mirror of https://github.com/zcash/zips.git
Cosmetics (pagination in Appendix A).
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent 2cf4dfacef
commit 5361fc591e
|
@ -10768,7 +10768,7 @@ This can be implemented in one constraint:
|
|||
\end{pnotes}
|
||||
|
||||
|
||||
\introsection
|
||||
\introlist
|
||||
\subsubsubsection{Range check} \label{cctrange}
|
||||
|
||||
Let $n \typecolon \PosInt$ be a constant, and let
|
||||
|
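Review bot: a list-intro macro directly in front of the \subsubsubsection{Range check} heading needs a word of explanation. The header gives 7 lines on both sides, so of \introsection and \introlist one replaces the other here, and the line that follows is a section heading, not a list. If \introlist is the one kept, and only for its page-break behaviour, say so in a short % comment beside it so that a later edit does not switch it back.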
@ -10841,6 +10841,7 @@ Base case $m = n-1$: since $c_{n-1} = 1$, the constraint system has
|
|||
just one boolean constraint on $a_{n-1}$, which fulfils the theorem since
|
||||
$A_{n-1} \leq C_{n-1}$ is always satisfied.
|
||||
|
||||
\introlist
|
||||
Inductive case $m < n-1$:
|
||||
\begin{itemize}
|
||||
\item If $A_{m+1} > C_{m+1}$, then by the inductive hypothesis the constraint system
|
||||
|
@ -11238,7 +11239,7 @@ the additional complexity was not considered justified for \Sapling.
|
|||
When the base point $B$ is not fixed, the method in the preceding section
|
||||
cannot be used. Instead we use a naïve double-and-add method.
|
||||
|
||||
\begin{samepage}
|
||||
\intropart
|
||||
Given $k = \vsum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$ using:
|
||||
|
||||
\begin{algorithm}
|
||||
|
@ -11256,7 +11257,6 @@ Given $k = \vsum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$
|
|||
\item \tab let $\Acc_i = \Acc_{i-1} + \Addend_i$
|
||||
\item let $R = \Acc_{250}$.
|
||||
\end{algorithm}
|
||||
\end{samepage}
|
||||
|
||||
This costs $5$ constraints for each of $250$ Edwards doublings, $6$ constraints for each
|
||||
of $250$ Edwards additions, and $2$ constraints for each of $251$ point selections,
|
||||
|
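Review bot: the \end{samepage} after \end{algorithm} is the closing half of an environment whose \begin{samepage} sits in the previous hunk (@ -11238), so the two edits are only correct as a pair. The header here goes from 7 lines to 6, which fits the closing line being dropped, and the earlier hunk keeps its line count while showing both \begin{samepage} and \intropart. Please confirm with a build that no unmatched samepage remains, and check in the PDF that the algorithm from "Given $k = ...$" through "let $R = \Acc_{250}$" still lands on one page, since that now depends on what \intropart does and no longer on the environment.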
@ -11301,7 +11301,6 @@ as possible to be performed on the Montgomery curve. An incomplete
|
|||
Montgomery addition costs $3$ constraints, in comparison with an
|
||||
Edwards addition which costs $6$ constraints.
|
||||
|
||||
\introlist
|
||||
However, we cannot do all additions on the Montgomery curve because the
|
||||
Montgomery addition is incomplete. In order to be able to prove that
|
||||
exceptional cases do not occur, we need to ensure that the \distinctXCriterion
|
||||
|
@ -11309,6 +11308,8 @@ from \crossref{cctmontarithmetic} is met. This requires splitting the
|
|||
input into segments (each using an independent generator), calculating
|
||||
an intermediate result for each segment, and then converting to the
|
||||
Edwards curve and summing the intermediate results using Edwards addition.
|
||||
|
||||
\introlist
|
||||
Abstracting away the changes of curve, this calculation can be written as:
|
||||
|
||||
\begin{formulae}
|
||||
|
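Review bot: the empty line in front of \introlist, before "Abstracting away the changes of curve", is more than a pagination change. The header goes from 6 lines to 8, which fits the blank line and \introlist both being new, and a blank line in LaTeX source starts a new paragraph, so this sentence is now separated from "Edwards curve and summing the intermediate results using Edwards addition." in the typeset text. If the paragraph break is wanted, mention it in the commit message; if not, drop the blank line and keep only \introlist.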
@ -11546,7 +11547,7 @@ The Initialization Vector is defined as:
|
|||
\end{tabular}
|
||||
|
||||
\vspace{2ex}
|
||||
\begin{samepage}
|
||||
\intropart
|
||||
The full hash function applied to an $8$-byte personalization string and a single
|
||||
$64$-byte block, in sequential mode with $32$-byte output, can be expressed as follows.
|
||||
|
||||
|
@ -11579,7 +11580,6 @@ Define $\BlakeTwos{256} \typecolon (p \typecolon \byteseq{8}) \times (x \typecol
|
|||
\item
|
||||
\item return $\LEBStoOSPOf{256}{\concatbits\Of{\listcomp{\ItoLEBSPOf{32}{h_i \xor v_i \xor v_{i+8}} \for i \from 0 \upto 7}}}$
|
||||
\end{formulae}
|
||||
\end{samepage}
|
||||
|
||||
In practice the message and output will be expressed as bit sequences. In the \Sapling
|
||||
circuit, the personalization string will be constant for each use.
|
||||
|
|