|
|
@ -847,7 +847,7 @@ A \transaction can contain \transparent inputs, outputs, and scripts, which all |
|
|
|
work as in \Bitcoin \cite{Bitcoin-Protocol}. It also contains a sequence of zero or |
|
|
|
more \joinSplitDescriptions. Each of these describes a \joinSplitTransfer\hairspace\footnote{ |
|
|
|
\joinSplitTransfers in \Zcash generalize ``Mint'' and ``Pour'' \transactions |
|
|
|
in \Zerocash; see \crossref{trstructure} for the differences.} |
|
|
|
in \Zerocash; see \crossref{trstructure} for differences.} |
|
|
|
which takes in a \transparent value and up to two input \notes, and produces a |
|
|
|
\transparent value and up to two output \notes. The \nullifiers of the input |
|
|
|
\notes are revealed (preventing them from being spent again) and the |
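Review bot: the only difference between the two footnote variants in this hunk is the article in "for (the) differences"; both are grammatical, but since the footnote points the reader at the specific differences listed in \crossref{trstructure}, the definite article reads slightly better, so prefer "for the differences" whichever direction the change is going. Everything else in the paragraph (the \hairspace before \footnote, the \joinSplitTransfer terminology) is unchanged and consistent.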
|
|
@ -1566,15 +1566,12 @@ uniformly at random from $\bitseq{\AuthPrivateLength}$. |
|
|
|
$\AuthPublic$, $\TransmitPrivate$ and $\TransmitPublic$ are derived from |
|
|
|
$\AuthPrivate$ |
|
|
|
as follows:} |
|
|
|
{\hfuzz=50pt |
|
|
|
\begin{equation*} |
|
|
|
\begin{aligned} |
|
|
|
\AuthPublic &:= \changed{\PRFaddr{\AuthPrivate}(0)} \\ |
|
|
|
\TransmitPrivate &:= \changed{\KAFormatPrivate(\PRFaddr{\AuthPrivate}(1))} \\ |
|
|
|
\TransmitPublic &:= \changed{\KADerivePublic(\TransmitPrivate)} |
|
|
|
\end{aligned} |
|
|
|
\end{equation*} |
|
|
|
} |
|
|
|
|
|
|
|
\begin{tabular}{@{\hskip 2em}r@{\;}l} |
|
|
|
$\AuthPublic$ &$:= \changed{\PRFaddr{\AuthPrivate}(0)}$ \\ |
|
|
|
$\TransmitPrivate$ &$:= \changed{\KAFormatPrivate(\PRFaddr{\AuthPrivate}(1))}$ \\ |
|
|
|
$\TransmitPublic$ &$:= \changed{\KADerivePublic(\TransmitPrivate)}$. |
|
|
|
\end{tabular} |
|
|
|
|
|
|
|
\nsubsection{\JoinSplitDescriptions} \label{joinsplitdesc} |
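Review bot: replacing the aligned display with the tabular also drops the enclosing `{\hfuzz=50pt ... }` group, which was suppressing the overfull-hbox warning for the longest row, `\KAFormatPrivate(\PRFaddr{\AuthPrivate}(1))`; check the build log after this change, because the `l` column of the tabular has no such suppression and an overfull box will now be reported if that row still exceeds the text width. The tabular form does improve one thing: the last row now ends the sentence begun at "as follows:" with a period, which the equation* version lacked. Note that the tabular is set in-line at the start of a paragraph (indented only by `@{\hskip 2em}`) rather than centred as the display was, so it should match how other derivation tables in the document are laid out.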
|
|
|
|
|
|
@ -2177,7 +2174,7 @@ and produces a 256-bit hash. \cite{NIST2015} |
|
|
|
|
|
|
|
\pnote{ |
|
|
|
$\SHA$ is not the same as the $\FullHashName$ function, which hashes arbitrary-length |
|
|
|
sequences. |
|
|
|
byte sequences. |
|
|
|
} |
|
|
|
|
|
|
|
\securityrequirement{ |
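Review bot: "arbitrary-length byte sequences" is the right precision over "arbitrary-length sequences", since it is byte strings, not bit strings, that $\FullHashName$ is defined over. The note would be clearer still if it also stated the fixed input length that $\SHA$ accepts (the hunk context only states that it produces a 256-bit hash), so that the contrast between the two functions is explicit rather than implied.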
|
|
@ -2275,7 +2272,8 @@ It would suffice to model it as a random oracle. |
|
|
|
} |
|
|
|
|
|
|
|
\pnote{ |
|
|
|
When $\EquihashGen{}$ is evaluated for sequential indices (as in \crossref{equihash}), |
|
|
|
When $\EquihashGen{}$ is evaluated for sequential indices, as |
|
|
|
in the Equihash solving process (\crossref{equihash}), |
|
|
|
the number of calls to $\BlakeGeneric$ can be reduced by a factor of $\floor{\frac{512}{n}}$ |
|
|
|
in the best case (which is a factor of 2 for $n = 200$). |
|
|
|
} |
|
|
@ -3580,7 +3578,7 @@ as its $\scriptPubKey$. |
|
|
|
|
|
|
|
\begin{pnotes} |
|
|
|
\item No \foundersReward is required to be paid for $\BlockHeight \geq \SlowStartShift + \HalvingInterval$ |
|
|
|
(i.e.\ after the first halving), or for $\BlockHeight = 0$ (i.e.\ the genesis block). |
|
|
|
(i.e.\ after the first halving), or for $\BlockHeight = 0$ (i.e.\ the \genesisBlock). |
|
|
|
\item The \foundersReward addresses are not treated specially in any other way, and |
|
|
|
there can be other outputs to them, in \coinbaseTransactions or otherwise. |
|
|
|
In particular, it is valid for a \coinbaseTransaction with |
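Review bot: switching "the genesis block" to the \genesisBlock term macro matches how \foundersReward and \coinbaseTransactions are typeset in the same list, so the change is consistent; make sure \genesisBlock is actually defined among the term macros (its definition is not visible in this diff), or the build will fail on an undefined control sequence. The condition $\BlockHeight \geq \SlowStartShift + \HalvingInterval$ and its gloss "after the first halving" are unchanged and still agree.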
|
|
|