From d18edb4abc4055a41121eef23415708d17de0154 Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Fri, 8 Feb 2019 22:59:38 +0000 Subject: [PATCH] Rename zk-SNARK Parameters sections according to the proving system. Signed-off-by: Daira Hopwood --- protocol/protocol.tex | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/protocol/protocol.tex b/protocol/protocol.tex index c4897733..ed7196d3 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -578,8 +578,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\verifyingKeys}{\term{verifying keys}} \newcommand{\zkVerifyingKeys}{\term{zero-knowledge verifying keys}} \newcommand{\joinSplitParameters}{\term{JoinSplit parameters}} -\newcommand{\SproutZKParameters}{\titleterm{\notsprout{\Sprout }zk-SNARK Parameters}} -\newcommand{\SaplingZKParameters}{\titleterm{\Sapling zk-SNARK Parameters}} +\newcommand{\BCTVZKParameters}{\titleterm{BCTV14 zk-SNARK Parameters}} +\newcommand{\GrothZKParameters}{\titleterm{Groth16 zk-SNARK Parameters}} \newcommand{\rankOneConstraintSystem}{\term{Rank 1 Constraint System}} \newcommand{\primary}{\term{primary}} \newcommand{\primaryInput}{\term{primary input}} @@ -3613,7 +3613,7 @@ $\JoinSplit$ refers to this \provingSystem with the $\BNCurve$ pairing, specialized to the \joinSplitStatement given in \crossref{joinsplitstatement}. In this case we omit the key subscripts on $\JoinSplitProve$ and $\JoinSplitVerify$, taking them to be the particular \provingKey and \verifyingKey defined by the -\joinSplitParameters in \crossref{sproutparameters}. +\joinSplitParameters in \crossref{bctvparameters}. } %sprout \sapling{ \introlist 
@@ -3637,17 +3637,17 @@ These specializations are: $\JoinSplit$ for the \Sprout $\BLSCurve$); $\Spend$ for the \Sapling \spendStatement; and $\Output$ for the \Sapling \outputStatement. -We omit the key subscripts on $\JoinSplitProve$ and +We omit key subscripts on $\JoinSplitProve$ and $\JoinSplitVerify$, taking them to be either the $\BCTV$ \provingKey -and \verifyingKey defined in \crossref{sproutparameters}, or the +and \verifyingKey defined in \crossref{bctvparameters}, or the \texttt{sprout-groth16.params} $\Groth$ \provingKey and \verifyingKey -defined in \crossref{saplingparameters}, according to whether the proof +defined in \crossref{grothparameters}, according to whether the proof appears in a \block before or after \Sapling activation. We also omit subscripts on $\SpendProve$, $\SpendVerify$, $\OutputProve$, and $\OutputVerify$, taking them to be the relevant $\Groth$ \provingKeys and -\verifyingKeys defined in \crossref{saplingparameters}. +\verifyingKeys defined in \crossref{grothparameters}. } %sapling @@ -7601,7 +7601,7 @@ other details of the \provingSystem are beyond the scope of this protocol document. For example, certain details of the translations of the \spendStatement and \outputStatement to \quadraticArithmeticPrograms are not specified in this document. In practice it will be necessary to use the specific proving and verification keys -generated for the \Zcash production \blockchain (see \crossref{saplingparameters}), +generated for the \Zcash production \blockchain (see \crossref{grothparameters}), and a \provingSystem implementation that is interoperable with the \bellman library used by \Zcash, to ensure compatibility. } 
@@ -8111,7 +8111,7 @@ For \spendingKeys on the test network, the \humanReadablePart is \ascii{secret-s \introlist -\subsection{\SproutZKParameters} \label{sproutparameters} +\subsection{\BCTVZKParameters} \label{bctvparameters} For the \Zcash production \blockchain and testnet, the $\SHAFull$ hashes of the \provingKey and \verifyingKey for the \SproutOrZcash \joinSplitCircuit, encoded in @@ -8129,7 +8129,7 @@ activation.} \sapling{ \introsection -\subsection{\SaplingZKParameters} \label{saplingparameters} +\subsection{\GrothZKParameters} \label{grothparameters} \bellman \cite{Bowe-bellman} encodes the \provingKey and \verifyingKey for a \zkSNARKCircuit in a single parameters file. The $\BlakeTwob{512}$ hashes of this file @@ -8157,7 +8157,7 @@ Let $\URS := \ascii{096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b4 This value is used in the definition of $\GroupJHash{}$ in \crossref{concretegrouphashjubjub}, and in the multi-party computation to obtain the \Sapling parameters given in -\crossref{saplingparameters}. +\crossref{grothparameters}. It is derived as described in \cite{Bowe2018}: @@ -9803,6 +9803,11 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \begin{itemize} \item Correct [SBB2019] to \cite{SWB2019}. \item The $\BCTV$ vulnerability affected Soundness as well as Knowledge Soundness. +\sapling{ + \item Rename zk-SNARK Parameters sections to be named according to the proving + system ($\BCTV$ or $\Groth$), not the shielded protocol construction + (\Sprout or \Sapling). +} \end{itemize} \introlist
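Review bot: In the hunk at `@@ -3637,17 +3637,17 @@`, the first changed line also drops the article ("We omit the key subscripts" becomes "We omit key subscripts"), which is a wording change unrelated to the section rename this commit describes. Either keep the original wording so the hunk stays a pure `\crossref` update, or mention the wording tweak in the commit message so a reader of the history does not have to guess whether it was intentional.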
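Review bot: In the hunk at `@@ -8111,7 +8111,7 @@`, replacing `\label{sproutparameters}` with `\label{bctvparameters}` (and likewise `saplingparameters` with `grothparameters` in the following hunk) changes the PDF anchor that hyperref generates for these sections, so any existing deep link or external reference to the old anchors stops resolving, even though every `\crossref` inside this file is updated. If keeping the old anchors reachable matters, consider leaving an alias such as `\label{sproutparameters}` alongside the new `\label{bctvparameters}` (a second `\label` on the same section resolves to the same target), or note in the commit message that the anchors are intentionally retired.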
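Review bot: In the hunk at `@@ -9803,6 +9803,11 @@`, the new changelog item is wrapped in `\sapling{ ... }`, but the rename it describes is not Sapling-only: the `\BCTVZKParameters` macro definition and the `\subsection{\BCTVZKParameters} \label{bctvparameters}` change both sit outside any `\sapling{}` guard, and the old macro used `\notsprout{\Sprout }` so that the Sprout-only build read just "zk-SNARK Parameters", which now becomes "BCTV14 zk-SNARK Parameters" in that build too. Either drop the `\sapling{}` wrapper so the Sprout-only build also records the rename, or split the item so that the `\Groth` half is guarded and the `\BCTV` half is unconditional, e.g. keep "Rename zk-SNARK Parameters sections to be named according to the proving system" outside the guard and put only the `\Groth`/`\Sapling` mention inside it.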