Add notes in each Appendix B that z_j may be sampled from {0 .. 2^{128}-1} instead of {1 .. 2^{128}-1}.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2021-10-05 17:42:49 +01:00
parent e539eeb9a8
commit 4da403f470
1 changed files with 23 additions and 0 deletions

@ -14499,6 +14499,14 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\lsection{Change History}{changehistory}
\historyentry{2021.2.17}{}
\begin{itemize}
\item Add notes in\sapling{ \crossref{reddsabatchvalidate}, \crossref{grothbatchverify}, and}
\crossref{ed25519batchvalidate} that $z_j$ may be sampled from $\range{0}{2^{128}-1}$
instead of $\range{1}{2^{128}-1}$.
\end{itemize}
\historyentry{2021.2.16}{2021-09-30}
\begin{itemize}
\nufive{
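Review bot: In the new 2021.2.17 history item, \crossref{ed25519batchvalidate} is emitted unconditionally, while the two Sapling references are guarded by \sapling{...}. The last hunk shows the Ed25519 batch validation text closing with "} %canopy", so if \canopy can ever drop its argument this reference would dangle; consider guarding it with \canopy{...} in the same way. The date argument of \historyentry{2021.2.17}{} is also empty and needs filling in before this version is published.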
@ -18083,6 +18091,11 @@ Define $\RedDSABatchValidate \typecolon (\Entry{\barerange{0}{N-1}} \typecolon \
The $z_j$ values \MUST be chosen independently of the \sigBatchEntries.
\nnote{
It is also acceptable to sample each $z_j$ from $\range{0}{2^{128}-1}$, since the probability of obtaining
zero for any $z_j$ is negligible.
} %nnote
The performance benefit of this approach arises partly from replacing the per-signature
scalar multiplication of the base $\GenG{}$ with one such multiplication per batch,
and partly from using an efficient algorithm for multiscalar multiplication such
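Review bot: The \nnote added after the \MUST sentence justifies the wider range only by calling the probability of zero negligible, and gives neither the bound nor the consequence. Suggest stating that a $z_j$ sampled uniformly from $\range{0}{2^{128}-1}$ is zero with probability $2^{-128}$, and that a zero $z_j$ removes entry $j$ from the combined check, so that signature would not be validated. That makes explicit what an implementation accepts by using the wider range.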
@ -18183,6 +18196,11 @@ Define $\GrothSBatchVerify \typecolon (\Entry{\barerange{0}{N-1}} \typecolon \ty
The $z_j$ values \MUST be chosen independently of the \proofBatchEntries.
\nnote{
It is also acceptable to sample each $z_j$ from $\range{0}{2^{128}-1}$, since the probability of obtaining
zero for any $z_j$ is negligible.
} %nnote
The performance benefit of this approach arises from computing two of the three Miller loops, and
the final exponentation, per batch instead of per proof. For the multiplications by $z_j$, an efficient
algorithm for multiscalar multiplication such as Pippinger's method \cite{Bernstein2001} or the Bos--Coster
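Review bot: The unchanged context directly after the new note has two misspellings that could be fixed while this paragraph is being touched: "exponentation" should be "exponentiation" and "Pippinger's" should be "Pippenger's". The note text is word for word the one added for \RedDSABatchValidate; if it is extended to say what a zero $z_j$ means, the wording here should refer to a proof being left unverified rather than a signature.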
@ -18267,6 +18285,11 @@ Define $\EdSpecificBatchValidate \typecolon (\Entry{\barerange{0}{N-1}} \typecol
The $z_j$ values \MUST be chosen independently of the \sigBatchEntries.
\nnote{
It is also acceptable to sample each $z_j$ from $\range{0}{2^{128}-1}$, since the probability of obtaining
zero for any $z_j$ is negligible.
} %nnote
The performance benefits of this approach are the same as for \crossref{reddsabatchvalidate}.
} %canopy
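Review bot: The \nnote added before "The performance benefits of this approach..." is a verbatim copy of the note in the \RedDSABatchValidate and \GrothSBatchVerify hunks, so the same three lines now live in three places. Consider defining the note once as a macro and invoking it in each section, so that a later wording change cannot leave the three copies inconsistent.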