|
|
|
@ -1862,9 +1862,16 @@ $\JoinSplitSigVerify{\text{\small\joinSplitPubKey}}(\dataToBeSigned, \joinSplitS |
|
|
|
% FIXME: distinguish pubkey and signature from their encodings. |
|
|
|
} |
|
|
|
|
|
|
|
The condition enforced by the \joinSplitStatement specified in \crossref{nonmalleablepour} |
|
|
|
ensures that a holder of all of $\AuthPrivateOld{\allOld}$ for each |
|
|
|
\joinSplitDescription has authorized the use of the private signing key corresponding |
|
|
|
Let $\hSig$ be computed as specified in \crossref{joinsplitdesc}, and let |
|
|
|
$\PRFpk{}$ be as defined in \crossref{abstractprfs}. |
|
|
|
|
|
|
|
For each $i \in \setofOld$, the creator of a \joinSplitDescription calculates |
|
|
|
$\h{i} = \PRFpk{\AuthPrivateOld{i}}(i, \hSig)$. |
|
|
|
|
|
|
|
The correctness of $\h{\allOld}$ is enforced by the \joinSplitStatement |
|
|
|
specified in \crossref{nonmalleablejs}. This ensures that a holder of all of |
|
|
|
the $\AuthPrivateOld{\allOld}$ for every \joinSplitDescription in the |
|
|
|
\transaction has authorized the use of the private signing key corresponding |
|
|
|
to $\joinSplitPubKey$ to sign this \transaction. |
|
|
|
|
|
|
|
|
|
|
|
@ -1971,7 +1978,7 @@ $\nfOld{i} = \PRFnf{\AuthPrivateOld{i}}(\NoteAddressRandOld{i})$. |
|
|
|
for each $i \in \setofOld$: |
|
|
|
$\AuthPublicOld{i} = \changed{\PRFaddr{\AuthPrivateOld{i}}(0)}$. |
|
|
|
|
|
|
|
\subparagraph{Non-malleability} \label{nonmalleablepour} |
|
|
|
\subparagraph{Non-malleability} \label{nonmalleablejs} |
|
|
|
|
|
|
|
for each $i \in \setofOld$: |
|
|
|
$\h{i} = \PRFpk{\AuthPrivateOld{i}}(i, \hSig)$. |
|
|
|
@ -3148,7 +3155,11 @@ components for the encrypted output \notes, $\TransmitCiphertext{\allNew}$. \\ \ |
|
|
|
\end{tabularx} |
|
|
|
\end{center} |
|
|
|
|
|
|
|
The $\ephemeralKey$ and $\encCiphertexts$ fields together form the \notesCiphertext. |
|
|
|
The $\vmacs$ field encodes $\h{\allOld}$ which are computed as described in |
|
|
|
\crossref{nonmalleability}. |
|
|
|
|
|
|
|
The $\ephemeralKey$ and $\encCiphertexts$ fields together form the \notesCiphertext, |
|
|
|
which is computed as described in \crossref{inband}. |
|
|
|
|
|
|
|
Consensus rules applying to a \joinSplitDescription are given in \crossref{joinsplitdesc}. |
|
|
|
|
|
|
|
@ -4143,6 +4154,13 @@ The errors in the proof of Ledger Indistinguishability mentioned in |
|
|
|
\introlist |
|
|
|
\nsection{Change history} |
|
|
|
|
|
|
|
\subparagraph{2017.0-beta-2.7} |
|
|
|
|
|
|
|
\begin{itemize} |
|
|
|
\item Clarify the computation of $\h{i}$ in a \joinSplitStatement. |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
\introlist |
|
|
|
\subparagraph{2017.0-beta-2.6} |
|
|
|
|
|
|
|
\begin{itemize} |
|
|
|
|
Daira Hopwood
7 years ago