transaction in a block. This wording was copied from the Bitcoin Developer Reference
(https://developer.bitcoin.org/reference/transactions.html#coinbase-input-the-input-of-the-first-transaction-in-a-block),
but it does not match the implementation in zcashd that was inherited from Bitcoin Core.
Instead, a coinbase transaction should be, and now is, defined as a transaction with a
single null prevout. The specifications of consensus rules have been clarified and adjusted
(without any actual consensus change) to take this into account, as follows:
* a block MUST have at least one transaction;
* the first transaction in a block MUST be a coinbase transaction, and subsequent
transactions MUST NOT be coinbase transactions;
* a transparent input in a non-coinbase transaction MUST NOT have a null prevout;
* every non-null prevout MUST point to a unique UTXO in either a preceding block, or a
*previous* transaction in the same block (this rule was previously not given explicitly
because it was assumed to be inherited from Bitcoin);
* the rule that "A coinbase transaction MUST NOT have any transparent inputs with non-null
prevout fields" is removed as an explicit consensus rule because it is implied by the
corrected definition of coinbase transaction.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
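
The block-level rules listed in the commit message above can be sketched as a small checker. This is an added example, not part of the commit, the specification or zcashd. The `Tx`/`OutPoint` model and the `check_block` name are hypothetical, the null prevout encoding (all-zero hash, index 2^32 - 1) is the Bitcoin-derived one, and coinbase maturity, scripts and shielded components are not modelled.

```python
from dataclasses import dataclass

NULL_HASH = bytes(32)      # Bitcoin-derived null prevout: all-zero txid ...
NULL_INDEX = 0xFFFFFFFF    # ... combined with output index 2^32 - 1

@dataclass(frozen=True)
class OutPoint:
    txid: bytes
    index: int
    def is_null(self):
        return self.txid == NULL_HASH and self.index == NULL_INDEX

@dataclass
class Tx:                  # hypothetical minimal model: transparent parts only
    txid: bytes
    inputs: list           # list of OutPoint
    n_outputs: int

def is_coinbase(tx):
    # Corrected definition: exactly one transparent input, and it is null.
    return len(tx.inputs) == 1 and tx.inputs[0].is_null()

def check_block(txs, utxos):
    """Return None if the block satisfies the listed rules, else a reason.
    `utxos` is the set of OutPoints unspent after all preceding blocks."""
    if not txs:
        return "block has no transactions"
    if not is_coinbase(txs[0]):
        return "first transaction is not coinbase"
    available = set(utxos)
    for pos, tx in enumerate(txs):
        if pos > 0:
            if is_coinbase(tx):
                return f"tx {pos} is a second coinbase"
            for op in tx.inputs:
                if op.is_null():
                    return f"tx {pos} has a null prevout"
                if op not in available:
                    return f"tx {pos} spends a missing or already-spent output"
                available.remove(op)   # each UTXO may be consumed only once
        # Outputs become spendable only by *later* transactions in the block.
        available.update(OutPoint(tx.txid, i) for i in range(tx.n_outputs))
    return None
```
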
but the type of incoming viewing keys should not include 0 because KA^Orchard.Private does not.
This is now handled by explicitly rejecting 0 as output from Commit^ivk when generating ivk
in \crossref{orchardkeycomponents}.
An encoding of ivk as 0 is also rejected in \crossref{orchardinviewingkeyencoding} when parsing
an incoming viewing key.
The action circuit needed no changes because pk_d already could not be the zero point, and
therefore the 'Diversified address integrity' condition fails when ivk = 0.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>

for checkpointing, and allow nodes to impose a limitation on rollback depth. Also in
\crossref{bctv}, note that this checkpointing requirement mitigates the risks of not
performing BCTV14 zk proof verification.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>

avoiding type errors and reflecting the implementation in zcashd. This eliminates all uses of P_x
(except that ak in an Orchard full viewing key is still required to be a valid Pallas affine
x-coordinate). Also clarify the coordinate system whenever we refer to coordinates.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>

* Correct the proof of Theorem 5.4.6.
* Change the type of cm_old in Orchard to P rather than P*, i.e. allow the identity point.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>

in a way that requires cookies (booo!). We allow this for DOI links, but for all other links we
simulate a client that never sets cookies.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>

the condition SinsemillaHashToPoint(D, M) ≠ ⊥ is required in the proof.
(The case SinsemillaHashToPoint(D, M) = ⊥ is covered by \theoremref{thmsinsemillaex}.)
The proof had not been updated correctly when the statement was revised in v2021.2.0.
Also add a missing D argument to SinsemillaHashToPoint in that proof.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>

exceed the capacity of each of the Sprout, Sapling, and Orchard note commitment trees.
Also add a cross-reference for constants used in \crossref{merkletree}.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>

This matches the number calculated by `calc_round_numbers.py` (for 128-bit security "with margin")
in Version 1.1 of the Poseidon reference implementation.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>

is only available to miners as a fee in the case of non-coinbase transactions, and that the remaining
value in the transparent transaction value pool of a coinbase transaction is destroyed.
Co-authored-by: Teor <teor@riseup.net>
Signed-off-by: Daira Hopwood <daira@jacaranda.org>