|
|
|
@ -14,6 +14,7 @@ |
|
|
|
\RequirePackage{tabularx} |
|
|
|
\RequirePackage{hhline} |
|
|
|
\RequirePackage{comment} |
|
|
|
\RequirePackage{bold-extra} |
|
|
|
|
|
|
|
\setlength{\oddsidemargin}{-0.25in} % Left margin of 1 in + 0 in = 1 in |
|
|
|
\setlength{\textwidth}{7in} % Right margin of 8.5 in - 1 in - 6.5 in = 1 in |
|
|
|
@ -62,7 +63,7 @@ |
|
|
|
% terminology |
|
|
|
|
|
|
|
\newcommand{\term}[1]{\textsl{#1}\xspace} |
|
|
|
\newcommand{\titleterm}[1]{#1\xspace} |
|
|
|
\newcommand{\titleterm}[1]{#1} |
|
|
|
\newcommand{\termbf}[1]{\textbf{#1}\xspace} |
|
|
|
\newcommand{\conformance}[1]{\textmd{#1}\xspace} |
|
|
|
|
|
|
|
@ -139,17 +140,17 @@ |
|
|
|
\newcommand{\zeros}[1]{[0]^{#1}} |
|
|
|
\newcommand{\hexint}[1]{\mathbf{0x{#1}}} |
|
|
|
\newcommand{\dontcare}{\kern -0.06em\raisebox{0.1ex}{\footnotesize{$\times$}}} |
|
|
|
\newcommand{\ascii}[1]{\mathbf{``{#1}"}} |
|
|
|
\newcommand{\ascii}[1]{\textbf{``\texttt{#1}"}} |
|
|
|
\newcommand{\CRH}{\mathsf{CRH}} |
|
|
|
\newcommand{\CRHbox}[1]{\CRH\left(\;\raisebox{-1.3ex}{\usebox{#1}}\;\right)} |
|
|
|
\newcommand{\SHA}{\mathtt{SHA256Compress}} |
|
|
|
\newcommand{\SHAName}{\term{SHA-256 compression}} |
|
|
|
\newcommand{\FullHash}{\mathtt{SHA256}} |
|
|
|
\newcommand{\FullHashName}{\term{SHA-256}} |
|
|
|
\newcommand{\BlakeHash}{\mathtt{BLAKE2b}} |
|
|
|
\newcommand{\BlakeHashName}{\term{BLAKE2b}} |
|
|
|
\newcommand{\BlakeHash}{\mathtt{BLAKE2b/256}} |
|
|
|
\newcommand{\BlakeHashName}{\term{BLAKE2b/256}} |
|
|
|
\newcommand{\BlakeFullLength}{\term{BLAKE2b}} |
|
|
|
\newcommand{\FullHashbox}[1]{\FullHash\left(\;\raisebox{-1.3ex}{\usebox{#1}}\;\right)} |
|
|
|
\newcommand{\BlakeHashbox}[2]{\BlakeHash\left({#1},\;\raisebox{-1.3ex}{\usebox{#2}}\;\right)} |
|
|
|
\newcommand{\Justthebox}[2]{\;\raisebox{#2}{\usebox{#1}}\;} |
|
|
|
\newcommand{\setof}[1]{\{{#1}\}} |
|
|
|
\newcommand{\minimum}{\mathsf{min}} |
|
|
|
@ -181,6 +182,9 @@ |
|
|
|
\newcommand{\TransmitPrivate}{\mathsf{sk_{enc}}} |
|
|
|
\newcommand{\Value}{\mathsf{v}} |
|
|
|
\newcommand{\ValueNew}[1]{\mathsf{v^{new}_\mathnormal{#1}}} |
|
|
|
\newcommand{\pubKeyHash}{\mathsf{pubKeyHash}} |
|
|
|
\newcommand{\hSigInput}{\mathsf{hSigInput}} |
|
|
|
\newcommand{\dataToBeSigned}{\mathsf{dataToBeSigned}} |
|
|
|
|
|
|
|
% Notes |
|
|
|
\newcommand{\NoteTuple}[1]{\mathbf{n}_{#1}} |
|
|
|
@ -195,7 +199,6 @@ |
|
|
|
\newcommand{\NoteCommitS}{\mathsf{s}} |
|
|
|
\newcommand{\nf}{\mathsf{nf}} |
|
|
|
\newcommand{\nfOld}[1]{\nf^\mathsf{old}_\mathnormal{#1}} |
|
|
|
\newcommand{\hSigtag}{\mathsf{hSigtag}} |
|
|
|
\newcommand{\Memo}{\mathsf{memo}} |
|
|
|
\newcommand{\CurveMultiply}{\mathsf{Curve25519}} |
|
|
|
\newcommand{\CurveBase}{\bytes{9}} |
|
|
|
@ -228,7 +231,6 @@ |
|
|
|
\newcommand{\PRFdk}[1]{\PRF{#1}{dk}} |
|
|
|
\newcommand{\cm}{\mathsf{cm}} |
|
|
|
\newcommand{\cmNew}[1]{\mathsf{{cm}^{new}_\mathnormal{#1}}} |
|
|
|
\newcommand{\LeadingBytes}[1]{\mathtt{LeadingBytes}_{#1}} |
|
|
|
\newcommand{\ReplacementCharacter}{\textsf{U+FFFD}} |
|
|
|
\newcommand{\CryptoBoxSeal}{\mathsf{crypto\_box\_seal}} |
|
|
|
\newcommand{\ECDSAr}{\mathsf{r}} |
|
|
|
@ -248,7 +250,6 @@ |
|
|
|
\newcommand{\anchorField}{\mathtt{anchor}} |
|
|
|
\newcommand{\joinSplitSig}{\mathtt{joinSplitSig}} |
|
|
|
\newcommand{\joinSplitPubKey}{\mathtt{joinSplitPubKey}} |
|
|
|
\newcommand{\dataToBeSigned}{\mathtt{dataToBeSigned}} |
|
|
|
\newcommand{\nullifiersField}{\mathtt{nullifiers}} |
|
|
|
\newcommand{\commitments}{\mathtt{commitments}} |
|
|
|
\newcommand{\ephemeralKey}{\mathtt{ephemeralKey}} |
|
|
|
@ -419,9 +420,6 @@ For example, the following diagrams are all equivalent: |
|
|
|
and represent the byte sequence $[\hexint{D2}, \hexint{BC}, \hexint{3A}, \hexint{12}]$. |
|
|
|
\end{comment} |
|
|
|
|
|
|
|
$\LeadingBytes{k}(x)$, where $k$ is an integer, returns the leading (initial) |
|
|
|
$k$ bytes of $x$. |
|
|
|
|
|
|
|
The notation $\allN{}$, used as a subscript, means the sequence of values |
|
|
|
with indices $1$ through $\mathrm{N}$ inclusive. For example, |
|
|
|
$\AuthPublicNew{\allNew}$ means the sequence $[\AuthPublicNew{\mathrm{1}}, |
|
|
|
@ -524,10 +522,12 @@ extensions that either increase $\NOld$ and/or $\NNew$ to 3, or that add an |
|
|
|
additional bit to $\AuthPrivate$ to encode a new key type, or that require an |
|
|
|
additional PRF.) |
|
|
|
|
|
|
|
$\BlakeHashName$ is also used to construct a Key Derivation Function and as a |
|
|
|
$\BlakeHashName$ (that is, $\BlakeFullLength$ with an output digest length of |
|
|
|
32 bytes) is also used to construct a Key Derivation Function and as a |
|
|
|
hash function for the computation of $\hSig$. The notation $\BlakeHash(p, x)$ |
|
|
|
represents the application of unkeyed $\BlakeHashName$ to a 16-byte personalization |
|
|
|
string $p$ and input $x$, as defined in \cite{blake2}. |
|
|
|
string $p$ and input $x$, as defined in \cite{blake2}. Note that $\BlakeHashName$ |
|
|
|
is not the same as $\BlakeFullLength$ truncated to 256 bits. |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
@ -654,7 +654,7 @@ of a \note as $\PRFnf{\AuthPrivate}(\NoteAddressRand)$. A \note is spent by prov |
|
|
|
knowledge of $\NoteAddressRand$ and $\AuthPrivate$ in zero knowledge while |
|
|
|
disclosing its \nullifier $\nf$, allowing $\nf$ to be used to prevent double-spending. |
|
|
|
|
|
|
|
\subsubsection{\NotePlaintexts and \Memos} \label{notept} |
|
|
|
\subsubsection{\NotePlaintexts{} and \Memos} \label{notept} |
|
|
|
|
|
|
|
Transmitted \notes are stored on the blockchain in encrypted form, together with |
|
|
|
a \noteCommitment $\cm$. |
|
|
|
@ -715,7 +715,7 @@ The encoding of a \notePlaintext consists of, in order: |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
|
|
|
|
\subsection{\NoteCommitment Tree} |
|
|
|
\subsection{\NoteCommitment{} Tree} |
|
|
|
|
|
|
|
\begin{center} |
|
|
|
\includegraphics[scale=.4]{incremental_merkle} |
|
|
|
@ -798,7 +798,7 @@ Transaction inputs insert value into a \term{value pool}, and transaction output |
|
|
|
remove value from this pool. The remaining value in the pool is available to miners |
|
|
|
as a fee. |
|
|
|
|
|
|
|
\section{\JoinSplitTransfers and Descriptions} \label{pourdesc} |
|
|
|
\section{\JoinSplitTransfers{} and Descriptions} \label{pourdesc} |
|
|
|
|
|
|
|
A \joinSplitDescription is data included in a \transaction that describes a \joinSplitTransfer, |
|
|
|
i.e. a confidential value transfer. This kind of value transfer is the primary |
|
|
|
@ -893,32 +893,29 @@ The $\ephemeralKey$ and $\encCiphertexts$ fields together form the \notesCiphert |
|
|
|
|
|
|
|
\subsection{Computation of \hSigText} \label{hsig} |
|
|
|
|
|
|
|
\newsavebox{\hsigtagbox} |
|
|
|
\begin{lrbox}{\hsigtagbox} |
|
|
|
\setchanged |
|
|
|
\begin{bytefield}[bitwidth=0.16em]{128} |
|
|
|
\bitbox{72}{72 bit $\ascii{ZcashhSig}$} |
|
|
|
\bitbox{56}{$\zeros{56}$} |
|
|
|
\end{bytefield} |
|
|
|
\end{lrbox} |
|
|
|
|
|
|
|
\newsavebox{\hsigbox} |
|
|
|
\begin{lrbox}{\hsigbox} |
|
|
|
\setchanged |
|
|
|
\begin{bytefield}[bitwidth=0.033em]{1024} |
|
|
|
\bitbox{256}{$\randomSeed$} |
|
|
|
\begin{bytefield}[bitwidth=0.04em]{1024} |
|
|
|
\bitbox{256}{256 bit $\randomSeed$} |
|
|
|
\bitbox{256}{\hfill 256 bit $\nfOld{\mathrm{1}}$\hfill...\;} & |
|
|
|
\bitbox{256}{256 bit $\nfOld{\NOld}$} & |
|
|
|
\bitbox{256}{$\joinSplitPubKey$} |
|
|
|
\bitbox{256}{256 bit $\pubKeyHash$} |
|
|
|
\end{bytefield} |
|
|
|
\end{lrbox} |
|
|
|
|
|
|
|
\changed{ |
|
|
|
Given a \joinSplitDescription, we define: |
|
|
|
|
|
|
|
\hskip 1em $\hSigtag := \Justthebox{\hsigtagbox}{-1.3ex}$ |
|
|
|
|
|
|
|
\hskip 1em $\hSig := \BlakeHashbox{\hSigtag}{\hsigbox}$ |
|
|
|
Given a \joinSplitDescription containing the fields $\randomSeed$ and |
|
|
|
$\nullifiersField = \nfOld{\allOld}$, and embedded in a transaction |
|
|
|
containing the field $\joinSplitPubKey$, we compute $\hSig$ for that |
|
|
|
\joinSplitDescription as follows: |
|
|
|
\begin{equation*} |
|
|
|
\begin{aligned} |
|
|
|
\pubKeyHash &:= \BlakeHash(\ascii{ZcashECDSAPubKey},\; \joinSplitPubKey) \\ |
|
|
|
\hSigInput &:= \Justthebox{\hsigbox}{-1.3ex} \\ |
|
|
|
\hSig &:= \BlakeHash(\ascii{ZcashComputehSig},\; \hSigInput) |
|
|
|
\end{aligned} |
|
|
|
\end{equation*} |
|
|
|
} |
|
|
|
|
|
|
|
\subsection{Merkle root validity} |
|
|
|
@ -933,8 +930,8 @@ identified by that previous \joinSplitDescription's $\anchor$. |
|
|
|
\changed{ |
|
|
|
\Bitcoin defines several \sighashTypes that cover various parts of a transaction. |
|
|
|
In \Zcash, all of these \sighashTypes are extended to cover the \Zcash-specific |
|
|
|
fields $\nJoinSplit$, $\vJoinSplit$, and $\joinSplitPubKey$. They \emph{do not} |
|
|
|
cover the field $\joinSplitSig$. |
|
|
|
fields $\nJoinSplit$, $\vJoinSplit$, and (if present) $\joinSplitPubKey$. |
|
|
|
They \emph{do not} cover the field $\joinSplitSig$. |
|
|
|
|
|
|
|
\subparagraph{Consensus rule:} |
|
|
|
If $\nJoinSplit > 0$, the \transaction \MUSTNOT use \sighashTypes other than |
|
|
|
@ -1042,7 +1039,7 @@ This restriction helps to avoid unnecessary distinctions between \transactions |
|
|
|
according to client implementation. |
|
|
|
} |
|
|
|
|
|
|
|
\subsection{\NoteCommitments and \Nullifiers} |
|
|
|
\subsection{\NoteCommitments{} and \Nullifiers} |
|
|
|
|
|
|
|
A \transaction that contains one or more \joinSplitDescriptions, when entered into the |
|
|
|
blockchain, appends to the \noteCommitmentTree with all constituent |
|
|
|
@ -1051,7 +1048,7 @@ blockchain, appends to the \noteCommitmentTree with all constituent |
|
|
|
valid if it attempts to add a \nullifier to the \nullifierSet that already |
|
|
|
exists in the set. |
|
|
|
|
|
|
|
\subsection{\JoinSplitCircuit and Proofs} |
|
|
|
\subsection{\JoinSplitCircuit{} and Proofs} |
|
|
|
|
|
|
|
In \Zcash, $\NOld$ and $\NNew$ are both $2$. |
|
|
|
|
|
|
|
@ -1166,7 +1163,7 @@ the plaintext byte sequence, or $\bot$ indicating failure to decrypt. |
|
|
|
Define: |
|
|
|
|
|
|
|
\hskip 1.5em $\KDF(i, \hSig, \DHSecret{i}, \EphemeralPublic, \TransmitPublicNew{i}) := |
|
|
|
\LeadingBytes{32}(\BlakeHash(\kdftag, \kdfinput))$ |
|
|
|
\BlakeHash(\kdftag, \kdfinput)$ |
|
|
|
|
|
|
|
where: |
|
|
|
|
|
|
|
|
Daira Hopwood