Add instantiation of hash extractor for Jubjub.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2018-02-08 01:23:18 +00:00
parent 0dcb3d5bc8
commit 39bb59e4d0
1 changed files with 58 additions and 3 deletions


@ -222,6 +222,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newtheorem{theorem}{Theorem}
\numberwithin{theorem}{subsection}
\newtheorem*{lemma*}{Lemma}
% Terminology
@ -1076,7 +1078,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\reprP}[1]{\repr_{\GroupP{#1}}}
\newcommand{\abstP}[1]{\abst_{\GroupP{#1}}}
\newcommand{\PairingP}{\ParamP{\hat{e}}}
\newcommand{\ExtractP}{\ParamP{\mathsf{Extract}}}
\newcommand{\ParamG}[1]{{{#1}_\mathbb{G}}}
\newcommand{\ParamGexp}[2]{{{#1}_\mathbb{G}\!}^{#2}}
@ -1104,7 +1105,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\reprS}[1]{\repr_{\GroupG{#1}}}
\newcommand{\abstS}[1]{\abst_{\GroupG{#1}}}
\newcommand{\PairingS}{\ParamS{\hat{e}}}
\newcommand{\ExtractS}{\ParamS{\mathsf{Extract}}}
\newcommand{\ParamJ}[1]{{{#1}_\mathbb{\hskip 0.01em J}}}
\newcommand{\ParamJexp}[2]{{{#1}_\mathbb{\hskip 0.01em J}\!}^{#2}}
@ -2408,7 +2408,7 @@ we write $\scalarmult{k}{G}$ for $\vsum{i = 1}{k} G$.
A \hashExtractor for a \representedGroup $\GroupG{}$ is a function
$\ExtractG \typecolon \GroupG{} \rightarrow \bitseq{\ell}$ for some $\ell \typecolon \Nat$,
such that $\ExtractG$ is injective on the subgroup generated by $\GenG{}$.
such that $\ExtractG$ is injective on the subgroup of $\GroupG{}$ of order $\ParamG{r}$.
\pnote{
Unlike the representation function $\reprG{}$, $\ExtractG$ need not have an
@ -4291,6 +4291,60 @@ other conditions on points, for example that they are not the zero point, or are
large prime-order subgroup.
}
\sapling{
\nsubsubsubsection{\HashExtractor{} for \Jubjub} \label{grouphashjubjub}
Let $\mathcal{U}((u, \varv)) = u$ and let $\mathcal{V}((u, \varv)) = \varv$.
Let $\ExtractJ \typecolon \GroupJ \rightarrow \bitseq{255}$ be defined as:
\begin{formulae}
\item $\ExtractJ((u, \varv)) = \ItoBSP{255}(u)$.
\end{formulae}
Let $G$ be the subgroup of $\GroupJ$ of order $\ParamJ{r}$ (an odd prime).
Facts: the point $(0, 1) = \ZeroJ$, and the point $(0, -1)$ has order 2 in $\GroupJ$.
% <https://github.com/zcash/zcash/issues/2234#issuecomment-333360977>
\begin{lemma*}
Let $P = (u, \varv) \typecolon G$. Then $(u, -\varv)$ is not a point in $G$.
\end{lemma*}
\begin{proof}
If $P = \ZeroJ$ then $(u, -\varv) = (0, -1)$ which is not in $G$.
Else, $P$ is of odd-prime order. Note that $\varv \neq 0$.
(If $\varv = 0$ then $a \mult u^2 = 1$, and so applying the doubling formula
gives $\scalarmult{2}{P} = (0, -1)$, then $\scalarmult{4}{P} = (0, 1) = \ZeroJ$;
contradiction since then $P$ would not be of odd prime order.)
Therefore, $-\varv \neq \varv$.
Now suppose $(u, -\varv) = Q$ is a point in $G$. Then by applying the
doubling formula we have $\scalarmult{2}{Q} = -\scalarmult{2}{P}$.
But also $\scalarmult{2}{(-P)} = -\scalarmult{2}{P}$. Therefore either
$Q = -P$ (then $\mathcal{V}(Q) = \mathcal{V}(-P)$; contradiction since
$-\varv \neq \varv$), or doubling is not injective on $G$ (contradiction
since $G$ is of odd order).
\end{proof}
\begin{theorem}
$\ExtractJ$ is injective on $G$.
\end{theorem}
\begin{proof}
By writing the curve equation as
$\varv^2 = (1 - a \smult u^2) / (1 - d \smult u^2)$, and noting that the
potentially exceptional case $1 - d \smult u^2 = 0$ does not occur for a
complete twisted Edwards curve, we see that for a given $u$ there can be at
most two possible solutions for $\varv$, and that if there are two solutions
they can be written as $\varv$ and $-\varv$. In that case by the lemma, at
most one of $(u, \varv)$ and $(u, -\varv)$ is in $G$. Therefore, $\mathcal{U}$
is injective on points in $G$, hence so is $\ExtractJ$.
\end{proof}
}
\nsubsubsection{\ZeroKnowledgeProvingSystems}
\nsubsubsubsection{\PHGRProvingSystem} \label{phgr}
@ -6286,6 +6340,7 @@ Daira Hopwood, Sean Bowe, and Jack Grigg.
\item No changes to \Sprout.
\sapling{
\item Add instantiation of $\CRHivk$.
\item Add instantiation of a hash extractor for \Jubjub.
\item Make the background lighter and the \Sapling green darker, for contrast.
}
\end{itemize}
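Review bot: The theorem closing the new \sapling{} block (hunk `@ -4291`) proves that $\ExtractJ$ is injective only on $G$, the subgroup of order $\ParamJ{r}$, and the proof does not cover points of $\GroupJ$ outside $G$, so any use of $\ExtractJ$ that relies on injectivity must be paired with a check that its input lies in that subgroup; a short remark after the proof would make this explicit, e.g. `\pnote{Injectivity is only established on $G$; uses of $\ExtractJ$ that depend on it must ensure the input is in the subgroup of order $\ParamJ{r}$.}`. The same hunk writes the field product as `\mult` in the lemma's proof (`$a \mult u^2 = 1$`) but as `\smult` in the curve equation of the theorem's proof; if the two macros are not intentionally distinct, one form should be used throughout. The reworded definition in hunk `@ -2408` ("the subgroup of $\GroupG{}$ of order $\ParamG{r}$") presumes that this subgroup is unique, which holds when $\ParamG{r}$ is prime and $\ParamG{r}^2$ does not divide the group order but is not stated here; a clause noting that assumption, or a reference to where it is established, would close the gap.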