Daira Hopwood
4ef578706b
In \crossref{internalh}, add a security argument for why the SHA-256-based commitment scheme
NoteCommit^Sprout is binding and hiding, under reasonable assumptions about SHA256Compress.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-19 18:09:23 +00:00
Daira Hopwood
0cdab5071b
In \crossref{joinsplit}, clarify that balance for JoinSplit transfers is enforced by the
JoinSplit statement, and that there is no consensus rule to check it directly.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-19 18:09:23 +00:00
Daira Hopwood
02adb44328
Set Change History entry date, and update version year to 2022.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-03 22:15:14 +00:00
Daira Hopwood
b57f6d1487
Correct the note about domain separators for PRF^expand in \crossref{abstractprfs},
and ensure that new domain separators for deriving internal keys from ZIPs 32 and 316 are included.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-03 22:15:14 +00:00
Daira Hopwood
cf1995c2ed
Fix stale links, and correct the accenting of [MÁEÁ2010].
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-03 22:15:14 +00:00
Daira Hopwood
59a220d59e
Change the types of cm_x, Uncommitted^Orchard, and ak in Orchard to { 0 .. q_P-1 },
avoiding type errors and reflecting the implementation in zcashd. This eliminates all uses of P_x
(except that ak in an Orchard full viewing key is still required to be a valid Pallas affine
x-coordinate). Also clarify the coordinate system whenever we refer to coordinates.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-03 22:15:14 +00:00
Daira Hopwood
b6e00e0d41
Refine the security argument in the note about partitioning oracle attacks.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2022-01-03 22:15:14 +00:00
Daira Hopwood
82c4e49155
Set Change History entry date.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-12-01 18:09:12 +00:00
Daira Hopwood
d6a33fc056
Add note about resistance of note encryption to partitioning oracle attacks \cite{LGR2021}.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-12-01 18:09:12 +00:00
Daira Hopwood
67a4b35dcd
Add acknowledgement to Sasha Meyer.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-12-01 18:09:12 +00:00
Daira Hopwood
eab1ef1a1a
Add acknowledgement to Mihir Bellare for contributions to the science of zero-knowledge proofs.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-12-01 18:09:12 +00:00
Daira Hopwood
36252cebf6
Add "note commitment scheme" as a term.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-12-01 18:09:12 +00:00
Daira Hopwood
089a9cb8be
Make consistent use of "spending authority", and add this term to the index.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-12-01 18:09:12 +00:00
Daira Hopwood
4da403f470
Add notes in each Appendix B that z_j may be sampled from {0 .. 2^{128}-1} instead of {1 .. 2^{128}-1}.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-12-01 18:09:12 +00:00
Daira Hopwood
b1a707e963
Set Change History entry date.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-09-30 16:56:40 +01:00
Daira Hopwood
bab61e8ecf
Cosmetics.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-09-30 16:56:40 +01:00
Daira Hopwood
97fa264611
* Witness g_d^new and pk_d^new in Orchard as non-identity Pallas points, rather than witnessing
their representations as bit sequences.
* Note that ak^P in Orchard cannot be the identity.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-09-30 16:56:40 +01:00
Daira Hopwood
7bf094e827
* Use complete addition in SinsemillaCommit.
* Correct the proof of Theorem 5.4.6.
* Change the type of cm_old in Orchard to P rather than P*, i.e. allow the identity point.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-09-30 16:56:40 +01:00
Daira Hopwood
06706937d5
Change the type of rt^Orchard from P_x to {0..q_P-1}. This reflects the zcashd implementation;
also checking rt^Orchard \in P_x would require a square root and is unnecessary.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-09-30 16:56:40 +01:00
Daira Hopwood
b8f83aac4b
Correct the consensus rule about the maximum value of outputs in a coinbase transaction:
it should reference the block subsidy rather than the miner subsidy.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-09-30 16:56:40 +01:00
Daira Hopwood
5688e5cbbd
Fix some cross-references.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-09-30 16:56:40 +01:00
Daira Hopwood
c871d448ce
Set Change History entry date.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-09-01 13:26:34 +01:00
Daira Hopwood
21f384dcda
Fix URL links to \cite{BBDP2001} and \cite{BDJR2000}.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-09-01 13:26:34 +01:00
Daira Hopwood
a5c4f139c9
protocol/links_and_dests.py: Some DOI links (i.e. to https://doi.org/ ) redirect to link.springer.com
in a way that requires cookies (booo!). We allow this for DOI links, but for all other links we
simulate a client that never sets cookies.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-09-01 13:19:33 +01:00
Daira Hopwood
0d2b01e602
Cosmetics (capitalization of ZKProof).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-09-01 11:44:16 +01:00
Daira Hopwood
b7f0a0bd0d
Correct a minor error in the proof of \theoremref{thmsinsemillacr}:
the condition SinsemillaHashToPoint(D, M) ≠ ⊥ is required in the proof.
(The case SinsemillaHashToPoint(D, M) = ⊥ is covered by \theoremref{thmsinsemillaex}.)
The proof had not been updated correctly when the statement was revised in v2021.2.0.
Also add a missing D argument to SinsemillaHashToPoint in that proof.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-09-01 11:44:16 +01:00
Daira Hopwood
324c9ae7b9
Add \zcashdref for referencing zcashd versions (also \zebraref which is currently unused).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-09-01 11:44:16 +01:00
Daira Hopwood
7e5272e70b
Add \historyref for referencing Change History versions.
Also fix an incorrect reference to v2019.0-beta-40 that should be v2019.0.0.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-09-01 11:44:16 +01:00
Daira Hopwood
3ebba2652a
Set Change History entry date.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-08-12 21:44:17 +01:00
Daira Hopwood
8f8ef49618
Add Change History entry for fixing [ZIP-239] in the References.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-08-12 21:43:39 +01:00
Daira Hopwood
219a4ef253
Clarify wording in the Change History entry for v2021.2.13.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-08-12 21:38:20 +01:00
Daira Hopwood
8718157af0
Reword the reference to a Sapling full viewing key in \crossref{saplingdummynotes}
(the full viewing key would include ovk, although it is not used in that section).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-08-12 21:37:35 +01:00
Daira Hopwood
045a3a9e54
Cosmetics.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-07-29 17:30:21 +01:00
Daira Hopwood
a6fd0153d2
Add a consensus rule in \crossref{merkletree} that a block MUST NOT add note commitments that
exceed the capacity of each of the Sprout, Sapling, and Orchard note commitment trees.
Also add a cross-reference for constants used in \crossref{merkletree}.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-07-29 17:30:21 +01:00
Daira Hopwood
1aefc848bf
Change the number of partial rounds, R_P, for Poseidon from 58 to 56.
This matches the number calculated by `calc_round_numbers.py` (for 128-bit security "with margin")
in Version 1.1 of the Poseidon reference implementation.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-07-29 15:43:24 +01:00
Daira Hopwood
411f39e231
Change the definition of inputs to the action circuit to split enableSpends and enableOutputs
into two field elements.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-07-20 06:00:31 +01:00
Daira Hopwood
36e2059de0
Set Change History entry date.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-07-13 15:50:46 +01:00
Daira Hopwood
ffd97926a8
Clarify in \crossref{transactions} that the remaining value in a transparent transaction value pool
is only available to miners as a fee in the case of non-coinbase transactions, and that the remaining
value in the transparent transaction value pool of a coinbase transaction is destroyed.
Co-authored-by: Teor <teor@riseup.net>
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-07-13 15:50:46 +01:00
teor
e628134536
Make heightBytes encoding match NU5 coinbase nExpiryHeight
Since nExpiryHeight is limited to `2^32 - 1`, heightBytes is limited to 5 bytes.
Co-authored-by: Teor <teor@riseup.net>
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-07-13 15:50:46 +01:00
Daira Hopwood
819761ef67
Cosmetics.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-07-13 15:50:46 +01:00
Daira Hopwood
8c7b2f2a95
Add cross-references for CanopyActivationHeight, ZIP212GracePeriod, and BlockHeight.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-07-13 15:50:46 +01:00
Daira Hopwood
0ad0d3d57a
Clarify that decomposition of scalars for scalar multiplication in the action circuit MUST be canonical,
unless a non-canonical decomposition can be proven to result in an equivalent statement -- and clarify
for which multiplications the latter case applies.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-07-13 15:50:46 +01:00
Daira Hopwood
f97ef3ae72
Remove a spurious reference to rseed in \crossref{sproutinband}. There were no changes for Sprout in ZIP 212.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-07-13 15:50:46 +01:00
Daira Hopwood
fb83397ad7
Set the Change History entry date.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-07-01 19:54:54 +01:00
Daira Hopwood
2814e00a1a
Cosmetics and cross-referencing improvements.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-07-01 19:54:54 +01:00
Daira Hopwood
4821afe9ba
Add a clarification in \crossref{txnconsensus} that after Heartwood and before Canopy activation,
Sapling outputs of a coinbase transaction MUST have note plaintext lead byte equal to 0x01.
This was implied by the existing rule that such outputs MUST decrypt successfully with an
all-zero outgoing viewing key.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-07-01 19:54:54 +01:00
Daira Hopwood
172573e686
Correct an erroneous statement in \crossref{transactions} that claimed transaction IDs are not part
of the consensus protocol.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-07-01 19:54:54 +01:00
Daira Hopwood
55052e4e54
Add a consensus rule for version 5 or later transactions, that if `nActionsOrchard` > 0 then
at least one of `enableSpendsOrchard` and `enableOutputsOrchard` MUST be 1.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-07-01 19:54:54 +01:00
Daira Hopwood
3f9ede243b
Replace "must" with "MUST" in two consensus rules specified in \crossref{txnencoding}.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-07-01 19:54:54 +01:00
Daira Hopwood
7102635fc6
Correct l to l⋆ in two places in \crossref{saplingmerklecrh}.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-07-01 19:54:54 +01:00