@ -7,14 +7,32 @@
\RequirePackage { xspace}
\RequirePackage { url}
\RequirePackage { changepage}
\RequirePackage { lmodern}
\RequirePackage [unicode,bookmarksnumbered,bookmarksopen,pdfview=Fit] { hyperref}
\RequirePackage { nameref}
\RequirePackage { enumitem}
\RequirePackage { tabularx}
\RequirePackage { hhline}
\RequirePackage { comment}
% Fonts
\RequirePackage { lmodern}
\RequirePackage { bold-extra}
\RequirePackage { quattrocento}
% Quattrocento is beautiful but doesn't have an italic face. So we scale
% New Century Schoolbook italic to fit in with slanted Quattrocento and
% match its x height.
\renewcommand { \emph } [1]{ { \fontfamily { pnc} \selectfont \scalebox { 1.045} [0.99]{ \textit { #1} } } }
% While we're at it, let's match the tt x height to Quattrocento as well.
\let \oldtexttt \texttt
\let \oldmathtt \mathtt
\renewcommand { \texttt } [1]{ \scalebox { 1.02} [1.07]{ \oldtexttt { #1} } }
\renewcommand { \mathtt } [1]{ \scalebox { 1.02} [1.07]{ $ \oldmathtt { # 1 } $ } }
% bold but not extended
\newcommand { \textbnx } [1]{ { \fontseries { b} \selectfont #1} }
\setlength { \oddsidemargin } { -0.25in} % Left margin of 1 in + 0 in = 1 in
\setlength { \textwidth } { 7in} % Right margin of 8.5 in - 1 in - 6.5 in = 1 in
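Review bot: The `\mathtt` redefinition, `\renewcommand{\mathtt}[1]{\scalebox{1.02}[1.07]{$\oldmathtt{#1}$}}`, boxes its argument in text mode, so the inner `$...$` is always set at text size whatever the surrounding math style — `\mathtt{...}` in a subscript or superscript (the `\vmacs`/`\zkproofSize`/`\zkproof` macros later in this diff are built on it) comes out too large. If amsmath is loaded (not visible in this hunk), `\renewcommand{\mathtt}[1]{\text{\scalebox{1.02}[1.07]{$\oldmathtt{#1}$}}}` picks the right size through `\text`'s `\mathchoice`; otherwise write the four `\mathchoice` branches with `\displaystyle`/`\textstyle`/`\scriptstyle`/`\scriptscriptstyle` by hand. Separately, the `\scalebox` in the new `\emph` and `\texttt` turns their contents into an unbreakable box, so a long emphasised phrase can no longer hyphenate or wrap (overfull lines), and `\emph` loses its italic/upright toggle when nested. `lmodern` also appears in both the top block and the `% Fonts` block; if both survive on the new side the second load is redundant.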
@ -45,7 +63,7 @@
\renewcommand { \sectionautorefname } { \S \! }
\renewcommand { \subsectionautorefname } { \S \! }
\renewcommand { \subsubsectionautorefname } { \S \! }
\newcommand { \crossref } [1]{ \autoref { #1} \emph { `\nameref * { #1} \kern -0.1 em'} on p.\, \pageref * { #1} }
\newcommand { \crossref } [1]{ \autoref { #1} \, \emph { `\nameref * { #1} \kern -0.05 em'} on p.\, \pageref * { #1} }
\mathchardef \mhyphen ="2D
@ -63,12 +81,9 @@
\newcommand { \setchanged } { \color { \changedcolor } }
\newcommand { \changed } [1]{ \texorpdfstring { { \setchanged { #1} } } { #1} }
% bold but not extended
\newcommand { \textbnx } [1]{ { \fontseries { b} \selectfont #1} }
% terminology
\newcommand { \term } [1]{ \textsl { #1} \xspace }
\newcommand { \term } [1]{ \textsl { #1} \kern 0.05em\xspace }
\newcommand { \titleterm } [1]{ #1}
\newcommand { \termbf } [1]{ \textbf { #1} \xspace }
\newcommand { \conformance } [1]{ \textbnx { #1} \xspace }
@ -291,7 +306,8 @@
\newcommand { \vmacs } { \mathtt { vmacs} }
\newcommand { \zkproofSize } { \mathtt { zkproofSize} }
\newcommand { \zkproof } { \mathtt { zkproof} }
\newcommand { \JoinSplitCircuit } { \term { \texttt { JoinSplit} circuit} }
\newcommand { \joinSplitCircuit } { \term { JoinSplit circuit} }
\newcommand { \JoinSplitCircuit } { \titleterm { JoinSplit Circuit} }
\newcommand { \JoinSplitStatement } { \texttt { JoinSplit} }
\newcommand { \JoinSplitProof } { \pi _ { \JoinSplitStatement } }
\newcommand { \vpubOld } { \mathsf { v_ { pub} ^ { old} } }
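Review bot: The new `\JoinSplitCircuit` expands to `\titleterm{JoinSplit Circuit}`, i.e. bare text, whereas the old `\term{\texttt{JoinSplit} circuit}` still typeset acceptably inside `$...$`; any remaining `$\JoinSplitCircuit$` in math mode now renders as run-together math-italic letters with the space dropped. The hunk near the end of this diff converts one such use to `\joinSplitCircuit` outside math, but the rest of the file is outside what I can see and should be checked for other `$\JoinSplitCircuit$` occurrences. A comment on the definition, `% text-mode only: \joinSplitCircuit in running text, \JoinSplitCircuit in headings`, would make the intended split explicit.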
@ -357,8 +373,8 @@ the mistake may indicate a security weakness.
\subsection { Integers, Bit Sequences, and Endianness}
All integers in \emph { \Zcash -specific} encodings are unsigned, have a fixed
bit length, and are encoded in little-endian byte order. \changed { The definition of
the encryption scheme based on $ \SymSpecific $ \cite { rfc7539} in \crossref { inband}
bit length, and are encoded in little-endian byte order. \changed { The
$ \SymSpecific $ encryption scheme \cite { rfc7539} used in \crossref { inband}
uses length fields encoded as little-endian. Also, Curve25519 public and
private keys are defined as byte sequences, which are converted from integers
using little-endian encoding.}
@ -465,12 +481,12 @@ functions.
\begin { lrbox} { \addrbox }
\setchanged
\begin { bytefield} [bitwidth=0.06em]{ 512}
\bitbox { 18} { 1} &
\bitbox { 18} { 1} &
\bitbox { 18} { 0} &
\bitbox { 18} { 0} &
\bitbox { 224} { 252 bit $ x $ } &
\bitbox { 56} { 8 bit $ t $ } &
\bitbox { 18} { $ 1 $ } &
\bitbox { 18} { $ 1 $ } &
\bitbox { 18} { $ 0 $ } &
\bitbox { 18} { $ 0 $ } &
\bitbox { 224} { $ 252 $ - bit $ x $ } &
\bitbox { 56} { $ 8 $ - bit $ t $ } &
\bitbox { 200} { $ \zeros { 248 } $ }
\end { bytefield}
\end { lrbox}
@ -479,12 +495,12 @@ functions.
\begin { lrbox} { \nfbox }
\setchanged
\begin { bytefield} [bitwidth=0.06em]{ 512}
\bitbox { 18} { 1} &
\bitbox { 18} { 1} &
\bitbox { 18} { 1} &
\bitbox { 18} { 0} &
\bitbox { 224} { 252 bit $ \AuthPrivate $ } &
\bitbox { 256} { 256 bit $ \NoteAddressRand $ }
\bitbox { 18} { $ 1 $ } &
\bitbox { 18} { $ 1 $ } &
\bitbox { 18} { $ 1 $ } &
\bitbox { 18} { $ 0 $ } &
\bitbox { 224} { $ 252 $ - bit $ \AuthPrivate $ } &
\bitbox { 256} { $ 256 $ - bit $ \NoteAddressRand $ }
\end { bytefield}
\end { lrbox}
@ -492,12 +508,12 @@ functions.
\begin { lrbox} { \pkbox }
\setchanged
\begin { bytefield} [bitwidth=0.06em]{ 512}
\bitbox { 18} { 0} &
\bitbox { 18} { $ 0 $ } &
\bitbox { 18} { \iminusone } &
\bitbox { 18} { 0} &
\bitbox { 18} { 0} &
\bitbox { 224} { 252 bit $ \AuthPrivate $ } &
\bitbox { 256} { 256 bit $ \hSig $ }
\bitbox { 18} { $ 0 $ } &
\bitbox { 18} { $ 0 $ } &
\bitbox { 224} { $ 252 $ - bit $ \AuthPrivate $ } &
\bitbox { 256} { $ 256 $ - bit $ \hSig $ }
\end { bytefield}
\end { lrbox}
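Review bot: In the `\pkbox` diagram the tag bits were switched to math-mode digits (`\bitbox{18}{$0$}`), but the `\bitbox{18}{\iminusone}` cell between them was left untouched; unless `\iminusone` is itself defined in math mode (its definition is not in this diff), that cell will render in the text font while its neighbours use the math font. The same applies to `\iminusone` in the `\rhobox` diagram in the next hunk. If the macro is text-mode, `\bitbox{18}{$\iminusone$}` in both places keeps the four tag bits uniform; if it already contains `$...$`, nothing to do.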
@ -505,12 +521,12 @@ functions.
\begin { lrbox} { \rhobox }
\setchanged
\begin { bytefield} [bitwidth=0.06em]{ 512}
\bitbox { 18} { 0} &
\bitbox { 18} { $ 0 $ } &
\bitbox { 18} { \iminusone } &
\bitbox { 18} { 1} &
\bitbox { 18} { 0} &
\bitbox { 224} { 252 bit $ \NoteAddressPreRand $ } &
\bitbox { 256} { 256 bit $ \hSig $ }
\bitbox { 18} { $ 1 $ } &
\bitbox { 18} { $ 0 $ } &
\bitbox { 224} { $ 252 $ - bit $ \NoteAddressPreRand $ } &
\bitbox { 256} { $ 256 $ - bit $ \hSig $ }
\end { bytefield}
\end { lrbox}
@ -595,8 +611,8 @@ base point;
\item $ \Clamp ( \bytes { x } ) $ takes a 32-byte sequence $ \bytes { x } $ as input
and returns a byte sequence representing a Curve25519 private key, with
bits ``clamped'' as described in section 3 of \cite { Curve25519} :
``clear bits 0, 1, 2 of the first byte, clear bit 7 of the last byte,
and set bit 6 of the last byte.'' Here the bits of a byte are numbered
``clear bits $ 0 , 1 , 2 $ of the first byte, clear bit $ 7 $ of the last byte,
and set bit $ 6 $ of the last byte.'' Here the bits of a byte are numbered
such that bit $ b $ has numeric weight $ 2 ^ b $ .
\end { itemize}
}
@ -631,7 +647,7 @@ to $\AuthPublic$, as described in the previous section.
\begin { itemize}
\item $ \AuthPublic $ is a 32-byte \payingKey of the recipient.
\item $ \Value $ is a 64-bit unsigned integer representing the value of the
\note in \zatoshi (1 \ZEC = $ 10 ^ 8 $ \zatoshi ).
\note in \zatoshi (1 \ZEC = 10\textsuperscript { 8} \zatoshi ).
\item $ \NoteAddressRand $ is a 32-byte $ \PRFnf { \AuthPrivate } $ preimage.
\item $ \NoteCommitRand $ is a 32-byte \COMMtrapdoor .
\end { itemize}
@ -652,18 +668,18 @@ The resulting hash $\cm = \Commitment(\NoteTuple{})$.
\begin { lrbox} { \cmbox }
\setchanged
\begin { bytefield} [bitwidth=0.036em]{ 840}
\bitbox { 24} { 1} &
\bitbox { 24} { 0} &
\bitbox { 24} { 1} &
\bitbox { 24} { 1} &
\bitbox { 24} { 0} &
\bitbox { 24} { 0} &
\bitbox { 24} { 0} &
\bitbox { 24} { 0} &
\bitbox { 256} { 256 bit $ \AuthPublic $ } &
\bitbox { 128} { 64 bit $ \Value $ } &
\bitbox { 256} { 256 bit $ \NoteAddressRand $ }
\bitbox { 256} { 256 bit $ \NoteCommitRand $ } &
\bitbox { 24} { $ 1 $ } &
\bitbox { 24} { $ 0 $ } &
\bitbox { 24} { $ 1 $ } &
\bitbox { 24} { $ 1 $ } &
\bitbox { 24} { $ 0 $ } &
\bitbox { 24} { $ 0 $ } &
\bitbox { 24} { $ 0 $ } &
\bitbox { 24} { $ 0 $ } &
\bitbox { 256} { $ 256 $ - bit $ \AuthPublic $ } &
\bitbox { 128} { $ 64 $ - bit $ \Value $ } &
\bitbox { 256} { $ 256 $ - bit $ \NoteAddressRand $ }
\bitbox { 256} { $ 256 $ - bit $ \NoteCommitRand $ } &
\end { bytefield}
\end { lrbox}
@ -686,7 +702,7 @@ disclosing its \nullifier $\nf$, allowing $\nf$ to be used to prevent double-spe
Transmitted \notes are stored on the blockchain in encrypted form, together with
a \noteCommitment $ \cm $ .
The \notePlaintexts associated with a \joinSplitDescription are encrypted to the
The \notePlaintexts in a \joinSplitDescription are encrypted to the
respective \transmissionKeys $ \TransmitPublicNew { \allNew } $ ,
and the result forms part of a \notesCiphertext (see \crossref { inband}
for further details).
@ -720,11 +736,11 @@ The encoding of a \notePlaintext consists of, in order:
\begin { equation*}
\begin { bytefield} [bitwidth=0.029em]{ 1608}
\changed {
\bitbox { 192} { 8 bit $ \NotePlaintextLeadByte $ }
& } \bitbox { 192} { $ \Value $ (8 bytes) } &
\bitbox { 256} { $ \NoteAddressRand $ (32 bytes) } &
\bitbox { 256} { $ \NoteCommitRand $ (\changed { 32} bytes)} &
\changed { \bitbox { 800} { $ \Memo $ (128 bytes)} }
\bitbox { 192} { $ 8 $ - bit $ \NotePlaintextLeadByte $ }
& } \bitbox { 192} { $ 64 $ -bit $ \Value $ } &
\bitbox { 256} { $ 256 $ -bit $ \NoteAddressRand $ } &
\bitbox { 256} { \changed { $ 256 $ } -bit $ \NoteCommitRand $ } &
\changed { \bitbox { 800} { $ \Memo $ ($ 128 $ bytes)} }
\end { bytefield}
\end { equation*}
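Review bot: The rewritten note-plaintext diagram states the first four fields in bits (`$8$-bit`, `$64$-bit`, `$256$-bit`) but the memo in bytes (`$\Memo$ ($128$ bytes)`), making it the only bytefield in this diff that mixes units. For consistency with the payment-address and spending-key diagrams later on, `\changed{\bitbox{800}{$1024$-bit $\Memo$}}` (or stating every field in bytes) would read more uniformly.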
@ -769,8 +785,8 @@ and $0 \leq i < 2^h$,
\newsavebox { \merklebox }
\begin { lrbox} { \merklebox }
\begin { bytefield} [bitwidth=0.04em]{ 512}
\bitbox { 256} { 256 bit $ \MerkleNode { h + 1 } { 2 i } $ } &
\bitbox { 256} { 256 bit $ \MerkleNode { h + 1 } { 2 i + 1 } $ }
\bitbox { 256} { $ 256 $ - bit $ \MerkleNode { h + 1 } { 2 i } $ } &
\bitbox { 256} { $ 256 $ - bit $ \MerkleNode { h + 1 } { 2 i + 1 } $ }
\end { bytefield}
\end { lrbox}
@ -864,7 +880,7 @@ as a fee.
A \joinSplitDescription is data included in a \transaction that describes a \joinSplitTransfer ,
i.e. a confidential value transfer. This kind of value transfer is the primary
\Zcash -specific operation performed by \transactions ; it uses, but should not be
confused with, the \J oinSplitCircuit used for the \zkSNARK proof and verification.
confused with, the \j oinSplitCircuit used for the \zkSNARK proof and verification.
A \joinSplitTransfer spends $ \NOld $ \notes $ \cOld { \allOld } $ and transparent input
$ \vpubOld $ , and creates $ \NNew $ \notes $ \cNew { \allNew } $ and transparent output
@ -877,7 +893,8 @@ Either $\vpubOld$ or $\vpubNew$ \MUST be zero.
\Zcash \transactions have the following additional fields:
\begin { center}
\begin { tabularx} { 0.9\textwidth } { |c|l|p{ 10.49em} |X|}
\hbadness =4000
\begin { tabularx} { 0.92\textwidth } { |c|l|p{ 10.7em} |X|}
\hline
Bytes & \heading { Name} & \heading { Data Type} & \heading { Description} \\
\hhline { |=|=|=|=|}
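Review bot: `\hbadness=4000` is dropped in bare before `\begin{tabularx}` with nothing saying why; it silences underfull-hbox warnings for the whole table (scoped to the enclosing `center`), which will also hide genuine layout regressions the next time `p{10.7em}`/`0.92\textwidth` are retuned. A one-line comment such as `% raise the underfull threshold for this hand-tuned table -- TODO note which column triggers it` would record the intent, and the same applies to the `\hbadness=2000` added in the JoinSplitDescription table hunk further down. The two tables use different thresholds (4000 vs 2000) without explanation; if that is deliberate, say so, otherwise pick one.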
@ -889,7 +906,7 @@ $1026 \times \nJoinSplit$ & $\vJoinSplit$ &
\type { JoinSplitDescription} \type { [$ \nJoinSplit $ ]} &
The \sequenceOfJoinSplitDescriptions in this \transaction . \\ \hline
33 $ \dagger $ & $ \joinSplitPubKey $ & \type { char[33]} & An encoding of a ECDSA public verification key,
33 $ \dagger $ & $ \joinSplitPubKey $ & \type { char[33]} & An encoding of an ECDSA public verification key,
using the secp256k1 curve and parameters defined in \cite { sec2-ecdsa} and
\cite { secp256k1} . \\ \hline
@ -908,7 +925,8 @@ more detail in \crossref{nonmalleability}.
Each \type { JoinSplitDescription} consists of:
\begin { center}
\begin { tabularx} { 0.9\textwidth } { |c|l|l|X|}
\hbadness =2000
\begin { tabularx} { 0.92\textwidth } { |c|l|l|X|}
\hline
Bytes & \heading { Name} & \heading { Data Type} & \heading { Description} \\
\hhline { |=|=|=|=|}
@ -958,10 +976,10 @@ The $\ephemeralKey$ and $\encCiphertexts$ fields together form the \notesCiphert
\begin { lrbox} { \hsigbox }
\setchanged
\begin { bytefield} [bitwidth=0.04em]{ 1024}
\bitbox { 256} { 256 bit $ \randomSeed $ }
\bitbox { 256} { \hfill 256 bit $ \nfOld { \mathrm { 1 } } $ \hfill ...\; } &
\bitbox { 256} { 256 bit $ \nfOld { \NOld } $ } &
\bitbox { 256} { 256 bit $ \pubKeyHash $ }
\bitbox { 256} { $ 256 $ - bit $ \randomSeed $ }
\bitbox { 256} { \hfill $ 256 $ - bit $ \nfOld { \mathrm { 1 } } $ \hfill ...\; } &
\bitbox { 256} { $ 256 $ - bit $ \nfOld { \NOld } $ } &
\bitbox { 256} { $ 256 $ - bit $ \pubKeyHash $ }
\end { bytefield}
\end { lrbox}
@ -1015,8 +1033,8 @@ omitted. Otherwise, a \transaction has a correct \joinSplitSignature if:
\item $ \joinSplitSig $ can be verified as an encoding of a signature on
$ \dataToBeSigned $ , using the ECDSA public key encoded as $ \joinSplitPubKey $ ; and
\item $ \joinSplitSig $ has an $ \ECDSAs $ value in the lower half of the possible range
(i.e. $ \ECDSAs $ must be in the range from 0x1 to \linebreak
0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0,
(i.e.$ \; \ECDSAs $ must fall into the range from \linebreak
$ \hexint { 1 } $ to $ \hexint { 7 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 5 D 576 E 7357 A 4501 DDFE 92 F 46681 B 20 A 0 } $ \linebreak
inclusive).
\end { itemize}
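Review bot: The upper bound `\hexint{7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0}` is a bare 64-digit constant with nothing in the source relating it to the curve, so a reader or later editor cannot check it without recomputing; a comment such as `% = floor(n/2) for the secp256k1 group order n; the low-s rule rejects the malleable high-s counterpart` would make the check verifiable at a glance (the value is indeed ⌊n/2⌋ for that order). Because the constant now sits inside `$...$` it cannot break across lines, which is why both `\linebreak`s are needed; expect an underfull first line and consider allowing a break inside `\hexint` (e.g. `\allowbreak` after the first 32 digits) instead of forcing breaks around it. Also `(i.e.$\;\ECDSAs$` puts the thin space inside math right after the abbreviation; the conventional form is `(i.e.\ $\ECDSAs$` or `(i.e., $\ECDSAs$`.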
@ -1027,8 +1045,8 @@ If $\ECDSAs$ is not in the given range, the signature is treated as invalid.
\begin { lrbox} { \sigbox }
\setchanged
\begin { bytefield} [bitwidth=0.075em]{ 512}
\bitbox { 256} { 256 bit $ \ECDSAr $ }
\bitbox { 256} { 256 bit $ \ECDSAs $ }
\bitbox { 256} { $ 256 $ - bit $ \ECDSAr $ }
\bitbox { 256} { $ 256 $ - bit $ \ECDSAs $ }
\end { bytefield}
\end { lrbox}
@ -1036,15 +1054,15 @@ If $\ECDSAs$ is not in the given range, the signature is treated as invalid.
\begin { lrbox} { \pubkeybox }
\setchanged
\begin { bytefield} [bitwidth=0.075em]{ 264}
\bitbox { 14} { 0}
\bitbox { 14} { 0}
\bitbox { 14} { 0}
\bitbox { 14} { 0}
\bitbox { 14} { 0}
\bitbox { 14} { 0}
\bitbox { 14} { 1}
\bitbox { 56} { 1 bit $ \tilde { y } _ P $ }
\bitbox { 256} { 256 bit $ x _ P $ }
\bitbox { 14} { $ 0 $ }
\bitbox { 14} { $ 0 $ }
\bitbox { 14} { $ 0 $ }
\bitbox { 14} { $ 0 $ }
\bitbox { 14} { $ 0 $ }
\bitbox { 14} { $ 0 $ }
\bitbox { 14} { $ 1 $ }
\bitbox { 56} { $ 1 $ - bit $ \tilde { y } _ P $ }
\bitbox { 256} { $ 256 $ - bit $ x _ P $ }
\end { bytefield}
\end { lrbox}
@ -1070,7 +1088,7 @@ $y$-coordinate $\tilde{y}_P$:
Note that only compressed public keys are valid.
}
The condition enforced by the \J oinSplitCircuit specified in \crossref { nonmalleablepour}
The condition enforced by the \j oinSplitCircuit specified in \crossref { nonmalleablepour}
ensures that a holder of all of $ \AuthPrivateOld { \allOld } $ for each
\joinSplitDescription has authorized the use of the private signing key corresponding
to $ \joinSplitPubKey $ to sign this \transaction .
@ -1194,8 +1212,8 @@ All of the resulting ciphertexts are combined to form a \notesCiphertext.
\begin { lrbox} { \kdftagbox }
\setchanged
\begin { bytefield} [bitwidth=0.16em]{ 128}
\bitbox { 64} { 64 bit $ \ascii { ZcashKDF } $ } &
\bitbox { 32} { 8 bit $ i \! - \! 1 $ }
\bitbox { 64} { $ 64 $ - bit $ \ascii { ZcashKDF } $ } &
\bitbox { 32} { $ 8 $ - bit $ i \! - \! 1 $ }
\bitbox { 56} { $ \zeros { 56 } $ }
\end { bytefield}
\end { lrbox}
@ -1204,10 +1222,10 @@ All of the resulting ciphertexts are combined to form a \notesCiphertext.
\begin { lrbox} { \kdfinputbox }
\setchanged
\begin { bytefield} [bitwidth=0.04em]{ 1024}
\bitbox { 256} { 256-bit $ \hSig $ }
\bitbox { 256} { 256 bit $ \DHSecret { i } $ } &
\bitbox { 256} { 256 bit $ \EphemeralPublic $ } &
\bitbox { 256} { 256 bit $ \TransmitPublicNew { i } $ } &
\bitbox { 256} { $ 256 $ -bit $ \hSig $ }
\bitbox { 256} { $ 256 $ - bit $ \DHSecret { i } $ } &
\bitbox { 256} { $ 256 $ - bit $ \EphemeralPublic $ } &
\bitbox { 256} { $ 256 $ - bit $ \TransmitPublicNew { i } $ } &
\end { bytefield}
\end { lrbox}
@ -1341,8 +1359,7 @@ the \term{raw encoding}. This byte sequence can then be further encoded using
Base58Check. The Base58Check layer is the same as for upstream \Bitcoin
addresses \cite { Base58Check} .
SHA-256 compression function outputs are always represented as sequences of 32
bytes.
$ \SHAName $ outputs are always represented as sequences of 32 bytes.
The language consisting of the following encoding possibilities is prefix-free.
@ -1357,7 +1374,7 @@ These are encoded in the same way as in \Bitcoin \cite{Base58Check}.
\subsection { Protected Payment Addresses}
A \paymentAddress consists of $ \AuthPublic $ and $ \TransmitPublic $ .
$ \AuthPublic $ is a SHA-256 compression function output.
$ \AuthPublic $ is a $ \SHAName $ output.
$ \TransmitPublic $ is a \changed { Curve25519} public key, for use with the
encryption scheme defined in \crossref { inband} .
@ -1366,9 +1383,9 @@ The raw encoding of a \paymentAddress consists of:
\begin { equation*}
\begin { bytefield} [bitwidth=0.07em]{ 520}
\changed {
\bitbox { 72} { 8 bit $ \PaymentAddressLeadByte $ }
& } \bitbox { 256} { 256 bit $ \AuthPublic $ } &
\bitbox { 256} { \changed { 256 bit} $ \TransmitPublic $ }
\bitbox { 72} { $ 8 $ - bit $ \PaymentAddressLeadByte $ }
& } \bitbox { 256} { $ 256 $ - bit $ \AuthPublic $ } &
\bitbox { 256} { \changed { $ 256 $ } -bit $ \TransmitPublic $ }
\end { bytefield}
\end { equation*}
@ -1396,9 +1413,9 @@ The raw encoding of a \spendingKey consists of, in order:
\begin { equation*}
\begin { bytefield} [bitwidth=0.07em]{ 264}
\changed {
\bitbox { 72} { 8 bit $ \SpendingKeyLeadByte $ }
\bitbox { 72} { $ 8 $ - bit $ \SpendingKeyLeadByte $ }
\bitbox { 32} { $ \zeros { 4 } $ } &
& } \bitbox { 252} { \changed { 252} bit $ \AuthPrivate $ }
& } \bitbox { 252} { \changed { $ 252 $ } - bit $ \AuthPrivate $ }
\end { bytefield}
\end { equation*}
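Review bot: The field separators in the spending-key diagram are uneven: there is no `&` after the lead-byte box `\bitbox{72}{$8$-bit $\SpendingKeyLeadByte$}`, while the `\bitbox{32}{$\zeros{4}$}` line ends with `&` and the following line starts with `& }` again, giving two consecutive `&`. The payment-address diagram in the preceding hunk uses exactly one `&` between fields. If bytefield treats `&` as a field separator, the doubled one inserts an empty field; if it is optional, it is merely noise — either way, moving the trailing `&` from the `\zeros{4}` line to the lead-byte line and keeping the single `& }` matches the other diagrams.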
@ -1596,7 +1613,7 @@ transactions into a generalized \joinSplitTransfer which always uses a ZK proof,
it does not require the nesting. A side benefit is that this reduces the
number of $ \SHA $ evaluations needed to compute each \noteCommitment from
three to two, saving a total of four $ \SHA $ evaluations in the
$ \JoinSplitCircuit $ .
\joinSplitCircuit .
Note that \Zcash \noteCommitments are not statistically hiding, and
so \Zcash does not support the ``everlasting anonymity'' property