mirror of https://github.com/zcash/zips.git
Specify G_2 more precisely.
(We use the same notation as in [BGG2016], but explicitly give the representation of xi as a polynomial modulo t^2 + 1, which is taken from 71883bc168/src/algebra/curves/alt_bn128/alt_bn128_init.cpp (L135).)
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent 6e63920461
commit 63e5bba91a
@ -2795,10 +2795,11 @@ The pairing is of type $\GroupG{1} \times \GroupG{2} \rightarrow \GroupG{T}$, wh
\begin{itemize}
\item $\GroupG{1}$ is a Barreto--Naehrig curve over $\GF{q}$ with equation
$y^2 = x^3 + b$. This curve has embedding degree 12 with respect to $r$.
\item $\GroupG{2}$ is the subgroup of order $r$ in the twisted Barreto-Naehrig curve
over $\GF{q^2}$ with equation $y^2 = x^3 + \frac{b}{x \mult i}$. We represent elements
\item $\GroupG{2}$ is the subgroup of order $r$ in the sextic twist of $\GroupG{1}$
over $\GF{q^2}$ with equation $y^2 = x^3 + \frac{b}{\xi}$, where
$\xi \typecolon \GF{q^2}$. We represent elements
of $\GF{q^2}$ as polynomials $a_1 \mult t + a_0 \typecolon \GF{q}[t]$, modulo the
irreducible polynomial $t^2 + 1$.
irreducible polynomial $t^2 + 1$; in this representation, $\xi$ is given by $t + 9$.
\item $\GroupG{T}$ is $\mu_r$, the subgroup of $r^\mathrm{th}$ roots of unity in
$\GFstar{q^{12}}$.
\end{itemize}
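Review bot: the new wording "sextic twist of $\GroupG{1}$" applies the twist to a group, while the first item defines $\GroupG{1}$ as the Barreto--Naehrig curve itself; "sextic twist of the curve $\GroupG{1}$" (or naming the curve separately from its order-$r$ subgroup, as the $\GroupG{2}$ item already does for the twist) would keep the two notions apart. The added clause "$\xi$ is given by $t + 9$" pins down the representation, which is the point of the change, but the hunk does not say what property of $\xi$ makes $y^2 = x^3 + \frac{b}{\xi}$ the correct twist, nor where the value comes from; the commit message cites the alt_bn128 initialisation source, and carrying that reference (or the defining property of $\xi$) into the spec text would let an implementer verify the constant rather than copy it.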
@ -4089,6 +4090,7 @@ The errors in the proof of Ledger Indistinguishability mentioned in
\begin{itemize}
\item Specify the security requirements on the $\SHAName$ function in order
for the scheme in \crossref{concretecomm} to be a secure commitment.
\item Specify $\GroupG{2}$ more precisely.
\end{itemize}
\introlist
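Review bot: the added item "Specify $\GroupG{2}$ more precisely." records that something changed but not what (the twist equation now uses $\xi$ and $\xi$ is fixed as $t + 9$) or where; the preceding item in the same list points at its section with \crossref{concretecomm}, so this entry should carry a \crossref to the pairing section it modifies so readers of the change list can find the new definition.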