<buttonid="sidebar-toggle"class="icon-button"type="button"title="Toggle Table of Contents"aria-label="Toggle Table of Contents"aria-controls="sidebar">
</div>
</div>
<divid="search-wrapper"class="hidden">
<formid="searchbar-outer"class="searchbar-outer">
<p>The nullifier private key <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">nsk</span></span></span></span></span> is removed. Its purpose in Sapling was as
recover <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">ask</span></span></span></span></span> would not be able to spend funds. In practice it has not been
feasible to manage <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">nsk</span></span></span></span></span> much more securely than a full viewing key, as the
<p><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">nk</span></span></span></span></span> is now a field element instead of a curve point, making it more efficient
<p><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">ovk</span></span></span></span></span> is now derived from <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">fvk</span></span></span></span></span>, instead of being derived in parallel.
This places it in a similar position within the key structure to <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">ivk</span></span></span></span></span>, and
same <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">ivk</span></span></span></span></span> but different <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">ovk</span></span></span></span></span>s. Users still have control over whether
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">ovk</span></span></span></span></span> is used when constructing a transaction.</p>
<p>When designing Sapling, we defined a <a href="https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki">BIP 32</a>-like mechanism for generating hierarchical
deterministic wallets in <a href="https://zips.z.cash/zip-0032">ZIP 32</a>. We decided at the time to stick closely to the design
of BIP 32, on the assumption that there were Bitcoin use cases that used both hardened and
non-hardened derivation that we might not be aware of. This decision created significant
complexity for Sapling: we needed to handle derivation separately for each component of
the expanded spending key and full viewing key (whereas for transparent addresses there is
only a single component in the spending key).</p>
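<p>To make the hardened/non-hardened distinction concrete for the transparent (secp256k1) case, the following Python is an added example for this page, not code from ZIP 32, the Orchard book or any Zcash wallet. It implements BIP 32's CKDpriv and CKDpub as the specification defines them, checks that the public path agrees with the private path for a non-hardened index and is undefined for a hardened one, and shows the standard cost of non-hardened derivation: a parent extended public key together with any one non-hardened child private key reveals the parent private key. The seed is constructed for the example and the helper names (<code>ckd_priv</code>, <code>ckd_pub</code>, <code>recover_parent_priv</code>, <code>demo</code>) are this example's own.</p>

```python
import hashlib
import hmac

# secp256k1, the curve BIP 32 (and Zcash transparent addresses) derive keys on.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000  # indices >= 2^31 are hardened (written i' in BIP 32 paths)


def _add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def _ser_p(pt):
    """serP from BIP 32: SEC1 compressed point encoding (0x02/0x03 prefix by y parity)."""
    x, y = pt
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def _split(I):
    """Split an HMAC-SHA512 output into (IL as integer, IR as chain code), rejecting IL >= n."""
    il = int.from_bytes(I[:32], "big")
    if il >= N:
        raise ValueError("invalid child (IL >= n); BIP 32 says skip this index")
    return il, I[32:]


def ckd_priv(k_par, c_par, i):
    """CKDpriv: parent private key and chain code -> child private key and chain code."""
    if i >= HARDENED:
        data = b"\x00" + k_par.to_bytes(32, "big") + i.to_bytes(4, "big")
    else:
        data = _ser_p(_mul(k_par, G)) + i.to_bytes(4, "big")
    il, c_i = _split(hmac.new(c_par, data, hashlib.sha512).digest())
    k_i = (il + k_par) % N
    if k_i == 0:
        raise ValueError("invalid child (k_i == 0); BIP 32 says skip this index")
    return k_i, c_i


def ckd_pub(K_par, c_par, i):
    """CKDpub: parent public key and chain code -> child public key. Non-hardened only."""
    if i >= HARDENED:
        raise ValueError("hardened children need the parent private key")
    data = _ser_p(K_par) + i.to_bytes(4, "big")
    il, c_i = _split(hmac.new(c_par, data, hashlib.sha512).digest())
    K_i = _add(_mul(il, G), K_par)
    if K_i is None:
        raise ValueError("invalid child (point at infinity); BIP 32 says skip this index")
    return K_i, c_i


def recover_parent_priv(K_par, c_par, i, k_i):
    """The non-hardened caveat: whoever holds the parent xpub (K_par, c_par) and learns one
    non-hardened child private key k_i can compute k_par = k_i - IL mod n."""
    data = _ser_p(K_par) + i.to_bytes(4, "big")
    il, _ = _split(hmac.new(c_par, data, hashlib.sha512).digest())
    return (k_i - il) % N


def demo():
    """Constructed walk-through under a throwaway master key; returns the checks it makes."""
    seed = b"constructed demo seed, not a real wallet"  # constructed for this example
    k_m, c_m = _split(hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest())
    K_m = _mul(k_m, G)
    # Non-hardened child 0: the public path (xpub only) must agree with the private path.
    k_0, c_0 = ckd_priv(k_m, c_m, 0)
    K_0, c_0_pub = ckd_pub(K_m, c_m, 0)
    public_path_matches = K_0 == _mul(k_0, G) and c_0 == c_0_pub
    # Hardened child 0': only the private path exists.
    k_0h, _ = ckd_priv(k_m, c_m, HARDENED)
    try:
        ckd_pub(K_m, c_m, HARDENED)
        hardened_blocked = False
    except ValueError:
        hardened_blocked = True
    return {
        "public_path_matches": public_path_matches,
        "hardened_blocked": hardened_blocked,
        "parent_recovered_from_xpub_and_child": recover_parent_priv(K_m, c_m, 0, k_0) == k_m,
        "hardened_child_differs": k_0h != k_0,
    }
```

<p>The recovery step is why BIP 32 wallets keep the upper levels of a derivation path hardened and derive only leaf addresses non-hardened: an extended public key handed to a watch-only service is safe on its own, but not once a single non-hardened child private key below it leaks.</p>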
<p>Non-hardened derivation enables creating a multi-level path of child addresses below some
parent address, without involving the parent spending key. The primary use case for this
is HD wallets for transparent addresses, which use the following structure defined in
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord"><spanclass="mord mathit">HomomorphicCommit</span></span></span></span></span> is a linearly homomorphic commitment scheme with perfect hiding,
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathit">Commit</span></span></span></span></span> and <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathit">ShortCommit</span></span></span></span></span> are commitment schemes with perfect hiding, and
<p>We instantiate <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord"><spanclass="mord mathit">HomomorphicCommit</span></span></span></span></span> with a Pedersen commitment, and use it for
<p>We instantiate <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathit">Commit</span></span></span></span></span> and <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathit">ShortCommit</span></span></span></span></span> with Sinsemilla, and use them
<p>Note that for <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">ivk</span></span></span></span></span>, we also deviate from Sapling in two ways:</p>
<ul>
<li>We use <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathit">ShortCommit</span></span></span></span></span> to derive <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">ivk</span></span></span></span></span> instead of a full PRF. This removes an
unnecessary (large) PRF primitive from the circuit, at the cost of requiring <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">rivk</span></span></span></span></span> to be
part of the full viewing key.</li>
<li>We define <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">ivk</span></span></span></span></span> as an integer in <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">[</span><spanclass="mord">1</span><spanclass="mpunct">,</span><spanclass="mspace"style="margin-right:0.16666666666666666em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.03588em;">q</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.03588em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.13889em;">P</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span><spanclass="mclose">)</span></span></span></span>; that is, we exclude <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">ivk</span></span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">0</span></span></span></span>. For
Sapling, we relied on BLAKE2s to make <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">ivk</span></span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">0</span></span></span></span> infeasible to produce, but it was still
technically possible. For Orchard, we get this by construction:
<ul>
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">0</span></span></span></span> is not a valid x-coordinate for any Pallas point.</li>
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">SinsemillaShortCommit</span></span></span></span></span> internally maps points to field elements by replacing the identity (which
has no affine coordinates) with <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">0</span></span></span></span>. But <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">SinsemillaCommit</span></span></span></span></span> is defined using incomplete addition, and
<p>The only difference is that we instantiate <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.9334479999999998em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathsf">MerkleCRH</span></span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.9334479999999998em;"><spanstyle="top:-3.1473400000000002em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mathsf mtight">Orchard</span></span></span></span></span></span></span></span></span></span></span></span> with
Sinsemilla (whereas <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.9334479999999998em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathsf">MerkleCRH</span></span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.9334479999999998em;"><spanstyle="top:-3.1473400000000002em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mathsf mtight"style="margin-right:0.01389em;">Sapling</span></span></span></span></span></span></span></span></span></span></span></span> used a Bowe--Hopwood Pedersen
<p>The fixed-depth incremental Merkle trees that we use (in Sprout and Sapling, and again in
Orchard) require specifying an "empty" or "uncommitted" leaf - a value that will never be
appended to the tree as a regular leaf.</p>
<ul>
<li>For Sprout (and trees composed of the outputs of bit-twiddling hash functions), we use
the all-zeroes array; the probability of a real note having a colliding note commitment
is cryptographically negligible.</li>
<li>For Sapling, where leaves are <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.43056em;vertical-align:0em;"></span><spanclass="mord mathnormal">u</span></span></span></span>-coordinates of Jubjub points, we use the value <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">1</span></span></span></span>
which is not the <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.43056em;vertical-align:0em;"></span><spanclass="mord mathnormal">u</span></span></span></span>-coordinate of any Jubjub point.</li>
</ul>
<p>Orchard note commitments are the <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.43056em;vertical-align:0em;"></span><spanclass="mord mathnormal">x</span></span></span></span>-coordinates of Pallas points; thus we take the same
approach as Sapling, using a value that is not the <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.43056em;vertical-align:0em;"></span><spanclass="mord mathnormal">x</span></span></span></span>-coordinate of any Pallas point as the
uncommitted leaf value. We use the value <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">2</span></span></span></span> for both Pallas and Vesta, because <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.897438em;vertical-align:-0.08333em;"></span><spanclass="mord"><spanclass="mord">2</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.8141079999999999em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight">3</span></span></span></span></span></span></span></span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span><spanclass="mbin">+</span><spanclass="mspace"style="margin-right:0.2222222222222222em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">5</span></span></span></span> is
not a square in either <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.969438em;vertical-align:-0.286108em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.13889em;">F</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.15139200000000003em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.13889em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight">p</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.286108em;"><span></span></span></span></span></span></span></span></span></span> or <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.969438em;vertical-align:-0.286108em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.13889em;">F</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.15139200000000003em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.13889em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.03588em;">q</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.286108em;"><span></span></span></span></span></span></span></span></span></span>:</p>
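<p>Both facts relied on above (no Pallas point has x-coordinate 0, which is what lets ivk be defined on [1, q_P) with 0 excluded by construction, and 2 is a safe uncommitted leaf because 2^3 + 5 = 13 is not a square) can be checked directly with Euler's criterion. The following Python is an added example for this page, not code from the Orchard book or the orchard crate; the field moduli are the published Pasta parameters, and the helper names (<code>has_point_with_x</code>, <code>extract_p</code>, <code>check_ivk</code>, <code>uncommitted_leaf_candidates</code>) are this example's own.</p>

```python
# Pasta field moduli. In this page's notation p is the Pallas base field (q_P in the
# Zcash protocol spec) and q is the Vesta base field, which is also the Pallas group order.
# Pallas is y^2 = x^3 + 5 over F_p; Vesta is the same equation over F_q.
P_PALLAS = 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001
Q_VESTA = 0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001
B = 5  # the curve constant shared by Pallas and Vesta


def is_square(a, m):
    """Euler's criterion for an odd prime m: a^((m-1)/2) == 1 iff a is a non-zero square mod m."""
    a %= m
    return a == 0 or pow(a, (m - 1) // 2, m) == 1


def has_point_with_x(x, m):
    """True iff y^2 = x^3 + 5 has a solution y in F_m, i.e. x is the x-coordinate of some point."""
    return is_square(pow(x, 3, m) + B, m)


def is_on_curve(point, m):
    """Direct check of the curve equation for an affine point (x, y) over F_m."""
    x, y = point
    return (y * y - (pow(x, 3, m) + B)) % m == 0


def extract_p(point):
    """Extract_P as the circuit uses it: the x-coordinate, with the identity (None) mapped to 0."""
    return 0 if point is None else point[0] % P_PALLAS


def check_ivk(ivk):
    """ivk must lie in [1, q_P): 0 is rejected so that [ivk] g_d can never be the identity."""
    if not 1 <= ivk < P_PALLAS:
        raise ValueError("ivk outside [1, q_P)")
    return ivk


def uncommitted_leaf_candidates(limit, m):
    """Small x values that are not the x-coordinate of any point, i.e. usable as an 'empty' leaf."""
    return [x for x in range(limit) if not has_point_with_x(x, m)]


if __name__ == "__main__":
    print("x = 0 on Pallas:", has_point_with_x(0, P_PALLAS))
    print("x = 2 on Pallas:", has_point_with_x(2, P_PALLAS))
    print("x = 2 on Vesta:", has_point_with_x(2, Q_VESTA))
    print("small safe leaves (Pallas):", uncommitted_leaf_candidates(8, P_PALLAS))
```

<p>Running it also shows why the Sapling choice of 1 could not simply be reused here: 1^3 + 5 = 6 is a square in both F_p and F_q, so x = 1 is the x-coordinate of a Pallas point and of a Vesta point, while 0 and 2 are not. The check also covers the generator (-1, 2) shared by both curves, which sits on the curve because (-1)^3 + 5 = 4.</p>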
<p>Note: There are also no Pallas points with <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.43056em;vertical-align:0em;"></span><spanclass="mord mathnormal">x</span></span></span></span>-coordinate <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">0</span></span></span></span>, but we map the identity to
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">(</span><spanclass="mord">0</span><spanclass="mpunct">,</span><spanclass="mspace"style="margin-right:0.16666666666666666em;"></span><spanclass="mord">0</span><spanclass="mclose">)</span></span></span></span> within the circuit. Although <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">SinsemillaCommit</span></span></span></span></span> cannot return the identity
(the incomplete addition would return <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mrel">⊥</span></span></span></span> instead), it would arguably be confusing to
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.13889em;">F</span></span></span></span> is a keyed circuit-efficient PRF (such as Rescue or Poseidon).</li>
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">ρ</span></span></span></span> is unique to this output. As with <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.980548em;vertical-align:-0.286108em;"></span><spanclass="mord"><spanclass="mord mathsf">h</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.3361079999999999em;"><spanstyle="top:-2.5500000000000003em;margin-left:0em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mathsf mtight"style="margin-right:0.01389em;">Sig</span></span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.286108em;"><span></span></span></span></span></span></span></span></span></span> in Sprout, <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">ρ</span></span></span></span> includes
the nullifiers of any Orchard notes being spent in the same action. Given that an action
consists of a single spend and a single output, we set <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">ρ</span></span></span></span> to be the nullifier of the
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal"style="margin-right:0.03588em;">ψ</span></span></span></span> is sender-controlled randomness. It is not required to be unique, and in practice
is derived from both <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">ρ</span></span></span></span> and a sender-selected random value <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">rseed</span></span></span></span></span>:
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.78055em;vertical-align:-0.09722em;"></span><spanclass="mord mathcal"style="margin-right:0.0593em;">G</span></span></span></span> is a fixed independent base.</li>
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.84444em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathsf">Extract</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.33222299999999994em;"><spanstyle="top:-2.5500000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mathbb mtight">P</span></span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> extracts the <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.43056em;vertical-align:0em;"></span><spanclass="mord mathnormal">x</span></span></span></span>-coordinate of a Pallas curve point.</li>
<p>The note plaintext includes <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">rseed</span></span></span></span></span> in place of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal"style="margin-right:0.03588em;">ψ</span></span></span></span> and <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.44444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">rcm</span></span></span></span></span>, and
omits <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">ρ</span></span></span></span> (which is a public part of the action).</p>
<li>We're giving <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">ivk</span></span></span></span></span> to the attacker and allowing it to be the sender in order
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathit">GH</span></span></span></span></span> is a cryptographic hash into the group (such as BLAKE2s with simplified SWU),
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.05764em;">E</span></span></span></span> is an elliptic curve (such as Pallas).</li>
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathit">KDF</span></span></span></span></span> is the note encryption key derivation function.</li>
<p><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1.1726709999999998em;vertical-align:-0.247em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathit">HashDH</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.9256709999999999em;"><spanstyle="top:-2.4530000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05764em;">E</span></span></span><spanstyle="top:-3.1473400000000002em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight"><spanclass="mord mathit mtight">KDF</span></span></span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.247em;"><span></span></span></span></span></span></span></span></span></span> is computational Diffie-Hellman using <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathit">KDF</span></span></span></span></span> for
the key derivation, with one-time ephemeral keys. This assumption is heuristically weaker
than <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathit">DDH</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05764em;">E</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> but stronger than <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathit">DL</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05764em;">E</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span>.</p>
<p>We omit <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord mathnormal"style="margin-right:0.00773em;">R</span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.02778em;">O</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.02778em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight"><spanclass="mord mathit mtight">GH</span></span></span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> as a security assumption because we only rely on the random oracle
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.78055em;vertical-align:-0.09722em;"></span><spanclass="mord mathcal"style="margin-right:0.0593em;">G</span></span></span></span>, not to attacker-specified inputs.</p>
<p><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord">†</span></span></span></span> We additionally assume that for any input <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.43056em;vertical-align:0em;"></span><spanclass="mord mathnormal">x</span></span></span></span>,
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">{</span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.13889em;">F</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.33610799999999996em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.13889em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight"><spanclass="mord mathsf mtight">nk</span></span></span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span><spanclass="mopen">(</span><spanclass="mord mathnormal">x</span><spanclass="mclose">)</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">:</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.73354em;vertical-align:-0.0391em;"></span><spanclass="mord"><spanclass="mord mathsf">nk</span></span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">∈</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mord mathnormal"style="margin-right:0.05764em;">E</span><spanclass="mclose">}</span></span></span></span> gives a scalar in an adequate range for
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathit">DDH</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05764em;">E</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span>. (Otherwise, <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.13889em;">F</span></span></span></span> could be trivial, e.g. independent of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">nk</span></span></span></span></span>.)</p>
<p><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"style="color:red;"><spanclass="mord text"style="color:red;"><spanclass="mord"style="color:red;">⚠</span><spanclass="mord textsf"style="color:red;">Caution</span></span></span></span></span></span>: be skeptical of the claims in this table about what
problem(s) each security property depends on. They may not be accurate and are definitely
<p>The entries in this table omit the application of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.84444em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathsf">Extract</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.33222299999999994em;"><spanstyle="top:-2.5500000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mathbb mtight">P</span></span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span>,
<p><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathit">Hash</span></span></span></span></span> is a keyed circuit-efficient hash (such as Rescue).</p>
<p><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathcal"style="margin-right:0.07382em;">I</span></span></span></span> is a fixed independent base, independent of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.78055em;vertical-align:-0.09722em;"></span><spanclass="mord mathcal"style="margin-right:0.0593em;">G</span></span></span></span> and any others
returned by <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathit">GH</span></span></span></span></span>.</p>
<p><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord mathcal"style="margin-right:0.0593em;">G</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.151392em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.0593em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.03588em;">v</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> is a pair of fixed independent bases (independent of all others), where
the specific choice of base depends on whether the note has zero value.</p>
</li>
<li>
<p><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span></span></span></span> is a base unique to this output.</p>
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">ρ</span></span></span></span> includes the nullifiers of any Orchard notes being spent in the same action.</li>
<li>For zero-valued notes, <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span></span></span></span> is constrained by the circuit to a fixed base independent
of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathcal"style="margin-right:0.07382em;">I</span></span></span></span> and any others returned by <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathit">GH</span></span></span></span></span>.</li>
<li>There can be only one <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">ivk</span></span></span></span></span> for a given <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathit">addr</span></span></span></span></span>. This is true because
the circuit checks that <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord"><spanclass="mord mathsf">p</span><spanclass="mord"><spanclass="mord mathsf">k</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.33610799999999996em;"><spanstyle="top:-2.5500000000000003em;margin-left:0em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathsf mtight">d</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">[</span><spanclass="mord"><spanclass="mord mathsf">ivk</span></span><spanclass="mclose">]</span><spanclass="mord"><spanclass="mord mathsf"style="margin-right:0.01389em;">g</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.33610799999999996em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.01389em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathsf mtight">d</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span>, and the mapping
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.70544em;vertical-align:-0.011em;"></span><spanclass="mord"><spanclass="mord mathsf">ivk</span></span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">↦</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">[</span><spanclass="mord"><spanclass="mord mathsf">ivk</span></span><spanclass="mclose">]</span><spanclass="mord"><spanclass="mord mathsf"style="margin-right:0.01389em;">g</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.33610799999999996em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.01389em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathsf mtight">d</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> is an injection for any <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.63888em;vertical-align:-0.19444em;"></span><spanclass="mord"><spanclass="mord mathsf"style="margin-right:0.01389em;">g</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.33610799999999996em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.01389em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathsf mtight">d</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span>.
(<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">ivk</span></span></span></span></span> is in the base field of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.05764em;">E</span></span></span></span>, which must be smaller than its scalar field,
<li>There can be only one <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">nk</span></span></span></span></span> for a given <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">ivk</span></span></span></span></span>. This is true because the
where <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathit">ShortCommit</span></span></span></span></span> is binding (see <ahref="design/commitments.html">Commitments</a>).</li>
<h3><aclass="header"href="#use-of-span-classkatexspan-classkatex-html-aria-hiddentruespan-classbasespan-classstrut-styleheight0625emvertical-align-019444emspanspan-classmord-mathnormalρspanspanspanspan"id="use-of-span-classkatexspan-classkatex-html-aria-hiddentruespan-classbasespan-classstrut-styleheight0625emvertical-align-019444emspanspan-classmord-mathnormalρspanspanspanspan">Use of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">ρ</span></span></span></span></a></h3>
<p><strong>Faerie Resistance</strong> requires that nullifiers be unique. This is primarily achieved by
taking a unique value (checked for uniqueness by the public consensus rules) as an input
to the nullifier. However, it is also necessary to ensure that the transformations applied
to this value preserve its uniqueness. Meanwhile, to achieve <strong>Spend Unlinkability</strong>, we
require that the nullifier does not reveal any information about the unique value it is
derived from.</p>
<p>The design alternatives fall into two categories in terms of how they balance these
requirements:</p>
<ul>
<li>
<p>Publish a unique value <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">ρ</span></span></span></span> at note creation time, and blind that value within the
<li>This is similar to the approach taken in Sprout and Sapling, which both implemented
nullifiers as PRF outputs; Sprout uses the compression function from SHA-256, while
Sapling uses BLAKE2s.</li>
</ul>
</li>
<li>
<p>Derive a unique base <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span></span></span></span> from some unique value, publish that unique base at note
creation time, and then blind the base (either additively or multiplicatively) during
<p>For <strong>Spend Unlinkability</strong>, the only value unknown to the adversary is <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">nk</span></span></span></span></span>, and
the cryptographic assumptions only involve the first term (other terms like <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.44444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">cm</span></span></span></span></span>
or <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">[</span><spanclass="mord"><spanclass="mord mathsf"style="margin-right:0.06944em;">rnf</span></span><spanclass="mclose">]</span><spanclass="mord mathcal"style="margin-right:0.07382em;">I</span></span></span></span> cannot be extracted directly from the observed nullifiers,
but can be subtracted from them). We therefore ensure that the first term does not commit
directly to the note (to prevent a DL-breaking adversary from immediately breaking <strong>SU</strong>).</p>
<p>We were considering using a design involving <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span></span></span></span> with the goal of eliminating all usages
<li>Instantiating <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathit">PRF</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.13889em;">F</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> with a traditional hash function is expensive in the
circuit.</li>
<li>We didn't want to solely rely on an algebraic hash function satisfying <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathit">PRF</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.13889em;">F</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span>
to achieve <strong>Spend Unlinkability</strong>.</li>
<p>However, those designs rely on both <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord mathnormal"style="margin-right:0.00773em;">R</span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.02778em;">O</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.02778em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight"><spanclass="mord mathit mtight">GH</span></span></span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> and <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathit">DL</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05764em;">E</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> for
<strong>Faerie Resistance</strong>, while still requiring <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathit">DDH</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05764em;">E</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> for <strong>Spend Unlinkability</strong>.
(There are two designs for which this is not the case, but they rely on
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1.2605469999999999em;vertical-align:-0.293531em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathit">DDH</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.9670159999999999em;"><spanstyle="top:-2.4064690000000004em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05764em;">E</span></span></span><spanstyle="top:-3.1809080000000005em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mbin mtight">†</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.293531em;"><span></span></span></span></span></span></span></span></span></span> for <strong>Note Privacy (OOB)</strong> which was not acceptable).</p>
<p>By contrast, several designs involving <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">ρ</span></span></span></span> (including the chosen design) have weaker
assumptions for <strong>Faerie Resistance</strong> (only relying on <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathit">DL</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05764em;">E</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span>), and
<strong>Spend Unlinkability</strong> does not require <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathit">PRF</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.13889em;">F</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> to hold: they can fall back
on the same <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathit">DDH</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05764em;">E</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> assumption as the <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span></span></span></span> designs (along with an additional
assumption about the output of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.13889em;">F</span></span></span></span> which is easily satisfied).</p>
<h3><aclass="header"href="#use-of-span-classkatexspan-classkatex-html-aria-hiddentruespan-classbasespan-classstrut-styleheight08888799999999999emvertical-align-019444emspanspan-classmord-mathnormal-stylemargin-right003588emψspanspanspanspan"id="use-of-span-classkatexspan-classkatex-html-aria-hiddentruespan-classbasespan-classstrut-styleheight08888799999999999emvertical-align-019444emspanspan-classmord-mathnormal-stylemargin-right003588emψspanspanspanspan">Use of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal"style="margin-right:0.03588em;">ψ</span></span></span></span></a></h3>
<p>Most of the designs include either a multiplicative blinding term <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">[</span><spanclass="mord mathnormal"style="margin-right:0.02778em;">θ</span><spanclass="mclose">]</span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span></span></span></span>, or an
additive blinding term <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">[</span><spanclass="mord"><spanclass="mord mathsf"style="margin-right:0.06944em;">rnf</span></span><spanclass="mclose">]</span><spanclass="mord mathcal"style="margin-right:0.07382em;">I</span></span></span></span>, in order to achieve perfect
effectively using <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">[</span><spanclass="mord mathnormal"style="margin-right:0.03588em;">ψ</span><spanclass="mclose">]</span><spanclass="mord mathcal"style="margin-right:0.0593em;">G</span></span></span></span> for this purpose; a DL-breaking adversary only
perfect to statistical, but given that <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal"style="margin-right:0.03588em;">ψ</span></span></span></span> is from a distribution statistically close
to uniform on <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">[</span><spanclass="mord">0</span><spanclass="mpunct">,</span><spanclass="mspace"style="margin-right:0.16666666666666666em;"></span><spanclass="mord mathnormal"style="margin-right:0.03588em;">q</span><spanclass="mclose">)</span></span></span></span>, this is statistically close to better than <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8141079999999999em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord">2</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.8141079999999999em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight">−</span><spanclass="mord mtight">128</span></span></span></span></span></span></span></span></span></span></span></span>. The benefit
is that it does not require an additional scalar multiplication, making it more efficient
inside the circuit.</p>
<p><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal"style="margin-right:0.03588em;">ψ</span></span></span></span>'s derivation has two motivations:</p>
<li>Deriving from a random value <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">rseed</span></span></span></span></span> enables multiple derived values to be
conveyed to the recipient within an action (such as the ephemeral secret <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">esk</span></span></span></span></span>,
per <ahref="https://zips.z.cash/zip-0212">ZIP 212</a>), while keeping the note plaintext short.</li>
<li>Mixing <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">ρ</span></span></span></span> into the derivation ensures that the sender can't repeat <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal"style="margin-right:0.03588em;">ψ</span></span></span></span> across two
notes, which could have enabled spend linkability attacks in some designs.</li>
</ul>
<p>The note that is committed to, and which the circuit takes as input, only includes <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal"style="margin-right:0.03588em;">ψ</span></span></span></span>
(i.e. the circuit does not check the derivation from <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">rseed</span></span></span></span></span>). However, an
adversarial sender is still constrained by this derivation, because the recipient
recomputes <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal"style="margin-right:0.03588em;">ψ</span></span></span></span> during note decryption. If an action were created using an arbitrary
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal"style="margin-right:0.03588em;">ψ</span></span></span></span> (for which the adversary did not have a corresponding <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">rseed</span></span></span></span></span>), the
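<p>The two roles of ψ described above (derived from rseed with ρ mixed in, and recomputed by the recipient rather than checked by the circuit) as an added toy illustration. This is not code from the Orchard book or the orchard crate. Its assumptions are all constructed: the group is the order-Q subgroup of quadratic residues modulo a small safe prime P (written additively to mirror the spec's bracket notation), F_nk and the rseed-based derivation are both stood in by BLAKE2b with made-up domain tags, cm is an opaque toy group element, and a recipient is assumed to reject a note whose ψ does not match its own recomputation. The nullifier shape [F_nk(ρ) + ψ mod Q] G + cm follows the Orchard specification, but nothing here uses Pallas, Poseidon, or the spec's PRF instantiations.</p>

```python
"""Toy model of the roles of rho, psi and cm in an Orchard-style nullifier.

Added illustration; not code from the Orchard book or the orchard crate.
Assumptions (not from the page): a small safe-prime group written additively,
BLAKE2b standing in for F_nk and for the rseed-based derivation, and a
recipient that rejects a note whose psi does not match its recomputation.
"""
import hashlib
import secrets

P = 10007  # toy safe prime, P = 2*Q + 1 (constructed parameter)
Q = 5003   # prime order of the quadratic-residue subgroup
assert all(Q % d for d in range(2, int(Q ** 0.5) + 1)), "Q must be prime"
G = 4      # 2^2 mod P: a quadratic residue other than 1, so a generator of the order-Q subgroup


def scalar_mul(k: int, point: int) -> int:
    """[k]point in the toy group (exponentiation mod P, written additively)."""
    return pow(point, k % Q, P)


def add(a: int, b: int) -> int:
    """a + b in the toy group (multiplication mod P)."""
    return (a * b) % P


def prf_to_scalar(key: bytes, msg: bytes) -> int:
    """Keyed PRF mapped into [0, Q); stand-in for F_nk and PRF^expand (assumption)."""
    digest = hashlib.blake2b(msg, key=key, digest_size=16).digest()
    return int.from_bytes(digest, "big") % Q


def derive_psi(rseed: bytes, rho: int) -> int:
    """psi comes from the per-note random seed with rho mixed in, so one rseed
    cannot yield the same psi for two notes that have different rho."""
    return prf_to_scalar(rseed, b"psi" + rho.to_bytes(32, "big"))


def nullifier(nk: bytes, rho: int, psi: int, cm: int) -> int:
    """nf = [F_nk(rho) + psi mod Q] G + cm (Orchard shape, toy instantiation)."""
    s = (prf_to_scalar(nk, rho.to_bytes(32, "big")) + psi) % Q
    return add(scalar_mul(s, G), cm)


def recipient_accepts(rseed: bytes, rho: int, psi_in_note: int) -> bool:
    """The circuit only sees psi; the recipient recomputes it from rseed while
    decrypting the note.  False models rejecting a note built with an arbitrary psi."""
    return derive_psi(rseed, rho) == psi_in_note


def demo() -> dict:
    """Run the constructed scenario and return the observations by name."""
    nk = b"constructed nullifier key"
    rseed = secrets.token_bytes(32)   # fresh per-note seed, as a sender would pick
    cm = scalar_mul(77, G)            # opaque toy note commitment
    rho_a, rho_b = 1111, 2222         # two distinct unique values (constructed)
    psi_a = derive_psi(rseed, rho_a)
    psi_b = derive_psi(rseed, rho_b)
    nf_a = nullifier(nk, rho_a, psi_a, cm)
    nf_b = nullifier(nk, rho_b, psi_b, cm)
    return {
        # same rseed reused for two notes still gives different psi, because rho is mixed in
        "psi_differs_with_rho": psi_a != psi_b,
        # an honestly derived psi passes the recipient's recomputation
        "honest_note_accepted": recipient_accepts(rseed, rho_a, psi_a),
        # a sender who picks psi without a matching rseed is caught at decryption time
        "arbitrary_psi_rejected": not recipient_accepts(rseed, rho_a, (psi_a + 1) % Q),
        # distinct rho give distinct nullifiers for otherwise identical notes
        "nullifiers_distinct": nf_a != nf_b,
        # the nullifier stays in the prime-order subgroup
        "nf_in_subgroup": pow(nf_a, Q, P) == 1,
    }


if __name__ == "__main__":
    for name, observed in demo().items():
        print(f"{name}: {observed}")
```

<p>The check in <code>recipient_accepts</code> is what constrains an adversarial sender here: the proof does not verify the rseed derivation, so the only place a mismatched ψ is detected is the recipient's own decryption path, which is why a wallet must treat that recomputation as a hard check rather than a hint.</p>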
<h3><aclass="header"href="#use-of-span-classkatexspan-classkatex-html-aria-hiddentruespan-classbasespan-classstrut-styleheight044444emvertical-align0emspanspan-classmordspan-classmord-mathsfcmspanspanspanspanspan"id="use-of-span-classkatexspan-classkatex-html-aria-hiddentruespan-classbasespan-classstrut-styleheight044444emvertical-align0emspanspan-classmordspan-classmord-mathsfcmspanspanspanspanspan">Use of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.44444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">cm</span></span></span></span></span></a></h3>
<p>The nullifier commits to the note value via <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.44444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">cm</span></span></span></span></span> for two reasons:</p>
<li>Designs that bind the nullifier to <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.13889em;">F</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.33610799999999996em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.13889em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight"><spanclass="mord mathsf mtight">nk</span></span></span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span><spanclass="mopen">(</span><spanclass="mord mathnormal">ρ</span><spanclass="mclose">)</span></span></span></span> require <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.84444em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathit">Coll</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.13889em;">F</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> to
achieve <strong>Faerie Resistance</strong> (and similarly where <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathit">Hash</span></span></span></span></span> is applied to a value
derived from <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span></span></span></span>). Adding <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.44444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">cm</span></span></span></span></span> to the nullifier avoids this assumption: all of
the bases used to derive <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.44444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">cm</span></span></span></span></span> are fixed and independent of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.78055em;vertical-align:-0.09722em;"></span><spanclass="mord mathcal"style="margin-right:0.0593em;">G</span></span></span></span>, and so
the nullifier can be viewed as a Pedersen hash where the input includes <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">ρ</span></span></span></span> directly.</li>
<p>The <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.9223379999999999em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathit">Commit</span></span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.9223379999999999em;"><spanstyle="top:-3.1362300000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight"><spanclass="mord mathsf mtight"style="margin-right:0.06944em;">nf</span></span></span></span></span></span></span></span></span></span></span></span></span> variants were considered to avoid directly depending on
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.44444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">cm</span></span></span></span></span> (which in its native type is a base field element, not a group element). We
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.44444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">cm</span></span></span></span></span> as a group element, that is only used in nullifier computation. The circuit
already needs to compute <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.44444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">cm</span></span></span></span></span>, so this improves performance by removing</p>
<p>We also considered variants that used a choice of fixed bases <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord mathcal"style="margin-right:0.0593em;">G</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.151392em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.0593em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.03588em;">v</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> to provide
full viewing key (<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal"style="margin-right:0.03588em;">ψ</span></span></span></span> could be brute-forced to cancel out <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.13889em;">F</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.33610799999999996em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.13889em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight"><spanclass="mord mathsf mtight">nk</span></span></span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span><spanclass="mopen">(</span><spanclass="mord mathnormal">ρ</span><spanclass="mclose">)</span></span></span></span>,
causing a collision), and the other variants require assuming <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.84444em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathit">Coll</span></span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.13889em;">F</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> as
<li>Note that this constraint is unsatisfiable for <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mord mathnormal"style="margin-right:0.13889em;">P</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mord">⸭</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mopen">(</span><spanclass="mord">−</span><spanclass="mord mathnormal"style="margin-right:0.13889em;">P</span><spanclass="mclose">)</span></span></span></span> (when <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal"style="margin-right:0.13889em;">P</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel"><spanclass="mrel"><spanclass="mord vbox"><spanclass="thinbox"><spanclass="rlap"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="inner"><spanclass="mord"><spanclass="mrel"></span></span></span><spanclass="fix"></span></span></span></span></span><spanclass="mrel">=</span></span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathcal"style="margin-right:0.02778em;">O</span></span></span></span>),
<p>Suppose that we represent $\mathcal{O}$ as $(0, 0)$. ($0$ is not an $x$-coordinate of a valid point because we would need $y^2 = x^3 + 5$, and $5$ is not square in $\mathbb{F}_q$. Also $0$ is not a
<p>For the doubling case, Hışıl's thesis tells us that <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord mathnormal">λ</span></span></span></span> has to
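<p>The following is an added example, not code from the Orchard book or the halo2 gadgets: a plain Python model of Pallas affine arithmetic ($y^2 = x^3 + 5$ over $\mathbb{F}_p$) with $\mathcal{O}$ represented as $(0, 0)$, so that the incomplete-addition constraint $(x_q - x_p)\cdot\lambda = y_q - y_p$ and its unsatisfiability when $x_q = x_p$ (the $P \oplus (-P)$ and doubling cases) can be exercised directly, next to a complete addition that dispatches those cases. The modulus, the group order and the generator $(-1, 2)$ are the standard Pallas parameters; the function names and the exception type are this example's own. It also verifies the claim above that $5$ is not a square, which is why no valid point has $x = 0$. The arithmetic is not constant-time and is for illustration only.</p>

```python
# Added example (not from the Orchard book): affine Pallas arithmetic with the
# identity O written as (0, 0), mirroring the incomplete-addition constraint
# (x_q - x_p) * lambda = y_q - y_p, which has no solution when x_q = x_p.

# Pallas base field modulus p = 2^254 + 45560315531419706090280762371685220353
P = 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001
# Prime order of the Pallas group (also the Vesta base field modulus)
Q = 0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001
B = 5
IDENTITY = (0, 0)
# Standard Pallas generator (-1, 2): (-1)^3 + 5 = 4 = 2^2
GEN = (P - 1, 2)


class UnsatisfiableConstraint(Exception):
    """Raised where the incomplete-addition gadget would have no valid witness."""


def is_square(a):
    """Euler's criterion in F_p (0 counts as a square)."""
    a %= P
    return a == 0 or pow(a, (P - 1) // 2, P) == 1


def on_curve(pt):
    """True for O = (0, 0) by convention, else checks y^2 = x^3 + 5."""
    if pt == IDENTITY:
        return True
    x, y = pt
    return (y * y - (x * x * x + B)) % P == 0


def inv(a):
    return pow(a % P, P - 2, P)


def neg(pt):
    if pt == IDENTITY:
        return IDENTITY
    x, y = pt
    return (x, (-y) % P)


def incomplete_add(p1, p2):
    """P + Q under the gadget's assumption x_p != x_q; raises otherwise."""
    if p1 == IDENTITY or p2 == IDENTITY:
        raise UnsatisfiableConstraint("incomplete addition does not accept O")
    (xp, yp), (xq, yq) = p1, p2
    if xp == xq:
        raise UnsatisfiableConstraint("x_q = x_p: P = Q or P = -Q")
    lam = (yq - yp) * inv(xq - xp) % P      # (x_q - x_p) * lam = y_q - y_p
    xr = (lam * lam - xp - xq) % P
    yr = (lam * (xp - xr) - yp) % P
    return (xr, yr)


def double(pt):
    """Doubling with lambda = 3 x^2 / (2 y); y = 0 means 2P = O."""
    if pt == IDENTITY:
        return IDENTITY
    x, y = pt
    if y == 0:
        return IDENTITY
    lam = 3 * x * x * inv(2 * y) % P
    xr = (lam * lam - 2 * x) % P
    yr = (lam * (x - xr) - y) % P
    return (xr, yr)


def complete_add(p1, p2):
    """Complete addition: O, P + (-P) and P + P are handled before the
    incomplete formula is used."""
    if p1 == IDENTITY:
        return p2
    if p2 == IDENTITY:
        return p1
    if p1[0] == p2[0]:
        return IDENTITY if (p1[1] + p2[1]) % P == 0 else double(p1)
    return incomplete_add(p1, p2)


def scalar_mul(k, pt):
    """Plain left-to-right double-and-add (not constant-time)."""
    acc = IDENTITY
    for bit in bin(k)[2:]:
        acc = double(acc)
        if bit == "1":
            acc = complete_add(acc, pt)
    return acc


def incomplete_add_fails(p1, p2):
    """True when the incomplete gadget's constraint is unsatisfiable for (p1, p2)."""
    try:
        incomplete_add(p1, p2)
    except UnsatisfiableConstraint:
        return True
    return False
```

Running <code>scalar_mul(Q, GEN)</code> returns <code>IDENTITY</code>, which is the quick sanity check that the formulas and constants agree; <code>incomplete_add_fails(GEN, neg(GEN))</code> and <code>incomplete_add_fails(GEN, GEN)</code> show the two inputs for which the incomplete gadget can never be satisfied.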
<p>There are <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">6</span></span></span></span> fixed bases in the Orchard protocol:</p>
<ul>
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.849108em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathcal"style="margin-right:0.01445em;">K</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.849108em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight"><spanclass="mord mathsf mtight">Orchard</span></span></span></span></span></span></span></span></span></span></span></span></span>, used in deriving the nullifier;</li>
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.946328em;vertical-align:-0.09722em;"></span><spanclass="mord"><spanclass="mord mathcal"style="margin-right:0.0593em;">G</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.849108em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight"><spanclass="mord mathsf mtight">Orchard</span></span></span></span></span></span></span></span></span></span></span></span></span>, used in spend authorization;</li>
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathcal">R</span></span></span></span> base for <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.9334479999999998em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathsf">NoteCommit</span></span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.9334479999999998em;"><spanstyle="top:-3.1473400000000002em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight"><spanclass="mord mathsf mtight">Orchard</span></span></span></span></span></span></span></span></span></span></span></span></span>;</li>
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathcal"style="margin-right:0.08222em;">V</span></span></span></span> and <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathcal">R</span></span></span></span> bases for <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.9334479999999998em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathsf">ValueCommit</span></span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.9334479999999998em;"><spanstyle="top:-3.1473400000000002em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight"><spanclass="mord mathsf mtight">Orchard</span></span></span></span></span></span></span></span></span></span></span></span></span>; and</li>
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathcal">R</span></span></span></span> base for <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.9334479999999998em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathsf">Commit</span></span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.9334479999999998em;"><spanstyle="top:-3.1473400000000002em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight"><spanclass="mord mathsf mtight">ivk</span></span></span></span></span></span></span></span></span></span></span></span></span>.</li>
<p>The scalar multiplication will be computed correctly for <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.84444em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.03148em;">k</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.30110799999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.03148em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight">0..84</span></span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> representing any integer in the range <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1.064108em;vertical-align:-0.25em;"></span><spanclass="mopen">[</span><spanclass="mord">0</span><spanclass="mpunct">,</span><spanclass="mspace"style="margin-right:0.16666666666666666em;"></span><spanclass="mord"><spanclass="mord">2</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.8141079999999999em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight">255</span></span></span></span></span></span></span></span></span><spanclass="mclose">)</span></span></span></span>.</p>
<p>We range-constrain each <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">3</span></span></span></span>-bit word of the scalar decomposition using a polynomial range-check constraint:
<h3><aclass="header"href="#base-field-element"id="base-field-element">Base field element</a></h3>
<p>We support using a base field element as the scalar in fixed-base multiplication. This occurs, for example, in the scalar multiplication for the nullifier computation of the Action circuit $\mathsf{DeriveNullifier}_{\mathsf{nk}} = \mathsf{Extract}_{\mathbb{P}}\Big(\Big[\big(\mathsf{PRF}^{\mathsf{nfOrchard}}_{\mathsf{nk}}(\rho) + \psi\big) \bmod q_{\mathbb{P}}\Big] \cdots \Big)$
<p>Decompose the base field element <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.43056em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.0037em;">α</span></span></span></span> into three-bit windows, and range-constrain each window, using the <ahref="design/circuit/gadgets/ecc/../decomposition.html#short-range-decomposition">short range decomposition</a> gadget in strict mode, with <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.13889em;">W</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.8777699999999999em;vertical-align:-0.19444em;"></span><spanclass="mord">85</span><spanclass="mpunct">,</span><spanclass="mspace"style="margin-right:0.16666666666666666em;"></span><spanclass="mord mathnormal"style="margin-right:0.07153em;">K</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">3.</span></span></span></span></p>
<p>If <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.84444em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.03148em;">k</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.30110799999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.03148em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight">0..84</span></span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> is witnessed directly then no issue of canonicity arises. However, because the scalar is given as a base field element here, care must be taken to ensure a canonical representation, since <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.853208em;vertical-align:-0.0391em;"></span><spanclass="mord"><spanclass="mord">2</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.8141079999999999em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight">255</span></span></span></span></span></span></span></span></span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">></span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">p</span></span></span></span>. 
That is, we must check that $0 \leq \alpha < p,$ where $p$ is the Pallas base field modulus $$p = 2^{254} + \ldots$$
<p>To do this, we decompose $\alpha$ into three pieces: $$\alpha = \alpha_0 \text{ (252 bits)} \,||\, \alpha_1 \text{ (2 bits)} \,||\, \alpha_2 \text{ (1 bit)}.$$</p>
<p>We check the correctness of this decomposition by:
If the MSB is not set ($\alpha_2 = 0$), then $\alpha < 2^{254} < p.$ However, in the case where $\alpha_2 = 1$, we must check:</p>
<p>To check that <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.78041em;vertical-align:-0.13597em;"></span><spanclass="mord">0</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">≤</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.6891em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.0037em;">α</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.30110799999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.0037em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight">0</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel"><</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:1.008548em;vertical-align:-0.19444em;"></span><spanclass="mord"><spanclass="mord">2</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.8141079999999999em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight">130</span></span></span></span></span></span></span></span></span><spanclass="mpunct">,</span></span></span></span> we make use of the three-bit running sum decomposition:</p>
<ul>
<li>Firstly, we constrain <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.58056em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.0037em;">α</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.30110799999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.0037em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight">0</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> to be a <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">132</span></span></span></span>-bit value by enforcing its high <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">120</span></span></span></span> bits to be all-zero. We can get <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1.0444399999999998em;vertical-align:-0.35em;"></span><spanclass="mord text"><spanclass="mord textsf">alpha_0_hi_120</span></span></span></span></span> from the decomposition:
<li>Then, we constrain bits <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">130..</span><spanclass="mspace"style="margin-right:-0.16666666666666666em;"></span><spanclass="mspace"style="margin-right:-0.16666666666666666em;"></span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:-0.16666666666666666em;"></span><spanclass="mspace"style="margin-right:-0.16666666666666666em;"></span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">131</span></span></span></span> of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.58056em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.0037em;">α</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.30110799999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.0037em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight">0</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> to be zeroes; in other words, we constrain the three-bit word <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.84444em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.03148em;">k</span><spanclass="msupsub"><spanclass="vlist-t 
vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.30110799999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.03148em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight">43</span></span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mord mathnormal"style="margin-right:0.0037em;">α</span><spanclass="mopen">[</span><spanclass="mord">129..</span><spanclass="mspace"style="margin-right:-0.16666666666666666em;"></span><spanclass="mspace"style="margin-right:-0.16666666666666666em;"></span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:-0.16666666666666666em;"></span><spanclass="mspace"style="margin-right:-0.16666666666666666em;"></span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mord">131</span><spanclass="mclose">]</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.0037em;">α</span><spanclass="msupsub"><spanclass="vlist-t 
vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.30110799999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.0037em;margin-right:0.05em;"><spanclass="pstrut"style="height:2
<h3><a class="header" href="#short-signed-scalar" id="short-signed-scalar">Short signed scalar</a></h3>
<p>A short signed scalar is witnessed as a magnitude $m$ and sign $s$ such that</p>
<p>$\mathsf{v}^{\mathsf{old}}$ and $\mathsf{v}^{\mathsf{new}}$ are each already constrained to $64$ bits (by their use as inputs to $\mathsf{NoteCommit}^{\mathsf{Orchard}}$).</p>
<p>Decompose the magnitude $m$ into three-bit windows, and range-constrain each window, using the <a href="design/circuit/gadgets/ecc/../decomposition.html#short-range-decomposition">short range decomposition</a> gadget in strict mode, with $W = 22, K = 3.$</p>
<p>Then, we precompute multiples of the fixed base $B$ for each window. This takes the form of a window table: $M[0..W)[0..8)$ such that:</p>
<p>The additional $(k + 2)$ term lets us avoid adding the point at infinity in the case $k = 0$. We offset these accumulated terms by subtracting them in the final window, i.e. we subtract $\sum\limits_{j=0}^{W-2} 2^{3j+1}$.</p>
<p>Note: Although an offset of $(k + 1)$ would naively suffice, it introduces an edge case when $k_0 = 7, k_1 = 0$. In this case, the window table entries evaluate to the same point:</p>
<p>In fixed-base scalar multiplication, we sum the multiples of $B$ at each window (except the last) using incomplete addition. Since the point doubling case is not handled by incomplete addition, we avoid it by using an offset of $(k+2).$</p>
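<p>The window table with the $(k+2)$ offset, the final-window correction $\sum_{j=0}^{W-2} 2^{3j+1}$, and the doubling that a $(k+1)$ offset would hand to incomplete addition at $k_0 = 7, k_1 = 0$, worked through as an added example (not the Orchard circuit's code). It assumes a constructed toy curve $y^2 = x^3 + x$ over $\mathbb{F}_{1019}$ (a cyclic group of order $1020$) in place of the real fixed base, a small instance $W = 3$, $K = 3$ instead of $W = 22$, and function names that are the example's own.</p>

```python
"""Windowed fixed-base scalar multiplication with the (k + 2) window offset.

Added example, not the Orchard circuit code. Toy curve and parameters are
constructed: y^2 = x^3 + x over F_1019 (1019 = 3 mod 4, so #E = p + 1 = 1020
and the group is cyclic), W = 3 windows of K = 3 bits, alpha in [0, 8^W).
"""
P = 1019            # toy field prime (constructed)
A, B_COEFF = 1, 0   # curve y^2 = x^3 + A*x + B_COEFF
W, K = 3, 3         # windows and bits per window (page uses W = 22, K = 3)


def inv(x):
    return pow(x % P, P - 2, P)


def neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)


def incomplete_add(p, q):
    """Affine addition valid only for x1 != x2, as the circuit gadget assumes.
    Raises on a doubling (P == Q), a cancellation (P == -P) or the identity."""
    if p is None or q is None:
        raise ValueError("incomplete addition: identity input")
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        raise ValueError("incomplete addition: x1 == x2 (doubling or P + (-P))")
    lam = (y2 - y1) * inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def complete_add(p, q):
    """Reference addition handling identity, doubling and cancellation."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0]:
        if (p[1] + q[1]) % P == 0:
            return None
        lam = (3 * p[0] * p[0] + A) * inv(2 * p[1]) % P
        x3 = (lam * lam - 2 * p[0]) % P
        return (x3, (lam * (p[0] - x3) - p[1]) % P)
    return incomplete_add(p, q)


def scalar_mul(n, pt):
    """Reference double-and-add; negative n multiplies the negated point."""
    if n < 0:
        n, pt = -n, neg(pt)
    acc = None
    while n:
        if n & 1:
            acc = complete_add(acc, pt)
        pt = complete_add(pt, pt)
        n >>= 1
    return acc


def point_order(pt):
    n, acc = 1, pt
    while acc is not None:
        acc = complete_add(acc, pt)
        n += 1
    return n


def find_base():
    """First affine point of full order p + 1 (sqrt via (p+1)/4 since p = 3 mod 4)."""
    for x in range(1, P):
        rhs = (x ** 3 + A * x + B_COEFF) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs and point_order((x, y)) == P + 1:
            return (x, y)
    raise ValueError("no generator found")


def windows(alpha):
    """Little-endian K-bit windows k_w with alpha = sum k_w * 8^w."""
    return [(alpha >> (K * w)) & (2 ** K - 1) for w in range(W)]


def window_table(base, offset):
    """M[w][k] = [(k + offset) * 8^w]B for w < W-1; the last window subtracts the
    accumulated offsets, which for offset == 2 is sum_{j=0}^{W-2} 2^(3j+1)."""
    correction = sum(offset * 8 ** j for j in range(W - 1))
    table = [[scalar_mul((k + offset) * 8 ** w, base) for k in range(8)]
             for w in range(W - 1)]
    table.append([scalar_mul(k * 8 ** (W - 1) - correction, base) for k in range(8)])
    return table


def fixed_base_mul(alpha, table):
    """Incomplete addition for every window except the last, complete for the last."""
    ks = windows(alpha)
    acc = table[0][ks[0]]
    for w in range(1, W - 1):
        acc = incomplete_add(acc, table[w][ks[w]])
    return complete_add(acc, table[W - 1][ks[W - 1]])


def failing_scalars(offset, base=None):
    """Scalars for which incomplete addition meets x1 == x2; every other scalar
    must still reproduce [alpha]B exactly, otherwise the scheme is wrong."""
    base = base or find_base()
    table = window_table(base, offset)
    failures = []
    for alpha in range(8 ** W):
        try:
            result = fixed_base_mul(alpha, table)
        except ValueError:
            failures.append(alpha)
            continue
        if result != scalar_mul(alpha, base):
            raise AssertionError(f"wrong result for alpha={alpha}")
    return failures


if __name__ == "__main__":
    print("offset k+2 fails for:", failing_scalars(2))
    print("offset k+1 fails for:", failing_scalars(1))
```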
<ul>
<li>Define a Lagrange interpolation polynomial $\mathcal{L}_x(k)$ that maps $k \in [0..8)$ to the $x$-coordinate of the multiple $M[w][k]$, i.e.</li>
<li>Find a value $z_w$ such that $z_w + (M[w][k])_y$ is a square $u^2$ in the field, but the wrong-sign $y$-coordinate $z_w$</li>
</ul>
<p>Repeating this for all $W$ windows, we end up with:</p>
<ul>
<li>a $W \times 8$ table $\mathcal{L}_x$ storing $8$ coefficients interpolating the $x$-coordinate for each window. Each $x$-coordinate interpolation polynomial will be of the form
where $k \in [0..8), w \in [0..85)$ and the $c_k$'s are the coefficients for each power of $k$; and</li>
</ul>
<p>Given a decomposed scalar $\alpha$ and a fixed base $B$, we compute $[\alpha]B$ as follows:</p>
<ol>
<li>For each \(k_w,\ w \in [0..85),\ k_w \in [0..8)\) in the scalar decomposition, witness the \(x\)- and \(y\)-coordinates \((x_w, y_w) = M[w][k_w]\);</li>
<li>For all windows but the last, use <a href="design/circuit/gadgets/ecc/./incomplete-add.html">incomplete addition</a> to sum the \(M[w][k_w]\)'s, resulting in \(\left[\alpha - k_{84} \cdot (2^3)^{84} + \sum_{j=0}^{83} 2^{3j+1}\right]B\);</li>
<li>For the last window, use complete addition for the final step, \(M[83][k_{83}] + M[84][k_{84}]\), and return the final result.</li>
</ol>
<blockquote>
<p>Note: complete addition is required in the final step to correctly map \([0]B\) to a representation of the point at infinity, \((0, 0)\); and also to handle a corner case for which the last step is a doubling.</p>
<h3><a class="header" href="#signed-short-exponent" id="signed-short-exponent">Signed short exponent</a></h3>
<p>Recall that the signed short exponent is witnessed as a 64-bit magnitude \(m\) and a sign \(s \in \{1, -1\}\). Using the above algorithm, we compute \(P = [m]\mathcal{B}\). Then, to get the final result \(P'\), we conditionally negate \(P\) using \((x, y) \mapsto (x, s \cdot y)\).</p>
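<p>The windowed fixed-base algorithm and the signed short exponent above, as an added Python example (not code from the Orchard book or from the halo2/orchard crates): it builds the window table \(M[w][k]\) over the Pallas curve, sums one entry per window with incomplete addition for every window but the last and complete addition for the last, then compares the result with plain double-and-add. The base point \((-1, 2)\) and the 22-window width used for the 64-bit magnitude are assumptions of the example, not values taken from the page.</p>

```python
import functools

# Public Pasta parameters: Pallas is y^2 = x^3 + 5 over F_P, its group order is Q
# (the Vesta base field), and P < Q as the page notes. Affine points are (x, y)
# tuples; the point at infinity is None.
P = 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001
Q = 0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001
INF = None
# Constructed base point for the demo: (-1, 2) lies on Pallas since (-1)^3 + 5 = 2^2.
BASE = (P - 1, 2)


def neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P)


def complete_add(a, b):
    """Complete affine addition: handles infinity, doubling and a = -b."""
    if a is INF:
        return b
    if b is INF:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0:                        # a = -b, result is O
            return INF
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope: doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def incomplete_add(a, b):
    """Incomplete addition as the circuit gadget constrains it: both inputs finite
    and with distinct x-coordinates. Here a violated precondition is an error; in
    the circuit the corresponding constraint would simply be unsatisfiable."""
    if a is INF or b is INF or a[0] == b[0]:
        raise ValueError("incomplete addition: inputs must be finite with distinct x")
    return complete_add(a, b)


def naive_mul(n, pt):
    """Reference scalar multiplication [n]pt by plain double-and-add."""
    acc = INF
    for bit in bin(n)[2:]:
        acc = complete_add(acc, acc)
        if bit == "1":
            acc = complete_add(acc, pt)
    return acc


def decompose(alpha, num_windows):
    """3-bit windows k_w with alpha = sum_w k_w * 8^w and k_w in [0..8)."""
    assert 0 <= alpha < 8 ** num_windows
    return [(alpha >> (3 * w)) & 7 for w in range(num_windows)]


@functools.lru_cache(maxsize=None)
def window_table(base, num_windows):
    """M[w][k] = [(k + 2) * 8^w]B for w < last, and
    M[last][k] = [k * 8^last - sum_{j < last} 2^(3j + 1)]B, so that one entry per
    window sums to exactly [alpha]B (the +2 offsets cancel against the last row)."""
    last = num_windows - 1
    table, g_w = [], base                          # g_w = [8^w]B
    for w in range(last):
        row, entry = [], complete_add(g_w, g_w)    # entry = [(k + 2) * 8^w]B, k = 0
        for _ in range(8):
            row.append(entry)
            entry = complete_add(entry, g_w)
        table.append(row)
        for _ in range(3):
            g_w = complete_add(g_w, g_w)           # advance to [8^(w + 1)]B
    offset = sum(2 ** (3 * j + 1) for j in range(last))
    row, entry = [], neg(naive_mul(offset, base))  # k = 0: [-offset]B
    for _ in range(8):
        row.append(entry)
        entry = complete_add(entry, g_w)           # g_w is now [8^last]B
    table.append(row)
    return table


def fixed_base_mul(alpha, base=BASE, num_windows=85):
    """[alpha]B as in the page's algorithm: one table entry per window, incomplete
    addition for every window but the last, complete addition for the last one so
    that [0]B and a final doubling are handled correctly."""
    table = window_table(base, num_windows)
    ks = decompose(alpha, num_windows)
    acc = table[0][ks[0]]
    for w in range(1, num_windows - 1):
        acc = incomplete_add(acc, table[w][ks[w]])
    return complete_add(acc, table[num_windows - 1][ks[num_windows - 1]])


def fixed_base_mul_signed(m, s, base=BASE, num_windows=22):
    """Signed short exponent: P = [m]B for a 64-bit magnitude m via the same windowed
    algorithm (22 windows cover 66 bits; an assumed width, not from the page), then
    P' = (x, s * y) with s in {1, -1}."""
    assert 0 <= m < 2 ** 64 and s in (1, -1)
    pt = fixed_base_mul(m, base, num_windows)
    return INF if pt is INF else (pt[0], (s * pt[1]) % P)
```

<p>Because every partial sum index stays strictly below the next addend's index and both are far below \(q\), the incomplete additions never hit an exceptional case for any \(\alpha\); only the last step can produce \(\mathcal{O}\) or a doubling, which is why it uses complete addition.</p>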
<p>Note: this doesn't include the last row that uses <a href="design/circuit/gadgets/ecc/./addition.html#Complete-addition">complete addition</a>. In the implementation this is allocated in a different region.</p>
<p>In the Orchard circuit we need to check \(\mathsf{pk_d} = [\mathsf{ivk}]\mathsf{g_d}\) where \(\mathsf{ivk} \in [0, p)\) and the scalar field is \(\mathbb{F}_q\) with \(p \lt q\).</p>
<p>We're trying to compute \([\alpha]T\) for \(\alpha \in [0, q)\). Set \(k = \alpha + t_q\) and \(n = 254\). Then we can compute</p>
<p>Thus, given a scalar \(\alpha\), we witness the boolean decomposition of \(k = \alpha + t_q\). (We use big-endian bit order for convenient input into the variable-base scalar multiplication algorithm.)</p>
<p>We use an optimized double-and-add algorithm, copied from <a href="https://github.com/zcash/zcash/issues/3924">"Faster variable-base scalar multiplication in zk-SNARK circuits"</a> with some variable name changes:</p>
<pre><code class="language-ignore">Acc := [2] T
for i from n-1 down to 0 {
    P := k_{i+1} ? T : −T
    Acc := (Acc + P) + Acc
}
return (k_0 = 0) ? (Acc - T) : Acc
</code></pre>
<p>It remains to check that the x-coordinates of each pair of points to be added are distinct.</p>
<p>When adding points in a prime-order group, we can rely on Theorem 3 from Appendix C of the <a href="https://eprint.iacr.org/2019/1021.pdf">Halo paper</a>, which says that if we have two such points with nonzero indices with respect to a given odd-prime order base, where the indices taken in the range \(-(q-1)/2..(q-1)/2\) are distinct disregarding sign, then they have different x-coordinates. This is helpful, because it is easier to reason about the indices of points occurring in the scalar multiplication algorithm than it is to reason about their x-coordinates directly.</p>
<p>So, the required check is equivalent to saying that the following "indexed version" of the above algorithm never asserts:</p>
<pre><code class="language-ignore">acc := 2
for i from n-1 down to 0 {
    p = k_{i+1} ? 1 : −1
    assert acc ≠ ± p
    assert (acc + p) ≠ acc // X
    acc := (acc + p) + acc
    assert 0 &lt; acc ≤ (q-1)/2
}
if k_0 = 0 {
    assert acc ≠ 1
    acc := acc - 1
}
</code></pre>
<p>The maximum value of <code>acc</code> is:</p>
<pre><code class="language-ignore">    &lt;--- n 1s ---&gt;
  1011111...1111111
  = 1100000...0000000 - 1
</code></pre>
<p>The assertion labelled X obviously cannot fail because \(p \neq 0\). It is possible to see that <code>acc</code> is monotonically increasing except in the last conditional. It reaches its largest value when \(k\) is maximal, i.e. \(2^{n+1} + 2^n - 1\).</p>
</blockquote>
<p>So to entirely avoid exceptional cases, we would need \(2^{n+1} + 2^n - 1 \lt (q-1)/2\). But we can use \(n\) larger by \(c\) if the last \(c\) iterations use <a href="design/circuit/gadgets/ecc/./addition.html#Complete-addition">complete addition</a>.</p>
<p>The first $i$ for which the algorithm using <strong>only</strong> incomplete addition fails is going to be $252$, since $2^{252+1} + 2^{252} - 1 > (q-1)/2$. We need $n = 254$ to make the wraparound technique above work.</p>
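<p>As an added illustration (not part of the book or of the halo2 code base), the following Python checks the bound above against the Pallas scalar-field modulus, which is what $q$ denotes in these notes (that identification is an assumption of this example): it finds the first $i$ at which the incomplete-only algorithm can fail, and from $n = 254$ derives which trailing iterations must use complete addition. The same functions work for any odd modulus, so a small toy modulus is handled too.</p>

```python
# Added example (not from the halo2/Orchard book): check the incomplete-addition
# bound 2^{i+1} + 2^i - 1 < (q-1)/2 and derive the number c of trailing loop
# iterations that must fall back to complete addition.

# Pallas scalar-field modulus q (order of the Pallas group).  The constant is
# real; that the page's q is this modulus is an assumption of this example.
PALLAS_Q = 0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001


def incomplete_addition_safe(i: int, q: int = PALLAS_Q) -> bool:
    """True iff processing bits i..0 with incomplete addition only can never hit an
    exceptional case, using the page's bound 2^{i+1} + 2^i - 1 < (q-1)/2."""
    return (1 << (i + 1)) + (1 << i) - 1 < (q - 1) // 2


def first_failing_bit(q: int = PALLAS_Q) -> int:
    """Smallest i for which the incomplete-only algorithm may fail (252 for Pallas)."""
    i = 0
    while incomplete_addition_safe(i, q):
        i += 1
    return i


def complete_addition_iterations(n: int = 254, q: int = PALLAS_Q) -> list:
    """Loop indices i (the loop counts down from n to 0) that need complete addition.

    The largest n for which incomplete addition alone is safe is first_failing_bit - 1;
    the page's c is how far the real n exceeds that, and the last c iterations
    (i = c-1 down to 0) are the ones that must use complete addition."""
    largest_safe_n = first_failing_bit(q) - 1   # 251 for Pallas
    c = n - largest_safe_n                      # 3 for n = 254
    return list(range(c - 1, -1, -1))           # [2, 1, 0]


if __name__ == "__main__":
    print("first failing i:", first_failing_bit())
    print("iterations needing complete addition:", complete_addition_iterations())
```

<p>For a toy modulus such as $q = 101$ the bound fails at $i = 5$ (since $2^6 + 2^5 - 1 = 95 > 50$), which shows the check is not specific to the 255-bit case.</p>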
<p>So the last three iterations of the loop ($i = 2..0$) need to use <a href="design/circuit/gadgets/ecc/./addition.html#Complete-addition">complete addition</a>, as does the conditional subtraction at the end. Writing this out using ⸭ for incomplete addition (as we do in the spec), we have:</p>
<h2><a class="header" href="#constraint-program-for-optimized-double-and-add-incomplete-addition" id="constraint-program-for-optimized-double-and-add-incomplete-addition">Constraint program for optimized double-and-add (incomplete addition)</a></h2>
<p>for $i$ from $254$ down to $4$:</p>
<p>Here, $y^\text{witnessed}_{A,3}$ is assigned to a cell. This is unlike previous $y_{A,i}$'s, which were implicitly derived from $\lambda_{1,i}, \lambda_{2,i}, x$</p>
<p>The bits $\mathbf{k}_{3 \ldots 1}$ are used in three further steps, using <a href="design/circuit/gadgets/ecc/./addition.html#Complete-addition">complete addition</a>:</p>
<p>for $i$ from $3$ down to $1$:</p>
<p>If the least significant bit is set ($\mathbf{k}_0 = 1$), we return the accumulator $A$. Else, if $\mathbf{k}_0 = 0$, we return $A - T$ (also using complete addition).</p>
<ul>
<li>the first, covering the $hi$ half for $i$ from $254$ down to $130$, with a special case at $i = 130$; and</li>
<li>the second, covering the $lo$ half for the remaining $i$ from $129$ down to $4$, with a special case at $i = 4$.</li>
</ul>
<p>For each $hi$ and $lo$ half, we have three sets of gates. Note that $i$ is going from $255..=3$; $i$ is NOT indexing the rows.</p>
<p>This gate is only used on the first row (before the for loop). We check that $\lambda_1, \lambda_2$ are initialized to values consistent with the initial $y_A$.</p>
<p>This gate is used on the final iteration of the for loop, handling the special case where we check that the output $y_A$ has been witnessed correctly.</p>
<p>$\mathbf{z}_i$ cannot overflow for any $i \geq 1$, because it is a weighted sum of bits only up to $2^{n-1} = 2^{253}$, which is smaller than $p$ (and also $q$).</p>
<p>Since overflow can only occur in the final step that constrains $\mathbf{z}_0 = 2 \cdot \mathbf{z}_1 + \mathbf{k}_0$, we have $\mathbf{z}_0 = k\ ($</p>
<blockquote>
<p>Note: the bits $\mathbf{k}_{254..0}$ do not represent a value reduced modulo $q$, but rather a representation of the unreduced $\alpha + t_q$.</p>
</blockquote>
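<p>The running-sum bound is easy to exercise numerically. The following Python is an added example, not code from the book or from halo2; it assumes that $p$ is the Pallas base-field modulus given below and rebuilds $\mathbf{z}_j$ from the bits $\mathbf{k}_{254..0}$ with the same recurrence $\mathbf{z}_j = 2 \cdot \mathbf{z}_{j+1} + \mathbf{k}_j$ the gates enforce, then reports which steps would exceed $p$ as integers. For every 255-bit $k$ that list is empty or exactly $[0]$, which is the point made above: only the final step can wrap, so the in-field $\mathbf{z}_0$ is $k$ reduced modulo $p$.</p>

```python
# Added example (not the halo2/Orchard book's own code): the running sum
# z_j = sum_{i=j}^{n} k_i * 2^{i-j} over bits k_{n..0}, showing that z_i for
# i >= 1 stays below the field modulus p while z_0 = 2*z_1 + k_0 may not.

# Pallas base-field modulus p (real constant; that it is the page's p is an
# assumption of this example).
PALLAS_P = 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001
N = 254  # the page's n: bits k_254 .. k_0, 255 bits in all


def scalar_bits(k: int, n: int = N) -> list:
    """Bits k_{n..0} as a list where index i holds k_i.  k is the unreduced
    (n+1)-bit representation the page describes, so it may be >= p."""
    if not 0 <= k < (1 << (n + 1)):
        raise ValueError("k must fit in n+1 bits")
    return [(k >> i) & 1 for i in range(n + 1)]


def running_sums(bits: list) -> list:
    """z[j] = sum_{i=j}^{n} bits[i] * 2^{i-j}, computed with z_j = 2*z_{j+1} + k_j
    exactly as the running-sum constraint does; z[n+1] = 0 is the empty sum."""
    n = len(bits) - 1
    z = [0] * (n + 2)
    for j in range(n, -1, -1):
        z[j] = 2 * z[j + 1] + bits[j]
    return z


def overflow_steps(k: int, p: int = PALLAS_P, n: int = N) -> list:
    """Indices j whose integer running sum z_j is >= p, i.e. where the value
    the field arithmetic holds (z_j mod p) differs from the integer sum.
    Expected: [] when k < p, and [0] when p <= k < 2^(n+1)."""
    z = running_sums(scalar_bits(k, n))
    return [j for j in range(n + 1) if z[j] >= p]


def max_z1(n: int = N) -> int:
    """Largest possible z_1 (all bits k_{n..1} set): 2^n - 1, below p for Pallas."""
    return (1 << n) - 1


def final_value_mod_p(k: int, p: int = PALLAS_P, n: int = N) -> int:
    """z_0 as the circuit sees it: 2*z_1 + k_0 reduced modulo p, which is k mod p."""
    bits = scalar_bits(k, n)
    z = running_sums(bits)
    return (2 * z[1] + bits[0]) % p


if __name__ == "__main__":
    k = PALLAS_P + 5                     # constructed: a 255-bit value just above p
    print("steps that wrap:", overflow_steps(k))
    print("z_0 mod p:", final_value_mod_p(k))
```

<p>The check on $\mathbf{z}_1$ is the whole argument: its largest value is $2^{254} - 1$, below both Pallas moduli, so the recurrence is exact as integers until the very last doubling.</p>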
<h3><a class="header" href="#optimized-check-for-k-in-t_q-p-t_q" id="optimized-check-for-k-in-t_q-p-t_q">Optimized check for $k \in [t_q, p + t_q)$</a></h3>
<p>(We can see in a different way that this is correct by observing that it checks whether $\alpha \bmod p \in [p - 2^{130}, p)$, so the upper bound is aligned as we would expect.)</p>
</blockquote>
<p>Now, we can continue optimizing from Ⓐ:</p>
<p>Constraining $\mathbf{k}_{253..130}$ to be all-$0$ or not-all-$0$ can be implemented almost "for free", as follows.</p>
<p>Finally, we can merge the $130$-bit decompositions for the $\mathbf{k}_{254} = 0$ and $\mathbf{k}_{254} = 1$ cases by checking that $(\alpha + \mathbf{k}_{254} \cdot 2^{\ldots}$ where $(s - \sum\limits_{i=0}^{129} 2^i \cdot \mathbf{s}_i)/2^{130}$ can be computed by another running sum. Note that the factor of $1/2^{130}$ has no effect on the constraint, since the RHS is zero.</p>
<h4><a class="header" href="#running-sum-range-check" id="running-sum-range-check">Running sum range check</a></h4>
<p>We make use of a $10$-bit <a href="design/circuit/gadgets/ecc/../decomposition.html#lookup-decomposition">lookup range check</a> in the circuit to subtract the low $130$ bits of $\mathbf{s}$. The range check subtracts the first $13 \cdot 10$ bits of $\mathbf{s},$ and right-shifts the result to give $(s - \sum\limits_{i=0}^{129} 2^i \cdot \mathbf{s}_i)/2^{130}$.</p>
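<p>An added illustration (not halo2's own gadget code) of the running-sum decomposition behind the $10$-bit lookup range check described above: the prover witnesses $z_0 = s$, $z_{i+1} = (z_i - w_i)/2^{10}$ in the field, the verifier checks each word against the $10$-bit table together with the linear relation between consecutive $z_i$, and after $13$ words $z_{13}$ is the right-shifted value $(s - \sum_{i=0}^{129} 2^i \cdot \mathbf{s}_i)/2^{130}$. The field is assumed to be the Pallas base field $\mathbb{F}_p$ of the Orchard circuit; the sample value of $s$ is constructed.</p>

```python
"""Running-sum range check (added illustration; not the halo2 gadget itself).

Witness: z_0 = s, z_{i+1} = (z_i - w_i) / 2^10 (mod p), each w_i constrained
to the 10-bit lookup table. After 13 words, z_13 = (s - sum_{i<130} 2^i s_i) / 2^130.
Field: assumed to be the Pallas base field F_p (real modulus below).
"""

P_MOD = 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001
WORD_BITS = 10
NUM_WORDS = 13                                   # 13 * 10 = 130 bits
WORD_MASK = (1 << WORD_BITS) - 1
INV_WORD = pow(1 << WORD_BITS, -1, P_MOD)        # 1 / 2^10 in F_p
LOOKUP_TABLE = frozenset(range(1 << WORD_BITS))  # every 10-bit value

# Constructed sample: 27 high bits above a 130-bit low part (s < p).
SAMPLE_HIGH = 123456789
SAMPLE_LOW = 0x3ABCDEF0123456789ABCDEF0123456789   # < 2^130
SAMPLE_S = (SAMPLE_HIGH << 130) | SAMPLE_LOW


def witness_running_sum(s):
    """Prover side: returns (words, zs) with zs[0] = s and
    zs[i+1] = (zs[i] - words[i]) / 2^10 in F_p. Each word is the low 10 bits
    of the integer representative of z_i."""
    z = s % P_MOD
    words, zs = [], [z]
    for _ in range(NUM_WORDS):
        w = z & WORD_MASK
        words.append(w)
        z = (z - w) * INV_WORD % P_MOD
        zs.append(z)
    return words, zs


def verify_running_sum(words, zs):
    """Verifier side: the constraints the circuit enforces. Every word must be
    in the lookup table (without the lookup a 'word' could be any field element
    and the decomposition would prove nothing), and z_i - 2^10 * z_{i+1} = w_i
    must hold in F_p for every step."""
    if len(words) != NUM_WORDS or len(zs) != NUM_WORDS + 1:
        return False
    for i, w in enumerate(words):
        if w not in LOOKUP_TABLE:
            return False
        if (zs[i] - (zs[i + 1] << WORD_BITS) - w) % P_MOD != 0:
            return False
    return True


def low_130_bits(words):
    """sum_i 2^(10 i) * w_i, i.e. the subtracted term sum_{i=0}^{129} 2^i s_i."""
    return sum(w << (WORD_BITS * i) for i, w in enumerate(words))


def shifted_remainder(s):
    """(s - sum_{i=0}^{129} 2^i s_i) / 2^130, obtained as the final running-sum
    value z_13. It is deliberately NOT constrained to zero here: the page feeds
    it into a further check rather than using it as a strict 130-bit range proof."""
    return witness_running_sum(s)[1][-1]


def forged_witness(s):
    """A witness that satisfies every linear relation z_i - 2^10 z_{i+1} = w_i
    but smuggles an 11-bit 'word' into position 0. Only the table lookup can
    reject it, which is why the lookup is the load-bearing constraint."""
    words, zs = witness_running_sum(s)
    words[0] += 1 << WORD_BITS                      # now outside [0, 2^10)
    zs[1] = (zs[0] - words[0]) * INV_WORD % P_MOD   # keep step 0 consistent
    for i in range(1, NUM_WORDS):                   # rebuild the rest of the chain
        words[i] = zs[i] & WORD_MASK
        zs[i + 1] = (zs[i] - words[i]) * INV_WORD % P_MOD
    return words, zs


if __name__ == "__main__":
    words, zs = witness_running_sum(SAMPLE_S)
    print("honest witness accepted:", verify_running_sum(words, zs))
    print("z_13 == s >> 130:", zs[-1] == SAMPLE_S >> 130)
    print("forged witness accepted:", verify_running_sum(*forged_witness(SAMPLE_S)))
```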
<p>Sinsemilla is a collision-resistant hash function and commitment scheme designed to be efficient in algebraic circuit models that support <a href="https://zcash.github.io/halo2/design/proving-system/lookup.html">lookups</a>, such as PLONK or Halo 2.</p>
<p>The security properties of Sinsemilla are similar to Pedersen hashes; it is <strong>not</strong> designed to be used where a random oracle, PRF, or preimage-resistant hash is required. <strong>The only claimed security property of the hash function is collision-resistance for fixed-length inputs.</strong></p>
<p>Sinsemilla is roughly 4 times less efficient than the algebraic hashes Rescue and Poseidon inside a circuit, but around 19 times more efficient than Rescue outside a circuit. Unlike either of these hashes, the collision resistance property of Sinsemilla can be proven based on cryptographic assumptions that have been well-established for at least 20 years. Sinsemilla can also be used as a computationally binding and perfectly hiding commitment scheme.</p>
<p>The general approach is to split the message into $k$-bit pieces, and for each piece, select from a table of $2^k$ bases in our cryptographic group. We combine the selected bases using a double-and-add algorithm. This ends up being provably as secure as a vector Pedersen hash, and makes advantageous use of the lookup facility supported by Halo 2.</p>
<p>This section is an outline of how Sinsemilla works: for the normative specification, refer to <a href="https://zips.z.cash/protocol/protocol.pdf#concretesinsemillahash">§5.4.1.9 Sinsemilla Hash Function</a> in the protocol spec. The incomplete point addition operator, ⸭, that we use below is also defined there.</p>
<p>Let $\mathbb{G}$ be a cryptographic group of prime order $q$. We write $\mathbb{G}$ additively, with identity $\mathcal{O}$, and using $[m] P$ for scalar multiplication of $P$ by $m$.</p>
<p>Let $k \geq 1$ be an integer chosen based on efficiency considerations (the table size will be $2^k$). Let $n$ be an integer, fixed for each instantiation, such that messages are $kn$ bits, where $2^n \leq \frac{q-1}{2}$. We use zero-padding to the next multiple of $k$ bits if necessary.</p>
<p>$\textsf{Setup}$: Choose $Q$ and $P[0..2^k - 1]$ as $2^k + 1$ independent, verifiably random generators of $\mathbb{G}$, using a suitable hash into $\mathbb{G}$, such that none of $Q$ or $P[0..2^k - 1]$</p>
<blockquote>
<p>In Orchard, we define $Q$ to be dependent on a domain separator $D$. The protocol specification uses $\mathcal{Q}(D)$ in place of $Q$ and $\mathcal{S}(m)$ in place of $P[m]$.</p>
<li>Split $M$ into $n$ groups of $k$ bits. Interpret each group as a $k$-bit little-endian integer $m_i$.</li>
<li>for \(i\) from \(0\) up to \(n-1\):
<p>Let \(\mathsf{ShortHash}(M)\) be the \(x\)-coordinate of \(\mathsf{Hash}(M)\). (This assumes that \(\mathbb{G}\) is a prime-order elliptic curve in short Weierstrass form, as is the case for Pallas and Vesta.)</p>
<blockquote>
<p>It is slightly more efficient to express a double-and-add \([2]A + R\) as \((A + R) + A\).
We also use incomplete additions: it is shown in the <a href="https://zips.z.cash/protocol/protocol.pdf#sinsemillasecurity">Sinsemilla security argument</a> that in the case where \(\mathbb{G}\) is a prime-order short Weierstrass elliptic curve, an exceptional case for addition would lead to finding a discrete logarithm, which can be assumed to occur with negligible probability even for adversarial input.</p>
</blockquote>
<h3><a class="header" href="#use-as-a-commitment-scheme" id="use-as-a-commitment-scheme">Use as a commitment scheme</a></h3>
<p>Choose another generator \(H\) independently of \(Q\) and \(P[0..2^k - 1]\).</p>
<p>The randomness \(r\) for a commitment is chosen uniformly on \([0, q)\).</p>
<p>Let \(\mathsf{ShortCommit}_r(M)\) be the \(x\)-coordinate of \(\mathsf{Commit}_r(M)\). (This again assumes that \(\mathbb{G}\) is a prime-order elliptic curve in short Weierstrass form.)</p>
<p>Note that unlike a simple Pedersen commitment, this commitment scheme (\(\mathsf{Commit}\) or \(\mathsf{ShortCommit}\)) is not additively homomorphic.</p>
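<p>The hash and commitment scheme described above, as an added example that is not the Orchard or halo2 code: a plain-Python model (Python 3.8+) over the Pallas curve, which is the prime-order short Weierstrass curve the assumptions above refer to. The generators \(Q(D)\), \(P[m]\) (written <code>S(m)</code>) and \(H\) are derived with a constructed try-and-increment hash-to-curve rather than Orchard's GroupHash, so values differ from the real protocol; <code>reference_hash</code> is an independent unrolled computation used to cross-check the double-and-add recurrence, and <code>ec_add</code> rejects the exceptional case instead of handling it, as the circuit does.</p>

```python
import functools, hashlib

# Pallas: y^2 = x^3 + 5 over F_P, a prime-order short Weierstrass curve with group order Q_ORDER.
P = 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001
Q_ORDER = 0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001
B, K = 5, 10  # curve constant; word size in bits (one table of 2^K generators P[0..2^K - 1])

def sqrt_mod(a):
    # Tonelli-Shanks square root in F_P (P - 1 = 2^32 * odd); None if a is a non-residue.
    if pow(a, (P - 1) // 2, P) != 1:
        return None
    q, s = P - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = 2
    while pow(z, (P - 1) // 2, P) != P - 1:
        z += 1
    m, c, t, r = s, pow(z, q, P), pow(a, q, P), pow(a, (q + 1) // 2, P)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2, i = t2 * t2 % P, i + 1
        b = pow(c, 1 << (m - i - 1), P)
        m, c, t, r = i, b * b % P, t * b * b % P, r * b % P
    return r

def ec_add(A, R):
    # Incomplete affine addition: the exceptional case x(A) == x(R) is rejected, as in the circuit;
    # on a prime-order curve reaching it would amount to finding a discrete log (negligible).
    (x1, y1), (x2, y2) = A, R
    if x1 == x2:
        raise ValueError("exceptional case in incomplete addition")
    lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_double(A):
    x1, y1 = A
    lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    x3 = (lam * lam - 2 * x1) % P
    return x3, (lam * (x1 - x3) - y1) % P

def scalar_mul(n, A):
    # Plain double-and-add from the identity (None); used only for [r]H and the cross-check.
    acc = None
    for bit in bin(n)[2:]:
        acc = None if acc is None else ec_double(acc)
        if bit == "1":
            acc = A if acc is None else ec_add(acc, A)
    return acc

@functools.lru_cache(maxsize=None)
def hash_to_curve(label):
    # Constructed try-and-increment stand-in for Orchard's GroupHash (not the real derivation):
    # hash label || counter to an x-coordinate and keep the first one with a point on the curve.
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big") % P
        y = sqrt_mod((pow(x, 3, P) + B) % P)
        if y is not None:
            return x, y
    raise RuntimeError("no curve point found")

def Q(D): return hash_to_curve(b"Q:" + D)  # Q(D): domain-separated starting point
def S(m): return hash_to_curve(b"S:" + m.to_bytes(2, "big"))  # S(m), written P[m] above
H = hash_to_curve(b"H")  # blinding generator, chosen independently of Q(D) and every P[m]

def msg_bits(data):
    # Bits of a byte string, least significant bit of each byte first (constructed convention).
    return [(byte >> j) & 1 for byte in data for j in range(8)]

def words(M):
    # Zero-pad M to a multiple of K bits, then read each K-bit group as a little-endian integer.
    M = M + [0] * (-len(M) % K)
    return [sum(b << j for j, b in enumerate(M[i:i + K])) for i in range(0, len(M), K)]

def sinsemilla_hash(D, M):
    # Acc_0 = Q(D); Acc_{i+1} = (Acc_i + P[m_i]) + Acc_i, the cheaper form of [2]Acc_i + P[m_i].
    acc = Q(D)
    for m in words(M):
        acc = ec_add(ec_add(acc, S(m)), acc)
    return acc

def short_hash(D, M): return sinsemilla_hash(D, M)[0]  # ShortHash(M): x-coordinate of Hash(M)

def commit(D, M, r):
    # Commit_r(M) = Hash(M) + [r]H; the caller draws r uniformly from [0, Q_ORDER).
    h, blind = sinsemilla_hash(D, M), scalar_mul(r % Q_ORDER, H)
    return h if blind is None else ec_add(h, blind)

def short_commit(D, M, r): return commit(D, M, r)[0]  # ShortCommit_r(M): x-coordinate

def reference_hash(D, M):
    # Unrolled recurrence [2^n]Q(D) + sum_i [2^(n-1-i)]P[m_i], as an independent cross-check.
    ms = words(M)
    acc = scalar_mul(1 << len(ms), Q(D))
    for i, m in enumerate(ms):
        acc = ec_add(acc, scalar_mul(1 << (len(ms) - 1 - i), S(m)))
    return acc
```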
<p>The aim of the design is to optimize the number of bits that can be processed for each step of the algorithm (which requires a doubling and addition in \(\mathbb{G}\)) for a given table size. Using a single table of size \(2^k\) group elements, we can process \(k\) bits at a time.</p>
<li>for \(i\) from \(0\) up to \(n-1\):
<p>Rearranging gives us an expression for each word of the original message \(m_{i+1} = z_i - 2^k \cdot z_{i+1}\), which we can look up in the table.</p>
<p>For a little-endian decomposition as used here, the running sum is initialized to the scalar and ends at 0. For a big-endian decomposition as used in <a href="https://hackmd.io/o9EzZBwxSWSi08kQ_fMIOw">variable-base scalar multiplication</a>, the running sum would start at 0 and end with recovering the original scalar.</p>
<p>The running sum only applies to message words within a single field element, i.e. if \(n \geq \mathtt{PrimeField::NUM\_BITS}\) then we will have several disjoint running sums. A longer message can be constructed by splitting the message words across several field elements, and then running several instances of the constraints below.
An additional \(q_{S2}\) selector is set to \(0\) for the last step of each element, except for the last element where it is set to \(2\).</p>
<p>In order to support chaining multiple field elements without a gap, we will use a slightly more complicated expression for \(m_{i+1}\) that effectively forces \(\mathbf{z}_n\) to zero for the last step of each element, as indicated by \(q_{S2}\). This allows the cell that would have been \(\mathbf{z}_n\) to be used to reinitialize the running sum for the next element.</p>
<li>for \(i\) from \(0\) up to \(n-1\):
<p>Note that each term of the last constraint is multiplied by \(4\) relative to the constraint program given earlier. This is a small optimization that avoids divisions by \(2\).</p>
<p>By gating the lookup expression on \(q_{S1}\), we avoid the need to fill in unused cells with dummy values to pass the lookup argument. The optimized lookup value (using a default index of \(0\)) is:</p>
<p>This increases the degree of the lookup argument to \(6\).</p>
<p>Given a field element \(\alpha\), these gadgets decompose it into \(W\) \(K\)-bit windows \[\alpha = k_0 + 2^K \cdot k_1 + \cdots\]</p>
<p>This is done using a running sum \(z_i, i \in [0..W).\) We initialize the running sum \(z_0 = \alpha,\) and compute subsequent terms \(z_{i+1} = \ldots\)</p>
<p>Strict mode constrains the running sum output $z_W$ to be zero, thus range-constraining the field element to be within $W \cdot K$ bits, i.e. $0 \leq \alpha < 2^{W \cdot K}$.</p>
<p>In strict mode, we are also assured that $z_{W-1} = k_{W-1}$ gives us the last window in the decomposition, since $k_{W-1} = z_{W-1} - 2^K \cdot z_W$ and $z_W = 0$.</p>
<p>This gadget makes use of a $K$-bit lookup table to decompose a field element $\alpha$ into $K$-bit words. Each $K$-bit word $k_i = z_i - 2^K \cdot z_{i+1}$ is the value that is checked for membership in the table, i.e. in $[0, 2^K)$.</p>
<h3><a class="header" href="#short-range-check" id="short-range-check">Short range check</a></h3>
<p>Using two $K$-bit lookups, we can range-constrain a field element $\alpha$ to be $n$ bits, where $n \leq K$. To do this:</p>
<ol>
<li>Constrain $0 \leq \alpha < 2^K$ to be within $K$ bits using a $K$-bit lookup.</li>
<li>Constrain $0 \leq \alpha \cdot 2^{K-n} < 2^K$ to be within $K$ bits using a $K$-bit lookup.</li>
</ol>
<p>The second lookup passes exactly when $\alpha < 2^n$: once the first lookup has established $\alpha < 2^K$, the product $\alpha \cdot 2^{K-n}$ is below $2^{2K}$, which is far smaller than the field modulus for any practical table size, so it cannot wrap around, and it is below $2^K$ if and only if $\alpha < 2^n$.</p>
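<p>The running-sum decomposition, strict mode and the two-lookup short range check above, modelled over a toy prime field as an added example. This is illustrative code written for this page, not the halo2 gadget's own implementation; the prime <code>P</code>, the word size <code>K = 4</code>, the word count <code>W = 4</code> and the widths <code>n</code> are assumptions chosen to keep the numbers small. Beyond what the text shows, it exhibits the caveat that makes strict mode a meaningful bound only when $2^{WK}$ is below the field modulus: otherwise $\alpha$ and $\alpha + p$ yield two different word vectors that both satisfy the strict constraints.</p>

```python
"""Added example: integer / prime-field model of the lookup range-check gadget.
Not the halo2 implementation. P, K, W and the widths used below are assumptions."""

P = (1 << 61) - 1   # toy Mersenne prime standing in for the circuit's field
K = 4               # the lookup table holds exactly the words [0, 2^K)
W = 4               # W words: strict mode proves 0 <= alpha < 2^(W*K)


def in_table(k: int, K: int = K) -> bool:
    """The K-bit lookup succeeds iff k is one of the 2^K table entries."""
    return 0 <= k < (1 << K)


def running_sum(n: int, K: int = K, W: int = W, p: int = P) -> list[int]:
    """Prover-side witness: z_0 = n mod p, z_{i+1} = (z_i - k_i) / 2^K, where k_i is
    the i-th K-bit word of the integer n and the division is by the field inverse
    of 2^K. Returns [z_0, ..., z_W]. An honest prover calls this with n = alpha."""
    inv = pow(1 << K, -1, p)
    z = [n % p]
    for i in range(W):
        k = (n >> (i * K)) & ((1 << K) - 1)
        z.append(((z[-1] - k) * inv) % p)
    return z


def words(z: list[int], K: int = K, p: int = P) -> list[int]:
    """k_i = z_i - 2^K * z_{i+1}, computed in the field: the value each row looks up."""
    return [(z[i] - (z[i + 1] << K)) % p for i in range(len(z) - 1)]


def verify(z: list[int], K: int = K, strict: bool = True, p: int = P) -> bool:
    """Verifier-side constraints: every word is in the table and, in strict mode,
    the final running sum z_W is zero."""
    if not all(in_table(k, K) for k in words(z, K, p)):
        return False
    return z[-1] == 0 or not strict


def recompose(ks: list[int], K: int = K) -> int:
    """sum_i 2^(iK) * k_i: the integer that strict mode proves alpha is equal to."""
    return sum(k << (i * K) for i, k in enumerate(ks))


def short_range_check(alpha: int, n: int, K: int = K, p: int = P) -> bool:
    """Two K-bit lookups prove 0 <= alpha < 2^n for n <= K. The first bounds alpha
    below 2^K, so alpha * 2^(K-n) < 2^(2K) < p cannot wrap around, and the second
    lookup then fails exactly when alpha >= 2^n."""
    assert 0 < n <= K and (1 << (2 * K)) < p
    a = alpha % p
    return in_table(a, K) and in_table((a * (1 << (K - n))) % p, K)


if __name__ == "__main__":
    z = running_sum(0xBEEF)                 # 16 bits: fits in W*K = 16
    print(words(z), verify(z))              # [15, 14, 14, 11] True
    z = running_sum(0x1BEEF)                # 17 bits: honest z_W is 1, not 0
    print(z[-1], verify(z, strict=False), verify(z))   # 1 True False
    print(short_range_check(7, 3), short_range_check(8, 3))   # True False
    # Caveat: with W*K = 64 > 61 bits, alpha = 5 and 5 + P give the same z_0 but
    # different word vectors, and both pass the strict check.
    a, b = running_sum(5, W=16), running_sum(5 + P, W=16)
    print(a[0] == b[0], verify(a) and verify(b), words(a) != words(b))  # True True True
```

<p>The last three lines are the check a reviewer of such a gadget would want to see: the constraints bind $\alpha$ to $\sum_i 2^{iK} k_i$ only modulo $p$, so the decomposition is unique, and the $W \cdot K$-bit bound is meaningful, only when $2^{WK} < p$.</p>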
<h2><a class="header" href="#short-range-decomposition" id="short-range-decomposition">Short range decomposition</a></h2>
<p>For a short range (for instance, $2^K \leq 8$), we can range-constrain each word using a polynomial constraint instead of a lookup:</p>