mirror of https://github.com/zcash/zips.git
Update algorithm for variable-base scalar multiplication to what is
implemented in sapling-crypto. Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood
parent
34bae57edb
commit
77ee3b4fc4
|
|
@ -1206,6 +1206,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\JubjubScalarThreshold}{2^{251}}
|
||||
|
||||
\newcommand{\Acc}{\mathsf{Acc}}
|
||||
\newcommand{\Base}{\mathsf{Base}}
|
||||
\newcommand{\Addend}{\mathsf{Addend}}
|
||||
\newcommand{\Sum}{\mathsf{Sum}}
|
||||
\newcommand{\ainv}{a_{\mathsf{inv}}}
|
||||
|
||||
|
|
@ -8186,20 +8188,25 @@ $750$ constraints.
|
|||
|
||||
When the base point $B$ is not fixed, the method in the preceding section
|
||||
cannot be used. Instead we use a naïve double-and-add method.
|
||||
\todo{change this to what is implemented by sapling-crypto.}
|
||||
|
||||
\introlist
|
||||
Given $k = \vsum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$ using:
|
||||
|
||||
\begin{formulae}
|
||||
\item $\Acc_u := k_{250} \bchoose B_u : 0$
|
||||
\item $\Acc_{\vv}\hairspace := k_{250} \bchoose B_{\vv} : 1$
|
||||
\item for $i$ from $249$ down to $0$:
|
||||
\item \tab $\Acc := \scalarmult{2}{\Acc}$
|
||||
\item \tab let $\Sum = \Acc + B$
|
||||
\item \tab // select $\Acc$ or $\Sum$ depending on the bit $k_i$
|
||||
\item \tab $\Acc_u := k_i \bchoose \Sum_u : \Acc_u$
|
||||
\item \tab $\Acc_{\vv}\hairspace := k_i \bchoose \Sum_{\vv} : \Acc_{\vv}$
|
||||
\item let $R = \Acc$.
|
||||
\item // $\Base^i = \scalarmult{2^i}{B}$
|
||||
\item let $\Base^0_u = B_u$
|
||||
\item let $\Base^0_{\vv}\hairspace = B_{\vv}$
|
||||
\item let $\Acc^0_u = k_0 \bchoose B_u : 0$
|
||||
\item let $\Acc^0_{\vv}\hairspace = k_0 \bchoose B_{\vv} : 1$
|
||||
\vspace{1ex}
|
||||
\item for $i$ from $1$ up to $250$:
|
||||
\item \tab let $\Base^i = \scalarmult{2}{\Base^{i-1}}$
|
||||
\vspace{1ex}
|
||||
\item \tab // select $\Base^i$ or $\ZeroJ$ depending on the bit $k_i$
|
||||
\item \tab let $\Addend^i_u = k_i \bchoose \Base^i_u : 0$
|
||||
\item \tab let $\Addend^i_{\vv}\hairspace = k_i \bchoose \Base^i_{\vv} : 1$
|
||||
\item \tab let $\Acc^i = \Acc^{i-1} + \Addend^i$
|
||||
\item let $R = \Acc^{250}$.
|
||||
\end{formulae}
|
||||
|
||||
This costs $5$ constraints for each of $250$ Edwards doublings, $6$ constraints for each
|
||||
|
|
|
|||
Loading…
Reference in New Issue