|
|
@ -3636,9 +3636,13 @@ distinct openings of the \noteCommitment when Condition I or II is violated. |
|
|
|
\Zcash \joinSplitStatement. $\cm$ can be computed from the other fields. |
|
|
|
\item The length of proof encodings given in the paper is 288 bytes. |
|
|
|
This differs from the 296 bytes specified in \crossref{proofencoding}, |
|
|
|
because the paper did not take into account the need to encode compressed |
|
|
|
$y$-coordinates. The fork of \libsnark used by \Zcash uses a different |
|
|
|
format to upstream \libsnark, in order to follow \cite{IEEE2004}. |
|
|
|
because both the $x$-coordinate and compressed $y$-coordinate of each |
|
|
|
point need to be represented. Although it is possible to encode a proof |
|
|
|
in 288 bytes by making use of the fact that elements of $\GF{q}$ can |
|
|
|
be represented in 254 bits, we prefer to use the standard formats for points |
|
|
|
defined in \cite{IEEE2004}. The fork of \libsnark used by \Zcash uses |
|
|
|
this standard encoding rather than the less efficient (uncompressed) one |
|
|
|
used by upstream \libsnark. |
|
|
|
\item The range of monetary values differs. In \Zcash, this range is |
|
|
|
$\range{0}{\MAXMONEY}$; in \Zerocash it is $\range{0}{2^{64}-1}$. |
|
|
|
(The \joinSplitStatement still only directly enforces that the sum |
|
|
@ -3675,6 +3679,12 @@ The errors in the proof of Ledger Indistinguishability mentioned in |
|
|
|
|
|
|
|
\nsection{Change history} |
|
|
|
|
|
|
|
\subparagraph{2016.0-beta-1.10} |
|
|
|
|
|
|
|
\begin{itemize} |
|
|
|
\item Clarify the discussion of proof size in ``Differences from the \Zerocash paper''. |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
\subparagraph{2016.0-beta-1.9} |
|
|
|
|
|
|
|
\begin{itemize} |
|
|
|