zec
/
zips
mirror of https://github.com/zcash/zips.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Cosmetics (pagination in Appendix A). 

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2018-08-16 12:03:55 +01:00
parent 2cf4dfacef
commit 5361fc591e
1 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
protocol/protocol.tex
View File

@ -10768,7 +10768,7 @@ This can be implemented in one constraint:
\end{pnotes} \end{pnotes}
\introsection \introlist
\subsubsubsection{Range check} \label{cctrange} \subsubsubsection{Range check} \label{cctrange}
Let $n \typecolon \PosInt$ be a constant, and let Let $n \typecolon \PosInt$ be a constant, and let
@ -10841,6 +10841,7 @@ Base case $m = n-1$: since $c_{n-1} = 1$, the constraint system has
just one boolean constraint on $a_{n-1}$, which fulfils the theorem since just one boolean constraint on $a_{n-1}$, which fulfils the theorem since
$A_{n-1} \leq C_{n-1}$ is always satisfied. $A_{n-1} \leq C_{n-1}$ is always satisfied.
\introlist
Inductive case $m < n-1$: Inductive case $m < n-1$:
\begin{itemize} \begin{itemize}
\item If $A_{m+1} > C_{m+1}$, then by the inductive hypothesis the constraint system \item If $A_{m+1} > C_{m+1}$, then by the inductive hypothesis the constraint system
@ -11238,7 +11239,7 @@ the additional complexity was not considered justified for \Sapling.
When the base point $B$ is not fixed, the method in the preceding section When the base point $B$ is not fixed, the method in the preceding section
cannot be used. Instead we use a naïve double-and-add method. cannot be used. Instead we use a naïve double-and-add method.
\begin{samepage} \intropart
Given $k = \vsum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$ using: Given $k = \vsum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$ using:
\begin{algorithm} \begin{algorithm}
@ -11256,7 +11257,6 @@ Given $k = \vsum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$
\item \tab let $\Acc_i = \Acc_{i-1} + \Addend_i$ \item \tab let $\Acc_i = \Acc_{i-1} + \Addend_i$
\item let $R = \Acc_{250}$. \item let $R = \Acc_{250}$.
\end{algorithm} \end{algorithm}
\end{samepage}
This costs $5$ constraints for each of $250$ Edwards doublings, $6$ constraints for each This costs $5$ constraints for each of $250$ Edwards doublings, $6$ constraints for each
of $250$ Edwards additions, and $2$ constraints for each of $251$ point selections, of $250$ Edwards additions, and $2$ constraints for each of $251$ point selections,
@ -11301,7 +11301,6 @@ as possible to be performed on the Montgomery curve. An incomplete
Montgomery addition costs $3$ constraints, in comparison with an Montgomery addition costs $3$ constraints, in comparison with an
Edwards addition which costs $6$ constraints. Edwards addition which costs $6$ constraints.
\introlist
However, we cannot do all additions on the Montgomery curve because the However, we cannot do all additions on the Montgomery curve because the
Montgomery addition is incomplete. In order to be able to prove that Montgomery addition is incomplete. In order to be able to prove that
exceptional cases do not occur, we need to ensure that the \distinctXCriterion exceptional cases do not occur, we need to ensure that the \distinctXCriterion
@ -11309,6 +11308,8 @@ from \crossref{cctmontarithmetic} is met. This requires splitting the
input into segments (each using an independent generator), calculating input into segments (each using an independent generator), calculating
an intermediate result for each segment, and then converting to the an intermediate result for each segment, and then converting to the
Edwards curve and summing the intermediate results using Edwards addition. Edwards curve and summing the intermediate results using Edwards addition.
\introlist
Abstracting away the changes of curve, this calculation can be written as: Abstracting away the changes of curve, this calculation can be written as:
\begin{formulae} \begin{formulae}
@ -11546,7 +11547,7 @@ The Initialization Vector is defined as:
\end{tabular} \end{tabular}
\vspace{2ex} \vspace{2ex}
\begin{samepage} \intropart
The full hash function applied to an $8$-byte personalization string and a single The full hash function applied to an $8$-byte personalization string and a single
$64$-byte block, in sequential mode with $32$-byte output, can be expressed as follows. $64$-byte block, in sequential mode with $32$-byte output, can be expressed as follows.
@ -11579,7 +11580,6 @@ Define $\BlakeTwos{256} \typecolon (p \typecolon \byteseq{8}) \times (x \typecol
\item \item
\item return $\LEBStoOSPOf{256}{\concatbits\Of{\listcomp{\ItoLEBSPOf{32}{h_i \xor v_i \xor v_{i+8}} \for i \from 0 \upto 7}}}$ \item return $\LEBStoOSPOf{256}{\concatbits\Of{\listcomp{\ItoLEBSPOf{32}{h_i \xor v_i \xor v_{i+8}} \for i \from 0 \upto 7}}}$
\end{formulae} \end{formulae}
\end{samepage}
In practice the message and output will be expressed as bit sequences. In the \Sapling In practice the message and output will be expressed as bit sequences. In the \Sapling
circuit, the personalization string will be constant for each use. circuit, the personalization string will be constant for each use.