Generalization needed for Sapling: represented groups and pairings.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2017-12-02 01:03:17 +00:00
parent 2d80ec90d3
commit 4a94c063c4
1 changed files with 433 additions and 121 deletions


@ -22,6 +22,7 @@
\RequirePackage{cleveref}
\RequirePackage{nameref}
\RequirePackage{etoolbox}
\RequirePackage{subdepth}
\RequirePackage[style=alphabetic,maxbibnames=99,dateabbrev=false,urldate=iso8601,backref=true,backrefstyle=none,backend=biber]{biblatex}
\addbibresource{zcash.bib}
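Review bot: the new `\RequirePackage{subdepth}` line is undocumented; subdepth changes subscript placement for the whole document, and neither the commit message nor a comment says it is wanted for the nested subscripts introduced by the new `\ParamG`/`\ParamP`/`\ParamS` macros. A one-line comment next to the package load (`% subdepth: keep nested subscript depth uniform in \ParamG etc.`) would make the dependency clear to the next editor.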
@ -250,6 +251,21 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\provingSystem}{\term{proving system}}
\newcommand{\zeroKnowledgeProvingSystem}{\term{zero-knowledge proving system}}
\newcommand{\ZeroKnowledgeProvingSystem}{\titleterm{Zero-Knowledge Proving System}}
\newcommand{\representedGroup}{\term{represented group}}
\newcommand{\representedGroups}{\term{represented groups}}
\newcommand{\RepresentedGroup}{\titleterm{Represented Group}}
\newcommand{\hashExtractor}{\term{hash extractor}}
\newcommand{\HashExtractor}{\titleterm{Hash Extractor}}
\newcommand{\groupHash}{\term{group hash}}
\newcommand{\groupHashes}{\term{group hashes}}
\newcommand{\GroupHash}{\titleterm{Group Hash}}
\newcommand{\representedPairing}{\term{represented pairing}}
\newcommand{\RepresentedPairing}{\titleterm{Represented Pairing}}
\newcommand{\RepresentedGroupsAndPairings}{\titleterm{Represented Groups and Pairings}}
\newcommand{\BNCurve}{\mathsf{BN\mhyphen{}254}}
\newcommand{\BLSCurve}{\mathsf{BLS12\mhyphen{}381}}
\newcommand{\BNRepresentedPairing}{\titleterm{BN-254}}
\newcommand{\BLSRepresentedPairing}{\titleterm{BLS12-381}}
\newcommand{\ppzkSNARK}{\term{preprocessing zk-SNARK}}
\newcommand{\provingKey}{\term{proving key}}
\newcommand{\zkProvingKeys}{\term{zero-knowledge proving keys}}
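Review bot: `\groupHash`/`\groupHashes` are added here but the new Group Hash section below spells out "family of group hashes" literally rather than using them, and likewise `\BNRepresentedPairing` renders the name as `\titleterm{BN-254}` while `\BNCurve` renders it as `\mathsf{BN\mhyphen{}254}`, so the same curve name appears in two typefaces. Either use the term macros consistently or drop the unused ones.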
@ -424,8 +440,11 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\xor}{\oplus}
\newcommand{\band}{\binampersand}
\newcommand{\mult}{\cdot}
\newcommand{\scalarmult}[2]{\boldsymbol{[}{#1}\boldsymbol{]}\hairspace{#2}}
\newcommand{\rightarrowR}{\buildrel{\scriptstyle\mathrm{R}}\over\rightarrow}
\newcommand{\leftarrowR}{\buildrel{\scriptstyle\mathrm{R}}\over\leftarrow}
\newcommand{\union}{\cup}
\newcommand{\intersection}{\cap}
% key pairs:
\newcommand{\PaymentAddress}{\mathsf{addr_{pk}}}
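Review bot: `\rightarrowR` and `\leftarrowR` are added here but nothing else in this diff uses them, and the `\scalarmult` macro introduced on the same hunk is not yet applied to the order checks in the concrete sections, which still write `$\ParamG{r} \mult P = \ZeroG{2}$` with the multiplication dot. Consider either dropping the unused arrow macros from this commit or leaving a comment on what they are reserved for, and switching the order checks to `\scalarmult{\ParamG{r}}{P}` so scalar multiplication has one notation.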
@ -727,13 +746,52 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\setofOld}{\setof{\allOld}}
\newcommand{\setofNew}{\setof{\allNew}}
\newcommand{\vmacs}{\mathtt{vmacs}}
\newcommand{\Curve}{E}
\newcommand{\Zero}{\mathcal{O}}
\newcommand{\Generator}{\mathcal{P}}
\newcommand{\ParamP}[1]{{{#1}_\mathbb{P}}}
\newcommand{\ParamPexp}[2]{{{#1}_\mathbb{P}\!}^{#2}}
\newcommand{\GroupP}[1]{\mathbb{P}_{#1}}
\newcommand{\GroupPstar}[1]{\mathbb{P}^\ast_{#1}}
\newcommand{\GroupPHash}[1]{\mathsf{GH}^\mathbb{P}_{#1}}
\newcommand{\CurveP}[1]{\Curve_{\mathbb{P}_{#1}}}
\newcommand{\ZeroP}[1]{\Zero_{\mathbb{P}_{#1}}}
\newcommand{\GenP}[1]{\Generator_{\mathbb{P}_{#1}}}
\newcommand{\ellP}[1]{\ell_{\mathbb{P}_{#1}}}
\newcommand{\PairingP}{\ParamP{\hat{e}}}
\newcommand{\ExtractP}{\ParamP{\mathsf{Extract}}}
\newcommand{\ParamG}[1]{{{#1}_\mathbb{G}}}
\newcommand{\ParamGexp}[2]{{{#1}_\mathbb{G}\!}^{#2}}
\newcommand{\GroupG}[1]{\mathbb{G}_{#1}}
\newcommand{\GroupGstar}[1]{\mathbb{G}^\ast_{#1}}
\newcommand{\PointP}[1]{\mathcal{P}_{#1}}
\newcommand{\GroupGHash}[1]{\mathsf{GH}^\mathbb{G}_{#1}}
\newcommand{\CurveG}[1]{\Curve_{\mathbb{G}_{#1}}}
\newcommand{\ZeroG}[1]{\Zero_{\mathbb{G}_{#1}}}
\newcommand{\GenG}[1]{\Generator_{\mathbb{G}_{#1}}}
\newcommand{\ellG}[1]{\ell_{\mathbb{G}_{#1}}}
\newcommand{\PairingG}{\ParamG{\hat{e}}}
\newcommand{\ExtractG}{\ParamG{\mathsf{Extract}}}
\newcommand{\ParamS}[1]{{{#1}_\mathbb{\hskip 0.03em S}}}
\newcommand{\ParamSexp}[2]{{{#1}_\mathbb{\hskip 0.03em S}\!}^{#2}}
\newcommand{\GroupS}[1]{\mathbb{S}_{#1}}
\newcommand{\GroupSstar}[1]{\mathbb{S}^\ast_{#1}}
\newcommand{\GroupSHash}[1]{\mathsf{GH}^\mathbb{S}_{#1}}
\newcommand{\CurveS}[1]{\Curve_{\mathbb{S}_{#1}}}
\newcommand{\ZeroS}[1]{\Zero_{\mathbb{S}_{#1}}}
\newcommand{\GenS}[1]{\Generator_{\mathbb{S}_{#1}}}
\newcommand{\ellS}[1]{\ell_{\mathbb{S}_{#1}}}
\newcommand{\PairingS}{\ParamS{\hat{e}}}
\newcommand{\ExtractS}{\ParamS{\mathsf{Extract}}}
\newcommand{\repr}{\mathsf{repr}}
\newcommand{\abst}{\mathsf{abst}}
\newcommand{\xP}{{x_{\hspace{-0.12em}P}}}
\newcommand{\yP}{{y_{\hspace{-0.03em}P}}}
\newcommand{\AtInfinity}[1]{\mathcal{O}_{#1}}
\newcommand{\GF}[1]{\mathbb{F}_{#1}}
\newcommand{\GF}[1]{\mathbb{F}_{\!#1}}
\newcommand{\GFstar}[1]{\mathbb{F}^\ast_{#1}}
\newcommand{\ECtoOSP}{\mathsf{EC2OSP}}
\newcommand{\ECtoOSPXL}{\mathsf{EC2OSP\mhyphen{}XL}}
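Review bot: `\PointP` and `\AtInfinity` stay defined in this block although their only uses visible in the diff (the old generator and point-at-infinity paragraphs) are removed in favour of `\GenG` and `\ZeroG`; dead macros with the same meaning as live ones invite the two notations to drift apart, so remove them or mark them deprecated. The `\GF` redefinition (`\mathbb{F}_{#1}` to `\mathbb{F}_{\!#1}`) is a purely cosmetic kerning change bundled into a large semantic hunk; a separate commit or a comment would make it easier to review. Style point: the `\ParamP`/`\ParamG`/`\ParamS` and matching `Group`/`Curve`/`Zero`/`Gen`/`ell`/`Pairing`/`Extract` families are three copies of the same seven-macro pattern differing only in the blackboard letter; a single parametrised helper would avoid the next copy when a fourth group family is added.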
@ -741,6 +799,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ItoOSP}[1]{\mathsf{I2OSP}_{#1}}
\newcommand{\ItoBSP}[1]{\mathsf{I2BSP}_{#1}}
\newcommand{\FEtoIP}{\mathsf{FE2IP}}
\newcommand{\FEtoIPP}{\mathsf{FE2IPP}}
\newcommand{\BNImpl}{\mathtt{ALT\_BN128}}
\newcommand{\vpubOld}{\mathsf{v_{pub}^{old}}}
\newcommand{\vpubNew}{\mathsf{v_{pub}^{new}}}
@ -986,7 +1045,9 @@ $\length(S)$ means the length of (number of elements in) $S$.
$T \subseteq U$ indicates that $T$ is an inclusive subset or subtype of $U$.
$\byteseqs$ means the set of bit sequences constrained to be of length
$S \union T$ means the type corresponding to the set union of $S$ and $T$.
$\byteseqs$ means the type of bit sequences constrained to be of length
a multiple of 8 bits.
$\hexint{}$ followed by a string of \textbf{boldface} hexadecimal
@ -1583,6 +1644,96 @@ be a function satisfying the security requirements below.
\end{securityrequirements}
\introlist
\nsubsubsection{\RepresentedGroup} \label{abstractgroup}
A \representedGroup $\GroupG{}$ consists of:
\begin{itemize}
\item a subgroup order parameter $\ParamG{r} \typecolon \PosInt$, which must be prime;
\item a cofactor parameter $\ParamG{h} \typecolon \PosInt$;
\item a group $\GroupG{}$ of order $\ParamG{h} \mult \ParamG{r}$, written additively
with operation $+ \typecolon \GroupG{} \times \GroupG{} \rightarrow \GroupG{}$,
and additive identity $\ZeroG{}$;
\item a generator $\GenG{}$ of the subgroup of $\GroupG{}$ of order $\ParamG{r}$;
\item a bit-length parameter $\ellG{} \typecolon \Nat$;
\item a representation function $\repr_{\GroupG{}} \typecolon
\GroupG{} \rightarrow \bitseq{\ellG{}}$;
\item an abstraction function $\abst_{\GroupG{}} \typecolon
\bitseq{\ellG{}} \rightarrow \GroupG{} \union \setof{\bot}$;
\end{itemize}
\vspace{-2ex}
such that $\abst_{\GroupG{}}$ is the left inverse of $\repr_{\GroupG{}}$, i.e.
for all $P \in \GroupG{}$, $\abst_{\GroupG{}}(\repr_{\GroupG{}}(P)) = P$, and
for all $S$ not in the image of $\repr_{\GroupG{}}$, $\abst_{\GroupG{}}(S) = \bot$.
We extend the $\vsum{}{}$ notation to addition on group elements.
\vspace{-3ex}
For $G \typecolon \GroupG{}$ and $s \typecolon \Nat$ (or $s \typecolon \GF{\ParamG{r}}$)
we write $\scalarmult{s}{G}$ for $\vsum{i = 1}{s} G$.
\vspace{1ex}
\sapling{
\introlist
\nsubsubsection{\HashExtractor} \label{abstractextractor}
A \hashExtractor for a \representedGroup $\GroupG{}$ is a function
$\ExtractG \typecolon \GroupG{} \rightarrow \bitseq{\ell}$ for some $\ell \typecolon \Nat$,
such that $\ExtractG$ is injective on the subgroup generated by $\GenG{}$.
\pnote{
Unlike the representation function $\repr_{\GroupG{}}$, $\ExtractG$ need not have an
efficiently computable left inverse.
}
}
\introlist
\nsubsubsection{\GroupHash} \label{abstractgrouphash}
Given a represented group $\GroupG{}$ and a type $\Index$, a
\term{family of group hashes into $\GroupG{}$} is a function
$\GroupGHash{} \typecolon \Index \times \bitseq{\ell} \rightarrow \GroupG{}$.
\begin{securityrequirements}
\item \textbf{Discrete Logarithm Independence:} For a randomly selected member
$\GroupGHash{U}$ of the family, it is infeasible to find
a sequence of distinct inputs $m_{\alln} \typecolon \typeexp{\bitseq{\ell}}{n}$
and a sequence of nonzero scalars $x_{\alln} \typecolon \typeexp{\GFstar{\ParamG{r}}}{n}$
such that $\vsum{i = 1}{n}(\scalarmult{x_i}{\GroupGHash{U}(m_i)}) = \ZeroG{}$.
\end{securityrequirements}
Note that this property implies (and is stronger than) collision-resistance,
since a collision $(m_1, m_2)$ for $\GroupGHash{U}$ trivially gives a discrete
logarithm relation with $x_1 = 1$ and $x_2 = -1$.
\introlist
\nsubsubsection{\RepresentedPairing} \label{abstractpairing}
A \representedPairing $\GroupP{}$ consists of:
\begin{itemize}
\item a group order parameter $\ParamP{r} \typecolon \PosInt$ which must be prime;
\item two \representedGroups $\GroupP{1..2}$, both of order $\ParamP{r}$;
\item a group $\GroupP{T}$ of order $\ParamP{r}$, written multiplicatively with operation
$\mult \typecolon \GroupP{T} \times \GroupP{T} \rightarrow \GroupP{T}$
and multiplicative identity $\ParamP{\mathbf{1}}$;
\item a pairing function
$\PairingP \typecolon \GroupP{1} \times \GroupP{2} \rightarrow \GroupP{T}$
satisfying:
\begin{itemize}
\item (Bilinearity)\; for all $a, b \typecolon \GFstar{r}$,
$P \typecolon \GroupP{1}$, and $Q \typecolon \GroupP{2}$,
$\PairingP(\scalarmult{a}{P}, \scalarmult{b}{Q}) = \PairingP(P, Q)^{a \mult b}$, and
\item (Nondegeneracy)\; there does not exist $P \typecolon \GroupP{1} \setminus \ZeroP{1}$
such that for all $Q \typecolon \GroupP{2},
\PairingP(P, Q) = \ParamP{\mathbf{1}}$;
\end{itemize}
\end{itemize}
\nsubsubsection{\ZeroKnowledgeProvingSystem} \label{abstractzk}
A \zeroKnowledgeProvingSystem is a cryptographic protocol that allows
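Review bot: in the Nondegeneracy clause `$P \typecolon \GroupP{1} \setminus \ZeroP{1}$` subtracts an element from a set; it should be `\setminus \setof{\ZeroP{1}}`, matching the form used for `\GroupGstar{i}` in the concrete section. In the Bilinearity clause `$a, b \typecolon \GFstar{r}$` uses a bare `r` where the rest of the section writes the parameter as `\ParamP{r}` (compare `\GFstar{\ParamG{r}}` in the Discrete Logarithm Independence requirement); also bilinearity is normally stated for all scalars, not only nonzero ones. The Group Hash type `$\GroupGHash{} \typecolon \Index \times \bitseq{\ell} \rightarrow \GroupG{}$` uses `\ell` without binding it; it is only quantified ("for some $\ell$") in the Hash Extractor definition, so the family definition should take `\ell` as a parameter or fix it. The scalar multiplication definition `$\scalarmult{s}{G}$ for $\vsum{i = 1}{s} G$` is well typed for `$s \typecolon \Nat$` but not for `$s \typecolon \GF{\ParamG{r}}$`; say that the canonical representative in `\range{0}{\ParamG{r}-1}` is meant, and note that the result is independent of the representative only when `G` lies in the order-`\ParamG{r}` subgroup, since `\GroupG{}` has order `\ParamG{h} \mult \ParamG{r}`. In the pairing definition "two represented groups `\GroupP{1..2}`, both of order `\ParamP{r}`" is ambiguous given that a represented group has order `h \mult r`; state that their subgroup order parameter is `\ParamP{r}` with cofactor 1. Minor: "Given a represented group" should use the `\representedGroup` macro defined earlier in this commit.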
@ -2614,6 +2765,274 @@ The leading byte of the $\FullHash$ input is $\hexint{B0}$.
\end{securityrequirements}
\nsubsubsection{\RepresentedGroupsAndPairings} \label{concretepairing}
\nsubsubsubsection{\BNRepresentedPairing} \label{bnpairing}
The \representedPairing $\BNCurve$ is defined in this section.
\introlist
Let $\ParamG{q} = 21888242871839275222246405745257275088696311157297823662689037894645226208583$.
Let $\ParamG{r} = 21888242871839275222246405745257275088548364400416034343698204186575808495617$.
Let $\ParamG{b} = 3$.
(\hairspace $\ParamG{q}$ and $\ParamG{r}$ are prime.)
Let $\GroupG{1}$ be the group of points on a Barreto--Naehrig curve $\CurveG{1}$ over
$\GF{\ParamG{q}}$ with equation $y^2 = x^3 + \ParamG{b}$.
This curve has embedding degree 12 with respect to $\ParamG{r}$.
Let $\GroupG{2}$ be the subgroup of order $r$ in the sextic twist $\CurveG{2}$ of
$\GroupG{1}$ over $\GF{\ParamGexp{q}{2}}$ with equation $y^2 = x^3 + \frac{\ParamG{b}}{\xi}$,
where $\xi \typecolon \GF{\ParamGexp{q}{2}}$.
We represent elements of $\GF{\ParamGexp{q}{2}}$ as polynomials
$a_1 \mult t + a_0 \typecolon \GF{\ParamG{q}}[t]$, modulo the irreducible polynomial
$t^2 + 1$; in this representation, $\xi$ is given by $t + 9$.
Let $\GroupG{T}$ be the subgroup of $\ParamGexp{r}{\mathrm{th}}$ roots of unity in
$\GFstar{\ParamGexp{q}{12}}$.
Let $\PairingG$ be the optimized ate pairing of type
$\GroupG{1} \times \GroupG{2} \rightarrow \GroupG{T}$.
For $i \typecolon \range{1}{2}$, let $\ZeroG{i}$ be the point at infinity
(which is the additive identity) in $\GroupG{i}$, and let
$\GroupGstar{i} = \GroupG{i} \setminus \setof{\ZeroG{i}}$.
Let $\GenG{1} \typecolon \GroupGstar{1} = (1, 2)$.
\begin{tabular}{@{}l@{}r@{}l@{}}
Let $\GenG{2} \typecolon \GroupGstar{2} =\;$
% are these the right way round?
&$(11559732032986387107991004021392285783925812861821192530917403151452391805634$ & $\mult\, t\;+$ \\
&$ 10857046999023057135944570762232829481370756359578518086990519993285655852781$ & $, $ \\
&$ 4082367875863433681332203403145435568316851327593401208105741076214120093531$ & $\mult\, t\;+$ \\
&$ 8495653923123431417604973247489272438418190587263600148770280649306958101930$ & $). $
\end{tabular}
$\GenG{1}$ and $\GenG{2}$ are generators of $\GroupG{1}$ and $\GroupG{2}$ respectively.
\newsavebox{\gonebox}
\begin{lrbox}{\gonebox}
\setchanged
\begin{bytefield}[bitwidth=0.045em]{264}
\bitbox{20}{$0$}
\bitbox{20}{$0$}
\bitbox{20}{$0$}
\bitbox{20}{$0$}
\bitbox{20}{$0$}
\bitbox{20}{$0$}
\bitbox{20}{$1$}
\bitbox{80}{$1$-bit $\tilde{y}$}
\bitbox{256}{$256$-bit $\ItoOSP{32}(x)$}
\end{bytefield}
\end{lrbox}
\newsavebox{\gtwobox}
\begin{lrbox}{\gtwobox}
\setchanged
\begin{bytefield}[bitwidth=0.045em]{520}
\bitbox{20}{$0$}
\bitbox{20}{$0$}
\bitbox{20}{$0$}
\bitbox{20}{$0$}
\bitbox{20}{$1$}
\bitbox{20}{$0$}
\bitbox{20}{$1$}
\bitbox{80}{$1$-bit $\tilde{y}$}
\bitbox{512}{$512$-bit $\ItoOSP{64}(x)$}
\end{bytefield}
\end{lrbox}
Define $\ItoOSP{} \typecolon (k \typecolon \Nat) \times \range{0}{256^k\!-\!1} \rightarrow
\typeexp{\range{0}{255}}{k}$ such that $\ItoOSP{\ell}(n)$ is the sequence of $\ell$ bytes
representing $n$ in big-endian order.
\introlist
For a point $P \typecolon \GroupGstar{1} = (\xP, \yP)$:
\begin{itemize}
\item The field elements $\xP$ and $\yP \typecolon \GF{q}$ are represented as
integers $x$ and $y \typecolon \range{0}{q\!-\!1}$.
\item Let $\tilde{y} = y \bmod 2$.
\item $P$ is encoded as $\Justthebox{\gonebox}$.
\end{itemize}
\introlist
For a point $P \typecolon \GroupGstar{2} = (\xP, \yP)$:
\begin{itemize}
\item Define $\FEtoIP \typecolon \GF{\ParamG{q}}[t] / (t^2 + 1) \rightarrow
\range{0}{\ParamGexp{q}{2}\!-\!1}$ such that
$\FEtoIP(a_{w,1} \mult t + a_{w,0}) = a_{w,1} \mult q + a_{w,0}$.
\item Let $x = \FEtoIP(\xP)$, $y = \FEtoIP(\yP)$, and $y' = \FEtoIP(-\yP)$.
\item Let $\tilde{y} = \begin{cases}
1, &\caseif y > y' \\
0, &\caseotherwise.
\end{cases}$
\item $P$ is encoded as $\Justthebox{\gtwobox}$.
\end{itemize}
\introlist
\subparagraph{Non-normative notes:}
\begin{itemize}
\item The use of big-endian byte order is different from the encoding
of most other integers in this protocol.
The encodings for $\GroupGstar{1, 2}$ are consistent with the
definition of $\ECtoOSP{}$ for compressed curve points in
\cite[section 5.5.6.2]{IEEE2004}. The LSB compressed form
(i.e.\ $\ECtoOSPXL$) is used for points in $\GroupGstar{1}$,
and the SORT compressed form (i.e.\ $\ECtoOSPXS$) for points in
$\GroupGstar{2}$.
\item The points at infinity $\ZeroG{1, 2}$ never occur in proofs and
have no defined encodings in this protocol.
\item Testing $y > y'$ for the compression of $\GroupGstar{2}$ points is equivalent
to testing whether $(a_{y,1}, a_{y,0}) > (a_{-y,1}, a_{-y,0})$ in lexicographic order.
\item Algorithms for decompressing points from the above encodings are
given in \cite[Appendix A.12.8]{IEEE2000} for $\GroupGstar{1}$, and
\cite[Appendix A.12.11]{IEEE2004} for $\GroupGstar{2}$.
\item A rational point $P \neq \ZeroG{2}$ on the curve $\CurveG{2}$ can be
verified to be of order $\ParamG{r}$, and therefore in $\GroupGstar{2}$,
by checking that $\ParamG{r} \mult P = \ZeroG{2}$.
\end{itemize}
When computing square roots in $\GF{\ParamG{q}}$ or $\GF{\ParamGexp{q}{2}}$ in
order to decompress a point encoding, the implementation \MUSTNOT assume that
the square root exists, or that the encoding represents a point on the curve.
\newsavebox{\sonebox}
\begin{lrbox}{\sonebox}
\setsapling
\begin{bytefield}[bitwidth=0.045em]{384}
\bitbox{20}{$1$}
\bitbox{20}{$0$}
\bitbox{80}{$1$-bit $\tilde{y}$}
\bitbox{381}{$381$-bit $\ItoBSP{381}(x)$}
\end{bytefield}
\end{lrbox}
\newsavebox{\stwobox}
\begin{lrbox}{\stwobox}
\setsapling
\begin{bytefield}[bitwidth=0.045em]{768}
\bitbox{20}{$1$}
\bitbox{20}{$0$}
\bitbox{80}{$1$-bit $\tilde{y}$}
\bitbox{381}{$381$-bit $\ItoBSP{381}(x_1)$}
\bitbox{384}{$384$-bit $\ItoBSP{384}(x_2)$}
\end{bytefield}
\end{lrbox}
\sapling{
\nsubsubsubsection{\BLSRepresentedPairing} \label{blspairing}
The \representedPairing $\BLSCurve$ is defined in this section. Parameters are taken from
\cite{Bowe2017}.
\introlist
Let $\ParamS{q} =\;$\scalebox{0.812}[1]{$4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559787$}.
Let $\ParamS{r} = 52435875175126190479447740508185965837690552500527637822603658699938581184513$.
Let $\ParamS{u} = -15132376222941642752$.
Let $\ParamS{b} = 4$.
(\hairspace $\ParamS{q}$ and $\ParamS{r}$ are prime.)
Let $\GroupS{1}$ be the group of points on a Barreto--Lynn--Scott curve $\CurveS{1}$ over
$\GF{\ParamS{q}}$ with equation $y^2 = x^3 + \ParamS{b}$.
This curve has embedding degree 12 with respect to $\ParamS{r}$.
Let $\GroupS{2}$ be the subgroup of order $\ParamS{r}$ in the sextic twist $\CurveS{2}$ of
$\GroupS{1}$ over $\GF{\ParamSexp{q}{2}}$ with equation $y^2 = x^3 + 4(i + 1)$, where
$i \typecolon \GF{\ParamSexp{q}{2}}$.
We represent elements of $\GF{\ParamSexp{q}{2}}$ as polynomials
$a_1 \mult t + a_0 \typecolon \GF{\ParamS{q}}[t]$, modulo the irreducible polynomial
$t^2 + 1$; in this representation, $i$ is given by \todo{$?$}.
Let $\GroupS{T}$ be the subgroup of $\ParamSexp{r}{\mathrm{th}}$ roots of unity in
$\GFstar{\ParamSexp{q}{12}}$.
Let $\PairingS$ be the optimized ate pairing of type
$\GroupS{1} \times \GroupS{2} \rightarrow \GroupS{T}$.
For $i \typecolon \range{1}{2}$, let $\ZeroS{i}$ be the point at infinity in $\GroupS{i}$,
and let $\GroupSstar{i} = \GroupS{i} \setminus \setof{\ZeroS{i}}$.
\introlist
Let $\GenS{1} \typecolon \GroupSstar{1} = (1, 2)$.
\begin{tabular}{@{}l@{}r@{}l@{}}
Let $\GenS{2} \typecolon \GroupSstar{2} =\;$
% are these the right way round?
&$(11559732032986387107991004021392285783925812861821192530917403151452391805634$ & $\mult\, t\;+$ \\
&$ 10857046999023057135944570762232829481370756359578518086990519993285655852781$ & $, $ \\
&$ 4082367875863433681332203403145435568316851327593401208105741076214120093531$ & $\mult\, t\;+$ \\
&$ 8495653923123431417604973247489272438418190587263600148770280649306958101930$ & $). $
\end{tabular}
$\GenS{1}$ and $\GenS{2}$ are generators of $\GroupS{1}$ and $\GroupS{2}$ respectively.
\introlist
For a point $P \typecolon \GroupSstar{1} = (\xP, \yP)$:
\begin{itemize}
\item The field elements $\xP$ and $\yP \typecolon \GF{\ParamS{q}}$ are represented as
integers $x$ and $y \typecolon \range{0}{\ParamS{q}\!-\!1}$.
\item Let $\tilde{y} = \begin{cases}
1, &\caseif y > \ParamS{q}-y \\
0, &\caseotherwise.
\end{cases}$
\item $P$ is encoded as $\Justthebox{\sonebox}$.
\end{itemize}
\introlist
For a point $P \typecolon \GroupSstar{2} = (\xP, \yP)$:
\begin{itemize}
\item Define $\FEtoIPP \typecolon \GF{\ParamS{q}}[t] / (t^2 + 1) \rightarrow
\typeexp{\range{0}{\ParamS{q}\!-\!1}}{2}$ such that
$\FEtoIPP(a_{w,1} \mult t + a_{w,0}) = [a_{w,1}, a_{w,0}]$.
\item Let $x = \FEtoIPP(\xP)$, $y = \FEtoIPP(\yP)$, and $y' = \FEtoIPP(-\yP)$.
\item Let $\tilde{y} = \begin{cases}
1, &\caseif y > y' \text{ lexicographically} \\
0, &\caseotherwise.
\end{cases}$
\item $P$ is encoded as $\Justthebox{\stwobox}$.
\end{itemize}
\introlist
\subparagraph{Non-normative notes:}
\begin{itemize}
\item The use of big-endian byte order is different from the encoding
of most other integers in this protocol.
The encodings for $\GroupSstar{1, 2}$ are specific to \Zcash.
\item The points at infinity $\ZeroS{1, 2}$ never occur in proofs and
have no defined encodings in this protocol.
\item Algorithms for decompressing points from the encodings of
$\GroupSstar{1, 2}$ are defined analogously to those for
$\GroupGstar{1, 2}$ in \crossref{bnpairing}, taking into account that
the SORT compressed form (not the LSB compressed form) is used
for $\GroupGstar{1}$.
\item A rational point $P \neq \ZeroS{2}$ on the curve $\CurveS{2}$ can be
verified to be of order $\ParamS{r}$, and therefore in $\GroupSstar{2}$,
by checking that $\ParamS{r} \mult P = \ZeroS{2}$.
\end{itemize}
When computing square roots in $\GF{\ParamS{q}}$ or $\GF{\ParamSexp{q}{2}}$
in order to decompress a point encoding, the implementation \MUSTNOT assume
that the square root exists, or that the encoding represents a point on the
curve.
}
\nsubsection{\NotePlaintexts{} and \Memos} \label{notept}
Transmitted \notes are stored on the blockchain in encrypted form, together with
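Review bot: the BLS12-381 generators in this hunk are verbatim copies of the BN-254 ones: `$\GenS{1} \typecolon \GroupSstar{1} = (1, 2)$` does not satisfy the stated curve equation $y^2 = x^3 + 4$ (since $2^2 = 4 \neq 1 + 4$), and the four coordinates given for `\GenS{2}` are the 254-bit BN-254 values, not elements of a 381-bit field; they need to be replaced with the generators from \cite{Bowe2017}, which this section cites for its parameters, and the "% are these the right way round?" comment resolved at the same time. In the BLS non-normative notes, "the SORT compressed form (not the LSB compressed form) is used for `\GroupGstar{1}`" should read `\GroupSstar{1}`, since it describes the BLS12-381 encoding defined by the `$y > \ParamS{q}-y$` test above it. The BN-254 half still uses bare `q` and `r` in several places where the BLS half uses `\ParamS{}`: "the subgroup of order $r$", `$\xP$ and $\yP \typecolon \GF{q}$`, `\range{0}{q\!-\!1}`, and `$a_{w,1} \mult q + a_{w,0}$` should all use `\ParamG{q}`/`\ParamG{r}`. The `$a_{w,1}$, $a_{w,0}$` subscripts refer to a field element `w` that the old text introduced ("A field element $w$ ... is represented as a polynomial") but this rewrite dropped; restore that sentence or drop the subscripts. `\ItoBSP{}` is used in the BLS byte-field boxes but never defined in the text (only `\ItoOSP{}` is), and the `x_1`, `x_2` in the `\GroupSstar{2}` box are not tied to the pair `[a_{x,1}, a_{x,0}]` returned by `\FEtoIPP`; both need a sentence. The symbol `i` is overloaded within a few lines: it is the `\GF{\ParamSexp{q}{2}}` element in `$y^2 = x^3 + 4(i + 1)$` and then the index in `For $i \typecolon \range{1}{2}$`; pick another letter for the field element, and note that its polynomial representation is still a `\todo`. Finally, the order checks write `$\ParamG{r} \mult P$` and `$\ParamS{r} \mult P$`; with the new `\scalarmult` macro these should be `\scalarmult{\ParamG{r}}{P}`.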
@ -2854,47 +3273,10 @@ with the \provingSystem described in \cite{BCTV2015}, which is a refinement of
the systems in \cite{PGHR2013} and \cite{BCGTV2013}.
The pairing implementation is $\BNImpl$.
\introlist
Let $q = 21888242871839275222246405745257275088696311157297823662689037894645226208583$.
Let $r = 21888242871839275222246405745257275088548364400416034343698204186575808495617$.
Let $b = 3$.
(\hairspace $q$ and $r$ are prime.)
\introlist
The pairing is of type $\GroupG{1} \times \GroupG{2} \rightarrow \GroupG{T}$, where:
\begin{itemize}
\item $\GroupG{1}$ is the group of points on a Barreto--Naehrig curve $E_1$ over $\GF{q}$
with equation $y^2 = x^3 + b$. This curve has embedding degree 12 with respect to $r$.
\item $\GroupG{2}$ is the subgroup of order $r$ in the sextic twist $E_2$ of $\GroupG{1}$
over $\GF{q^2}$ with equation $y^2 = x^3 + \frac{b}{\xi}$, where
$\xi \typecolon \GF{q^2}$. We represent elements
of $\GF{q^2}$ as polynomials $a_1 \mult t + a_0 \typecolon \GF{q}[t]$, modulo the
irreducible polynomial $t^2 + 1$; in this representation, $\xi$ is given by $t + 9$.
\item $\GroupG{T}$ is $\mu_r$, the subgroup of $r^\mathrm{th}$ roots of unity in
$\GFstar{q^{12}}$.
\end{itemize}
For $i \typecolon \range{1}{2}$, let $\AtInfinity{i}$ be the point at infinity in $\GroupG{i}$,
and let $\GroupGstar{i} = \GroupG{i} \setminus \setof{\AtInfinity{i}}$.
\introlist
Let $\PointP{1} \typecolon \GroupGstar{1} = (1, 2)$.
\begin{tabular}{@{}l@{}r@{}l@{}}
Let $\PointP{2} \typecolon \GroupGstar{2} =\;$
% are these the right way round?
&$(11559732032986387107991004021392285783925812861821192530917403151452391805634$ & $\mult\, t\;+$ \\
&$ 10857046999023057135944570762232829481370756359578518086990519993285655852781$ & $, $ \\
&$ 4082367875863433681332203403145435568316851327593401208105741076214120093531$ & $\mult\, t\;+$ \\
&$ 8495653923123431417604973247489272438418190587263600148770280649306958101930$ & $). $
\end{tabular}
$\PointP{1}$ and $\PointP{2}$ are generators of $\GroupG{1}$ and $\GroupG{2}$ respectively.
A proof consists of a tuple
$(\Proof_A \typecolon \GroupGstar{1},\;
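Review bot: after this removal the surviving text jumps from "The pairing implementation is $\BNImpl$." straight to "A proof consists of a tuple $(\Proof_A \typecolon \GroupGstar{1}, \ldots$" with no local definition of `\GroupGstar{1}`; unless it is added elsewhere in the commit, a pointer such as "The pairing `\BNCurve` is defined in \crossref{bnpairing}." belongs here so the reader knows where `\GroupG{1..2, T}` now come from. The removed paragraph also named `\GroupG{T}` as `$\mu_r$`; the new definition drops that standard name, which is worth keeping as an aside.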
@ -2917,96 +3299,17 @@ and a \provingSystem implementation that is interoperable with the \Zcash fork
of \libsnark, to ensure compatibility.
}
\nsubsubsection{Encoding of Points} \label{pointencoding}
\newsavebox{\gonebox}
\begin{lrbox}{\gonebox}
\setchanged
\begin{bytefield}[bitwidth=0.05em]{264}
\bitbox{20}{$0$}
\bitbox{20}{$0$}
\bitbox{20}{$0$}
\bitbox{20}{$0$}
\bitbox{20}{$0$}
\bitbox{20}{$0$}
\bitbox{20}{$1$}
\bitbox{80}{$1$-bit $\tilde{y}$}
\bitbox{256}{$256$-bit $\ItoOSP{32}(x)$}
\end{bytefield}
\end{lrbox}
\newsavebox{\gtwobox}
\begin{lrbox}{\gtwobox}
\setchanged
\begin{bytefield}[bitwidth=0.05em]{520}
\bitbox{20}{$0$}
\bitbox{20}{$0$}
\bitbox{20}{$0$}
\bitbox{20}{$0$}
\bitbox{20}{$1$}
\bitbox{20}{$0$}
\bitbox{20}{$1$}
\bitbox{80}{$1$-bit $\tilde{y}$}
\bitbox{512}{$512$-bit $\ItoOSP{64}(x)$}
\end{bytefield}
\end{lrbox}
Define $\ItoOSP{} \typecolon (k \typecolon \Nat) \times \range{0}{256^k\!-\!1} \rightarrow
\typeexp{\range{0}{255}}{k}$ such that $\ItoOSP{\ell}(n)$ is the sequence of $\ell$ bytes
representing $n$ in big-endian order.
\introlist
For a point $P \typecolon \GroupGstar{1} = (\xP, \yP)$:
\begin{itemize}
\item The field elements $\xP$ and $\yP \typecolon \GF{q}$ are represented as
integers $x$ and $y \typecolon \range{0}{q\!-\!1}$.
\item Let $\tilde{y} = y \bmod 2$.
\item $P$ is encoded as $\Justthebox{\gonebox}$.
\end{itemize}
\introlist
For a point $P \typecolon \GroupGstar{2} = (\xP, \yP)$:
\begin{itemize}
\item A field element $w \typecolon \GF{q^2}$ is represented as
a polynomial $a_{w,1} \mult t + a_{w,0} \typecolon \GF{q}[t]$ modulo $t^2 + 1$.
Define $\FEtoIP \typecolon \GF{q^2} \rightarrow \range{0}{q^2\!-\!1}$ such that
$\FEtoIP(w) = a_{w,1} \mult q + a_{w,0}$.
\item Let $x = \FEtoIP(\xP)$, $y = \FEtoIP(\yP)$, and $y' = \FEtoIP(-\yP)$.
\item Let $\tilde{y} = \begin{cases}
1, &\caseif y > y' \\
0, &\caseotherwise.
\end{cases}$
\item $P$ is encoded as $\Justthebox{\gtwobox}$.
\end{itemize}
\introlist
\subparagraph{Non-normative notes:}
\begin{itemize}
\item The use of big-endian byte order is different from the encoding
of most other integers in this protocol. The above encodings are consistent
with the definition of $\ECtoOSP{}$ for compressed curve points in
\cite[section 5.5.6.2]{IEEE2004}. The LSB compressed
form (i.e.\ $\ECtoOSPXL$) is used for points in $\GroupGstar{1}$, and the
SORT compressed form (i.e.\ $\ECtoOSPXS$) for points in $\GroupGstar{2}$.
\item The points at infinity $\AtInfinity{1}$ and $\AtInfinity{2}$ never occur
in proofs and have no defined encodings in this protocol.
\item Testing $y > y'$ for the compression of $\GroupGstar{2}$ points is equivalent
to testing whether $(a_{y,1}, a_{y,0}) > (a_{-y,1}, a_{-y,0})$ in lexicographic order.
\item Algorithms for decompressing points from the above encodings are
given in \cite[Appendix A.12.8]{IEEE2000} for $\GroupGstar{1}$, and
\cite[Appendix A.12.11]{IEEE2004} for $\GroupGstar{2}$.
\item A point $P \typecolon (\GF{q^2})^2 = (\xP, \yP)$ known to satisfy the
$E_2$ curve equation $\yP^2$ = $\xP^3 + \frac{b}{\xi}$ can be verified to be
of order $r$, and therefore in $\GroupGstar{2}$, by checking that
$\hfrac{\#E_2}{r} \mult P \neq \AtInfinity{2}$.
\end{itemize}
When computing square roots in $\GF{q}$ or $\GF{q^2}$ in order to decompress
a point encoding, the implementation \MUSTNOT assume that the square root
exists, or that the encoding represents a point on the curve.
\introlist
\nsubsubsection{Encoding of \ZeroKnowledgeProofs} \label{proofencoding}
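Review bot: the heading `\nsubsubsection{Encoding of Points} \label{pointencoding}` survives with its entire body removed, so it now renders as an empty subsection; either delete it and retarget any `\crossref{pointencoding}` to `bnpairing`, or leave a one-line pointer to \crossref{bnpairing} under it. The removed order check `$\hfrac{\#E_2}{r} \mult P \neq \AtInfinity{2}$` is the note the change history says was corrected; the replacement `$\ParamG{r} \mult P = \ZeroG{2}$` is the right test for a point `$P \neq \ZeroG{2}$` because `\ParamG{r}` is prime, and it would be worth saying so in the new note so the reason for the change is recorded.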
@ -4229,6 +4532,15 @@ The errors in the proof of Ledger Indistinguishability mentioned in
\introlist
\nsection{Change history}
\subparagraph{2017.0-beta-2.8}
\begin{itemize}
\item Correct the non-normative note describing how to check the order
of $\Proof{B}$.
\saplingonlyitem{Initial version of draft \Sapling protocol specification.}
\end{itemize}
\introlist
\subparagraph{2017.0-beta-2.7}
\begin{itemize}
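Review bot: the change-history entry records only the `\Proof{B}` order-check correction and the initial Sapling draft, but most of this commit is the new abstract "Represented Groups and Pairings" sections, the `\scalarmult` notation, and the relocation of the BN-254 definition and point encodings into \crossref{bnpairing}; add an item for that restructuring so readers of the history can find where the definitions moved. Also, this entry writes `$\Proof{B}$` while the proof-tuple paragraph above writes `$\Proof_A$`; if `\Proof` takes an argument the latter is malformed, and if it does not the former is, so one of the two forms should be fixed.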