mirror of https://github.com/zcash/zips.git
Add back some information that was lost in a previous refactoring.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood
parent
0e3aee41ac
commit
dc4e99389e
|
|
@ -482,6 +482,14 @@ A \coin (denoted $\Coin{}$) is a tuple $\changed{(\AuthPublic, \Value,
|
|||
spendable by the recipient who holds the $\authKeypair$ key pair
|
||||
$(\AuthPublic, \AuthPrivate)$ such that
|
||||
$\AuthPublic = \PRFaddr{\AuthPrivate}(0)$.
|
||||
|
||||
\begin{itemize}
|
||||
\item $\AuthPublic$ is a 32-byte \authKeypair public key of the recipient.
|
||||
\item $\Value$ is a 64-bit unsigned integer representing the value of the
|
||||
\coin in \zatoshi (1 \ZEC = $10^8$ \zatoshi).
|
||||
\item $\CoinAddressRand$ is a 32-byte $\PRFsn{\AuthPrivate}$ preimage.
|
||||
\item $\CoinCommitRand$ is a 48-byte \COMMtrapdoor.
|
||||
\end{itemize}
|
||||
|
||||
$\CoinCommitRand$ is randomly generated by the sender. \changed{$\CoinAddressRand$
|
||||
is generated from a random seed $\CoinAddressPreRand$ using
|
||||
|
|
@ -489,6 +497,10 @@ $\PRFrho{\CoinAddressPreRand}$.} Only a commitment to these values is disclosed
|
|||
publicly, which allows the tokens $\CoinCommitRand$ and $\CoinAddressRand$ to blind
|
||||
the value and recipient \emph{except} to those who possess these tokens.
|
||||
|
||||
Note that the value $\CoinCommitS$ described as being part of a \coin in the
|
||||
\Zerocash paper \cite{ZerocashOakland} is not encoded because the instantiation
|
||||
of $\COMM{\CoinCommitS}$ does not use it.
|
||||
|
||||
\subsubsection{Coin Commitments}
|
||||
|
||||
The underlying $\Value$ and $\AuthPublic$ are blinded with $\CoinAddressRand$
|
||||
|
|
@ -535,6 +547,31 @@ $\PRFsn{\AuthPrivate}(\CoinAddressRand)$. A \coin is spent by proving
|
|||
knowledge of $\CoinAddressRand$ and $\AuthPrivate$ in zero knowledge while
|
||||
disclosing $\sn$, allowing $\sn$ to be used to prevent double-spending.
|
||||
|
||||
\subsubsection{Coin plaintexts and memo fields}
|
||||
|
||||
Transmitted coins are stored on the blockchain in encrypted form, together with
|
||||
a \coinCommitment $\cm$.
|
||||
|
||||
The \coinPlaintexts associated with a \PourDescription are encrypted to the
|
||||
respective \transmitKeypair keys $\TransmitPublicNew{\mathrm{1}..\NNew}$,
|
||||
and the result forms part of a \coinsCiphertext (see section
|
||||
``In-band secret distribution'' for further details).
|
||||
|
||||
Each \coinPlaintext (denoted $\CoinPlaintext{}$) consists of
|
||||
$(\changed{\AuthPublic,\;}\Value, \CoinAddressRand, \CoinCommitRand\changed{, \Memo})$.
|
||||
|
||||
The first \changed{four} of these fields are as defined earlier.
|
||||
\changed{$\Memo$ is a 64-byte \memo associated with this \coin.
|
||||
|
||||
The usage of the $\memo$ is by agreement between the sender and recipient of the
|
||||
\coin. It should be encoded as a UTF-8 human-readable string \cite{Unicode}, padded
|
||||
with zero bytes. Wallet software is expected to strip any trailing zero bytes and
|
||||
then display the resulting UTF-8 string to the recipient user, where applicable.
|
||||
Incorrect UTF-8-encoded byte sequences should be displayed as replacement characters
|
||||
(\ReplacementCharacter). This does not preclude uses of the \memo by automated
|
||||
software, but specification of such usage is not in the scope of this document.
|
||||
}
|
||||
|
||||
\subsection{Coin Commitment Tree}
|
||||
|
||||
\begin{center}
|
||||
|
|
|
|||
Loading…
Reference in New Issue