Notational changes:

- Use a superscript (r) to mark the subgroup order, instead of a subscript.
- Use G^{(r)∗} for the set of r_G-order points in G.
- Mark the subgroup order in pairing groups, e.g. use G_1^{(r)} instead of G_1.
- Make the bit-representation indicator (five-pointed star) an affix instead of a superscript.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
Daira Hopwood 2018-08-12 16:24:15 +01:00
parent b605fe1061
commit 81598de991
1 changed files with 188 additions and 160 deletions


@ -528,6 +528,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\representedGroup}{\term{represented group}} \newcommand{\representedGroup}{\term{represented group}}
\newcommand{\representedGroups}{\term{represented groups}} \newcommand{\representedGroups}{\term{represented groups}}
\newcommand{\RepresentedGroup}{\titleterm{Represented Group}} \newcommand{\RepresentedGroup}{\titleterm{Represented Group}}
\newcommand{\representedSubgroup}{\term{represented subgroup}}
\newcommand{\representedSubgroups}{\term{represented subgroups}}
\newcommand{\hashExtractor}{\term{hash extractor}} \newcommand{\hashExtractor}{\term{hash extractor}}
\newcommand{\HashExtractor}{\titleterm{Hash Extractor}} \newcommand{\HashExtractor}{\titleterm{Hash Extractor}}
\newcommand{\groupHash}{\term{group hash}} \newcommand{\groupHash}{\term{group hash}}
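Review bot: the new \representedSubgroup / \representedSubgroups pair in this hunk has no title-case counterpart, whereas \representedGroup is accompanied by \RepresentedGroup two lines above; if the term ever appears in a heading or at the start of a sentence, add \newcommand{\RepresentedSubgroup}{\titleterm{Represented Subgroup}} next to these two so the naming scheme stays parallel.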
@ -964,9 +966,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\enc}{\mathsf{enc}} \newcommand{\enc}{\mathsf{enc}}
\newcommand{\DHSecret}[1]{\mathsf{sharedSecret}_{#1}} \newcommand{\DHSecret}[1]{\mathsf{sharedSecret}_{#1}}
\newcommand{\EphemeralPublic}{\mathsf{epk}} \newcommand{\EphemeralPublic}{\mathsf{epk}}
\newcommand{\ReprNoKern}{\star} \newcommand{\Repr}{\star}
\newcommand{\Repr}{\kern-0.03em\ReprNoKern} \newcommand{\MakeRepr}[2]{{#1}\rlap{\raisebox{-0.32ex}{$\Repr$}}\rule{0ex}{2.2ex}^{#2}}
\newcommand{\EphemeralPublicRepr}{\EphemeralPublic^{\Repr}} \newcommand{\EphemeralPublicRepr}{\EphemeralPublic\Repr}
\newcommand{\EphemeralPrivate}{\mathsf{esk}} \newcommand{\EphemeralPrivate}{\mathsf{esk}}
\newcommand{\EphemeralPrivateBytes}{\bytes{\EphemeralPrivate}} \newcommand{\EphemeralPrivateBytes}{\bytes{\EphemeralPrivate}}
\newcommand{\EphemeralPrivateBytesType}{\byteseq{32}} \newcommand{\EphemeralPrivateBytesType}{\byteseq{32}}
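Review bot: \Repr is redefined as a bare \star, which is a \mathbin symbol, so now that it is an affix rather than a superscript it will pick up binary-operator spacing whenever an Ord atom follows it (for instance \EphemeralPublicRepr directly followed by another symbol); defining it as {\star} or \mathord{\star} keeps the affix tight against the name. In the same hunk, \MakeRepr places the star with fixed -0.32ex and 2.2ex values that are tuned for text-style math and will not scale if the macro is ever used in script position; a \mathchoice-based definition would avoid that. Note also that \ReprNoKern is deleted here, so any remaining use of it elsewhere in the file that this diff does not touch will fail to compile.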
@ -985,15 +987,15 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\AuthSignPrivate}{\mathsf{ask}} \newcommand{\AuthSignPrivate}{\mathsf{ask}}
\newcommand{\AuthSignBase}{\mathcal{G}} \newcommand{\AuthSignBase}{\mathcal{G}}
\newcommand{\AuthSignPublic}{\mathsf{ak}} \newcommand{\AuthSignPublic}{\mathsf{ak}}
\newcommand{\AuthSignPublicRepr}{\AuthSignPublic^{\Repr}} \newcommand{\AuthSignPublicRepr}{\AuthSignPublic\Repr}
\newcommand{\AuthSignRandomizedPublic}{\mathsf{rk}} \newcommand{\AuthSignRandomizedPublic}{\mathsf{rk}}
\newcommand{\AuthSignRandomizedPublicRepr}{\AuthSignRandomizedPublic^{\Repr}} \newcommand{\AuthSignRandomizedPublicRepr}{\AuthSignRandomizedPublic\Repr}
\newcommand{\AuthSignRandomizedPrivate}{\mathsf{rsk}} \newcommand{\AuthSignRandomizedPrivate}{\mathsf{rsk}}
\newcommand{\AuthSignRandomizer}{\alpha} \newcommand{\AuthSignRandomizer}{\alpha}
\newcommand{\AuthProvePrivate}{\mathsf{nsk}} \newcommand{\AuthProvePrivate}{\mathsf{nsk}}
\newcommand{\AuthProveBase}{\mathcal{H}} \newcommand{\AuthProveBase}{\mathcal{H}}
\newcommand{\AuthProvePublic}{\mathsf{nk}} \newcommand{\AuthProvePublic}{\mathsf{nk}}
\newcommand{\AuthProvePublicRepr}{\AuthProvePublic^{\Repr}} \newcommand{\AuthProvePublicRepr}{\AuthProvePublic\Repr}
\newcommand{\OutViewingKey}{\mathsf{ovk}} \newcommand{\OutViewingKey}{\mathsf{ovk}}
\newcommand{\OutViewingKeyLength}{\mathsf{\ell_{\OutViewingKey}}} \newcommand{\OutViewingKeyLength}{\mathsf{\ell_{\OutViewingKey}}}
\newcommand{\OutViewingKeyType}{\byteseq{\OutViewingKeyLength/8}} \newcommand{\OutViewingKeyType}{\byteseq{\OutViewingKeyLength/8}}
@ -1006,10 +1008,10 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\DiversifierLength}{\mathsf{\ell_{\Diversifier}}} \newcommand{\DiversifierLength}{\mathsf{\ell_{\Diversifier}}}
\newcommand{\DiversifierType}{\bitseq{\DiversifierLength}} \newcommand{\DiversifierType}{\bitseq{\DiversifierLength}}
\newcommand{\DiversifiedTransmitBase}{\mathsf{g_d}} \newcommand{\DiversifiedTransmitBase}{\mathsf{g_d}}
\newcommand{\DiversifiedTransmitBaseRepr}{\mathsf{g^{\Repr}_d}} \newcommand{\DiversifiedTransmitBaseRepr}{\mathsf{g\Repr_d}}
\newcommand{\DiversifiedTransmitBaseNew}{\mathsf{g^{new}_d}} \newcommand{\DiversifiedTransmitBaseNew}{\mathsf{g^{new}_d}}
\newcommand{\DiversifiedTransmitPublic}{\mathsf{pk_d}} \newcommand{\DiversifiedTransmitPublic}{\mathsf{pk_d}}
\newcommand{\DiversifiedTransmitPublicRepr}{\mathsf{pk^{\Repr}_d}} \newcommand{\DiversifiedTransmitPublicRepr}{\mathsf{pk\Repr_d}}
\newcommand{\DiversifiedTransmitPublicNew}{\mathsf{pk^{new}_d}} \newcommand{\DiversifiedTransmitPublicNew}{\mathsf{pk^{new}_d}}
% PRFs % PRFs
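Review bot: in \DiversifiedTransmitBaseRepr and \DiversifiedTransmitPublicRepr the subscript now attaches to the star rather than to the letter: \mathsf{g\Repr_d} typesets g, then a star carrying the d subscript, whereas the old \mathsf{g^{\Repr}_d} stacked both marks on g. If the intended rendering is g_d with the star affixed to the whole name, write \mathsf{g_d}\Repr and \mathsf{pk_d}\Repr, matching the \EphemeralPublic\Repr pattern used in the earlier hunk.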
@ -1154,7 +1156,7 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\NoteCommitRandOld}[1]{\NoteCommitRand^\mathsf{old}_{#1}} \newcommand{\NoteCommitRandOld}[1]{\NoteCommitRand^\mathsf{old}_{#1}}
\newcommand{\NoteCommitRandNew}[1]{\NoteCommitRand^\mathsf{new}_{#1}} \newcommand{\NoteCommitRandNew}[1]{\NoteCommitRand^\mathsf{new}_{#1}}
\newcommand{\NoteAddressRand}{\mathsf{\uprho}} \newcommand{\NoteAddressRand}{\mathsf{\uprho}}
\newcommand{\NoteAddressRandRepr}{\NoteAddressRand^{\Repr}} \newcommand{\NoteAddressRandRepr}{\NoteAddressRand\Repr}
\newcommand{\NoteAddressRandOld}[1]{\NoteAddressRand^\mathsf{old}_{#1}} \newcommand{\NoteAddressRandOld}[1]{\NoteAddressRand^\mathsf{old}_{#1}}
\newcommand{\NoteAddressRandNew}[1]{\NoteAddressRand^\mathsf{new}_{#1}} \newcommand{\NoteAddressRandNew}[1]{\NoteAddressRand^\mathsf{new}_{#1}}
\newcommand{\NoteAddressPreRand}{\mathsf{\upvarphi}} \newcommand{\NoteAddressPreRand}{\mathsf{\upvarphi}}
@ -1515,9 +1517,13 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ParamP}[1]{{{#1}_\mathbb{P}}} \newcommand{\ParamP}[1]{{{#1}_\mathbb{P}}}
\newcommand{\ParamPexp}[2]{{{#1}_\mathbb{P}\!}^{#2}} \newcommand{\ParamPexp}[2]{{{#1}_\mathbb{P}\!}^{#2}}
\newcommand{\GroupP}[1]{\mathbb{P}_{#1}} \newcommand{\GroupP}[1]{\mathbb{P}_{#1}}
\newcommand{\GroupPstar}[1]{\mathbb{P}^\ast_{#1}} \newcommand{\GroupPstar}[1]{\GroupP{#1}^{\ast}}
\newcommand{\SubgroupP}[1]{\GroupP{#1}^{\subgroupr}}
\newcommand{\SubgroupPstar}[1]{\GroupP{#1}^{\subgroupr\ast}}
\newcommand{\SubgroupReprP}{\MakeRepr{\GroupP{}}{\subgroupr}}
\newcommand{\CurveP}[1]{\Curve_{\GroupP{#1}}} \newcommand{\CurveP}[1]{\Curve_{\GroupP{#1}}}
\newcommand{\ZeroP}[1]{\Zero_{\GroupP{#1}}} \newcommand{\ZeroP}[1]{\Zero_{\GroupP{#1}}}
\newcommand{\OneP}{\ParamP{\mathbf{1}}}
\newcommand{\GenP}[1]{\Generator_{\GroupP{#1}}} \newcommand{\GenP}[1]{\Generator_{\GroupP{#1}}}
\newcommand{\ellP}[1]{\ell_{\GroupP{#1}}} \newcommand{\ellP}[1]{\ell_{\GroupP{#1}}}
\newcommand{\reprP}[1]{\repr_{\GroupP{#1}}} \newcommand{\reprP}[1]{\repr_{\GroupP{#1}}}
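Review bot: \SubgroupReprP is defined without an index argument (\MakeRepr{\GroupP{}}{\subgroupr}) while \SubgroupP and \SubgroupPstar added in the same hunk take one, so there is no way to write the bit-representation set of \SubgroupP{1} or \SubgroupP{2}; giving it the same [1] parameter (\MakeRepr{\GroupP{#1}}{\subgroupr}) keeps the family consistent. Separately, \GroupPstar changes from \mathbb{P}^\ast_{#1} to \GroupP{#1}^{\ast}, which moves the star from above the P to after the subscript; confirm that this placement is the one the commit message's G^{(r)∗} convention intends.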
@ -1527,11 +1533,13 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ParamG}[1]{{{#1}_\mathbb{G}}} \newcommand{\ParamG}[1]{{{#1}_\mathbb{G}}}
\newcommand{\ParamGexp}[2]{{{#1}_\mathbb{G}\!}^{#2}} \newcommand{\ParamGexp}[2]{{{#1}_\mathbb{G}\!}^{#2}}
\newcommand{\GroupG}[1]{\mathbb{G}_{#1}} \newcommand{\GroupG}[1]{\mathbb{G}_{#1}}
\newcommand{\GroupGstar}[1]{\mathbb{G}^\ast_{#1}} \newcommand{\GroupGstar}[1]{\GroupG{#1}^{\ast}}
\newcommand{\SubgroupG}{\mathbb{G}_{\subgroupr}} \newcommand{\SubgroupG}[1]{\GroupG{#1}^{\subgroupr}}
\newcommand{\SubgroupReprG}{\SubgroupG^{\ReprNoKern}} \newcommand{\SubgroupGstar}[1]{\GroupG{#1}^{\subgroupr\ast}}
\newcommand{\SubgroupReprG}{\MakeRepr{\GroupG{}}{\subgroupr}}
\newcommand{\CurveG}[1]{\Curve_{\GroupG{#1}}} \newcommand{\CurveG}[1]{\Curve_{\GroupG{#1}}}
\newcommand{\ZeroG}[1]{\Zero_{\GroupG{#1}}} \newcommand{\ZeroG}[1]{\Zero_{\GroupG{#1}}}
\newcommand{\OneG}{\ParamG{\mathbf{1}}}
\newcommand{\GenG}[1]{\Generator_{\GroupG{#1}}} \newcommand{\GenG}[1]{\Generator_{\GroupG{#1}}}
\newcommand{\ellG}[1]{\ell_{\GroupG{#1}}} \newcommand{\ellG}[1]{\ell_{\GroupG{#1}}}
\newcommand{\ReprG}[1]{\bitseq{\ellG{#1}}} \newcommand{\ReprG}[1]{\bitseq{\ellG{#1}}}
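Review bot: \SubgroupG changes from a zero-argument macro to one taking an index, so any pre-existing bare \SubgroupG that this diff does not update will now consume the following token as its argument and typeset wrongly; grep the whole file for \SubgroupG not followed by a brace before merging. \SubgroupReprG, by contrast, keeps no argument and is hard-wired to \GroupG{}, so the indexed groups \GroupG{1, 2, T} have no representation-set macro, unlike their \SubgroupG{#1} and \SubgroupGstar{#1} counterparts.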
@ -1539,8 +1547,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\abstG}[1]{\abst_{\GroupG{#1}}} \newcommand{\abstG}[1]{\abst_{\GroupG{#1}}}
\newcommand{\PairingG}{\ParamG{\hat{e}}} \newcommand{\PairingG}{\ParamG{\hat{e}}}
\newcommand{\ExtractG}{\Extract_{\SubgroupG}} \newcommand{\ExtractG}{\Extract_{\SubgroupG{}}}
\newcommand{\GroupGHash}[1]{\GroupHash^{\SubgroupG}_{#1}} \newcommand{\GroupGHash}[1]{\GroupHash^{\SubgroupG{}}_{#1}}
\newcommand{\GroupGHashURSType}{\GroupHash\mathsf{.URSType}} \newcommand{\GroupGHashURSType}{\GroupHash\mathsf{.URSType}}
\newcommand{\GroupGHashInput}{\GroupHash\mathsf{.Input}} \newcommand{\GroupGHashInput}{\GroupHash\mathsf{.Input}}
\newcommand{\URS}{\mathsf{URS}} \newcommand{\URS}{\mathsf{URS}}
@ -1548,10 +1556,13 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\ParamS}[1]{{{#1}_\mathbb{\hskip 0.03em S}}} \newcommand{\ParamS}[1]{{{#1}_\mathbb{\hskip 0.03em S}}}
\newcommand{\ParamSexp}[2]{{{#1}_\mathbb{\hskip 0.03em S}\!}^{#2}} \newcommand{\ParamSexp}[2]{{{#1}_\mathbb{\hskip 0.03em S}\!}^{#2}}
\newcommand{\GroupS}[1]{\mathbb{S}_{#1}} \newcommand{\GroupS}[1]{\mathbb{S}_{#1}}
\newcommand{\GroupSstar}[1]{\mathbb{S}^\ast_{#1}} \newcommand{\GroupSstar}[1]{\GroupS{#1}^{\ast}}
\newcommand{\SubgroupSstar}[1]{(\GroupSstar{#1}\kern-0.03em)_{\subgroupr}} \newcommand{\SubgroupS}[1]{\GroupS{#1}^{\subgroupr}}
\newcommand{\SubgroupSstar}[1]{\GroupS{#1}^{\subgroupr\ast}}
\newcommand{\SubgroupReprS}{\MakeRepr{\GroupS{}}{\subgroupr}}
\newcommand{\CurveS}[1]{\Curve_{\GroupS{#1}}} \newcommand{\CurveS}[1]{\Curve_{\GroupS{#1}}}
\newcommand{\ZeroS}[1]{\Zero_{\GroupS{#1}}} \newcommand{\ZeroS}[1]{\Zero_{\GroupS{#1}}}
\newcommand{\OneS}{\ParamS{\mathbf{1}}}
\newcommand{\GenS}[1]{\Generator_{\GroupS{#1}}} \newcommand{\GenS}[1]{\Generator_{\GroupS{#1}}}
\newcommand{\ellS}[1]{\ell_{\GroupS{#1}}} \newcommand{\ellS}[1]{\ell_{\GroupS{#1}}}
\newcommand{\reprS}[1]{\repr_{\GroupS{#1}}} \newcommand{\reprS}[1]{\repr_{\GroupS{#1}}}
@ -1559,14 +1570,15 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\PairingS}{\ParamS{\hat{e}}} \newcommand{\PairingS}{\ParamS{\hat{e}}}
\newcommand{\MillerLoopS}{\ParamS{\mathsf{MillerLoop}}} \newcommand{\MillerLoopS}{\ParamS{\mathsf{MillerLoop}}}
\newcommand{\FinalExpS}{\ParamS{\mathsf{FinalExp}}} \newcommand{\FinalExpS}{\ParamS{\mathsf{FinalExp}}}
\newcommand{\GrothProofS}{\ParamS{\mathsf{GrothProof}}} \newcommand{\GrothS}{\Groth_{\kern 0.05em\mathbb{S}}}
\newcommand{\GrothSProof}{\GrothS\mathsf{.Proof}}
\newcommand{\ParamJ}[1]{{{#1}_\mathbb{\hskip 0.01em J}}} \newcommand{\ParamJ}[1]{{{#1}_\mathbb{\hskip 0.01em J}}}
\newcommand{\ParamJexp}[2]{{{#1}_\mathbb{\hskip 0.01em J}\!}^{#2}} \newcommand{\ParamJexp}[2]{{{#1}_\mathbb{\hskip 0.01em J}\!}^{#2}}
\newcommand{\GroupJ}{\mathbb{J}} \newcommand{\GroupJ}{\mathbb{J}}
\newcommand{\SubgroupJ}{\mathbb{J}_{\subgroupr}} \newcommand{\SubgroupJ}{\GroupJ^{\subgroupr}}
\newcommand{\SubgroupReprJ}{\SubgroupJ^{\ReprNoKern}} \newcommand{\SubgroupJstar}{\GroupJ^{\subgroupr\ast}}
\newcommand{\PrimeOrderJ}{\SubgroupJ \setminus \ZeroJ} \newcommand{\SubgroupReprJ}{\MakeRepr{\GroupJ}{\subgroupr}}
\newcommand{\CurveJ}{\Curve_{\GroupJ}} \newcommand{\CurveJ}{\Curve_{\GroupJ}}
\newcommand{\ZeroJ}{\Zero_{\GroupJ}} \newcommand{\ZeroJ}{\Zero_{\GroupJ}}
\newcommand{\GenJ}{\Generator_{\GroupJ}} \newcommand{\GenJ}{\Generator_{\GroupJ}}
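Review bot: removing \PrimeOrderJ drops the only place where the set of r-order points on Jubjub was actually defined (\SubgroupJ \setminus \ZeroJ); its replacement \SubgroupJstar is pure notation, and later hunks already cite it "as defined in \crossref{jubjub}", yet this diff contains no change to the jubjub section stating what \SubgroupJstar is. That definition (\SubgroupJ \setminus \setof{\ZeroJ}, mirroring the \SubgroupGstar{i} definition in the BN-254 hunk) should land in the same commit. Likewise \GrothProofS is replaced by \GrothS and \GrothSProof, and none of its former call sites appear in this diff, so check that the rename leaves no remaining users.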
@ -1578,11 +1590,11 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg
\newcommand{\SignedScalarLimitJ}{\frac{\ParamJ{r}-1}{2}} \newcommand{\SignedScalarLimitJ}{\frac{\ParamJ{r}-1}{2}}
\newcommand{\ExtractJ}{\Extract_{\SubgroupJ}} \newcommand{\ExtractJ}{\Extract_{\SubgroupJ}}
\newcommand{\GroupJHash}[1]{\GroupHash^{\SubgroupJ}_{#1}} \newcommand{\GroupJHash}[1]{\GroupHash^{\SubgroupJstar}_{#1}}
\newcommand{\GroupJHashURSType}{\GroupJHash{}\mathsf{.URSType}} \newcommand{\GroupJHashURSType}{\GroupJHash{}\mathsf{.URSType}}
\newcommand{\GroupJHashInput}{\GroupJHash{}\mathsf{.Input}} \newcommand{\GroupJHashInput}{\GroupJHash{}\mathsf{.Input}}
\newcommand{\HashOutput}{\bytes{H}} \newcommand{\HashOutput}{\bytes{H}}
\newcommand{\FindGroupJHash}{\FindGroupHash^{\SubgroupJ}} \newcommand{\FindGroupJHash}{\FindGroupHash^{\SubgroupJstar}}
\newcommand{\ParamM}[1]{{{#1}_\mathbb{\hskip 0.03em M}}} \newcommand{\ParamM}[1]{{{#1}_\mathbb{\hskip 0.03em M}}}
\newcommand{\ParamMexp}[2]{{{#1}_\mathbb{\hskip 0.03em M}\!}^{#2}} \newcommand{\ParamMexp}[2]{{{#1}_\mathbb{\hskip 0.03em M}\!}^{#2}}
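Review bot: \GroupJHash and \FindGroupJHash now carry \SubgroupJstar in their superscript, but the abstract group-hash family later in this diff is typed \GroupGHashURSType \times \GroupGHashInput \rightarrow \SubgroupG{} (the subgroup including \ZeroG{}), and \ExtractJ in this same hunk keeps \SubgroupJ; either narrow the abstract codomain to \SubgroupGstar{} to match the Jubjub instantiation, or state explicitly in the concrete section that the Jubjub instance never outputs \ZeroJ, so the two types agree.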
@ -2056,7 +2068,7 @@ $\sorted(S)$ means the sequence formed by sorting the elements
of $S$. of $S$.
$\GF{n}$ means the finite field with $n$ elements, and $\GF{n}$ means the finite field with $n$ elements, and
$\GFstar{n}$ means its group under multiplication. $\GFstar{n}$ means its group under multiplication (which excludes $0$).
Where there is a need to make the distinction, we denote the unique Where there is a need to make the distinction, we denote the unique
representative of $a \typecolon \GF{n}$ in the range $\range{0}{n-1}$ representative of $a \typecolon \GF{n}$ in the range $\range{0}{n-1}$
@ -2132,7 +2144,7 @@ i.e.
The $\scalarmult{k}{P}$ notation for scalar multiplication in a group is The $\scalarmult{k}{P}$ notation for scalar multiplication in a group is
defined in \crossref{abstractgroup}. defined in \crossref{abstractgroup}.
The convention of including a superscript $^{\Repr}$ in a variable name is used The convention of affixing $\Repr$ to a variable name is used
for variables that denote bit-sequence representations of group elements. for variables that denote bit-sequence representations of group elements.
The binary relations $<$, $\leq$, $=$, $\geq$, and $>$ have their conventional The binary relations $<$, $\leq$, $=$, $\geq$, and $>$ have their conventional
@ -2705,7 +2717,7 @@ Let $\MerkleDepthSprout$, $\MerkleHashLengthSprout$,
$\RandomSeedLength$, $\PRFOutputLengthSprout$, $\hSigLength$, and $\NOld$ be as defined in \crossref{constants}. $\RandomSeedLength$, $\PRFOutputLengthSprout$, $\hSigLength$, and $\NOld$ be as defined in \crossref{constants}.
\sapling{ \sapling{
Let $\GroupJ$, $\SubgroupJ$, $\ParamJ{r}$, and $\ellJ$ be as defined in \crossref{jubjub}. Let $\GroupJ$, $\SubgroupJ$, $\SubgroupJstar$, $\ParamJ{r}$, and $\ellJ$ be as defined in \crossref{jubjub}.
} %sapling } %sapling
\sprout{ \sprout{
@ -2751,10 +2763,10 @@ to derive the unique $\NoteAddressRand$ value for a \Sapling \note. It is also u
in the \spendStatement to confirm use of the correct $\NoteAddressRand$ value as an in the \spendStatement to confirm use of the correct $\NoteAddressRand$ value as an
input to \nullifier derivation. It is instantiated in \crossref{concretemixinghash}. input to \nullifier derivation. It is instantiated in \crossref{concretemixinghash}.
$\DiversifyHash \typecolon \DiversifierType \rightarrow \PrimeOrderJ$ is a \hashFunction $\DiversifyHash \typecolon \DiversifierType \rightarrow \SubgroupJstar$ is a \hashFunction
satisfying the Unlinkability security property described in \crossref{concretediversifyhash}. instantiated in \crossref{concretediversifyhash}, and satisfying the Unlinkability
It is used to derive a \diversifiedBase from a \diversifier in \crossref{saplingkeycomponents}. security property described in that section. It is used to derive a \diversifiedBase
It is instantiated in \crossref{concretediversifyhash}. from a \diversifier in \crossref{saplingkeycomponents}.
} %sapling } %sapling
@ -3332,11 +3344,10 @@ A \representedGroup $\GroupG{}$ consists of:
\end{itemize} \end{itemize}
\vspace{-1.5ex} \vspace{-1.5ex}
\notsprout{ Define $\SubgroupG{}$ as the order-$\ParamG{r}$ subgroup of $\GroupG{}$. Note that this includes $\ZeroG{}$.
Define $\SubgroupG$ as the order-$\ParamG{r}$ subgroup of $\GroupG{}$. Note that this includes $\ZeroG{}$. For the set of points of order $\ParamG{r}$ (which excludes $\ZeroG{}$), we write $\SubgroupGstar{}$.
Define $\SubgroupReprG := \setof{\reprG{}(P) \typecolon \ReprG{} \suchthat P \in \SubgroupG}$. Define $\SubgroupReprG := \setof{\reprG{}(P) \typecolon \ReprG{} \suchthat P \in \SubgroupG{}}$.
}
\vspace{0.5ex} \vspace{0.5ex}
For $G \typecolon \GroupG{}$ we write $-G$ for the negation of $G$, such that For $G \typecolon \GroupG{}$ we write $-G$ for the negation of $G$, such that
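Review bot: the \notsprout{ ... } wrapper around the \SubgroupG{} and \SubgroupReprG definitions is removed, so this text is now emitted in the Sprout-only build as well; the commit message describes only notational changes, so either note there that the definitions are intentionally unconditional (the BN-254 section also switches to \SubgroupG{1, 2, T} in this diff, which is presumably why) or keep the conditional.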
@ -3382,13 +3393,14 @@ efficiently computable left inverse.
\introlist \introlist
\subsubsection{Group Hash} \label{abstractgrouphash} \subsubsection{Group Hash} \label{abstractgrouphash}
Given a represented group $\GroupG{}$ with prime-order subgroup $\SubgroupG$, Given a \representedSubgroup $\SubgroupG{}$, a \term{family of group hashes into\, $\SubgroupG{}$},
a \term{family of group hashes into\, $\SubgroupG$}, $\GroupGHash{}$, consists of: $\GroupGHash{}$, consists of:
\begin{itemize} \begin{itemize}
\item a type $\GroupGHashURSType$ of \uniformRandomStrings; \item a type $\GroupGHashURSType$ of \uniformRandomStrings;
\item a type $\GroupGHashInput$ of inputs; \item a type $\GroupGHashInput$ of inputs;
\item a function $\GroupGHash{} \typecolon \GroupGHashURSType \times \GroupGHashInput \rightarrow \SubgroupG$. \vspace{-1ex}
\item a function $\GroupGHash{} \typecolon \GroupGHashURSType \times \GroupGHashInput \rightarrow \SubgroupG{}$.
\end{itemize} \end{itemize}
In \crossref{concretegrouphashjubjub}, we instantiate a family of group hashes into In \crossref{concretegrouphashjubjub}, we instantiate a family of group hashes into
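Review bot: the group-hash definition is now stated over a \representedSubgroup \SubgroupG{}, and the pairing definition below uses \representedSubgroups as well, but nothing in this diff defines the term; the abstract-group hunk that introduces \SubgroupG{} should name it a represented subgroup and say which representation function it inherits (presumably \reprG{} restricted to \SubgroupG{}, giving \SubgroupReprG as its image), so that the codomain of \GroupGHash{} is well-typed.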
@ -3418,7 +3430,7 @@ not return $\bot$) as a random oracle.
a sequence of \emph{distinct} inputs $m_{\alln} \typecolon \typeexp{\GroupGHashInput}{n}$ a sequence of \emph{distinct} inputs $m_{\alln} \typecolon \typeexp{\GroupGHashInput}{n}$
and a sequence of nonzero $x_{\alln} \typecolon \typeexp{\GFstar{\ParamG{r}}}{n}$ and a sequence of nonzero $x_{\alln} \typecolon \typeexp{\GFstar{\ParamG{r}}}{n}$
such that $\ssum{i = 1}{n}\!\left(\scalarmult{x_i}{\GroupGHash{\URS}(m_i)}\right) = \ZeroG{}$. such that $\ssum{i = 1}{n}\!\left(\scalarmult{x_i}{\GroupGHash{\URS}(m_i)}\right) = \ZeroG{}$.
\item Under the Discrete Logarithm assumption on $\GroupG{}$, a random oracle almost surely satisfies \item Under the Discrete Logarithm assumption on $\SubgroupG{}$, a random oracle almost surely satisfies
Discrete Logarithm Independence. Discrete Logarithm Independence.
\item Discrete Logarithm Independence implies \collisionResistance\!, \item Discrete Logarithm Independence implies \collisionResistance\!,
since a collision $(m_1, m_2)$ for $\GroupGHash{\URS}$ trivially gives a since a collision $(m_1, m_2)$ for $\GroupGHash{\URS}$ trivially gives a
@ -3445,23 +3457,22 @@ A \representedPairing $\GroupP{}$ consists of:
\begin{itemize} \begin{itemize}
\item a group order parameter $\ParamP{r} \typecolon \PosInt$ which must be prime; \item a group order parameter $\ParamP{r} \typecolon \PosInt$ which must be prime;
\item two \representedGroups $\GroupP{1, 2}$, both of order $\ParamP{r}$; \item two \representedSubgroups $\SubgroupP{1, 2}$, both of order $\ParamP{r}$;
\item a group $\GroupP{T}$ of order $\ParamP{r}$, written multiplicatively with operation\, \item a group $\SubgroupP{T}$ of order $\ParamP{r}$, written multiplicatively with operation\,
$\mult \typecolon \GroupP{T} \times \GroupP{T} \rightarrow \GroupP{T}$ $\mult \typecolon \SubgroupP{T} \times \SubgroupP{T} \rightarrow \SubgroupP{T}$
and multiplicative identity $\ParamP{\mathbf{1}}$; and group identity $\ParamP{\mathbf{1}}$;
\item three generators $\GenG{1, 2, T}$ of the order-$\ParamG{r}$ subgroups of \item three generators $\GenP{1, 2, T}$ of $\SubgroupP{1, 2, T}$ respectively;
$\GroupG{1, 2, T}$ respectively;
\item a pairing function \item a pairing function
$\PairingP \typecolon \GroupP{1} \times \GroupP{2} \rightarrow \GroupP{T}$ $\PairingP \typecolon \SubgroupP{1} \times \SubgroupP{2} \rightarrow \SubgroupP{T}$
satisfying: satisfying:
\begin{itemize} \begin{itemize}
\item (Bilinearity)\; for all $a, b \typecolon \GFstar{r}$, \item (Bilinearity)\; for all $a, b \typecolon \GFstar{r}$,
$P \typecolon \GroupP{1}$, and $Q \typecolon \GroupP{2}$,\; $P \typecolon \SubgroupP{1}$, and $Q \typecolon \SubgroupP{2}$,\;
$\PairingP\Of{\scalarmult{a}{P}, \scalarmult{b}{Q}} = \PairingP\Of{P, Q}^{a \mult b}$;\, and $\PairingP\Of{\scalarmult{a}{P}, \scalarmult{b}{Q}} = \PairingP\Of{P, Q}^{a \mult b}$;\, and
\item (Nondegeneracy)\; there does not exist $P \typecolon \GroupP{1} \setminus \ZeroP{1}$ \item (Nondegeneracy)\; there does not exist $P \typecolon \SubgroupPstar{1}$
such that for all $Q \typecolon \GroupP{2},\; such that for all $Q \typecolon \SubgroupP{2},\;
\PairingP(P, Q) = \ParamP{\mathbf{1}}$. \PairingP\Of{P, Q} = \OneP$.
\end{itemize} \end{itemize}
\end{itemize} \end{itemize}
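Review bot: the nondegeneracy clause switches to \OneP for the identity, while the \SubgroupP{T} item a few lines earlier still spells it out as \ParamP{\mathbf{1}}; use \OneP in both places, since the macro is introduced in this commit for exactly this purpose. The bilinearity clause also still quantifies over $a, b \typecolon \GFstar{r}$ with a bare r rather than \ParamP{r}, and this hunk, which already rewrites the neighbouring lines, is the natural place to fix that.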
@ -3632,7 +3643,7 @@ Let $\DiversifyHash$ be a \hashFunction, instantiated in \crossref{concretediver
Let $\SpendAuthSig$, instantiated in \crossref{concretespendauthsig}, Let $\SpendAuthSig$, instantiated in \crossref{concretespendauthsig},
be a \rerandomizableSignatureScheme. be a \rerandomizableSignatureScheme.
Let $\reprJ$, $\SubgroupJ$, and $\SubgroupReprJ$ be as defined in \crossref{jubjub}, and Let $\reprJ$, $\SubgroupJ$, $\SubgroupJstar$, and $\SubgroupReprJ$ be as defined in \crossref{jubjub}, and
let $\FindGroupJHash$ be as defined in \crossref{concretegrouphashjubjub}. let $\FindGroupJHash$ be as defined in \crossref{concretegrouphashjubjub}.
Let $\LEBStoOSP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$ Let $\LEBStoOSP{} \typecolon (\ell \typecolon \Nat) \times \bitseq{\ell} \rightarrow \byteseq{\sceiling{\ell/8}}$
@ -3661,7 +3672,7 @@ the \authProvingKey $\AuthProvePrivate \typecolon \GF{\ParamJ{r}}$, and the
If $\AuthSignPrivate = 0$, discard this key and repeat with a new $\SpendingKey$. If $\AuthSignPrivate = 0$, discard this key and repeat with a new $\SpendingKey$.
\vspace{1ex} \vspace{1ex}
$\AuthSignPublic \typecolon \PrimeOrderJ$, $\AuthProvePublic \typecolon \SubgroupJ$, and $\AuthSignPublic \typecolon \SubgroupJstar$, $\AuthProvePublic \typecolon \SubgroupJ$, and
the \incomingViewingKey $\InViewingKey \typecolon \InViewingKeyTypeSapling$ are then derived as: the \incomingViewingKey $\InViewingKey \typecolon \InViewingKeyTypeSapling$ are then derived as:
\vspace{-0.5ex} \vspace{-0.5ex}
@ -3711,7 +3722,7 @@ be as defined in \crossref{concretegrouphashjubjub}. Define:
\end{cases}$ \end{cases}$
\item $\DefaultDiversifier(\sk \typecolon \SpendingKeyType) := \item $\DefaultDiversifier(\sk \typecolon \SpendingKeyType) :=
\first\big(\fun{i \typecolon \byte}{\CheckDiversifier(\truncate{(\DiversifierLength/8)}(\PRFexpand{\sk}([3, i]))) \first\big(\fun{i \typecolon \byte}{\CheckDiversifier(\truncate{(\DiversifierLength/8)}(\PRFexpand{\sk}([3, i])))
\typecolon \maybe{(\PrimeOrderJ)}}\big)$. \typecolon \maybe{\SubgroupJstar}}\big)$.
\end{formulae} \end{formulae}
For a random \spendingKey, $\DefaultDiversifier$ returns $\bot$ with probability approximately $2^{-256}$; For a random \spendingKey, $\DefaultDiversifier$ returns $\bot$ with probability approximately $2^{-256}$;
@ -4408,15 +4419,15 @@ Instead of generating a key pair at random, we generate it as a function of the
and the \balancingValue. and the \balancingValue.
\vspace{2ex} \vspace{2ex}
Let $\SubgroupJ$ and $\ParamJ{r}$ be as defined in \crossref{jubjub}. Let $\SubgroupJ$, $\SubgroupJstar$, and $\ParamJ{r}$ be as defined in \crossref{jubjub}.
\introlist \introlist
Let $\ValueCommit{}$, $\ValueCommitValueBase$, and $\ValueCommitRandBase$ Let $\ValueCommit{}$, $\ValueCommitValueBase$, and $\ValueCommitRandBase$
be as defined in \crossref{concretevaluecommit}: be as defined in \crossref{concretevaluecommit}:
\begin{formulae} \begin{formulae}
\item $\ValueCommit{} \typecolon \ValueCommitTrapdoor \times \ValueCommitType \rightarrow \ValueCommitOutput$; \item $\ValueCommit{} \typecolon \ValueCommitTrapdoor \times \ValueCommitType \rightarrow \ValueCommitOutput$;
\item $\ValueCommitValueBase \typecolon \PrimeOrderJ$ is the value base in $\ValueCommit{}$; \item $\ValueCommitValueBase \typecolon \SubgroupJstar$ is the value base in $\ValueCommit{}$;
\item $\ValueCommitRandBase \typecolon \PrimeOrderJ$ is the randomness base in $\ValueCommit{}$. \item $\ValueCommitRandBase \typecolon \SubgroupJstar$ is the randomness base in $\ValueCommit{}$.
\end{formulae} \end{formulae}
$\BindingSig$, $\combplus$, and $\grpplus$ are instantiated in \crossref{concretebindingsig}. $\BindingSig$, $\combplus$, and $\grpplus$ are instantiated in \crossref{concretebindingsig}.
@ -5852,7 +5863,7 @@ Let $c := 63$.
\introlist \introlist
\vspace{2ex} \vspace{2ex}
Define $\PedersenGenAlg \typecolon \byteseq{8} \times \Nat \rightarrow \PrimeOrderJ$ by: Define $\PedersenGenAlg \typecolon \byteseq{8} \times \Nat \rightarrow \SubgroupJstar$ by:
\begin{formulae} \begin{formulae}
\item $\PedersenGen{D}{i} := \FindGroupJHash\Of{D, \Justthebox{\gencountbox}}$. \item $\PedersenGen{D}{i} := \FindGroupJHash\Of{D, \Justthebox{\gencountbox}}$.
@ -6358,11 +6369,11 @@ $\KASapling$ is a \keyAgreementScheme as specified in \crossref{abstractkeyagree
It is instantiated as Diffie-Hellman with cofactor multiplication on $\JubjubCurve$ It is instantiated as Diffie-Hellman with cofactor multiplication on $\JubjubCurve$
as follows: as follows:
Let $\GroupJ$, $\SubgroupJ$, and the cofactor $\ParamJ{h}$ be as defined in \crossref{jubjub}. Let $\GroupJ$, $\SubgroupJ$, $\SubgroupJstar$, and the cofactor $\ParamJ{h}$ be as defined in \crossref{jubjub}.
Define $\KASaplingPublic := \GroupJ$. Define $\KASaplingPublic := \GroupJ$.
Define $\KASaplingPublicPrimeOrder := \PrimeOrderJ$. Define $\KASaplingPublicPrimeOrder := \SubgroupJstar$.
Define $\KASaplingSharedSecret := \SubgroupJ$. Define $\KASaplingSharedSecret := \SubgroupJ$.
@ -6478,12 +6489,12 @@ We first describe the scheme $\RedDSA$ over a general \representedGroup.
Its parameters are: Its parameters are:
\begin{itemize} \begin{itemize}
\item a \representedGroup $\GroupG{}$, which also defines \item a \representedGroup $\GroupG{}$, which also defines
a subgroup $\SubgroupG$ of order $\ParamG{r}$, a cofactor $\ParamG{h}$, a subgroup $\SubgroupG{}$ of order $\ParamG{r}$, a cofactor $\ParamG{h}$,
a group operation $+$, an additive identity $\ZeroG{}$, a group operation $+$, an additive identity $\ZeroG{}$,
a bit-length $\ellG{}$, a representation function $\reprG{}$, a bit-length $\ellG{}$, a representation function $\reprG{}$,
and an abstraction function $\abstG{}$, as specified in and an abstraction function $\abstG{}$, as specified in
\crossref{abstractgroup}; \crossref{abstractgroup};
\item $\GenG{}$, a generator of $\SubgroupG$; \item $\GenG{}$, a generator of $\SubgroupG{}$;
\item a bit-length $\RedDSAHashLength \typecolon \Nat$ such that \item a bit-length $\RedDSAHashLength \typecolon \Nat$ such that
$2^{\RedDSAHashLength-128} \geq \ParamG{r}$ and $\RedDSAHashLength \bmod 8 = 0$; $2^{\RedDSAHashLength-128} \geq \ParamG{r}$ and $\RedDSAHashLength \bmod 8 = 0$;
\item a cryptographic \hashFunction $\RedDSAHash \typecolon \byteseqs \rightarrow \byteseq{\RedDSAHashLength/8}$. \item a cryptographic \hashFunction $\RedDSAHash \typecolon \byteseqs \rightarrow \byteseq{\RedDSAHashLength/8}$.
@ -6613,7 +6624,7 @@ The scheme $\RedJubjub$ specializes $\RedDSA$ with:
\item $\RedDSAHash(x) := \BlakeTwobOf{512}{\ascii{Zcash\_RedJubjubH}, x}$ as defined in \crossref{concreteblake2}. \item $\RedDSAHash(x) := \BlakeTwobOf{512}{\ascii{Zcash\_RedJubjubH}, x}$ as defined in \crossref{concreteblake2}.
\end{itemize} \end{itemize}
The generator $\GenG{} \typecolon \SubgroupG$ is left as an unspecified parameter, which is different between The generator $\GenG{} \typecolon \SubgroupG{}$ is left as an unspecified parameter, which is different between
$\BindingSig$ and $\SpendAuthSig$. $\BindingSig$ and $\SpendAuthSig$.
} %sapling } %sapling
@ -6820,33 +6831,33 @@ Let $\ParamG{b} := 3$.
(\hairspace $\ParamG{q}$ and $\ParamG{r}$ are prime.) (\hairspace $\ParamG{q}$ and $\ParamG{r}$ are prime.)
Let $\GroupG{1}$ be the group of points on a Barreto--Naehrig (\cite{BN2005}) Let $\SubgroupG{1}$ be the group (of order $\ParamG{r}$) of rational points on a
curve $\CurveG{1}$ over $\GF{\ParamG{q}}$ with equation $y^2 = x^3 + \ParamG{b}$. Barreto--Naehrig (\cite{BN2005}) curve $\CurveG{1}$ over $\GF{\ParamG{q}}$ with equation $y^2 = x^3 + \ParamG{b}$.
This curve has embedding degree 12 with respect to $\ParamG{r}$. This curve has embedding degree 12 with respect to $\ParamG{r}$.
Let $\GroupG{2}$ be the subgroup of order $r$ in the sextic twist $\CurveG{2}$ of Let $\SubgroupG{2}$ be the subgroup of order $\ParamG{r}$ in the sextic twist $\CurveG{2}$ of
$\GroupG{1}$ over $\GF{\ParamGexp{q}{2}}$ with equation $y^2 = x^3 + \frac{\ParamG{b}}{\xi}$, $\CurveG{1}$ over $\GF{\ParamGexp{q}{2}}$ with equation $y^2 = x^3 + \frac{\ParamG{b}}{\xi}$,
where $\xi \typecolon \GF{\ParamGexp{q}{2}}$. where $\xi \typecolon \GF{\ParamGexp{q}{2}}$.
We represent elements of $\GF{\ParamGexp{q}{2}}$ as polynomials We represent elements of $\GF{\ParamGexp{q}{2}}$ as polynomials
$a_1 \mult t + a_0 \typecolon \GF{\ParamG{q}}[t]$, modulo the irreducible polynomial $a_1 \mult t + a_0 \typecolon \GF{\ParamG{q}}[t]$, modulo the irreducible polynomial
$t^2 + 1$; in this representation, $\xi$ is given by $t + 9$. $t^2 + 1$; in this representation, $\xi$ is given by $t + 9$.
Let $\GroupG{T}$ be the subgroup of $\ParamGexp{r}{\mathrm{th}}$ roots of unity in Let $\SubgroupG{T}$ be the subgroup of $\ParamGexp{r}{\mathrm{th}}$ roots of unity in
$\GFstar{\ParamGexp{q}{12}}$. $\GFstar{\ParamGexp{q}{12}}$, with multiplicative identity $\OneG$.
Let $\PairingG$ be the optimal ate pairing (see \cite{Vercauter2009} and \cite[section 2]{AKLGL2010}) of type Let $\PairingG$ be the optimal ate pairing (see \cite{Vercauter2009} and \cite[section 2]{AKLGL2010}) of type
$\GroupG{1} \times \GroupG{2} \rightarrow \GroupG{T}$. $\SubgroupG{1} \times \SubgroupG{2} \rightarrow \SubgroupG{T}$.
For $i \typecolon \range{1}{2}$, let $\ZeroG{i}$ be the point at infinity For $i \typecolon \range{1}{2}$, let $\ZeroG{i}$ be the point at infinity
(which is the additive identity) in $\GroupG{i}$, and let (which is the additive identity) in $\SubgroupG{i}$, and let
$\GroupGstar{i} := \GroupG{i} \setminus \setof{\ZeroG{i}}$. $\SubgroupGstar{i} := \SubgroupG{i} \setminus \setof{\ZeroG{i}}$.
Let $\GenG{1} \typecolon \GroupGstar{1} := (1, 2)$. Let $\GenG{1} \typecolon \SubgroupGstar{1} := (1, 2)$.
\vspace{-1ex} \vspace{-1ex}
\begin{tabular}{@{}l@{}r@{}l@{}} \begin{tabular}{@{}l@{}r@{}l@{}}
Let $\GenG{2} \typecolon \GroupGstar{2} :=\;$ Let $\GenG{2} \typecolon \SubgroupGstar{2} :=\;$
% are these the right way round? % are these the right way round?
&$(11559732032986387107991004021392285783925812861821192530917403151452391805634$ & $\,\mult\, t\;+$ \\ &$(11559732032986387107991004021392285783925812861821192530917403151452391805634$ & $\,\mult\, t\;+$ \\
&$ 10857046999023057135944570762232829481370756359578518086990519993285655852781$ & $, $ \\ &$ 10857046999023057135944570762232829481370756359578518086990519993285655852781$ & $, $ \\
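Review bot: the rewording "the group (of order \ParamG{r}) of rational points" on the BN curve is only correct because BN curves have prime order over the base field (cofactor 1), which is why \SubgroupG{1} here coincides with the whole group \GroupG{1}; a parenthetical saying so would make the abstract/concrete correspondence explicit, since elsewhere \SubgroupG{} is defined as a proper subgroup of \GroupG{}. The "% are these the right way round?" comment on the \GenG{2} coordinates is untouched context, but the generator is now typed \SubgroupGstar{2}, so it is worth resolving before merge.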
@ -6854,8 +6865,7 @@ Let $\GenG{2} \typecolon \GroupGstar{2} :=\;$
&$ 8495653923123431417604973247489272438418190587263600148770280649306958101930$ & $). $ &$ 8495653923123431417604973247489272438418190587263600148770280649306958101930$ & $). $
\end{tabular} \end{tabular}
$\GenG{1}$ and $\GenG{2}$ are generators of the order-$\ParamG{r}$ subgroups of $\GenG{1}$ and $\GenG{2}$ are generators of $\SubgroupG{1}$ and $\SubgroupG{2}$ respectively.
$\GroupG{1}$ and $\GroupG{2}$ respectively.
\newsavebox{\gonebox} \newsavebox{\gonebox}
\begin{lrbox}{\gonebox} \begin{lrbox}{\gonebox}
@ -6893,7 +6903,7 @@ Define $\ItoBEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell}
\bitseq{\ell}$ as in \crossref{endian}. \bitseq{\ell}$ as in \crossref{endian}.
\introlist \introlist
For a point $P \typecolon \GroupGstar{1} = (\xP, \yP)$: For a point $P \typecolon \SubgroupGstar{1} = (\xP, \yP)$:
\begin{itemize} \begin{itemize}
\item The field elements $\xP$ and $\yP \typecolon \GF{q}$ are represented as \item The field elements $\xP$ and $\yP \typecolon \GF{q}$ are represented as
@ -6903,7 +6913,7 @@ For a point $P \typecolon \GroupGstar{1} = (\xP, \yP)$:
\end{itemize} \end{itemize}
\introlist \introlist
For a point $P \typecolon \GroupGstar{2} = (\xP, \yP)$: For a point $P \typecolon \SubgroupGstar{2} = (\xP, \yP)$:
\begin{itemize} \begin{itemize}
\item Define $\FEtoIP \typecolon \GF{\ParamG{q}}[t] / (t^2 + 1) \rightarrow \item Define $\FEtoIP \typecolon \GF{\ParamG{q}}[t] / (t^2 + 1) \rightarrow
@ -6918,24 +6928,24 @@ For a point $P \typecolon \GroupGstar{2} = (\xP, \yP)$:
\end{itemize} \end{itemize}
\begin{nnotes} \begin{nnotes}
\item The use of big-endian order by $\ItoBEBSP{}$ is different from the encoding
of most other integers in this protocol.
The encodings for $\GroupGstar{1, 2}$ are consistent with the
definition of $\ECtoOSP{}$ for compressed curve points in
\cite[section 5.5.6.2]{IEEE2004}. The LSB compressed form
(i.e.\ $\ECtoOSPXL$) is used for points in $\GroupGstar{1}$,
and the SORT compressed form (i.e.\ $\ECtoOSPXS$) for points in
$\GroupGstar{2}$.
\item The points at infinity $\ZeroG{1, 2}$ never occur in proofs and \item The points at infinity $\ZeroG{1, 2}$ never occur in proofs and
have no defined encodings in this protocol. have no defined encodings in this protocol.
\item Testing $y > y'$ for the compression of $\GroupGstar{2}$ points is equivalent \item A rational point $P \neq \ZeroG{2}$ on the curve $\CurveG{2}$ can be
verified to be of order $\ParamG{r}$, and therefore in $\SubgroupGstar{2}$,
by checking that $\ParamG{r} \mult P = \ZeroG{2}$.
\item The use of big-endian order by $\ItoBEBSP{}$ is different from the encoding
of most other integers in this protocol.
The encodings for $\SubgroupGstar{1, 2}$ are consistent with the
definition of $\ECtoOSP{}$ for compressed curve points in
\cite[section 5.5.6.2]{IEEE2004}. The LSB compressed form
(i.e.\ $\ECtoOSPXL$) is used for points in $\SubgroupGstar{1}$,
and the SORT compressed form (i.e.\ $\ECtoOSPXS$) for points in
$\SubgroupGstar{2}$.
\item Testing $y > y'$ for the compression of $\SubgroupGstar{2}$ points is equivalent
to testing whether $(a_{y,1}, a_{y,0}) > (a_{-y,1}, a_{-y,0})$ in lexicographic order. to testing whether $(a_{y,1}, a_{y,0}) > (a_{-y,1}, a_{-y,0})$ in lexicographic order.
\item Algorithms for decompressing points from the above encodings are \item Algorithms for decompressing points from the above encodings are
given in \cite[Appendix A.12.8]{IEEE2000} for $\GroupGstar{1}$, and given in \cite[Appendix A.12.8]{IEEE2000} for $\SubgroupGstar{1}$, and
\cite[Appendix A.12.11]{IEEE2004} for $\GroupGstar{2}$. \cite[Appendix A.12.11]{IEEE2004} for $\SubgroupGstar{2}$.
\item A rational point $P \neq \ZeroG{2}$ on the curve $\CurveG{2}$ can be
verified to be of order $\ParamG{r}$, and therefore in $\GroupGstar{2}$,
by checking that $\ParamG{r} \mult P = \ZeroG{2}$.
\end{nnotes} \end{nnotes}
When computing square roots in $\GF{\ParamG{q}}$ or $\GF{\ParamGexp{q}{2}}$ in When computing square roots in $\GF{\ParamG{q}}$ or $\GF{\ParamGexp{q}{2}}$ in
@ -6983,32 +6993,32 @@ Let $\ParamS{b} := 4$.
(\hairspace $\ParamS{q}$ and $\ParamS{r}$ are prime.) (\hairspace $\ParamS{q}$ and $\ParamS{r}$ are prime.)
Let $\GroupS{1}$ be the group of points on a Barreto--Lynn--Scott (\cite{BLS2002}) Let $\SubgroupS{1}$ be the subgroup of order $\ParamS{r}$ of the group of rational points
curve $\CurveS{1}$ over $\GF{\ParamS{q}}$ with equation $y^2 = x^3 + \ParamS{b}$. on a Barreto--Lynn--Scott (\cite{BLS2002}) curve $\CurveS{1}$ over $\GF{\ParamS{q}}$ with
This curve has embedding degree 12 with respect to $\ParamS{r}$. equation $y^2 = x^3 + \ParamS{b}$. This curve has embedding degree 12 with respect to $\ParamS{r}$.
Let $\GroupS{2}$ be the subgroup of order $\ParamS{r}$ in the sextic twist $\CurveS{2}$ of Let $\SubgroupS{2}$ be the subgroup of order $\ParamS{r}$ in the sextic twist $\CurveS{2}$ of
$\GroupS{1}$ over $\GF{\ParamSexp{q}{2}}$ with equation $y^2 = x^3 + 4(i + 1)$, where $\CurveS{1}$ over $\GF{\ParamSexp{q}{2}}$ with equation $y^2 = x^3 + 4(i + 1)$, where
$i \typecolon \GF{\ParamSexp{q}{2}}$. $i \typecolon \GF{\ParamSexp{q}{2}}$.
We represent elements of $\GF{\ParamSexp{q}{2}}$ as polynomials We represent elements of $\GF{\ParamSexp{q}{2}}$ as polynomials
$a_1 \mult t + a_0 \typecolon \GF{\ParamS{q}}[t]$, modulo the irreducible polynomial $a_1 \mult t + a_0 \typecolon \GF{\ParamS{q}}[t]$, modulo the irreducible polynomial
$t^2 + 1$; in this representation, $i$ is given by $t$. $t^2 + 1$; in this representation, $i$ is given by $t$.
Let $\GroupS{T}$ be the subgroup of $\ParamSexp{r}{\mathrm{th}}$ roots of unity in Let $\SubgroupS{T}$ be the subgroup of $\ParamSexp{r}{\mathrm{th}}$ roots of unity in
$\GFstar{\ParamSexp{q}{12}}$. $\GFstar{\ParamSexp{q}{12}}$, with multiplicative identity $\OneS$.
Let $\PairingS$ be the optimal ate pairing of type Let $\PairingS$ be the optimal ate pairing of type
$\GroupS{1} \times \GroupS{2} \rightarrow \GroupS{T}$. $\SubgroupS{1} \times \SubgroupS{2} \rightarrow \SubgroupS{T}$.
For $i \typecolon \range{1}{2}$, let $\ZeroS{i}$ be the point at infinity in $\GroupS{i}$, For $i \typecolon \range{1}{2}$, let $\ZeroS{i}$ be the point at infinity in $\SubgroupS{i}$,
and let $\GroupSstar{i} := \GroupS{i} \setminus \setof{\ZeroS{i}}$. and let $\SubgroupSstar{i} := \SubgroupS{i} \setminus \setof{\ZeroS{i}}$.
\introlist \introlist
Let $\GenS{1} \typecolon \GroupSstar{1} := (1, 2)$. Let $\GenS{1} \typecolon \SubgroupSstar{1} := (1, 2)$.
\begin{tabular}{@{}l@{}r@{}l@{}} \begin{tabular}{@{}l@{}r@{}l@{}}
Let $\GenS{2} \typecolon \GroupSstar{2} :=\;$ Let $\GenS{2} \typecolon \SubgroupSstar{2} :=\;$
% are these the right way round? % are these the right way round?
&$(11559732032986387107991004021392285783925812861821192530917403151452391805634$ & $\,\mult\, t\;+$ \\ &$(11559732032986387107991004021392285783925812861821192530917403151452391805634$ & $\,\mult\, t\;+$ \\
&$ 10857046999023057135944570762232829481370756359578518086990519993285655852781$ & $, $ \\ &$ 10857046999023057135944570762232829481370756359578518086990519993285655852781$ & $, $ \\
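Review bot: $\GenS{1} \typecolon \SubgroupSstar{1} := (1, 2)$ is not a point on $\CurveS{1}$ as defined immediately above: with $\ParamS{b} := 4$ and $y^2 = x^3 + \ParamS{b}$, the left side is $2^2 = 4$ while the right side is $1^3 + 4 = 5$, so this is a value copied from the BN section (where the same generator is used) and never replaced. The same applies to $\GenS{2}$: its coordinates, and the "% are these the right way round?" comment above them, are byte-for-byte the $\GenG{2}$ coordinates from the BN section, even though $\CurveS{2}$ is a different curve over a different field. Now that the declarations assert membership in $\SubgroupSstar{1}$ and $\SubgroupSstar{2}$, either supply the real BLS generators or mark both as placeholders. Minor: $i$ is used both for the element of $\GF{\ParamSexp{q}{2}}$ with $i^2 = -1$ and as the index in "For $i \typecolon \range{1}{2}$"; the BN section avoids this by calling the field element $\xi$, so rename the index here (the batch-verification section in this same commit already moves its index from $i$ to $j$).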
@ -7016,13 +7026,13 @@ Let $\GenS{2} \typecolon \GroupSstar{2} :=\;$
&$ 8495653923123431417604973247489272438418190587263600148770280649306958101930$ & $). $ &$ 8495653923123431417604973247489272438418190587263600148770280649306958101930$ & $). $
\end{tabular} \end{tabular}
$\GenS{1}$ and $\GenS{2}$ are generators of $\GroupS{1}$ and $\GroupS{2}$ respectively. $\GenS{1}$ and $\GenS{2}$ are generators of $\SubgroupS{1}$ and $\SubgroupS{2}$ respectively.
Define $\ItoBEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow Define $\ItoBEBSP{} \typecolon (\ell \typecolon \Nat) \times \binaryrange{\ell} \rightarrow
\bitseq{\ell}$ as in \crossref{endian}. \bitseq{\ell}$ as in \crossref{endian}.
\introlist \introlist
For a point $P \typecolon \GroupSstar{1} = (\xP, \yP)$: For a point $P \typecolon \SubgroupSstar{1} = (\xP, \yP)$:
\begin{itemize} \begin{itemize}
\item The field elements $\xP$ and $\yP \typecolon \GF{\ParamS{q}}$ are represented as \item The field elements $\xP$ and $\yP \typecolon \GF{\ParamS{q}}$ are represented as
@ -7035,7 +7045,7 @@ For a point $P \typecolon \GroupSstar{1} = (\xP, \yP)$:
\end{itemize} \end{itemize}
\introlist \introlist
For a point $P \typecolon \GroupSstar{2} = (\xP, \yP)$: For a point $P \typecolon \SubgroupSstar{2} = (\xP, \yP)$:
\begin{itemize} \begin{itemize}
\item Define $\FEtoIPP \typecolon \GF{\ParamS{q}}[t] / (t^2 + 1) \rightarrow \item Define $\FEtoIPP \typecolon \GF{\ParamS{q}}[t] / (t^2 + 1) \rightarrow
@ -7050,14 +7060,14 @@ For a point $P \typecolon \GroupSstar{2} = (\xP, \yP)$:
\end{itemize} \end{itemize}
\begin{nnotes} \begin{nnotes}
\item The encodings for $\GroupSstar{1, 2}$ are specific to \Zcash.
\item The points at infinity $\ZeroS{1, 2}$ never occur in proofs and \item The points at infinity $\ZeroS{1, 2}$ never occur in proofs and
have no defined encodings in this protocol. have no defined encodings in this protocol.
\item The encodings for $\SubgroupSstar{1, 2}$ are specific to \Zcash.
\item Algorithms for decompressing points from the encodings of \item Algorithms for decompressing points from the encodings of
$\GroupSstar{1, 2}$ are defined analogously to those for $\SubgroupSstar{1, 2}$ are defined analogously to those for
$\GroupGstar{1, 2}$ in \crossref{bnpairing}, taking into account that $\SubgroupGstar{1, 2}$ in \crossref{bnpairing}, taking into account that
the SORT compressed form (not the LSB compressed form) is used the SORT compressed form (not the LSB compressed form) is used
for $\GroupGstar{1}$. for $\SubgroupSstar{1}$.
\item A rational point $P \neq \ZeroS{2}$ on the curve $\CurveS{2}$ can be \item A rational point $P \neq \ZeroS{2}$ on the curve $\CurveS{2}$ can be
verified to be of order $\ParamS{r}$, and therefore in $\GroupSstar{2}$, verified to be of order $\ParamS{r}$, and therefore in $\GroupSstar{2}$,
by checking that $\ParamS{r} \mult P = \ZeroS{2}$. by checking that $\ParamS{r} \mult P = \ZeroS{2}$.
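Review bot: the last note still reads "and therefore in $\GroupSstar{2}$" on the new side, while the other items in this list were switched to $\SubgroupSstar{1, 2}$, so the notation this commit introduces is applied inconsistently within one list; it should read $\SubgroupSstar{2}$. Separately, since $\SubgroupS{1}$ is now defined as "the subgroup of order $\ParamS{r}$ of the group of rational points" on $\CurveS{1}$, a decoded point on $\CurveS{1}$ is not automatically in $\SubgroupSstar{1}$, yet this list gives the $\ParamS{r} \mult P = \ZeroS{2}$ test only for $\CurveS{2}$. Add the analogous note that a point $P \neq \ZeroS{1}$ on $\CurveS{1}$ is in $\SubgroupSstar{1}$ iff $\ParamS{r} \mult P = \ZeroS{1}$, or state explicitly that $\CurveS{1}$ has cofactor $1$ if that is the case.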
@ -7108,7 +7118,7 @@ be the left inverse of $\reprJ$ such that if $S$ is not in the range of
$\reprJ$, then $\abstJ\Of{S} = \bot$. $\reprJ$, then $\abstJ\Of{S} = \bot$.
Define $\SubgroupJ$ as the order-$\ParamJ{r}$ subgroup of $\GroupJ$. Note that this includes $\ZeroJ$. Define $\SubgroupJ$ as the order-$\ParamJ{r}$ subgroup of $\GroupJ$. Note that this includes $\ZeroJ$.
For the set of prime-order points we write $\PrimeOrderJ$. For the set of points of order $\ParamJ{r}$ (which excludes $\ZeroJ$), we write $\SubgroupJstar$.
Define $\SubgroupReprJ := \setof{\reprJ(P) \typecolon \ReprJ \suchthat P \in \SubgroupJ}$. Define $\SubgroupReprJ := \setof{\reprJ(P) \typecolon \ReprJ \suchthat P \in \SubgroupJ}$.
@ -7210,14 +7220,14 @@ Let $\BlakeTwos{256}$ be as defined in \crossref{concreteblake2}.
Let $\LEOStoIP{}$ be as defined in \crossref{endian}. Let $\LEOStoIP{}$ be as defined in \crossref{endian}.
Let $\abstJ$ be as defined in \crossref{jubjub}. Let $\SubgroupJ$, $\SubgroupJstar$, and $\abstJ$ be as defined in \crossref{jubjub}.
\vspace{1ex} \vspace{1ex}
Let $D \typecolon \byteseq{8}$ be an $8$-byte domain separator, and Let $D \typecolon \byteseq{8}$ be an $8$-byte domain separator, and
let $M \typecolon \byteseqs$ be the hash input. let $M \typecolon \byteseqs$ be the hash input.
\introlist \introlist
The hash $\GroupJHash{\URS}(D, M) \typecolon \PrimeOrderJ$ is calculated as follows: The hash $\GroupJHash{\URS}(D, M) \typecolon \SubgroupJstar$ is calculated as follows:
\begin{algorithm} \begin{algorithm}
\item let $\HashOutput = \BlakeTwos{256}(D,\, \URS \bconcat\, M)$ \item let $\HashOutput = \BlakeTwos{256}(D,\, \URS \bconcat\, M)$
@ -7241,13 +7251,13 @@ The hash $\GroupJHash{\URS}(D, M) \typecolon \PrimeOrderJ$ is calculated as foll
is injective, and both it and its inverse are efficiently computable. is injective, and both it and its inverse are efficiently computable.
$\exclusivefun{P \typecolon \GroupJ} $\exclusivefun{P \typecolon \GroupJ}
{\scalarmult{\ParamJ{h}}{P} \typecolon \PrimeOrderJ}{\ZeroJ}$ {\scalarmult{\ParamJ{h}}{P} \typecolon \SubgroupJstar}{\ZeroJ}$
is exactly $\ParamJ{h}$-to-$1$, and both it and its inverse relation are efficiently computable. is exactly $\ParamJ{h}$-to-$1$, and both it and its inverse relation are efficiently computable.
It follows that when $\fun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)} It follows that when $\fun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)}
{\BlakeTwosOf{256}{D,\, \URS \bconcat\, M}\! \typecolon \byteseq{32}}$ {\BlakeTwosOf{256}{D,\, \URS \bconcat\, M}\! \typecolon \byteseq{32}}$
is modelled as a random oracle, $\exclusivefun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)} is modelled as a random oracle, $\exclusivefun{(D \typecolon \byteseq{8}, M \typecolon \byteseqs)}
{\GroupJHash{\URS}(D, M) \typecolon \PrimeOrderJ}{\bot}$ also acts as a random oracle. {\GroupJHash{\URS}\big(D, M\big) \typecolon \SubgroupJstar}{\bot}$ also acts as a random oracle.
\end{pnotes} \end{pnotes}
\vspace{0.5ex} \vspace{0.5ex}
@ -7256,7 +7266,7 @@ so that $\first(f) = f(i)$ where $i$ is the least integer in $\byte$
such that $f(i) \neq \bot$, or $\bot$ if no such $i$ exists. such that $f(i) \neq \bot$, or $\bot$ if no such $i$ exists.
Define $\FindGroupJHash(D, M) := Define $\FindGroupJHash(D, M) :=
\first(\fun{i \typecolon \byte}{\GroupJHash{\URS}(D, M \bconcat\, [i]) \typecolon \maybe{(\PrimeOrderJ)}})$. \first(\fun{i \typecolon \byte}{\GroupJHash{\URS}\Of{D, M \bconcat\, [i]} \typecolon \maybe{\SubgroupJstar}})$.
\vspace{-3ex} \vspace{-3ex}
\pnote{For random input, $\FindGroupJHash$ returns $\bot$ with probability approximately $2^{-256}$. \pnote{For random input, $\FindGroupJHash$ returns $\bot$ with probability approximately $2^{-256}$.
@ -7276,15 +7286,15 @@ computation of a \defaultDiversifiedPaymentAddress in \crossref{saplingkeycompon
with the $\PHGR$ \provingSystem described in \cite{BCTV2015}, which is a refinement of with the $\PHGR$ \provingSystem described in \cite{BCTV2015}, which is a refinement of
the systems in \cite{PHGR2013} and \cite{BCGTV2013}. the systems in \cite{PHGR2013} and \cite{BCGTV2013}.
A $\PHGR$ proof consists of a tuple A $\PHGR$ proof consists of
$(\Proof{A} \typecolon \GroupGstar{1},\, $(\Proof{A} \typecolon \SubgroupGstar{1},\,
\Proof{A}' \typecolon \GroupGstar{1},\, \Proof{A}' \typecolon \SubgroupGstar{1},\,
\Proof{B} \typecolon \GroupGstar{2},\, \Proof{B} \typecolon \SubgroupGstar{2},\,
\Proof{B}' \typecolon \GroupGstar{1},\, \Proof{B}' \typecolon \SubgroupGstar{1},\,
\Proof{C} \typecolon \GroupGstar{1},\, \Proof{C} \typecolon \SubgroupGstar{1},\,
\Proof{C}' \typecolon \GroupGstar{1},\, \Proof{C}' \typecolon \SubgroupGstar{1},\,
\Proof{K} \typecolon \GroupGstar{1},\, \Proof{K} \typecolon \SubgroupGstar{1},\,
\Proof{H} \typecolon \GroupGstar{1})$. \Proof{H} \typecolon \SubgroupGstar{1})$.
It is computed as described in \cite[Appendix B]{BCTV2015}, using the pairing parameters It is computed as described in \cite[Appendix B]{BCTV2015}, using the pairing parameters
specified in \crossref{bnpairing}. specified in \crossref{bnpairing}.
@ -7336,8 +7346,8 @@ verifier \MUST check, for the encoding of each element, that:
\item the remaining bytes encode a big-endian representation of an integer in \item the remaining bytes encode a big-endian representation of an integer in
$\range{0}{\ParamS{q}\!-\!1}$ or (in the case of $\Proof{B}$) $\range{0}{\ParamS{q}\!-\!1}$ or (in the case of $\Proof{B}$)
$\range{0}{\ParamSexp{q}{2}\!-\!1}$; $\range{0}{\ParamSexp{q}{2}\!-\!1}$;
\item the encoding represents a point in $\GroupGstar{1}$ or (in the case of \item the encoding represents a point in $\SubgroupGstar{1}$ or (in the case of
$\Proof{B}$) $\GroupGstar{2}$, including checking that it is of order $\Proof{B}$) $\SubgroupGstar{2}$, including checking that it is of order
$\ParamG{r}$ in the latter case. $\ParamG{r}$ in the latter case.
\end{itemize} \end{itemize}
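Review bot: this check list mixes the two pairing parameter sets. The integer-range item bounds the encoded coordinates by $\ParamS{q}$ and $\ParamSexp{q}{2}$ (the BLS field), but the membership item that follows checks against $\SubgroupGstar{1, 2}$ and $\ParamG{r}$ (the BN groups), and the $\PHGR$ section above says these proofs use the parameters of \crossref{bnpairing}. The bounds should be $\ParamG{q}$ and $\ParamGexp{q}{2}$; as written, an implementer following the text literally would validate $\Proof{B}$ against the wrong modulus.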
@ -7360,10 +7370,10 @@ After \Sapling activation, \Zcash uses \zkSNARKs with the \provingSystem describ
for proofs both in \Sprout \joinSplitDescriptions, and in \Sapling \spendDescriptions and for proofs both in \Sprout \joinSplitDescriptions, and in \Sapling \spendDescriptions and
\outputDescriptions. They are generated by the \bellman library \cite{Bowe-bellman}. \outputDescriptions. They are generated by the \bellman library \cite{Bowe-bellman}.
A $\Groth$ proof consists of a tuple A $\Groth$ proof consists of
$(\Proof{A} \typecolon \GroupSstar{1},\, $(\Proof{A} \typecolon \SubgroupSstar{1},\,
\Proof{B} \typecolon \GroupSstar{2},\, \Proof{B} \typecolon \SubgroupSstar{2},\,
\Proof{C} \typecolon \GroupSstar{1})$. \Proof{C} \typecolon \SubgroupSstar{1})$.
It is computed as described in \cite{Groth2016}, using the pairing parameters specified It is computed as described in \cite{Groth2016}, using the pairing parameters specified
in \crossref{blspairing}. in \crossref{blspairing}.
@ -7401,8 +7411,8 @@ verifier \MUST check, for the encoding of each element, that:
\item the remaining bits encode a big-endian representation of an integer \item the remaining bits encode a big-endian representation of an integer
in $\range{0}{\ParamS{q}\!-\!1}$ or (in the case of $\Proof{B}$) two integers in in $\range{0}{\ParamS{q}\!-\!1}$ or (in the case of $\Proof{B}$) two integers in
that range; that range;
\item the encoding represents a point in $\GroupSstar{1}$ or (in the case of $\Proof{B}$) \item the encoding represents a point in $\SubgroupSstar{1}$ or (in the case of $\Proof{B}$)
$\GroupSstar{2}$, including checking that it is of order $\ParamS{r}$ $\SubgroupSstar{2}$, including checking that it is of order $\ParamS{r}$
in the latter case. in the latter case.
\end{itemize} \end{itemize}
} }
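Review bot: "including checking that it is of order $\ParamS{r}$ in the latter case" limits the subgroup check to $\Proof{B}$, but with $\SubgroupS{1}$ now explicitly "the subgroup of order $\ParamS{r}$ of the group of rational points" on $\CurveS{1}$, a point that decodes onto $\CurveS{1}$ is not thereby in $\SubgroupSstar{1}$. Unless $\CurveS{1}$ is stated to have cofactor $1$, the \MUST should require $\ParamS{r} \mult P = \ZeroS{1}$ for $\Proof{A}$ and $\Proof{C}$ as well: a verifier that accepts $\Proof{A}$ or $\Proof{C}$ outside the prime-order subgroup is not checking the objects the pairing equation in \crossref{blspairing} is defined over, and the types $\SubgroupSstar{1}$ that this commit assigns to them would then be asserted rather than verified.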
@ -7777,7 +7787,7 @@ For \incomingViewingKeys on the test network, the \humanReadablePart is \ascii{z
\sapling{ \sapling{
\subsubsection{\Sapling \FullViewingKeys} \label{saplingfullviewingkeyencoding} \subsubsection{\Sapling \FullViewingKeys} \label{saplingfullviewingkeyencoding}
A \Sapling \fullViewingKey consists of $\AuthSignPublic \typecolon \PrimeOrderJ$, A \Sapling \fullViewingKey consists of $\AuthSignPublic \typecolon \SubgroupJstar$,
$\AuthProvePublic \typecolon \SubgroupJ$, and $\OutViewingKey \typecolon \byteseq{\OutViewingKeyLength/8}$. $\AuthProvePublic \typecolon \SubgroupJ$, and $\OutViewingKey \typecolon \byteseq{\OutViewingKeyLength/8}$.
$\AuthSignPublic$ and $\AuthProvePublic$ are points on the \jubjubCurve $\AuthSignPublic$ and $\AuthProvePublic$ are points on the \jubjubCurve
@ -7802,7 +7812,7 @@ The raw encoding of a \fullViewingKey consists of:
\end{itemize} \end{itemize}
When decoding this representation, the key is not valid if $\abstJ$ returns $\bot$ When decoding this representation, the key is not valid if $\abstJ$ returns $\bot$
for either $\AuthSignPublic$ or $\AuthProvePublic$, or if $\AuthSignPublic \notin \PrimeOrderJ$, for either $\AuthSignPublic$ or $\AuthProvePublic$, or if $\AuthSignPublic \notin \SubgroupJstar$,
or if $\AuthProvePublic \notin \SubgroupJ$. or if $\AuthProvePublic \notin \SubgroupJ$.
For \incomingViewingKeys on the production network, the \humanReadablePart is \ascii{zviews}. For \incomingViewingKeys on the production network, the \humanReadablePart is \ascii{zviews}.
@ -9568,6 +9578,24 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\intropart \intropart
\section{Change History} \section{Change History}
\subparagraph{2018.0-beta-27}
\begin{itemize}
\item No changes to \Sprout.
\sapling{
\item Notational changes:
\begin{itemize}
\item Use a superscript $^{\subgroupr}$ to mark the subgroup order, instead of a
subscript.
\item Use $\SubgroupGstar{}$ for the set of $\ParamG{r}$-order points in $\GroupG{}$.
\item Mark the subgroup order in pairing groups, e.g. use $\SubgroupG{1}$ instead
of $\GroupG{1}$.
\item Make the bit-representation indicator $\Repr$ an affix instead of a superscript.
\end{itemize}
} %sapling
\end{itemize}
\introlist
\subparagraph{2018.0-beta-26} \subparagraph{2018.0-beta-26}
\begin{itemize} \begin{itemize}
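Review bot: the new change-history entry records only the notational changes, but this commit also makes substantive corrections that someone diffing revisions would want listed: the sextic twist $\CurveS{2}$ is now described as a twist of $\CurveS{1}$ rather than of $\GroupS{1}$; the BLS decompression note now refers to $\SubgroupSstar{1}$ instead of the wrong group $\GroupGstar{1}$; $\OneG$ and $\OneS$ are introduced as the identities of $\SubgroupG{T}$ and $\SubgroupS{T}$; $\SubgroupJstar$ replaces $\PrimeOrderJ$ with a definition that explicitly excludes $\ZeroJ$; and the batch-verification index is renamed from $i$ to $j$. Add these as items inside the \sapling{...} block of this entry.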
@ -9665,7 +9693,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
\item Acknowledge Tomas Sander and Amnon TaShma for \cite{ST1999}. \item Acknowledge Tomas Sander and Amnon TaShma for \cite{ST1999}.
\item Acknowledge Kudelski Security's audit. \item Acknowledge Kudelski Security's audit.
\sapling{ \sapling{
\item Use the more precise subgroup types $\SubgroupG$ and $\SubgroupJ$ in preference to \item Use the more precise subgroup types $\SubgroupG{}$ and $\SubgroupJ$ in preference to
$\GroupG{}$ and $\GroupJ$ where applicable. $\GroupG{}$ and $\GroupJ$ where applicable.
\item Change the types of \auxiliaryInputs to the \spendStatement and \outputStatement, to be more \item Change the types of \auxiliaryInputs to the \spendStatement and \outputStatement, to be more
faithful to the implementation. faithful to the implementation.
@ -11358,7 +11386,7 @@ cryptanalytic attention to confidently use them for \Sapling.
The reference verification algorithm for $\RedDSA$ signatures is defined in \crossref{concretereddsa}. The reference verification algorithm for $\RedDSA$ signatures is defined in \crossref{concretereddsa}.
Let the $\RedDSA$ parameters $\GroupG{}$ (defining a subgroup $\SubgroupG$ of order $\ParamG{r}$, Let the $\RedDSA$ parameters $\GroupG{}$ (defining a subgroup $\SubgroupG{}$ of order $\ParamG{r}$,
a cofactor $\ParamG{h}$, a group operation $+$, an additive identity $\ZeroG{}$, a bit-length $\ellG{}$, a cofactor $\ParamG{h}$, a group operation $+$, an additive identity $\ZeroG{}$, a bit-length $\ellG{}$,
a representation function $\reprG{}$, and an abstraction function $\abstG{}$); $\GenG{} \typecolon \GroupG{}$; a representation function $\reprG{}$, and an abstraction function $\abstG{}$); $\GenG{} \typecolon \GroupG{}$;
$\RedDSAHashLength \typecolon \Nat$; $\RedDSAHash \typecolon \byteseqs \rightarrow \byteseq{\RedDSAHashLength/8}$; $\RedDSAHashLength \typecolon \Nat$; $\RedDSAHash \typecolon \byteseqs \rightarrow \byteseq{\RedDSAHashLength/8}$;
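Review bot: $\GenG{} \typecolon \GroupG{}$ is left as is while this commit tightens the surrounding types to subgroups, and the batch-verification equation below multiplies the whole combination by $\ParamG{h}$ and reduces every scalar modulo $\ParamG{r}$, which only makes sense if $\GenG{}$ generates $\SubgroupG{}$. If that is the intent, declare $\GenG{} \typecolon \SubgroupG{}$ (or its starred set) in this parameter list so the requirement is stated where the parameters are.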
@ -11380,33 +11408,33 @@ Define $\RedDSABatchEntry := \RedDSAPublic \times \RedDSAMessage \times \RedDSAS
Define $\RedDSABatchVerify \typecolon (\Entry{\barerange{0}{N-1}} \typecolon \typeexp{\RedDSABatchEntry}{N}) Define $\RedDSABatchVerify \typecolon (\Entry{\barerange{0}{N-1}} \typecolon \typeexp{\RedDSABatchEntry}{N})
\rightarrow \bit$ as: \rightarrow \bit$ as:
\begin{algorithm} \begin{algorithm}
\item For each $i \in \range{0}{N-1}$: \item For each $j \in \range{0}{N-1}$:
\item \tab Let $(\vk_i, M_i, \sigma_i) = \Entry{i}$. \item \tab Let $(\vk_j, M_j, \sigma_j) = \Entry{j}$.
\item \tab Let $\RedDSAReprR{i}$ be the first $\ceiling{\ellG{}/8}$ bytes of $\sigma_i$, and \item \tab Let $\RedDSAReprR{j}$ be the first $\ceiling{\ellG{}/8}$ bytes of $\sigma_j$, and
let $\RedDSAReprS{i}$ be the remaining $\ceiling{\bitlength(\ParamG{r})/8}$ bytes. let $\RedDSAReprS{j}$ be the remaining $\ceiling{\bitlength(\ParamG{r})/8}$ bytes.
\item \tab Let $\RedDSASigR{i} = \abstG{}\big(\LEOStoBSP{\ellG{}}(\RedDSAReprR{i})\kern-0.15em\big)$, and \item \tab Let $\RedDSASigR{j} = \abstG{}\big(\LEOStoBSP{\ellG{}}(\RedDSAReprR{j})\kern-0.12em\big)$, and
let $\RedDSASigS{i} = \LEOStoIP{\bitlength(\ParamG{r})}(\RedDSAReprS{i})$. let $\RedDSASigS{j} = \LEOStoIP{\bitlength(\ParamG{r})}(\RedDSAReprS{j})$.
\item \tab Let $\vkBytes{i} = \LEBStoOSPOf{\ellG{}}{\reprGOf{}{\vk_i}\kern 0.05em}$. \item \tab Let $\vkBytes{j} = \LEBStoOSPOf{\ellG{}}{\reprG{}(\vk_j)\kern-0.1em}$.
\item \tab Let $\RedDSASigc{i} = \RedDSAHashToScalar(\RedDSAReprR{i} \bconcat \vkBytes{i} \bconcat M_i)$. \item \tab Let $\RedDSASigc{j} = \RedDSAHashToScalar(\RedDSAReprR{j} \bconcat \vkBytes{j} \bconcat M_j)$.
\vspace{1ex} \vspace{1ex}
\item \tab Choose random $z_i \typecolon \GF{\ParamG{r}} \leftarrowR \range{1}{2^{128}-1}$. \item \tab Choose random $z_j \typecolon \GF{\ParamG{r}} \leftarrowR \range{1}{2^{128}-1}$.
\item \vspace{-2ex} \item \vspace{-2ex}
\item Return $1$ if \item Return $1$ if
\vspace{1ex} \vspace{1ex}
\begin{itemize} \begin{itemize}
\item for all $i \in \range{0}{N-1}$, $\RedDSASigR{i} \neq \bot$ and $\RedDSASigS{i} < \ParamG{r}$; and \item for all $j \in \range{0}{N-1}$, $\RedDSASigR{j} \neq \bot$ and $\RedDSASigS{j} < \ParamG{r}$; and
\item $\scalarmult{\ParamG{h}}{\left(\bigscalarmult{\ssum{i=0}{N-1}{(z_i \mult \RedDSASigS{i}) \item $\scalarmult{\ParamG{h}}{\left(\bigscalarmult{\ssum{j=0}{N-1}{(z_j \mult \RedDSASigS{j})
\pmod{\ParamG{r}}}}{\GenG{}} + \pmod{\ParamG{r}}}}{\GenG{}} +
\ssum{i=0}{N-1}{\big(\scalarmult{z_i}{\RedDSASigR{i}} + \ssum{j=0}{N-1}{\big(\scalarmult{z_j}{\RedDSASigR{j}} +
\scalarmult{z_i \mult \RedDSASigc{i} \scalarmult{z_j \mult \RedDSASigc{j}
\pmod{\ParamG{r}}}{\vk_i}\big)}\!\right)} \pmod{\ParamG{r}}}{\vk_j}\big)}\!\right)}
= \ZeroG{}$, = \ZeroG{}$,
\end{itemize} \end{itemize}
\vspace{-0.5ex} \vspace{-0.5ex}
otherwise $0$. otherwise $0$.
\end{algorithm} \end{algorithm}
The $z_i$ values \MUST be chosen independently of the batch entries. The $z_j$ values \MUST be chosen independently of the batch entries.
The performance benefit of this approach arises partly from replacing the per-signature The performance benefit of this approach arises partly from replacing the per-signature
scalar multiplication of the base $\GenG{}$ with one such multiplication per batch, scalar multiplication of the base $\GenG{}$ with one such multiplication per batch,
@ -11418,7 +11446,7 @@ as Pippinger's method \cite{Bernstein2001} or the Bos--Coster method \cite{deRoo
binding signatures (\crossref{concretebindingsig}) use different bases $\raisedstrut\GenG{}$. binding signatures (\crossref{concretebindingsig}) use different bases $\raisedstrut\GenG{}$.
It is straightforward to adapt the above procedure to handle multiple bases; It is straightforward to adapt the above procedure to handle multiple bases;
there will be one there will be one
$\bigscalarmult{\ssum{i}{}{(z_i \mult \RedDSASigS{i}) \pmod{\ParamG{r}}}}{\Generator}$ term for each base $\Generator$. $\bigscalarmult{\ssum{j}{}{(z_j \mult \RedDSASigS{j}) \pmod{\ParamG{r}}}}{\Generator}$ term for each base $\Generator$.
The benefit of this relative to using separate batches is that the multiscalar multiplication The benefit of this relative to using separate batches is that the multiscalar multiplication
can be extended across a larger batch.} %pnote can be extended across a larger batch.} %pnote
@ -11429,12 +11457,12 @@ can be extended across a larger batch.} %pnote
The reference verification algorithm for $\Groth$ proofs is defined in \crossref{groth}. The reference verification algorithm for $\Groth$ proofs is defined in \crossref{groth}.
Let $\ParamS{q}$, $\ParamS{r}$, $\GroupS{1, 2, T}$, $\GroupSstar{1, 2, T}$, $\GenS{1, 2, T}$, Let $\ParamS{q}$, $\ParamS{r}$, $\SubgroupS{1, 2, T}$, $\SubgroupSstar{1, 2, T}$, $\GenS{1, 2, T}$,
and $\PairingS$ be as defined in \crossref{blspairing}. $\OneS$, and $\PairingS$ be as defined in \crossref{blspairing}.
Define $\MillerLoopS \typecolon \GroupS{1} \times \GroupS{2} \rightarrow \GroupS{T}$ Define $\MillerLoopS \typecolon \SubgroupS{1} \times \SubgroupS{2} \rightarrow \SubgroupS{T}$
and $\FinalExpS \typecolon \GroupS{T} \rightarrow \GroupS{T}$ to be the Miller loop and and $\FinalExpS \typecolon \SubgroupS{T} \rightarrow \SubgroupS{T}$ to be the Miller loop and
final exponentiation respectively of the pairing computation, so that: final exponentiation respectively of the $\PairingS$ pairing computation, so that:
\begin{formulae} \begin{formulae}
\item $\PairingS\Of{P, Q} = \FinalExpS\Of{\MillerLoopS\Of{P, Q}\kern 0.05em}$ \item $\PairingS\Of{P, Q} = \FinalExpS\Of{\MillerLoopS\Of{P, Q}\kern 0.05em}$
\end{formulae} \end{formulae}
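Review bot: typing $\MillerLoopS$ as $\SubgroupS{1} \times \SubgroupS{2} \rightarrow \SubgroupS{T}$ and $\FinalExpS$ as $\SubgroupS{T} \rightarrow \SubgroupS{T}$ claims more than holds. $\SubgroupS{T}$ is defined in \crossref{blspairing} as the subgroup of $\ParamSexp{r}{\mathrm{th}}$ roots of unity in $\GFstar{\ParamSexp{q}{12}}$, but the Miller loop output is a general element of $\GFstar{\ParamSexp{q}{12}}$; it is the final exponentiation $R \mapsto R^{t}$ that lands in $\SubgroupS{T}$. The precise types are $\MillerLoopS \typecolon \SubgroupS{1} \times \SubgroupS{2} \rightarrow \GFstar{\ParamSexp{q}{12}}$ and $\FinalExpS \typecolon \GFstar{\ParamSexp{q}{12}} \rightarrow \SubgroupS{T}$, and since this commit's purpose is exactly to make such types precise, this is the place to get them right.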
@ -11442,9 +11470,9 @@ final exponentiation respectively of the pairing computation, so that:
where $\FinalExpS\Of{R} = R^{t}$ for some fixed $t$. where $\FinalExpS\Of{R} = R^{t}$ for some fixed $t$.
\vspace{2ex} \vspace{2ex}
Define $\GrothProofS := \GroupSstar{1} \times \SubgroupSstar{2} \times \GroupSstar{1}$. Define $\GrothSProof := \SubgroupSstar{1} \times \SubgroupSstar{2} \times \SubgroupSstar{1}$.
A $\Groth$ proof consists of a tuple $(\Proof{A}, \Proof{B}, \Proof{C}) \typecolon \GrothProofS$. A $\GrothS$ proof consists of a tuple $(\Proof{A}, \Proof{B}, \Proof{C}) \typecolon \GrothSProof$.
Verification of a single $\Groth$ proof requires checking the equation Verification of a single $\Groth$ proof requires checking the equation
\vspace{-0.5ex} \vspace{-0.5ex}
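Review bot: the rename to $\GrothSProof$ and $\GrothS$ is applied to the type definition and to "A $\GrothS$ proof consists of a tuple", but not to "Verification of a single $\Groth$ proof requires checking the equation" on the very next line, and the encoding section earlier in this commit still says "A $\Groth$ proof consists of" $(\Proof{A}, \Proof{B}, \Proof{C})$ without "a tuple". Use one name for the proof system and one phrasing for the proof type in both places.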
@ -11469,7 +11497,7 @@ Raising to the power of random $z \neq 0$ gives:
\end{formulae} \end{formulae}
\vspace{1ex} \vspace{1ex}
This justifies the following optimized procedure for performing faster verification of a batch of $\Groth$ proofs. This justifies the following optimized procedure for performing faster verification of a batch of $\GrothS$ proofs.
Implementations \MAY use this procedure to determine whether all proofs in a batch are valid. Implementations \MAY use this procedure to determine whether all proofs in a batch are valid.
\introlist \introlist