From 0e65f7fc9c00ad986bf041cdc16de932a13d091f Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Sun, 30 Oct 2016 02:03:51 +0000 Subject: [PATCH] Clarify the discussion of proof size. Signed-off-by: Daira Hopwood --- protocol/protocol.tex | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 40a3804c..5c25ea09 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -3636,9 +3636,13 @@ distinct openings of the \noteCommitment when Condition I or II is violated. \Zcash \joinSplitStatement. $\cm$ can be computed from the other fields. \item The length of proof encodings given in the paper is 288 bytes. This differs from the 296 bytes specified in \crossref{proofencoding}, - because the paper did not take into account the need to encode compressed - $y$-coordinates. The fork of \libsnark used by \Zcash uses a different - format to upstream \libsnark, in order to follow \cite{IEEE2004}. + because both the $x$-coordinate and compressed $y$-coordinate of each + point need to be represented. Although it is possible to encode a proof + in 288 bytes by making use of the fact that elements of $\GF{q}$ can + be represented in 254 bits, we prefer to use the standard formats for points + defined in \cite{IEEE2004}. The fork of \libsnark used by \Zcash uses + this standard encoding rather than the less efficient (uncompressed) one + used by upstream \libsnark. \item The range of monetary values differs. In \Zcash, this range is $\range{0}{\MAXMONEY}$; in \Zerocash it is $\range{0}{2^{64}-1}$. (The \joinSplitStatement still only directly enforces that the sum @@ -3675,6 +3679,12 @@ The errors in the proof of Ledger Indistinguishability mentioned in \nsection{Change history} +\subparagraph{2016.0-beta-1.10} + +\begin{itemize} + \item Clarify the discussion of proof size in ``Differences from the \Zerocash paper''. +\end{itemize} + \subparagraph{2016.0-beta-1.9} \begin{itemize}
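Review bot: In the first hunk (protocol.tex, the item starting at line 3636), the rewritten text gives both 288 and 296 bytes but never accounts for the 8-byte difference. The clause "both the $x$-coordinate and compressed $y$-coordinate of each point need to be represented" says neither how many points a proof contains nor how much space each compressed $y$-coordinate takes, so a reader cannot check the figure without turning to \crossref{proofencoding}. Suggest adding one clause that states the point count and the per-point overhead. In the last added sentence, "the less efficient (uncompressed) one used by upstream \libsnark" leaves it open whether efficiency means size or speed; "less compact" would match the size argument this item is making.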
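Review bot: In the change-history hunk (around line 3675), the new 2016.0-beta-1.10 entry refers to the section by its quoted title, ``Differences from the \Zerocash paper'', which will go stale without any build warning if that heading is ever renamed. The first hunk already uses \crossref{proofencoding} for the same kind of pointer; using \crossref with that section's label here would keep the entry linked and consistent with the rest of the document.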