Added some latex beautifying and minor rephrasing

AntoineRondelet · AntoineRondelet · commit cbd44bebd827 · 2025-02-16T19:08:12.000Z
diff --git a/rendered/draft-approval.html b/rendered/draft-approval.html
@@ -26,7 +26,7 @@
             <p>The terms "Asset" and "ZSA" in this document are to be interpreted as described in ZIP 227 <a id="footnote-reference-4" class="footnote_reference" href="#zip-0227">5</a>.</p>
         </section>
         <section id="abstract"><h2><span class="section-heading">Abstract</span><span class="section-anchor"> <a rel="bookmark" href="#abstract"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
-            <p>This ZIP proposes transaction user controls - a mechanism allowing recipients of shielded funds to actively participate in the transfer of Assets by approving or rejecting incoming transactions.</p>
+            <p>This ZIP specifies user controls for transactions - a mechanism allowing recipients of shielded funds to actively participate in the transfer of Assets by approving or rejecting incoming transactions.</p>
         </section>
         <section id="motivation"><h2><span class="section-heading">Motivation</span><span class="section-anchor"> <a rel="bookmark" href="#motivation"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
             <p>In the current version of Zcash, fund transfers occur without the explicit consent of recipients. While this simplicity offers convenience, it creates significant challenges for users of the network (e.g. individuals or businesses). The goal of this ZIP is to design a mechanism where the recipient of shielded funds on Zcash (for any type of ZSA) can confirm (or ‘approve’) the receipt of the funds on chain. This enhancement addresses crucial needs in the Zcash ecosystem, particularly at a time when privacy-preserving assets face increased scrutiny from major cryptocurrency exchanges. The proposed controls offer robust safeguarding solutions while maintaining Zcash’s core privacy features.</p>
@@ -57,42 +57,42 @@
         <section id="specification"><h2><span class="section-heading">Specification</span><span class="section-anchor"> <a rel="bookmark" href="#specification"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h2>
             <p>Most of the protocol is kept the same as the Orchard protocol released with NU5, except for the following.</p>
             <section id="approval-signature"><h3><span class="section-heading">Approval Signature</span><span class="section-anchor"> <a rel="bookmark" href="#approval-signature"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h3>
-                <p>Given the Orchard address of the recipient of the output note of an Orchard Action (in the form:
-                    <span class="math">\(d | pk_d\!\)</span>
-                , see <a id="footnote-reference-7" class="footnote_reference" href="#protocol-raw-address">9</a>), and given that
-                    <span class="math">\(g_d\)</span>
-                 is a Pallas curve point, derived from
-                    <span class="math">\(d\)</span>
-                 (see <a id="footnote-reference-8" class="footnote_reference" href="#protocol-diversify-hash">10</a>) - the approval signature derivation goes as follows:</p>
+                <p>Let
+                    <span class="math">\((\mathsf{d}, \mathsf{pk_d})\)</span>
+                 be the Orchard shielded payment address of the recipient of the output note of an Orchard Action <a id="footnote-reference-7" class="footnote_reference" href="#protocol-raw-address">9</a>. Let
+                    <span class="math">\(\mathsf{g_d}\)</span>
+                 be derived from the diversifier
+                    <span class="math">\(\mathsf{d}\)</span>
+                 as in §5.4.1.6 of the protocol specification <a id="footnote-reference-8" class="footnote_reference" href="#protocol-diversify-hash">10</a>. The approval signature is derived as follows:</p>
                 <ol type="1">
                     <li>The sender sends the
-                        <span class="math">\(OrchardActionDescription\)</span>
+                        <span class="math">\(\mathtt{OrchardActionDescription}\)</span>
                      (the preimage of the message to be signed, as per <a id="footnote-reference-9" class="footnote_reference" href="#protocol-actions">8</a>) for the recipient to sign.</li>
                     <li>
                         <dl>
                             <dt>The recipient executes the following steps:</dt>
                             <dd>
                                 <ul>
                                     <li>
-                                        <span class="math">\(m \gets H(OrchardActionDescription)\)</span>
+                                        <span class="math">\(m \gets H(\mathtt{OrchardActionDescription})\)</span>
                                     </li>
                                     <li>
                                         <span class="math">\(r \overset{R}{\leftarrow} \mathbb{Z}_{r_{\mathbb{P}}}\!\)</span>
                                     , where
                                         <span class="math">\(\mathbb{Z}_{r_{\mathbb{P}}}\)</span>
                                      is the scalar field of Pallas <a id="footnote-reference-10" class="footnote_reference" href="#protocol-pallas-vesta">11</a>, and where
                                         <span class="math">\(\overset{R}{\leftarrow}\)</span>
-                                     denotes a variable assignment uniformly at random from a given set.</li>
+                                     denotes a variable assignment uniformly at random from a given set <a id="footnote-reference-11" class="footnote_reference" href="#protocol-notation">16</a>.</li>
                                     <li>
-                                        <span class="math">\(u \gets [r]g_d\!\)</span>
-                                    , a Pallas point</li>
+                                        <span class="math">\(u \gets [r] \mathsf{g_d}\)</span>
+                                    </li>
                                     <li>
-                                        <span class="math">\(C \gets H(g_d, pk_d, u, m) \mod r_{\mathbb{P}}\!\)</span>
+                                        <span class="math">\(C \gets H(g_d || pk_d || u || m) \mod r_{\mathbb{P}}\!\)</span>
                                     , an element of Pallas' scalar field, and where
                                         <span class="math">\(H\)</span>
                                      is a secure hash function (e.g. SHA256 or Blake2)</li>
                                     <li>
-                                        <span class="math">\(s \gets r + C * ivk \mod r_{\mathbb{P}}\!\)</span>
+                                        <span class="math">\(s \gets r + C \cdot \mathsf{ivk} \mod r_{\mathbb{P}}\!\)</span>
                                     , an element of Pallas' scalar field</li>
                                     <li>
                                         <span class="math">\(\sigma_{approval} \gets (u, s)\)</span>
@@ -113,28 +113,30 @@
                 <section id="rationale-for-approval-signature"><h4><span class="section-heading">Rationale for Approval Signature</span><span class="section-anchor"> <a rel="bookmark" href="#rationale-for-approval-signature"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h4>
                     <p>To prove that the correct recipient of the output notes of an Orchard Action approves (the transfer of funds represented by) the Action, we want to show that the approval signature has been generated with a signing key that is derived from the spending key of the recipient of the output notes of the Action. In other words, we want to prove that the approval signature is generated by the network user who "knows" the spending key of the output notes of the Action. Doing so means that only the recipient of the note created in the Orchard Action can approve the payment.</p>
                     <p>To achieve this, we look into the key structure of Zcash Orchard. We know that the Orchard address is of the form:
-                        <span class="math">\(d | pk_d\!\)</span>
+                        <span class="math">\((\mathsf{d}, \mathsf{pk_d})\!\)</span>
                     . These 2 fields, the diversifier and the diversified address, are used by the sender when sending notes.</p>
                     <p>Looking at the Orchard key components derivations, we know that
-                        <span class="math">\(pk_d\)</span>
+                        <span class="math">\(\mathsf{pk_d}\)</span>
                      is derived as:
-                        <span class="math">\(pk_d := KAOrchard.DerivePublic(ivk, g_d) = [ivk]g_d\!\)</span>
-                    , see <a id="footnote-reference-11" class="footnote_reference" href="#protocol-orchard-keys">12</a> and <a id="footnote-reference-12" class="footnote_reference" href="#protocol-key-agreement">13</a></p>
+                        <span class="math">\(\mathsf{pk_d} =mathsf{KAOrchard.DerivePublic}(\mathsf{ivk}, \mathsf{g_d}) = [\mathsf{ivk}]\mathsf{g_d}\)</span>
+                     [#protocol-orchard-keys]_```</p>
                     <p>Given that
-                        <span class="math">\(ivk\)</span>
+                        <span class="math">\(\mathsf{ivk}\)</span>
                      is derived from the spending key of the recipient of the funds, we can prove that the recipient of the funds in an Orchard Action is approving the receipt of the funds, by using a proof of knowledge of
-                        <span class="math">\(ivk\!\)</span>
+                        <span class="math">\(\mathsf{ivk}\!\)</span>
                     . Such proof of knowledge of
-                        <span class="math">\(ivk\)</span>
+                        <span class="math">\(\mathsf{ivk}\)</span>
                      can be obtained by using the Non-Interactive Schnorr Protocol.</p>
                     <p>In fact, such proof of knowledge of
-                        <span class="math">\(ivk\)</span>
+                        <span class="math">\(\mathsf{ivk}\)</span>
                      can be obtained by using a Schnorr Signature on the Action (the message) with
-                        <span class="math">\(ivk\)</span>
+                        <span class="math">\(\mathsf{ivk}\)</span>
                      as signing/secret key and
-                        <span class="math">\(g_d\)</span>
+                        <span class="math">\(\mathsf{g_d}\)</span>
                      as group generator.</p>
-                    <p><strong>Note:</strong> Zcash Orchard already uses a Schnorr-based signature scheme instantiated with the Pallas curve (see RedPallas <a id="footnote-reference-13" class="footnote_reference" href="#protocol-redpallas">15</a>). As of NU6, RedPallas is used to instantiate
+                    <p><strong>Note:</strong> Zcash Orchard already uses a Schnorr-based signature scheme instantiated with the Pallas curve,
+                        <span class="math">\(\mathsf{RedPallas}\)</span>
+                     <a id="footnote-reference-12" class="footnote_reference" href="#protocol-redpallas">15</a>. As of NU6, RedPallas is used to instantiate
                         <span class="math">\(SpendAuthSig^{Orchard}\)</span>
                      and
                         <span class="math">\(BindingSig^{Orchard}\!\)</span>
@@ -149,7 +151,7 @@
                         <span class="math">\(\sigma_{approval}\)</span>
                     </li>
                     <li>
-                        <span class="math">\(OrchardActionDescription\)</span>
+                        <span class="math">\(\mathtt{OrchardActionDescription}\)</span>
                     </li>
                 </ul>
                 <p>Witness:</p>
@@ -164,7 +166,7 @@
                 <p>Circuit:</p>
                 <ul>
                     <li>
-                        <span class="math">\(C’ \gets H(g_d, pk_d, \sigma_{approval}.u, H(OrchardActionDescription))\)</span>
+                        <span class="math">\(C’ \gets H(g_d || pk_d || \sigma_{approval}.u || H(\mathtt{OrchardActionDescription}))\)</span>
                     </li>
                     <li>
                         <span class="math">\(LHS \gets [\sigma_{approval}.s]g_d\)</span>
@@ -192,7 +194,7 @@
                     <p>In this case, the Zcash miners could verify the recipient's approval by doing (for each Action in the transaction):</p>
                     <ol type="1">
                         <li>
-                            <span class="math">\(C’ \gets H(g_d, pk_d, \sigma_{approval}.u, H(OrchardActionDescription))\)</span>
+                            <span class="math">\(C’ \gets H(g_d, pk_d, \sigma_{approval}.u, H(\mathtt{OrchardActionDescription}))\)</span>
                         </li>
                         <li>
                             <span class="math">\(LHS \gets [\sigma_{approval}.sigma]g_d\)</span>
@@ -234,7 +236,7 @@
                 </section>
             </section>
             <section id="modifications-to-the-transaction-format"><h3><span class="section-heading">Modifications to the Transaction Format</span><span class="section-anchor"> <a rel="bookmark" href="#modifications-to-the-transaction-format"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h3>
-                <p>In order to support this ZIP, the transaction format, as specified in <a id="footnote-reference-14" class="footnote_reference" href="#protocol-tx-encoding">14</a>, must be extended to add the approval signatures, as follows:</p>
+                <p>In order to support this ZIP, the transaction format, as specified in <a id="footnote-reference-13" class="footnote_reference" href="#protocol-tx-encoding">14</a>, must be extended to add the approval signatures, as follows:</p>
                 <table>
                     <thead>
                         <tr>
@@ -264,7 +266,7 @@
                 <ol type="1">
                     <li>Block a payment and deny to have received the "approval request", then accuse the sender to have failed to settle a contractual obligation.</li>
                     <li>Gain information: By receiving the
-                        <span class="math">\(OrchardActionDescription\)</span>
+                        <span class="math">\(\mathtt{OrchardActionDescription}\)</span>
                      to approve, recipients gets to see the
                         <span class="math">\(nullifier\)</span>
                      of the input note of the Orchard Action before the rest of the network.</li>
@@ -392,6 +394,14 @@
                     </tr>
                 </tbody>
             </table>
+            <table id="protocol-notation" class="footnote">
+                <tbody>
+                    <tr>
+                        <th>16</th>
+                        <td><cite>Zcash Protocol Specification, Version 2024.5.1 [NU6]. 2 Notation</cite> &lt;<a href="https://zips.z.cash/protocol/protocol.pdf#notation">https://zips.z.cash/protocol/protocol.pdf#notation</a>&gt;</td>
+                    </tr>
+                </tbody>
+            </table>
         </section>
     </section>
 </body>
diff --git a/zips/draft-approval.rst b/zips/draft-approval.rst
@@ -73,15 +73,15 @@ Most of the protocol is kept the same as the Orchard protocol released with NU5,
 Approval Signature
 ------------------
 
-Given the Orchard address of the recipient of the output note of an Orchard Action (in the form: $d | pk_d$, see [#protocol-raw-address]_), and given that $g_d$ is a Pallas curve point, derived from $d$ (see [#protocol-diversify-hash]_) - the approval signature derivation goes as follows:
+Let $(\mathsf{d}, \mathsf{pk_d})$ be the Orchard shielded payment address of the recipient of the output note of an Orchard Action [#protocol-raw-address]_. Let $\mathsf{g_d}$ be derived from the diversifier $\mathsf{d}$ as in §5.4.1.6 of the protocol specification [#protocol-diversify-hash]_. The approval signature is derived as follows:
 
-1. The sender sends the $OrchardActionDescription$ (the preimage of the message to be signed, as per [#protocol-actions]_) for the recipient to sign.
+1. The sender sends the $\mathtt{OrchardActionDescription}$ (the preimage of the message to be signed, as per [#protocol-actions]_) for the recipient to sign.
 2. The recipient executes the following steps:
-    - $m \gets H(OrchardActionDescription)$
-    - $r \overset{R}{\leftarrow} \mathbb{Z}_{r_{\mathbb{P}}}$, where $\mathbb{Z}_{r_{\mathbb{P}}}$ is the scalar field of Pallas [#protocol-pallas-vesta]_, and where $\overset{R}{\leftarrow}$ denotes a variable assignment uniformly at random from a given set.
+    - $m \gets H(\mathtt{OrchardActionDescription})$
+    - $r \overset{R}{\leftarrow} \mathbb{Z}_{r_{\mathbb{P}}}$, where $\mathbb{Z}_{r_{\mathbb{P}}}$ is the scalar field of Pallas [#protocol-pallas-vesta]_, and where $\overset{R}{\leftarrow}$ denotes a variable assignment uniformly at random from a given set [#protocol-notation]_.
     - $u \gets [r] \mathsf{g_d}$
-    - $C \gets H(g_d, pk_d, u, m) \mod r_{\mathbb{P}}$, an element of Pallas' scalar field, and where $H$ is a secure hash function (e.g. SHA256 or Blake2)
-    - $s \gets r + C \cdot ivk \mod r_{\mathbb{P}}$, an element of Pallas' scalar field
+    - $C \gets H(g_d || pk_d || u || m) \mod r_{\mathbb{P}}$, an element of Pallas' scalar field, and where $H$ is a secure hash function (e.g. SHA256 or Blake2)
+    - $s \gets r + C \cdot \mathsf{ivk} \mod r_{\mathbb{P}}$, an element of Pallas' scalar field
     - $\sigma_{approval} \gets (u, s)$
 
 , and sends $\sigma_{approval}$ to the sender (off-chain).
@@ -118,7 +118,7 @@ The following steps are added to the Orchard Action statement:
 Instance:
 
 - $\sigma_{approval}$
-- $OrchardActionDescription$
+- $\mathtt{OrchardActionDescription}$
 
 Witness:
 
@@ -127,7 +127,7 @@ Witness:
 
 Circuit:
 
-- $C’ \gets H(g_d, pk_d, \sigma_{approval}.u, H(OrchardActionDescription))$
+- $C’ \gets H(g_d || pk_d || \sigma_{approval}.u || H(\mathtt{OrchardActionDescription}))$
 - $LHS \gets [\sigma_{approval}.s]g_d$
 - $RHS \gets \sigma_{approval}.u + [C']pk_d$
 - $LHS - RHS = 0$
@@ -144,7 +144,7 @@ Indeed, both $g_d$ and $pk_d$ of the recipient are needed by the Zcash validator
 
 In this case, the Zcash miners could verify the recipient's approval by doing (for each Action in the transaction):
 
-1. $C’ \gets H(g_d, pk_d, \sigma_{approval}.u, H(OrchardActionDescription))$
+1. $C’ \gets H(g_d, pk_d, \sigma_{approval}.u, H(\mathtt{OrchardActionDescription}))$
 2. $LHS \gets [\sigma_{approval}.sigma]g_d$
 3. $RHS \gets \sigma_{approval}.u + [C']pk_d$
 4. $LHS \stackrel{?}{=} RHS$. If not, reject transaction.
@@ -189,7 +189,7 @@ By empowering recipients to approve (or not) incoming transactions, we also give
 This could be done maliciously to, for instance:
 
 1. Block a payment and deny to have received the "approval request", then accuse the sender to have failed to settle a contractual obligation.
-2. Gain information: By receiving the $OrchardActionDescription$ to approve, recipients gets to see the $nullifier$ of the input note of the Orchard Action before the rest of the network.
+2. Gain information: By receiving the $\mathtt{OrchardActionDescription}$ to approve, recipients gets to see the $nullifier$ of the input note of the Orchard Action before the rest of the network.
 
 References
 ==========
