mirror of https://github.com/zcash/zips.git
Fix a typo in appendix B.2 and clarify the costs of Groth16 batch verification.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
parent
f3c5ed99e2
commit
7f435cd37d
|
@ -9852,6 +9852,8 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
|||
we refer to as $\Groth$.
|
||||
\item Reference Mary Maller's security proof for $\Groth$ \cite{Maller2018}.
|
||||
\item Correct [BGM2018] to \cite{BGM2017}.
|
||||
\item Fix a typo in \crossref{grothbatchverify} and clarify the costs of $\Groth$
|
||||
batch verification.
|
||||
}
|
||||
\end{itemize}
|
||||
|
||||
|
@ -12613,7 +12615,7 @@ Define $\GrothSBatchVerify \typecolon (\Entry{\barerange{0}{N-1}} \typecolon \ty
|
|||
\begin{algorithm}
|
||||
\item For each $j \in \range{0}{N-1}$:
|
||||
\item \tab Let $((\Proof{j,A},\, \Proof{j,B},\, \Proof{j,C}),\; a_{j,\,\barerange{0}{\ell}}) = \Entry{j}$.
|
||||
\item \tab Choose random $z_j \typecolon \GFstar{\ParamG{r}} \leftarrowR \range{1}{2^{128}-1}$.
|
||||
\item \tab Choose random $z_j \typecolon \GFstar{\ParamS{r}} \leftarrowR \range{1}{2^{128}-1}$.
|
||||
\item \vspace{-2ex}
|
||||
\item \begin{tabular}{@{}l@{\;}l}
|
||||
Let $\Accum{AB}$ &$= \sproduct{j=0}{N-1}{\MillerLoopS\Of{\scalarmult{z_j}{\Proof{j,A}}, -\Proof{j,B}}}$\,. \\[1.5ex]
|
||||
|
@ -12652,10 +12654,12 @@ the cost of batched verification is therefore
|
|||
\item for each proof: the cost of decoding the proof representation to the form $\GrothSProof$,
|
||||
which requires three point decompressions and three subgroup checks (two for $\SubgroupSstar{1}$
|
||||
and one for $\SubgroupSstar{2}$);
|
||||
\item for each successfully decoded proof: a Miller loop; and a $128$-bit scalar multiplication by $z_j$;
|
||||
\item for each verification key: two Miller loops; an exponentiation in $\SubgroupS{T}$; a multiscalar
|
||||
multiplication with $N$ $128$-bit terms to compute $\Accum{\Delta}$; and a multiscalar multiplication
|
||||
with $\ell+1$ $255$-bit terms to compute $\ssum{i=0}{\ell}{\scalarmult{\Accum{\Gamma,i}}{\Psi_i}}$;
|
||||
\item for each successfully decoded proof: a Miller loop; and a $128$-bit scalar multiplication by $z_j$
|
||||
in $\SubgroupS{1}$;
|
||||
\item for each verification key: two Miller loops; an exponentiation in $\SubgroupS{T}$;
|
||||
a multiscalar multiplication in $\SubgroupS{1}$ with $N$ $128$-bit scalars to compute $\Accum{\Delta}$;
|
||||
and a multiscalar multiplication in $\SubgroupS{1}$ with $\ell+1$ $255$-bit scalars to compute
|
||||
$\ssum{i=0}{\ell}{\scalarmult{\Accum{\Gamma,i}}{\Psi_i}}$;
|
||||
\item one final exponentiation.
|
||||
\end{itemize}
|
||||
} %pnote
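Review bot: The corrected line `Choose random $z_j \typecolon \GFstar{\ParamS{r}} \leftarrowR \range{1}{2^{128}-1}$` in the second hunk fixes the group parameter, but the visible lines do not say how the $z_j$ must be sampled. The soundness of folding $N$ pairing checks into one rests on each $z_j$ being unpredictable to whoever supplied the proofs, so it should come from a cryptographically secure generator and be fixed only after the batch entries are. If the rest of the algorithm does not already state this, a sentence after it such as `The $z_j$ values must be chosen independently of the batch entries.` would make the requirement explicit for implementers. The algorithm environment opens in this hunk and continues past its last line, so the requirement may already be stated outside the view. The revised cost list in the third hunk could then also mention generating $N$ $128$-bit random values per batch, for completeness.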
|
||||
|
|