diff --git a/protocol/protocol.tex b/protocol/protocol.tex index dd2e1087..f6e15e3a 100644 --- a/protocol/protocol.tex +++ b/protocol/protocol.tex @@ -1206,6 +1206,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg \newcommand{\JubjubScalarThreshold}{2^{251}} \newcommand{\Acc}{\mathsf{Acc}} +\newcommand{\Base}{\mathsf{Base}} +\newcommand{\Addend}{\mathsf{Addend}} \newcommand{\Sum}{\mathsf{Sum}} \newcommand{\ainv}{a_{\mathsf{inv}}} 
@@ -8186,20 +8188,25 @@ $750$ constraints. When the base point $B$ is not fixed, the method in the preceding section cannot be used. Instead we use a naïve double-and-add method. -\todo{change this to what is implemented by sapling-crypto.} +\introlist Given $k = \vsum{i=0}{250} k_i \smult 2^i$, we calculate $R = \scalarmult{k}{B}$ using: \begin{formulae} - \item $\Acc_u := k_{250} \bchoose B_u : 0$ - \item $\Acc_{\vv}\hairspace := k_{250} \bchoose B_{\vv} : 1$ - \item for $i$ from $249$ down to $0$: - \item \tab $\Acc := \scalarmult{2}{\Acc}$ - \item \tab let $\Sum = \Acc + B$ - \item \tab // select $\Acc$ or $\Sum$ depending on the bit $k_i$ - \item \tab $\Acc_u := k_i \bchoose \Sum_u : \Acc_u$ - \item \tab $\Acc_{\vv}\hairspace := k_i \bchoose \Sum_{\vv} : \Acc_{\vv}$ - \item let $R = \Acc$. + \item // $\Base^i = \scalarmult{2^i}{B}$ + \item let $\Base^0_u = B_u$ + \item let $\Base^0_{\vv}\hairspace = B_{\vv}$ + \item let $\Acc^0_u = k_0 \bchoose B_u : 0$ + \item let $\Acc^0_{\vv}\hairspace = k_0 \bchoose B_{\vv} : 1$ + \vspace{1ex} + \item for $i$ from $1$ up to $250$: + \item \tab let $\Base^i = \scalarmult{2}{\Base^{i-1}}$ + \vspace{1ex} + \item \tab // select $\Base^i$ or $\ZeroJ$ depending on the bit $k_i$ + \item \tab let $\Addend^i_u = k_i \bchoose \Base^i_u : 0$ + \item \tab let $\Addend^i_{\vv}\hairspace = k_i \bchoose \Base^i_{\vv} : 1$ + \item \tab let $\Acc^i = \Acc^{i-1} + \Addend^i$ + \item let $R = \Acc^{250}$. \end{formulae} This costs $5$ constraints for each of $250$ Edwards doublings, $6$ constraints for each
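Review bot: the new macros \Base and \Addend are defined here, but \ZeroJ, which the rewritten formulae in protocol.tex use for the identity point, is not added in this hunk; confirm it is already defined elsewhere in the preamble, otherwise the build will fail on the "// select $\Base^i$ or $\ZeroJ$" line.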
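Review bot: the unchanged lead-in still says "we use a naïve double-and-add method", but the new formulae no longer double the accumulator; they double the base point ($\Base^i = \scalarmult{2}{\Base^{i-1}}$) and unconditionally add a selected addend ($\Addend^i$, either $\Base^i$ or $\ZeroJ$), so the sentence should be reworded to match (e.g. "we double the base point and conditionally add it"). The cost sentence that follows the list should also be rechecked against the new structure: it now performs $250$ doublings of $\Base$, $250$ additions $\Acc^{i-1} + \Addend^i$, and a pair of bit-selections for each of the $251$ bits $k_0 \ldots k_{250}$, whereas the old loop did $250$ doublings and selected between $\Acc$ and $\Sum$. Since the selected addend can be $\ZeroJ$, the addition formula relied on must be the complete one for the curve; a brief note to that effect next to "let $\Acc^i = \Acc^{i-1} + \Addend^i$" would make the correctness argument explicit. Finally, the \todo pointing at sapling-crypto is removed, so the commit should state that these formulae are now what sapling-crypto implements.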