Terminology and notation changes.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2018-02-07 11:05:39 +00:00
parent d4cf9d501e
commit 137121cf30
1 changed files with 49 additions and 33 deletions


@ -384,8 +384,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\primaryInputs}{\term{primary inputs}} \newcommand{\primaryInputs}{\term{primary inputs}}
\newcommand{\auxiliaryInput}{\term{auxiliary input}} \newcommand{\auxiliaryInput}{\term{auxiliary input}}
\newcommand{\auxiliaryInputs}{\term{auxiliary inputs}} \newcommand{\auxiliaryInputs}{\term{auxiliary inputs}}
\newcommand{\fullnode}{\term{full node}} \newcommand{\fullValidator}{\term{full validator}}
\newcommand{\fullnodes}{\term{full nodes}} \newcommand{\fullValidators}{\term{full validators}}
\newcommand{\anchor}{\term{anchor}} \newcommand{\anchor}{\term{anchor}}
\newcommand{\anchors}{\term{anchors}} \newcommand{\anchors}{\term{anchors}}
\newcommand{\block}{\term{block}} \newcommand{\block}{\term{block}}
@ -448,9 +448,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\outputUniqueValues}{\term{$\OutputUnique$-values}} \newcommand{\outputUniqueValues}{\term{$\OutputUnique$-values}}
\newcommand{\outputUniquenessSet}{\term{$\OutputUnique$-uniqueness set}} \newcommand{\outputUniquenessSet}{\term{$\OutputUnique$-uniqueness set}}
\newcommand{\OutputUniquenessSet}{\titleterm{\titlemu-Uniqueness Set}} \newcommand{\OutputUniquenessSet}{\titleterm{\titlemu-Uniqueness Set}}
% Daira: This doesn't adequately distinguish between zk stuff and transparent stuff \newcommand{\paymentAddress}{\term{shielded payment address}}
\newcommand{\paymentAddress}{\term{payment address}} \newcommand{\paymentAddresses}{\term{shielded payment addresses}}
\newcommand{\paymentAddresses}{\term{payment addresses}} \newcommand{\PaymentAddresses}{\titleterm{Shielded Payment Addresses}}
\newcommand{\diversifiedPaymentAddress}{\term{diversified payment address}} \newcommand{\diversifiedPaymentAddress}{\term{diversified payment address}}
\newcommand{\diversifiedPaymentAddresses}{\term{diversified payment addresses}} \newcommand{\diversifiedPaymentAddresses}{\term{diversified payment addresses}}
\newcommand{\diversifier}{\term{diversifier}} \newcommand{\diversifier}{\term{diversifier}}
@ -471,8 +471,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\transmissionKeys}{\term{transmission keys}} \newcommand{\transmissionKeys}{\term{transmission keys}}
\newcommand{\diversifiedTransmissionKey}{\term{diversified transmission key}} \newcommand{\diversifiedTransmissionKey}{\term{diversified transmission key}}
\newcommand{\diversifiedTransmissionKeys}{\term{diversified transmission keys}} \newcommand{\diversifiedTransmissionKeys}{\term{diversified transmission keys}}
\newcommand{\authSigningKey}{\term{spend authorization key}} \newcommand{\authSigningKey}{\term{spend authorizing key}}
\newcommand{\authSigningKeys}{\term{spend authorization keys}} \newcommand{\authSigningKeys}{\term{spend authorizing keys}}
\newcommand{\delegatedProvingKey}{\term{delegated proving key}} \newcommand{\delegatedProvingKey}{\term{delegated proving key}}
\newcommand{\delegatedProvingKeys}{\term{delegated proving keys}} \newcommand{\delegatedProvingKeys}{\term{delegated proving keys}}
\newcommand{\humanReadablePart}{\term{Human-Readable Part}} \newcommand{\humanReadablePart}{\term{Human-Readable Part}}
@ -558,7 +558,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\length}{\mathsf{length}} \newcommand{\length}{\mathsf{length}}
\newcommand{\mean}{\mathsf{mean}} \newcommand{\mean}{\mathsf{mean}}
\newcommand{\median}{\mathsf{median}} \newcommand{\median}{\mathsf{median}}
\newcommand{\clamp}[2]{\mathsf{clamp\,}_{#1}^{#2}} \newcommand{\bound}[2]{\mathsf{bound\,}_{#1}^{#2}}
\newcommand{\Lower}{\mathsf{lower}} \newcommand{\Lower}{\mathsf{lower}}
\newcommand{\Upper}{\mathsf{upper}} \newcommand{\Upper}{\mathsf{upper}}
\newcommand{\bitlength}{\mathsf{bitlength}} \newcommand{\bitlength}{\mathsf{bitlength}}
@ -805,7 +805,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\NoteTuple}[1]{\mathbf{n}_{#1}} \newcommand{\NoteTuple}[1]{\mathbf{n}_{#1}}
\newcommand{\NoteType}{\mathsf{Note}} \newcommand{\NoteType}{\mathsf{Note}}
\newcommand{\NotePlaintext}[1]{\mathbf{np}_{#1}} \newcommand{\NotePlaintext}[1]{\mathbf{np}_{#1}}
\newcommand{\NoteCommitRand}{\mathsf{r}} \newcommand{\NoteCommitRand}{\mathsf{\sprout{r}\notsprout{rcm}}}
\newcommand{\NoteCommitRandLength}{\mathsf{\ell_{\NoteCommitRand}}} \newcommand{\NoteCommitRandLength}{\mathsf{\ell_{\NoteCommitRand}}}
\newcommand{\NoteCommitRandOld}[1]{\NoteCommitRand^\mathsf{old}_{#1}} \newcommand{\NoteCommitRandOld}[1]{\NoteCommitRand^\mathsf{old}_{#1}}
\newcommand{\NoteCommitRandNew}[1]{\NoteCommitRand^\mathsf{new}_{#1}} \newcommand{\NoteCommitRandNew}[1]{\NoteCommitRand^\mathsf{new}_{#1}}
@ -871,7 +871,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\MaxActualTimespan}{\mathsf{MaxActualTimespan}} \newcommand{\MaxActualTimespan}{\mathsf{MaxActualTimespan}}
\newcommand{\ActualTimespan}{\mathsf{ActualTimespan}} \newcommand{\ActualTimespan}{\mathsf{ActualTimespan}}
\newcommand{\ActualTimespanDamped}{\mathsf{ActualTimespanDamped}} \newcommand{\ActualTimespanDamped}{\mathsf{ActualTimespanDamped}}
\newcommand{\ActualTimespanClamped}{\mathsf{ActualTimespanClamped}} \newcommand{\ActualTimespanBounded}{\mathsf{ActualTimespanBounded}}
\newcommand{\Threshold}{\mathsf{Threshold}} \newcommand{\Threshold}{\mathsf{Threshold}}
\newcommand{\ThresholdBits}{\mathsf{ThresholdBits}} \newcommand{\ThresholdBits}{\mathsf{ThresholdBits}}
@ -934,7 +934,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\dataToBeSigned}{\mathsf{dataToBeSigned}} \newcommand{\dataToBeSigned}{\mathsf{dataToBeSigned}}
% Merkle tree % Merkle tree
\newcommand{\MerkleDepth}{\mathsf{d_{Merkle}}}
\newcommand{\MerkleDepth}{\mathsf{MerkleDepth}}
\newcommand{\MerkleNode}[2]{\mathsf{M}^{#1}_{#2}} \newcommand{\MerkleNode}[2]{\mathsf{M}^{#1}_{#2}}
\newcommand{\MerkleSibling}{\mathsf{sibling}} \newcommand{\MerkleSibling}{\mathsf{sibling}}
\newcommand{\MerkleCRH}{\mathsf{MerkleCRH}} \newcommand{\MerkleCRH}{\mathsf{MerkleCRH}}
@ -1062,7 +1063,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ParamPexp}[2]{{{#1}_\mathbb{P}\!}^{#2}} \newcommand{\ParamPexp}[2]{{{#1}_\mathbb{P}\!}^{#2}}
\newcommand{\GroupP}[1]{\mathbb{P}_{#1}} \newcommand{\GroupP}[1]{\mathbb{P}_{#1}}
\newcommand{\GroupPstar}[1]{\mathbb{P}^\ast_{#1}} \newcommand{\GroupPstar}[1]{\mathbb{P}^\ast_{#1}}
\newcommand{\GroupPHash}[1]{\mathsf{GH}^\mathbb{P}_{#1}} \newcommand{\GroupPHash}[1]{\mathsf{GroupHash}^\GroupP{#1}}
\newcommand{\CurveP}[1]{\Curve_{\GroupP{#1}}} \newcommand{\CurveP}[1]{\Curve_{\GroupP{#1}}}
\newcommand{\ZeroP}[1]{\Zero_{\GroupP{#1}}} \newcommand{\ZeroP}[1]{\Zero_{\GroupP{#1}}}
\newcommand{\GenP}[1]{\Generator_{\GroupP{#1}}} \newcommand{\GenP}[1]{\Generator_{\GroupP{#1}}}
@ -1076,7 +1077,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ParamGexp}[2]{{{#1}_\mathbb{G}\!}^{#2}} \newcommand{\ParamGexp}[2]{{{#1}_\mathbb{G}\!}^{#2}}
\newcommand{\GroupG}[1]{\mathbb{G}_{#1}} \newcommand{\GroupG}[1]{\mathbb{G}_{#1}}
\newcommand{\GroupGstar}[1]{\mathbb{G}^\ast_{#1}} \newcommand{\GroupGstar}[1]{\mathbb{G}^\ast_{#1}}
\newcommand{\GroupGHash}[1]{\mathsf{GH}^\mathbb{G}_{#1}} \newcommand{\GroupGHash}[1]{\mathsf{GroupHash}^\GroupG{#1}}
\newcommand{\CurveG}[1]{\Curve_{\GroupG{#1}}} \newcommand{\CurveG}[1]{\Curve_{\GroupG{#1}}}
\newcommand{\ZeroG}[1]{\Zero_{\GroupG{#1}}} \newcommand{\ZeroG}[1]{\Zero_{\GroupG{#1}}}
\newcommand{\GenG}[1]{\Generator_{\GroupG{#1}}} \newcommand{\GenG}[1]{\Generator_{\GroupG{#1}}}
@ -1090,7 +1091,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ParamSexp}[2]{{{#1}_\mathbb{\hskip 0.03em S}\!}^{#2}} \newcommand{\ParamSexp}[2]{{{#1}_\mathbb{\hskip 0.03em S}\!}^{#2}}
\newcommand{\GroupS}[1]{\mathbb{S}_{#1}} \newcommand{\GroupS}[1]{\mathbb{S}_{#1}}
\newcommand{\GroupSstar}[1]{\mathbb{S}^\ast_{#1}} \newcommand{\GroupSstar}[1]{\mathbb{S}^\ast_{#1}}
\newcommand{\GroupSHash}[1]{\mathsf{GH}^\mathbb{S}_{#1}} \newcommand{\GroupSHash}[1]{\mathsf{GroupHash}^\mathbb{S}_{#1}}
\newcommand{\CurveS}[1]{\Curve_{\GroupS{#1}}} \newcommand{\CurveS}[1]{\Curve_{\GroupS{#1}}}
\newcommand{\ZeroS}[1]{\Zero_{\GroupS{#1}}} \newcommand{\ZeroS}[1]{\Zero_{\GroupS{#1}}}
\newcommand{\GenS}[1]{\Generator_{\GroupS{#1}}} \newcommand{\GenS}[1]{\Generator_{\GroupS{#1}}}
@ -1103,7 +1104,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ParamJ}[1]{{{#1}_\mathbb{\hskip 0.01em J}}} \newcommand{\ParamJ}[1]{{{#1}_\mathbb{\hskip 0.01em J}}}
\newcommand{\ParamJexp}[2]{{{#1}_\mathbb{\hskip 0.01em J}\!}^{#2}} \newcommand{\ParamJexp}[2]{{{#1}_\mathbb{\hskip 0.01em J}\!}^{#2}}
\newcommand{\GroupJ}{\mathbb{J}} \newcommand{\GroupJ}{\mathbb{J}}
\newcommand{\GroupJHash}{\mathsf{GH}^\mathbb{J}} \newcommand{\GroupJHash}[1]{\mathsf{GroupHash}^\mathbb{J}_{#1}}
\newcommand{\CurveJ}{\Curve_{\GroupJ}} \newcommand{\CurveJ}{\Curve_{\GroupJ}}
\newcommand{\ZeroJ}{\Zero_{\GroupJ}} \newcommand{\ZeroJ}{\Zero_{\GroupJ}}
\newcommand{\GenJ}{\Generator_{\GroupJ}} \newcommand{\GenJ}{\Generator_{\GroupJ}}
@ -1661,7 +1662,7 @@ $\Memo$ represents a \memo associated with this \note. The usage of the
\nsubsection{The Block Chain} \label{blockchain} \nsubsection{The Block Chain} \label{blockchain}
At a given point in time, each \fullnode is aware of a set of candidate At a given point in time, each \fullValidator is aware of a set of candidate
\blocks. These form a tree rooted at the \genesisBlock, where each node \blocks. These form a tree rooted at the \genesisBlock, where each node
in the tree refers to its parent via the $\hashPrevBlock$ \blockHeader field in the tree refers to its parent via the $\hashPrevBlock$ \blockHeader field
(see \crossref{blockheader}). (see \crossref{blockheader}).
@ -1812,7 +1813,7 @@ is denoted $\MerkleNode{h}{i}$.
\nsubsection{\NullifierSets} \label{nullifierset} \nsubsection{\NullifierSets} \label{nullifierset}
Each \fullnode maintains a \nullifierSet logically associated with each \treestate. Each \fullValidator maintains a \nullifierSet logically associated with each \treestate.
As valid \transactions containing \joinSplitTransfers are processed, the \nullifiers As valid \transactions containing \joinSplitTransfers are processed, the \nullifiers
revealed in \joinSplitDescriptions are inserted into this \nullifierSet. revealed in \joinSplitDescriptions are inserted into this \nullifierSet.
@ -4463,7 +4464,7 @@ be the constant defined in \crossref{constants}.
\item \todo{Other rules inherited from \Bitcoin.} \item \todo{Other rules inherited from \Bitcoin.}
\end{consensusrules} \end{consensusrules}
In addition, a \fullnode{} \MUSTNOT accept \blocks with $\nTimeField$ more than two hours In addition, a \fullValidator{} \MUSTNOT accept \blocks with $\nTimeField$ more than two hours
in the future according to its clock. This is not strictly a consensus rule because it is in the future according to its clock. This is not strictly a consensus rule because it is
nondeterministic, and clock time varies between nodes. Also note that a \block that is nondeterministic, and clock time varies between nodes. Also note that a \block that is
rejected by this rule at a given point in time may later be accepted. rejected by this rule at a given point in time may later be accepted.
@ -4691,7 +4692,7 @@ Define:
\hfuzz=10pt \hfuzz=10pt
\item $\mean(S) := \left( \vsum{i=1}{\length(S)} S_i \right) \raisebox{-0.4ex}{\scalebox{1.4}{/\,}} \length(S)$. \item $\mean(S) := \left( \vsum{i=1}{\length(S)} S_i \right) \raisebox{-0.4ex}{\scalebox{1.4}{/\,}} \length(S)$.
\item $\median(S) := \sorted(S)_{\ceiling{\length(S) / 2}}$ \item $\median(S) := \sorted(S)_{\ceiling{\length(S) / 2}}$
\item $\clamp{\Lower}{\Upper}(x) := \maximum(\Lower, \minimum(\Upper, x)))$ \item $\bound{\Lower}{\Upper}(x) := \maximum(\Lower, \minimum(\Upper, x)))$
\item $\trunc{x} := \begin{cases} \item $\trunc{x} := \begin{cases}
\floor{x},&\caseif x \geq 0 \\ \floor{x},&\caseif x \geq 0 \\
-\floor{-x},&\caseotherwise -\floor{-x},&\caseotherwise
@ -4704,7 +4705,7 @@ Define:
\maximum(0, \BlockHeight - \PoWMedianBlockSpan) \upto \BlockHeight - 1})$ \maximum(0, \BlockHeight - \PoWMedianBlockSpan) \upto \BlockHeight - 1})$
\item $\ActualTimespan(\BlockHeight) := \MedianTime(\BlockHeight) - \MedianTime(\BlockHeight - \PoWAveragingWindow)$ \item $\ActualTimespan(\BlockHeight) := \MedianTime(\BlockHeight) - \MedianTime(\BlockHeight - \PoWAveragingWindow)$
\item $\ActualTimespanDamped(\BlockHeight) := \AveragingWindowTimespan + \trunc{\scalebox{0.98}{\hfrac{\ActualTimespan(\BlockHeight) - \AveragingWindowTimespan}{\PoWDampingFactor}}}$ \item $\ActualTimespanDamped(\BlockHeight) := \AveragingWindowTimespan + \trunc{\scalebox{0.98}{\hfrac{\ActualTimespan(\BlockHeight) - \AveragingWindowTimespan}{\PoWDampingFactor}}}$
\item $\ActualTimespanClamped(\BlockHeight) := \clamp{\MinActualTimespan}{\MaxActualTimespan}(\ActualTimespanDamped(\BlockHeight))$ \item $\ActualTimespanBounded(\BlockHeight) := \bound{\MinActualTimespan}{\MaxActualTimespan}(\ActualTimespanDamped(\BlockHeight))$
\item $\MeanTarget(\BlockHeight) := \begin{cases} \item $\MeanTarget(\BlockHeight) := \begin{cases}
\PoWLimit, \hspace{16em}\text{if } \BlockHeight \leq \PoWAveragingWindow \\ \PoWLimit, \hspace{16em}\text{if } \BlockHeight \leq \PoWAveragingWindow \\
\mean(\listcomp{\ToTarget(\nBits(i)) \for i \from \BlockHeight - \PoWAveragingWindow \upto \BlockHeight - 1}),\\ \mean(\listcomp{\ToTarget(\nBits(i)) \for i \from \BlockHeight - \PoWAveragingWindow \upto \BlockHeight - 1}),\\
@ -4720,7 +4721,7 @@ The \targetThreshold for a given \blockHeight $\BlockHeight$ is then calculated
\item $\Threshold(\BlockHeight) \hspace{0.43em} := \hspace{0.43em} \begin{cases} \item $\Threshold(\BlockHeight) \hspace{0.43em} := \hspace{0.43em} \begin{cases}
\PoWLimit, \hspace{16em}\text{if } \BlockHeight = 0 \\ \PoWLimit, \hspace{16em}\text{if } \BlockHeight = 0 \\
\minimum(\PoWLimit, \floor{\hfrac{\MeanTarget(\BlockHeight)}{\AveragingWindowTimespan}} \minimum(\PoWLimit, \floor{\hfrac{\MeanTarget(\BlockHeight)}{\AveragingWindowTimespan}}
\mult \ActualTimespanClamped(\BlockHeight)),\\ \mult \ActualTimespanBounded(\BlockHeight)),\\
\hspace{20.7em}\text{otherwise} \hspace{20.7em}\text{otherwise}
\end{cases}$ \end{cases}$
\item $\ThresholdBits(\BlockHeight) := \ToCompact(\Threshold(\BlockHeight))$. \item $\ThresholdBits(\BlockHeight) := \ToCompact(\Threshold(\BlockHeight))$.
@ -4728,7 +4729,7 @@ The \targetThreshold for a given \blockHeight $\BlockHeight$ is then calculated
\pnote{ \pnote{
The convention used for the height parameters to $\MedianTime$, $\ActualTimespan$, The convention used for the height parameters to $\MedianTime$, $\ActualTimespan$,
$\ActualTimespanDamped$, $\ActualTimespanClamped$, $\MeanTarget$, $\Threshold$, and $\ActualTimespanDamped$, $\ActualTimespanBounded$, $\MeanTarget$, $\Threshold$, and
$\ThresholdBits$ is that these functions use only information from \blocks \emph{preceding} $\ThresholdBits$ is that these functions use only information from \blocks \emph{preceding}
the given \blockHeight. the given \blockHeight.
} }
@ -4777,9 +4778,9 @@ $\MaxBlockSubsidy$, and $\FoundersFraction$ are instantiated in \crossref{consta
\item $\SlowStartRate \typecolon \Nat := \hfrac{\MaxBlockSubsidy}{\SlowStartInterval}$ \item $\SlowStartRate \typecolon \Nat := \hfrac{\MaxBlockSubsidy}{\SlowStartInterval}$
\item $\Halving(\BlockHeight) := \floor{\hfrac{\BlockHeight - \SlowStartShift}{\HalvingInterval}}$ \item $\Halving(\BlockHeight) := \floor{\hfrac{\BlockHeight - \SlowStartShift}{\HalvingInterval}}$
\item $\BlockSubsidy(\BlockHeight) := \begin{cases} \item $\BlockSubsidy(\BlockHeight) := \begin{cases}
\SlowStartRate \mult \BlockHeight,&\!\!\text{if } \BlockHeight < \hfrac{\SlowStartInterval}{2} \\[1.4ex] \SlowStartRate \mult \BlockHeight,&\caseif \BlockHeight < \hfrac{\SlowStartInterval}{2} \\[1.4ex]
\SlowStartRate \mult (\BlockHeight + 1),&\!\!\text{if } \hfrac{\SlowStartInterval}{2} \leq \BlockHeight < \SlowStartInterval \\[1.4ex] \SlowStartRate \mult (\BlockHeight + 1),&\caseif \hfrac{\SlowStartInterval}{2} \leq \BlockHeight < \SlowStartInterval \\[1.4ex]
\floor{\hfrac{\MaxBlockSubsidy}{2^{\Halving(\BlockHeight)}}},&\!\!\text{otherwise} \floor{\hfrac{\MaxBlockSubsidy}{2^{\Halving(\BlockHeight)}}},&\caseotherwise
\end{cases}$ \end{cases}$
\item $\FoundersReward(\BlockHeight) := \begin{cases} \item $\FoundersReward(\BlockHeight) := \begin{cases}
@ -5493,6 +5494,21 @@ The errors in the proof of Ledger Indistinguishability mentioned in
\introsection \introsection
\nsection{Change History} \nsection{Change History}
\subparagraph{2018.0-beta-7}
\begin{itemize}
\item Rename $\mathsf{clamp}$ to $\mathsf{bound}$ and
$\mathsf{ActualTimespanClamped}$ to $\ActualTimespanBounded$
in the difficulty adjustment algorithm, to avoid a name
collision with Curve25519 scalar ``clamping''.
\item Change uses of the term \term{full node} to \fullValidator.
A \term{full node} by definition participates in the
peer-to-peer network, whereas a \fullValidator just needs a copy
of the \blockchain from somewhere. The latter is what was meant.
\end{itemize}
\introlist
\subparagraph{2018.0-beta-6} \subparagraph{2018.0-beta-6}
\begin{itemize} \begin{itemize}
@ -6165,16 +6181,16 @@ If the base point $B$ is fixed for a given scalar multiplication $\scalarmult{k}
we can fully precompute window tables for each window position. we can fully precompute window tables for each window position.
It is most efficient to use $3$-bit fixed windows. Since the length of It is most efficient to use $3$-bit fixed windows. Since the length of
$\ParamG{s}$ is $252$ bits, we need $84$ windows. $\ParamJ{r}$ is $252$ bits, we need $84$ windows.
Let $k = \vsum{i=0}{83} k_i \smult 8^i$. Express $k$ in base $8$, i.e.\ $k = \vsum{i=0}{83} k_i \smult 8^i$.
Then $\scalarmult{k}{B} = \vsum{i=0}{83} w_{i,\,k_i}$, where Then $\scalarmult{k}{B} = \vsum{i=0}{83} w_{(B,\,i,\,k_i)}$, where
$w_{i,\,k_i} = \scalarmult{k_i \smult 8^i}{B}$. $w_{(B,\,i,\,k_i)} = \scalarmult{k_i \smult 8^i}{B}$.
We precompute all of $w_{i,\,s}$ for $i \in \range{0}{83}, s \in \range{0}{7}$. We precompute all of $w_{(B,\,i,\,s)}$ for $i \in \range{0}{83}, s \in \range{0}{7}$.
To look up a given window entry $w_{i,\,s} = (u_s, \varv_s)$, where To look up a given window entry $w_{(B,\,i,\,s)} = (u_s, \varv_s)$, where
$s = 4 \smult s_2 + 2 \smult s_1 + s_0$, we use: $s = 4 \smult s_2 + 2 \smult s_1 + s_0$, we use:
\begin{formulae} \begin{formulae}
@ -6183,13 +6199,13 @@ $s = 4 \smult s_2 + 2 \smult s_1 + s_0$, we use:
- u_1 \smult s_0 \plus u_2 \smult s\suband - u_2 \smult s_1 - u_3 \smult s\suband \\ - u_1 \smult s_0 \plus u_2 \smult s\suband - u_2 \smult s_1 - u_3 \smult s\suband \\
\mhspace{2.91em} \plus u_4 \smult s\suband - u_4 \smult s_1 - u_4 \smult s_0 \plus u_4 - u_5 \smult s\suband \mhspace{2.91em} \plus u_4 \smult s\suband - u_4 \smult s_1 - u_4 \smult s_0 \plus u_4 - u_5 \smult s\suband
\plus u_5 \smult s_0 - u_6 \smult s\suband \plus u_6 \smult s_1 \plus u_7 \smult s\suband) = \\ \plus u_5 \smult s_0 - u_6 \smult s\suband \plus u_6 \smult s_1 \plus u_7 \smult s\suband) = \\
\mhspace{1.52em} \lincomb{u_r - u_0 \smult s\suband \plus u_0 \smult s_1 \plus u_0 \smult s_0 - u_0 \plus u_1 \smult s\suband \mhspace{1.52em} \lincomb{u_s - u_0 \smult s\suband \plus u_0 \smult s_1 \plus u_0 \smult s_0 - u_0 \plus u_1 \smult s\suband
- u_1 \smult s_0 \plus u_2 \smult s\suband - u_2 \smult s_1 - u_3 \smult s\suband}$ - u_1 \smult s_0 \plus u_2 \smult s\suband - u_2 \smult s_1 - u_3 \smult s\suband}$
\item $\lincomb{s_2} \times (-\hairspace \vv_0 \smult s\suband \plus \vv_0 \smult s_1 \plus \vv_0 \smult s_0 - \vv_0 \plus \vv_1 \smult s\suband \item $\lincomb{s_2} \times (-\hairspace \vv_0 \smult s\suband \plus \vv_0 \smult s_1 \plus \vv_0 \smult s_0 - \vv_0 \plus \vv_1 \smult s\suband
- \vv_1 \smult s_0 \plus \vv_2 \smult s\suband - \vv_2 \smult s_1 - \vv_3 \smult s\suband \\ - \vv_1 \smult s_0 \plus \vv_2 \smult s\suband - \vv_2 \smult s_1 - \vv_3 \smult s\suband \\
\mhspace{2.91em} \plus \vv_4 \smult s\suband - \vv_4 \smult s_1 - \vv_4 \smult s_0 \plus \vv_4 - \vv_5 \smult s\suband \mhspace{2.91em} \plus \vv_4 \smult s\suband - \vv_4 \smult s_1 - \vv_4 \smult s_0 \plus \vv_4 - \vv_5 \smult s\suband
\plus \vv_5 \smult s_0 - \vv_6 \smult s\suband \plus \vv_6 \smult s_1 \plus \vv_7 \smult s\suband) = \\ \plus \vv_5 \smult s_0 - \vv_6 \smult s\suband \plus \vv_6 \smult s_1 \plus \vv_7 \smult s\suband) = \\
\mhspace{1.52em} \lincomb{\vv_r - \vv_0 \smult s\suband \plus \vv_0 \smult s_1 \plus \vv_0 \smult s_0 - \vv_0 \plus \vv_1 \smult s\suband \mhspace{1.52em} \lincomb{\vv_s - \vv_0 \smult s\suband \plus \vv_0 \smult s_1 \plus \vv_0 \smult s_0 - \vv_0 \plus \vv_1 \smult s\suband
- \vv_1 \smult s_0 \plus \vv_2 \smult s\suband - \vv_2 \smult s_1 - \vv_3 \smult s\suband}$ - \vv_1 \smult s_0 \plus \vv_2 \smult s\suband - \vv_2 \smult s_1 - \vv_3 \smult s\suband}$
\end{formulae} \end{formulae}
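Review bot: The renamed definition in the `@ -4691` hunk keeps an unbalanced parenthesis from the old `\clamp` line — `\maximum(\Lower, \minimum(\Upper, x)))` opens two groups and closes three, so the function that bounds the damped timespan in the difficulty-adjustment rule renders with a stray `)`; since this rename is the commit's point, the line should read `\item $\bound{\Lower}{\Upper}(x) := \maximum(\Lower, \minimum(\Upper, x))$`. The `@ -934` hunk shows two `\newcommand{\MerkleDepth}` lines and the rendering drops the old/new side marker, so it is worth confirming this is a replacement of `\mathsf{d_{Merkle}}` by `\mathsf{MerkleDepth}` rather than two additions, which would be a redefinition error at build time. In the `@ -4463` hunk the sentence following the renamed `\fullValidator{}` rule still says clock time "varies between nodes", which reads against the full node / full validator distinction this commit introduces (`varies between \fullValidators` if that is the intent). Finally, `\GroupPHash` and `\GroupGHash` are rewritten as `^\GroupP{#1}` while `\GroupSHash` and `\GroupJHash` spell the same shape out as `^\mathbb{S}_{#1}`; the explicit form is the more robust one, as it does not rely on the superscript picking up the expansion of a one-argument macro.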