mirror of https://github.com/zcash/zips.git
Minor corrections to affine Edwards variable-base multiplication in Appendix A.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent
3b16c62958
commit
0351335662
|
@ -9630,6 +9630,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\item No changes to \Sprout.
|
||||
\sapling{
|
||||
\item Finish \crossref{cctblake2s}.
|
||||
\item Minor corrections to \crossref{cctvarscalarmult}.
|
||||
} %sapling
|
||||
\end{itemize}
|
||||
|
||||
|
@ -10535,6 +10536,9 @@ curve or coordinates. Following the notation in \cite{BL2017} we use
|
|||
$(u, \varv)$ for affine coordinates on the Edwards curve, and $(x, y)$ for
|
||||
affine coordinates on the Montgomery curve.
|
||||
|
||||
A point $P$ is normally represented by two $\GF{\ParamS{r}}$ variables, which
|
||||
we name as $(P^u, P^{\vv})$ for an affine Edwards point, for instance.
|
||||
|
||||
\introlist
|
||||
The Montgomery curve has parameters $\ParamM{A} = 40962$ and $\ParamM{B} = 1$.
|
||||
We use an affine representation of this curve with the formula:
|
||||
|
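Review bot: The added sentence naming a point's variables as $(P^u, P^{\vv})$ covers only the affine Edwards case and leaves the rest to "for instance". The paragraph just above it defines $(x, y)$ for affine Montgomery coordinates, so I suggest also spelling out the Montgomery counterpart, for example $(P^x, P^y)$. Later circuit descriptions that move between the two curves would then not leave the reader to infer which pair of field variables is meant.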
@ -11118,15 +11122,14 @@ the additional complexity was not considered justified for \Sapling.
|
|||
When the base point $B$ is not fixed, the method in the preceding section
|
||||
cannot be used. Instead we use a naïve double-and-add method.
|
||||
|
||||
\introlist
|
||||
\begin{samepage}
|
||||
Given $k = \vsum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$ using:
|
||||
|
||||
\begin{algorithm}
|
||||
\item // $\Base_i = \scalarmult{2^i}{B}$
|
||||
\item let $\Base^u_0 = \Selectu\Of{B}$
|
||||
\item let $\Base^{\vv}_0\hairspace = B_{\vv}$
|
||||
\item let $\Acc^u_0 = k_0 \bchoose B^u : 0$
|
||||
\item let $\Acc^{\vv}_0\hairspace = k_0 \bchoose B^{\vv} : 1$
|
||||
\item let $\Base_0 = B$
|
||||
\item let $\Acc^u_0 = k_0 \bchoose \Base^u_0 : 0$
|
||||
\item let $\Acc^{\vv}_0\hairspace = k_0 \bchoose \Base^{\vv}_0 : 1$
|
||||
\vspace{1ex}
|
||||
\item for $i$ from $1$ up to $250$:
|
||||
\item \tab let $\Base_i = \scalarmult{2}{\Base_{i-1}}$
|
||||
|
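Review bot: The initialisation of `\Acc^u_0` and `\Acc^{\vv}_0` is the same bit-select that the loop performs for `\Addend_i`, but it carries no comment saying so. The loop has a comment on its select step, so I suggest a matching line here, for example "// select $\Base_0$ or $\ZeroJ$ depending on the bit $k_0$". That makes it visible that this is the one point selection outside the 250 loop iterations, which is what the count of 251 selections in the cost paragraph depends on. The hunk also opens `\begin{samepage}` in place of `\introlist`; the matching `\end{samepage}` arrives only in the next hunk, so the two must be applied together.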
@ -11134,9 +11137,10 @@ Given $k = \vsum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$
|
|||
\item \tab // select $\Base_i$ or $\ZeroJ$ depending on the bit $k_i$
|
||||
\item \tab let $\Addend^u_i = k_i \bchoose \Base^u_i : 0$
|
||||
\item \tab let $\Addend^{\vv}_i\hairspace = k_i \bchoose \Base^{\vv}_i : 1$
|
||||
\item \tab let $\Acc_i = \Acc_{i-1} + \Addend^i$
|
||||
\item \tab let $\Acc_i = \Acc_{i-1} + \Addend_i$
|
||||
\item let $R = \Acc_{250}$.
|
||||
\end{algorithm}
|
||||
\end{samepage}
|
||||
|
||||
This costs $5$ constraints for each of $250$ Edwards doublings, $6$ constraints for each
|
||||
of $250$ Edwards additions, and $2$ constraints for each of $251$ point selections,
|
||||
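Review bot: In the corrected line `\Acc_i = \Acc_{i-1} + \Addend_i`, the `+` is not identified as affine Edwards addition, and `\Acc_i` and `\Addend_i` appear as whole points while the two lines above define `\Addend^u_i` and `\Addend^{\vv}_i` per coordinate. I suggest a short comment on this step, or a cross-reference to the addition gadget, so that the 6-constraint figure for Edwards additions in the cost paragraph can be tied directly to this line.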