More Orchard WIP.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2021-03-15 16:16:40 +00:00
parent e62d57959e
commit dae8852187
2 changed files with 344 additions and 278 deletions


@ -454,6 +454,12 @@
\DeclareFontShape{U}{bskma}{m}{n}{<->bskma10}{} \DeclareFontShape{U}{bskma}{m}{n}{<->bskma10}{}
\DeclareMathSymbol{\binampersand}{\mathbin}{bskadd}{"EE} \DeclareMathSymbol{\binampersand}{\mathbin}{bskadd}{"EE}
% We just want one fivedots symbol from MnSymbol.
\DeclareSymbolFont{MnSyC}{U}{MnSymbolC}{m}{n}
\DeclareFontFamily{U}{MnSymbolC}{}
\DeclareFontShape{U}{MnSymbolC}{m}{n}{<->MnSymbolC10}{}
\DeclareMathSymbol{\fivedots}{\mathbin}{MnSyC}{15}
% $v$ is too close to $u$. % $v$ is too close to $u$.
% <https://tex.stackexchange.com/questions/130569/sharp-or-angled-v-in-math-mode-varv> % <https://tex.stackexchange.com/questions/130569/sharp-or-angled-v-in-math-mode-varv>
\DeclareSymbolFont{matha}{OML}{txmi}{m}{it} \DeclareSymbolFont{matha}{OML}{txmi}{m}{it}
@ -1253,6 +1259,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\grpzero}{\Zero_{\subgrpplus}} \newcommand{\grpzero}{\Zero_{\subgrpplus}}
\newcommand{\grpminus}{\bigboxminus{1.8ex}\,} \newcommand{\grpminus}{\bigboxminus{1.8ex}\,}
\newcommand{\grpneg}{\bigboxminus{1.8ex}} \newcommand{\grpneg}{\bigboxminus{1.8ex}}
\newcommand{\incompleteadd}{\,\fivedots\,}
\newcommand{\vartimes}{\bigvartimes{1.8ex}} \newcommand{\vartimes}{\bigvartimes{1.8ex}}
\newcommand{\band}{\binampersand} \newcommand{\band}{\binampersand}
\newcommand{\bor}{\lor} \newcommand{\bor}{\lor}
@ -1862,6 +1869,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\vOutputProofsSapling}{\mathtt{vOutputProofsSapling}} \newcommand{\vOutputProofsSapling}{\mathtt{vOutputProofsSapling}}
\newcommand{\nActionsOrchard}{\mathtt{nActionsOrchard}} \newcommand{\nActionsOrchard}{\mathtt{nActionsOrchard}}
\newcommand{\vActionsOrchard}{\mathtt{vActionsOrchard}} \newcommand{\vActionsOrchard}{\mathtt{vActionsOrchard}}
\newcommand{\flagsOrchard}{\mathtt{flagsOrchard}}
\newcommand{\sizeProofsOrchard}{\mathtt{sizeProofsOrchard}} \newcommand{\sizeProofsOrchard}{\mathtt{sizeProofsOrchard}}
\newcommand{\proofsOrchard}{\mathtt{proofsOrchard}} \newcommand{\proofsOrchard}{\mathtt{proofsOrchard}}
\newcommand{\vSpendAuthSigsOrchard}{\mathtt{vSpendAuthSigsOrchard}} \newcommand{\vSpendAuthSigsOrchard}{\mathtt{vSpendAuthSigsOrchard}}
@ -8029,6 +8037,7 @@ Let $k := 10$.
Let $c$ be the largest integer such that $2^n \leq \hfrac{\ParamP{r}-1}{2}$, Let $c$ be the largest integer such that $2^n \leq \hfrac{\ParamP{r}-1}{2}$,
i.e.\ $c := 253$. i.e.\ $c := 253$.
\introlist
Define $\SinsemillaGenInit \typecolon \byteseqs \rightarrow \GroupPstar$ and Define $\SinsemillaGenInit \typecolon \byteseqs \rightarrow \GroupPstar$ and
$\SinsemillaGenBase \typecolon \binaryrange{k} \rightarrow \GroupPstar$ by: $\SinsemillaGenBase \typecolon \binaryrange{k} \rightarrow \GroupPstar$ by:
@ -8037,6 +8046,21 @@ $\SinsemillaGenBase \typecolon \binaryrange{k} \rightarrow \GroupPstar$ by:
$\SinsemillaGenBase(j)$ &$:= \GroupPHash\!\big(\ascii{z.cash:SinsemillaS}, \LEBStoOSPOf{32}{\ItoLEBSPOf{32}{j}}\kern-0.25em\big)$. $\SinsemillaGenBase(j)$ &$:= \GroupPHash\!\big(\ascii{z.cash:SinsemillaS}, \LEBStoOSPOf{32}{\ItoLEBSPOf{32}{j}}\kern-0.25em\big)$.
\end{tabular} \end{tabular}
\vspace{1ex}
\introlist
Define $\incompleteadd \typecolon \GroupP \times \GroupP \rightarrow \maybe{\GroupP}$ as incomplete addition on the \Pallas curve:
\begin{tabular}{@{\hskip 1.5em}r@{\;}l@{\;}l@{\;}l}
$\ZeroP$ &$\incompleteadd$ &$\ZeroP$ &$= \bot$ \\
$\ZeroP$ &$\incompleteadd$ &$(x', y')$ &$= \bot$ \\
$(x, y)$ &$\incompleteadd$ &$\ZeroP$ &$= \bot$ \\
$(x, y)$ &$\incompleteadd$ &$(x', y')$ &$= \begin{cases}
\bot, &\caseif x = x' \\
(x, y) + (x', y'), &\caseotherwise\text{.}
\end{cases}$
\end{tabular}
\introlist
Define $\SinsemillaHashToPoint(D \typecolon \byteseqs, M \typecolon \bitseq{\range{0}{k \mult c}}) \rightarrow \GroupP$ as follows: Define $\SinsemillaHashToPoint(D \typecolon \byteseqs, M \typecolon \bitseq{\range{0}{k \mult c}}) \rightarrow \GroupP$ as follows:
\begin{algorithm} \begin{algorithm}
@ -8046,7 +8070,8 @@ Define $\SinsemillaHashToPoint(D \typecolon \byteseqs, M \typecolon \bitseq{\ran
each of length $k$ bits, so that $M' = \concatbits(M_\barerange{1}{n})$. each of length $k$ bits, so that $M' = \concatbits(M_\barerange{1}{n})$.
\item let mutable $\Acc := \SinsemillaGenInit(D)$ \item let mutable $\Acc := \SinsemillaGenInit(D)$
\item for $i$ from $1$ up to $n$: \item for $i$ from $1$ up to $n$:
\item \tab set $\Acc := \scalarmult{2}{\Acc} + \SinsemillaGenBase(\LEBStoIP{k}(M_i))$ \vspace{-1ex}
\item \tab set $\Acc := \Big(\Acc \incompleteadd \SinsemillaGenBase\big(\LEBStoIP{k}(M_i)\kern-0.1em\big)\kern-0.15em\Big) \incompleteadd \Acc$
\item \blank \item \blank
\item return $\Acc$. \item return $\Acc$.
\end{algorithm} \end{algorithm}
@ -8059,7 +8084,7 @@ Finally, define $\SinsemillaHash \typecolon \byteseqs \times \bitseq{\range{0}{k
\item $\SinsemillaHash(D, M) := \ExtractP\big(\SinsemillaHashToPoint\Of{D, M}\kern-0.1em\big)$. \item $\SinsemillaHash(D, M) := \ExtractP\big(\SinsemillaHashToPoint\Of{D, M}\kern-0.1em\big)$.
\end{formulae} \end{formulae}
See \todo{...} for rationale and efficient circuit implementation of these functions. See \cite[section TODO ``Sinsemilla'']{Zcash-Orchard} for rationale and efficient circuit implementation of these functions.
\securityrequirement{ \securityrequirement{
$\SinsemillaHash$ and $\SinsemillaHashToPoint$ are required to be \collisionResistant $\SinsemillaHash$ and $\SinsemillaHashToPoint$ are required to be \collisionResistant
@ -8100,7 +8125,7 @@ $\SinsemillaHashToPoint$ could return $\ZeroP$.}
} %orchard } %orchard
%\orchard{ \orchard{
\introlist \introlist
\lsubsubsubsection{\PoseidonHashText{} Function}{poseidonhash} \lsubsubsubsection{\PoseidonHashText{} Function}{poseidonhash}
@ -8165,7 +8190,7 @@ is specified as:
on the \Pallas curve, even if the $\Poseidon$-based PRF were distinguishable from on the \Pallas curve, even if the $\Poseidon$-based PRF were distinguishable from
an ideal PRF. an ideal PRF.
\end{nnotes} \end{nnotes}
%} %orchard } %orchard
\introlist \introlist
@ -9300,7 +9325,7 @@ instantiated as follows using $\SinsemillaCommitAlg$:
\begin{formulae} \begin{formulae}
\item $\CommitIvk{\CommitIvkRand}(\AuthSignPublicX, \NullifierKey) := \item $\CommitIvk{\CommitIvkRand}(\AuthSignPublicX, \NullifierKey) :=
\SinsemillaShortCommit{\NoteCommitRand}\left(\ascii{z.cash:Orchard-CommitIvk}, \SinsemillaShortCommit{\NoteCommitRand}\left(\ascii{z.cash:Orchard-CommitIvk},
\ItoLEBSP{\ScalarLength{Orchard}}(\AuthSignPublicRepr) \bconcat \ItoLEBSP{\ScalarLength{Orchard}}\NullifierKeyRepr\right)$ \ItoLEBSP{\ScalarLength{Orchard}}(\AuthSignPublicRepr) \bconcat \ItoLEBSP{\ScalarLength{Orchard}}\NullifierKeyRepr\right) \mod{\ParamP{r}}$
\item $\CommitIvkGenTrapdoor()$ generates the uniform distribution on $\GF{\ParamP{r}}$. \item $\CommitIvkGenTrapdoor()$ generates the uniform distribution on $\GF{\ParamP{r}}$.
\end{formulae} \end{formulae}
@ -10492,7 +10517,9 @@ for example), and requirements specific to Bitcoin's Segwit addresses.}
\introsection \introsection
\lsubsubsection{Transparent Addresses}{transparentaddrencoding} \lsubsubsection{Transparent Encodings}{transparentencodings}
\lsubsubsubsection{Transparent Addresses}{transparentaddrencoding}
\defining{\xTransparentAddresses} are either P2SH (Pay to Script Hash) addresses \cite{BIP-13} \defining{\xTransparentAddresses} are either P2SH (Pay to Script Hash) addresses \cite{BIP-13}
or P2PKH (Pay to Public Key Hash) addresses \cite{Bitcoin-P2PKH}. or P2PKH (Pay to Public Key Hash) addresses \cite{Bitcoin-P2PKH}.
@ -10553,13 +10580,15 @@ The \rawEncoding of a P2PKH address consists of:
\end{pnotes} \end{pnotes}
\lsubsubsection{Transparent Private Keys}{transparentkeyencoding} \lsubsubsubsection{Transparent Private Keys}{transparentkeyencoding}
These are encoded in the same way as in \Bitcoin \cite{Bitcoin-Base58}, These are encoded in the same way as in \Bitcoin \cite{Bitcoin-Base58},
for both \Mainnet and \Testnet. for both \Mainnet and \Testnet.
\lsubsubsection{\SproutText{} Payment Addresses}{sproutpaymentaddrencoding} \lsubsubsection{\SproutText{} Encodings}{sproutencodings}
\lsubsubsubsection{\SproutText{} Payment Addresses}{sproutpaymentaddrencoding}
Let $\KA{Sprout}$ be as defined in \crossref{concretesproutkeyagreement}. Let $\KA{Sprout}$ be as defined in \crossref{concretesproutkeyagreement}.
@ -10602,91 +10631,10 @@ For addresses on \Mainnet, the lead bytes and encoded length
cause the first two characters of the Base58Check encoding to be fixed as cause the first two characters of the Base58Check encoding to be fixed as
\ascii{zc}. For \Testnet, the first two characters are fixed as \ascii{zc}. For \Testnet, the first two characters are fixed as
\ascii{zt}. \ascii{zt}.
} } %pnote
\sapling{ \lsubsubsubsection{\SproutText{} Incoming Viewing Keys}{sproutinviewingkeyencoding}
\lsubsubsection{\SaplingText{} Payment Addresses}{saplingpaymentaddrencoding}
Let $\KA{Sapling}$ be as defined in \crossref{concretesaplingkeyagreement}.
A \Sapling{} \defining{\paymentAddress} consists of $\Diversifier \typecolon \DiversifierType$
and $\DiversifiedTransmitPublic \typecolon \KAPublicPrimeSubgroup{Sapling}$.
$\DiversifiedTransmitPublic$ is an encoding of a $\KA{Sapling}$ \publicKey of type
$\KAPublicPrimeSubgroup{Sapling}$, for use with the encryption scheme defined in
\crossref{saplinginband}. $\Diversifier$~is a sequence of $11$ bytes.
These components are derived as described in \crossref{saplingkeycomponents}.
\introlist
The \rawEncoding of a \Sapling \paymentAddress consists of:
\vspace{1ex}
\begin{equation*}
\begin{bytefield}[bitwidth=0.07em]{344}
\sbitbox{120}{$\LEBStoOSPOf{88}{\Diversifier}$}
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJ\Of{\DiversifiedTransmitPublic}\kern 0.05em}$}
\end{bytefield}
\end{equation*}
\begin{itemize}
\item $11$ bytes specifying $\Diversifier$.
\item $32$ bytes specifying the \ctEdwardsCompressedEncoding of
$\DiversifiedTransmitPublic$ (see \crossref{jubjub}).
\end{itemize}
When decoding the representation of $\DiversifiedTransmitPublic$, the address \MUST be
considered invalid if $\abstJ$ returns $\bot$ or if the resulting $\DiversifiedTransmitPublic$
is not in the prime-order subgroup $\SubgroupJ$.
\vspace{-2ex}
\nnote{\zcashd currently (as of version 3.1.0) does not fully conform to this requirement on
address validation when importing \paymentAddresses.}
\vspace{1ex}
For addresses on \Mainnet, the \defining{\humanReadablePart} (as defined in \cite{ZIP-173}) is \ascii{zs}.
For addresses on \Testnet, the \humanReadablePart is \ascii{ztestsapling}.
} %sapling
\orchard{
\lsubsubsection{\OrchardText{} Payment Addresses}{orchardpaymentaddrencoding}
Let $\KA{Orchard}$ be as defined in \crossref{concreteorchardkeyagreement}.
An \Orchard{} \defining{\paymentAddress} consists of $\Diversifier \typecolon \DiversifierType$
and $\DiversifiedTransmitPublic \typecolon \KAPublic{Orchard}$.
$\DiversifiedTransmitPublic$ is an encoding of a $\KA{Orchard}$ \publicKey of type
$\KAPublic{Orchard}$, for use with the encryption scheme defined in \crossref{saplingandorchardinband}.
$\Diversifier$~is a sequence of $11$ bytes. These components are derived as described in
\crossref{orchardkeycomponents}.
\introlist
The \rawEncoding of an \Orchard \paymentAddress consists of:
\vspace{1ex}
\begin{equation*}
\begin{bytefield}[bitwidth=0.07em]{344}
\sbitbox{120}{$\LEBStoOSPOf{88}{\Diversifier}$}
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprP\Of{\DiversifiedTransmitPublic}\kern 0.05em}$}
\end{bytefield}
\end{equation*}
\begin{itemize}
\item $11$ bytes specifying $\Diversifier$.
\item $32$ bytes specifying the \swCompressedEncoding of
$\DiversifiedTransmitPublic$ (see \crossref{pallasandvesta}).
\end{itemize}
When decoding the representation of $\DiversifiedTransmitPublic$, the address \MUST be
considered invalid if $\abstP$ returns $\bot$.
\vspace{1ex}
For addresses on \Mainnet, the \defining{\humanReadablePart} (as defined in \cite{ZIP-173}) is \ascii{zo}.
For addresses on \Testnet, the \humanReadablePart is \ascii{ztestorchard}.
} %orchard
\lsubsubsection{\SproutText{} Incoming Viewing Keys}{sproutinviewingkeyencoding}
\changed{ \changed{
Let $\KA{Sprout}$ be as defined in \crossref{concretesproutkeyagreement}. Let $\KA{Sprout}$ be as defined in \crossref{concretesproutkeyagreement}.
@ -10741,158 +10689,7 @@ cause the first four characters of the Base58Check encoding to be fixed as
\ascii{ZiVt}.}} %changed \ascii{ZiVt}.}} %changed
\sapling{ \lsubsubsubsection{\SproutText{} Spending Keys}{sproutspendingkeyencoding}
\lsubsubsection{\SaplingText{} Incoming Viewing Keys}{saplinginviewingkeyencoding}
Let $\KA{Sapling}$ be as defined in \crossref{concretesaplingkeyagreement}.
Let $\InViewingKeyLength{Sapling}$ be as defined in \crossref{constants}.
A \Sapling{} \defining{\incomingViewingKey} consists of $\InViewingKey \typecolon \InViewingKeyTypeSapling$.
$\InViewingKey$ is a $\KAPrivate{Sapling}$ key (restricted to $\InViewingKeyLength{Sapling}$ bits),
derived as described in \crossref{saplingkeycomponents}.
It is used with the encryption scheme defined in \crossref{saplinginband}.
\introlist
The \rawEncoding of a \Sapling \incomingViewingKey consists of:
\vspace{1ex}
\begin{equation*}
\begin{bytefield}[bitwidth=0.07em]{256}
\sbitbox{256}{$256$-bit $\InViewingKey$}
\end{bytefield}
\end{equation*}
\vspace{-1ex}
\begin{itemize}
\item $32$ bytes (little-endian) specifying $\InViewingKey$, padded with zeros in the most
significant bits.
\end{itemize}
$\InViewingKey$ \MUST be in the range $\InViewingKeyTypeSapling$ as specified
in \crossref{saplingkeycomponents}. That is, a decoded \incomingViewingKey \MUST be
considered invalid if $\InViewingKey$ is not in this range.
For \incomingViewingKeys on \Mainnet, the \humanReadablePart is \ascii{zivks}.
For \incomingViewingKeys on \Testnet, the \humanReadablePart is \ascii{zivktestsapling}.
} %sapling
\orchard{
\lsubsubsection{\OrchardText{} Incoming Viewing Keys}{orchardinviewingkeyencoding}
Let $\KA{Orchard}$ be as defined in \crossref{concreteorchardkeyagreement}.
An \Orchard{} \defining{\incomingViewingKey} consists of $\InViewingKey \typecolon \InViewingKeyTypeOrchard$.
$\InViewingKey$ is a $\KAPrivate{Orchard}$ key (restricted to the range $\range{0}{\ParamP{q}-1}$),
derived as described in \crossref{orchardkeycomponents}.
It is used with the encryption scheme defined in \crossref{saplingandorchardinband}.
\introlist
The \rawEncoding of an \Orchard \incomingViewingKey consists of:
\vspace{1ex}
\begin{equation*}
\begin{bytefield}[bitwidth=0.07em]{256}
\sbitbox{256}{$256$-bit $\InViewingKey$}
\end{bytefield}
\end{equation*}
\vspace{-1ex}
\begin{itemize}
\item $32$ bytes (little-endian) specifying $\InViewingKey$, padded with zeros in the most
significant bits.
\end{itemize}
$\InViewingKey$ \MUST be in the range $\InViewingKeyTypeOrchard$ as specified
in \crossref{orchardkeycomponents}. That is, a decoded \incomingViewingKey \MUST be
considered invalid if $\InViewingKey$ is not in this range.
For \incomingViewingKeys on \Mainnet, the \humanReadablePart is \ascii{zivko}.
For \incomingViewingKeys on \Testnet, the \humanReadablePart is \ascii{zivktestorchard}.
} %orchard
\sapling{
\lsubsubsection{\SaplingText{} Full Viewing Keys}{saplingfullviewingkeyencoding}
Let $\KA{Sapling}$ be as defined in \crossref{concretesaplingkeyagreement}.
A \Sapling{} \defining{\fullViewingKey} consists of $\AuthSignPublic \typecolon \SubgroupJstar$,
$\NullifierKey \typecolon \SubgroupJ$, and $\OutViewingKey \typecolon \byteseq{\OutViewingKeyLength/8}$.
$\AuthSignPublic$ and $\NullifierKey$ are points on the \jubjubCurve
(see \crossref{jubjub}). They are derived as described in \crossref{saplingkeycomponents}.
\introlist
The \rawEncoding of a \Sapling \fullViewingKey consists of:
\vspace{1ex}
\begin{equation*}
\begin{bytefield}[bitwidth=0.05em]{512}
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJ\Of{\AuthSignPublic}\kern 0.05em}$}
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJ\Of{\NullifierKey}\kern 0.05em}$}
\sbitbox{256}{$32$-byte $\OutViewingKey$}
\end{bytefield}
\end{equation*}
\vspace{-1ex}
\begin{itemize}
\item $32$ bytes specifying the \ctEdwardsCompressedEncoding of $\AuthSignPublic$
(see \crossref{jubjub}).
\item $32$ bytes specifying the \ctEdwardsCompressedEncoding of $\NullifierKey$.
\item $32$ bytes specifying the \outgoingViewingKey $\OutViewingKey$.
\end{itemize}
When decoding this representation, the key \MUST be considered invalid if $\abstJ$ returns $\bot$
for either $\AuthSignPublic$ or $\NullifierKey$, or if $\AuthSignPublic \notin \SubgroupJstar$,
or if $\NullifierKey \notin \SubgroupJ$.
For \incomingViewingKeys on \Mainnet, the \humanReadablePart is \ascii{zviews}.
For \incomingViewingKeys on \Testnet, the \humanReadablePart is \ascii{zviewtestsapling}.
}
\sapling{
\lsubsubsection{\OrchardText{} Full Viewing Keys}{orchardfullviewingkeyencoding}
Let $\KA{Orchard}$ be as defined in \crossref{concreteorchardkeyagreement}.
An \Orchard{} \defining{\fullViewingKey} consists of $\AuthSignPublic \typecolon \GroupPstar$,
$\NullifierKey \typecolon \NullifierKeyTypeOrchard$, and $\OutViewingKey \typecolon \byteseq{\OutViewingKeyLength/8}$.
$\AuthSignPublic$ and $\NullifierKey$ are points on the \jubjubCurve
(see \crossref{jubjub}). They are derived as described in \crossref{saplingkeycomponents}.
\introlist
The \rawEncoding of a \Sapling \fullViewingKey consists of:
\vspace{1ex}
\begin{equation*}
\begin{bytefield}[bitwidth=0.05em]{512}
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJ\Of{\AuthSignPublic}\kern 0.05em}$}
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJ\Of{\NullifierKey}\kern 0.05em}$}
\sbitbox{256}{$32$-byte $\OutViewingKey$}
\end{bytefield}
\end{equation*}
\vspace{-1ex}
\begin{itemize}
\item $32$ bytes specifying the \ctEdwardsCompressedEncoding of $\AuthSignPublic$
(see \crossref{jubjub}).
\item $32$ bytes specifying the \ctEdwardsCompressedEncoding of $\NullifierKey$.
\item $32$ bytes specifying the \outgoingViewingKey $\OutViewingKey$.
\end{itemize}
When decoding this representation, the key \MUST be considered invalid if $\abstJ$ returns $\bot$
for either $\AuthSignPublic$ or $\NullifierKey$, or if $\AuthSignPublic \notin \SubgroupJstar$,
or if $\NullifierKey \notin \SubgroupJ$.
For \incomingViewingKeys on \Mainnet, the \humanReadablePart is \ascii{zviews}.
For \incomingViewingKeys on \Testnet, the \humanReadablePart is \ascii{zviewtestsapling}.
}
\introsection
\lsubsubsection{\SproutText{} Spending Keys}{sproutspendingkeyencoding}
A \Sprout{} \defining{\spendingKey} consists of $\AuthPrivate$, which is a sequence of A \Sprout{} \defining{\spendingKey} consists of $\AuthPrivate$, which is a sequence of
\changed{$252$} bits (see \crossref{sproutkeycomponents}). \changed{$252$} bits (see \crossref{sproutkeycomponents}).
@ -10941,7 +10738,128 @@ The zero padding occupies the most significant 4 bits of the third byte.
\sapling{ \sapling{
\lsubsubsection{\SaplingText{} Spending Keys}{saplingspendingkeyencoding} \lsubsubsection{\SaplingText{} Encodings}{saplingencodings}
\lsubsubsubsection{\SaplingText{} Payment Addresses}{saplingpaymentaddrencoding}
Let $\KA{Sapling}$ be as defined in \crossref{concretesaplingkeyagreement}.
A \Sapling{} \defining{\paymentAddress} consists of $\Diversifier \typecolon \DiversifierType$
and $\DiversifiedTransmitPublic \typecolon \KAPublicPrimeSubgroup{Sapling}$.
$\DiversifiedTransmitPublic$ is an encoding of a $\KA{Sapling}$ \publicKey of type
$\KAPublicPrimeSubgroup{Sapling}$, for use with the encryption scheme defined in
\crossref{saplinginband}. $\Diversifier$~is a sequence of $11$ bytes.
These components are derived as described in \crossref{saplingkeycomponents}.
\introlist
The \rawEncoding of a \Sapling \paymentAddress consists of:
\vspace{1ex}
\begin{equation*}
\begin{bytefield}[bitwidth=0.07em]{344}
\sbitbox{120}{$\LEBStoOSPOf{88}{\Diversifier}$}
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJ\Of{\DiversifiedTransmitPublic}\kern 0.05em}$}
\end{bytefield}
\end{equation*}
\begin{itemize}
\item $11$ bytes specifying $\Diversifier$.
\item $32$ bytes specifying the \ctEdwardsCompressedEncoding of
$\DiversifiedTransmitPublic$ (see \crossref{jubjub}).
\end{itemize}
When decoding the representation of $\DiversifiedTransmitPublic$, the address \MUST be
considered invalid if $\abstJ$ returns $\bot$ or if the resulting $\DiversifiedTransmitPublic$
is not in the prime-order subgroup $\SubgroupJ$.
\vspace{-2ex}
\nnote{\zcashd currently (as of version 3.1.0) does not fully conform to this requirement on
address validation when importing \paymentAddresses.}
\vspace{1ex}
For addresses on \Mainnet, the \defining{\humanReadablePart} (as defined in \cite{ZIP-173}) is \ascii{zs}.
For addresses on \Testnet, the \humanReadablePart is \ascii{ztestsapling}.
} %sapling
\sapling{
\lsubsubsubsection{\SaplingText{} Incoming Viewing Keys}{saplinginviewingkeyencoding}
Let $\KA{Sapling}$ be as defined in \crossref{concretesaplingkeyagreement}.
Let $\InViewingKeyLength{Sapling}$ be as defined in \crossref{constants}.
A \Sapling{} \defining{\incomingViewingKey} consists of $\InViewingKey \typecolon \InViewingKeyTypeSapling$.
$\InViewingKey$ is a $\KAPrivate{Sapling}$ key (restricted to $\InViewingKeyLength{Sapling}$ bits),
derived as described in \crossref{saplingkeycomponents}.
It is used with the encryption scheme defined in \crossref{saplinginband}.
\introlist
The \rawEncoding of a \Sapling \incomingViewingKey consists of:
\vspace{1ex}
\begin{equation*}
\begin{bytefield}[bitwidth=0.07em]{256}
\sbitbox{256}{$256$-bit $\InViewingKey$}
\end{bytefield}
\end{equation*}
\vspace{-1ex}
\begin{itemize}
\item $32$ bytes (little-endian) specifying $\InViewingKey$, padded with zeros in the most
significant bits.
\end{itemize}
$\InViewingKey$ \MUST be in the range $\InViewingKeyTypeSapling$ as specified
in \crossref{saplingkeycomponents}. That is, a decoded \incomingViewingKey \MUST be
considered invalid if $\InViewingKey$ is not in this range.
For \incomingViewingKeys on \Mainnet, the \humanReadablePart is \ascii{zivks}.
For \incomingViewingKeys on \Testnet, the \humanReadablePart is \ascii{zivktestsapling}.
} %sapling
\sapling{
\lsubsubsubsection{\SaplingText{} Full Viewing Keys}{saplingfullviewingkeyencoding}
Let $\KA{Sapling}$ be as defined in \crossref{concretesaplingkeyagreement}.
A \Sapling{} \defining{\fullViewingKey} consists of $\AuthSignPublic \typecolon \SubgroupJstar$,
$\NullifierKey \typecolon \SubgroupJ$, and $\OutViewingKey \typecolon \byteseq{\OutViewingKeyLength/8}$.
$\AuthSignPublic$ and $\NullifierKey$ are points on the \jubjubCurve
(see \crossref{jubjub}). They are derived as described in \crossref{saplingkeycomponents}.
\introlist
The \rawEncoding of a \Sapling \fullViewingKey consists of:
\vspace{1ex}
\begin{equation*}
\begin{bytefield}[bitwidth=0.05em]{512}
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJ\Of{\AuthSignPublic}\kern 0.05em}$}
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprJ\Of{\NullifierKey}\kern 0.05em}$}
\sbitbox{256}{$32$-byte $\OutViewingKey$}
\end{bytefield}
\end{equation*}
\vspace{-1ex}
\begin{itemize}
\item $32$ bytes specifying the \ctEdwardsCompressedEncoding of $\AuthSignPublic$
(see \crossref{jubjub}).
\item $32$ bytes specifying the \ctEdwardsCompressedEncoding of $\NullifierKey$.
\item $32$ bytes specifying the \outgoingViewingKey $\OutViewingKey$.
\end{itemize}
When decoding this representation, the key \MUST be considered invalid if $\abstJ$ returns $\bot$
for either $\AuthSignPublic$ or $\NullifierKey$, or if $\AuthSignPublic \notin \SubgroupJstar$,
or if $\NullifierKey \notin \SubgroupJ$.
For \incomingViewingKeys on \Mainnet, the \humanReadablePart is \ascii{zviews}.
For \incomingViewingKeys on \Testnet, the \humanReadablePart is \ascii{zviewtestsapling}.
} %sapling
\sapling{
\lsubsubsubsection{\SaplingText{} Spending Keys}{saplingspendingkeyencoding}
A \Sapling{} \defining{\spendingKey} consists of $\SpendingKey \typecolon \SpendingKeyType$ A \Sapling{} \defining{\spendingKey} consists of $\SpendingKey \typecolon \SpendingKeyType$
(see \crossref{saplingkeycomponents}). (see \crossref{saplingkeycomponents}).
@ -10961,7 +10879,144 @@ The \rawEncoding of a \Sapling \spendingKey consists of:
For \spendingKeys on \Mainnet, the \humanReadablePart is \ascii{secret-spending-key-main}. For \spendingKeys on \Mainnet, the \humanReadablePart is \ascii{secret-spending-key-main}.
For \spendingKeys on \Testnet, the \humanReadablePart is \ascii{secret-spending-key-test}. For \spendingKeys on \Testnet, the \humanReadablePart is \ascii{secret-spending-key-test}.
} } %sapling
\orchard{
\lsubsubsection{\OrchardText{} Encodings}{orchardencodings}
\lsubsubsubsection{\OrchardText{} Payment Addresses}{orchardpaymentaddrencoding}
Let $\KA{Orchard}$ be as defined in \crossref{concreteorchardkeyagreement}.
An \Orchard{} \defining{\paymentAddress} consists of $\Diversifier \typecolon \DiversifierType$
and $\DiversifiedTransmitPublic \typecolon \KAPublic{Orchard}$.
$\DiversifiedTransmitPublic$ is an encoding of a $\KA{Orchard}$ \publicKey of type
$\KAPublic{Orchard}$, for use with the encryption scheme defined in \crossref{saplingandorchardinband}.
$\Diversifier$~is a sequence of $11$ bytes. These components are derived as described in
\crossref{orchardkeycomponents}.
\introlist
The \rawEncoding of an \Orchard \paymentAddress consists of:
\vspace{1ex}
\begin{equation*}
\begin{bytefield}[bitwidth=0.07em]{344}
\sbitbox{120}{$\LEBStoOSPOf{88}{\Diversifier}$}
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprP\Of{\DiversifiedTransmitPublic}\kern 0.05em}$}
\end{bytefield}
\end{equation*}
\begin{itemize}
\item $11$ bytes specifying $\Diversifier$.
\item $32$ bytes specifying the \swCompressedEncoding of
$\DiversifiedTransmitPublic$ (see \crossref{pallasandvesta}).
\end{itemize}
When decoding the representation of $\DiversifiedTransmitPublic$, the address \MUST be
considered invalid if $\abstP$ returns $\bot$.
\vspace{1ex}
For addresses on \Mainnet, the \defining{\humanReadablePart} (as defined in \cite{ZIP-173}) is \ascii{zo}.
For addresses on \Testnet, the \humanReadablePart is \ascii{ztestorchard}.
} %orchard
\orchard{
\lsubsubsubsection{\OrchardText{} Incoming Viewing Keys}{orchardinviewingkeyencoding}
Let $\KA{Orchard}$ be as defined in \crossref{concreteorchardkeyagreement}.
An \Orchard{} \defining{\incomingViewingKey} consists of $\InViewingKey \typecolon \InViewingKeyTypeOrchard$.
$\InViewingKey$ is a $\KAPrivate{Orchard}$ key (restricted to the range $\range{0}{\ParamP{q}-1}$),
derived as described in \crossref{orchardkeycomponents}.
It is used with the encryption scheme defined in \crossref{saplingandorchardinband}.
\introlist
The \rawEncoding of an \Orchard \incomingViewingKey consists of:
\vspace{1ex}
\begin{equation*}
\begin{bytefield}[bitwidth=0.07em]{256}
\sbitbox{256}{$256$-bit $\InViewingKey$}
\end{bytefield}
\end{equation*}
\vspace{-1ex}
\begin{itemize}
\item $32$ bytes (little-endian) specifying $\InViewingKey$, padded with zeros in the most
significant bits.
\end{itemize}
$\InViewingKey$ \MUST be in the range $\InViewingKeyTypeOrchard$ as specified
in \crossref{orchardkeycomponents}. That is, a decoded \incomingViewingKey \MUST be
considered invalid if $\InViewingKey$ is not in this range.
For \incomingViewingKeys on \Mainnet, the \humanReadablePart is \ascii{zivko}.
For \incomingViewingKeys on \Testnet, the \humanReadablePart is \ascii{zivktestorchard}.
} %orchard
\orchard{
\lsubsubsubsection{\OrchardText{} Full Viewing Keys}{orchardfullviewingkeyencoding}
Let $\KA{Orchard}$ be as defined in \crossref{concreteorchardkeyagreement}.
An \Orchard{} \defining{\fullViewingKey} consists of $\AuthSignPublic \typecolon \GroupPstar$
and $\NullifierKey \typecolon \NullifierKeyTypeOrchard$.
$\AuthSignPublic$ and $\NullifierKey$ are points on the \pallasCurve (see
\crossref{pallasandvesta}). $\NullifierKey$ is a field element in $\GF{\ParamP{q}}$.
They are derived as described in \crossref{orchardkeycomponents}.
\introlist
The \rawEncoding of an \Orchard \fullViewingKey consists of:
\vspace{1ex}
\begin{equation*}
\begin{bytefield}[bitwidth=0.05em]{512}
\sbitbox{256}{$\LEBStoOSPOf{256}{\reprP\Of{\AuthSignPublic}\kern 0.05em}$}
\sbitbox{256}{$\LEBStoOSPOf{256}{\ItoLEBSPOf{256}{\NullifierKey}\kern 0.05em}$}
\end{bytefield}
\end{equation*}
\vspace{-1ex}
\begin{itemize}
\item $32$ bytes specifying the \swCompressedEncoding of $\AuthSignPublic$
(see \crossref{pallasandvesta}).
\item $32$ bytes specifying the $\NullifierKey$.
\end{itemize}
When decoding this representation, the key \MUST be considered invalid if $\abstP$ returns $\bot$
for $\AuthSignPublic$, or if $\AuthSignPublic = \ZeroP$, or if $\NullifierKey$ is not a canonically
encoded field element.
For \incomingViewingKeys on \Mainnet, the \humanReadablePart is \ascii{zviewo}.
For \incomingViewingKeys on \Testnet, the \humanReadablePart is \ascii{zviewtestorchard}.
} %orchard
\orchard{
\lsubsubsubsection{\OrchardText{} Spending Keys}{orchardspendingkeyencoding}
An \Orchard{} \defining{\spendingKey} consists of $\SpendingKey \typecolon \SpendingKeyType$
(see \crossref{saplingkeycomponents}).
\introlist
The \rawEncoding of an \Orchard \spendingKey consists of:
\vspace{1ex}
\begin{equation*}
\begin{bytefield}[bitwidth=0.07em]{256}
\sbitbox{256}{$\LEBStoOSPOf{256}{\SpendingKey}$}
\end{bytefield}
\end{equation*}
\begin{itemize}
\item $32$ bytes specifying $\SpendingKey$.
\end{itemize}
For \spendingKeys on \Mainnet, the \humanReadablePart is \ascii{secret-orchard-sk-main}.
For \spendingKeys on \Testnet, the \humanReadablePart is \ascii{secret-orchard-sk-test}.
} %orchard
\introlist \introlist
@ -11221,14 +11276,14 @@ Note that the \valueBalance{Sapling} field is always present for these \transact
} %sapling } %sapling
\sprout{\vspace{3ex}} \sprout{\vspace{3ex}}
%\orchard{ \orchard{
\introlist \introlist
The \Zcash{} \defining{\transaction} format for \transactionVersion 5 is as follows The \Zcash{} \defining{\transaction} format for \transactionVersion 5 is as follows
(this should be read in the context of consensus rules later in the section): (this should be read in the context of consensus rules later in the section):
\vspace{-1ex} \vspace{-2ex}
\begin{center} \begin{center}
%\scalebox{0.8}{ \scalebox{0.78}{
\notsprout{\renewcommand{\arraystretch}{1.3}} \notsprout{\renewcommand{\arraystretch}{1.3}}
\hbadness=10000 \hbadness=10000
\begin{tabularx}{1.21\textwidth}{|c|c|l|p{10em}|L|} \begin{tabularx}{1.21\textwidth}{|c|c|l|p{10em}|L|}
@ -11289,42 +11344,45 @@ The net value of \Sapling{} spends minus outputs. \\ \hline
$\geq 5\;\mathsection$ & $32$ & $\anchorField{Sapling}$ & \type{byte[32]} & $\geq 5\;\mathsection$ & $32$ & $\anchorField{Sapling}$ & \type{byte[32]} &
A \merkleRoot of the \Sapling \noteCommitmentTree at some \blockHeight in the past, $\LEBStoOSP{256}\big(\rt{Sapling}\big)$. \\ \hline A \merkleRoot of the \Sapling \noteCommitmentTree at some \blockHeight in the past, $\LEBStoOSP{256}\big(\rt{Sapling}\big)$. \\ \hline
%$\geq 5$ & \Longunderstack{$192 \mult$ \\$\!\nSpendsSapling\!$} & $\vSpendProofsSapling$ & \type{byte[$192 \mult \nSpendsSapling$]} & $\geq 5$ & \Longunderstack{$192 \mult$ \\$\!\nSpendsSapling\!$} & $\vSpendProofsSapling$ & \type{byte[$192 \mult \nSpendsSapling$]} &
%Encodings of the \zkSNARKProofs for each \Sapling \spendDescription. \\ \hline Encodings of the \zkSNARKProofs for each \Sapling \spendDescription. \\ \hline
%$\geq 5$ & \Longunderstack{$64 \mult$ \\$\!\nSpendsSapling\!$} & $\vSpendAuthSigsSapling$ & \type{byte[$64 \mult \nSpendsSapling$]} & $\geq 5$ & \Longunderstack{$64 \mult$ \\$\!\nSpendsSapling\!$} & $\vSpendAuthSigsSapling$ & \type{byte[$64 \mult \nSpendsSapling$]} &
%Authorizing signatures for each \Sapling \outputDescription. \\ \hline Authorizing signatures for each \Sapling \outputDescription. \\ \hline
%$\geq 5$ & \Longunderstack{$192 \mult$ \\$\!\nOutputsSapling\!$} & $\vOutputProofsSapling$ & \type{byte[$192 \mult \nOutputsSapling$]} & $\geq 5$ & \Longunderstack{$192 \mult$ \\$\!\nOutputsSapling\!$} & $\vOutputProofsSapling$ & \type{byte[$192 \mult \nOutputsSapling$]} &
%Encodings of the \zkSNARKProofs for each \Sapling \outputDescription. \\ \hline Encodings of the \zkSNARKProofs for each \Sapling \outputDescription. \\ \hline
%$\geq 5\;\mathsection$ & $64$ & $\bindingSig{Sapling}$ & \type{byte[64]} & $\geq 5\;\mathsection$ & $64$ & $\bindingSig{Sapling}$ & \type{byte[64]} &
%A \saplingBindingSignature on the \sighashTxHash, to be verified as specified in \crossref{concretebindingsig}. \\ \hline A \saplingBindingSignature on the \sighashTxHash, to be verified as specified in \crossref{concretebindingsig}. \\ \hline
%$\geq 5$ & \Varies &\setorchard $\nActionsOrchard\!$ & \type{compactSize} & $\geq 5$ & \Varies &\setorchard $\nActionsOrchard\!$ & \type{compactSize} &
%The number of \actionDescriptions in $\vActionsOrchard$. \\ \hline The number of \actionDescriptions in $\vActionsOrchard$. \\ \hline
%$\geq 5$ & \Longunderstack{$884 \mult$ \\$\!\nActionsOrchard\!$} & $\vActionsOrchard\!$ & \type{ActionDescription} \type{[$\nActionsOrchard$]} & $\geq 5$ & \Longunderstack{$884 \mult$ \\$\!\nActionsOrchard\!$} & $\vActionsOrchard$ & \type{ActionDescription} \type{[$\nActionsOrchard$]} &
%A sequence of \actionDescriptions{}, encoded per \crossref{actionencodingandconsensus}. \\ \hline A sequence of \actionDescriptions{}, encoded per \crossref{actionencodingandconsensus}. \\ \hline
%$\geq 5\;\mathsection$ & $8$ & $\valueBalance{Orchard}\!$ & \type{int64} & $\geq 5\;\mathsection$ & $8$ & $\flagsOrchard$ & \type{byte} &
%The net value of \Orchard{} spends minus outputs. \\ \hline \todo{...} \\ \hline
%$\geq 5\;\mathsection$ & $32$ & $\anchorField{Orchard}$ & \type{byte[32]} & $\geq 5\;\mathsection$ & $8$ & $\valueBalance{Orchard}\!$ & \type{int64} &
%A \merkleRoot of the \Orchard \noteCommitmentTree at some \blockHeight in the past, $\LEBStoOSP{256}\big(\rt{Orchard}\big)$. \\ \hline The net value of \Orchard{} spends minus outputs. \\ \hline
%$\geq 5\; & \Varies & $\nProofsOrchard$ & \type{compactSize} & The length of the aggregated \zkSNARKProof $\geq 5\;\mathsection$ & $32$ & $\anchorField{Orchard}$ & \type{byte[32]} &
%$\ProofAction$ (see \crossref{halo2}). \\ \hline A \merkleRoot of the \Orchard \noteCommitmentTree at some \blockHeight in the past, $\LEBStoOSP{256}\big(\rt{Orchard}\big)$. \\ \hline
%$\geq 5\; & $2208$ & $\vProofsOrchard$ & \type{byte[2208]} & An encoding of the aggregated \zkSNARKProof $\geq 5\;\mathsection$ & \Varies & $\sizeProofsOrchard$ & \type{compactSize} & The length of the aggregated \zkSNARKProof
%$\ProofAction$ (see \crossref{halo2}). \\ \hline $\ProofAction$. \\ \hline
%$\geq 5\;\mathsection$ & $64$ & $\bindingSig{Orchard}$ & \type{byte[64]} & $\geq 5\;\mathsection$ & $2208$ & $\proofsOrchard$ & \type{byte[2208]} & An encoding of the aggregated \zkSNARKProof
%An \orchardBindingSignature on the \sighashTxHash, to be verified as specified in \crossref{concretebindingsig}. \\ \hline $\ProofAction$ (see \crossref{halo2}). \\ \hline
$\geq 5\;\mathsection$ & $64$ & $\bindingSig{Orchard}$ & \type{byte[64]} &
An \orchardBindingSignature on the \sighashTxHash, to be verified as specified in \crossref{concretebindingsig}. \\ \hline
\end{tabularx} \end{tabularx}
\renewcommand{\arraystretch}{\defaultarraystretch} \renewcommand{\arraystretch}{\defaultarraystretch}
%} %scalebox } %scalebox
\end{center} \end{center}
\vspace{-2ex} \vspace{-2ex}
@ -11342,7 +11400,7 @@ If \valueBalance{Orchard} is not present, then $\vBalance{Orchard}$ is defined t
\end{tabularx} \end{tabularx}
Note that several fields are reordered relative to prior \transactionVersions. Note that several fields are reordered relative to prior \transactionVersions.
%} %orchard } %orchard
\begin{consensusrules} \begin{consensusrules}
\item The \defining{\transactionVersionNumber} \MUST be greater than or equal to $1$. \item The \defining{\transactionVersionNumber} \MUST be greater than or equal to $1$.


@ -1777,3 +1777,11 @@ Proceedings of the 19th Annual International Cryptology Conference
url={https://www.zfnd.org/about/contracts/2019_ECC_ZFND_TM_agreement.pdf}, url={https://www.zfnd.org/about/contracts/2019_ECC_ZFND_TM_agreement.pdf},
urldate={2020-07-05} urldate={2020-07-05}
} }
@misc{Zcash-Orchard,
presort={Zcash-Orchard},
author={Daira Hopwood and Sean Bowe and Jack Grigg and Kris Nuttycombe and Ying Tong Lai and Steven Smith},
title={The {O}rchard Book},
url={https://zcash.github.io/orchard/},
urldate={2021-03-02}
}