mirror of https://github.com/zcash/zips.git
Correct some uses of r_J that should have been r_S or q.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood
parent
dc41de37f3
commit
5524822ed5
|
|
@ -2165,7 +2165,7 @@ appropriate length given by the type of $a$.
|
|||
|
||||
\notsprout{
|
||||
$\ssqrt{a}$, where $a \typecolon \GF{q}$, means the positive
|
||||
(i.e.\ in the range $\range{0}{\hfrac{\ParamJ{r}-1}{2}}$)
|
||||
(i.e.\ in the range $\range{0}{\hfrac{q-1}{2}}$)
|
||||
square root of $a$ in $\GF{q}$. It is only used in cases where the
|
||||
square root must exist.
|
||||
|
||||
|
|
@ -4930,7 +4930,7 @@ For details of the form and encoding of \spendStatement proofs, see \crossref{gr
|
|||
|
||||
The $\ValueCommitOutput$ and $\SpendAuthSigPublic$ types also represent points, i.e. $\GroupJ$.
|
||||
\item In the Merkle path validity check, each \merkleLayer does \emph{not} check that its
|
||||
input bit sequence is a canonical encoding (in $\range{0}{\ParamJ{r}-1}$) of the integer
|
||||
input bit sequence is a canonical encoding (in $\range{0}{\ParamS{r}-1}$) of the integer
|
||||
from the previous \merkleLayer.
|
||||
\item It is \emph{not} checked in the \spendStatement that $\AuthSignRandomizedPublic$ is not of
|
||||
small order. However, this \emph{is} checked outside the \spendStatement, as specified in
|
||||
|
|
@ -6130,10 +6130,10 @@ $(D \typecolon \byteseq{8}$, $M \typecolon \bitseq{\PosInt})$ such that $\Select
|
|||
The latter can only be the affine-Edwards $u$-coordinate of a point in $\strut\GroupJ$.
|
||||
We show that there are no points in $\GroupJ$ with affine-Edwards $u$-coordinate $1$.
|
||||
Suppose for a contradiction that $(u, \varv) \in \GroupJ$ for $u = 1$ and some
|
||||
$\varv \typecolon \GF{\ParamJ{r}}$. By writing the curve equation as
|
||||
$\varv \typecolon \GF{\ParamS{r}}$. By writing the curve equation as
|
||||
$\varv^2 = (1 - \ParamJ{a} \smult u^2) / (1 - \ParamJ{d} \smult u^2)$, and noting that
|
||||
$1 - \ParamJ{d} \smult u^2 \neq 0$, we have $\varv^2 = (1 - \ParamJ{a}) / (1 - \ParamJ{d})$.
|
||||
The right-hand-side is a nonsquare in $\GF{\ParamJ{r}}$, so there are no solutions for $\varv$
|
||||
The right-hand-side is a nonsquare in $\GF{\ParamS{r}}$, so there are no solutions for $\varv$
|
||||
(contradiction).
|
||||
\end{proof}
|
||||
} %sapling
|
||||
|
|
@ -9776,6 +9776,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
\begin{itemize}
|
||||
\item No changes to \Sprout.
|
||||
\sapling{
|
||||
\item Correct some uses of $\ParamJ{r}$ that should have been $\ParamS{r}$ or $q$.
|
||||
\item Minor changes to avoid clashing notation, affecting extractors
|
||||
$\Extractor{\Adversary}$, Edwards curves $\Edwards{a,d}$, and Montgomery curves
|
||||
$\Montgomery{A,B}$.
|
||||
|
|
@ -10848,7 +10849,7 @@ the wrong answer. We must ensure that these cases do not arise.
|
|||
We will need the theorem below about $y$-coordinates of points on
|
||||
Montgomery curves.
|
||||
|
||||
\fact{$\ParamM{A}^2 - 4$ is a nonsquare in $\GF{\ParamJ{r}}$.}
|
||||
\fact{$\ParamM{A}^2 - 4$ is a nonsquare in $\GF{\ParamS{r}}$.}
|
||||
|
||||
\begin{theorem} \label{thmmontynotzero}
|
||||
Let $P = (x, y)$ be a point other than $(0, 0)$ on a Montgomery curve $\Montgomery{A,B}$
|
||||
|
|
|
|||
Loading…
Reference in New Issue