@ -629,9 +629,9 @@ and the result forms part of a \coinsCiphertext (see \crossref{inband}
for further details).
Each \coinPlaintext (denoted $ \CoinPlaintext { } $ ) consists of
$ ( \changed { \AuthPublic , \; } \ Value , \CoinAddressRand , \CoinCommitRand \changed { , \Memo } ) $ .
$ ( \Value , \CoinAddressRand , \CoinCommitRand \changed { , \Memo } ) $ .
The first \changed { four}
The first three of these fields are as defined earlier.
\changed { $ \Memo $ is a 64-byte \memo associated with this \coin .
The usage of the $ \memo $ is by agreement between the sender and recipient of the
@ -646,9 +646,7 @@ software, but specification of such usage is not in the scope of this document.
The encoding of a \coinPlaintext consists of, in order:
\begin { equation*}
\begin { bytefield} [bitwidth=0.035em]{ 1288}
\changed {
\bitbox { 256} { $ \AuthPublic $ (32 bytes)} &
& } \bitbox { 168} { $ \Value $ (8 bytes)} &
\bitbox { 168} { $ \Value $ (8 bytes)} &
\bitbox { 256} { $ \CoinAddressRand $ (32 bytes)} &
\bitbox { 192} { $ \CoinCommitRand $ (\changed { 24} bytes)} &
\changed { \bitbox { 512} { $ \Memo $ (64 bytes)} }
@ -656,9 +654,6 @@ The encoding of a \coinPlaintext consists of, in order:
\end { equation*}
\begin { itemize}
\changed {
\item 32 bytes specifying $ \AuthPublic $ .
}
\item 8 bytes specifying $ \Value $ .
\item 32 bytes specifying $ \CoinAddressRand $ .
\item \changed { 24} bytes specifying $ \CoinCommitRand $ .
@ -1107,28 +1102,31 @@ The resulting \coinsCiphertext is $\changed{(\EphemeralPublic,
\subsection { Decryption by a Recipient}
Let $ ( \TransmitPublic , \TransmitPrivate ) $ be the recipient's \changed { Curve25519}
(public, private) key pair, and let $ \cmNew { \allNew } $ be the \coinCommitments of
each output coin. Then for each $ i \in \setofNew $ , the recipient will attempt to
decrypt that ciphertext component as follows:
Let $ \PaymentAddress = ( \AuthPublic , \TransmitPublic ) $ be the recipient's
\paymentAddress , and let $ \TransmitPrivate $ be the recipient's \changed { Curve25519}
private key. Let $ \cmNew { \allNew } $ be the \coinCommitments of each output coin.
Then for each $ i \in \setofNew $ , the recipient will attempt to decrypt that ciphertext
component as follows:
\changed {
\begin { itemize}
\item Let $ \DHSecret { i } : = \CurveMultiply ( \TransmitPrivate , \EphemeralPublic ) $ .
\item Let $ \TransmitKey { i } : = \KDF ( \DHSecret { i } , \EphemeralPublic ,
\TransmitPublicNew { i} , i)$ .
\item Return $ \DecryptNote ( \TransmitKey { i } , \TransmitCiphertext { i } , \cmNew { i } ) . $
\item Return $ \DecryptNote ( \TransmitKey { i } , \TransmitCiphertext { i } , \cmNew { i } ,
\AuthPublic ).$
\end { itemize}
$ \DecryptNote ( \TransmitKey { i } , \TransmitCiphertext { i } , \cmNew { i } ) $ is defined as follows:
$ \DecryptNote ( \TransmitKey { i } , \TransmitCiphertext { i } , \cmNew { i } , \AuthPublic ) $
is defined as follows:
\begin { itemize}
\item Let $ \TransmitPlaintext { i } : =
\SymDecrypt { \TransmitKey { i} } (\TransmitCiphertext { i} )$ .
\item If $ \TransmitPlaintext { i } = \bot $ , return $ \bot $ .
\item Extract $ \CoinPlaintext { i } = ( \AuthPublicNew { i } , \ ValueNew { i } ,
\item Extract $ \CoinPlaintext { i } = ( \ValueNew { i } ,
\CoinAddressRandNew { i} , \CoinCommitRandNew { i} , \Memo _ i)$ from $ \TransmitPlaintext { i} $ .
\item If $ \Commitment ( ( \AuthPublicNew { i } , \ValueNew { i } , \CoinAddressRandNew { i } ,
\item If $ \Commitment ( ( \AuthPublic , \ValueNew { i } , \CoinAddressRandNew { i } ,
\CoinCommitRandNew { i} )) \neq \cmNew { i} $ , return $ \bot $ , else return $ \CoinPlaintext { i} $ .
\end { itemize}
}
Daira Hopwood
8 years ago