ZIP 32: update spec references.

daira · daira · commit 8827ef0815e9 · 2019-11-10T16:47:16.000Z
Signed-off-by: Daira Hopwood &lt;daira@jacaranda.org&gt;
diff --git a/zip-0032.html b/zip-0032.html
@@ -20,7 +20,7 @@
         <section id="terminology">
             <h2>Terminology</h2>
             <p>The key words "MUST", "MUST NOT", and "MAY" in this document are to be interpreted as described in RFC 2119. <a href="#rfc2119" id="id1" class="footnote_reference">1</a></p>
-            <p>"Jubjub" refers to the elliptic curve defined in <a href="#sapling-spec" id="id2" class="footnote_reference">8</a> section 5.4.8.3.</p>
+            <p>"Jubjub" refers to the elliptic curve defined in <a href="#sapling-jubjub" id="id2" class="footnote_reference">12</a>.</p>
         </section>
         <section id="abstract">
             <h2>Abstract</h2>
@@ -49,14 +49,14 @@ <h2>Conventions</h2>
                 <li>LEOS2IP<sub>l</sub>(<em>S</em>) is the integer in range {0..2<sup>l</sup>-1} represented in little-endian order by the byte sequence <em>S</em> of length <em>l</em>/8.</li>
                 <li>I2LEBSP<sub>l</sub>(<em>k</em>) is the sequence of <em>l</em> bits representing <em>k</em> in little-endian order.</li>
                 <li>LEBS2OSP<sub>l</sub>(<em>B</em>) is defined as follows when <em>l</em> is a multiple of 8: convert each group of 8 bits in <em>B</em> to a byte value with the least significant bit first, and concatenate the resulting bytes in the same order as the groups.</li>
-                <li>repr<sub>𝕁</sub>(<em>P</em>) is the representation of the Jubjub elliptic curve point <em>P</em> as a bit sequence, defined in <a href="#sapling-spec" id="id9" class="footnote_reference">8</a> section 5.4.8.3.</li>
+                <li>repr<sub>𝕁</sub>(<em>P</em>) is the representation of the Jubjub elliptic curve point <em>P</em> as a bit sequence, defined in <a href="#sapling-jubjub" id="id9" class="footnote_reference">12</a>.</li>
                 <li>BLAKE2b-256(<em>p</em>, <em>x</em>) refers to unkeyed BLAKE2b-256 in sequential mode, with an output digest length of 32 bytes, 16-byte personalization string <em>p</em>, and input <em>x</em>.</li>
                 <li>BLAKE2b-512(<em>p</em>, <em>x</em>) refers to unkeyed BLAKE2b-512 in sequential mode, with an output digest length of 64 bytes, 16-byte personalization string <em>p</em>, and input <em>x</em>.</li>
                 <li>PRF<sup>expand</sup>(<em>sk</em>, <em>t</em>) := BLAKE2b-512("Zcash_ExpandSeed", <em>sk</em> || <em>t</em>)</li>
                 <li>ToScalar(<em>x</em>) := LEOS2IP<sub>512</sub>(<em>x</em>) (mod <em>r</em><sub>𝕁</sub>), where <em>r</em><sub>𝕁</sub> is the order of the Jubjub large prime subgroup.</li>
-                <li>DiversifyHash(<em>d</em>) maps a diversifier <em>d</em> to a base point on the Jubjub elliptic curve, or to ⊥ if the diversifier is invalid. It is instantiated in <a href="#sapling-spec" id="id10" class="footnote_reference">8</a> section 5.4.1.6.</li>
+                <li>DiversifyHash(<em>d</em>) maps a diversifier <em>d</em> to a base point on the Jubjub elliptic curve, or to ⊥ if the diversifier is invalid. It is instantiated in <a href="#sapling-diversifyhash" id="id10" class="footnote_reference">10</a>.</li>
             </ul>
-            <p>The following algorithm standardized in <a href="#nist-sp-800-38g" id="id11" class="footnote_reference">10</a> is used:</p>
+            <p>The following algorithm standardized in <a href="#nist-sp-800-38g" id="id11" class="footnote_reference">16</a> is used:</p>
             <ul>
                 <li>FF1-AES256.Encrypt(<em>key</em>, <em>tweak</em>, <em>x</em>) refers to the FF1 encryption algorithm using AES with a 256-bit <em>key</em>, and parameters <em>radix</em> = 2, <em>minlen</em> = 88, <em>maxlen</em> = 88. It will be used only with the empty string "" as the <em>tweak</em>. <em>x</em> is a sequence of 88 bits, as is the output.</li>
             </ul>
@@ -139,7 +139,7 @@ <h4>Deriving a child extended spending key</h4>
                 </section>
                 <section id="deriving-a-child-extended-full-viewing-key">
                     <h4>Deriving a child extended full viewing key</h4>
-                    <p>Let 𝓖 be as defined in <a href="#sapling-spec" id="id16" class="footnote_reference">8</a> section 5.4.6.1 and let 𝓗 be as defined in <a href="#sapling-key-components" id="id17" class="footnote_reference">9</a>.</p>
+                    <p>Let 𝓖 be as defined in <a href="#sapling-spendauthsig" id="id16" class="footnote_reference">11</a> and let 𝓗 be as defined in <a href="#sapling-key-components" id="id17" class="footnote_reference">9</a>.</p>
                     <p>CDKfvk((<em>ak</em><sub>par</sub>, <em>nk</em><sub>par</sub>, <em>ovk</em><sub>par</sub>, <em>dk</em><sub>par</sub>, <em>c</em><sub>par</sub>), <em>i</em>) → (<em>ak</em><sub>i</sub>, <em>nk</em><sub>i</sub>, <em>ovk</em><sub>i</sub>, <em>dk</em><sub>i</sub>, <em>c</em><sub>i</sub>)</p>
                     <ul>
                         <li>Check whether <em>i</em> ≥ 2<sup>31</sup> (whether the child is a hardened key).
@@ -184,7 +184,7 @@ <h3>Sprout extended keys</h3>
             </section>
             <section id="sprout-helper-functions">
                 <h3>Sprout helper functions</h3>
-                <p>Let EncodeASK(<em>a</em><sub>sk</sub>) be the 32-byte encoding of <em>a</em><sub>sk</sub> in the raw encoding of a Sprout spending key (excluding lead bytes) as specified in <a href="#sapling-spec" id="id18" class="footnote_reference">8</a> section 5.6.8.</p>
+                <p>Let EncodeASK(<em>a</em><sub>sk</sub>) be the 32-byte encoding of <em>a</em><sub>sk</sub> in the raw encoding of a Sprout spending key (excluding lead bytes) as specified in <a href="#sprout-spending-keys" id="id18" class="footnote_reference">15</a>.</p>
                 <p>Let DecodeASK(<em>ASK</em>) be the result of clearing the 4 most significant bits of the first byte of <em>ASK</em>, and decoding the 32-byte result according to the inverse of EncodeASK.</p>
             </section>
             <section id="sprout-master-key-generation">
@@ -246,7 +246,7 @@ <h3>Sprout key path</h3>
             <h2>Specification: Fingerprints and Tags</h2>
             <section id="sapling-full-viewing-key-fingerprints-and-tags">
                 <h3>Sapling Full Viewing Key Fingerprints and Tags</h3>
-                <p>A "Sapling full viewing key fingerprint" of a full viewing key with raw encoding <em>FVK</em> (as specified in <a href="#sapling-spec" id="id23" class="footnote_reference">8</a> section 5.6.7) is given by:</p>
+                <p>A "Sapling full viewing key fingerprint" of a full viewing key with raw encoding <em>FVK</em> (as specified in <a href="#sapling-full-viewing-keys" id="id23" class="footnote_reference">14</a>) is given by:</p>
                 <blockquote>
                     <p>BLAKE2b-256("ZcashSaplingFVFP", <em>FVK</em>)</p>
                 </blockquote>
@@ -255,7 +255,7 @@ <h3>Sapling Full Viewing Key Fingerprints and Tags</h3>
             </section>
             <section id="sprout-address-fingerprints-and-tags">
                 <h3>Sprout Address Fingerprints and Tags</h3>
-                <p>A "Sprout address fingerprint" of a Sprout payment address with raw encoding <em>ADDR</em> (as specified in <a href="#sapling-spec" id="id24" class="footnote_reference">8</a> section 5.6.3, including the lead bytes) is given by:</p>
+                <p>A "Sprout address fingerprint" of a Sprout payment address with raw encoding <em>ADDR</em> (as specified in <a href="#sprout-shielded-addresses" id="id24" class="footnote_reference">13</a>, including the lead bytes) is given by:</p>
                 <blockquote>
                     <p>BLAKE2b-256("Zcash_Sprout_AFP", <em>ADDR</em>)</p>
                 </blockquote>
@@ -378,22 +378,70 @@ <h2>References</h2>
                 <tbody>
                     <tr>
                         <th>8</th>
-                        <td><a href="https://github.com/zcash/zips/blob/master/protocol/protocol.pdf">Zcash Protocol Specification, Version 2018.0-beta-25 or later [Overwinter+Sapling]</a></td>
+                        <td><a href="protocol/protocol.pdf">Zcash Protocol Specification, Version 2019.0.8 or later [Overwinter+Sapling+Blossom]</a></td>
                     </tr>
                 </tbody>
             </table>
             <table id="sapling-key-components" class="footnote">
                 <tbody>
                     <tr>
                         <th>9</th>
-                        <td><a href="https://github.com/zcash/zips/blob/master/protocol/protocol.pdf">Section 4.2.2: Sapling Key Components. Zcash Protocol Specification, Version 2018.0-beta-25 or later [Overwinter+Sapling]</a></td>
+                        <td><a href="protocol/protocol.pdf#saplingkeycomponents">Zcash Protocol Specification, Section 4.2.2 Sapling Key Components</a></td>
                     </tr>
                 </tbody>
             </table>
-            <table id="nist-sp-800-38g" class="footnote">
+            <table id="sapling-diversifyhash" class="footnote">
                 <tbody>
                     <tr>
                         <th>10</th>
+                        <td><a href="protocol/protocol.pdf#concretediversifyhash">Zcash Protocol Specification, Section 5.4.1.6 DiversifyHash Hash Function</a></td>
+                    </tr>
+                </tbody>
+            </table>
+            <table id="sapling-spendauthsig" class="footnote">
+                <tbody>
+                    <tr>
+                        <th>11</th>
+                        <td><a href="protocol/protocol.pdf#concretespendauthsig">Zcash Protocol Specification, Section 5.4.6.1 Spend Authorization Signature</a></td>
+                    </tr>
+                </tbody>
+            </table>
+            <table id="sapling-jubjub" class="footnote">
+                <tbody>
+                    <tr>
+                        <th>12</th>
+                        <td><a href="protocol/protocol.pdf#jubjub">Zcash Protocol Specification, Section 5.4.8.3 Jubjub</a></td>
+                    </tr>
+                </tbody>
+            </table>
+            <table id="sprout-shielded-addresses" class="footnote">
+                <tbody>
+                    <tr>
+                        <th>13</th>
+                        <td><a href="protocol/protocol.pdf#sproutpaymentaddrencoding">Zcash Protocol Specification, Section 5.6.3 Sprout Shielded Payment Addresses</a></td>
+                    </tr>
+                </tbody>
+            </table>
+            <table id="sapling-full-viewing-keys" class="footnote">
+                <tbody>
+                    <tr>
+                        <th>14</th>
+                        <td><a href="protocol/protocol.pdf#saplingfullviewingkeyencoding">Zcash Protocol Specification, Section 5.6.7 Sapling Full Viewing Keys</a></td>
+                    </tr>
+                </tbody>
+            </table>
+            <table id="sprout-spending-keys" class="footnote">
+                <tbody>
+                    <tr>
+                        <th>15</th>
+                        <td><a href="protocol/protocol.pdf#sproutspendingkeyencoding">Zcash Protocol Specification, Section 5.6.8 Sprout Spending Keys</a></td>
+                    </tr>
+                </tbody>
+            </table>
+            <table id="nist-sp-800-38g" class="footnote">
+                <tbody>
+                    <tr>
+                        <th>16</th>
                         <td><a href="https://dx.doi.org/10.6028/NIST.SP.800-38G">NIST Special Publication 800-38G -- Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption</a></td>
                     </tr>
                 </tbody>
diff --git a/zip-0032.rst b/zip-0032.rst
@@ -19,7 +19,7 @@ Terminology
 The key words "MUST", "MUST NOT", and "MAY" in this document are to be interpreted as described in RFC 2119.
 [#RFC2119]_
 
-"Jubjub" refers to the elliptic curve defined in [#sapling-spec]_ section 5.4.8.3.
+"Jubjub" refers to the elliptic curve defined in [#sapling-jubjub]_.
 
 
 Abstract
@@ -81,7 +81,7 @@ Most of the notation and functions used in this ZIP are defined in the Sapling p
   same order as the groups.
 
 - repr\ :sub:`𝕁`\ (*P*) is the representation of the Jubjub elliptic curve point *P* as a bit sequence,
-  defined in [#sapling-spec]_ section 5.4.8.3.
+  defined in [#sapling-jubjub]_.
 
 - BLAKE2b-256(*p*, *x*) refers to unkeyed BLAKE2b-256 in sequential mode, with an output digest length of
   32 bytes, 16-byte personalization string *p*, and input *x*.
@@ -95,7 +95,7 @@ Most of the notation and functions used in this ZIP are defined in the Sapling p
   of the Jubjub large prime subgroup.
 
 - DiversifyHash(*d*) maps a diversifier *d* to a base point on the Jubjub elliptic curve, or to ⊥ if the
-  diversifier is invalid. It is instantiated in [#sapling-spec]_ section 5.4.1.6.
+  diversifier is invalid. It is instantiated in [#sapling-diversifyhash]_.
 
 The following algorithm standardized in [#NIST-SP-800-38G]_ is used:
 
@@ -205,7 +205,7 @@ CDKsk((*ask*\ :sub:`par`\ , *nsk*\ :sub:`par`\ , *ovk*\ :sub:`par`\ , *dk*\ :sub
 
 Deriving a child extended full viewing key
 ``````````````````````````````````````````
-Let 𝓖 be as defined in [#sapling-spec]_ section 5.4.6.1 and let 𝓗 be as defined in [#sapling-key-components]_.
+Let 𝓖 be as defined in [#sapling-spendauthsig]_ and let 𝓗 be as defined in [#sapling-key-components]_.
 
 CDKfvk((*ak*\ :sub:`par`\ , *nk*\ :sub:`par`\ , *ovk*\ :sub:`par`\ , *dk*\ :sub:`par`\ , *c*\ :sub:`par`\ ), *i*) →
 (*ak*\ :sub:`i`\ , *nk*\ :sub:`i`\ , *ovk*\ :sub:`i`\ , *dk*\ :sub:`i`\ , *c*\ :sub:`i`\ )
@@ -265,7 +265,7 @@ Sprout helper functions
 -----------------------
 
 Let EncodeASK(*a*\ :sub:`sk`) be the 32-byte encoding of *a*\ :sub:`sk` in the raw encoding of a Sprout
-spending key (excluding lead bytes) as specified in [#sapling-spec]_ section 5.6.8.
+spending key (excluding lead bytes) as specified in [#sprout-spending-keys]_.
 
 Let DecodeASK(*ASK*) be the result of clearing the 4 most significant bits of the first byte of *ASK*,
 and decoding the 32-byte result according to the inverse of EncodeASK.
@@ -364,7 +364,7 @@ Sapling Full Viewing Key Fingerprints and Tags
 ----------------------------------------------
 
 A "Sapling full viewing key fingerprint" of a full viewing key with raw encoding *FVK* (as specified
-in [#sapling-spec]_ section 5.6.7) is given by:
+in [#sapling-full-viewing-keys]_) is given by:
 
   BLAKE2b-256("ZcashSaplingFVFP", *FVK*)
 
@@ -378,7 +378,7 @@ Sprout Address Fingerprints and Tags
 ------------------------------------
 
 A "Sprout address fingerprint" of a Sprout payment address with raw encoding *ADDR* (as specified in
-[#sapling-spec]_ section 5.6.3, including the lead bytes) is given by:
+[#sprout-shielded-addresses]_, including the lead bytes) is given by:
 
   BLAKE2b-256("Zcash_Sprout_AFP", *ADDR*)
 
@@ -481,7 +481,13 @@ References
 .. [#bip-0044] `BIP 44: Multi-Account Hierarchy for Deterministic Wallets <https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki>`_
 .. [#slip-0044] `SLIP 44: Registered coin types for BIP-0044 <https://github.com/satoshilabs/slips/blob/master/slip-0044.md>`_
 .. [#bip-0173] `BIP 173: Base32 address format for native v0-16 witness outputs <https://github.com/bitcoin/bips/blob/master/bip-0173.mediawiki>`_
-.. [#sapling-spec] `Zcash Protocol Specification, Version 2018.0-beta-25 or later [Overwinter+Sapling] <https://github.com/zcash/zips/blob/master/protocol/protocol.pdf>`_
-.. [#sapling-key-components] `Section 4.2.2: Sapling Key Components. Zcash Protocol Specification, Version 2018.0-beta-25 or later [Overwinter+Sapling] <https://github.com/zcash/zips/blob/master/protocol/protocol.pdf>`_
+.. [#sapling-spec] `Zcash Protocol Specification, Version 2019.0.8 or later [Overwinter+Sapling+Blossom] <protocol/protocol.pdf>`_
+.. [#sapling-key-components] `Zcash Protocol Specification, Section 4.2.2 Sapling Key Components <protocol/protocol.pdf#saplingkeycomponents>`_
+.. [#sapling-diversifyhash] `Zcash Protocol Specification, Section 5.4.1.6 DiversifyHash Hash Function <protocol/protocol.pdf#concretediversifyhash>`_
+.. [#sapling-spendauthsig] `Zcash Protocol Specification, Section 5.4.6.1 Spend Authorization Signature <protocol/protocol.pdf#concretespendauthsig>`_
+.. [#sapling-jubjub] `Zcash Protocol Specification, Section 5.4.8.3 Jubjub <protocol/protocol.pdf#jubjub>`_
+.. [#sprout-shielded-addresses] `Zcash Protocol Specification, Section 5.6.3 Sprout Shielded Payment Addresses <protocol/protocol.pdf#sproutpaymentaddrencoding>`_
+.. [#sapling-full-viewing-keys] `Zcash Protocol Specification, Section 5.6.7 Sapling Full Viewing Keys <protocol/protocol.pdf#saplingfullviewingkeyencoding>`_
+.. [#sprout-spending-keys] `Zcash Protocol Specification, Section 5.6.8 Sprout Spending Keys <protocol/protocol.pdf#sproutspendingkeyencoding>`_
 .. [#NIST-SP-800-38G] `NIST Special Publication 800-38G -- Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption <https://dx.doi.org/10.6028/NIST.SP.800-38G>`_
 
