Merge pull request #72 from zcash/zips63.specify-founders-reward.0

Specify block subsidy, miner subsidy, and Founders' Reward.

protocol/protocol.tex

@@ -111,6 +111,9 @@
 
 \newcommand{\hairspace}{~\!}
 
+\newcommand{\hfrac}[2]{\scalebox{0.8}{$\genfrac{}{}{0.5pt}{0}{#1}{#2}$}}
+
+
 \RequirePackage[usenames,dvipsnames]{xcolor}
 % https://en.wikibooks.org/wiki/LaTeX/Colors#The_68_standard_colors_known_to_dvips
 \newcommand{\todo}[1]{{\color{Sepia}\sf{TODO: #1}}}
@@ -204,13 +207,19 @@
 \newcommand{\BlockHeaders}{\titleterm{Block Headers}}
 \newcommand{\blockVersionNumber}{\term{block version number}}
 \newcommand{\blockTime}{\term{block time}}
+\newcommand{\blockHeight}{\term{block height}}
+\newcommand{\genesisBlock}{\term{genesis block}}
 \newcommand{\transaction}{\term{transaction}}
 \newcommand{\transactions}{\term{transactions}}
 \newcommand{\Transactions}{\titleterm{Transactions}}
+\newcommand{\transactionFee}{\term{transaction fee}}
+\newcommand{\transactionFees}{\term{transaction fees}}
 \newcommand{\transactionVersionNumber}{\term{transaction version number}}
 \newcommand{\coinbaseTransaction}{\term{coinbase transaction}}
 \newcommand{\coinbaseTransactions}{\term{coinbase transactions}}
+\newcommand{\CoinbaseTransactions}{\titleterm{Coinbase Transactions}}
 \newcommand{\transparent}{\term{transparent}}
+\newcommand{\xTransparent}{\term{Transparent}}
 \newcommand{\transparentValuePool}{\term{transparent value pool}}
 \newcommand{\xprotected}{\term{protected}}
 \newcommand{\protectedNote}{\term{protected note}}
@@ -280,8 +289,12 @@
 \newcommand{\bytes}[1]{\underline{\raisebox{-0.22ex}{}\smash{#1}}}
 \newcommand{\zeros}[1]{[0]^{#1}}
 \newcommand{\bit}{\mathds{B}}
-\newcommand{\bitseq}[1]{\bit^{#1}}
-\newcommand{\byteseqs}{\bit^{8\star}}
+\newcommand{\Nat}{\mathbb{N}}
+\newcommand{\PosInt}{\mathbb{N}^+}
+\newcommand{\Rat}{\mathbb{Q}}
+\newcommand{\typeexp}[2]{{#1}\vphantom{)}^{[{#2}]}}
+\newcommand{\bitseq}[1]{\typeexp{\bit}{#1}}
+\newcommand{\byteseqs}{\typeexp{\bit}{8\mult\Nat}}
 \newcommand{\concatbits}{\mathsf{concat}_\bit}
 \newcommand{\hexint}[1]{\mathbf{0x{#1}}}
 \newcommand{\dontcare}{\kern -0.06em\raisebox{0.1ex}{\footnotesize{$\times$}}}
@@ -302,14 +315,13 @@
 \newcommand{\FullHashbox}[1]{\FullHash\left(\Justthebox{#1}\right)}
 \newcommand{\setof}[1]{\{{#1}\}}
 \newcommand{\range}[2]{\{{#1}\,..\,{#2}\}}
-\newcommand{\Nat}{\mathbb{N}}
-\newcommand{\PosInt}{\mathbb{N}^+}
 \newcommand{\minimum}{\mathsf{min}}
 \newcommand{\floor}[1]{\mathsf{floor}\!\left({#1}\right)}
 \newcommand{\ceiling}[1]{\mathsf{ceiling}\!\left({#1}\right)}
 \newcommand{\vsum}[2]{\smashoperator[r]{\sum_{#1}^{#2}}}
 \newcommand{\vxor}[2]{\smashoperator[r]{\bigoplus_{#1}^{#2}}}
 \newcommand{\xor}{\oplus}
+\newcommand{\mult}{\cdot}
 \newcommand{\rightarrowR}{\buildrel{\scriptstyle\mathrm{R}}\over\rightarrow}
 
 % key pairs:
@@ -402,7 +414,6 @@
 % Notes
 \newcommand{\Value}{\mathsf{v}}
 \newcommand{\ValueNew}[1]{\mathsf{v^{new}_\mathnormal{#1}}}
-\newcommand{\MAXMONEY}{\mathsf{MAX\_MONEY}}
 \newcommand{\NoteTuple}[1]{\mathbf{n}_{#1}}
 \newcommand{\NoteType}{\mathsf{Note}}
 \newcommand{\NotePlaintext}[1]{\mathbf{np}_{#1}}
@@ -427,6 +438,32 @@
 \newcommand{\DecryptNote}{\mathtt{DecryptNote}}
 \newcommand{\ReplacementCharacter}{\textsf{U+FFFD}}
 
+% Money supply
+\newcommand{\MAXMONEY}{\mathsf{MAX\_MONEY}}
+\newcommand{\BlockSubsidy}{\mathsf{BlockSubsidy}}
+\newcommand{\MinerSubsidy}{\mathsf{MinerSubsidy}}
+\newcommand{\FoundersReward}{\mathsf{FoundersReward}}
+\newcommand{\SlowStartInterval}{\mathsf{SlowStartInterval}}
+\newcommand{\SlowStartShift}{\mathsf{SlowStartShift}}
+\newcommand{\SlowStartRate}{\mathsf{SlowStartRate}}
+\newcommand{\HalvingInterval}{\mathsf{HalvingInterval}}
+\newcommand{\MaxBlockSubsidy}{\mathsf{MaxBlockSubsidy}}
+\newcommand{\NumFounderAddresses}{\mathsf{NumFounderAddresses}}
+\newcommand{\FounderAddressChangeInterval}{\mathsf{FounderAddressChangeInterval}}
+\newcommand{\FoundersFraction}{\mathsf{FoundersFraction}}
+\newcommand{\BlockHeight}{\mathsf{height}}
+\newcommand{\Halving}{\mathsf{Halving}}
+\newcommand{\FounderAddress}{\mathsf{FounderAddress}}
+\newcommand{\FounderAddressList}{\mathsf{FounderAddressList}}
+\newcommand{\FounderAddressIndex}{\mathsf{FounderAddressIndex}}
+\newcommand{\ScriptHash}{\mathsf{ScriptHash}}
+
+\newcommand{\blockSubsidy}{\term{block subsidy}}
+\newcommand{\minerSubsidy}{\term{miner subsidy}}
+\newcommand{\foundersReward}{\term{Founders' Reward}}
+\newcommand{\slowStartPeriod}{\term{slow-start period}}
+\newcommand{\halvingInterval}{\term{halving interval}}
+
 % Signatures
 \newcommand{\Sig}{\mathsf{Sig}}
 \newcommand{\SigPublic}{\mathsf{Sig.Public}}
@@ -458,7 +495,7 @@
 \newcommand{\dataToBeSigned}{\mathsf{dataToBeSigned}}
 
 % Merkle tree
-\newcommand{\MerkleDepth}{\mathsf{d}}
+\newcommand{\MerkleDepth}{\mathsf{d_{Merkle}}}
 \newcommand{\MerkleNode}[2]{\mathsf{M}^{#1}_{#2}}
 \newcommand{\MerkleSibling}{\mathsf{sibling}}
 \newcommand{\MerkleCRH}{\mathsf{MerkleCRH}}
@@ -729,14 +766,35 @@ one valid \nullifier, and so attempting to spend a \note twice would reveal the
 
 \nsection{Notation}
 
-The notation $\hexint{}$ followed by a string of \textbf{boldface} hexadecimal
-digits means the corresponding integer converted from hexadecimal.
+The notation $\bit$ means the type of bit values, i.e. $\setof{0, 1}$.
 
-The notation $\bit$ means the set of bit values, i.e. $\setof{0, 1}$.
+The notation $\Nat$ means the set of nonnegative integers. $\PosInt$
+means the set of positive integers. $\Rat$ means the set of rationals.
+
+The notation $x \typecolon T$ is used to specify that $x$ has type $T$.
+A cartesian product type is denoted by $S \times T$, and a function type
+by $S \rightarrow T$. The type of a randomized algorithm is denoted by $S \rightarrowR T$.
+The domain of a randomized algorithm may be $()$, indicating that it requires
+no arguments. An argument to a function can determine other argument or result
+types.
+
+Initial arguments to a function or randomized algorithm may be
+written as subscripts, e.g.\ if $x \typecolon X$, $y \typecolon Y$, and
+$\PRF{}{} \typecolon X \times Y \rightarrow Z$, then an invocation of
+$\PRF{}{}(x, y)$ can also be written $\PRF{x}{}(y)$.
+
+The notation $\typeexp{T}{\ell}$, where $T$ is a type and $\ell$ is an integer,
+means the type of sequences of length $\ell$ with elements in $T$. For example,
 $\bitseq{\ell}$ means the set of sequences of $\ell$ bits.
+
+The notation $T \subseteq U$ indicates that $T$ is an inclusive subset or subtype of $U$.
+
 $\byteseqs$ means the set of bit sequences constrained to be of length
 a multiple of 8 bits.
 
+The notation $\hexint{}$ followed by a string of \textbf{boldface} hexadecimal
+digits means the corresponding integer converted from hexadecimal.
+
 The notation $\ascii{...}$ means the given string represented as a
 sequence of bytes in US-ASCII. For example, $\ascii{abc}$ represents the
 byte sequence $[\hexint{61}, \hexint{62}, \hexint{63}]$.
@@ -744,13 +802,13 @@ byte sequence $[\hexint{61}, \hexint{62}, \hexint{63}]$.
 The notation $a..b$, used as a subscript, means the sequence of values
 with indices $a$ through $b$ inclusive. For example,
 $\AuthPublicNew{\allNew}$ means the sequence $[\AuthPublicNew{\mathrm{1}},
-\AuthPublicNew{\mathrm{2}}, ...\;\AuthPublicNew{\NNew}]$.
+\AuthPublicNew{\mathrm{2}}, ...\,\AuthPublicNew{\NNew}]$.
 (For consistency with the notation in \cite{BCG+2014} and in \cite{BK2016},
 this specification uses 1-based indexing and inclusive ranges,
 notwithstanding the compelling arguments to the contrary made in
 \cite{EWD-831}.)
 
-The notation $\range{a}{b}$ means the set of integers from $a$ through
+The notation $\range{a}{b}$ means the set or type of integers from $a$ through
 $b$ inclusive.
 
 The notation $[f(x)$ for $x$ from $a$ up to $b\,]$ means the sequence
@@ -766,19 +824,23 @@ concatenating the elements of $S$ viewed as bit sequences. If the
 elements of $S$ are byte sequences, they are converted to bit sequences
 with the \emph{most significant} bit of each byte first.
 
-The notation $\Nat$ means the set of nonnegative integers. $\PosInt$
-means the set of positive integers.
-
 The notation $\GF{n}$ means the finite field with $n$ elements, and
 $\GFstar{n}$ means its group under multiplication.
 $\GF{n}[z]$ means the ring of polynomials over $z$ with coefficients
 in $\GF{n}$.
 
-The notation $a \bmod q$, for integers $a \geq 0$ and $q > 0$, means the
-remainder on dividing $a$ by $q$.
+The notation $a \mult b$ means the result of multiplying $a$ and $b$.
+This may refer to multiplication of integers, rationals, or
+finite field elements according to context.
+
+The notation $a^b$, for $a$ an integer or finite field element and
+$b$ an integer, means the result of raising $a$ to the exponent $b$.
+
+The notation $a \bmod q$, for $a \typecolon \Nat$ and $q \typecolon \PosInt$,
+means the remainder on dividing $a$ by $q$.
 
 The notation $a \xor b$ means the bitwise exclusive-or of $a$ and $b$,
-defined either on integers or bit sequences depending on context.
+defined either on integers or bit sequences according to context.
 
 The notation $\vsum{i=1}{\mathrm{N}} a_i$ means the sum of $a_{\allN{}}$.\;
 $\vxor{i=1}{\mathrm{N}} a_i$ means the bitwise exclusive-or of $a_{\allN{}}$.
@@ -788,26 +850,14 @@ $\ceiling{x}$ means the smallest integer $\geq x$.
 
 The symbol $\bot$ is used to indicate unavailable information or a failed decryption.
 
-The notation $T \subseteq U$ indicates that $T$ is an inclusive subset or subtype of $U$.
-
-The notation $x \typecolon T$ is used to specify that $x$ has type $T$.
-A cartesian product type is denoted by $S \times T$, and a function type
-by $S \rightarrow T$. The type of a randomized algorithm is denoted by $S \rightarrowR T$.
-The domain of a randomized algorithm may be $()$, indicating that it requires
-no arguments. An argument to a function can determine other argument or result
-types.
-
-Initial arguments to a function or randomized algorithm may be
-written as subscripts, e.g.\ if $x \typecolon X$, $y \typecolon Y$, and
-$\PRF{}{} \typecolon X \times Y \rightarrow Z$, then an invocation of
-$\PRF{}{}(x, y)$ can also be written $\PRF{x}{}(y)$.
-
 The following integer constants will be instantiated in \crossref{constants}:
 $\MerkleDepth$, $\NOld$, $\NNew$, $\MerkleHashLength$, $\hSigLength$,
 $\PRFOutputLength$, $\NoteCommitRandLength$, $\RandomSeedLength$, $\AuthPrivateLength$,
-$\NoteAddressPreRandLength$, $\MAXMONEY$. The bit sequence constant
-$\Uncommitted \typecolon \bitseq{\MerkleHashLength}$ will also be defined in
-that section.
+$\NoteAddressPreRandLength$, $\MAXMONEY$, $\SlowStartInterval$, $\HalvingInterval$,
+$\MaxBlockSubsidy$, $\NumFounderAddresses$.
+The bit sequence constant $\Uncommitted \typecolon \bitseq{\MerkleHashLength}$
+and the rational constant $\FoundersFraction \typecolon \Rat$ will also be defined
+in that section.
 
 
 \nsection{Concepts}
@@ -955,7 +1005,7 @@ views of valid \blocks, and therefore of the sequence of \treestates in those
 \nsubsection{\JoinSplitTransfers{} and Descriptions} \label{joinsplit}
 
 A \joinSplitDescription is data included in a \transaction that describes a \joinSplitTransfer,
-i.e.\ a confidential value transfer. This kind of value transfer is the primary
+i.e.\ a \xprotected value transfer. This kind of value transfer is the primary
 \Zcash-specific operation performed by \transactions; it uses, but should not be
 confused with, the \joinSplitStatement used for the \zkSNARK proof and verification.
 
@@ -1017,21 +1067,26 @@ the \fullnode's \blockchainview, the containing transaction will be rejected, si
 it would otherwise result in a double-spend.
 
 
-\nsubsection{Coinbase Transactions}
+\nsubsection{Block Subsidy and Founders' Reward} \label{subsidyconcepts}
+
+Like \Bitcoin, \Zcash creates currency when \blocks are mined. The value created on
+mining a \block is called the \blockSubsidy. It is composed of a \minerSubsidy and a
+\foundersReward. As in \Bitcoin, the miner of a \block also receives \transactionFees.
+
+The amount of the \blockSubsidy and \minerSubsidy depends on the \blockHeight.
+The \blockHeight of the \genesisBlock is 0, and the \blockHeight of each subsequent \block in
+the \blockchain increments by 1.
+
+The calculations of the \blockSubsidy, \minerSubsidy, and \foundersReward for a
+given \blockHeight are given in \crossref{subsidies}.
+
+
+\nsubsection{\CoinbaseTransactions}
 
 The first \transaction in a block must be a \coinbaseTransaction, which should
-collect and spend any block reward and transaction fees paid by \transactions
-included in this block.
-
-\nsubsubsection{Block Subsidy and Transaction Fees}
-
-\todo{Describe money supply curve.}
-\todo{Miner's reward = transaction fees + block subsidy - founder's reward}
-
-\nsubsubsection{Coinbase outputs}
-
-\todo{Coinbase maturity rule.}
-\todo{Any tx with a coinbase input must have no \transparent outputs (vout).}
+collect and spend any \minerSubsidy and \transactionFees paid by \transactions
+included in this \block. The \coinbaseTransaction must also pay the \foundersReward
+as described in \crossref{coinbases}.
 
 
 \nsection{Abstract Protocol}
@@ -1045,7 +1100,7 @@ is a collision-resistant hash function used in \crossref{merklepath}.
 It is instantiated in \crossref{merklecrh}.
 
 \changed{
-$\hSigCRH{} \typecolon \bitseq{\RandomSeedLength} \times (\PRFOutput)^{\NOld} \times \JoinSplitSigPublic \rightarrow \hSigType$
+$\hSigCRH{} \typecolon \bitseq{\RandomSeedLength} \times \typeexp{\PRFOutput}{\NOld} \times \JoinSplitSigPublic \rightarrow \hSigType$
 is a collision-resistant hash function used in \crossref{joinsplitdesc}.
 It is instantiated in \crossref{hsigcrh}.
 
@@ -1353,9 +1408,9 @@ where
         \crossref{blockchain}, for the output \treestate of either
         a previous \block, or a previous \joinSplitTransfer in this
         \transaction.
-  \item $\nfOld{\allOld} \typecolon (\PRFOutput)^{\NOld}$ is
+  \item $\nfOld{\allOld} \typecolon \typeexp{\PRFOutput}{\NOld}$ is
         the sequence of \nullifiers for the input \notes;
-  \item $\cmNew{\allNew} \typecolon (\CommitOutput)^{\NNew}$ is
+  \item $\cmNew{\allNew} \typecolon \typeexp{\CommitOutput}{\NNew}$ is
         the sequence of \noteCommitments for the output \notes;
   \item \changed{$\EphemeralPublic \typecolon \KAPublic$ is
         a key agreement public key, used to derive the key for encryption
@@ -1363,12 +1418,12 @@ where
   \item \changed{$\RandomSeed \typecolon \RandomSeedType$ is
         a seed that must be chosen independently at random for each
         \joinSplitDescription};
-  \item $\h{\allOld} \typecolon (\PRFOutput)^{\NOld}$ is
+  \item $\h{\allOld} \typecolon \typeexp{\PRFOutput}{\NOld}$ is
         a sequence of tags that bind $\hSig$ to each
         $\AuthPrivate$ of the input \notes;
   \item $\JoinSplitProof \typecolon \ZKJoinSplitProof$ is
         the \zeroKnowledgeProof for the \joinSplitStatement;
-  \item $\TransmitCiphertext{\allNew} \typecolon (\Ciphertext)^{\NNew}$ is
+  \item $\TransmitCiphertext{\allNew} \typecolon \typeexp{\Ciphertext}{\NNew}$ is
         a sequence of ciphertext components for the encrypted output \notes.
 \end{itemize}
 
@@ -1572,22 +1627,22 @@ A valid instance of $\JoinSplitProof$ assures that given a \term{primary input}:
 
 \begin{itemize}
   \item[] $(\rt \typecolon \MerkleHash,
-            \nfOld{\allOld} \typecolon (\PRFOutput)^{\NOld},
-            \cmNew{\allNew} \typecolon (\CommitOutput)^{\NNew},
+            \nfOld{\allOld} \typecolon \typeexp{\PRFOutput}{\NOld},
+            \cmNew{\allNew} \typecolon \typeexp{\CommitOutput}{\NNew},
             \changed{\vpubOld \typecolon \range{0}{2^{64}-1},}\,
             \vpubNew \typecolon \range{0}{2^{64}-1},\\
            \hphantom{(}
             \hSig \typecolon \hSigType,
-            \h{\allOld} \typecolon (\PRFOutput)^{\NOld})$,
+            \h{\allOld} \typecolon \typeexp{\PRFOutput}{\NOld})$,
 \end{itemize}
 
 the prover knows an \term{auxiliary input}:
 
 \begin{itemize}
-  \item[] $(\treepath{\allOld} \typecolon ((\MerkleHash)^{\MerkleDepth})^{\NOld},
-            \nOld{\allOld} \typecolon \NoteType^{\NOld},
-            \AuthPrivateOld{\allOld} \typecolon (\bitseq{\AuthPrivateLength})^{\NOld},
-            \nNew{\allNew} \typecolon \NoteType^{\NOld}\changed{,}\\
+  \item[] $(\treepath{\allOld} \typecolon \typeexp{\typeexp{\MerkleHash}{\MerkleDepth}}{\NOld},
+            \nOld{\allOld} \typecolon \typeexp{\NoteType}{\NOld},
+            \AuthPrivateOld{\allOld} \typecolon \typeexp{\bitseq{\AuthPrivateLength}}{\NOld},
+            \nNew{\allNew} \typecolon \typeexp{\NoteType}{\NOld}\changed{,}\\
            \hphantom{(}
             \changed{\NoteAddressPreRand \typecolon \bitseq{\NoteAddressPreRandLength},
             \EnforceCommit{\allOld} \typecolon \bitseq{\NOld}})$,
@@ -1833,18 +1888,23 @@ and represent the byte sequence $[\hexint{D2}, \hexint{BC}, \hexint{3A}, \hexint
 Define:
 
 \begin{itemize}
-  \item[] $\MerkleDepth = \changed{29}$
-  \item[] $\NOld = 2$
-  \item[] $\NNew = 2$
-  \item[] $\MerkleHashLength = 256$
-  \item[] $\hSigLength = 256$
-  \item[] $\PRFOutputLength = 256$
-  \item[] $\NoteCommitRandLength = \changed{256}$
-  \item[] $\changed{\RandomSeedLength = 256}$
-  \item[] $\AuthPrivateLength = \changed{252}$
-  \item[] $\NoteAddressPreRandLength = \changed{252}$
-  \item[] $\Uncommitted = \zeros{\MerkleHashLength}$
-  \item[] $\MAXMONEY = \changed{2.1 \times 10^{15}}$.
+  \item[] $\MerkleDepth \typecolon \Nat := \changed{29}$
+  \item[] $\NOld \typecolon \Nat := 2$
+  \item[] $\NNew \typecolon \Nat := 2$
+  \item[] $\MerkleHashLength \typecolon \Nat := 256$
+  \item[] $\hSigLength \typecolon \Nat := 256$
+  \item[] $\PRFOutputLength \typecolon \Nat := 256$
+  \item[] $\NoteCommitRandLength \typecolon \Nat := \changed{256}$
+  \item[] $\changed{\RandomSeedLength \typecolon \Nat := 256}$
+  \item[] $\AuthPrivateLength \typecolon \Nat := \changed{252}$
+  \item[] $\changed{\NoteAddressPreRandLength \typecolon \Nat := 252}$
+  \item[] $\Uncommitted \typecolon \bitseq{\MerkleHashLength} := \zeros{\MerkleHashLength}$
+  \item[] $\MAXMONEY \typecolon \Nat := \changed{2.1 \mult 10^{15}}$ (\zatoshi)
+  \item[] $\SlowStartInterval \typecolon \Nat := 20000$
+  \item[] $\HalvingInterval \typecolon \Nat := 840000$
+  \item[] $\MaxBlockSubsidy \typecolon \Nat := 1.25 \mult 10^9$ (\zatoshi)
+  \item[] $\NumFounderAddresses \typecolon \Nat := \begin{cases} 48,&\!\!\text{on mainnet} \\ 3,&\!\!\text{on testnet} \end{cases}$
+  \item[] $\FoundersFraction \typecolon \Rat := \frac{1}{5}$.
 \end{itemize}
 
 
@@ -1939,8 +1999,8 @@ Let $\powcount(g) := \Justthebox{\powcountbox}$.
 Let $\EquihashGen{n, k}(S, i) := T_{h+1\hairspace..\hairspace h+n}$, where
 \begin{itemize}
   \item $m := \floor{\frac{512}{n}}$;
-  \item $h := (i-1 \bmod m)\, n$;
-  \item $T := \Blake{(n m)}(\powtag,\, S \,||\, \powcount(\floor{\frac{i-1}{m}}))$.
+  \item $h := (i-1 \bmod m) \mult n$;
+  \item $T := \Blake{(\mathnormal{n \mult m})}(\powtag,\, S \,||\, \powcount(\floor{\frac{i-1}{m}}))$.
 \end{itemize}
 
 Indices of bits in $T$ are 1-based.
@@ -2387,9 +2447,9 @@ The pairing is of type $\GroupG{1} \times \GroupG{2} \rightarrow \GroupG{T}$, wh
   \item $\GroupG{1}$ is a Barreto--Naehrig curve over $\GF{q}$ with equation
 $y^2 = x^3 + b$. This curve has embedding degree 12 with respect to $r$.
   \item $\GroupG{2}$ is the subgroup of order $r$ in the twisted Barreto-Naehrig curve
-over $\GF{q^2}$ with equation $y^2 = x^3 + b/xi$. We represent elements of $\GF{q^2}$ as
-polynomials $a_1 t + a_0 \typecolon \GF{q}[t]$, modulo the irreducible polynomial
-$t^2 + 1$.
+over $\GF{q^2}$ with equation $y^2 = x^3 + \frac{b}{x \mult i}$. We represent elements
+of $\GF{q^2}$ as polynomials $a_1 \mult t + a_0 \typecolon \GF{q}[t]$, modulo the
+irreducible polynomial $t^2 + 1$.
   \item $\GroupG{T}$ is $\mu_r$, the subgroup of $r^\mathrm{th}$ roots of unity in
 $\GFstar{q^{12}}$.
 \end{itemize}
@@ -2399,10 +2459,10 @@ Let $\PointP{1} \typecolon \GroupG{1} = (1, 2)$.
 \begin{tabular}{@{}l@{}r@{}l@{}}
 Let $\PointP{2} \typecolon \GroupG{2} =\;$
 % are these the right way round?
-&$(11559732032986387107991004021392285783925812861821192530917403151452391805634$ & $\,t\;+$ \\
-&$ 10857046999023057135944570762232829481370756359578518086990519993285655852781$ & $,     $ \\
-&$  4082367875863433681332203403145435568316851327593401208105741076214120093531$ & $\,t\;+$ \\
-&$  8495653923123431417604973247489272438418190587263600148770280649306958101930$ & $).    $
+&$(11559732032986387107991004021392285783925812861821192530917403151452391805634$ & $\mult\, t\;+$ \\
+&$ 10857046999023057135944570762232829481370756359578518086990519993285655852781$ & $,           $ \\
+&$  4082367875863433681332203403145435568316851327593401208105741076214120093531$ & $\mult\, t\;+$ \\
+&$  8495653923123431417604973247489272438418190587263600148770280649306958101930$ & $).          $
 \end{tabular}
 
 $\PointP{1}$ and $\PointP{2}$ are generators of $\GroupG{1}$ and $\GroupG{2}$ respectively.
@@ -2462,9 +2522,9 @@ of \libsnark, to ensure compatibility.
 \end{bytefield}
 \end{lrbox}
 
-Define $\ItoOSP{} \typecolon (k \typecolon \Nat) \times \range{0}{256^k\!-\!1} \rightarrow \range{0}{255}^k$
-such that $\ItoOSP{\ell}(n)$ is the sequence of $\ell$ bytes representing $n$ in
-big-endian order.
+Define $\ItoOSP{} \typecolon (k \typecolon \Nat) \times \range{0}{256^k\!-\!1} \rightarrow
+\typeexp{\range{0}{255}}{k}$ such that $\ItoOSP{\ell}(n)$ is the sequence of $\ell$ bytes
+representing $n$ in big-endian order.
 
 For a point $P \typecolon \GroupG{1} = (x_P, y_P)$:
 \begin{itemize}
@@ -2477,9 +2537,9 @@ For a point $P \typecolon \GroupG{1} = (x_P, y_P)$:
 For a point $P \typecolon \GroupG{2} = (x_P, y_P)$:
 \begin{itemize}
   \item A field element $w \typecolon \GF{q^2}$ is represented as
-        a polynomial $a_{w,1} t + a_{w,0} \typecolon \GF{q}[t]$ modulo $t^2 + 1$.
+        a polynomial $a_{w,1} \mult t + a_{w,0} \typecolon \GF{q}[t]$ modulo $t^2 + 1$.
         Define $\FEtoIP \typecolon \GF{q^2} \rightarrow \range{0}{q^2\!-\!1}$ such that
-        $\FEtoIP(w) = a_{w,1} q + a_{w,0}$.
+        $\FEtoIP(w) = a_{w,1} \mult q + a_{w,0}$.
   \item Let $x = \FEtoIP(x_P)$, $y = \FEtoIP(y_P)$, and $y' = \FEtoIP(-y_P)$.
   \item Let $\tilde{y} = \begin{cases} 1, &\text{if } y > y' \\0, &\text{otherwise.} \end{cases}$
   \item $P$ is encoded as $\Justthebox{\gtwobox}$.
@@ -2572,18 +2632,18 @@ Bytes & \heading{Name} & \heading{Data Type} & \heading{Description} \\
 
 \Varies & $\txInCount$ & \compactSize & Number of \transparent inputs in this transaction. \\ \hline
 
-\Varies & $\txIn$ & $\txIn$ & Transparent inputs, encoded as in \Bitcoin. \\ \hline
+\Varies & $\txIn$ & $\txIn$ & \xTransparent inputs, encoded as in \Bitcoin. \\ \hline
 
 \Varies & $\txOutCount$ & \compactSize & Number of \transparent outputs in this transaction. \\ \hline
 
-\Varies & $\txOut$ & $\txOut$ & Transparent outputs, encoded as in \Bitcoin. \\ \hline
+\Varies & $\txOut$ & $\txOut$ & \xTransparent outputs, encoded as in \Bitcoin. \\ \hline
 
 4 & $\lockTime$ & \type{uint32\_t} & A Unix epoch time or block number, encoded as in \Bitcoin. \\ \hline
 
 \Varies\;$\dagger$ & $\nJoinSplit$ & \compactSize & The number of \joinSplitDescriptions
 in $\vJoinSplit$. \\ \hline
 
-\Longunderstack{1802 $\times$ \\ $\nJoinSplit\,\dagger$} & $\vJoinSplit$ & \type{JoinSplitDescription} \type{[$\nJoinSplit$]} &
+\Longunderstack{1802 $\mult$ \\ $\nJoinSplit\,\dagger$} & $\vJoinSplit$ & \type{JoinSplitDescription} \type{[$\nJoinSplit$]} &
 A \sequenceOfJoinSplitDescriptions, each encoded as described in \crossref{joinsplitencoding}. \\ \hline
 
 32 $\ddagger$ & $\joinSplitPubKey$ & \type{char[32]} & An encoding of a $\JoinSplitSig$
@@ -2620,7 +2680,7 @@ Software that creates \transactions{} \SHOULD use version 1 for \transactions wi
 \pnote{
 A \transactionVersionNumber of 2 does not have the same meaning as in \Bitcoin, where
 it is associated with support for \ScriptOP{CHECKSEQUENCEVERIFY} as specified in \cite{BIP-68}.
-\Zcash was forked from \Bitcoin v0.11.2 and does not support BIP 68, or the related BIPs
+\Zcash was forked from \Bitcoin v0.11.2 and does not currently support BIP 68, or the related BIPs
 9, 112 and 113.
 }
 
@@ -2649,7 +2709,7 @@ this \transaction. \\ \hline
 64 & $\nullifiersField$ & \type{char[32][$\NOld$]} & A sequence of \nullifiers of the input
 \notes $\nfOld{\allOld}$. \\ \hline
 
-64 & $\commitments$ & \type{char[32][$\NNew$]}. & A sequence of \noteCommitments for the
+64 & $\commitments$ & \type{char[32][$\NNew$]} & A sequence of \noteCommitments for the
 output \notes $\cmNew{\allNew}$. \\ \hline
 
 \setchanged 32 &\setchanged $\ephemeralKey$ &\setchanged \type{char[32]} &\mbox{}\setchanged
@@ -2792,7 +2852,7 @@ big-endian order.
 Define $\BStoIP{} \typecolon (u \typecolon \Nat) \times \bitseq{u} \rightarrow \range{0}{2^u\!-\!1}$
 such that $\BStoIP{u}$ is the inverse of $\ItoBSP{u}$.
 
-Define $\Xi_r(a, b) := \BStoIP{2^{r-1} \ell}(\concatbits(X_{i_{a..b}}))$.
+Define $\Xi_r(a, b) := \BStoIP{2^{r-1} \mult \ell}(\concatbits(X_{i_{a..b}}))$.
 
 A \validEquihashSolution is then a sequence $i \typecolon \range{1}{N}^{2^k}$ that
 satisfies the following conditions:
@@ -2805,8 +2865,8 @@ $\vxor{j=1}{2^k} X_{i_j} = 0$.
 
 For all $r \in \range{1}{k\!-\!1}$, for all $w \in \range{0}{2^{k-r}\!-\!1}$:
 \begin{itemize}
-  \item $\vxor{j=1}{2^r} X_{i_{w 2^r + j}}$ has $\frac{nr}{k+1}$ leading zeroes; and
-  \item $\Xi_r(w 2^r + 1, w 2^r + 2^{r-1}) < \Xi_r(w 2^r + 2^{r-1} + 1, w 2^r + 2^r)$.
+  \item $\vxor{j=1}{2^r} X_{i_{w \mult 2^r + j}}$ has $\frac{n \mult r}{k+1}$ leading zeroes; and
+  \item $\Xi_r(w \mult 2^r + 1, w \mult 2^r + 2^{r-1}) < \Xi_r(w \mult 2^r + 2^{r-1} + 1, w \mult 2^r + 2^r)$.
 \end{itemize}
 
 \pnote{
@@ -2888,6 +2948,79 @@ Unlike \Bitcoin, the difficulty adjustment occurs after every block.
 \todo{Describe the algorithm.}
 
 
+\nsubsection{Calculation of Block Subsidy and Founders' Reward} \label{subsidies}
+
+\crossref{subsidyconcepts} defines the \blockSubsidy, \minerSubsidy, and \foundersReward.
+Their amounts in \zatoshi are calculated from the \blockHeight using
+the formulae below. The constants $\SlowStartInterval$, $\HalvingInterval$,
+$\MaxBlockSubsidy$, and $\FoundersFraction$ are instantiated in \crossref{constants}.
+
+\vspace{2ex}
+\hskip 1em $\SlowStartShift \typecolon \Nat := \hfrac{\SlowStartInterval}{2}$
+
+\hskip 1em $\SlowStartRate \typecolon \Nat := \hfrac{\MaxBlockSubsidy}{\SlowStartInterval}$
+
+\hskip 1em $\Halving(\BlockHeight) := \floor{\hfrac{\BlockHeight - \SlowStartShift}{\HalvingInterval}}$
+
+\hskip 1em $\BlockSubsidy(\BlockHeight) := \begin{cases}
+   \SlowStartRate \mult \BlockHeight,&\!\!\text{if } \BlockHeight < \hfrac{\SlowStartInterval}{2} \\[1.4ex]
+   \SlowStartRate \mult (\BlockHeight + 1),&\!\!\text{if } \hfrac{\SlowStartInterval}{2} \leq \BlockHeight < \SlowStartInterval \\[1.4ex]
+   \floor{\hfrac{\MaxBlockSubsidy}{2^{\Halving(\BlockHeight)}}},&\!\!\text{otherwise}
+\end{cases}$
+
+\hskip 1em $\FoundersReward(\BlockHeight) := \begin{cases}
+   \BlockSubsidy(\BlockHeight) \mult \FoundersFraction,&\!\!\!\text{if } \BlockHeight < \SlowStartShift + \HalvingInterval \\
+   0,&\!\!\!\text{otherwise}
+\end{cases}$
+
+\hskip 1em $\MinerSubsidy(\BlockHeight) := \BlockSubsidy(\BlockHeight) - \FoundersReward(\BlockHeight)$.
+
+
+\nsubsection{Coinbase outputs} \label{coinbases}
+
+\todo{Coinbase maturity rule.}
+\todo{Any tx with a coinbase input must have no \transparent outputs (vout).}
+
+The \foundersReward is paid by a \transparent output in the \coinbaseTransaction, to
+one of $\NumFounderAddresses$ \transparent addresses, depending on the \blockHeight.
+
+Let $\SlowStartShift$ be defined as in the previous section.
+
+\renewcommand{\arraystretch}{0.95}
+
+For mainnet, $\FounderAddressList_{\mathrm{1}..\NumFounderAddresses}$ is \todo{}.
+
+For testnet, $\FounderAddressList_{\mathrm{1}..\NumFounderAddresses}$ is:
+
+\begin{tabular}{@{\hskip 2.5em}l@{\;}l}
+[& \ascii{2N2e2FRfP9D1dRN1oRWkH7pbFM69eGNAuQ4}, \\
+ & \ascii{2N34hYM1s153468KeHZU8Ts3acHiaatrrAj}, \\
+ & \ascii{2MtnWxFk3WQL2ry9eq9HdnFo3VhDv8kFEuA}\, ]
+\end{tabular}
+
+\renewcommand{\arraystretch}{1}
+
+Define:
+
+\begin{itemize}
+  \item[] $\FounderAddressChangeInterval := \ceiling{\hfrac{\SlowStartShift + \HalvingInterval}{\NumFounderAddresses}}$
+  \item[] $\FounderAddressIndex(\BlockHeight) := 1 + \floor{\hfrac{\BlockHeight}{\FounderAddressChangeInterval}}$.
+\end{itemize}
+
+Then the \foundersReward for \blockHeight $\BlockHeight$ \MUST be paid to
+the address with Base58Check representation given by
+$\FounderAddressList_{\,\FounderAddressIndex(\BlockHeight)}$, provided that
+$\BlockHeight < \SlowStartShift + \HalvingInterval$. No \foundersReward is required
+to be paid for $\BlockHeight \geq \SlowStartShift + \HalvingInterval$ (i.e. after
+the first halving).
+
+Each address representation in $\FounderAddressList$ denotes a \transparent
+P2SH multisig address. The payment \MUST be performed using a P2SH script
+of the form \ScriptOP{HASH160} \;$\ScriptHash$\; \ScriptOP{EQUAL},
+where $\ScriptHash$ is the standard redeem script hash for the given
+P2SH multisig address \cite{Bitcoin-Multisig}.
+
+
 \nsection{Differences from the Zerocash paper} \label{differences}
 
 \nsubsection{Transaction Structure} \label{trstructure}
@@ -3300,6 +3433,15 @@ The errors in the proof of Ledger Indistinguishability mentioned in
 
 \nsection{Change history}
 
+\subparagraph{2016.0-beta-1.4}
+
+\begin{itemize}
+    \item Specify the \blockSubsidy, \minerSubsidy, and the \foundersReward.
+    \item Specify \coinbaseTransaction outputs to \foundersReward addresses.
+    \item Improve notation (for example ``$\mult$'' for multiplication and
+          ``$\typeexp{T}{\ell}$'' for sequence types) to avoid ambiguity.
+\end{itemize}
+
 \subparagraph{2016.0-beta-1.3}
 
 \begin{itemize}

protocol/protocol.ver

@@ -1 +1 @@
-\renewcommand{\docversion}{Version 2016.0-beta-1.3}
+\renewcommand{\docversion}{Version 2016.0-beta-1.4}

protocol/zcash.bib

@@ -248,6 +248,12 @@ Received \mbox{April 13,} 2011.}
    urldate={2016-08-13}
 }
 
+@misc{Bitcoin-Multisig,
+   title={P2SH multisig (definition) --- {B}itcoin {D}eveloper {R}eference},
+   url={https://bitcoin.org/en/developer-guide#term-p2sh-multisig},
+   urldate={2016-08-19}
+}
+
 @misc{BIP-62,
    author={Pieter Wuille},
    title={Dealing with malleability},