\crossref{concretehomomorphiccommit} saying that an implementation of
HomomorphicPedersenCommit^Sapling MAY resample the commitment trapdoor
until the resulting commitment is not the zero point, in order to avoid
it being rejected as the cv field of a Spend description or Output
description.
Signed-off-by: Daira Emma Hopwood <daira@jacaranda.org>
is not of small order is technically redundant with a check in the Spend
circuit ...". The small-order check excludes the zero point, which the
Spend authority check that this claim was intending to reference does not.
Signed-off-by: Daira Emma Hopwood <daira@jacaranda.org>
values and Nullifiers" to more accurately reflect its contents.
* Split some of the content of the section "Notes" into subsections
"Note Commitments" and "Nullifiers". Make the descriptions of how
note commitments and nullifiers are used more precise and explicit,
and add forward references where helpful.
* Remove redundancy in the definition of note plaintexts between
\crossref{noteptconcept} and \crossref{noteptencoding}.
Signed-off-by: Daira Emma Hopwood <daira@jacaranda.org>
of the input in case of Orchard), were accidentally swapped in the
protocol specification relative to ZIP 212. The implementation in zcashd
correctly followed ZIP 212, using [4] to derive rcm and [5] to derive esk.
[Note added 2023-12-07: This commit, which is between spec versions
2022.3.8 and 2023.4.0, does not accurately reflect what was deployed.
In fact the domain separators for Sapling were implemented according to
ZIP 212, but the ones for Orchard were implemented according to the spec,
i.e. swapped relative to Sapling. This has been documented in spec
version 2023.4.0.]
Signed-off-by: Daira Emma Hopwood <daira@jacaranda.org>
was incorrectly given as $\mathbb{J}^{(r)*}$, rather than the correct
$\mathbb{J}^{(r)*} \cup \{\bot\}$.
Signed-off-by: Daira Emma Hopwood <daira@jacaranda.org>
\crossref{inbandrationale}, we now use the fact that g_d has order greater
than the maximum value of ivk, rather than assuming that g_d is a non-zero
point in the prime-order subgroup. (In the case of Sapling, the circuits
only enforce that g_d is not a small-order point, not that it is in the
prime-order subgroup. It is true that honestly generated addresses have
prime-order g_d which would have been sufficient for the security argument
against this class of attacks, but the chosen fix is more direct.)
Signed-off-by: Daira Emma Hopwood <daira@jacaranda.org>
with a Bech32 encoding for a Sapling payment address and with a Bech32m
encoding for a unified payment address.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
that is not applicable to Orchard (since cv for an Action Description
depends on both the spent and output notes).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
checkpoints on the Canopy activation block MAY validate Ed25519 signatures using
the post-Canopy rules for the whole chain.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira-Emma Hopwood
Andrew Arnott
teor