Daira Hopwood
9f948307cf
Change the type of Orchard Merkle hashes to \mathbb{P}_x, with a corresponding change to the
signature of MerkleCRH^Orchard. Add a note to \crossref{merklepath} clarifying that non-canonical
encodings are allowed as input to MerkleCRH^Orchard.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-05-18 21:07:10 +01:00
Daira Hopwood
67cea8589a
Add a note to \crossref{merklepath} clarifying the encoding of rt^Sapling as a primary input to
the Sapling spend circuit, and that non-canonical encodings are allowed as input to MerkleCRH^Sapling.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-05-18 20:39:42 +01:00
Daira Hopwood
c5589648c1
Cosmetics (vertical spacing for the non-NU5 spec).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-05-18 15:37:06 +01:00
Daira Hopwood
79d1a477db
Add Change History entry for the correction to the size of vActionsOrchard.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-05-18 15:37:06 +01:00
teor
3f3195eb5c
Fix Orchard Action byte size
Since the signature is now separate, the size is 64 bytes smaller.
2021-05-18 15:37:06 +01:00
Daira Hopwood
e9430c3752
Regenerate PDFs.
2021-05-07 16:41:22 +01:00
Daira Hopwood
74c83f6d59
Set history entry date.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-05-07 16:35:22 +01:00
Daira Hopwood
205b2f5861
Cosmetics.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-05-07 16:35:22 +01:00
Daira Hopwood
d0caaa2ee9
Clarify that transparent inputs are prohibited in coinbase transactions only if they have a non-null `prevout` field. closes #498
Co-authored-by: teor <teor@riseup.net>
Co-authored-by: Jack Grigg <jack@electriccoin.co>
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-05-07 16:35:13 +01:00
teor
330254c9ca
Add ZIP-244 block commitments as a consensus rule. closes #499
It's currently just a note, which makes it look like the Heartwood rule might still apply.
Co-authored-by: teor <teor@riseup.net>
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-05-07 16:34:36 +01:00
Daira Hopwood
296b8e6543
Make "Discrete Logarithm Problem" and "Decisional Diffie–Hellman Problem" indexed terms.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-05-07 16:03:16 +01:00
Daira Hopwood
1db1224657
Unlinkability of diversified addresses depends on DDH, not DLP.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-05-07 16:03:16 +01:00
Daira Hopwood
4353accc0e
Add [Canopy onward] and [NU5 onward] to a couple of notes.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-05-07 16:03:16 +01:00
Daira Hopwood
e4af6e42a0
State explicitly that valueBalanceOrchard can only be negative in a coinbase transaction if
it has ZIP 213 shielded outputs.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-05-07 16:03:16 +01:00
Daira Hopwood
639a554a04
Change the statement of Theorem 5.4.3 to exclude ⊥ outputs from SinsemillaHashToPoint.
Previously the proof did not match the statement.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-05-07 16:03:16 +01:00
Daira Hopwood
d7bd67900a
Update the list of ZIPs relevant to NU5 in \crossref{networkupgrades}.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-05-07 16:03:16 +01:00
Daira Hopwood
00c39b73e0
Delegate to ZIP 316 for the specification of unified payment addresses and unified viewing keys.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-05-07 16:03:16 +01:00
Daira Hopwood
38b740aad2
Caveat how the result of \cite{GG2015} applies to analysis of PRF^nfOrchard in \crossref{concreteprfs}.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-05-07 16:03:16 +01:00
Daira Hopwood
4804f6040e
Add a paragraph to \crossref{truncation} covering Orchard.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-05-07 16:03:16 +01:00
Daira Hopwood
748e6f8f37
Typo.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-05-07 16:03:16 +01:00
Daira Hopwood
35c8af6e47
DJB's "High-speed cryptography" book seems completely stalled.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-05-07 16:03:16 +01:00
Daira Hopwood
58add67726
* Specify that diversifier indices for Orchard should be chosen uniquely, not randomly.
* Vanity diversifiers are not an issue for Orchard given that it does not have its own
payment address format, and given the use of "jumbling" (ZIP 316) in unified addresses.
Remove the corresponding note from \crossref{orchardkeycomponents}.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-05-07 16:03:16 +01:00
Daira Hopwood
2cf14204ae
Clarify the definition of pad in \crossref{concretesinsemillahash} by disambiguating M^pieces from M^padded.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-05-07 16:03:16 +01:00
Daira Hopwood
ac16945288
Clarify notation by changing ℓ_rcm to ℓ^Sprout_rcm.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-05-07 16:03:16 +01:00
Daira Hopwood
3034a2a662
Cosmetics.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-05-07 16:03:16 +01:00
Daira Hopwood
adc28d2bb1
Include ρ as an input to the derivation of ψ, esk, and rcm in Orchard.
This was originally intended and as described in Section 3.5 of the Orchard Book.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-05-07 16:03:16 +01:00
Daira Hopwood
76c8a4689a
Regenerate PDFs.
2021-04-23 22:39:41 +01:00
Daira Hopwood
71a19e7484
Clarify that only an outgoing cipher key is strictly needed to decrypt an outgoing ciphertext.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-23 22:31:37 +01:00
Daira Hopwood
27aa7c484a
Remove an unused precomputation in \crossref{concretegrouphashpallasandvesta}.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-23 22:31:37 +01:00
Daira Hopwood
ecba2451bc
Include the diversifier key in an encoded Orchard Incoming Viewing Key.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-23 22:31:37 +01:00
Daira Hopwood
4dbf2f02d4
Cosmetics.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-23 22:31:37 +01:00
Daira Hopwood
710fee607a
Add the nConsensusBranchId field to v5 transactions, matching the consensus branch ID
used for SIGHASH transaction hashes.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-23 22:31:37 +01:00
Daira Hopwood
10710d92a6
Explicitly say that coinbase transactions MUST NOT have transparent inputs
(this is a consensus rule inherited from Bitcoin which has been present since launch).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-23 22:31:37 +01:00
Daira Hopwood
2e6cdb3945
Regenerate PDFs.
2021-04-19 00:36:48 +01:00
teor
0cfeea2ecb
Use a different symbol for each v5 Sapling field cardinality rule.
Currently, the spec uses the double dagger symbol for both:
* present if and only if `nSpendsSapling + nOutputsSapling > 0`;
* present if and only if `nSpendsSapling > 0`.
To avoid confusion, use dagger for the first rule, and double dagger for the second rule.
Co-authored-by: teor <teor@riseup.net>
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-19 00:32:00 +01:00
Daira Hopwood
1c46e9aa5d
Add Change History entries for already committed changes.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-19 00:18:47 +01:00
Daira Hopwood
c4d7331191
Set Change History entry date.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-19 00:12:37 +01:00
Daira Hopwood
65590101a8
When creating Orchard notes, repeat with another rseed if cm is \bot.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-19 00:12:37 +01:00
Daira Hopwood
3d230f8d26
Type corrections for Orchard.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-19 00:12:37 +01:00
Daira Hopwood
15d59f11c4
Add note about non-uniformity of Orchard ivk.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-19 00:12:37 +01:00
Daira Hopwood
119abe37c3
ExtractP(\ZeroP) should be 0, and ExtractP^\bot(\bot) should be \bot.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-19 00:12:37 +01:00
Daira Hopwood
1df0f60deb
Add support for link checking to protocol/links_and_dests.py and protocol/Makefile.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-19 00:12:37 +01:00
Daira Hopwood
65ebb2266d
Fix some URLs in references.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-19 00:12:37 +01:00
teor
572338f01a
Add action descriptions to the Note Commitments section intro
2021-04-13 09:45:33 -04:00
teor
151e8c9661
Typo: Decription -> Description
2021-04-12 11:07:03 +10:00
Daira Hopwood
761485e6c6
Regenerate PDFs.
2021-04-05 23:09:13 +01:00
Daira Hopwood
e23cc72ac6
Work around bug in `release` target of protocol/Makefile.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-05 23:03:52 +01:00
Daira Hopwood
88c338b9e1
Specify that a unified payment address MUST contain at least one shielded payment address.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-05 22:12:29 +01:00
Daira Hopwood
18fbfdefe5
Correct ZKSpend.Verify to ZKOutput.Verify in \crossref{outputdesc}. fixes #481
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-05 22:00:53 +01:00
Daira Hopwood
cc9c41a598
More clarifications to \theoremref{thmsinsemillacr}.
Co-authored-by: Taylor Hornby <taylor@electriccoin.co>
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-05 21:51:59 +01:00
Daira Hopwood
1f041f955a
Add links_and_dests.py.
This can be used to print outgoing links and targets in the PDF, and detect a subset of errors.
It depends on the PyPDF2 library (pip3 install PyPDF2).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-05 21:51:05 +01:00
Daira Hopwood
4f50d5e515
Make sure that Change History entries are URL destinations. fixes #462
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-05 21:51:00 +01:00
Daira Hopwood
46fefcaf56
Update all references to https URLs (and the year of the Unicode Standard to 2020).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-05 21:44:19 +01:00
Daira Hopwood
404248cb92
Regenerate PDFs.
2021-04-01 02:19:32 +01:00
Daira Hopwood
a0d048ed1e
Update Change History entry date.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-01 02:11:35 +01:00
Daira Hopwood
417076e50d
Make a note in \crossref{inbandrationale} of the divergence of ivk from a uniform scalar.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-01 02:11:35 +01:00
Daira Hopwood
1eec1f9832
Remove anchorSapling field when there are no Spends.
This corresponds to e0b08fd576
in ZIP 225.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-01 02:11:35 +01:00
Daira Hopwood
49f3b206f5
Fix type error in kdfinput for KDF^{Sapling,Orchard} (`ephemeralKey` is already a byte sequence).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-01 02:11:35 +01:00
Daira Hopwood
41580ec06d
Cosmetics in Sapling Output statement.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-01 02:11:35 +01:00
Daira Hopwood
c367a22098
Explicitly note that the end of the ZIP 212 grace period precedes NU5 activation.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-01 02:11:35 +01:00
Daira Hopwood
3a312dc5a9
Expand the set of ZIPs associated with NU5 in \crossref{networkupgrades}, and reference the Orchard and halo2 books there.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-01 02:11:35 +01:00
Daira Hopwood
6c3099843d
Add a caveat about reuse of rivk between PRF^expand and Commit^ivk.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-01 02:11:35 +01:00
Daira Hopwood
3826d43930
Correct the set of inputs to PRF^expand used for ZIP 32 and Orchard in \crossref{abstractprfs}.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-01 02:11:35 +01:00
Daira Hopwood
de0bc97bb2
Cosmetics (page breaking).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-01 02:11:35 +01:00
Daira Hopwood
bb985e039a
Section \crossref{concreteorchardkdf} should be in the NU5 colour (slate blue).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-01 02:11:35 +01:00
Deirdre Connolly
ec6c10fc5c
Add a note to the Sending Notes (Orchard) section about using a dummy note for ρ.
Co-authored-by: Deirdre Connolly <deirdre@zfnd.org>
Co-authored-by: Daira Hopwood <daira@jacaranda.org>
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-01 02:11:35 +01:00
Daira Hopwood
6c8f9fb478
Update the Sprout key component diagram in \crossref{addressesandkeys} to remove magenta highlighting. Remove magenta highlighting
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-01 02:11:35 +01:00
Daira Hopwood
e1f105eaa1
Add note about use of big-endian order in the encoding of BLS12-381 points.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-01 02:11:35 +01:00
Daira Hopwood
3a55af9b1f
Cosmetics and indexing.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-01 02:11:35 +01:00
Daira Hopwood
7bfdce2d6a
Write caution about linkage between the abstract and concrete protocols in \crossref{cautionlinkage}.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-01 02:11:35 +01:00
Daira Hopwood
1097313feb
Fix errors in the Sinsemilla proofs:
* SinsemillaHash is defined in terms of SinsemillaHashToPoint, which also takes the D argument.
* correct errors due to 1-based indexing.
* the argument for exceptional cases got the scalars and range of j wrong.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-01 02:11:35 +01:00
Daira Hopwood
cce172ace8
Cosmetics (page breaking).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-01 02:11:35 +01:00
Daira Hopwood
f45b6b5d66
Add Action Statement ref to flags note
This change makes it clearer that the note spend and creation
rules are implemented as part of the proof.
Co-authored-by: teor <teor@riseup.net>
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-04-01 02:11:35 +01:00
teor
ecb2ccd3f4
Copy outCiphertext description to the encoding tables
2021-04-01 02:11:35 +01:00
Daira Hopwood
0f427feb5b
Regenerate PDFs.
2021-03-26 19:45:47 +00:00
Daira Hopwood
f66887cdee
Fix an off-by-one error.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 19:40:57 +00:00
Daira Hopwood
3898e2f571
Regenerate PDFs.
2021-03-26 19:38:49 +00:00
Daira Hopwood
b4aac633f4
Cosmetics.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 19:31:45 +00:00
Daira Hopwood
2f246ce24d
Other fixes to the Orchard specification, including generation of dummy notes and output notes.
fixes #465
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 19:17:33 +00:00
Daira Hopwood
aa86282e16
Change the specifications of note decryption to return the note and memo, rather than a note plaintext.
Generalize the specification of block chain scanning to support Orchard.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 18:23:58 +00:00
Daira Hopwood
c50bdbd9ce
Delete a confusing part of the definition of concatbits that we don't rely on.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 18:23:58 +00:00
Daira Hopwood
b27213dfd3
Move the definition of ⊥ to before its first use.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 18:23:58 +00:00
Daira Hopwood
cd1b4de8f9
Update the hashFinalSaplingRoot/hashLightClientRoot/hashBlockCommitments field for NU5.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 18:23:58 +00:00
Daira Hopwood
74dfa80194
Fix errors in Orchard due to cut-and-paste from Sapling.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 18:23:58 +00:00
Daira Hopwood
4d3204b8e1
Describe the recommended way to encode a Sapling or unified payment address as a QR code.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 18:23:58 +00:00
Daira Hopwood
bbc6131f29
Update specification of Poseidon.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 18:23:58 +00:00
Daira Hopwood
212fdc8752
Add references for the halo2 book.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 18:23:57 +00:00
Daira Hopwood
5e55821889
NCC audit: Make the description of when fields are included in v5 transactions consistent
between the protocol specification and ZIP 225. Also regenerate the HTML for ZIP 225.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 18:23:57 +00:00
Daira Hopwood
55af963e53
NCC audit: Add a definition for the section symbol in \crossref{introduction}, before its first use.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 18:23:57 +00:00
Daira Hopwood
5fef9270e2
NCC audit: Correct the sizes of SpendDescriptionV5 and OutputDescriptionV5 in the version transaction format.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 18:23:57 +00:00
Daira Hopwood
bfc6a8e33c
NCC audit: Document the limitation on the domain separation string for the group hash into Pallas/Vesta.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 18:23:57 +00:00
Daira Hopwood
a68c7d24d0
NCC audit: Document that the choice of nonsquare for λ_G in \crossref{concretegrouphashpallasandvesta} makes no difference
to the output of map_to_curve_simple_swu.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 18:23:57 +00:00
Daira Hopwood
fa2b1c6ce9
Correct the output type of sqrt_ratio.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 18:23:57 +00:00
Daira Hopwood
ab0e248036
NCC audit: Document that the use of k = 256 in hash_to_field is intentional,
despite the Pallas curve only having 126-bit conjectured security against generic attacks.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 18:23:57 +00:00
Daira Hopwood
9d62142142
NCC audit: Fix a discrepancy between \crossref{concretegrouphashpallasandvesta} and \cite{ID-hashtocurve}.
The zero padding in expand_message_xmd should be 128 bytes (matching the input block size of
BLAKE2b), rather than 64 bytes.
See also https://github.com/zcash/pasta/pull/2 and https://github.com/zcash/pasta_curves/issues/7
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 18:23:57 +00:00
Daira Hopwood
5d15a3d91e
NCC audit: Fix type confusion between integers and field elements (including additional cases
not found in the audit, involving nullifiers and cm_x).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 18:23:57 +00:00
Daira Hopwood
7ccbf44c30
NCC audit: Define \mathbb{G} in \crossref{concretegrouphashpallasandvesta}.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 18:23:57 +00:00
Daira Hopwood
4d983aa855
NCC audit: Make the naming of enableSpends and enableOutputs consistent.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 18:23:57 +00:00
Daira Hopwood
e5336bb536
Various rationale updates for NU5.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 18:23:57 +00:00
Daira Hopwood
8f1ff76417
Add proof of collision resistance for Sinsemilla.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 18:23:57 +00:00
Daira Hopwood
591c7e45cc
NCC audit: Restrict the definition of a short Weierstrass elliptic curve
to base fields of characteristic greater than 3.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 18:23:57 +00:00
Daira Hopwood
2e50a09e97
NCC audit: Correct the definition of PRFnf^Orchard by changing Poseidon to PoseidonHash.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 18:23:57 +00:00
Daira Hopwood
b7d61884e1
NCC audit: Propagate \bot from the inputs of MerkleCRH^Orchard to its output, and add an explicit
consensus rule that rt^Orchard computed from appending a note commitment is not \bot.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 18:23:57 +00:00
Daira Hopwood
c11c329beb
NCC audit: Propagate \bot intermediate results to the output of Sinsemilla primitives.
Change the output types of NoteCommitAlg^Orchard and CommitIvkAlg to reflect that these can
return \bot, and change the action statement to be satisfied if they do.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 18:23:57 +00:00
Daira Hopwood
20478ae40d
Credit Eirik Ogilvie-Wigley as a designer of the Zcash protocol. Add Andre Serrano, Brad Miller,
Charlie O'Keefe, David Campbell, Elena Giralt, Francisco Gindre, Joseph Van~Geffen, Josh Swihart,
Kevin Gorham, Larry Ruane, Marshall Gaucher, and Ryan Taylor to the acknowledgements.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 18:23:57 +00:00
Daira Hopwood
b14c332910
NCC audit: Correct the definition of c in \crossref{concretesinsemillahash}.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 18:23:51 +00:00
Daira Hopwood
54a0894acf
NCC audit: fix 'reasonable' typo.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 18:22:50 +00:00
Daira Hopwood
02db965036
Cosmetics and trivial changes.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-26 18:22:50 +00:00
Daira Hopwood
44c45004df
Cosmetics and trivial changes.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-23 20:01:13 +00:00
Daira Hopwood
218196f8dd
Output ciphertext -> outgoing ciphertext.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-23 19:27:47 +00:00
Daira Hopwood
e1bdfce3bc
Remove specification of memo contents, which will be in ZIP 302.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-23 19:21:56 +00:00
Deirdre Connolly
75a8a944d4
s/enableSpendsOrchard/enableOutputsOrchard/ re: no new notes
2021-03-19 15:14:26 +00:00
Daira Hopwood
a859014b98
Correct the description of `length` in \crossref{unifiedpaymentaddrencoding}.
(It is the length of `addr`, not the length of the raw encoding; they differ for t-addrs.)
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-19 15:14:25 +00:00
Daira Hopwood
781ec6896d
Correct the type signature of DiversifyHash^Orchard in \crossref{abstracthashes}.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-19 15:14:25 +00:00
Daira Hopwood
3e160d6ecb
2^16 -> 2^{16}. fixes #461
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-19 15:14:25 +00:00
Daira Hopwood
9af5978852
Remove magenta highlighting of differences from Zerocash.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-19 15:14:25 +00:00
Daira Hopwood
78e3d68539
Remove support for generating the Sprout-only specification (sprout.pdf).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-19 14:00:19 +00:00
Daira Hopwood
ebe3800b2b
Regenerate PDFs.
2021-03-17 20:00:51 +00:00
Daira Hopwood
f0fa13761e
Regenerate PDFs.
2021-03-17 19:55:50 +00:00
Daira Hopwood
3b558b2146
Set date in Change History entry for v2021.1.19.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-17 19:55:49 +00:00
Daira Hopwood
c5c34cf93c
Cosmetics (spacing).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-17 19:55:49 +00:00
Daira Hopwood
0b8a4b3d90
Correct the range of input to ValueCommit^Orchard in the action statement, and the corresponding security argument in \crossref{orchardbalance}.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-17 19:55:48 +00:00
Daira Hopwood
e31f33c678
Fix a type error in the non-normative note at the end of \crossref{concretesinsemillacommit}.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-17 19:55:48 +00:00
Daira Hopwood
867d0cc712
Make DiversifyHash^Orchard total, by replacing an output of the zero point with another base.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-17 19:55:48 +00:00
Daira Hopwood
c9b918a654
Fix a typo: 2^16 -> 2^{16}.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-17 19:55:48 +00:00
Daira Hopwood
17518632e1
Update the consensus rules that prevent trivial transactions (with no inputs or outputs)
to take into account action transfers in the v5 transaction format.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-17 19:55:48 +00:00
Daira Hopwood
cec8b904c5
Regenerate PDFs.
2021-03-17 02:11:38 +00:00
Daira Hopwood
36074af67b
Version 2021.1.18:
* Define unified payment addresses in place of the Bech32 form of Orchard addresses.
* Remove Sprout-specific fields from the v5 transaction format.
* The rho value for an Orchard output note was incorrectly described as being derived from
rseed, instead of being set to the nullifier from the same action description as intended
(fixes #459).
* The psi value is now derived using the PRF^expand input [9], instead of [10] (refs #459).
* Correct a note about the range of the Merkle hash inputs in \crossref{actionstatement}.
* Correct the validity condition for ak in \crossref{orchardfullviewingkeyencoding}.
* Add a definition for K^Orchard in \crossref{commitmentsandnullifiers} (fixes #460).
* Correct the number of full and partial rounds for Poseidon.
* Add a note explaining the origin of the 2^{65} constant in the definition of PoseidonHash.
2021-03-17 02:06:38 +00:00
Daira Hopwood
27a39088d6
Regenerate PDFs.
2021-03-15 16:27:53 +00:00
Daira Hopwood
ad032d456a
More WIP:
* fix the use of inputs to PRF^expand in Orchard note encryption;
* rename "hash extractor" to "coordinate extractor";
* miscellaneous minor fixes;
* set date of Change History entry.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-15 16:18:54 +00:00
Daira Hopwood
37d8221c4d
Mainly fixes to the Action statement.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-15 16:18:54 +00:00
Daira Hopwood
d79de34b4a
Update key components diagram.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-15 16:18:54 +00:00
Daira Hopwood
7cc31111bb
Yet more WIP. Nullifier derivation for Orchard is correct now.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-15 16:18:54 +00:00
Daira Hopwood
f6fb3c80d7
More WIP.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-15 16:18:54 +00:00
Daira Hopwood
6ac5901a42
More WIP, and rename orchard.pdf to nu5.pdf.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-15 16:18:54 +00:00
Daira Hopwood
dae8852187
More Orchard WIP.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-15 16:18:54 +00:00
Daira Hopwood
e62d57959e
More WIP.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-15 16:18:54 +00:00
Daira Hopwood
6453611314
* More Orchard WIP;
* The definition of a represented group abstraction function incorrectly required canonicity;
* Note about non-canonical encodings in the Jubjub gave incorrect values for encodings of the point of order 2;
* Change the spec of decryption with ovk to match zcashd (by adding \bot and subgroup checks);
* Add a note saying that a node impl that checkpoints on Sapling can omit verifying BCTV14 proofs.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-15 16:18:54 +00:00
Daira Hopwood
68cb4c6d5f
Font hack to make sure that italic bold is not too wide.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-15 16:18:54 +00:00
Daira Hopwood
a81cfdb693
More WIP!
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-15 16:18:54 +00:00
Daira Hopwood
ad9c631ee0
More WIP for Orchard, including hashing to Pallas and Vesta.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-15 16:18:54 +00:00
Daira Hopwood
6215dce577
More WIP
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-15 16:18:54 +00:00
Daira Hopwood
0b6faf673d
Update spec for Orchard up to and including section 3 (Concepts).
This includes the key derivation diagram in section 3.1.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-15 16:18:54 +00:00
Daira Hopwood
300df42bf3
More WIP for Orchard
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-15 16:18:54 +00:00
Daira Hopwood
c2c4160151
WIP: Orchard
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-15 16:18:54 +00:00
Daira Hopwood
7e21ab57ac
Push draft of NU5 spec.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-03-04 03:27:02 +00:00
Alessandro Coglio
08fcc0c1f0
Add a paragraph break
It seems that this should get its own paragraph, for symmetry with nearby paragraphs.
2021-01-15 18:09:09 -08:00
Daira Hopwood
4f1ce394fe
Regenerate PDFs.
2021-01-11 00:15:27 +00:00
Daira Hopwood
894c979a3d
protocol/Makefile: add new .pdf files if needed.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-01-11 00:10:37 +00:00
Daira Hopwood
adced97391
Update Change History version and date.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-01-11 00:08:20 +00:00
Daira Hopwood
6dc375e9ec
Add (experimental, unused) support for linking consensus rules with the corresponding code.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-01-10 23:56:30 +00:00
Daira Hopwood
9bc9823a23
Add macros and Makefile support for building the Orchard draft specification.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-01-10 23:56:30 +00:00
Daira Hopwood
3751c9973d
QED-it changed the spelling of their company name to QEDIT.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-01-10 23:46:24 +00:00
Daira Hopwood
a5b78961f4
Clarify the encoding of block heights for the "height in coinbase" rule.
The description of this rule has also moved from 'Block Header Encoding and Consensus' to
'Transaction Encoding and Consensus'.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-01-10 23:45:53 +00:00
Daira Hopwood
0bd8580d1a
Include the activation dates of Heartwood and Canopy in 'Network Upgrades'.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-01-10 23:40:03 +00:00
Daira Hopwood
1ddc19ffaa
Section links in the Heartwood and Canopy versions of the specification now go to the correct document URL.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-01-10 23:37:16 +00:00
Daira Hopwood
34de56533f
Protocol spec: use cmap package to attempt to improve search/copy-paste on some PDF readers.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-01-10 23:32:54 +00:00
Daira Hopwood
c136527758
Regenerate PDFs.
2020-11-06 01:09:37 +00:00
Daira Hopwood
3274aa10de
Avoid undefined references when building sprout.pdf.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-06 01:00:58 +00:00
Daira Hopwood
9a8f72c5e3
Add release date.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-06 01:00:58 +00:00
Daira Hopwood
7999296d7d
Minor corrections.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-06 01:00:58 +00:00
Daira Hopwood
6e3c173538
Update a comment about BIPs (which is not in the rendered document).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-06 01:00:58 +00:00
Daira Hopwood
c278c2f93a
Reserve transaction version 0x7FFFFFFF and version group ID 0xFFFFFFFF for experimental use.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-06 01:00:58 +00:00
Daira Hopwood
9257be1d1f
Add a consensus rule that the (zero-valued) coinbase transaction output of the genesis block cannot be spent.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-06 01:00:58 +00:00
Daira Hopwood
917dbf5c46
Add a missing consensus rule that has always been implemented in zcashd: there must be at
least one transparent output, Sapling output, or JoinSplit in a transaction.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-06 01:00:58 +00:00
Daira Hopwood
94ec65564c
Define Sprout/Sapling chain value pool balances, and include consensus rules from ZIP 209.
This includes updates to ZIPs 209 and 211 for consistency of terminology (also addressing
a nit from the NCC Canopy report).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-06 01:00:58 +00:00
Daira Hopwood
71cee89a18
Corrections to note decryption algorithms:
* ephemeralKey is kept as a byte sequence rather than immediately converted to a curve point;
this matters because of non-canonical encoding.
* The representation of pk_d in a note plaintext may also be non-canonical and need not be in the
prime subgroup.
* Move checking of cm_u in decryption with ivk to the end of the algorithm, to more closely match
the implementation.
* The note about decryption of outputs in mempool transactions should have been normative.
Also change ZIP 212 to say that it is aligned with this version of the protocol spec.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-06 01:00:58 +00:00
Daira Hopwood
775b5f3b5d
Use "let mutable" to introduce mutable variables in algorithms.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-06 01:00:58 +00:00
Daira Hopwood
9c9ad74fad
Acknowledge Alexandra Elbakyan for her work on Sci-Hub.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-06 01:00:58 +00:00
Daira Hopwood
0ed38ec775
Acknowledge Izaak Meckler, Zac Williamson, and Vitalik Buterin for discussions of the protocol.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-06 01:00:58 +00:00
Daira Hopwood
a5db85828c
Acknowledge Jack Gavigan as a co-designer of Sapling and of the Zcash protocol.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-06 01:00:58 +00:00
Daira Hopwood
924fd97422
Remove a statement that the language consisting of key and address encoding possibilities is prefix-free (the raw encodings are not).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-06 01:00:58 +00:00
Daira Hopwood
85b8f1647b
Include a reference to [BFIJSV2010] for batch pairing verification techniques.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-11-06 01:00:58 +00:00
Daira Hopwood
36b35dbf4a
Regenerate PDFs.
2020-08-30 21:12:40 +01:00
Daira Hopwood
906838f3b6
Minor fixes to Change History.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-08-30 21:07:46 +01:00
Daira Hopwood
4d00112f5d
Explicitly state the consensus rule that a coinbase transaction must not spend more than is available from the block subsidy and transaction fees.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-08-30 21:07:34 +01:00
Daira Hopwood
c7180872a3
Specify where PRF^expand is used and with what inputs.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-08-30 21:06:29 +01:00
Daira Hopwood
ea59cda07f
Fix a type error in the output of PRF^nfSapling; a Sapling nullifier is a sequence of 32 bytes, not a bit sequence.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-08-30 21:01:51 +01:00
Daira Hopwood
b3da7a14ee
Remove a silly comment from the LaTeX source.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-08-30 21:01:51 +01:00
Daira Hopwood
87a0670225
protocol/Makefile: ensure that we don't release from a branch other than master or a dirty working tree.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-08-30 21:01:50 +01:00
Daira Hopwood
639226dd50
Regenerate PDFs.
2020-08-19 22:03:26 +01:00
Daira Hopwood
b2a7e1deb0
Fix a type error in the output of PRF^nfSapling.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-08-17 21:33:05 +01:00
Daira Hopwood
850e7ea019
Correct an off-by-one in an expression used in the definition of c for windowed Pedersen commitments (this does not change the value of c).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-08-17 21:32:15 +01:00
Daira Hopwood
b83f2b9542
Regenerate PDFs.
2020-08-11 14:44:38 +01:00
Daira Hopwood
e1cac0c48a
Make the Canopy specification the default.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-08-11 13:56:46 +01:00
Daira Hopwood
19ba684f2c
Minor wording improvement.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-08-11 13:56:19 +01:00
Daira Hopwood
55c51715b5
Cosmetics.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-08-11 13:56:08 +01:00
Daira Hopwood
7032c07fb8
Make Halving(height) return 0 (rather than -1) for height < SlowStartShift.
...
This has no effect on consensus since the Halving function is not used in that case,
but it makes the definition match the intuitive meaning of the function.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-08-11 13:55:38 +01:00
Daira Hopwood
d117273977
Refine the domain of HeightForHalving from N to N^+.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-08-11 13:54:06 +01:00
Daira Hopwood
9dbac78f29
Rename some section titles under 'Consensus Changes from Bitcoin' to use 'Encoding and Consensus'.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-08-11 13:52:58 +01:00
Daira Hopwood
6fbe17da59
Updates to reflect ZIP 211: add a consensus rule on v^pub_old, and a rule about node and wallet support for sending to Sprout addresses.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-08-11 13:49:36 +01:00
Daira Hopwood
1d71f6cb31
Rename the type of Sapling transmission keys from KA^Sapling.PublicPrimeOrder to KA^Sapling.PublicPrimeSubgroup.
...
This type is defined as J^(r), which reflects the implementation in zcashd (subject to the point below);
it was never enforced that a transmission key (pk_d) cannot be the zero point.
Add a non-normative note saying that zcashd does not fully conform to the requirement to treat
transmission keys not in KA^Sapling.PublicPrimeSubgroup as invalid when importing payment addresses.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-08-11 13:43:00 +01:00
Daira Hopwood
e1037ff046
Wording improvements.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-08-11 01:57:49 +01:00
Daira Hopwood
d11304c7d1
Add indexing for "halving".
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-08-11 01:54:48 +01:00
Daira Hopwood
a651ad7fe7
Modify funding stream tables and notes to reflect changes in ZIP 214.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-08-11 01:52:06 +01:00
Daira Hopwood
fd2416d9ea
Set CanopyActivationHeight for Testnet.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-08-11 01:48:59 +01:00
Daira Hopwood
fb64b2e430
Regenerate PDFs.
2020-08-03 12:19:11 +01:00
Daira Hopwood
17def33bf8
Use abstBytes_{Ed25519} and reprBytes_{Ed25519} for conversions in Ed25519 batch signature validation, and fix a missing requirement that S_j < \ell for all signatures.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-08-03 12:14:34 +01:00
Daira Hopwood
ff3c7c2bce
Move the footnote about (x, y) notation for Ed25519 to where this notation is first used.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-08-03 12:11:08 +01:00
Daira Hopwood
13b6f0e120
Delete a potentially misleading Sprout-specific comment.
...
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2020-08-03 12:10:20 +01:00