|
|
|
@ -139,8 +139,6 @@ |
|
|
|
\newcommand{\SHAOrig}{\term{SHA-256}} |
|
|
|
\newcommand{\cm}{\mathsf{cm}} |
|
|
|
\newcommand{\cmNew}[1]{\mathsf{{cm}^{new}_\mathnormal{#1}}} |
|
|
|
\newcommand{\InternalHashK}{\mathsf{k}} |
|
|
|
\newcommand{\InternalHash}{\mathsf{InternalH}} |
|
|
|
\newcommand{\Leading}[1]{\mathtt{Leading}_{#1}} |
|
|
|
\newcommand{\ReplacementCharacter}{\textsf{U+FFFD}} |
|
|
|
|
|
|
|
@ -443,41 +441,20 @@ break of the IK-CCA (key privacy) property. |
|
|
|
\subsubsection{Coin Commitments} |
|
|
|
|
|
|
|
The underlying $\Value$ and $\SpendAuthorityPublic$ are blinded with $\CoinAddressRand$ |
|
|
|
and $\CoinCommitRand$ using the collision-resistant hash function $\CRH$ in a |
|
|
|
multi-layered process. The resulting hash $\cm = \CoinCommitment{\Coin}$. |
|
|
|
|
|
|
|
\newsavebox{\ihbox} |
|
|
|
\begin{lrbox}{\ihbox} |
|
|
|
\begin{bytefield}[bitwidth=0.08em]{512} |
|
|
|
\bitbox{256}{256 bit $\SpendAuthorityPublic$} & |
|
|
|
\bitbox{256}{256 bit $\CoinAddressRand$} |
|
|
|
\end{bytefield} |
|
|
|
\end{lrbox} |
|
|
|
|
|
|
|
\newsavebox{\ihkbox} |
|
|
|
\begin{lrbox}{\ihkbox} |
|
|
|
\begin{bytefield}[bitwidth=0.08em]{512} |
|
|
|
\bitbox{384}{384 bit $\CoinCommitRand$} & |
|
|
|
\bitbox{128}{$\Leading{128}(\InternalHash)$} |
|
|
|
\end{bytefield} |
|
|
|
\end{lrbox} |
|
|
|
and $\CoinCommitRand$ using the collision-resistant hash function $\FullHash$. |
|
|
|
The resulting hash $\cm = \CoinCommitment{\Coin}$. |
|
|
|
|
|
|
|
\newsavebox{\cmbox} |
|
|
|
\begin{lrbox}{\cmbox} |
|
|
|
\begin{bytefield}[bitwidth=0.08em]{512} |
|
|
|
\bitbox{64}{64 bit $\Value$} & |
|
|
|
\bitbox{192}{192 bit padding} & |
|
|
|
\bitbox{256}{256 bit $\InternalHashK$} |
|
|
|
\begin{bytefield}[bitwidth=0.045em]{832} |
|
|
|
\bitbox{256}{256 bit $\SpendAuthorityPublic$} & |
|
|
|
\bitbox{96}{64 bit $\Value$} & |
|
|
|
\bitbox{256}{256 bit $\CoinAddressRand$} |
|
|
|
\bitbox{256}{256 bit $\CoinCommitRand$} & |
|
|
|
\end{bytefield} |
|
|
|
\end{lrbox} |
|
|
|
|
|
|
|
\begin{equation*} |
|
|
|
\begin{aligned} |
|
|
|
\InternalHash &:= \CRHbox{\ihbox} \\ |
|
|
|
\InternalHashK &:= \CRHbox{\ihkbox} \\ |
|
|
|
\cm &:= \CRHbox{\cmbox} |
|
|
|
\end{aligned} |
|
|
|
\end{equation*} |
|
|
|
$\cm := \FullHashbox{\cmbox}$ |
|
|
|
|
|
|
|
\subsubsection{Serial numbers} |
|
|
|
|
|
|
|
@ -843,7 +820,7 @@ where: |
|
|
|
\item $\Value$ is a 64-bit unsigned integer representing the value of the |
|
|
|
\coin in \zatoshi (1 \ZEC = $10^8$ \zatoshi). |
|
|
|
\item $\CoinAddressRand$ is a 32-byte $\PRFsn{\SpendAuthorityPrivate}$ preimage. |
|
|
|
\item $\CoinCommitRand$ is a 48-byte \COMMtrapdoor. |
|
|
|
\item $\CoinCommitRand$ is a 32-byte \COMMtrapdoor. |
|
|
|
\changed{ |
|
|
|
\item $\Memo$ is a 64-byte \memo associated with this \coin. |
|
|
|
} |
|
|
|
@ -868,11 +845,11 @@ does not use it. |
|
|
|
The raw encoding of a \coinPlaintext consists of, in order: |
|
|
|
|
|
|
|
\begin{equation*} |
|
|
|
\begin{bytefield}[bitwidth=0.035em]{1224} |
|
|
|
\begin{bytefield}[bitwidth=0.04em]{1096} |
|
|
|
\bitbox{80}{\changed{$\TransmitPlaintextVersionByte$}} & |
|
|
|
\bitbox{144}{$\Value$ (8 bytes)} & |
|
|
|
\bitbox{256}{$\CoinAddressRand$ (32 bytes)} & |
|
|
|
\bitbox{384}{$\CoinCommitRand$ (48 bytes)} & |
|
|
|
\bitbox{256}{$\CoinCommitRand$ (32 bytes)} & |
|
|
|
\changed{\bitbox{512}{$\Memo$ (64 bytes)}} |
|
|
|
\end{bytefield} |
|
|
|
\end{equation*} |
|
|
|
@ -884,7 +861,7 @@ encoding of a \coinPlaintext. |
|
|
|
} |
|
|
|
\item 8 bytes specifying a big-endian encoding of $\Value$. |
|
|
|
\item 32 bytes specifying $\CoinAddressRand$. |
|
|
|
\item 48 bytes specifying $\CoinCommitRand$. |
|
|
|
\item 32 bytes specifying $\CoinCommitRand$. |
|
|
|
\changed{ |
|
|
|
\item 64 bytes specifying $\Memo$. |
|
|
|
} |
|
|
|
|
Daira Hopwood
8 years ago