Modify the description of fixed-base scalar multiplication to match sapling-crypto.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent
2f868aca8d
commit
0835c3837e
|
@ -9779,6 +9779,16 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
||||||
\intropart
|
\intropart
|
||||||
\section{Change History}
|
\section{Change History}
|
||||||
|
|
||||||
|
\subparagraph{2018.0-beta-33}
|
||||||
|
\begin{itemize}
|
||||||
|
\item No changes to \Sprout.
|
||||||
|
\sapling{
|
||||||
|
\item Modify the description of $3$-bit window lookup in \crossref{cctfixedscalarmult}
|
||||||
|
to match sapling-crypto.
|
||||||
|
} %sapling
|
||||||
|
\end{itemize}
|
||||||
|
|
||||||
|
\introlist
|
||||||
\subparagraph{2018.0-beta-32}
|
\subparagraph{2018.0-beta-32}
|
||||||
2018-10-24
|
2018-10-24
|
||||||
|
|
||||||
|
@ -11499,32 +11509,53 @@ To look up a given window entry $w_{(B,\,i,\,s)} = (u_s, \varv_s)$, where
|
||||||
$s = 4 \smult s_2 + 2 \smult s_1 + s_0$, we use:
|
$s = 4 \smult s_2 + 2 \smult s_1 + s_0$, we use:
|
||||||
|
|
||||||
\begin{formulae}
|
\begin{formulae}
|
||||||
\item $\constraint{s_1}{s_0}{s\suband}$
|
\item $\constraint{s_1}{s_2}{s\suband}$
|
||||||
\item $\lconstraint{s_2} \big(\!- u_0 \smult s\suband \plus u_0 \smult s_1 \plus u_0 \smult s_0 - u_0 \plus u_1 \smult s\suband
|
\item $\lconstraint{s_0} \big(\!- u_0 \smult s\suband \plus u_0 \smult s_2 \plus u_0 \smult s_1 - u_0 \plus u_2 \smult s\suband
|
||||||
- u_1 \smult s_0 \plus u_2 \smult s\suband - u_2 \smult s_1 - u_3 \smult s\suband \\
|
- u_2 \smult s_1 \plus u_4 \smult s\suband - u_4 \smult s_2 - u_6 \smult s\suband \\
|
||||||
\mhspace{3.52em} \plus u_4 \smult s\suband - u_4 \smult s_1 - u_4 \smult s_0 \plus u_4 - u_5 \smult s\suband
|
\mhspace{3.52em} \plus u_1 \smult s\suband - u_1 \smult s_2 - u_1 \smult s_1 \plus u_1 - u_3 \smult s\suband
|
||||||
\plus u_5 \smult s_0 - u_6 \smult s\suband \plus u_6 \smult s_1 \plus u_7 \smult s\suband\big) = \\
|
\plus u_3 \smult s_1 - u_5 \smult s\suband \plus u_5 \smult s_2 \plus u_7 \smult s\suband\big) = \\
|
||||||
\mhspace{1.92em} \lincomb{u_s - u_0 \smult s\suband \plus u_0 \smult s_1 \plus u_0 \smult s_0 - u_0 \plus u_1 \smult s\suband
|
\mhspace{1.92em} \lincomb{u_s - u_0 \smult s\suband \plus u_0 \smult s_2 \plus u_0 \smult s_1 - u_0 \plus u_2 \smult s\suband
|
||||||
- u_1 \smult s_0 \plus u_2 \smult s\suband - u_2 \smult s_1 - u_3 \smult s\suband}$
|
- u_2 \smult s_1 \plus u_4 \smult s\suband - u_4 \smult s_2 - u_6 \smult s\suband}$
|
||||||
\item $\lconstraint{s_2} \big(\!- \vv_0 \smult s\suband \plus \vv_0 \smult s_1 \plus \vv_0 \smult s_0 - \vv_0 \plus \vv_1 \smult s\suband
|
\item $\lconstraint{s_0} \big(\!- \vv_0 \smult s\suband \plus \vv_0 \smult s_2 \plus \vv_0 \smult s_1 - \vv_0 \plus \vv_2 \smult s\suband
|
||||||
- \vv_1 \smult s_0 \plus \vv_2 \smult s\suband - \vv_2 \smult s_1 - \vv_3 \smult s\suband \\
|
- \vv_2 \smult s_1 \plus \vv_4 \smult s\suband - \vv_4 \smult s_2 - \vv_6 \smult s\suband \\
|
||||||
\mhspace{3.51em} \plus \vv_4 \smult s\suband - \vv_4 \smult s_1 - \vv_4 \smult s_0 \plus \vv_4 - \vv_5 \smult s\suband
|
\mhspace{3.51em} \plus \vv_1 \smult s\suband - \vv_1 \smult s_2 - \vv_1 \smult s_1 \plus \vv_1 - \vv_3 \smult s\suband
|
||||||
\plus \vv_5 \smult s_0 - \vv_6 \smult s\suband \plus \vv_6 \smult s_1 \plus \vv_7 \smult s\suband\big) = \\
|
\plus \vv_3 \smult s_1 - \vv_5 \smult s\suband \plus \vv_5 \smult s_2 \plus \vv_7 \smult s\suband\big) = \\
|
||||||
\mhspace{1.90em} \lincomb{\vv_s - \vv_0 \smult s\suband \plus \vv_0 \smult s_1 \plus \vv_0 \smult s_0 - \vv_0 \plus \vv_1 \smult s\suband
|
\mhspace{1.90em} \lincomb{\vv_s - \vv_0 \smult s\suband \plus \vv_0 \smult s_2 \plus \vv_0 \smult s_1 - \vv_0 \plus \vv_2 \smult s\suband
|
||||||
- \vv_1 \smult s_0 \plus \vv_2 \smult s\suband - \vv_2 \smult s_1 - \vv_3 \smult s\suband}$
|
- \vv_2 \smult s_1 \plus \vv_4 \smult s\suband - \vv_4 \smult s_2 - \vv_6 \smult s\suband}$
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
This costs $3$ constraints for each of $84$ window lookups, plus $6$ constraints for
|
For a full-length ($252$-bit) scalar this costs $3$ constraints for each of $84$ window lookups,
|
||||||
each of $83$ Edwards additions (as in \crossref{cctedarithmetic}), for a total of
|
plus $6$ constraints for each of $83$ Edwards additions (as in \crossref{cctedarithmetic}), for
|
||||||
$750$ constraints.
|
a total of $750$ constraints.
|
||||||
|
|
||||||
\nnote{
|
Fixed-base scalar multiplication is also used in two places with shorter scalars:
|
||||||
It would be more efficient to use arithmetic on the Montgomery curve, as in
|
\begin{itemize}
|
||||||
\crossref{cctpedersenhash}. However since there are only three instances of
|
\item \crossref{ccthomomorphiccommit} uses a $64$-bit scalar for the
|
||||||
fixed-base scalar multiplication in the \spendCircuit and two in the
|
$\Value$ input to $\ValueCommit{}$, requiring
|
||||||
\outputCircuit\footnote{A Pedersen commitment uses fixed-base scalar multiplication as a subcomponent.},
|
$22$ windows at a cost of $3 \smult 22 - 1 + 6 \smult 21 = 191$ constraints;
|
||||||
the additional complexity was not considered justified for \Sapling.
|
\item \crossref{cctmixinghash} uses a $32$-bit scalar for the
|
||||||
} %nnote
|
$\NotePosition$ input to $\MixingPedersenHash$, requiring
|
||||||
|
$11$ windows at a cost of $3 \smult 11 - 1 + 6 \smult 10 = 92$ constraints.
|
||||||
|
\end{itemize}
|
||||||
|
|
||||||
|
\vspace{-1ex}
|
||||||
|
None of these costs include the cost of boolean-constraining the scalar.
|
||||||
|
|
||||||
|
\vspace{-2ex}
|
||||||
|
\begin{nnotes}
|
||||||
|
\vspace{-0.5ex}
|
||||||
|
\item It would be more efficient to use arithmetic on the Montgomery curve, as in
|
||||||
|
\crossref{cctpedersenhash}. However since there are only three instances of
|
||||||
|
fixed-base scalar multiplication in the \spendCircuit and two in the
|
||||||
|
\outputCircuit\footnote{A Pedersen commitment uses fixed-base scalar multiplication as a subcomponent.},
|
||||||
|
the additional complexity was not considered justified for \Sapling.
|
||||||
|
\item For the multiplications with $64$-bit and $32$-bit scalars, the scalar is
|
||||||
|
padded to a multiple of $3$ bits with zeros. This causes the computation
|
||||||
|
of $s\suband$ in the lookup for the most significant window to be optimized out,
|
||||||
|
which is where the ``$-\;1$'' comes from in the above cost calculations.
|
||||||
|
No further optimization is done for this lookup.
|
||||||
|
\end{nnotes}
|
||||||
|
\vspace{-5ex}
|
||||||
|
|
||||||
|
|
||||||
\introsection
|
\introsection
|
||||||
|
|
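Review bot: The rewritten lookup constraints in the second hunk (from the `\constraint{s_1}{s_2}{s\suband}` line to the end of the `formulae` block) are a polynomial identity that selects $u_s$ and $\varv_s$ correctly only when $s_0$, $s_1$ and $s_2$ each lie in $\{0,1\}$, yet the new text mentions booleanity only indirectly in the cost remark `None of these costs include the cost of boolean-constraining the scalar.` Consider stating the dependency next to the constraints themselves, e.g. `These constraints assume that $s_0$, $s_1$, and $s_2$ have already been boolean-constrained; the lookup is not sound otherwise.` (or a cross-reference, if the enclosing section, which starts outside this hunk, already says so). Similarly, the new note attributes the ``$-\;1$'' to $s\suband$ being optimized out for the most significant window because the padding bits are zero; this is only sound if the padding bits are fixed constants in the circuit rather than witness variables, which the text could say explicitly since sapling-crypto's behaviour cannot be confirmed from this page. As a point of LaTeX style, the added `\vspace{-1ex}`, `\vspace{-2ex}`, `\vspace{-0.5ex}` and `\vspace{-5ex}` are manual layout corrections in the body; if the spacing around `nnotes` and `itemize` is consistently too large here, adjusting the environment spacing once in the preamble is preferable to per-use negative skips. The changelog entry in the first hunk records only the lookup-description change, while the hunk also adds the cost analysis for the $64$-bit and $32$-bit scalars and the padding note, which could be listed there as well.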