From 39bb59e4d07f21d0d107322e00a2347244995617 Mon Sep 17 00:00:00 2001
From: Daira Hopwood
Date: Thu, 8 Feb 2018 01:23:18 +0000
Subject: [PATCH] Add instantiation of hash extractor for Jubjub.
Signed-off-by: Daira Hopwood
---
 protocol/protocol.tex | 61 ++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 58 insertions(+), 3 deletions(-)
diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index c8cf13c1..6221d5e3 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -222,6 +222,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newtheorem{theorem}{Theorem}
 \numberwithin{theorem}{subsection}
+\newtheorem*{lemma*}{Lemma}
 % Terminology
@@ -1076,7 +1078,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\reprP}[1]{\repr_{\GroupP{#1}}}
 \newcommand{\abstP}[1]{\abst_{\GroupP{#1}}}
 \newcommand{\PairingP}{\ParamP{\hat{e}}}
-\newcommand{\ExtractP}{\ParamP{\mathsf{Extract}}}
 \newcommand{\ParamG}[1]{{{#1}_\mathbb{G}}}
 \newcommand{\ParamGexp}[2]{{{#1}_\mathbb{G}\!}^{#2}}
@@ -1104,7 +1105,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\reprS}[1]{\repr_{\GroupG{#1}}}
 \newcommand{\abstS}[1]{\abst_{\GroupG{#1}}}
 \newcommand{\PairingS}{\ParamS{\hat{e}}}
-\newcommand{\ExtractS}{\ParamS{\mathsf{Extract}}}
 \newcommand{\ParamJ}[1]{{{#1}_\mathbb{\hskip 0.01em J}}}
 \newcommand{\ParamJexp}[2]{{{#1}_\mathbb{\hskip 0.01em J}\!}^{#2}}
@@ -2408,7 +2408,7 @@ we write $\scalarmult{k}{G}$ for $\vsum{i = 1}{k} G$.
 A \hashExtractor for a \representedGroup $\GroupG{}$ is a function $\ExtractG \typecolon \GroupG{} \rightarrow \bitseq{\ell}$ for some $\ell \typecolon \Nat$,
-such that $\ExtractG$ is injective on the subgroup generated by $\GenG{}$.
+such that $\ExtractG$ is injective on the subgroup of $\GroupG{}$ of order $\ParamG{r}$.
 \pnote{ Unlike the representation function $\reprG{}$, $\ExtractG$ need not have an 
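Review bot: The replacement line `+such that $\ExtractG$ is injective on the subgroup of $\GroupG{}$ of order $\ParamG{r}$.` presupposes that this subgroup is unique, which holds only when $\ParamG{r}^2$ does not divide the order of $\GroupG{}$, and the hunk does not state that assumption anywhere. A parenthetical after the sentence, e.g. `(The subgroup of order $\ParamG{r}$ is unique whenever $\ParamG{r}^2$ does not divide the order of $\GroupG{}$; each instantiation should confirm this.)`, would pin the definition down; the surrounding `\pnote{` block continues past the end of the hunk. The earlier hunks at 1076 and 1104 drop `\ExtractP` and `\ExtractS`; this view cannot confirm that no other line of the file still references either macro, so that is worth a search before merging.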
@@ -4291,6 +4291,60 @@ other conditions on points, for example that they are not the zero point, or are
 large prime-order subgroup.
 }
+
+\sapling{
+\nsubsubsubsection{\HashExtractor{} for \Jubjub} \label{grouphashjubjub}
+
+Let $\mathcal{U}((u, \varv)) = u$ and let $\mathcal{V}((u, \varv)) = \varv$.
+
+Let $\ExtractJ \typecolon \GroupJ \rightarrow \bitseq{255}$ be defined as:
+
+\begin{formulae}
+ \item $\ExtractJ((u, \varv)) = \ItoBSP{255}(u)$.
+\end{formulae}
+
+Let $G$ be the subgroup of $\GroupJ$ of order $\ParamJ{r}$ (an odd prime).
+
+Facts: the point $(0, 1) = \ZeroJ$, and the point $(0, -1)$ has order 2 in $\GroupJ$.
+ %
+\begin{lemma*}
+Let $P = (u, \varv) \typecolon G$. Then $(u, -\varv)$ is not a point in $G$.
+\end{lemma*}
+
+\begin{proof}
+If $P = \ZeroJ$ then $(u, -\varv) = (0, -1)$ which is not in $G$.
+Else, $P$ is of odd-prime order. Note that $\varv \neq 0$.
+(If $\varv = 0$ then $a \mult u^2 = 1$, and so applying the doubling formula
+gives $\scalarmult{2}{P} = (0, -1)$, then $\scalarmult{4}{P} = (0, 1) = \ZeroJ$;
+contradiction since then $P$ would not be of odd prime order.)
+Therefore, $-\varv \neq \varv$.
+Now suppose $(u, -\varv) = Q$ is a point in $G$. Then by applying the
+doubling formula we have $\scalarmult{2}{Q} = -\scalarmult{2}{P}$.
+But also $\scalarmult{2}{(-P)} = -\scalarmult{2}{P}$. Therefore either
+$Q = -P$ (then $\mathcal{V}(Q) = \mathcal{V}(-P)$; contradiction since
+$-\varv \neq \varv$), or doubling is not injective on $G$ (contradiction
+since $G$ is of odd order).
+\end{proof}
+
+\begin{theorem}
+$\ExtractJ$ is injective on $G$. 
+\end{theorem}
+
+\begin{proof}
+By writing the curve equation as
+$\varv^2 = (1 - a \smult u^2) / (1 - d \smult u^2)$, and noting that the
+potentially exceptional case $1 - d \smult u^2 = 0$ does not occur for a
+complete twisted Edwards curve, we see that for a given $u$ there can be at
+most two possible solutions for $\varv$, and that if there are two solutions
+they can be written as $\varv$ and $-\varv$. In that case by the lemma, at
+most one of $(u, \varv)$ and $(u, -\varv)$ is in $G$. Therefore, $\mathcal{U}$
+is injective on points in $G$, hence so is $\ExtractJ$.
+\end{proof}
+
+}
+
+
 \nsubsubsection{\ZeroKnowledgeProvingSystems}
 \nsubsubsubsection{\PHGRProvingSystem} \label{phgr}
@@ -6286,6 +6340,7 @@ Daira Hopwood, Sean Bowe, and Jack Grigg.
 \item No changes to \Sprout.
 \sapling{
 \item Add instantiation of $\CRHivk$.
+ \item Add instantiation of a hash extractor for \Jubjub.
 \item Make the background lighter and the \Sapling green darker, for contrast.
 }
 \end{itemize}
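Review bot: $\ExtractJ$ is declared on all of $\GroupJ$, but the theorem only establishes injectivity on the order-$\ParamJ{r}$ subgroup $G$, and nothing in the hunk tells a consumer of this definition that the input point must first be checked to lie in $G$. By the twisted Edwards addition law the colliding point $(u, -\varv)$ for $P \in G$ appears to be $-P + (0, -1)$, which lies in $\GroupJ$ but not in $G$, so $\ExtractJ$ is genuinely not injective on $\GroupJ$; a sentence after the definition such as `Note that $\ExtractJ$ is not injective on $\GroupJ$; any use that depends on injectivity requires the input point to be in $G$.` would make the contract explicit. The closing step `hence so is $\ExtractJ$` also relies on $\ItoBSP{255}$ being injective on the coordinate $u$, i.e. on the field modulus being below $2^{255}$, which is presumably true but unstated in the proof. As a point of style, $\mathcal{U}$ and $\mathcal{V}$ are introduced inline and reused in both proofs; defining them as preamble macros would match how the rest of the file names its notation.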