From 2cf4dfacef76a420ddf747c60c318eabe7d7b50d Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Thu, 16 Aug 2018 12:03:34 +0100 Subject: [PATCH] Correct the description of the N-ary AND optimization (not used in Sapling): a run of N-1 one bits in c yields an N-ary AND. Signed-off-by: Daira Hopwood --- protocol/protocol.tex | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 5f3a181f..15e27e15 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -9626,6 +9626,16 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}. \intropart \section{Change History} +\subparagraph{2018.0-beta-30} + +\begin{itemize} + \item No changes to \Sprout. +\sapling{ + \item Minor correction to the non-normative note in \crossref{cctrange}. +} %sapling +\end{itemize} + +\introlist \subparagraph{2018.0-beta-29} \begin{itemize} @@ -10865,10 +10875,11 @@ $k = 132$, so the cost of each such range check is $387$ constraints. \introsection \nnote{It is possible to optimize the computation of $\Pi_{\barerange{t}{n-2}}$ further. -Notice that $\Pi_m$ is only used when $m$ is the index of the last bit of a -run of $1$ bits in $c$. So for each run of $N$ $1$ bits, it is sufficient to compute -an \Nary{} AND: $R = \sproduct{i=0}{N-1}{X_i}$. This can be computed in $3$ constraints -for any $N < \ParamS{r}$; boolean-constrain the output $R$, and then add constraints +Notice that $\Pi_m$ is only used when $m$ is the index of the last bit of a run of $1$ bits +in $c$. So for each such run of $1$ bits $c_{\barerange{m}{m+N-2}}$ of length $N-1$, it is +sufficient to compute an \Nary{} AND of $a_{\barerange{m}{m+N-2}}$ and $\Pi_{m+N-1}$: +$R = \sproduct{i=0}{N-1}{X_i}$. This can be computed in $3$ constraints for any +$N$; boolean-constrain the output $R$, and then add constraints \vspace{1ex} \begin{tabular}{@{\tab}l@{\;\;}l} 
@@ -10880,7 +10891,7 @@ for any $N < \ParamS{r}$; boolean-constrain the output $R$, and then add constra \vspace{-1ex} where $\mathsf{inv}$ is witnessed as $\Big(N - \ssum{i=0}{N-1}{X_i}\Big)^{\!-1}$ if $R = 0$ -or is unconstrained otherwise. +or is unconstrained otherwise. (Since $N < \ParamS{r}$, the sums cannot overflow.) In fact the last constraint is not needed in this context because it is sufficient to compute an upper bound on each $\Pi_m$ (i.e.\ it does not benefit a malicious prover to
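Review bot: in the Change History hunk, the new 2018.0-beta-30 entry says only "Minor correction to the non-normative note in \crossref{cctrange}" and does not say what was corrected; readers scanning the history cannot tell whether the correction affects them. Suggest carrying the substance of the commit subject into the entry, e.g. "Correct the description of the \Nary{} AND optimization in the non-normative note in \crossref{cctrange}: a run of $N-1$ one bits in $c$ yields an \Nary{} AND." Placing it inside \sapling{...} is consistent with the note itself being Sapling-only, so no change needed there.

Review bot: in the second hunk, replacing "for any $N < \ParamS{r}$" with "for any $N$" loosens the stated claim, and the bound now survives only as the parenthetical "(Since $N < \ParamS{r}$, the sums cannot overflow.)" two paragraphs later; read on its own, "$3$ constraints for any $N$" is not right over a prime field, because $N - \ssum{i=0}{N-1}{X_i}$ is evaluated modulo $\ParamS{r}$. Suggest keeping the bound at the point of the claim ("for any $N < \ParamS{r}$") or adding a forward pointer such as "for any $N$ (see the remark on overflow below)". Separately, the rewritten sentence names the inputs as $a_{\barerange{m}{m+N-2}}$ and $\Pi_{m+N-1}$ but then writes the product over $X_{\barerange{0}{N-1}}$ without tying the two together; one clause, e.g. "where $X_{\barerange{0}{N-2}} = a_{\barerange{m}{m+N-2}}$ and $X_{N-1} = \Pi_{m+N-1}$", would make the constraint count ($N-1$ run bits plus one carried-in product gives exactly $N$ factors) checkable from the text.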