Adjust the order of operations in Sapling decryption to more closely match the implementation, and improve the notes.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-07-04 03:26:49 +01:00 · 2020-07-04 03:26:49 +01:00 · cbf4cb52f1
parent 47a2c78990
commit cbf4cb52f1
1 changed files with 22 additions and 15 deletions
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@ -5652,6 +5652,11 @@ from $\TransmitPlaintext{}$
  \item let $\NoteCommitRand = \LEOStoIPOf{256}{\NoteCommitRandBytes}$
        and $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$
  \item if $\NoteCommitRand \geq \ParamJ{r}$ or $\DiversifiedTransmitBase = \bot$, return $\bot$
+  \item let $\DiversifiedTransmitPublic = \KASaplingDerivePublic(\InViewingKey, \DiversifiedTransmitBase)$
+  \item let $\cmU' = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase},
+                                                                       \reprJ\Of{\DiversifiedTransmitPublic},
+                                                                       \Value)\kern-0.12em\big)$.
+  \item if $\LEBStoOSPOf{256}{\cmU'} \neq \cmuField$, return $\bot$
  \canopyonwarditem{if $\NotePlaintextLeadByte \neq \hexint{01}$:}
 \canopy{
  \item \tab $\EphemeralPrivate = \ToScalar\big(\PRFexpand{\NoteSeedBytes}(\hexarray{04})\kern-0.11em\big)$
@ -5659,11 +5664,7 @@ from $\TransmitPlaintext{}$
        return $\bot$
  \item \blank
 }
-  \item let $\DiversifiedTransmitPublic = \KASaplingDerivePublic(\InViewingKey, \DiversifiedTransmitBase)$
-  \item let $\cmU' = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase},
-                                                                       \reprJ\Of{\DiversifiedTransmitPublic},
-                                                                       \Value)\kern-0.12em\big)$.
-  \item if $\LEBStoOSPOf{256}{\cmU'} \neq \cmuField$, return $\bot$, else return $\NotePlaintext{}$.
+  \item return $\NotePlaintext{}$.
 \end{algorithm}

 \vspace{-0.5ex}
@ -5744,28 +5745,34 @@ from $\TransmitPlaintext{}$
  \item let $\NoteCommitRand = \LEOStoIPOf{256}{\NoteCommitRandBytes}$
        and $\DiversifiedTransmitBase = \DiversifyHash(\Diversifier)$
  \item if $\NoteCommitRand \geq \ParamJ{r}$ or $\DiversifiedTransmitBase = \bot$, return $\bot$
-  \item if $\KASaplingDerivePublic(\EphemeralPrivate, \DiversifiedTransmitBase) \neq \EphemeralPublic$,
-        return $\bot$
  \item let $\cmU' = \ExtractJ\big(\NoteCommitSapling{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase},
                                                                       \reprJ\Of{\DiversifiedTransmitPublic},
-                                                                       \Value)\kern-0.12em\big)$.
-  \item if $\LEBStoOSPOf{256}{\cmU'} \neq \cmuField$, return $\bot$, else return $\NotePlaintext{}$.
+                                                                       \Value)\kern-0.12em\big)$
+  \item if $\LEBStoOSPOf{256}{\cmU'} \neq \cmuField$, return $\bot$
+  \item if $\KASaplingDerivePublic(\EphemeralPrivate, \DiversifiedTransmitBase) \neq \EphemeralPublic$,
+        return $\bot$
+  \item return $\NotePlaintext{}$.
 \end{algorithm}
-} %sapling

 \vspace{-0.5ex}
 \pnote{For a valid \transaction it must be the case that
 $\ephemeralKey = \LEBStoOSP{\ellJ}\big(\reprJ\Of{\EphemeralPublic}\kern-0.15em\big)$.}

-\canopyonwardnnote{From the step ``let $\TransmitPlaintext{} = \SymDecrypt{\TransmitKey{}}(\TransmitCiphertext{})$''
-onward, this procedure differs from that in \crossref{saplingdecryptivk} only in two ways:
+\vspace{-1ex}
+\nnote{Implementors should pay close attention to the similarities and differences between this procedure
+and that in \crossref{saplingdecryptivk}. \canopy{In particular:
 \begin{itemize}
  \item in this procedure, the ephemeral \privateKey $\EphemeralPrivate'$ derived from $\NoteSeedBytes$
-        is checked to be identical to that obtained from $\OutPlaintext$.
+        is checked to be identical to that obtained from $\OutPlaintext$ (when $\NotePlaintextLeadByte \neq \hexint{01}$);
  \item in this procedure, $\DiversifiedTransmitPublic$ is obtained from $\OutPlaintext$
-        rather than being derived as $\KASaplingDerivePublic(\InViewingKey, \DiversifiedTransmitBase)$.
+        rather than being derived as $\KASaplingDerivePublic(\InViewingKey, \DiversifiedTransmitBase)$;
+  \item in this procedure, the check that $\KASaplingDerivePublic(\EphemeralPrivate, \DiversifiedTransmitBase) = \EphemeralPublic$
+        is unconditional rather than being dependent on $\NotePlaintextLeadByte \neq \hexint{01}$, and it uses the $\EphemeralPrivate$
+        obtained from $\OutPlaintext$.
 \end{itemize}
-} %canopyonwardnnote
+} %canopy
+} %nnote
+} %sapling

 \lsubsection{Block Chain Scanning\pSproutOrNothingText}{sproutscan}