zips/draft-approval.rst
Lines changed: 10 additions & 10 deletions
@@ -26,7 +26,7 @@ The terms "Asset" and "ZSA" in this document are to be interpreted as described
26
26
Abstract
27
27
========
28
28
29
-
This ZIP proposes transaction user controls - a mechanism allowing recipients of shielded funds to actively participate in the transfer of Assets by approving or rejecting incoming transactions.
29
+
This ZIP specifies user controls for transactions - a mechanism allowing recipients of shielded funds to actively participate in the transfer of Assets by approving or rejecting incoming transactions.
30
30
31
31
Motivation
32
32
==========
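Review bot: In the rewritten Abstract sentence, the spaced hyphen in "user controls for transactions - a mechanism" stands in for a dash and will render as a plain hyphen. A colon or a second sentence reads more cleanly, for example "This ZIP specifies user controls for transactions: a mechanism allowing recipients of shielded funds to ...".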
@@ -79,9 +79,9 @@ Given the Orchard address of the recipient of the output note of an Orchard Acti
79
79
2. The recipient executes the following steps:
80
80
- $m \gets H(OrchardActionDescription)$
81
81
- $r \overset{R}{\leftarrow} \mathbb{Z}_{r_{\mathbb{P}}}$, where $\mathbb{Z}_{r_{\mathbb{P}}}$ is the scalar field of Pallas [#protocol-pallas-vesta]_, and where $\overset{R}{\leftarrow}$ denotes a variable assignment uniformly at random from a given set.
82
-
- $u \gets [r]g_d$, a Pallas point
82
+
- $u \gets [r]\mathsf{g_d}$
83
83
- $C \gets H(g_d, pk_d, u, m) \mod r_{\mathbb{P}}$, an element of Pallas' scalar field, and where $H$ is a secure hash function (e.g. SHA256 or Blake2)
84
-
- $s \gets r + C * ivk \mod r_{\mathbb{P}}$, an element of Pallas' scalar field
84
+
- $s \gets r + C \cdot ivk \mod r_{\mathbb{P}}$, an element of Pallas' scalar field
85
85
- $\sigma_{approval} \gets (u, s)$
86
86
87
87
, and sends $\sigma_{approval}$ to the sender (off-chain).
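Review bot: The switch to `\mathsf{g_d}` on the u item leaves this list with mixed notation, because the next two items still write the same values in italics (`H(g_d, pk_d, u, m)` and `r + C \cdot ivk`). Convert those items in the same change so one algorithm does not show two styles for the same symbol. The u item also loses its ", a Pallas point" annotation while the C and s items keep "an element of Pallas' scalar field"; keeping the type on every assignment helps an implementer check that u is a group element and s is a scalar. Separately, the unchanged C item still gives H as "e.g. SHA256 or Blake2"; since the verifier has to recompute C exactly, the hash function and the encoding of its inputs should be fixed in a follow-up.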
@@ -96,18 +96,18 @@ In other words, we want to prove that the approval signature is generated by the
96
96
Doing so means that only the recipient of the note created in the Orchard Action can approve the payment.
97
97
98
98
To achieve this, we look into the key structure of Zcash Orchard.
99
-
We know that the Orchard address is of the form: $d | pk_d$.
99
+
We know that the Orchard address is of the form: $(\mathsf{d}, \mathsf{pk_d})$.
100
100
These 2 fields, the diversifier and the diversified address, are used by the sender when sending notes.
101
101
102
-
Looking at the Orchard key components derivations, we know that $pk_d$ is derived as:
103
-
$pk_d := KAOrchard.DerivePublic(ivk, g_d) = [ivk]g_d$, see [#protocol-orchard-keys]_ and [#protocol-key-agreement]_
102
+
Looking at the Orchard key components derivations, we know that $\mathsf{pk_d}$ is derived as:
Given that $ivk$ is derived from the spending key of the recipient of the funds, we can prove that the recipient of the funds in an Orchard Action is approving the receipt of the funds, by using a proof of knowledge of $ivk$.
106
-
Such proof of knowledge of $ivk$ can be obtained by using the Non-Interactive Schnorr Protocol.
105
+
Given that $\mathsf{ivk}$ is derived from the spending key of the recipient of the funds, we can prove that the recipient of the funds in an Orchard Action is approving the receipt of the funds, by using a proof of knowledge of $\mathsf{ivk}$.
106
+
Such proof of knowledge of $\mathsf{ivk}$ can be obtained by using the Non-Interactive Schnorr Protocol.
107
107
108
-
In fact, such proof of knowledge of $ivk$ can be obtained by using a Schnorr Signature on the Action (the message) with $ivk$ as signing/secret key and $g_d$ as group generator.
108
+
In fact, such proof of knowledge of $\mathsf{ivk}$ can be obtained by using a Schnorr Signature on the Action (the message) with $\mathsf{ivk}$ as signing/secret key and $\mathsf{g_d}$ as group generator.
109
109
110
-
**Note:** Zcash Orchard already uses a Schnorr-based signature scheme instantiated with the Pallas curve (see RedPallas [#protocol-redpallas]_).
110
+
**Note:** Zcash Orchard already uses a Schnorr-based signature scheme instantiated with the Pallas curve, $\mathsf{RedPallas}$ [#protocol-redpallas]_.
111
111
As of NU6, RedPallas is used to instantiate $SpendAuthSig^{Orchard}$ and $BindingSig^{Orchard}$.
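Review bot: The added sentence "we know that $\mathsf{pk_d}$ is derived as:" ends in a colon, but in the lines shown here the formula it introduces is absent: the old `pk_d := KAOrchard.DerivePublic(ivk, g_d) = [ivk]g_d` line appears only as a removal, together with its references [#protocol-orchard-keys]_ and [#protocol-key-agreement]_. The argument that a Schnorr signature under ivk with g_d as generator proves the recipient's approval rests on that relation, so please confirm that the replacement keeps both the equation and the two citations. Minor: the last context line still writes $SpendAuthSig^{Orchard}$ and $BindingSig^{Orchard}$ in italics next to the new $\mathsf{RedPallas}$.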