Generalize the distinct-x proof to allow negative indices.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2018-02-12 12:56:07 +00:00
parent 25fd603a7e
commit 0325aa2fd6
1 changed files with 15 additions and 8 deletions


@ -7138,12 +7138,14 @@ The incomplete affine-Montgomery addition formulae given in
The following theorem helps to determine when these incomplete addition formulae
can be safely used:
\newcommand{\halfs}{\frac{s-1}{2}}
\introlist
\begin{theorem}
Let $Q$ be a point of odd-prime order $s$ on a Montgomery curve $E_{\ParamM{A},\ParamM{B}} / \GF{\ParamS{r}}$.
Let $k_{\barerange{1}{2}}$ be integers in $\range{1}{(s-1)/2}$.
Let $k_{\barerange{1}{2}}$ be integers in $\rangenozero{-\halfs}{\halfs}$.
Let $P_i = \scalarmult{k_i}{Q} = (x_i, y_i)$ for $i \in \range{1}{2}$, with
$k_1 \neq k_2$. Then the non-unified addition constraints
$k_1 \neq \pm k_2$. Then the non-unified addition constraints
\begin{formulae}
\item $\constraint{x_2 - x_1}{\lambda}{y_2 - y_1}$
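Review bot: The new `\newcommand{\halfs}{\frac{s-1}{2}}` is defined inline in the body, between the introductory sentence and `\introlist`; since it is a notational macro rather than part of the theorem, it belongs with the other macro definitions in the preamble so later sections can reuse it and the body stays clean. Also worth checking that the range macro is used consistently: the hypothesis now reads `$k_{\barerange{1}{2}}$ be integers in $\rangenozero{-\halfs}{\halfs}$`, and the tightened conclusion `$k_1 \neq \pm k_2$` is what the proof relies on, so any other statements in the document that cite this theorem with the old `$k_1 \neq k_2$` condition should be updated to match.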
@ -7157,18 +7159,23 @@ implement the affine-Montgomery addition $P_1 + P_2 = (x_3, y_3)$ in all cases.
\begin{proof}
The given constraints are equivalent to the Montgomery addition formulae
under the side condition $x_1 \neq x_2$. (Note that neither $P_i$ can be
the zero point.) Assume for a contradiction that $x_1 = x_2$. For any
$P_1 = \scalarmult{k1}{Q}$, there can be only one other point $-P_1$ with
the zero point since $k_{\barerange{1}{2}} \neq 0 \pmod s$.)
Assume for a contradiction that $x_1 = x_2$. For any
$P_1 = \scalarmult{k_1}{Q}$, there can be only one other point $-P_1$ with
the same $x$-coordinate. (This follows from the fact that the curve equation
determines $\pm y$ as a function of $x$.)
But $-P_1 = \scalarmult{-1}{\scalarmult{k_1}{Q}} = \scalarmult{s - k_1}{Q}$.
Since $\fun{k \typecolon \range{0}{s-1}}{\scalarmult{k}{Q} \typecolon \GroupJ}$
is injective, either $k_2 = k_1$ (contradiction), or $k_2 = s - k_1$
(contradiction since $k_{\barerange{1}{2}}$ are in $\range{1}{(s-1)/2}$).
But $-P_1 = \scalarmult{-1}{\scalarmult{k_1}{Q}} = \scalarmult{-k_1}{Q}$.
Since $\fun{k \typecolon \range{-\halfs}{\halfs}}{\scalarmult{k}{Q} \typecolon \GroupJ}$
is injective and $k_{\barerange{1}{2}}$ are in $\range{-\halfs}{\halfs}$,
then $k_2 = \pm k_1$ (contradiction).
\end{proof}
The conditions of this theorem are called the \distinctXCriterion.
In particular, if $k_{\barerange{1}{2}}$ are integers in $\range{1}{\halfs}$
then it is sufficient to require $k_1 \neq k_2$, since that implies
$k_1 \neq \pm k_2$.
\introlist
Affine-Montgomery doubling can be implemented as:
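Review bot: The final step `then $k_2 = \pm k_1$ (contradiction)` leaves implicit what is being contradicted; it is clearer to say that the same-$x$ argument gives $P_2 \in \{P_1, -P_1\} = \{\scalarmult{k_1}{Q}, \scalarmult{-k_1}{Q}\}$, so injectivity forces $k_2 = k_1$ or $k_2 = -k_1$, contradicting the hypothesis $k_1 \neq \pm k_2$. Two smaller points: the sentence `Since ... is injective and ... are in ..., then $k_2 = \pm k_1$` reads awkwardly ("Since ..., then ..."); dropping "then" fixes it. And the proof says the $k_i$ are in `$\range{-\halfs}{\halfs}$` while the theorem statement uses `$\rangenozero{-\halfs}{\halfs}$`; the weaker range is still correct for the injectivity argument (the map is injective on all $s$ residues, which needs $s$ odd as assumed), but using `\rangenozero` in both places avoids the reader wondering whether $0$ was meant to be admitted. The typo fix from `\scalarmult{k1}{Q}` to `\scalarmult{k_1}{Q}` is correct.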