|
|
@ -329,26 +329,28 @@ is associated with this bit-packing.} |
|
|
|
\daira{Should we instead define $\CoinAddressRand$ to be 254 bits and $\hSig$ to be |
|
|
|
253 bits?} |
|
|
|
|
|
|
|
\subsection{Payment Addresses, Viewing Keys, and Spending Keys} |
|
|
|
\subsection{Payment Addresses\changed{, Viewing Keys,} and Spending Keys} |
|
|
|
|
|
|
|
A \keyTuple $(\PaymentAddress, \ViewingKey, \SpendingKey)$ is generated |
|
|
|
A \keyTuple $(\PaymentAddress, \changed{\ViewingKey,\;} \SpendingKey)$ is generated |
|
|
|
by users who wish to receive payments under this scheme. The parts of |
|
|
|
the \keyTuple are composed from three distinct keypairs, called the |
|
|
|
\authKeypair, \transmitKeypair, and \discloseKeypair keypairs. |
|
|
|
the \keyTuple are composed from \changed{three} distinct keypairs, called the |
|
|
|
\authKeypair, \transmitKeypair \changed{, and \discloseKeypair} keypairs. |
|
|
|
|
|
|
|
\begin{itemize} |
|
|
|
\item The \paymentAddress $\PaymentAddress$ is a pair |
|
|
|
$(\AuthPublic, \TransmitPublic)$, containing the \emph{public} |
|
|
|
components of the \authKeypair and \transmitKeypair keypairs |
|
|
|
respectively. |
|
|
|
\changed{ |
|
|
|
\item The \viewingKey $\ViewingKey$ is a pair |
|
|
|
$(\TransmitPrivate, \DisclosePrivate)$, containing the \emph{private} |
|
|
|
components of the \transmitKeypair and \discloseKeypair keypairs |
|
|
|
respectively. |
|
|
|
\item The \spendingKey $\SpendingKey$ is a triple |
|
|
|
$(\AuthPrivate, \TransmitPrivate, \DisclosePrivate)$, |
|
|
|
} |
|
|
|
\item The \spendingKey $\SpendingKey$ is a \changed{triple} |
|
|
|
$(\AuthPrivate, \TransmitPrivate\changed{, \DisclosePrivate})$, |
|
|
|
containing the \emph{private} components of the \authKeypair, |
|
|
|
\transmitKeypair, and \discloseKeypair keypairs respectively. |
|
|
|
\transmitKeypair\changed{, and \discloseKeypair} keypairs respectively. |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
The following diagram depicts the relations between key components. |
|
|
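Review bot: the `\changed{` opened on the line before `\item The \viewingKey $\ViewingKey$ is a pair` and closed by the bare `}` after the second `respectively.` wraps an entire `\item` (and the head of the next one) inside the macro's argument; that only typesets if `\changed` is a declaration-style switch (a colour or font change) rather than a `\textcolor`-style command that boxes its argument, so either confirm the definition or move the wrapper to the item text after `\item`, as the inline uses `\changed{triple}` and `\changed{, \DisclosePrivate}` already do. A second check for the new lines `\transmitKeypair \changed{, and \discloseKeypair} keypairs.` and `\transmitKeypair\changed{, and \discloseKeypair} keypairs respectively.`: if the key-pair name macros end in `\xspace`, both will typeset a space before the comma, because `\xspace` sees the `\changed` token rather than the `,`; putting the comma outside the group (`\transmitKeypair, \changed{and \discloseKeypair}`) avoids that regardless of the definition.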
@ -360,19 +362,21 @@ component derived from it. |
|
|
|
\end{center} |
|
|
|
|
|
|
|
Note that a \spendingKey holder can derive |
|
|
|
$(\AuthPublic, \TransmitPublic, \DisclosePublic)$, and a \viewingKey holder |
|
|
|
can derive $(\TransmitPublic, \DisclosePublic)$, even though these components |
|
|
|
are not formally part of the respective keys. Implementations \MAY cache |
|
|
|
these derived public components, provided that they are deleted if the |
|
|
|
corresponding private component is deleted. |
|
|
|
$(\AuthPublic, \TransmitPublic\changed{, \DisclosePublic})$, |
|
|
|
\changed{and a \viewingKey holder can derive $(\TransmitPublic, \DisclosePublic)$,} |
|
|
|
even though these components are not formally part of the respective keys. |
|
|
|
Implementations \MAY cache these derived public components, provided that |
|
|
|
they are deleted if the corresponding private component is deleted. |
|
|
|
|
|
|
|
The composition of \paymentAddresses, \viewingKeys, and \spendingKeys |
|
|
|
The composition of \paymentAddresses\changed{, \viewingKeys,} and \spendingKeys |
|
|
|
is a cryptographic protocol detail that should not normally be |
|
|
|
exposed to users. However, user-visible operations should be provided |
|
|
|
to: |
|
|
|
|
|
|
|
\begin{itemize} |
|
|
|
\changed{ |
|
|
|
\item obtain a \viewingKey from a \spendingKey; and |
|
|
|
} |
|
|
|
\item obtain a \paymentAddress from a \spendingKey. |
|
|
|
\end{itemize} |
|
|
|
|
|
|
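Review bot: the removed lines from `$(\AuthPublic, \TransmitPublic, \DisclosePublic)$, and a \viewingKey holder` through `corresponding private component is deleted.` are re-wrapped in the replacement rather than edited in place, so the caching sentences (`Implementations \MAY cache these derived public components, provided that`) show as changed although their wording is identical; keeping the original line breaks and marking only `\changed{, \DisclosePublic}` and the new `\changed{and a \viewingKey holder can derive $(\TransmitPublic, \DisclosePublic)$,}` clause would make the substantive change reviewable at a glance. The `\changed{` ... `}` pair around the bare `\item obtain a \viewingKey from a \spendingKey; and` has the same wrap-around-`\item` shape as in the first hunk, so whichever way `\changed` is defined, handle it identically here. The operation list is right not to offer a \paymentAddress from a \viewingKey: by the text just above, a \viewingKey holder derives only $(\TransmitPublic, \DisclosePublic)$ and never $\AuthPublic$.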
@ -403,10 +407,14 @@ the value and recipient \emph{except} to those who possess these tokens. |
|
|
|
In order to transmit the secret $\Value$, $\CoinAddressRand$, and $\CoinCommitRand$ |
|
|
|
(necessary for the recipient to later spend) \changed{and also a \memo} to the |
|
|
|
recipient \emph{without} requiring an out-of-band communication channel, the |
|
|
|
$\transmitKeypair$ public key $\TransmitPublic$ is used to encrypt these |
|
|
|
secrets to form a \coinsCiphertext. The recipient's possession of the associated |
|
|
|
\transmitKeypair public key $\TransmitPublic$ is used to encrypt these |
|
|
|
secrets. The recipient's possession of the associated |
|
|
|
$(\PaymentAddress, \SpendingKey)$ (which contains both $\AuthPublic$ and |
|
|
|
$\TransmitPrivate$) is used to reconstruct the original \coin \changed{ and \memo}. |
|
|
|
\changed{Similarly, to transmit these values to a \viewingKey holder for outgoing |
|
|
|
\PourTransfers, the \discloseKeypair public key $\DisclosePublic$ is used to |
|
|
|
encrypt the same secrets.} |
|
|
|
The encryptions are combined to form a \coinsCiphertext. |
|
|
|
|
|
|
|
\changed{ |
|
|
|
The encryption algorithm is defined in terms of $\CryptoBox$ (i.e. |
|
|
|
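Review bot: `\transmitKeypair public key $\TransmitPublic$ is used to encrypt these` correctly drops the `$...$` that the old line put around `\transmitKeypair`, a text macro that was being set in math mode. The new paragraph `\changed{Similarly, to transmit these values to a \viewingKey holder for outgoing \PourTransfers, the \discloseKeypair public key $\DisclosePublic$ is used to encrypt the same secrets.}` names the encryption key but not the decryption side; since the preceding sentence spells out that the recipient decrypts with the $\TransmitPrivate$ held in the \spendingKey, add the parallel statement that the \viewingKey holder uses $\DisclosePrivate$, so the two encryptions are specified symmetrically. `The encryptions are combined to form a \coinsCiphertext.` leaves "combined" undefined (concatenation, an ordered pair, a length-prefixed encoding); if the definition lives further down, a forward reference here would help, since the hunk ends at `The encryption algorithm is defined in terms of $\CryptoBox$ (i.e.` and the `\changed{` opened just before it has no visible closing brace in this hunk, so check that it is balanced in the full file.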