mirror of https://github.com/zcash/zips.git
Cosmetics (spacing).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood
parent
0b8a4b3d90
commit
c5c34cf93c
|
|
@ -6947,6 +6947,7 @@ For details of the form and encoding of \actionStatement proofs, see \crossref{h
|
|||
|
||||
\lsubsection{In-band secret distribution\pSproutOrNothingText}{sproutinband}
|
||||
|
||||
\vspace{-1ex}
|
||||
\sprout{The}\notsprout{In \Sprout, the} secrets that need to be transmitted
|
||||
to a recipient of funds in order for them to later spend, are $\Value$,
|
||||
$\NoteUniqueRand$, and $\NoteCommitRand$. \canopy{(After \Canopy activation,
|
||||
|
|
@ -6959,13 +6960,14 @@ To transmit these secrets securely to a recipient
|
|||
possession of the associated \incomingViewingKey $\InViewingKey$ is used to
|
||||
reconstruct the original \note\changed{ and \memo}.
|
||||
|
||||
\introlist
|
||||
A single \ephemeralPublicKey is shared between encryptions of the $\NNew$
|
||||
\shieldedOutputs in a \joinSplitDescription. All of the resulting ciphertexts
|
||||
are combined to form a \notesCiphertextSprout.
|
||||
|
||||
\introlist
|
||||
For both encryption and decryption,
|
||||
|
||||
\vspace{-0.5ex}
|
||||
\begin{itemize}
|
||||
\item let $\Sym$ be the scheme instantiated in \crossref{concretesym};
|
||||
\vspace{-0.5ex}
|
||||
|
|
@ -6983,29 +6985,32 @@ For both encryption and decryption,
|
|||
\vspace{-1ex}
|
||||
Let $\KA{Sprout}$ be the \keyAgreementScheme instantiated in \crossref{concretesproutkeyagreement}.
|
||||
|
||||
\vspace{-0.5ex}
|
||||
\vspace{-0.75ex}
|
||||
Let $\TransmitPublicSub{\allNew}$ be the \transmissionKeys
|
||||
for the intended recipient addresses of each new \note.
|
||||
|
||||
\vspace{-0.5ex}
|
||||
Let $\NotePlaintext{\allNew}$ be \Sprout \notePlaintexts
|
||||
defined in \crossref{notept}.
|
||||
|
||||
\introlist
|
||||
\vspace{1ex}
|
||||
\vspace{0.5ex}
|
||||
Then to encrypt:
|
||||
|
||||
\vspace{-0.5ex}
|
||||
\begin{itemize}
|
||||
\changed{
|
||||
\item Generate a new $\KA{Sprout}$ (public, private) key pair
|
||||
$(\EphemeralPublic, \EphemeralPrivate)$.
|
||||
\item Generate a new $\KA{Sprout}$ (public, private) key pair $(\EphemeralPublic, \EphemeralPrivate)$.
|
||||
\vspace{-0.5ex}
|
||||
\item For $i \in \setofNew$,
|
||||
\begin{itemize}
|
||||
\item Let $\TransmitPlaintext{i}$ be the \rawEncoding of $\NotePlaintext{i}$.
|
||||
\vspace{-0.5ex}
|
||||
\item Let $\DHSecret{i} = \KAAgree{Sprout}(\EphemeralPrivate,
|
||||
\TransmitPublicSub{i})$.
|
||||
\vspace{-0.5ex}
|
||||
\item Let $\TransmitKey{i} = \KDF{Sprout}(i, \hSig, \DHSecret{i}, \EphemeralPublic,
|
||||
\TransmitPublicSub{i})$.
|
||||
\vspace{0.5ex}
|
||||
\item Let $\TransmitCiphertext{i} =
|
||||
\SymEncrypt{\TransmitKey{i}}(\TransmitPlaintext{i})$.
|
||||
\end{itemize}
|
||||
|
|
@ -7026,8 +7031,10 @@ further security considerations, for example of how to validate a \Sprout{}
|
|||
\note received out-of-band, which are not addressed in this document.
|
||||
}
|
||||
|
||||
\vspace{-2ex}
|
||||
\lsubsubsection{Decryption\pSproutOrNothingText}{sproutdecrypt}
|
||||
|
||||
\vspace{-1ex}
|
||||
Let $\InViewingKey = (\AuthPublic, \TransmitPrivate)$ be the recipient's \incomingViewingKey,
|
||||
and let $\TransmitPublic$ be the corresponding \transmissionKey derived from
|
||||
$\TransmitPrivate$ as specified in \crossref{sproutkeycomponents}.
|
||||
|
|
@ -7041,10 +7048,12 @@ component $(\EphemeralPublic, \TransmitCiphertext{i})$ as follows:
|
|||
|
||||
\changed{
|
||||
\begin{formulae}
|
||||
\vspace{-0.5ex}
|
||||
\vspace{-0.5ex}
|
||||
\item let $\DHSecret{i} = \KAAgree{Sprout}(\TransmitPrivate, \EphemeralPublic)$
|
||||
\vspace{-0.5ex}
|
||||
\item let $\TransmitKey{i} = \KDF{Sprout}(i, \hSig, \DHSecret{i}, \EphemeralPublic,
|
||||
\TransmitPublic)$
|
||||
\vspace{-0.5ex}
|
||||
\item return $\DecryptNoteSprout(\TransmitKey{i}, \TransmitCiphertext{i}, \cm_i,
|
||||
\AuthPublic).$
|
||||
\end{formulae}
|
||||
|
|
@ -7056,17 +7065,22 @@ is defined as follows:
|
|||
\begin{formulae}
|
||||
\item let $\TransmitPlaintext{i} =
|
||||
\SymDecrypt{\TransmitKey{i}}(\TransmitCiphertext{i})$
|
||||
\vspace{-0.5ex}
|
||||
\item if $\TransmitPlaintext{i} = \bot$, return $\bot$
|
||||
\vspace{-1.5ex}
|
||||
\item extract $\NotePlaintext{i} = (\NotePlaintextLeadByte_i \typecolon \byte,
|
||||
\Value_i \typecolon \ValueType,
|
||||
\NoteUniqueRand_i \typecolon \PRFOutputSprout,
|
||||
\NoteCommitRand_i \typecolon \NoteCommitTrapdoor{Sprout},
|
||||
\Memo_i \typecolon \MemoType)$ from $\TransmitPlaintext{i}$
|
||||
\vspace{-0.5ex}
|
||||
\item if $\NotePlaintextLeadByte_i \neq \hexint{00}$ or $\NoteCommitment{Sprout}((\AuthPublic, \Value_i, \NoteUniqueRand_i,
|
||||
\NoteCommitRand_i)) \neq \cm_i$, return $\bot$, else return $\NotePlaintext{i}$.
|
||||
\end{formulae}
|
||||
}
|
||||
|
||||
\vspace{-0.5ex}
|
||||
\introlist
|
||||
To test whether a \note is unspent in a particular \blockChain also requires
|
||||
the \spendingKey $\AuthPrivate$; the coin is unspent if and only if
|
||||
$\nf = \PRFnf{Sprout}{\AuthPrivate}(\NoteUniqueRand)$ is not in the \nullifierSet
|
||||
|
|
@ -7090,6 +7104,7 @@ engineering rationale behind this encryption scheme.
|
|||
\sapling{
|
||||
\extralabel{saplinginband}{\lsubsection{In-band secret distribution (\SaplingAndOrchardText)}{saplingandorchardinband}}
|
||||
|
||||
\vspace{-1ex}
|
||||
In \SaplingAndOrchard, the secrets that need to be transmitted to a recipient of funds
|
||||
in order for them to later spend, are $\Diversifier$, $\Value$, and $\NoteCommitRand$.
|
||||
A \memo (\crossref{noteptconcept}) is also transmitted.
|
||||
|
|
@ -7130,8 +7145,10 @@ For both encryption and decryption,
|
|||
|
||||
|
||||
\sapling{
|
||||
\vspace{-2ex}
|
||||
\extralabel{saplingencrypt}{\lsubsubsection{Encryption (\SaplingAndOrchardText)}{saplingandorchardencrypt}}
|
||||
|
||||
\vspace{-1ex}
|
||||
Let $\DiversifiedTransmitPublic \typecolon \KAPublicPrimeSubgroup{}$ be the
|
||||
\diversifiedTransmissionKey for the intended recipient address of a new \SaplingOrOrchard \note,
|
||||
and let $\DiversifiedTransmitBase \typecolon \KAPublicPrimeSubgroup{}$ be the corresponding
|
||||
|
|
@ -7142,6 +7159,7 @@ Since \Sapling \note encryption is used only in the context of \crossref{sapling
|
|||
$\DiversifiedTransmitBase$ has already been calculated and is not $\bot$. Also, the \ephemeralPrivateKey
|
||||
$\EphemeralPrivate$ has been chosen.
|
||||
|
||||
\introlist
|
||||
Let $\OutViewingKey \typecolon \maybe{\OutViewingKeyType}$ be as described in \shortcrossref{saplingsend}\nufive{ or
|
||||
\shortcrossref{orchardsend}}, i.e.\ the \outgoingViewingKey of the \shieldedPaymentAddress from which the \note is being
|
||||
spent, or an \outgoingViewingKey associated with a \cite{ZIP-32} account, or $\bot$.
|
||||
|
|
@ -7199,6 +7217,7 @@ received out-of-band, which are not addressed in this document.
|
|||
\sapling{
|
||||
\extralabel{saplingdecryptivk}{\lsubsubsection{Decryption using an Incoming Viewing Key (\SaplingAndOrchardText)}{decryptivk}}
|
||||
|
||||
\vspace{-1ex}
|
||||
Let $\InViewingKey \typecolon \InViewingKeyTypeSapling$\notbeforenufive{ (in \Sapling)\nufive{ or
|
||||
$\InViewingKeyTypeOrchard$ (in \Orchard)}} be the recipient's \incomingViewingKey, as specified in
|
||||
\crossref{saplingkeycomponents}\nufive{ or \crossref{orchardkeycomponents}}.
|
||||
|
|
|
|||
Loading…
Reference in New Issue