diff --git a/protocol/protocol.tex b/protocol/protocol.tex index eb351b91..7b7388df 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -2872,6 +2872,7 @@ $\MerkleCRHSapling \typecolon \MerkleLayerSapling \times \MerkleHashSapling \tim are \hashFunctions used in \crossref{merklepath}. \sapling{$\MerkleCRHSapling$ is \collisionResistant on all its arguments, and} $\MerkleCRHSprout$ is \collisionResistant except on its first argument. + Both of these functions are instantiated in \crossref{merklecrh}. } %notsprout @@ -4639,10 +4640,12 @@ By the binding property of the \xPedersenCommitment, it is infeasible to find an opening of this commitment to a different value. Similarly, the binding property of the \valueCommitments in the \spendDescriptions and -\outputDescriptions ensures that an adversary cannot find more than one opening for any of -those commitments, i.e.\ we may assume that -$\vOld{\alln}$ and $\ValueCommitRandOld{\alln}$ are determined by $\cvOld{\alln}$, and that -$\vNew{\allm}$ and $\ValueCommitRandNew{\allm}$ are determined by $\cvNew{\allm}$. +\outputDescriptions ensures that an adversary cannot find an opening to more than one value +for any of those commitments, i.e.\ we may assume that $\vOld{\alln}$ are determined by +$\cvOld{\alln}$, and that $\vNew{\allm}$ are determined by $\cvNew{\allm}$. We may also +assume, from Knowledge Soundness of $\Groth$, that the Spend proofs could not have been +generated without knowing $\ValueCommitRandOld{\alln} \pmod{\ParamJ{r}}$, and the Output +proofs could not have been generated without knowing $\ValueCommitRandNew{\allm} \pmod{\ParamJ{r}}$. \introlist Using the fact that $\ValueCommit{\ValueCommitRand}(\Value) = \scalarmult{\Value}{\ValueCommitValueBase}\, 
@@ -10000,6 +10003,11 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \begin{itemize} \sapling{ + \item Correct a misstatement in the security argument in \crossref{bindingsig}: + binding for a commitment scheme does not imply that the commitment + determines its randomness. The rest of the security argument did not + depend on this; it is simpler to rely of knowledge soundness of the + Spend and Output proofs. \item Give a definition for \completeTwistedEdwardsEllipticCurves in \crossref{jubjub}. \item Clarify that \theoremref{thmnohashtouncommittedsapling} depends on the parameters of the \jubjubCurve.
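Review bot: in the @@ -2872 hunk, the added sentence "Both of these functions are instantiated in \crossref{merklecrh}." refers to both $\MerkleCRHSapling$ and $\MerkleCRHSprout$, but the clause that names $\MerkleCRHSapling$ is wrapped in \sapling{...} while the new sentence is not. In any rendering that elides the \sapling{...} clause but keeps this %notsprout block, the paragraph names only $\MerkleCRHSprout$ and "Both" becomes a dangling reference. Either put the new sentence under the same \sapling{...} conditional (with a one-function variant for the other rendering) or phrase it so it reads correctly in both cases, e.g. "These functions are instantiated in \crossref{merklecrh}."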
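Review bot: in the @@ -4639 hunk, "We may also assume, from Knowledge Soundness of $\Groth$, that the Spend proofs could not have been generated without knowing $\ValueCommitRandOld{\alln} \pmod{\ParamJ{r}}$" states the conclusion of an extractor argument without saying what is extracted or at what granularity. Knowledge soundness applies per proof: for each of the $n$ Spend proofs and each of the $m$ Output proofs there is an extractor that outputs a witness for that proof, and the witness contains that proof's value-commitment randomness as a scalar, which is why it is only known mod $\ParamJ{r}$. Suggest saying so explicitly ("by Knowledge Soundness of $\Groth$, for each Spend proof an extractor can obtain a witness that includes the corresponding $\ValueCommitRandOld{\alln} \pmod{\ParamJ{r}}$, and likewise for each Output proof") and adding one clause noting that the remainder of the argument uses these values only mod $\ParamJ{r}$, since the continuation starting "Using the fact that $\ValueCommit{\ValueCommitRand}(\Value) = \scalarmult{\Value}{\ValueCommitValueBase}\,\ldots$" sums them to derive the binding signature key. The removal of "$\ValueCommitRandOld{\alln}$ and ... are determined by $\cvOld{\alln}$" is correct: a hiding Pedersen commitment opens to any value under some randomness, so binding says nothing about the randomness.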
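Review bot: in the @@ -10000 hunk, the changelog entry has a typo: "it is simpler to rely of knowledge soundness" should read "rely on knowledge soundness". The same entry writes "knowledge soundness" in lower case while the \crossref{bindingsig} text in this patch writes "Knowledge Soundness"; use one form in both places, and consider naming the proving system here as the body does ("knowledge soundness of $\Groth$ for the Spend and Output proofs") so the entry matches the argument it summarizes.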