|
|
@ -1238,7 +1238,7 @@ $\ZKJoinSplitVerify$ and $\ZKJoinSplitProve$, taking them to be the particular |
|
|
|
|
|
|
|
Let $\KA$ be a \keyAgreementScheme, instantiated in \crossref{concretekeyagreement}. |
|
|
|
|
|
|
|
A new \spendingKey $\AuthPrivate$ is generated by sampling a bit string |
|
|
|
A new \spendingKey $\AuthPrivate$ is generated by choosing a bit string |
|
|
|
uniformly at random from $\bitseq{\AuthPrivateLength}$. |
|
|
|
|
|
|
|
\changed{ |
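Review bot: the wording change from "sampling a bit string" to "choosing a bit string" leaves the requirement unchanged (uniform over $\bitseq{\AuthPrivateLength}$), but "sampling" is the standard term for drawing from a distribution and reads less like a human choice; if "choosing" is kept, the surrounding prose should make explicit that the choice must come from a cryptographically secure random source, since a \spendingKey drawn with poor entropy is the whole security of the key. Also note that `\changed{` opens a markup group whose closing brace is outside this hunk; confirm the braces balance after the edit.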
|
|
@ -1933,6 +1933,7 @@ all instantiated using the $\SHAName$ function: |
|
|
|
\end{bytefield} |
|
|
|
\end{lrbox} |
|
|
|
|
|
|
|
\vspace{-2ex} |
|
|
|
\begin{equation*} |
|
|
|
\begin{aligned} |
|
|
|
\setchanged \PRFaddr{x}(t) &\setchanged := \CRHbox{\addrbox} \\ |
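Review bot: the only addition in this hunk is the layout tweak `\vspace{-2ex}`; it does not affect the definition of $\PRFaddr{x}(t) := \CRHbox{\addrbox}$, but negative vertical space inserted between the `lrbox` and the `equation*` can make the formula overlap the preceding box when the box is taller than expected, so check the rendered output rather than relying on the source. The `\setchanged` marker appears twice on the same line (before `\PRFaddr` and before `:=`); if the whole line is meant to be marked as changed, one marker at the start of the line is enough.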
|
|
@ -2470,7 +2471,7 @@ computation, which has yet to be performed. |
|
|
|
The \Zcash \transaction format is as follows: |
|
|
|
|
|
|
|
\begin{center} |
|
|
|
\hbadness=4000 |
|
|
|
\hbadness=10000 |
|
|
|
\begin{tabularx}{0.92\textwidth}{|c|l|p{10.7em}|X|} |
|
|
|
\hline |
|
|
|
Bytes & \heading{Name} & \heading{Data Type} & \heading{Description} \\ |
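Review bot: raising `\hbadness` from 4000 to 10000 silences every underfull and overfull hbox warning for this table, which can hide genuine overflow in the `X` (Description) or `p{10.7em}` (Data Type) columns where a long identifier is cut off at the cell edge; since the setting is local to the `center` group that is fine scope-wise, but the log entries that motivated the change should be reviewed once to confirm they were cosmetic. Separately, the header cell `Bytes` is not wrapped in `\heading{}` while `Name`, `Data Type` and `Description` are; for consistent styling write `\heading{Bytes}`.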
|
|
@ -2920,7 +2921,7 @@ must be distinct. This is true regardless of whether the \nullifiers |
|
|
|
corresponded to real or dummy notes (see \crossref{dummynotes}). |
|
|
|
The \nullifiers are used as input to $\Blake{256}$ |
|
|
|
to derive a public value $\hSig$ which uniquely identifies the transaction, |
|
|
|
as described in \crossref{hsig}. ($\hSig$ was already used in \Zerocash |
|
|
|
as described in \crossref{joinsplitdesc}. ($\hSig$ was already used in \Zerocash |
|
|
|
in a way that requires it to be unique in order to maintain |
|
|
|
indistinguishability of \joinSplitDescriptions; adding the \nullifiers |
|
|
|
to the input of the hash used to calculate it has the effect of making |
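Review bot: the cross-reference target for "as described in" changes from `hsig` to `joinsplitdesc`; the sentence refers specifically to the derivation of $\hSig$ from the \nullifiers via $\Blake{256}$, so pointing to the broader \joinSplitDescription section is less precise than the dedicated `hsig` label. Keep the change only if the `hsig` label has been removed or the derivation has been moved into `joinsplitdesc`; otherwise retain `\crossref{hsig}`.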
|
|
@ -3163,7 +3164,7 @@ distinct openings of the \noteCommitment when Condition I or II is violated. |
|
|
|
did not actually use $\NoteCommitS$, and neither does the new |
|
|
|
instantiation of $\Commit{}$ in \Zcash. $\TransmitPublic$ is also |
|
|
|
not needed as part of a \note: it is not an input to $\Commit{}$ nor |
|
|
|
is it constrained by the \Zerocash \POUR \statement or the |
|
|
|
is it constrained by the \Zerocash \POUR{} \statement or the |
|
|
|
\Zcash \joinSplitStatement. $\cm$ can be computed from the other fields. |
|
|
|
\item The length of proof encodings given in the paper is 288 bytes. |
|
|
|
This differs from the 296 bytes specified in \crossref{proofencoding}, |
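Review bot: `\POUR` to `\POUR{}` correctly restores the interword space that TeX swallows after a control word, so "POUR statement" no longer renders as "POURstatement". Check whether `\POUR` is defined with `\xspace` like the neighbouring `\Zerocash` and `\Zcash` macros (which are written without `{}` in the same lines); if it is, the braces are unnecessary and the definition should be fixed instead so that every use of `\POUR` benefits, and if it is not, other occurrences of `\POUR` followed by a macro or text will need the same fix.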
|
|
|