diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 20c50ee7..2174ec5d 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -103,6 +103,7 @@ \usepackage{quattrocento} \usepackage[bb=ams]{mathalfa} \usepackage[scr]{rsfso} +\usepackage{upgreek} % Quattrocento is beautiful but doesn't have an italic face. So we scale % New Century Schoolbook italic to fit in with slanted Quattrocento and @@ -426,26 +427,8 @@ \DeclareSymbolFont{matha}{OML}{txmi}{m}{it} \DeclareMathSymbol{\varv}{\mathord}{matha}{118} -% newtxmath defines some nice characters, but has too many side effects -% and is completely incompatible with lmodern. We pull these definitions out -% of . - -% from -\makeatletter -\newif\iftx@libertine -\newif\iftx@minion -\newif\iftx@coch -\newif\iftx@ch -\newif\iftx@stxtwo -\makeatother - -\DeclareSymbolFont{lettersA}{U}{ntxmia}{m}{it} -\SetSymbolFont{lettersA}{bold}{U}{ntxmia}{b}{it} -\DeclareFontSubstitution{U}{ntxmia}{m}{it} - -\DeclareMathSymbol{\uprho}{\mathord}{lettersA}{26} -\DeclareMathSymbol{\upvarphi}{\mathord}{lettersA}{39} - +% These are defined by newtxmath, but that's a very opinionated package that causes a +% bunch of regressions (IMO) to math fonts and rendering. \DeclareSymbolFont{AMSm}{U}{ntxsym}{m}{n} \SetSymbolFont{AMSm}{bold}{U}{ntxsym}{b}{n} \DeclareFontSubstitution{U}{ntxsym}{m}{n} @@ -469,7 +452,7 @@ \newcommand{\clasp}[3][0pt]{\stackengine{0pt}{#3}{\kern#1#2}{O}{c}{F}{F}{L}} \newcommand{\plus}{\hairspace +\hairspace} -\newcommand{\vv}{\hspace{0.071em}\varv\hspace{0.064em}} +\newcommand{\spv}{\hspace{0.071em}\varv\hspace{0.064em}} \newcommand{\varvv}{\varv\kern 0.02em\varv} \newcommand{\yy}{\hspace{0.022em}y\hspace{0.021em}} @@ -10389,6 +10372,13 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \intropart \lsection{Change History}{changehistory} +\historyentry{2020.1.4}{} + +\begin{itemize} + \item Improve LaTeX portability of this specification. +\end{itemize} + + \historyentry{2020.1.3}{2020-04-22} \begin{itemize} @@ -11623,7 +11613,7 @@ $(u, \varv)$ for affine coordinates on the \ctEdwardsCurve, and $(x, y)$ for affine coordinates on the \MontgomeryCurve. A point $P$ is normally represented by two $\GF{\ParamS{r}}$ variables, which -we name as $(P^u, P^{\vv})$ for an \affineCtEdwards point, for instance. +we name as $(P^u, P^{\spv})$ for an \affineCtEdwards point, for instance. The implementations of scalar multiplication require the scalar to be represented as a bit sequence. We therefore allow the notation $\scalarmult{k\Repr}{P}$ meaning @@ -12320,12 +12310,12 @@ $s = 4 \smult s_2 + 2 \smult s_1 + s_0$, we use: \plus u_3 \smult s_1 - u_5 \smult s\suband \plus u_5 \smult s_2 \plus u_7 \smult s\suband\big) = \\ \mhspace{1.92em} \lincomb{u_s - u_0 \smult s\suband \plus u_0 \smult s_2 \plus u_0 \smult s_1 - u_0 \plus u_2 \smult s\suband - u_2 \smult s_1 \plus u_4 \smult s\suband - u_4 \smult s_2 - u_6 \smult s\suband}$ - \item $\lconstraint{s_0} \big(\!- \vv_0 \smult s\suband \plus \vv_0 \smult s_2 \plus \vv_0 \smult s_1 - \vv_0 \plus \vv_2 \smult s\suband - - \vv_2 \smult s_1 \plus \vv_4 \smult s\suband - \vv_4 \smult s_2 - \vv_6 \smult s\suband \\ - \mhspace{3.51em} \plus \vv_1 \smult s\suband - \vv_1 \smult s_2 - \vv_1 \smult s_1 \plus \vv_1 - \vv_3 \smult s\suband - \plus \vv_3 \smult s_1 - \vv_5 \smult s\suband \plus \vv_5 \smult s_2 \plus \vv_7 \smult s\suband\big) = \\ - \mhspace{1.90em} \lincomb{\vv_s - \vv_0 \smult s\suband \plus \vv_0 \smult s_2 \plus \vv_0 \smult s_1 - \vv_0 \plus \vv_2 \smult s\suband - - \vv_2 \smult s_1 \plus \vv_4 \smult s\suband - \vv_4 \smult s_2 - \vv_6 \smult s\suband}$ + \item $\lconstraint{s_0} \big(\!- \spv_0 \smult s\suband \plus \spv_0 \smult s_2 \plus \spv_0 \smult s_1 - \spv_0 \plus \spv_2 \smult s\suband + - \spv_2 \smult s_1 \plus \spv_4 \smult s\suband - \spv_4 \smult s_2 - \spv_6 \smult s\suband \\ + \mhspace{3.51em} \plus \spv_1 \smult s\suband - \spv_1 \smult s_2 - \spv_1 \smult s_1 \plus \spv_1 - \spv_3 \smult s\suband + \plus \spv_3 \smult s_1 - \spv_5 \smult s\suband \plus \spv_5 \smult s_2 \plus \spv_7 \smult s\suband\big) = \\ + \mhspace{1.90em} \lincomb{\spv_s - \spv_0 \smult s\suband \plus \spv_0 \smult s_2 \plus \spv_0 \smult s_1 - \spv_0 \plus \spv_2 \smult s\suband + - \spv_2 \smult s_1 \plus \spv_4 \smult s\suband - \spv_4 \smult s_2 - \spv_6 \smult s\suband}$ \end{formulae} For a full-length ($252$-bit) scalar this costs $3$ constraints for each of $84$ window lookups, @@ -12375,14 +12365,14 @@ Given $k = \ssum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$ \item // $\Base_i = \scalarmult{2^i}{B}$ \item let $\Base_0 = B$ \item let $\Acc^u_0 = k_0 \bchoose \Base^u_0 : 0$ - \item let $\Acc^{\vv}_0\hairspace = k_0 \bchoose \Base^{\vv}_0 : 1$ + \item let $\Acc^{\spv}_0\hairspace = k_0 \bchoose \Base^{\spv}_0 : 1$ \vspace{1ex} \item for $i$ from $1$ up to $250$: \item \tab let $\Base_i = \scalarmult{2}{\Base_{i-1}}$ \vspace{1ex} \item \tab // select $\Base_i$ or $\ZeroJ$ depending on the bit $k_i$ \item \tab let $\Addend^u_i = k_i \bchoose \Base^u_i : 0$ - \item \tab let $\Addend^{\vv}_i\hairspace = k_i \bchoose \Base^{\vv}_i : 1$ + \item \tab let $\Addend^{\spv}_i\hairspace = k_i \bchoose \Base^{\spv}_i : 1$ \item \tab let $\Acc_i = \Acc_{i-1} + \Addend_i$ \item let $R = \Acc_{250}$. \end{algorithm}