mirror of https://github.com/zcash/zips.git
Cosmetics.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood
parent
fc71b29163
commit
d029d67779
|
|
@ -2688,10 +2688,10 @@ $(m^*, \sigma^*) \not\in \Oracle_{\sk}\mathsf{.}Q$.
|
|||
by removing the need for two oracles (since the oracle for original keys,
|
||||
called $\Oracle_1$ in \cite{FKMSSS2016}, is a special case of the oracle for
|
||||
randomized keys).
|
||||
\item The fact that
|
||||
\item Since
|
||||
$\left(\SigRandomizePublic(\pk, \SigRandomness), \SigRandomizePrivate(\sk, \SigRandomness)\right) :
|
||||
\SigRandomness \leftarrowR \SigRandom$ is identically distributed to $\SigGen()$,
|
||||
implies that the combination of a re-randomized public key and signature(s)
|
||||
the combination of a re-randomized public key and signature(s)
|
||||
under that key do not reveal the key from which it was re-randomized.
|
||||
\item Since $\SigRandomizePrivate(\paramdot, \SigRandomness)$ is injective and
|
||||
easily invertible, knowledge of $\SigRandomizePrivate(\sk, \SigRandomness)$
|
||||
|
|
@ -3050,7 +3050,7 @@ are derived as follows:
|
|||
\introlist
|
||||
$\AuthSignPublic$, $\AuthProvePublic$, and $\InViewingKey$ are then derived as follows:
|
||||
|
||||
\begin{tabular}{@{\hskip 2em}r@{\;}l}
|
||||
\begin{tabular}{@{\hskip 1.7em}r@{\;}l}
|
||||
$\AuthSignPublic$ &$:= \scalarmult{\AuthSignPrivate}{\AuthSignBase}$ \\
|
||||
$\AuthProvePublic$ &$:= \scalarmult{\AuthProvePrivate}{\AuthProveBase}$ \\
|
||||
$\InViewingKey$ &$:= \CRHivkBox{\crhivkinputbox}$.
|
||||
|
|
@ -3345,14 +3345,8 @@ $(\Diversifier, \DiversifiedTransmitPublic)$, and then performs the following st
|
|||
\NoteCommitSapling{\NoteCommitRandNew{\OutputIndex}}(\reprJOf{\DiversifiedTransmitBase},
|
||||
\reprJOf{\DiversifiedTransmitPublic},
|
||||
\ValueNew{\OutputIndex})$ \\[1ex]
|
||||
$\EphemeralPublic$ &$:= \KASaplingDerivePublic(\EphemeralPrivate, \DiversifiedTransmitBase)$.
|
||||
\end{tabular}
|
||||
|
||||
\item Calculate $\DHSecret{} \typecolon \AffineEdwardsJubjub$ using an
|
||||
Edwards scalar multiplication with cofactor 8:
|
||||
|
||||
\begin{tabular}{@{\hskip 2em}r@{\;}l}
|
||||
$\DHSecret{}$ &$:= \KASaplingAgree(\EphemeralPrivate, \DiversifiedTransmitPublic)$
|
||||
$\EphemeralPublic$ &$:= \KASaplingDerivePublic(\EphemeralPrivate, \DiversifiedTransmitBase)$ \\
|
||||
$\DHSecret{}$ &$:= \KASaplingAgree(\EphemeralPrivate, \DiversifiedTransmitPublic)$.
|
||||
\end{tabular}
|
||||
|
||||
\item Let $\Key := \KDFSapling(\OutputIndex, \DHSecret{}, \EphemeralPublic)$.
|
||||
|
|
@ -3663,7 +3657,6 @@ For details of the form and encoding of proofs, see \crossref{phgr}.
|
|||
|
||||
|
||||
\sapling{
|
||||
\vspace{50ex}
|
||||
\introsection
|
||||
\subsubsection{\SpendStatement{} (\Sapling)} \label{spendstatement}
|
||||
|
||||
|
|
@ -3707,8 +3700,8 @@ $\pack(\cmOld{}) = \NoteCommitSapling{\NoteCommitRandOld{}}(\DiversifiedTransmit
|
|||
|
||||
\snarkcondition{Merkle path validity} \label{saplingmerklepathvalidity}
|
||||
|
||||
$\treepath{}$ must be a valid \merklePath of depth $\MerkleDepthSapling$, as defined in
|
||||
\crossref{merklepath}, from $\cmOld{}$ to \noteCommitmentTree root $\rt$.
|
||||
$\treepath{}$ is a valid \merklePath, as defined in \crossref{merklepath}, of depth
|
||||
$\MerkleDepthSapling$ from $\cmOld{}$ to the \anchor $\rt$.
|
||||
|
||||
\snarkcondition{Value commitment integrity} \label{saplingvaluecommitmentintegrity}
|
||||
|
||||
|
|
@ -3716,45 +3709,36 @@ $\cvOld{} = \ValueCommit{\ValueCommitRandOld{}}(\vOld{})$.
|
|||
|
||||
\snarkcondition{Point validity checks} \label{saplingpointvalidity}
|
||||
|
||||
$\AuthSignRandomizedPublicOld, \AuthSignPublic, \DiversifiedTransmitBase \in \GroupJ$.
|
||||
|
||||
$\scalarmult{8}{\AuthSignRandomizedPublicOld} \neq \ZeroJ$.
|
||||
|
||||
$\scalarmult{8}{\AuthSignPublic} \neq \ZeroJ$.
|
||||
|
||||
$\scalarmult{8}{\DiversifiedTransmitBase} \neq \ZeroJ$.
|
||||
$\AuthSignRandomizedPublicOld, \AuthSignPublic, \DiversifiedTransmitBase \in \GroupJ$ and
|
||||
are not of small order, i.e.\ $\scalarmult{8}{\AuthSignRandomizedPublicOld} \neq \ZeroJ$
|
||||
and $\scalarmult{8}{\AuthSignPublic} \neq \ZeroJ$
|
||||
and $\scalarmult{8}{\DiversifiedTransmitBase} \neq \ZeroJ$.
|
||||
|
||||
\snarkcondition{\Nullifier{} integrity} \label{saplingnullifierintegrity}
|
||||
|
||||
$\nfOld{} = \PRFnfSapling{\AuthProvePublic}(\NoteAddressRand)$.
|
||||
|
||||
where
|
||||
$\nfOld{} = \PRFnfSapling{\AuthProvePublic}(\NoteAddressRand)$ where
|
||||
|
||||
\begin{formulae}
|
||||
\item $\AuthProvePublic = \scalarmult{\AuthProvePrivate}{\AuthProveBase}$
|
||||
\item $\NoteAddressRand = \MixingPedersenHash(\cmOld{}, \NotePosition)$
|
||||
\item $\NoteAddressRand = \MixingPedersenHash(\cmOld{}, \NotePosition)$.
|
||||
\end{formulae}
|
||||
|
||||
\snarkcondition{Spend authority} \label{saplingspendauthority}
|
||||
|
||||
$\AuthSignRandomizedPublicOld = \AuthSignPublic + \scalarmult{\AuthSignRandomness}{\AuthSignBase}$
|
||||
|
||||
where
|
||||
$\AuthSignRandomizedPublicOld = \AuthSignPublic + \scalarmult{\AuthSignRandomness}{\AuthSignBase}$ where
|
||||
|
||||
\begin{formulae}
|
||||
\item $\AuthSignRandomizedPublicOld \typecolon \GroupJ = \abstJOf{\AuthSignRandomizedPublicOldRepr}$
|
||||
\item $\AuthSignPublic \typecolon \GroupJ = \abstJOf{\AuthSignPublicRepr}$
|
||||
\item $\AuthSignRandomizedPublicOld \typecolon \GroupJ = \abstJOf{\strut\smash{\AuthSignRandomizedPublicOldRepr}}$
|
||||
\item $\AuthSignPublic \typecolon \GroupJ = \abstJOf{\AuthSignPublicRepr}$.
|
||||
\end{formulae}
|
||||
|
||||
\snarkcondition{Diversified address integrity} \label{saplingaddressintegrity}
|
||||
|
||||
$\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$
|
||||
|
||||
where
|
||||
$\DiversifiedTransmitPublic = \scalarmult{\InViewingKey}{\DiversifiedTransmitBase}$ where
|
||||
|
||||
\begin{formulae}
|
||||
\item $\InViewingKey = \CRHivk(\AuthSignPublicRepr, \AuthProvePublicRepr)$
|
||||
\item $\DiversifiedTransmitBase = \abstJOf{\DiversifiedTransmitBaseRepr}$
|
||||
\item $\DiversifiedTransmitBase = \abstJOf{\DiversifiedTransmitBaseRepr}$.
|
||||
\end{formulae}
|
||||
|
||||
|
||||
|
|
@ -4464,6 +4448,7 @@ We define $\MixingPedersenHash \typecolon \GroupJ \times \range{0}{\ParamJ{r}-1}
|
|||
\item $\MixingPedersenHash(P, x) := P + \scalarmult{x}{\NotePositionBase}$.
|
||||
\end{formulae}
|
||||
|
||||
\vspace{-3ex}
|
||||
\securityrequirement{
|
||||
The function
|
||||
\begin{formulae}
|
||||
|
|
@ -4474,6 +4459,7 @@ The function
|
|||
must be \collisionResistant on $(r, M, x)$.
|
||||
}
|
||||
|
||||
\vspace{2ex}
|
||||
See \crossref{cctmixinghash} for efficient circuit implementation of this function.
|
||||
} %sapling
|
||||
|
||||
|
|
@ -6226,7 +6212,7 @@ The encoding of $\joinSplitPubKey$ and the data to be signed are specified in
|
|||
\end{consensusrules}
|
||||
|
||||
In addition, consensus rules associated with each \joinSplitDescription (\crossref{joinsplitencoding})\sapling{,
|
||||
\spendDescription (\crossref{spendencoding}), and \outputDescription (\crossref{outputencoding})}
|
||||
each \spendDescription (\crossref{spendencoding}), and each \outputDescription (\crossref{outputencoding})}
|
||||
\MUST be followed.
|
||||
|
||||
\begin{pnotes}
|
||||
|
|
@ -6384,7 +6370,7 @@ Consensus rules applying to a \spendDescription are given in \crossref{spenddesc
|
|||
|
||||
Let $\LEBStoOSP{}{}$ be as defined in \crossref{endian}.
|
||||
|
||||
An abstract \outputDescription, as described in \crossref{spendsandoutputs}, is encoded in
|
||||
An abstract \outputDescription, described in \crossref{spendsandoutputs}, is encoded in
|
||||
a \transaction as an instance of an \type{OutputDescription} type as follows:
|
||||
|
||||
\begin{center}
|
||||
|
|
|
|||
Loading…
Reference in New Issue