From bf03ab51fc78aa4b614ee8fc0d05809edd15bc83 Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Sat, 21 Apr 2018 07:20:42 +0100 Subject: [PATCH] Specify KA^Sapling. Signed-off-by: Daira Hopwood --- protocol/protocol.tex | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/protocol/protocol.tex b/protocol/protocol.tex index fb303f45..840e6560 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -5830,13 +5830,24 @@ $\BlakeTwobOf{256}{p, x}$ is defined in \crossref{concreteblake2}. \sapling{ \subsubsubsection{\Sapling \KeyAgreement} \label{concretesaplingkeyagreement} -The \keyAgreementScheme specified in \crossref{abstractkeyagreement} is -instantiated using Diffie-Hellman with cofactor multiplication on $\JubjubCurve$ -as follows. +$\KASapling$ is a \keyAgreementScheme as specified in \crossref{abstractkeyagreement}. -Let $\KASaplingPublic$ and $\KASaplingSharedSecret$ be the type of compressed -$\JubjubCurve$ points $\CompressedEdwardsJubjub$, and let $\KASaplingPrivate$ be -the type of $\JubjubCurve$ secret keys. \todo{expand this} +It is instantiated as Diffie-Hellman with cofactor multiplication on $\JubjubCurve$ +as follows: + +Let $\GroupJ$ and the cofactor $\ParamJ{h}$ be as defined in \crossref{jubjub}. + +Define $\KASaplingPublic := \GroupJ$. + +Define $\KASaplingSharedSecret := \GroupJ$. + +Define $\KASaplingPrivate := \GF{\ParamJ{r}}$. + +Define $\KASaplingFormatPrivate(x) := x$. + +Define $\KASaplingDerivePublic(\sk, B) := \scalarmult{\sk}{B}$. + +Define $\KASaplingAgree(\sk, P) := \scalarmult{\ParamJ{h} \mult \sk}{P}$. } %sapling
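Review bot: In the added line `Define $\KASaplingAgree(\sk, P) := \scalarmult{\ParamJ{h} \mult \sk}{P}$`, the product $\ParamJ{h} \mult \sk$ is ambiguous, because the same hunk types $\sk$ as an element of $\GF{\ParamJ{r}}$. If the product is taken in that field (reduced modulo $\ParamJ{r}$), the resulting scalar is not guaranteed to be a multiple of the cofactor. Since `$\KASaplingPublic := \GroupJ$` admits points outside the prime-order subgroup, a small-order component of $P$ would then not be cleared, which defeats the purpose of the cofactor multiplication. Suggest stating explicitly that the multiplication is over the integers, or writing the definition as two scalar multiplications, first by $\sk$ and then by $\ParamJ{h}$. Two smaller points on the same hunk: `$\KASaplingSharedSecret := \GroupJ$` is wider than what $\KASaplingAgree$ can return once the cofactor is cleared, and the text does not say how an agreement result equal to the identity (which a small-order $P$ produces) is to be treated. The removed text also typed the public key and shared secret as $\CompressedEdwardsJubjub$; the new definitions drop any mention of the encoding, so a cross-reference to where the point encoding is specified would help implementers.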