diff --git a/protocol/orchard.pdf b/protocol/orchard.pdf deleted file mode 100644 index b406ca9e..00000000 Binary files a/protocol/orchard.pdf and /dev/null differ diff --git a/protocol/protocol.tex b/protocol/protocol.tex index f0e7fbb4..9ddd2e31 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -219,10 +219,25 @@ \renewcommand*{\@fnsymbol}[1]{\ensuremath{\ifcase#1\or \dagger\or \ddagger\or \mathsection\or \mathparagraph\else\@ctrerr\fi}} \makeatother +\newcommand{\cedilla}[1]{#1\!\!¸\kern0.088em} + +% biblatex really doesn't want to support Unicode citation labels, but I will not be beaten. +% +\NewDocumentCommand{\citesub}{m}{% + \saveexpandmode\noexpandarg + \def\tempstring{#1}% + \xStrSubstitute{\tempstring}{MAEA2010}{MAEÁ2010}[\tempstring]% + \xStrSubstitute{\tempstring}{Hisil2010}{Hı\cedilla{s}ıl2010}[\tempstring]% + \tempstring + \restoreexpandmode +} +\newcommand*{\xStrSubstitute}{% + \expandafter\StrSubstitute\expandafter +} + % Fix the height of citation link underlines. -% Also, biblatex really doesn't want to support Unicode citation labels, but I will not be beaten. \newcommand{\linkstrut}{\rule[-0.4ex]{0ex}{\fontcharht\font`X}} -\DeclareFieldFormat{labelalpha}{\linkstrut\smash{\StrSubstitute{#1}{MAEA2010}{MAEÁ2010}}} +\DeclareFieldFormat{labelalpha}{\linkstrut\smash{\citesub{#1}}} \DeclareFieldFormat{postnote}{\linkstrut\smash{#1}} \let\oldcite\cite \renewcommand{\cite}[2][]{\raisebox{0ex}{\oldcite[{#1}]{#2}}} 
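Review bot: `\cedilla` uses `\!` in what is presumably text mode (it reaches the page through `\citesub` inside the `labelalpha` field format), and `\!` is a math-only command on LaTeX kernels older than 2020-10-01, so on such a kernel every label hitting the `Hisil2010` substitution stops with "Missing $ inserted"; a text-mode `\hspace{-...}` or a pure `\kern` construction would be kernel-independent if older builds matter. The two `\xStrSubstitute` keys are matched literally and silently fall through when a bibliography key changes, so the invariant deserves a comment above `\citesub`, e.g. `% The search strings must equal the generated labelalpha labels exactly; an unmatched key is left unchanged without warning.` If `\c{s}` was avoided because the label text is sanitised before this format sees it, saying so in the same comment would stop a later maintainer from "simplifying" `\cedilla` back to `\c`.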
@@ -686,6 +701,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\CanopyText}{\textbf{Canopy}}
 \newcommand{\Orchard}{\termbf{Orchard}}
 \newcommand{\OrchardText}{\textbf{Orchard}}
+\newcommand{\SaplingOrOrchard}{\Sapling\orchard{ or \Orchard}}
+\newcommand{\SaplingAndOrchard}{\Sapling\orchard{ and \Orchard}}
+\newcommand{\SaplingAndOrchardText}{\SaplingText\notbeforeorchard{ and \OrchardText}}
 \newcommand{\Bitcoin}{\termbf{Bitcoin}}
 \newcommand{\BitcoinText}{\textbf{Bitcoin}}
 \newcommand{\CryptoNote}{\termbf{CryptoNote}}
@@ -799,6 +817,14 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\outputStatement}{\term{Output statement}}
 \newcommand{\outputStatements}{\terms{Output statement}}
 \newcommand{\outputProof}{\term{Output proof}}
+\newcommand{\actionDescription}{\term{Action description}}
+\newcommand{\actionDescriptions}{\terms{Action description}}
+\newcommand{\action}{\term{Action}}
+\newcommand{\actions}{\terms{Actions}}
+\newcommand{\actionCircuit}{\term{Action circuit}}
+\newcommand{\actionStatement}{\term{Action statement}}
+\newcommand{\actionStatements}{\terms{Action statement}}
+\newcommand{\actionProof}{\term{Action proof}}
 \newcommand{\bindingSignature}{\term{binding signature}}
 \newcommand{\bindingSignatures}{\terms{binding signature}}
 \newcommand{\bindingSignatureScheme}{\term{binding signature scheme}}
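Review bot: `\SaplingAndOrchardText` switches on `\notbeforeorchard` while its siblings `\SaplingOrOrchard` and `\SaplingAndOrchard` switch on `\orchard`, and nothing at the definitions says why the text variant follows a different conditional. I cannot see the two conditionals' definitions in this diff, so if the difference is deliberate a one-line comment would keep the next editor from aligning them, e.g. `% Text variant uses \notbeforeorchard rather than \orchard because <reason>`.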
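Review bot: `\newcommand{\actions}{\terms{Actions}}` in the hunk at 799 hands an already-plural word to `\terms`, whereas every other `\terms` definition in this file passes the singular (`\terms{Action description}`, `\terms{Output statement}`, `\terms{binding signature}`). If `\terms` appends the plural suffix, as those uses and the `\termes{Sinsemilla hash}` variant suggest, this typesets "Actionss" and indexes under a different headword from `\action`. Change it to `\newcommand{\actions}{\terms{Action}}`.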
@@ -831,8 +857,11 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\representedPairing}{\term{represented pairing}}
 \newcommand{\BCTV}{\termsf{BCTV14}}
 \newcommand{\Groth}{\termsf{Groth16}}
+\newcommand{\HaloTwo}{\termsf{Halo2}}
+\newcommand{\PLONK}{\termsf{PLONK}}
 \newcommand{\BCTVText}{\texorpdfstring{$\mathsf{BCTV14}$}{BCTV14}}
 \newcommand{\GrothText}{\texorpdfstring{$\mathsf{Groth16}$}{Groth16}}
+\newcommand{\HaloTwoText}{\texorpdfstring{$\mathsf{Halo2}$}{Halo2}}
 \newcommand{\BNPairing}{\termandindexx{$\mathsf{BN\mhyphen254}$}{BN-254}}
 \newcommand{\BLSPairing}{\termandindexx{$\mathsf{BLS12\mhyphen381}$}{BLS12-381}}
 \newcommand{\BNPairingText}{\texorpdfstring{$\mathsf{BN\mhyphen254}$}{BN-254}}
@@ -840,6 +869,15 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\Jubjub}{\termandindexx{$\mathsf{Jubjub}$}{Jubjub}}
 \newcommand{\jubjubCurve}{\indexlink{Jubjub curve}{Jubjub}{$\mathsf{Jubjub}$}}
 \newcommand{\JubjubText}{\texorpdfstring{$\mathsf{Jubjub}$}{Jubjub}}
+\newcommand{\Pallas}{\termandindexx{$\mathsf{Pallas}$}{Pallas}}
+\newcommand{\pallasCurve}{\indexlink{Pallas curve}{Pallas}{$\mathsf{Pallas}$}}
+\newcommand{\PallasText}{\texorpdfstring{$\mathsf{Pallas}$}{Pallas}}
+\newcommand{\IsoPallas}{\termandindexx{$\mathsf{iso}\kern0.05em\mhyphen\kern-0.05em\mathsf{Pallas}$}{iso-Pallas}}
+\newcommand{\Vesta}{\termandindexx{$\mathsf{Vesta}$}{Vesta}}
+\newcommand{\vestaCurve}{\indexlink{Vesta curve}{Vesta}{$\mathsf{Vesta}$}}
+\newcommand{\VestaText}{\texorpdfstring{$\mathsf{Vesta}$}{Vesta}}
+\newcommand{\IsoVesta}{\termandindexx{$\mathsf{iso}\kern0.05em\mhyphen\kern-0.05em\mathsf{Vesta}$}{iso-Vesta}}
+\newcommand{\PallasAndVestaText}{\texorpdfstring{$\mathsf{Pallas}$ and $\mathsf{Vesta}$}{Pallas and Vesta}}
 \newcommand{\completeTwistedEdwardsEllipticCurve}{\term{complete twisted Edwards elliptic curve}}
 \newcommand{\completeTwistedEdwardsEllipticCurves}{\terms{complete twisted Edwards elliptic curve}}
 \newcommand{\xCtEdwards}{\term{ctEdwards}}
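Review bot: The "iso-" prefix is hand-kerned three different ways across this commit: `\IsoPallas`/`\IsoVesta` here use `\kern0.05em\mhyphen\kern-0.05em`, `\GroupIsoP` in the hunk at 1989 uses `\mhyphen\kern-0.05em`, and `\GroupIsoV` there uses `\mhyphen\kern-0.15em`. If the values were tuned per glyph that is fine but worth a comment; otherwise a single helper such as `\newcommand{\isoprefix}{\mathsf{iso}\kern0.05em\mhyphen\kern-0.05em}` used by all four keeps the spacing in one place.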
@@ -855,6 +893,14 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\MontgomeryCurves}{\termandindex{Montgomery curves}{Montgomery elliptic curve}}
 \newcommand{\affineMontgomery}{\termandindex{affine-Montgomery}{Montgomery affine coordinates}}
 \newcommand{\xAffineMontgomery}{\termandindex{Affine-Montgomery}{Montgomery affine coordinates}}
+\newcommand{\swEllipticCurve}{\term{short Weierstrass elliptic curve}}
+\newcommand{\swEllipticCurves}{\terms{short Weierstrass elliptic curve}}
+\newcommand{\swCurve}{\termandindex{short Weierstrass curve}{short Weierstrass elliptic curve}}
+\newcommand{\swCurves}{\termandindex{short Weierstrass curves}{short Weierstrass elliptic curve}}
+\newcommand{\swCompressedEncoding}{\term{short Weierstrass compressed encoding}}
+\newcommand{\swCompressedEncodings}{\terms{short Weierstrass compressed encoding}}
+\newcommand{\affineSW}{\termandindex{affine-short-Weierstrass}{short Weierstrass affine coordinates}}
+\newcommand{\xAffineSW}{\termandindex{Affine-short-Weierstrass}{short Weierstrass affine coordinates}}
 \newcommand{\uniformRandomString}{\term{Uniform Random String}}
 \newcommand{\uniformRandomStrings}{\terms{Uniform Random String}}
 \newcommand{\provingKey}{\termandindex{proving key}{proving key (for a zk-SNARK)}}
@@ -928,8 +974,10 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\transparentTxValuePool}{\termandindex{transparent transaction value pool}{transaction value pool (transparent)}}
 % There is no Sprout transaction value pool, since JoinSplits are balanced individually.
 \newcommand{\SaplingTxValuePool}{\termandindex{\textbf{Sapling} transaction value pool}{transaction value pool (Sapling)}}
+\newcommand{\OrchardTxValuePool}{\termandindex{\textbf{Orchard} transaction value pool}{transaction value pool (Orchard)}}
 \newcommand{\SproutChainValuePoolBalance}{\termandindex{\textbf{Sprout} chain value pool balance}{chain value pool balance (Sprout)}}
 \newcommand{\SaplingChainValuePoolBalance}{\termandindex{\textbf{Sapling} chain value pool balance}{chain value pool balance (Sapling)}}
+\newcommand{\OrchardChainValuePoolBalance}{\termandindex{\textbf{Orchard} chain value pool balance}{chain value pool balance (Orchard)}}
 \newcommand{\shielded}{\term{shielded}}
 \newcommand{\xShielded}{\termx{shielded}}
 \newcommand{\blockChain}{\term{block chain}}
@@ -996,9 +1044,11 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\notePlaintexts}{\terms{note plaintext}}
 \newcommand{\notePlaintextLeadByte}{\term{note plaintext lead byte}}
 \newcommand{\notePlaintextLeadBytes}{\terms{note plaintext lead byte}}
-\newcommand{\noteCiphertext}{\termandindex{transmitted note ciphertext}{transmitted note ciphertext (Sapling)}}
-\newcommand{\noteCiphertexts}{\termandindex{transmitted note ciphertexts}{transmitted note ciphertext (Sapling)}}
-\newcommand{\notesCiphertext}{\termandindex{transmitted notes ciphertext}{transmitted notes ciphertext (Sprout)}}
+\newcommand{\notesCiphertextSprout}{\termandindex{transmitted notes ciphertext}{transmitted notes ciphertext (Sprout)}}
+\newcommand{\noteCiphertextSapling}{\termandindex{transmitted note ciphertext}{transmitted note ciphertext (Sapling)}}
+\newcommand{\noteCiphertextsSapling}{\termandindex{transmitted note ciphertexts}{transmitted note ciphertext (Sapling)}}
+\newcommand{\noteCiphertextOrchard}{\termandindex{transmitted note ciphertext}{transmitted note ciphertext (Orchard)}}
+\newcommand{\noteCiphertextsOrchard}{\termandindex{transmitted note ciphertexts}{transmitted note ciphertext (Orchard)}}
 \newcommand{\noteOrNotesCiphertext}{\termnoindex{transmitted note(s) ciphertext}}
 \newcommand{\outputCiphertext}{\term{Output ciphertext}}
 \newcommand{\outputCiphertexts}{\terms{Output ciphertext}}
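Review bot: `\noteCiphertext`, `\noteCiphertexts` and `\notesCiphertext` are removed outright rather than aliased, so any use of them in the body that this commit does not also rewrite fails with an undefined control sequence at the first expansion; the same pattern recurs for `\DiversifyHashText` (hunk at 1229), `\InViewingKeyLength` and `\ScalarLength` (hunks at 1247 and 1284), `\AuthSignBase` (1303), `\AuthProvePublic`/`\AuthProvePublicRepr` (1319) and the whole one-argument `\ParamP`/`\GroupP` family (1894). The body of the document is outside this diff, so I cannot confirm every call site was migrated. If a transitional build is wanted while the body catches up, a one-line alias per removed name, e.g. `\newcommand{\noteCiphertext}{\noteCiphertextSapling}`, keeps old call sites compiling and can be deleted once grep finds no users.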
@@ -1069,6 +1119,13 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\windowedPedersenCommitments}{\terms{windowed Pedersen commitment}} \newcommand{\homomorphicPedersenCommitment}{\term{homomorphic Pedersen commitment}} \newcommand{\homomorphicPedersenCommitments}{\terms{homomorphic Pedersen commitment}} +\newcommand{\xSinsemillaHash}{\term{Sinsemilla hash}} +\newcommand{\xSinsemillaHashes}{\termes{Sinsemilla hash}} +\newcommand{\xSinsemillaCommitment}{\term{Sinsemilla commitment}} +\newcommand{\xSinsemillaCommitments}{\terms{Sinsemilla commitment}} +\newcommand{\chunks}{\termandindex{chunks}{chunk (of a Pedersen hash input)}} +\newcommand{\segments}{\termandindex{segments}{segment (of a Pedersen hash input)}} +\newcommand{\pieces}{\termandindex{pieces}{piece (of a Sinsemilla hash input)}} \newcommand{\distinctXCriterion}{\term{distinct-$x$ criterion}} \newcommand{\Nary}{\mbox{$N$-ary}} @@ -1229,8 +1286,12 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\CRHivkText}{\texorpdfstring{$\CRHivk$}{CRHivk}} \newcommand{\CRHivkOutput}{\CRHivk\mathsf{.Output}} \newcommand{\CRHivkBox}[1]{\CRHivk\!\left(\Justthebox{#1}\right)} +\newcommand{\CommitIvk}[1]{\mathsf{Commit}^{\InViewingKey}_{#1}} \newcommand{\DiversifyHash}{\mathsf{DiversifyHash}} -\newcommand{\DiversifyHashText}{\texorpdfstring{$\DiversifyHash$}{DiversifyHash}} +\newcommand{\DiversifyHashSapling}{\DiversifyHash^\mathsf{Sapling}} +\newcommand{\DiversifyHashSaplingText}{\texorpdfstring{$\DiversifyHashSapling$}{DiversifyHashSapling}} +\newcommand{\DiversifyHashOrchard}{\DiversifyHash^\mathsf{Orchard}} +\newcommand{\DiversifyHashOrchardText}{\texorpdfstring{$\DiversifyHashOrchard$}{DiversifyHashOrchard}} \newcommand{\DefaultDiversifier}{\mathsf{DefaultDiversifier}} \newcommand{\CheckDiversifier}{\mathsf{CheckDiversifier}} \newcommand{\NotUpMySleeve}{U} 
@@ -1247,8 +1308,11 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\PaymentAddressLeadByte}{\hexint{16}}
 \newcommand{\PaymentAddressSecondByte}{\hexint{9A}}
 \newcommand{\InViewingKey}{\mathsf{ivk}}
-\newcommand{\InViewingKeyLength}{\ell_{\InViewingKey}}
-\newcommand{\InViewingKeyTypeSapling}{\binaryrange{\InViewingKeyLength}}
+\newcommand{\InViewingKeyRandom}{\mathsf{rivk}}
+\newcommand{\InViewingKeyLengthSapling}{\ell^\mathsf{Sapling}_{\InViewingKey}\!}
+\newcommand{\InViewingKeyTypeSapling}{\binaryrange{\InViewingKeyLengthSapling}}
+\newcommand{\InViewingKeyLengthOrchard}{\ell^\mathsf{Orchard}_{\InViewingKey}\!}
+\newcommand{\InViewingKeyTypeOrchard}{\binaryrange{\InViewingKeyLengthOrchard}}
 \newcommand{\InViewingKeyRepr}{{\InViewingKey\Repr}}
 \newcommand{\InViewingKeyLeadByte}{\hexint{A8}}
 \newcommand{\InViewingKeySecondByte}{\hexint{AB}}
@@ -1284,7 +1348,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\AuthPublicNew}[1]{\mathsf{a^{new}_{pk,\mathnormal{#1}}}}
 \newcommand{\AuthPrivateNew}[1]{\mathsf{a^{new}_{sk,\mathnormal{#1}}}}
 \newcommand{\AddressPublicNew}[1]{\mathsf{addr^{new}_{pk,\mathnormal{#1}}}}
-\newcommand{\ScalarLength}{\ell_{\mathsf{scalar}}}
+\newcommand{\ScalarLengthSapling}{\ell^{\mathsf{Sapling}}_{\mathsf{scalar}}}
+\newcommand{\ScalarLengthOrchard}{\ell^{\mathsf{Orchard}}_{\mathsf{scalar}}}
 \newcommand{\enc}{\mathsf{enc}}
 \newcommand{\DHSecret}[1]{\mathsf{sharedSecret}_{#1}}
 \newcommand{\EphemeralPublic}{\mathsf{epk}}
@@ -1303,13 +1368,14 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\TransmitPrivateSup}[1]{\mathsf{sk}^{#1}_\mathsf{enc}} \newcommand{\TransmitBase}{\mathsf{g}} -% Sapling +% Sapling and Orchard \newcommand{\SpendingKey}{\mathsf{sk}} \newcommand{\SpendingKeyLength}{\mathsf{\ell_{\SpendingKey}}} \newcommand{\SpendingKeyType}{\bitseq{\SpendingKeyLength}} \newcommand{\AuthSignPrivate}{\mathsf{ask}} -\newcommand{\AuthSignBase}{\mathcal{G}} +\newcommand{\AuthSignBaseSapling}{\mathcal{G}^\GroupJ} +\newcommand{\AuthSignBaseOrchard}{\mathcal{G}^\GroupP} \newcommand{\AuthSignPublic}{\mathsf{ak}} \newcommand{\AuthSignPublicRepr}{{\AuthSignPublic\Repr}} \newcommand{\AuthSignRandomizedPublic}{\mathsf{rk}} 
@@ -1319,27 +1385,35 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\AuthSignRandomizerRepr}{{\AuthSignRandomizer\Repr}} \newcommand{\AuthProvePrivate}{\mathsf{nsk}} \newcommand{\AuthProvePrivateRepr}{{\AuthProvePrivate\Repr}} -\newcommand{\AuthProveBase}{\mathcal{H}} -\newcommand{\AuthProvePublic}{\mathsf{nk}} -\newcommand{\AuthProvePublicRepr}{{\AuthProvePublic\Repr}} +\newcommand{\AuthProveBase}{\mathcal{H}^\GroupJ} +\newcommand{\NullifierKey}{\mathsf{nk}} +\newcommand{\NullifierKeyRepr}{{\NullifierKey\Repr}} +\newcommand{\NullifierBaseOrchard}{\mathcal{K}^\GroupP} \newcommand{\OutViewingKey}{\mathsf{ovk}} \newcommand{\OutViewingKeyLength}{\mathsf{\ell_{\OutViewingKey}}} \newcommand{\OutViewingKeyType}{\byteseq{\OutViewingKeyLength/8}} \newcommand{\OutCipherKey}{\mathsf{ock}} \newcommand{\NotePosition}{\mathsf{pos}} \newcommand{\NotePositionRepr}{{\NotePosition\Repr}} -\newcommand{\NotePositionBase}{\mathcal{J}} +\newcommand{\NotePositionBase}{\mathcal{J}^\GroupJ} \newcommand{\NotePositionTypeSprout}{\binaryrange{\MerkleDepthSprout}} \newcommand{\NotePositionTypeSapling}{\binaryrange{\MerkleDepthSapling}} +\newcommand{\NotePositionTypeOrchard}{\binaryrange{\MerkleDepthOrchard}} \newcommand{\Diversifier}{\mathsf{d}} \newcommand{\DiversifierLength}{\mathsf{\ell_{\Diversifier}}} \newcommand{\DiversifierType}{\bitseq{\DiversifierLength}} \newcommand{\DiversifiedTransmitBase}{\mathsf{g_d}} \newcommand{\DiversifiedTransmitBaseRepr}{\mathsf{g\Repr_d}} +\newcommand{\DiversifiedTransmitBaseOld}{\mathsf{g^{old}_d}} +\newcommand{\DiversifiedTransmitBaseOldRepr}{\mathsf{g\Repr^{old}_d}} \newcommand{\DiversifiedTransmitBaseNew}{\mathsf{g^{new}_d}} +\newcommand{\DiversifiedTransmitBaseNewRepr}{\mathsf{g\Repr^{new}_d}} \newcommand{\DiversifiedTransmitPublic}{\mathsf{pk_d}} \newcommand{\DiversifiedTransmitPublicRepr}{\mathsf{pk\Repr_d}} +\newcommand{\DiversifiedTransmitPublicOld}{\mathsf{pk^{old}_d}} 
+\newcommand{\DiversifiedTransmitPublicOldRepr}{\mathsf{pk\Repr^{old}_d}} \newcommand{\DiversifiedTransmitPublicNew}{\mathsf{pk^{new}_d}} +\newcommand{\DiversifiedTransmitPublicNewRepr}{\mathsf{pk\Repr^{new}_d}} \newcommand{\vOldRepr}{\MakeRepr{\mathsf{v}}{\mathsf{old}}} % PRFs @@ -1353,10 +1427,12 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\PRFpk}[1]{\PRF{#1}{pk}} \newcommand{\PRFrho}[1]{\PRF{#1}{\NoteAddressRand}} \newcommand{\PRFnfSapling}[1]{\PRF{#1}{nf\kern-0.01em Sapling}} +\newcommand{\PRFnfOrchard}[1]{\PRF{#1}{nf\kern-0.01em Orchard}} \newcommand{\PRFOutputLengthSprout}{\mathsf{\ell_{PRF\notsprout{Sprout}}}} \newcommand{\PRFOutputSprout}{\bitseq{\PRFOutputLengthSprout}} \newcommand{\PRFOutputLengthNfSapling}{\mathsf{\ell_{PRFnfSapling}}} \newcommand{\PRFOutputNfSapling}{\byteseq{\PRFOutputLengthNfSapling/8}} +\newcommand{\PRFOutputNfOrchard}{\GF{\ParamP{q}}} \newcommand{\PRFOutputLengthExpand}{\mathsf{\ell_{PRFexpand}}} \newcommand{\PRFOutputExpand}{\byteseq{\PRFOutputLengthExpand/8}} \newcommand{\PRFInputExpand}{\byteseqs} @@ -1365,8 +1441,10 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\UncommittedSprout}{\optSprout{\mathsf{Uncommitted}}} \newcommand{\UncommittedSapling}{\mathsf{Uncommitted^{Sapling}}} +\newcommand{\UncommittedOrchard}{\mathsf{Uncommitted^{Orchard}}} \newcommand{\NoteCommitmentSprout}{\optSprout{\mathsf{NoteCommitment}}} \newcommand{\NoteCommitmentSapling}{\mathsf{NoteCommitment^{Sapling}}} +\newcommand{\NoteCommitmentOrchard}{\mathsf{NoteCommitment^{Orchard}}} \newcommand{\CommitAlg}{\mathsf{COMM}} \newcommand{\Commit}[1]{\CommitAlg_{#1}} 
@@ -1387,6 +1465,13 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\NoteCommitSaplingGenTrapdoor}{\NoteCommitSaplingAlg\mathsf{.GenTrapdoor}} \newcommand{\NoteCommitSaplingInput}{\NoteCommitSaplingAlg\mathsf{.Input}} \newcommand{\NoteCommitSaplingOutput}{\NoteCommitSaplingAlg\mathsf{.Output}} +\newcommand{\NoteCommitOrchardAlg}{\mathsf{NoteCommit}^{\mathsf{Orchard}}} +\newcommand{\NoteCommitOrchard}[1]{\NoteCommitOrchardAlg_{\vphantom{l}#1}} +\newcommand{\NoteCommitOrchardTrapdoor}{\NoteCommitOrchardAlg\mathsf{.Trapdoor}} +\newcommand{\NoteCommitOrchardTrapdoorBytes}{\byteseq{32}} +\newcommand{\NoteCommitOrchardGenTrapdoor}{\NoteCommitOrchardAlg\mathsf{.GenTrapdoor}} +\newcommand{\NoteCommitOrchardInput}{\NoteCommitOrchardAlg\mathsf{.Input}} +\newcommand{\NoteCommitOrchardOutput}{\NoteCommitOrchardAlg\mathsf{.Output}} \newcommand{\ValueCommitAlg}{\mathsf{ValueCommit}} \newcommand{\ValueCommit}[1]{\ValueCommitAlg_{#1}} \newcommand{\ValueCommitTrapdoor}{\ValueCommitAlg\mathsf{.Trapdoor}} @@ -1453,11 +1538,19 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\KASaplingDerivePublic}{\KASapling\mathsf{.DerivePublic}} \newcommand{\KASaplingAgree}{\KASapling\mathsf{.Agree}} +\newcommand{\KAOrchard}{\mathsf{KA^{Orchard}}} +\newcommand{\KAOrchardPublic}{\KAOrchard\mathsf{.Public}} +\newcommand{\KAOrchardPrivate}{\KAOrchard\mathsf{.Private}} +\newcommand{\KAOrchardSharedSecret}{\KAOrchard\mathsf{.SharedSecret}} +\newcommand{\KAOrchardDerivePublic}{\KAOrchard\mathsf{.DerivePublic}} +\newcommand{\KAOrchardAgree}{\KAOrchard\mathsf{.Agree}} + % KDF \newcommand{\KDF}{\mathsf{KDF}} \newcommand{\KDFSprout}{\optSprout{\KDF}} \newcommand{\KDFSapling}{\mathsf{KDF^{Sapling}}} +\newcommand{\KDFOrchard}{\mathsf{KDF^{Orchard}}} \newcommand{\kdftag}{\mathsf{kdftag}} \newcommand{\kdfinput}{\mathsf{kdfinput}} 
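Review bot: `\NoteCommitOrchardTrapdoorBytes` hard-codes `\byteseq{32}` while every other width in these hunks goes through a named constant (`\OutViewingKeyType` is `\byteseq{\OutViewingKeyLength/8}`, `\PRFOutputNfSapling` is `\byteseq{\PRFOutputLengthNfSapling/8}`), so a reader cannot tell whether 32 is tied to the Orchard scalar size or is an independent choice, and a change to one will not propagate to the other. Either derive it from the relevant length macro if that relationship is the intended one, or annotate the literal, e.g. `% 32 bytes: <state the constraint this encodes>`. The Sapling analogue `\NoteCommitSaplingTrapdoor` has no `Bytes` counterpart in this diff, so I cannot compare against an existing convention.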
@@ -1477,6 +1570,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\NoteTuple}[1]{\mathbf{n}_{#1}} \newcommand{\NoteTypeSprout}{\optSprout{\mathsf{Note}}} \newcommand{\NoteTypeSapling}{\mathsf{Note^{Sapling}}} +\newcommand{\NoteTypeOrchard}{\mathsf{Note^{Orchard}}} \newcommand{\NotePlaintext}[1]{\mathbf{np}_{#1}} \newcommand{\OutPlaintext}{\mathbf{op}} \newcommand{\NoteSeedBytes}{\mathsf{rseed}} @@ -1499,8 +1593,10 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\cv}{\mathsf{cv}} \newcommand{\cvOld}[1]{\cv^\mathsf{old}_{#1}} \newcommand{\cvNew}[1]{\cv^\mathsf{new}_{#1}} +\newcommand{\cvBalance}[1]{\cv^\mathsf{balance}_{#1}} \newcommand{\cm}{\mathsf{cm}} \newcommand{\cmU}{\cm_{\kern -0.06em u}} +\newcommand{\cmX}{\cm_{\kern -0.06em x}} \newcommand{\cmOld}[1]{\cm^\mathsf{old}_{#1}} \newcommand{\cmNew}[1]{\cm^\mathsf{new}_{#1}} \newcommand{\snOld}[1]{\mathsf{sn}^\mathsf{old}_{#1}} @@ -1512,6 +1608,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\MemoType}{\byteseq{\MemoByteLength}} \newcommand{\DecryptNoteSprout}{\mathtt{DecryptNote\notsprout{Sprout}}} \newcommand{\DecryptNoteSapling}{\mathtt{DecryptNoteSapling}} +\newcommand{\DecryptNoteOrchard}{\mathtt{DecryptNoteOrchard}} \newcommand{\ReplacementCharacter}{\textsf{U+FFFD}} % Money supply 
@@ -1726,21 +1823,26 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\MerkleDepth}{\mathsf{MerkleDepth}} \newcommand{\MerkleDepthSprout}{\optSprout{\MerkleDepth}} \newcommand{\MerkleDepthSapling}{\MerkleDepth^\mathsf{Sapling}} +\newcommand{\MerkleDepthOrchard}{\MerkleDepth^\mathsf{Orchard}} \newcommand{\MerkleDepthSproutOrSapling}{\MerkleDepth^\mathsf{Sprout\sapling{,Sapling}}} \newcommand{\MerkleNode}[2]{\mathsf{M}^{#1}_{#2}} \newcommand{\MerkleSibling}{\mathsf{sibling}} \newcommand{\MerkleCRH}{\mathsf{MerkleCRH}} \newcommand{\MerkleCRHSprout}{\optSprout{\MerkleCRH}} \newcommand{\MerkleCRHSapling}{\MerkleCRH^\mathsf{Sapling}} +\newcommand{\MerkleCRHOrchard}{\MerkleCRH^\mathsf{Orchard}} \newcommand{\MerkleHashLength}{\mathsf{\ell_{Merkle}}} \newcommand{\MerkleHashLengthSprout}{\mathsf{\ell_{\sprout{Merkle}\notsprout{MerkleSprout}}}} \newcommand{\MerkleHashLengthSapling}{\mathsf{\ell_{MerkleSapling}}} +\newcommand{\MerkleHashLengthOrchard}{\mathsf{\ell_{MerkleOrchard}}} \newcommand{\MerkleHash}{\bitseq{\MerkleHashLength}} \newcommand{\MerkleHashSprout}{\bitseq{\MerkleHashLengthSprout}} \newcommand{\MerkleHashSapling}{\bitseq{\MerkleHashLengthSapling}} +\newcommand{\MerkleHashOrchard}{\bitseq{\MerkleHashLengthOrchard}} \newcommand{\MerkleLayer}{\range{0}{\MerkleDepth-1}} \newcommand{\MerkleLayerSprout}{\range{0}{\MerkleDepthSprout-1}} \newcommand{\MerkleLayerSapling}{\range{0}{\MerkleDepthSapling-1}} +\newcommand{\MerkleLayerOrchard}{\range{0}{\MerkleDepthOrchard-1}} % Transactions 
@@ -1850,10 +1952,15 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\OutputVerify}{\Output\mathsf{.Verify}}
 \newcommand{\OutputProve}{\Output\mathsf{.Prove}}
 \newcommand{\OutputProof}{\Output\mathsf{.Proof}}
+\newcommand{\Action}{\mathsf{ZKAction}}
+\newcommand{\ActionVerify}{\Action\mathsf{.Verify}}
+\newcommand{\ActionProve}{\Action\mathsf{.Prove}}
+\newcommand{\ActionProof}{\Action\mathsf{.Proof}}
 \newcommand{\Proof}[1]{\pi_{\!{#1}}}
 \newcommand{\ProofJoinSplit}{\pi_\JoinSplit}
 \newcommand{\ProofSpend}{\pi_\Spend}
 \newcommand{\ProofOutput}{\pi_\Output}
+\newcommand{\ProofAction}{\pi_\Action}
 \newcommand{\zkproof}{\mathtt{zkproof}}
 \newcommand{\POUR}{\texttt{POUR}}
 \newcommand{\Prob}[2]{\mathrm{Pr}\scalebox{0.88}{\ensuremath{
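Review bot: `\Action` expands to `\mathsf{ZKAction}` rather than `\mathsf{Action}`, so `\ProofAction` and `\ActionVerify` will render with a `ZK` prefix that `\ProofSpend`/`\ProofOutput` and `\OutputVerify` do not carry; the definitions of `\Spend` and `\Output` are outside this diff, so I cannot check whether they also embed a prefix. If the prefix is deliberate (for instance to distinguish the statement from the Action description term `\action`, or to avoid an existing `\mathsf{Action}`), a comment on the definition such as `% "ZKAction" rather than "Action" to <reason>` would stop it being "normalised" later.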
@@ -1894,27 +2001,30 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\Generator}{\mathcal{P}} \newcommand{\Selectu}{\scalebox{1.53}{$u$}} \newcommand{\Selectv}{\scalebox{1.53}{$\varv$}} +\newcommand{\Selectx}{\scalebox{1.53}{$x$}} \newcommand{\subgroupr}{(\kern-0.075emr\kern-0.075em)} \newcommand{\Extract}{\mathsf{Extract}} \newcommand{\GroupHash}{\mathsf{GroupHash}} \newcommand{\FindGroupHash}{\mathsf{FindGroupHash}} \newcommand{\Accum}[1]{\mathsf{Accum}_{#1}} -\newcommand{\ParamP}[1]{{{#1}_\mathbb{P}}} -\newcommand{\ParamPexp}[2]{{{#1}_\mathbb{P}\!}^{#2}} -\newcommand{\GroupP}[1]{\mathbb{P}_{#1}} -\newcommand{\GroupPstar}[1]{\GroupP{#1}^{\ast}} -\newcommand{\SubgroupP}[1]{\GroupP{#1}^{\subgroupr}} -\newcommand{\SubgroupPstar}[1]{\GroupP{#1}^{\subgroupr\ast}} -\newcommand{\SubgroupReprP}{\MakeRepr{\GroupP{}}{\subgroupr}} -\newcommand{\CurveP}[1]{\Curve_{\GroupP{#1}}} -\newcommand{\ZeroP}[1]{\Zero_{\GroupP{#1}}} -\newcommand{\OneP}{\ParamP{\mathbf{1}}} -\newcommand{\GenP}[1]{\Generator_{\GroupP{#1}}} -\newcommand{\ellP}[1]{\ell_{\GroupP{#1}}} -\newcommand{\reprP}[1]{\repr_{\GroupP{#1}}} -\newcommand{\abstP}[1]{\abst_{\GroupP{#1}}} -\newcommand{\PairingP}{\ParamP{\hat{e}}} +\newcommand{\bbPair}{\mbox{$\mathbb{P}\kern -0.1em\overlap{0.0001em}{\scalebox{0.7}{$\mathbb{AIR}$}}$}} +\newcommand{\sbbPair}{\scalebox{0.7}{\bbPair}} +\newcommand{\ParamPair}[1]{{{#1}_{\sbbPair}}} +\newcommand{\ParamPairexp}[2]{{{#1}_{\sbbPair\!}}^{#2}} +\newcommand{\GroupPair}[1]{\bbPair_{#1}} +\newcommand{\GroupPairstar}[1]{\GroupPair{#1}^{\ast}} +\newcommand{\SubgroupPair}[1]{\GroupPair{#1}^{\subgroupr}} +\newcommand{\SubgroupPairstar}[1]{\GroupPair{#1}^{\subgroupr\ast}} +\newcommand{\SubgroupReprPair}{\MakeRepr{\GroupPair{}}{\subgroupr}} +\newcommand{\CurvePair}[1]{\Curve_{\GroupPair{#1}}} +\newcommand{\ZeroPair}[1]{\Zero_{\GroupPair{#1}}} +\newcommand{\OnePair}{\ParamPair{\mathbf{1}}} +\newcommand{\GenPair}[1]{\Generator_{\GroupPair{#1}}} 
+\newcommand{\ellPair}[1]{\ell_{\GroupPair{#1}}} +\newcommand{\reprPair}[1]{\repr_{\GroupPair{#1}}} +\newcommand{\abstPair}[1]{\abst_{\GroupPair{#1}}} +\newcommand{\PairingPair}{\ParamPair{\hat{e}}} \newcommand{\ParamG}[1]{{{#1}_\mathbb{G}}} \newcommand{\ParamGexp}[2]{{{#1}_\mathbb{G}\!}^{#2}} 
@@ -1989,9 +2099,63 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\ParamM}[1]{{{#1}_\mathbb{\hskip 0.03em M}}} \newcommand{\ParamMexp}[2]{{{#1}_\mathbb{\hskip 0.03em M}\!}^{#2}} +\newcommand{\ParamP}[1]{{{#1}_\mathbb{\hskip 0.01em P}}} +\newcommand{\ParamPexp}[2]{{{#1}_\mathbb{\hskip 0.01em P}\!}^{#2}} +\newcommand{\GroupP}{\mathbb{P}} +\newcommand{\GroupPstar}{\GroupP^{\ast}} +\newcommand{\CurveP}{\Curve_{\GroupP}} +\newcommand{\ZeroP}{\Zero_{\GroupP}} +\newcommand{\ellP}{\ell_{\GroupP}} +\newcommand{\ReprPstar}{\bitseq{\ellP}} +\newcommand{\ReprPstarBytes}{\byteseq{\ellP/8}} +\newcommand{\reprPstar}{\repr_{\GroupPstar}} +\newcommand{\abstPstar}{\abst_{\GroupPstar}} +\newcommand{\SignedScalarLimitP}{\frac{\ParamP{r}-1}{2}} + +\newcommand{\ParamIsoP}[1]{{{#1}_{\GroupIsoP}}} +\newcommand{\ParamIsoPexp}[2]{{{#1}_{\GroupIsoP\!}^{#2}}} +\newcommand{\GroupIsoP}{\mathsf{iso}\mhyphen\kern-0.05em\mathbb{P}} +\newcommand{\GroupIsoPstar}{\GroupIsoP^{\ast}} +\newcommand{\CurveIsoP}{\Curve_{\GroupIsoP}} +\newcommand{\ZeroIsoP}{\Zero_{\GroupIsoP}} +\newcommand{\IsoMapP}{\mathsf{iso\_map}^{\GroupP}} +\newcommand{\IsoConstP}[1]{\mathcal{C}^{\GroupP}_{#1}} + +\newcommand{\ExtractP}{\Extract_{\GroupP}} +\newcommand{\GroupPHash}{\GroupHash^{\GroupPstar}} +\newcommand{\GroupPHashInput}{\GroupPHash{}\mathsf{.Input}} +\newcommand{\GroupPHashURSType}{\GroupPHash{}\mathsf{.URSType}} + +\newcommand{\ParamV}[1]{{{#1}_\mathbb{\hskip 0.01em V}}} +\newcommand{\ParamVexp}[2]{{{#1}_\mathbb{\hskip 0.01em V}\!}^{#2}} +\newcommand{\GroupV}{\mathbb{V}} +\newcommand{\GroupVstar}{\GroupV^{\ast}} +\newcommand{\CurveV}{\Curve_{\GroupV}} +\newcommand{\ZeroV}{\Zero_{\GroupV}} +\newcommand{\ellV}{\ell_{\GroupV}} +\newcommand{\ReprVstar}{\bitseq{\ellV}} +\newcommand{\ReprVstarBytes}{\byteseq{\ellV/8}} +\newcommand{\reprVstar}{\repr_{\GroupVstar}} +\newcommand{\abstVstar}{\abst_{\GroupVstar}} +\newcommand{\SignedScalarLimitV}{\frac{\ParamV{r}-1}{2}} + 
+\newcommand{\ParamIsoV}[1]{{{#1}_{\GroupIsoV}}} +\newcommand{\ParamIsoVexp}[2]{{{#1}_{\GroupIsoV\!}^{#2}}} +\newcommand{\GroupIsoV}{\mathsf{iso}\mhyphen\kern-0.15em\mathbb{V}} +\newcommand{\GroupIsoVstar}{\GroupIsoV^{\ast}} +\newcommand{\CurveIsoV}{\Curve_{\GroupIsoV}} +\newcommand{\ZeroIsoV}{\Zero_{\GroupIsoV}} +\newcommand{\IsoMapV}{\mathsf{iso\_map}^{\GroupV}} +\newcommand{\IsoConstV}[1]{\mathcal{C}^{\GroupV}_{#1}} + +\newcommand{\ExtractV}{\Extract_{\GroupVstar}} +\newcommand{\GroupVHash}[1]{\GroupHash^{\GroupVstar}_{#1}} +\newcommand{\GroupVHashInput}{\GroupVHash{}\mathsf{.Input}} + \newcommand{\ctEdwards}[1]{E_{\kern 0.03em\mathsf{ctEdwards}({#1})}} \newcommand{\Edwards}[1]{E_{\kern 0.03em\mathsf{Edwards}({#1})}} % only in history \newcommand{\Montgomery}[1]{E_{\mathsf{Mont}({#1})}} +\newcommand{\ShortWeierstrass}[1]{E_{\mathsf{SW}({#1})}} \newcommand{\pack}{\mathsf{pack}} @@ -2029,7 +2193,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\LEOStoBSP}[1]{\mathsf{LEOS2BSP}_{#1}} \newcommand{\LEOStoBSPOf}[2]{\LEOStoBSP{#1}\!\left({#2}\right)} -% Sapling circuits +% Sapling and Orchard circuits \newcommand{\DecompressValidate}{\mathsf{DecompressValidate}} \newcommand{\MontToCtEdwards}{\mathsf{MontToCtEdwards}} @@ -2037,6 +2201,10 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\AffineCtEdwardsJubjub}{\mathsf{AffineCtEdwardsJubjub}} \newcommand{\AffineMontJubjub}{\mathsf{AffineMontJubjub}} \newcommand{\CompressedCtEdwardsJubjub}{\mathsf{CompressedCtEdwardsJubjub}} +\newcommand{\AffineSWPallas}{\mathsf{AffineSWPallas}} +\newcommand{\CompressedSWPallas}{\mathsf{CompressedSWPallas}} +\newcommand{\AffineSWVesta}{\mathsf{AffineSWVesta}} +\newcommand{\CompressedSWVesta}{\mathsf{CompressedSWVesta}} \newcommand{\PedersenHash}{\mathsf{PedersenHash}} \newcommand{\PedersenGenAlg}{\mathcal{I}} \newcommand{\PedersenGen}[2]{\PedersenGenAlg^{\kern -0.05em{#1}}_{\kern 0.1em {#2}}} 
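Review bot: `\GroupP`, `\CurveP`, `\ZeroP` and `\ellP` are re-introduced here as zero-argument macros after the hunk at 1894 removed their one-argument forms (`\GroupP[1]{\mathbb{P}_{#1}}` and friends, now renamed to `\GroupPair` etc.). LaTeX checks no arity at the call site, so a surviving `\GroupP{x}` or `\CurveP{x}` from the old convention does not fail the build — it typesets `\mathbb{P}` followed by `x` as an ordinary factor — which makes stale call sites invisible to a compile and only findable by reading. A comment above the new block would make the interface change visible where it happens, e.g. `% \GroupP, \CurveP, \ZeroP and \ellP no longer take an argument; the indexed forms are now \GroupPair{...} etc.` Separately, `\ExtractP` is `\Extract_{\GroupP}` while the parallel `\ExtractV` is `\Extract_{\GroupVstar}`; if that asymmetry is intended, a word on it next to the definitions would help.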
@@ -2052,6 +2220,12 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\Digits}{\mathsf{Digits}} \newcommand{\PedersenRangeOffset}{\mathsf{\Delta}} \newcommand{\Sign}{\mathsf{\Theta}} +\newcommand{\SinsemillaHash}{\mathsf{SinsemillaHash}} +\newcommand{\SinsemillaGenInit}{\mathcal{Q}} +\newcommand{\SinsemillaGenBase}{\mathcal{S}} +\newcommand{\SinsemillaHashToPoint}{\mathsf{SinsemillaHashToPoint}} +\newcommand{\SinsemillaCommitAlg}{\mathsf{SinsemillaCommit}} +\newcommand{\SinsemillaCommit}[1]{\SinsemillaCommitAlg_{#1}} % Consensus rules @@ -2267,10 +2441,10 @@ This specification is structured as follows: \item Differences from the \Zerocash protocol — a summary of changes from the protocol in \cite{BCGGMTV2014}. \notsprout{ - \item Appendix: Circuit Design — details of how the \Sapling circuit is defined -as a \quadraticConstraintProgram. + \item Appendix: Circuit Design — details of how the \Sapling\orchard{ and \Orchard} + circuits are defined as \quadraticConstraintPrograms. \item Appendix: Batching Optimizations — improvements to the efficiency of -validating multiple signatures and verifying multiple proofs. + validating multiple signatures and verifying multiple proofs. } \end{itemize} 
@@ -2296,9 +2470,9 @@ please file an issue at \url{https://github.com/zcash/zips/issues} or contact The following overview is intended to give a concise summary of the ideas behind the protocol, for an audience already familiar with \blockChain-based cryptocurrencies such as \Bitcoin. It is imprecise in some aspects and is not -part of the normative protocol specification. \notsprout{This overview applies -to both \Sprout and \Sapling, differences in the cryptographic constructions -used notwithstanding.} +part of the normative protocol specification. \notsprout{This overview applies to +\notorchard{both \Sprout and \Sapling}\notbeforeorchard{\Sprout, \Sapling, and \Orchard}, +differences in the cryptographic constructions used notwithstanding.} \introsection Value in \Zcash is either \defining{\transparent or \shielded}. Transfers of \transparent @@ -2318,7 +2492,7 @@ To each \note there is cryptographically associated a \noteCommitment. Once the \transaction creating a \note has been mined, the \note is associated with a fixed \notePosition in a tree of \noteCommitments, and with a \nullifier\footnoteref{notesandnullifiers} unique to that \note. Computing the \nullifier requires the associated private -\spendingKey\sapling{ (or the \nullifierDerivingKey for \Sapling{} \notes)}. +\spendingKey\sapling{ (or the \nullifierDerivingKey for \SaplingOrOrchard{} \notes)}. It is infeasible to correlate the \noteCommitment or \notePosition with the corresponding \nullifier without knowledge of at least this \sprout{\spendingKey}\notsprout{key}. An unspent valid \note, at a given point 
@@ -2342,7 +2516,8 @@ Together these describe \defining{\shieldedTransfers} which take in \defining{\s and/or produce \defining{\shieldedOutput} \notes. (For \Sprout, each \joinSplitDescription handles up to two \shieldedInputs and up to two \shieldedOutputs. For \Sapling, each \shieldedInput or \shieldedOutput -has its own description.) +has its own description.\notbeforeorchard{ For \Orchard, each \actionDescription +handles up to one \shieldedInput and up to one \shieldedOutput.}) It is also possible for value to be transferred between the \transparent and \shielded domains. } @@ -2391,11 +2566,11 @@ and for each \shieldedOutput, \end{itemize} For \Sprout, the \joinSplitStatement also includes an explicit balance check. -For \Sapling, the \valueCommitments corresponding to the inputs and outputs are -checked to balance (together with any net \transparent input or output) +For \SaplingAndOrchard, the \valueCommitments corresponding to the inputs and +outputs are checked to balance (together with any net \transparent input or output) outside the \zkSNARK. -In addition, various measures (differing between \Sprout and \Sapling) are +In addition, various measures (differing between \Sprout and \SaplingOrOrchard) are used to ensure that the \transaction cannot be modified by a party not authorized to do so. } %notsprout 
@@ -2414,9 +2589,10 @@ intended recipient, who can use the \receivingKey to scan the \blockChain for \notes addressed to them and then decrypt those \notes. \sapling{ -In \Sapling, for each \spendingKey there is a \fullViewingKey that allows +In \SaplingAndOrchard, for each \spendingKey there is a \fullViewingKey that allows recognizing both incoming and outgoing \notes without having spend authority. -This is implemented by an additional ciphertext in each \outputDescription. +This is implemented by an additional ciphertext in each +\outputDescription\orchard{ or \actionDescription}. } The basis of the privacy properties of \Zcash is that when a \note is spent, 
@@ -2645,12 +2821,13 @@ decryption or validity check. The following integer constants will be instantiated in \crossref{constants}: \begin{formulae} \item \begin{flushleft} - $\MerkleDepthSprout$,\sapling{ $\MerkleDepthSapling$,} $\NOld$, $\NNew$, - $\ValueLength$, $\MerkleHashLengthSprout$,\sapling{ $\MerkleHashLengthSapling$,} + $\MerkleDepthSprout$,\sapling{ $\MerkleDepthSapling$,}\orchard{ $\MerkleDepthOrchard$,} $\NOld$, $\NNew$, + $\ValueLength$, $\MerkleHashLengthSprout$,\sapling{ $\MerkleHashLengthSapling$,}\orchard{ $\MerkleHashLengthOrchard$,} $\hSigLength$, $\PRFOutputLengthSprout$,\sapling{ $\PRFOutputLengthExpand$, $\PRFOutputLengthNfSapling$,} $\NoteCommitRandLength$, \changed{$\RandomSeedLength$,} $\AuthPrivateLength$, \changed{$\NoteAddressPreRandLength$,}\sapling{ $\SpendingKeyLength$, $\DiversifierLength$, - $\InViewingKeyLength$, $\OutViewingKeyLength$, $\ScalarLength$,} + $\InViewingKeyLengthSapling$,\orchard{ $\InViewingKeyLengthOrchard$,} $\OutViewingKeyLength$, + $\ScalarLengthSapling$,\orchard{ $\ScalarLengthOrchard$,}} $\MAXMONEY$,\blossom{ $\BlossomActivationHeight$,}\canopy{ $\CanopyActivationHeight$, $\ZIPTwoOneTwoGracePeriod$} $\SlowStartInterval$, $\PreBlossomHalvingInterval$, $\MaxBlockSubsidy$, $\NumFounderAddresses$, $\PoWLimit$, $\PoWAveragingWindow$, $\PoWMedianBlockSpan$, $\PoWDampingFactor$, 
@@ -2659,9 +2836,10 @@ The following integer constants will be instantiated in \crossref{constants}: \end{formulae} \sprout{The bit sequence constant $\UncommittedSprout \typecolon \bitseq{\MerkleHashLengthSprout}$,} -\notsprout{The bit sequence constants $\UncommittedSprout \typecolon \bitseq{\MerkleHashLengthSprout}$ -\sapling{and $\UncommittedSapling \typecolon \bitseq{\MerkleHashLengthSapling}$},} -and rational constants $\FoundersFraction$, $\PoWMaxAdjustDown$, and +\notsprout{The bit sequence constants $\UncommittedSprout \typecolon \bitseq{\MerkleHashLengthSprout}$, +\sapling{$\UncommittedSapling \typecolon \bitseq{\MerkleHashLengthSapling}$,} +\orchard{and $\UncommittedOrchard \typecolon$ $\bitseq{\MerkleHashLengthOrchard}$,} +and the rational constants $\FoundersFraction$, $\PoWMaxAdjustDown$, and $\PoWMaxAdjustUp$ will also be defined in that section. \notsprout{ @@ -2680,7 +2858,7 @@ Users who wish to receive payments in the \Zcash protocol must have a \introlist The following diagram depicts the relations between key -components\notsprout{ in \Sprout}\sapling{ and \Sapling}. +components\notsprout{ in \Sprout}\sapling{ and \Sapling}\orchard{ and \Orchard}. Arrows point from a component to any other component(s) that can be derived from it. Double lines indicate that the same component is used in multiple abstractions. 
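Review bot: The new Orchard constant is written as two separate math spans, `$\UncommittedOrchard \typecolon$ $\bitseq{\MerkleHashLengthOrchard}$`, so the gap after `\typecolon` is set as an ordinary interword space rather than math spacing; keeping it in one span, `$\UncommittedOrchard \typecolon \bitseq{\MerkleHashLengthOrchard}$`, matches the Sprout and Sapling entries on the preceding lines. With both `\sapling` and `\orchard` active the sentence also reads "..., and $\UncommittedOrchard ...$, and the rational constants ...", a doubled "and" that the previous wording avoided by putting the conjunction only before the last list item.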
@@ -2701,7 +2879,7 @@ $\PaymentAddress = (\AuthPublic, \TransmitPublic)$ are derived from the \defining{An \expandedSpendingKey is composed of a \authSigningKey $\AuthSignPrivate$, a \authNullifierKey $\AuthProvePrivate$, and an \outgoingViewingKey $\OutViewingKey$. From these components we can derive an \authProvingKey $(\AuthSignPublic, \AuthProvePrivate)$, -a \fullViewingKey $(\AuthSignPublic, \AuthProvePublic, \OutViewingKey)$, +a \fullViewingKey $(\AuthSignPublic, \NullifierKey, \OutViewingKey)$, an \incomingViewingKey $\InViewingKey$, and a set of \diversifiedPaymentAddresses $\DiversifiedPaymentAddress = (\Diversifier, \DiversifiedTransmitPublic)$, as described in \crossref{saplingkeycomponents}. @@ -2719,7 +2897,7 @@ Two methods of doing so are defined: } %saplingonward \vspace{-2ex} -\nnote{In \zcashd, all \Sapling keys and addresses are derived according to \cite{ZIP-32}.} +\nnote{In \zcashd, all \SaplingAndOrchard{} keys and addresses are derived according to \cite{ZIP-32}.} } %saplingonward \vspace{2ex} @@ -2739,11 +2917,12 @@ case that a payee wishes to prevent this they should create a distinct \paymentAddress for each payer. \saplingonward{ -\Sapling provides a mechanism to allow the efficient creation of -\diversifiedPaymentAddresses with the same spending authority. A group of -such addresses shares the same \fullViewingKey and \incomingViewingKey, and -so creating as many unlinkable addresses as needed does not increase the cost -of scanning the \blockChain for relevant \transactions. +\notorchard{\Sapling provides}\notbeforeorchard{\Sapling and \Orchard provide} +a mechanism to allow the efficient creation of \diversifiedPaymentAddresses +with the same spending authority. A group of such addresses shares the same +\fullViewingKey and \incomingViewingKey, and so creating as many unlinkable +addresses as needed does not increase the cost of scanning the \blockChain for +relevant \transactions. } %saplingonward \vspace{-1ex} 
@@ -2773,8 +2952,8 @@ to $\AuthPublic$, as described in the previous section. } %sprout \notsprout{ A \defining{\note} (denoted $\NoteTuple{}$) can be a \Sprout{} \note\sapling{ or a -\Sapling{} \note}. In either case it represents that a value $\Value$ is -spendable by the recipient who holds the \spendingKey corresponding +\Sapling{} \note}\orchard{ or an \Orchard{} \note}. In each case it represents that +a value $\Value$ is spendable by the recipient who holds the \spendingKey corresponding to a given \paymentAddress. } %notsprout @@ -2790,6 +2969,12 @@ Let $\NoteCommitSaplingAlg$ be as defined in \crossref{concretesaplingnotecommit Let $\KASapling$ be as defined in \crossref{concretesaplingkeyagreement}. } %sapling +\orchard{ +Let $\NoteCommitOrchardAlg$ be as defined in \crossref{concreteorchardnotecommit}. + +Let $\KAOrchard$ be as defined in \crossref{concreteorchardkeyagreement}. +} %orchard + \vspace{2ex} \introlist A \SproutOrNothing{} \note is a tuple $\changed{(\AuthPublic, 
@@ -2838,6 +3023,31 @@ Let $\NoteTypeSapling$ be the type of a \Sapling{} \note, i.e. \end{formulae} } %sapling +\orchard{ +\vspace{1ex} +\introlist +An \Orchard{} \note is a tuple $(\Diversifier, \DiversifiedTransmitPublic, +\Value, \NoteCommitRand, \todo{...})$, where: +\begin{itemize} + \item $\Diversifier \typecolon \DiversifierType$ + is the \diversifier of the recipient's \paymentAddress; + \item $\DiversifiedTransmitPublic \typecolon \KAOrchardPublic$ + is the \diversifiedTransmissionKey of the recipient's \paymentAddress; + \item $\Value \typecolon \range{0}{\MAXMONEY}$ is an integer + representing the value of the \note in \zatoshi; + \item $\NoteCommitRand \typecolon \NoteCommitOrchardTrapdoor$ + is a random \commitmentTrapdoor as defined in \crossref{abstractcommit}. + \item \todo{other fields} +\end{itemize} + +\introlist +Let $\NoteTypeOrchard$ be the type of an \Orchard{} \note, i.e. +\begin{formulae} + \item $\NoteTypeOrchard := \DiversifierType \times \KAOrchardPublic \times \range{0}{\MAXMONEY} + \times \NoteCommitOrchardTrapdoor \times \todo{...}$. +\end{formulae} +} %orchard + Creation of new \notes is described in \crossref{send}. When \notes are sent, only a commitment (see \crossref{abstractcommit}) to the above values is disclosed publically, and added to a data structure called the \noteCommitmentTree. 
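Review bot: The Orchard note tuple defined here has no $\NoteAddressRand$ field (its remaining fields are `\todo{...}`), yet the note-commitment hunk later in this diff states that "the definition of an \Orchard{} \note includes the $\NoteAddressRand$ field" and the nullifier paragraph derives $\nf$ from it; the tuple and $\NoteTypeOrchard$ should list $\NoteAddressRand$ with its type so the two places agree. The $\NoteCommitRand$ item ends with a full stop while its sibling items end with a semicolon.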
@@ -2857,17 +3067,16 @@ $\NoteTuple{} = \changed{(\AuthPublic, \Value, \NoteAddressRand, \NoteCommitRand \vspace{-1.5ex} where $\NoteCommitSprout{}$ is instantiated in \crossref{concretesproutnotecommit}. - \sapling{ \vspace{2ex} \introlist -Let $\DiversifyHash$ be as defined in \crossref{concretediversifyhash}. +Let $\DiversifyHashSapling$ be as defined in \crossref{concretediversifyhash}. A \Sapling{} \defining{\noteCommitment} on a \note $\NoteTuple{} = (\Diversifier, \DiversifiedTransmitPublic, \Value, \NoteCommitRand)$ is computed as \begin{formulae} - \item $\DiversifiedTransmitBase := \DiversifyHash(\Diversifier)$ + \item $\DiversifiedTransmitBase := \DiversifyHashSapling(\Diversifier)$ \vspace{-1ex} \item $\NoteCommitmentSapling(\NoteTuple{}) := \begin{cases} \bot, &\caseif \DiversifiedTransmitBase = \bot \\ 
@@ -2890,19 +3099,59 @@ For a \positionedNote, we can compute the value $\NoteAddressRand$ as described in \crossref{commitmentsandnullifiers}. } %sapling +\orchard{ \vspace{2ex} -A \nullifier (denoted $\nf$) is derived from the $\NoteAddressRand$ value -of a \note and the recipient's -\spendingKey $\AuthPrivate$\sapling{ or \defining{\nullifierDerivingKey} $\AuthProvePublic$}. -This computation uses a \pseudoRandomFunction (see \crossref{abstractprfs}), +\introlist +Let $\DiversifyHashOrchard$ be as defined in \crossref{concretediversifyhash}. + +An \Orchard{} \defining{\noteCommitment} on a \note +$\NoteTuple{} = (\Diversifier, \DiversifiedTransmitPublic, \Value, \NoteCommitRand, \todo{...})$ +is computed as + +\begin{formulae} + \item $\DiversifiedTransmitBase := \DiversifyHashOrchard(\Diversifier)$ + \vspace{-1ex} + \item $\NoteCommitmentOrchard(\NoteTuple{}) := \begin{cases} + \bot, &\caseif \DiversifiedTransmitBase = \bot \\ + \NoteCommitOrchard{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase}, + \reprJ\Of{\DiversifiedTransmitPublic}, + \Value), &\caseotherwise. + \end{cases}$ +\end{formulae} +\vspace{-1.5ex} +where $\NoteCommitOrchard{}$ is instantiated in \crossref{concretesinsemillacommit}. + +Unlike in \Sapling, the definition of an \Orchard{} \note includes the +$\NoteAddressRand$ field; the \note's position in the \noteCommitmentTree does +not need to be known in order to compute this value. +} %orchard + +The \nullifier of a \note is denoted $\nf$. + +\vspace{2ex} +A \nullifier for a \Sprout \note is derived from the $\NoteAddressRand$ value and +the recipient's \spendingKey $\AuthPrivate$. + +\sapling{ +A \nullifier for a \Sapling \note is derived from the $\NoteAddressRand$ value and +the recipient's \nullifierDerivingKey $\NullifierKey$. +} + +\orchard{ +A \nullifier for an \Orchard \note is derived from the $\NoteAddressRand$ value, +the recipient's \nullifierDerivingKey $\NullifierKey$, and the \noteCommitment}. 
+} + +The \nullifier computation uses a \pseudoRandomFunction (see \crossref{abstractprfs}), as described in \crossref{commitmentsandnullifiers}. A \note is spent by proving knowledge of -$(\NoteAddressRand, \AuthPrivate)$\sapling{ or $(\NoteAddressRand, \AuthSignPublic, \AuthProvePrivate)$} +$(\NoteAddressRand, \AuthPrivate)$\sapling{ or $(\NoteAddressRand, \AuthSignPublic, +\AuthProvePrivate)$}\orchard{ or $(\NoteAddressRand, \AuthSignPublic, \NullifierKey)$} in zero knowledge while publically disclosing its \nullifier $\nf$, -allowing $\nf$ to be used to prevent double-spending. \sapling{In the case -of \Sapling, a \spendAuthSignature is also required, in order to demonstrate -knowledge of $\AuthSignPrivate$.} +allowing $\nf$ to be used to prevent double-spending. \sapling{For \SaplingAndOrchard, +a \spendAuthSignature is also required, in order to demonstrate knowledge of +$\AuthSignPrivate$.} \lsubsubsection{Note Plaintexts and Memo Fields}{noteptconcept} @@ -2928,7 +3177,7 @@ The \notePlaintext in each \outputDescription is encrypted to the \diversifiedPaymentAddress $(\Diversifier, \DiversifiedTransmitPublic)$. \introlist -Each \Sapling{} \defining{\notePlaintext} (denoted $\NotePlaintext{}$) consists of +Each \SaplingOrOrchard{} \defining{\notePlaintext} (denoted $\NotePlaintext{}$) consists of \begin{formulae} \item $(\NotePlaintextLeadByte \typecolon \byte, @@ -2951,7 +3200,7 @@ The usage of the \memo is by agreement between the sender and recipient of the \ Encodings are given in \crossref{notept}. The result of encryption forms part of a \noteOrNotesCiphertext. -For further details, see \crossref{sproutinband}\sapling{ and \crossref{saplinginband}}. +For further details, see \crossref{sproutinband}\sapling{ and \crossref{saplingandorchardinband}}. \lsubsection{The Block Chain}{blockchain} 
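Review bot: The Orchard nullifier paragraph appears to close its `\orchard{` group twice: the sentence ends `and the \noteCommitment}.` and is then followed by a line holding only `}`, whereas the Sapling paragraph immediately above closes once; the brace after `\noteCommitment` looks like a typo for `and the \noteCommitment.` with the lone `}` as the intended close. In the $\NoteCommitmentOrchard$ definition the Pallas points $\DiversifiedTransmitBase$ and $\DiversifiedTransmitPublic$ are serialized with the Jubjub representation `\reprJ`; the Pallas representation this diff introduces elsewhere (`\reprPstar`) seems to be what is meant, since $\DiversifyHashOrchard$ is declared to return an element of $\GroupPstar$. The claim that an Orchard note "includes the $\NoteAddressRand$ field" does not match the Orchard note tuple defined earlier in this diff, which leaves that field behind a `\todo`.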
@@ -3259,7 +3508,7 @@ Other networks using variants of the \Zcash protocol may exist, but are not desc \lsubsubsection{Hash Functions}{abstracthashes} Let $\MerkleDepthSprout$, $\MerkleHashLengthSprout$, -\sapling{$\MerkleDepthSapling$, $\MerkleHashLengthSapling$, $\InViewingKeyLength$, $\DiversifierLength$,} +\sapling{$\MerkleDepthSapling$, $\MerkleHashLengthSapling$, $\InViewingKeyLengthSapling$, $\DiversifierLength$,} $\RandomSeedLength$, $\PRFOutputLengthSprout$, $\hSigLength$, and $\NOld$ be as defined in \crossref{constants}. \sapling{ @@ -3310,12 +3559,19 @@ to derive the unique $\NoteAddressRand$ value for a \Sapling{} \note. It is also in the \spendStatement to confirm use of the correct $\NoteAddressRand$ value as an input to \nullifier derivation. It is instantiated in \crossref{concretemixinghash}. -$\DiversifyHash \typecolon \DiversifierType \rightarrow \SubgroupJstar$ is a \hashFunction +$\DiversifyHashSapling \typecolon \DiversifierType \rightarrow \SubgroupJstar$ is a \hashFunction instantiated in \crossref{concretediversifyhash}, and satisfying the Unlinkability security property described in that section. It is used to derive a \diversifiedBase from a \diversifier in \crossref{saplingkeycomponents}. } %sapling +\orchard{ +$\DiversifyHashOrchard \typecolon \DiversifierType \rightarrow \GroupPstar$ is a \hashFunction +instantiated in \crossref{concretediversifyhash}, and satisfying the Unlinkability +security property described in that section. It is used to derive a \diversifiedBase +from a \diversifier in \crossref{orchardkeycomponents}. +} + \introsection \lsubsubsection{Pseudo Random Functions}{abstractprfs} 
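Review bot: The new `\orchard{ ... }` block for $\DiversifyHashOrchard$ is closed with a bare `}`, while every other protocol-conditional block in this diff closes with `} %orchard` (and `} %sapling` for the block just above it); writing `} %orchard` keeps the closing braces greppable in a section where several conditional groups nest. The surrounding subsubsection continues outside the hunk.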
@@ -3822,7 +4078,8 @@ the computational binding security requirement.} the computational binding security requirement. \sapling{(In fact, this is feasible for $\NoteCommitSaplingAlg$ and $\ValueCommitAlg$ because \trapdoors are equivalent modulo $\ParamJ{r}$, and the range of a \trapdoor - for those algorithms is $\binaryrange{\ScalarLength}$ where $2^{\ScalarLength} > \ParamJ{r}$.)} + for those algorithms is $\binaryrange{\ScalarLengthSapling}$ where + $2^{\ScalarLengthSapling} > \ParamJ{r}$.)} \end{pnotes} } %notsprout @@ -3845,16 +4102,16 @@ instantiated in \crossref{concretesproutnotecommit}. \sapling{ \vspace{2ex} -Let $\ScalarLength$ be as defined in \crossref{constants}. +Let $\ScalarLengthSapling$ be as defined in \crossref{constants}. Let $\SubgroupJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}. \introlist Define: \begin{formulae} - \item $\NoteCommitSaplingTrapdoor := \binaryrange{\ScalarLength}$ and + \item $\NoteCommitSaplingTrapdoor := \binaryrange{\ScalarLengthSapling}$ and $\NoteCommitSaplingOutput := \GroupJ$; - \item $\ValueCommitTrapdoor := \binaryrange{\ScalarLength}$ and + \item $\ValueCommitTrapdoor := \binaryrange{\ScalarLengthSapling}$ and $\ValueCommitOutput := \GroupJ$. \end{formulae} @@ -3967,7 +4224,7 @@ not return $\bot$) as a random oracle. \begin{nnotes} \item $\GroupJHash{}$ is used to obtain generators of the \jubjubCurve for various purposes: - the bases $\AuthSignBase$ and $\AuthProveBase$ used in \Sapling key generation, + the bases $\AuthSignBaseSapling$ and $\AuthProveBase$ used in \Sapling key generation, the \xPedersenHash defined in \crossref{concretepedersenhash}, and the commitment schemes defined in \crossref{concretewindowedcommit} and in \crossref{concretehomomorphiccommit}. 
@@ -3984,7 +4241,7 @@ not return $\bot$) as a random oracle. Discrete Logarithm Independence. Discrete Logarithm Independence implies \collisionResistance\!, since a collision $(m_1, m_2)$ for $\GroupGHash{\URS}$ trivially gives a discrete logarithm relation with $x_1 = 1$ and $x_2 = -1$. - \item $\GroupJHash{}$ is also used to instantiate $\DiversifyHash$ in \crossref{concretediversifyhash}. + \item $\GroupJHash{}$ is also used to instantiate $\DiversifyHashSapling$ in \crossref{concretediversifyhash}. We do not know how to prove the Unlinkability property defined in that section in the standard model, but in a model where $\GroupJHash{}$ (restricted to inputs for which it does not return $\bot$) is taken as a random oracle, 
@@ -4001,26 +4258,26 @@ not return $\bot$) as a random oracle. \introlist \lsubsubsection{Represented Pairing}{abstractpairing} -A \defining{\representedPairing} $\GroupP{}$ consists of: +A \defining{\representedPairing} $\GroupPair{}$ consists of: \begin{itemize} - \item a group order parameter $\ParamP{r} \typecolon \PosInt$ which must be prime; - \item two \representedSubgroups $\SubgroupP{1, 2}$, both of order $\ParamP{r}$; - \item a group $\SubgroupP{T}$ of order $\ParamP{r}$, written multiplicatively with operation\, - $\mult \typecolon \SubgroupP{T} \times \SubgroupP{T} \rightarrow \SubgroupP{T}$ - and group identity $\ParamP{\mathbf{1}}$; - \item three generators $\GenP{1, 2, T}$ of $\SubgroupP{1, 2, T}$ respectively; + \item a group order parameter $\ParamPair{r} \typecolon \PosInt$ which must be prime; + \item two \representedSubgroups $\SubgroupPair{1, 2}$, both of order $\ParamPair{r}$; + \item a group $\SubgroupPair{T}$ of order $\ParamPair{r}$, written multiplicatively with operation\, + $\mult \typecolon \SubgroupPair{T} \times \SubgroupPair{T} \rightarrow \SubgroupPair{T}$ + and group identity $\ParamPair{\mathbf{1}}$; + \item three generators $\GenPair{1, 2, T}$ of $\SubgroupPair{1, 2, T}$ respectively; \item a pairing function - $\PairingP \typecolon \SubgroupP{1} \times \SubgroupP{2} \rightarrow \SubgroupP{T}$ + $\PairingPair \typecolon \SubgroupPair{1} \times \SubgroupPair{2} \rightarrow \SubgroupPair{T}$ satisfying: \begin{itemize} \item (Bilinearity)\; for all $a, b \typecolon \GFstar{r}$, - $P \typecolon \SubgroupP{1}$, and $Q \typecolon \SubgroupP{2}$,\; - $\PairingP\Of{\scalarmult{a}{P}, \scalarmult{b}{Q}} = \PairingP\Of{P, Q}^{a \mult b}$;\, and - \item (Nondegeneracy)\; there does not exist $P \typecolon \SubgroupPstar{1}$ - such that for all $Q \typecolon \SubgroupP{2},\; - \PairingP\Of{P, Q} = \OneP$. 
+ $P \typecolon \SubgroupPair{1}$, and $Q \typecolon \SubgroupPair{2}$,\; + $\PairingPair\Of{\scalarmult{a}{P}, \scalarmult{b}{Q}} = \PairingPair\Of{P, Q}^{a \mult b}$;\, and + \item (Nondegeneracy)\; there does not exist $P \typecolon \SubgroupPairstar{1}$ + such that for all $Q \typecolon \SubgroupPair{2},\; + \PairingPair\Of{P, Q} = \OnePair$. \end{itemize} \end{itemize} @@ -4116,7 +4373,7 @@ taking them to be the particular \provingKey and \verifyingKey defined by the } %sprout \sapling{ \introlist -\Zcash uses two \provingSystems: +\Zcash uses \notorchard{two}\orchard{three} \provingSystems: \begin{itemize} \item \BCTV (\crossref{bctv}) is used with the \BNPairing pairing (\crossref{bnpairing}), @@ -4129,6 +4386,9 @@ taking them to be the particular \provingKey and \verifyingKey defined by the (\crossref{spendstatement}) and \outputStatement (\crossref{outputstatement}). It is also used to prove and verify the \joinSplitStatement after \Sapling activation. + \orchardonwarditem \HaloTwo (\crossref{halo}) is used with the \vestaCurve + to prove and verify the \Orchard{} \actionStatement + (\crossref{actionstatement}). \end{itemize} These specializations are: $\JoinSplit$ for the \Sprout @@ -4189,7 +4449,7 @@ Let $\KASapling$ be a \keyAgreementScheme, instantiated in \crossref{concretesap Let $\CRHivk$ be a \hashFunction, instantiated in \crossref{concretecrhivk}. -Let $\DiversifyHash$ be a \hashFunction, instantiated in \crossref{concretediversifyhash}. +Let $\DiversifyHashSapling$ be a \hashFunction, instantiated in \crossref{concretediversifyhash}. Let $\SpendAuthSig$, instantiated in \crossref{concretespendauthsig}, be a \rerandomizableSignatureScheme. 
@@ -4223,14 +4483,14 @@ the \authProvingKey $\AuthProvePrivate \typecolon \GF{\ParamJ{r}}$, and the If $\AuthSignPrivate = 0$, discard this key and repeat with a new $\SpendingKey$. \vspace{1ex} -$\AuthSignPublic \typecolon \SubgroupJstar$, $\AuthProvePublic \typecolon \SubgroupJ$, and +$\AuthSignPublic \typecolon \SubgroupJstar$, $\NullifierKey \typecolon \SubgroupJ$, and the \incomingViewingKey $\InViewingKey \typecolon \InViewingKeyTypeSapling$ are then derived as: \vspace{-0.5ex} \begin{tabular}{@{\hskip 1.7em}r@{\;}l} $\AuthSignPublic$ &$:= \SpendAuthSigDerivePublic(\AuthSignPrivate)$ \\ - $\AuthProvePublic$ &$:= \scalarmult{\AuthProvePrivate}{\AuthProveBase}$ \\ - \plap{$\InViewingKey$}{$\OutViewingKey$} &$:= \CRHivk\big(\reprJ\Of{\AuthSignPublic}, \reprJ\Of{\AuthProvePublic}\kern-0.08em\big)$. + $\NullifierKey$ &$:= \scalarmult{\AuthProvePrivate}{\AuthProveBase}$ \\ + \plap{$\InViewingKey$}{$\OutViewingKey$} &$:= \CRHivk\big(\reprJ\Of{\AuthSignPublic}, \reprJ\Of{\NullifierKey}\kern-0.08em\big)$. \end{tabular} If $\InViewingKey = 0$, discard this key and repeat with a new $\SpendingKey$. @@ -4244,7 +4504,7 @@ authority. A group of such addresses shares the same \fullViewingKey and To create a new \diversifiedPaymentAddress given an \incomingViewingKey $\InViewingKey$, repeatedly pick a \defining{\diversifier} $\Diversifier$ uniformly at random from $\DiversifierType$ until the \defining{\diversifiedBase} -$\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$ is not $\bot$. +$\DiversifiedTransmitBase = \DiversifyHashSapling(\Diversifier)$ is not $\bot$. Then calculate the \defining{\diversifiedTransmissionKey} $\DiversifiedTransmitPublic$: \begin{formulae} 
@@ -4268,7 +4528,7 @@ be as defined in \crossref{concretegrouphashjubjub}. Define: \vspace{-0.5ex} \begin{formulae} \item $\CheckDiversifier(\Diversifier \typecolon \DiversifierType) := \begin{cases} - \bot, &\caseif \DiversifyHash(\Diversifier) = \bot \\ + \bot, &\caseif \DiversifyHashSapling(\Diversifier) = \bot \\ \Diversifier, &\caseotherwise \end{cases}$ \item $\DefaultDiversifier(\sk \typecolon \SpendingKeyType) := @@ -4315,7 +4575,7 @@ if this happens, discard the key and repeat with a different $\SpendingKey$. is computationally indistinguishable from the uniform distribution on $\GF{\ParamJ{r}}$. Since $\fun{\AuthProvePrivate \typecolon \GF{\ParamJ{r}}^{\vphantom{X}}} {\reprJ\Of{\scalarmult{\AuthProvePrivate}{\AuthProveBase}} \typecolon \SubgroupReprJ}$ - is bijective, the distribution of $\reprJ\Of{\AuthProvePublic}$ will be computationally + is bijective, the distribution of $\reprJ\Of{\NullifierKey}$ will be computationally indistinguishable from uniform on $\SubgroupReprJ$ (which is the keyspace of $\PRFnfSapling{}$). \item The \zcashd wallet picks \diversifiers as in \cite{ZIP-32}, rather than using the default \diversifier specified above. @@ -4367,7 +4627,7 @@ where the sequence of \noteCommitments for the output \notes; \item \changed{$\EphemeralPublic \typecolon \KASproutPublic$ is a key agreement \publicKey, used to derive the key for encryption - of the \notesCiphertext (\crossref{sproutinband})}; + of the \notesCiphertextSprout (\crossref{sproutinband})}; \item \changed{$\RandomSeed \typecolon \RandomSeedType$ is a seed that must be chosen independently at random for each \joinSplitDescription}; 
@@ -4386,7 +4646,7 @@ where \end{itemize} \introlist -The $\ephemeralKey$ and $\encCiphertexts$ fields together form the \notesCiphertext. +The $\ephemeralKey$ and $\encCiphertexts$ fields together form the \notesCiphertextSprout. The value $\hSig$ is also computed from \changed{$\RandomSeed$, $\nfOld{\allOld}$, and} the $\joinSplitPubKey$ of the containing \transaction: @@ -4493,7 +4753,7 @@ where in \crossref{concreteextractorjubjub}) to the \noteCommitment for the output \note; \item $\EphemeralPublic \typecolon \KASaplingPublic$ is a key agreement \publicKey, used to derive the key for encryption - of the \noteCiphertext (\crossref{saplinginband}); + of the \noteCiphertextSapling (\crossref{saplinginband}); \item $\TransmitCiphertext{} \typecolon \Ciphertext$ is a ciphertext component for the encrypted output \note; \item $\OutCiphertext{} \typecolon \Ciphertext$ is a ciphertext component that allows the holder of 
@@ -4514,6 +4774,76 @@ where } %sapling +\orchard{ +\lsubsection{Action Descriptions}{actiondesc} + +An \action, as specified in \crossref{actions}, is encoded in \transactions as an \defining{\actionDescription}. + +Each version 5 \transaction includes a sequence of zero or more \defining{\actionDescriptions}. +(Version 4 \transactions cannot contain \actionDescriptions.) + +Each \actionDescription is authorized by a signature, called the \defining{\spendAuthSignature}. + +Let $\MerkleHashLengthOrchard$ be as defined in \crossref{constants}. + +Let $\ValueCommitOutput$ be as defined in \crossref{abstractcommit}. + +Let $\SpendAuthSig$ be as defined in \crossref{spendauthsig}. + +Let $\KASapling$ be as defined in \crossref{abstractkeyagreement}. + +Let $\Sym$ be as defined in \crossref{abstractsym}. + +Let $\Action$ be as defined in \crossref{abstractzk}. + +\vspace{1ex} +\introlist +An \actionDescription consists of $(\cv, \rt, \nf, \AuthSignRandomizedPublic, \spendAuthSig, +\cmX, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \ProofAction)$ +where +\vspace{1ex} +\begin{itemize} + \item $\cv \typecolon \ValueCommitOutput$ is the \valueCommitment to the value of the input \note + minus the value of the output \note \todo{check consistency with \valueBalance}; + \item $\rt \typecolon \MerkleHashOrchard$ is an \anchor, as defined in + \crossref{blockchain}, for the output \treestate of a previous \block; + \item $\nf \typecolon \PRFOutputNfOrchard$ is the \nullifier for the input \note; + \item $\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic$ is a randomized \validatingKey + that should be used to validate $\spendAuthSig$; + \item $\spendAuthSig \typecolon \SpendAuthSigSignature$ is + as specified in \crossref{spendauthsig}. 
+ \item $\cmX \typecolon \MerkleHashOrchard$ is the result of applying $\ExtractP$ (defined
+ in \crossref{concreteextractorpallas}) to the \noteCommitment for the output \note;
+ \item $\EphemeralPublic \typecolon \KAOrchardPublic$ is
+ a key agreement \publicKey, used to derive the key for encryption
+ of the \noteCiphertextOrchard (\crossref{saplinginband});
+ \item $\TransmitCiphertext{} \typecolon \Ciphertext$ is
+ a ciphertext component for the encrypted output \note;
+ \item $\OutCiphertext{} \typecolon \Ciphertext$ is a ciphertext component that allows the holder of
+ a \fullViewingKey to recover the recipient \diversifiedTransmissionKey $\DiversifiedTransmitPublic$
+ and the \ephemeralPrivateKey $\EphemeralPrivate$ (and therefore the entire \notePlaintext);
+ \item $\ProofAction \typecolon \ActionProof$ is a \zkSNARKProof with \primaryInput
+ $(\cv, \rt, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic)$ for the \actionStatement
+ defined in \crossref{actionstatement};
+\end{itemize}
+
+\begin{consensusrules}
+ \item Elements of an \actionDescription{} \MUST be canonical encodings of the types given above.
+ \item $\cv$, $\AuthSignRandomizedPublic$, and $\EphemeralPublic$ \MUSTNOT be $\ZeroP$.
+ \todo{is it even possible to represent $\ZeroP$ as a compressed point encoding?}
+ \item Let $\SigHash$ be the \sighashTxHash of this \transaction, not associated with an input,
+ as defined in \crossref{sighash} using $\SIGHASHALL$.
+
+ The \spendAuthSignature{} \MUST be a valid $\SpendAuthSig$ signature over $\SigHash$
+ using $\AuthSignRandomizedPublic$ as the \validatingKey ---
+ i.e.\ $\SpendAuthSigValidate{\AuthSignRandomizedPublic}(\SigHash, \spendAuthSig) = 1$.
+ \item The proof $\Proof{\Action}$ \MUST be valid given a \primaryInput formed
+ from $(\cv, \rt, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic)$ ---
+ i.e.\ $\ActionVerify{}((\cv, \rt, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic), \Proof{\Action}) = 1$.
+\end{consensusrules} +} %orchard + + \introlist \lsubsection{Sending Notes}{send} @@ -4547,7 +4877,7 @@ Then it creates each output \note with index $i \typecolon \setofNew$: \end{itemize} $\NotePlaintext{\allNew}$ are then encrypted to the recipient \transmissionKeys -$\TransmitPublicSub{\allNew}$, giving the \notesCiphertext +$\TransmitPublicSub{\allNew}$, giving the \notesCiphertextSprout $(\EphemeralPublic, \TransmitCiphertext{\allNew})$, as described in \crossref{sproutinband}. In order to minimize information leakage, the sender \SHOULD randomize the order 
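Review bot: The Action Descriptions section declares `Let $\KASapling$ be as defined in \crossref{abstractkeyagreement}.` but then types $\EphemeralPublic$ as $\KAOrchardPublic$, so the declaration should read `Let $\KAOrchard$ be as defined in \crossref{abstractkeyagreement}.`; likewise $\MerkleHashLengthOrchard$ is introduced while the fields $\rt$ and $\cmX$ are typed $\MerkleHashOrchard$, which is presumably the type that needs introducing. The $\EphemeralPublic$ item points the reader at `\crossref{saplinginband}` for the Orchard note ciphertext, whereas the other hunks in this diff reference the in-band-secret-distribution section as `saplingandorchardinband`. The consensus rule `$\cv$, $\AuthSignRandomizedPublic$, and $\EphemeralPublic$ \MUSTNOT be $\ZeroP$` treats $\cv$ as a Pallas point, but $\cv$ is typed $\ValueCommitOutput$, which this diff's abstractcommit hunk still defines as $\GroupJ$ (Jubjub); an Orchard-specific value commitment output type is needed for the rule to be well-typed, and the same Jubjub-vs-Pallas question applies to $\SpendAuthSig$ being taken unchanged from \crossref{spendauthsig}. The proof field is named $\ProofAction$ in the field list but $\Proof{\Action}$ in the consensus rules; one spelling should be used throughout.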
@@ -4574,22 +4904,36 @@ node or wallet implementation. \sapling{ \introlist -\lsubsubsection{Sending Notes (\SaplingText)}{saplingsend} +\extralabel{saplingsend}{\lsubsubsection{Sending Notes (\SaplingAndOrchardText)}{saplingororchardsend}} -In order to send \Sapling{} \shielded value, the sender constructs a \transaction +In order to send \SaplingOrOrchard{} \shielded value, the sender constructs a \transaction containing one or more \outputDescriptions. -Let $\ValueCommitAlg$ and $\NoteCommitSaplingAlg$ be as specified in \crossref{abstractcommit}. +Let $\ValueCommitAlg$, $\NoteCommitSaplingAlg$\orchard{, and $\NoteCommitOrchardAlg$} be as +specified in \crossref{abstractcommit}. -Let $\KASapling$ be as defined in \crossref{abstractkeyagreement}. +\orchard{ +Let $\KASapling$\orchard{ and $\KAOrchard$} be as defined in \crossref{abstractkeyagreement}. +} %orchard -Let $\DiversifyHash$ be as defined in \crossref{abstracthashes}. +\notbeforeorchard{ +Let $\DiversifyHash$ be $\DiversifyHashSapling$ for a \Sapling{} \note, or +$\DiversifyHashOrchard$ for an \Orchard{} \note. These functions are defined in +\crossref{abstracthashes}. +} %notbeforeorchard +\notorchard{ +Let $\DiversifyHash$ be $\DiversifyHashSapling$ as defined in \crossref{abstracthashes}. +} %notorchard Let $\reprJ$, $\ParamJ{r}$, and $\ParamJ{h}$ be as defined in \crossref{jubjub}. +\orchard{ +Let $\reprPstar$ and $\ParamP{r}$ be as defined in \crossref{pallas}. +} %orchard + \vspace{1ex} -Let $\OutViewingKey$ be an \outgoingViewingKey that is intended to be able to decrypt -this payment. This may be one of: +Let $\OutViewingKey$ be an \outgoingViewingKey\orchard{ (for the same shielded protocol as the \note)} +that is intended to be able to decrypt this payment. This may be one of: \begin{itemize} \item the \outgoingViewingKey for the address (or one of the addresses) from which the payment was sent; 
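Review bot: Wrapping `Let $\KASapling$\orchard{ and $\KAOrchard$} be as defined in \crossref{abstractkeyagreement}.` in an outer `\orchard{ ... }` drops the $\KASapling$ declaration entirely from builds where Orchard is not enabled, although the removed line was unconditional and the Sapling procedure below still uses it; the inner `\orchard{ and $\KAOrchard$}` already does the conditional part, so the outer wrapper should go. The introduction still says the sender constructs a transaction "containing one or more \outputDescriptions", which for an Orchard payment would presumably be \actionDescriptions; a `\orchard{ or \actionDescriptions}` qualifier in the style of the surrounding text would cover it.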
@@ -4614,16 +4958,19 @@ if $\BlockHeight \geq \CanopyActivationHeight$. \introlist \vspace{2ex} For each \outputDescription, the sender selects a value $\Value \typecolon \range{0}{\MAXMONEY}$ -and a destination \Sapling{} \paymentAddress $(\Diversifier, \DiversifiedTransmitPublic)$, and then -performs the following steps: +and a destination \SaplingOrOrchard{} \paymentAddress $(\Diversifier, \DiversifiedTransmitPublic)$, +and then performs the following steps: \vspace{0.5ex} \begin{algorithm} - \item Check that $\DiversifiedTransmitPublic$ is of type $\KASaplingPublicPrimeSubgroup$, i.e.\ it - is a valid \ctEdwardsCurve point on the \jubjubCurve (as defined in \crossref{jubjub}), and - $\scalarmult{\ParamJ{r}}{\DiversifiedTransmitPublic} = \ZeroJ$. + \item Check that $\DiversifiedTransmitPublic$ is of the correct type. For $\Sapling$ this type + is $\KASaplingPublicPrimeSubgroup$, i.e.\ $\DiversifiedTransmitPublic$ MUST be a valid + \ctEdwardsCurve point on the \jubjubCurve (as defined in \crossref{jubjub}), and + $\scalarmult{\ParamJ{r}}{\DiversifiedTransmitPublic} = \ZeroJ$. \orchard{For \Orchard + this type is $\KAOrchardPublic$, i.e.\ $\DiversifiedTransmitPublic$ MUST be a valid + \swCurve point on the \pallasCurve (as defined in \crossref{pallas}).} - \item Calculate $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$ + \item Calculate $\DiversifiedTransmitBase = \DiversifyHashSapling(\Diversifier)$ and check that $\DiversifiedTransmitBase \neq \bot$. \item Choose a uniformly random \commitmentTrapdoor $\ValueCommitRand \leftarrowR \ValueCommitGenTrapdoor()$. 
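Review bot: The second step still hard-codes `\item Calculate $\DiversifiedTransmitBase = \DiversifyHashSapling(\Diversifier)$`, even though the hunk above it defines $\DiversifyHash$ as $\DiversifyHashSapling$ for a Sapling note or $\DiversifyHashOrchard$ for an Orchard note precisely so this procedure can be shared; as written an Orchard recipient's diversified base would be computed with the Jubjub hash, so the step should use `\DiversifyHash(\Diversifier)`. In the first step `For $\Sapling$ this type` puts the protocol name in math mode; the parallel Orchard clause and the rest of the file write it as `For \Sapling this type`.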
@@ -4655,9 +5002,9 @@ performs the following steps: \item Encrypt $\NotePlaintext{}$ to the recipient \diversifiedTransmissionKey $\DiversifiedTransmitPublic$ with \diversifiedBase $\DiversifiedTransmitBase$, and to the - \outgoingViewingKey $\OutViewingKey$, giving the \noteCiphertext + \outgoingViewingKey $\OutViewingKey$, giving the \noteCiphertextSapling $(\EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext)$. - This procedure is described in \crossref{saplingencrypt}; it also uses + This procedure is described in \crossref{saplingandorchardencrypt}; it also uses $\cv$ and $\cm$ to derive the \outgoingCipherKey, and takes $\EphemeralPrivate$ as an input. @@ -4714,7 +5061,7 @@ zero value, and sent to a random \paymentAddress. \sapling{ \introsection -\lsubsubsection{Dummy Notes (\SaplingText)}{saplingdummynotes} +\lsubsubsection{Dummy Notes (\SaplingAndOrchardText)}{saplingdummynotes} In \Sapling there is no need to use \dummyNotes simply in order to fill otherwise unused inputs as in the case of a \joinSplitDescription; nevertheless 
@@ -4743,13 +5090,13 @@ A \dummy{} \Sapling input \note is constructed as follows: \item Set $\vOld{} = 0$, and set $\NotePosition = 0$. \item Choose uniformly random $\NoteCommitRand \leftarrowR \NoteCommitSaplingGenTrapdoor()$. and $\AuthProvePrivate \leftarrowR \GF{\ParamJ{r}}$. - \item Compute $\AuthProvePublic = \scalarmult{\AuthProvePrivate}{\AuthProveBase}$ and - $\AuthProvePublicRepr = \reprJ\Of{\AuthProvePublic}$\,. + \item Compute $\NullifierKey = \scalarmult{\AuthProvePrivate}{\AuthProveBase}$ and + $\NullifierKeyRepr = \reprJ\Of{\NullifierKey}$\,. \item Compute $\NoteAddressRand{} = \cmOld{} = \NoteCommitSapling{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase}, \reprJ\Of{\DiversifiedTransmitPublic}, \vOld{})$. - \item Compute $\nfOld{} = \PRFnfSapling{\AuthProvePublicRepr}(\reprJ(\NoteAddressRand))$. + \item Compute $\nfOld{} = \PRFnfSapling{\NullifierKeyRepr}(\reprJ(\NoteAddressRand))$. \item Construct a \dummy \merklePath $\TreePath{}$ for use in the \auxiliaryInput to the \spendStatement (this will not be checked, because $\vOld{} = 0$). \end{itemize} 
@@ -5215,8 +5562,8 @@ The resulting $\spendAuthSig$ and $\ProofSpend$ are included in the \spendDescri If the spender is computationally or memory-limited, step 4 (and only step 4) \MAY be delegated to a different party that is capable of performing the \zkSNARKProof. In this case privacy will be lost to that party since it needs $\AuthSignPublic$ and the \authProvingKey $\AuthProvePrivate$; -this allows also deriving the $\AuthProvePublic$ component of the \fullViewingKey. Together -$\AuthSignPublic$ and $\AuthProvePublic$ are sufficient to recognize spent \notes and to +this allows also deriving the $\NullifierKey$ component of the \fullViewingKey. Together +$\AuthSignPublic$ and $\NullifierKey$ are sufficient to recognize spent \notes and to recognize and decrypt incoming \notes. However, the other party will not obtain spending authority for other \transactions, since it is not able to create a \spendAuthSignature by itself. } %pnote @@ -5264,7 +5611,7 @@ is derived as $\PRFnf{\AuthPrivate}(\NoteAddressRand)$, where $\AuthPrivate$ is \vspace{2ex} \sapling{ For a \Sapling{} \note, the \nullifier is derived as -$\PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRandRepr)$, where $\AuthProvePublicRepr$ +$\PRFnfSapling{\NullifierKeyRepr}(\NoteAddressRandRepr)$, where $\NullifierKeyRepr$ is a representation of the \nullifierDerivingKey associated with the \note and $\NoteAddressRandRepr = \reprJ(\NoteAddressRand)$. } %sapling @@ -5363,7 +5710,7 @@ For details of the form and encoding of proofs, see \crossref{bctv}. \lsubsubsection{Spend Statement (\SaplingText)}{spendstatement} \vspace{-1ex} -Let $\MerkleHashLengthSapling$, $\PRFOutputLengthNfSapling$, and $\ScalarLength$ be +Let $\MerkleHashLengthSapling$, $\PRFOutputLengthNfSapling$, and $\ScalarLengthSapling$ be as defined in \crossref{constants}. \vspace{-0.5ex} 
@@ -5404,12 +5751,12 @@ the prover knows an \auxiliaryInput: \hparen\DiversifiedTransmitBase \typecolon \GroupJ,\\ \hparen\DiversifiedTransmitPublic \typecolon \GroupJ,\vspace{0.6ex}\\ \hparen\vOld{} \typecolon \ValueType,\\ - \hparen\ValueCommitRandOld{} \typecolon \binaryrange{\ScalarLength},\\ + \hparen\ValueCommitRandOld{} \typecolon \binaryrange{\ScalarLengthSapling},\\ \hparen\cmOld{} \typecolon \GroupJ,\\ - \hparen\NoteCommitRandOld{} \typecolon \binaryrange{\ScalarLength},\\ - \hparen\AuthSignRandomizer \typecolon \binaryrange{\ScalarLength},\\ + \hparen\NoteCommitRandOld{} \typecolon \binaryrange{\ScalarLengthSapling},\\ + \hparen\AuthSignRandomizer \typecolon \binaryrange{\ScalarLengthSapling},\\ \hparen\AuthSignPublic \typecolon \SpendAuthSigPublic,\\ - \hparen\AuthProvePrivate \typecolon \binaryrange{\ScalarLength}\cparen$ + \hparen\AuthProvePrivate \typecolon \binaryrange{\ScalarLengthSapling}\cparen$ \end{formulae} \vspace{-1.5ex} such that the following conditions hold: @@ -5433,10 +5780,10 @@ are not of small order, i.e.\ $\scalarmult{\ParamJ{h}}{\DiversifiedTransmitBase} and $\scalarmult{\ParamJ{h}}{\AuthSignPublic} \neq \ZeroJ$. \snarkcondition{Nullifier integrity}{spendnullifierintegrity} -$\nfOld{} = \PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRandRepr)$ where +$\nfOld{} = \PRFnfSapling{\NullifierKeyRepr}(\NoteAddressRandRepr)$ where \vspace{-1ex} \begin{formulae} - \item $\AuthProvePublicRepr = \reprJ\Of{\scalarmult{\AuthProvePrivate}{\AuthProveBase}}$ + \item $\NullifierKeyRepr = \reprJ\Of{\scalarmult{\AuthProvePrivate}{\AuthProveBase}}$ \vspace{-1ex} \item $\NoteAddressRandRepr = \reprJ\big(\MixingPedersenHash(\cmOld{}, \NotePosition)\kern-0.12em\big)$. \end{formulae} 
@@ -5448,7 +5795,7 @@ $\AuthSignRandomizedPublic = \SpendAuthSigRandomizePublic(\AuthSignRandomizer, \ $\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$ where \vspace{-1ex} \begin{formulae} - \item $\InViewingKey = \CRHivk(\AuthSignPublicRepr, \AuthProvePublicRepr)$ + \item $\InViewingKey = \CRHivk(\AuthSignPublicRepr, \NullifierKeyRepr)$ \vspace{-1ex} \item $\AuthSignPublicRepr = \reprJ\Of{\AuthSignPublic}$\,. \end{formulae} @@ -5468,8 +5815,8 @@ For details of the form and encoding of \spendStatement proofs, see \crossref{gr small order. However, this \emph{is} checked outside the \spendStatement, as specified in \crossref{spenddesc}. \item It is \emph{not} checked that $\ValueCommitRandOld{} < \ParamJ{r}$ or that $\NoteCommitRandOld{} < \ParamJ{r}$. - \item $\SpendAuthSigRandomizePublic(\AuthSignRandomizer, \AuthSignPublic) = \AuthSignPublic + \scalarmult{\AuthSignRandomizer}{\AuthSignBase}$. - ($\AuthSignBase$ is as defined in \crossref{concretespendauthsig}.) + \item $\SpendAuthSigRandomizePublic(\AuthSignRandomizer, \AuthSignPublic) = \AuthSignPublic + \scalarmult{\AuthSignRandomizer}{\AuthSignBaseSapling}$. + ($\AuthSignBaseSapling$ is as defined in \crossref{concretespendauthsig}.) \end{pnotes} } %sapling @@ -5478,7 +5825,7 @@ For details of the form and encoding of \spendStatement proofs, see \crossref{gr \introsection \lsubsubsection{Output Statement (\SaplingText)}{outputstatement} -Let $\MerkleHashLengthSapling$ and $\ScalarLength$ be +Let $\MerkleHashLengthSapling$ and $\ScalarLengthSapling$ be as defined in \crossref{constants}. Let $\ValueCommitAlg$ and $\NoteCommitSaplingAlg$ be as specified in \crossref{abstractcommit}. 
@@ -5502,9 +5849,9 @@ the prover knows an \auxiliaryInput: \item $(\DiversifiedTransmitBase \typecolon \GroupJ,\\[0.5ex] \hparen\DiversifiedTransmitPublicRepr \typecolon \ReprJ,\\ \hparen\vNew{} \typecolon \ValueType,\\ - \hparen\ValueCommitRandNew{} \typecolon \binaryrange{\ScalarLength},\\ - \hparen\NoteCommitRandNew{} \typecolon \binaryrange{\ScalarLength},\\ - \hparen\EphemeralPrivate \typecolon \binaryrange{\ScalarLength})$ + \hparen\ValueCommitRandNew{} \typecolon \binaryrange{\ScalarLengthSapling},\\ + \hparen\NoteCommitRandNew{} \typecolon \binaryrange{\ScalarLengthSapling},\\ + \hparen\EphemeralPrivate \typecolon \binaryrange{\ScalarLengthSapling})$ \end{formulae} \vspace{-1ex} such that the following conditions hold: 
@@ -5542,6 +5889,126 @@ For details of the form and encoding of \outputStatement proofs, see \crossref{g } %sapling +\orchard{ +\lsubsubsection{Action Statement (\OrchardText)}{actionstatement} + +\vspace{-1ex} +Let $\MerkleHashLengthOrchard$ and $\ScalarLengthOrchard$ be as defined in \crossref{constants}. + +\vspace{-0.5ex} +Let $\ValueCommitAlg$ and $\NoteCommitOrchardAlg$ be as specified in \crossref{abstractcommit}. + +\vspace{-0.5ex} +Let $\SpendAuthSig$ be as defined in \crossref{concretespendauthsig}. + +\vspace{-0.5ex} +Let $\GroupP$, $\GroupPstar$, $\reprPstar$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}. + +\intropart +\vspace{0.5ex} +A valid instance of a \defining{\actionStatement}, $\ProofAction$, assures that given a \primaryInput: + +\vspace{-1ex} +\begin{formulae} + \item $\oparen\rt \typecolon \MerkleHashOrchard,\\ + \hparen\cvBalance{} \typecolon \ValueCommitOutput,\\ + \hparen\nfOld{} \typecolon \PRFOutputNfOrchard,\\ + \hparen\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic,\\ + \hparen\cmX \typecolon \MerkleHashOrchard,\\ + \hparen\EphemeralPublic \typecolon \GroupPstar\cparen$, +\end{formulae} + +\vspace{-2ex} +\introlist +the prover knows an \auxiliaryInput: + +\vspace{-1ex} +\begin{formulae} + \item $\oparen\TreePath{} \typecolon \typeexp{\MerkleHash}{\MerkleDepthOrchard},\\ + \hparen\NotePosition \typecolon \NotePositionTypeOrchard,\vspace{0.4ex}\\ + \hparen\DiversifiedTransmitBaseOld \typecolon \GroupPstar,\\ + \hparen\DiversifiedTransmitPublicOld \typecolon \GroupPstar,\vspace{0.6ex}\\ + \hparen\vOld{} \typecolon \ValueType,\\ + \hparen\cmOld{} \typecolon \GroupPstar,\\ + \hparen\NoteCommitRandOld{} \typecolon \binaryrange{\ScalarLengthOrchard},\\ + \hparen\AuthSignRandomizer \typecolon \binaryrange{\ScalarLengthOrchard},\\ + \hparen\AuthSignPublic \typecolon \SpendAuthSigPublic,\\ + \hparen\DiversifiedTransmitBaseNew \typecolon \GroupPstar,\\[0.5ex] + \hparen\DiversifiedTransmitPublicNewRepr 
\typecolon \ReprPstar,\\ + \hparen\vNew{} \typecolon \ValueType,\\ + \hparen\NoteCommitRandNew{} \typecolon \binaryrange{\ScalarLengthOrchard},\\ + \hparen\EphemeralPrivate \typecolon \binaryrange{\ScalarLengthOrchard},\\ + \hparen\ValueCommitRand{} \typecolon \binaryrange{\ScalarLengthOrchard}\cparen$ +\end{formulae} +\vspace{-1.5ex} +such that the following conditions hold: + +\vspace{0.5ex} +\snarkcondition{Old note commitment integrity}{actionoldnotecommitmentintegrity} +$\cmOld{} = \NoteCommitOrchard{\NoteCommitRandOld{}}(\reprPstar\Of{\DiversifiedTransmitBaseOld}, + \reprPstar\Of{\DiversifiedTransmitPublicOld}, + \vOld{})$. + +\snarkcondition{Merkle path validity}{actionmerklepathvalidity} +Either $\vOld{} = 0$; or $(\TreePath{}, \NotePosition)$ is a valid \merklePath of depth $\MerkleDepthOrchard$, +as defined in \crossref{merklepath}, from $\cmOld{}$ to the \anchor $\rt$. + +\snarkcondition{Value commitment integrity}{actionvaluecommitmentintegrity} +$\cvBalance{} = \ValueCommit{\ValueCommitRandOld{}}(\vOld{} - \vNew{})$. + +\snarkcondition{Non-zero point checks}{actionnonzero} +$\DiversifiedTransmitBaseOld$ and $\DiversifiedTransmitBaseNew$ and $\AuthSignPublic$ are not $\ZeroP$. +\todo{express this in the type} + +\snarkcondition{Nullifier integrity}{actionnullifierintegrity} +$\nfOld{} = \scalarmult{(\PRFnfOrchard{\NullifierKeyRepr}(\NoteAddressRandRepr) + \psi) \bmod \ParamP{q}}{\NullifierBaseOrchard} + \cmOld{}$. + +\snarkcondition{Spend authority}{actionspendauthority} +$\AuthSignRandomizedPublic = \SpendAuthSigRandomizePublic(\AuthSignRandomizer, \AuthSignPublic)$. + +\snarkcondition{Diversified address integrity}{actionaddressintegrity} +$\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$ where +\vspace{-1ex} +\begin{formulae} + \item $\InViewingKey = \CommitIvk{\InViewingKeyRandom}(\AuthSignPublicRepr, \NullifierKeyRepr)$ + \vspace{-1ex} + \item $\AuthSignPublicRepr = \reprJ\Of{\AuthSignPublic}$\,. 
+\end{formulae} + +\vspace{1ex} +\snarkcondition{New note commitment integrity}{actionnewnotecommitmentintegrity} +$\cmU = \ExtractP\big(\NoteCommitOrchard{\NoteCommitRandNew{}}(\DiversifiedTransmitBaseNewRepr, + \DiversifiedTransmitPublicNewRepr, + \vNew{})\kern-0.12em\big)$, + +where $\DiversifiedTransmitBaseNewRepr = \reprJ\Of{\DiversifiedTransmitBaseNew}$\,. + +\vspace{0.5ex} +\snarkcondition{Ephemeral public key integrity}{actionepkintegrity} +$\EphemeralPublic = \scalarmult{\EphemeralPrivate}{\DiversifiedTransmitBaseNew}$. + +For details of the form and encoding of \actionStatement proofs, see \crossref{halo2}. + +\begin{pnotes} + \item Public and \auxiliaryInputs{} \MUST be constrained to have the types specified. In particular, + see \crossref{cctswdecompressvalidate}, for required validity checks on compressed + representations of \pallasCurve points. + + The $\ValueCommitOutput$ and $\SpendAuthSigPublic$ types also represent points, i.e. $\GroupP$. + \item In the Merkle path validity check, each \merkleLayer does \emph{not} check that its + input bit sequence is a canonical encoding (in $\range{0}{\ParamP{r}-1}$) of the integer + from the previous \merkleLayer. + \item Unlike \Sapling, it \emph{is} checked in the \actionStatement that $\AuthSignRandomizedPublic$ + is not the zero point. + \item It is \emph{not} checked that $\ValueCommitRand{} < \ParamP{r}$ or that $\NoteCommitRandOld{} < \ParamP{r}$ + or that $\NoteCommitRandNew{} < \ParamP{r}$. + \item $\SpendAuthSigRandomizePublic(\AuthSignRandomizer, \AuthSignPublic) = \AuthSignPublic + \scalarmult{\AuthSignRandomizer}{\AuthSignBaseSapling}$. + ($\AuthSignBaseSapling$ is as defined in \crossref{concretespendauthsig}.) + \item The validity of $\DiversifiedTransmitPublicRepr$ is \emph{not} checked in this circuit. +\end{pnotes} +} %orchard + + \lsubsection{In-band secret distribution\pSproutOrNothingText}{sproutinband} \sprout{The}\notsprout{In \Sprout, the} secrets that need to be transmitted 
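Review bot: Several symbols in the new \actionStatement do not match its declared inputs: the Value commitment integrity condition writes `$\cvBalance{} = \ValueCommit{\ValueCommitRandOld{}}(\vOld{} - \vNew{})$` but the auxiliary input declares `\ValueCommitRand{}`; New note commitment integrity constrains `\cmU` while the primary input lists `\cmX`; Nullifier integrity uses `\NullifierKeyRepr`, `\psi` and `\NoteAddressRandRepr`, and Diversified address integrity uses `\InViewingKeyRandom`, `\DiversifiedTransmitPublic` and `\DiversifiedTransmitBase`, none of which appear in either input list (the auxiliary input has the `Old`/`New`-suffixed forms). The two `\reprJ\Of{...}` occurrences, for `\AuthSignPublicRepr` and `\DiversifiedTransmitBaseNewRepr`, apply the Jubjub representation to Pallas points where the rest of the statement uses `\reprPstar\Of{...}`. The closing pnotes also cite `\AuthSignBaseSapling` and `\DiversifiedTransmitPublicRepr`, which read as carried over from the Spend and Output statements rather than the Orchard names used above. Since the section is wrapped in `\orchard{` it presumably does not surface in current builds, but alongside the existing `\todo{express this in the type}` a `\todo{reconcile input names and representations}` would flag the unreconciled symbols for whoever finishes it.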
@@ -5557,7 +6024,7 @@ reconstruct the original \note\changed{ and \memo}. A single \ephemeralPublicKey is shared between encryptions of the $\NNew$ \shieldedOutputs in a \joinSplitDescription. All of the resulting ciphertexts -are combined to form a \notesCiphertext. +are combined to form a \notesCiphertextSprout. \introlist For both encryption and decryption, @@ -5603,7 +6070,7 @@ $(\EphemeralPublic, \EphemeralPrivate)$. \end{itemize} \vspace{-2ex} -The resulting \defining{\notesCiphertext} is $\changed{(\EphemeralPublic, +The resulting \defining{\notesCiphertextSprout} is $\changed{(\EphemeralPublic, \TransmitCiphertext{\allNew})}$. \pnote{ @@ -5678,9 +6145,9 @@ engineering rationale behind this encryption scheme. \sapling{ -\lsubsection{In-band secret distribution (\SaplingText)}{saplinginband} +\extralabel{saplinginband}{\lsubsection{In-band secret distribution (\SaplingAndOrchardText)}{saplingandorchardinband}} -In \Sapling, the secrets that need to be transmitted to a recipient of funds +In \SaplingAndOrchard, the secrets that need to be transmitted to a recipient of funds in order for them to later spend, are $\Diversifier$, $\Value$, and $\NoteCommitRand$. A \memo (\crossref{noteptconcept}) is also transmitted. @@ -5690,7 +6157,7 @@ $\DiversifiedTransmitPublic$ is used to encrypt them. The recipient's possession of the associated \incomingViewingKey $\InViewingKey$ is used to reconstruct the original \note and \memo. -Unlike in a \Sprout{} \joinSplitDescription, each \Sapling{} \shieldedOutput +Unlike in a \Sprout{} \joinSplitDescription, each \SaplingOrOrchard{} \shieldedOutput is encrypted by a fresh \ephemeralPublicKey. \vspace{0.5ex} 
@@ -5711,18 +6178,18 @@ For both encryption and decryption, \sapling{ -\lsubsubsection{Encryption (\SaplingText)}{saplingencrypt} +\extralabel{saplingencrypt}{\lsubsubsection{Encryption (\SaplingAndOrchardText)}{saplingandorchardencrypt}} Let $\DiversifiedTransmitPublic \typecolon \KASaplingPublicPrimeSubgroup$ be the \diversifiedTransmissionKey for the intended recipient address of a new \Sapling{} \note, and let $\DiversifiedTransmitBase \typecolon \KASaplingPublicPrimeSubgroup$ be the corresponding -\diversifiedBase computed as $\DiversifyHash(\Diversifier)$. +\diversifiedBase computed as $\DiversifyHashSapling(\Diversifier)$. -Since \Sapling{} \note encryption is used only in the context of \crossref{saplingsend}, we may assume that -$\DiversifiedTransmitBase$ has already been calculated and is not $\bot$. Also, the \ephemeralPrivateKey -$\EphemeralPrivate$ has been chosen. +Since \SaplingAndOrchard{} \note encryption is used only in the context of +\crossref{saplingororchardsend}, we may assume that $\DiversifiedTransmitBase$ has already been +calculated and is not $\bot$. Also, the \ephemeralPrivateKey $\EphemeralPrivate$ has been chosen. -Let $\OutViewingKey \typecolon \maybe{\OutViewingKeyType}$ be as described in \crossref{saplingsend}, +Let $\OutViewingKey \typecolon \maybe{\OutViewingKeyType}$ be as described in \crossref{saplingororchardsend}, i.e.\ the \outgoingViewingKey of the \paymentAddress from which the \note is being spent, or an \outgoingViewingKey associated with a \cite{ZIP-32} account, or $\bot$. @@ -5761,7 +6228,7 @@ Then to encrypt: \item let $\OutCiphertext = \SymEncrypt{\OutCipherKey}(\OutPlaintext)$ \end{algorithm} -The resulting \defining{\noteCiphertext} is $(\ephemeralKey, \TransmitCiphertext{}, \OutCiphertext)$. +The resulting \defining{\noteCiphertextSapling} is $(\ephemeralKey, \TransmitCiphertext{}, \OutCiphertext)$. \pnote{ It is technically possible to replace $\TransmitCiphertext{}$ for a given \note 
@@ -5776,12 +6243,12 @@ received out-of-band, which are not addressed in this document. \sapling{ -\lsubsubsection{Decryption using an Incoming Viewing Key (\SaplingText)}{saplingdecryptivk} +\lsubsubsection{Decryption using an Incoming Viewing Key (\SaplingAndOrchardText)}{saplingdecryptivk} Let $\InViewingKey \typecolon \InViewingKeyTypeSapling$ be the recipient's \incomingViewingKey, as specified in \crossref{saplingkeycomponents}. -Let $(\ephemeralKey, \TransmitCiphertext{}, \OutCiphertext)$ be the \noteCiphertext from the +Let $(\ephemeralKey, \TransmitCiphertext{}, \OutCiphertext)$ be the \noteCiphertextSapling from the \outputDescription{}. Let $\cmuField$ be that field of the \outputDescription (encoding the $u$-coordinate of the \noteCommitment). @@ -5793,7 +6260,7 @@ Let $\BlockHeight$ be the \blockHeight of the \block containing this \transactio \introlist The recipient will attempt to decrypt the $\ephemeralKey$ and $\TransmitCiphertext{}$ -components of the \noteCiphertext as follows: +components of the \noteCiphertextSapling as follows: \begin{algorithm} \vspace{-0.5ex} \item let $\EphemeralPublic = \abstJ\Of{\ephemeralKey}$ @@ -5816,7 +6283,7 @@ from $\TransmitPlaintext{}$ \ToScalar\big(\PRFexpand{\NoteSeedBytes}([5])\kern-0.11em\big),&\caseotherwise \end{cases}$} \item let $\NoteCommitRand = \LEOStoIPOf{256}{\NoteCommitRandBytes}$ - and $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$ + and $\DiversifiedTransmitBase = \DiversifyHashSapling(\Diversifier)$ \item if $\NoteCommitRand \geq \ParamJ{r}$ or $\DiversifiedTransmitBase = \bot$, return $\bot$ \canopyonwarditem{if $\NotePlaintextLeadByte \neq \hexint{01}$:} \canopy{ 
@@ -5840,17 +6307,17 @@ from $\TransmitPlaintext{}$ \transaction as input to $\KDFSapling$\canopy{, and (if \Canopy is active and $\NotePlaintextLeadByte \neq \hexint{01}$) in the comparison against $\reprJ\big(\KASaplingDerivePublic(\EphemeralPrivate, \DiversifiedTransmitBase)\kern-0.12em\big)$}. - \item Normally only \noteCiphertexts of \transactions in \blocks need to be decrypted. In that case, + \item Normally only \noteCiphertextsSapling of \transactions in \blocks need to be decrypted. In that case, any received \Sapling{} \note is necessarily a \positionedNote, and so its $\NoteAddressRand$ value can immediately be calculated as described in \crossref{commitmentsandnullifiers}. To test whether a \Sapling{} \note is unspent in a particular \blockChain also requires - the \nullifierDerivingKey $\AuthProvePublicRepr$; the coin is unspent if and only if - $\nf = \PRFnfSapling{\AuthProvePublicRepr}\big(\reprJ(\NoteAddressRand)\kern-0.15em\big)$ is + the \nullifierDerivingKey $\NullifierKeyRepr$; the coin is unspent if and only if + $\nf = \PRFnfSapling{\NullifierKeyRepr}\big(\reprJ(\NoteAddressRand)\kern-0.15em\big)$ is not in the \nullifierSet for that \blockChain. \item A \note can change from being unspent to spent as a node's view of the \bestValidBlockChain is extended by new \transactions. Also, \blockChainReorganizations can cause a node to switch to a different \bestValidBlockChain that does not contain the \transaction in which a \note was output. - \item A client \MAY attempt to decrypt a \noteCiphertext of a \transaction in the \mempool\canopy{, + \item A client \MAY attempt to decrypt a \noteCiphertextSapling of a \transaction in the \mempool\canopy{, using the next \blockHeight for $\BlockHeight$}. However, in that case it \MUSTNOT assume that the \transaction will be mined and \MUST treat the decrypted information as provisional. It will not be able to calculate the $\NoteAddressRand$ value. 
@@ -5860,7 +6327,7 @@ from $\TransmitPlaintext{}$ \sapling{ -\lsubsubsection{Decryption using a Full Viewing Key (\SaplingText)}{saplingdecryptovk} +\lsubsubsection{Decryption using a Full Viewing Key (\SaplingAndOrchardText)}{saplingdecryptovk} \vspace{-0.5ex} Let $\OutViewingKey \typecolon \OutViewingKeyType$ be the \outgoingViewingKey, as specified @@ -5868,13 +6335,13 @@ in \crossref{saplingkeycomponents}, that is to be used for decryption. (If $\OutViewingKey = \bot$ was used for encryption, the payment is not decryptable by this method.) -Let $(\ephemeralKey, \TransmitCiphertext{}, \OutCiphertext)$ be the \noteCiphertext, +Let $(\ephemeralKey, \TransmitCiphertext{}, \OutCiphertext)$ be the \noteCiphertextSapling, and let $\cvField$ and $\cmuField$ be those fields of the \outputDescription (encoding the \valueCommitment and the $u$-coordinate of the \noteCommitment). \introsection \vspace{0.5ex} -The \outgoingViewingKey holder will attempt to decrypt the \noteCiphertext as follows: +The \outgoingViewingKey holder will attempt to decrypt the \noteCiphertextSapling as follows: \introlist \vspace{-0.5ex} @@ -5907,7 +6374,7 @@ from $\TransmitPlaintext{}$ \ToScalar\big(\PRFexpand{\NoteSeedBytes}([5])\kern-0.11em\big),&\caseotherwise \end{cases}$} \item let $\NoteCommitRand = \LEOStoIPOf{256}{\NoteCommitRandBytes}$ - and $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$ + and $\DiversifiedTransmitBase = \DiversifyHashSapling(\Diversifier)$ \item if $\NoteCommitRand \geq \ParamJ{r}$ or $\DiversifiedTransmitBase = \bot$, return $\bot$ \item let $\cmU' = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase}, \reprJ\Of{\DiversifiedTransmitPublic}, 
@@ -5928,7 +6395,7 @@ from $\TransmitPlaintext{}$ \item $\DiversifiedTransmitPublicRepr$ can also be non-canonical. The decoded point $\DiversifiedTransmitPublic$ is \emph{not} checked to be in the subgroup $\SubgroupJ$. \item The comments in \crossref{saplingdecryptivk} concerning calculation of $\NoteAddressRand$, detection - of spent \notes, and decryption of \noteCiphertexts for \transactions in the \mempool also apply to + of spent \notes, and decryption of \noteCiphertextsSapling for \transactions in the \mempool also apply to \notes decrypted by this procedure. \end{pnotes} @@ -5978,10 +6445,10 @@ be the \incomingViewingKey corresponding to $\AuthPrivate$, and let $\TransmitPu \vspace{1ex} \item for each \transaction $\tx$: \item \tab for each \joinSplitDescription in $\tx$: - \item \tab \tab let $(\EphemeralPublic, \TransmitCiphertext{\allNew})$ be the \notesCiphertext + \item \tab \tab let $(\EphemeralPublic, \TransmitCiphertext{\allNew})$ be the \notesCiphertextSprout of the \joinSplitDescription \item \tab \tab for $i$ in $\allNew$: - \item \tab \tab \tab Attempt to decrypt the \notesCiphertext component + \item \tab \tab \tab Attempt to decrypt the \notesCiphertextSprout component $(\EphemeralPublic, \TransmitCiphertext{i})$ using $\InViewingKey$ with the \vspace{-1.2ex} \item \tab \tab \tab algorithm in \crossref{sproutdecrypt}. If this succeeds giving $\NotePlaintext{}$: @@ -6003,9 +6470,9 @@ be the \incomingViewingKey corresponding to $\AuthPrivate$, and let $\TransmitPu \sapling{ -\lsubsection{Block Chain Scanning (\SaplingText)}{saplingscan} +\lsubsection{Block Chain Scanning (\SaplingAndOrchardText)}{saplingscan} -In \Sapling, \blockChain scanning requires only the $\AuthProvePublic$ and $\InViewingKey$ +In \Sapling, \blockChain scanning requires only the $\NullifierKey$ and $\InViewingKey$ key components, rather than a \spendingKey as in \Sprout. Typically, these components are derived from a \fullViewingKey as described in 
@@ -6021,7 +6488,7 @@ Let $\KASapling$ be as defined in \crossref{concretesaplingkeyagreement}. \introsection \vspace{1ex} The following algorithm can be used, given the \blockChain and -$(\AuthProvePublic \typecolon \SubgroupJ, \InViewingKey \typecolon \InViewingKeyTypeSapling)$, +$(\NullifierKey \typecolon \SubgroupJ, \InViewingKey \typecolon \InViewingKeyTypeSapling)$, to obtain each \note sent to the corresponding \paymentAddress, its \memo field, and its final status (spent or unspent). @@ -6033,12 +6500,12 @@ and its final status (spent or unspent). \vspace{1ex} \item for each \transaction $\tx$: \item \tab for each \outputDescription in $\tx$ with \notePosition $\NotePosition$: - \item \tab \tab Attempt to decrypt the \noteCiphertext components + \item \tab \tab Attempt to decrypt the \noteCiphertextSapling components $\EphemeralPublic$ and $\TransmitCiphertext{}$ using $\InViewingKey$ with the algorithm\vspace{-1.2ex}% \item \tab \tab in \crossref{saplingdecryptivk}. If this succeeds giving $\NotePlaintext{}$: \item \tab \tab \tab Extract $\NoteTuple{}$ and $\Memo \typecolon \MemoType$ from $\NotePlaintext{}$ \item \tab \tab \tab Add $(\NoteTuple{}, \Memo)$ to $\ReceivedSet$ - \item \tab \tab \tab Calculate the nullifier $\nf$ of $\NoteTuple{}$ using $\AuthProvePublic$ + \item \tab \tab \tab Calculate the nullifier $\nf$ of $\NoteTuple{}$ using $\NullifierKey$ and $\NotePosition$ as described in \crossref{notes}. \item \tab \tab \tab Add the mapping $\nf \rightarrow \NoteTuple{}$ to $\NullifierMap$. \item \blank 
@@ -6051,7 +6518,7 @@ and its final status (spent or unspent). \begin{nnotes} \item The above algorithm does not use the $\OutViewingKey$ key component, or the $\OutCiphertext$ - \noteCiphertext component. When scanning the whole \blockChain, these are indeed not necessary. + \noteCiphertextSapling component. When scanning the whole \blockChain, these are indeed not necessary. The advantage of supporting decryption using $\OutViewingKey$ as described in \crossref{saplingdecryptovk}, is that it allows recovering information about the \notePlaintexts sent in a \transaction from that \transaction alone. @@ -6059,7 +6526,7 @@ and its final status (spent or unspent). decryption of $\OutCiphertext$ components for each \transaction, in order to obtain information about \notes that were spent in the scanned period but received outside it. \item The above algorithm does not detect \notes that were sent ``out-of-band'' or with incorrect - \noteCiphertexts. It is possible to detect whether such \notes were spent only if their \nullifiers + \noteCiphertextsSapling. It is possible to detect whether such \notes were spent only if their \nullifiers are known. \end{nnotes} } %sapling @@ -6146,6 +6613,9 @@ Define: \sapling{ \item $\MerkleHashLengthSapling \typecolon \Nat := 255$ } %sapling +\orchard{ + \item $\MerkleHashLengthOrchard \typecolon \Nat := 255$ +} %orchard \item $\hSigLength \typecolon \Nat := 256$ \item $\PRFOutputLengthSprout \typecolon \Nat := 256$ \sapling{ 
@@ -6159,14 +6629,20 @@ Define: \sapling{ \item $\SpendingKeyLength \typecolon \Nat := 256$ \item $\DiversifierLength \typecolon \Nat := 88$ - \item $\InViewingKeyLength \typecolon \Nat := 251$ + \item $\InViewingKeyLengthSapling \typecolon \Nat := 251$ \item $\OutViewingKeyLength \typecolon \Nat := 256$ - \item $\ScalarLength \typecolon \Nat := 252$ + \item $\ScalarLengthSapling \typecolon \Nat := 252$ } %sapling +\orchard{ + \item $\ScalarLengthOrchard \typecolon \Nat := 254$ +} %orchard \item $\UncommittedSprout \typecolon \bitseq{\MerkleHashLengthSprout} := \zeros{\MerkleHashLengthSprout}$ \sapling{ \item $\UncommittedSapling \typecolon \bitseq{\MerkleHashLengthSapling} := \ItoLEBSPOf{\MerkleHashLengthSapling}{1}$ } %sapling +\orchard{ + \item $\UncommittedOrchard \typecolon \bitseq{\MerkleHashLengthOrchard} := \ItoLEBSPOf{\MerkleHashLengthOrchard}{2}$ +} %orchard \item $\MAXMONEY \typecolon \Nat := \changed{2.1 \smult 10^{15}}$ (\zatoshi) \blossom{ \item $\BlossomActivationHeight \typecolon \Nat := \begin{cases} @@ -6440,7 +6916,7 @@ $\BlakeTwobOf{256}{\ascii{ZcashComputehSig}, x}$ must be \collisionResistant on \setsapling \begin{bytefield}[bitwidth=0.05em]{512} \sbitbox{256}{$\LEBStoOSPOf{256}{\AuthSignPublicRepr}$} & - \sbitbox{256}{$\LEBStoOSPOf{256}{\AuthProvePublicRepr}$} + \sbitbox{256}{$\LEBStoOSPOf{256}{\NullifierKeyRepr}$} \end{bytefield} \end{lrbox} @@ -6458,8 +6934,8 @@ and for its use in the \spendStatement see \crossref{spendstatement}. It is defined as follows: \begin{formulae} - \item $\CRHivk(\AuthSignPublicRepr, \AuthProvePublicRepr) := - \LEOStoIPOf{256}{\BlakeTwosOf{256}{\ascii{Zcashivk},\; \crhInput}} \bmod 2^{\InViewingKeyLength}$ + \item $\CRHivk(\AuthSignPublicRepr, \NullifierKeyRepr) := + \LEOStoIPOf{256}{\BlakeTwosOf{256}{\ascii{Zcashivk},\; \crhInput}} \bmod 2^{\InViewingKeyLengthSapling}$ \end{formulae} \vspace{-2ex} 
@@ -6473,7 +6949,7 @@ $\BlakeTwobOf{256}{p, x}$ is defined in \crossref{concreteblake2}. \vspace{-1ex} \securityrequirement{ -$\LEOStoIPOf{256}{\BlakeTwosOf{256}{\ascii{Zcashivk}, x}} \bmod 2^{\InViewingKeyLength}$ +$\LEOStoIPOf{256}{\BlakeTwosOf{256}{\ascii{Zcashivk}, x}} \bmod 2^{\InViewingKeyLengthSapling}$ must be \collisionResistant on a $64$-byte input $x$. Note that this does not follow from \collisionResistance of $\BlakeTwos{256}$ (and the best possible concrete security is that of a $251$-bit hash @@ -6492,11 +6968,11 @@ the same effect as using that feature. } %sapling -\sapling{ +%\sapling{ \introlist -\lsubsubsubsection{\DiversifyHashText{} Hash Function}{concretediversifyhash} +\lsubsubsubsection{\DiversifyHashSaplingText\orchard{ and \DiversifyHashOrchardText} Hash Function\notbeforeorchard{s}}{concretediversifyhash} -$\DiversifyHash$ is used to derive a \diversifiedBase from a \diversifier in +$\DiversifyHashSapling$ is used to derive a \diversifiedBase from a \diversifier in \crossref{saplingkeycomponents}. Let $\GroupJHash{}$ and $U$ be as defined in \crossref{concretegrouphashjubjub}. 
@@ -6505,10 +6981,27 @@ Define \vspace{-1ex} \begin{formulae} - \item $\DiversifyHash(\Diversifier) := + \item $\DiversifyHashSapling(\Diversifier) := \GroupJHash{\NotUpMySleeve}\Of{\ascii{Zcash\_gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier}\kern-0.1em}$ \end{formulae} +%\orchard{ +$\DiversifyHashOrchard$ is used to derive a \diversifiedBase from a \diversifier in +\crossref{orchardkeycomponents}. + +Let $\GroupPHash{}$ be as defined in \crossref{concretegrouphashpallasandvesta}. + +Define + +\vspace{-1ex} +\begin{formulae} + \item $\DiversifyHashOrchard(\Diversifier) :=$ +% \GroupPHash\Of{\ascii{z.cash:Orchard-gd}, \LEBStoOSPOf{\DiversifierLength}{\Diversifier}\kern-0.1em}$ +\end{formulae} + +The following security property and notes apply to both \Sapling and \Orchard. +%} %orchard + \vspace{-2ex} \securityrequirement{ \textbf{Unlinkability:} Given two randomly selected @@ -6525,8 +7018,8 @@ the third address was derived from. % \item An adversary chooses two (not necessarily distinct) \diversifiers % $\Diversifier_{1,2} \typecolon \DiversifierType$. % \item Define $\OracleNewAddress_i(\Diversifier' \typecolon \DiversifierType) := \begin{cases} -% \bot, &\caseif \DiversifyHash(\Diversifier') = \bot \\ -% (\Diversifier', \scalarmult{\InViewingKey_i}{\DiversifyHash(\Diversifier')}), &\caseotherwise +% \bot, &\caseif \DiversifyHashSapling(\Diversifier') = \bot \\ +% (\Diversifier', \scalarmult{\InViewingKey_i}{\DiversifyHashSapling(\Diversifier')}), &\caseotherwise % \end{cases}$. % \item Define $\OracleDH_i(\EphemeralPrivate \typecolon \GF{\ParamJ{r}}, % \DiversifiedTransmitBase \typecolon \GroupJ) := \begin{cases} 
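Review bot: The new `\DiversifyHashOrchard` definition is left empty: the `formulae` item ends at `:=$` and its right-hand side is a commented-out `% \GroupPHash\Of{...}` line, so the rendered text shows a definition with no body. With the `%\orchard{` / `%} %orchard` wrapper here and the `%\sapling{` / `%} %sapling` wrapper in the preceding and following hunks both commented out, this paragraph and the whole section are now emitted in every build variant, including ones where `\crossref{orchardkeycomponents}` and `\GroupPHash` may not be defined; if nesting `\orchard{}` inside `\sapling{}` is what forced this, a `\todo{restore \sapling/\orchard wrappers and \GroupPHash definition}` would record it better than silent comment markers. The sentence `The following security property and notes apply to both \Sapling and \Orchard.` is also ahead of the text below it, which still argues Unlinkability in terms of $\GroupJHash{}$, the \jubjubCurve and $\DiversifyHashSapling$ only. Separately, `\crossref{concretegrouphashpallasandvesta}` is a third label form next to the `\crossref{pallas}` and `\crossref{pallasandvesta}` used earlier in this diff, which is worth confirming against the labels actually defined.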
@@ -6548,7 +7041,7 @@ the third address was derived from. \item Suppose that $\GroupJHash{}$ (restricted to inputs for which it does not return $\bot$) is modelled as a random oracle from \diversifiers to points of order $\ParamJ{r}$ on the \jubjubCurve. In this model, Unlinkability - of $\DiversifyHash$ holds under the Decisional Diffie-Hellman assumption on the + of $\DiversifyHashSapling$ holds under the Decisional Diffie-Hellman assumption on the prime-order subgroup of the \jubjubCurve. To prove this, consider the ElGamal encryption scheme \cite{ElGamal1985} @@ -6562,11 +7055,11 @@ the third address was derived from. distribution of ElGamal ciphertexts obtained by encrypting $\ZeroJ$ under $\pk$. \todo{check whether this is justified.} Then, the definition of \keyPrivacy (IK-CPA as defined in \cite[Definition 1]{BBDP2001}) - for ElGamal corresponds to the definition of Unlinkability for $\DiversifyHash$. - (IK-CCA corresponds to the potentially stronger requirement that $\DiversifyHash$ + for ElGamal corresponds to the definition of Unlinkability for $\DiversifyHashSapling$. + (IK-CCA corresponds to the potentially stronger requirement that $\DiversifyHashSapling$ remains Unlinkable when given Diffie-Hellman key agreement oracles for each of the candidate \diversifiedPaymentAddresses.) - So if ElGamal is \keyPrivate, then $\DiversifyHash$ is Unlinkable under the + So if ElGamal is \keyPrivate, then $\DiversifyHashSapling$ is Unlinkable under the same conditions. \cite[Appendix A]{BBDP2001} gives a security proof for \keyPrivacy (both IK-CPA and IK-CCA) of ElGamal under the Decisional Diffie-Hellman @@ -6624,7 +7117,7 @@ the third address was derived from. privacy properties). Implementations \SHOULD avoid providing such a ``chosen \diversifier'' oracle. \end{nnotes} -} %sapling +%} %sapling \sapling{ 
@@ -6680,7 +7173,7 @@ Define $\PedersenHashToPoint(D \typecolon \byteseq{8}, M \typecolon \bitseq{\Pos \begin{algorithm} \item Pad $M$ to a multiple of $3$ bits by appending zero bits, giving $M'$. \item Let $n = \ceiling{\hfrac{\length(M')}{3 \mult c}}$. - \item Split $M'$ into $n$ \defining{\quotedtermandindex{segments}{segments (of a Pedersen hash input)}} $M_\barerange{1}{n}$ + \item Split $M'$ into $n$ \defining{\segments} $M_\barerange{1}{n}$ so that $M' = \concatbits(M_\barerange{1}{n})$, and each of $M_\barerange{1}{n-1}$ is of length $3 \smult c$ bits. ($M_n$ may be shorter.) @@ -6694,7 +7187,7 @@ $\PedersenEncode{\paramdot} \typecolon \bitseq{3 \mult \range{1}{c}} \rightarrow \begin{algorithm} \item Let $k_i = \length(M_i)/3$. - \item Split $M_i$ into $3$-bit \defining{\quotedtermandindex{chunks}{chunks (of a Pedersen hash input)}} $m_\barerange{1}{k_i}$ + \item Split $M_i$ into $3$-bit \defining{\chunks} $m_\barerange{1}{k_i}$ so that $M_i = \concatbits(m_\barerange{1}{k_i})$. \item Write each $m_j$ as $[\sj{0}, \sj{1}, \sj{2}]$, and let $\enc(m_j) = (1 - 2 \smult \sj{2}) \mult (1 + \sj{0} + 2 \smult \sj{1}) \typecolon \Int$. 
@@ -6823,6 +7316,112 @@ See \crossref{cctmixinghash} for efficient circuit implementation of this functi } %sapling +\orchard{ +\introlist +\lsubsubsubsection{Sinsemilla Hash Function}{concretesinsemillahash} + +\defining{$\SinsemillaHash$} is an algebraic \hashFunction with +\collisionResistance (for fixed input length) derived from assumed hardness +of the Discrete Logarithm Problem. It is designed by Sean Bowe and Daira Hopwood. +The motivation for introducing a new discrete-log-based hash function (rather than +using $\PedersenHash$) is to make efficient use of the lookups available in recent +proof systems including \HaloTwo. + +$\SinsemillaHash$ is used in the definition of $\SinsemillaCommit{}$ +(\crossref{concretesinsemillacommit}), and for the \Orchard{} \incrementalMerkleTree +(\crossref{orchardmerklecrh}). + +Let $\GroupP$, $\ZeroP$, $\ParamP{q}$, $\ParamP{r}$, and $\ParamP{b}$ be as defined in +\crossref{pallasandvesta}. + +Let $\ExtractP \typecolon \GroupP \rightarrow \MerkleHashOrchard$ be as +defined in \crossref{concreteextractorpallas}. + +Let $\GroupPHash$ be as defined in \crossref{concretegrouphashpallasandvesta}. + +Let $\UncommittedOrchard$ be as defined in \crossref{constants}. + +Let $\LEBStoOSP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$ +and $\LEOStoIP{} \typecolon (\ell \typecolon \Nat \suchthat \ell \bmod 8 = 0) \times \byteseq{\ell/8} \rightarrow \binaryrange{\ell}$ +be as defined in \crossref{endian}. + +\vspace{1ex} +Let $k = 11$. + +Let $c$ be the largest integer such that $2^n \leq \hfrac{\ParamP{r}-1}{2}$, +i.e.\ $c := 253$. 
+ +Define $\SinsemillaGenInit \typecolon \byteseqs \rightarrow \GroupPstar$ and +$\SinsemillaGenBase \typecolon \binaryrange{k} \rightarrow \GroupPstar$ by: + +\begin{tabular}{@{\hskip 1.5em}r@{\;}l} + $\SinsemillaGenInit(D)$ &$:= \GroupPHash\!\big(\ascii{z.cash:SinsemillaQ}, D\big)$ \\ + $\SinsemillaGenBase(j)$ &$:= \GroupPHash\!\big(\ascii{z.cash:SinsemillaS}, \LEBStoOSPOf{32}{\ItoLEBSPOf{32}{j}}\kern-0.25em\big)$. +\end{tabular} + +Define $\SinsemillaHashToPoint(D \typecolon \byteseqs, M \typecolon \bitseq{\range{0}{k \mult c}}) \rightarrow \GroupP$ as follows: + +\begin{algorithm} + \item pad $M$ to a multiple of $k$ bits by appending zero bits, giving $M'$. + \item let $n \typecolon \range{0}{c} := \ceiling{\hfrac{\length(M')}{k}\kern-0.1em}$ + \item split $M'$ into $n$ \defining{\pieces} $M_\barerange{1}{n}$, + each of length $k$ bits, so that $M' = \concatbits(M_\barerange{1}{n})$. + \item let mutable $\Acc := \SinsemillaGenInit(D)$ + \item for $i$ from $1$ up to $n$: + \item \tab set $\Acc := \scalarmult{2}{\Acc} + \SinsemillaGenBase(M_i)$ + \item \blank + \item return $\Acc$. +\end{algorithm} + +\introlist +\vspace{-1ex} +Finally, define $\SinsemillaHash \typecolon \byteseqs \times \bitseq{\range{0}{k \mult c}} \rightarrow \MerkleHashOrchard$ by: + +\begin{formulae} + \item $\SinsemillaHash(D, M) := \ExtractP\big(\SinsemillaHashToPoint\Of{D, M}\kern-0.1em\big)$. +\end{formulae} + +See \todo{...} for rationale and efficient circuit implementation of these functions. + +\securityrequirement{ +$\SinsemillaHash$ and $\SinsemillaHashToPoint$ are required to be \collisionResistant +between inputs of fixed length, for a given personalization input $D$. +No other security properties commonly associated with \hashFunctions are needed. +} + +\begin{nnotes} + \item These \hashFunctions are \emph{not} \collisionResistant across variable-length inputs for the + same $D$ (that is, it is assumed that a single input length will be used for any given $D$). 
+ \item The intermediate value $\scalarmult{2}{\GroupPHash\!\big(\ascii{z.cash:SinsemillaQ}, D\big)}$ for the first + iteration of the loop can be precomputed, if $D$ is known in advance. +\end{nnotes} + +\todo{Security proof} + +\introlist +\theoremlabel{thmnohashtouncommittedorchard} +\begin{theorem}[$\UncommittedOrchard$ is not in the range of $\SinsemillaHash$]\end{theorem} + +\begin{proof} +$\UncommittedOrchard$ is defined as $\ItoLEBSPOf{\MerkleHashLengthOrchard}{2}$. +By injectivity of $\ItoLEBSP{\MerkleHashLengthOrchard}$ and definitions of +$\SinsemillaHash$ and $\ExtractP$, $\ItoLEBSPOf{\MerkleHashLengthOrchard}{2}$ +can be in the range of $\SinsemillaHash$ only if there exist +$D \typecolon \byteseqs$ and $M \typecolon \bitseq{\smash{\PosInt}}$ such that +$\Selectx\Of{\SinsemillaHashToPoint(D, M)} = 2$. $\Selectx\Of{\SinsemillaHashToPoint(D, M)}$ +can only be $0$ or the \affineSW $x$-coordinate of a point in $\GroupP$. +But $0 \neq 2 \pmod{\ParamP{q}}$, and there are no points in $\GroupP$ with +\affineSW $x$-coordinate $2 \pmod{\ParamP{q}}$, since $2^3 + \ParamP{b} = 13$ +is not square in $\GF{\ParamP{q}}$. +\end{proof} + +\nnote{There are also no points in $\GroupP$ with \affineSW $x$-coordinate $0 \pmod{\ParamP{q}}$. +We do not choose $\UncommittedOrchard = 0$ because we define $\Selectx\Of{\ZeroP} = 0$, +and it is technically possible (with negligible probability) that +$\SinsemillaHashToPoint$ could return $\ZeroP$.} +} %orchard + + \introlist \lsubsubsubsection{Equihash Generator}{equihashgen} @@ -6992,7 +7591,7 @@ be necessary.}) \begin{lrbox}{\nfsaplingbox} \setsapling \begin{bytefield}[bitwidth=0.038em]{512} - \sbitbox{256}{$\LEBStoOSPOf{256}{\AuthProvePublicRepr}$} & + \sbitbox{256}{$\LEBStoOSPOf{256}{\NullifierKeyRepr}$} & \sbitbox{256}{$\LEBStoOSPOf{256}{\NoteAddressRandRepr}$} \end{bytefield} \end{lrbox} 
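Review bot: The bound that fixes `c` uses `n` before it is introduced: `Let $c$ be the largest integer such that $2^n \leq \hfrac{\ParamP{r}-1}{2}$,` should read `Let $c$ be the largest integer such that $2^c \leq \hfrac{\ParamP{r}-1}{2}$,`, since `n` is only defined later inside `\SinsemillaHashToPoint` as the piece count in `\range{0}{c}`. The proof of `thmnohashtouncommittedorchard` quantifies over `$M \typecolon \bitseq{\smash{\PosInt}}$`, whereas `\SinsemillaHash` is declared on `\bitseq{\range{0}{k \mult c}}`; using the declared domain keeps the theorem about the function actually defined. The Merkle-tree cross-reference is `\crossref{orchardmerklecrh}` here but `\crossref{merklecrh}` in the Sinsemilla commitments hunk (@@ -7732), so one of the two labels is presumably wrong. The claim that `$2^3 + \ParamP{b} = 13$` is a non-residue in `\GF{\ParamP{q}}` carries the whole theorem and, with `\todo{Security proof}` still open, deserves a one-line justification (a Legendre-symbol computation) or a reference to where it is checked.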
@@ -7044,16 +7643,16 @@ $\PRFnfSapling{}$ is used to derive the \nullifier for a \Sapling{} \note. It is instantiated using the $\BlakeTwosGeneric$ \hashFunction defined in \crossref{concreteblake2}: \begin{formulae} - \item $\PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRandRepr) := \BlakeTwosOf{256}{\ascii{Zcash\_nf}, \Justthebox{\nfsaplingbox}}$. + \item $\PRFnfSapling{\NullifierKeyRepr}(\NoteAddressRandRepr) := \BlakeTwosOf{256}{\ascii{Zcash\_nf}, \Justthebox{\nfsaplingbox}}$. \end{formulae} \vspace{-2ex} \securityrequirement{ $\BlakeTwosOf{256}{\ascii{Zcash\_nf}, \Justthebox{\nfsaplingbox}}$ must be a \collisionResistant \xPRF for output range $\byteseq{32}$ when keyed by the bits -corresponding to $\AuthProvePublicRepr$, with input in the bits corresponding to +corresponding to $\NullifierKeyRepr$, with input in the bits corresponding to $\NoteAddressRandRepr$. Note that -{$\AuthProvePublicRepr$}{$\typecolon$}{$\SubgroupReprJ$} % {$...$} hack needed for reasonable spacing +{$\NullifierKeyRepr$}{$\typecolon$}{$\SubgroupReprJ$} % {$...$} hack needed for reasonable spacing is a representation of a point in the $\ParamJ{r}$-order subgroup of the \jubjubCurve, and therefore is not uniformly distributed on $\ReprJ$. $\SubgroupReprJ$ is defined in \crossref{jubjub}. @@ -7539,10 +8138,10 @@ $\BindingSig$ and $\SpendAuthSig$. \vspace{-1ex} Let $\RedJubjub$ be as defined in \crossref{concreteredjubjub}. -Define $\AuthSignBase := \FindGroupJHash\Of{\ascii{Zcash\_G\_}, \ascii{}}$. +Define $\AuthSignBaseSapling := \FindGroupJHash\Of{\ascii{Zcash\_G\_}, \ascii{}}$. The \defining{\spendAuthSignatureScheme}, $\SpendAuthSig$, is instantiated as $\RedJubjub$ -with key re-randomization, and with generator $\GenG{} = \AuthSignBase$. +with key re-randomization, and with generator $\GenG{} = \AuthSignBaseSapling$. \vspace{0.5ex} See \crossref{spendauthsig} for details on the use of this \signatureScheme. 
@@ -7732,6 +8331,49 @@ which is equivalent to: } +\orchard{ +\introsection +\lsubsubsubsection{Sinsemilla commitments}{concretesinsemillacommit} + +\crossref{concretesinsemillahash} defines a \xSinsemillaHash construction. +We construct \defining{\xSinsemillaCommitments} by reusing that construction, +and adding a randomized point on the \pallasCurve (see \crossref{pallasandvesta}): + +\begin{formulae} + \item $\SinsemillaCommit{r}(D, M) := + \SinsemillaHashToPoint(D \bconcat \ascii{-M}, M) + \scalarmult{r}{\GroupPHash\Of{D \bconcat \ascii{-r}, \ascii{}}}$ +\end{formulae} + +See \todo{...} for rationale and efficient circuit implementation of this function. + +The commitment scheme $\NoteCommitOrchard{}$ specified in \crossref{abstractcommit} is +instantiated as follows using $\SinsemillaCommitAlg$: + +\begin{formulae} + \item $\NoteCommitOrchard{\NoteCommitRand}(\DiversifiedTransmitBaseRepr, \DiversifiedTransmitPublicRepr, \Value) := + \SinsemillaCommit{\NoteCommitRand}\left(\ascii{z.cash:NoteCommitOrchard}, + \DiversifiedTransmitBaseRepr \bconcat \DiversifiedTransmitPublicRepr \bconcat \ItoLEBSPOf{64}{\Value}\right)$ + \item $\NoteCommitOrchardGenTrapdoor()$ generates the uniform distribution on $\GF{\ParamP{r}}$. +\end{formulae} + +\vspace{-1ex} +\begin{securityrequirements} + \item $\SinsemillaCommitAlg$, and hence $\NoteCommitOrchardAlg$, must be + computationally binding and at least computationally hiding \commitmentSchemes. +\end{securityrequirements} + +\vspace{-1ex} +(They are in fact unconditionally hiding \commitmentSchemes.) + +\begin{pnotes} + \item $\MerkleCRHOrchard$ is also defined in terms of $\SinsemillaHashToPoint$ + (see \crossref{merklecrh}). \todo{discuss layer prefix, if needed} + \item The arguments to $\NoteCommitOrchard{}$ are the same order as their encodings in + the input to $\SinsemillaCommit{}$; this is different to $\NoteCommitSapling{}$. 
+\end{pnotes} +} %orchard + + \introsection \lsubsubsection{Represented Groups and Pairings}{concretepairing} @@ -8119,15 +8761,14 @@ Define $\SubgroupReprJ := \bigsetof{\reprJ(P) \typecolon \ReprJ \suchthat P \in the $\EdDSASigR{}$ element of a signature. \item \cite[``Encoding and parsing curve points'']{BJLSY2015} gives algorithms for decompressing points from the encoding of $\GroupJ$. + \item The specification of $\abstJ$ above requires ``strict'' parsing of integers as + defined in \cite[``Encoding and parsing integers'']{BJLSY2015}. \end{nnotes} When computing square roots in $\GF{\ParamJ{q}}$ in order to decompress a point encoding, the implementation \MUSTNOT assume that the square root exists, or that the encoding represents a point on the curve. -This specification requires ``strict'' parsing as defined in -\cite[``Encoding and parsing integers'']{BJLSY2015}. - Note that algorithms elsewhere in this specification that use \Jubjub may impose other conditions on points, for example that they have order at least $\ParamJ{r}$. } @@ -8229,7 +8870,7 @@ The hash $\GroupJHash{\URS}(D, M) \typecolon \SubgroupJstar$ is calculated as fo \vspace{-1ex} \begin{pnotes} \vspace{-0.5ex} - \item The use of $\GroupJHash{\URS}$ for $\DiversifyHash$ and to generate independent bases + \item The use of $\GroupJHash{\URS}$ for $\DiversifyHashSapling$ and to generate independent bases needs a random oracle (for inputs on which $\GroupJHash{\URS}$ does not return $\bot$); here we show that it is sufficient to employ a simpler random oracle instantiated by $\vphantom{a^b}\BlakeTwos{256}$ in the security analysis. 
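Review bot: The hiding and binding claims for `\SinsemillaCommit{r}` depend on the blinding base `$\GroupPHash\Of{D \bconcat \ascii{-r}, \ascii{}}$` and the Sinsemilla generators having no known discrete-logarithm relations, but the `securityrequirements` block states only the resulting properties; an explicit item such as `\item The generators $\SinsemillaGenInit(D \bconcat \ascii{-M})$, $\SinsemillaGenBase(\paramdot)$, and $\GroupPHash\Of{D \bconcat \ascii{-r}, \ascii{}}$ must have no known discrete-logarithm relations (this follows from modelling $\GroupPHash$ as a random oracle).` would record the assumption the proof will need. The subscript `r` in `\SinsemillaCommit{r}(D, M)` is never typed even though `\NoteCommitOrchardGenTrapdoor()` draws from `\GF{\ParamP{r}}`; adding `$r \typecolon \GF{\ParamP{r}}$` to the definition line pins it. The pnote cross-references `\crossref{merklecrh}` while the Sinsemilla hash hunk (@@ -6823) uses `\crossref{orchardmerklecrh}` for the same section, and that hunk says the tree uses `\SinsemillaHash` whereas the pnote says `\SinsemillaHashToPoint`; the two descriptions should agree.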
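Review bot: Moving the strict-parsing sentence into the `nnotes` list changes its status: if `nnotes` renders as non-normative notes, as the name suggests, the requirement that encodings with $x \geq \ParamJ{q}$ be rejected now rests solely on the corresponding step inside the definition of `$\abstJ$`, which lies outside this hunk. That is fine only if that step is itself normative; otherwise keep a normative sentence alongside the note, e.g. `Implementations \MUST reject non-canonical encodings, i.e.\ use ``strict'' parsing as defined in \cite[``Encoding and parsing integers'']{BJLSY2015}.` Non-canonical point encodings are a classic source of consensus divergence, so the distinction between a note and a rule matters here.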
@@ -8265,6 +8906,210 @@ computation of a \defaultDiversifiedPaymentAddress in \crossref{saplingkeycompon } %sapling +\orchard{ +\lsubsubsubsection{\PallasAndVestaText}{pallasandvesta} + +\Orchard uses two elliptic curves, \defining{\Pallas} and \defining{\Vesta}, that form a cycle: +the base field of each is the scalar field of the other. In \Orchard, we use \Vesta for the proof +system (playing a similar rôle to \BLSPairing in \Sapling), and \Pallas for the application circuit +(similar to \jubjubCurve in \Sapling). Both curves are designed to be efficiently implementable in +\zkSNARKCircuits, although we only use \Pallas in that way for \Orchard. + +The \representedGroups $\GroupP$ and $\GroupV$ of points on \Pallas and \Vesta respectively +are defined in this section. + +A \defining{\swEllipticCurve}, as defined for example in \cite[Definition 2.3.1]{Hisil2010}, is an +elliptic curve $E$ over a field $\GF{q}$, parameterized by $a, b \typecolon \GF{q}$ such that +$4 \mult a^3 + 27 \mult b^2 \neq 0$, with equation $E : y^2 = x^3 + a \mult x + b$. The curve has +a distinguished zero point $\Zero$, also called the \definingquotedterm{point at infinity}. +For \Pallas and \Vesta we have $a = 0$ and so we will omit that term below. + +\begin{tabular}{@{}l@{\;}r@{\;}l} +Let &$\ParamP{q}$ &$:= \hexint{40000000000000000000000000000000224698fc094cf91b992d30ed00000001}$. \\[1ex] +Let &$\ParamV{q}$ &$:= \hexint{40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001}$. +\end{tabular} + +(\hairspace $\ParamP{q}$ and $\ParamV{q}$ are prime.) + +Let $\ParamP{r} := \ParamV{q}$ and $\ParamV{r} := \ParamP{q}$. + +Let $\ParamP{b} = \ParamV{b} := 5$. + +Let $\GroupP$ be the group of points $(x, y)$ with zero point $\ZeroP$, on a \swCurve $\CurveP$ over +$\GF{\ParamP{q}}$ with equation $y^2 = x^3 + \ParamP{b}$. $\GroupP$ has order $\ParamP{r}$. 
+ +Let $\GroupV$ be the group of points $(x, y)$ with zero point $\ZeroV$, on a \swCurve $\CurveV$ over +$\GF{\ParamV{q}}$ with equation $y^2 = x^3 + \ParamV{b}$. $\GroupV$ has order $\ParamV{r}$. + +For the set of points on \Pallas of order $\ParamP{r}$ (which excludes $\ZeroP$), we write $\GroupPstar$. + +For the set of points on \Vesta of order $\ParamV{r}$ (which excludes $\ZeroV$), we write $\GroupVstar$. + +Let $\ellP = \ellV := 256$. + +\introlist +Define $\ItoLEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow \bitseq{\ell}$ +as in \crossref{endian}, and similarly for +$\LEBStoIP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \rightarrow \binaryrange{\ell}$. + +Define $\reprPstar \typecolon \GroupPstar \rightarrow \ReprPstar$ such +that $\reprPstar\Of{x, y} = \ItoLEBSP{256}\big(x + 2^{255} \smult \tilde{y}\big)$, where +$\tilde{y} = y \bmod 2$. + +\vspace{-1ex} +Define $\abstPstar \typecolon \ReprPstar \rightarrow \maybe{\GroupP}$ such that +$\abstJ\Of{P\Repr}$ is computed as follows: +\begin{formulae} + \item let ${x\Repr} \typecolon \bitseq{255}$ be the first $255$ bits of $P\Repr$ and + let $\tilde{y} \typecolon \bit$ be the last bit. + \item if $\LEBStoIPOf{255}{x\Repr} \geq \ParamP{q}$ then return $\bot$, otherwise + let $x \typecolon \GF{\ParamP{q}} = \LEBStoIPOf{255}{x\Repr} \pmod{\ParamP{q}}$. + \item let $y = \optsqrt{x^3 + \ParamP{b}}$. + \item if $y = \bot$, or if $y = 0$ and $\tilde{y} = 1$, return $\bot$. + \item if $y \bmod 2 = \tilde{y}$ then return $(x, y)$ else return $(x, \ParamP{q} - y)$. +\end{formulae} + +\pnote{$\abstPstar\Of{\ItoLEBSP{256}\big(2^{255}\big)} = \bot$, and so there is only one +valid representation of each point on the curve. 
This differs from the corresponding case +of $\abstJ$ for \Jubjub, for example.} + +Define $\reprVstar \typecolon \GroupVstar \rightarrow \ReprVstar$ and +$\abstVstar \typecolon \ReprVstar \rightarrow \maybe{\GroupVstar}$ as above with references to +$\GroupP$ replaced by $\GroupV$. + +\nnote{The \defining{\swCompressedEncoding} used here is consistent with that used in \todo{...}.} + +When computing square roots in $\GF{\ParamP{q}}$ or $\GF{\ParamV{q}}$ in order to decompress a +point encoding, the implementation \MUSTNOT assume that the square root exists, or that the encoding +represents a point on the curve. + + +\lsubsubsubsection{Hash Extractor for \PallasText}{concreteextractorpallas} + +\vspace{-2ex} +Let $\Selectx\Of{(x, y)} = x$ and let $\Selectx\Of{\ZeroP} = 0$. + +Define $\ExtractP \typecolon \GroupP \rightarrow \MerkleHashOrchard$ by +\begin{formulae} + \item $\ExtractP(P) := \ItoLEBSPOf{\MerkleHashLengthOrchard}{\Selectx\Of{P}}$. +\end{formulae} + + +\lsubsubsubsection{Group Hash into \PallasAndVestaText}{concretegrouphashpallasandvesta} + +\Orchard uses the ``simplified SWU'' algorithm for random-oracle hashing to elliptic curves +with $j$-invariant $0$, consistent with \cite[section 6.6.3]{ID-hashtocurve}, based on a +method by Riad Wahby and Dan Boneh \cite{WB2019}. +It is adapted from work of Eric Brier, Jean-Sébastien Coron, Thomas Icart, David Madore, +Hugues Randriam, and Mehdi Tibouchi in \cite{BCIMRT2010}; Andrew Shallue and Christiaan {van de Woestijne} +in \cite{SvdW2006}; and Maciej Ulas in \cite{Ulas2007}. + +Let $\GroupP{}$ be the represented group of points on the \pallasCurve, as defined in +\crossref{pallasandvesta}. The specification in this section may also be applied to Vesta, +substituting $\GroupV$ and $\GroupIsoV$ for all references to $\GroupP$ and $\GroupIsoP$ respectively. + +Define $\ZeroP{}$, $\GroupPstar{}$, and $\abstPstar{}$ as in \crossref{pallasandvesta}. + +Let $\GroupPHashInput := \byteseqs \times \byteseqs$. 
+ +(The first input element is intended to act as a ``personalization'' parameter to +distinguish uses of the \groupHash for different purposes.) + +$\GroupPHash$ does not have a URS, i.e.\ $\GroupPHashURSType := ()$. + +The algorithm makes use of a curve $\CurveIsoP$, called \IsoPallas, that is isogenous to $\CurveP$ +(or $\CurveIsoV$, called \IsoVesta, that is isogenous to $\CurveV$). + +Let $\ParamIsoP{a} := \hexint{18354a2eb0ea8c9c49be2d7258370742b74134581a27a59f92bb4b0b657a014b}$. + +Let $\ParamIsoV{a} := \hexint{267f9b2ee592271a81639c4d96f787739673928c7d01b212c515ad7242eaa6b1}$. + +Let $\ParamIsoP{b} = \ParamIsoV{b} := 1265$. + +Let $\GroupIsoP$ be the \swEllipticCurve with equation $y^2 = x^3 + \ParamIsoP{a} \mult x + \ParamIsoP{b}$. + +Let $\GroupIsoV$ be the \swEllipticCurve with equation $y^2 = x^3 + \ParamIsoV{a} \mult x + \ParamIsoV{b}$. + +Let $\IsoConstP{} \typecolon \typeexp{\GF{\ParamP{q}}}{13} := [$ +\vspace{-2ex} +\begin{lines} + \item[] $\hexint{0e38e38e38e38e38e38e38e38e38e38e4081775473d8375b775f6034aaaaaaab},$ + \item[] $\hexint{3509afd51872d88e267c7ffa51cf412a0f93b82ee4b994958cf863b02814fb76},$ + \item[] $\hexint{17329b9ec525375398c7d7ac3d98fd13380af066cfeb6d690eb64faef37ea4f7},$ + \item[] $\hexint{1c71c71c71c71c71c71c71c71c71c71c8102eea8e7b06eb6eebec06955555580},$ + \item[] $\hexint{1d572e7ddc099cff5a607fcce0494a799c434ac1c96b6980c47f2ab668bcd71f},$ + \item[] $\hexint{325669becaecd5d11d13bf2a7f22b105b4abf9fb9a1fc81c2aa3af1eae5b6604},$ + \item[] $\hexint{1a12f684bda12f684bda12f684bda12f7642b01ad461bad25ad985b5e38e38e4},$ + \item[] $\hexint{1a84d7ea8c396c47133e3ffd28e7a09507c9dc17725cca4ac67c31d8140a7dbb},$ + \item[] $\hexint{3fb98ff0d2ddcadd303216cce1db9ff11765e924f745937802e2be87d225b234},$ + \item[] $\hexint{025ed097b425ed097b425ed097b425ed0ac03e8e134eb3e493e53ab371c71c4f},$ + \item[] $\hexint{0c02c5bcca0e6b7f0790bfb3506defb65941a3a4a97aa1b35a28279b1d1b42ae},$ + \item[] 
$\hexint{17033d3c60c68173573b3d7f7d681310d976bbfabbc5661d4d90ab820b12320a},$ + \item[] $\hexint{40000000000000000000000000000000224698fc094cf91b992d30ecfffffde5}$ +\end{lines} +\vspace{-2.5ex} +$]$ + +Let $\IsoConstV{} \typecolon \typeexp{\GF{\ParamV{q}}}{13} := [$ +\vspace{-2ex} +\begin{lines} + \item[] $\hexint{38e38e38e38e38e38e38e38e38e38e390205dd51cfa0961a43cd42c800000001},$ + \item[] $\hexint{1d935247b4473d17acecf10f5f7c09a2216b8861ec72bd5d8b95c6aaf703bcc5},$ + \item[] $\hexint{18760c7f7a9ad20ded7ee4a9cdf78f8fd59d03d23b39cb11aeac67bbeb586a3d},$ + \item[] $\hexint{31c71c71c71c71c71c71c71c71c71c71e1c521a795ac8356fb539a6f0000002b},$ + \item[] $\hexint{0a2de485568125d51454798a5b5c56b2a3ad678129b604d3b7284f7eaf21a2e9},$ + \item[] $\hexint{14735171ee5427780c621de8b91c242a30cd6d53df49d235f169c187d2533465},$ + \item[] $\hexint{12f684bda12f684bda12f684bda12f685601f4709a8adcb36bef1642aaaaaaab},$ + \item[] $\hexint{2ec9a923da239e8bd6767887afbe04d121d910aefb03b31d8bee58e5fb81de63},$ + \item[] $\hexint{19b0d87e16e2578866d1466e9de10e6497a3ca5c24e9ea634986913ab4443034},$ + \item[] $\hexint{1ed097b425ed097b425ed097b425ed098bc32d36fb21a6a38f64842c55555533},$ + \item[] $\hexint{2f44d6c801c1b8bf9e7eb64f890a820c06a767bfc35b5bac58dfecce86b2745e},$ + \item[] $\hexint{3d59f455cafc7668252659ba2b546c7e926847fb9ddd76a1d43d449776f99d2f},$ + \item[] $\hexint{40000000000000000000000000000000224698fc0994a8dd8c46eb20fffffde5}$ +\end{lines} +\vspace{-2.5ex} +$]$ + +Let $\IsoMapP \typecolon \GroupIsoP \rightarrow \GroupP$ be the isogeny map given by: + +\begin{tabular}{@{\hskip 1.5em}r@{\;}l} + $\IsoMapP\big(\ZeroIsoP\big)$ &$= \ZeroP$ \\ + $\IsoMapP\big((x, y)\big)$ &$= \left(\hfrac{\IsoConstP{1} \mult x^3 + \IsoConstP{2} \mult x^2 + \IsoConstP{3} \mult x + \IsoConstP{4}} + {x^2 + \IsoConstP{5} \mult x + \IsoConstP{6}}, + \hfrac{\big(\IsoConstP{7} \mult x^3 + \IsoConstP{8} \mult x^2 + \IsoConstP{9} \mult x + \IsoConstP{10}\big) \mult y} + {x^3 + \IsoConstP{11} \mult x^2 + \IsoConstP{12} 
\mult x + \IsoConstP{13}}\right)$ +\end{tabular} + +and similarly for $\IsoMapV \typecolon \GroupIsoV \rightarrow \GroupV$. + +%Let $\BlakeTwos{256}$ be as defined in \crossref{concreteblake2}. + +%Let $\LEOStoIP{}$ be as defined in \crossref{endian}. + +\vspace{1ex} +Let $D \typecolon \byteseqs$ be a domain separator, and +let $M \typecolon \byteseqs$ be the hash input. + +\todo{define BLAKE2-based XOF} + +\introlist +The hash $\GroupPHash(D, M) \typecolon \GroupPstar$ is calculated as follows: + +\begin{algorithm} + \item \todo{consistent with \cite{ID-hashtocurve} \texttt{hash\_to\_curve}} +\end{algorithm} + +\pnote{ +The use of $\GroupPHash$ for $\DiversifyHashOrchard$ and to generate independent bases +needs a random oracle, which the \texttt{hash\_to\_curve} algorithm in \cite{ID-hashtocurve} +is designed to provide given that the BLAKE2-based XOF satisfies the requirements of +\cite[section 5.5.4]{ID-hashtocurve}. The security of the Brier et al.\ construction on +which this algorithm is based is analysed in \cite{FFSTV2013} and \cite{KT2015}, with a +verified proof in \cite{BGHOZ2013}. +} %pnote +} %orchard + + \lsubsubsection{Zero-Knowledge Proving Systems}{concretezk} \lsubsubsubsection{\BCTVText}{bctv} @@ -8778,11 +9623,11 @@ cause the first four characters of the Base58Check encoding to be fixed as Let $\KASapling$ be as defined in \crossref{concretesaplingkeyagreement}. -Let $\InViewingKeyLength$ be as defined in \crossref{constants}. +Let $\InViewingKeyLengthSapling$ be as defined in \crossref{constants}. A \Sapling{} \defining{\incomingViewingKey} consists of $\InViewingKey \typecolon \InViewingKeyTypeSapling$. -$\InViewingKey$ is a $\KASaplingPrivate$ key (restricted to $\InViewingKeyLength$ bits), +$\InViewingKey$ is a $\KASaplingPrivate$ key (restricted to $\InViewingKeyLengthSapling$ bits), derived as described in \crossref{saplingkeycomponents}. It is used with the encryption scheme defined in \crossref{saplinginband}. 
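Review bot: The definition of `\abstPstar` names the wrong function on its second line: `$\abstJ\Of{P\Repr}$ is computed as follows:` should be `$\abstPstar\Of{P\Repr}$ is computed as follows:`. Its declared codomain `\maybe{\GroupP}` also disagrees with the Vesta counterpart `\abstVstar \typecolon \ReprVstar \rightarrow \maybe{\GroupVstar}`; since the algorithm only ever returns an affine pair `(x, y)` and never `\ZeroP`, `\maybe{\GroupPstar}` is the accurate type for both. The sentence defining `\reprVstar` and `\abstVstar` says "with references to $\GroupP$ replaced by $\GroupV$", but `\ParamP{q}` and `\ParamP{b}` in the algorithm need replacing as well; "with $\GroupP$, $\ParamP{q}$, and $\ParamP{b}$ replaced by $\GroupV$, $\ParamV{q}$, and $\ParamV{b}$" closes that gap. The `\GroupPHash` algorithm and the BLAKE2-based XOF it relies on are still `\todo` items, so the random-oracle pnote at the end of the section cannot yet be checked against a concrete construction; presumably intended for a later commit, but worth stating in the change-history entry.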
@@ -8816,9 +9661,9 @@ For \incomingViewingKeys on \Testnet, the \humanReadablePart is \ascii{zivktests Let $\KASapling$ be as defined in \crossref{concretesaplingkeyagreement}. A \Sapling{} \defining{\fullViewingKey} consists of $\AuthSignPublic \typecolon \SubgroupJstar$, -$\AuthProvePublic \typecolon \SubgroupJ$, and $\OutViewingKey \typecolon \byteseq{\OutViewingKeyLength/8}$. +$\NullifierKey \typecolon \SubgroupJ$, and $\OutViewingKey \typecolon \byteseq{\OutViewingKeyLength/8}$. -$\AuthSignPublic$ and $\AuthProvePublic$ are points on the \jubjubCurve +$\AuthSignPublic$ and $\NullifierKey$ are points on the \jubjubCurve (see \crossref{jubjub}). They are derived as described in \crossref{saplingkeycomponents}. \introlist @@ -8827,7 +9672,7 @@ The \rawEncoding of a \Sapling{} \fullViewingKey consists of: \begin{equation*} \begin{bytefield}[bitwidth=0.05em]{512} \sbitbox{256}{$\LEBStoOSPOf{256}{\reprJ\Of{\AuthSignPublic}\kern 0.05em}$} - \sbitbox{256}{$\LEBStoOSPOf{256}{\reprJ\Of{\AuthProvePublic}\kern 0.05em}$} + \sbitbox{256}{$\LEBStoOSPOf{256}{\reprJ\Of{\NullifierKey}\kern 0.05em}$} \sbitbox{256}{$32$-byte $\OutViewingKey$} \end{bytefield} \end{equation*} 
@@ -8836,13 +9681,13 @@ The \rawEncoding of a \Sapling{} \fullViewingKey consists of: \begin{itemize} \item $32$ bytes specifying the \ctEdwardsCompressedEncoding of $\AuthSignPublic$ (see \crossref{jubjub}). - \item $32$ bytes specifying the \ctEdwardsCompressedEncoding of $\AuthProvePublic$. + \item $32$ bytes specifying the \ctEdwardsCompressedEncoding of $\NullifierKey$. \item $32$ bytes specifying the \outgoingViewingKey $\OutViewingKey$. \end{itemize} When decoding this representation, the key \MUST be considered invalid if $\abstJ$ returns $\bot$ -for either $\AuthSignPublic$ or $\AuthProvePublic$, or if $\AuthSignPublic \notin \SubgroupJstar$, -or if $\AuthProvePublic \notin \SubgroupJ$. +for either $\AuthSignPublic$ or $\NullifierKey$, or if $\AuthSignPublic \notin \SubgroupJstar$, +or if $\NullifierKey \notin \SubgroupJ$. For \incomingViewingKeys on \Mainnet, the \humanReadablePart is \ascii{zviews}. For \incomingViewingKeys on \Testnet, the \humanReadablePart is \ascii{zviewtestsapling}. @@ -9396,7 +10241,7 @@ $\dagger$ \BCTV proofs are used when the \transactionVersion is $2$ or $3$, i.e. \Sapling activation.} } -The $\ephemeralKey$ and $\encCiphertexts$ fields together form the \notesCiphertext, +The $\ephemeralKey$ and $\encCiphertexts$ fields together form the \notesCiphertextSprout, which is computed as described in \crossref{sproutinband}. Consensus rules applying to a \joinSplitDescription are given in \crossref{joinsplitdesc}. @@ -9491,7 +10336,7 @@ $\ProofOutput$ (see \crossref{groth}). \\ \hline \vspace{-2ex} The $\ephemeralKey$, $\encCiphertext$, and $\outCiphertext$ fields together form the -\noteCiphertext, which is computed as described in \crossref{saplinginband}. +\noteCiphertextSapling, which is computed as described in \crossref{saplinginband}. \vspace{-2ex} \consensusrule{$\LEOStoIPOf{256}{\cmuField}$ \MUST be less than $\ParamJ{q}$.} 
@@ -10494,7 +11339,7 @@ A variation on the attack attempts to cause the \nullifier of a sent \note to be repeated, without repeating $\NoteAddressRand$. However, since the \nullifier is computed as $\PRFnf{\AuthPrivate}(\NoteAddressRand)$\sapling{ (or -$\PRFnfSapling{\AuthProvePublic}(\NoteAddressRandRepr)$ for \Sapling)}, +$\PRFnfSapling{\NullifierKey}(\NoteAddressRandRepr)$ for \Sapling)}, this is only possible if the adversary finds a collision across both inputs on $\PRFnf{}$\sapling{ (or $\PRFnfSapling{}$)}, which is assumed to be infeasible --- see \crossref{abstractprfs}. @@ -10863,7 +11708,7 @@ Virza. The designers of the \Zcash protocol are the \Zerocash inventors and also Daira Hopwood, Sean Bowe, Jack Grigg, Simon Liu, Taylor Hornby, Nathan Wilcox, Zooko Wilcox, Jay Graber, Ariel Gabizon, George Tankersley, -Ying Tong Lai, Kris Nuttycombe, and Jack Gavigan. +Ying Tong Lai, Kris Nuttycombe, Jack Gavigan, and Steven Smith. The \Equihash proof-of-work algorithm was designed by Alex Biryukov and Dmitry Khovratovich. @@ -10876,7 +11721,7 @@ Filippo Valsorda, Zaki Manian, Tracy Hu, Brian Warner, Mary Maller, Michael Dixon, Andrew Poelstra, Eirik Ogilvie-Wigley, Benjamin Winston, Kobi Gurkan, Weikeng Chen, Henry de Valence, Deirdre Connolly, Chelsea Komlo, Zancas Wilcox, Jane Lusby, Teor, Izaak Meckler, Zac Williamson, Vitalik Buterin, -Jakub Zalewski. and no doubt others. +Jakub Zalewski, Oana Ciobotaru, and no doubt others. We would also like to thank the designers and developers of \Bitcoin. \Zcash has benefited from security audits performed by NCC Group, Coinspect, 
@@ -10901,6 +11746,9 @@ Daira Hopwood, Sean Bowe, Jack Grigg, and Jack Gavigan. A potential attack linking \diversifiedPaymentAddresses, avoided in the adopted design, was found by Brian Warner. +The design of \Orchard is primarily due to Daira Hopwood, Sean Bowe, Jack Grigg, +Kris Nuttycombe, Ying Tong Lai, and Steven Smith. + \notsprout{ The observation in \crossref{concretediversifyhash} that \diversifiedPaymentAddress unlinkability can be proven in the same way @@ -10910,12 +11758,20 @@ as \keyPrivacy for ElGamal, is due to Mary Maller. We thank Ariel Gabizon for teaching us the techniques of \cite{BFIJSV2010} \notsprout{used in \crossref{grothbatchverify}}, by applying them to \BCTV. +The arithmetization used by \HaloTwo is based on that used by \PLONK \cite{GWC2019}, +which was designed by Ariel Gabizon, Zachary Williamson, and Oana Ciobotaru. + Numerous people have contributed to the science of zero-knowledge proving systems, but we would particularly like to acknowledge the work of Shafi Goldwasser, Silvio Micali, Oded Goldreich, Charles Rackoff, Rosario Gennaro, Bryan Parno, Jon Howell, Craig Gentry, Mariana Raykova, Jens Groth, Rafail Ostrovsky, and Amit Sahai. +We thank the organizers of the ZKProof standardization effort and workshops; +and also Anna Rose and Fredrik Harrysson for their work on the Zero Knowledge Podcast, +ZK Summits, and ZK Study Club. These efforts have enriched the zero knowledge +community immeasurably. + Many of the ideas used in \Zcash{} ---including the use of zero-knowledge proofs to resolve the tension between privacy and auditability, Merkle trees over note commitments\notsprout{ (using Pedersen hashes as in \Sapling)}, 
@@ -10936,6 +11792,12 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \lsection{Change History}{changehistory} +\historyentry{2021.1.17}{} +\begin{itemize} + \item Work in progress for \Orchard specification. +\end{itemize} + + \historyentry{2021.1.16}{2021-01-11} \begin{itemize} \item Add macros and \Makefile support for building the \Orchard draft specification. @@ -11676,7 +12538,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. when encrypting \Sapling notes. \item Add a consensus rule that $\valueBalance$ is in the range $\range{-\MAXMONEY}{\MAXMONEY}$. \item Enforce stronger constraints on the types of key components $\DiversifiedTransmitPublic$, - $\AuthSignPublic$, and $\AuthProvePublic$. + $\AuthSignPublic$, and $\NullifierKey$. \item Correct the conformance rule for \fOverwintered{} (it must not be set before \Overwinter has activated, not before \Sapling has activated). \item Correct the argument that $\vSum$ is in range in \crossref{saplingbalance}. @@ -11696,7 +12558,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \item Clarify that the $\possqrt{a}$ notation refers to the positive square root. (This matters for the conversion in \crossref{cctconversion}.) \item Model the group hash as a random oracle. This appears to be unavoidable in order to allow - proving unlinkability of $\DiversifyHash$. Explain how this relates to the Discrete Logarithm + proving unlinkability of $\DiversifyHashSapling$. Explain how this relates to the Discrete Logarithm Independence assumption used previously, and justify this modelling by showing that it follows from treating $\BlakeTwos{256}$ as a random oracle in the instantiation of $\GroupJHash{}$. 
@@ -11731,7 +12593,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \item Fix the description of the \balancingValue in \crossref{saplingbalance}. \item Correct a type error in \crossref{concretegrouphashjubjub}. \item Correct a type error in $\RedDSASign{}$ in \crossref{concreteredjubjub}. - \item Ensure $\AuthSignBase$ is defined in \crossref{concretespendauthsig}. + \item Ensure $\AuthSignBaseSapling$ is defined in \crossref{concretespendauthsig}. \item Make the \validatingKey prefix part of the input to the \hashFunction in $\RedDSA$, not part of the message. \item Correct the statement about $\FindGroupJHash$ never returning $\bot$. @@ -11838,7 +12700,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. computed and separating it from the \authRandomizedValidatingKey ($\AuthSignRandomizedPublic$). \item Clarify conversions between bit and byte sequences for - $\SpendingKey$, $\reprJ\Of{\AuthSignPublic}$, and $\reprJ\Of{\AuthProvePublic}$. + $\SpendingKey$, $\reprJ\Of{\AuthSignPublic}$, and $\reprJ\Of{\NullifierKey}$. } %sapling \item Change the \Makefile to avoid multiple reloads in PDF readers while rebuilding the PDF. 
@@ -13673,12 +14535,12 @@ The auxiliary input is \hparen\DiversifiedTransmitBase \typecolon \GroupJ,\\ \hparen\DiversifiedTransmitPublic \typecolon \GroupJ,\vspace{0.6ex}\\ \hparen\vOld{} \typecolon \ValueType,\\ - \hparen\ValueCommitRandOld{} \typecolon \binaryrange{\ScalarLength},\\ + \hparen\ValueCommitRandOld{} \typecolon \binaryrange{\ScalarLengthSapling},\\ \hparen\cmOld{} \typecolon \GroupJ,\\ - \hparen\NoteCommitRandOld{} \typecolon \binaryrange{\ScalarLength},\\ - \hparen\AuthSignRandomizer \typecolon \binaryrange{\ScalarLength},\\ + \hparen\NoteCommitRandOld{} \typecolon \binaryrange{\ScalarLengthSapling},\\ + \hparen\AuthSignRandomizer \typecolon \binaryrange{\ScalarLengthSapling},\\ \hparen\AuthSignPublic \typecolon \SpendAuthSigPublic,\\ - \hparen\AuthProvePrivate \typecolon \binaryrange{\ScalarLength}\cparen$. + \hparen\AuthProvePrivate \typecolon \binaryrange{\ScalarLengthSapling}\cparen$. \end{formulae} \introlist @@ -13691,7 +14553,7 @@ represent \jubjubCurve points. However, \item $\cvOld{}$ will be constrained to an output of $\ValueCommit{}$; \item $\cmOld{}$ will be constrained to an output of $\NoteCommitSapling{}$; \item $\AuthSignRandomizedPublic$ will be constrained to - $\scalarmult{\AuthSignRandomizer}{\AuthSignBase} + \AuthSignPublic$; + $\scalarmult{\AuthSignRandomizer}{\AuthSignBaseSapling} + \AuthSignPublic$; \item $\DiversifiedTransmitPublic$ will be constrained to $\scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$ \end{itemize} 
@@ -13699,13 +14561,13 @@ represent \jubjubCurve points. However, so $\cvOld{}$, $\cmOld{}$, $\AuthSignRandomizedPublic$, and $\DiversifiedTransmitPublic$ do not need to be explicitly checked to be on the curve. -In addition, $\AuthProvePublicRepr$ and $\NoteAddressRandRepr$ used in +In addition, $\NullifierKeyRepr$ and $\NoteAddressRandRepr$ used in \textbf{Nullifier integrity} are compressed representations of \jubjubCurve points. \todo{explain why these are implemented as \crossref{ccteddecompressvalidate} even though the statement spec doesn't explicitly say to do validation.} -Therefore we have $\DiversifiedTransmitBase$, $\AuthSignPublic$, $\AuthProvePublic$, +Therefore we have $\DiversifiedTransmitBase$, $\AuthSignPublic$, $\NullifierKey$, and $\NoteAddressRand$ that need to be constrained to valid \jubjubCurve points as described in \crossref{ccteddecompressvalidate}. @@ -13726,10 +14588,10 @@ Check & Implements & \heading{Cost} & Reference \\ $\AuthSignPublic$ is not small order & \snarkref{Small order checks}{spendnonsmall} & 16 & \shortcrossref{cctednonsmallorder} \\ \hline - $\AuthSignRandomizerRepr \typecolon \bitseq{\ScalarLength}$ - & $\AuthSignRandomizer \typecolon \binaryrange{\ScalarLength}$ + $\AuthSignRandomizerRepr \typecolon \bitseq{\ScalarLengthSapling}$ + & $\AuthSignRandomizer \typecolon \binaryrange{\ScalarLengthSapling}$ & 252 & \shortcrossref{cctboolean} \\ \hline - $\AuthSignRandomizer' = \scalarmult{\AuthSignRandomizerRepr}{\AuthSignBase}$ + $\AuthSignRandomizer' = \scalarmult{\AuthSignRandomizerRepr}{\AuthSignBaseSapling}$ & \snarkref{Spend authority}{spendauthority} & 750 & \shortcrossref{cctfixedscalarmult} \\ \cline{1-1}\cline{3-4} $\AuthSignRandomizedPublic = \AuthSignRandomizer' + \AuthSignPublic$ 
@@ -13738,20 +14600,20 @@ Check & Implements & \heading{Cost} & Reference \\ inputize $\AuthSignRandomizedPublic$ \small\todo{not ccteddecompressvalidate => wrong count} & $\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic$ & 392? & \shortcrossref{ccteddecompressvalidate} \\ \hline - $\AuthProvePrivateRepr \typecolon \bitseq{\ScalarLength}$ - & $\AuthProvePrivate \typecolon \binaryrange{\ScalarLength}$ + $\AuthProvePrivateRepr \typecolon \bitseq{\ScalarLengthSapling}$ + & $\AuthProvePrivate \typecolon \binaryrange{\ScalarLengthSapling}$ & 252 & \shortcrossref{cctboolean} \\ \hline - $\AuthProvePublic = \scalarmult{\AuthProvePrivateRepr}{\AuthProveBase}$ + $\NullifierKey = \scalarmult{\AuthProvePrivateRepr}{\AuthProveBase}$ & \snarkref{Nullifier integrity}{spendnullifierintegrity} & 750 & \shortcrossref{cctfixedscalarmult} \\ \hline $\AuthSignPublicRepr = \reprJ\Of{\AuthSignPublic \typecolon \GroupJ}$ & \snarkref{Diversified address integrity}{spendaddressintegrity} & 392 & \shortcrossref{ccteddecompressvalidate} \\ \hline - $\AuthProvePublicRepr = \reprJ\Of{\AuthProvePublic}$ - \small\todo{spec doesn't say to validate $\AuthProvePublic$ since it's calculated} + $\NullifierKeyRepr = \reprJ\Of{\NullifierKey}$ + \small\todo{spec doesn't say to validate $\NullifierKey$ since it's calculated} & \snarkref{Nullifier integrity}{spendnullifierintegrity} & 392 & \shortcrossref{ccteddecompressvalidate} \\ \hline - $\InViewingKeyRepr = \ItoLEBSP{251}\big(\CRHivk(\AuthSignPublic, \AuthProvePublic)\kern-0.08em\big)\;\dagger$ + $\InViewingKeyRepr = \ItoLEBSP{251}\big(\CRHivk(\AuthSignPublic, \NullifierKey)\kern-0.08em\big)\;\dagger$ & \snarkref{Diversified address integrity}{spendaddressintegrity} & 21006 & \shortcrossref{cctblake2s} \\ \hline $\DiversifiedTransmitBase$ is on the curve 
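Review bot: `$\NullifierKey = \scalarmult{\AuthProvePrivateRepr}{\AuthProveBase}$` now pairs the renamed public-key macro with the un-renamed `\AuthProvePrivate`/`\AuthProvePrivateRepr` and `\AuthProveBase`, so the three no longer read as one family; the `\NullifierKeyRepr` and `\CRHivk` rows below have the same mix. If the asymmetry is deliberate, because only the public key needs a protocol-neutral name, a short comment at the first use in this table, e.g. `% \NullifierKey replaces \AuthProvePublic; \AuthProvePrivate and \AuthProveBase keep their names`, would stop a later maintainer from renaming the rest for consistency. The tabular this row belongs to starts and ends outside the hunk.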
@@ -13766,8 +14628,8 @@ Check & Implements & \heading{Cost} & Reference \\ $\vOldRepr \typecolon \bitseq{64}$ & $\vOld{} \typecolon \binaryrange{64}$ & 64 & \shortcrossref{cctboolean} \\ \hline - $\ValueCommitRandRepr \typecolon \bitseq{\ScalarLength}$ - & $\ValueCommitRand \typecolon \binaryrange{\ScalarLength}$ + $\ValueCommitRandRepr \typecolon \bitseq{\ScalarLengthSapling}$ + & $\ValueCommitRand \typecolon \binaryrange{\ScalarLengthSapling}$ & 252 & \shortcrossref{cctboolean} \\ \hline $\cv = \ValueCommit{\ValueCommitRand}(\vOld{})$ & \snarkref{Value commitment integrity}{spendvaluecommitmentintegrity} @@ -13775,8 +14637,8 @@ Check & Implements & \heading{Cost} & Reference \\ inputize $\cv$ & & ? & \\ \hline - $\NoteCommitRandRepr \typecolon \bitseq{\ScalarLength}$ - & $\NoteCommitRand \typecolon \binaryrange{\ScalarLength}$ + $\NoteCommitRandRepr \typecolon \bitseq{\ScalarLengthSapling}$ + & $\NoteCommitRand \typecolon \binaryrange{\ScalarLengthSapling}$ & 252 & \shortcrossref{cctboolean} \\ \hline $\cm = \NoteCommitSapling{\NoteCommitRand}(\DiversifiedTransmitBase, \DiversifiedTransmitPublic, \vOld{})$ % = \WindowedPedersenCommit{\NoteCommitRand}(\vOldRepr \bconcat \DiversifiedTransmitBaseRepr \bconcat \DiversifiedTransmitPublicRepr) @@ -13804,7 +14666,7 @@ Check & Implements & \heading{Cost} & Reference \\ \small\todo{spec doesn't say to validate $\NoteAddressRand$ since it's calculated} & & 392 & \shortcrossref{ccteddecompressvalidate} \\ \cline{1-1}\cline{3-4} - $\nfOld{} = \PRFnfSapling{\AuthProvePublicRepr}(\NoteAddressRandRepr)$ + $\nfOld{} = \PRFnfSapling{\NullifierKeyRepr}(\NoteAddressRandRepr)$ & & 21006 & \shortcrossref{cctblake2s} \\ \hline \raggedright pack $\nfOld{\barerange{0}{253}}$ and $\nfOld{\barerange{254}{255}}$ into two $\GF{\ParamS{r}}$ inputs 
@@ -13845,9 +14707,9 @@ The auxiliary input is \item $(\DiversifiedTransmitBase \typecolon \GroupJ,\\[0.5ex] \hparen\DiversifiedTransmitPublicRepr \typecolon \ReprJ,\\ \hparen\vNew{} \typecolon \ValueType,\\ - \hparen\ValueCommitRandNew{} \typecolon \binaryrange{\ScalarLength},\\ - \hparen\NoteCommitRandNew{} \typecolon \binaryrange{\ScalarLength},\\ - \hparen\EphemeralPrivate \typecolon \binaryrange{\ScalarLength})$ + \hparen\ValueCommitRandNew{} \typecolon \binaryrange{\ScalarLengthSapling},\\ + \hparen\NoteCommitRandNew{} \typecolon \binaryrange{\ScalarLengthSapling},\\ + \hparen\EphemeralPrivate \typecolon \binaryrange{\ScalarLengthSapling})$ \end{formulae} $\ValueCommitOutput$ is of type $\GroupJ$, so we have $\cvNew{}$, $\EphemeralPublic$, @@ -13883,8 +14745,8 @@ Check & Implements & \heading{Cost} & Reference \\ $\vOldRepr \typecolon \bitseq{64}$ & $\vOld{} \typecolon \binaryrange{64}$ & 64 & \shortcrossref{cctboolean} \\ \hline - $\ValueCommitRandRepr \typecolon \bitseq{\ScalarLength}$ - & $\ValueCommitRand \typecolon \binaryrange{\ScalarLength}$ + $\ValueCommitRandRepr \typecolon \bitseq{\ScalarLengthSapling}$ + & $\ValueCommitRand \typecolon \binaryrange{\ScalarLengthSapling}$ & 252 & \shortcrossref{cctboolean} \\ \hline $\cv = \ValueCommit{\ValueCommitRand}(\vOld{})$ & \snarkref{Value commitment integrity}{outputvaluecommitmentintegrity} 
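Review bot: The Output table's `$\vOldRepr \typecolon \bitseq{64}$ & $\vOld{} \typecolon \binaryrange{64}$` row, and the `$\cm = \NoteCommitSapling{\NoteCommitRand}(\DiversifiedTransmitBase, \DiversifiedTransmitPublic, \vOld{})$` row in the next hunk, still use the old-note value, whereas the auxiliary input list in the first hunk here declares `\hparen\vNew{} \typecolon \ValueType`. These are context lines the commit does not touch, but the rename pass that introduced \ScalarLengthSapling in the neighbouring rows is the natural place to check whether `\vOld` there is a leftover copy from the Spend table. If the Output statement is indeed over the new note, those rows should use `\vNew{}` (and its bit-sequence form, if one is defined) in place of `\vOld{}`. The tabular starts and ends outside the hunk.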
@@ -13898,8 +14760,8 @@ Check & Implements & \heading{Cost} & Reference \\ $\DiversifiedTransmitBase$ is not small order & \snarkref{Small order checks}{outputnonsmall} & 16 & \shortcrossref{cctednonsmallorder} \\ \hline - $\EphemeralPrivateRepr \typecolon \bitseq{\ScalarLength}$ - & $\EphemeralPrivate \typecolon \binaryrange{\ScalarLength}$ + $\EphemeralPrivateRepr \typecolon \bitseq{\ScalarLengthSapling}$ + & $\EphemeralPrivate \typecolon \binaryrange{\ScalarLengthSapling}$ & 252 & \shortcrossref{cctboolean} \\ \hline $\EphemeralPublic = \scalarmult{\EphemeralPrivateRepr}{\DiversifiedTransmitBase}$ & \snarkref{Ephemeral public key integrity}{outputepkintegrity} @@ -13910,8 +14772,8 @@ Check & Implements & \heading{Cost} & Reference \\ $\DiversifiedTransmitPublicRepr \typecolon \ReprJ$ & $\DiversifiedTransmitPublicRepr \typecolon \ReprJ$ & 256 & \shortcrossref{cctboolean} \\ \hline - $\NoteCommitRandRepr \typecolon \bitseq{\ScalarLength}$ - & $\NoteCommitRand \typecolon \binaryrange{\ScalarLength}$ + $\NoteCommitRandRepr \typecolon \bitseq{\ScalarLengthSapling}$ + & $\NoteCommitRand \typecolon \binaryrange{\ScalarLengthSapling}$ & 252 & \shortcrossref{cctboolean} \\ \hline $\cm = \NoteCommitSapling{\NoteCommitRand}(\DiversifiedTransmitBase, \DiversifiedTransmitPublic, \vOld{})$ % = \WindowedPedersenCommit{\NoteCommitRand}(\vOldRepr \bconcat \DiversifiedTransmitBaseRepr \bconcat \DiversifiedTransmitPublicRepr) diff --git a/protocol/zcash.bib b/protocol/zcash.bib index e5e7390f..c8451382 100644 --- a/protocol/zcash.bib +++ b/protocol/zcash.bib 
@@ -176,6 +176,16 @@ Last revised May~31, 2016.} urldate={2018-02-10} } +@misc{GWC2019, + presort={GWC2019}, + author={Ariel Gabizon and Zachary Williamson and Oana Ciobotaru}, + title={{PLONK}: {P}ermutations over {L}agrange-bases for {O}ecumenical {N}oninteractive arguments of {K}nowledge}, + url={https://eprint.iacr.org/2019/953}, + urldate={2021-01-28}, + howpublished={Cryptology ePrint Ar\-chive: Report 2019/953. +Last revised September~3, 2020.} +} + % Capitalized De/Di is correct @inproceedings{DSDCOPS2001, presort={DSDCOPS2001}, @@ -187,7 +197,7 @@ Proceedings of the 21st Annual International Cryptology Conference volume={2139}, series={Lecture Notes in Computer Science}, editor={Joe Kilian}, - pages={566-598}, + pages={566--598}, year={2001}, publisher={Springer}, isbn={978-3-540-42456-7}, @@ -265,6 +275,16 @@ Conference on Computer and Communications Security}, urldate={2019-01-09} } +@phdthesis{Hisil2010, + presort={Hisil2010}, + author={Hüseyin Hı\cedilla{s}ıl}, + title={Elliptic Curves, Group Law, and Efficient Computation}, + year={2010}, + school={Queensland University of Technology}, + url={https://eprints.qut.edu.au/33233/}, + urldate={2021-01-26} +} + @inproceedings{Bernstein2006, presort={Bernstein2006}, author={Daniel Bernstein}, 
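Review bot: The `Hisil2010` author field `Hüseyin Hı\cedilla{s}ıl` depends on a `\cedilla` macro that zcash.bib does not define, so the .bib file is no longer usable from any document that does not provide it, and biber may carry the unexpanded macro into the name parts it derives for sorting and labels. If the standard `\c{s}` renders acceptably in the document's fonts, `author={Hüseyin Hı{\c{s}}ıl}` removes the dependency (the file already uses raw UTF-8 for ü, é and the dotless ı, so only the cedilla needs a macro); otherwise a one-line `%` comment above the entry stating that `\cedilla` must be provided by the citing document would help the next maintainer.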
@@ -507,6 +527,110 @@ Received May~21, 2016.}
 urldate={2016-09-14} }
+@misc{ID-hashtocurve,
+ presort={ID-hashtocurve},
+ author={Armando Faz-Hernández and Sam Scott and Nick Sullivan and Riad Wahby and Christopher Wood},
+ title={Internet {D}raft: {H}ashing to Elliptic Curves, version 10},
+ howpublished={Internet Research Task Force (IRTF) Crypto Forum Research Group (CFRG). Work in progress. Last revised December~22, 2020.},
+ url={https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-10.html},
+ urldate={2021-01-27}
+}
+
+@misc{WB2019,
+ presort={WB2019},
+ author={Riad Wahby and Dan Boneh},
+ title={Fast and simple constant-time hashing to the {BLS12-381} elliptic curve},
+ url={https://eprint.iacr.org/2019/403},
+ urldate={2021-01-27},
+ howpublished={Cryptology ePrint Archive: Report 2018/403. Last revised September~30, 2019.}
+}
+
+@inproceedings{BCIMRT2010,
+ presort={BCIMRT2010},
+ author={Eric Brier and Jean-Sébastien Coron and Thomas Icart and David Madore and Hugues Randriam and Mehdi Tibouchi},
+ title={Efficient Indifferentiable Hashing into Ordinary Elliptic Curves},
+ booktitle={Advances in Cryptology - CRYPTO~2010.
+Proceedings of the 30th Annual International Cryptology Conference
+(Santa Barbara, California, USA, August~15--19, 2010)},
+ volume={6223},
+ series={Lecture Notes in Computer Science},
+ editor={Tal Rabin},
+ pages={237--254},
+ year={2010},
+ publisher={Springer},
+ isbn={978-3-642-14623-7},
+ doi={10.1007/978-3-642-14623-7_13},
+ url={https://www.iacr.org/archive/crypto2010/62230238/62230238.pdf},
+ urldate={2021-01-27}
+}
+
+@inproceedings{SvdW2006,
+ presort={SvdW2006},
+ author={Andrew Shallue and Christiaan E. van de Woestijne},
+ title={Construction of Rational Points on Elliptic Curves over Finite Fields},
+ booktitle={Algorithmic Number Theory: 7th International Symposium, ANTS-VII (Berlin, Germany, July~23--28, 2006)},
+ volume={4076},
+ series={Lecture Notes in Computer Science},
+ editor={F. Hess and S. Pauli and M. Pohst},
+ pages={510--524},
+ year={2006},
+ publisher={Springer},
+ isbn={978-3-540-36076-6},
+ doi={10.1007/11792086_36},
+ url={https://digitalcommons.iwu.edu/math_scholarship/72/},
+ urldate={2021-01-28}
+}
+
+@article{Ulas2007,
+ presort={Ulas2007},
+ author={Maciej Ulas},
+ title={Rational Points on Certain Hyperelliptic Curves over Finite Fields},
+ series={Bulletin of the Polish Academy of Sciences - Mathematics},
+ volume={55},
+ number={2},
+ pages={97--104},
+ year={2007},
+ doi={10.4064/ba55-2-1},
+ url={https://www.impan.pl/shop/publication/transaction/download/product/85475},
+ urldate={2021-01-27}
+}
+
+@article{FFSTV2013,
+ presort={FFSTV2013},
+ author={Reza Farashahi and Pierre-Alain Fouque and Igor Shparlinski and Mehdi Tibouchi and J. Felipe Voloch},
+ title={Indifferentiable deterministic hashing to elliptic and hyperelliptic curves},
+ journal={Mathematics of Computation},
+ volume={82},
+ pages={491--512},
+ year={2013},
+ doi={10.1090/S0025-5718-2012-02606-8},
+ url={https://www.ams.org/journals/mcom/2013-82-281/S0025-5718-2012-02606-8/},
+ urldate={2021-01-27}
+}
+
+@inproceedings{KT2015,
+ presort={KT2015},
+ author={Taechan Kim and Mehdi Tibouchi},
+ title={Improved Elliptic Curve Hashing and Point Representation},
+ booktitle={Proceedings of WCC2015 - 9th International Workshop on Coding and Cryptography (Paris, France, April 2015)},
+ editor={Anne Canteaut and Gaëtan Leurent and Maria Naya-Plasencia},
+ url={https://hal.inria.fr/hal-01275711},
+ urldate={2021-01-28}
+}
+
+@article{BGHOZ2013,
+ presort={BGHOZ2013},
+ author={Gilles Barthe and Benjamin Grégoire and Sylvain Heraud and Frederico Olmedo and Santiago Zanella-Béguelin},
+ title={Verified indifferentiable hashing into elliptic curves},
+ journal={Journal of Computer Security, Security and Trust Principles},
+ volume={21},
+ number={6},
+ pages={881--917},
+ year={2013},
+ url={https://software.imdea.org/~szanella/Zanella.2012.POST.pdf},
+ urldate={2021-01-28}
+}
+
@misc{Certicom2010, presort={Certicom2010}, author={Certicom Research},
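Review bot: The `WB2019` entry is internally inconsistent: `url={https://eprint.iacr.org/2019/403}` points at report 2019/403 while `howpublished` says `Report 2018/403`; the URL's year agrees with the entry key, so `howpublished={Cryptology ePrint Archive: Report 2019/403. Last revised September~30, 2019.}` is presumably the intended line, but one of the two should be corrected after checking the source. In `Ulas2007` the journal name is given as `series={Bulletin of the Polish Academy of Sciences - Mathematics}`; for an `@article` biblatex prints `journal`, not `series`, so the venue is likely to be missing from the rendered reference. `KT2015` has no `year` field, which for an `@inproceedings` may leave the rendered entry (and an alpha label derived from the year) incomplete. Several new `booktitle`/`series` values use a bare ` - ` between name parts where the `pages` fix in the earlier hunk of this file switches to `--`; that is cosmetic but worth aligning.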