mirror of https://github.com/zcash/halo2.git
[book] merkle-crh.md: formatting.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
ed20d539b2
commit
4a5a4cc437
|
@ -3,23 +3,23 @@
|
||||||
## Message decomposition
|
## Message decomposition
|
||||||
$\mathsf{SinsemillaHash}$ is used in the [$\mathsf{MerkleCRH^{Orchard}}$ hash function](https://zips.z.cash/protocol/protocol.pdf#orchardmerklecrh). The input to $\mathsf{SinsemillaHash}$ is:
|
$\mathsf{SinsemillaHash}$ is used in the [$\mathsf{MerkleCRH^{Orchard}}$ hash function](https://zips.z.cash/protocol/protocol.pdf#orchardmerklecrh). The input to $\mathsf{SinsemillaHash}$ is:
|
||||||
|
|
||||||
$$l_{\star} || \textsf{left}_{\star} || \textsf{right}_{\star}, $$
|
$${l\star} \,||\, {\textsf{left}\star} \,||\, {\textsf{right}\star},$$
|
||||||
|
|
||||||
where:
|
where:
|
||||||
- $l_{\star} = \textsf{I2LEBSP}_{10}(l) = \textsf{I2LEBSP}_{10}(\textsf{MerkleDepth}^\textsf{Orchard} - 1 - \textsf{layer})$,
|
- ${l\star} = \textsf{I2LEBSP}_{10}(l) = \textsf{I2LEBSP}_{10}(\textsf{MerkleDepth}^\textsf{Orchard} - 1 - \textsf{layer})$,
|
||||||
- $\textsf{left}_{\star} = \textsf{I2LEBSP}_{\ell_{\textsf{Merkle}}^{\textsf{Orchard}}}(\textsf{left})$,
|
- ${\textsf{left}\star} = \textsf{I2LEBSP}_{\ell_{\textsf{Merkle}}^{\textsf{Orchard}}}(\textsf{left})$,
|
||||||
- $\textsf{right}_{\star} = \textsf{I2LEBSP}_{\ell_{\textsf{Merkle}}^{\textsf{Orchard}}}(\textsf{right})$,
|
- ${\textsf{right}\star} = \textsf{I2LEBSP}_{\ell_{\textsf{Merkle}}^{\textsf{Orchard}}}(\textsf{right})$,
|
||||||
|
|
||||||
where $\ell_{\textsf{Merkle}}^{\textsf{Orchard}} = 255.$ $\textsf{left}$ and $\textsf{right}$ are allowed to be non-canonical $255$-bit encodings.
|
with $\ell_{\textsf{Merkle}}^{\textsf{Orchard}} = 255.$ $\textsf{left}$ and $\textsf{right}$ are allowed to be non-canonical $255$-bit encodings.
|
||||||
|
|
||||||
We break these inputs into the following `MessagePiece`s:
|
We break these inputs into the following `MessagePiece`s:
|
||||||
|
|
||||||
$$
|
$$
|
||||||
\begin{aligned}
|
\begin{aligned}
|
||||||
a \text{ (250 bits)} &= a_0||a_1 \\
|
a \text{ (250 bits)} &= a_0 \,||\, a_1 \\
|
||||||
&= l_\star || (\text{bits } 0..=239 \text{ of } \textsf{ left }) \\
|
&= {l\star} \,||\, (\text{bits } 0..=239 \text{ of } \textsf{ left }) \\
|
||||||
b \text{ (20 bits)} &= b_0||b_1||b_2 \\
|
b \text{ (20 bits)} &= b_0 \,||\, b_1 \,||\, b_2 \\
|
||||||
&= (\text{bits } 240..=249 \text{ of } \textsf{left}) || (\text{bits } 250..=254 \text{ of } \textsf{left}) || (\text{bits } 0..=4 \text{ of } \textsf{right}) \\
|
&= (\text{bits } 240..=249 \text{ of } \textsf{left}) \,||\, (\text{bits } 250..=254 \text{ of } \textsf{left}) \,||\, (\text{bits } 0..=4 \text{ of } \textsf{right}) \\
|
||||||
c \text{ (250 bits)} &= \text{bits } 5..=254 \text{ of } \textsf{right}
|
c \text{ (250 bits)} &= \text{bits } 5..=254 \text{ of } \textsf{right}
|
||||||
\end{aligned}
|
\end{aligned}
|
||||||
$$
|
$$
|
||||||
|
@ -35,7 +35,7 @@ $$
|
||||||
\begin{aligned}
|
\begin{aligned}
|
||||||
z_{1,a} &= \frac{a - a_0}{2^{10}}\\
|
z_{1,a} &= \frac{a - a_0}{2^{10}}\\
|
||||||
&= a_1 \\
|
&= a_1 \\
|
||||||
\implies a_0 &= a - (z_{1,a} \cdot 2^{10}).
|
\implies a_0 &= a - z_{1,a} \cdot 2^{10}.
|
||||||
\end{aligned}
|
\end{aligned}
|
||||||
$$
|
$$
|
||||||
$l + 1$ is loaded into a fixed column at each layer of the hash. It is used both as a gate selector, and to fix the value of $l$. We check that $$a_0 = (l + 1) - 1.$$
|
$l + 1$ is loaded into a fixed column at each layer of the hash. It is used both as a gate selector, and to fix the value of $l$. We check that $$a_0 = (l + 1) - 1.$$
|
||||||
|
|
Loading…
Reference in New Issue