|
|
@ -962,6 +962,16 @@ such that bit $b$ has numeric weight $2^b$. |
|
|
|
\end{itemize} |
|
|
|
} |
|
|
|
|
|
|
|
\nsubsection{Note Components} |
|
|
|
|
|
|
|
\begin{itemize} |
|
|
|
\item $\AuthPublic$ is a 32-byte \payingKey of the recipient. |
|
|
|
\item $\Value$ is a 64-bit unsigned integer representing the value of the |
|
|
|
\note in \zatoshi ($1$ \ZEC = $10^8$ \zatoshi). |
|
|
|
\item $\NoteAddressRand$ is a 32-byte $\PRFnf{\AuthPrivate}$ preimage. |
|
|
|
\item $\NoteCommitRand$ is a 32-byte \commitmentTrapdoor. |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
\nsubsection{\JoinSplitTransfers{} and Descriptions} \label{joinsplitdesc} |
|
|
|
|
|
|
|
A \joinSplitDescription is data included in a \transaction that describes a |
|
|
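Review bot: the `\nsubsection{Note Components}` added at the top of this hunk duplicates the existing `\nsubsection{Note Components}` heading that still appears as unchanged context at the end of the third hunk, so after this change the document carries two sections with the same title. If this is a move of the section to its new position, the old copy should be deleted in the same change; if it is intentionally a second section, one of the two needs a distinguishing title. Also, the `\NoteAddressRand` item says only that it is a 32-byte `$\PRFnf{\AuthPrivate}$` preimage, without saying how it is chosen; one sentence on that (and a pointer to where `\Value` is range-checked beyond its 64-bit type) would make the component list self-contained.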
@ -1632,6 +1642,68 @@ additional bit to $\AuthPrivate$ to encode a new key type, or that require an |
|
|
|
additional PRF.) |
|
|
|
} |
|
|
|
|
|
|
|
\nsubsubsection{\SymmetricEncryption} \label{concretesym} |
|
|
|
|
|
|
|
Let $\Sym$ be an \symmetricEncryptionScheme with keyspace $\Keyspace$, encrypting |
|
|
|
plaintexts in $\Plaintext$ to produce ciphertexts in $\Ciphertext$. |
|
|
|
|
|
|
|
$\SymEncrypt{} \typecolon \Keyspace \times \Plaintext \rightarrow \Ciphertext$ |
|
|
|
is the encryption algorithm. |
|
|
|
|
|
|
|
$\SymDecrypt{} \typecolon \Keyspace \times \Ciphertext \rightarrow |
|
|
|
\Plaintext \cup \setof{\bot}$ is the corresponding decryption algorithm, such that |
|
|
|
for any $\Key \in \Keyspace$ and $\Ptext \in \Plaintext$, |
|
|
|
$\SymDecrypt{\Key}(\SymEncrypt{\Key}(\Ptext)) = \Ptext$. |
|
|
|
$\bot$ is used to represent the decryption of an invalid ciphertext. |
|
|
|
|
|
|
|
\securityrequirement{ |
|
|
|
$\Sym$ must be one-time (INT-CTXT $\wedge$ IND-CPA)-secure. ``One-time'' here means |
|
|
|
that an honest protocol participant will almost surely encrypt only one message with |
|
|
|
a given key; however, the attacker may make many adaptive chosen ciphertext queries |
|
|
|
for a given key. The security notions INT-CTXT and IND-CPA are as defined in |
|
|
|
\cite{BN2007}. |
|
|
|
} |
|
|
|
|
|
|
|
\nsubsubsection{\KeyAgreement} \label{abstractkeyagreement} |
|
|
|
|
|
|
|
A \keyAgreementScheme is a cryptographic protocol in which two parties agree |
|
|
|
a shared secret, each using their private key and the other party's public key. |
|
|
|
|
|
|
|
A \keyAgreementScheme $\KA$ defines a type of public keys $\KAPublic$, a type |
|
|
|
of private keys $\KAPrivate$, and a type of shared secrets $\KASharedSecret$. |
|
|
|
|
|
|
|
Let $\KAFormatPrivate \typecolon \PRFOutput \rightarrow \KAPrivate$ be a function |
|
|
|
that converts a bit string of length $\PRFOutputLength$ to a $\KA$ private key. |
|
|
|
|
|
|
|
Let $\KADerivePublic \typecolon \KAPrivate \rightarrow \KAPublic$ be a function |
|
|
|
that derives the $\KA$ public key corresponding to a given $\KA$ public key. |
|
|
|
|
|
|
|
Let $\KAAgree \typecolon \KAPrivate \times \KAPublic \rightarrow \KASharedSecret$ |
|
|
|
be the agreement function. |
|
|
|
|
|
|
|
\securityrequirement{ |
|
|
|
$\KAFormatPrivate$ must preserve sufficient entropy from its input to be used |
|
|
|
as a secure $\KA$ private key. \todo{requirements on security of key agreement and KDF} |
|
|
|
} |
|
|
|
|
|
|
|
\changed{ |
|
|
|
where |
|
|
|
\begin{itemize} |
|
|
|
\item $\CurveMultiply(\bytes{n}, \bytes{q})$ performs point |
|
|
|
multiplication of the Curve25519 public key represented by the byte |
|
|
|
sequence $\bytes{q}$ by the Curve25519 secret key represented by the |
|
|
|
byte sequence $\bytes{n}$, as defined in section 2 of \cite{Curve25519}; |
|
|
|
\item $\CurveBase$ is the public byte sequence representing the Curve25519 |
|
|
|
base point; |
|
|
|
\item $\Clamp(\bytes{x})$ takes a 32-byte sequence $\bytes{x}$ as input |
|
|
|
and returns a byte sequence representing a Curve25519 private key, with |
|
|
|
bits ``clamped'' as described in section 3 of \cite{Curve25519}: |
|
|
|
``clear bits $0, 1, 2$ of the first byte, clear bit $7$ of the last byte, |
|
|
|
and set bit $6$ of the last byte.'' Here the bits of a byte are numbered |
|
|
|
such that bit $b$ has numeric weight $2^b$. |
|
|
|
\end{itemize} |
|
|
|
} |
|
|
|
|
|
|
|
\nsubsubsection{\KeyDerivation} \label{concretekdf} |
|
|
|
|
|
|
|
\newsavebox{\kdftagbox} |
|
|
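Review bot: in the `\KADerivePublic` definition, `derives the $\KA$ public key corresponding to a given $\KA$ public key` should read `corresponding to a given $\KA$ private key`, matching its declared type `\KAPrivate \rightarrow \KAPublic`. The `\changed{ where \begin{itemize} ... }` block defining `$\CurveMultiply$`, `$\CurveBase$` and `$\Clamp$` opens with `where`, but nothing earlier in this hunk uses those symbols (there is no instantiation of `\KAFormatPrivate`, `\KADerivePublic` or `\KAAgree` in terms of them), and the first hunk's header context (`such that bit $b$ has numeric weight $2^b$.` followed by `\end{itemize}` and `}`) shows the same itemize still present at its old location; either the old copy should be removed here or this copy should be preceded by the equations it annotates. The `\securityrequirement` for key agreement currently covers only entropy preservation by `\KAFormatPrivate` and leaves `\todo{requirements on security of key agreement and KDF}`; since the symmetric-encryption requirement just above is stated fully with a citation, this one should at least name the target notion before merging. Minor: `two parties agree a shared secret` reads better as `agree on a shared secret`.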
@ -1669,7 +1741,9 @@ where: |
|
|
|
\hskip 1.5em $\kdfinput := \Justthebox{\kdfinputbox}$. |
|
|
|
} |
|
|
|
|
|
|
|
\nsubsubsection{Signatures} \label{concretesig} |
|
|
|
|
|
|
|
\todo{} |
|
|
|
|
|
|
|
|
|
|
|
\nsubsection{Note Components} |
|
|
|
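Review bot: the new `\nsubsubsection{Signatures} \label{concretesig}` has only an empty `\todo{}` as its body; unlike `\todo{requirements on security of key agreement and KDF}` in the previous hunk, it gives no hint of what remains to be written. Put a short description in the todo (which signature scheme is to be instantiated and which security requirement it must satisfy), or hold the heading back until there is content, so that the label `concretesig` does not exist as a reference target for an empty section.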