mirror of https://github.com/zcash/zips.git
Cosmetics.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood
parent
96cfbe9232
commit
7cde004f83
|
|
@ -1149,9 +1149,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
|
|||
\newcommand{\Curve}{E}
|
||||
\newcommand{\Zero}{\mathcal{O}}
|
||||
\newcommand{\Generator}{\mathcal{P}}
|
||||
\newcommand{\Selectu}{\scalebox{1.52}{$u$}}
|
||||
\newcommand{\Selectu}{\scalebox{1.53}{$u$}}
|
||||
\newcommand{\SelectuOf}[1]{\Selectu\!\left({#1}\right)\!}
|
||||
\newcommand{\Selectv}{\scalebox{1.52}{$\varv$}}
|
||||
\newcommand{\Selectv}{\scalebox{1.53}{$\varv$}}
|
||||
\newcommand{\SelectvOf}[1]{\Selectv\!\left({#1}\right)\!}
|
||||
|
||||
\newcommand{\ParamP}[1]{{{#1}_\mathbb{P}}}
|
||||
|
|
@ -2406,8 +2406,8 @@ $\SigVerify{\vk}(m, s) = 1$.
|
|||
\item one called $\JoinSplitSig$ (instantiated in \crossref{concretejssig}),
|
||||
which is used to sign \transactions that contain at least one
|
||||
\joinSplitDescription\sprout{.}\notsprout{;}
|
||||
\saplingonwarditem{one called $\SpendAuthSig$ (instantiated
|
||||
in \crossref{concretespendauthsig}), which is used to sign authorizations of
|
||||
\saplingonwarditem{one called $\SpendAuthSig$ (instantiated in
|
||||
\crossref{concretespendauthsig}), which is used to sign authorizations of
|
||||
\spendDescriptions.}
|
||||
\end{itemize}
|
||||
|
||||
|
|
@ -3124,7 +3124,7 @@ $(\Diversifier, \DiversifiedTransmitPublic)$, and then performs the following st
|
|||
|
||||
\begin{enumerate}
|
||||
\item Check that $\DiversifiedTransmitPublic$ is a valid compressed representation of
|
||||
an Edwards point on the $\JubjubCurve$ curve and this point is not of small order
|
||||
an Edwards point on the \jubjubCurve and this point is not of small order
|
||||
(i.e. $\abstJOf{\DiversifiedTransmitPublic} \neq \bot$ and
|
||||
$\scalarmult{8}{\abstJOf{\DiversifiedTransmitPublic}} \neq \ZeroJ$).
|
||||
|
||||
|
|
@ -4021,7 +4021,7 @@ the same effect as using that feature.
|
|||
|
||||
$\PedersenHash$ is an algebraic hash function with collision resistance
|
||||
(for fixed input length) derived from assumed hardness of the
|
||||
Discrete Logarithm Problem on the $\JubjubCurve$ curve.
|
||||
Discrete Logarithm Problem on the \jubjubCurve.
|
||||
It is based on the work of David Chaum, Ivan Damgård, Jeroen van de Graaf,
|
||||
Jurjen Bos, George Purdy, Eugène van Heijst and Birgit Pfitzmann in
|
||||
\cite{CDG1987}, \cite{BCP1988} and \cite{CvHP1991},
|
||||
|
|
@ -4202,7 +4202,7 @@ Let $\powcount(g) := \Justthebox{\powcountbox}$.
|
|||
|
||||
\vspace{2ex}
|
||||
\introlist
|
||||
% Blech. Dijkstra was right \cite{EWD831}.
|
||||
% Blech. Dijkstra was right \cite{EWD-831}.
|
||||
Let $\EquihashGen{n, k}(S, i) := T_\barerange{h+1}{h+n}$, where
|
||||
\begin{formulae}
|
||||
\item $m := \floor{\frac{512}{n}}$;
|
||||
|
|
@ -4619,7 +4619,7 @@ The encoding of a public key is as defined in \cite{BDLSY2012}.
|
|||
$\SpendAuthSig$ is specified in \crossref{abstractsig}.
|
||||
|
||||
It is instantiated as EdJubjub, which is defined as $\EdDSA$ \cite{BJLSY2015} over the
|
||||
$\JubjubCurve$ curve which these additional constraints: \todo{...}
|
||||
\jubjubCurve which these additional constraints: \todo{...}
|
||||
|
||||
\cite{FKMSSS2016}
|
||||
} %sapling
|
||||
|
|
@ -4673,7 +4673,7 @@ The leading byte of the $\SHAFull$ input is $\hexint{B0}$.
|
|||
|
||||
We construct \quotedterm{windowed} \xPedersenCommitments by reusing the \xPedersenHash
|
||||
construction from \crossref{concretepedersenhash}, and adding a randomized point
|
||||
on the $\JubjubCurve$ curve (see \crossref{jubjub}):
|
||||
on the \jubjubCurve (see \crossref{jubjub}):
|
||||
|
||||
\begin{formulae}
|
||||
\item $\WindowedPedersenCommit{r}(D, s) :=
|
||||
|
|
@ -5100,7 +5100,7 @@ Therefore, $-\varv \neq \varv$.
|
|||
Now suppose $(u, -\varv) = Q$ is a point in $G$. Then by applying the
|
||||
doubling formula we have $\scalarmult{2}{Q} = -\scalarmult{2}{P}$.
|
||||
But also $\scalarmult{2}{(-P)} = -\scalarmult{2}{P}$. Therefore either
|
||||
$Q = -P$ (then $\SelectvOf{Q} = \SelectvOf{-P}$; contradiction since
|
||||
$Q = -P$ (then $\SelectvOf{Q} = \SelectvOf{-P}$\,; contradiction since
|
||||
$-\varv \neq \varv$), or doubling is not injective on $G$ (contradiction
|
||||
since $G$ is of odd order \cite{KvE2013}).
|
||||
\end{proof}
|
||||
|
|
@ -5665,7 +5665,7 @@ For \incomingViewingKeys on the test network, the \humanReadablePart is \ascii{z
|
|||
A \Sapling \fullViewingKey consists of $\AuthSignPublic \typecolon \GroupJ$
|
||||
and $\AuthProvePublic \typecolon \GroupJ$.
|
||||
|
||||
$\AuthSignPublic$ and $\AuthProvePublic$ are points on the $\JubjubCurve$ curve
|
||||
$\AuthSignPublic$ and $\AuthProvePublic$ are points on the \jubjubCurve
|
||||
(see \crossref{jubjub}). They are derived as described in \crossref{saplingkeycomponents}.
|
||||
|
||||
\introlist
|
||||
|
|
@ -6017,12 +6017,12 @@ A value $\vpubOld$ that the \joinSplitTransfer removes from the \transparentValu
|
|||
$8$ & $\vpubNewField$ & \type{uint64\_t} & A value $\vpubNew$ that the \joinSplitTransfer inserts
|
||||
into the \transparentValuePool. \\ \hline
|
||||
|
||||
$32$ & $\anchorField$ & \type{char[32]} & A merkle root $\rt$ of the \SproutOrNothing
|
||||
\noteCommitmentTree at some \blockHeight in the past, or the merkle root produced by a previous
|
||||
$32$ & $\anchorField$ & \type{char[32]} & A \merkleRoot $\rt$ of the \SproutOrNothing
|
||||
\noteCommitmentTree at some \blockHeight in the past, or the \merkleRoot produced by a previous
|
||||
\joinSplitTransfer in this \transaction. \\ \hline
|
||||
|
||||
$64$ & $\nullifiersField$ & \type{char[32][$\NOld$]} & A sequence of \nullifiers of the input
|
||||
\notes $\nfOld{\allOld}$. \\ \hline
|
||||
\notes $\nfOld{\allOld}$. \\[0.4ex] \hline
|
||||
|
||||
$64$ & $\commitments$ & \type{char[32][$\NNew$]} & A sequence of \noteCommitments for the
|
||||
output \notes $\cmNew{\allNew}$. \\ \hline
|
||||
|
|
@ -7067,7 +7067,7 @@ The motivations for this change were as follows:
|
|||
We believe that Curve25519 has significant side-channel resistance,
|
||||
performance, implementation complexity, and robustness advantages
|
||||
over most other available curve choices, as explained in \cite{Bern2006}.
|
||||
\sapling{For \Sapling, the $\JubjubCurve$ curve was designed according to a
|
||||
\sapling{For \Sapling, the \jubjubCurve was designed according to a
|
||||
similar design process following the ``Safe curves'' criteria
|
||||
\cite{BL-SafeCurves} \cite{GitHub-jubjub}.
|
||||
This retains Curve25519's advantages while keeping \paymentAddress sizes
|
||||
|
|
@ -7414,7 +7414,7 @@ Daira Hopwood, Sean Bowe, and Jack Grigg.
|
|||
``roadblock'' attack.
|
||||
\sapling{
|
||||
\item Update some explanations of changes from \Zerocash for \Sapling.
|
||||
\item Add a description of the $\JubjubCurve$ curve.
|
||||
\item Add a description of the \jubjubCurve.
|
||||
\item Add an acknowledgement to George Tankersley.
|
||||
\item Add an appendix on the design of the \Sapling circuits at the
|
||||
\quadraticArithmeticProgram level.
|
||||
|
|
@ -8132,7 +8132,7 @@ has no solutions for $y$, hence $x + 1 \neq 0$.
|
|||
\end{proof}
|
||||
|
||||
(The complete twisted Edwards curve referred to in the proof is an
|
||||
isomorphic $y$-coordinate rescaling of the $\JubjubCurve$ curve.)
|
||||
isomorphic $y$-coordinate rescaling of the \jubjubCurve.)
|
||||
|
||||
|
||||
\introsection
|
||||
|
|
|
|||
Loading…
Reference in New Issue