Add instantiation of hash extractor for Jubjub.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
0dcb3d5bc8
commit
39bb59e4d0
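--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -222,6 +222,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newtheorem{theorem}{Theorem}
 \numberwithin{theorem}{subsection}
 
+\newtheorem*{lemma*}{Lemma}
+
 
 % Terminology
 
@@ -1076,7 +1078,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\reprP}[1]{\repr_{\GroupP{#1}}}
 \newcommand{\abstP}[1]{\abst_{\GroupP{#1}}}
 \newcommand{\PairingP}{\ParamP{\hat{e}}}
-\newcommand{\ExtractP}{\ParamP{\mathsf{Extract}}}
 
 \newcommand{\ParamG}[1]{{{#1}_\mathbb{G}}}
 \newcommand{\ParamGexp}[2]{{{#1}_\mathbb{G}\!}^{#2}}
@@ -1104,7 +1105,6 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
 \newcommand{\reprS}[1]{\repr_{\GroupG{#1}}}
 \newcommand{\abstS}[1]{\abst_{\GroupG{#1}}}
 \newcommand{\PairingS}{\ParamS{\hat{e}}}
-\newcommand{\ExtractS}{\ParamS{\mathsf{Extract}}}
 
 \newcommand{\ParamJ}[1]{{{#1}_\mathbb{\hskip 0.01em J}}}
 \newcommand{\ParamJexp}[2]{{{#1}_\mathbb{\hskip 0.01em J}\!}^{#2}}
@@ -2408,7 +2408,7 @@ we write $\scalarmult{k}{G}$ for $\vsum{i = 1}{k} G$.
 
 A \hashExtractor for a \representedGroup $\GroupG{}$ is a function
 $\ExtractG \typecolon \GroupG{} \rightarrow \bitseq{\ell}$ for some $\ell \typecolon \Nat$,
-such that $\ExtractG$ is injective on the subgroup generated by $\GenG{}$.
+such that $\ExtractG$ is injective on the subgroup of $\GroupG{}$ of order $\ParamG{r}$.
 
 \pnote{
 Unlike the representation function $\reprG{}$, $\ExtractG$ need not have an
@@ -4291,6 +4291,60 @@ other conditions on points, for example that they are not the zero point, or are
 large prime-order subgroup.
 }
 
+
+\sapling{
+\nsubsubsubsection{\HashExtractor{} for \Jubjub} \label{grouphashjubjub}
+
+Let $\mathcal{U}((u, \varv)) = u$ and let $\mathcal{V}((u, \varv)) = \varv$.
+
+Let $\ExtractJ \typecolon \GroupJ \rightarrow \bitseq{255}$ be defined as:
+
+\begin{formulae}
+\item $\ExtractJ((u, \varv)) = \ItoBSP{255}(u)$.
+\end{formulae}
+
+Let $G$ be the subgroup of $\GroupJ$ of order $\ParamJ{r}$ (an odd prime).
+
+Facts: the point $(0, 1) = \ZeroJ$, and the point $(0, -1)$ has order 2 in $\GroupJ$.
+
+% <https://github.com/zcash/zcash/issues/2234#issuecomment-333360977>
+\begin{lemma*}
+Let $P = (u, \varv) \typecolon G$. Then $(u, -\varv)$ is not a point in $G$.
+\end{lemma*}
+
+\begin{proof}
+If $P = \ZeroJ$ then $(u, -\varv) = (0, -1)$ which is not in $G$.
+Else, $P$ is of odd-prime order. Note that $\varv \neq 0$.
+(If $\varv = 0$ then $a \mult u^2 = 1$, and so applying the doubling formula
+gives $\scalarmult{2}{P} = (0, -1)$, then $\scalarmult{4}{P} = (0, 1) = \ZeroJ$;
+contradiction since then $P$ would not be of odd prime order.)
+Therefore, $-\varv \neq \varv$.
+Now suppose $(u, -\varv) = Q$ is a point in $G$. Then by applying the
+doubling formula we have $\scalarmult{2}{Q} = -\scalarmult{2}{P}$.
+But also $\scalarmult{2}{(-P)} = -\scalarmult{2}{P}$. Therefore either
+$Q = -P$ (then $\mathcal{V}(Q) = \mathcal{V}(-P)$; contradiction since
+$-\varv \neq \varv$), or doubling is not injective on $G$ (contradiction
+since $G$ is of odd order).
+\end{proof}
+
+\begin{theorem}
+$\ExtractJ$ is injective on $G$.
+\end{theorem}
+
+\begin{proof}
+By writing the curve equation as
+$\varv^2 = (1 - a \smult u^2) / (1 - d \smult u^2)$, and noting that the
+potentially exceptional case $1 - d \smult u^2 = 0$ does not occur for a
+complete twisted Edwards curve, we see that for a given $u$ there can be at
+most two possible solutions for $\varv$, and that if there are two solutions
+they can be written as $\varv$ and $-\varv$. In that case by the lemma, at
+most one of $(u, \varv)$ and $(u, -\varv)$ is in $G$. Therefore, $\mathcal{U}$
+is injective on points in $G$, hence so is $\ExtractJ$.
+\end{proof}
+}
+
+
 \nsubsubsection{\ZeroKnowledgeProvingSystems}
 
 \nsubsubsubsection{\PHGRProvingSystem} \label{phgr}
@@ -6286,6 +6340,7 @@ Daira Hopwood, Sean Bowe, and Jack Grigg.
 \item No changes to \Sprout.
 \sapling{
 \item Add instantiation of $\CRHivk$.
+\item Add instantiation of a hash extractor for \Jubjub.
 \item Make the background lighter and the \Sapling green darker, for contrast.
 }
 \end{itemize}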
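Review bot: The theorem's closing step "hence so is $\ExtractJ$" (the new proof in the `-4291,6 +4291,60` hunk) rests on an unstated premise: injectivity of $\mathcal{U}$ on $G$ only transfers to $\ExtractJ = \ItoBSP{255} \circ \mathcal{U}$ if $\ItoBSP{255}$ is itself injective on the set of $u$-coordinates, i.e. if every element of the coordinate field has a canonical integer representation below $2^{255}$. That bound presumably follows from the field order fixed in the \Jubjub definition elsewhere in the file, but the proof should say so rather than leave it implicit, for example by replacing the last sentence with `Therefore, $\mathcal{U}$ is injective on points in $G$; since every $u$ is canonically represented by an integer less than $2^{255}$, $\ItoBSP{255}$ is injective on it, hence so is $\ExtractJ$.` with a cross-reference to where that bound is established. The lemma's proof likewise appeals to "the doubling formula" twice without a reference; a `\crossref` to the section that states the twisted Edwards doubling formula would let a reader check the $\scalarmult{2}{Q} = -\scalarmult{2}{P}$ step without searching the document. The `\sapling{...}` wrapper and the preceding subsubsection end outside this hunk, so their placement could not be checked.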