Changes to the protocol specification

In § 5.4.3 'Symmetric Encryption', rename \(Sym\) to \(NoteSym\) and add the following text:

Let \(\mathsf{NullSym.}\mathbf{K} := \mathbb{B}^{[256]}\) ,

\(\mathsf{NullSym.}\mathbf{P} := \mathbb{B^Y}^{\mathbb{N}}\) , and \(\mathsf{NullSym.}\mathbf{C} := \mathbb{B^Y}^{\mathbb{N}}\) .

Let \(\mathsf{NullSym.Encrypt_K}(\mathsf{P}) := \mathsf{P} || [0x00]^{16}\) .

Define \(\mathsf{NullSym.Decrypt_K}(\mathsf{C})\) as follows:

• If the last 16 bytes of \(\mathsf{C}\) are not \([0x00]^{16}\) , return \(\bot\) . Otherwise discard those 16 bytes and return the remaining prefix of \(\mathsf{C}\) .

Note: These definitions intentionally ignore the key; \(\mathsf{NullSym}\) is not a secure authenticated encryption scheme. It MUST be used only for notes in shielded coinbase outputs, which are intended to be visible as cleartext.

In § 4.20 'In-band secret distribution (Sapling and Orchard)', change:

let \(\mathsf{Sym}\) be the encryption scheme instantiated in § 5.4.3 'Symmetric Encryption'.

to

let \(\mathsf{NoteSym}\) and \(\mathsf{NullSym}\) be as instantiated in § 5.4.3 'Symmetric Encryption'.

[Pre-NU7] let \(\mathsf{Sym}\) be \(\mathsf{NoteSym}\) .

[NU7 onward] if the note to be decrypted is in an output of a version 6 or later coinbase transaction, let \(\mathsf{Sym}\) be \(\mathsf{NullSym}\) , otherwise let it be \(\mathsf{NoteSym}\) .

These changes apply identically to Mainnet and Testnet.

TODO: specify the handling of the ephemeralKey field.