|
|
@ -109,8 +109,10 @@ |
|
|
|
\newcommand{\CoinAddressRand}{\mathsf{\uprho}} |
|
|
|
\newcommand{\CoinAddressRandOld}[1]{\mathsf{\uprho^{old}_\mathnormal{#1}}} |
|
|
|
\newcommand{\CoinAddressRandNew}[1]{\mathsf{\uprho^{new}_\mathnormal{#1}}} |
|
|
|
\newcommand{\CoinAddressPreRand}{\mathsf{\upvarphi}} |
|
|
|
\newcommand{\CoinCommitS}{\mathsf{s}} |
|
|
|
\newcommand{\TransmitPlaintextVersionByte}{\mathbf{0x00}} |
|
|
|
\newcommand{\hSigInputVersionByte}{\mathbf{0x00}} |
|
|
|
\newcommand{\Memo}{\mathsf{memo}} |
|
|
|
\newcommand{\CryptoBox}{\mathsf{crypto\_box}} |
|
|
|
\newcommand{\CryptoBoxOpen}{\mathsf{crypto\_box\_open}} |
|
|
@ -124,13 +126,14 @@ |
|
|
|
\newcommand{\TransmitDecrypt}[1]{\mathsf{Decrypt}_{#1}} |
|
|
|
\newcommand{\CRH}{\mathsf{CRH}} |
|
|
|
\newcommand{\CRHbox}[1]{\CRH\left(\;\raisebox{-1.3ex}{\usebox{#1}}\;\right)} |
|
|
|
\newcommand{\CryptoBoxSealHash}{\mathtt{SHA256}} |
|
|
|
\newcommand{\CryptoBoxSealHashbox}[1]{\CryptoBoxSealHash\left(\;\raisebox{-1.3ex}{\usebox{#1}}\;\right)} |
|
|
|
\newcommand{\FullHash}{\mathtt{SHA256}} |
|
|
|
\newcommand{\FullHashbox}[1]{\FullHash\left(\;\raisebox{-1.3ex}{\usebox{#1}}\;\right)} |
|
|
|
\newcommand{\Justthebox}[1]{\;\raisebox{-1.3ex}{\usebox{#1}}\;} |
|
|
|
\newcommand{\PRF}[2]{\mathsf{{PRF}^{#2}_\mathnormal{#1}}} |
|
|
|
\newcommand{\PRFaddr}[1]{\PRF{#1}{addr}} |
|
|
|
\newcommand{\PRFsn}[1]{\PRF{#1}{sn}} |
|
|
|
\newcommand{\PRFpk}[1]{\PRF{#1}{pk}} |
|
|
|
\newcommand{\PRFrho}[1]{\PRF{#1}{\CoinAddressRand}} |
|
|
|
\newcommand{\SHA}{\mathtt{SHA256Compress}} |
|
|
|
\newcommand{\SHAName}{\term{SHA-256 compression}} |
|
|
|
\newcommand{\SHAOrig}{\term{SHA-256}} |
|
|
@ -230,16 +233,17 @@ is used which takes a 512-bit block and produces a 256-bit hash. This is |
|
|
|
different from the $\SHAOrig$ function, which hashes arbitrary-length strings. |
|
|
|
\cite{sha256} |
|
|
|
|
|
|
|
$\PRF{x}{}$ is a pseudo-random function seeded by $x$. Three \emph{independent} |
|
|
|
$\PRF{x}{}$ are needed in our scheme: $\PRFaddr{x}$, $\PRFsn{x}$, and $\PRFpk{x}$. |
|
|
|
It is required that $\PRFsn{x}$ be collision-resistant across all $x$ --- i.e. it |
|
|
|
should not be feasible to find $(x, y) \neq (x', y')$ such that |
|
|
|
$\PRFsn{x}(y) = \PRFsn{x'}(y')$. |
|
|
|
$\PRF{x}{}$ is a pseudo-random function seeded by $x$. Four \emph{independent} |
|
|
|
$\PRF{x}{}$ are needed in our scheme: $\PRFaddr{x}$, $\PRFsn{x}$, $\PRFpk{x}$, and |
|
|
|
$\PRFrho{x}$. It is required that $\PRFsn{x}$ and $\PRFrho{x}$ be |
|
|
|
collision-resistant across all $x$ --- i.e. it should not be feasible to find |
|
|
|
$(x, y) \neq (x', y')$ such that $\PRFsn{x}(y) = \PRFsn{x'}(y')$, and similarly |
|
|
|
for $\PRFrho{}$. |
|
|
|
|
|
|
|
In \Zcash, the $\SHAName$ function is used to construct all three of these |
|
|
|
functions. The bits $\mathtt{00}$, $\mathtt{01}$ and $\mathtt{10}$ are included |
|
|
|
(respectively) within the blocks that are hashed, ensuring that the functions are |
|
|
|
independent. |
|
|
|
In \Zcash, the $\SHAName$ function is used to construct all four of these |
|
|
|
functions. The bits $\mathtt{00}$, $\mathtt{01}$, $\mathtt{10}$, and $\mathtt{11}$ |
|
|
|
are included (respectively) within the blocks that are hashed, ensuring that the |
|
|
|
functions are independent. |
|
|
|
|
|
|
|
\newsavebox{\addrbox} |
|
|
|
\begin{lrbox}{\addrbox} |
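Review bot: The new requirement that $\PRFrho{x}$ be collision-resistant across all $x$ is stated without saying what it protects, and here the seed $\CoinAddressPreRand$ is chosen by the sender rather than held secret like $\SpendAuthorityPrivate$, so the "across all $x$" part is doing real work against a malicious sender. I would add after L169 a sentence such as `This ensures that two distinct \coins cannot share a $\CoinAddressRand$ (and hence a serial number) even when the seeds $\CoinAddressPreRand$ are chosen adversarially.` The surrounding prose also still says the tag bits are $\mathtt{00}$, $\mathtt{01}$, $\mathtt{10}$ and $\mathtt{11}$; that claim should be checked against the bit layouts that follow, since the $\CoinAddressRand$ layout in this same diff does not visibly use $\mathtt{11}$.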
|
|
@ -272,6 +276,17 @@ independent. |
|
|
|
\end{bytefield} |
|
|
|
\end{lrbox} |
|
|
|
|
|
|
|
\newsavebox{\rhobox} |
|
|
|
\begin{lrbox}{\rhobox} |
|
|
|
\begin{bytefield}[bitwidth=0.065em]{512} |
|
|
|
\bitbox{242}{256 bit $\CoinAddressPreRand$} & |
|
|
|
\bitbox{14}{1} & |
|
|
|
\bitbox{14}{0} & |
|
|
|
\bitbox{14}{$i$} & |
|
|
|
\bitbox{228}{$\Trailing{253}(\hSig)$} |
|
|
|
\end{bytefield} |
|
|
|
\end{lrbox} |
|
|
|
|
|
|
|
\nathan{Note: If we change input arity (i.e. $\NOld$), we need to be aware of how it |
|
|
|
is associated with this bit-packing.} |
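Review bot: The tag bits in the new $\rhobox$ layout (L252–L260) are `1`, `0`, then $i$, while the prose in this diff assigns $\mathtt{10}$ to $\PRFpk{}$ and $\mathtt{11}$ to $\PRFrho{}$; one of the two is wrong, and if $\pkbox$ (not in this hunk) also packs `1 0 i`, then $\PRFpk{}$ and $\PRFrho{}$ are the same function on different seeds and the claimed domain separation does not hold. Either change L256 to `\bitbox{14}{1}` to match the prose, or correct the prose to the actual tags. It is also worth a sentence noting that $\Trailing{253}(\hSig)$ deliberately drops 3 bits of $\hSig$ to fit the 512-bit block, so uniqueness of $\CoinAddressRand$ rests on 253 bits of $\hSig$ rather than 256; the existing \nathan note about input arity could be extended to cover that the widths of $\CoinAddressPreRand$, $i$ and the truncated $\hSig$ must sum to 512.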
|
|
|
|
|
|
@ -279,7 +294,8 @@ is associated with this bit-packing.} |
|
|
|
\begin{aligned} |
|
|
|
\SpendAuthorityPublic &:= \PRFaddr{\SpendAuthorityPrivate}(0) &= \CRHbox{\addrbox} \\ |
|
|
|
\sn &:= \PRFsn{\SpendAuthorityPrivate}(\CoinAddressRand) &= \CRHbox{\snbox} \\ |
|
|
|
\h{i} &:= \PRFpk{\SpendAuthorityPrivate}(i, \hSig) &= \CRHbox{\pkbox} |
|
|
|
\h{i} &:= \PRFpk{\SpendAuthorityPrivate}(i, \hSig) &= \CRHbox{\pkbox} \\ |
|
|
|
\CoinAddressRandNew{i} &:= \PRFrho{\CoinAddressPreRand}(i, \hSig) &= \CRHbox{\rhobox} |
|
|
|
\end{aligned} |
|
|
|
\end{equation*} |
|
|
|
|
|
|
@ -322,10 +338,13 @@ A \coin (denoted $\Coin$) is a tuple $\changed{(\SpendAuthorityPublic, \Value, |
|
|
|
\CoinAddressRand, \CoinCommitRand)}$ which represents that a value $\Value$ is |
|
|
|
spendable by the recipient who holds the $\spendAuthority$ key pair |
|
|
|
$(\SpendAuthorityPublic, \SpendAuthorityPrivate)$ such that |
|
|
|
$\SpendAuthorityPublic = \PRFaddr{\SpendAuthorityPrivate}(0)$. $\CoinAddressRand$ and |
|
|
|
$\CoinCommitRand$ are tokens randomly generated by the sender. Only a hash of |
|
|
|
these values is disclosed publicly, which allows these random tokens to blind the |
|
|
|
value and recipient \emph{except} to those who possess these tokens. |
|
|
|
$\SpendAuthorityPublic = \PRFaddr{\SpendAuthorityPrivate}(0)$. |
|
|
|
|
|
|
|
$\CoinCommitRand$ is randomly generated by the sender; $\CoinAddressRand$ |
|
|
|
is generated from a random seed $\CoinAddressPreRand$ using |
|
|
|
$\PRFrho{\CoinAddressPreRand}$. Only a commitment to these values is disclosed |
|
|
|
publicly, which allows the tokens $\CoinCommitRand$ and $\CoinAddressRand$ to blind |
|
|
|
the value and recipient \emph{except} to those who possess these tokens. |
|
|
|
|
|
|
|
\subsubsection{In-band secret distribution} |
|
|
|
|
|
|
@ -369,7 +388,7 @@ be their \coinPlaintexts. |
|
|
|
Define: |
|
|
|
\begin{equation*} |
|
|
|
\begin{aligned} |
|
|
|
\Prenonce(i, \EphemeralPublic, \TransmitPublicNew{i}) &:= \CryptoBoxSealHashbox{\prenoncebox} \\ |
|
|
|
\Prenonce(i, \EphemeralPublic, \TransmitPublicNew{i}) &:= \FullHashbox{\prenoncebox} \\ |
|
|
|
\Nonce(i, \EphemeralPublic, \TransmitPublicNew{i}) &:= \Justthebox{\noncebox} |
|
|
|
\end{aligned} |
|
|
|
\end{equation*} |
|
|
@ -409,10 +428,10 @@ will be ignored. |
|
|
|
This is a variation on the $\CryptoBoxSeal$ algorithm defined in libsodium |
|
|
|
\cite{cryptoboxseal}, but with a single ephemeral key used for all encryptions in a |
|
|
|
given \PourDescription, and with the nonce for each ciphertext component depending |
|
|
|
on the index $i$. Also, $\CryptoBoxSealHash$ (the full hash, not the compression |
|
|
|
function) is used instead of $\mathsf{blake2b}$. The particular nonce construction |
|
|
|
is chosen so that a known-nonce distinguisher for $\mathsf{Salsa20}$ would not |
|
|
|
directly lead to a break of the IK-CCA (key privacy) property. |
|
|
|
on the index $i$. Also, $\FullHash$ (the full hash, not the compression function) is |
|
|
|
used instead of $\mathsf{blake2b}$. The particular nonce construction is chosen so |
|
|
|
that a known-nonce distinguisher for $\mathsf{Salsa20}$ would not directly lead to a |
|
|
|
break of the IK-CCA (key privacy) property. |
|
|
|
} |
|
|
|
|
|
|
|
\subsubsection{Coin Commitments} |
|
|
@ -571,9 +590,7 @@ some block height in the past, or the merkle root produced by a previous pour in |
|
|
|
this transaction. \sean{We need to be more specific here.} |
|
|
|
|
|
|
|
\item $\scriptSig$ which is a \script that creates conditions for acceptance of a |
|
|
|
\PourDescription in a transaction. The $\SHA$ hash of this value is $\hSig$. |
|
|
|
|
|
|
|
\daira{Why $\SHA$ and not $\SHAOrig$? The script is variable-length.} |
|
|
|
\PourDescription in a transaction. |
|
|
|
|
|
|
|
\item $\scriptPubKey$ which is a \script used to satisfy the conditions of the |
|
|
|
$\scriptSig$. |
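Review bot: Dropping "The $\SHA$ hash of this value is $\hSig$" from the $\scriptSig$ item means $\scriptSig$ is no longer bound into $\hSig$ at all; the new construction later in this diff binds only the old serial numbers and $\scriptPubKey$. If that is intentional (e.g. because $\scriptSig$ is the witness that satisfies $\scriptPubKey$ and including it would be circular), say so in one sentence here, since a reader of the old text will assume the binding was lost by mistake. Daira's removed remark that the script is variable-length still applies to $\scriptPubKey$ in the new $\hSig$ input. The enclosing list item begins before this hunk.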
|
|
@ -598,6 +615,25 @@ $\PourDescription$. |
|
|
|
|
|
|
|
\end{list} |
|
|
|
|
|
|
|
\subparagraph{Computation of $\hSig$} |
|
|
|
|
|
|
|
\newsavebox{\hsigbox} |
|
|
|
\begin{lrbox}{\hsigbox} |
|
|
|
\begin{bytefield}[bitwidth=0.045em]{808} |
|
|
|
\bitbox{80}{$\hSigInputVersionByte$} & |
|
|
|
\bitbox{256}{256 bit $\snOld{0}$} & |
|
|
|
\bitbox{24}{...} & |
|
|
|
\bitbox{256}{256 bit $\snOld{\NOld-1}$} & |
|
|
|
\bitbox{256}{$\scriptPubKey$} |
|
|
|
\end{bytefield} |
|
|
|
\end{lrbox} |
|
|
|
|
|
|
|
Given a \PourDescription, we define: |
|
|
|
|
|
|
|
\begin{itemize} |
|
|
|
\item[] $\hSig := \FullHashbox{\hsigbox}$ |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
\subparagraph{Merkle root validity} |
|
|
|
|
|
|
|
A \PourDescription is valid if $\rt$ is a \coinCommitmentTree root found in |
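Review bot: The $\hsigbox$ layout at L590 labels $\scriptPubKey$ as a 256-bit field, but $\scriptPubKey$ is defined in this document as a \script, which is variable-length; either the input should be a fixed-size digest of the script (e.g. `\bitbox{256}{$\FullHash(\scriptPubKey)$}`) or the text should state that $\scriptPubKey$ is restricted to exactly 32 bytes here, otherwise the $\FullHash$ input is ambiguous and the 808-bit width is wrong. The indices $\snOld{0}$ … $\snOld{\NOld-1}$ (L578–L586) are 0-based while the rest of the diff uses $\snOld{\mathrm{1}..\NOld}$ (L645); pick one. Since the later "Uniqueness of $\CoinAddressRandNew{i}$" constraint relies on $\hSig$ differing between pours, I would also add after L618: `Because each $\snOld{i}$ can appear in at most one valid \PourDescription, $\hSig$ is unique per \PourDescription.`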
|
|
@ -644,7 +680,7 @@ A valid instance of $\PourProof$ assures that given a \term{primary input} |
|
|
|
$(\rt, \snOld{\mathrm{1}..\NOld}, \cmNew{\mathrm{1}..\NNew}, \changed{\vpubOld,\;} |
|
|
|
\vpubNew, \hSig, \h{1..\NOld})$, a witness of \term{auxiliary input} |
|
|
|
$(\treepath{1..\NOld}, \cOld{1..\NOld}, \SpendAuthorityPrivateOld{\mathrm{1}..\NOld}, |
|
|
|
\cNew{1..\NNew})$ exists, where: |
|
|
|
\cNew{1..\NNew}, \CoinAddressPreRand)$ exists, where: |
|
|
|
|
|
|
|
\begin{list}{}{} |
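Review bot: $\hSig$ is listed as a \term{primary input} and the new auxiliary input $\CoinAddressPreRand$ is only as useful as $\hSig$ is honest, so the statement should make explicit that the verifier recomputes $\hSig$ from the \PourDescription as in "Computation of $\hSig$" and rejects the proof if it differs from the primary-input value; otherwise a prover could supply an arbitrary $\hSig$ and reuse a $\CoinAddressRand$ across pours. If that check is stated elsewhere in the validity rules, a cross-reference here (`$\hSig$ is as computed above`) is enough. The list that follows is cut off at the end of the hunk.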
|
|
|
|
|
|
@ -682,6 +718,10 @@ $\SpendAuthorityPublicOld{i} = \PRFaddr{\SpendAuthorityPrivateOld{i}}(0)$. |
|
|
|
|
|
|
|
for each $i \in \{1..\NOld\}$: $\h{i}$ = $\PRFpk{\SpendAuthorityPrivateOld{i}}(i, \hSig)$ |
|
|
|
|
|
|
|
\subparagraph{Uniqueness of $\CoinAddressRandNew{i}$} |
|
|
|
|
|
|
|
for each $i \in \{1..\NNew\}$: $\CoinAddressRandNew{i}$ = $\PRFrho{\CoinAddressPreRand}(i, \hSig)$ |
|
|
|
|
|
|
|
\subparagraph{Commitment integrity} |
|
|
|
|
|
|
|
for each $i \in \{1..\NNew\}$: $\cmNew{i}$ = $\CoinCommitment{\cNew{i}}$ |
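Review bot: The heading "Uniqueness of $\CoinAddressRandNew{i}$" promises more than the constraint at L700 delivers on its own: the equation only fixes the derivation of each $\CoinAddressRandNew{i}$ from $(\CoinAddressPreRand, i, \hSig)$, and distinctness of $\CoinAddressRand$ across pours follows only from the collision resistance of $\PRFrho{}$ together with $\hSig$ being unique per \PourDescription, neither of which is restated here. I would add one sentence under the heading: `Since $\hSig$ is unique per \PourDescription and $\PRFrho{}$ is collision-resistant across seeds, this constraint ensures that no two \coins created by valid pours share a $\CoinAddressRand$.` It would also help to say that the same single $\CoinAddressPreRand$ from the auxiliary input is used for all $i$.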
|
|
|