From 5361fc591edf1492a43f47466f08d7e47b90cb2d Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Thu, 16 Aug 2018 12:03:55 +0100 Subject: [PATCH] Cosmetics (pagination in Appendix A). Signed-off-by: Daira Hopwood --- protocol/protocol.tex | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/protocol/protocol.tex b/protocol/protocol.tex index 15e27e15..0802d60b 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -10768,7 +10768,7 @@ This can be implemented in one constraint: \end{pnotes} -\introsection +\introlist \subsubsubsection{Range check} \label{cctrange} Let $n \typecolon \PosInt$ be a constant, and let @@ -10841,6 +10841,7 @@ Base case $m = n-1$: since $c_{n-1} = 1$, the constraint system has just one boolean constraint on $a_{n-1}$, which fulfils the theorem since $A_{n-1} \leq C_{n-1}$ is always satisfied. +\introlist Inductive case $m < n-1$: \begin{itemize} \item If $A_{m+1} > C_{m+1}$, then by the inductive hypothesis the constraint system @@ -11238,7 +11239,7 @@ the additional complexity was not considered justified for \Sapling. When the base point $B$ is not fixed, the method in the preceding section cannot be used. Instead we use a naïve double-and-add method. -\begin{samepage} +\intropart Given $k = \vsum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$ using: \begin{algorithm} @@ -11256,7 +11257,6 @@ Given $k = \vsum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$ \item \tab let $\Acc_i = \Acc_{i-1} + \Addend_i$ \item let $R = \Acc_{250}$. \end{algorithm} -\end{samepage} This costs $5$ constraints for each of $250$ Edwards doublings, $6$ constraints for each of $250$ Edwards additions, and $2$ constraints for each of $251$ point selections, 
@@ -11301,7 +11301,6 @@ as possible to be performed on the Montgomery curve. An incomplete Montgomery addition costs $3$ constraints, in comparison with an Edwards addition which costs $6$ constraints. -\introlist However, we cannot do all additions on the Montgomery curve because the Montgomery addition is incomplete. In order to be able to prove that exceptional cases do not occur, we need to ensure that the \distinctXCriterion @@ -11309,6 +11308,8 @@ from \crossref{cctmontarithmetic} is met. This requires splitting the input into segments (each using an independent generator), calculating an intermediate result for each segment, and then converting to the Edwards curve and summing the intermediate results using Edwards addition. + +\introlist Abstracting away the changes of curve, this calculation can be written as: \begin{formulae} @@ -11546,7 +11547,7 @@ The Initialization Vector is defined as: \end{tabular} \vspace{2ex} -\begin{samepage} +\intropart The full hash function applied to an $8$-byte personalization string and a single $64$-byte block, in sequential mode with $32$-byte output, can be expressed as follows. @@ -11579,7 +11580,6 @@ Define $\BlakeTwos{256} \typecolon (p \typecolon \byteseq{8}) \times (x \typecol \item \item return $\LEBStoOSPOf{256}{\concatbits\Of{\listcomp{\ItoLEBSPOf{32}{h_i \xor v_i \xor v_{i+8}} \for i \from 0 \upto 7}}}$ \end{formulae} -\end{samepage} In practice the message and output will be expressed as bit sequences. In the \Sapling circuit, the personalization string will be constant for each use.
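Review bot: In the hunk at line 10768, `\introlist` now sits directly before `\subsubsubsection{Range check}`, which is a heading and not a list, where `\introsection` stood before. The definitions of both macros are outside this patch, so if the swap is meant to reserve less space ahead of this heading, a one-line comment in the source saying so would keep a later editor from changing it back on the strength of the macro name.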
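Review bot: In the hunks at lines 11238/11256 and 11546/11579, the `samepage` environment that enclosed the whole double-and-add algorithm and the whole $\BlakeTwos{256}$ definition is replaced by a single `\intropart` at the start of each block, and nothing in this patch shows that `\intropart` keeps the rest of the block together. Please confirm in the rendered PDF that neither block can split across pages, in particular that `let $R = \Acc_{250}$` and the final `return` line are not separated from the steps they depend on; if a split is acceptable here, say so in the commit message.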
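Review bot: In the hunk at line 11309, the added blank line before `\introlist` starts a new paragraph at "Abstracting away the changes of curve", where the old source ran that sentence on from "summing the intermediate results using Edwards addition." That changes the paragraph structure as well as the pagination. If only the break point is meant to move, drop the blank line; if the new paragraph is intended, it is worth naming in the commit message alongside the pagination change.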