Cosmetics.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2021-06-25 20:37:12 +01:00 · 2021-06-25 20:37:12 +01:00 · 4ca7409f6f
parent 5dff090737
commit 4ca7409f6f
1 changed files with 30 additions and 13 deletions
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@ -10727,12 +10727,14 @@ computation of a \defaultDiversifiedPaymentAddress in \crossref{saplingkeycompon


 \nufive{
+\vspace{-2ex}
 \lsubsubsubsection{\PallasAndVestaText}{pallasandvesta}

+\vspace{-1ex}
 \Orchard uses two elliptic curves, \defining{\Pallas} and \defining{\Vesta}, that form a cycle:
 the base field of each is the scalar field of the other. In \Orchard, we use \Vesta for the proof
 system (playing a similar rôle to \BLSPairing in \Sapling), and \Pallas for the application circuit
-(similar to \jubjubCurve in \Sapling). Both curves are designed to be efficiently implementable in
+(similar to \Jubjub in \Sapling). Both curves are designed to be efficiently implementable in
 \zkSNARKCircuits, although we only use \Pallas in that way for \Orchard.

 The \representedGroups $\GroupP$ and $\GroupV$ of points on \Pallas and \Vesta respectively
@ -10746,16 +10748,18 @@ called the \definingquotedterm{point at infinity}.
 For \Pallas and \Vesta we have $a = 0$ and so we will omit that term below.

 \begin{tabular}{@{}l@{\;}r@{\;}l}
-Let &$\ParamP{q}$ &$:= \hexint{40000000000000000000000000000000224698fc094cf91b992d30ed00000001}$. \\[1ex]
+Let &$\ParamP{q}$ &$:= \hexint{40000000000000000000000000000000224698fc094cf91b992d30ed00000001}$. \\[0.25ex]
 Let &$\ParamV{q}$ &$:= \hexint{40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001}$.
 \end{tabular}

+\vspace{-0.5ex}
 (\hairspace $\ParamP{q}$ and $\ParamV{q}$ are prime.)

 Let $\ParamP{r} := \ParamV{q}$ and $\ParamV{r} := \ParamP{q}$.

 Let $\ParamP{b} = \ParamV{b} := 5$.

+\vspace{0.5ex}
 Let $\GroupP$ be the group of points $(x, y)$ with zero point $\ZeroP$, on a \swCurve $\CurveP$ over
 $\GF{\ParamP{q}}$ with equation $y^2 = x^3 + \ParamP{b}$. $\GroupP$ has order $\ParamP{r}$.

@ -10811,6 +10815,7 @@ $\abstG{}\Of{P\Repr}$ is computed as follows:
        encoding represents a point on the curve.
 \end{pnotes}

+\vspace{-2ex}
 \lsubsubsubsection{Coordinate Extractor for \PallasText}{concreteextractorpallas}

 \vspace{-1ex}
@ -10821,8 +10826,11 @@ Define $\Selectx \typecolon \GroupP \rightarrow \GF{\ParamP{q}}$ and $\Selecty \
 \vspace{-1ex}
 \begin{formulae}
  \item $\Selectx\big(\ZeroP\big) = 0$
+        \vspace{-0.25ex}
  \item $\Selectx\big((x, y)\big) = x$
+        \vspace{-0.25ex}
  \item $\Selecty\big(\ZeroP\big) = 0$
+        \vspace{-0.25ex}
  \item $\Selecty\big((x, y)\big) = y$.
 \end{formulae}

@ -10836,6 +10844,7 @@ Define $\GroupPstarx$ as the set of $x$-coordinates (as integers) of points on t
 \vspace{-0.5ex}
 Define $\GroupPx := \GroupPstarx \union \setof{0}$.

+\introlist
 \vspace{1ex}
 Define $\ExtractP \typecolon \GroupP \rightarrow \GroupPx$ such that

@ -10853,14 +10862,16 @@ We also define $\ExtractPbot \typecolon \maybe{\GroupP} \rightarrow \maybe{\Grou
  \item $\ExtractPbot\big(P \typecolon \GroupP\big) = \ExtractP(P)$.
 \end{formulae}

-\vspace{-2ex}
+\vspace{-3ex}
 \nnote{$\ExtractP$ returns the type $\GroupPx$ which is precise for its range, unlike $\ExtractJ$
 which returns a bit sequence.}
 } %nufive

 \nufive{
+\vspace{-2ex}
 \lsubsubsubsection{Group Hash into \PallasAndVestaText}{concretegrouphashpallasandvesta}

+\vspace{-1ex}
 \Orchard uses the ``simplified SWU'' algorithm for \randomOracleAdjective hashing to elliptic curves
 with $j$-invariant $0$, consistent with \cite[section 6.6.3]{ID-hashtocurve}, based on a
 method by Riad Wahby and Dan Boneh \cite{WB2019}.
@ -10885,10 +10896,10 @@ $\CurveIsoV$, called \IsoVesta, that is isogenous to $\CurveV$.

 Let $\ParamIsoP{a} := \hexint{18354a2eb0ea8c9c49be2d7258370742b74134581a27a59f92bb4b0b657a014b}$.

-\vspace{-1ex}
+\vspace{-0.5ex}
 Let $\ParamIsoV{a} := \hexint{267f9b2ee592271a81639c4d96f787739673928c7d01b212c515ad7242eaa6b1}$.

-\vspace{-1ex}
+\vspace{-0.25ex}
 Let $\ParamIsoP{b} = \ParamIsoV{b} := 1265$.

 Let $\GroupIsoP$ be the group of points $(x, y)$ with zero point $\ZeroIsoP$, on a \swCurve $\CurveIsoP$
@ -12455,8 +12466,7 @@ Several fields are reordered and/or renamed relative to prior versions.}} %scale
  \item The total value in \zatoshi of \transparentOutputs from a \coinbaseTransaction\heartwood{, minus
        $\vBalance{Sapling}$,}\nufive{ minus $\vBalance{Orchard}$,} \MUSTNOT be greater than the value in
        \zatoshi of \minerSubsidy plus the \transactionFees paid by \transactions in this \block.
-  \item A \coinbaseTransaction \MUSTNOT have any \transparentInputs with non-null $\prevout$ fields,
-\notheartwood{
+  \item A \coinbaseTransaction \MUSTNOT have any \transparentInputs with non-null $\prevout$ fields,\notheartwood{
        \joinSplitDescriptions\sapling{, \spendDescriptions, or \outputDescriptions}.
 }
 \notbeforeheartwood{
@ -16554,6 +16564,7 @@ The \Sapling circuit does not use this optimization.}


 \introsection
+\vspace{-2ex}
 \lsubsubsubsection{ctEdwards [de]compression and validation}{ccteddecompressvalidate}

 \introlist
@ -16564,17 +16575,21 @@ as follows:
 \begin{algorithm}
  \item $\DecompressValidate(\tilde{u}, \varv):$
  \item \tab // Prover supplies the $u$-coordinate.
+             \vspace{-0.4ex}
  \item \tab Let $u \typecolon \GF{\ParamS{r}}$.
-             \vspace{1ex}
+             \vspace{0.8ex}
  \item \tab // \crossref{cctedvalidate}.
+             \vspace{-0.4ex}
  \item \tab Check that $(u, \varv)$ is a point on the \ctEdwardsCurve.
-             \vspace{1ex}
+             \vspace{0.8ex}
  \item \tab // \crossref{cctmodpack}.
+             \vspace{-0.4ex}
  \item \tab Unpack $u$ to $\ssum{i=0}{254} u_i \mult 2^i$, equating $\tilde{u}$ with $u_0$.
-             \vspace{1ex}
+             \vspace{0.8ex}
  \item \tab // \crossref{cctrange}.
+             \vspace{-0.4ex}
  \item \tab Check that $\ssum{i=0}{254} u_i \mult 2^i \leq \ParamS{r}-1$.
-             \vspace{1ex}
+             \vspace{0.6ex}
  \item \tab Return $(u, \varv)$.
 \end{algorithm}

@ -16585,6 +16600,7 @@ boolean-constraining $u_\barerange{0}{254}$.

 The same \quadraticConstraintProgram is used for compression and decompression.

+\vspace{-1ex}
 \nnote{
 The point-on-curve check could be omitted if $(u, \varv)$ were already known to be on the curve.
 However, the \Sapling circuit never omits it; this provides a consistency check on the elliptic
@ -16593,9 +16609,10 @@ curve arithmetic.


 \introlist
+\vspace{-1ex}
 \lsubsubsubsection{ctEdwards \lrarrow\ Montgomery conversion}{cctconversion}

-\vspace{-1ex}
+\vspace{-1.5ex}
 Define the notation $\possqrt{\,\paramdot\,}$ as in \crossref{notation}.

 Define $\CtEdwardsToMont \typecolon \AffineCtEdwardsJubjub \rightarrow \AffineMontJubjub$
@ -16608,6 +16625,7 @@ as follows:
 \end{formulae}

 \introlist
+\vspace{-0.5ex}
 Define $\MontToCtEdwards \typecolon \AffineMontJubjub \rightarrow \AffineCtEdwardsJubjub$
 as follows:

@ -17251,7 +17269,6 @@ The \windowedPedersenCommitments defined in the preceding section are
 highly efficient, but they do not support the homomorphic property we
 need when instantiating $\ValueCommitAlg{}$.

-\introsection
 In order to support this property, we also define \homomorphicPedersenCommitments
 as follows: