From f6fb3c80d71b61412e16d01baede07d5178a11b4 Mon Sep 17 00:00:00 2001
From: Daira Hopwood
Date: Mon, 15 Mar 2021 16:17:17 +0000
Subject: [PATCH] More WIP.
Signed-off-by: Daira Hopwood
---
 protocol/protocol.tex | 571 ++++++++++++++++++++++++++++--------------
 protocol/zcash.bib | 29 ++-
 2 files changed, 414 insertions(+), 186 deletions(-)
diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index 4e85296b..40f61254 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -1036,6 +1036,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\diversifier}{\term{diversifier}}
 \newcommand{\diversifiers}{\terms{diversifier}}
 \newcommand{\diversifierKey}{\term{diversifier key}}
+\newcommand{\diversifierIndex}{\term{diversifier index}}
 \newcommand{\incomingViewingKey}{\term{incoming viewing key}}
 \newcommand{\incomingViewingKeys}{\terms{incoming viewing key}}
 \newcommand{\outgoingViewingKey}{\term{outgoing viewing key}}
@@ -1416,6 +1417,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\AuthSignPrivate}{\mathsf{ask}}
 \newcommand{\AuthSignBase}[1]{\mathcal{G}^{\mathsf{#1}\!}}
 \newcommand{\AuthSignPublic}{\mathsf{ak}}
+\newcommand{\AuthSignPublicPoint}{\mathsf{ak}^\GroupP}
 \newcommand{\AuthSignPublicRepr}{{\AuthSignPublic\Repr}}
 \newcommand{\AuthSignRandomizedPublic}{\mathsf{rk}}
 \newcommand{\AuthSignRandomizedPublicRepr}{{\AuthSignRandomizedPublic\Repr}}
@@ -1443,6 +1445,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\DiversifierKey}{\mathsf{dk}}
 \newcommand{\DiversifierKeyLength}{\mathsf{\ell_{\DiversifierKey}}}
 \newcommand{\DiversifierKeyType}{\byteseq{\DiversifierKeyLength/8}}
+\newcommand{\DiversifierIndex}{\mathsf{index}}
 \newcommand{\CommitIvkRandom}{\mathsf{rivk}}
 \newcommand{\FVK}{\mathsf{FVK}}
 \newcommand{\DiversifiedTransmitBase}{\mathsf{g_d}}
@@ -1478,6 +1481,11 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\PRFOutputExpand}{\byteseq{\PRFOutputLengthExpand/8}}
 \newcommand{\PRFInputExpand}{\byteseqs}
+% PRPs
+
+\newcommand{\PRP}[2]{\mathsf{{PRP}^{#2}_\mathnormal{#1}}}
+\newcommand{\PRPd}[1]{\PRP{#1}{d}}
+
 % Commitments
 \newcommand{\Uncommitted}[1]{\mathsf{Uncommitted}^\mathsf{#1\kern-0.1em}}
@@ -1534,6 +1542,11 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\Oracle}{\mathsf{O}}
 \newcommand{\CryptoBoxSeal}{\mathsf{crypto\_box\_seal}}
+\newcommand{\FFOne}{\mathsf{FF1}}
+\newcommand{\FFOneAESAlg}{\mathsf{FF1\mhyphen{}AES256}}
+\newcommand{\FFOneAES}[1]{\FFOneAESAlg_{#1}}
+\newcommand{\AES}{\mathsf{AES}}
+
 % Key agreement
 \newcommand{\KA}[1]{\mathsf{KA}^\mathsf{#1\kern-0.1em}}
@@ -1603,7 +1616,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\cv}{\mathsf{cv}}
 \newcommand{\cvOld}[1]{\cv^\mathsf{old}_{#1}}
 \newcommand{\cvNew}[1]{\cv^\mathsf{new}_{#1}}
-\newcommand{\cvNet}[1]{\cv^\mathsf{net}_{#1}}
+\newcommand{\cvNet}{\cv^\mathsf{net}}
 \newcommand{\cm}{\mathsf{cm}}
 \newcommand{\cmU}{\cm_{\kern -0.06em u}}
 \newcommand{\cmX}{\cm_{\kern -0.06em x}}
@@ -1623,6 +1636,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\DecryptNoteSapling}{\mathtt{DecryptNoteSapling}}
 \newcommand{\DecryptNoteOrchard}{\mathtt{DecryptNoteOrchard}}
 \newcommand{\ReplacementCharacter}{\textsf{U+FFFD}}
+\newcommand{\maybeSapling}{\notnufive{Sapling}}
 % Money supply
@@ -2022,7 +2036,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\Generator}{\mathcal{P}}
 \newcommand{\Selectu}{\scalebox{1.53}{$u$}}
 \newcommand{\Selectv}{\scalebox{1.53}{$\varv$}}
-\newcommand{\Selectx}{\scalebox{1.53}{$x$}}
 \newcommand{\subgroupr}{(\kern-0.075emr\kern-0.075em)}
 \newcommand{\Extract}{\mathsf{Extract}}
 \newcommand{\GroupHash}{\mathsf{GroupHash}}
@@ -2137,7 +2150,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\ParamP}[1]{{{#1}_\mathbb{\hskip 0.01em P}}}
 \newcommand{\ParamPexp}[2]{{{#1}_\mathbb{\hskip 0.01em P}\!}^{#2}}
 \newcommand{\GroupP}{\mathbb{P}}
+\newcommand{\GroupPx}{\GroupP_x}
 \newcommand{\GroupPstar}{\GroupP^{\ast}}
+\newcommand{\GroupPstarx}{\GroupP^{\ast}_x}
 \newcommand{\CurveP}{\Curve_{\GroupP}}
 \newcommand{\ZeroP}{\Zero_{\GroupP}}
 \newcommand{\ellP}{\ell_{\GroupP}}
@@ -2229,6 +2244,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\FEtoIPP}{\mathsf{FE2IPP}}
 \newcommand{\ItoLEBSP}[1]{\mathsf{I2LEBSP}_{#1}}
 \newcommand{\ItoLEBSPOf}[2]{\ItoLEBSP{#1}\!\left({#2}\right)}
+\newcommand{\ItoLEOSP}[1]{\mathsf{I2LEOSP}_{#1}}
+\newcommand{\ItoLEOSPOf}[2]{\ItoLEOSP{#1}\!\left({#2}\right)}
 \newcommand{\ItoBEBSP}[1]{\mathsf{I2BEBSP}_{#1}}
 \newcommand{\ItoBEBSPOf}[2]{\ItoBEBSP{#1}\!\left({#2}\right)}
 \newcommand{\LEBStoIP}[1]{\mathsf{LEBS2IP}_{#1}}
@@ -3025,8 +3042,8 @@ to a given \paymentAddress.
 \vspace{1ex}
 Let \sprout{$\MAXMONEY$ and $\PRFOutputLengthSprout$}
-\notsprout{$\MAXMONEY$, $\PRFOutputLengthSprout$\sapling{, $\PRFOutputLengthNfSapling$, and $\DiversifierLength$}}
-be as defined in \crossref{constants}.
+\notsprout{$\MAXMONEY$, $\PRFOutputLengthSprout$\sapling{, $\PRFOutputLengthNfSapling$,\notnufive{ and}
+$\DiversifierLength$}}\nufive{, and $\ValueLength$} be as defined in \crossref{constants}.
 Let $\NoteCommitAlg{Sprout}$ be as defined in \crossref{concretesproutnotecommit}.
@@ -3034,12 +3051,17 @@ Let $\NoteCommitAlg{Sprout}$ be as defined in \crossref{concretesproutnotecommit Let $\NoteCommitAlg{Sapling}$ be as defined in \crossref{concretesaplingnotecommit}. Let $\KA{Sapling}$ be as defined in \crossref{concretesaplingkeyagreement}. -} %sapling + +Let $\DiversifyHash{Sapling}$ be as defined in \crossref{concretediversifyhash}.} %sapling \nufive{ Let $\NoteCommitAlg{Orchard}$ be as defined in \crossref{concreteorchardnotecommit}. Let $\KA{Orchard}$ be as defined in \crossref{concreteorchardkeyagreement}. + +Let $\DiversifyHash{Orchard}$ be as defined in \crossref{concretediversifyhash}. + +Let $\ParamP{q}$ be as defined in \crossref{pallasandvesta}. } %nufive \vspace{2ex} @@ -3101,7 +3123,7 @@ An \Orchard \note is a tuple $(\Diversifier, \DiversifiedTransmitPublic, \vspace{-0.5ex} \item $\DiversifiedTransmitPublic \typecolon \KAPublic{Orchard}$ is the \diversifiedTransmissionKey of the recipient's \paymentAddress; - \item $\Value \typecolon \range{0}{\MAXMONEY}$ is an integer + \item $\Value \typecolon \ValueType$ is an integer representing the value of the \note in \zatoshi; \vspace{-0.5ex} \item $\NoteUniqueRand \typecolon \NoteUniqueRandTypeOrchard$ @@ -3117,7 +3139,7 @@ An \Orchard \note is a tuple $(\Diversifier, \DiversifiedTransmitPublic, \introlist Let $\NoteType{Orchard}$ be the type of an \Orchard \note, i.e. \begin{formulae} - \item $\NoteType{Orchard} := \DiversifierType \times \KAPublic{Orchard} \times \range{0}{\MAXMONEY} + \item $\NoteType{Orchard} := \DiversifierType \times \KAPublic{Orchard} \times \ValueType \times \NoteUniqueRandTypeOrchard \times \NoteNullifierRandType \times \NoteCommitTrapdoor{Orchard}$. \end{formulae} } %nufive 
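Review bot: The Orchard note's value type is widened here from `\range{0}{\MAXMONEY}` to `\ValueType`, both in the item for $\Value$ and in the `\NoteType{Orchard}` product, but nothing in these hunks says where the $\MAXMONEY$ upper bound on a note's value is still imposed. The constants list in the -3025 hunk now adds `\ValueLength`, which suggests `\ValueType` is a full bit-length range rather than the bounded one; if so, the bound moves from the type to a rule and the item should point at it, e.g. `is an integer representing the value of the \note in \zatoshi (it \MUST be at most $\MAXMONEY$, see \crossref{LABEL-OF-RULE})` with the real label substituted. I can't see the definition of `\ValueType` in the patch, so this is an inference to confirm.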
@@ -3129,7 +3151,7 @@ This allows the value and recipient to be kept private, while the commitment is used by the \zkSNARKProof when the \note is spent, to check that it exists on the \blockChain. -\vspace{1ex} +\vspace{2ex} \introlist A \Sprout{} \defining{\noteCommitment} on a \note $\NoteTuple{} = \changed{(\AuthPublic, \Value, \NoteUniqueRand, \NoteCommitRand)}$ is computed as @@ -3143,10 +3165,8 @@ $\NoteTuple{} = \changed{(\AuthPublic, \Value, \NoteUniqueRand, \NoteCommitRand) where $\NoteCommit{Sprout}{}$ is instantiated in \crossref{concretesproutnotecommit}. \sapling{ -\vspace{1ex} +\vspace{2ex} \introlist -Let $\DiversifyHash{Sapling}$ be as defined in \crossref{concretediversifyhash}. - A \Sapling{} \defining{\noteCommitment} on a \note $\NoteTuple{} = (\Diversifier, \DiversifiedTransmitPublic, \Value, \NoteCommitRand)$ is computed as @@ -3176,10 +3196,8 @@ $\NoteUniqueRand$ as described in \crossref{commitmentsandnullifiers}. } %sapling \nufive{ -\vspace{1ex} +\vspace{2ex} \introlist -Let $\DiversifyHash{Orchard}$ be as defined in \crossref{concretediversifyhash}. - An \Orchard{} \defining{\noteCommitment} on a \note $\NoteTuple{} = (\Diversifier, \DiversifiedTransmitPublic, \Value, \NoteUniqueRand, \NoteNullifierRand, \NoteCommitRand)$ is computed as @@ -3520,7 +3538,6 @@ As with \Sapling, interstitial \treestates are not necessary for \Orchard, becau \actionTransfer in a given \transaction cannot spend any of the \shieldedOutputs of the same \transaction. } - \begin{consensusrules} \item The \actionTransfers of a \transaction \MUST be consistent with its $\vBalance{Orchard}$ value as specified in \crossref{orchardbalance}. @@ -3531,6 +3548,7 @@ the same \transaction. } %nufive +\introsection \lsubsection{Note Commitment Trees}{merkletree} \vspace{-2ex} 
@@ -3779,12 +3797,12 @@ $\PRFnf{Orchard}{} $&$\typecolon\; \NullifierKeyTypeOrchard $&$\times\; \N $\PRFexpand{}$ is used in the following places: \begin{itemize} \item \crossref{saplingkeycomponents}, with inputs $[0]$, $[1]$, $[2]$, and $[3, i \typecolon \byte]$; - \nufiveonwarditem{in \crossref{orchardkeycomponents}, with inputs $[6]$, $[7]$, $[8]$, and $\hexint{81}$ + \nufiveonwarditem{in \crossref{orchardkeycomponents}, with inputs $[6]$, $[7]$, $[8]$, and $[\hexint{81}]$ (the last of these is also specified in \cite{ZIP-32});} - \item when sending and receiving \SaplingOrOrchard \notes, with inputs $[4]$ and $[5]$ - (see \crossref{saplingandorchardsend} and \crossref{saplingandorchardinband}); + \item in the processes of sending (\crossref{saplingandorchardsend}) and of receiving (\crossref{saplingandorchardinband}) + \SaplingOrOrchard \notes, with inputs $[4]$ and $[5]$; \item in \cite{ZIP-32}, with inputs $[0]$, $[1]$, $[2]$ (intentionally matching \shortcrossref{saplingkeycomponents}), - $[t \typecolon \range{16}{22}]$, and $\hexint{80}$. + $[t \typecolon \range{16}{22}]$, and $[\hexint{80}]$. \end{itemize} $\PRFock{Sapling}{}$\notnufive{ is}\nufive{ and $\PRFock{Orchard}{}$ are} used in \crossref{saplingandorchardinband}. 
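Review bot: The inventory of `\PRFexpand{}` domain-separation inputs for \crossref{orchardkeycomponents} lists `$[6]$, $[7]$, $[8]$, and $[\hexint{81}]$`, but the Orchard key-derivation algorithm in the -4878 hunk also calls `\PRFexpand{K}` with the prefix `[\hexint{82}]` to derive $\DiversifierKey$ and $\OutViewingKey$. This list is what lets a reader check that no two uses share a prefix, so it should read `with inputs $[6]$, $[7]$, $[8]$, $[\hexint{81}]$, and $[\hexint{82}]$`. Whether `[\hexint{82}]` is also specified in \cite{ZIP-32} is not visible in the patch, so the parenthetical about "the last of these" may need adjusting as well.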
@@ -3813,6 +3831,31 @@ $\PRFnf{Orchard}{}$ is used in \crossref{actionstatement}. previous versions of this specification.} +\nufive{ +\introsection +\lsubsubsection{Pseudo Random Permutations}{abstractprps} + +$\PRP{x}{}$ denotes a \defining{\pseudoRandomPermutation} keyed by $x$. + +Let $\DiversifierKeyLength$ and $\DiversifierLength$ be as defined in \crossref{constants}. + +\vspace{1ex} +One \pseudoRandomPermutation is used for \Orchard, to generate \diversifiers from a \diversifierKey +and index (an identical construction is also used for \Sapling in \cite{ZIP-32}): + +\begin{formulae} + \item $\PRPd{} \typecolon \DiversifierKeyType \times \DiversifierType \rightarrow \DiversifierType$. +\end{formulae} + +It is instantiated in \crossref{concreteprps}. + +\vspace{-2ex} +\securityrequirement{ +$\PRPd{}$ is a keyed \pseudoRandomPermutation as defined in \cite{BKR2001}. +} %securityrequirement +} %nufive + + \introsection \lsubsubsection{Symmetric Encryption}{abstractsym} @@ -3934,6 +3977,7 @@ with $\KA{Sprout}$ and derives keys for $\SymEncrypt{}$. \end{formulae} \sapling{ +\introlist $\KDF{Sapling}$ takes as input the shared Diffie--Hellman secret $\DHSecret{}$ and the \ephemeralPublicKey $\EphemeralPublic$. (It does not have inputs taking the place of the output index, $\hSig$, or $\TransmitPublic$.) It is suitable for use 
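Review bot: The abstract type `\PRPd{} \typecolon \DiversifierKeyType \times \DiversifierType \rightarrow \DiversifierType` does not say which side is the index, even though the prose and the new `\DiversifierIndex` macro treat the argument as an index and the result as a \diversifier; a sentence after the formula such as `The second argument is the \diversifierIndex{} and the result is the \diversifier.` would tie the section to its use in \crossref{orchardkeycomponents}. The security requirement states only "keyed PRP"; it would help to add the consequence the protocol presumably relies on, that without $\DiversifierKey$ the \diversifiers produced from distinct indices cannot be linked to each other or to their indices, and to confirm that this is indeed the intended property. Using $x$ for the key in `$\PRP{x}{}$` also collides with the x-coordinate notation introduced by `\GroupPx` elsewhere in this patch; `$\PRP{k}{}$` would be clearer.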
@@ -3944,6 +3988,18 @@ with $\KA{Sapling}$ and derives keys for $\SymEncrypt{}$. \end{formulae} } %sapling +\nufive{ +\introlist +As in \Sapling, $\KDF{Orchard}$ takes as input the shared Diffie--Hellman secret +$\DHSecret{}$ and the \ephemeralPublicKey $\EphemeralPublic$. It is suitable for use +with $\KA{Orchard}$ and derives keys for $\SymEncrypt{}$. + +\begin{formulae} + \item $\KDF{Orchard} \typecolon \KASharedSecret{Orchard} \times \byteseq{\ellP/8} \rightarrow \Keyspace$ +\end{formulae} +} %nufive + +\vspace{-1.5ex} \begin{securityrequirements} \item The asymmetric encryption scheme in \crossref{sproutinband}, constructed from $\KA{Sprout}$, $\KDF{Sprout}$ and $\Sym$, is required to be IND-CCA2-secure @@ -3959,9 +4015,11 @@ with $\KA{Sapling}$ and derives keys for $\SymEncrypt{}$. } %notsprout +\vspace{-1ex} \introlist \lsubsubsection{Signature}{abstractsig} +\vspace{-1ex} A \defining{\signatureScheme} $\Sig$ defines: \begin{itemize} @@ -3987,11 +4045,14 @@ $\SigValidate{\vk}(m, s) = 1$. \begin{itemize} \item one used for signatures that can be validated by script operations such as \ScriptOP{CHECKSIG} and \ScriptOP{CHECKMULTISIG} as in \Bitcoin; + \vspace{-0.5ex} \item one called $\JoinSplitSig$ which is used to sign \transactions that contain at least one \joinSplitDescription (instantiated in \crossref{concretejssig})\sprout{.}\notsprout{;} + \vspace{-0.5ex} \saplingonwarditem{one called $\SpendAuthSig{}$ which is used to sign authorizations of \spendTransfers (instantiated in \crossref{concretespendauthsig});} + \vspace{-0.5ex} \saplingonwarditem{one called $\BindingSig{}$. A \saplingBindingSignature is used to enforce balance of \spendTransfers and \outputTransfers, and to prevent their replay across \transactions. \nufive{Similarly, an \orchardBindingSignature 
@@ -4000,6 +4061,7 @@ $\SigValidate{\vk}(m, s) = 1$. \crossref{concretebindingsig}.} \end{itemize} +\vspace{-1ex} The signature scheme used in script operations is instantiated by \ECDSA on the \secpCurve. \changed{$\JoinSplitSig$ is instantiated by \EdSpecific.} \sapling{$\SpendAuthSig{}$ and $\BindingSig{}$ are instantiated by $\RedDSA$; on the @@ -4122,9 +4184,9 @@ $Q \typecolon \powerset{\SigMessage \times \SigSignature}$ initialized to $\seto that records queried messages and corresponding signatures. \begin{algorithm} - \item $\Oracle_{\sk} :=$ var $Q \leftarrow \setof{}$ in $\fun{(m \typecolon \SigMessage, \SigRandomizer \typecolon \SigRandom)}{}$ + \item $\Oracle_{\sk} :=$ let mutable $Q \leftarrow \setof{}$ in $\fun{(m \typecolon \SigMessage, \SigRandomizer \typecolon \SigRandom)}{}$ \item \tab let $\sigma = \SigSign{\SigRandomizePrivate(\SigRandomizer, \sk)}(m)$ - \item \tab $Q \leftarrow Q \union \setof{(m, \sigma)}$ + \item \tab set $Q \leftarrow Q \union \setof{(m, \sigma)}$ \item \tab return $\sigma \typecolon \SigSignature$. \end{algorithm} @@ -4288,7 +4350,7 @@ instantiated in \crossref{concretesproutnotecommit}. \vspace{2ex} Let $\ScalarLength{Sapling}$ be as defined in \crossref{constants}. -Let $\SubgroupJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}. +Let $\SubgroupJ$, $\ellJ$, and $\ParamJ{r}$ be as defined in \crossref{jubjub}. \introlist Define: @@ -4322,7 +4384,7 @@ in an \outputDescription.} \vspace{2ex} Let $\ScalarLength{Orchard}$ be as defined in \crossref{constants}. -Let $\GroupP$, $\GroupPstar$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}. +Let $\GroupP$, $\GroupPx$, $\ellP$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}. \introlist Define: 
@@ -4340,7 +4402,7 @@ Define: $\NoteCommitAlg{Orchard} $&$\typecolon\; \NoteCommitTrapdoor{Orchard} \times \ReprP \times \ReprP \times \ValueType$ \\[-1ex] &\hspace{21.2em}$\times\; \NoteUniqueRandTypeOrchard \times \NoteNullifierRandType $&$\rightarrow \NoteCommitOutput{Orchard}$ \\ $\ValueCommitAlg{Orchard} $&$\typecolon\; \ValueCommitTrapdoor{Orchard} \times \ValueCommitTypeOrchard $&$\rightarrow \ValueCommitOutput{Orchard}$ \\ - $\CommitIvkAlg $&$\typecolon\; \CommitIvkTrapdoor \times \GF{\ParamP{q}} \times \NullifierKeyTypeOrchard $&$\rightarrow \CommitIvkOutput$ + $\CommitIvkAlg $&$\typecolon\; \CommitIvkTrapdoor \times \GroupPx \times \NullifierKeyTypeOrchard $&$\rightarrow \CommitIvkOutput$ \end{tabular} $\NoteCommitAlg{Orchard}$ and $\CommitIvkAlg$ are instantiated in \crossref{concreteorchardnotecommit}. @@ -4365,8 +4427,8 @@ A \defining{\representedGroup} $\GroupG{}$ consists of: $\abstG{}\big(\reprG{}(P)\kern-0.1em\big) = P$. \end{itemize} -\vspace{-3ex} -\nnote{Ideally, we would also have that for all $S$ not in the image of $\reprG{}$, $\abstG{}(S) = \bot$. +\vspace{-2ex} +\pnote{Ideally, we would also have that for all $S$ not in the image of $\reprG{}$, $\abstG{}(S) = \bot$. This may not be true in all cases, i.e.\ there can be \defining{\nonCanonicalPoint} encodings $P\Repr$ such that $\reprG{}\big(\abstG{}(P\Repr)\kern-0.1em\big) \neq P\Repr$.} 
@@ -4408,9 +4470,9 @@ $\scalarmult{a}{G}$ meaning $\scalarmult{a \bmod \ParamG{r}}{G}$ as defined abov \vspace{-1ex} A \defining{\hashExtractor} for a \representedGroup $\GroupG{}$ is a function -$\ExtractG \typecolon \SubgroupG{} \rightarrow T$ for some type $T$, -such that $\ExtractG$ is injective on $\SubgroupG{}$ (the subgroup of $\GroupG{}$ -of order $\ParamG{r}$). +$\ExtractG \typecolon \SubgroupG{} \rightarrow T$ for some type $T$. + +\todo{\hashExtractor is a bad name, because it extracts commitments as well as hashes.} \pnote{ Unlike the representation function $\reprG{}$, $\ExtractG$ need not have an @@ -4685,8 +4747,12 @@ as follows:} \sapling{ \lsubsubsection{\SaplingText{} Key Components}{saplingkeycomponents} -Let $\PRFOutputLengthExpand$, $\SpendingKeyLength$, $\OutViewingKeyLength$, and $\DiversifierLength$ -be as defined in \crossref{constants}. +Let $\PRFOutputLengthExpand$, $\SpendingKeyLength$, $\InViewingKeyLength{Sapling}$, +$\OutViewingKeyLength$, and $\DiversifierLength$ be as defined in \crossref{constants}. + +\vspace{-0.5ex} +Let $\SubgroupJ$, $\SubgroupJstar$, $\SubgroupReprJ$, $\reprJ$, and $\ParamJ{r}$ be as defined in +\crossref{jubjub}, and let $\FindGroupJHash$ be as defined in \crossref{concretegrouphashjubjub}. Let $\PRFexpand{}$ and $\PRFock{Sapling}{}$, instantiated in \crossref{concreteprfs}, be \pseudoRandomFunctions. 
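Review bot: Dropping "such that $\ExtractG$ is injective on $\SubgroupG{}$" leaves the \hashExtractor definition with no required property at all, while the patch goes on to use $\ExtractP$ output in place of a point for $\AuthSignPublic$ (-4878 hunk) and for $\cmX$ (-5173 hunk). If the clause was removed because an x-coordinate extractor is only injective up to sign, the definition should state what is relied on instead, e.g. `such that $\ExtractG(P) = \ExtractG(Q)$ implies $P = \pm Q$`, or whatever weaker condition the security argument for those uses needs, rather than leaving the property to the \todo{} about naming. The \pnote that follows is cut off at the end of the hunk, so I cannot tell whether it already addresses this.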
@@ -4702,9 +4768,6 @@ be a \hashFunction. Let $\SpendAuthSig{Sapling}$, instantiated in \crossref{concretespendauthsig}, be a \rerandomizableSignatureScheme. -Let $\reprJ$, $\SubgroupJ$, $\SubgroupJstar$, and $\SubgroupReprJ$ be as defined in \crossref{jubjub}, and -let $\FindGroupJHash$ be as defined in \crossref{concretegrouphashjubjub}. - Let $\LEBStoOSP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$ and $\LEOStoIP{} \typecolon (\ell \typecolon \Nat \suchthat \ell \bmod 8 = 0) \times \byteseq{\ell/8} \rightarrow \binaryrange{\ell}$ be as defined in \crossref{endian}. @@ -4731,6 +4794,7 @@ the \authProvingKey $\AuthProvePrivate \typecolon \GF{\ParamJ{r}}$, and the If $\AuthSignPrivate = 0$, discard this key and repeat with a new $\SpendingKey$. \vspace{1ex} +\introlist $\AuthSignPublic \typecolon \SubgroupJstar$, $\NullifierKey \typecolon \SubgroupJ$, and the \incomingViewingKey $\InViewingKey \typecolon \InViewingKeyTypeSapling$ are then derived as: @@ -4839,9 +4903,19 @@ if this happens, discard the key and repeat with a different $\SpendingKey$. Let $\PRFOutputLengthExpand$, $\SpendingKeyLength$, $\OutViewingKeyLength$, $\DiversifierLength$, and $\DiversifierKeyLength$ be as defined in \crossref{constants}. +Let $\GroupP$, $\GroupPx$, $\reprP$, $\ellP$, $\ParamP{q}$, and $\ParamP{r}$ be as defined in +\crossref{pallasandvesta}. + +Let $\ExtractP$ be as defined in \crossref{concreteextractorpallas}. + +Let $\GroupPHash$ be as defined in \crossref{concretegrouphashpallasandvesta}. + Let $\PRFexpand{}$ and $\PRFock{Orchard}{}$, instantiated in \crossref{concreteprfs}, be \pseudoRandomFunctions. +Let $\PRPd{} \typecolon \DiversifierKeyType \times \DiversifierType \rightarrow \DiversifierType$ +be as defined in \crossref{concreteprps}. + Let $\KA{Orchard}$, instantiated in \crossref{concreteorchardkeyagreement}, be a \keyAgreementScheme. 
@@ -4854,12 +4928,7 @@ be a \hashFunction. Let $\SpendAuthSig{Orchard}$ instantiated in \crossref{concretespendauthsig} be a \rerandomizableSignatureScheme. -Let $\reprP$, $\GroupP$, $\ParamP{r}$, and $\ReprP$ be as defined in \crossref{pallasandvesta}. -and let $\GroupPHash$ be as defined in \crossref{concretegrouphashpallasandvesta}. - -Let $\LEBStoOSP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$ -and $\LEOStoIP{} \typecolon (\ell \typecolon \Nat \suchthat \ell \bmod 8 = 0) \times \byteseq{\ell/8} \rightarrow \binaryrange{\ell}$ -be as defined in \crossref{endian}. +Let $\ItoLEBSP{}$, $\ItoLEOSP{}$, and $\LEOStoIP{}$ be as defined in \crossref{endian}. Define $\ToBase{Orchard}(x \typecolon \PRFOutputExpand) := \LEOStoIPOf{\PRFOutputLengthExpand}{x} \pmod{\ParamP{q}}$. @@ -4870,7 +4939,7 @@ A new \Orchard \spendingKey $\SpendingKey$ is generated by choosing a bit sequen uniformly at random from $\SpendingKeyType$. From this \spendingKey, the \authSigningKey $\AuthSignPrivate \typecolon \GFstar{\ParamP{r}}$, -the \authValidatingKey $\AuthSignPublic \typecolon \GroupP$, +the \authValidatingKey $\AuthSignPublic \typecolon \GroupPx$, the \nullifierDerivingKey $\NullifierKey \typecolon \NullifierKeyTypeOrchard$, the \commitIvkRandomness $\CommitIvkRand \typecolon \CommitIvkRandType$, the \incomingViewingKey $\InViewingKey \typecolon \InViewingKeyTypeOrchard$, 
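Review bot: The replacement line `Let $\ItoLEBSP{}$, $\ItoLEOSP{}$, and $\LEOStoIP{}$ be as defined in \crossref{endian}.` drops the explicit type signatures that the removed lines carried, whereas the Sapling key-components section (context in the -4702 hunk) still spells out the types of $\LEBStoOSP{}$ and $\LEOStoIP{}$. Since the Orchard algorithm in the -4878 hunk applies these conversions to field elements and scalars, the signatures are what tell the reader which integer representative is meant; either keep them here in the same form as the Sapling section, or trim the Sapling section the same way for consistency.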
@@ -4878,19 +4947,18 @@ and the \outgoingViewingKey $\OutViewingKey \typecolon \OutViewingKeyType$ are d as follows: \begin{algorithm} - \item let mutable $\AuthSignPrivate := \ToScalar{Orchard}(\PRFexpand{\SpendingKey}([6]))$ + \item let mutable $\AuthSignPrivate \leftarrow \ToScalar{Orchard}(\PRFexpand{\SpendingKey}([6]))$ \item let $\NullifierKey = \ToBase{Orchard}(\PRFexpand{\SpendingKey}([7]))$ \item let $\CommitIvkRand = \ToScalar{Orchard}(\PRFexpand{\SpendingKey}([8]))$ \item if $\AuthSignPrivate = 0$, discard this key and repeat with a new $\SpendingKey$. - \item let mutable $\AuthSignPublic := \SpendAuthSigDerivePublic{Orchard}(\AuthSignPrivate)$ - \item if the last bit of $\reprP(\AuthSignPublic)$ is $1$: - \item \tab set $\AuthSignPrivate := -\AuthSignPrivate$ - \item \tab set $\AuthSignPublic := -\AuthSignPublic$ + \item let $\AuthSignPublicPoint = \SpendAuthSigDerivePublic{Orchard}(\AuthSignPrivate)$ + \item if the last bit (that is, the $\tilde{y}$ bit) of $\reprP(\AuthSignPublicPoint)$ is $1$: + \item \tab set $\AuthSignPrivate \leftarrow -\AuthSignPrivate$ \item \blank + \item let $\AuthSignPublic = \ExtractP(\AuthSignPublicPoint)$ \item let $\InViewingKey = \CommitIvk{\CommitIvkRand}\big(\AuthSignPublic, \NullifierKey\big)$ - \item let $K = \ItoLEBSP{\SpendingKeyLength}(\CommitIvkRand)$ - \item let $B = \reprP(\AuthSignPublic) \bconcat \ItoLEBSPOf{256}{\NullifierKey}$ - \item let $R = \PRFexpand{K}\Of{[\hexint{82}] \bconcat \LEBStoOSPOf{512}{\mathsf{B}}}$ + \item let $K = \ItoLEBSPOf{\SpendingKeyLength}{\CommitIvkRand}$ + \item let $R = \PRFexpand{K}\Of{[\hexint{82}] \bconcat \ItoLEOSPOf{256}{\AuthSignPublic} \bconcat \ItoLEOSPOf{256}{\NullifierKey}}$ \item let $\DiversifierKey$ be the first $\DiversifierKeyLength/8$ bytes of $R$ and let $\OutViewingKey$ be the remaining $\OutViewingKeyLength/8$ bytes of $R$. \end{algorithm} 
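Review bot: On the branch that executes `set $\AuthSignPrivate \leftarrow -\AuthSignPrivate$`, $\AuthSignPublicPoint$ is no longer negated (the removed lines negated both), so from that point on $\AuthSignPublicPoint \neq \SpendAuthSigDerivePublic{Orchard}(\AuthSignPrivate)$. That is harmless for `let $\AuthSignPublic = \ExtractP(\AuthSignPublicPoint)$` only if $\ExtractP$ is unchanged by negation, which the `\GroupPx` naming suggests but the algorithm does not say, and anything that later uses the point itself against a signature made with the negated key would see the wrong sign. Either restore `\item \tab set $\AuthSignPublicPoint \leftarrow -\AuthSignPublicPoint$` (declaring the point with `let mutable`), or add after the $\ExtractP$ line a remark that negating $\AuthSignPublicPoint$ does not change $\ExtractP(\AuthSignPublicPoint)$, so the extracted key is the same either way.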
@@ -4902,18 +4970,19 @@ authority. A group of such addresses shares the same \fullViewingKey, \introlist To create a new \diversifiedPaymentAddress given an \incomingViewingKey -$\InViewingKey$, pick a \defining{\diversifier} $\Diversifier$ uniformly at +$\InViewingKey$, pick a \defining{\diversifierIndex} $\DiversifierIndex$ uniformly at random from $\DiversifierType$. Then calculate the \defining{\diversifiedTransmissionKey} $\DiversifiedTransmitPublic$: \begin{formulae} - \item $\DiversifiedTransmitBase := \DiversifyHash{Orchard}(\Diversifier)$. + \item $\Diversifier := \PRPd{\DiversifierKey}(\DiversifierIndex)$ + \item $\DiversifiedTransmitBase := \DiversifyHash{Orchard}(\Diversifier)$ \item $\DiversifiedTransmitPublic := \KADerivePublic{Orchard}(\InViewingKey, \DiversifiedTransmitBase)$. \end{formulae} \vspace{-1ex} The resulting \diversifiedPaymentAddress is -$(\Diversifier \typecolon \DiversifierType, \DiversifiedTransmitPublic \typecolon \KAPublicPrimeSubgroup{Sapling})$. +$(\Diversifier \typecolon \DiversifierType, \DiversifiedTransmitPublic \typecolon \KAPublic{Orchard})$. \vspace{1ex} For each \spendingKey, there is also a \defining{\defaultDiversifiedPaymentAddress} @@ -4922,7 +4991,7 @@ with a ``random-looking'' \diversifier, which is derived as specified in \cite{Z \begin{pnotes} \item The protocol does not prevent using the \diversifier $\Diversifier$ to produce \quotedtermnoindex{vanity} addresses that start with a meaningful string when - encoded in Bech32 (see \crossref{saplingpaymentaddrencoding}). + encoded in Bech32 (see \crossref{orchardpaymentaddrencoding}). Users and writers of software that generates addresses should be aware that this provides weaker privacy properties than a randomly chosen \diversifier, since a vanity address can obviously be distinguished, and might leak more 
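Review bot: The recipe is introduced as "given an \incomingViewingKey $\InViewingKey$", but the first new formula `\Diversifier := \PRPd{\DiversifierKey}(\DiversifierIndex)` also consumes $\DiversifierKey$, which is not among the stated inputs. Say what is given, e.g. `given an \incomingViewingKey $\InViewingKey$ and \diversifierKey $\DiversifierKey$`, or refer to the \fullViewingKey from which the -4878 hunk derives both. The \pnote in the -4922 hunk still describes vanity addresses in terms of choosing the \diversifier $\Diversifier$ directly; with the PRP in place the input a user can search over is the \diversifierIndex, and the note should say so.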
@@ -5031,6 +5100,8 @@ Each \spendDescription is authorized by a signature, called the \defining{\spend Let $\MerkleHashLength{Sapling}$ and $\PRFOutputLengthNfSapling$ be as defined in \crossref{constants}. +Let $\ZeroJ$, $\abstJ$, $\reprJ$, and $\ParamJ{h}$ be as defined in \crossref{jubjub}. + Let $\ValueCommitOutput{Sapling}$ be as defined in \crossref{abstractcommit}. Let $\SpendAuthSig{Sapling}$ be as defined in \crossref{spendauthsig}. @@ -5072,6 +5143,7 @@ where The \spendAuthSignature \MUST be a valid $\SpendAuthSig{Sapling}$ signature over $\SigHash$ using $\AuthSignRandomizedPublic$ as the \validatingKey --- i.e.\ $\SpendAuthSigValidate{Sapling}{\AuthSignRandomizedPublic}(\SigHash, \spendAuthSig) = 1$. + \nufiveonward{As specified in \crossref{concretereddsa}, the validation of the $\RedDSAReprR{}$ component of the signature changes to prohibit \nonCanonicalPoint encodings.} \end{consensusrules} @@ -5091,10 +5163,12 @@ An \outputTransfer, as specified in \crossref{spendsandoutputs}, is encoded in Each \transaction includes a sequence of zero or more \outputDescriptions. There are no signatures associated with \outputDescriptions. -Let $\ValueCommitOutput{Sapling}$ be as defined in \crossref{abstractcommit}. - Let $\MerkleHashLength{Sapling}$ be as defined in \crossref{constants}. +Let $\ZeroJ$, $\abstJ$, $\reprJ$, and $\ParamJ{h}$ be as defined in \crossref{jubjub}. + +Let $\ValueCommitOutput{Sapling}$ be as defined in \crossref{abstractcommit}. + Let $\KA{Sapling}$ be as defined in \crossref{abstractkeyagreement}. Let $\Sym$ be as defined in \crossref{abstractsym}. 
@@ -5149,6 +5223,10 @@ Each \actionDescription is authorized by a signature, called the \defining{\spen Let $\MerkleHashLength{Orchard}$ be as defined in \crossref{constants}. +Let $\GroupPx$ and $\ParamP{q}$ be as defined in \crossref{pallasandvesta}. + +Let $\ExtractP$ be as defined in \crossref{concreteextractorpallas}. + Let $\ValueCommitOutput{Orchard}$ be as defined in \crossref{abstractcommit}. Let $\SpendAuthSig{Orchard}$ be as defined in \crossref{spendauthsig}. @@ -5162,7 +5240,7 @@ Let $\Action$ be as defined in \crossref{abstractzk}. \vspace{1ex} \introlist An \actionDescription consists of $(\cvNet, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \spendAuthSig, -\cmX, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \ProofAction)$ +\cmX, \EphemeralPublic, \TransmitCiphertext{}, \OutCiphertext, \enableSpend, \enableOutput,$ $\ProofAction)$ where \vspace{1ex} \begin{itemize} @@ -5173,10 +5251,10 @@ where \item $\nf \typecolon \PRFOutputNfOrchard$ is the \nullifier for the input \note; \item $\AuthSignRandomizedPublic \typecolon \SpendAuthSigPublic{Orchard}$ is a randomized \validatingKey that should be used to validate $\spendAuthSig$; - \item $\spendAuthSig \typecolon \SpendAuthSigSignature{Orchard}$ is - as specified in \crossref{spendauthsig}. - \item $\cmX \typecolon \MerkleHash{Orchard}$ is the result of applying $\ExtractP$ (defined - in \crossref{concreteextractorpallas}) to the \noteCommitment for the output \note; + \item $\spendAuthSig \typecolon \SpendAuthSigSignature{Orchard}$ is a \spendAuthSignature, + validated as specified in \crossref{spendauthsig}; + \item $\cmX \typecolon \GroupPx$ is the result of applying $\ExtractP$ to the \noteCommitment for + the output \note; \item $\EphemeralPublic \typecolon \KAPublic{Orchard}$ is a key agreement \publicKey, used to derive the key for encryption of the \noteCiphertextOrchard (\crossref{saplinginband}); 
@@ -5185,11 +5263,21 @@ where \item $\OutCiphertext{} \typecolon \Ciphertext$ is a ciphertext component that allows the holder of a \fullViewingKey to recover the recipient \diversifiedTransmissionKey $\DiversifiedTransmitPublic$ and the \ephemeralPrivateKey $\EphemeralPrivate$ (and therefore the entire \notePlaintext); + \item $\enableSpend \typecolon \bit$ is a flag that is set in order to enable non-zero-valued + spends in this action; + \item $\enableOutput \typecolon \bit$ is a flag that is set in order to enable non-zero-valued + outputs in this action; \item $\ProofAction \typecolon \ActionProof$ is a \zkSNARKProof with \primaryInput - $(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic)$ for the \actionStatement - defined in \crossref{actionstatement}; + $(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic, \enableSpend,$ $\enableOutput)$ + for the \actionStatement defined in \crossref{actionstatement}. \end{itemize} +\pnote{The $\rt{Orchard}$, $\enableSpend$, and $\enableOutput$ components are the same for all +\actionTransfers in a \transaction. They are encoded once in the \transaction body (specified in +\crossref{txnencodingandconsensus}), not in the $\type{ActionDescription}$ structure. +$\ProofAction$ is aggregated with other Action proofs and encoded in the $\proofsOrchard$ field of a +\transaction.} + \begin{consensusrules} \item Elements of an \actionDescription \MUST be canonical encodings of the types given above. \item Let $\SigHash$ be the \sighashTxHash of this \transaction, not associated with an input, 
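Review bot: The new items describe $\enableSpend$ and $\enableOutput$ as flags "set in order to enable non-zero-valued" spends and outputs, but neither the items nor the consensus rules in this hunk say what an \actionDescription with a flag cleared must satisfy, so the reader has to infer that the \actionStatement forces the corresponding value to zero. Since both flags are part of the \primaryInput to $\ProofAction$, add the forward reference where they are described, e.g. `(when $\enableSpend = 0$, the \actionStatement in \crossref{actionstatement} constrains the spent value; see there for the exact constraint)`, adjusted to what that section actually enforces. Separately, the \primaryInput tuple here and in the -5200 hunk names the value commitment `\cv`, while the \actionDescription tuple in the -5162 hunk names it `\cvNet` (whose macro just lost its argument); one name should be used throughout.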
@@ -5200,9 +5288,9 @@ where i.e.\ $\SpendAuthSigValidate{Orchard}{\AuthSignRandomizedPublic}(\SigHash, \spendAuthSig) = 1$. As specified in \crossref{concretereddsa}, validation of the $\RedDSAReprR{}$ component of the signature prohibits \nonCanonicalPoint encodings. - \item The proof $\Proof{\Action}$ \MUST be valid given a \primaryInput formed - from $(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic)$ --- - i.e.\ $\ActionVerify\big(\kern-0.1em(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic), \Proof{\Action}\big) = 1$. + \item The proof $\Proof{\Action}$ \MUST be valid given a \primaryInput + $(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic, \enableSpend, \enableOutput)$ --- + i.e.\ $\ActionVerify\big(\kern-0.1em(\cv, \rt{Orchard}, \nf, \AuthSignRandomizedPublic, \cmX, \EphemeralPublic, \enableSpend, \enableOutput), \Proof{\Action}\big) = 1$. \end{consensusrules} \nnote{$\cv$ and $\AuthSignRandomizedPublic$ can be the zero point $\ZeroP$.} @@ -5284,7 +5372,7 @@ In order to send \SaplingOrOrchard \shielded value, the sender constructs a \tra containing one or more \outputDescriptions. Let $\ValueCommitAlg{Sapling}$, $\NoteCommitAlg{Sapling}$\nufive{, -$\ValueCommitAlg{Orchard}$, and $\NoteCommitAlg{Orchard}$} be as specified in +$\ValueCommitAlg{Orchard}$, and $\NoteCommitAlg{Orchard}$} be as in \crossref{abstractcommit}. Let $\KA{Sapling}$\nufive{ and $\KA{Orchard}$} be as specified in \crossref{abstractkeyagreement}. 
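Review bot: `be as in \crossref{abstractcommit}` reads as truncated next to the following `be as specified in \crossref{abstractkeyagreement}` and the "be as defined in" wording used by every other Let in this file. If the verb was dropped to keep the line within width, rewrap the line instead, keeping `be as specified in \crossref{abstractcommit}.`.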
@@ -5309,6 +5397,9 @@ Let $\reprP$ and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}. Let $\repr$ be $\reprJ$ for a \Sapling \note, or $\reprP$ for an \Orchard \note. } %nufive +Let $\ItoLEOSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$ +be as defined in \crossref{endian}. + \vspace{1ex} Let $\OutViewingKey$ be an \outgoingViewingKey\nufive{ (for the same shielded protocol as the \note)} that is intended to be able to decrypt this payment. This may be one of: 
@@ -5346,31 +5437,31 @@ and then performs the following steps: this type is $\KAPublic{Orchard}$, i.e.\ $\DiversifiedTransmitPublic$ MUST be a valid \swCurve point other than $\ZeroP$ on the \pallasCurve (as defined in \crossref{pallasandvesta}).} - \item Calculate $\DiversifiedTransmitBase = \DiversifyHash{}(\Diversifier)$ + \item Calculate $\DiversifiedTransmitBase = \DiversifyHash{\maybeSapling}(\Diversifier)$ and check that $\DiversifiedTransmitBase \neq \bot$. - \item Choose a uniformly random \commitmentTrapdoor $\ValueCommitRand \leftarrowR \ValueCommitGenTrapdoor{}()$. + \item Choose a uniformly random \commitmentTrapdoor $\ValueCommitRand \leftarrowR \ValueCommitGenTrapdoor{\maybeSapling}()$. \canopy{ \item If $\NotePlaintextLeadByte = \hexint{01}$: } - \item \canopy{\tab} Choose a uniformly random \ephemeralPrivateKey $\EphemeralPrivate \leftarrowR \KAPrivate{Sapling} \setminus \setof{0}$. + \item \canopy{\tab} Choose a uniformly random \ephemeralPrivateKey $\EphemeralPrivate \leftarrowR \KAPrivate{\maybeSapling} \setminus \setof{0}$. \item \canopy{\tab} Choose a uniformly random \commitmentTrapdoor $\NoteCommitRand \leftarrowR \NoteCommitGenTrapdoor{}()$. - \item \canopy{\tab} Set $\canopy{\NoteSeedBytes :=\ } \NoteCommitRandBytes := \LEBStoOSPOf{256}{\ItoLEBSP{256}(\NoteCommitRand)\kern-0.12em}$. + \item \canopy{\tab} Set $\canopy{\NoteSeedBytes :=\ } \NoteCommitRandBytes := \ItoLEOSP{256}(\NoteCommitRand)$. \canopy{ \item else: \item \tab Choose uniformly random $\NoteSeedBytes \leftarrowR \NoteSeedBytesType$. - \item \tab Derive $\EphemeralPrivate = \ToScalar{}\big(\PRFexpand{\NoteSeedBytes}([4])\kern-0.1em\big)$. - \item \tab Derive $\NoteCommitRandBytes = \ToScalar{}\big(\PRFexpand{\NoteSeedBytes}([5])\kern-0.11em\big)$. + \item \tab Derive $\EphemeralPrivate = \ToScalar{\maybeSapling}\big(\PRFexpand{\NoteSeedBytes}([4])\kern-0.1em\big)$. 
+ \item \tab Derive $\NoteCommitRandBytes = \ToScalar{\maybeSapling}\big(\PRFexpand{\NoteSeedBytes}([5])\kern-0.11em\big)$. \item \vspace{-4ex} } \item Calculate \begin{tabular}{@{\hskip 2em}r@{\;}l} - $\cv$ &$:= \ValueCommit{}{\ValueCommitRand}(\Value)$ \\ - $\cm$ &$:= \NoteCommit{}{\NoteCommitRand}(\reprMaybeJ\Of{\DiversifiedTransmitBase}, - \reprMaybeJ\Of{\DiversifiedTransmitPublic}, - \Value)$ + $\cv$ &$:= \ValueCommit{\maybeSapling}{\ValueCommitRand}(\Value)$ \\ + $\cm$ &$:= \NoteCommit{\maybeSapling}{\NoteCommitRand}(\reprMaybeJ\Of{\DiversifiedTransmitBase}, + \reprMaybeJ\Of{\DiversifiedTransmitPublic}, + \Value)$ \end{tabular} \item Let $\NotePlaintext{} = (\NotePlaintextLeadByte, \Diversifier, \Value, \NoteCommitRandBytesOrSeedBytes, \Memo)$. 
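Review bot: The new line `\item \tab Derive $\NoteCommitRandBytes = \ToScalar{\maybeSapling}\big(\PRFexpand{\NoteSeedBytes}([5])\kern-0.11em\big)$` assigns the scalar output of $\ToScalar$ to a variable whose name, and whose other use in this hunk (`\NoteCommitRandBytes := \ItoLEOSP{256}(\NoteCommitRand)`), denote a byte sequence; the derived value is presumably `\NoteCommitRand`, leaving `\NoteCommitRandBytes` unset in the `else` branch, so the assignment target (or a following conversion step) should be checked. Separately, the unchanged line `Choose a uniformly random \commitmentTrapdoor $\NoteCommitRand \leftarrowR \NoteCommitGenTrapdoor{}()$` is the only instantiation in this list that did not receive the `\maybeSapling` suffix, so the pre-NU5 rendering shows it without the `Sapling` superscript while its neighbours carry one. For consistency it should become `\NoteCommitGenTrapdoor{\maybeSapling}()`.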
@@ -5441,18 +5532,40 @@ zero value, and sent to a random \paymentAddress. \sapling{ \introsection -\lsubsubsection{Dummy Notes (\SaplingAndOrchardText)}{saplingdummynotes} +\extralabel{saplingdummynotes}{\lsubsubsection{Dummy Notes (\SaplingAndOrchardText)}{saplingandorcharddummynotes}} In \SaplingAndOrchard there is no need to use \dummyNotes simply in order to fill otherwise unused inputs as in the case of a \joinSplitDescription; nevertheless it may be useful for privacy to obscure the number of real \shieldedInputs from \Sapling \notes\nufive{ and from \Orchard \notes}. -\todo{generalize for \Orchard} - \vspace{0.5ex} Let $\SpendingKeyLength$ be as defined in \crossref{constants}. +Let $\ValueCommitAlg{Sapling}$, $\NoteCommitAlg{Sapling}$\nufive{, +$\ValueCommitAlg{Orchard}$, and $\NoteCommitAlg{Orchard}$} be as in +\crossref{abstractcommit}. + +Let $\DiversifyHash{Sapling}$\nufive{ and $\DiversifyHash{Orchard}$} be as specified in +\crossref{abstracthashes}. + +Let $\ToScalar{Sapling}$ be as specified in \crossref{saplingkeycomponents}\nufive{ and +let $\ToScalar{Orchard}$ be as specified in \crossref{orchardkeycomponents}}. + +\nufive{ +When we use $\ValueCommitAlg{}$, $\NoteCommitAlg{}$, $\KA{}$, $\DiversifyHash{}$, or $\ToScalar{}$ +without the \textsf{Sapling} or \textsf{Orchard} suffix, we mean the corresponding \Sapling or \Orchard +instantiation according to the type of \note being sent. +} + +Let $\reprJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}. + +\nufive{ +Let $\reprP$ and $\ParamP{r}$ be as defined in \crossref{pallasandvesta}. + +Let $\repr$ be $\reprJ$ for a \Sapling \note, or $\reprP$ for an \Orchard \note. +} %nufive + Let $\ParamJ{r}$ and $\reprJ$ be as defined in \crossref{jubjub}. Let $\AuthProveBaseSapling$ be as defined in \crossref{saplingkeycomponents}. 
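Review bot: The new preamble of the dummy-notes section duplicates definitions that survive as unchanged context: `Let $\reprJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}.` is immediately followed by the pre-existing `Let $\ParamJ{r}$ and $\reprJ$ be as defined in \crossref{jubjub}.`, and the next hunk (`@@ -5463`) shows `Let $\NoteCommitAlg{Sapling}$ be as defined in \crossref{abstractcommit}.` still present below the new `Let $\ValueCommitAlg{Sapling}$, $\NoteCommitAlg{Sapling}$...` sentence. The retained `Let $\AuthProveBaseSapling$ be as defined in \crossref{saplingkeycomponents}.` also appears to be dead, since the rewritten construction no longer derives $\NullifierKey$ from $\AuthProvePrivate$. The old `Let` sentences should be dropped so each symbol is introduced once. The section continues past the end of this hunk.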
@@ -5463,22 +5576,25 @@ Let $\NoteCommitAlg{Sapling}$ be as defined in \crossref{abstractcommit}. \introlist \vspace{0.5ex} -A \dummy \Sapling input \note is constructed as follows: +A \dummy \SaplingOrOrchard input \note is constructed as follows: \vspace{-0.5ex} \begin{itemize} \item Choose uniformly random $\SpendingKey \leftarrowR \SpendingKeyType$. - \item Generate a new \diversifiedPaymentAddress $(\Diversifier, \DiversifiedTransmitPublic)$ - for $\SpendingKey$ as described in \crossref{saplingkeycomponents}. + \item Generate a \fullViewingKey $(\AuthSignPublic, \NullifierKey, \CommitIvkRand)$ and a + \diversifiedPaymentAddress $(\Diversifier, \DiversifiedTransmitPublic)$ + for $\SpendingKey$ as described in \crossref{saplingkeycomponents}\nufive{ or + \crossref{orchardkeycomponents}}. \item Set $\vOld{} = 0$, and set $\NotePosition = 0$. - \item Choose uniformly random $\NoteCommitRand \leftarrowR \NoteCommitGenTrapdoor{Sapling}()$. - and $\AuthProvePrivate \leftarrowR \GF{\ParamJ{r}}$. - \item Compute $\NullifierKey = \scalarmult{\AuthProvePrivate}{\AuthProveBaseSapling}$ and - $\NullifierKeyRepr = \reprJ\Of{\NullifierKey}$\,. - \item Compute $\NoteUniqueRand{} = \cmOld{} - = \NoteCommit{Sapling}{\NoteCommitRand}(\reprJ\Of{\DiversifiedTransmitBase}, - \reprJ\Of{\DiversifiedTransmitPublic}, - \vOld{})$. - \item Compute $\nfOld{} = \PRFnf{Sapling}{\NullifierKeyRepr}(\reprJ(\NoteUniqueRand))$. + \item Choose uniformly random $\ValueCommitRand \leftarrowR \ValueCommitGenTrapdoor{\maybeSapling}()$. + \item Choose uniformly random $\NoteCommitRand \leftarrowR \NoteCommitGenTrapdoor{\maybeSapling}()$. + \item Let $\cvOld{} = \ValueCommit{\maybeSapling}{\ValueCommitRand}(\vOld{})$. + \item Let $\cmOld{} = \NoteCommit{\maybeSapling}{\NoteCommitRand}(\reprMaybeJ\Of{\DiversifiedTransmitBase}, + \reprMaybeJ\Of{\DiversifiedTransmitPublic}, + \vOld{})$. + \item Let $\NotePosition = 0$. 
+ \item Let $\NoteUniqueRandRepr = \reprMaybeJ\big(\MixingPedersenHash(\cmOld{}, \NotePosition)\kern-0.12em\big)$. + \item Let $\NullifierKeyRepr = \reprMaybeJ(\NullifierKey)$. + \item Let $\nfOld{} = \PRFnf{Sapling}{\NullifierKeyRepr}(\NoteUniqueRandRepr)$. \item Construct a \dummy \merklePath $\TreePath{}$ for use in the \auxiliaryInput to the \spendStatement (this will not be checked, because $\vOld{} = 0$). \end{itemize} @@ -7078,9 +7194,9 @@ be the \incomingViewingKey corresponding to $\AuthPrivate$, and let $\TransmitPu \vspace{1ex} \begin{algorithm} - \item let mutable $\ReceivedSet \typecolon \powerset{\NoteType{Sprout} \times \MemoType} := \setof{}$ - \item let mutable $\SpentSet \typecolon \powerset{\NoteType{Sprout}} := \setof{}$ - \item let mutable $\NullifierMap \typecolon \PRFOutputSprout \rightarrow \NoteType{Sprout} :=$ the empty mapping + \item let mutable $\ReceivedSet \typecolon \powerset{\NoteType{Sprout} \times \MemoType} \leftarrow \setof{}$ + \item let mutable $\SpentSet \typecolon \powerset{\NoteType{Sprout}} \leftarrow \setof{}$ + \item let mutable $\NullifierMap \typecolon \PRFOutputSprout \rightarrow \NoteType{Sprout} \leftarrow$ the empty mapping \vspace{1ex} \item for each \transaction $\tx$: \item \tab for each \joinSplitDescription in $\tx$: 
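Review bot: `\item Let $\NotePosition = 0$.` duplicates the unchanged `Set $\vOld{} = 0$, and set $\NotePosition = 0$.` a few items earlier; one of the two should go. The final step `\item Let $\nfOld{} = \PRFnf{Sapling}{\NullifierKeyRepr}(\NoteUniqueRandRepr)$.` keeps a hard-coded `Sapling` suffix while every other instantiation in the rewritten list uses `\maybeSapling`, and the preceding `\MixingPedersenHash(\cmOld{}, \NotePosition)` step is a Sapling construction, so the Orchard case of this now-generalized procedure appears not to be covered by these two lines; if the Orchard nullifier derivation differs, a `\nufive{...}` branch is needed here. The generated \fullViewingKey is also written as `$(\AuthSignPublic, \NullifierKey, \CommitIvkRand)$`, which looks like the Orchard key shape only, and the Orchard encoding section in this same diff names the third component `\CommitIvkRandom`, so the component list and macro name should be checked for both protocols.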
@@ -7135,9 +7251,9 @@ and its final status (spent or unspent). \vspace{1ex} \begin{algorithm} - \item let mutable $\ReceivedSet \typecolon \powerset{\NoteType{Sapling} \times \MemoType} := \setof{}$ - \item let mutable $\SpentSet \typecolon \powerset{\NoteType{Sapling}} := \setof{}$ - \item let mutable $\NullifierMap \typecolon \PRFOutputNfSapling \rightarrow \NoteType{Sapling} :=$ the empty mapping + \item let mutable $\ReceivedSet \typecolon \powerset{\NoteType{Sapling} \times \MemoType} \leftarrow \setof{}$ + \item let mutable $\SpentSet \typecolon \powerset{\NoteType{Sapling}} \leftarrow \setof{}$ + \item let mutable $\NullifierMap \typecolon \PRFOutputNfSapling \rightarrow \NoteType{Sapling} \leftarrow$ the empty mapping \vspace{1ex} \item for each \transaction $\tx$: \item \tab for each \outputDescription in $\tx$ with \notePosition $\NotePosition$: @@ -7201,6 +7317,9 @@ and integers: \item $\ItoLEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow \bitseq{\ell}$, such that $\ItoLEBSPOf{\ell}{x}$ is the sequence of $\ell$ bits representing $x$ in little-endian order; + \item $\ItoLEOSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$, + such that $\ItoLEBSPOf{\ell}{x}$ is the sequence of $\ceiling{\ell/8}$ bytes representing $x$ in + little-endian order; \item $\ItoBEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow \bitseq{\ell}$ such that $\ItoBEBSPOf{\ell}{x}$ is the sequence of $\ell$ bits representing $x$ in big-endian order. 
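Review bot: The new `\ItoLEOSP{}` item in the `@@ -7201` hunk describes its value as `such that $\ItoLEBSPOf{\ell}{x}$ is the sequence of $\ceiling{\ell/8}$ bytes`, i.e.\ it names `\ItoLEBSPOf` (the bit-sequence function in the item just above) instead of `\ItoLEOSPOf`, so the byte-sequence function is never related to its own symbol. Since the rest of this commit replaces every `\LEBStoOSPOf{\ell}{\ItoLEBSPOf{\ell}{x}}` with `\ItoLEOSPOf{\ell}{x}`, stating the definition as that composition, e.g. `such that $\ItoLEOSPOf{\ell}{x} = \LEBStoOSPOf{\ell}{\ItoLEBSPOf{\ell}{x}}$`, would both fix the typo and pin the bit-to-byte packing (in particular where the padding bits sit when $\ell$ is not a multiple of $8$) to whatever `\LEBStoOSP{}` already specifies. Without that, the refactor is only implicitly behaviour-preserving and canonical-encoding checks that depend on padding-bit position are left to the reader.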
@@ -7238,9 +7357,9 @@ concatenating these bit sequences, and then treating each subsequence of 8 bits as a byte with the bits ordered from \emph{most significant} to \emph{least significant}. Thus the \emph{most significant} bit in each byte is toward the left of a diagram. \sapling{(This convention is used only in -descriptions of the $\Sprout$ design; in the $\Sapling$ additions, bit/byte -sequence conversions are always specified explicitly.)} Where bit fields are -used, the text will clarify their position in each case. +descriptions of the $\Sprout$ design; in the $\SaplingAndOrchard$ additions, +bit/byte sequence conversions are always specified explicitly.)} Where bit fields +are used, the text will clarify their position in each case. \introsection \lsubsection{Constants}{constants} 
@@ -7526,7 +7645,33 @@ $\MerkleCRH{Sapling} \typecolon \MerkleLayer{Sapling} \times \MerkleHash{Sapling \vspace{1ex} \pnote{The prefix $l$ provides domain separation between inputs at different layers of the \noteCommitmentTree. $\NoteCommitAlg{Sapling}$, like $\PedersenHash$, is defined in terms of $\PedersenHashToPoint$, -but using a prefix that cannot collide with a layer prefix, as noted in \crossref{concretewindowedcommit}.}} %sapling +but using a prefix that cannot collide with a layer prefix, as noted in \crossref{concretewindowedcommit}.} +} %sapling + + +\nufive{ +\vspace{-2ex} +\lsubsubsubsubsection{$\MerkleCRH{Orchard}$ Hash Function}{orchardmerklecrh} + +\vspace{-2ex} +Let $\SinsemillaHash$ be as specified in \crossref{concretesinsemillahash}. + +$\MerkleCRH{Orchard} \typecolon \MerkleLayer{Orchard} \times \MerkleHash{Orchard} \times \MerkleHash{Orchard} +\rightarrow \MerkleHash{Orchard}$ is defined as follows: + +\begin{formulae} + \item $\MerkleCRH{Orchard}(\mathsf{layer}, \mathsf{left}, \mathsf{right}) := \SinsemillaHash(\ascii{z.cash:Orchard-MerkleCRH}, + l \bconcat \mathsf{left} \bconcat \mathsf{right})$ + \item where $l = \ItoLEBSP{10}\big(\MerkleDepth{Orchard} - 1 - \mathsf{layer}\big)$. +\end{formulae} + +\vspace{-2ex} +\securityrequirement{$\SinsemillaHash$ must be \collisionResistant\!.} + +\vspace{1ex} +\pnote{The prefix $l$ provides domain separation between inputs at different layers of the +\noteCommitmentTree.} +} %nufive \lsubsubsubsection{\hSigText{} Hash Function}{hsigcrh} 
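Review bot: In the new `\MerkleCRH{Orchard}` formula, `l \bconcat \mathsf{left} \bconcat \mathsf{right}` concatenates the $10$-bit sequence `l` directly with two `\MerkleHash{Orchard}` values, but this same commit redefines `\ExtractP` (in the `@@ -9933` hunk) to return a field element of type `\GroupPx` rather than a bit sequence, so if `\MerkleHash{Orchard}` follows that change the operands of `\bconcat` no longer share a type. If so, the encoding should be made explicit, e.g. `l \bconcat \ItoLEBSP{\MerkleHashLength{Orchard}}(\mathsf{left}) \bconcat \ItoLEBSP{\MerkleHashLength{Orchard}}(\mathsf{right})`, with `\ItoLEBSP{}` added to the `Let` sentence above the definition. The domain-separation claim in the `\pnote` relies on `l` having a fixed width, which the $10$-bit encoding gives only while the layer index stays below $2^{10}$; stating that bound next to `\MerkleDepth{Orchard}` would make the argument self-contained.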
@@ -7761,10 +7906,11 @@ the third address was derived from. the fact that they are not derived from the same \incomingViewingKey) does not appreciably reduce the anonymity set. - In \cite{ZIP-32} an $88$-bit \defining{\pseudoRandomPermutation}, keyed differently for - each node of the derivation tree, is used to select new \diversifiers. - This resolves the potential problem, provided that the input to the - \pseudoRandomPermutation does not repeat for a given node. + In \cite{ZIP-32}\nufive{ and \crossref{orchardkeycomponents}} an $88$-bit + \defining{\pseudoRandomPermutation}, keyed differently for each node of the + derivation tree, is used to select new \diversifiers. This resolves the + potential problem, provided that the input to the \pseudoRandomPermutation + does not repeat for a given node. \item If the holder of an \incomingViewingKey permits an adversary to ask for a new address for that \incomingViewingKey with a given \diversifier, then it can 
@@ -7915,27 +8061,6 @@ zero, the proof can be adapted straightforwardly to show that $\PedersenHashToPo is \collisionResistant under the same assumptions and security bounds. Because $\ExtractJ$ is injective, it follows that $\PedersenHash$ is equally \collisionResistant\!. - -\introlist -\theoremlabel{thmnohashtouncommittedsapling} -\begin{theorem}[$\Uncommitted{Sapling}$ is not in the range of $\PedersenHash$]\end{theorem} - -\begin{proof} -$\Uncommitted{Sapling}$ is defined as $\ItoLEBSPOf{\MerkleHashLength{Sapling}}{1}$. -By injectivity of $\ItoLEBSP{\MerkleHashLength{Sapling}}$ and definitions of -$\PedersenHash$ and $\ExtractJ$, $\ItoLEBSPOf{\MerkleHashLength{Sapling}}{1}$ -can be in the range of $\PedersenHash$ only if there exist -$D \typecolon \smash{\byteseq{8}}$ and $M \typecolon \smash{\bitseq{\PosInt}}$ such that $\Selectu\Of{\PedersenHashToPoint(D, M)} = 1$. -The latter can only be the \affineCtEdwards $u$-coordinate of a point in $\strut\GroupJ$. -We show that there are no points in $\GroupJ$ with \affineCtEdwards $u$-coordinate $1$. -Suppose for a contradiction that $(u, \varv) \in \GroupJ$ for $u = 1$ and some -$\varv \typecolon \GF{\ParamS{r}}$. By writing the curve equation as -$\varv^2 = (1 - \ParamJ{a} \smult u^2) / (1 - \ParamJ{d} \smult u^2)$, and noting that -$1 - \ParamJ{d} \smult u^2 \neq 0$ because $\ParamJ{d}$ is nonsquare, -we have $\varv^2 = (1 - \ParamJ{a}) / (1 - \ParamJ{d})$. -The right-hand-side is a nonsquare in $\GF{\ParamS{r}}$ (for the \jubjubCurve parameters), -so there are no solutions for $\varv$ (contradiction). -\end{proof} } %sapling 
@@ -7997,7 +8122,7 @@ Let $\GroupPHash$ be as defined in \crossref{concretegrouphashpallasandvesta}. Let $\Uncommitted{Orchard}$ be as defined in \crossref{constants}. -Let $\LEBStoOSP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$ +Let $\ItoLEOSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$ and $\LEOStoIP{} \typecolon (\ell \typecolon \Nat \suchthat \ell \bmod 8 = 0) \times \byteseq{\ell/8} \rightarrow \binaryrange{\ell}$ be as defined in \crossref{endian}. @@ -8013,7 +8138,7 @@ $\SinsemillaGenBase \typecolon \binaryrange{k} \rightarrow \GroupPstar$ by: \begin{tabular}{@{\hskip 1.5em}r@{\;}l} $\SinsemillaGenInit(D)$ &$:= \GroupPHash\!\big(\ascii{z.cash:SinsemillaQ}, D\big)$ \\ - $\SinsemillaGenBase(j)$ &$:= \GroupPHash\!\big(\ascii{z.cash:SinsemillaS}, \LEBStoOSPOf{32}{\ItoLEBSPOf{32}{j}}\kern-0.25em\big)$. + $\SinsemillaGenBase(j)$ &$:= \GroupPHash\!\big(\ascii{z.cash:SinsemillaS}, \ItoLEOSPOf{32}{j}\big)$. \end{tabular} \vspace{1ex} @@ -8038,10 +8163,10 @@ Define $\SinsemillaHashToPoint(D \typecolon \byteseqs, M \typecolon \bitseq{\ran \item let $n \typecolon \range{0}{c} = \ceiling{\hfrac{\length(M')}{k}\kern-0.1em}$ \item split $M'$ into $n$ \defining{\pieces} $M_\barerange{1}{n}$, each of length $k$ bits, so that $M' = \concatbits(M_\barerange{1}{n})$. - \item let mutable $\Acc := \SinsemillaGenInit(D)$ + \item let mutable $\Acc \leftarrow \SinsemillaGenInit(D)$ \item for $i$ from $1$ up to $n$: \vspace{-1ex} - \item \tab set $\Acc := \Big(\Acc \incompleteadd \SinsemillaGenBase\big(\LEBStoIP{k}(M_i)\kern-0.1em\big)\kern-0.15em\Big) \incompleteadd \Acc$ + \item \tab set $\Acc \leftarrow \Big(\Acc \incompleteadd \SinsemillaGenBase\big(\LEBStoIP{k}(M_i)\kern-0.1em\big)\kern-0.15em\Big) \incompleteadd \Acc$ \item \blank \item return $\Acc$. \end{algorithm} 
@@ -8070,28 +8195,6 @@ No other security properties commonly associated with \hashFunctions are needed. \end{nnotes} \todo{Security proof} - -\introlist -\theoremlabel{thmnohashtouncommittedorchard} -\begin{theorem}[$\Uncommitted{Orchard}$ is not in the range of $\SinsemillaHash$]\end{theorem} - -\begin{proof} -$\Uncommitted{Orchard}$ is defined as $\ItoLEBSPOf{\MerkleHashLength{Orchard}}{2}$. -By injectivity of $\ItoLEBSP{\MerkleHashLength{Orchard}}$ and definitions of -$\SinsemillaHash$ and $\ExtractP$, $\ItoLEBSPOf{\MerkleHashLength{Orchard}}{2}$ -can be in the range of $\SinsemillaHash$ only if there exist -$D \typecolon \byteseqs$ and $M \typecolon \bitseq{\smash{\PosInt}}$ such that -$\Selectx\Of{\SinsemillaHashToPoint(D, M)} = 2$. $\Selectx\Of{\SinsemillaHashToPoint(D, M)}$ -can only be $0$ or the \affineSW $x$-coordinate of a point in $\GroupP$. -But $0 \neq 2 \pmod{\ParamP{q}}$, and there are no points in $\GroupP$ with -\affineSW $x$-coordinate $2 \pmod{\ParamP{q}}$, since $2^3 + \ParamP{b} = 13$ -is not square in $\GF{\ParamP{q}}$. -\end{proof} - -\nnote{There are also no points in $\GroupP$ with \affineSW $x$-coordinate $0 \pmod{\ParamP{q}}$. -We do not choose $\Uncommitted{Orchard} = 0$ because we define $\Selectx\Of{\ZeroP} = 0$, -and it is technically possible (with negligible probability) that -$\SinsemillaHashToPoint$ could return $\ZeroP$.} } %nufive 
@@ -8486,6 +8589,26 @@ block count and $64$-bit nonce as in the original definition of $\SymCipher$. } } %changed +\nufive{ +\lsubsubsection{Pseudo Random Permutations}{concreteprps} + +Let $\DiversifierKeyLength$ and $\DiversifierLength$ be as defined in \crossref{constants}. + +$\PRPd{} \typecolon \DiversifierKeyType \times \DiversifierType \rightarrow \DiversifierType$ +is a \pseudoRandomPermutation specified in \crossref{abstractprps}. In this specification, +it is used to generate \diversifiers for \Orchard \paymentAddresses in +\crossref{orchardkeycomponents}. (\cite{ZIP-32} uses an identical construction to +generate \diversifiers for \Sapling \paymentAddresses.) + +Let $\FFOneAES{K}(\mathit{tweak}, x)$ be the $\FFOne$ format-preserving +encryption algorithm \cite{NIST2016} using $\AES$ with a $256$-bit key $K$, and +parameters $\mathit{radix} = 2, \mathit{minlen} = 88, \mathit{maxlen} = 88$. +It will be used only with the empty string $\ascii{}$ as the $\mathit{tweak}$. +$x$ is a sequence of $88$ bits, as is the output. + +Define $\PRPd{K}(\Diversifier) := \FFOneAES{K}(\ascii{}, \Diversifier)$. +} %nufive + \lsubsubsection{Key Agreement And Derivation}{concretekaandkdf} \lsubsubsubsection{\SproutText{} Key Agreement}{concretesproutkeyagreement} 
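Review bot: `\PRPd{}` is typed as `\DiversifierKeyType \times \DiversifierType \rightarrow \DiversifierType`, but the definition `\PRPd{K}(\Diversifier) := \FFOneAES{K}(\ascii{}, \Diversifier)` passes the byte-sequence diversifier straight into $\FFOne$, which the preceding paragraph describes as operating on a sequence of $88$ bits with $\mathit{radix} = 2$; the byte-to-bit ordering is therefore unspecified, and two conforming implementations could pick opposite conventions and derive different diversifiers from the same key. Making the conversion explicit, e.g. `\PRPd{K}(\Diversifier) := \LEBStoOSPOf{88}{\FFOneAES{K}(\ascii{}, \LEOStoBSP{88}(\Diversifier))}` with both functions taken from \crossref{endian} as elsewhere in this diff, would pin the encoding; it should be checked against the convention \cite{ZIP-32} already uses, since the text asserts the two constructions are identical. It would also help to tie the `$256$-bit key $K$` to `\DiversifierKeyType` explicitly (i.e.\ that $\DiversifierKeyLength = 256$), as the signature and the prose currently state the key size in two different ways.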
@@ -8711,10 +8834,10 @@ curve's prime-order subgroup). Let $\EdDSABase$ be the base point given in \cite{BDLSY2012}. -Define $\ItoLEBSP{}$, $\LEBStoOSP{}$, $\LEOStoBSP{}$, and $\LEBStoIP{}$ as in \crossref{endian}. +Define $\ItoLEOSP{}$, $\LEOStoBSP{}$, and $\LEBStoIP{}$ as in \crossref{endian}. Define $\reprBytesEdSpecific \typecolon \GroupEdSpecific \rightarrow \ReprEdSpecificBytes$ such -that $\reprBytesEdSpecific\Of{x, y} = \LEBStoOSP{256}\Of{\ItoLEBSP{256}\big(y + 2^{255} \smult \tilde{x}\big)\!}$\kern0.05em, where +that $\reprBytesEdSpecific\Of{x, y} = \ItoLEOSP{256}\big(y + 2^{255} \smult \tilde{x}\big)$, where $\tilde{x} = x \bmod 2$.\notsprout{\footnotewithlabel{coordinatenames}{\changed{Here we use the $(x, y)$ naming of coordinates in \cite{BDLSY2012}, which is different from the $(u, \varv)$ naming used for coordinates of \ctEdwardsCurves in \crossref{jubjub} and in \crossref{ecbackground}.}}} @@ -8842,6 +8965,12 @@ The \bindingSignatureScheme $\BindingSig{Orchard}$ is instantiated by $\RedPalla key re-randomization, using parameters defined in \crossref{concretebindingsig}. } %nufive +Let $\ItoLEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow \bitseq{\ell}$ +and $\ItoLEOSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$ +and $\LEOStoIP{} \typecolon (\ell \typecolon \Nat \suchthat \ell \bmod 8 = 0) \times \byteseq{\ell/8} \rightarrow \binaryrange{\ell}$ +and $\LEBStoOSP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$ +be as defined in \crossref{endian}. + \introlist \vspace{1ex} We first describe the scheme $\RedDSA$ over a general \representedGroup. 
@@ -8921,7 +9050,7 @@ Define $\RedDSASign{} \typecolon (\sk \typecolon \RedDSAPrivate) \times (M \type \item Let $\RedDSAReprR{} = \LEBStoOSPOf{\ellG{}}{\reprG{}\Of{\RedDSASigR{}}\kern 0.05em}$. \vspace{-0.5ex} \item Let $\RedDSASigS{} = (r + \RedDSAHashToScalar(\RedDSAReprR{} \bconcat \vkBytes{} \bconcat M) \mult \sk) \bmod \ParamG{r}$. - \item Let $\RedDSAReprS{} = \LEBStoOSPOf{\bitlength(\ParamG{r})}{\ItoLEBSPOf{\bitlength(\ParamG{r})}{\RedDSASigS{}}\kern-0.12em}$. + \item Let $\RedDSAReprS{} = \ItoLEOSPOf{\bitlength(\ParamG{r})}{\RedDSASigS{}}$. \item Return $\RedDSAReprR{} \bconcat \RedDSAReprS{}$. \end{algorithm} 
@@ -9173,6 +9302,29 @@ instantiated as follows using $\WindowedPedersenCommitAlg$: \item The arguments to $\NoteCommitAlg{Sapling}$ are in a different order to their encodings in $\WindowedPedersenCommit{}$. There is no particularly good reason for this. \end{pnotes} + +\introlist +\theoremlabel{thmnocommittouncommittedsapling} +\begin{theorem}[$\Uncommitted{Sapling}$ is not in the range of $\,\NoteCommitAlg{Sapling}$]\end{theorem} + +\begin{proof} +$\Uncommitted{Sapling}$ is defined as $\ItoLEBSPOf{\MerkleHashLength{Sapling}}{1}$. +By injectivity of $\ItoLEBSP{\MerkleHashLength{Sapling}}$ and definitions of +$\ExtractJ$, $\WindowedPedersenCommitAlg$, and $\NoteCommitAlg{Sapling}$, +$\ItoLEBSPOf{\MerkleHashLength{Sapling}}{1}$ can be in the range of $\NoteCommitAlg{Sapling}$ +only if there exist $\NoteCommitRand \typecolon \NoteCommitTrapdoor{Sapling}$, +$D \typecolon \smash{\byteseq{8}}$, and $M \typecolon \smash{\bitseq{\PosInt}}$ +such that $\Selectu\Of{\WindowedPedersenCommit{\NoteCommitRand}(D, M)} = 1$. +The latter can only be the \affineCtEdwards $u$-coordinate of a point in $\strut\GroupJ$. +We show that there are no points in $\GroupJ$ with \affineCtEdwards $u$-coordinate $1$. +Suppose for a contradiction that $(u, \varv) \in \GroupJ$ for $u = 1$ and some +$\varv \typecolon \GF{\ParamS{r}}$. By writing the curve equation as +$\varv^2 = (1 - \ParamJ{a} \smult u^2) / (1 - \ParamJ{d} \smult u^2)$, and noting that +$1 - \ParamJ{d} \smult u^2 \neq 0$ because $\ParamJ{d}$ is nonsquare, +we have $\varv^2 = (1 - \ParamJ{a}) / (1 - \ParamJ{d})$. +The right-hand-side is a nonsquare in $\GF{\ParamS{r}}$ (for the \jubjubCurve parameters), +so there are no solutions for $\varv$ (contradiction). +\end{proof} } %sapling 
@@ -9294,8 +9446,8 @@ instantiated as follows using $\SinsemillaCommitAlg$: \begin{formulae} \item $\CommitIvk{\CommitIvkRand}(\AuthSignPublic, \NullifierKey) := - \SinsemillaShortCommit{\NoteCommitRand}\left(\ascii{z.cash:Orchard-CommitIvk}, - \ItoLEBSP{\ScalarLength{Orchard}}(\AuthSignPublicRepr) \bconcat \ItoLEBSP{\ScalarLength{Orchard}}\NullifierKeyRepr\right) \mod{\ParamP{r}}$ + \SinsemillaShortCommit{\CommitIvkRand}\left(\ascii{z.cash:Orchard-CommitIvk}, + \ItoLEBSP{\ScalarLength{Orchard}}(\AuthSignPublicRepr) \bconcat \ItoLEBSP{\ScalarLength{Orchard}}\NullifierKeyRepr\right) \pmod{\ParamP{r}}$ \item $\CommitIvkGenTrapdoor()$ generates the uniform distribution on $\GF{\ParamP{r}}$. \end{formulae} 
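Review bot: In the corrected `\CommitIvk` formula the second operand `\ItoLEBSP{\ScalarLength{Orchard}}\NullifierKeyRepr` has no parentheses around its argument while the first, `\ItoLEBSP{\ScalarLength{Orchard}}(\AuthSignPublicRepr)`, does; write it as `\ItoLEBSP{\ScalarLength{Orchard}}(\NullifierKeyRepr)` for consistency. Both operands are also named as representations (`\AuthSignPublicRepr`, `\NullifierKeyRepr`), so applying an integer-to-bit-sequence function to them only type-checks if those symbols denote integers rather than encodings; that should be confirmed against \crossref{orchardkeycomponents}, which is outside this diff. The trapdoor fix from `\NoteCommitRand` to `\CommitIvkRand` is the right correction.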
@@ -9315,6 +9467,29 @@ instantiated as follows using $\SinsemillaCommitAlg$: \item The arguments to $\NoteCommitAlg{Orchard}$ are the same order as their encodings in the input to $\SinsemillaCommit{}$; this is different to $\NoteCommitAlg{Sapling}$. \end{pnotes} + +\introlist +\theoremlabel{thmnocommittouncommittedorchard} +\begin{theorem}[$\Uncommitted{Orchard}$ is not in the range of $\,\NoteCommitAlg{Orchard}$]\end{theorem} + +\begin{proof} +$\Uncommitted{Orchard}$ is defined as $\ItoLEBSPOf{\MerkleHashLength{Orchard}}{2}$. +By injectivity of $\ItoLEBSP{\MerkleHashLength{Orchard}}$ and definitions of +$\ExtractP$, $\SinsemillaShortCommitAlg$, and $\NoteCommitAlg{Orchard}$, +$\ItoLEBSPOf{\MerkleHashLength{Orchard}}{2}$ can be in the range of $\NoteCommitAlg{Orchard}$ +only if there exist $\NoteCommitRand \typecolon \NoteCommitTrapdoor{Orchard}$, +$D \typecolon \byteseqs$, and $M \typecolon \bitseq{\smash{\PosInt}}$ such that +$\ExtractP\Of{\SinsemillaCommit{\NoteCommitRand}(D, M)} = 2$. $\ExtractP\Of{\SinsemillaHashToPoint(D, M)}$ +can only be $0$ or the \affineSW $x$-coordinate of a point in $\GroupP$. +But $0 \neq 2 \pmod{\ParamP{q}}$, and there are no points in $\GroupP$ with +\affineSW $x$-coordinate $2 \pmod{\ParamP{q}}$, since $2^3 + \ParamP{b} = 13$ +is not square in $\GF{\ParamP{q}}$. +\end{proof} + +\nnote{There are also no points in $\GroupP$ with \affineSW $x$-coordinate $0 \pmod{\ParamP{q}}$. +We do not choose $\Uncommitted{Orchard} = 0$ because we define $\ExtractP\Of{\ZeroP} = 0$, +and it is technically possible (with negligible probability) that +$\SinsemillaHashToPoint$ could return $\ZeroP$.} } %nufive @@ -9906,6 +10081,7 @@ Define $\reprG{} \typecolon \GroupG{} \rightarrow \ReprG{}$ such that \end{tabular} \vspace{1ex} +\introlist Define $\abstG{} \typecolon \ReprG{} \rightarrow \maybe{\GroupG{}}$ such that $\abstJ\Of{P\Repr}$ is computed as follows: \begin{formulae} 
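Review bot: The proof of `thmnocommittouncommittedorchard` switches functions mid-argument: it reduces to the existence of $\NoteCommitRand$, $D$, $M$ with `$\ExtractP\Of{\SinsemillaCommit{\NoteCommitRand}(D, M)} = 2$`, but the next sentence reasons about `$\ExtractP\Of{\SinsemillaHashToPoint(D, M)}$`, and the closing `\nnote` likewise says `$\SinsemillaHashToPoint$ could return $\ZeroP$`. Since the claim is about the commitment, both should refer to `\SinsemillaCommit{\NoteCommitRand}(D, M)`, whose output is still a point of $\GroupP$ or $\ZeroP$, so the $x$-coordinate argument goes through unchanged. The preamble also lists `\SinsemillaShortCommitAlg` among the definitions relied on, whereas the proof uses `\SinsemillaCommit`; one of the two names should be corrected to match how `\NoteCommitAlg{Orchard}` is instantiated above.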
@@ -9933,23 +10109,30 @@ $\abstJ\Of{P\Repr}$ is computed as follows: \lsubsubsubsection{Hash Extractor for \PallasText}{concreteextractorpallas} \vspace{-1ex} -Let $\ItoLEBSP{}$ be as defined in \crossref{endian}; let $\MerkleHashLength{Orchard}$ be as defined -in \crossref{constants}, and let $\GroupP$ be as defined in \crossref{pallasandvesta}. +Let $\GroupP$, $\ZeroP$, $\ParamP{q}$, and $\ParamP{b}$ be as defined in \crossref{pallasandvesta}. -\vspace{1ex} -Let $\Selectx\big(\kern-0.1em(x, y)\kern-0.1em\big) = x$ and let $\Selectx\big(\ZeroP\big) = 0$. +Define $\GroupPstarx$ be the set of $x$-coordinates of points on the \pallasCurve, +i.e.\ $\setof{x \typecolon \GF{\ParamP{q}} \suchthat x^3 + \ParamP{b}\text{ is square in }\GF{\ParamP{q}}}$. -Define $\ExtractP \typecolon \GroupP \rightarrow \MerkleHash{Orchard}$ by +Define $\GroupPx := \GroupPstarx \union \setof{0}$. + +\vspace{2ex} +Define $\ExtractP \typecolon \GroupP \rightarrow \GroupPx$ such that + +\vspace{-1ex} \begin{formulae} - \item $\ExtractP(P) := \ItoLEBSP{\MerkleHashLength{Orchard}}\big(\Selectx(P)\kern-0.12em\big)$. + \item $\ExtractP\big(\ZeroP\big) = 0$ + \item $\ExtractP\big((x, y)\big) = x$. \end{formulae} + +\vspace{-2ex} +\nnote{$\ExtractP$ returns the type $\GroupPx$ which is precise for its range, unlike $\ExtractJ$ +which returns a bit sequence.} } %nufive \nufive{ -\vspace{-2ex} \lsubsubsubsection{Group Hash into \PallasAndVestaText}{concretegrouphashpallasandvesta} -\vspace{-1ex} \Orchard uses the ``simplified SWU'' algorithm for \randomOracleAdjective hashing to elliptic curves with $j$-invariant $0$, consistent with \cite[section 6.6.3]{ID-hashtocurve}, based on a method by Riad Wahby and Dan Boneh \cite{WB2019}. 
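Review bot: `Define $\GroupPstarx$ be the set of $x$-coordinates` is ungrammatical; it should read `Define $\GroupPstarx$ to be the set of $x$-coordinates ...` (or `Let $\GroupPstarx$ be ...`, matching the `Let ... be as defined` phrasing on the line above). The new signature `\ExtractP \typecolon \GroupP \rightarrow \GroupPx` changes the return type from a bit sequence to a field element, so any caller that concatenates or hashes the result (the `\MerkleCRH{Orchard}` definition added earlier in this diff, for instance) now needs an explicit `\ItoLEBSP{}` step; the `\nnote` contrasting `\ExtractP` with `\ExtractJ` would be the natural place to say so.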
@@ -10047,6 +10230,7 @@ Let $\BlakeTwob{512} \typecolon \byteseq{16} \times \byteseqs \rightarrow \bytes Let $\BEOStoIP{}$ be as defined in \crossref{endian}. \vspace{0.5ex} +\introlist Define $\hashtofield_{\XMDBlakeTwob}^{\typeexp{\GF{\ParamG{q}}\!}{2}}(\msg \typecolon \byteseqs, \DST \typecolon \byteseq{\range{0}{255}}) \rightarrow \typeexp{\GF{\ParamG{q}}\!}{2}$ as follows: @@ -10714,12 +10898,19 @@ The zero padding occupies the most significant 4 bits of the third byte. Let $\KA{Sapling}$ be as defined in \crossref{concretesaplingkeyagreement}. +Let $\DiversifierLength$ be as defined in \crossref{constants}. + +Let $\SubgroupJ$, $\abstJ$, and $\reprJ$ be as defined in \crossref{jubjub}. + +Let $\LEBStoOSP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$ +be as defined in \crossref{endian}. + A \Sapling{} \defining{\paymentAddress} consists of $\Diversifier \typecolon \DiversifierType$ and $\DiversifiedTransmitPublic \typecolon \KAPublicPrimeSubgroup{Sapling}$. $\DiversifiedTransmitPublic$ is an encoding of a $\KA{Sapling}$ \publicKey of type $\KAPublicPrimeSubgroup{Sapling}$, for use with the encryption scheme defined in -\crossref{saplinginband}. $\Diversifier$~is a sequence of $11$ bytes. +\crossref{saplinginband}. $\Diversifier$~is a \diversifier. These components are derived as described in \crossref{saplingkeycomponents}. \introlist 
@@ -10739,12 +10930,12 @@ The \rawEncoding of a \Sapling \paymentAddress consists of: \end{itemize} When decoding the representation of $\DiversifiedTransmitPublic$, the address \MUST be -considered invalid if $\abstJ$ returns $\bot$ or if the resulting $\DiversifiedTransmitPublic$ -is not in the prime-order subgroup $\SubgroupJ$. +considered invalid if $\abstJ$ returns $\bot$. -\vspace{-2ex} -\nnote{\zcashd currently (as of version 3.1.0) does not fully conform to this requirement on -address validation when importing \paymentAddresses.} +\nufive{\cite{ZIP-216} specifies that the address \MUST also be considered invalid if the +resulting $\DiversifiedTransmitPublic$ is not in the prime-order subgroup $\SubgroupJ$, or +if it is a non-canonical encoding as defined in \crossref{abstractgroup}. This \MAY be +enforced in advance of activation of \NUFive.} \vspace{1ex} For addresses on \Mainnet, the \defining{\humanReadablePart} (as defined in \cite{ZIP-173}) is \ascii{zs}. @@ -10903,12 +11094,15 @@ $\InViewingKey$ is a $\KAPrivate{Orchard}$ key (restricted to the range $\range{ derived as described in \crossref{orchardkeycomponents}. It is used with the encryption scheme defined in \crossref{saplingandorchardinband}. +Let $\ItoLEOSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$ +be as defined in \crossref{endian}. + \introlist The \rawEncoding of an \Orchard \incomingViewingKey consists of: \vspace{1ex} \begin{equation*} \begin{bytefield}[bitwidth=0.07em]{256} - \sbitbox{256}{$256$-bit $\InViewingKey$} + \sbitbox{256}{$\ItoLEOSPOf{256}{\InViewingKey}$} \end{bytefield} \end{equation*} 
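Review bot: The requirement that a decoded `\DiversifiedTransmitPublic` lie in `\SubgroupJ` is removed from the unconditional `\MUST` sentence and restated only inside `\nufive{...}`, so in the Sapling and Canopy renderings the subgroup check disappears entirely, while the sentence aimed at exactly those readers, `This \MAY be enforced in advance of activation of \NUFive.`, is shown only in the NU5 rendering where it is moot. Consider moving that sentence (or the whole ZIP-216 paragraph) outside the `\nufive{}` wrapper, or adding a `\notnufive{...}` note that the subgroup and canonicity checks are permitted before activation. The deleted `\nnote` about \zcashd not fully enforcing the old requirement was the only stated rationale for relaxing a \MUST; a one-line entry in the changelog section touched later in this diff would preserve that history.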
@@ -10940,14 +11134,17 @@ $\NullifierKey$ is the \nullifierDerivingKey, a field element in $\GF{\ParamP{q} $\CommitIvkRandom$ is the \commitIvkRandomness, a field element in $\GF{\ParamP{r}}$. They are derived as described in \crossref{orchardkeycomponents}. +Let $\ItoLEOSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$ +be as defined in \crossref{endian}. + \introlist The \rawEncoding of an \Orchard \fullViewingKey consists of: \vspace{1ex} \begin{equation*} \begin{bytefield}[bitwidth=0.05em]{512} - \sbitbox{256}{$\LEBStoOSPOf{256}{\reprP\Of{\AuthSignPublic}\kern 0.05em}$} - \sbitbox{256}{$\LEBStoOSPOf{256}{\ItoLEBSPOf{256}{\NullifierKey}\kern 0.05em}$} - \sbitbox{256}{$\LEBStoOSPOf{256}{\ItoLEBSPOf{256}{\CommitIvkRandom}\kern 0.05em}$} + \sbitbox{256}{$\ItoLEOSPOf{256}{\AuthSignPublic}$} + \sbitbox{256}{$\ItoLEOSPOf{256}{\NullifierKey}$} + \sbitbox{256}{$\ItoLEOSPOf{256}{\CommitIvkRandom}$} \end{bytefield} \end{equation*} @@ -10971,7 +11168,7 @@ For \incomingViewingKeys on \Testnet, the \humanReadablePart is \ascii{zviewtest \lsubsubsubsection{\OrchardText{} Spending Keys}{orchardspendingkeyencoding} An \Orchard{} \defining{\spendingKey} consists of $\SpendingKey \typecolon \SpendingKeyType$ -(see \crossref{saplingkeycomponents}). +(see \crossref{orchardkeycomponents}). \introlist The \rawEncoding of an \Orchard \spendingKey consists of: 
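Review bot: The first field of the Orchard \fullViewingKey encoding changes from `\LEBStoOSPOf{256}{\reprP\Of{\AuthSignPublic}\kern 0.05em}` to `\ItoLEOSPOf{256}{\AuthSignPublic}`, which only type-checks if `\AuthSignPublic` is now an integer in $\binaryrange{256}$ rather than a point; the unchanged context above describes `\NullifierKey` and `\CommitIvkRandom` as field elements but says nothing about `\AuthSignPublic`. If this commit redefines `\AuthSignPublic` as a field element in \crossref{orchardkeycomponents} (outside this diff), the prose above the bytefield should say so, as it does for the other two components; if it is still a point, the `\reprP`-based encoding (or an `\ExtractP` step) is needed and `\reprP` should be imported in the new `Let` sentence. Either way the encoding and the key-component definition need to agree, since a mismatch here changes the wire format of every Orchard full viewing key.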
@@ -13289,6 +13486,9 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. (It is also not true of $\abstBytesEdSpecific$, but \EdSpecific is not strictly defined as a \representedGroup in this specification.)} \sapling{ + \item Correct \theoremref{thmnocommittouncommittedsapling}, which was proving the wrong thing. + It needs to prove that $\NoteCommitAlg{Sapling}$ does not return $\Uncommitted{Sapling}$, + but was previously proving that $\PedersenHash$ does not return that value. \item The note about non-canonical encodings in \crossref{jubjub} gave incorrect values for the encodings of the point of order $2$, by omitting a $\ParamJ{q}$ term. \item The specification of decryption in \crossref{decryptovk} differed from its implementation @@ -13303,6 +13503,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. are normally of type $\KAPublicPrimeSubgroup{Sapling}$, we change the specification to match \zcashd. \end{itemize} + \item Correct the procedure for generating dummy \Sapling notes in \crossref{saplingandorcharddummynotes}. \item Add a note in \crossref{bctv} describing conditions under which an implementation that checkpoints on \Sapling can omit verifying \BCTV proofs. } %sapling 
@@ -15929,21 +16130,21 @@ Define $\BlakeTwos{256} \typecolon (p \typecolon \byteseq{8}) \times (x \typecol \listcomp{\LEOStoIPOf{32}{\BlakeParamBlock_{\barerange{4 \mult i}{4 \mult i\,+\,3}}} \xor \BlakeIV_i \for i \from 0 \upto 7}$ \item let $m \typecolon \typeexp{\binaryrange{32}}{16} = \listcomp{\LEOStoIPOf{32}{x_{\barerange{4 \mult i}{4 \mult i\,+\,3}}} \for i \from 0 \upto 15}$ - \item let mutable $v \typecolon \typeexp{\binaryrange{32}}{16} := + \item let mutable $v \typecolon \typeexp{\binaryrange{32}}{16} \leftarrow h \bconcat\,[\,\BlakeIV_0, \BlakeIV_1, \BlakeIV_2, \BlakeIV_3, t_0 \xor \BlakeIV_4, t_1 \xor \BlakeIV_5, f_0 \xor \BlakeIV_6, f_1 \xor \BlakeIV_7\,]$ \vspace{1ex} \item for $r$ from $0$ up to $9$: \vspace{-2ex} \item \begin{tabular}{@{\tab set\;}T@{}T@{}T@{}U@{}T@{}T@{}T@{}T@{}T@{}U@{}U} - (v_{ 0}, &v_{ 4}, &v_{ 8}, &v_{12}&) := G(v_{ 0}, &v_{ 4}, &v_{ 8}, &v_{12}, &m_{\sigma_{r, 0}}, &m_{\sigma_{r, 1}}&) \\ - (v_{ 1}, &v_{ 5}, &v_{ 9}, &v_{13}&) := G(v_{ 1}, &v_{ 5}, &v_{ 9}, &v_{13}, &m_{\sigma_{r, 2}}, &m_{\sigma_{r, 3}}&) \\ - (v_{ 2}, &v_{ 6}, &v_{10}, &v_{14}&) := G(v_{ 2}, &v_{ 6}, &v_{10}, &v_{14}, &m_{\sigma_{r, 4}}, &m_{\sigma_{r, 5}}&) \\ - (v_{ 3}, &v_{ 7}, &v_{11}, &v_{15}&) := G(v_{ 3}, &v_{ 7}, &v_{11}, &v_{15}, &m_{\sigma_{r, 6}}, &m_{\sigma_{r, 7}}&) \\[1ex] - (v_{ 0}, &v_{ 5}, &v_{10}, &v_{15}&) := G(v_{ 0}, &v_{ 5}, &v_{10}, &v_{15}, &m_{\sigma_{r, 8}}, &m_{\sigma_{r, 9}}&) \\ - (v_{ 1}, &v_{ 6}, &v_{11}, &v_{12}&) := G(v_{ 1}, &v_{ 6}, &v_{11}, &v_{12}, &m_{\sigma_{r,10}}, &m_{\sigma_{r,11}}&) \\ - (v_{ 2}, &v_{ 7}, &v_{ 8}, &v_{13}&) := G(v_{ 2}, &v_{ 7}, &v_{ 8}, &v_{13}, &m_{\sigma_{r,12}}, &m_{\sigma_{r,13}}&) \\ - (v_{ 3}, &v_{ 4}, &v_{ 9}, &v_{14}&) := G(v_{ 3}, &v_{ 4}, &v_{ 9}, &v_{14}, &m_{\sigma_{r,14}}, &m_{\sigma_{r,15}}&) \\ + (v_{ 0}, &v_{ 4}, &v_{ 8}, &v_{12}&) \leftarrow G(v_{ 0}, &v_{ 4}, &v_{ 8}, &v_{12}, &m_{\sigma_{r, 0}}, &m_{\sigma_{r, 1}}&) \\ + (v_{ 1}, &v_{ 5}, &v_{ 9}, &v_{13}&) \leftarrow G(v_{ 1}, 
&v_{ 5}, &v_{ 9}, &v_{13}, &m_{\sigma_{r, 2}}, &m_{\sigma_{r, 3}}&) \\
+ (v_{ 2}, &v_{ 6}, &v_{10}, &v_{14}&) \leftarrow G(v_{ 2}, &v_{ 6}, &v_{10}, &v_{14}, &m_{\sigma_{r, 4}}, &m_{\sigma_{r, 5}}&) \\
+ (v_{ 3}, &v_{ 7}, &v_{11}, &v_{15}&) \leftarrow G(v_{ 3}, &v_{ 7}, &v_{11}, &v_{15}, &m_{\sigma_{r, 6}}, &m_{\sigma_{r, 7}}&) \\[1ex]
+ (v_{ 0}, &v_{ 5}, &v_{10}, &v_{15}&) \leftarrow G(v_{ 0}, &v_{ 5}, &v_{10}, &v_{15}, &m_{\sigma_{r, 8}}, &m_{\sigma_{r, 9}}&) \\
+ (v_{ 1}, &v_{ 6}, &v_{11}, &v_{12}&) \leftarrow G(v_{ 1}, &v_{ 6}, &v_{11}, &v_{12}, &m_{\sigma_{r,10}}, &m_{\sigma_{r,11}}&) \\
+ (v_{ 2}, &v_{ 7}, &v_{ 8}, &v_{13}&) \leftarrow G(v_{ 2}, &v_{ 7}, &v_{ 8}, &v_{13}, &m_{\sigma_{r,12}}, &m_{\sigma_{r,13}}&) \\
+ (v_{ 3}, &v_{ 4}, &v_{ 9}, &v_{14}&) \leftarrow G(v_{ 3}, &v_{ 4}, &v_{ 9}, &v_{14}, &m_{\sigma_{r,14}}, &m_{\sigma_{r,15}}&) \\
 \end{tabular}
 \item \vspace{-1ex}
 \item return $\LEBStoOSPOf{256}{\concatbits\Of{\listcomp{\ItoLEBSPOf{32}{h_i \xor v_i \xor v_{i+8}} \for i \from 0 \upto 7}}}$
diff --git a/protocol/zcash.bib b/protocol/zcash.bib
index e87e9b6d..d2b84230 100644
--- a/protocol/zcash.bib
+++ b/protocol/zcash.bib
@@ -459,7 +459,18 @@ Received March~20, 2012.}
 year={2015},
 doi={10.6028/NIST.FIPS.180-4},
 url={https://csrc.nist.gov/publications/detail/fips/180/4/final},
- urldate={2018-02-14}
+ urldate={2021-03-08}
+}
+
+@misc{NIST2016,
+ presort={NIST2016},
+ author={NIST},
+ title={{NIST} {SP} 800-38G --- Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption},
+ month={03},
+ year={2016},
+ doi={10.6028/NIST.SP.800-38G},
+ url={https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38G.pdf},
+ urldate={2021-03-08}
 }
 
 @misc{RIPEMD160,
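Review bot: The nine assignment arrows added in this hunk (the `let mutable $v ... \leftarrow` line and the eight `G(...)` rows of the tabular) are bare `\leftarrow`, so the next notation change is again a nine-line edit here and presumably more wherever the same pattern recurs in the file; a semantic macro in the preamble, e.g. `\newcommand*{\assign}{\leftarrow}` (name constructed for illustration), would make this commit's `:=` to `\leftarrow` switch a one-line edit. It would also let a reader distinguish assignment from any other use of the arrow in the document at the macro level rather than by context. The $\BlakeTwos{256}$ definition this hunk edits starts before the hunk.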
@@ -550,6 +561,22 @@ Proceedings of the 35th Annual International Cryptology Conference
 Received August~3, 2015.}
 }
 
+@article{BKR2001,
+ presort={BKR2001},
+ author={Mihir Bellare and Joe Kilian and Phillip Rogaway},
+ title={The Security of the {C}ipher {B}lock {C}haining {M}essage {A}uthentication {C}ode},
+ journal={Journal of Computer and System Sciences},
+ volume={61},
+ number={3},
+ pages={362--399},
+ date={2000-12},
+ publisher={Academic Press},
+ doi={https://doi.org/10.1006/jcss.1999.1694},
+ url={https://cseweb.ucsd.edu/~mihir/papers/cbc.pdf},
+ urldate={2021-03-08},
+ addendum={Updated September~12, 2001.}
+}
+
 @misc{KR2020,
 presort={KR2020},
 author={Nathan Keller and Asaf Rosemarin},