From cbf4cb52f190f0673140bd28f35cb2a69157fd01 Mon Sep 17 00:00:00 2001
From: Daira Hopwood
Date: Sat, 4 Jul 2020 03:26:49 +0100
Subject: [PATCH] Adjust the order of operations in Sapling decryption to more closely match the implementation, and improve the notes.

Signed-off-by: Daira Hopwood
---
 protocol/protocol.tex | 37 ++++++++++++++++++++++---------------
 1 file changed, 22 insertions(+), 15 deletions(-)

diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index 6fa21251..2775f247 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -5652,6 +5652,11 @@ from $\TransmitPlaintext{}$
 \item let $\NoteCommitRand = \LEOStoIPOf{256}{\NoteCommitRandBytes}$ and $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$
 \item if $\NoteCommitRand \geq \ParamJ{r}$ or $\DiversifiedTransmitBase = \bot$, return $\bot$
+ \item let $\DiversifiedTransmitPublic = \KASaplingDerivePublic(\InViewingKey, \DiversifiedTransmitBase)$
+ \item let $\cmU' = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase},
+ \reprJ\Of{\DiversifiedTransmitPublic},
+ \Value)\kern-0.12em\big)$.
+ \item if $\LEBStoOSPOf{256}{\cmU'} \neq \cmuField$, return $\bot$
 \canopyonwarditem{if $\NotePlaintextLeadByte \neq \hexint{01}$:}
 \canopy{
 \item \tab $\EphemeralPrivate = \ToScalar\big(\PRFexpand{\NoteSeedBytes}(\hexarray{04})\kern-0.11em\big)$
@@ -5659,11 +5664,7 @@ from $\TransmitPlaintext{}$
 return $\bot$
 \item \blank
 }
- \item let $\DiversifiedTransmitPublic = \KASaplingDerivePublic(\InViewingKey, \DiversifiedTransmitBase)$
- \item let $\cmU' = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase}, \reprJ\Of{\DiversifiedTransmitPublic}, \Value)\kern-0.12em\big)$.
- \item if $\LEBStoOSPOf{256}{\cmU'} \neq \cmuField$, return $\bot$, else return $\NotePlaintext{}$.
+ \item return $\NotePlaintext{}$.
 \end{algorithm}
 \vspace{-0.5ex}
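Review bot: The added `\item let $\cmU' = \ExtractJ\big(...\Value)\kern-0.12em\big)$.` in the first hunk keeps the trailing full stop copied from the removed line, where it was the last computation before the final `if ... else return`; in the new order it is followed by the added `\item if $\LEBStoOSPOf{256}{\cmU'} \neq \cmuField$, return $\bot$`, which has no full stop, and the second hunk drops the same stop on the corresponding line (`+ \Value)\kern-0.12em\big)$`). For consistency between the two decryption procedures, change `\Value)\kern-0.12em\big)$.` to `\Value)\kern-0.12em\big)$` here as well. As far as the visible steps show, every failing check returns the same $\bot$ and none has a side effect, so moving the commitment check ahead of the lead-byte branch does not change which plaintexts are accepted; a one-sentence note beside the algorithm saying that the listed order follows the implementation and that the outcome of the checks is order-independent would keep implementors from reading the sequence as normative.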
@@ -5744,28 +5745,34 @@ from $\TransmitPlaintext{}$
 \item let $\NoteCommitRand = \LEOStoIPOf{256}{\NoteCommitRandBytes}$ and $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$
 \item if $\NoteCommitRand \geq \ParamJ{r}$ or $\DiversifiedTransmitBase = \bot$, return $\bot$
- \item if $\KASaplingDerivePublic(\EphemeralPrivate, \DiversifiedTransmitBase) \neq \EphemeralPublic$,
- return $\bot$
 \item let $\cmU' = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase}, \reprJ\Of{\DiversifiedTransmitPublic},
- \Value)\kern-0.12em\big)$.
- \item if $\LEBStoOSPOf{256}{\cmU'} \neq \cmuField$, return $\bot$, else return $\NotePlaintext{}$.
+ \Value)\kern-0.12em\big)$
+ \item if $\LEBStoOSPOf{256}{\cmU'} \neq \cmuField$, return $\bot$
+ \item if $\KASaplingDerivePublic(\EphemeralPrivate, \DiversifiedTransmitBase) \neq \EphemeralPublic$,
+ return $\bot$
+ \item return $\NotePlaintext{}$.
 \end{algorithm}
-} %sapling
 \vspace{-0.5ex}
 \pnote{For a valid \transaction it must be the case that $\ephemeralKey = \LEBStoOSP{\ellJ}\big(\reprJ\Of{\EphemeralPublic}\kern-0.15em\big)$.}
-\canopyonwardnnote{From the step ``let $\TransmitPlaintext{} = \SymDecrypt{\TransmitKey{}}(\TransmitCiphertext{})$''
-onward, this procedure differs from that in \crossref{saplingdecryptivk} only in two ways:
+\vspace{-1ex}
+\nnote{Implementors should pay close attention to the similarities and differences between this procedure
+and that in \crossref{saplingdecryptivk}. \canopy{In particular:
 \begin{itemize}
 \item in this procedure, the ephemeral \privateKey $\EphemeralPrivate'$ derived from $\NoteSeedBytes$
- is checked to be identical to that obtained from $\OutPlaintext$.
+ is checked to be identical to that obtained from $\OutPlaintext$ (when $\NotePlaintextLeadByte \neq \hexint{01}$);
 \item in this procedure, $\DiversifiedTransmitPublic$ is obtained from $\OutPlaintext$
- rather than being derived as $\KASaplingDerivePublic(\InViewingKey, \DiversifiedTransmitBase)$.
+ rather than being derived as $\KASaplingDerivePublic(\InViewingKey, \DiversifiedTransmitBase)$;
+ \item in this procedure, the check that $\KASaplingDerivePublic(\EphemeralPrivate, \DiversifiedTransmitBase) = \EphemeralPublic$
+ is unconditional rather than being dependent on $\NotePlaintextLeadByte \neq \hexint{01}$, and it uses the $\EphemeralPrivate$
+ obtained from $\OutPlaintext$.
 \end{itemize}
-} %canopyonwardnnote
+} %canopy
+} %nnote
+} %sapling
 \lsubsection{Block Chain Scanning\pSproutOrNothingText}{sproutscan}