Minor corrections to affine Edwards variable-base multiplication in Appendix A.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2018-08-14 10:43:05 +01:00
parent 3b16c62958
commit 0351335662
1 changed file with 10 additions and 6 deletions


@ -9630,6 +9630,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\item No changes to \Sprout. \item No changes to \Sprout.
\sapling{ \sapling{
\item Finish \crossref{cctblake2s}. \item Finish \crossref{cctblake2s}.
\item Minor corrections to \crossref{cctvarscalarmult}.
} %sapling } %sapling
\end{itemize} \end{itemize}
@ -10535,6 +10536,9 @@ curve or coordinates. Following the notation in \cite{BL2017} we use
$(u, \varv)$ for affine coordinates on the Edwards curve, and $(x, y)$ for $(u, \varv)$ for affine coordinates on the Edwards curve, and $(x, y)$ for
affine coordinates on the Montgomery curve. affine coordinates on the Montgomery curve.
A point $P$ is normally represented by two $\GF{\ParamS{r}}$ variables, which
we name as $(P^u, P^{\vv})$ for an affine Edwards point, for instance.
\introlist \introlist
The Montgomery curve has parameters $\ParamM{A} = 40962$ and $\ParamM{B} = 1$. The Montgomery curve has parameters $\ParamM{A} = 40962$ and $\ParamM{B} = 1$.
We use an affine representation of this curve with the formula: We use an affine representation of this curve with the formula:
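Review bot: The added sentence typesets the Edwards $\varv$-coordinate as `P^{\vv}`, while the sentence directly above it writes the same coordinate as `\varv` in `$(u, \varv)$`; confirm that `\vv` and `\varv` are the same macro (or render identically), otherwise the `(P^u, P^{\vv})` convention that the corrected algorithm depends on (`\Base^{\vv}_i`, `\Addend^{\vv}_i`) is introduced under a different symbol from the coordinate it names. Consider also naming the representation of $\ZeroJ$ here, since the algorithm later selects `0` and `1` as the "else" coordinates.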
@ -11118,15 +11122,14 @@ the additional complexity was not considered justified for \Sapling.
When the base point $B$ is not fixed, the method in the preceding section When the base point $B$ is not fixed, the method in the preceding section
cannot be used. Instead we use a naïve double-and-add method. cannot be used. Instead we use a naïve double-and-add method.
\introlist \begin{samepage}
Given $k = \vsum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$ using: Given $k = \vsum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$ using:
\begin{algorithm} \begin{algorithm}
\item // $\Base_i = \scalarmult{2^i}{B}$ \item // $\Base_i = \scalarmult{2^i}{B}$
\item let $\Base^u_0 = \Selectu\Of{B}$ \item let $\Base_0 = B$
\item let $\Base^{\vv}_0\hairspace = B_{\vv}$ \item let $\Acc^u_0 = k_0 \bchoose \Base^u_0 : 0$
\item let $\Acc^u_0 = k_0 \bchoose B^u : 0$ \item let $\Acc^{\vv}_0\hairspace = k_0 \bchoose \Base^{\vv}_0 : 1$
\item let $\Acc^{\vv}_0\hairspace = k_0 \bchoose B^{\vv} : 1$
\vspace{1ex} \vspace{1ex}
\item for $i$ from $1$ up to $250$: \item for $i$ from $1$ up to $250$:
\item \tab let $\Base_i = \scalarmult{2}{\Base_{i-1}}$ \item \tab let $\Base_i = \scalarmult{2}{\Base_{i-1}}$
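Review bot: Collapsing the two componentwise definitions into `let $\Base_0 = B$` only reads correctly because of the `(P^u, P^{\vv})` convention introduced in the previous hunk, so these hunks should land together rather than be cherry-picked separately. The `\begin{samepage}` that replaces `\introlist` needs a matching `\end{samepage}` after the algorithm (added in the next hunk). The initial accumulator `$\Acc^u_0 = k_0 \bchoose \Base^u_0 : 0$`, `$\Acc^{\vv}_0 = k_0 \bchoose \Base^{\vv}_0 : 1$` takes the identity to be $(0, 1)$; a one-line remark after "Given $k = \ldots$" stating that $\ZeroJ = (0, 1)$ in affine Edwards coordinates would make the `: 0` / `: 1` choices self-explanatory.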
@ -11134,9 +11137,10 @@ Given $k = \vsum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$
\item \tab // select $\Base_i$ or $\ZeroJ$ depending on the bit $k_i$ \item \tab // select $\Base_i$ or $\ZeroJ$ depending on the bit $k_i$
\item \tab let $\Addend^u_i = k_i \bchoose \Base^u_i : 0$ \item \tab let $\Addend^u_i = k_i \bchoose \Base^u_i : 0$
\item \tab let $\Addend^{\vv}_i\hairspace = k_i \bchoose \Base^{\vv}_i : 1$ \item \tab let $\Addend^{\vv}_i\hairspace = k_i \bchoose \Base^{\vv}_i : 1$
\item \tab let $\Acc_i = \Acc_{i-1} + \Addend^i$ \item \tab let $\Acc_i = \Acc_{i-1} + \Addend_i$
\item let $R = \Acc_{250}$. \item let $R = \Acc_{250}$.
\end{algorithm} \end{algorithm}
\end{samepage}
This costs $5$ constraints for each of $250$ Edwards doublings, $6$ constraints for each This costs $5$ constraints for each of $250$ Edwards doublings, $6$ constraints for each
of $250$ Edwards additions, and $2$ constraints for each of $251$ point selections, of $250$ Edwards additions, and $2$ constraints for each of $251$ point selections,