diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 9d9d922e..aa90d129 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -5588,11 +5588,10 @@ The encoded \transaction is submitted to the peer-to-peer network. \nufive{ -\vspace{-2ex} +\vspace{-1ex} \introlist \lsubsubsection{Sending Notes (\OrchardText)}{orchardsend} -\vspace{-1ex} In order to send \Orchard \shielded value, the sender constructs a \transaction with one or more \actionDescriptions. This section describes how to produce the output-related fields of an \actionDescription. @@ -5613,12 +5612,10 @@ Let $\DiversifyHash{Orchard}$ be as specified in \crossref{abstracthashes}. \vspace{-0.25ex} Let $\ToScalar{Orchard}$ and $\ToBase{Orchard}$ be as specified in \crossref{orchardkeycomponents}. -\vspace{-0.25ex} Let $\reprP$, $\ParamP{r}$, and the \pallasCurve be as defined in \crossref{pallasandvesta}. Let $\ExtractPbot$ be as defined in \crossref{concreteextractorpallas}. -\vspace{-0.25ex} Let $\ItoLEOSP{}$ be as defined in \crossref{endian}. \vspace{0.5ex} 
@@ -5636,21 +5633,17 @@ and a destination \Orchard \shieldedPaymentAddress $(\Diversifier, \DiversifiedT performs the following steps: \begin{algorithm} - \vspace{-0.75ex} + \vspace{-0.5ex} \item Check that $\DiversifiedTransmitPublic$ is of type $\KAPublic{Orchard}$. \item Calculate $\DiversifiedTransmitBase = \DiversifyHash{Orchard}(\Diversifier)$. - \vspace{-0.25ex} \item Choose a uniformly random \commitmentTrapdoor $\ValueCommitRand \leftarrowR \ValueCommitGenTrapdoor{Orchard}()$. - \vspace{-0.25ex} \item Choose uniformly random $\NoteSeedBytes \leftarrowR \NoteSeedBytesType$. - \vspace{-0.25ex} \item Let $\NoteUniqueRand = \nfOld{}$ from the same \actionDescription, and let $\NoteUniqueRandBytes = \ItoLEOSPOf{256}{\NoteUniqueRand}$. \item Derive $\EphemeralPrivate = \ToScalar{Orchard}\big(\PRFexpand{\NoteSeedBytes}([4] \bconcat \NoteUniqueRandBytes)\kern-0.1em\big)$. \item Derive $\NoteCommitRand = \ToScalar{Orchard}\big(\PRFexpand{\NoteSeedBytes}([5] \bconcat \NoteUniqueRandBytes)\kern-0.11em\big)$. \item Derive $\NoteNullifierRand = \ToBase{Orchard}\big(\PRFexpand{\NoteSeedBytes}([9] \bconcat \NoteUniqueRandBytes)\kern-0.09em\big)$. \item Let $\cvNet{}$ be the \valueCommitment to the value of the input \note minus the value $\Value$ of the output \note for this \actionTransfer, using $\ValueCommitRand$, as described in \crossref{orchardbalance}. - \vspace{-0.25ex} \item Let $\cmX = \ExtractPbot\big(\NoteCommit{Orchard}{\NoteCommitRand}(\reprP\Of{\DiversifiedTransmitBase}, \reprP\Of{\DiversifiedTransmitPublic}, \Value, \NoteUniqueRand, \NoteNullifierRand)\kern-0.1em\big)$. 
@@ -5670,12 +5663,11 @@ performs the following steps: \item Return $(\cv, \cmX, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \Proof{})$. \end{algorithm} -\vspace{-1.5ex} +\vspace{-0.5ex} If no real \Orchard \note is being spent in the same \actionTransfer, the sender \SHOULD create a \dummyNote to spend as described in \crossref{orcharddummynotes}, and use that \dummyNote's \nullifier as the $\NoteUniqueRand$ value. -\vspace{-0.25ex} In order to minimize information leakage, the sender \SHOULD randomize the order of \actionDescriptions in a \transaction. Other considerations relating to information leakage from the structure of \transactions are beyond the scope of this specification. 
@@ -5683,46 +5675,38 @@ The encoded \transaction is submitted to the peer-to-peer network. } %nufive -\vspace{-2ex} \lsubsection{Dummy Notes}{dummynotes} -\vspace{-1.5ex} \lsubsubsection{Dummy Notes (\SproutText)}{sproutdummynotes} -\vspace{-1.5ex} The fields in a \joinSplitDescription allow for $\NOld$ input \notes, and $\NNew$ output \notes. In practice, we may wish to encode a \joinSplitTransfer with fewer input or output \notes. This is achieved using \defining{\dummyNotes}. \introlist -\vspace{0.25ex} +\vspace{0.5ex} Let $\AuthPrivateLength$ and $\PRFOutputLengthSprout$ be as defined in \crossref{constants}. -\vspace{-0.25ex} \introlist Let $\PRFnf{Sprout}{}$ be as defined in \crossref{abstractprfs}. -\vspace{-0.25ex} Let $\NoteCommitAlg{Sprout}$ be as defined in \crossref{abstractcommit}. +\introlist \vspace{0.5ex} A \dummy \Sprout input \note, with index $i$ in the \joinSplitDescription, is constructed as follows: -\vspace{-0.5ex} \begin{itemize} \item Generate a new uniformly random \spendingKey $\AuthPrivateOld{i} \leftarrowR \bitseq{\AuthPrivateLength}$ and derive its \payingKey $\AuthPublicOld{i}$. - \vspace{-0.6ex} + \vspace{-0.4ex} \item Set $\vOld{i} = 0$. - \vspace{-0.8ex} + \vspace{-0.4ex} \item Choose uniformly random $\NoteUniqueRandOld{i} \leftarrowR \PRFOutputSprout$ and $\NoteCommitRandOld{i} \leftarrowR \NoteCommitGenTrapdoor{Sprout}()$. - \vspace{-0.2ex} \item Compute $\nfOld{i} = \PRFnf{Sprout}{\AuthPrivateOld{i}}(\NoteUniqueRandOld{i})$. - \vspace{-0.2ex} \item Let $\TreePath{i}$ be a \dummy \merklePath for the \auxiliaryInput to the \joinSplitStatement (this will not be checked). - \vspace{-0.2ex} \item When generating the \joinSplitProof\!\!, set $\EnforceMerklePath{i}$ to $0$. \end{itemize} 
@@ -7913,12 +7897,14 @@ Define: } %nufive \item $\Uncommitted{Sprout} \typecolon \bitseq{\MerkleHashLength{Sprout}} := \zeros{\MerkleHashLength{Sprout}}$ \sapling{ + \vspace{-0.25ex} \item $\Uncommitted{Sapling} \typecolon \bitseq{\MerkleHashLength{Sapling}} := \ItoLEBSPOf{\MerkleHashLength{Sapling}}{1}$ } %sapling \nufive{ \vspace{-1ex} \item $\Uncommitted{Orchard} \typecolon \GroupPx := 2$ } %nufive + \vspace{0.25ex} \item $\MAXMONEY \typecolon \Nat := 2.1 \smult 10^{15}$ (\zatoshi) \blossom{ \item $\BlossomActivationHeight \typecolon \Nat := \begin{cases}
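Review bot: In the hunk at @@ -5613,12 +5612,10 @@ the cleanup of the "Let ..." definitions is incomplete: the `\vspace{-0.25ex}` before "Let $\ToScalar{Orchard}$ and $\ToBase{Orchard}$ ..." is kept as context, while the identical adjustments before "Let $\reprP$ ..." and "Let $\ItoLEOSP{}$ ..." are deleted. That leaves one definition in the run set tighter than its neighbours. Either drop the remaining `\vspace{-0.25ex}` as well, or add a short comment saying why that one line still needs it.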
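Review bot: In the hunk at @@ -5683,46 +5675,38 @@ the dummy Sprout input note list ends up with uneven item spacing: `\vspace{-0.4ex}` is kept (retuned from -0.6ex and -0.8ex) before "Set $\vOld{i} = 0$" and before "Choose uniformly random ...", but the three `\vspace{-0.2ex}` lines before the later items are removed outright. The first three items will therefore sit closer together than the last three. If the goal is to remove hand-tuned spacing, delete the two `\vspace{-0.4ex}` lines too, or set the item separation once for the whole `itemize` so later edits to the list do not need per-item adjustment.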
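Review bot: In the hunk at @@ -7913,12 +7897,14 @@ the added `\vspace{0.25ex}` before the `\MAXMONEY` item sits after `} %nufive`, outside both the `\sapling{...}` and `\nufive{...}` groups, whereas the added `\vspace{-0.25ex}` is inside `\sapling{` and the existing `\vspace{-1ex}` is inside `\nufive{`. If those wrappers are used to build variants of the document without the Sapling or Orchard items, the positive adjustment will still apply there without the negative ones it appears to balance. Move `\vspace{0.25ex}` inside the `\nufive{...}` group after the `\Uncommitted{Orchard}` item if it is compensating for that block, and consider why the Sapling item needs -0.25ex while the Orchard item needs -1ex.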