|
|
@ -512,6 +512,8 @@ |
|
|
|
\newcommand{\ZKVerify}[1]{\mathsf{ZK.}\mathtt{Verify}_{#1}} |
|
|
|
\newcommand{\JoinSplit}{\text{\footnotesize\texttt{JoinSplit}}} |
|
|
|
\newcommand{\ZKJoinSplit}{\mathsf{ZK}_{\JoinSplit}} |
|
|
|
\newcommand{\ZKJoinSplitVerify}{\ZKJoinSplit\mathsf{.Verify}} |
|
|
|
\newcommand{\ZKJoinSplitProve}{\ZKJoinSplit\mathsf{.Prove}} |
|
|
|
\newcommand{\Proof}{\pi} |
|
|
|
\newcommand{\JoinSplitProof}{\Proof_{\JoinSplit}} |
|
|
|
\newcommand{\zkproof}{\mathtt{zkproof}} |
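Review bot: the two new macros `\ZKJoinSplitVerify` and `\ZKJoinSplitProve` set the operation names as `\mathsf{.Verify}` and `\mathsf{.Prove}`, whereas the existing `\ZKVerify` macro a few lines above renders the same operation as `\mathsf{ZK.}\mathtt{Verify}` (sans-serif prefix, typewriter operation name). Where the generic and the JoinSplit-specialised forms appear in the same section they will typeset in different fonts. Suggest mirroring the existing pattern, e.g. `\ZKJoinSplit\mathsf{.}\mathtt{Verify}` and `\ZKJoinSplit\mathsf{.}\mathtt{Prove}`, so that any later change to how `\ZKVerify` is set carries over consistently.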
|
|
@ -1227,7 +1229,9 @@ no information that helps to find a proof for other $(x, w)$.) |
|
|
|
|
|
|
|
The \provingSystem is instantiated in \crossref{proofs}. |
|
|
|
$\ZKJoinSplit$ refers to this \provingSystem specialized to the \joinSplitStatement |
|
|
|
given in \crossref{jsstatement}. |
|
|
|
given in \crossref{jsstatement}. In this case we omit the key subscripts on |
|
|
|
$\ZKJoinSplitVerify$ and $\ZKJoinSplitProve$, taking them to be the particular |
|
|
|
\provingKey and \verifyingKey defined by the \joinSplitParameters in \crossref{jsparameters}. |
|
|
|
|
|
|
|
|
|
|
|
\nsubsection{Key Components} \label{keycomponents} |
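Review bot: the replacement sentence says the key subscripts on `$\ZKJoinSplitVerify$ and $\ZKJoinSplitProve$` are taken to be "the particular \provingKey and \verifyingKey", but the keys are listed in the opposite order to the operations, so the text never states explicitly that Verify is keyed by the verifying key and Prove by the proving key. Suggest "taking them to be the \verifyingKey and \provingKey respectively", or swapping the order of the two macros. Also note that `\crossref{jsparameters}` relies on the `\label{jsparameters}` introduced in the fourth hunk of this patch, so the hunks must land together or the reference will dangle.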
|
|
@ -2318,8 +2322,9 @@ Many details of the \provingSystem are beyond the scope of this protocol |
|
|
|
document. For example, the \arithmeticCircuit verifying the \joinSplitStatement, |
|
|
|
or its expression as a \rankOneConstraintSystem, are not specified here. |
|
|
|
In practice it will be necessary to use the specific proving and verification keys |
|
|
|
generated for the \Zcash production \blockchain, and a \provingSystem implementation |
|
|
|
that is interoperable with the \Zcash fork of \libsnark, to ensure compatibility. |
|
|
|
generated for the \Zcash production \blockchain (see \crossref{jsparameters}), |
|
|
|
and a \provingSystem implementation that is interoperable with the \Zcash fork |
|
|
|
of \libsnark, to ensure compatibility. |
|
|
|
} |
|
|
|
|
|
|
|
\nsubsubsection{Encoding of Points} \label{pointencoding} |
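Review bot: the new cross-reference to jsparameters points the reader at a section which, as added later in this same patch, lists only testnet key hashes and states that the production parameters have yet to be generated, while the sentence here still asserts that implementations must use "the specific proving and verification keys generated for the \Zcash production \blockchain". Suggest qualifying the sentence (for example "once they have been generated, see \crossref{jsparameters}") or adding a note in jsparameters that the production hashes will be published there, so the two passages do not contradict each other. Minor: the unchanged context line uses "proving and verification keys" where the rest of the document uses the \provingKey and \verifyingKey macros.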
|
|
@ -2434,6 +2439,20 @@ verifier \MUST check, for the encoding of each element, that: |
|
|
|
\item the encoding represents a point on the relevant curve. |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
\nsubsection{\JoinSplitParameters} \label{jsparameters} |
|
|
|
|
|
|
|
For the testnet in release v0.11.2.z9 and later, the $\FullHashName$ hashes of the |
|
|
|
\provingKey and \verifyingKey for the \joinSplitStatement, encoded in \libsnark |
|
|
|
format, are: |
|
|
|
|
|
|
|
\begin{verbatim} |
|
|
|
226913bbdc48b70834f8e044d194ddb61c8e15329f67cdc6014f4e5ac11a82ab z9-proving.key |
|
|
|
4c151c562fce2cdee55ac0a0f8bd9454eb69e6a0db9a8443b58b770ec29b37f5 z9-verifying.key |
|
|
|
\end{verbatim} |
|
|
|
|
|
|
|
The \Zcash production \blockchain will use parameters obtained by a multi-party |
|
|
|
computation, which has yet to be performed. |
|
|
|
|
|
|
|
|
|
|
|
\nsection{Consensus Changes from \Bitcoin} |
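Review bot: the added section gives the two `$\FullHashName$` hashes but says nothing about what an implementation is expected to do with them; since this section is now cited from the proving-system discussion as the source of the parameters needed for compatibility, suggest adding one sentence stating that an implementation MUST check the key files it loads against these hashes before use (the document already uses \MUST for verifier checks in the itemize block just above). Two smaller points: "in release v0.11.2.z9 and later" is a claim that stops being true the moment a later release regenerates the parameters, so consider naming the release the hashes were taken from without "and later"; and the closing sentence that the multi-party computation "has yet to be performed" reads as a placeholder that should be flagged so it is updated when the production parameters exist.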
|
|
|
|
|
|
|