From 4da403f470c1708c807938359c284022fcb48f6f Mon Sep 17 00:00:00 2001
From: Daira Hopwood
Date: Tue, 5 Oct 2021 17:42:49 +0100
Subject: [PATCH] Add notes in each Appendix B that z_j may be sampled from {0 .. 2^{128}-1} instead of {1 .. 2^{128}-1}.
Signed-off-by: Daira Hopwood
---
 protocol/protocol.tex | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index 31397464..d765ff12 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -14499,6 +14499,14 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
 \lsection{Change History}{changehistory}
+\historyentry{2021.2.17}{}
+\begin{itemize}
+ \item Add notes in\sapling{ \crossref{reddsabatchvalidate}, \crossref{grothbatchverify}, and}
+ \crossref{ed25519batchvalidate} that $z_j$ may be sampled from $\range{0}{2^{128}-1}$
+ instead of $\range{1}{2^{128}-1}$.
+\end{itemize}
+
+
 \historyentry{2021.2.16}{2021-09-30}
 \begin{itemize}
 \nufive{
@@ -18083,6 +18091,11 @@ Define $\RedDSABatchValidate \typecolon (\Entry{\barerange{0}{N-1}} \typecolon \
 The $z_j$ values \MUST be chosen independently of the \sigBatchEntries.
+\nnote{
+It is also acceptable to sample each $z_j$ from $\range{0}{2^{128}-1}$, since the probability of obtaining
+zero for any $z_j$ is negligible.
+} %nnote
+
 The performance benefit of this approach arises partly from replacing the per-signature scalar multiplication of the base $\GenG{}$ with one such multiplication per batch, and partly from using an efficient algorithm for multiscalar multiplication such
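Review bot: The `\nnote` added after the `\RedDSABatchValidate` definition justifies allowing zero only by its probability and does not say what a zero $z_j$ does: since each entry is weighted by its $z_j$ (the batched equations are outside the hunk), entry $j$ would then contribute nothing and an invalid entry would go undetected. The negligible-probability argument holds only if each $z_j$ is drawn uniformly from a cryptographically secure source, so I would add a sentence such as `A zero $z_j$ removes entry $j$ from the batched check, so this relies on the $z_j$ being sampled uniformly at random.` The same paragraph is repeated verbatim in the `\GrothSBatchVerify` and `\EdSpecificBatchValidate` hunks, so the wording applies there too, and a shared macro would keep the three copies from drifting apart. The sampling requirement itself and the start of each definition lie outside the hunks, so the note should be checked against the range stated there.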
@@ -18183,6 +18196,11 @@ Define $\GrothSBatchVerify \typecolon (\Entry{\barerange{0}{N-1}} \typecolon \ty
 The $z_j$ values \MUST be chosen independently of the \proofBatchEntries.
+\nnote{
+It is also acceptable to sample each $z_j$ from $\range{0}{2^{128}-1}$, since the probability of obtaining
+zero for any $z_j$ is negligible.
+} %nnote
+
 The performance benefit of this approach arises from computing two of the three Miller loops, and the final exponentation, per batch instead of per proof. For the multiplications by $z_j$, an efficient algorithm for multiscalar multiplication such as Pippinger's method \cite{Bernstein2001} or the Bos--Coster
@@ -18267,6 +18285,11 @@ Define $\EdSpecificBatchValidate \typecolon (\Entry{\barerange{0}{N-1}} \typecol
 The $z_j$ values \MUST be chosen independently of the \sigBatchEntries.
+\nnote{
+It is also acceptable to sample each $z_j$ from $\range{0}{2^{128}-1}$, since the probability of obtaining
+zero for any $z_j$ is negligible.
+} %nnote
+
 The performance benefits of this approach are the same as for \crossref{reddsabatchvalidate}.
 } %canopy