Add notes in each Appendix B that z_j may be sampled from {0 .. 2^{128}-1} instead of {1 .. 2^{128}-1}.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2021-10-05 17:42:49 +01:00
parent e539eeb9a8
commit 4da403f470
1 changed files with 23 additions and 0 deletions

@ -14499,6 +14499,14 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\lsection{Change History}{changehistory} \lsection{Change History}{changehistory}
\historyentry{2021.2.17}{}
\begin{itemize}
\item Add notes in\sapling{ \crossref{reddsabatchvalidate}, \crossref{grothbatchverify}, and}
\crossref{ed25519batchvalidate} that $z_j$ may be sampled from $\range{0}{2^{128}-1}$
instead of $\range{1}{2^{128}-1}$.
\end{itemize}
\historyentry{2021.2.16}{2021-09-30} \historyentry{2021.2.16}{2021-09-30}
\begin{itemize} \begin{itemize}
\nufive{ \nufive{
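Review bot: The new history item references \crossref{ed25519batchvalidate} unconditionally, while the other two cross-references sit inside \sapling{...}. The Ed25519 section touched in the last hunk ends with `} %canopy`, which suggests it only exists in builds that include Canopy. If that is so, put this reference under the matching conditional and reword the list so that a Sapling-only build does not end on "and" followed by an unresolved reference. Separately, `\historyentry{2021.2.17}{}` has an empty date argument where the 2021.2.16 entry carries `2021-09-30`; fill it in when the version is released.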
@ -18083,6 +18091,11 @@ Define $\RedDSABatchValidate \typecolon (\Entry{\barerange{0}{N-1}} \typecolon \
The $z_j$ values \MUST be chosen independently of the \sigBatchEntries. The $z_j$ values \MUST be chosen independently of the \sigBatchEntries.
\nnote{
It is also acceptable to sample each $z_j$ from $\range{0}{2^{128}-1}$, since the probability of obtaining
zero for any $z_j$ is negligible.
} %nnote
The performance benefit of this approach arises partly from replacing the per-signature The performance benefit of this approach arises partly from replacing the per-signature
scalar multiplication of the base $\GenG{}$ with one such multiplication per batch, scalar multiplication of the base $\GenG{}$ with one such multiplication per batch,
and partly from using an efficient algorithm for multiscalar multiplication such and partly from using an efficient algorithm for multiscalar multiplication such
@ -18183,6 +18196,11 @@ Define $\GrothSBatchVerify \typecolon (\Entry{\barerange{0}{N-1}} \typecolon \ty
The $z_j$ values \MUST be chosen independently of the \proofBatchEntries. The $z_j$ values \MUST be chosen independently of the \proofBatchEntries.
\nnote{
It is also acceptable to sample each $z_j$ from $\range{0}{2^{128}-1}$, since the probability of obtaining
zero for any $z_j$ is negligible.
} %nnote
The performance benefit of this approach arises from computing two of the three Miller loops, and The performance benefit of this approach arises from computing two of the three Miller loops, and
the final exponentation, per batch instead of per proof. For the multiplications by $z_j$, an efficient the final exponentation, per batch instead of per proof. For the multiplications by $z_j$, an efficient
algorithm for multiscalar multiplication such as Pippinger's method \cite{Bernstein2001} or the Bos--Coster algorithm for multiscalar multiplication such as Pippinger's method \cite{Bernstein2001} or the Bos--Coster
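Review bot: This \nnote is a verbatim copy of the one added for RedDSA batch validation and is repeated again in the Ed25519 hunk. Three identical paragraphs can drift apart on a later edit; consider defining the text once as a macro and invoking it in all three sections, or stating it in one section and cross-referencing it from the other two. While in this area, the unchanged context lines read "exponentation" and "Pippinger's", which look like typos for "exponentiation" and "Pippenger's".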
@ -18267,6 +18285,11 @@ Define $\EdSpecificBatchValidate \typecolon (\Entry{\barerange{0}{N-1}} \typecol
The $z_j$ values \MUST be chosen independently of the \sigBatchEntries. The $z_j$ values \MUST be chosen independently of the \sigBatchEntries.
\nnote{
It is also acceptable to sample each $z_j$ from $\range{0}{2^{128}-1}$, since the probability of obtaining
zero for any $z_j$ is negligible.
} %nnote
The performance benefits of this approach are the same as for \crossref{reddsabatchvalidate}. The performance benefits of this approach are the same as for \crossref{reddsabatchvalidate}.
} %canopy } %canopy
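Review bot: In the added \nnote, "the probability of obtaining zero for any $z_j$" can be read either as the chance for one given $z_j$ or as the chance that at least one of the $N$ values in the batch is zero. Both are negligible (the second is at most $N \cdot 2^{-128}$ for uniform samples), but the wording should pick one, for example "for each $z_j$" or "for at least one $z_j$ in the batch", so that the claim is unambiguous in a normative document.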