From 03513356626e831e6337d6ef0ef5c0f409168afb Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Tue, 14 Aug 2018 10:43:05 +0100 Subject: [PATCH] Minor corrections to affine Edwards variable-base multiplication in Appendix A. Signed-off-by: Daira Hopwood --- protocol/protocol.tex | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 0313abc9..3b952df7 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -9630,6 +9630,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \item No changes to \Sprout. \sapling{ \item Finish \crossref{cctblake2s}. + \item Minor corrections to \crossref{cctvarscalarmult}. } %sapling \end{itemize} @@ -10535,6 +10536,9 @@ curve or coordinates. Following the notation in \cite{BL2017} we use $(u, \varv)$ for affine coordinates on the Edwards curve, and $(x, y)$ for affine coordinates on the Montgomery curve. +A point $P$ is normally represented by two $\GF{\ParamS{r}}$ variables, which +we name as $(P^u, P^{\vv})$ for an affine Edwards point, for instance. + \introlist The Montgomery curve has parameters $\ParamM{A} = 40962$ and $\ParamM{B} = 1$. We use an affine representation of this curve with the formula: 
@@ -11118,15 +11122,14 @@ the additional complexity was not considered justified for \Sapling. When the base point $B$ is not fixed, the method in the preceding section cannot be used. Instead we use a naïve double-and-add method. -\introlist +\begin{samepage} Given $k = \vsum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$ using: \begin{algorithm} \item // $\Base_i = \scalarmult{2^i}{B}$ - \item let $\Base^u_0 = \Selectu\Of{B}$ - \item let $\Base^{\vv}_0\hairspace = B_{\vv}$ - \item let $\Acc^u_0 = k_0 \bchoose B^u : 0$ - \item let $\Acc^{\vv}_0\hairspace = k_0 \bchoose B^{\vv} : 1$ + \item let $\Base_0 = B$ + \item let $\Acc^u_0 = k_0 \bchoose \Base^u_0 : 0$ + \item let $\Acc^{\vv}_0\hairspace = k_0 \bchoose \Base^{\vv}_0 : 1$ \vspace{1ex} \item for $i$ from $1$ up to $250$: \item \tab let $\Base_i = \scalarmult{2}{\Base_{i-1}}$ @@ -11134,9 +11137,10 @@ Given $k = \vsum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$ \item \tab // select $\Base_i$ or $\ZeroJ$ depending on the bit $k_i$ \item \tab let $\Addend^u_i = k_i \bchoose \Base^u_i : 0$ \item \tab let $\Addend^{\vv}_i\hairspace = k_i \bchoose \Base^{\vv}_i : 1$ - \item \tab let $\Acc_i = \Acc_{i-1} + \Addend^i$ + \item \tab let $\Acc_i = \Acc_{i-1} + \Addend_i$ \item let $R = \Acc_{250}$. \end{algorithm} +\end{samepage} This costs $5$ constraints for each of $250$ Edwards doublings, $6$ constraints for each of $250$ Edwards additions, and $2$ constraints for each of $251$ point selections,
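Review bot: In the changelog hunk (`@@ -9630`), the new entry names only `\crossref{cctvarscalarmult}`, but the patch also adds a sentence defining the point-representation notation in the hunk at `@@ -10535`, several hundred lines before the algorithm. If that sentence sits outside the cross-referenced section, the entry should mention it too, for example by extending it to say that notation for the variables representing a point was added.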
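Review bot: In the `@@ -10535` hunk, the added sentence writes the second Edwards coordinate as `\vv` in `$(P^u, P^{\vv})$`, while the context line directly above it writes the same coordinate as `\varv` in `$(u, \varv)$`. If these are distinct macros, please confirm they typeset the same symbol, or use one of them in both places. The sentence also gives only the Edwards case ("for instance"); since the preceding context introduces `$(x, y)$` for the Montgomery curve, stating the Montgomery naming explicitly as well would remove the need to infer it.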
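Review bot: In the `@@ -11118` hunk, the initial selection for `\Acc_0` has no comment, although the identical selection inside the loop is annotated with `// select $\Base_i$ or $\ZeroJ$ depending on the bit $k_i$`. The trailing cost sentence counts $251$ point selections, which is the $250$ in the loop plus this one, so a matching comment before the `\Acc^u_0` line would make that count easy to check. Separately, `let $\Base_0 = B$` now assigns a whole point while the following lines use `\Base^u_0` and `\Base^{\vv}_0`; that relies on the coordinate-naming sentence added in the `@@ -10535` hunk, so a brief pointer to it here would help. Replacing `\introlist` with a `samepage` environment is a layout change rather than a correction, and `\introlist` is still used in the context of the earlier hunk; a word on the reason in the commit message would be useful.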