From c5c34cf93c4c40aebd633c594ff5428ab4133817 Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Wed, 17 Mar 2021 19:48:54 +0000 Subject: [PATCH] Cosmetics (spacing). Signed-off-by: Daira Hopwood --- protocol/protocol.tex | 33 ++++++++++++++++++++++++++------- 1 file changed, 26 insertions(+), 7 deletions(-) diff --git a/protocol/protocol.tex b/protocol/protocol.tex index c9ee65fe..b502c6aa 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -6947,6 +6947,7 @@ For details of the form and encoding of \actionStatement proofs, see \crossref{h \lsubsection{In-band secret distribution\pSproutOrNothingText}{sproutinband} +\vspace{-1ex} \sprout{The}\notsprout{In \Sprout, the} secrets that need to be transmitted to a recipient of funds in order for them to later spend, are $\Value$, $\NoteUniqueRand$, and $\NoteCommitRand$. \canopy{(After \Canopy activation, @@ -6959,13 +6960,14 @@ To transmit these secrets securely to a recipient possession of the associated \incomingViewingKey $\InViewingKey$ is used to reconstruct the original \note\changed{ and \memo}. +\introlist A single \ephemeralPublicKey is shared between encryptions of the $\NNew$ \shieldedOutputs in a \joinSplitDescription. All of the resulting ciphertexts are combined to form a \notesCiphertextSprout. -\introlist For both encryption and decryption, +\vspace{-0.5ex} \begin{itemize} \item let $\Sym$ be the scheme instantiated in \crossref{concretesym}; \vspace{-0.5ex} 
@@ -6983,29 +6985,32 @@ For both encryption and decryption, \vspace{-1ex} Let $\KA{Sprout}$ be the \keyAgreementScheme instantiated in \crossref{concretesproutkeyagreement}. -\vspace{-0.5ex} +\vspace{-0.75ex} Let $\TransmitPublicSub{\allNew}$ be the \transmissionKeys for the intended recipient addresses of each new \note. +\vspace{-0.5ex} Let $\NotePlaintext{\allNew}$ be \Sprout \notePlaintexts defined in \crossref{notept}. \introlist -\vspace{1ex} +\vspace{0.5ex} Then to encrypt: +\vspace{-0.5ex} \begin{itemize} \changed{ - \item Generate a new $\KA{Sprout}$ (public, private) key pair -$(\EphemeralPublic, \EphemeralPrivate)$. + \item Generate a new $\KA{Sprout}$ (public, private) key pair $(\EphemeralPublic, \EphemeralPrivate)$. + \vspace{-0.5ex} \item For $i \in \setofNew$, \begin{itemize} \item Let $\TransmitPlaintext{i}$ be the \rawEncoding of $\NotePlaintext{i}$. + \vspace{-0.5ex} \item Let $\DHSecret{i} = \KAAgree{Sprout}(\EphemeralPrivate, \TransmitPublicSub{i})$. + \vspace{-0.5ex} \item Let $\TransmitKey{i} = \KDF{Sprout}(i, \hSig, \DHSecret{i}, \EphemeralPublic, \TransmitPublicSub{i})$. - \vspace{0.5ex} \item Let $\TransmitCiphertext{i} = \SymEncrypt{\TransmitKey{i}}(\TransmitPlaintext{i})$. \end{itemize} @@ -7026,8 +7031,10 @@ further security considerations, for example of how to validate a \Sprout{} \note received out-of-band, which are not addressed in this document. } +\vspace{-2ex} \lsubsubsection{Decryption\pSproutOrNothingText}{sproutdecrypt} +\vspace{-1ex} Let $\InViewingKey = (\AuthPublic, \TransmitPrivate)$ be the recipient's \incomingViewingKey, and let $\TransmitPublic$ be the corresponding \transmissionKey derived from $\TransmitPrivate$ as specified in \crossref{sproutkeycomponents}. 
@@ -7041,10 +7048,12 @@ component $(\EphemeralPublic, \TransmitCiphertext{i})$ as follows: \changed{ \begin{formulae} -\vspace{-0.5ex} + \vspace{-0.5ex} \item let $\DHSecret{i} = \KAAgree{Sprout}(\TransmitPrivate, \EphemeralPublic)$ + \vspace{-0.5ex} \item let $\TransmitKey{i} = \KDF{Sprout}(i, \hSig, \DHSecret{i}, \EphemeralPublic, \TransmitPublic)$ + \vspace{-0.5ex} \item return $\DecryptNoteSprout(\TransmitKey{i}, \TransmitCiphertext{i}, \cm_i, \AuthPublic).$ \end{formulae} @@ -7056,17 +7065,22 @@ is defined as follows: \begin{formulae} \item let $\TransmitPlaintext{i} = \SymDecrypt{\TransmitKey{i}}(\TransmitCiphertext{i})$ + \vspace{-0.5ex} \item if $\TransmitPlaintext{i} = \bot$, return $\bot$ + \vspace{-1.5ex} \item extract $\NotePlaintext{i} = (\NotePlaintextLeadByte_i \typecolon \byte, \Value_i \typecolon \ValueType, \NoteUniqueRand_i \typecolon \PRFOutputSprout, \NoteCommitRand_i \typecolon \NoteCommitTrapdoor{Sprout}, \Memo_i \typecolon \MemoType)$ from $\TransmitPlaintext{i}$ + \vspace{-0.5ex} \item if $\NotePlaintextLeadByte_i \neq \hexint{00}$ or $\NoteCommitment{Sprout}((\AuthPublic, \Value_i, \NoteUniqueRand_i, \NoteCommitRand_i)) \neq \cm_i$, return $\bot$, else return $\NotePlaintext{i}$. \end{formulae} } +\vspace{-0.5ex} +\introlist To test whether a \note is unspent in a particular \blockChain also requires the \spendingKey $\AuthPrivate$; the coin is unspent if and only if $\nf = \PRFnf{Sprout}{\AuthPrivate}(\NoteUniqueRand)$ is not in the \nullifierSet @@ -7090,6 +7104,7 @@ engineering rationale behind this encryption scheme. \sapling{ \extralabel{saplinginband}{\lsubsection{In-band secret distribution (\SaplingAndOrchardText)}{saplingandorchardinband}} +\vspace{-1ex} In \SaplingAndOrchard, the secrets that need to be transmitted to a recipient of funds in order for them to later spend, are $\Diversifier$, $\Value$, and $\NoteCommitRand$. A \memo (\crossref{noteptconcept}) is also transmitted. 
@@ -7130,8 +7145,10 @@ For both encryption and decryption, \sapling{ +\vspace{-2ex} \extralabel{saplingencrypt}{\lsubsubsection{Encryption (\SaplingAndOrchardText)}{saplingandorchardencrypt}} +\vspace{-1ex} Let $\DiversifiedTransmitPublic \typecolon \KAPublicPrimeSubgroup{}$ be the \diversifiedTransmissionKey for the intended recipient address of a new \SaplingOrOrchard \note, and let $\DiversifiedTransmitBase \typecolon \KAPublicPrimeSubgroup{}$ be the corresponding @@ -7142,6 +7159,7 @@ Since \Sapling \note encryption is used only in the context of \crossref{sapling $\DiversifiedTransmitBase$ has already been calculated and is not $\bot$. Also, the \ephemeralPrivateKey $\EphemeralPrivate$ has been chosen. +\introlist Let $\OutViewingKey \typecolon \maybe{\OutViewingKeyType}$ be as described in \shortcrossref{saplingsend}\nufive{ or \shortcrossref{orchardsend}}, i.e.\ the \outgoingViewingKey of the \shieldedPaymentAddress from which the \note is being spent, or an \outgoingViewingKey associated with a \cite{ZIP-32} account, or $\bot$. @@ -7199,6 +7217,7 @@ received out-of-band, which are not addressed in this document. \sapling{ \extralabel{saplingdecryptivk}{\lsubsubsection{Decryption using an Incoming Viewing Key (\SaplingAndOrchardText)}{decryptivk}} +\vspace{-1ex} Let $\InViewingKey \typecolon \InViewingKeyTypeSapling$\notbeforenufive{ (in \Sapling)\nufive{ or $\InViewingKeyTypeOrchard$ (in \Orchard)}} be the recipient's \incomingViewingKey, as specified in \crossref{saplingkeycomponents}\nufive{ or \crossref{orchardkeycomponents}}.
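Review bot: In the first hunk (@@ -6947), the `\introlist` that used to sit directly above "For both encryption and decryption," is moved to the earlier "A single \ephemeralPublicKey is shared ..." paragraph, so the sentence that actually introduces the `\begin{itemize}` now carries only a `\vspace{-0.5ex}`. If `\introlist` is the helper that keeps an introducing sentence on the same page as the list it introduces, it should stay on that sentence (possibly in both places); as written, a page break between "For both encryption and decryption," and its first `\item` is no longer prevented. Please confirm this is intended or restore `\introlist` before the `\vspace{-0.5ex}`.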
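Review bot: In the encryption hunk (@@ -6983) the inner itemize ends up unevenly spaced: `\vspace{-0.5ex}` is added before the `\DHSecret{i}` and `\TransmitKey{i}` items, but the `\vspace{0.5ex}` before the `\TransmitCiphertext{i}` item is only removed, not replaced, so that last gap keeps the default item separation while the three gaps above it are tightened. Either add `\vspace{-0.5ex}` before `\item Let $\TransmitCiphertext{i} = ...` as well, or note in the commit message that the larger final gap is deliberate. The same hunk also introduces a third magnitude (`-0.75ex` next to `-0.5ex` and the reduced `0.5ex`); with this many hand-tuned values in one section, a pair of named macros for "tight item gap" and "tight paragraph gap" would let the numbers be retuned in one place when the surrounding text changes again.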
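Review bot: In the Sprout decryption hunk (@@ -7026) the new `\vspace{-2ex}` is placed immediately before `\lsubsubsection{Decryption\pSproutOrNothingText}{sproutdecrypt}`. Whether a negative skip directly ahead of a heading survives depends on how the heading macro combines it with its own before-skip, and if the heading lands at the top of a page the glue is discarded entirely, so the effect is page-position dependent. Please check the rendered PDF for both cases (heading mid-page and heading at a page top) rather than relying on the source; if the intent is only to tighten a specific page, a comment saying so next to the `\vspace` would help the next person who touches this region.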
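Review bot: In the `\DecryptNoteSprout` hunk (@@ -7056) the `\vspace{-1.5ex}` before the `extract $\NotePlaintext{i} = ...` item is three times the `-0.5ex` used between every other item in this block and the preceding one. Since that item is a multi-line math expression and the line above it ("if $\TransmitPlaintext{i} = \bot$, return $\bot$") is short, a -1.5ex correction risks the two visually running together; please confirm it was checked in the PDF or bring it in line with the other gaps. Separately, the `\introlist` added before "To test whether a \note is unspent in a particular \blockChain ..." precedes prose that, in the visible context, continues as a paragraph rather than a list; if `\introlist` is meant for list introductions, say why it is wanted here.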
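Review bot: In the Sapling/Orchard encryption hunk (@@ -7130) the `\vspace{-2ex}` is placed between `\sapling{` and the `\extralabel{saplingencrypt}{\lsubsubsection{...}}` heading, so it is only emitted when the `\sapling` conditional is active, and it carries the same caveat as the corresponding skip before the Sprout decryption heading: verify in the rendered output that the negative space actually takes effect ahead of the heading and that the result still looks right when the heading falls at a page top, where the glue is dropped.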