mirror of https://github.com/zcash/zips.git
Generalize the distinct-x proof to allow negative indices.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
25fd603a7e
commit
0325aa2fd6
@ -7138,12 +7138,14 @@ The incomplete affine-Montgomery addition formulae given in
The following theorem helps to determine when these incomplete addition formulae
can be safely used:
\newcommand{\halfs}{\frac{s-1}{2}}
\introlist
\begin{theorem}
Let $Q$ be a point of odd-prime order $s$ on a Montgomery curve $E_{\ParamM{A},\ParamM{B}} / \GF{\ParamS{r}}$.
Let $k_{\barerange{1}{2}}$ be integers in $\range{1}{(s-1)/2}$.
Let $k_{\barerange{1}{2}}$ be integers in $\rangenozero{-\halfs}{\halfs}$.
Let $P_i = \scalarmult{k_i}{Q} = (x_i, y_i)$ for $i \in \range{1}{2}$, with
$k_1 \neq k_2$. Then the non-unified addition constraints
$k_1 \neq \pm k_2$. Then the non-unified addition constraints
\begin{formulae}
\item $\constraint{x_2 - x_1}{\lambda}{y_2 - y_1}$
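Review bot: the `\newcommand{\halfs}{\frac{s-1}{2}}` is introduced inline in the body text, between the introductory sentence and `\introlist`/`\begin{theorem}`, rather than alongside the document's other macros. A `\newcommand` in body text compiles, but it is easy to lose in later edits and will raise a redefinition error if the same macro is later added to the preamble; suggest moving it to the preamble next to `\range`. Also confirm that `\rangenozero` is already defined, since it first appears here in `$\rangenozero{-\halfs}{\halfs}$` while the surrounding lines use `\range`.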
@ -7157,18 +7159,23 @@ implement the affine-Montgomery addition $P_1 + P_2 = (x_3, y_3)$ in all cases.
\begin{proof}
The given constraints are equivalent to the Montgomery addition formulae
under the side condition $x_1 \neq x_2$. (Note that neither $P_i$ can be
the zero point.) Assume for a contradiction that $x_1 = x_2$. For any
$P_1 = \scalarmult{k1}{Q}$, there can be only one other point $-P_1$ with
the zero point since $k_{\barerange{1}{2}} \neq 0 \pmod s$.)
Assume for a contradiction that $x_1 = x_2$. For any
$P_1 = \scalarmult{k_1}{Q}$, there can be only one other point $-P_1$ with
the same $x$-coordinate. (This follows from the fact that the curve equation
determines $\pm y$ as a function of $x$.)
But $-P_1 = \scalarmult{-1}{\scalarmult{k_1}{Q}} = \scalarmult{s - k_1}{Q}$.
Since $\fun{k \typecolon \range{0}{s-1}}{\scalarmult{k}{Q} \typecolon \GroupJ}$
is injective, either $k_2 = k_1$ (contradiction), or $k_2 = s - k_1$
(contradiction since $k_{\barerange{1}{2}}$ are in $\range{1}{(s-1)/2}$).
But $-P_1 = \scalarmult{-1}{\scalarmult{k_1}{Q}} = \scalarmult{-k_1}{Q}$.
Since $\fun{k \typecolon \range{-\halfs}{\halfs}}{\scalarmult{k}{Q} \typecolon \GroupJ}$
is injective and $k_{\barerange{1}{2}}$ are in $\range{-\halfs}{\halfs}$,
then $k_2 = \pm k_1$ (contradiction).
\end{proof}
The conditions of this theorem are called the \distinctXCriterion.
In particular, if $k_{\barerange{1}{2}}$ are integers in $\range{1}{\halfs}$
then it is sufficient to require $k_1 \neq k_2$, since that implies
$k_1 \neq \pm k_2$.
\introlist
Affine-Montgomery doubling can be implemented as:
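Review bot: the membership line `is injective and $k_{\barerange{1}{2}}$ are in $\range{-\halfs}{\halfs}$,` drops the nonzero condition that the theorem statement expresses with `\rangenozero` and that the new parenthetical `since $k_{\barerange{1}{2}} \neq 0 \pmod s$` relies on; writing `are in $\rangenozero{-\halfs}{\halfs}$` here keeps the proof consistent with the statement (the injectivity claim over the larger `\range{-\halfs}{\halfs}` domain is fine as it stands, and `-k_1` lies in that domain whenever `k_1` does, which is what the final step needs). The closing sentence `Since ... is injective and ..., then $k_2 = \pm k_1$ (contradiction).` pairs `Since` with `then`; `Since ... is injective and ..., it follows that $k_2 = \pm k_1$ (contradiction).` reads better. The `\scalarmult{k1}{Q}` to `\scalarmult{k_1}{Q}` subscript fix in the rewritten line is welcome.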