Correct the description of the N-ary AND optimization (not used in Sapling):

a run of N-1 one bits in c yields an N-ary AND.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2018-08-16 12:03:34 +01:00
parent 37da8b64e4
commit 2cf4dfacef
1 changed files with 16 additions and 5 deletions

@ -9626,6 +9626,16 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\intropart
\section{Change History}
\subparagraph{2018.0-beta-30}
\begin{itemize}
\item No changes to \Sprout.
\sapling{
\item Minor correction to the non-normative note in \crossref{cctrange}.
} %sapling
\end{itemize}
\introlist
\subparagraph{2018.0-beta-29}
\begin{itemize}
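Review bot: The new 2018.0-beta-30 history entry ("Minor correction to the non-normative note in \crossref{cctrange}") does not say what was corrected. The commit message already has the precise wording, so the entry could state it directly: a run of $N-1$ one bits in $c$ yields an \Nary{} AND. That would let a reader of the change history judge whether an implementation based on the earlier text of the note is affected, without diffing the two versions.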
@ -10865,10 +10875,11 @@ $k = 132$, so the cost of each such range check is $387$ constraints.
\introsection
\nnote{It is possible to optimize the computation of $\Pi_{\barerange{t}{n-2}}$ further.
Notice that $\Pi_m$ is only used when $m$ is the index of the last bit of a
run of $1$ bits in $c$. So for each run of $N$ $1$ bits, it is sufficient to compute
an \Nary{} AND: $R = \sproduct{i=0}{N-1}{X_i}$. This can be computed in $3$ constraints
for any $N < \ParamS{r}$; boolean-constrain the output $R$, and then add constraints
Notice that $\Pi_m$ is only used when $m$ is the index of the last bit of a run of $1$ bits
in $c$. So for each such run of $1$ bits $c_{\barerange{m}{m+N-2}}$ of length $N-1$, it is
sufficient to compute an \Nary{} AND of $a_{\barerange{m}{m+N-2}}$ and $\Pi_{m+N-1}$:
$R = \sproduct{i=0}{N-1}{X_i}$. This can be computed in $3$ constraints for any
$N$; boolean-constrain the output $R$, and then add constraints
\vspace{1ex}
\begin{tabular}{@{\tab}l@{\;\;}l}
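Review bot: In the rewritten sentence the operands $X_i$ are never tied to the values being ANDed, and the role of $m$ is easy to misread. The text says the AND is over $a_{\barerange{m}{m+N-2}}$ and $\Pi_{m+N-1}$ (that is, $N-1$ bits plus one running product) and then writes $R = \sproduct{i=0}{N-1}{X_i}$ without saying which $X_i$ is which; a short clause such as "where $X_{\barerange{0}{N-2}}$ are the bits of $a$ and $X_{N-1} = \Pi_{m+N-1}$" would close that gap. Separately, $m$ is introduced as "the index of the last bit of a run" but the run is written $c_{\barerange{m}{m+N-2}}$, so $m$ is its lowest index; that is only the "last" bit if bits are processed from high index to low, which is worth stating here. Note also that "for any $N < \ParamS{r}$" became "for any $N$" in this sentence, so the 3-constraint claim now reads as unconditional until the parenthetical added further down.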
@ -10880,7 +10891,7 @@ for any $N < \ParamS{r}$; boolean-constrain the output $R$, and then add constra
\vspace{-1ex}
where $\mathsf{inv}$ is witnessed as $\Big(N - \ssum{i=0}{N-1}{X_i}\Big)^{\!-1}$ if $R = 0$
or is unconstrained otherwise.
or is unconstrained otherwise. (Since $N < \ParamS{r}$, the sums cannot overflow.)
In fact the last constraint is not needed in this context because it is sufficient to
compute an upper bound on each $\Pi_m$ (i.e.\ it does not benefit a malicious prover to
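Review bot: The added parenthetical "(Since $N < \ParamS{r}$, the sums cannot overflow.)" asserts the bound rather than deriving it, and it is now the only place the bound appears, because the earlier "for any $N < \ParamS{r}$" was changed to "for any $N$". Either keep the condition on $N$ where the 3-constraint claim is made, or say here why $N < \ParamS{r}$ holds in this context (for instance, by relating $N-1$ to the bit length of $c$). It would also help to name which sums are meant, since $\ssum{i=0}{N-1}{X_i}$ appears in the witness for $\mathsf{inv}$ and presumably in the tabulated constraints as well.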