|
|
@ -174,7 +174,6 @@ |
|
|
|
\newcommand{\SpendingKey}{\mathsf{addr_{sk}}} |
|
|
|
\newcommand{\PaymentAddressLeadByte}{\hexint{92}} |
|
|
|
\newcommand{\SpendingKeyLeadByte}{\hexint{??}} |
|
|
|
\newcommand{\NotePlaintextLeadByte}{\hexint{00}} |
|
|
|
\newcommand{\AuthPublic}{\mathsf{a_{pk}}} |
|
|
|
\newcommand{\AuthPrivate}{\mathsf{a_{sk}}} |
|
|
|
\newcommand{\AuthPublicOld}[1]{\mathsf{a^{old}_{pk,\mathnormal{#1}}}} |
|
|
@ -629,7 +628,9 @@ to $\AuthPublic$, as described in the previous section. |
|
|
|
|
|
|
|
$\NoteCommitRand$ is randomly generated by the sender. \changed{$\NoteAddressRand$ |
|
|
|
is generated from a random seed $\NoteAddressPreRand$ using |
|
|
|
$\PRFrho{\NoteAddressPreRand}$.} Only a commitment to these values is disclosed |
|
|
|
$\PRFrho{\NoteAddressPreRand}$.} |
|
|
|
|
|
|
|
Only a commitment to the contents of the \note is disclosed |
|
|
|
publicly, which allows the tokens $\NoteCommitRand$ and $\NoteAddressRand$ to blind |
|
|
|
the value and recipient \emph{except} to those who possess these tokens. |
|
|
|
|
|
|
@ -642,19 +643,20 @@ The resulting hash $\cm = \Commitment(\NoteTuple{})$. |
|
|
|
\newsavebox{\cmbox} |
|
|
|
\begin{lrbox}{\cmbox} |
|
|
|
\setchanged |
|
|
|
\begin{bytefield}[bitwidth=0.036em]{840} |
|
|
|
\bitbox{24}{1} & |
|
|
|
\bitbox{24}{0} & |
|
|
|
\bitbox{24}{1} & |
|
|
|
\bitbox{24}{1} & |
|
|
|
\bitbox{24}{0} & |
|
|
|
\bitbox{24}{0} & |
|
|
|
\bitbox{24}{0} & |
|
|
|
\bitbox{24}{0} & |
|
|
|
\begin{bytefield}[bitwidth=0.03em]{952} |
|
|
|
\bitbox{28}{1} & |
|
|
|
\bitbox{28}{0} & |
|
|
|
\bitbox{28}{1} & |
|
|
|
\bitbox{28}{1} & |
|
|
|
\bitbox{28}{0} & |
|
|
|
\bitbox{28}{0} & |
|
|
|
\bitbox{28}{0} & |
|
|
|
\bitbox{28}{0} & |
|
|
|
\bitbox{112}{$\zeros{112}$} & |
|
|
|
\bitbox{256}{256 bit $\AuthPublic$} & |
|
|
|
\bitbox{128}{64 bit $\Value$} & |
|
|
|
\bitbox{256}{256 bit $\NoteAddressRand$} |
|
|
|
\bitbox{256}{256 bit $\NoteCommitRand$} & |
|
|
|
\bitbox{256}{256 bit $\NoteAddressRand$} & |
|
|
|
\bitbox{256}{256 bit $\NoteCommitRand$} |
|
|
|
\end{bytefield} |
|
|
|
\end{lrbox} |
|
|
|
|
|
|
@ -662,7 +664,8 @@ The resulting hash $\cm = \Commitment(\NoteTuple{})$. |
|
|
|
\hskip 1em $\cm := \FullHashbox{\cmbox}$ |
|
|
|
|
|
|
|
\subparagraph{Note:} |
|
|
|
The leading byte of the $\FullHash$ input is $\hexint{B0}$. |
|
|
|
The leading bytes of the $\FullHash$ input are $\hexint{B0}$, followed by 14 zero bytes. |
|
|
|
The zero bytes are reserved for use in a future version of the \Zcash protocol. |
|
|
|
} |
|
|
|
|
|
|
|
\subsubsection{\Nullifiers} |
|
|
@ -709,20 +712,20 @@ protocol extensions. |
|
|
|
|
|
|
|
The encoding of a \notePlaintext consists of, in order: |
|
|
|
\begin{equation*} |
|
|
|
\begin{bytefield}[bitwidth=0.029em]{1608} |
|
|
|
\begin{bytefield}[bitwidth=0.03em]{1608} |
|
|
|
\changed{ |
|
|
|
\bitbox{192}{8 bit $\NotePlaintextLeadByte$} |
|
|
|
\bitbox{256}{$\zeros{112}$ (14 bytes)} |
|
|
|
&}\bitbox{192}{$\Value$ (8 bytes)} & |
|
|
|
\bitbox{256}{$\NoteAddressRand$ (32 bytes)} & |
|
|
|
\bitbox{256}{$\NoteAddressRand$ (32 bytes)} |
|
|
|
\bitbox{256}{$\NoteCommitRand$ (\changed{32} bytes)} & |
|
|
|
\changed{\bitbox{800}{$\Memo$ (128 bytes)}} |
|
|
|
\changed{\bitbox{632}{$\Memo$ (128 bytes)}} |
|
|
|
\end{bytefield} |
|
|
|
\end{equation*} |
|
|
|
|
|
|
|
\begin{itemize} |
|
|
|
\changed{ |
|
|
|
\item A byte, $\NotePlaintextLeadByte$, indicating this version of the |
|
|
|
encoding of a \notePlaintext. |
|
|
|
\item 14 zero bytes, which are reserved for use in a future version of the |
|
|
|
\Zcash protocol. |
|
|
|
} |
|
|
|
\item 8 bytes specifying $\Value$. |
|
|
|
\item 32 bytes specifying $\NoteAddressRand$. |
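Review bot: The note-plaintext diagram in this hunk still declares `{1608}` as its `bytefield` total, although the field list now appears to be 14 + 8 + 32 + 32 + 128 bytes, i.e. 1712 bits (old and new sides are inferred from the hunk counts, since the +/- markers are lost on this page). The commitment diagram in the earlier hunk had its total raised from 840 to 952 for its added 112 zero bits, and the ciphertext size in the later table grows by 13 bytes (217 to 230), so `\begin{bytefield}[bitwidth=0.03em]{1712}` looks like the intended value if that argument is meant to be the true bit length. Separately, the new `\item 14 zero bytes` says the bytes are reserved but not what a recipient does with a decrypted \notePlaintext in which they are non-zero; a sentence such as `A recipient MUST reject a \notePlaintext whose reserved bytes are not all zero.` (or an explicit statement that they are ignored) would keep implementations from diverging once the bytes are given a meaning. The itemize list continues outside the hunk.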
|
|
@ -879,7 +882,7 @@ Bytes & \heading{Name} & \heading{Data Type} & \heading{Description} \\ |
|
|
|
\Varies & $\nJoinSplit$ & \type{compactSize uint} & The number of \joinSplitDescriptions |
|
|
|
in $\vJoinSplit$. \\ \hline |
|
|
|
|
|
|
|
$1026 \times \nJoinSplit$ & $\vJoinSplit$ & |
|
|
|
$1052 \times \nJoinSplit$ & $\vJoinSplit$ & |
|
|
|
\type{JoinSplitDescription} \type{[$\nJoinSplit$]} & |
|
|
|
The \sequenceOfJoinSplitDescriptions in this \transaction. \\ \hline |
|
|
|
|
|
|
@ -926,7 +929,7 @@ output \notes $\cmNew{\allNew}$. \\ \hline |
|
|
|
\setchanged 32 &\setchanged $\ephemeralKey$ &\setchanged \type{char[32]} &\mbox{}\setchanged |
|
|
|
A Curve25519 public key $\EphemeralPublic$. \\ \hline |
|
|
|
|
|
|
|
434 & $\encCiphertexts$ & \type{char[217][$\NNew$]} & A sequence of ciphertext |
|
|
|
460 & $\encCiphertexts$ & \type{char[230][$\NNew$]} & A sequence of ciphertext |
|
|
|
components for the encrypted output \notes, $\TransmitCiphertext{\allNew}$. \\ \hline |
|
|
|
|
|
|
|
\setchanged 32 &\setchanged $\randomSeed$ &\setchanged \type{char[32]} &\mbox{}\setchanged |
|
|
|