort={Sutherland2019},
+   author={Andrew Sutherland},
+   title={MIT Open Courseware, Mathematics 18.783 Elliptic Curves, Lecture Notes},
+   howpublished={Massachusetts Institute of Technology. Spring 2019.},
+   date={2019-04-21},
+   url={https://ocw.mit.edu/courses/mathematics/18-783-elliptic-curves-spring-2019/lecture-notes/index.htm},
+   urldate={2021-02-10}
+}
+
@misc{Certicom2010,
   presort={Certicom2010},
   author={Certicom Research},
@ -1005,6 +1279,15 @@ Last revised February~5, 2018.}
   urldate={2020-05-27}
 }

+@misc{ZIP-216,
+   presort={ZIP-0216},
+   author={Jack Grigg and Daira Hopwood},
+   title={Require Canonical Point Encodings},
+   howpublished={Zcash Improvement Proposal 216. Created February~11, 2021.},
+   url={https://zips.z.cash/zip-0216},
+   urldate={2021-02-25}
+}
+
@misc{ZIP-221,
   presort={ZIP-0221},
   author={Jack Grigg},
@ -1027,9 +1310,18 @@ Last revised February~5, 2018.}
   presort={ZIP-0224},
   author={Daira Hopwood and Jack Grigg and Sean Bowe and Kris Nuttycombe and Ying Tong Lai},
   title={Orchard Shielded Protocol},
-   howpublished={Zcash Improvement Proposal 224. Reserved.},
-   url={https://zips.z.cash/zip-0224},
-   urldate={2021-01-10}
+   howpublished={Zcash Improvement Proposal 224. Created February~27, 2021.},
+   url={https://zips.z.cash/zip-0225},
+   urldate={2021-03-21}
+}
+
+@misc{ZIP-225,
+   presort={ZIP-0225},
+   author={Daira Hopwood and Jack Grigg and Sean Bowe and Kris Nuttycombe and Ying Tong Lai},
+   title={Version 5 Transaction Format},
+   howpublished={Zcash Improvement Proposal 225. Created February~28, 2021.},
+   url={https://zips.z.cash/zip-0225},
+   urldate={2021-03-21}
 }

@misc{ZIP-243,
@ -1043,9 +1335,9 @@ Last revised February~5, 2018.}

@misc{ZIP-244,
   presort={ZIP-0244},
-   author={Kris Nuttycombe},
-   title={Transaction Signature Validation for Transparent {Z}cash Extensions},
-   howpublished={Zcash Improvement Proposal 244. Reserved.},
+   author={Kris Nuttycombe and Daira Hopwood},
+   title={Transaction Identifier Non-Malleability},
+   howpublished={Zcash Improvement Proposal 244. Created January~6, 2021.},
   url={https://zips.z.cash/zip-0244},
   urldate={2021-01-10}
 }
@ -1053,8 +1345,8 @@ Last revised February~5, 2018.}
@misc{ZIP-245,
   presort={ZIP-0245},
   author={Daira Hopwood and Kris Nuttycombe},
-   title={Transaction Non-Malleability},
-   howpublished={Zcash Improvement Proposal 245. Reserved.},
+   title={Transaction Identifier Digests & Signature Validation for {T}ransparent {Z}cash {E}xtensions},
+   howpublished={Zcash Improvement Proposal 245. Created January~13, 2021.},
   url={https://zips.z.cash/zip-0245},
   urldate={2021-01-10}
 }
@ -1090,7 +1382,7 @@ Last revised February~5, 2018.}
   presort={ZIP-0302},
   author={Jay Graber and Jack Grigg},
   title={Standardized Memo Field Format},
-   howpublished={Zcash Improvement Proposal 302 (in progress).},
+   howpublished={Zcash Improvement Proposal 302. Reserved.},
   url={https://github.com/zcash/zips/pull/105},
   urldate={2020-02-13}
 }
@ -1514,10 +1806,18 @@ Proceedings of the 19th Annual International Cryptology Conference
 }

@misc{ECCZF2019,
-  presort={ECCZF2019},
-  author={Electric Coin Company and Zcash Foundation},
-  title={Zcash {T}rademark {D}onation and {L}icense {A}greement},
-  date={2019-11-06},
-  url={https://www.zfnd.org/about/contracts/2019_ECC_ZFND_TM_agreement.pdf},
-  urldate={2020-07-05}
+   presort={ECCZF2019},
+   author={Electric Coin Company and Zcash Foundation},
+   title={Zcash {T}rademark {D}onation and {L}icense {A}greement},
+   date={2019-11-06},
+   url={https://www.zfnd.org/about/contracts/2019_ECC_ZFND_TM_agreement.pdf},
+   urldate={2020-07-05}
+}
+
+@misc{Zcash-Orchard,
+   presort={Zcash-Orchard},
+   author={Daira Hopwood and Sean Bowe and Jack Grigg and Kris Nuttycombe and Ying Tong Lai and Steven Smith},
+   title={The {O}rchard Book},
+   url={https://zcash.github.io/orchard/},
+   urldate={2021-03-02}
 }