|
|
@ -95,8 +95,10 @@ |
|
|
|
\newcommand{\CoinAddressRand}{\mathsf{\uprho}} |
|
|
|
\newcommand{\CoinAddressRandOld}[1]{\mathsf{\uprho^{old}_\mathnormal{#1}}} |
|
|
|
\newcommand{\CoinAddressRandNew}[1]{\mathsf{\uprho^{new}_\mathnormal{#1}}} |
|
|
|
\newcommand{\CoinAddressPreRand}{\mathsf{\upvarphi}} |
|
|
|
\newcommand{\CoinCommitS}{\mathsf{s}} |
|
|
|
\newcommand{\TransmitPlaintextVersionByte}{\mathbf{0x00}} |
|
|
|
\newcommand{\hSigInputVersionByte}{\mathbf{0x00}} |
|
|
|
\newcommand{\Memo}{\mathsf{memo}} |
|
|
|
\newcommand{\CryptoBox}{\mathsf{crypto\_box}} |
|
|
|
\newcommand{\CryptoBoxOpen}{\mathsf{crypto\_box\_open}} |
|
|
@ -109,12 +111,13 @@ |
|
|
|
\newcommand{\TransmitDecrypt}[1]{\mathsf{Decrypt}_{#1}} |
|
|
|
\newcommand{\CRH}{\mathsf{CRH}} |
|
|
|
\newcommand{\CRHbox}[1]{\CRH\left(\;\raisebox{-1.3ex}{\usebox{#1}}\;\right)} |
|
|
|
\newcommand{\CryptoBoxSealHash}{\mathtt{SHA256}} |
|
|
|
\newcommand{\CryptoBoxSealHashbox}[1]{\CryptoBoxSealHash\left(\;\raisebox{-1.3ex}{\usebox{#1}}\;\right)} |
|
|
|
\newcommand{\FullHash}{\mathtt{SHA256}} |
|
|
|
\newcommand{\FullHashbox}[1]{\FullHash\left(\;\raisebox{-1.3ex}{\usebox{#1}}\;\right)} |
|
|
|
\newcommand{\PRF}[2]{\mathsf{{PRF}^{#2}_\mathnormal{#1}}} |
|
|
|
\newcommand{\PRFaddr}[1]{\PRF{#1}{addr}} |
|
|
|
\newcommand{\PRFsn}[1]{\PRF{#1}{sn}} |
|
|
|
\newcommand{\PRFpk}[1]{\PRF{#1}{pk}} |
|
|
|
\newcommand{\PRFrho}[1]{\PRF{#1}{\CoinAddressRand}} |
|
|
|
\newcommand{\SHA}{\mathtt{SHA256Compress}} |
|
|
|
\newcommand{\SHAName}{\term{SHA-256 compression}} |
|
|
|
\newcommand{\SHAOrig}{\term{SHA-256}} |
|
|
@ -264,6 +267,17 @@ independent. |
|
|
|
\end{bytefield} |
|
|
|
\end{lrbox} |
|
|
|
|
|
|
|
\newsavebox{\rhobox} |
|
|
|
\begin{lrbox}{\rhobox} |
|
|
|
\begin{bytefield}[bitwidth=0.065em]{512} |
|
|
|
\bitbox{242}{256 bit $\CoinAddressPreRand$} & |
|
|
|
\bitbox{14}{1} & |
|
|
|
\bitbox{14}{0} & |
|
|
|
\bitbox{14}{$i$} & |
|
|
|
\bitbox{228}{$\Trailing{253}(\hSig)$} |
|
|
|
\end{bytefield} |
|
|
|
\end{lrbox} |
|
|
|
|
|
|
|
\nathan{Note: If we change input arity (i.e. $\NOld$), we need to be aware of how it |
|
|
|
is associated with this bit-packing.} |
|
|
|
|
|
|
@ -271,7 +285,8 @@ is associated with this bit-packing.} |
|
|
|
\begin{aligned} |
|
|
|
\SpendAuthorityPublic &:= \PRFaddr{\SpendAuthorityPrivate}(0) &= \CRHbox{\addrbox} \\ |
|
|
|
\sn &:= \PRFsn{\SpendAuthorityPrivate}(\CoinAddressRand) &= \CRHbox{\snbox} \\ |
|
|
|
\h{i} &:= \PRFpk{\SpendAuthorityPrivate}(i, \hSig) &= \CRHbox{\pkbox} |
|
|
|
\h{i} &:= \PRFpk{\SpendAuthorityPrivate}(i, \hSig) &= \CRHbox{\pkbox} \\ |
|
|
|
\CoinAddressRandNew{i} &:= \PRFrho{\CoinAddressPreRand}(i, \hSig) &= \CRHbox{\rhobox} |
|
|
|
\end{aligned} |
|
|
|
\end{equation*} |
|
|
|
|
|
|
@ -349,7 +364,7 @@ Define: |
|
|
|
|
|
|
|
\begin{itemize} |
|
|
|
\item[] $\Nonce(i, \EphemeralPublic, \TransmitPublicNew{i}) = |
|
|
|
\CryptoBoxSealHashbox{\noncebox}$. |
|
|
|
\FullHashbox{\noncebox}$. |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
Then to encrypt: |
|
|
@ -381,7 +396,7 @@ will be ignored. |
|
|
|
This is a variation on the $\CryptoBoxSeal$ algorithm defined in libsodium |
|
|
|
\cite{cryptoboxseal}, but with a single ephemeral key used for all encryptions in a |
|
|
|
given \PourDescription, and with the nonce for each ciphertext component depending |
|
|
|
on the index $i$. Also, $\CryptoBoxSealHash$ (the full hash, not the compression |
|
|
|
on the index $i$. Also, $\FullHash$ (the full hash, not the compression |
|
|
|
function) is used instead of $\mathsf{blake2b}$. |
|
|
|
|
|
|
|
\subsubsection{Coin Commitments} |
|
|
@ -536,9 +551,7 @@ some block height in the past, or the merkle root produced by a previous pour in |
|
|
|
this transaction. \sean{We need to be more specific here.} |
|
|
|
|
|
|
|
\item $\scriptSig$ which is a \script that creates conditions for acceptance of a |
|
|
|
\PourDescription in a transaction. The $\SHA$ hash of this value is $\hSig$. |
|
|
|
|
|
|
|
\daira{Why $\SHA$ and not $\SHAOrig$? The script is variable-length.} |
|
|
|
\PourDescription in a transaction. |
|
|
|
|
|
|
|
\item $\scriptPubKey$ which is a \script used to satisfy the conditions of the |
|
|
|
$\scriptSig$. |
|
|
@ -561,6 +574,25 @@ $\PourDescription$. |
|
|
|
|
|
|
|
\end{list} |
|
|
|
|
|
|
|
\subparagraph{Computation of $\hSig$} |
|
|
|
|
|
|
|
\newsavebox{\hsigbox} |
|
|
|
\begin{lrbox}{\hsigbox} |
|
|
|
\begin{bytefield}[bitwidth=0.045em]{808} |
|
|
|
\bitbox{80}{$\hSigInputVersionByte$} & |
|
|
|
\bitbox{256}{256 bit $\snOld{0}$} & |
|
|
|
\bitbox{24}{...} & |
|
|
|
\bitbox{256}{256 bit $\snOld{\NOld-1}$} & |
|
|
|
\bitbox{256}{$\scriptPubKey$} |
|
|
|
\end{bytefield} |
|
|
|
\end{lrbox} |
|
|
|
|
|
|
|
Given a \PourDescription, we define: |
|
|
|
|
|
|
|
\begin{itemize} |
|
|
|
\item[] $\hSig := \FullHashbox{\hsigbox}$ |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
\subparagraph{Merkle root validity} |
|
|
|
|
|
|
|
A $\PourDescription$ is valid if $\rt$ is a Coin commitment tree root found in |
|
|
@ -597,8 +629,8 @@ In \Zcash, $\NOld$ and $\NNew$ are both $2$. |
|
|
|
A valid instance of $\PourProof$ assures that given a \term{primary input} |
|
|
|
$(\rt, \snOld{1..\NOld}, \cmNew{1..\NNew}, \vpubOld, \vpubNew, \hSig, \h{1..\NOld})$, |
|
|
|
a witness of \term{auxiliary input} |
|
|
|
$(\treepath{1..\NOld}, \cOld{1..\NOld}, \SpendAuthorityPrivateOld{1..\NOld}, \cNew{1..\NNew})$ |
|
|
|
exists, where: |
|
|
|
$(\treepath{1..\NOld}, \cOld{1..\NOld}, \SpendAuthorityPrivateOld{1..\NOld}, |
|
|
|
\cNew{1..\NNew}, \CoinAddressPreRand)$ exists, where: |
|
|
|
|
|
|
|
\begin{list}{}{} |
|
|
|
|
|
|
@ -636,6 +668,10 @@ $\SpendAuthorityPublicOld{i} = \PRFaddr{\SpendAuthorityPrivateOld{i}}(0)$. |
|
|
|
|
|
|
|
for each $i \in \{1..\NOld\}$: $\h{i}$ = $\PRFpk{\SpendAuthorityPrivateOld{i}}(i, \hSig)$ |
|
|
|
|
|
|
|
\subparagraph{Uniqueness of $\CoinAddressRandNew{i}$} |
|
|
|
|
|
|
|
for each $i \in \{1..\NNew\}$: $\CoinAddressRandNew{i}$ = $\PRFrho{\CoinAddressPreRand}(i, \hSig)$ |
|
|
|
|
|
|
|
\subparagraph{Commitment integrity} |
|
|
|
|
|
|
|
for each $i \in \{1..\NNew\}$: $\cmNew{i}$ = $\CoinCommitment{\cNew{i}}$ |
|
|
|