diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index 925abf54..6cd9e54f 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -9779,6 +9779,16 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
 \intropart
 \section{Change History}
+\subparagraph{2018.0-beta-33}
+\begin{itemize}
+ \item No changes to \Sprout.
+\sapling{
+ \item Modify the description of $3$-bit window lookup in \crossref{cctfixedscalarmult}
+ to match sapling-crypto.
+} %sapling
+\end{itemize}
+
+\introlist
 \subparagraph{2018.0-beta-32}
 2018-10-24
@@ -11499,32 +11509,53 @@ To look up a given window entry $w_{(B,\,i,\,s)} = (u_s, \varv_s)$, where $s = 4 \smult s_2 + 2 \smult s_1 + s_0$, we use:
 \begin{formulae}
- \item $\constraint{s_1}{s_0}{s\suband}$
- \item $\lconstraint{s_2} \big(\!- u_0 \smult s\suband \plus u_0 \smult s_1 \plus u_0 \smult s_0 - u_0 \plus u_1 \smult s\suband
- - u_1 \smult s_0 \plus u_2 \smult s\suband - u_2 \smult s_1 - u_3 \smult s\suband \\
- \mhspace{3.52em} \plus u_4 \smult s\suband - u_4 \smult s_1 - u_4 \smult s_0 \plus u_4 - u_5 \smult s\suband
- \plus u_5 \smult s_0 - u_6 \smult s\suband \plus u_6 \smult s_1 \plus u_7 \smult s\suband\big) = \\
- \mhspace{1.92em} \lincomb{u_s - u_0 \smult s\suband \plus u_0 \smult s_1 \plus u_0 \smult s_0 - u_0 \plus u_1 \smult s\suband
- - u_1 \smult s_0 \plus u_2 \smult s\suband - u_2 \smult s_1 - u_3 \smult s\suband}$
- \item $\lconstraint{s_2} \big(\!- \vv_0 \smult s\suband \plus \vv_0 \smult s_1 \plus \vv_0 \smult s_0 - \vv_0 \plus \vv_1 \smult s\suband
- - \vv_1 \smult s_0 \plus \vv_2 \smult s\suband - \vv_2 \smult s_1 - \vv_3 \smult s\suband \\
- \mhspace{3.51em} \plus \vv_4 \smult s\suband - \vv_4 \smult s_1 - \vv_4 \smult s_0 \plus \vv_4 - \vv_5 \smult s\suband
- \plus \vv_5 \smult s_0 - \vv_6 \smult s\suband \plus \vv_6 \smult s_1 \plus \vv_7 \smult s\suband\big) = \\
- \mhspace{1.90em} \lincomb{\vv_s - \vv_0 \smult s\suband \plus \vv_0 \smult s_1 \plus \vv_0 \smult s_0 - \vv_0 \plus \vv_1 \smult s\suband
- - \vv_1 \smult s_0 \plus \vv_2 \smult s\suband - \vv_2 \smult s_1 - \vv_3 \smult s\suband}$
+ \item $\constraint{s_1}{s_2}{s\suband}$
+ \item $\lconstraint{s_0} \big(\!- u_0 \smult s\suband \plus u_0 \smult s_2 \plus u_0 \smult s_1 - u_0 \plus u_2 \smult s\suband
+ - u_2 \smult s_1 \plus u_4 \smult s\suband - u_4 \smult s_2 - u_6 \smult s\suband \\
+ \mhspace{3.52em} \plus u_1 \smult s\suband - u_1 \smult s_2 - u_1 \smult s_1 \plus u_1 - u_3 \smult s\suband
+ \plus u_3 \smult s_1 - u_5 \smult s\suband \plus u_5 \smult s_2 \plus u_7 \smult s\suband\big) = \\
+ \mhspace{1.92em} \lincomb{u_s - u_0 \smult s\suband \plus u_0 \smult s_2 \plus u_0 \smult s_1 - u_0 \plus u_2 \smult s\suband
+ - u_2 \smult s_1 \plus u_4 \smult s\suband - u_4 \smult s_2 - u_6 \smult s\suband}$
+ \item $\lconstraint{s_0} \big(\!- \vv_0 \smult s\suband \plus \vv_0 \smult s_2 \plus \vv_0 \smult s_1 - \vv_0 \plus \vv_2 \smult s\suband
+ - \vv_2 \smult s_1 \plus \vv_4 \smult s\suband - \vv_4 \smult s_2 - \vv_6 \smult s\suband \\
+ \mhspace{3.51em} \plus \vv_1 \smult s\suband - \vv_1 \smult s_2 - \vv_1 \smult s_1 \plus \vv_1 - \vv_3 \smult s\suband
+ \plus \vv_3 \smult s_1 - \vv_5 \smult s\suband \plus \vv_5 \smult s_2 \plus \vv_7 \smult s\suband\big) = \\
+ \mhspace{1.90em} \lincomb{\vv_s - \vv_0 \smult s\suband \plus \vv_0 \smult s_2 \plus \vv_0 \smult s_1 - \vv_0 \plus \vv_2 \smult s\suband
+ - \vv_2 \smult s_1 \plus \vv_4 \smult s\suband - \vv_4 \smult s_2 - \vv_6 \smult s\suband}$
 \end{formulae}
-This costs $3$ constraints for each of $84$ window lookups, plus $6$ constraints for
-each of $83$ Edwards additions (as in \crossref{cctedarithmetic}), for a total of
-$750$ constraints.
+For a full-length ($252$-bit) scalar this costs $3$ constraints for each of $84$ window lookups,
+plus $6$ constraints for each of $83$ Edwards additions (as in \crossref{cctedarithmetic}), for
+a total of $750$ constraints.
-\nnote{
-It would be more efficient to use arithmetic on the Montgomery curve, as in
-\crossref{cctpedersenhash}. However since there are only three instances of
-fixed-base scalar multiplication in the \spendCircuit and two in the
-\outputCircuit\footnote{A Pedersen commitment uses fixed-base scalar multiplication as a subcomponent.},
-the additional complexity was not considered justified for \Sapling.
-} %nnote
+Fixed-base scalar multiplication is also used in two places with shorter scalars:
+\begin{itemize}
+ \item \crossref{ccthomomorphiccommit} uses a $64$-bit scalar for the
+ $\Value$ input to $\ValueCommit{}$, requiring
+ $22$ windows at a cost of $3 \smult 22 - 1 + 6 \smult 21 = 191$ constraints;
+ \item \crossref{cctmixinghash} uses a $32$-bit scalar for the
+ $\NotePosition$ input to $\MixingPedersenHash$, requiring
+ $11$ windows at a cost of $3 \smult 11 - 1 + 6 \smult 10 = 92$ constraints.
+\end{itemize}
+
+\vspace{-1ex}
+None of these costs include the cost of boolean-constraining the scalar.
+
+\vspace{-2ex}
+\begin{nnotes}
+ \vspace{-0.5ex}
+ \item It would be more efficient to use arithmetic on the Montgomery curve, as in
+ \crossref{cctpedersenhash}. However since there are only three instances of
+ fixed-base scalar multiplication in the \spendCircuit and two in the
+ \outputCircuit\footnote{A Pedersen commitment uses fixed-base scalar multiplication as a subcomponent.},
+ the additional complexity was not considered justified for \Sapling.
+ \item For the multiplications with $64$-bit and $32$-bit scalars, the scalar is
+ padded to a multiple of $3$ bits with zeros. This causes the computation
+ of $s\suband$ in the lookup for the most significant window to be optimized out,
+ which is where the ``$-\;1$'' comes from in the above cost calculations.
+ No further optimization is done for this lookup.
+\end{nnotes}
+\vspace{-5ex}
 \introsection
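Review bot: The rewritten lookup (the three constraints in the `formulae` environment, with $s\suband = s_1 \smult s_2$ and the $s_0$ multiplier) is only sound when $s_0$, $s_1$, $s_2$ are already boolean-constrained, but the new text mentions boolean-constraining only as an excluded cost, so a reader could take the three constraints as a complete lookup; suggest making the dependency explicit, e.g. `None of these costs include the cost of boolean-constraining the scalar, which is required for the lookup constraints above to be sound.` The second `nnotes` item should also say whether the zero padding bits are fixed circuit constants rather than allocated witness variables, since the ``$-\;1$'' saving only follows if $s\suband$ becomes a constant in the most significant window; from the hunk alone I infer they are constants, but that should be confirmed against sapling-crypto before the claim is stated as fact. The negative `\vspace` adjustments around the new `itemize` and `nnotes` environments are manual layout tuning in the body and would be easier to keep consistent as spacing set once on those environments.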