Modify the description of fixed-base scalar multiplication to match sapling-crypto.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
2f868aca8d
commit
0835c3837e
|
@ -9779,6 +9779,16 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\intropart
|
||||
\section{Change History}
|
||||
|
||||
\subparagraph{2018.0-beta-33}
|
||||
\begin{itemize}
|
||||
\item No changes to \Sprout.
|
||||
\sapling{
|
||||
\item Modify the description of $3$-bit window lookup in \crossref{cctfixedscalarmult}
|
||||
to match sapling-crypto.
|
||||
} %sapling
|
||||
\end{itemize}
|
||||
|
||||
\introlist
|
||||
\subparagraph{2018.0-beta-32}
|
||||
2018-10-24
|
||||
|
||||
|
@ -11499,32 +11509,53 @@ To look up a given window entry $w_{(B,\,i,\,s)} = (u_s, \varv_s)$, where
|
|||
$s = 4 \smult s_2 + 2 \smult s_1 + s_0$, we use:
|
||||
|
||||
\begin{formulae}
|
||||
\item $\constraint{s_1}{s_0}{s\suband}$
|
||||
\item $\lconstraint{s_2} \big(\!- u_0 \smult s\suband \plus u_0 \smult s_1 \plus u_0 \smult s_0 - u_0 \plus u_1 \smult s\suband
|
||||
- u_1 \smult s_0 \plus u_2 \smult s\suband - u_2 \smult s_1 - u_3 \smult s\suband \\
|
||||
\mhspace{3.52em} \plus u_4 \smult s\suband - u_4 \smult s_1 - u_4 \smult s_0 \plus u_4 - u_5 \smult s\suband
|
||||
\plus u_5 \smult s_0 - u_6 \smult s\suband \plus u_6 \smult s_1 \plus u_7 \smult s\suband\big) = \\
|
||||
\mhspace{1.92em} \lincomb{u_s - u_0 \smult s\suband \plus u_0 \smult s_1 \plus u_0 \smult s_0 - u_0 \plus u_1 \smult s\suband
|
||||
- u_1 \smult s_0 \plus u_2 \smult s\suband - u_2 \smult s_1 - u_3 \smult s\suband}$
|
||||
\item $\lconstraint{s_2} \big(\!- \vv_0 \smult s\suband \plus \vv_0 \smult s_1 \plus \vv_0 \smult s_0 - \vv_0 \plus \vv_1 \smult s\suband
|
||||
- \vv_1 \smult s_0 \plus \vv_2 \smult s\suband - \vv_2 \smult s_1 - \vv_3 \smult s\suband \\
|
||||
\mhspace{3.51em} \plus \vv_4 \smult s\suband - \vv_4 \smult s_1 - \vv_4 \smult s_0 \plus \vv_4 - \vv_5 \smult s\suband
|
||||
\plus \vv_5 \smult s_0 - \vv_6 \smult s\suband \plus \vv_6 \smult s_1 \plus \vv_7 \smult s\suband\big) = \\
|
||||
\mhspace{1.90em} \lincomb{\vv_s - \vv_0 \smult s\suband \plus \vv_0 \smult s_1 \plus \vv_0 \smult s_0 - \vv_0 \plus \vv_1 \smult s\suband
|
||||
- \vv_1 \smult s_0 \plus \vv_2 \smult s\suband - \vv_2 \smult s_1 - \vv_3 \smult s\suband}$
|
||||
\item $\constraint{s_1}{s_2}{s\suband}$
|
||||
\item $\lconstraint{s_0} \big(\!- u_0 \smult s\suband \plus u_0 \smult s_2 \plus u_0 \smult s_1 - u_0 \plus u_2 \smult s\suband
|
||||
- u_2 \smult s_1 \plus u_4 \smult s\suband - u_4 \smult s_2 - u_6 \smult s\suband \\
|
||||
\mhspace{3.52em} \plus u_1 \smult s\suband - u_1 \smult s_2 - u_1 \smult s_1 \plus u_1 - u_3 \smult s\suband
|
||||
\plus u_3 \smult s_1 - u_5 \smult s\suband \plus u_5 \smult s_2 \plus u_7 \smult s\suband\big) = \\
|
||||
\mhspace{1.92em} \lincomb{u_s - u_0 \smult s\suband \plus u_0 \smult s_2 \plus u_0 \smult s_1 - u_0 \plus u_2 \smult s\suband
|
||||
- u_2 \smult s_1 \plus u_4 \smult s\suband - u_4 \smult s_2 - u_6 \smult s\suband}$
|
||||
\item $\lconstraint{s_0} \big(\!- \vv_0 \smult s\suband \plus \vv_0 \smult s_2 \plus \vv_0 \smult s_1 - \vv_0 \plus \vv_2 \smult s\suband
|
||||
- \vv_2 \smult s_1 \plus \vv_4 \smult s\suband - \vv_4 \smult s_2 - \vv_6 \smult s\suband \\
|
||||
\mhspace{3.51em} \plus \vv_1 \smult s\suband - \vv_1 \smult s_2 - \vv_1 \smult s_1 \plus \vv_1 - \vv_3 \smult s\suband
|
||||
\plus \vv_3 \smult s_1 - \vv_5 \smult s\suband \plus \vv_5 \smult s_2 \plus \vv_7 \smult s\suband\big) = \\
|
||||
\mhspace{1.90em} \lincomb{\vv_s - \vv_0 \smult s\suband \plus \vv_0 \smult s_2 \plus \vv_0 \smult s_1 - \vv_0 \plus \vv_2 \smult s\suband
|
||||
- \vv_2 \smult s_1 \plus \vv_4 \smult s\suband - \vv_4 \smult s_2 - \vv_6 \smult s\suband}$
|
||||
\end{formulae}
|
||||
|
||||
This costs $3$ constraints for each of $84$ window lookups, plus $6$ constraints for
|
||||
each of $83$ Edwards additions (as in \crossref{cctedarithmetic}), for a total of
|
||||
$750$ constraints.
|
||||
For a full-length ($252$-bit) scalar this costs $3$ constraints for each of $84$ window lookups,
|
||||
plus $6$ constraints for each of $83$ Edwards additions (as in \crossref{cctedarithmetic}), for
|
||||
a total of $750$ constraints.
|
||||
|
||||
\nnote{
|
||||
It would be more efficient to use arithmetic on the Montgomery curve, as in
|
||||
Fixed-base scalar multiplication is also used in two places with shorter scalars:
|
||||
\begin{itemize}
|
||||
\item \crossref{ccthomomorphiccommit} uses a $64$-bit scalar for the
|
||||
$\Value$ input to $\ValueCommit{}$, requiring
|
||||
$22$ windows at a cost of $3 \smult 22 - 1 + 6 \smult 21 = 191$ constraints;
|
||||
\item \crossref{cctmixinghash} uses a $32$-bit scalar for the
|
||||
$\NotePosition$ input to $\MixingPedersenHash$, requiring
|
||||
$11$ windows at a cost of $3 \smult 11 - 1 + 6 \smult 10 = 92$ constraints.
|
||||
\end{itemize}
|
||||
|
||||
\vspace{-1ex}
|
||||
None of these costs include the cost of boolean-constraining the scalar.
|
||||
|
||||
\vspace{-2ex}
|
||||
\begin{nnotes}
|
||||
\vspace{-0.5ex}
|
||||
\item It would be more efficient to use arithmetic on the Montgomery curve, as in
|
||||
\crossref{cctpedersenhash}. However since there are only three instances of
|
||||
fixed-base scalar multiplication in the \spendCircuit and two in the
|
||||
\outputCircuit\footnote{A Pedersen commitment uses fixed-base scalar multiplication as a subcomponent.},
|
||||
the additional complexity was not considered justified for \Sapling.
|
||||
} %nnote
|
||||
\item For the multiplications with $64$-bit and $32$-bit scalars, the scalar is
|
||||
padded to a multiple of $3$ bits with zeros. This causes the computation
|
||||
of $s\suband$ in the lookup for the most significant window to be optimized out,
|
||||
which is where the ``$-\;1$'' comes from in the above cost calculations.
|
||||
No further optimization is done for this lookup.
|
||||
\end{nnotes}
|
||||
\vspace{-5ex}
|
||||
|
||||
|
||||
\introsection
|
||||
|
|
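Review bot: The ``$-\;1$'' explanation in the second `nnotes` item (the $s\suband$ computation for the most significant window being optimized out) holds only because $s\suband$ is now $s_1 \smult s_2$ and $s_2$ is a zero padding bit in both the $64$-bit case ($66$ padded bits, $22$ windows) and the $32$-bit case ($33$ padded bits, $11$ windows); with the $s_1 \smult s_0$ form that also appears in this hunk, the last window of a $32$-bit scalar keeps $s_0$ and $s_1$ live and no constraint would be saved. Assuming the `\constraint{s_1}{s_2}{s\suband}` block is the new side, the note should record this dependency so the $-1$ is not silently carried over if the lookup is reformulated again, e.g. append `(This relies on $s\suband = s_1 \smult s_2$: the padding bits are the most significant, so $s_2 = 0$ in the last window and $s\suband$ is constant.)` after `No further optimization is done for this lookup.` The several negative `\vspace` adjustments around the new notes are manual layout tuning that will need revisiting whenever the surrounding text changes.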