We use $\lambda$ to denote the security parameter (later instantiated to $\lambda=128$) and measure security of cryptographic primitives in integral multiples of $\lambda$ (usually $1$). Next we list the primitives used in Zcash and their security/cryptographic assumptions.
\begin{itemize}
\item$\CRH$ is a collision-resistant hash function with security $\lambda$, meaning that finding a collision takes, in expectation, no fewer than $2^\lambda$ steps.
\item$\PRF{x}{a}$ is a family of pseudorandom functions, parameterized by $x,a$, with security parameter $\lambda$ meaning
that ??? \eli{not sure what we need exactly but would be good to say it}. Additionally we assume that for any $(x,a)\neq(y,b)$
$\PRF{x}{a}$ and $\PRF{y}{b}$ are pseudo-independent, meaning \eli{?}
\item PKC is a public key encryption scheme with security parameter $\lambda$ meaning \eli{?}
\item COMM is a statistically hiding and binding commitment scheme with security parameter $\lambda$, meaning \ldots
\item DS is a digital signature scheme with security parameter $\lambda$ meaning \ldots
\end{itemize}
\section{Abstract description of the construction}
In what follows we describe the key components of the construction along with their ``intended use'', i.e., the way they should be used by honest participants. We also address deviations from intended use and the risks of such deviations.
\subsection{Keys and addresses}
Users require a \keyTuple$k=(\AuthPrivate, \TransmitPrivate, \PaymentAddress)$\eli{better name?} to use the system, where
\begin{itemize}
\item$\AuthPrivate\in\{0,1\}^{\lambda}$ is the \spendingKey.
It should be chosen uniformly at random (cf. Attack~\ref{attack:entropy}).
\item$\TransmitPrivate=PKC(\AuthPrivate\circ0)$\eli{I actually don't know what it is and what crypto properties are used?}
\item$\PaymentAddress=(\AuthPublic, ?)$ is the \paymentAddress
\end{itemize}
\subsubsection{Attacks and mitigations}
\begin{enumerate}
\item\label{attack:entropy} If random keys are selected from a source with limited entropy, then an attacker with knowledge of the source distribution can recover them in shorter time.
\end{enumerate}
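The following is an added example, not part of the original draft or of the Zcash code base: it measures how much a key is worth when its randomness source is weak, independent of the key's length. The weak generator, the 12-bit seed space, and the skewed seed distribution are constructed assumptions, and SHA-256 is used only as a stand-in expander.

```python
import hashlib
import math
import secrets

KEY_BITS = 252  # spending-key length stated on this page


def generate_spending_key() -> int:
    """Intended use: KEY_BITS bits drawn uniformly from the OS CSPRNG."""
    return secrets.randbits(KEY_BITS)


def weak_spending_key(seed: int) -> int:
    """Constructed weak generator: a full-length key fixed by a 12-bit seed.
    SHA-256 is only a stand-in expander here, not a Zcash derivation."""
    digest = hashlib.sha256(seed.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - KEY_BITS)


def min_entropy_bits(probs):
    """Bits of security against the single most likely guess."""
    return -math.log2(max(probs))


def expected_guesses(probs):
    """Mean number of guesses when candidates are tried most likely first,
    which is the best strategy given knowledge of the distribution."""
    ordered = sorted(probs, reverse=True)
    return sum(rank * p for rank, p in enumerate(ordered, start=1))


SEEDS = 2 ** 12
# Constructed seed distribution: half the probability mass sits on 16 seeds
# (for example, clock values shortly after boot), the rest is spread evenly.
SKEWED = [0.5 / 16] * 16 + [0.5 / (SEEDS - 16)] * (SEEDS - 16)
UNIFORM = [1 / SEEDS] * SEEDS


def audit():
    """Summarise what each seed source is worth, regardless of key length."""
    distinct = len({weak_spending_key(s) for s in range(SEEDS)})
    return {
        "distinct_weak_keys": distinct,
        "uniform": (min_entropy_bits(UNIFORM), expected_guesses(UNIFORM)),
        "skewed": (min_entropy_bits(SKEWED), expected_guesses(SKEWED)),
    }


if __name__ == "__main__":
    print(audit())
```

Every key from the weak generator is 252 bits long, yet only 4096 distinct keys exist, and the skewed source offers 5 bits of min-entropy where the uniform seed source offers 12.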
A \keyTuple$(\AuthPrivate, \TransmitPrivate, \PaymentAddress)$ is
generated by users who wish to receive payments under this scheme.
The \viewingKey$\TransmitPrivate$ and the \paymentAddress
$\PaymentAddress=(\AuthPublic, \TransmitPublic)$ are derived from the
\spendingKey$\AuthPrivate$.
The following diagram depicts the relations between key components.
Arrows point from a component to any other component(s) that can be derived
from it.
\begin{center}
\includegraphics[scale=.8]{key_components}
\end{center}
The composition of \paymentAddresses\changed{, \viewingKeys,} and \spendingKeys
is a cryptographic protocol detail that should not normally be
exposed to users. However, user-visible operations should be provided
to obtain a \paymentAddress or \viewingKey from a \spendingKey.
\changed{$\AuthPrivate$ is 252 bits.}
$\AuthPublic$, $\TransmitPrivate$, and $\TransmitPublic$ are each 256 bits.
\changed{$\AuthPublic$, $\TransmitPrivate$ and $\TransmitPublic$ are derived