Modify the description of fixed-base scalar multiplication to match sapling-crypto.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2018-11-13 22:06:36 +00:00 · 2018-11-13 22:06:36 +00:00 · 0835c3837e
parent 2f868aca8d
commit 0835c3837e
1 changed files with 54 additions and 23 deletions
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@ -9779,6 +9779,16 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
 \intropart
 \section{Change History}

+\subparagraph{2018.0-beta-33}
+\begin{itemize}
+    \item No changes to \Sprout.
+\sapling{
+    \item Modify the description of $3$-bit window lookup in \crossref{cctfixedscalarmult}
+          to match sapling-crypto.
+} %sapling
+\end{itemize}
+
+\introlist
 \subparagraph{2018.0-beta-32}
 2018-10-24

@ -11499,32 +11509,53 @@ To look up a given window entry $w_{(B,\,i,\,s)} = (u_s, \varv_s)$, where
 $s = 4 \smult s_2 + 2 \smult s_1 + s_0$, we use:

 \begin{formulae}
-  \item $\constraint{s_1}{s_0}{s\suband}$
-  \item $\lconstraint{s_2} \big(\!- u_0 \smult s\suband \plus u_0 \smult s_1 \plus u_0 \smult s_0 - u_0 \plus u_1 \smult s\suband
-                                  - u_1 \smult s_0 \plus u_2 \smult s\suband - u_2 \smult s_1 - u_3 \smult s\suband \\
-         \mhspace{3.52em}     \plus u_4 \smult s\suband - u_4 \smult s_1 - u_4 \smult s_0 \plus u_4 - u_5 \smult s\suband
-                              \plus u_5 \smult s_0 - u_6 \smult s\suband \plus u_6 \smult s_1 \plus u_7 \smult s\suband\big) = \\
-         \mhspace{1.92em}  \lincomb{u_s - u_0 \smult s\suband \plus u_0 \smult s_1 \plus u_0 \smult s_0 - u_0 \plus u_1 \smult s\suband
-                                  - u_1 \smult s_0 \plus u_2 \smult s\suband - u_2 \smult s_1 - u_3 \smult s\suband}$
-  \item $\lconstraint{s_2} \big(\!- \vv_0 \smult s\suband \plus \vv_0 \smult s_1 \plus \vv_0 \smult s_0 - \vv_0 \plus \vv_1 \smult s\suband
-                                  - \vv_1 \smult s_0 \plus \vv_2 \smult s\suband - \vv_2 \smult s_1 - \vv_3 \smult s\suband \\
-         \mhspace{3.51em}     \plus \vv_4 \smult s\suband - \vv_4 \smult s_1 - \vv_4 \smult s_0 \plus \vv_4 - \vv_5 \smult s\suband
-                              \plus \vv_5 \smult s_0 - \vv_6 \smult s\suband \plus \vv_6 \smult s_1 \plus \vv_7 \smult s\suband\big) = \\
-         \mhspace{1.90em}  \lincomb{\vv_s - \vv_0 \smult s\suband \plus \vv_0 \smult s_1 \plus \vv_0 \smult s_0 - \vv_0 \plus \vv_1 \smult s\suband
-                                  - \vv_1 \smult s_0 \plus \vv_2 \smult s\suband - \vv_2 \smult s_1 - \vv_3 \smult s\suband}$
+  \item $\constraint{s_1}{s_2}{s\suband}$
+  \item $\lconstraint{s_0} \big(\!- u_0 \smult s\suband \plus u_0 \smult s_2 \plus u_0 \smult s_1 - u_0 \plus u_2 \smult s\suband
+                                  - u_2 \smult s_1 \plus u_4 \smult s\suband - u_4 \smult s_2 - u_6 \smult s\suband \\
+         \mhspace{3.52em}     \plus u_1 \smult s\suband - u_1 \smult s_2 - u_1 \smult s_1 \plus u_1 - u_3 \smult s\suband
+                              \plus u_3 \smult s_1 - u_5 \smult s\suband \plus u_5 \smult s_2 \plus u_7 \smult s\suband\big) = \\
+         \mhspace{1.92em}  \lincomb{u_s - u_0 \smult s\suband \plus u_0 \smult s_2 \plus u_0 \smult s_1 - u_0 \plus u_2 \smult s\suband
+                                  - u_2 \smult s_1 \plus u_4 \smult s\suband - u_4 \smult s_2 - u_6 \smult s\suband}$
+  \item $\lconstraint{s_0} \big(\!- \vv_0 \smult s\suband \plus \vv_0 \smult s_2 \plus \vv_0 \smult s_1 - \vv_0 \plus \vv_2 \smult s\suband
+                                  - \vv_2 \smult s_1 \plus \vv_4 \smult s\suband - \vv_4 \smult s_2 - \vv_6 \smult s\suband \\
+         \mhspace{3.51em}     \plus \vv_1 \smult s\suband - \vv_1 \smult s_2 - \vv_1 \smult s_1 \plus \vv_1 - \vv_3 \smult s\suband
+                              \plus \vv_3 \smult s_1 - \vv_5 \smult s\suband \plus \vv_5 \smult s_2 \plus \vv_7 \smult s\suband\big) = \\
+         \mhspace{1.90em}  \lincomb{\vv_s - \vv_0 \smult s\suband \plus \vv_0 \smult s_2 \plus \vv_0 \smult s_1 - \vv_0 \plus \vv_2 \smult s\suband
+                                  - \vv_2 \smult s_1 \plus \vv_4 \smult s\suband - \vv_4 \smult s_2 - \vv_6 \smult s\suband}$
 \end{formulae}

-This costs $3$ constraints for each of $84$ window lookups, plus $6$ constraints for
-each of $83$ Edwards additions (as in \crossref{cctedarithmetic}), for a total of
-$750$ constraints.
+For a full-length ($252$-bit) scalar this costs $3$ constraints for each of $84$ window lookups,
+plus $6$ constraints for each of $83$ Edwards additions (as in \crossref{cctedarithmetic}), for
+a total of $750$ constraints.

-\nnote{
-It would be more efficient to use arithmetic on the Montgomery curve, as in
-\crossref{cctpedersenhash}. However since there are only three instances of
-fixed-base scalar multiplication in the \spendCircuit and two in the
-\outputCircuit\footnote{A Pedersen commitment uses fixed-base scalar multiplication as a subcomponent.},
-the additional complexity was not considered justified for \Sapling.
-} %nnote
+Fixed-base scalar multiplication is also used in two places with shorter scalars:
+\begin{itemize}
+  \item \crossref{ccthomomorphiccommit} uses a $64$-bit scalar for the
+        $\Value$ input to $\ValueCommit{}$, requiring
+        $22$ windows at a cost of $3 \smult 22 - 1 + 6 \smult 21 = 191$ constraints;
+  \item \crossref{cctmixinghash} uses a $32$-bit scalar for the
+        $\NotePosition$ input to $\MixingPedersenHash$, requiring
+        $11$ windows at a cost of $3 \smult 11 - 1 + 6 \smult 10 = 92$ constraints.
+\end{itemize}
+
+\vspace{-1ex}
+None of these costs include the cost of boolean-constraining the scalar.
+
+\vspace{-2ex}
+\begin{nnotes}
+        \vspace{-0.5ex}
+  \item It would be more efficient to use arithmetic on the Montgomery curve, as in
+        \crossref{cctpedersenhash}. However since there are only three instances of
+        fixed-base scalar multiplication in the \spendCircuit and two in the
+        \outputCircuit\footnote{A Pedersen commitment uses fixed-base scalar multiplication as a subcomponent.},
+        the additional complexity was not considered justified for \Sapling.
+  \item For the multiplications with $64$-bit and $32$-bit scalars, the scalar is
+        padded to a multiple of $3$ bits with zeros. This causes the computation
+        of $s\suband$ in the lookup for the most significant window to be optimized out,
+        which is where the ``$-\;1$'' comes from in the above cost calculations.
+        No further optimization is done for this lookup.
+\end{nnotes}
+\vspace{-5ex}


 \introsection