|
|
|
@ -160,10 +160,25 @@ |
|
|
|
\newcommand{\JoinSplitTransfer}{\titleterm{JoinSplit Operation}} |
|
|
|
\newcommand{\JoinSplitTransfers}{\titleterm{JoinSplit Operations}} |
|
|
|
\newcommand{\joinSplitSignature}{\term{JoinSplit signature}} |
|
|
|
\newcommand{\joinSplitCircuit}{\term{JoinSplit circuit}} |
|
|
|
\newcommand{\JoinSplitCircuit}{\titleterm{JoinSplit Circuit}} |
|
|
|
\newcommand{\joinSplitStatement}{\term{JoinSplit statement}} |
|
|
|
\newcommand{\joinSplitStatements}{\term{JoinSplit statements}} |
|
|
|
\newcommand{\JoinSplitStatement}{\titleterm{JoinSplit Statement}} |
|
|
|
\newcommand{\statement}{\term{statement}} |
|
|
|
\newcommand{\zeroKnowledgeProof}{\term{zero-knowledge proof}} |
|
|
|
\newcommand{\ZeroKnowledgeProofs}{\titleterm{Zero-Knowledge Proofs}} |
|
|
|
\newcommand{\provingSystem}{\term{proving system}} |
|
|
|
\newcommand{\zeroKnowledgeProvingSystem}{\term{zero-knowledge proving system}} |
|
|
|
\newcommand{\ZeroKnowledgeProvingSystem}{\titleterm{Zero-Knowledge Proving System}} |
|
|
|
\newcommand{\ppzkSNARK}{\term{preprocessing zk-SNARK}} |
|
|
|
\newcommand{\zkProvingKeys}{\term{zero-knowledge proving keys}} |
|
|
|
\newcommand{\zkVerifyingKeys}{\term{zero-knowledge verifying keys}} |
|
|
|
\newcommand{\arithmeticCircuit}{\term{arithmetic circuit}} |
|
|
|
\newcommand{\rankOneConstraintSystem}{\term{Rank 1 Constraint System}} |
|
|
|
\newcommand{\primary}{\term{primary}} |
|
|
|
\newcommand{\primaryInput}{\term{primary input}} |
|
|
|
\newcommand{\primaryInputs}{\term{primary inputs}} |
|
|
|
\newcommand{\auxiliaryInput}{\term{auxiliary input}} |
|
|
|
\newcommand{\auxiliaryInputs}{\term{auxiliary inputs}} |
|
|
|
\newcommand{\fullnode}{\term{full node}} |
|
|
|
\newcommand{\fullnodes}{\term{full nodes}} |
|
|
|
\newcommand{\anchor}{\term{anchor}} |
|
|
|
@ -449,6 +464,25 @@ |
|
|
|
\newcommand{\nSolution}{\mathtt{nSolution}} |
|
|
|
\newcommand{\SHAd}{\term{SHA-256d}} |
|
|
|
|
|
|
|
% Proving system |
|
|
|
\newcommand{\ZK}{\mathsf{ZK}} |
|
|
|
\newcommand{\ZKProvingKey}{\mathsf{ZK.ProvingKey}} |
|
|
|
\newcommand{\ZKVerifyingKey}{\mathsf{ZK.VerifyingKey}} |
|
|
|
\newcommand{\pk}{\mathsf{pk}} |
|
|
|
\newcommand{\vk}{\mathsf{vk}} |
|
|
|
\newcommand{\ZKParameterDistribution}{\mathsf{ZK.ParameterDistribution}} |
|
|
|
\newcommand{\ZKProof}{\mathsf{ZK.Proof}} |
|
|
|
\newcommand{\ZKPrimary}{\mathsf{ZK.PrimaryInput}} |
|
|
|
\newcommand{\ZKAuxiliary}{\mathsf{ZK.AuxiliaryInput}} |
|
|
|
\newcommand{\ZKSatisfying}{\mathsf{ZK.SatisfyingInputs}} |
|
|
|
\newcommand{\ZKProve}[1]{\mathsf{ZK.}\mathtt{Prove}_{#1}} |
|
|
|
\newcommand{\ZKVerify}[1]{\mathsf{ZK.}\mathtt{Verify}_{#1}} |
|
|
|
\newcommand{\JoinSplit}{\text{\footnotesize\texttt{JoinSplit}}} |
|
|
|
\newcommand{\ZKJoinSplit}{\mathsf{ZK}_{\JoinSplit}} |
|
|
|
\newcommand{\Proof}{\pi} |
|
|
|
\newcommand{\JoinSplitProof}{\Proof_{\JoinSplit}} |
|
|
|
\newcommand{\zkproof}{\mathtt{zkproof}} |
|
|
|
|
|
|
|
% JoinSplit |
|
|
|
\newcommand{\hSig}{\mathsf{h_{Sig}}} |
|
|
|
\newcommand{\hSigText}{\texorpdfstring{$\hSig$}{hSig}} |
|
|
|
@ -461,10 +495,10 @@ |
|
|
|
\newcommand{\setofOld}{\setof{\allOld}} |
|
|
|
\newcommand{\setofNew}{\setof{\allNew}} |
|
|
|
\newcommand{\vmacs}{\mathtt{vmacs}} |
|
|
|
\newcommand{\zkproof}{\mathtt{zkproof}} |
|
|
|
\newcommand{\GroupG}[1]{\mathbb{G}_{#1}} |
|
|
|
\newcommand{\PointP}[1]{\mathcal{P}_{#1}} |
|
|
|
\newcommand{\GF}[1]{\mathbb{F}_{#1}} |
|
|
|
\newcommand{\GFstar}[1]{\mathbb{F}^\ast_{#1}} |
|
|
|
\newcommand{\ECtoOSP}{\mathsf{EC2OSP}} |
|
|
|
\newcommand{\ECtoOSPXL}{\mathsf{EC2OSP\mhyphen{}XL}} |
|
|
|
\newcommand{\ECtoOSPXS}{\mathsf{EC2OSP\mhyphen{}XS}} |
|
|
|
@ -472,17 +506,13 @@ |
|
|
|
\newcommand{\ItoBSP}[1]{\mathsf{I2BSP}_{#1}} |
|
|
|
\newcommand{\BStoIP}[1]{\mathsf{BS2IP}_{#1}} |
|
|
|
\newcommand{\FEtoIP}{\mathsf{FE2IP}} |
|
|
|
\newcommand{\rankOneConstraintSystem}{\term{Rank 1 Constraint System}} |
|
|
|
\newcommand{\BNImpl}{\mathtt{ALT\_BN128}} |
|
|
|
\newcommand{\JoinSplitStatement}{\texttt{JoinSplit}} |
|
|
|
\newcommand{\JoinSplitProof}{\pi_{\text{\footnotesize\JoinSplitStatement}}} |
|
|
|
\newcommand{\vpubOld}{\mathsf{v_{pub}^{old}}} |
|
|
|
\newcommand{\vpubNew}{\mathsf{v_{pub}^{new}}} |
|
|
|
\newcommand{\nOld}[1]{\NoteTuple{#1}^\mathsf{old}} |
|
|
|
\newcommand{\nNew}[1]{\NoteTuple{#1}^\mathsf{new}} |
|
|
|
\newcommand{\vOld}[1]{\mathsf{v}_{#1}^\mathsf{old}} |
|
|
|
\newcommand{\vNew}[1]{\mathsf{v}_{#1}^\mathsf{new}} |
|
|
|
\newcommand{\NP}{\mathsf{NP}} |
|
|
|
\newcommand{\treepath}[1]{\mathsf{path}_{#1}} |
|
|
|
\newcommand{\Receive}{\mathsf{Receive}} |
|
|
|
|
|
|
|
@ -529,8 +559,6 @@ This specification is structured as follows: |
|
|
|
of ideal cryptographic components; |
|
|
|
\item Concrete Protocol | how the functions and encodings of the abstract |
|
|
|
protocol are instantiated; |
|
|
|
\item Zero-Knowledge Proving System | the parameters of the proving system |
|
|
|
and how proofs are encoded; |
|
|
|
\item Consensus Changes from \Bitcoin | how \Zcash differs from \Bitcoin at |
|
|
|
the consensus layer, including the Proof of Work; |
|
|
|
\item Differences from the \Zerocash protocol | a summary of changes from the |
|
|
|
@ -634,7 +662,8 @@ transactions and that therefore have smaller \noteTraceabilitySets. |
|
|
|
The notation $\hexint{}$ followed by a string of \textbf{boldface} hexadecimal |
|
|
|
digits means the corresponding integer converted from hexadecimal. |
|
|
|
|
|
|
|
The notation $\bitseq{\ell}$ means the set of sequences of $\ell$ bits. |
|
|
|
The notation $\bit$ means the set of bit values, i.e. $\setof{0, 1}$. |
|
|
|
$\bitseq{\ell}$ means the set of sequences of $\ell$ bits. |
|
|
|
$\byteseqs$ means the set of bit sequences constrained to be of length |
|
|
|
a multiple of 8 bits. |
|
|
|
|
|
|
|
@ -668,9 +697,10 @@ with the \emph{most significant} bit of each byte first. |
|
|
|
|
|
|
|
The notation $\Nat$ means the set of nonnegative integers. |
|
|
|
|
|
|
|
The notation $\GF{q}$ means the finite field with $q$ elements. |
|
|
|
$\GF{q}[z]$ means the ring of polynomials over $z$ with coefficients |
|
|
|
in $\GF{q}$. |
|
|
|
The notation $\GF{n}$ means the finite field with $n$ elements, and |
|
|
|
$\GFstar{n}$ means its group under multiplication. |
|
|
|
$\GF{n}[z]$ means the ring of polynomials over $z$ with coefficients |
|
|
|
in $\GF{n}$. |
|
|
|
|
|
|
|
The notation $a \bmod q$, for integers $a \geq 0$ and $q > 0$, means the |
|
|
|
remainder on dividing $a$ by $q$. |
|
|
|
@ -687,6 +717,8 @@ $\ceiling{x}$ means the smallest integer $\geq x$. |
|
|
|
|
|
|
|
The symbol $\bot$ is used to indicate unavailable information or a failed decryption. |
|
|
|
|
|
|
|
The notation $T \subseteq U$ indicates that $T$ is an inclusive subset or subtype of $U$. |
|
|
|
|
|
|
|
The notation $x \typecolon T$ is used to specify that $x$ has type $T$. |
|
|
|
A cartesian product type is denoted by $S \times T$, and a function type |
|
|
|
by $S \rightarrow T$. A subscripted argument of a function is taken to be |
|
|
|
@ -849,7 +881,7 @@ views of valid \blocks, and therefore of the sequence of \treestates in those |
|
|
|
A \joinSplitDescription is data included in a \transaction that describes a \joinSplitTransfer, |
|
|
|
i.e.\ a confidential value transfer. This kind of value transfer is the primary |
|
|
|
\Zcash-specific operation performed by \transactions; it uses, but should not be |
|
|
|
confused with, the \joinSplitCircuit used for the \zkSNARK proof and verification. |
|
|
|
confused with, the \joinSplitStatement used for the \zkSNARK proof and verification. |
|
|
|
|
|
|
|
A \joinSplitTransfer spends $\NOld$ \notes $\nOld{\allOld}$ and transparent input |
|
|
|
$\vpubOld$, and creates $\NNew$ \notes $\nNew{\allNew}$ and transparent output |
|
|
|
@ -956,8 +988,8 @@ $\PRFpk{} $&$\typecolon\; \bitseq{\AuthPrivateLength} $&$\times\; \GeneralCRHO |
|
|
|
$\PRFrho{} $&$\typecolon\; \bitseq{\NoteAddressPreRandLength} $&$\times\; \GeneralCRHOutput $&$\rightarrow \PRFOutput $ |
|
|
|
\end{tabular} |
|
|
|
|
|
|
|
These are used in \crossref{circuit}; $\PRFaddr{}$ is also used to derive a \paymentAddress |
|
|
|
from a \spendingKey in \crossref{keycomponents}. |
|
|
|
These are used in \crossref{jsstatement}; $\PRFaddr{}$ is also used to |
|
|
|
derive a \paymentAddress from a \spendingKey in \crossref{keycomponents}. |
|
|
|
They are instantiated in \crossref{concreteprfs}. |
|
|
|
|
|
|
|
\securityrequirement{ |
|
|
|
@ -1078,6 +1110,59 @@ This is not considered to be a significant security weakness. |
|
|
|
|
|
|
|
\todo{} |
|
|
|
|
|
|
|
\nsubsubsection{\ZeroKnowledgeProvingSystem} |
|
|
|
|
|
|
|
A \zeroKnowledgeProvingSystem is a cryptographic protocol that allows |
|
|
|
proving a particular \statement, dependent on \primary and \auxiliaryInputs, |
|
|
|
in zero knowledge --- that is, without revealing information about the |
|
|
|
\auxiliaryInputs other than that implied by the \statement. The type of |
|
|
|
\zeroKnowledgeProvingSystem needed by \Zcash is a \ppzkSNARK. |
|
|
|
|
|
|
|
A \ppzkSNARK instance $\ZK$ defines: |
|
|
|
|
|
|
|
\begin{itemize} |
|
|
|
\item a type of \zkProvingKeys, $\ZKProvingKey$; |
|
|
|
\item a type of \zkVerifyingKeys, $\ZKVerifyingKey$; |
|
|
|
\item a probability distribution over $\ZKProvingKey \times \ZKVerifyingKey$ of parameters, $\ZKParameterDistribution$; |
|
|
|
\item a type of \primaryInputs $\ZKPrimary$; |
|
|
|
\item a type of \auxiliaryInputs $\ZKAuxiliary$; |
|
|
|
\item a type $\ZKSatisfying \subseteq \ZKPrimary \times \ZKAuxiliary$ of inputs satisfying |
|
|
|
the \statement; |
|
|
|
\item a function $\ZKProve{} \typecolon \ZKProvingKey \times \ZKSatisfying \rightarrow \ZKProof$; |
|
|
|
\item a function $\ZKVerify{} \typecolon \ZKVerifyingKey \times \ZKPrimary \times \ZKProof \rightarrow \bit$; |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
The security requirements below are supposed to hold with overwhelming |
|
|
|
probability for $(\pk, \vk)$ sampled at random from $\ZKParameterDistribution$. |
|
|
|
|
|
|
|
\begin{securityrequirements} |
|
|
|
\item \textbf{Completeness:} An honestly generated proof will convince a verifier: |
|
|
|
for any $(x, w) \in \ZKSatisfying$, if $\ZKProve{\pk}(x, w)$ outputs $\Proof$, |
|
|
|
then $\ZKVerify{\vk}(x, \Proof) = 1$. |
|
|
|
\item \textbf{Proof of Knowledge:} For any adversary $\Adversary$ able to find an |
|
|
|
$x \typecolon \ZKPrimary$ and proof $\Proof \typecolon \ZKProof$ such that $\ZKVerify{\vk}(x, \Proof) = 1$, |
|
|
|
there is an efficient extractor $E_{\Adversary}$ such that if $E_{\Adversary}(\vk, \pk)$ |
|
|
|
returns $w$, then the probability that $(x, w) \not\in \ZKSatisfying$ is negligable. |
|
|
|
\item \textbf{Statistical Zero Knowledge:} An honestly generated proof is statistical |
|
|
|
zero knowledge. \todo{Full definition.} |
|
|
|
\end{securityrequirements} |
|
|
|
|
|
|
|
These definitions are derived from those in \cite[Appendix C]{BCTV2014}, adapted to |
|
|
|
state concrete rather than asymptotic security. ($\ZKProve{}$ corresponds to $P$, |
|
|
|
$\ZKVerify{}$ corresponds to $V$, and $\ZKSatisfying$ corresponds to $\mathcal{R}_C$ |
|
|
|
in the notation of that appendix.) |
|
|
|
|
|
|
|
The Proof of Knowledge definition is a way to formalize the property that it is |
|
|
|
infeasible to find a new proof $\Proof$ where $\ZKVerify{\vk}(x, \Proof) = 1$ without |
|
|
|
\emph{knowing} an \auxiliaryInput $w$ such that $(x, w) \in \ZKSatisfying$. |
|
|
|
(It is possible to replay proofs, but informally, a proof for a given $(x, w)$ gives |
|
|
|
no information that helps to find a proof for other $(x, w)$.) |
|
|
|
|
|
|
|
The \provingSystem is instantiated in \crossref{proofs}. |
|
|
|
$\ZKJoinSplit$ refers to this \provingSystem specialized to the \joinSplitStatement |
|
|
|
given in \crossref{jsstatement}. |
|
|
|
|
|
|
|
|
|
|
|
\nsubsection{Key Components} \label{keycomponents} |
|
|
|
|
|
|
|
\changed{$\AuthPrivate$ is 252 bits.} |
|
|
|
@ -1354,7 +1439,7 @@ where $\EdDSAR$ and $\EdDSAS$ are as defined in \cite{BDL+2012}. |
|
|
|
The encoding of a public key is as defined in \cite{BDL+2012}. |
|
|
|
} |
|
|
|
|
|
|
|
The condition enforced by the \joinSplitCircuit specified in \crossref{nonmalleablepour} |
|
|
|
The condition enforced by the \joinSplitStatement specified in \crossref{nonmalleablepour} |
|
|
|
ensures that a holder of all of $\AuthPrivateOld{\allOld}$ for each |
|
|
|
\joinSplitDescription has authorized the use of the private signing key corresponding |
|
|
|
to $\joinSplitPubKey$ to sign this \transaction. |
|
|
|
@ -1394,7 +1479,7 @@ blockchain, appends to the \noteCommitmentTree with all constituent |
|
|
|
valid if it attempts to add a \nullifier to the \nullifierSet that already |
|
|
|
exists in the set. |
|
|
|
|
|
|
|
\nsubsubsection{\JoinSplitCircuit{}} \label{circuit} |
|
|
|
\nsubsubsection{\JoinSplitStatement} \label{jsstatement} |
|
|
|
|
|
|
|
A valid instance of $\JoinSplitProof$ assures that given a \term{primary input}: |
|
|
|
|
|
|
|
@ -2104,11 +2189,11 @@ Future key representations may make use of these padding bits. |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
\nsection{Zero-Knowledge Proving System} \label{proofs} |
|
|
|
\nsubsection{\ZeroKnowledgeProvingSystem} \label{proofs} |
|
|
|
|
|
|
|
\Zcash uses \zkSNARKs generated by its fork of \libsnark \cite{libsnark-fork} |
|
|
|
with the proving system described in \cite{BCTV2015}, which is a refinement of |
|
|
|
the system in \cite{PGHR2013}. |
|
|
|
with the \provingSystem described in \cite{BCTV2015}, which is a refinement of |
|
|
|
the systems in \cite{PGHR2013} and \cite{BCGTV2013}. |
|
|
|
|
|
|
|
The pairing implementation is $\BNImpl$. |
|
|
|
|
|
|
|
@ -2123,12 +2208,13 @@ Let $b = 3$. |
|
|
|
The pairing is of type $\GroupG{1} \times \GroupG{2} \rightarrow \GroupG{T}$, where: |
|
|
|
\begin{itemize} |
|
|
|
\item $\GroupG{1}$ is a Barreto--Naehrig curve over $\GF{q}$ with equation |
|
|
|
$y^2 = x^3 + b$. |
|
|
|
\item $\GroupG{2}$ is a twisted Barreto-Naehrig curve over $\GF{q^2}$ with equation |
|
|
|
$y^2 = x^3 + b/xi$. We represent elements of $\GF{q^2}$ as |
|
|
|
$y^2 = x^3 + b$. This curve has embedding degree 12 with respect to $r$. |
|
|
|
\item $\GroupG{2}$ is the subgroup of order $r$ in the twisted Barreto-Naehrig curve |
|
|
|
over $\GF{q^2}$ with equation $y^2 = x^3 + b/xi$. We represent elements of $\GF{q^2}$ as |
|
|
|
polynomials $a_1 t + a_0 \typecolon \GF{q}[t]$, modulo the irreducible polynomial |
|
|
|
$t^2 + 1$. |
|
|
|
\item $\GroupG{T}$ is $\GF{q^{12}}$. |
|
|
|
\item $\GroupG{T}$ is $\mu_r$, the subgroup of $r^\mathrm{th}$ roots of unity in |
|
|
|
$\GFstar{q^{12}}$. |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
Let $\PointP{1} \typecolon \GroupG{1} = (1, 2)$. |
|
|
|
@ -2142,29 +2228,28 @@ Let $\PointP{2} \typecolon \GroupG{2} =\;$ |
|
|
|
&$ 8495653923123431417604973247489272438418190587263600148770280649306958101930$ & $). $ |
|
|
|
\end{tabular} |
|
|
|
|
|
|
|
The curves $\GroupG{1}$ and $\GroupG{2}$ both have prime order $r$, and so $\PointP{1}$ |
|
|
|
and $\PointP{2}$ are generators of $\GroupG{1}$ and $\GroupG{2}$ respectively. |
|
|
|
$\PointP{1}$ and $\PointP{2}$ are generators of $\GroupG{1}$ and $\GroupG{2}$ respectively. |
|
|
|
|
|
|
|
A proof consists of a tuple |
|
|
|
$(\pi_A \typecolon \GroupG{1},\; |
|
|
|
\pi'_A \typecolon \GroupG{1},\; |
|
|
|
\pi_B \typecolon \GroupG{2},\; |
|
|
|
\pi'_B \typecolon \GroupG{1},\; |
|
|
|
\pi_C \typecolon \GroupG{1},\; |
|
|
|
\pi'_C \typecolon \GroupG{1},\; |
|
|
|
\pi_K \typecolon \GroupG{1},\; |
|
|
|
\pi_H \typecolon \GroupG{1})$. |
|
|
|
It is computed as described in \cite[Appendix B]{BCTV2015}. |
|
|
|
$(\Proof_A \typecolon \GroupG{1},\; |
|
|
|
\Proof'_A \typecolon \GroupG{1},\; |
|
|
|
\Proof_B \typecolon \GroupG{2},\; |
|
|
|
\Proof'_B \typecolon \GroupG{1},\; |
|
|
|
\Proof_C \typecolon \GroupG{1},\; |
|
|
|
\Proof'_C \typecolon \GroupG{1},\; |
|
|
|
\Proof_K \typecolon \GroupG{1},\; |
|
|
|
\Proof_H \typecolon \GroupG{1})$. |
|
|
|
It is computed using the parameters above as described in \cite[Appendix B]{BCTV2015}. |
|
|
|
|
|
|
|
\subparagraph{Note:} |
|
|
|
Many details of the proving system are beyond the scope of this protocol |
|
|
|
document. For example, the \mbox{\rankOneConstraintSystem} corresponding to the |
|
|
|
\joinSplitCircuit is not specified here. In practice it will be necessary to use |
|
|
|
the specific proving and verification keys generated for the \Zcash production |
|
|
|
\blockchain, and a proving system implementation that is interoperable with the |
|
|
|
\Zcash fork of \libsnark, to ensure compatibility. |
|
|
|
Many details of the \provingSystem are beyond the scope of this protocol |
|
|
|
document. For example, the \arithmeticCircuit verifying the \joinSplitStatement, |
|
|
|
or its expression as a \rankOneConstraintSystem, are not specified here. |
|
|
|
In practice it will be necessary to use the specific proving and verification keys |
|
|
|
generated for the \Zcash production \blockchain, and a \provingSystem implementation |
|
|
|
that is interoperable with the \Zcash fork of \libsnark, to ensure compatibility. |
|
|
|
|
|
|
|
\nsubsection{Encoding of Points} \label{pointencoding} |
|
|
|
\nsubsubsection{Encoding of Points} \label{pointencoding} |
|
|
|
|
|
|
|
\newsavebox{\gonebox} |
|
|
|
\begin{lrbox}{\gonebox} |
|
|
|
@ -2224,7 +2309,7 @@ For a point $P \typecolon \GroupG{2} = (x_P, y_P)$: |
|
|
|
\subparagraph{Non-normative notes:} |
|
|
|
\begin{itemize} |
|
|
|
\item The use of big-endian byte order is different from the encoding |
|
|
|
of other integers in this protocol. The above encodings are consistent |
|
|
|
of most other integers in this protocol. The above encodings are consistent |
|
|
|
with the definition of $\ECtoOSP{}$ for compressed curve points in |
|
|
|
\cite[section 5.5.6.2]{IEEE2004}. The LSB compressed |
|
|
|
form (i.e.\ $\ECtoOSPXL$) is used for points on $\GroupG{1}$, and the |
|
|
|
@ -2240,20 +2325,20 @@ When computing square roots in $\GF{q}$ or $\GF{q^2}$ in order to decompress |
|
|
|
a point encoding, the implementation \MUSTNOT assume that the square root |
|
|
|
exists, or that the encoding represents a point on the curve. |
|
|
|
|
|
|
|
\nsubsection{Encoding of Zero-Knowledge Proofs} \label{proofencoding} |
|
|
|
\nsubsubsection{Encoding of \ZeroKnowledgeProofs} \label{proofencoding} |
|
|
|
|
|
|
|
\newsavebox{\proofbox} |
|
|
|
\begin{lrbox}{\proofbox} |
|
|
|
\setchanged |
|
|
|
\begin{bytefield}[bitwidth=0.021em]{2368} |
|
|
|
\bitbox{264}{264-bit $\pi_A$} |
|
|
|
\bitbox{264}{264-bit $\pi'_A$} |
|
|
|
\bitbox{520}{520-bit $\pi_B$} |
|
|
|
\bitbox{264}{264-bit $\pi'_B$} |
|
|
|
\bitbox{264}{264-bit $\pi_C$} |
|
|
|
\bitbox{264}{264-bit $\pi'_C$} |
|
|
|
\bitbox{264}{264-bit $\pi_K$} |
|
|
|
\bitbox{264}{264-bit $\pi_H$} |
|
|
|
\bitbox{264}{264-bit $\Proof_A$} |
|
|
|
\bitbox{264}{264-bit $\Proof'_A$} |
|
|
|
\bitbox{520}{520-bit $\Proof_B$} |
|
|
|
\bitbox{264}{264-bit $\Proof'_B$} |
|
|
|
\bitbox{264}{264-bit $\Proof_C$} |
|
|
|
\bitbox{264}{264-bit $\Proof'_C$} |
|
|
|
\bitbox{264}{264-bit $\Proof_K$} |
|
|
|
\bitbox{264}{264-bit $\Proof_H$} |
|
|
|
\end{bytefield} |
|
|
|
\end{lrbox} |
|
|
|
|
|
|
|
@ -2272,7 +2357,7 @@ verifier \MUST check, for the encoding of each element, that: |
|
|
|
\begin{itemize} |
|
|
|
\item the lead byte is of the required form; |
|
|
|
\item the remaining bytes encode a big-endian representation of an integer |
|
|
|
in $\range{0}{q\!-\!1}$ or (in the case of $\pi_B$) $\range{0}{q^2\!-\!1}$; |
|
|
|
in $\range{0}{q\!-\!1}$ or (in the case of $\Proof_B$) $\range{0}{q^2\!-\!1}$; |
|
|
|
\item the encoding represents a point on the relevant curve. |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
@ -2839,7 +2924,7 @@ of $\PRFaddr{}$ was found by Daira Hopwood. |
|
|
|
\begin{itemize} |
|
|
|
\item Major reorganisation to separate the abstract cryptographic protocol |
|
|
|
from the algorithm instantiations. |
|
|
|
\item Add a section specifying the zero-knowledge proving system and the |
|
|
|
\item Add a section specifying the \zeroKnowledgeProvingSystem and the |
|
|
|
encoding of proofs. Change the encoding of points in proofs to follow |
|
|
|
IEEE Std 1363[a]. |
|
|
|
\item Add a section on consensus changes from \Bitcoin, and the specification |
|
|
|
|
Daira Hopwood
8 years ago