trying to generate pdf

protocol/protocol.tex

@@ -338,6 +338,153 @@
 \newpage
 
 
+\eli{Start restructuring}
+
+\section{Preliminaries}
+
+\subsection{Cryptographic primitives}
+
+We use $\lambda$ to denote the security parameter (later instantiated to $\lambda=128$) and measure security of cryptographic primitives in integral multiples of $\lambda$ (usually $1$). Next we list the primitives used in Zcash and their security/cryptographic assumptions. 
+
+\begin{itemize}
+	\item $\CRH$ is a collision resistant hash function with security $\lambda$ meaning that a collision is found, on expectation, in no less than $2^\lambda$ steps.
+	\item  $\PRF{x}{a}$ is a family of pseudorandom functions, parameterized by $x,a$, with security parameter $\lambda$ meaning
+	that ??? \eli{not sure what we need exactly but would be good to say it}. Additionally we assume that for any $(x,a)\neq (y,b)$ 
+	$\PRF{x}{a}$ and $\PRF{y}{b}$ are pseudo-independent, meaning \eli{?}
+	\item PKC is a public key encryption scheme with security parameter $\lambda$ meaning \eli{?}
+	\item COMM is a statistically hiding and binding commitment scheme with security parameter $\lambda$, meaning \ldots
+	\item DS is a digital signature scheme with security parameter $\lambda$ meaning \ldots
+\end{itemize}
+
+\section{Abstract description of the construction}
+
+In what follows we describe the key components of the construction along with their ``intended use'', i.e., the way they should be used by honest participants. We also address deviations from intended use and the risks of such deviations.
+
+\subsection{Keys and addresses}
+
+Users require a \keyTuple $k=(\AuthPrivate, \TransmitPrivate, \PaymentAddress)$ \eli{better name?} to use the system, where
+\begin{itemize}
+	\item $\AuthPrivate\in \{0,1\}^{\lambda}$ is the \spendingKey. 
+	It should be chosen uniformly at random (cf. Attack~\ref{attack:entropy})
+	\item $\TransmitPrivate=PKC(\AuthPrivate\circ 0)$ \eli{I actually don't know what it is and what crypto properties are used?}
+	\item $\PaymentAddress=(\AuthPublic, ?)$ is the \paymentAddress
+\end{itemize}
+
+
+
+
+\subsubsection{Attacks and mitigations}
+
+\begin{enumerate}
+	\item\label{attack:entropy} If random keys are selected from a source with limited entropy then they can be recovered in shorter time by an attacker with knowledge of the source distribution. 
+
+\end{enumerate}
+
+A \keyTuple $(\AuthPrivate, \TransmitPrivate, \PaymentAddress)$ is
+generated by users who wish to receive payments under this scheme.
+The \viewingKey $\TransmitPrivate$ and the \paymentAddress
+$\PaymentAddress = (\AuthPublic, \TransmitPublic)$ are derived from the
+\spendingKey $\AuthPrivate$.
+
+The following diagram depicts the relations between key components.
+Arrows point from a component to any other component(s) that can be derived
+from it.
+
+\begin{center}
+	\includegraphics[scale=.8]{key_components}
+\end{center}
+
+The composition of \paymentAddresses\changed{, \viewingKeys,} and \spendingKeys
+is a cryptographic protocol detail that should not normally be
+exposed to users. However, user-visible operations should be provided
+to obtain a \paymentAddress or \viewingKey from a \spendingKey.
+
+\changed{$\AuthPrivate$ is 252 bits.}
+$\AuthPublic$, $\TransmitPrivate$, and $\TransmitPublic$, are each 256 bits.
+
+\changed{$\AuthPublic$, $\TransmitPrivate$ and $\TransmitPublic$ are derived
+	as follows:}
+{\hfuzz=50pt
+	\begin{equation*}
+	\begin{aligned}
+	\AuthPublic &:= \changed{\PRFaddr{\AuthPrivate}(0)} \\
+	\TransmitPrivate &:= \changed{\Clamp(\PRFaddr{\AuthPrivate}(1))} \\
+	\TransmitPublic &:= \changed{\CurveMultiply(\TransmitPrivate, \CurveBase)}
+	\end{aligned}
+	\end{equation*}
+}
+
+\changed{
+	where
+	\begin{itemize}
+		\item $\CurveMultiply(\bytes{n}, \bytes{q})$ performs point
+		multiplication of the Curve25519 public key represented by the byte
+		sequence $\bytes{q}$ by the Curve25519 secret key represented by the
+		byte sequence $\bytes{n}$, as defined in section 2 of \cite{Curve25519};
+		\item $\CurveBase$ is the public byte sequence representing the Curve25519
+		base point;
+		\item $\Clamp(\bytes{x})$ takes a 32-byte sequence $\bytes{x}$ as input
+		and returns a byte sequence representing a Curve25519 private key, with
+		bits ``clamped'' as described in section 3 of \cite{Curve25519}:
+		``clear bits 0, 1, 2 of the first byte, clear bit 7 of the last byte,
+		and set bit 6 of the last byte.'' Here the bits of a byte are numbered
+		such that bit $b$ has numeric weight $2^b$.
+	\end{itemize}
+}
+
+Users can accept payment from multiple parties with a single \paymentAddress
+$\PaymentAddress$ and the fact that these payments are destined to
+the same payee is not revealed on the blockchain, even to the
+paying parties. \emph{However} if two parties collude to compare a
+\paymentAddress they can trivially determine they are the same. In the
+case that a payee wishes to prevent this they should create a distinct
+\paymentAddress for each payer.
+
+\subparagraph{Note:}
+It is conventional in cryptography to refer to the key used to encrypt
+a message in an asymmetric encryption scheme as the ``public key".
+However, the Curve25519 public key used as the \transmissionKey component
+of an address ($\TransmitPublic$) need not be publically distributed; it
+has the same distribution as the \paymentAddress itself. As mentioned above,
+limiting the distribution of the \paymentAddress is important for some use cases.
+This also helps to reduce reliance of the overall protocol on the security
+of Curve25519, since an adversary would have to know $\TransmitPublic$ in
+order to exploit a hypothetical Curve25519 weakness.
+
+
+
+
+
+\subsection{Transactions}
+
+\subsection{JoinSplit circuit and SNARK}
+
+\subsection{Block and blockchain}
+
+
+\section{Instantiation}
+
+
+
+
+
+
+
+
+
+
+\eli{end restructuring}
+
+
+
+
+
+
+
+
+
+
+
 \section{Introduction}
 
 \Zcash is an implementation of the \term{Decentralized Anonymous Payment}