|
|
@ -805,10 +805,11 @@ If $\ECDSAs$ is not in the given range, the signature is treated as invalid. |
|
|
|
|
|
|
|
\newsavebox{\pubkeybox} |
|
|
|
\begin{lrbox}{\pubkeybox} |
|
|
|
\begin{bytefield}[bitwidth=0.075em]{520} |
|
|
|
\bitbox{80}{8 bit $\hexint{04}$} |
|
|
|
\bitbox{256}{256 bit xxx} |
|
|
|
\bitbox{256}{256 bit xxx} |
|
|
|
\begin{bytefield}[bitwidth=0.075em]{264} |
|
|
|
\bitbox{64}{$\zeros{6}$} |
|
|
|
\bitbox{18}{1} |
|
|
|
\bitbox{56}{1 bit $\tilde{y}_P$} |
|
|
|
\bitbox{256}{256 bit $x_P$} |
|
|
|
\end{bytefield} |
|
|
|
\end{lrbox} |
|
|
|
|
|
|
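Review bot: the first byte of the new 264-bit compressed-point diagram is spelled out bit by bit (`\bitbox{64}{$\zeros{6}$}`, `\bitbox{18}{1}`, `\bitbox{56}{1 bit $\tilde{y}_P$}`), whereas the removed 520-bit diagram named its first byte directly as `8 bit $\hexint{04}$`; a reader checking this against the cited point-encoding standard will want the equivalent statement here, namely that the leading byte is $\hexint{02}$ when $\tilde{y}_P = 0$ and $\hexint{03}$ when $\tilde{y}_P = 1$, either inside the box or in the prose that places `\pubkeybox`. It is also worth stating next to the diagram that the encoding is 33 bytes (6 + 1 + 1 + 256 bits), since the `264` in `\begin{bytefield}[bitwidth=0.075em]{264}` is only a drawing width and the box widths (`18`, `56`) are visual, not bit counts.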
@ -820,13 +821,19 @@ The encoding of a signature is: |
|
|
|
|
|
|
|
where $\ECDSAr$ and $\ECDSAs$ are as defined in \cite{sec2-ecdsa}. |
|
|
|
|
|
|
|
The encoding of a public key is: |
|
|
|
The encoding of a public key is as defined in section E.2.3.2 of \cite{std1363} |
|
|
|
for a compressed elliptic curve point with $x$-coordinate $x_P$ and compressed |
|
|
|
$y$-coordinate $\tilde{y}_P$: |
|
|
|
|
|
|
|
\begin{itemize} |
|
|
|
\item[] $\Justthebox{\pubkeybox}{-1.3ex}$ |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
The $\pourPubKey$ is cryptographically bound to $\PourProof$. |
|
|
|
Note that only compressed public keys are valid. |
|
|
|
|
|
|
|
The condition \crossref{nonmalleablepour} in the \zkSNARK statement ensures |
|
|
|
that a holder of all of $\AuthPrivateOld{\allOld}$ has authorized the use of |
|
|
|
the private key corresponding to $\pourPubKey$ to sign this transaction. |
|
|
|
|
|
|
|
|
|
|
|
\subsection{Balance} |
|
|
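Review bot: "Note that only compressed public keys are valid." states what is accepted but not what a verifier does with anything else, while the context line at the top of the previous hunk handles the analogous case for $\ECDSAs$ explicitly ("the signature is treated as invalid"); mirror that wording here, e.g. "If $\pourPubKey$ is not a valid compressed encoding (a first byte other than $\hexint{02}$ or $\hexint{03}$, a length other than 33 bytes, or an $x_P$ that does not decompress to a point on the curve), the transaction is invalid." A second, smaller point: the existing sentence "The $\pourPubKey$ is cryptographically bound to $\PourProof$." is now only justified by the paragraph added after it ("The condition \crossref{nonmalleablepour} in the \zkSNARK statement ensures ..."); consider joining the two so the first sentence reads as a claim with its mechanism rather than a bare assertion separated by the "only compressed public keys" note.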
@ -903,7 +910,7 @@ $\snOld{i} = \PRFsn{\AuthPrivateOld{i}}(\CoinAddressRandOld{i})$. |
|
|
|
for each $i \in \setofOld$: |
|
|
|
$\AuthPublicOld{i} = \changed{\PRFaddr{\AuthPrivateOld{i}}(0)}$. |
|
|
|
|
|
|
|
\subparagraph{Non-malleability} |
|
|
|
\subparagraph{Non-malleability} \label{nonmalleablepour} |
|
|
|
|
|
|
|
for each $i \in \setofOld$: |
|
|
|
$\h{i} = \PRFpk{\AuthPrivateOld{i}}(i, \hSig)$. |
|
|
|
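Review bot: the added `\label{nonmalleablepour}` is attached to a `\subparagraph`, which in the standard LaTeX classes lies below the default `secnumdepth` and is therefore unnumbered, so a plain `\ref` to this label would print the number of the enclosing numbered section instead of identifying the Non-malleability condition; confirm that the `\crossref` used in the previous hunk renders a meaningful reference (heading text, hyperlink, or a named anchor) rather than a bare section number, or attach the label to a numbered or explicitly named target.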