Fix a typo in appendix B.2 and clarify the costs of Groth16 batch verification.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2019-02-22 13:42:53 +00:00
parent f3c5ed99e2
commit 7f435cd37d
1 changed files with 9 additions and 5 deletions

@ -9852,6 +9852,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
we refer to as $\Groth$.
\item Reference Mary Maller's security proof for $\Groth$ \cite{Maller2018}.
\item Correct [BGM2018] to \cite{BGM2017}.
\item Fix a typo in \crossref{grothbatchverify} and clarify the costs of $\Groth$
batch verification.
}
\end{itemize}
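Review bot: the new changelog \item says only "Fix a typo" without naming it. The fix changes the stated type of $z_j$ from \GFstar{\ParamG{r}} to \GFstar{\ParamS{r}}, so saying that in the entry would tell anyone who implemented batch verification from the earlier text whether they need to recheck their code.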
@ -12613,7 +12615,7 @@ Define $\GrothSBatchVerify \typecolon (\Entry{\barerange{0}{N-1}} \typecolon \ty
\begin{algorithm}
\item For each $j \in \range{0}{N-1}$:
\item \tab Let $((\Proof{j,A},\, \Proof{j,B},\, \Proof{j,C}),\; a_{j,\,\barerange{0}{\ell}}) = \Entry{j}$.
\item \tab Choose random $z_j \typecolon \GFstar{\ParamG{r}} \leftarrowR \range{1}{2^{128}-1}$.
\item \tab Choose random $z_j \typecolon \GFstar{\ParamS{r}} \leftarrowR \range{1}{2^{128}-1}$.
\item \vspace{-2ex}
\item \begin{tabular}{@{}l@{\;}l}
Let $\Accum{AB}$ &$= \sproduct{j=0}{N-1}{\MillerLoopS\Of{\scalarmult{z_j}{\Proof{j,A}}, -\Proof{j,B}}}$\,. \\[1.5ex]
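Review bot: on the "Choose random $z_j$" line, the corrected \ParamS{r} now agrees with the S-suffixed macros used elsewhere in this algorithm (\GrothSBatchVerify, \MillerLoopS), but the fix touches only this one line. Please check the rest of \crossref{grothbatchverify} for any other leftover \ParamG{r} or other G-suffixed macros, so the section does not mix parameters of two curves.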
@ -12652,10 +12654,12 @@ the cost of batched verification is therefore
\item for each proof: the cost of decoding the proof representation to the form $\GrothSProof$,
which requires three point decompressions and three subgroup checks (two for $\SubgroupSstar{1}$
and one for $\SubgroupSstar{2}$);
\item for each successfully decoded proof: a Miller loop; and a $128$-bit scalar multiplication by $z_j$;
\item for each verification key: two Miller loops; an exponentiation in $\SubgroupS{T}$; a multiscalar
multiplication with $N$ $128$-bit terms to compute $\Accum{\Delta}$; and a multiscalar multiplication
with $\ell+1$ $255$-bit terms to compute $\ssum{i=0}{\ell}{\scalarmult{\Accum{\Gamma,i}}{\Psi_i}}$;
\item for each successfully decoded proof: a Miller loop; and a $128$-bit scalar multiplication by $z_j$
in $\SubgroupS{1}$;
\item for each verification key: two Miller loops; an exponentiation in $\SubgroupS{T}$;
a multiscalar multiplication in $\SubgroupS{1}$ with $N$ $128$-bit scalars to compute $\Accum{\Delta}$;
and a multiscalar multiplication in $\SubgroupS{1}$ with $\ell+1$ $255$-bit scalars to compute
$\ssum{i=0}{\ell}{\scalarmult{\Accum{\Gamma,i}}{\Psi_i}}$;
\item one final exponentiation.
\end{itemize}
} %pnote
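Review bot: in the reworded per-proof item, "a $128$-bit scalar multiplication by $z_j$ in $\SubgroupS{1}$" reads as if $z_j$ were an element of $\SubgroupS{1}$, while $z_j$ is a scalar. The two per-verification-key items put the group first ("a multiscalar multiplication in $\SubgroupS{1}$ with ..."), so "a $128$-bit scalar multiplication in $\SubgroupS{1}$ by $z_j$" would match them. It would also help to say in the per-verification-key item that $N$ counts the proofs verified under that key, since the item is stated "for each verification key" while $N$ is defined as the number of entries in the batch.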