|
|
@ -165,6 +165,8 @@ |
|
|
|
\newcommand{\JoinSplitTransfer}{\titleterm{JoinSplit Transfer}} |
|
|
|
\newcommand{\JoinSplitTransfers}{\titleterm{JoinSplit Transfers}} |
|
|
|
\newcommand{\joinSplitSignature}{\term{JoinSplit signature}} |
|
|
|
\newcommand{\joinSplitSigningKey}{\term{JoinSplit signing key}} |
|
|
|
\newcommand{\joinSplitVerifyingKey}{\term{JoinSplit verifying key}} |
|
|
|
\newcommand{\joinSplitStatement}{\term{JoinSplit statement}} |
|
|
|
\newcommand{\joinSplitStatements}{\term{JoinSplit statements}} |
|
|
|
\newcommand{\JoinSplitStatement}{\titleterm{JoinSplit Statement}} |
|
|
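Review bot: the new term macros are missing the title-case plural that the existing pattern provides: `\JoinSplitTransfer`/`\JoinSplitTransfers` both exist, but only `\JoinSplitStatement` is added next to `\joinSplitStatement`/`\joinSplitStatements`. Add `\newcommand{\JoinSplitStatements}{\titleterm{JoinSplit Statements}}` for symmetry, or drop the lowercase plural if it is unused; also check that the body introduces the term at its first use, since the non-malleability section later relies on it via `\crossref{nonmalleablepour}`.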
@ -419,6 +421,10 @@ |
|
|
|
|
|
|
|
% Signatures |
|
|
|
\newcommand{\JoinSplitSigAlg}{\mathsf{JoinSplitSigAlg}} |
|
|
|
\newcommand{\JoinSplitSigPublic}{\mathsf{JoinSplitSig.Public}} |
|
|
|
\newcommand{\JoinSplitSigPrivate}{\mathsf{JoinSplitSig.Private}} |
|
|
|
\newcommand{\JoinSplitSigSign}{\mathsf{JoinSplitSig.Sign}} |
|
|
|
\newcommand{\JoinSplitSigVerify}{\mathsf{JoinSplitSig.Verify}} |
|
|
|
\newcommand{\JoinSplitSigSpecific}{\mathsf{Ed25519}} |
|
|
|
\newcommand{\JoinSplitSigHashName}{\mathsf{SHA\mhyphen512}} |
|
|
|
\newcommand{\cm}{\mathsf{cm}} |
|
|
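Review bot: the prose elsewhere in this patch uses `\EdDSAR`, `\EdDSAS` and `\EdDSAs` (the encoded R and S, and the integer s), but none of them is defined in this new block of signature macros; unless they already exist in the preamble the build fails at the first `$\EdDSAR$`. Four of the new macros (`\JoinSplitSigPublic`, `\JoinSplitSigPrivate`, `\JoinSplitSigSign`, `\JoinSplitSigVerify`) are not used anywhere in the visible text, which still says "private signing key", "public verification key" and "can be verified" in words; either switch the prose to the macros or leave the unused ones out until they are needed. `\JoinSplitSigSpecific` and `\JoinSplitSigHashName` hard-code `\mathsf{Ed25519}` and `\mathsf{SHA\mhyphen512}`, which is a reasonable single indirection point; a comment saying these two are the only place to change if the instantiation changes would help future edits.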
@ -1427,9 +1433,8 @@ $\MerkleNode{\MerkleDepth}{i}$ is in a tree with a given \merkleRoot $\rt = \Mer |
|
|
|
|
|
|
|
\nsubsection{Non-malleability} \label{nonmalleability} |
|
|
|
|
|
|
|
\changed{ |
|
|
|
\Bitcoin defines several \sighashTypes that cover various parts of a transaction. |
|
|
|
In \Zcash, all of these \sighashTypes are extended to cover the \Zcash-specific |
|
|
|
\changed{In \Zcash, all of these \sighashTypes are extended to cover the \Zcash-specific |
|
|
|
fields $\nJoinSplit$, $\vJoinSplit$, and (if present) $\joinSplitPubKey$. |
|
|
|
They \emph{do not} cover the field $\joinSplitSig$. |
|
|
|
|
|
|
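Review bot: the `\changed{...}` markup in this paragraph looks unbalanced: a bare `\changed{` opens before "Bitcoin defines several sighashTypes", and the sentence "In Zcash, all of these sighashTypes are extended ..." appears twice, once plain and once as `\changed{In \Zcash, ...`, with the closing braces only appearing in the next hunk. Make sure exactly one copy of the sentence survives and that the outer `\changed{` closes exactly once, otherwise the paragraph renders twice or the file stops compiling. The statement that the sighash types "do not cover the field joinSplitSig" is the right design (a signature cannot cover its own bytes) and should stay adjacent to the definition of dataToBeSigned so the two are read together.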
@ -1437,10 +1442,11 @@ They \emph{do not} cover the field $\joinSplitSig$. |
|
|
|
If $\nJoinSplit > 0$, the \transaction{} \MUSTNOT use \sighashTypes other than |
|
|
|
$\SIGHASHALL$. |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
Let $\dataToBeSigned$ be the hash of the \transaction using the $\SIGHASHALL$ |
|
|
|
\sighashType. This \emph{excludes} all of the $\scriptSig$ fields in |
|
|
|
the non-\Zcash-specific parts of the \transaction. |
|
|
|
Let $\dataToBeSigned$ be the hash of the \transaction{} \changed{using the $\SIGHASHALL$ |
|
|
|
\sighashType}. \changed{This \emph{excludes} all of the $\scriptSig$ fields in |
|
|
|
the non-\Zcash-specific parts of the \transaction.} |
|
|
|
|
|
|
|
In order to ensure that a \joinSplitDescription is cryptographically bound to the |
|
|
|
\transparent inputs and outputs corresponding to $\vpubNew$ and $\vpubOld$, and |
|
|
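Review bot: the paragraph defining dataToBeSigned is present twice, once plain and once with `\changed{...}` fragments; only the marked-up copy should remain, and the `\transaction{}` form (with the empty group) is the one that preserves the following space. "the hash of the transaction using the SIGHASH_ALL sighashType" should carry a cross-reference to where that digest is specified, since the JoinSplit signature is over exactly those bytes and two implementations that compute the sighash differently will disagree on which transactions are valid. "If nJoinSplit > 0, the transaction MUST NOT use sighashTypes other than SIGHASH_ALL" reads as a consensus rule; say explicitly that a transaction violating it is invalid. Excluding the scriptSig fields is standard SIGHASH_ALL behaviour and, since the transparent signatures live in scriptSig, it is also what avoids a circular dependency between them and joinSplitSig; a half sentence to that effect would make the "excludes" remark self-explanatory.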
@ -1449,40 +1455,13 @@ key pair is generated for each \transaction, and the $\dataToBeSigned$ is |
|
|
|
signed with the private signing key of this key pair. The corresponding public |
|
|
|
verification key is included in the \transaction encoding as $\joinSplitPubKey$. |
|
|
|
|
|
|
|
$\JoinSplitSigAlg$ is instantiated as $\JoinSplitSigSpecific$ \cite{BDL+2012}, |
|
|
|
with the additional requirement that $\EdDSAs$ (the integer represented |
|
|
|
by $\EdDSAS$) must be less than the prime |
|
|
|
$\ell = 2^{252} + 27742317777372353535851937790883648493$, |
|
|
|
otherwise the signature is considered invalid. |
|
|
|
$\JoinSplitSigSpecific$ is defined as using $\JoinSplitSigHashName$ internally. |
|
|
|
$\JoinSplitSigAlg$ is instantiated in \crossref{concretesig}. |
|
|
|
|
|
|
|
\changed{ |
|
|
|
If $\nJoinSplit$ is zero, the $\joinSplitPubKey$ and $\joinSplitSig$ fields are |
|
|
|
omitted. Otherwise, a \transaction has a correct \joinSplitSignature if |
|
|
|
$\joinSplitSig$ can be verified as an encoding of a signature on $\dataToBeSigned$ |
|
|
|
as specified above, using the $\JoinSplitSigSpecific$ public key encoded as |
|
|
|
$\joinSplitPubKey$. |
|
|
|
} |
|
|
|
|
|
|
|
\newsavebox{\sigbox} |
|
|
|
\begin{lrbox}{\sigbox} |
|
|
|
\setchanged |
|
|
|
\begin{bytefield}[bitwidth=0.075em]{512} |
|
|
|
\bitbox{256}{$256$-bit $\EdDSAR$} |
|
|
|
\bitbox{256}{$256$-bit $\EdDSAS$} |
|
|
|
\end{bytefield} |
|
|
|
\end{lrbox} |
|
|
|
|
|
|
|
\changed{ |
|
|
|
The encoding of a signature is: |
|
|
|
} |
|
|
|
\begin{itemize} |
|
|
|
\item[] $\Justthebox{\sigbox}$ |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
\changed{ |
|
|
|
where $\EdDSAR$ and $\EdDSAS$ are as defined in \cite{BDL+2012}. |
|
|
|
|
|
|
|
The encoding of a public key is as defined in \cite{BDL+2012}. |
|
|
|
as specified above, using $\joinSplitPubKey$. |
|
|
|
} |
|
|
|
|
|
|
|
The condition enforced by the \joinSplitStatement specified in \crossref{nonmalleablepour} |
|
|
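Review bot: with the Ed25519 instantiation moved to `\crossref{concretesig}`, the correctness condition in this section still says "using the $\JoinSplitSigSpecific$ public key encoded as $\joinSplitPubKey$", which leaks the concrete scheme back into the abstract text; write it in terms of $\JoinSplitSigAlg$ (or the newly added `\JoinSplitSigVerify`) instead. Confirm that the `\newsavebox{\sigbox}` / `lrbox` block and the "encoding of a signature" paragraph are really removed from this section: the identical `\newsavebox{\sigbox}` is declared again in the Signatures subsubsection, and LaTeX rejects a second `\newsavebox` of the same name. The line "as specified above, using $\joinSplitPubKey$." following "The encoding of a public key is as defined in \cite{BDL+2012}." is an orphaned fragment of the old wording and should go.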
@ -2086,7 +2065,36 @@ where: |
|
|
|
|
|
|
|
\nsubsubsection{Signatures} \label{concretesig} |
|
|
|
|
|
|
|
\todo{} |
|
|
|
\changed{ |
|
|
|
$\JoinSplitSigAlg$ is instantiated as $\JoinSplitSigSpecific$ \cite{BDL+2012}, |
|
|
|
with the additional requirement that $\EdDSAs$ (the integer represented |
|
|
|
by $\EdDSAS$) must be less than the prime |
|
|
|
$\ell = 2^{252} + 27742317777372353535851937790883648493$, |
|
|
|
otherwise the signature is considered invalid. |
|
|
|
$\JoinSplitSigSpecific$ is defined as using $\JoinSplitSigHashName$ internally. |
|
|
|
} |
|
|
|
|
|
|
|
\newsavebox{\sigbox} |
|
|
|
\begin{lrbox}{\sigbox} |
|
|
|
\setchanged |
|
|
|
\begin{bytefield}[bitwidth=0.075em]{512} |
|
|
|
\bitbox{256}{$256$-bit $\EdDSAR$} |
|
|
|
\bitbox{256}{$256$-bit $\EdDSAS$} |
|
|
|
\end{bytefield} |
|
|
|
\end{lrbox} |
|
|
|
|
|
|
|
\changed{ |
|
|
|
The encoding of a signature is: |
|
|
|
} |
|
|
|
\begin{itemize} |
|
|
|
\item[] $\Justthebox{\sigbox}$ |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
\changed{ |
|
|
|
where $\EdDSAR$ and $\EdDSAS$ are as defined in \cite{BDL+2012}. |
|
|
|
|
|
|
|
The encoding of a public key is as defined in \cite{BDL+2012}. |
|
|
|
} |
|
|
|
|
|
|
|
\nsubsection{Note Components} |
|
|
|
|
|
|
|
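Review bot: the `\todo{}` at the top of the Signatures subsubsection should be removed now that the instantiation text fills the section in, or replaced with a note saying what is still missing. The requirement that s (the integer represented by S) be less than ℓ = 2^252 + 27742317777372353535851937790883648493 (the correct order of the Ed25519 base point) is a canonical-s check: a value s + ℓ would be a second encoding that verifies against the same message and key. Since the non-malleability section now only points here, say that purpose in one sentence so the cross-reference is self-explanatory, and keep "considered invalid" as the consensus outcome. `\EdDSAs` and `\EdDSAS` differ only in case but mean different things (integer versus 256-bit encoding); the parenthetical "the integer represented by S" used here should accompany every later appearance of `\EdDSAs`. The 512-bit bytefield (256-bit R, 256-bit S) matches the 64-byte Ed25519 signature encoding from \cite{BDL+2012}, and `\setchanged` inside the `lrbox` is needed because change marks do not propagate into a saved box.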